Cybersecurity Daily: News & Threats

Three Microsoft Flaws, Drupal RCE & Iran Wiper Escalation | This Week's Threats

4 min · 23 May 2026

Description

(00:00:00) Three Microsoft Flaws, Drupal RCE & Iran Wiper Escalation | This Week's Threats
(00:01:01) Exchange XSS Now Weaponized
(00:01:30) Drupal PostgreSQL RCE Flaw
(00:02:11) CISA KEV Legacy Flaws
(00:02:44) Iran-Linked Wiper Attacks Escalate
(00:03:21) ShinyHunters Telus Breach

Three Microsoft vulnerabilities are under active exploitation this week, and the story is bigger than the individual CVEs. A critical remote code execution flaw in Microsoft Defender scores 8.1, flanked by two privilege escalation bugs — all three confirmed exploited in the wild. The same week, the Exchange Server cross-site scripting flaw CVE-2026-42897 was added to the CISA Known Exploited Vulnerabilities catalog with a federal remediation deadline. Three Microsoft flaws, one week. The pattern matters.

On the web infrastructure front, Drupal issued an emergency patch for CVE-2026-9082, a SQL injection vulnerability in the PostgreSQL layer that requires zero authentication and already has a public proof-of-concept. Every PostgreSQL-backed Drupal installation — government portals, shared hosting, content platforms — is in scope until patched.

CISA also added four legacy flaws dating back to 2008–2010 to its KEV catalog, including Internet Explorer RCE and Windows RPC vulnerabilities. Federal agencies have until June 3 to remediate. Vulnerability debt doesn't expire.

On the threat actor front, the Iranian-linked Handala group claims a destructive wiper attack against medical device manufacturer Stryker, asserting 50 TB stolen and disruption across 79 countries — consistent with a U.S. intelligence warning of elevated Iranian cyber activity. Separately, ShinyHunters claimed a 1-petabyte breach of Telus Digital with a $65 million extortion demand.

This episode covers all six stories with the technical context security professionals need and the accessible framing that keeps everyone else current. This episode includes AI-generated content.


All episodes

35 episodes


OceanLotus Supply Chain, Defender Zero-Day & Ivanti CVSS 10 Exploited

(00:00:00) OceanLotus Supply Chain, Defender Zero-Day & Ivanti CVSS 10 Exploited
(00:01:18) OceanLotus Infrastructure Campaign
(00:01:41) Windows Defender RoguePlanet Zero-Day
(00:02:30) Ivanti Sentry CVSS Ten Exploitation
(00:03:07) Microsoft Patch Tuesday and CISA Directive
(00:03:54) VRChat Breach Notice Dispute
(00:04:29) Watchpoints and Close

Today's cybersecurity briefing opens with one of the most structurally dangerous supply chain attacks in recent memory. OceanLotus — the Vietnam-aligned APT group — spent five months silently poisoning the FireAnt Metakit update mechanism, delivering the SPECTRALVIPER backdoor to tens of thousands of retail stock investors without a single suspicious click required. The same group maintained 15 months of persistent access to an unnamed Vietnamese infrastructure firm via SQL Server exploitation.

From nation-state patience to immediate exploitation urgency: researcher Nightmare Eclipse dropped a working proof-of-concept for RoguePlanet, a TOCTOU race condition in Windows Defender enabling full privilege escalation on fully patched Windows 10 and 11 machines. Real-world detections via tools BlueHammer and RedSun are already confirmed. Microsoft has not yet issued a patch.

The speed problem compounds with Ivanti. Two CVSS 10.0 vulnerabilities in Ivanti Sentry — CVE-2026-10520 and CVE-2026-10523 — were confirmed exploited within 24 hours of public PoC release, with Shadowserver detecting backdoored instances by June 11. Ivanti Sentry serves over 40,000 enterprise customers.

Microsoft's June Patch Tuesday delivered 206 updates including 33 critical CVEs and patches for three zero-days across Windows, Office, and Exchange. CISA simultaneously issued a new risk-based patching directive replacing BOD 22-01, setting a three-day remediation deadline for internet-exposed assets with fully exploitable flaws — a timeline critics say is unrealistic for legacy-burdened agencies.

