Threat Alerts
A live, severity-rated stream of the threats actually hitting small and medium businesses worldwide, each with the one or two actions that matter most.
Active alerts
- New Ransomware Framework Evades Nine Major Security ToolsCritical · Ransomware · 2026-07-06Researchers have found a new modular ransomware framework called Avalon that is built specifically to slip past nine security products many small businesses run day to day, including Microsoft Defender, SentinelOne, and CrowdStrike. It arrives through a spoofed legal document and shows signs of AI-assisted development. By the time its CrownX ransomware component shows a ransom note, it has already stolen credentials and disabled recovery options.
- Ohio County Paid $1 Million to a Gang That Never Encrypted AnythingHigh · Ransomware · 2026-07-06A small Ohio county government paid roughly $1 million in bitcoin to a group calling itself Kairos, even though the attackers never locked a single file. A new case study, built from a leaked negotiation chat and the bitcoin trail the payment left, shows how a month-long negotiation moved from a $3 million opening demand down to seven figures. The case is a reminder that "ransomware" increasingly means stolen data held hostage, not scrambled files.
- New Bad Epoll Flaw Turns Any Linux User Into RootHigh · Vulnerability / CVE · 2026-07-06A newly disclosed Linux kernel bug called Bad Epoll lets a normal user account jump straight to root, and it works on desktops, servers, and some Android phones. A public proof-of-concept reaches root about 99% of the time on tested systems, though there's no sign yet that real attackers have picked it up. A patch exists, but epoll can't simply be switched off.
- Unpatched Flaws Found in Filesystem Used in Millions of DevicesWatch · Vulnerability / CVE · 2026-07-06Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library buried inside security cameras, drones, industrial controllers, and hardware crypto wallets. On the worst-affected devices, a booby-trapped USB drive or SD card can hand over full control. The lone maintainer hasn't responded, so most fixes now depend on individual device vendors.
- FBI and Google Seize Botnet Built From 2 Million Home DevicesHigh · Other · 2026-07-03The FBI and Google dismantled NetNut, a residential proxy network built from at least 2 million home devices including smart TVs and streaming boxes. Criminals rented the network to hide password-spray and account-takeover traffic behind ordinary residential IP addresses, the kind many business security tools are built to trust.
- Adobe Patches Seven Maximum-Severity ColdFusion and Campaign FlawsCritical · Vulnerability / CVE · 2026-07-03Adobe shipped patches for seven maximum-severity flaws across ColdFusion and Campaign Classic, including one CVE scored a perfect 10.0 that lets an unauthenticated attacker run code as SYSTEM. No active exploitation has been confirmed yet, but the fixes are worth applying now given how fast these bugs tend to get weaponized.
- China-Linked Group Hits Power and Water Utilities in AsiaHigh · Other · 2026-07-03A China-linked group tracked as CL-STA-1062 has compromised at least 10 electricity, water, and government organizations across Southeast Asia over the past year using a new stealth backdoor called TinyRCT. Palo Alto Networks says the group may be selling its footholds to other attackers rather than acting alone.
- AI Agent Runs an Entire Ransomware Attack AloneCritical · Ransomware · 2026-07-02Researchers at Sysdig say they've documented the first ransomware attack carried out end to end by an AI agent, no human at the keyboard. The agent broke into an exposed Langflow server through a year-old bug, stole cloud credentials, and encrypted a production database before leaving a ransom note. The entry point was a flaw that a patch already fixed months ago.
- Mass FortiGate Credential Theft Now Linked to RansomwareCritical · Ransomware · 2026-07-02A threat intelligence firm has tied the FortiBleed credential-harvesting campaign directly to two active ransomware operations, after finding a shared operator working negotiation panels for both groups. The campaign scanned more than 430,000 FortiGate firewalls worldwide and has already produced at least 12 ransomware deployments. If your business runs a FortiGate device, this is the moment to check whether your credentials were part of the haul.
- CISA Sets July 4 Deadline for SharePoint RCE FlawHigh · Vulnerability / CVE · 2026-07-02CISA has added a Microsoft SharePoint flaw to its list of vulnerabilities under active attack, giving federal agencies until July 4 to patch it. The bug lets any logged-in user with basic site permissions run code on the server, no admin access needed, and Microsoft already shipped the fix back in May. If you run SharePoint Server on-premises, this is a today problem.
