Critical vulnerabilities, active threats, and security news — curated for professionals.
Logic flow weakness in certificate validation in deprecated IKEv1 key exchange allows unauthenticated remote attacker to bypass user authentication and establish VPN connection. Actively exploited in the wild since May 7, 2026. Qilin ransomware affiliate linked to exploitation.
Newly identified China-linked threat cluster using a custom three-web-shell framework for remote access, command execution, and data exfiltration. Discovered by ReliaQuest researchers using agentic AI.
Google and FBI joint advisory: SRG sends fake IT workers in-person to law firms, uses USB drops and remote access tools to compromise networks and deploy ransomware.
Qilin ransomware affiliate exploiting CVE-2026-50751 (Check Point VPN zero-day) for initial access and ransomware deployment.
CVE-2026-28318 (CVSS 7.5) allows unauthenticated attackers to crash SolarWinds Serv-U via crafted POST requests. Federal agencies must patch by June 19, 2026.
Critical logic bug in Instagram web-based password reset flow exposed unredacted email addresses and phone numbers. Demonstrated June 6, 2026. Meta has fixed the issue.
Former IBM cybersecurity executive alleges core network was routinely hacked by foreign state actors over several years with data exfiltrated and breaches covered up.
Major incidents highlighted include massive DOGE data breach, hacking of critical energy/water systems, and compromise of FBI surveillance system.
Google June 2026 Android update patches 124 flaws including CVE-2025-48595, a Framework zero-day actively exploited in targeted attacks. CISA added it to the KEV catalog June 2.
Sovereign office suite Euro-Office launches June 9, 2026 as Europe's open-source answer to Microsoft Office and Google Docs, integrated with Nextcloud Hub 26.
Insufficiently protected credentials vulnerability allowing remote unauthenticated attackers to access credentials and restricted data.
Stack-based buffer overflow in Windows Netlogon service enabling remote code execution on domain controllers. Actively exploited in the wild.
Critical stack-based buffer overflow in the Web Management Interface allowing remote code execution without authentication.
Unauthenticated OS command injection vulnerability via SSH tunnel command. Update to version 2.3.2 to fix.
New Gafgyt variant exploiting CVE-2021-27137 in DD-WRT firmware to hijack devices. Spreads across multiple CPU architectures and removes rival malware.
Chinese espionage group UNC5221 deploying Brickstorm backdoor to maintain persistent access to compromised Microsoft 365 environments.
Ransomware group using fake IT support calls and in-person visits to gain physical access to law firms. FBI and Google issued joint warning.
IBM Trusteer discovered new financial malware with remote access trojan capabilities designed for on-device fraud.
Former IBM VP of Threat Intelligence filed a whistleblower lawsuit alleging IBM and AT&T concealed multiple breaches by Chinese hackers, including 56,000+ network hits.
New feature limits outbound ChatGPT requests to reduce prompt injection data exfiltration risk. Rolled out June 5 to all ChatGPT accounts.
CVE-2026-20245 (CVSS 7.8) allows authenticated local attackers to execute arbitrary commands as root on Cisco Catalyst SD-WAN Manager. Actively exploited, no patch available.
Researchers detail a five-step attack chain that silently redirects Claude Code MCP traffic through attacker-controlled servers to steal OAuth tokens.
Mid-year roundup covering DOGE data breach, critical energy/water system hacks, FBI surveillance system compromise, and Telus breach (700TB stolen by ShinyHunters).
Remote Code Execution via security control bypass. Attacker can bypass security controls and execute arbitrary code.
Remote Code Execution via deserialization of untrusted data in JAX-WS endpoints with WS-Security.
Identity spoofing vulnerability allowing attacker to impersonate legitimate users.
Unauthenticated SSRF vulnerability allowing file writes. PoC exploit code publicly available. No workarounds.
Mass assignment vulnerability in MISP user edit functionality due to insufficient filtering.
XSS vulnerability actively exploited. Added to CISA Known Exploited Vulnerabilities catalog May 15, 2026.
Zero-day actively exploited. Patched in Google June 2026 Android Security Update. Added to CISA KEV on June 3, 2026.
Improper authentication privilege escalation flaw added to CISA KEV. Federal agencies required to patch by June 5, 2026.
