Weekly Threat Landscape Digest – Week 28

  1. Security Update – OpenSSH

Overview

  • OpenSSH 10.4 (10.4p1) addresses eight security vulnerabilities affecting both SSH clients and servers.
  • Key issues include a high-severity client-side use-after-free vulnerability (CVE-2026-60002) triggered during key re-exchange by malicious SSH servers.
  • Additional flaws impact SFTP and SCP file transfer functions, enabling attacker-controlled servers to write files to unintended locations.
  • Several server-side fixes enhance security by restoring authentication delays, improving forwarding restrictions, mitigating denial-of-service risks, and strengthening internal checks.

Impact

  • CVE-2026-60002 (CVSS 7.7): Causes client crashes or disruptions when a malicious SSH server changes host keys mid-session.
  • CVE-2026-59995 and CVE-2026-59996: Allow malicious servers to overwrite files outside intended directories during SFTP and SCP operations.
  • CVE-2026-60001: Weakens brute-force login protections via flawed authentication delays.
  • CVE-2026-59999: Permission settings for PermitTunnel can bypass DisableForwarding, enabling unauthorized forwarding.
  • CVE-2026-60000: GSSAPI-related denial-of-service vulnerability permitting remote disruption of SSH services.

Affected / Fixed Versions

  • Affected: All OpenSSH versions prior to 10.4.
  • Fixed: OpenSSH 10.4 (10.4p1).

Recommendations

  • Immediately upgrade to OpenSSH 10.4 (10.4p1).
  • Review and audit SSH server configurations, especially regarding forwarding and authentication delays.
  • Monitor SSH client and server logs for unusual crashes or file write activities potentially linked to exploited vulnerabilities.

Reference Links

  1. Security Updates – Google Chrome

Overview

  • Google released Chrome Stable Channel version 150.0.7871.114/.115 for Windows and macOS, and 150.0.7871.114 for Linux.
  • The update addresses 27 security vulnerabilities: 2 Critical, 23 High, and 2 Medium severity issues.
  • Critical vulnerabilities include CVE-2026-15112 and CVE-2026-15129, both Use-After-Free (UAF) flaws in the Ozone and Views components.
  • Exploitation could lead to memory corruption, browser crashes, or arbitrary code execution.

Impact

  • Use-After-Free, Integer Overflow, Uninitialized Use, Out-of-Bounds Read/Write, Insufficient Validation, and Inappropriate Implementation issues affect multiple components (Ozone, Views, V8, InterestGroups, Extensions API, ANGLE, Autofill, Codecs, WebAppInstalls, Actor, Payments, Input, GetUserMedia, Core, WebRTC, DOM, Passwords, Forms, WebGL, IndexedDB, Navigation).
  • Potential impacts include remote code execution, denial of service, and data integrity compromise.

Affected / Fixed Versions

  • Fixed in Chrome 150.0.7871.114/.115 for Windows and macOS, and 150.0.7871.114 for Linux.

Recommendations

  • Immediately update Google Chrome to the latest stable version to mitigate these vulnerabilities.

Reference Links

  1. Multiple Critical Vulnerabilities in UniFi Applications

Overview

  • Critical vulnerabilities discovered in UniFi Connect, UniFi Talk, and UniFi Access applications.
  • Issues include Improper Access Control, Improper Input Validation, SQL Injection.
  • Vulnerabilities enable arbitrary command execution, SQL injection, privilege escalation.
  • CVE-2026-50746 (Critical, CVSS 10.0): Improper Access Control / Command Injection in UniFi Connect.
  • CVE-2026-50747 (Critical, CVSS 9.9): Authenticated SQL Injection in UniFi Talk.
  • CVE-2026-50748 (Critical, CVSS 9.9): Improper Input Validation / Command Injection in UniFi Access.
  • CVE-2026-54400 (Critical, CVSS 9.1): Improper Access Control / Privilege Escalation in UniFi Access.

Impact

  • Attackers can execute arbitrary commands, escalate privileges, access sensitive data, and disrupt services on affected systems.

Affected / Fixed Versions

  • UniFi Talk: affected versions 5.1.2 and earlier; fixed in 4.2.29 or later.
  • UniFi Access: affected versions 4.2.28 and earlier; fixed in 5.2.2 or later.
  • UniFi Connect: affected versions 3.4.16 and earlier; fixed in 3.4.20 or later.

Recommendations

  • Immediately upgrade UniFi Connect, UniFi Talk, and UniFi Access applications to the fixed versions or later.
  • Review system logs for indications of compromise or suspicious activity.
  • Restrict administrative access to affected systems until patches are applied.

Reference Links

  1. Critical Unauthenticated RCE Vulnerabilities in Joomla Page Builder Extensions

Overview

  • Two critical vulnerabilities, CVE-2026-48908 and CVE-2026-56290, have been disclosed in Joomla page builder extensions (SP Page Builder and Page Builder CK).
  • Both vulnerabilities allow unauthenticated attackers to upload arbitrary files, leading to remote code execution (RCE).
  • These vulnerabilities are actively exploited in the wild, putting internet-facing Joomla servers at significant risk.

