Cyber Threat Brief

2026-05-31: Palo Alto GlobalProtect VPN suffers active exploitation of an authentication bypass (CVE-2026-0257

13 min · 31 May 2026

Description

SHOW NOTES - 2026-05-31

STORIES COVERED

Today:

* Palo Alto GlobalProtect VPN Authentication Bypass (CVE-2026-0257) [https://www.bleepingcomputer.com/news/security/palo-alto-globalprotect-vpn-auth-bypass-flaw-now-exploited-in-attacks/] [Critical Alerts]
* CIFSwitch Linux Privilege Escalation [https://www.bleepingcomputer.com/news/security/new-cifswitch-linux-flaw-gives-root-on-multiple-distributions/] [Critical Alerts]
* Flowise AI Platform RCE (CVE-2026-40933) [https://www.securityweek.com/exploit-code-published-for-critical-flowise-rce-vulnerability/] [Critical Alerts]
* Russian Intelligence Technology Procurement Escalation [https://www.securityweek.com/russian-spies-are-aggressively-seeking-western-technology-as-sanctions-bite-officials-say/] [Business & Infrastructure Threats]
* GnuTLS Certificate Validation Bypass Flaws [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42012] [Vulnerability Disclosures]
* Additional Certificate Validation Flaws [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42790] [Vulnerability Disclosures]
* KubeVirt Security Flaws [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-7374] [Vulnerability Disclosures]
* Node.js Permission Model Flaws [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-36137] [Vulnerability Disclosures]
* Other Disclosed Vulnerabilities [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-46242] [Vulnerability Disclosures]
* Microsoft Incident Response Criticized [https://databreaches.net/2026/05/30/microsofts-incident-response-is-getting-a-failing-grade-from-researchers/?pk_campaign=feed&pk_kwd=microsofts-incident-response-is-getting-a-failing-grade-from-researchers] [General Security News]

CVES REFERENCED

CVE-2024-22018, CVE-2024-36137, CVE-2025-15649, CVE-2025-23167, CVE-2026-0257, CVE-2026-40034, CVE-2026-40510, CVE-2026-40528, CVE-2026-40933, CVE-2026-42012, CVE-2026-42013, CVE-2026-42015, CVE-2026-42789, CVE-2026-42790, CVE-2026-44839, CVE-2026-46242, CVE-2026-48864, CVE-2026-48962, CVE-2026-5260, CVE-2026-7374, CVE-2026-9804

Read the full brief [https://carolinacleartech.com/brief/2026-05-31/]


