Weekly Threat Landscape Digest – Week 26

Vulnerability Threat Landscape

1. Command Injection Vulnerability in Multiple TP-Link Routers

Overview

• A high-severity command injection vulnerability (CVE-2026-11834) affects multiple TP-Link router models.
• Vulnerability occurs in DHCP option processing due to insufficient validation of externally supplied DHCP data.
• Allows adjacent, unauthenticated attackers to execute arbitrary commands on affected devices.

Impact

• Exploitation enables remote command execution without authentication or user interaction.
• Attack vector requires access to adjacent network.

Affected / Fixed Versions

• Archer MR200 (EN) V7 — fixed in firmware 1.3.0 Build 250605
• Archer MR200 (EU) V8 — fixed in firmware 1.5.0 Build 260605
• Archer MR402 (EU) V1 — fixed in firmware 1.5.0 Build 260605
• Archer VR2100 (EU) V1 — fixed in firmware EU_V1_260330
• Archer C20 V5 — fixed in firmware EU_V5_260317 / US_V5_260419
• Archer C20 V6 — fixed in firmware V6_260608
• TL-MR6400 (EU) V7 — fixed in firmware 1.7.0 Build 260413

Recommendations

• Immediately upgrade all affected TP-Link routers to the latest fixed firmware versions.
• Monitor network activity for abnormal DHCP traffic indicative of exploitation attempts.

Reference Links

• https://www.tp-link.com/us/support/faq/5141/

2. Multiple Vulnerabilities in Jenkins Plugins

Overview

• Multiple vulnerabilities discovered in various Jenkins plugins including sandbox bypass, command injection, CSRF, permission bypass, information disclosure, path traversal, XML External Entity (XXE), LDAP injection, and remote code execution (RCE) risks.
• High severity issues include sandbox bypass (CVE-2026-57280, CVE-2026-57281), path traversal (CVE-2026-57296), RCE via OWASP ZAP Plugin (CVE-2026-57301), and XXE (CVE-2026-57303).
• Several plugins currently have no available fixes, increasing exposure risk.

Impact

• Successful exploitation may allow attackers to execute arbitrary code on Jenkins controllers or agents.
• Unauthorized access to sensitive credentials and pipeline replay scripts.
• Bypass of authentication and authorization checks.
• Potential exposure and enumeration of credentials and server URLs.
• Disabling of SSL/TLS validation leading to insecure communication.

Affected / Fixed Versions

• Active Directory Plugin up to 2.41.1 (Fixed in 2.41.2)
• Assembla Plugin up to 1.4 (No fix available)
• Bitbucket Push and Pull Request Plugin up to 3.3.8 (Fixed in 3.3.9)
• Contrast Continuous Application Security Plugin up to 3.11 (Fixed in 3.12)
• EC2 Fleet Plugin up to 4.2.3.539.v8fedff2a_81c3 (Fixed in 4.2.3.540.va_6eedb_7b_c112)
• External Workspace Manager Plugin up to 1.3.2 (Fixed in 1.4.0)
• FitNesse Plugin up to 1.36 (No fix available)
• Git client Plugin up to 6.6.0 (Fixed in 6.6.1)
• Git Parameter Plugin up to 462.vdcf3df2ed2ca_ (Fixed in 462.463.v496a_59f698e5)
• Gitee Plugin up to 1288.v18b_deb_c9069b_ (Fixed in 1292.v2559f2f3f2c0)
• GitHub Branch Source Plugin up to 1967.1969.v205fd594c821 (Fixed in 1967.1970.vd86979736546)
• Job Configuration History Plugin up to 1356.ve360da_6c523a_ (Fixed in 1367.vc8fa_b_15101dc)
• MCP Server Plugin up to 0.177.v629fdb_2557fe (Fixed in 0.178.vffe5a_e770f3b_)
• OWASP ZAP Plugin up to 1.0.7 (No fix available)
• Pipeline: Groovy Plugin up to 4331.v9d06ed4658ff (Fixed in 4331.4333.v50a_b_076c5199)
• Priority Sorter Plugin up to 936.v2c01c6b_84449 (Fixed in 936.937.v5581d0b_2ccb_a_)
• Script Security Plugin up to 1402.v94c9ce464861 (Fixed in 1402.1405.vc96e74964250)
• Zowe zDevOps Plugin up to 1.1.3.50.ve350c9b_450b_1 (No fix available)

Recommendations

• Update all affected plugins to their fixed versions immediately.
• For plugins without available fixes (Assembla, FitNesse, OWASP ZAP, Zowe zDevOps), monitor for updates and avoid using them in critical environments.
• Remove or disable unused or unpatched plugins.
• Enforce least privilege access and strong role-based controls for Jenkins users.
• Restrict access to Jenkins controllers and admin interfaces.
• Limit and review script execution and sandbox exceptions rigorously.
• Monitor Jenkins logs for unusual pipeline or plugin activities indicative of exploitation attempts.
• Ensure proper enforcement of TLS for all external plugin integrations.
• Conduct regular audits of Jenkins plugins, configurations, and stored credentials.

Reference Links

• https://www.jenkins.io/security/advisory/2026-06-24/

3. Security Updates – Google Chrome

Overview

• Google released security updates addressing multiple vulnerabilities in Chrome, including critical use-after-free and memory safety issues.
• Vulnerabilities could lead to browser crashes, information disclosure, arbitrary code execution, or other security impacts.

Impact

• Critical use-after-free flaws in WebGL, Autofill, Blink, Bluetooth, Web Authentication, Digital Credentials, FileSystem, and WebView components.
• Out of bounds read in Blink InterestGroups.
• High severity issues including inappropriate implementation, uninitialized use, and insufficient validation in DeviceBoundSessionCredentials, Autofill, GPU, Navigation, DevTools, and Passwords components.

Affected / Fixed Versions

• Chrome Stable for Windows/Mac: 149.0.7827.196/197 or later
• Chrome Stable for Linux: 149.0.7827.196 or later
• Chrome Extended Stable for Windows/Mac: 148.0.7778.280 or later
• Early Stable Update for Windows/Mac: 150.0.7871.46/.47
• Chrome Stable 150 for iOS: 150.0.7871.51
• Chrome 150 for Android: 150.0.7871.46

Recommendations

• Update Google Chrome to the latest available version immediately to mitigate these vulnerabilities.