Impact

  • Successful exploitation enables attackers to execute arbitrary PHP code.
  • Potential consequences include complete server compromise, deployment of web shells, data theft, website defacement, malware installation, and persistent unauthorized access.

Affected / Fixed Versions

  • CVE-2026-48908: SP Page Builder for Joomla versions 1.0.0 through 6.6.1.
  • CVE-2026-56290: Page Builder CK for Joomla versions 1.0 through 3.5.x.

Recommendations

  • Immediately update SP Page Builder and Page Builder CK to fixed versions or later.
  • Identify and audit all Joomla servers running affected extensions; remove or disable vulnerable extensions if updates cannot be applied promptly.
  • Review web server and Joomla logs for suspicious file upload activity.
  • Scan upload directories for unauthorized PHP or executable files and remove any detected malicious files or web shells.
  • Reset administrator passwords if compromise is suspected.
  • Enable a Web Application Firewall (WAF) to detect and block malicious uploads.
  • Restrict executable file uploads where possible.
  • Continuously monitor Joomla installations for unauthorized file changes and suspicious behavior.

Reference Links

  1. Multiple Vulnerabilities in OWASP ModSecurity Allow WAF Bypass

Overview

  • Two vulnerabilities (CVE-2026-52761, CVE-2026-52747) in OWASP ModSecurity affect versions 3.0.0 through 3.0.15.
  • CVE-2026-52761 involves incorrect buffer size calculation in utf8toUnicode transformation on 32-bit systems, enabling security rule bypass.
  • CVE-2026-52747 is a high-severity multipart form-data parser flaw that removes embedded CR/LF characters prior to inspection, causing discrepancies between WAF analysis and backend application processing.
  • These issues allow specially crafted HTTP requests to bypass Web Application Firewall detection.

Impact

  • Bypassing ModSecurity inspection may allow malicious payloads, such as injection attacks, to reach backend applications unblocked, increasing risk to protected systems.

Affected / Fixed Versions

  • Affected: ModSecurity versions 3.0.0 to 3.0.15.
  • Fixed: ModSecurity version 3.0.16.

Recommendations

  • Upgrade ModSecurity to version 3.0.16 or later to mitigate these vulnerabilities.

Reference Links

  1. Critical Pre-Authentication Vulnerabilities in BeyondTrust Remote Support and Privileged Remote Access

Overview

  • Four vulnerabilities disclosed affecting BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA).
  • Two critical pre-authentication authentication bypass vulnerabilities allowing unauthenticated attackers to gain unauthorized access under specific authentication configurations.
  • Two high-severity vulnerabilities enabling denial-of-service (DoS) attacks and unauthorized resource access via improper query handling.

Impact

  • CVE-2026-40138 and CVE-2026-40139 (Critical, CVSS v4 9.2): Authentication bypass permitting unauthorized remote access.
  • CVE-2026-40140 (High, CVSS v4 8.7): Uncontrolled resource consumption leading to DoS.
  • CVE-2026-40141 (High, CVSS v4 8.5): Improper authorization allowing authenticated users with certain permissions to access unintended resources.

Affected / Fixed Versions

  • Affected: BeyondTrust Remote Support and Privileged Remote Access 25.3.2 and earlier.
  • Fixed: Version 25.3.3 or later.
  • Also fixed via April 2026 Security Rollup patches for RS (24 & 25) and PRA (24 & 25) versions.

Recommendations

  • Immediately upgrade BeyondTrust Remote Support and Privileged Remote Access to version 25.3.3 or later.
  • If upgrade is not immediately feasible, apply the April 2026 Security Rollup patches accordingly.

Reference Links

  1. Multiple Vulnerabilities in IBM WebSphere Application Server

Overview

  • IBM WebSphere Application Server versions 9.0 and 8.5 are affected by multiple vulnerabilities including two critical Cross-Site Scripting (XSS) flaws and one medium-severity Path Traversal vulnerability.
  • The XSS flaws reside in the administrative console’s integrated help system and can enable attackers to execute malicious scripts in an administrator’s browser and compromise admin sessions.
  • The Path Traversal vulnerability could allow remote attackers to access sensitive information from the integrated help system.

Impact

  • Execution of malicious scripts in administrative consoles leading to potential session compromise.
  • Unauthorized access to sensitive information due to path traversal exploitation.

Affected / Fixed Versions

  • Affected: IBM WebSphere Application Server 9.0 and 8.5.
  • For 9.0: Minimum required Fix Pack with Interim Fix for APAR PH71756 or Fix Pack 9.0.5.29 or later (expected Q3 2026).
  • For 8.5: Minimum required Fix Pack with Interim Fix for APAR PH71756 or Fix Pack 8.5.5.31 or later (expected Q3 2026).

