Cyber Threat Brief for 2026-06-04

2026-06-06: SolarWinds Serv-U and Cisco SD-WAN vulnerabilities are being exploited in the wild with no patch

SHOW NOTES - 2026-06-06 STORIES COVERED * Today: * SolarWinds Serv-U CVE-2026-28318 Denial-of-Service Vulnerability (CISA KEV) [https://www.bleepingcomputer.com/news/security/cisa-hackers-now-exploit-solarwinds-serv-u-flaw-to-crash-servers/] [Critical Alerts] * Cisco Catalyst SD-WAN Manager CVE-2026-20245 Actively Exploited (No Patch Available) [https://thehackernews.com/2026/06/cisco-catalyst-sd-wan-manager-cve-2026.html] [Critical Alerts] * Palo Alto PAN-OS CVE-2026-0257 GlobalProtect Authentication Bypass [https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/] [Critical Alerts] * UNC3753 (Luna Moth, Chatty Spider) Vishing Campaign Targets US Law Firms [https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms/] [Ransomware & Extortion] * Over 900 US Automatic Tank Gauge Systems Exposed to Attacks [https://www.bleepingcomputer.com/news/security/over-900-us-gas-station-tank-gauge-systems-exposed-to-attacks/] [Business & Infrastructure Threats] * IronWorm and Miasma Worm Hit npm Supply Chain [https://thehackernews.com/2026/06/ironworm-and-new-miasma-worm-variant.html] [Business & Infrastructure Threats] * Smart TV Apps Turn Devices Into Web-Scraping Proxies for AI [https://thehackernews.com/2026/06/free-apps-are-quietly-turning-smart-tvs.html] [Business & Infrastructure Threats] * Microsoft Claude Code GitHub Action Exposes CI/CD Secrets [https://www.microsoft.com/en-us/security/blog/2026/06/05/securing-ci-cd-in-agentic-world-claude-code-github-action-case/] [Business & Infrastructure Threats] * Chinese APT UNC5221 Deploys New Malware (Plenet, AgentPSD) for Persistent Access [https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/] [Windows / AD Security] * OP-512 Threat Cluster Targets Microsoft IIS Servers with Custom Web Shell Framework [https://thehackernews.com/2026/06/new-threat-cluster-op-512-targets.html] [Windows / AD Security] * Polyfill Service Reactivation Causes Login Prompts on Major Websites [https://www.bleepingcomputer.com/news/security/suspicious-polyfill-login-prompts-pop-up-on-toshiba-muji-websites/] [General Security News] * 2026 Verizon DBIR Highlights Browser-Based Attacks and Shadow AI [https://www.bleepingcomputer.com/news/security/what-2026-dbir-confirms-attacks-are-living-in-the-browser/] [General Security News] * Vulnerability Disclosure Dispute Between Microsoft and Nightmare Eclipse Researcher [https://cyberscoop.com/microsoft-coordinated-vulnerability-disclosure-debacle/] [General Security News] * AI Agent Discovers 21 Zero-Days in FFmpeg [https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html] [Vulnerability Disclosures] * Chrome 149 Patches Record 429 Vulnerabilities [https://thehackernews.com/2026/06/ai-agent-uncovers-21-zero-days-in.html] [Vulnerability Disclosures] * Sound Blaster Katana V2X Speaker Remote Code Execution via Bluetooth [https://arstechnica.com/security/2026/06/highly-reviewed-speaker-can-be-hacked-over-the-air-to-infect-connected-devices/] [Vulnerability Disclosures] CVES REFERENCED CVE-2021-35211, CVE-2022-20775, CVE-2024-28995, CVE-2026-0257, CVE-2026-10881, CVE-2026-20122, CVE-2026-20127, CVE-2026-20128, CVE-2026-20133, CVE-2026-20182, CVE-2026-20245, CVE-2026-28318, CVE-2026-39210, CVE-2026-39218 INDICATORS OF COMPROMISE Domains: lhlsjcb[.]com., polyfill[.]io IP Addresses: 23.128.228.6, 104.207.144.154, 146.19.216.119, 146.19.216.120, 146.19.216.125, 179.43.172.213, 185.195.232.139, 198.12.106.60, 202.144.192.47 Read the full brief [https://carolinacleartech.com/brief/2026-06-06/]

2026-06-05: Cisco discloses seventh SD-WAN zero-day this year, now actively exploited for root escalation with