Reference Links

• https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html
• https://chromereleases.googleblog.com/

4. Multiple Vulnerabilities in Webmin

Overview

• Three vulnerabilities identified in Webmin enabling authentication bypass, information disclosure, and multi-factor authentication (MFA) bypass through HTTP header and regex handling flaws.

Impact

• CVE-2026-56020 (Critical, CVSS 9.2): HTTP header manipulation in miniserv.pl leads to authentication bypass and user impersonation without credentials.
• CVE-2026-56021 (Medium, CVSS 6.9): Regex filtering flaw allows unauthenticated access to .conf configuration files in module directories, exposing sensitive information.
• CVE-2026-56022 (Medium, CVSS 6.9): Crafted User-Agent headers can bypass session validation and MFA under certain conditions.

Affected / Fixed Versions

• Affected: Webmin versions prior to 2.641
• Fixed: Webmin version 2.641 and later

Recommendations

• Immediately upgrade Webmin to version 2.641 or above.
• Restrict Webmin administrative interface exposure to trusted IPs or VPN only.
• Monitor authentication and access logs for unusual HTTP header patterns.
• Enforce network segmentation for administrative services.
• Enable centralized logging and alerting for unauthorized access attempts.

Reference Links

• https://www.cve.org/CVERecord?id=CVE-2026-56020
• https://www.cve.org/CVERecord?id=CVE-2026-56022
• https://www.cve.org/CVERecord?id=CVE-2026-56021

5. Critical Remote Code Execution Vulnerability in libssh2

Overview

• A critical vulnerability (CVE-2026-55200) has been identified in libssh2 due to an out-of-bounds write in the ssh2_transport_read() function.
• The flaw results from insufficient validation of the packet_length field, allowing remote attackers to send specially crafted SSH packets.

Impact

• Exploitation can lead to heap memory corruption.
• Potential remote code execution on affected systems.
• Severity rated Critical with a CVSS score of 9.2 (CVSS v4).

Affected / Fixed Versions

• Affected: libssh2 version 1.11.1 and earlier.
• Fixed: A patch is available including commit 7acf3df. Users should update to this or later versions.

Recommendations

• Update libssh2 and all dependent applications to the patched version immediately.
• Identify and remediate vulnerable installations within the environment.
• Monitor for unusual SSH traffic and application crashes indicative of exploitation attempts.
• Maintain an up-to-date inventory of third-party libraries to ensure prompt patching.
• Follow vendor advisories for additional guidance.

Reference Links

• https://nvd.nist.gov/vuln/detail/CVE-2026-55200

6. Actively Exploited Vulnerability in Lantronix

Overview

• A critical vulnerability (CVE-2025-67038) with a CVSS v3.1 score of 9.8 affects Lantronix EDS5000 devices, specifically version 2.1.0.0R3.
• The vulnerability exists in the HTTP RPC module, which executes a shell command when logging failed authentication attempts.
• The username parameter is unsanitized, allowing command injection.

Impact

• Enables unauthenticated remote attackers to execute arbitrary operating system commands with root privileges.
• Complete device compromise is possible without user interaction.

Affected / Fixed Versions

• Affected: Lantronix EDS5000 version 2.1.0.0R3.
• Fixed versions have been or will be released; users are advised to upgrade as soon as firmware updates are available.

Recommendations

• Identify all Lantronix EDS5000 devices running affected firmware.
• Apply vendor-provided firmware updates promptly upon release.
• Monitor for unusual activity indicative of exploitation.

Reference Links

• https://ltrxdev.atlassian.net/wiki/spaces/LTRXTS/pages/2538438657/Latest+Firmware+f

7. Critical Vulnerabilities in MariaDB Server

Overview

• Multiple vulnerabilities in MariaDB Server can allow attackers to execute arbitrary shell commands on affected database servers.
• Exploitation may lead to full system compromise and unauthorized access to sensitive data.

Impact

• CVE-2026-49261 (Critical, CVSS 10.0): Command injection via improper handling of the wsrep_notify_cmd parameter through a malicious joiner node name.
• CVE-2026-48163 (High, CVSS 8.0): Command injection in SST rsync process permits arbitrary shell command execution on the donor node by a malicious joiner node.
• CVE-2026-48165 (High, CVSS 8.0): Privileged users can manipulate global variables to execute arbitrary commands with MariaDB database process privileges.

Affected / Fixed Versions

• Affected: MariaDB Server 10.6.1 to 10.6.26, 10.11.1 to 10.11.17, 11.4.1 to 11.4.11, 11.8.1 to 11.8.7, and 12.3.1
• Fixed: MariaDB Server 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2

Recommendations

• Immediately update MariaDB Server to fixed or latest versions to mitigate risk of exploitation.

Reference Links

• https://github.com/MariaDB/server/security/advisories/GHSA-3p3m-4x7c-p4pw
• https://github.com/MariaDB/server/security/advisories/GHSA-rpgv-q6gv-684r
• https://github.com/MariaDB/server/security/advisories/GHSA-7v3p-h23x-8hwv

8. Multiple Critical Vulnerabilities in QNAP QuMagie and License Center

Overview

• Multiple critical vulnerabilities identified in QNAP QuMagie and License Center products.
• CVE-2026-26236, CVE-2026-26237, CVE-2026-44083: Unauthenticated remote attackers can access sensitive media files, AI-generated thumbnails, folder cover images, and album archives, resulting in information disclosure.
• CVE-2025-62851: Path traversal vulnerability in License Center’s qlicenseRequest.cgi allows authenticated administrators to access files outside the intended directory.

Impact

• Unauthorized disclosure of sensitive media content and related metadata.
• Potential exposure of confidential system files due to path traversal.

Affected / Fixed Versions

• Affected: QuMagie versions 2.8.2 and 2.9.0; License Center version 1.8.56.
• Fixed: QuMagie versions 2.9.1 and 2.10.0; License Center version 2.0.42.

Recommendations

• Update QNAP QuMagie to version 2.9.1 or later.
• Update QNAP License Center to version 2.0.42 or later.
• Ensure timely patching to prevent exploitation of these vulnerabilities.