All episodes

90 episodes


Cyber Threat Brief for 2026-06-04

SHOW NOTES - 2026-06-04

STORIES COVERED

June 4, 2026

* CISA Adds Three Actively Exploited Vulnerabilities to KEV Catalog [https://www.cisa.gov/news-events/alerts/2026/06/03/cisa-adds-one-known-exploited-vulnerability-catalog] [Critical Alerts]
* Acer Wave 7 Routers Have Max-Severity Zero-Days Exposing Credentials [https://www.bleepingcomputer.com/news/security/acer-warns-of-max-severity-zero-days-affecting-wave-7-routers/] [Critical Alerts]
* Microsoft 365 Android Apps Leaked OAuth Tokens via Debug Flag [https://thehackernews.com/2026/06/microsoft-365-android-apps-let-any-app.html] [Business & Infrastructure Threats]
* Attackers Build Automated EDR Evasion Labs Using AI [https://www.darkreading.com/endpoint-security/attackers-automate-edr-evasion-testing] [Business & Infrastructure Threats]
* CISA Warns of Cyberattacks Targeting Fuel Tank Monitoring Systems [https://www.bleepingcomputer.com/news/security/cisa-warns-of-cyberattacks-targeting-fuel-tank-monitoring-systems/] [Business & Infrastructure Threats]
* HTTP/2 Bomb DoS Attack Crashes Web Servers in Seconds [https://www.bleepingcomputer.com/news/security/new-http-2-bomb-dos-attack-crashes-web-servers-in-under-a-minute/] [Business & Infrastructure Threats]
* Fake Sites Mimicking Open-Source Tools Deliver Malware via Traffic Distribution System [https://research.checkpoint.com/2026/impersonation-click-hijacking-and-tds-inside-a-malware-distribution-ecosystem/] [Business & Infrastructure Threats]
* Stock Exchange Executive's Outlook Mailbox Compromised for Five Months [https://thehackernews.com/2026/06/hackers-spied-on-stock-exchange.html] [Business & Infrastructure Threats]
* TA4922 Chinese Cybercrime Group Expands to Europe with Atlas RAT [https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-atlas-rat-malware-in-european-cyberattacks/] [Business & Infrastructure Threats]
* DesckVB RAT Campaign Abuses Google DoubleClick for Evasion [https://thehackernews.com/2026/06/google-doubleclick-abused-in-new.html] [Business & Infrastructure Threats]
* U.S. Sanctions Nobitex Crypto Exchange Used by Iranian Ransomware Actors [https://www.bleepingcomputer.com/news/security/the-us-sanctions-nobitex-crypto-exchange-used-by-ransomware/] [Business & Infrastructure Threats]
* Active Directory Description Fields Stored Passwords in Plaintext [https://www.theregister.com/security/2026/06/04/all-the-passwords-were-stored-in-active-directory-description-fields/5250820] [Windows / AD Security]
* Unpatched Windows Search URI Vulnerability Leaks NTLMv2 Hashes [https://thehackernews.com/2026/06/unpatched-windows-search-uri.html] [Windows / AD Security]
* One-Click GitHub.dev Attack Steals Full OAuth Tokens [https://thehackernews.com/2026/06/one-click-github-dev-attack-lets.html] [Vulnerability Disclosures]
* Autonomous AI Tool Finds 2-Year-Old Redis RCE (CVE-2026-23479) [https://thehackernews.com/2026/06/autonomous-ai-tool-finds-2-year-old-rce.html] [Vulnerability Disclosures]
* Google Gemini Prompt Injection via Android Notifications [https://www.darkreading.com/application-security/malicious-notifications-could-trick-google-gemini-users] [Vulnerability Disclosures]
* Open-Source AI Models Used to Build Self-Spreading Worms [https://www.theregister.com/research/2026/06/04/free-ai-model-powers-self-spreading-worm-in-enterprise-test-network/5250918] [General Security News]
* Cyber Insurance Rates Drop but Exclusions Widen [https://www.darkreading.com/cyber-risk/cyber-insurance-rates-drop-exclusions-widen] [General Security News]
* Police Dismantle 9 Crime Groups in Illegal Streaming Crackdown [https://www.bleepingcomputer.com/news/security/police-dismantles-9-crime-groups-in-illegal-streaming-crackdown/] [General Security News]

CVES REFERENCED

CVE-2022-0492, CVE-2023-35636, CVE-2025-48595, CVE-2026-23479, CVE-2026-33829, CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, CVE-2026-42832, CVE-2026-45247, CVE-2026-49200, CVE-2026-49201, CVE-2026-49975

INDICATORS OF COMPROMISE

IP Addresses: 10.0.1.100

Read the full brief [https://carolinacleartech.com/brief/2026-06-04/]

4 June 2026 · 32 min

2026-06-03: CISA adds Oracle WebLogic CVE-2024-21182 to KEV catalog after active exploitation with federal

SHOW NOTES - 2026-06-03

STORIES COVERED

June 3, 2026

Today:

* Oracle WebLogic CVE-2024-21182 Actively Exploited (CVE-2024-21182) [https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-oracle-weblogic-flaw/] [Critical Alerts]
* Google Patches Exploited Android Zero-Day (CVE-2025-48595) [https://www.bleepingcomputer.com/news/security/google-fixes-one-actively-exploited-android-zero-day-124-flaws/] [Critical Alerts]
* Linux Kernel Privilege Escalation Added to KEV (CVE-2022-0492) [https://www.cisa.gov/news-events/alerts/2026/06/02/cisa-adds-two-known-exploited-vulnerabilities-catalog] [Critical Alerts]
* Unpatched NTLM Coercion in Windows Search URI Handler (No CVE) [https://www.huntress.com/blog/unpatched-ntlm-coercion-windows-search-uri-handler] [Windows / AD Security]
* Microsoft Backtracks on Zero-Day Researcher Legal Threats [https://www.securityweek.com/microsoft-tries-to-calm-legal-threat-fears-after-zero-day-disclosure-backlash/] [General Security News]
* VS Code Zero-Day Allows GitHub Token Theft via Link Click [https://www.bleepingcomputer.com/news/security/vs-code-zero-day-lets-hackers-steal-github-tokens-in-one-click/] [General Security News]
* AI-Built Ransomware Toolkit Automates EDR Evasion [https://www.bleepingcomputer.com/news/security/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery/] [General Security News]
* DriveSurge Campaign Hijacks Thousands of Sites for Malware Delivery [https://www.darkreading.com/cyberattacks-data-breaches/drivesurge-hijacks-thousands-sites-clickfix-fakeupdate-attacks] [General Security News]
* Exchange Online Outage Causes Email Delays and Failures [https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-outage-causes-email-delays-failures/] [General Security News]
* Gamaredon Exploits WinRAR to Deliver Malware Against Ukraine [https://thehackernews.com/2026/06/gamaredon-exploits-winrar-to-deliver.html] [Ransomware & Extortion]
* WordPress Kirki Plugin Privilege Escalation Exploited (CVE-2026-8206) [https://www.bleepingcomputer.com/news/security/critical-kirki-flaw-exploited-to-hijack-wordpress-admin-accounts/] [Vulnerability Disclosures]
* Microsoft Office Vulnerability (CVE-2026-21509) Used by APT28 [https://thehackernews.com/2026/06/gamaredon-exploits-winrar-to-deliver.html] [Vulnerability Disclosures]