SHOW NOTES - 2026-06-05 STORIES COVERED * June 5, 2026 * Today: * Cisco SD-WAN Zero-Day Actively Exploited (CVE-2026-20245) [https://www.bleepingcomputer.com/news/security/new-cisco-sd-wan-flaw-exploited-in-zero-day-attacks-to-gain-root/] [Critical Alerts] * Cisco Unified CM Critical SSRF with Public PoC (CVE-2026-20230) [https://www.bleepingcomputer.com/news/security/cisco-warns-of-critical-unified-cm-flaw-with-poc-exploit-code/] [Critical Alerts] * Windows 11 Zero-Day (CVE-2026-0257) [https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-23-7/] [Critical Alerts] * AI Agents as Insider Threat [https://cyberscoop.com/ai-agent-insider-threat-cybersecurity-dtex/] [Business & Infrastructure Threats] * Claude Code GitHub Action Repository Takeover [https://thehackernews.com/2026/06/claude-code-github-action-flaw-let-one.html] [Business & Infrastructure Threats] * Microsoft Agentic AI Failure Modes v2.0 [https://www.microsoft.com/en-us/security/blog/2026/06/04/updating-taxonomy-failure-modes-agentic-ai-systems-year-red-teaming-taught-us/] [Business & Infrastructure Threats] * UN World Food Programme Gaza Breach (600,000 Households) [https://www.bleepingcomputer.com/news/security/un-world-food-programme-breach-affects-600-000-gaza-households/] [Business & Infrastructure Threats] * DentaQuest Breach (2.6 Million Accounts) [https://www.bleepingcomputer.com/news/security/dentaquest-data-breach-exposed-info-of-26-million-accounts/] [Business & Infrastructure Threats] * China-Linked TA4922 Expands to Europe [https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-23-7/] [Ransomware & Extortion] * IronWorm npm Supply Chain Attack (36 Packages) [https://www.bleepingcomputer.com/news/security/new-ironworm-malware-hits-36-packages-in-npm-supply-chain-attack/] [Ransomware & Extortion] * Russian Mobile Spyware Operation [https://thehackernews.com/2026/06/threatsday-bulletin-ai-agents-gone.html] [Ransomware & Extortion] * Microsoft M365 Copilot RCE (CVE-2026-45497) [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45497] [Windows / AD Security] * Windows Driver Update Issue [https://www.bleepingcomputer.com/news/microsoft/microsoft-blames-unexpected-windows-driver-updates-on-caching-issue/] [Windows / AD Security] * Chrome 149 Patches Record 429 Vulnerabilities [https://www.securityweek.com/chrome-149-patches-429-vulnerabilities/] [General Security News] * Hola Browser Supply Chain Compromise [https://www.bleepingcomputer.com/news/security/hola-browser-for-windows-compromised-to-deliver-cryptominer/] [General Security News] * Everest Forms Pro WordPress RCE Actively Exploited (CVE-2026-3300) [https://thehackernews.com/2026/06/hackers-exploit-critical-everest-forms.html] [General Security News] * Magecart Campaign Abuses Stripe API [https://www.bleepingcomputer.com/news/security/credit-card-theft-campaign-abuses-stripe-to-host-stolen-payment-info/] [General Security News] * VIP Keylogger via JavaScript Loaders [https://isc.sans.edu/diary/rss/33054] [General Security News] * FlutterShell macOS Malvertising [https://thehackernews.com/2026/06/fluttershell-backdoor-spreads-to-macos.html] [General Security News] * FIFA World Cup 2026 Scams [https://thehackernews.com/2026/06/fifa-world-cup-2026-scams-are-already.html] [General Security News] * Hitachi Energy ICS Vulnerabilities [https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-04] [Vulnerability Disclosures] * B&R PPT30 OPC-UA DoS (CVE-2025-11482) [https://www.cisa.gov/news-events/ics-advisories/icsa-26-155-03] [Vulnerability Disclosures] CVES REFERENCED CVE-2024-8176, CVE-2025-11482, CVE-2025-20309, CVE-2025-59375, CVE-2026-0257, CVE-2026-10881, CVE-2026-10882, CVE-2026-10883, CVE-2026-20045, CVE-2026-20127, CVE-2026-20182, CVE-2026-20230, CVE-2026-20245, CVE-2026-25253, CVE-2026-3300, CVE-2026-45497, CVE-2026-7310 INDICATORS OF COMPROMISE IP Addresses: 202.56.2.126, 209.146.60.26, 15.235.166.18, 185.78.165.153 Read the full brief [https://carolinacleartech.com/brief/2026-06-05/]