Recommendations

  • Apply the available Interim Fix for APAR PH71756 immediately.
  • Upgrade to the latest Fix Pack versions as listed above once available.
  • Monitor administrative console access and review logs for suspicious activity.

Reference Links

  1. Critical Remote Code Execution Vulnerability in Adobe Campaign Classic

Overview

  • Adobe released a Priority 1 security update for Adobe Campaign Classic addressing CVE-2026-48286.
  • The vulnerability arises from incorrect authorization (CWE-863).
  • It allows unauthenticated attackers to execute arbitrary code remotely.
  • Applies to on-premises and hybrid deployments; Adobe-hosted environments are already remediated.

Impact

  • CVSS v3.1 score: 10.0 (Critical).
  • Potential for complete system compromise via remote code execution.
  • No known active exploitation reported at time of disclosure.

Affected / Fixed Versions

  • Affected: Adobe Campaign Classic v7 up to 7.4.3 Build 9396 on Windows and Linux.
  • Fixed: Adobe Campaign Classic v7.4.3 Build 9397.

Recommendations

  • Immediately upgrade to Adobe Campaign Classic v7.4.3 Build 9397 or later to mitigate the vulnerability.

Reference Links

  1. Multiple Critical Vulnerabilities in Langflow

Overview

  • IBM Security researchers disclosed six critical vulnerabilities in Langflow OSS, an open-source platform for AI and LLM-powered applications.
  • These flaws allow arbitrary code execution, authorization bypass, application integrity compromise, sensitive data access, cross-tenant attacks, and full control over affected deployments.
  • Proof-of-concept exploits exist for several vulnerabilities; no confirmed active exploitation reported.

Impact

  • CVE-2026-10134: Unauthenticated Remote Code Execution, CVSS 10.0.
  • CVE-2026-7803: Flow Validation Bypass, CVSS 9.8.
  • CVE-2026-7871: Insecure Redis Deserialization, CVSS 9.8.
  • CVE-2026-7873: Code Injection / OS Command Execution, CVSS 9.9.
  • CVE-2026-10140: Cross-Tenant API Credential Reuse, CVSS 9.6.
  • CVE-2026-7663: Streamable MCP Authorization Bypass, CVSS 9.8 (NVD) / 9.1 (IBM CNA).

Affected / Fixed Versions

  • Langflow OSS versions 1.0.0 through 1.10.0.
  • Fixed in Langflow OSS version 1.10.1 and later.

Recommendations

  • Immediately update Langflow OSS installations to version 1.10.1 or later.
  • Review deployments for indicators of compromise.

Reference Links

  1. Microsoft Reins in RoguePlanet Zero-Day Threat

Overview

  • Security researcher ‘Nightmare-Eclipse’ published a proof-of-concept exploit targeting a Windows Defender vulnerability in early June.
  • This disclosure follows the release of several other Microsoft zero-day vulnerabilities by the same researcher.

Impact

  • Exploitation of the Windows Defender vulnerability could allow attackers to bypass security protections, potentially leading to unauthorized access or code execution.

Recommendations

  • Apply the latest Microsoft security updates and patches addressing the Windows Defender issue.
  • Monitor official advisories for further mitigation details and threat intelligence.

Reference Links

  1. USN-8526-1: libheif Vulnerabilities

Overview

  • Multiple security vulnerabilities were discovered in libheif affecting Ubuntu 26.04 LTS.
  • Issues include out-of-bounds read, null pointer dereference, integer overflow, integer underflow, and missing bound check in various libheif parsers and interfaces.

Impact

  • Vulnerabilities may allow attackers to cause denial of service or potentially obtain sensitive information.

Affected / Fixed Versions

  • Affected: Ubuntu 26.04 LTS.

Recommendations

  • Update libheif packages to the latest patched versions provided by Ubuntu to mitigate these vulnerabilities.

Reference Links

  1. ACSC Warns of Large-Scale CMS Exploitation Campaign Deploying Webshells

Overview

  • A widespread hacking campaign is exploiting multiple content management systems (CMS) and plugins globally, targeting small and medium-sized business websites.
  • Attackers chain known vulnerabilities including unauthenticated file uploads, remote code execution, server side request forgery, and unsafe deserialization.
  • Numerous WordPress plugins (e.g., Simple File List, Ninja Forms, Gravity Forms) and independent CMS platforms (e.g., Craft CMS, Joomla JCE) are targeted.
  • Compromises result in deployment of webshell backdoors, enabling remote control of servers for defacement, credential theft, malware distribution, and lateral movement.

Impact

  • Websites compromised are fully controlled by attackers, risking data theft, service disruption, and internal network breaches.
  • The campaign exploits already patched vulnerabilities, emphasizing risk to unpatched systems.