Use-after-free RCE vulnerability discovered by autonomous AI security tool. Affects all stable versions since Redis 7.2.0.
Compromised 32+ packages (90+ versions) under @redhat-cloud-services npm namespace. Steals GitHub credentials, cloud platform keys, SSH keys, and npm tokens. Auto-propagates through CI/CD environments.
Large-scale campaign infecting over 116,000 systems since January 2026. Distributed via YouTube SEO poisoning and fake mod downloads. MaaS platform costs as little as $5/month. 2,000-3,000 new infections daily.
Chinese-speaking cybercrime group expands to Europe. Deploys previously undocumented Atlas backdoor using credential phishing and social engineering.
Abuses Google's DoubleClick ad platform to deliver RAT via 5-stage infection chain. Evades traditional detection by routing traffic through legitimate Google domains.
Autonomous AI tool (Codex) discovers HTTP/2 Bomb DoS exploit affecting NGINX, Apache HTTPD, IIS, Envoy, Cloudflare Pingora. Single connection holds 32GB memory in 20 seconds. NGINX patched; Apache not yet.
Google patches 124 Android vulnerabilities including actively exploited zero-day CVE-2025-48595 in Framework component. CISA adds it to KEV with June 5 remediation deadline.
CISA adds CVE-2025-48595 (Android) and CVE-2022-0492 (Linux Kernel) to Known Exploited Vulnerabilities catalog. Federal agencies ordered to patch by June 5, 2026.
CVE-2026-20230 allows unauthenticated SSRF in Cisco Unified Communications Manager. PoC exploit code publicly available. No workarounds available.
ShinyHunters continues targeting Instructure's Canvas LMS, claiming 275M records stolen. Hackers defaced Canvas login pages for multiple schools. Ongoing threat to educational institutions.
CVE-2026-23479: Use-after-free RCE in Redis undetected for over 2 years. Found by autonomous AI security tool. Affects all versions since Redis 7.2.0.
32+ @redhat-cloud-services npm packages compromised. Worm-like malware steals credentials from CI/CD environments. Microsoft, Wiz, Snyk publish analysis.
Critical stack buffer overflow in Windows Netlogon allowing remote code execution. Actively exploited in the wild; Belgium's CCB has issued warnings.
Remote command injection in formWPS function (/goform/formWPS). Unauthenticated remote attackers can execute arbitrary commands.
Origin validation vulnerability added to CISA KEV catalog on May 22, 2026. Evidence of active exploitation; federal agencies required to patch by June 4, 2026.
Compromised 90+ versions of @redhat-cloud-services npm packages. Malicious preinstall hook steals credentials and spreads via trusted CI/CD workflows. Linked to Mini Shai-Hulud malware family.
Russian APT group Gamaredon exploiting WinRAR vulnerability. GammaPhish (HTA payload) retrieves VB Script dropping GammaWorm (persistence) and GammaSteel (data theft).
Active since mid-2025. Uses fake LinkedIn recruiter messages and social engineering to target crypto developers with custom macOS Python-based malware for digital asset theft.
New single-machine DoS technique exploiting HTTP/2 stream handling. nginx patched; Apache patch still pending. Discovered by OpenAI Codex agent under Calif researchers.
124 Android vulnerabilities patched. CVE-2025-48595 (Framework component) under active exploitation. Affects Samsung Galaxy and Pixel devices.
Local privilege escalation in Linux kernel CIFS subsystem. Allows low-privileged users to gain root. PoC exploit code publicly released. Affects multiple distributions.
June 3, 2026: CISA added actively exploited Android and Linux kernel vulnerabilities to KEV, mandating federal agencies to patch.
Authentication bypass in Palo Alto Networks PAN-OS GlobalProtect VPN (CVSS 7.8). Allows unauthorized VPN connections. Rapid7 discovered active exploitation in the wild.
Critical information disclosure vulnerability allowing unauthenticated remote attackers to disclose sensitive information over a network. CVSS v3.1 vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
Authentication bypass in GlobalProtect portal and gateway. Actively exploited in the wild since May 17, 2026. Added to CISA KEV catalog. Enables unauthorized VPN access.