Cyber Threat Brief for 2026-06-04

SHOW NOTES - 2026-06-04 STORIES COVERED * June 4, 2026 * CISA Adds Three Actively Exploited Vulnerabilities to KEV Catalog [https://www.cisa.gov/news-events/alerts/2026/06/03/cisa-adds-one-known-exploited-vulnerability-catalog] [Critical Alerts] * Acer Wave 7 Routers Have Max-Severity Zero-Days Exposing Credentials [https://www.bleepingcomputer.com/news/security/acer-warns-of-max-severity-zero-days-affecting-wave-7-routers/] [Critical Alerts] * Microsoft 365 Android Apps Leaked OAuth Tokens via Debug Flag [https://thehackernews.com/2026/06/microsoft-365-android-apps-let-any-app.html] [Business & Infrastructure Threats] * Attackers Build Automated EDR Evasion Labs Using AI [https://www.darkreading.com/endpoint-security/attackers-automate-edr-evasion-testing] [Business & Infrastructure Threats] * CISA Warns of Cyberattacks Targeting Fuel Tank Monitoring Systems [https://www.bleepingcomputer.com/news/security/cisa-warns-of-cyberattacks-targeting-fuel-tank-monitoring-systems/] [Business & Infrastructure Threats] * HTTP/2 Bomb DoS Attack Crashes Web Servers in Seconds [https://www.bleepingcomputer.com/news/security/new-http-2-bomb-dos-attack-crashes-web-servers-in-under-a-minute/] [Business & Infrastructure Threats] * Fake Sites Mimicking Open-Source Tools Deliver Malware via Traffic Distribution System [https://research.checkpoint.com/2026/impersonation-click-hijacking-and-tds-inside-a-malware-distribution-ecosystem/] [Business & Infrastructure Threats] * Stock Exchange Executive's Outlook Mailbox Compromised for Five Months [https://thehackernews.com/2026/06/hackers-spied-on-stock-exchange.html] [Business & Infrastructure Threats] * TA4922 Chinese Cybercrime Group Expands to Europe with Atlas RAT [https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-atlas-rat-malware-in-european-cyberattacks/] [Business & Infrastructure Threats] * DesckVB RAT Campaign Abuses Google DoubleClick for Evasion [https://thehackernews.com/2026/06/google-doubleclick-abused-in-new.html] [Business & Infrastructure Threats] * U.S. Sanctions Nobitex Crypto Exchange Used by Iranian Ransomware Actors [https://www.bleepingcomputer.com/news/security/the-us-sanctions-nobitex-crypto-exchange-used-by-ransomware/] [Business & Infrastructure Threats] * Active Directory Description Fields Stored Passwords in Plaintext [https://www.theregister.com/security/2026/06/04/all-the-passwords-were-stored-in-active-directory-description-fields/5250820] [Windows / AD Security] * Unpatched Windows Search URI Vulnerability Leaks NTLMv2 Hashes [https://thehackernews.com/2026/06/unpatched-windows-search-uri.html] [Windows / AD Security] * One-Click GitHub.dev Attack Steals Full OAuth Tokens [https://thehackernews.com/2026/06/one-click-github-dev-attack-lets.html] [Vulnerability Disclosures] * Autonomous AI Tool Finds 2-Year-Old Redis RCE (CVE-2026-23479) [https://thehackernews.com/2026/06/autonomous-ai-tool-finds-2-year-old-rce.html] [Vulnerability Disclosures] * Google Gemini Prompt Injection via Android Notifications [https://www.darkreading.com/application-security/malicious-notifications-could-trick-google-gemini-users] [Vulnerability Disclosures] * Open-Source AI Models Used to Build Self-Spreading Worms [https://www.theregister.com/research/2026/06/04/free-ai-model-powers-self-spreading-worm-in-enterprise-test-network/5250918] [General Security News] * Cyber Insurance Rates Drop but Exclusions Widen [https://www.darkreading.com/cyber-risk/cyber-insurance-rates-drop-exclusions-widen] [General Security News] * Police Dismantle 9 Crime Groups in Illegal Streaming Crackdown [https://www.bleepingcomputer.com/news/security/police-dismantles-9-crime-groups-in-illegal-streaming-crackdown/] [General Security News] CVES REFERENCED CVE-2022-0492, CVE-2023-35636, CVE-2025-48595, CVE-2026-23479, CVE-2026-33829, CVE-2026-41100, CVE-2026-41101, CVE-2026-41102, CVE-2026-42832, CVE-2026-45247, CVE-2026-49200, CVE-2026-49201, CVE-2026-49975 INDICATORS OF COMPROMISE IP Addresses: 10.0.1.100 Read the full brief [https://carolinacleartech.com/brief/2026-06-04/]