CVES REFERENCED

CVE-2022-0492, CVE-2024-21182, CVE-2025-48595, CVE-2025-8088, CVE-2026-21509, CVE-2026-33825, CVE-2026-33829, CVE-2026-41091, CVE-2026-45498, CVE-2026-8206

INDICATORS OF COMPROMISE

IP Addresses: 12.2.1.4, 14.1.1.0

Read the full brief [https://carolinacleartech.com/brief/2026-06-03/]

Yesterday · 14 min

2026-06-02: Critical Alerts

SHOW NOTES - 2026-06-02

STORIES COVERED

* CVE-2026-21182: Oracle WebLogic Server Added to CISA KEV [https://www.cisa.gov/news-events/alerts/2026/06/01/cisa-adds-one-known-exploited-vulnerability-catalog] [Critical Alerts]
* CVE-2026-41089: Windows Netlogon RCE Under Active Exploitation [https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/] [Critical Alerts]
* CVE-2026-0257: Palo Alto Networks GlobalProtect Authentication Bypass Exploited [https://www.securityweek.com/recent-palo-alto-networks-vulnerability-exploited-for-weeks/] [Critical Alerts]
* Gogs Remote Code Execution Zero-Day (No CVE Yet) [https://thehackernews.com/2026/06/weekly-recap-new-linux-flaw-pan-os.html] [Critical Alerts]
* Red Hat npm Packages Compromised in Supply Chain Attack [https://www.bleepingcomputer.com/news/security/red-hat-npm-packages-compromised-to-steal-developer-credentials/] [Business & Infrastructure Threats]
* DriveSurge Campaign Hijacks Thousands of Sites for Malware Distribution [https://www.bleepingcomputer.com/news/security/hackers-hijack-thousands-of-sites-for-clickfix-and-fakeupdate-attacks/] [Business & Infrastructure Threats]
* codexui-android npm Package Steals OpenAI Codex Tokens [https://thehackernews.com/2026/06/openai-codex-authentication-tokens.html] [Business & Infrastructure Threats]
* Meta AI Support Bot Exploited for Instagram Account Takeover [https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts/] [Business & Infrastructure Threats]
* WordPress Malware Hides C2 Data in Steam Profile Comments [https://www.bleepingcomputer.com/news/security/wordpress-malware-campaign-hides-payloads-in-steam-profiles/] [Business & Infrastructure Threats]
* CVE-2026-45498, CVE-2026-33825, CVE-2026-41091: Additional Windows Zero-Days Under Exploitation [https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/] [Windows / AD Security]
* Microsoft Outages Affecting MFA Setup and Office Apps [https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outage-affecting-mfa-setup-mysignin-service/] [Windows / AD Security]
* KB5089549 Windows 11 Security Update Installation Issues Resolved [https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-kb5089549-windows-security-update-install-issues/] [Windows / AD Security]
* CVE-2026-26980: Ghost CMS SQL Injection Under Active Exploitation [https://research.checkpoint.com/2026/1st-june-threat-intelligence-report/] [General Security News]
* CVE-2026-8732: WP Maps Pro WordPress Plugin Exploited for Site Takeover [https://www.securityweek.com/wp-maps-pro-vulnerability-exploited-to-take-over-wordpress-sites/] [General Security News]
* Dashlane Brute-Force Attack Results in Limited Vault Downloads [https://www.bleepingcomputer.com/news/security/dashlane-password-manager-users-locked-out-by-brute-force-attacks/] [General Security News]
* SVG Files Used in Phishing Campaigns [https://isc.sans.edu/diary/rss/33040] [General Security News]
* GlassWorm C2 Infrastructure Taken Down [https://thehackernews.com/2026/06/weekly-recap-new-linux-flaw-pan-os.html] [General Security News]
* Carnival Corporation, Charter Communications, Lithuania Data Breaches [https://research.checkpoint.com/2026/1st-june-threat-intelligence-report/] [General Security News]
* Spain Arrests Doxer Targeting Government Employees [https://www.bleepingcomputer.com/news/security/spain-arrests-doxer-leaking-sensitive-data-of-govt-employees/] [General Security News]
* Check Point Security Gateways: CVE-2026-48131, CVE-2026-48132 [https://research.checkpoint.com/2026/1st-june-threat-intelligence-report/] [Vulnerability Disclosures]
* China-Aligned Threat Activity Targeting Czech Republic, Taiwan, India [https://thehackernews.com/2026/06/china-aligned-groups-ramp-up-attacks.html] [Vulnerability Disclosures]
* Pakistan-Linked SideCopy Targets Afghanistan with Xeno RAT [https://thehackernews.com/2026/06/pakistan-linked-sidecopy-targets.html] [Vulnerability Disclosures]