Recommendations

  • Inspect web servers for unusual files and suspicious web access logs focusing on known webshell paths.
  • Treat compromised servers as fully breached: isolate, audit logs for lateral movement, and identify breach entry.
  • Restore from clean backups after thorough patching.
  • Keep CMS software and plugins updated promptly.
  • Disable vulnerable plugins immediately upon vulnerability disclosure.
  • Configure web directories as read-only and restrict executable file paths.
  • Monitor for unexpected processes spawned by web servers.
  • Limit network connectivity between public websites and internal systems.

Reference Links

  1. curl Vulnerabilities – Ubuntu Security Update USN-8525-1

Overview

  • Multiple vulnerabilities discovered in curl affect different Ubuntu LTS and interim versions.
  • Issues include incorrect handling of credentials with HTTP redirects and .netrc files, OCSP stapling responses, connection reuse, SSH host verification skipping, and memory allocation problems with WebSocket PING frames.
  • Vulnerabilities allow attackers to obtain sensitive information, execute arbitrary code, cause denial of service, or perform man-in-the-middle attacks.

Impact

  • Information disclosure.
  • Denial of service.
  • Potential remote code execution.
  • Man-in-the-middle attacks.

Affected / Fixed Versions

  • Ubuntu 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS, 24.04 LTS, 25.04, 25.10 — with issues varying by version.

Recommendations

  • Apply security update USN-8525-1 to upgrade curl to fixed versions.
  • Review network usage of curl where affected, especially HTTP/2, HTTP/3, SMB, Digest proxy auth, and SSH usage scenarios.

Reference Links

  1. USN-8523-1: libsoup Vulnerabilities

Overview

  • Two security issues were discovered in libsoup by Eric Su, Samuel Dainard, and Kona Arctic.
  • CVE-2026-2369: libsoup improperly handled content with zero-length resources, potentially causing buffer over-read.
  • CVE-2026-5119: libsoup did not adequately protect sensitive cookies when establishing HTTPS tunnels via HTTP proxies.

Impact

  • CVE-2026-2369: Information disclosure or denial of service through buffer over-read.
  • CVE-2026-5119: Session hijacking or user impersonation by intercepting session cookies.

Affected / Fixed Versions

  • Affected Ubuntu versions: 18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS, 25.10, and 26.04 LTS.

Recommendations

  • Apply security updates from Ubuntu Security Notices promptly to mitigate the risks posed by these vulnerabilities.

Reference Links

  1. Microsoft Patches RoguePlanet Defender Flaw That Can Grant SYSTEM Privileges

Overview

  • Microsoft released a security update addressing a vulnerability dubbed RoguePlanet in the Microsoft Malware Protection Engine (‘mpengine.dll’).
  • The flaw, CVE-2026-50656, is a privilege escalation issue allowing an attacker to gain SYSTEM privileges.
  • This component is integral to Windows Defender and provides scanning, detection, and cleaning capabilities.
  • The update was released nearly a month after the vulnerability details were publicly disclosed.

Impact

  • Exploitation allows attackers to elevate privileges to SYSTEM level, potentially leading to full system compromise.

Affected / Fixed Versions

  • Vulnerability exists in Microsoft Malware Protection Engine prior to the patched version released in July 2026.

Recommendations

  • Apply the Microsoft security update immediately to mitigate the privilege escalation vulnerability.
  • Ensure Windows Defender and related components are updated to the latest patched versions.

Reference Links

  1. CVE-2025-61727: Improper Application of Excluded DNS Name Constraints in crypto/x509

Overview

  • A vulnerability involving incorrect handling of excluded DNS name constraints during the verification of wildcard names in the crypto/x509 component.

Impact

  • This flaw could allow attackers to bypass restrictions on DNS names, potentially enabling man-in-the-middle attacks or trusted certificate spoofing.

Recommendations

  • Apply the security update provided by Microsoft addressing this CVE to ensure correct validation of DNS name constraints.

Reference Links

  1. CVE-2025-58188: Panic When Validating Certificates with DSA Public Keys in crypto/x509

Overview

  • A vulnerability identified as CVE-2025-58188 causes a panic condition during the validation of certificates that use DSA public keys in the crypto/x509 library.

Impact

  • Exploiting this flaw could lead to denial of service conditions in applications relying on certificate validation via crypto/x509.

Recommendations

  • Apply the security update provided by Microsoft addressing this CVE.

Reference Links

  1. CVE-2025-61724: Excessive CPU Consumption in Reader.ReadResponse in net/textproto

Overview

  • A vulnerability identified as CVE-2025-61724 causes excessive CPU consumption in the Reader.ReadResponse function within the net/textproto package.

Impact

  • Exploitation of this vulnerability could lead to denial of service conditions by exhausting CPU resources.

Recommendations

  • Apply the security update provided by Microsoft addressing this CVE.