Privilege escalation vulnerability (possibly to root) in LiteSpeed User-End cPanel Plugin before v2.4.5. Actively exploited in the wild in May 2026. Added to CISA KEV.
Unauthenticated privilege escalation via account takeover in Kirki Freeform Page Builder. Affects ~150,000 WordPress sites. Allows attacker to reset any user's password to attacker-controlled email.
Compromised 30+ official @redhat-cloud-services npm packages on June 1, 2026. Malicious preinstall hook steals credentials. Tied to threat actor TeamPCP.
Fake audio fix utility that extracts stored browser credentials, SSH keys, and cryptocurrency wallets from compromised macOS systems.
Device code phishing attacks abusing OAuth 2.0 Device Authorization Grant flow have surged 37x in 2026. New phishing kits like EvilTokens enable low-sophistication attackers to hijack accounts.
Google patched 124 Android vulnerabilities including CVE-2025-48595 (CVSS 8.4), a Framework component zero-day under limited targeted exploitation. Affects Android 14, 15, and 16.
CISA added CVE-2024-21182 (CVSS 7.5) affecting Oracle WebLogic Server to its KEV catalog on June 1, 2026. The flaw allows unauthenticated attackers to take over affected servers via the T3 protocol.
A local privilege escalation vulnerability (CVSS 7.8) in the Linux kernel's CIFS/SMB client subsystem discovered via LLM-assisted research. Allows any low-privileged local user to escalate to root on affected distributions.
Malicious version 18.95.0 of Nx Console VS Code extension published, stealing developer credentials. Affected organizations include OpenAI and Grafana. Added to CISA KEV catalog.
Stack-based buffer overflow in Windows Netlogon allows unauthenticated remote code execution on domain controllers. Belgium's CCB confirmed active exploitation in the wild. Patched in May 2026 Patch Tuesday; patch immediately.
Critical vulnerability allows unauthenticated attackers to create administrative accounts on WordPress sites running vulnerable versions. Over 1,700 attacks blocked in the past 24 hours. Actively exploited.
Unsafe serialization of stdio commands in the MCP adapter allows attackers to add a malicious MCP stdio server with an arbitrary command, achieving OS-level code execution, often as root in containerized deployments. Public exploit code available.
Critical flaw actively exploited to deploy 'EKZ Infostealer' credential-stealing malware across managed endpoints via trusted endpoint management infrastructure.
Any authenticated Gogs user can achieve RCE by creating a pull request with a malicious branch name that injects --exec into git rebase during merge. No patch available.
SQL injection in Ghost's Content API allowing unauthenticated data reads. Exploited to inject malicious JavaScript for ClickFix attacks on 700+ sites.
Maximum-severity incorrect privilege assignment flaw. Any cPanel user (including compromised accounts) can run arbitrary scripts with root privileges. Under active exploitation.
Over 30 npm packages compromised to distribute self-propagating credential-stealing worm. Uses install-time execution, credential harvesting, CI/CD targeting, and encrypted exfiltration.
Large-scale campaign using zTDS Traffic Distribution System to redirect visitors to ClickFix social engineering or FakeUpdate lures. Operates as pay-per-install model for follow-on attacks.
Functional npm package advertised as OpenAI Codex remote web UI silently exfiltrates Codex authentication tokens. GitHub repo appears clean; malicious code is only in the npm package.
Spear-phishing with ZIP attachments delivering AdaptixC2 agent via Rust-based loader. Multi-stage infection chain for data exfiltration and remote control.
Malware campaign hides C2 data in Steam Community profile comments, an evasive technique leveraging a legitimate platform to avoid detection.
Dashlane disclosed a brute-force attack on May 31 targeting 2FA bypass. Fewer than 20 personal-plan users had encrypted vaults downloaded. Vaults remain encrypted; accounts secured.
Dutch authorities seized C2 servers tied to a botnet of 17+ million infected devices used to power a residential proxy network for cybercrime. Over 200 servers seized.
High-profile Instagram accounts (Obama White House, US Space Force) briefly defaced after attackers tricked Meta's AI support chatbot into resetting credentials. Emergency patch deployed.
After researcher 'Chaotic Eclipse' published several zero-day exploits, Microsoft indicated criminal charges, sparking debate about responsible disclosure vs. legal intimidation.