CVES REFERENCED

CVE-2026-0257, CVE-2026-21182, CVE-2026-26980, CVE-2026-33825, CVE-2026-41089, CVE-2026-41091, CVE-2026-45498, CVE-2026-45585, CVE-2026-48131, CVE-2026-48132, CVE-2026-8732

INDICATORS OF COMPROMISE

IP Addresses: 164.92.88.210

Read the full brief [https://carolinacleartech.com/brief/2026-06-02/]

2 June 2026 · 22 min

2026-06-01: Critical WordPress plugin flaw under active exploitation allows unauthenticated admin account

SHOW NOTES - 2026-06-01

STORIES COVERED

Today:

* Critical WP Maps Pro Flaw Actively Exploited (CVE-2026-8732) [https://thehackernews.com/2026/06/critical-wp-maps-pro-flaw-actively.html] [Critical Alerts]
* Dutch Authorities Dismantle 17 Million Device Botnet [https://thehackernews.com/2026/05/dutch-authorities-dismantle-botnet.html] [Business & Infrastructure Threats]
* Container Attack Vectors Continue to Threaten Cloud Environments (CVE-2019-5736, CVE-2022-0492) [https://securelist.com/container-attack-vectors/120010/] [Business & Infrastructure Threats]
* SmartApeSG ClickFix Campaign Delivers Multi-Stage RAT Infections [https://isc.sans.edu/diary/rss/33034] [Business & Infrastructure Threats]
* Ransomware Group Claims HDFC AMC Data Theft [https://databreaches.net/2026/05/31/bombay-high-court-issues-injunction-prohibiting-hackers-from-publishing-allegedly-hacked-hdfc-investor-data/?pk_campaign=feed&pk_kwd=bombay-high-court-issues-injunction-prohibiting-hackers-from-publishing-allegedly-hacked-hdfc-investor-data] [Business & Infrastructure Threats]
* Russia Expands SORM Surveillance Requirements [https://news.risky.biz/risky-bulletin-russia-greatly-expands-sorm-surveillance-requirements/] [General Security News]
* 2026 Election Threats Target Campaign Infrastructure, Not Voting Systems [https://cyberscoop.com/2026-election-cyber-threats-campaign-systems/] [General Security News]
* YARA-X 1.17.0 Released [https://isc.sans.edu/diary/rss/33032] [General Security News]
* CVE-2026-8732 - WP Maps Pro Privilege Escalation [https://thehackernews.com/2026/06/critical-wp-maps-pro-flaw-actively.html] [Vulnerability Disclosures]
* CVE-2019-5736 - Container Runtime Escape [https://securelist.com/container-attack-vectors/120010/] [Vulnerability Disclosures]
* CVE-2022-0492 - Container Escape Vulnerability [https://securelist.com/container-attack-vectors/120010/] [Vulnerability Disclosures]

CVES REFERENCED

CVE-2019-5736, CVE-2022-0492, CVE-2026-8732

INDICATORS OF COMPROMISE

IP Addresses: 89.110.110.119, 185.163.47.217, 178.156.165.82, 178.156.173.194

Read the full brief [https://carolinacleartech.com/brief/2026-06-01/]

1 June 2026 · 12 min