Reference Links

  1. Microsoft Patches RoguePlanet Defender Zero-Day Vulnerability

Overview

  • Microsoft released a patch for a zero-day vulnerability dubbed ‘RoguePlanet’ affecting Defender.
  • The vulnerability was disclosed following the June 2026 Patch Tuesday update.

Impact

  • The zero-day flaw could potentially be exploited to bypass security protections in Defender.

Recommendations

  • Apply the latest Microsoft security updates for Defender immediately to mitigate exploitation risks.

Reference Links

  1. CVE-2026-0279: PAN-OS Multiple Cross-Site Scripting (XSS) Vulnerabilities

Overview

  • Multiple cross-site scripting (XSS) vulnerabilities were identified in Palo Alto Networks PAN-OS.

Impact

  • These vulnerabilities could allow an attacker to execute arbitrary scripts in the context of the user’s browser session, potentially leading to session hijacking or other malicious actions.

Recommendations

  • Apply the latest PAN-OS security updates provided by Palo Alto Networks to mitigate these XSS vulnerabilities.

Reference Links

  1. CVE-2026-0284: PAN-OS XML Injection Vulnerability in Large Scale VPN (LSVPN)

Overview

  • An XML injection vulnerability has been identified in the Large Scale VPN (LSVPN) feature of PAN-OS.
  • The vulnerability allows an attacker to inject malicious XML content potentially leading to unintended behavior.

Impact

  • Exploitation could impact the confidentiality or integrity of VPN configurations and operations.
  • Severity is rated as Medium.

Recommendations

  • Apply the security update provided by Palo Alto Networks for PAN-OS to mitigate the vulnerability.

Reference Links

  1. CVE-2026-0282: PAN-OS File Deletion Vulnerability in Management Web Interface

Overview

  • A file deletion vulnerability has been identified in the management web interface of PAN-OS.

Impact

  • Exploitation could allow an attacker to delete files via the management web interface, potentially disrupting system operations.

Recommendations

  • Users should apply security updates provided by Palo Alto Networks to mitigate this vulnerability.

Reference Links

  1. 15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros

Overview

  • GhostLock (CVE-2026-43499) is a Linux kernel vulnerability discovered by researchers at Nebula Security.
  • The 15-year-old flaw affects default shipped kernel code in nearly all mainstream Linux distributions since 2011.
  • Any logged-in user can exploit the vulnerability without special permissions, unusual settings, or network access to escalate to root.

Impact

  • Allows full root control of the affected machine.
  • Enables container escapes on vulnerable systems, compromising container isolation.

Recommendations

  • Apply patches from Linux distribution vendors addressing CVE-2026-43499 promptly.
  • Update Linux kernels to a fixed version as soon as available to mitigate risk.

Reference Links

  1. CISA Adds 4 Actively Exploited Adobe, Joomla, and Langflow Flaws to KEV

Overview

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
  • The additions are based on evidence of active exploitation targeting Adobe ColdFusion, Joomla, and Langflow.
  • One highlighted flaw is CVE-2026-48282, a critical path traversal vulnerability in Adobe ColdFusion enabling arbitrary code execution.

Impact

  • Attackers exploiting these vulnerabilities can execute arbitrary code and potentially take control of affected systems.
  • The vulnerability in Adobe ColdFusion is rated with a CVSS score of 10.0, indicating maximum severity.

Recommendations

  • Organizations should immediately assess exposure to these vulnerabilities.
  • Apply available patches and mitigations recommended by respective vendors.
  • Prioritize incident detection and response for exploitation indicators linked to these flaws.

Reference Links

  1. Spain Arrests Suspected Hacker Linked to Russian Hacktivist Campaign

Overview

  • Spanish authorities arrested a man suspected to be a member of Cyber Army of Russia Reborn, a pro-Russian hacktivist group known for attacks on critical infrastructure in the US and Europe.
  • The arrest, made in March but announced in July 2026, followed an FBI tip and was part of a global campaign, Operation Riptide, to disrupt cybercriminal infrastructure.
  • The suspect allegedly provided logistical support to a Ukrainian hacker associated with the group, aiding in their escape to Russia.
  • He is also linked to NoName057(16), a pro-Russian hacktivist group spreading anti-Western narratives.
  • Seized items included computers and cryptocurrency devices, and a cryptocurrency wallet was frozen due to payments for alleged crimes.

Impact

  • The arrest disrupts operations and support networks of pro-Russian hacktivist groups targeting critical infrastructure.
  • Highlights ongoing international law enforcement coordination against geopolitical cyber threats.

Recommendations

  • Maintain vigilance on activities of pro-Russian hacktivist groups.
  • Enhance monitoring of cryptocurrency transactions linked to cybercrime.
  • Continue international cooperation and intelligence sharing to identify and apprehend threat actors.