Reference Links

• https://www.qnap.com/en-uk/security-advisory/qsa-26-35

9. Multiple PostgreSQL Remote Code Execution (RCE) Vulnerabilities in BIG-IP Next

Overview

• Three high-severity PostgreSQL vulnerabilities (CVE-2026-2004, CVE-2026-2005, CVE-2026-2006) enable arbitrary code execution with the privileges of the operating system user running PostgreSQL.
• Vulnerabilities affect extensions and components including intarray, pgcrypto, and text processing functions.
• Exploitation can lead to complete compromise of database confidentiality, integrity, availability, and control over the underlying host system.

Impact

• CVE-2026-2004: Missing input type validation in intarray extension selectivity estimator allows object creators to execute code.
• CVE-2026-2005: Heap buffer overflow in pgcrypto can be triggered by malicious ciphertext, enabling code execution.
• CVE-2026-2006: Improper validation of multibyte character length during text manipulation can cause buffer overruns and code execution.

Affected / Fixed Versions

• Affected PostgreSQL versions: before 14.21, 15.16, 16.12, 17.8, and 18.2.
• Affected BIG-IP Next for Kubernetes versions: 2.0.0 through 2.2.1.
• Fixed PostgreSQL versions: 14.21, 15.16, 16.12, 17.8, 18.2.
• Fixed BIG-IP Next for Kubernetes version: 2.2.2 and later.

Recommendations

• Upgrade PostgreSQL installations to fixed versions.
• Upgrade BIG-IP Next for Kubernetes to version 2.2.2 or later to mitigate these vulnerabilities.

Reference Links

• https://my.f5.com/manage/s/article/K000161732

10. Multiple Vulnerabilities in Moxa NPort Serial Device Servers

Overview

• Two vulnerabilities identified in Moxa NPort W2150A-W4/W2250A-W4 Series serial device servers.
• CVE-2026-10829: Stack-based buffer overflow in the ‘Server location’ parameter on the Basic Settings page.
• CVE-2026-10828: Format string vulnerability in the ‘Alias’ parameter on the Serial Param configuration page.
• Both require authenticated attacker access. Attack vector is network-based with no user interaction required.

Impact

• CVE-2026-10829 (CVSS 8.6) may allow remote code execution (RCE) with root privileges.
• CVE-2026-10828 (CVSS 6.9) may cause sensitive memory disclosure and ASLR bypass, potentially facilitating further exploitation.

Affected / Fixed Versions

• Moxa NPort W2150A-W4/W2250A-W4 Series firmware version 1.5 and earlier affected; fixed in version 1.5.1.
• Moxa NPort W2150A/W2250A Series firmware version 2.3 and earlier affected; product phased out and should be replaced by W2150A-W4/W2250A-W4 Series with firmware 1.5.1 or later.

Recommendations

• Upgrade affected devices to firmware version 1.5.1 obtained from Moxa Technical Support.
• Replace legacy NPort W2150A/W2250A devices with supported W2150A-W4/W2250A-W4 Series running fixed firmware.
• Prioritize patching to avoid potential RCE and data disclosure risks.

Reference Links

• https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261910-cve-2026-10828,-cve-2026-10829

11. Actively Exploited Vulnerability in Gravity SMTP plugin

Overview

• CVE-2026-4020 is an information disclosure vulnerability in the Gravity SMTP WordPress plugin.
• The flaw exists in the REST API endpoint (/wp-json/gravitysmtp/v1/tests/mock-data), allowing unauthenticated users to access sensitive system information.
• Attackers exploit improper access controls by appending the query parameter ?page=gravitysmtp-settings to retrieve detailed system reports.

Impact

• Exposure of WordPress configuration details, plugin and theme information, database details, and API credentials for Amazon SES, Google, Mailjet, Resend, and Zoho.
• Compromise could enable abuse of email services, credential harvesting, and further environment compromise.

Affected / Fixed Versions

• Affected: Gravity SMTP plugin versions prior to 2.1.5.
• Fixed: Gravity SMTP version 2.1.5 or later.

Recommendations

• Apply the latest Gravity SMTP plugin updates.
• Review logs for suspicious activity involving the vulnerable endpoint.
• Reset and rotate exposed credentials, API keys, and OAuth tokens.
• Monitor network traffic and implement security alerting for exploitation attempts.
• Restrict access to sensitive services and interfaces.
• Maintain up-to-date backups and incident response plans.

Reference Links

• https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-sensitive-information-exposure-vulnerability-in-gravity-smtp-plugin/

12. Multiple Vulnerabilities in QNAP Products

Overview

• Multiple vulnerabilities identified in QNAP QTS, QuTS hero, QuTS cloud, and QVP (QVR Pro) appliances.
• Flaws include URL injection, command injection, stack and buffer overflows, broken access control, NULL pointer dereference, and uncontrolled resource consumption.

Impact

• Credential theft via malicious password reset pages (CVE-2025-59382).
• Arbitrary command execution by authenticated administrators (CVE-2025-66273, CVE-2025-66279, CVE-2026-22893).
• Unauthorized actions, service crashes, memory corruption, and denial-of-service conditions due to overflow vulnerabilities.
• Unauthorized access to sensitive files (CVE-2026-24724).
• Denial-of-service caused by NULL pointer dereference (CVE-2026-22899, CVE-2025-66281).
• Excessive CPU and memory usage leading to service disruption (CVE-2026-24720).

Affected / Fixed Versions

• Affected: QTS 5.2.7, QuTS hero h5.2.8, QuTS cloud c5.2.8, QVP 2.7.1.
• Fixed: QTS 5.2.10, QuTS hero h5.2.9, QuTS cloud c5.2.9, QVP 2.8.0.

Recommendations

• Update all affected QNAP products to the fixed versions released by QNAP promptly to mitigate exploitation risks.

Reference Links

• https://www.qnap.com/en-uk/security-advisory/qsa-26-10

13. Critical Vulnerabilities in pgAdmin

Overview

• Three critical vulnerabilities identified and patched in pgAdmin 4, a PostgreSQL graphical administration tool.
• Issues include unauthenticated remote code execution via pickle deserialization, AI assistant prompt injection causing SQL execution, authentication bypass, and stored Cross-Site Scripting (XSS).