Finally, a disputed breach notice filed with the Maine Attorney General claims 2.4 million VRChat accounts were compromised. VRChat denies any incident or filing, raising serious questions about the integrity of the breach disclosure infrastructure itself. This episode includes AI-generated content.

12 June 2026 · 6 min

Record Patch Tuesday: HTTP.sys Zero-Day, BitLocker Bypass & ServiceNow Breach

(00:00:00) Record Patch Tuesday: HTTP.sys Zero-Day, BitLocker Bypass & ServiceNow Breach
(00:00:32) Three Zero-Days — CTFMON, HTTP.sys, BitLocker
(00:01:39) AI Exploit Generation Shrinks Patch Window
(00:02:24) ServiceNow Breach — Silent Disclosure Problem
(00:03:19) Credential Exposure and What to Check Now
(00:03:58) What Enterprises Must Do Now

Microsoft has just released the largest Patch Tuesday in its 23-year history, covering up to 208 vulnerabilities — and three of them are confirmed, actively exploited zero-days that demand immediate action across every enterprise environment. The critical trio: an unauthenticated HTTP.sys remote code execution flaw granting kernel-mode access on internet-facing Windows servers; CVE-2026-45586, a CTFMON privilege escalation that elevates local attackers straight to SYSTEM; and CVE-2026-50507, a BitLocker volume master key bypass that undermines full-disk encryption as an offline defence. All three are in active exploitation. This is emergency patching territory.

Making the response window even tighter: large language models can now reverse-engineer patches and generate functional exploits within hours of public release. The old assumption of weeks between patch and weaponised exploit is gone.

Meanwhile, ServiceNow confirmed a separate breach of its customer data between June 2–3. Attackers exploited an unauthenticated Scripted REST API endpoint — disabled by a single misconfigured parameter — to query IT tickets and harvest embedded credentials across more than 8,000 enterprise instances. The platform was patched June 5; the advisory appeared June 9, behind a customer-only portal. That four-day gap may already have organisations running behind on GDPR, HIPAA, and SEC notification clocks.

In this episode: what to patch first, how to assess your ServiceNow exposure, why the monthly patch cycle no longer fits the threat environment, and the specific actions security teams should take in the next 24 hours. This episode includes AI-generated content.

Yesterday · 5 min

CISA's June 11 Deadline, Chrome's 5th Zero-Day & 698 Ransomware Attacks in May

(00:00:00) CISA's June 11 Deadline, Chrome's 5th Zero-Day & 698 Ransomware Attacks in May
(00:01:18) Chrome V8 Fifth Zero-Day 2026
(00:02:04) Microsoft's Record Patch Tuesday
(00:03:04) Ransomware Surge May 2026
(00:03:34) GenAI Leakage and Azure Supply Chain
(00:04:25) What to Watch Next

CISA has issued one of its tightest-ever emergency directives: every US federal civilian agency must patch CVE-2026-50751, an authentication bypass in Check Point Remote Access VPN, by end of day June 11 — or disconnect. Qilin ransomware affiliates have had a working exploit since at least May 7, with confirmed attacks across dozens of organizations globally. Mitigation paths exist — disable IKEv1 or enforce machine certificate authentication — but the three-day clock leaves no room for low-priority treatment of legacy VPN debt.

Elsewhere on the threat landscape, Google has patched CVE-2026-11645, a V8 out-of-bounds read/write flaw in Chrome that enables remote code execution via a crafted HTML page. This is Chrome's fifth confirmed zero-day in 2026, with a $55,000 bounty paid on discovery.

Microsoft's June Patch Tuesday broke records: more than 200 critical CVEs addressed, including 360 Chromium-related fixes. Three had public exploits at release time. A researcher known as Nightmare Eclipse — claiming former Microsoft employee status — has publicly pledged a mass exploit drop on July 14, a date now worth monitoring.

May 2026 ransomware data paints a stark picture: 698 reported attacks globally, up 48% year-over-year. Business Services saw a 359% spike. Three groups account for 39% of all attacks; 58 additional groups share the rest — a resilient, industrialized ecosystem.

Finally: enterprise GenAI tools are leaking credentials and IP at scale, with 1 in 25 prompts carrying high-risk content, and Microsoft's Azure Durable Task SDK has suffered a second Shai-Hulud worm infection across 72 public repositories — raising questions about whether remediation of the May attack was ever complete. This episode includes AI-generated content.