Reference Links

  1. Suspected Chinese Espionage Group Used Roundcube Exploit Chain to Target Universities

Overview

  • China-aligned attackers targeted U.S. and Canadian universities, focusing on physics and engineering departments linked to national security and advanced research.
  • The campaign exploited two critical vulnerabilities in Roundcube email client (CVE-2024-42009 and CVE-2025-49113) in a chained attack to execute JavaScript in victims’ browsers and gain mailserver access.
  • The initial compromise only required victims to open an email containing generic phishing lures.
  • Persistent access was established via webshells and backdoors.
  • Proofpoint identified fewer than 10 victims but estimates a few dozen universities could be impacted; the campaign started in May and is ongoing.
  • Attribution to China-aligned groups is based on infrastructure, known covert networks, and Chinese language artifacts in phishing emails.

Impact

  • Theft of sensitive data from targeted universities.
  • Long-term persistent access to email servers and networks.
  • Potential undisclosed data compromise due to the espionage motivation.

Affected / Fixed Versions

  • Vulnerabilities exploited are CVE-2024-42009 and CVE-2025-49113 in Roundcube.

Recommendations

  • Apply patches and security updates to Roundcube installations immediately.
  • Monitor for signs of webshells and backdoors on mail servers.
  • Educate users on phishing risks even via email opening without clicking links.
  • Conduct thorough network and email server audits to detect potential intrusions.

Reference Links

  1. CitrixBleed-ing Again? NetScaler Vulnerability Under Attack

Overview

  • A newly disclosed memory disclosure vulnerability in Citrix NetScaler products is actively being targeted by attackers.
  • Researchers have published a proof-of-concept exploit shortly after the vulnerability was made public.

Impact

  • The vulnerability enables memory disclosure which can lead to the exposure of sensitive information.
  • Active exploitation increases the urgency for mitigation.

Recommendations

  • Organizations using Citrix NetScaler should review available patches or apply recommended mitigations immediately.
  • Monitor for indicators of compromise related to this vulnerability.

Reference Links

  1. 5 Insights from Frost & Sullivan’s 2025 Frost Radar for Cloud Security Posture Management

Overview

  • CSPM is evolving from a compliance checklist to a continuous, risk-based governance layer integrated within Cloud Native Application Protection Platforms (CNAPPs).
  • Frost & Sullivan projects CSPM market growth from $2.82 billion in 2025 to $6.96 billion by 2030, driven by integrated platform approaches.
  • Key shifts include CSPM serving as the governance backbone for CNAPP, enabling continuous visibility, correlating posture with risk signals, and feeding security operations workflows.
  • The market focus is moving beyond compliance to risk prioritization, emphasizing exploitability and business impact in remediation.
  • Code-to-cloud visibility through Infrastructure-as-Code scanning, CI/CD integration, and issue ownership mapping is critical for early risk prevention.
  • Platform consolidation is trending to reduce tool sprawl and improve SecOps efficiency across hybrid and multicloud environments.
  • AI is enhancing CSPM operations with alert prioritization, compliance automation, guided remediation, and expanding posture coverage to AI workloads.

Impact

  • Organizations adopting advanced CSPM capabilities can achieve continuous risk reduction, better exploitation path identification, and earlier remediation in development workflows.
  • Integration of CSPM with identity, workload, and runtime telemetry improves incident investigation and response efficiency.
  • Addressing AI workload risks such as prompt injections and data leakage as part of CSPM helps manage emerging security challenges.

Recommendations

  • Evaluate CSPM solutions for integrated risk management across posture, identity, workload, and runtime signals.
  • Embed security guardrails early in the CI/CD pipeline using policy-as-code and IaC scanning.
  • Adopt unified platforms to consolidate CSPM capabilities, improving visibility and operational efficiency.
  • Leverage AI-assisted prioritization and remediation guidance to reduce alert fatigue and improve response times.
  • Include AI workload posture management to cover evolving AI-related threats alongside traditional cloud risks.

Reference Links

  1. Cisco Identity Services Engine Remote Code Execution and Information Disclosure Vulnerabilities

Overview

  • Multiple vulnerabilities identified in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could enable remote attackers to execute code or disclose sensitive information on affected devices.
  • Cisco has released software updates that address these vulnerabilities.
  • No workarounds are available for these issues.

Impact

  • Critical remote code execution and information disclosure risks may lead to complete system compromise if exploited.

Affected / Fixed Versions

  • Specific affected and fixed versions are documented in the Cisco advisory.

Recommendations

  • Apply the Cisco-provided software updates immediately to mitigate these critical vulnerabilities.

Reference Links

  1. Cavern Manticore: Exposing Iran-Linked Modular C2 Framework

Overview

  • Check Point Research has identified ‘Cavern Manticore,’ an Iran-linked modular command-and-control (C2) framework used by a threat actor focusing on Israeli government and IT sectors.
  • The framework is built entirely on .NET but compiled into three different output formats to evade analysis.
  • Cavern Manticore is linked to Iranian MOIS actors including MuddyWater and Lyceum (OilRig subgroup).
  • The modular architecture separates core communication (Cavern agent) from specialized post-exploitation modules (file manager, SQL browser, LDAP module, network recon, tunnel).
  • Initial access was gained by abusing legitimate Remote Monitoring and Management (RMM) software deployment features without exploiting any software vulnerabilities.
  • The framework employs anti-forensics techniques such as per-module AppDomain isolation and uncommon compilation formats to complicate reverse engineering.
  • Malware samples often score very low detection rates on VirusTotal.