Impact

• CVE-2026-12046 (CVSS 9.5): Unauthenticated remote code execution through pickle deserialization in SQL Editor routes.
• CVE-2026-12045 (CVSS 9.4): AI assistant prompt injection enabling SQL injection and read-only transaction bypass.
• CVE-2026-12048 (CVSS 9.3): Stored XSS via untrusted error and plan-node text rendered insecurely.

Affected / Fixed Versions

• Vulnerabilities fixed in pgAdmin version 9.16 and later.

Recommendations

• Immediately upgrade to pgAdmin version 9.16 or later.
• Restrict administrative access and enforce secure deployment configurations.

Reference Links

• https://nvd.nist.gov/vuln/detail/CVE-2026-12048
• https://nvd.nist.gov/vuln/detail/CVE-2026-12045
• https://nvd.nist.gov/vuln/detail/CVE-2026-12046

14. Targeted Attacks Against ArcGIS Enterprise Account Recovery Mechanism

Overview

• Threat actors are actively exploiting weaknesses in the ArcGIS Enterprise built-in account recovery (Forgot Password) workflow.
• Attackers bypass primary authentication mechanisms protected by MFA by leveraging insecure account recovery configurations.
• No CVEs assigned yet; the issue is a security weakness in configuration actively exploited in the wild.
• Attackers focus on environments using built-in ArcGIS accounts rather than centralized identity providers.

Impact

• Unauthorized administrative access gained through exploitation of weak account recovery questions and predictable admin usernames.
• Password resets for privileged accounts enabling full control over compromised built-in accounts.
• Access, modification, or deletion of sensitive GIS datasets and geospatial information.
• Potential for persistent access and lateral movement into connected enterprise systems.

Affected / Fixed Versions

• Affects ArcGIS Enterprise deployments using built-in application accounts with Portal PSA and Server IAA accounts enabled and weak password recovery configurations.
• Does not affect organizations exclusively using centralized identity providers (Active Directory, Azure AD, SAML, LDAP) without enabled built-in accounts.
• Security patch under development by Esri, not yet released.

Recommendations

• Immediately disable Portal PSA and Server IAA accounts.
• Remove weak password recovery answers and replace common administrator usernames with unique names.
• Ensure ArcGIS Enterprise service accounts do not have administrator privileges.
• Enable SMTP configuration for secure email validation of password recovery requests.
• Use the ArcGIS Security & Privacy Adviser tool to audit and review built-in user accounts; remove unused accounts.
• Monitor administrative accounts for unauthorized password reset activity.
• Prepare to deploy Esri’s forthcoming security patch promptly upon release.
• Long-term: migrate authentication to centralized identity providers and enforce MFA for all admin accounts.
• Regularly review ArcGIS Enterprise hardening guidance and maintain updated security patches.
• Continuously monitor authentication logs and conduct periodic security assessments of account recovery configurations.

Reference Links

• https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/june-2026-arcgis-security-bulletin

15. CVE-2026-52952: Use-After-Free Vulnerability in Linux Kernel IOMMU Subsystem

Overview

• A race condition in the Linux kernel’s Input/Output Memory Management Unit (IOMMU) subsystem affects concurrent attachment of multiple memory domains during device recovery.
• This leads to a Use-After-Free (UAF) vulnerability, where freed memory may be improperly accessed.

Impact

• Local attackers can exploit the vulnerability to execute unauthorized code or cause system crashes resulting in denial of service.

Recommendations

• Apply available Linux kernel patches that address the race condition in the IOMMU subsystem.
• Limit local user permissions to reduce risk of exploitation.

Reference Links

• https://vulners.com/redhatcve/RH:CVE-2026-52952

16. CVE-2026-53025: Use-After-Free Vulnerability in Linux Kernel Greybus Raw Subsystem

Overview

• A use-after-free vulnerability was discovered in the Linux kernel’s Greybus raw subsystem.
• Triggered when a local user disconnects a Greybus raw bundle while its associated character device remains open.
• Subsequent attempts to release the character device result in accessing freed memory.

Impact

• Can cause a kernel panic.
• Results in a system-wide Denial of Service (DoS).

Affected / Fixed Versions

• Not specified in the provided information.

Recommendations

• Avoid disconnecting Greybus raw bundles while character devices are open.
• Apply vendor patches or kernel updates when available to mitigate the issue.

Reference Links

• https://vulners.com/redhatcve/RH:CVE-2026-53025

17. New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries

Overview

• A vulnerability (CVE-2026-46331) exists in the Linux kernel’s traffic-control subsystem.
• The flaw is an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory.
• It allows a local, unprivileged user to gain root privileges by poisoning cached binaries.
• A public, working exploit was released within one day of the CVE assignment on June 16.

Impact

• Local privilege escalation to root on affected Linux systems.

Recommendations

• Apply security patches from Linux distribution vendors promptly.
• Monitor systems for exploitation attempts involving packet editing features.

Reference Links

• https://thehackernews.com/2026/06/new-linux-pedit-cow-exploit-enables.html

18. CISA Adds Exploited PTC Windchill RCE Flaw to KEV as Web Shell Attacks Continue

Overview

• CISA added a critical remote code execution (RCE) vulnerability in PTC Windchill PDMlink and PTC FlexPLM products to its Known Exploited Vulnerabilities (KEV) catalog.
• The vulnerability affects enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) software.
• There is confirmed evidence of active exploitation, with attackers deploying web shells.

Impact

• Successful exploitation allows remote code execution on affected systems.
• Attackers use the vulnerability to deploy persistent web shells for ongoing access and control.

Affected / Fixed Versions

• Specific affected versions and patches were not detailed in the source.

Recommendations

• Organizations using PTC Windchill PDMlink and FlexPLM should prioritize patching or mitigating this RCE vulnerability.
• Enhance monitoring for unusual web shell activity and possible intrusions.