10 June 2026 · 5 min

Check Point VPN Zero-Day, 44% Ransomware Surge & FBI Network Breach

(00:00:00) Check Point VPN Zero-Day, 44% Ransomware Surge & FBI Network Breach
(00:00:44) Ransomware Surge: 44% of Breaches
(00:01:30) SMBs: 61% Breached, Zero Budget
(00:02:05) Nation-State Infrastructure Attacks
(00:02:34) FBI Breach and Open Source Compromise
(00:03:08) ETHS Closure and Hasbro Outage

A Qilin ransomware affiliate is actively exploiting CVE-2026-50751, an authentication bypass in Check Point's Remote Access and Mobile Access VPN products, with dozens of confirmed victims and no patch timeline announced. The vulnerability targets systems still running the deprecated IKEv1 protocol — an attack surface defined entirely by deferred maintenance.

That campaign lands against a dramatically worsened ransomware landscape. New figures show ransomware now appears in 44% of all data breaches, up from 32% the prior year — a 38% year-over-year rise. The ransomware-as-a-service ecosystem currently tracks 95 active gangs, 55 new families emerged in the past year, and double extortion is now standard in 88% of incidents. Small businesses face the sharpest exposure: 88% of SMB breaches involve ransomware, 61% of small firms were hit in the past year, and yet 47% of companies with fewer than 50 employees maintain zero dedicated cybersecurity budget.

Elsewhere, Russia-linked actors are targeting European energy and water infrastructure across Poland, Sweden, and Norway. Iranian hackers struck US water utilities and Stryker medical devices with destructive wiper malware. The FBI declared a major cyber incident after an unclassified network breach exposed surveillance target phone numbers, with attribution pointing to Chinese government actors. A supply chain compromise also backdoored widely-used open source tools including Trivy, Bitwarden, and Checkmarx, with downstream impact reaching OpenAI and Vercel. Evanston Township High School closed through Tuesday following a ransomware attack. Hasbro remains largely offline weeks after a March intrusion.

Key watchpoints: Check Point customers on IKEv1 need to act now. The open source supply chain map is still incomplete. The FBI breach is an unresolved national security question. This episode includes AI-generated content.

9 June 2026 · 4 min

Cisco SD-WAN Zero-Day Exploited, FBI Breach & Iran Hits Water Utilities

(00:00:00) Cisco SD-WAN Zero-Day Exploited, FBI Breach & Iran Hits Water Utilities
(00:01:00) FBI Breach Exposes Surveillance Targets
(00:01:32) Infrastructure as Active Battleground
(00:02:12) Social Security Database Under Investigation
(00:02:41) Supply Chain Breaches Continue Weekly
(00:03:09) Infostealers Feeding Ransomware Pipeline

A zero-day in Cisco's Catalyst SD-WAN Manager is being actively exploited in the wild — no patch exists, and it's the seventh SD-WAN flaw weaponised this year. CVE-2026-20245 carries a CVSS score of 7.8, enabling root command injection on edge devices. Cisco has confirmed unauthorised configuration changes in the wild, with no vendor fix available. Today's episode opens there and doesn't move on quickly.

From federal networks to critical infrastructure: the FBI has confirmed Chinese-linked actors compromised an unclassified network, exposing active surveillance targets and wiretap numbers from pen register data. The counterintelligence fallout could extend for years. Meanwhile, Iran-linked actors are actively targeting U.S. water utilities, Russia is sustaining its campaign against European power grids, and Iranian hackers wiped tens of thousands of devices at Stryker in March. Three nation-state actors are simultaneously running live operations against civilian infrastructure.

On the domestic data exposure front, DOGE-led access to the Social Security Administration's database remains under investigation. If worst-case assessments hold, this could be the largest government data breach in U.S. history by affected population. Open source supply chain compromises — hitting Trivy, Bitwarden, and Checkmarx — are now running at a weekly cadence, with stolen developer credentials cascading into downstream platforms including OpenAI and Vercel.

Rounding out today's briefing: infostealers have become the primary entry point for ransomware operations, with stolen session tokens remaining valid even after malware removal. ClickFix delivery and fake CAPTCHAs are the delivery mechanism of choice. This episode includes AI-generated content.

8 June 2026 · 4 min