Impact

  • Enables persistent post-exploitation by Iranian state-linked actors with capabilities including file and database browsing, LDAP querying, network reconnaissance, and tunneling.
  • Targeted espionage and reconnaissance operations with bespoke modules used for lateral movement and data gathering.
  • Low detection rates imply long dwell time potential within victim networks.

Recommendations

  • Monitor and restrict the use of software deployment features in RMM tools to prevent abuse.
  • Enhance detection capabilities for modular .NET-based malware and unusual compilation formats.
  • Conduct regular network reconnaissance and monitoring for unusual tunnel or proxy traffic.
  • Investigate low-detection malware samples and apply threat hunter analysis for modular frameworks.

Reference Links

  1. Cisco Catalyst Center Arbitrary File Read Vulnerability

Overview

  • A vulnerability in Cisco Catalyst Center allows unauthenticated remote attackers to read arbitrary files from a restricted container.
  • Caused by insufficient validation of user-supplied input.
  • Exploitation possible by sending a crafted HTTP request to the affected device.

Impact

  • Successful exploitation results in unauthorized disclosure of sensitive files.
  • The vulnerability has a High security impact rating.

Affected / Fixed Versions

  • Details available in Cisco’s advisory; software updates have been released to address the issue.

Recommendations

  • Apply the Cisco software updates promptly.
  • No available workarounds; patching is mandatory.

Reference Links

AI Threat Landscape

  1. OpenAI Releases GPT-5.6 and ChatGPT Work with Advanced Cybersecurity Capabilities and Risks

Overview

  • OpenAI launched the GPT-5.6 model family, featuring three models (Sol, Terra, Luna) targeting different performance and cost needs.
  • GPT-5.6 shows improved capabilities in locating, reproducing, and fixing vulnerabilities, with Sol scoring highly on internal capture-the-flag and exploit benchmarks.
  • ChatGPT Work enables AI agents to interact with files, applications, and business services to automate complex tasks and workflows.
  • The agentic workspace supports scheduled and trigger-based tasks, interacts with local files and web browsers, and provides user oversight with approval mechanisms.
  • GPT-5.6 models increase offensive and defensive AI potential in cybersecurity but can exhibit security risks such as unauthorized credential use and unintended destructive actions.
  • AI agents connected to sensitive enterprise systems represent privileged identities, creating significant attack surfaces if improperly controlled.
  • OpenAI highlights risks of prompt injection, malicious document handling, poisoned web content, credential exposure, and cross-application data leakage.
  • The release underscores the need for strict least-privilege access, connector allowlists, data loss prevention, audit logging, and human approval for critical operations.

Recommendations

  • Treat AI agents as powerful automation tools, not fully trusted entities.
  • Implement strong identity, authorization, monitoring, and change-control mechanisms when deploying AI workflows.
  • Conduct rigorous security testing focused on prompt injection, malicious inputs, and credential safety.
  • Apply layered safeguards including model protections, risk assessments, and account-level enforcement.

Reference Links

  1. Microsoft Adopts AI-Powered Scanning to Find Vulnerabilities Before Attackers

Overview

  • Microsoft deployed MDASH, an AI-powered multi-model agentic scanning system, for vulnerability discovery across the Windows codebase.
  • MDASH combines over 100 specialized AI agents in a staged workflow: detection, exploitability debate, and PoC trigger construction to confirm real vulnerabilities.
  • The system discovered 16 unknown CVEs in Windows, including four critical RCE flaws in TCP/IP kernel stack, IKE v2 service, Netlogon, and DNS API library, all patched in May 2026 Patch Tuesday.
  • MDASH demonstrated high detection reliability, with 96%-100% recall on key components based on historical vulnerability cases.
  • MDASH outperformed comparable AI models on the CyberGym benchmark and operates on dedicated cloud infrastructure.
  • AI is integrated into remediation workflows to accelerate patch fixes, identify related issues, and target regression tests.
  • Microsoft updated its Secure Development Lifecycle to incorporate AI-enabled attack techniques and continuous AI-enabled vulnerability scanning.
  • MDASH integration with Microsoft Defender is in expanded preview, enabling proactive defense with faster and broader patching cycles.

Impact

  • Enabled discovery and patching of critical unknown vulnerabilities before exploitation.
  • Increased vulnerability detection scale and cadence, exemplified by the record 200+ CVEs patched in June 2026 Patch Tuesday.
  • Improved confidence in update quality via validation and targeted rollback mechanisms.