2026-06-03: CISA adds Oracle WebLogic CVE-2024-21182 to KEV catalog after active exploitation with federal

SHOW NOTES - 2026-06-03 STORIES COVERED * June 3, 2026 * Today: * Oracle WebLogic CVE-2024-21182 Actively Exploited (CVE-2024-21182) [https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-actively-exploited-oracle-weblogic-flaw/] [Critical Alerts] * Google Patches Exploited Android Zero-Day (CVE-2025-48595) [https://www.bleepingcomputer.com/news/security/google-fixes-one-actively-exploited-android-zero-day-124-flaws/] [Critical Alerts] * Linux Kernel Privilege Escalation Added to KEV (CVE-2022-0492) [https://www.cisa.gov/news-events/alerts/2026/06/02/cisa-adds-two-known-exploited-vulnerabilities-catalog] [Critical Alerts] * Unpatched NTLM Coercion in Windows Search URI Handler (No CVE) [https://www.huntress.com/blog/unpatched-ntlm-coercion-windows-search-uri-handler] [Windows / AD Security] * Microsoft Backtracks on Zero-Day Researcher Legal Threats [https://www.securityweek.com/microsoft-tries-to-calm-legal-threat-fears-after-zero-day-disclosure-backlash/] [General Security News] * VS Code Zero-Day Allows GitHub Token Theft via Link Click [https://www.bleepingcomputer.com/news/security/vs-code-zero-day-lets-hackers-steal-github-tokens-in-one-click/] [General Security News] * AI-Built Ransomware Toolkit Automates EDR Evasion [https://www.bleepingcomputer.com/news/security/ai-built-ransomware-toolkit-automates-edr-evasion-ad-discovery/] [General Security News] * DriveSurge Campaign Hijacks Thousands of Sites for Malware Delivery [https://www.darkreading.com/cyberattacks-data-breaches/drivesurge-hijacks-thousands-sites-clickfix-fakeupdate-attacks] [General Security News] * Exchange Online Outage Causes Email Delays and Failures [https://www.bleepingcomputer.com/news/microsoft/microsoft-exchange-online-outage-causes-email-delays-failures/] [General Security News] * Gamaredon Exploits WinRAR to Deliver Malware Against Ukraine [https://thehackernews.com/2026/06/gamaredon-exploits-winrar-to-deliver.html] [Ransomware & Extortion] * WordPress Kirki Plugin Privilege Escalation Exploited (CVE-2026-8206) [https://www.bleepingcomputer.com/news/security/critical-kirki-flaw-exploited-to-hijack-wordpress-admin-accounts/] [Vulnerability Disclosures] * Microsoft Office Vulnerability (CVE-2026-21509) Used by APT28 [https://thehackernews.com/2026/06/gamaredon-exploits-winrar-to-deliver.html] [Vulnerability Disclosures] CVES REFERENCED CVE-2022-0492, CVE-2024-21182, CVE-2025-48595, CVE-2025-8088, CVE-2026-21509, CVE-2026-33825, CVE-2026-33829, CVE-2026-41091, CVE-2026-45498, CVE-2026-8206 INDICATORS OF COMPROMISE IP Addresses: 12.2.1.4, 14.1.1.0 Read the full brief [https://carolinacleartech.com/brief/2026-06-03/]