ENISA gains access to Anthropic's defensive cybersecurity initiative that has uncovered 10,000+ high/critical vulnerabilities in widely used software through AI-powered analysis.
Newly discovered Linux kernel vulnerability allows local privilege escalation to root by forging CIFS authentication key descriptions. PoC exploit code publicly released.
Spanish National Police arrested an individual for leaking sensitive information about members of key state organizations including the National Cybersecurity Institute (INCIBE).
Pre-authentication API access bypass allows unauthenticated attackers to execute unauthorized code. Actively exploited to deploy EKZ Infostealer credential-stealing malware disguised as Fortinet endpoint updates. Patched in version 7.4.7.
Authentication bypass in GlobalProtect portal and gateway allows unauthorized VPN connections. Under active exploitation since May 29. CISA KEV remediation deadline: June 1, 2026.
Pre-authenticated RCE via /terminal/ws WebSocket endpoint lacking authentication. Attackers using LLM agents for post-exploitation including cloud credential extraction. Patched in 0.23.0.
Critical RCE allowing any authenticated user to execute code via malicious branch names injecting --exec flag into git rebase. No patch available.
Use-after-free in Dawn (WebGPU) allows sandbox escape via crafted HTML page. Chromium severity: Critical. Update Chrome immediately.
Privilege escalation via administrator account creation through AJAX handler. Actively exploited to create rogue admin accounts on WordPress sites.
Remote code execution via misconfigured 'check password script' feature in Samba file servers and classic domain controllers.
Critical vulnerability affecting Oracle Hospitality OPERA 5 versions 5.6.19.24, 5.6.22, and 5.6.25.19.
Delivered via CVE-2026-35616 exploitation. Disguised as Fortinet endpoint updates, silently executed via PowerShell to steal credentials.
New Russia-linked threat actor using AI-powered attacks, spear-phishing, fake CAPTCHA pages, and custom malware. Active since August 2025.
North Korean state-sponsored Kimsuky deploying HTTPSpy via fake security installers, alongside HelloDoor backdoor and VS Code tunnel abuse for C2.
Fake NuGet package (versions 2.0.0-2.0.4) exfiltrates client IDs, PFX certificates, and Boleto payment data. Downloaded ~500 times.
Threat actors abuse ChatGPT share links to host fake outage pages that deliver malware, exploiting trust in the chatgpt.com domain.
Dutch Politie and NCSC took down a botnet of 17M+ infected devices used as residential proxies. Over 200 servers in the Netherlands seized.
Microsoft condemned 'Chaotic Eclipse' for disclosing Windows Defender and BitLocker zero-days without coordinated disclosure. GitHub account removed.
Carnival Corporation disclosed a breach affecting approximately 6 million individuals with personal and health-related data exposed.
The Los Angeles Metro transit system cyberattack has been attributed to Iranian state-sponsored threat actors.
California's Attorney General filed suit against 23andMe for failing to protect user data including health information in the 2023 breach.
Red Access found 380K+ public web assets built with AI coding platforms; 2,000+ contained sensitive corporate data without access controls.
Chrome rolled out session cookie theft protection to prevent session hijacking attacks across all users.
Officials report Russian intelligence increasingly targeting Western tech companies as sanctions bite, with heightened cyber espionage activity.
Unpatched zero-day RCE: any authenticated user can achieve remote code execution via malicious branch name injection in git rebase.
Actively exploited pre-auth API bypass delivering 'EKZ' credential stealer. Patch available (7.4.7+).
6 zero-day vulnerabilities disclosed without coordination; BlueHammer, RedSun, and UnDefend under active exploitation.
Russia-linked APT using ChatGPT/Gemini across all attack phases.
Android RAT with custom phishing builder ($700/mo).
Banking trojan campaign targeting Iberian and Latin American banks.
New credential stealer delivered via FortiClient EMS exploit.
Major data breach at Carnival Corporation affecting approximately 6 million customers and employees.
Massive investment in open-source supply chain security infrastructure.
New AI-powered platform for enterprise threat detection and response.
FBI alert about phishing campaign targeting football fans ahead of 2026 World Cup.
Joint operation by CrowdStrike, Google, and Shadowserver takes down major botnet command infrastructure.