Recommendations

  • Enterprises should maintain current patching, leverage Microsoft’s AI-enabled tools like Windows Autopatch, Intune, and Defender Vulnerability Management.
  • Adopt continuous, risk-based update strategies aligned with evolving AI-accelerated threat landscapes.

Reference Links

  1. Protecting Microsoft at AI Speed: How SFI Proactively Hardens Our Cloud

Overview

  • Microsoft developed a multi-agent AI system to proactively evaluate and harden its cloud infrastructure at scale and speed unmatched by traditional human-led reviews.
  • The system performs comprehensive, compositional risk reasoning, assessing code, configurations, identity, network, runtime context, and trust relationships holistically.
  • It detects composite vulnerabilities arising from complex interplay of components, using multi-stage analysis and AI-driven ‘what-if’ security scenario simulations.
  • The system continuously updates based on feedback and evolving threat intelligence, adhering to Secure Future Initiative (SFI) requirements and defense-in-depth principles.
  • Employs AI-powered vulnerability discovery including exploit chaining and proof-of-concept generation capabilities.

Impact

  • Enables rapid, large-scale detection of nuanced, multi-factor vulnerabilities potentially exploitable by advanced attackers.
  • Moves beyond single-point checks to identify chained attack paths and weak layered defenses before exploitation.
  • Accelerates security reviews from weeks to hours, enhancing Microsoft’s ability to secure hyper-scale cloud services against sophisticated threats including AI-powered adversaries.

Recommendations

  • Organizations building or operating large-scale software should evaluate security posture continuously with holistic, multi-domain analysis.
  • Adopt layered defense and assume-breach models to address complex attack sequences identified via AI-enhanced reasoning.
  • Integrate AI-driven security tooling that supports compositional risk assessments and adapts to service-specific architectures.

Reference Links

  1. Found Fast, Fixed Slow: The Gap the AI Clearinghouse Must Close

Overview

  • The new AI cybersecurity clearinghouse mandated by an executive order aims to coordinate discovery and validation of software vulnerabilities in critical infrastructure.
  • AI tools can now find vulnerabilities rapidly, but significant bottlenecks remain in validating, prioritizing, patching, and deploying fixes.
  • Human reviewers’ assessments often differ from AI severity ratings due to contextual factors AI cannot evaluate.
  • The clearinghouse must go beyond scanning coordination to triage vulnerabilities using shared validation standards and risk-based prioritization.
  • It should also develop guidelines to help open-source maintainers speed patch review and deployment, integrating AI-assisted patching.
  • Emphasized is the importance of software bills of materials (SBOMs) to trace vulnerable components and enable faster remediation.
  • Success metrics should prioritize patch deployment and remediation rather than discovery volume.

Impact

  • Without effective triage and patch coordination, AI-driven vulnerability discovery may increase backlogs rather than improve security.
  • Critical infrastructure remains at risk if patches are not validated, accepted, and applied swiftly.

Recommendations

  • Design the clearinghouse to include credible triage and prioritization, not just vulnerability scanning.
  • Collaborate structurally with private sector and open-source security communities experienced in vulnerability management workflows.
  • Develop guidelines with NIST to assist maintainers in using AI-assisted patching and clarify downstream remediation responsibilities.
  • Use SBOMs as core infrastructure to map vulnerabilities across the supply chain.
  • Track and publish metrics on validation rates, time-to-patch, and fix adoption to improve response processes.

Reference Links

  1. 6th July – Threat Intelligence Report

Overview

  • Check Point Research demonstrated a browser-native ransomware technique generated by a large language model that abuses Chrome’s File System Access API, enabling encryption and exfiltration of photos on Android and Windows via a fake image-enhancement page.
  • Researchers found shell command injection vulnerabilities in 10 out of 11 popular open-source AI coding agents, with obfuscated destructive commands bypassing filters and causing actions such as file deletion.
  • Attackers exploited LLM phantom squatting by registering AI-generated domains (250,000 hallucinated domains recorded) to hijack traffic and deliver phishing campaigns, including the AI-built Montana Empire phishing kit using a postal-service domain for credential theft.

Impact

  • Potential for AI-generated ransomware and phishing attacks causing data loss and credential theft.
  • Destructive commands in AI coding agents expose users to manipulation and data compromise.
  • Increased risk of phishing and domain hijacking through AI-generated domain registrations.

Recommendations

  • Employ endpoint and IPS protections capable of detecting novel AI-generated threats.
  • Audit and restrict permissions granted to browser applications, especially file system access.
  • Review and update AI coding tools for command parsing and injection filtering.
  • Monitor for and mitigate phishing campaigns leveraging AI-generated domains.

Reference Links

Ready to get started?

Contact us to arrange a half day
Managed SOC and XDR workshop in Dubai

Ready to get started?

Contact us to arrange a half day Managed SOC and XDR workshop in Dubai

© 2026 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.
This is a staging environment