- Fake Interpol Emails Push Ransomware at Small BusinessesHigh · Ransomware · 2026-07-02A ransomware campaign disguised as an Interpol fraud investigation is targeting small businesses across Europe, Asia, the Middle East, and the US. The email links to a password-protected archive that hides an executable disguised as video evidence, and once it runs, it encrypts local files. The one piece of good news: researchers found the decryption password baked into the malware itself.
- SimpleHelp Auth Bypass Exploited to Steal Cloud CredentialsCritical · Vulnerability / CVE · 2026-07-01A maximum-severity flaw in the SimpleHelp remote support platform is under active exploitation, letting attackers log in as a technician with no password at all. Once inside, they're deploying two new malware families that raid credentials from cloud accounts, code repositories, and AI coding tools on managed business systems.
- Kemp LoadMaster Flaw Lets Attackers Run Commands Pre-AuthCritical · Vulnerability / CVE · 2026-07-01A critical flaw in Progress Kemp LoadMaster, a load balancer appliance widely used to distribute traffic across business servers, lets an attacker run arbitrary commands with no login at all. Exploitation attempts began on June 29, and a detailed technical writeup now public is expected to accelerate the attacks.
- Password Spray Attack Bypasses MFA on 78 Azure AccountsHigh · Other · 2026-07-01An automated password spray campaign made more than 81 million login attempts against Azure in two weeks and compromised 78 accounts across 64 organizations, several of which had multi-factor authentication switched on. The attackers got in by using a legacy login method that skips MFA prompts entirely.
- Photo ZIP Phishing Campaign Hits Hotels in Europe and AsiaHigh · Phishing & BEC · 2026-07-01Since April, hotels across Europe and Asia have been receiving phishing emails posing as angry guests, complete with a ZIP file that claims to hold photos of the problem. Open it, and a hidden implant sets up shop for the long haul rather than cashing out immediately.
- Critical Oracle E-Business Suite Flaw Is Under Active AttackCritical · Vulnerability / CVE · 2026-06-30Attackers are exploiting a 9.8-rated flaw in Oracle E-Business Suite that hands them control of the Payments module with no login required. Oracle patched it in May, but exposed and unpatched instances are being hit now. Any business running EBS for finance needs to confirm the fix is installed.
- Apple Patches Three Dozen Flaws, Some Found by AI ToolsWatch · Vulnerability / CVE · 2026-06-30Apple's latest round of updates fixes more than 30 security bugs across iPhone, iPad, Mac, and Safari, including four in the WebKit browser engine. Some of the flaws were uncovered with help from AI tools. None are known to be under attack yet, which makes this the easy kind of update to install before it matters.
- Microsoft Pulls 119 Edge Extensions That Hid Malware in ImagesHigh · Other · 2026-06-30Microsoft removed 119 Edge extensions that smuggled malware inside image and font files, then waited days to wake up and steal logins. The add-ons looked like ordinary ad blockers and VPNs and reached up to 2.6 million installs over two years. Check your browser against Microsoft's list before you trust it again.
- Public Exploit Code Lands for Critical libssh2 SSH Client FlawCritical · Vulnerability / CVE · 2026-06-29A proof-of-concept is now public for CVE-2026-55200, a critical flaw in libssh2 that a malicious SSH server can use to corrupt memory on any client that connects to it. The library is bundled inside curl, Git, PHP, backup agents, and countless appliances, often statically linked so a normal update misses it. There is no fixed release yet. CVEs: CVE-2026-55200.
- Hijacked npm and Go Packages Hide a Stealer in Fake FontsHigh · Supply chain · 2026-06-29Researchers found two npm packages and 16 Go modules that quietly install a credential and crypto-wallet stealer the moment a developer opens the project in VS Code. The malware hides inside a fake font file and pulls its next stage from blockchain transactions to survive takedowns. It is the latest twist on North Korea's Contagious Interview campaign against developers.
- KDDI Breach Exposes Up to 14 Million Japanese Email LoginsHigh · Supply chain · 2026-06-29KDDI says attackers reached the email systems behind six Japanese internet providers and may have exposed up to 14.2 million email logins, including former and inactive accounts. The intrusion came through a flaw in third-party software and was caught on 17 June. Anyone using one of these mailboxes for business should reset the password and turn on two-step verification now.