Reference Links

• https://thehackernews.com/2026/06/cisa-adds-exploited-ptc-windchill-rce.html

19. Synology Issues Critical Fix for MailPlus Server Vulnerabilities

Overview

• Synology released a security update for MailPlus Server addressing three critical vulnerabilities.
• CVE-2026-13136 is due to faulty authorization checks allowing remote attackers to read/write arbitrary files and cause denial-of-service.
• CVE-2026-13135 involves improper restriction of communication channels, enabling remote attackers to access internal services.
• CVE-2025-15660 is another significant issue addressed by this update.

Impact

• Remote attackers could exploit these vulnerabilities to compromise private email infrastructures hosted on Synology NAS devices.
• Potential impacts include unauthorized file access/modification, service disruption, and unauthorized internal service access.

Affected / Fixed Versions

• Specific affected or fixed versions were not detailed in the source content.

Recommendations

• Apply the latest Synology MailPlus Server update immediately to mitigate these critical vulnerabilities.

Reference Links

• https://www.helpnetsecurity.com/2026/06/26/synology-mailplus-server-vulnerabilities/

20. Critical python.org Vulnerability Allowed Attackers to Forge Admin-Level API Requests

Overview

• A critical authentication bypass vulnerability was discovered in python.org’s release management API.
• The flaw allowed attackers to impersonate administrators by supplying an admin username with an arbitrary API key.
• Vulnerability existed since 2014, affecting over a decade of Python releases.
• Attackers could modify release metadata and redirect download URLs, including signature and PGP key links.
• Direct modification of release binaries was not possible.

Impact

• Potential for large-scale supply chain attacks targeting Python users worldwide by altering verification URLs.
• Millions of users could have been redirected to malicious download URLs if exploited.

Affected / Fixed Versions

• Affected versions span Python releases from 2.5 through 3.13.
• Python 3.14 and later verified solely via Sigstore after PEP 761 changes.
• Patch deployed by python.org team within 24 hours of disclosure.

Recommendations

• Users should ensure they use the patched python.org API and verify download URLs starting with https://www.python.org/.
• Verify artifact signatures using Sigstore or PGP where applicable.
• Organizations should benefit from extended logging and audit improvements at python.org for future incident detection.

Reference Links

• https://cybersecuritynews.com/critical-python-org-vulnerability/

21. CL-STA-1062 Hackers Use TinyRCT Backdoor to Target Southeast Asian Governments

Overview

• The Chinese-speaking threat group CL-STA-1062 has conducted a prolonged campaign since 2022 targeting government and energy sectors in Southeast Asia.
• The group uses a combination of open-source tools (SoftEther VPN, Mimikatz, VNT) and a custom C# backdoor named TinyRCT.
• TinyRCT is delivered via a malicious archive disguised as a Chrome installer, utilizing AppDomainManager Injection to load malware stealthily.
• The malware maintains persistence through scheduled tasks and communicates with its command-and-control servers every 10 seconds using AES-128 encryption.
• Attackers conduct lateral movement using traceroute and privilege escalation with JuicyPotato, and exfiltrate sensitive data such as web server source code.
• The campaign escalated in late 2025 with multiple compromises across at least ten organizations in the region.

Impact

• Compromise of critical government and energy infrastructure with potential exposure of sensitive data.
• Sustained espionage and foothold in multiple high-value targets across Southeast Asia.
• Use of sophisticated evasion and persistence techniques complicates detection and response.

Recommendations

• Monitor for untrusted binaries executing from local app data directories, especially those mimicking legitimate service names.
• Review outbound HTTP traffic for consistent beaconing patterns.
• Enforce strict application execution policies and sandbox environments.
• Investigate scheduled tasks that maintain persistence.
• Employ threat intelligence indicators and IoCs to detect and block infection attempts.

Reference Links

• https://cybersecuritynews.com/cl-sta-1062-hackers-use-tinyrct-backdoor/

22. CVE-2026-45930: net: mctp: ensure our nlmsg responses are initialised

Overview

• Microsoft released details on CVE-2026-45930, addressing a vulnerability in the Management Component Transport Protocol (MCTP) network component.
• The vulnerability involves ensuring that netlink message (nlmsg) responses are properly initialized.

Impact

• Potential exploitation could arise from uninitialized message responses in the MCTP network interface, possibly leading to unpredictable behavior or security issues.

Affected / Fixed Versions

• Not specified.

Recommendations

• Apply the security updates provided by Microsoft to ensure proper initialization of nlmsg responses within MCTP.

Reference Links

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45930

23. CVE-2025-68736: landlock: Fix handling of disconnected directories

Overview

• Vulnerability CVE-2025-68736 involves improper handling of disconnected directories in landlock, a Linux security module.

Impact

• Could potentially allow unauthorized actions or security bypass due to incorrect directory handling.

Affected / Fixed Versions

• Specific versions affected or fixed are not detailed in the published information.

Recommendations

• Apply updates or patches provided by the vendor once available to address the improper directory handling issue.

Reference Links

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-68736

24. CVE-2025-68296: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup

Overview

• This vulnerability involves a race condition in the fbcon setup impacting drm, fbcon, and vga_switcheroo components.

Impact

• Race conditions can lead to unpredictable behavior, potentially allowing privilege escalation or denial of service.

Affected / Fixed Versions

• Not specified.

Recommendations

• Apply available patches or updates from the vendor promptly to mitigate the risk.

Reference Links

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-68296

25. FCC Passes New Cybersecurity Rules for Emergency Systems and Undersea Cables

Overview

• The FCC approved updated cybersecurity regulations for the U.S. Emergency Alert System (EAS), Wireless Emergency Alerts (WEA), and undersea cable operations.
• Updates focus on preventing hijacking attacks on EAS and WEA, critical national public warning systems used for emergencies.
• New rules mandate strong passwords, timely patching, firewall use, and introduce an authentication ID system to verify alerts and prevent unauthorized transmissions.
• The FCC also updated submarine cable regulations, balancing tighter cybersecurity requirements with exemptions from national security reviews for providers meeting high security standards.
• The changes enhance FCC oversight of submarine line terminal equipment and supply chain vulnerabilities.

Impact

• Strengthens defenses against hijacking or spoofing of emergency alert broadcasts and texts that could cause public panic or misinformation.
• Improves security and licensing processes for undersea cable infrastructure vital to national security and communications.
• Provides predictable and expedited licensing for compliant undersea cable operators.