2026-06-02: Critical Alerts

SHOW NOTES - 2026-06-02 STORIES COVERED * CVE-2026-21182: Oracle WebLogic Server Added to CISA KEV [https://www.cisa.gov/news-events/alerts/2026/06/01/cisa-adds-one-known-exploited-vulnerability-catalog] [Critical Alerts] * CVE-2026-41089: Windows Netlogon RCE Under Active Exploitation [https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/] [Critical Alerts] * CVE-2026-0257: Palo Alto Networks GlobalProtect Authentication Bypass Exploited [https://www.securityweek.com/recent-palo-alto-networks-vulnerability-exploited-for-weeks/] [Critical Alerts] * Gogs Remote Code Execution Zero-Day (No CVE Yet) [https://thehackernews.com/2026/06/weekly-recap-new-linux-flaw-pan-os.html] [Critical Alerts] * Red Hat npm Packages Compromised in Supply Chain Attack [https://www.bleepingcomputer.com/news/security/red-hat-npm-packages-compromised-to-steal-developer-credentials/] [Business & Infrastructure Threats] * DriveSurge Campaign Hijacks Thousands of Sites for Malware Distribution [https://www.bleepingcomputer.com/news/security/hackers-hijack-thousands-of-sites-for-clickfix-and-fakeupdate-attacks/] [Business & Infrastructure Threats] * codexui-android npm Package Steals OpenAI Codex Tokens [https://thehackernews.com/2026/06/openai-codex-authentication-tokens.html] [Business & Infrastructure Threats] * Meta AI Support Bot Exploited for Instagram Account Takeover [https://krebsonsecurity.com/2026/06/hackers-used-metas-ai-support-bot-to-seize-instagram-accounts/] [Business & Infrastructure Threats] * WordPress Malware Hides C2 Data in Steam Profile Comments [https://www.bleepingcomputer.com/news/security/wordpress-malware-campaign-hides-payloads-in-steam-profiles/] [Business & Infrastructure Threats] * CVE-2026-45498, CVE-2026-33825, CVE-2026-41091: Additional Windows Zero-Days Under Exploitation [https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/] [Windows / AD Security] * Microsoft Outages Affecting MFA Setup and Office Apps [https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outage-affecting-mfa-setup-mysignin-service/] [Windows / AD Security] * KB5089549 Windows 11 Security Update Installation Issues Resolved [https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-kb5089549-windows-security-update-install-issues/] [Windows / AD Security] * CVE-2026-26980: Ghost CMS SQL Injection Under Active Exploitation [https://research.checkpoint.com/2026/1st-june-threat-intelligence-report/] [General Security News] * CVE-2026-8732: WP Maps Pro WordPress Plugin Exploited for Site Takeover [https://www.securityweek.com/wp-maps-pro-vulnerability-exploited-to-take-over-wordpress-sites/] [General Security News] * Dashlane Brute-Force Attack Results in Limited Vault Downloads [https://www.bleepingcomputer.com/news/security/dashlane-password-manager-users-locked-out-by-brute-force-attacks/] [General Security News] * SVG Files Used in Phishing Campaigns [https://isc.sans.edu/diary/rss/33040] [General Security News] * GlassWorm C2 Infrastructure Taken Down [https://thehackernews.com/2026/06/weekly-recap-new-linux-flaw-pan-os.html] [General Security News] * Carnival Corporation, Charter Communications, Lithuania Data Breaches [https://research.checkpoint.com/2026/1st-june-threat-intelligence-report/] [General Security News] * Spain Arrests Doxer Targeting Government Employees [https://www.bleepingcomputer.com/news/security/spain-arrests-doxer-leaking-sensitive-data-of-govt-employees/] [General Security News] * Check Point Security Gateways: CVE-2026-48131, CVE-2026-48132 [https://research.checkpoint.com/2026/1st-june-threat-intelligence-report/] [Vulnerability Disclosures] * China-Aligned Threat Activity Targeting Czech Republic, Taiwan, India [https://thehackernews.com/2026/06/china-aligned-groups-ramp-up-attacks.html] [Vulnerability Disclosures] * Pakistan-Linked SideCopy Targets Afghanistan with Xeno RAT [https://thehackernews.com/2026/06/pakistan-linked-sidecopy-targets.html] [Vulnerability Disclosures] CVES REFERENCED CVE-2026-0257, CVE-2026-21182, CVE-2026-26980, CVE-2026-33825, CVE-2026-41089, CVE-2026-41091, CVE-2026-45498, CVE-2026-45585, CVE-2026-48131, CVE-2026-48132, CVE-2026-8732 INDICATORS OF COMPROMISE IP Addresses: 164.92.88.210 Read the full brief [https://carolinacleartech.com/brief/2026-06-02/]