- Hotel Phishing Campaign Hides a Node.js Implant in Photo ZIP FilesHigh · Phishing & BEC · 2026-06-28Microsoft is tracking an active phishing campaign that has hit hotels across Europe and Asia since April, using photo-themed ZIP files to plant a Node.js implant on front-desk computers. The emails pass every standard authentication check because they are routed through real Calendly and Google infrastructure. Any business with a public booking inbox is a plausible target.
- Public Exploit Turns a Linux Kernel Flaw Into Instant RootHigh · Vulnerability / CVE · 2026-06-28A new Linux kernel flaw, CVE-2026-46331 or 'pedit COW', lets any logged-in user become root, and a working exploit went public within a day of the patch. It corrupts a cached copy of a system binary in memory, so file-integrity tools see nothing wrong. Shared servers, CI runners, and Kubernetes nodes are the systems most at risk. CVEs: CVE-2026-46331.
- Supply Chain Worm Spreads From npm Into the Go EcosystemWatch · Supply chain · 2026-06-28The Shai-Hulud supply chain attack, also tracked as Miasma, has hit a fresh batch of npm packages and crossed into the Go ecosystem for the first time. It steals developer credentials and CI/CD secrets, then uses them to poison more packages automatically. Any business that builds software on npm or Go should check its pipelines.
- FBI Warns Russian Spies Are Phishing Signal Backup Recovery KeysHigh · Phishing & BEC · 2026-06-27The FBI says two Russian intelligence groups are tricking Signal users into handing over the recovery key that unlocks their encrypted message backups. Once they have it, they restore your full chat history on their own phone. The targets are officials and journalists for now, but the same trick works on anyone who uses Signal for work.
- Critical PTC Windchill Flaw Exploited to Plant Web ShellsCritical · Vulnerability / CVE · 2026-06-27Attackers are exploiting a CVSS 9.3 flaw in PTC Windchill, the product design software used across aerospace, automotive and medical manufacturing, to run code and drop web shells on exposed servers. CISA added it to its must-patch list with a 28 June federal deadline. It is the first PTC bug ever to make that catalogue.
- Hackers Drain 3 Million From Polymarket via a Third-Party ScriptHigh · Supply chain · 2026-06-27Polymarket lost close to 3 million dollars in crypto after attackers broke into one of its outside vendors and slipped malicious code into the website's front end. The company's own servers were never touched. It is a reminder that every third-party script on your site runs with your customers' trust.
- Amazon Q Flaw Let Malicious Repos Steal Cloud Credentials SilentlyHigh · Vulnerability / CVE · 2026-06-27A flaw in Amazon Q Developer, Amazon's AI coding assistant, let a booby-trapped code repository run commands the moment a developer opened it, with no prompt and no click. The payload could lift live AWS keys and cloud tokens straight off the machine. Amazon has patched it, but the lesson about auto-running AI config files is bigger than one tool.
- Three Chainable Ubiquiti UniFi Flaws Give Attackers Full Network ControlCritical · Vulnerability / CVE · 2026-06-26Three maximum-severity flaws in Ubiquiti's UniFi OS, all now on the CISA Known Exploited Vulnerabilities list, can be chained by unauthenticated attackers to gain full remote code execution. Patches were available in May; CISA is now ordering federal agencies to apply them within three days, confirming active exploitation is underway.
- Bluekit Streams Real Login Pages to Steal Sessions and Bypass MFA at ScaleHigh · Phishing & BEC · 2026-06-26A phishing-as-a-service platform called Bluekit has upgraded to browser-in-the-middle capabilities that stream the real login page to victims while authentication completes inside the attacker's browser. Standard MFA is bypassed, and the attacker walks away with a live session token.
- Poland Arrests Four in SIM-Swap Gang That Stole Millions in CryptoWatch · Other · 2026-06-26Polish police and the FBI arrested four people on 25 June after a joint investigation into a SIM-swapping network that drained cryptocurrency exchange accounts by compromising telecom partner systems. Prosecutors put the laundered total at over five million US dollars.
- Police Dismantle Amadey and StealC Malware in Operation EndgameHigh · Other · 2026-06-25An international police operation knocked out the servers behind Amadey and StealC, two malware families that infect computers and steal passwords for a living. Investigators recovered 27 million stolen credentials and froze more than 41 million euros in criminal cryptocurrency. If your saved browser passwords were taken, changing them now is the practical response.