Recommendations

• Emergency alert system operators should implement strong password policies, prompt patch management, firewalls, and adopt the new authentication ID system.
• Undersea cable operators must comply with licensing, certification, and oversight requirements to maintain operations.
• Continuous monitoring of critical infrastructure components and supply chains is essential.

Reference Links

• https://cyberscoop.com/fcc-undersea-cable-regulations-national-security/

26. USN-8475-1: AMD Microcode Vulnerabilities

Overview

• AMD processors have vulnerabilities that may allow a local attacker to infer data from previous stores, potentially leaking privileged information (CVE-2024-36350, CVE-2024-36357).
• Some AMD Zen 5 processors supporting the RDSEED instruction may improperly handle entropy, leading to insufficiently random values (CVE-2025-62626).

Impact

• Potential exposure of sensitive privileged information.
• Possible loss of confidentiality and integrity due to predictable random values from RDSEED.

Affected / Fixed Versions

• AMD processors, specifically including some Zen 5 models supporting RDSEED.

Recommendations

• Apply available microcode updates from AMD and security patches from Ubuntu promptly to mitigate these vulnerabilities.

Reference Links

• https://ubuntu.com/security/notices/USN-8475-1

27. USN-8476-1: xrdp Vulnerabilities

Overview

• Multiple vulnerabilities were identified in xrdp, including improper bounds checking during user domain processing, failure to enforce maximum login attempts, and incorrect handling of font glyph data.
• These issues affect session establishment, login attempt restrictions, and memory access, posing risks of denial of service, arbitrary code execution, and session restriction bypass.

Impact

• Unauthenticated remote attackers can cause crashes or possibly execute code via bounds checking flaws (CVE-2025-68670).
• Attackers can perform unlimited login attempts due to MaxLoginRetry enforcement failure (CVE-2024-39917).
• Out-of-bounds read possible from font glyph handling leading to potential information disclosure (CVE-2023-42822).
• Bypass of OS-level session restrictions, including concurrent session limits enforced by PAM (CVE-2023-40184).

Affected / Fixed Versions

• Ubuntu 24.04 LTS specifically affected by some vulnerabilities.

Recommendations

• Users should apply the latest security updates for xrdp to mitigate these vulnerabilities.
• Review and adjust MaxLoginRetry settings post-update to ensure proper enforcement.

Reference Links

• https://ubuntu.com/security/notices/USN-8476-1

28. USN-8472-1: containerd Vulnerabilities

Overview

• Multiple vulnerabilities were discovered in containerd affecting HTTP/2 SETTINGS frame handling, group parsing, image reference validation, label propagation, symlink path validation, and device interface annotation trust.
• These issues allow various attack vectors including denial of service, arbitrary code execution in containers or host, information disclosure, resource allocation bypass, and injection of devices or host mounts into containers.

Impact

• Denial of service via infinite loop or excessive memory consumption.
• Arbitrary code execution in containers or on the host.
• Information disclosure through reading arbitrary host files.
• Bypass of resource allocation restrictions leading to privilege escalation.

Affected / Fixed Versions

• Ubuntu 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS.

Recommendations

• Apply the security updates provided by Ubuntu to mitigate risks from these vulnerabilities.

Reference Links

• https://ubuntu.com/security/notices/USN-8472-1

29. Cisco Finesse Remote File Inclusion Vulnerability

Overview

• A remote file inclusion vulnerability exists in Cisco Finesse due to insufficient validation of user-supplied input in HTTP requests.
• An unauthenticated, remote attacker could exploit this by convincing a user to click a crafted link pointing to the affected device.

Impact

• Successful exploitation allows browser-based attacks.
• Enables execution of arbitrary script code in the context of the affected interface.
• May lead to unauthorized access to sensitive information on the device.

Affected / Fixed Versions

• Cisco has released software updates addressing this vulnerability.

Recommendations

• Apply the Cisco software updates to remediate the vulnerability.
• There are no workarounds available.

Reference Links

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-finesse-rfi-gwpkdc89

30. Why Patch Directives Only Go So Far

Overview

• CVE-2026-50751 is a critical authentication bypass vulnerability (CVSS 9.3) in Check Point Remote Access VPN.
• The flaw stems from a logic error in certificate validation triggered by the deprecated IKEv1 key-exchange protocol.
• It allows remote attackers to establish authenticated VPN sessions without valid passwords, bypassing perimeter defenses.
• Exploitation began as early as May, weeks before the vulnerability’s public disclosure and a CISA emergency directive issued June 21.
• The Qilin ransomware affiliate used this vulnerability for stealthy intrusions involving data exfiltration with Rclone and Tox protocol-based command and control routed through disposable VPS infrastructure.

Impact

• Attackers gain trusted VPN access, invalidating downstream security measures and enabling undetected data theft and ransomware deployment.
• Organizations compromised during the exploitation window remain vulnerable despite patching due to attacker persistence as trusted users.

Recommendations

• Apply patches promptly to close the vulnerability and disable deprecated IKEv1 key-exchange protocol.
• Treat systems with IKEv1 enabled and access during May-June as potentially compromised and investigate accordingly.
• Adopt endpoint-level defenses that disrupt ransomware payload execution even when attackers have legitimate access, as a complement to perimeter controls.
• Recognize structural flaws in perimeter-dependent security architectures and develop layered strategies that mitigate damage post-compromise.

Reference Links

• https://cyberscoop.com/why-security-patching-is-not-enough-cve-2026-50751-op-ed/

31. Mandiant Reveals How Cisco SD-WAN Zero-Day Attacks Gained Root Access

Overview

• Hackers exploited a zero-day vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20245.
• The attacks created rogue root accounts on targeted devices, allowing persistent and privileged access.

Impact

• Full root access to affected Cisco SD-WAN devices, potentially enabling widespread network compromise and control.

Affected / Fixed Versions

• Not specified in the supplied content.

Recommendations

• Monitor for unusual account creation and privilege escalation in Cisco SD-WAN environments.
• Apply patches when available from Cisco to mitigate CVE-2026-20245.

