Weekly Threat Landscape Digest – Week 25

1. Multiple Critical Vulnerabilities in F5 NGINX Products

Overview

  • Multiple critical vulnerabilities were disclosed affecting several F5 NGINX products, including NGINX Open Source, NGINX Plus, NGINX Gateway Fabric, NGINX Instance Manager, NGINX Ingress Controller, and App Protect modules.
  • The flaws impact HTTP/3 (QUIC), HTTP/2, and gRPC processing.
  • Vulnerabilities allow remote, unauthenticated attackers to cause denial-of-service (DoS) and, in certain configurations, remote code execution (RCE).
  • Several vulnerabilities affect internet-facing deployments, increasing exposure risk.

Impact

  • Denial-of-service conditions.
  • Potential remote code execution under specific configurations.
  • Increased attack surface on internet-facing services.

Affected / Fixed Versions

  • CVE-2026-42530: NGINX Open Source 1.31.0–1.31.1 fixed in 1.31.2; NGINX Gateway Fabric 2.0.0–2.6.3 and 1.3.0–1.6.2 fixed in 2.6.4; NGINX Instance Manager 2.17.0–2.22.0 and NGINX Ingress Controller 3.5.0–5.5.0 remain unpatched.
  • CVE-2026-42055: NGINX Plus 37.0.0–37.0.1 and R33–R36 fixed in 37.0.2.1, R36 P6; NGINX Open Source 1.30.0–1.30.2 and 1.31.1 fixed in 1.30.3 and 1.31.2; multiple other F5 modules remain unpatched.
  • CVE-2026-11311 and CVE-2026-50107 affect NGINX Gateway Fabric 2.3.0–2.6.3, fixed in 2.6.4.

Recommendations

  • Immediately upgrade to the latest fixed versions where available.
  • Implement temporary mitigations if patches are unavailable: disable HTTP/3/QUIC, limit exposure of HTTP/2 and gRPC, restrict external access, and strengthen exploit mitigations.

Reference

https://my.f5.com/manage/s/article/K000161785

https://my.f5.com/manage/s/article/K000161611

https://my.f5.com/manage/s/article/K000161616

https://my.f5.com/manage/s/article/K000161584

2. FortiBleed Credential-Based Campaign Targeting Internet-Facing Fortinet Devices

Overview

  • A large-scale credential-based campaign, known as FortiBleed, targets internet-facing Fortinet FortiGate firewalls and SSL-VPN gateways.
  • The campaign uses previously compromised administrator and VPN credentials to access devices, not a new software vulnerability.
  • A credential database with access details for 30,791 Fortinet devices in 194 countries was disclosed on June 16, 2026.
  • Primary targets are SSL-VPN services running on TCP ports 443, 4443, 8443, and 10443.
  • Upon access, attackers passively capture additional credentials traveling through compromised appliances, enabling further intrusions.
  • There is no evidence that Fortinet infrastructure or customer databases were breached.

Impact

  • Unauthorized remote VPN or administrator access.
  • Access to internal corporate networks and expanded credential compromise.
  • Modification of firewall and VPN configurations to maintain persistence.
  • Disabling or weakening of security controls.
  • Lateral movement within enterprise environments.
  • Heightened risk of ransomware deployment and data theft.

Affected / Fixed Versions

  • No specific CVEs or official vulnerabilities identified.
  • Organizations should verify and update to the latest supported FortiOS firmware versions.

Recommendations

  • Immediately rotate all Fortinet administrator and VPN credentials and invalidate stored authentication tokens.
  • Remove or restrict public exposure of SSL-VPN and firewall management interfaces.
  • Enforce Multi-Factor Authentication (MFA) for SSL-VPN, administrators, and remote management.
  • Prohibit password reuse and require credential updates after firmware upgrades to ensure PBKDF2 hashing.
  • Upgrade FortiGate devices to the latest firmware and apply all security updates.
  • Monitor authentication logs, admin activities, configuration changes, failed logins, and unusual access patterns.
  • Implement privileged access management, conditional VPN access policies, network segmentation, and centralized SIEM monitoring.
  • Conduct regular credential hygiene, password rotation, and firewall configuration audits.

Reference

https://www.hudsonrock.com/fortinet

3. Critical OS Command Injection Vulnerability in Splunk AI Toolkit

Overview

  • CVE-2026-20266 is a critical OS command injection vulnerability in the btool configuration helper of the Splunk AI Toolkit.
  • The flaw arises from unsafe shell execution patterns where dynamic parameters are used in OS command strings without proper shell interpretation safeguards.
  • Exploitation requires an authenticated user with administrative privileges on Splunk Enterprise.

Impact

  • An attacker with the admin Splunk role can execute arbitrary operating system commands on the host running Splunk Enterprise.
  • This can lead to full system compromise, affecting confidentiality, integrity, and availability.

Affected / Fixed Versions

  • Affected: Splunk AI Toolkit versions prior to 5.7.4.
  • Fixed: Splunk AI Toolkit version 5.7.4 and later.

Recommendations

  • Update to Splunk AI Toolkit version 5.7.4 or later to mitigate this vulnerability.

Reference

https://advisory.splunk.com/advisories/SVD-2026-0614

4. Security Updates – Cisco

Overview

  • Cisco released security updates addressing multiple vulnerabilities across various products.
  • Affected products include Cisco Identity Services Engine (ISE), Cisco Catalyst SD-WAN Controller, Cisco Webex App, Cisco Umbrella Virtual Appliance, and Cisco Crosswork Network Controller.
  • Vulnerabilities range from medium to critical severity.
  • Issues include remote code execution, authentication bypass, privilege escalation, information disclosure, open redirect, and server-side template injection.

Impact

  • CVE-2026-20181 (Critical): Remote code execution on Cisco ISE by unauthenticated attackers.
  • CVE-2026-20190 (Critical): Unauthorized information disclosure on Cisco ISE.
  • CVE-2026-20127 & CVE-2026-20182 (Critical): Authentication bypass on Cisco Catalyst SD-WAN Controller, leading to unauthorized access.
  • CVE-2026-20178 (Medium): Open redirect in Cisco Webex App, enabling redirect to malicious sites.
  • CVE-2026-20246 (Medium): Privilege escalation in Cisco Umbrella Virtual Appliance by local authenticated users.
  • CVE-2026-20220 (Medium): Server-side template injection in Cisco Crosswork Network Controller allowing command execution by authenticated attackers.

Affected / Fixed Versions

  • Refer to the official Cisco advisories for the affected and fixed software versions of each product.

Recommendations

  • Apply the latest Cisco security updates and patches promptly.
  • Follow Cisco’s provided mitigation and workaround guidance.
  • Monitor systems for unusual activity indicative of exploitation attempts.

Reference

https://sec.cloudapps.cisco.com/security/center/publicationListing.x

5. Account Takeover Vulnerability in ManageEngine Products

Overview

  • CVE-2026-11374 is a high-severity vulnerability affecting ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus when integrated with ManageEngine AD360.
  • The issue arises from predictable Single Sign-On (SSO) ticket generation.
  • An unauthenticated attacker can predict valid SSO tickets, retrieve user identity and roles, and take over user accounts.
  • The attack vector is network-based, and no authentication is required to exploit the flaw.

Impact

  • Account takeover of targeted user accounts via SSO ticket prediction.
  • Exposure of user identity and role information.

Affected / Fixed Versions

  • ADSelfService Plus: affected versions 6528 and earlier; fixed in 6529.
  • RecoveryManager Plus: affected versions 6320 and earlier; fixed in 6321.
  • M365 Manager Plus: affected versions 4816 and earlier; fixed in 4817.
  • ADAudit Plus: affected versions 8702 and earlier; fixed in 8703.

Recommendations

  • Immediately upgrade affected products integrated with ManageEngine AD360 to the fixed versions.
  • Review integration and authentication configurations to ensure secure SSO implementation.

Reference

https://www.manageengine.com/products/self-service-password/advisory/CVE-2026-11374.html

6. Actively Exploited Vulnerability in Joomla JCE

Overview

  • CVE-2026-48907 is a critical vulnerability in the Joomla Content Editor (JCE) extension by Widget Factory.
  • The flaw carries a CVSS score of 10.0; it is caused by improper access control that allows unauthenticated attackers to perform privileged actions.
  • The attack vector is remote; no authentication or user interaction is required.

Impact

  • Unauthenticated creation of editor profiles.
  • Arbitrary PHP file upload leading to remote code execution.
  • Deployment of web shells.
  • Full website compromise, server takeover, and installation of persistent backdoors.
  • Actively exploited in the wild.

Affected / Fixed Versions

  • Affected: JCE versions 1.0.0 through 2.9.99.4.
  • Fixed: Version 2.9.99.5 and later.

Recommendations

  • Immediately upgrade JCE to version 2.9.99.5 or later to mitigate exploitation risk.

Reference

https://www.cve.org/CVERecord?id=CVE-2026-48907

7. Security Updates – Atlassian

Overview

  • Atlassian released June 2026 security updates addressing multiple critical and high-severity vulnerabilities across Bamboo, Bitbucket, Confluence, Crowd, Fisheye/Crucible, Jira Software, and Jira Service Management.
  • Vulnerabilities primarily stem from insecure third-party dependencies such as axios, Apache Tomcat, Netty, and Spring Security.
  • Exploits could lead to remote code execution (RCE), authentication bypass, server-side request forgery (SSRF), injection attacks, HTTP request smuggling, information disclosure, and denial-of-service (DoS).

Impact

  • Critical issues include SSRF (CVE-2026-42043, CVSS 10.0), prototype pollution (CVE-2026-40175, CVSS 10.0), injection (CVE-2026-41293, CVSS 9.8), authentication bypass (CVE-2026-43512, CVSS 9.8), and HTTP request smuggling (CVE-2026-42581, CVSS 9.8).
  • High-severity RCE vulnerabilities affect Bamboo (CVE-2026-41044, CVSS 8.8) and Jira platforms (CVE-2026-42211, CVSS 8.1).
  • Several DoS vulnerabilities are present in Netty, minimize, and other dependencies, with CVSS scores up to 8.7.

Affected / Fixed Versions

  • Bamboo Data Center/Server: upgrade to 12.1.8 (LTS) or 10.2.20 (LTS) (Data Center only).
  • Bitbucket Data Center/Server: upgrade to 10.3.1, 10.2.4 (LTS), or 9.4.21 (LTS) (Data Center only).
  • Confluence Data Center/Server: upgrade to 10.2.13 (LTS) or 9.2.21 (LTS) (Data Center only).
  • Crowd Data Center/Server: upgrade to 7.2.1 (Data Center only).
  • Jira Data Center/Server: upgrade to 11.3.7 (LTS) or 10.3.22 (LTS) (Data Center only).
  • Jira Service Management Data Center/Server: upgrade to 11.3.7 (LTS) or 10.3.22 (LTS) (Data Center only).

Recommendations

  • Immediately update affected Atlassian products to the applicable fixed or latest versions.
  • Review use of third-party dependencies highlighted and monitor for indicators of compromise.
  • Implement network-level mitigations to detect and block SSRF and request smuggling attempts.
  • Maintain vigilance for any exploitation attempts, especially targeting critical RCE and authentication bypass vulnerabilities.

Reference

https://confluence.atlassian.com/security/security-bulletin-june-16-2026-1796309326.html

8. Security Updates – Google Chrome

Overview

  • Google released security updates addressing multiple vulnerabilities in Chrome, including critical use-after-free bugs and high-severity memory corruption, input validation, and security implementation flaws.

Impact

  • Exploitation could lead to arbitrary code execution, sensitive information disclosure, security control bypass, or browser crashes.

Vulnerabilities

  • Critical: CVE-2026-12437 through CVE-2026-12443 affecting WebShare, WebView, Digital Credentials, File Input, Passwords, and Web Authentication components.
  • High: CVE-2026-12444 through CVE-2026-12469 covering out-of-bounds reads, use-after-free, heap buffer overflows, insufficient validation, race conditions, and incorrect security UI across Chromoting, Extensions, WebRTC, Media, Downloads, Safe Browsing, Tab Strip, Serial, File System Access, Views, Browser, Metrics, Updater, and GPU components.

Affected / Fixed Versions

  • Chrome Stable for Windows/Mac: fixed in 149.0.7827.155/.156 or later.
  • Chrome Stable for Linux: fixed in 149.0.7827.155 or later.
  • Chrome 149 for Android: fixed in 149.0.7827.159 or later.
  • Chrome Extended Stable for Windows/Mac: fixed in 148.0.7778.271 or later.

Recommendations

  • Update Google Chrome to the latest stable version immediately to mitigate risk.

Reference

https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01750511403.html

https://chromereleases.googleblog.com/

9. Security Updates – NVIDIA NeMo Framework

Overview

  • NVIDIA released security updates addressing three high-severity vulnerabilities in the NeMo Framework.
  • Vulnerabilities affect versions prior to 2.7.3 and include code injection, OS command injection, and deserialization of untrusted data.

Impact

  • CVE-2026-24155 (Code Injection, CVSS 7.8): Allows low-privilege authenticated attackers to inject and execute malicious code within the application context.
  • CVE-2026-24252 (OS Command Injection, CVSS 7.8): Enables execution of unintended OS commands on Linux systems due to improper input handling.
  • CVE-2026-24228 (Deserialization of Untrusted Data, CVSS 7.8): Malicious serialized objects can cause arbitrary code execution during deserialization on Linux.

Affected / Fixed Versions

  • Affected: NVIDIA NeMo Framework versions prior to 2.7.3.
  • Fixed: NVIDIA NeMo Framework version 2.7.3 and later.

Recommendations

  • Upgrade NVIDIA NeMo Framework to version 2.7.3 or later immediately to mitigate these vulnerabilities.
  • Monitor for any suspicious activity that could indicate exploitation attempts targeting these flaws.

Reference

https://nvidia.custhelp.com/app/answers/detail/a_id/5839

10. Critical Vulnerability in HP One Agent Software

Overview

  • HP released a security advisory for multiple vulnerabilities in HP One Agent Software used on certain HP PC products.
  • The advisory details one Critical, one High, and one Medium severity vulnerability.

Impact

  • Exploitation could allow privilege escalation, unauthorized actions, or denial-of-service impacting system availability.

Vulnerability Details

  • CVE-2024-5535: Critical severity, CVSS 9.1.
  • CVE-2026-5064: High severity, CVSS 8.5.
  • CVE-2024-12797: Medium severity, CVSS 6.3.

Affected / Fixed Versions

  • Fixed in HP Privacy Settings version 1.5.21.0 or later, which includes HP One Agent version 1.3.214.7339 or later, distributed via Microsoft Store.

Recommendations

  • Immediately update HP Privacy Settings to version 1.5.21.0 or later.
  • Verify HP One Agent is running version 1.3.214.7339 or newer.

Reference

https://support.hp.com/us-en/document/ish_15146555-15146580-16/hpsbhf04060

11. Actively Exploited Vulnerability in LiteSpeed cPanel Plugin

Overview

  • CVE-2026-54420 is a high-severity (CVSS 8.5) privilege escalation vulnerability in the LiteSpeed cPanel User-End Plugin.
  • The flaw results from improper validation of symbolic links created or modified by limited access users (FTP or web shell accounts).
  • Attackers can exploit this to escalate privileges to root on shared hosting environments using CloudLinux/CageFS.
  • Exploitation has been observed in the wild, threatening tenant isolation in shared hosting.

Impact

  • Unauthorized root privilege escalation on shared hosting servers.
  • Potential unauthorized access to restricted files and host-level compromise.

Affected / Fixed Versions

  • Affected: LiteSpeed cPanel User-End Plugin versions prior to 2.4.8 on servers using CloudLinux/CageFS.
  • Not affected: LiteSpeed WHM Plugin itself, but older bundled user-end plugin versions remain vulnerable.
  • Fixed: LiteSpeed cPanel Plugin version 2.4.8 and later; LiteSpeed WHM Plugin v5.3.2.1 and later.

Recommendations

  • Immediately upgrade all affected LiteSpeed cPanel plugins to version 2.4.8 or later.
  • Review cPanel and system logs using the grep commands provided in the LiteSpeed advisory to detect exploitation attempts.
  • Investigate suspicious IP addresses exhibiting exploitation indicators.
  • Monitor for unauthorized privilege escalations and post-exploitation activity.
  • Enable automatic updates where possible to reduce exposure.

Reference

https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/

https://www.tenable.com/cve/CVE-2026-54420

12. Actively Exploited Vulnerability in Cisco Catalyst SD-WAN Manager

Overview

  • CVE-2026-20262 affects the web-based management interface of Cisco Catalyst SD-WAN Manager (formerly vManage).
  • Insufficient validation of user-supplied input during file upload operations allows authenticated attackers, including low-privileged users, to create or overwrite arbitrary files on the underlying OS.
  • Uploaded files can be leveraged for privilege escalation to root-level access.
  • Exploitation has been confirmed in the wild as of June 2026.

Impact

  • Potential full system compromise of the SD-WAN management platform.
  • Privilege escalation leading to root-level control.

Affected / Fixed Versions

  • Affected: Cisco Catalyst SD-WAN Manager versions 20.9.9.1 and earlier, 20.12.7.1 and earlier, 20.15.4.4 and earlier, 20.15.5.2 and earlier, 20.18.3, 26.1.1.1 and earlier across all deployment models.
  • Fixed versions: 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, 26.1.1.2.

Recommendations

  • Upgrade Cisco Catalyst SD-WAN Manager to a fixed release immediately.
  • Restrict internet exposure of SD-WAN Manager instances.
  • Review and remove unnecessary or inactive user accounts.
  • Monitor logs (vManage server, appserver, service-proxy) for suspicious file uploads and unauthorized access.
  • Investigate presence of suspicious file “suspicious.war” and related activity.
  • Engage Cisco TAC if compromise is suspected.

Reference

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ

13. Critical Vulnerability in Wazuh Manager Inventory Sync

Overview

  • A critical vulnerability exists in Wazuh Manager versions 5.0.0-beta1 and later, specifically in the inventory synchronization subsystem.
  • The flaw allows injection of arbitrary OpenSearch _bulk operations via an unsanitized agent-controlled field (DataValue.index).
  • This enables unauthorized manipulation of documents in the Wazuh Indexer.

Impact

  • Remote attackers enrolling rogue agents can exploit this vulnerability without privileges.
  • Can lead to arbitrary deletion, modification, and creation of OpenSearch documents.
  • Potential consequences include tampering with alerts, erasing forensic evidence, altering vulnerability data, and compromising analyst dashboards.
  • Assigned CVSS v3.1 score of 10.0 (Critical).
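
The injection class described above, shown as a naive NDJSON builder beside a hardened one. This is an added illustration, not Wazuh's own code: the index names, allowlist policy and the sample agent record are constructed for the example, and the `_bulk` parsing mirrors OpenSearch's action-line/source-line pairing.

```python
"""Added example: an agent-controlled index value pasted into an OpenSearch _bulk
body by string formatting, beside the validated version. All names are constructed."""
import json
import re

# Assumed policy for this example: agent inventory data may only be written to
# manager-defined inventory indices (not Wazuh's actual policy).
ALLOWED_INDEX_PREFIXES = ("wazuh-states-",)
# OpenSearch index-name rules: lowercase, no reserved characters, no leading _ - +,
# at most 255 bytes. A newline or quote can never pass this pattern.
INDEX_NAME_RE = re.compile(r"[a-z0-9][a-z0-9._-]{0,254}")


class BulkInjectionError(ValueError):
    """Raised when an agent-controlled index value fails validation."""


def validate_index(index):
    """Allowlist check for a DataValue.index-style field before it reaches the bulk body."""
    if not isinstance(index, str) or not INDEX_NAME_RE.fullmatch(index):
        raise BulkInjectionError(f"illegal index name: {index!r}")
    if not index.startswith(ALLOWED_INDEX_PREFIXES):
        raise BulkInjectionError(f"index not permitted for agent data: {index!r}")
    return index


def is_safe_index(index):
    """Boolean wrapper around validate_index for callers that only need a verdict."""
    try:
        validate_index(index)
        return True
    except BulkInjectionError:
        return False


def naive_bulk_entry(index, doc_id, doc):
    """Vulnerable pattern: the agent-controlled field is pasted into the action line by
    string formatting, so newlines and quotes inside it become extra bulk operations."""
    return '{"index":{"_index":"%s","_id":"%s"}}\n%s\n' % (index, doc_id, json.dumps(doc))


def safe_bulk_entry(index, doc_id, doc):
    """Hardened pattern: validate the index against the allowlist and let json.dumps
    serialise the whole action line, so no agent value can terminate or add a line."""
    action = {"index": {"_index": validate_index(index), "_id": str(doc_id)}}
    return (json.dumps(action, separators=(",", ":")) + "\n"
            + json.dumps(doc, separators=(",", ":")) + "\n")


def parse_bulk(body):
    """Interpret an NDJSON body the way _bulk does: an action line followed by a source
    line for index/create/update (delete has none). Returns (operation, index) pairs."""
    lines = [line for line in body.split("\n") if line]
    ops, i = [], 0
    while i < len(lines):
        action = json.loads(lines[i])
        op = next(iter(action))
        ops.append((op, action[op].get("_index")))
        i += 1 if op == "delete" else 2
    return ops


# Constructed hostile value: a valid-looking name, then a fake source line, a delete
# against an alerts index, and a fresh action line so the builder's own suffix still parses.
HOSTILE_INDEX = ('wazuh-states-inventory-packages","_id":"x"}}\n{}\n'
                 '{"delete":{"_index":"wazuh-alerts-4.x-2026.06.17","_id":"alert-1"}}\n'
                 '{"index":{"_index":"wazuh-states-inventory-packages')

if __name__ == "__main__":
    doc = {"agent_id": "007", "package": "openssl", "version": "3.0.13"}  # constructed record
    print(parse_bulk(naive_bulk_entry(HOSTILE_INDEX, "007-pkg-1", doc)))  # three operations
    try:
        safe_bulk_entry(HOSTILE_INDEX, "007-pkg-1", doc)
    except BulkInjectionError as exc:
        print("rejected:", exc)
```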

Affected / Fixed Versions

  • Affected: Wazuh Manager versions 5.0.0-beta1 and later.
  • Fixed: Wazuh Manager version 5.0.0-beta3.

Recommendations

  • Upgrade Wazuh Manager to version 5.0.0-beta3 or later immediately to mitigate risk.

Reference

https://github.com/wazuh/wazuh/security/advisories/GHSA-ff9g-85jq-r3g3

14. Multiple Vulnerabilities in Apache HTTP Server

Overview

  • Multiple vulnerabilities identified in Apache HTTP Server 2.4.67 and earlier across several modules including mod_proxy_html, mod_dav_fs, mod_proxy_ftp, mod_http2, mod_ldap, mod_xml2enc, mod_ssl, and core components.
  • Issues include buffer overflows, use-after-free, out-of-bounds reads, denial of service (DoS), infinite loops, improper privilege management, and cross-site scripting (XSS).

Impact

  • Potential for denial of service via infinite loops, service crashes, and excessive memory allocation.
  • Memory corruption and buffer overflows leading to potential exploitation.
  • Privilege escalation allowing local .htaccess authors unauthorized file access.
  • Cross-site scripting in FTP directory listings.
  • Unauthorized manipulation of DAV property databases.
  • Stack buffer over-read during outbound OCSP requests.

Affected / Fixed Versions

  • Affected: Apache HTTP Server 2.4.67 and earlier.
  • Fixed: Apache HTTP Server 2.4.68 and later.

Recommendations

  • Update to Apache HTTP Server version 2.4.68 or later immediately to mitigate these vulnerabilities.
  • Review server configurations especially related to affected modules and validate backend server trustworthiness.
  • Monitor for unusual service crashes, DoS symptoms, or unauthorized access attempts.

Reference

https://httpd.apache.org/security/vulnerabilities_24.html

15. CVE-2026-42014 GnuTLS: Fix Use-After-Free in gnutls_pkcs11_token_set_pin

Overview

  • A use-after-free vulnerability was identified in the gnutls_pkcs11_token_set_pin function of GnuTLS.

Impact

  • An attacker could exploit this flaw to cause a denial of service or potentially execute arbitrary code.

Recommendations

  • Apply the security update from GnuTLS that addresses this use-after-free issue.

Reference

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42014

16. Apple Patches Beats Studio Buds Flaw Letting Nearby Attackers Spy via Microphone

Overview

  • A high-severity vulnerability (CVE-2025-20701) affecting Beats Studio Buds wireless earbuds allows unauthorized pairing via the Airoha Bluetooth audio SDK due to incorrect authorization.

Impact

  • Nearby attackers can exploit this flaw to pair with the device without user consent and eavesdrop on conversations through the microphone.

Affected / Fixed Versions

  • Beats Studio Buds firmware prior to the latest update released by Apple.

Recommendations

  • Update Beats Studio Buds to the latest firmware version provided by Apple to mitigate the vulnerability.

Reference

https://thehackernews.com/2026/06/apple-patches-beats-studio-buds-flaw.html

17. New iPhone BootROM Vulnerability Exposes Apple SoCs to Full Chain-of-Trust Compromise

Overview

  • A BootROM vulnerability named usbliter8 affects Apple devices with A12, S4/S5, and A13 SoCs.
  • The flaw is in the Synopsys DWC2 USB controller’s handling of USB Setup packets, where pointer arithmetic errors cause a buffer underflow.
  • On A12 and A13, this enables full application processor boot-chain compromise, and no software patch is possible because the BootROM is immutable.
  • A14 and newer SoCs properly configure the USB DART/IOMMU, which makes the flaw unexploitable on that hardware.

Impact

  • Allows arbitrary memory overwrite via DMA, enabling code execution in SecureROM’s EL1 execution environment.
  • Bypasses Apple Secure Boot chain, allowing unsigned iBoot images to load and SoC demotion.
  • Compromises the Secure Enclave indirectly, increasing the attack surface despite its additional security boundary.

Affected / Fixed Versions

  • Affected: Apple A12 (iPhone XS, XR, iPad Pro 2018), Apple S4/S5 (Apple Watch Series 4/5), Apple A13 (iPhone 11 series).
  • No software or firmware fix possible; mitigation requires migrating to A14 or later hardware generations.

Recommendations

  • Upgrade to Apple devices with A14 or newer SoCs to avoid exposure to this vulnerability.
  • Monitor related threat intelligence for developments, especially regarding indirect Secure Enclave attack vectors.

Reference

https://cybersecuritynews.com/iphone-bootrom-vulnerability/

18. Hackers Breached Klue Integration to Steal Salesforce CRM Data via OAuth Tokens

Overview

  • Threat actors exploited compromised credentials of the Klue Battlecards Salesforce integration to harvest CRM data.
  • Attackers used OAuth tokens generated from the compromised service account to access Salesforce’s REST API.
  • The attack involved a two-phase data exfiltration: prolonged slow extraction mimicking normal integration traffic followed by a burst of high-volume queries.
  • This activity is linked to known OAuth-abuse tactics previously attributed to threat groups ShinyHunters and UNC6395.

Impact

  • Potential unauthorized access to account records, contact details, deal outcomes, and pricing data.
  • Large-scale data exfiltration over sustained periods without triggering typical user compromise alerts.

Recommendations

  • Immediately revoke and rotate all Klue integration credentials, including service account passwords, OAuth refresh tokens, and client secrets.
  • Audit Salesforce REST API logs for unusual activity patterns such as high query volumes, repeated pagination, use of the Python-urllib user agent, and access from unfamiliar IPs.
  • Implement IP allowlisting for connected apps and restrict API access to trusted infrastructure only.
  • Increase API-layer visibility to detect similar OAuth token abuse attempts in integration-heavy environments.
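
The two-phase pattern and the four audit indicators above, turned into a detector run over constructed access records. This is an added example, not Klue's or Salesforce's code: the record layout, the allowlisted egress IP, the `/query/01g` pagination marker and the ten-times-median burst threshold are assumptions for the illustration.

```python
"""Added example: flag the OAuth token abuse pattern summarised above in Salesforce
REST API access records. Field names and sample values are constructed for this
illustration and do not follow a Salesforce event log schema."""
import statistics
from collections import Counter
from datetime import datetime, timedelta

TRUSTED_IPS = {"198.51.100.5"}          # constructed allowlist: the integration's own egress IP
SUSPICIOUS_UA_PREFIX = "python-urllib"   # user agent named in the digest as an indicator
PAGINATION_MARKER = "/query/01g"         # assumption: queryMore locators begin with "01g"
BURST_FACTOR = 10                        # an hour with >= 10x the median hourly volume is a burst


def rec(ts, ip, ua, uri, rows):
    """One REST API call: when, from where, with which client, to which URI, how many rows."""
    return {"timestamp": ts, "client_ip": ip, "user_agent": ua, "uri": uri, "rows": rows}


def build_sample_logs():
    """Constructed traffic: 48 h of slow extraction from an unfamiliar IP hidden among
    real integration polling, then a high-volume paginated burst in hour 49."""
    start = datetime(2026, 6, 10, 0, 0)
    logs = []
    for hour in range(48):
        ts = start + timedelta(hours=hour)
        for i in range(3):   # legitimate integration polling
            logs.append(rec(ts + timedelta(minutes=15 * i), "198.51.100.5", "Klue-Integration/1.0",
                            "/services/data/v60.0/query?q=SELECT+Id+FROM+Account", 200))
        for i in range(2):   # slow-phase extraction mimicking the integration
            logs.append(rec(ts + timedelta(minutes=5 + 30 * i), "203.0.113.10", "Python-urllib/3.11",
                            "/services/data/v60.0/query?q=SELECT+Id,Name,Amount+FROM+Opportunity", 2000))
    burst = start + timedelta(hours=48)
    for i in range(400):     # burst phase: walking a large result set page by page
        logs.append(rec(burst + timedelta(seconds=8 * i), "203.0.113.10", "Python-urllib/3.11",
                        f"/services/data/v60.0/query/01gXX0000000001-{2000 * (i + 1)}", 2000))
    return logs


def analyze(records, trusted_ips=TRUSTED_IPS):
    """Compute the four indicators from the recommendations over `records`."""
    findings = {"python_urllib_calls": 0, "untrusted_ips": Counter(),
                "pagination_calls": 0, "burst_hours": []}
    per_hour = Counter()
    for r in records:
        if r["user_agent"].lower().startswith(SUSPICIOUS_UA_PREFIX):
            findings["python_urllib_calls"] += 1
        if r["client_ip"] not in trusted_ips:
            findings["untrusted_ips"][r["client_ip"]] += r["rows"]   # rows pulled per unfamiliar IP
        if PAGINATION_MARKER in r["uri"]:
            findings["pagination_calls"] += 1
        per_hour[r["timestamp"].replace(minute=0, second=0, microsecond=0)] += 1
    if per_hour:
        # The slow phase sets a low median; the burst hour stands far above it.
        median = statistics.median(per_hour.values())
        findings["burst_hours"] = sorted(h for h, n in per_hour.items()
                                         if n >= BURST_FACTOR * max(median, 1))
    return findings


if __name__ == "__main__":
    f = analyze(build_sample_logs())
    print(f"Python-urllib calls: {f['python_urllib_calls']}")
    print(f"rows pulled from untrusted IPs: {dict(f['untrusted_ips'])}")
    print(f"pagination calls: {f['pagination_calls']}")
    print("burst hours:", [h.isoformat() for h in f["burst_hours"]])
```

Against real data the same four checks would run over exported API event logs, with the allowlist and pagination marker replaced by the organisation's own values.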

Reference

https://cybersecuritynews.com/klue-integration-breached-salesforce/

19. How Software Development’s Speed Obsession Enabled TeamPCP’s Chaos Crusade

Overview

  • TeamPCP has compromised and injected malicious code into over 1,000 open-source software packages across ecosystems like npm, PyPI, and GitHub within four months.
  • The group exploits trust weaknesses in the open-source supply chain, targeting CI/CD workflows to spread malware automatically to downstream users.
  • Their attacks leverage automated deployment systems and the growing reliance on AI tools that reduce human oversight during package installation and updates.
  • TeamPCP’s activity is attributed primarily to a single operator based in South Africa, with a few associates also tracked.
  • The threat actor’s motivation centers on causing chaos and gaining underground recognition rather than extortion profits.
  • Compromised packages have amassed roughly 500 million weekly downloads, affecting notable projects such as Checkmarx, Bitwarden, PyTorch Lightning, SAP, Microsoft DurableTask, and Red Hat.

Impact

  • Malware injected into open-source packages steals credentials for cloud environments including Kubernetes, AWS, Azure, and Google Cloud.
  • Though potentially extensive, actual exploitation risk varies as many infected endpoints are not externally exposed.
  • TeamPCP’s campaigns have caused significant disruption and damaged trust in open-source software distribution and maintenance processes.

Recommendations

  • Strengthen security around CI/CD pipelines and credential management for publishing software packages.
  • Implement rigorous vetting and monitoring of open-source dependencies before integration.
  • Increase human oversight and sanity checks, especially when AI-assisted tools are used in software builds and deployments.
  • Monitor repositories actively and respond quickly to suspicious package updates to limit exposure time.

Reference

https://cyberscoop.com/teampcp-breaks-open-source-software-trust-model/

20. Accenture Shells Out $4.18B on Three Companies in Big Industrial Cybersecurity Push

Overview

  • Accenture announced acquisitions totaling $4.18 billion, including a majority stake in industrial cybersecurity firm Dragos ($3.25B) and full purchases of runZero and NetRise.
  • The move marks a strategic pivot towards operational technology (OT) cybersecurity, focusing on protecting critical infrastructure sectors such as power grids, pipelines, and factories.
  • Dragos specializes in OT threat detection with a proprietary industrial threat intelligence dataset.
  • runZero provides asset discovery and attack surface intelligence, mapping connected devices and exposures.
  • NetRise offers firmware-level visibility and software supply chain security to address vulnerabilities in industrial device ecosystems.
  • The combined entity will operate independently under Accenture, led by Dragos CEO Robert M. Lee.

Impact

  • Enhances Accenture’s footprint in the OT cybersecurity market, addressing growing AI-driven threats targeting OT environments.
  • Aims to provide end-to-end OT security solutions amid increased AI integration in industrial decision-making and adversaries leveraging AI to shorten attack times.
  • Expected to improve defense capabilities for critical infrastructure exposed due to traditional IT-focused cybersecurity budgets.

Recommendations

  • Organizations in critical infrastructure sectors should monitor developments from Accenture’s expanded OT cybersecurity offerings for potential adoption.
  • Emphasize the need for integrated xOT (extended OT) cybersecurity approaches that protect both traditional IT and OT assets in convergence environments.

Reference

https://cyberscoop.com/accenture-industrial-cybersecurity-acquisition-dragos-netrise-runzero/

21. Apple Fixes Beats Studio Buds Flaw That Let Hackers Spy on Conversations

Overview

  • Apple released security updates to address a high-severity flaw in Beats Studio Buds wireless earbuds.
  • The vulnerability could allow attackers within Bluetooth range to eavesdrop on users’ conversations.

Impact

  • Unauthorized interception of audio streams from affected earbuds, compromising user privacy.

Recommendations

  • Update Beats Studio Buds firmware to the latest version provided by Apple immediately to mitigate the risk.

Reference

https://www.bleepingcomputer.com/news/security/apple-fixes-beats-studio-buds-flaw-that-let-hackers-spy-on-conversations/

22. Beyond the Benchmark: Advancing Security at AI Speed

Overview

  • Microsoft introduced MDASH, an AI-powered multi-model agentic scanning system for discovering, validating, and remediating software vulnerabilities across Windows, Hyper-V, Azure, and identity systems.
  • MDASH integrates into existing DevSecOps workflows through GitHub Advanced Security, Azure DevOps, and Microsoft Defender, enabling actionable findings to be addressed during development with minimal disruption.
  • The system enables deeper, broader, and earlier vulnerability discovery in complex components like the Windows kernel, networking stack, Azure infrastructure, and Active Directory Domain Services.

Impact

  • Recent Patch Tuesday includes vulnerabilities discovered by MDASH covering remote code execution, elevation of privilege, and information disclosure.
  • Notable CVEs, by component:
  • Windows Hyper-V RCE: CVE-2026-45607 (Out-of-bounds Read, CVSS 8.4), CVE-2026-45641 (Type Confusion, CVSS 8.4), CVE-2026-47652 (Heap Buffer Overflow, CVSS 8.2).
  • Windows DNS Client EoP: CVE-2026-41108 (CVSS 7.0).
  • Windows DHCP Client Information Disclosure: CVE-2026-45608 (CVSS 6.8) and CVE-2026-45634 (CVSS 5.5).
  • Windows ADDS RCE: CVE-2026-45648 (Stack Buffer Overflow, CVSS 8.8).
  • Remote Desktop Client RCE: CVE-2026-47289 (Heap Buffer Overflow, CVSS 8.8).
  • Windows Kernel RCE: CVE-2026-45657 (Use-after-free, CVSS 9.8).
  • HTTP.sys RCE: CVE-2026-47291 (Integer Overflow, CVSS 9.8).

Recommendations

  • Apply June 2026 Patch Tuesday security updates without delay to mitigate high-severity RCE and privilege escalation vulnerabilities.
  • Integrate AI-assisted vulnerability discovery tools into development workflows to improve detection efficiency and remediation speed.
  • Continuously monitor security advisories from Microsoft and prioritize updates based on asset criticality and exposure.

Reference

https://www.microsoft.com/en-us/security/blog/2026/06/17/beyond-the-benchmark-advancing-security-at-ai-speed/

23. Microsoft Confirms RoguePlanet Defender Zero-Day, Says Patch is in Development

Overview

  • Microsoft disclosed a zero-day vulnerability in Microsoft Defender, codenamed RoguePlanet.
  • The vulnerability is an elevation of privilege flaw found in the Microsoft Malware Protection Engine.

Impact

  • Exploitation allows an attacker to escalate privileges on affected systems.
  • The CVSS score is 7.8, indicating high severity.

Affected / Fixed Versions

  • Specific affected versions are not detailed.
  • A patch is currently in development by Microsoft.

Recommendations

  • Monitor official Microsoft channels for the patch release.
  • Apply the patch promptly once available.
  • Consider implementing temporary mitigation measures as per Microsoft advisories.

Reference

https://thehackernews.com/2026/06/microsoft-confirms-rogueplanet-defender_02022423645.html

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

© 2026 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.