Reference Links

• https://www.bleepingcomputer.com/news/security/mandiant-reveals-how-cisco-sd-wan-zero-day-attacks-gained-root-access/

32. What the Miasma Campaign Reveals About the New Supply Chain Threat Model

Overview

• Miasma is a self-propagating npm worm compromising 89+ npm packages across three waves in June 2026, affecting Red Hat, Vapi.ai, Microsoft Azure repositories.
• Attackers weaponized a stolen Red Hat developer’s GitHub credential and session cookie that circulated in underground markets for seven weeks.
• The worm delivered malicious packages with valid SLSA Build Level 3 provenance attestations, bypassing top-tier supply chain integrity verification.
• The campaign introduced persistence files targeting AI coding assistants (Claude Code, Cursor, Gemini CLI, VS Code), extending attacks from package registries to developer local environments.
• The attack exemplifies the emerging ‘Developer Credential Economy,’ a three-layer threat model involving credential generation via infostealers, underground distribution, and downstream weaponization by multiple threat actors.

Impact

• Credential theft and supply chain compromise affecting thousands of weekly npm package downloads.
• Supply chain integrity and developer environment security undermined, enabling widespread credential harvesting and malicious package propagation.
• Expands attack surface to AI-assisted development environments through novel persistence mechanisms.

Recommendations

• Treat developer credentials as critical control-plane infrastructure.
• Adopt phased Continuous Threat Exposure Management (CTEM) for hardening credential generation, real-time secret neutralization, and enforcing human-gated publishing.
• Monitor underground markets and infostealer logs proactively.
• Enhance CI/CD pipeline security and credential management practices.

Reference Links

• https://www.tenable.com/blog/what-the-miasma-campaign-reveals-about-the-new-supply-chain-threat-model-and-the-underground

33. CNAPP’s New Normal: Hyper-Prioritization and Autonomous Remediation at Cloud Scale

Overview

• AI-powered detection accelerates identification of vulnerabilities, misconfigurations, and attack paths in dynamic cloud environments.
• Cloud infrastructure changes rapidly, requiring continuous posture management and real-time remediation instead of periodic scanning.
• CNAPP platforms correlate signals across CSPM, CWP, and vulnerability data but need integration with automated remediation to close risks effectively.
• Hyper-prioritization techniques focus on actionable, exploitable risks rather than volume of findings.
• LLM-powered playbooks enable rapid zero-day response at cloud scale, improving the speed and credibility of remediation plans.

Impact

• Faster weaponization of vulnerabilities by attackers compresses the time window defenders have.
• Misprioritized or delayed remediation allows exploitable vulnerabilities to remain open longer, increasing risk.
• Diverse cloud environments and ephemeral workloads increase the complexity of securing systems and demand tailored remediation approaches.

Recommendations

• Adopt continuous posture management solutions integrated directly with autonomous remediation capabilities.
• Implement hyper-prioritization methods factoring exploitability in context, exposure, identity/access, lateral movement paths, business context, active threat signals, and compensating controls.
• Utilize AI-driven playbooks to automate response plans and reduce time from detection to remediation.
• Ensure remediation actions close the loop from code commit through to running workloads to prevent vulnerability reintroduction.

Reference Links

• https://blog.qualys.com/product-tech/2026/06/22/cnapps-new-normal-hyper-prioritization-and-autonomous-remediation-at-cloud-scale

34. One Intrusion, Two Cyberattackers: Uncovering Parallel Threat Activity

Overview

• Microsoft’s DART investigated a complex multi-stage intrusion involving two unrelated threat actors simultaneously operating within the same environment.
• The primary threat actor, Storm-2603, targeted on-premises SharePoint servers, exploiting known and potential local file inclusion vulnerabilities.
• Threat actors used legitimate tools like Velociraptor for environment mapping and privilege escalation, and established remote access through Cloudflare tunneling, Zoho Assist, and SSH configured via Visual Studio Code.
• Defense evasion included creating local and domain admin accounts and using a vulnerable driver to disable memory protections.
• A second actor used DLL sideloading and custom backdoors, complicating detection and attribution by masking the combined intrusion activities.

Impact

• Sustained multi-vector access with obscured threat activity and complicated investigation and remediation efforts.
• Increased risk of credential misuse, lateral movement, and ransomware impact.
• Elevated adversary stealth due to blending of malicious actions with trusted administrative tools.

Recommendations

• Prioritize comprehensive patching and vulnerability management on internet-facing systems.
• Strengthen identity security controls to limit escalation and persistence.
• Deploy broad endpoint protection and central telemetry to support detection and correlation.
• Monitor and restrict usage of trusted remote access and administrative tools exploited by attackers.
• Maintain and regularly test incident response plans for rapid containment and mitigation.

Reference Links

• https://www.microsoft.com/en-us/security/blog/2026/06/22/one-intrusion-two-cyberattackers-uncovering-parallel-threat-activity/

35. Cisco Packaged Contact Center Enterprise and Unified Contact Center Enterprise XSS Vulnerabilities

Overview

• Multiple XSS vulnerabilities in the web-based management interfaces of Cisco Packaged CCE and Cisco Unified CCE.
• Vulnerabilities arise from improper validation of user-supplied input.
• An attacker with valid administrative credentials can inject malicious scripts into specific web interface pages.

Impact

• Execution of arbitrary script code in the context of the affected interface.
• Potential access to sensitive browser-based information.

Affected / Fixed Versions

• Specific affected versions not detailed.
• Cisco has released software updates to address the vulnerabilities.

Recommendations

• Apply Cisco’s released software updates promptly.
• No workarounds available; patching is required.

Reference Links

• https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ucce-pcce-xss-2JVyg3uD

AI Threat Landscape

1. How much cyber risk does AI create for organizations? 457 million security issues.

Overview

• Tenable detected 457 million AI-related security issues across 7,000+ organizations over 30 days, averaging 62,000 exposures per organization.
• AI-related security issues mostly stem from misconfigurations and unmanaged dependencies rather than CVEs.
• Shadow AI, including unapproved AI tools with autonomous capabilities, contributes significantly to undeclared risk.
• Traditional vulnerability management focusing only on CVEs is insufficient; a broader exposure management approach is advised.
• Example cited: Unapproved OpenClaw AI assistant installed by contractor, with remote access via Telegram and access to source code, demonstrating real shadow AI risk.

Impact

• About 31% of breaches start with unpatched CVEs, but approximately 63% of breach entry points come from non-CVE issues like misconfigurations or stolen credentials.
• AI accelerates vulnerability discovery and exploitation, increasing the pressure on patch management and risk mitigation.
• Organizations face numerous attack paths stemming from thousands of findings, with attackers likely to exploit the most critical pathways.

Recommendations

• Move beyond legacy vulnerability scanning to AI-driven, continuous exposure management that maps attack paths.
• Prioritize remediation based on mapped attack paths leading to critical assets.
• Implement automated, agentic AI security workflows to remediate exposures at machine speed.
• Monitor and control shadow AI tools to prevent unauthorized access and exposure.
• Adopt comprehensive asset discovery and exposure mapping across IT, cloud, OT, AI, and IoT environments.

Reference Links

• https://www.tenable.com/blog/how-much-cyber-risk-does-ai-create-for-organizations-457-million-security-issues-heres-what

2. Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs

Overview

• A high-severity vulnerability (CVE-2026-12957, CVSS 8.5) was found in Amazon Q Developer’s AI coding assistant.
• The flaw allowed malicious repositories to execute commands and steal developers’ cloud credentials through improper handling of Model Context Protocol (MCP) server configurations.
• The exploitation path required a developer to open and trust an untrusted repository workspace, after which Amazon Q would automatically execute the malicious code.

Impact

• Remote code execution.
• Theft of cloud credentials leading to potential further compromise of cloud environments.

Affected / Fixed Versions

• Issue patched by Amazon in Amazon Q Developer.

Recommendations

• Update Amazon Q Developer to the patched version immediately.
• Exercise caution when opening and trusting repositories in Amazon Q Developer workspaces.

Reference Links

• https://thehackernews.com/2026/06/amazon-q-developer-flaw-could-let.html

3. CERT-In’s AI Vulnerability Blueprint: Machine-Speed Risk Operations in the Post-Mythos Era

Overview

• Mythos-class AI can autonomously discover and exploit known and unknown vulnerabilities at machine speed, shifting cybersecurity from traditional CVE matching to active exploit generation.
• CERT-In’s 2026 blueprint mandates 12-hour containment for known exploited vulnerabilities on internet-facing and critical systems, continuous validation, and evidence of closure.
• India’s current average breach lifecycle of 263 days is incompatible with CERT-In’s rapid remediation, incident reporting within six hours, and same-day containment, posing compliance and operational risks.
• Anthropic’s export control suspension on Mythos 5 and Fable 5 AI models removed defensive access, but similar capabilities remain publicly available via GPT-5.5 and leaked models.
• AI governance, shadow AI monitoring, and layered risk-based controls are critical to meet CERT-In’s requirements and address exponentially accelerating AI-powered attack capabilities.

Impact

• AI enables rapid, autonomous vulnerability discovery and weaponization, including identification of decades-old high-severity vulnerabilities previously unknown or unexploited.
• The compression of discovery-to-exploitation timelines forces defenders to shift to continuous, machine-speed risk operations.
• Non-compliance with stringent remediation timelines faces potential regulatory penalties up to Rs. 250 crore, compounded by increased ransomware, APT, and supply chain attacks exploiting known vulnerabilities at scale.
• 42% of Indian organizations lack AI management policies, increasing exposure to Shadow AI-driven breaches.

Recommendations

• Transition from traditional vulnerability management to closed-loop Risk Operations Centers (ROC) operating continuously at machine speed for detection, prioritization, validation, remediation, and proof.
• Implement continuous exposure management, breach simulation, and advanced layered defenses (MFA, PAM, conditional access, micro-segmentation).
• Enforce AI governance, including usage policies, approval workflows, inventories, shadow AI detection, and agentic AI guardrails.
• Employ tools like Qualys ETM, TruRisk, TruConfirm, and TotalAI to meet CERT-In operational mandates.

Reference Links

• https://blog.qualys.com/product-tech/2026/06/24/cert-in-ai-vulnerability-blueprint-machine-speed-risk-operations

4. DifyTap Bugs Let Attackers ‘Wiretap’ AI Chat Histories

Overview

• Four vulnerabilities discovered in Dify, a platform for AI application building and management.
• These flaws allow attackers to silently access and exfiltrate sensitive AI chat histories and data.

Impact

• Unauthorized access to private AI chat histories, leading to sensitive data leakage.

Recommendations

• Users of Dify should apply security patches as released by the vendor.
• Monitor platforms for suspicious access patterns indicating exploitation attempts.

Reference Links

• https://www.darkreading.com/application-security/difytap-bugs-wiretap-ai-chat-histories

5. Guarding AI Memory

Overview

• AI memory allows AI systems to retain and recall information across interactions, enabling personalization and agentic coherence.
• AI memory attacks involve adversaries gradually influencing AI behavior over time, such as delayed tool execution through adversarial memory poisoning.
• Microsoft employs a defense-in-depth approach covering memory creation, storage, retrieval, interaction, and user control.
• Prompt-injection classifiers and Task Adherence checks mitigate memory manipulation and prompt injection attacks.
• Memory is governed by Microsoft 365 security policies, including encryption, customer lockbox, and tenant isolation.
• Memory update events are logged and integrated into security tools like Defender and Sentinel for enhanced observability and incident response.
• Design principles for safe AI memory include establishing intent and provenance, enforcing boundaries outside the model, risk-based retrieval, lifecycle visibility, and user control.

Impact

• Persistent threats can arise from compromised AI memory, enabling attackers to influence AI behavior beyond single interactions.
• Delayed execution of malicious instructions can exfiltrate sensitive user data unnoticed over time.
• AI memory expands the attack surface and blast radius in AI systems, increasing security risks.

Recommendations

• Employ defense-in-depth strategies for AI memory security, including sanitization and prompt-injection detection.
• Monitor memory update audit logs within existing SOC workflows to detect anomalous activity.
• Apply strict policy controls over AI memory personalization and access.
• Maintain transparency and user controls for review, editing, and deletion of AI memory content.
• Continue investing in iterative improvements to guard against evolving AI memory threats.

Reference Links

• https://www.microsoft.com/en-us/security/blog/2026/06/22/guarding-ai-memory/