- CISA Warns of Active Attacks on Lantronix Industrial DevicesCritical · Vulnerability / CVE · 2026-06-25CISA has confirmed attackers are actively exploiting CVE-2025-67038, a critical flaw in Lantronix EDS5000 serial-to-IP converters that hands over root access. Federal agencies were ordered to patch by 26 June. The devices connect older industrial and building equipment to networks, so a compromise can open a path deeper inside. CVEs: CVE-2025-67038.
- Cisco SD-WAN Bug Was Exploited as a Zero-Day for MonthsHigh · Vulnerability / CVE · 2026-06-25Mandiant says an unknown attacker exploited a Cisco Catalyst SD-WAN flaw, CVE-2026-20245, for at least two months before it was public, using it to take full root control of a network device. The attacker created a hidden admin account and then erased their own tracks. Any business running Cisco SD-WAN edge gear should run the checks below and confirm the patch is applied. CVEs: CVE-2026-20245.
- Popular Chrome Ad Blocker Hides a Dormant Code Injection PathWatch · Other · 2026-06-25A Chrome extension called Adblock for YouTube, installed more than 10 million times, contains a hidden way to run any code the developer chooses on every site you visit. Researchers at Island found it is switched off for now, but it could be turned on from the developer's server with no update and no review. The safe move is to remove it.
- Cisco Unified CM Flaw Under Active Attack After PoC PublicationCritical · Vulnerability / CVE · 2026-06-24CVE-2026-20230 is a CVSS 8.6 server-side request forgery flaw in Cisco Unified Communications Manager that lets unauthenticated attackers write arbitrary files and escalate to root. Patches arrived on 3 June 2026 but exploitation began days after a public proof-of-concept, and businesses running on-premises UCM telephony systems need to act immediately. CVEs: CVE-2026-20230.
- macOS Fake CAPTCHA Scam Delivers Atomic Stealer via Mounted Disk ImagesHigh · Other · 2026-06-24Attackers are delivering the Atomic macOS Stealer through a fake CAPTCHA page that tells visitors to paste a Terminal command. The command silently downloads and mounts a disk image without it appearing in Finder, then launches a malicious app that drains credentials from eight browser families, cryptocurrency wallets, and the Apple Keychain. For Ledger Live and Trezor Suite users, the malware also replaces the legitimate app with a trojanised copy designed to steal seed phrases on the next launch.
- World Leaks Hits Tata Electronics, Releasing Apple Manufacturing SchematicsHigh · Ransomware · 2026-06-24Tata Electronics, a key iPhone component supplier in India, confirmed a breach by World Leaks, a data-extortion group that publishes stolen files without encrypting systems. Leaked documents include internal component schematics, PCB designs, and SDK files for Apple products. No customer or employee personal data appeared in the published materials.
- Compromised WhatsApp Accounts Deliver RMM Software to 11 CountriesHigh · Other · 2026-06-23Kaspersky researchers documented an active campaign in which attackers use compromised WhatsApp accounts to send VBScript files disguised as business documents. Opening one on Windows leads to silent installation of ManageEngine Endpoint Central, giving attackers persistent remote control of the machine. The campaign has reached the UK, Australia, and nine other countries.
- Phishing Attack on Healthcare Tech Vendor Exposes 1.4 Million People's Medical RecordsHigh · Phishing & BEC · 2026-06-23A phishing attack on Xsolis, a Tennessee-based healthcare technology company, led to the exposure of protected health information belonging to more than 1.3 million individuals. The breach occurred in January 2026 and was not publicly disclosed until June, appearing on the HHS breach tracker on 23 June. Stolen data includes Social Security numbers, medical treatment records, and health insurance details.
- Squidbleed (CVE-2026-47729): A 29-Year Memory Leak in Squid Proxy Exposes CredentialsWatch · Vulnerability / CVE · 2026-06-23CVE-2026-47729, nicknamed Squidbleed, is a memory leak in Squid Proxy's FTP parser that has sat undetected since 1997. In shared proxy environments, it can expose authentication credentials, session tokens, and API keys from one user's HTTP session to another. A patch is available in Squid 7.6, released June 2026. CVEs: CVE-2026-47729.
- AryStinger Malware Turns 4,300 Neglected Routers Into a Spy NetworkHigh · Other · 2026-06-22Security researchers at QiAnXin XLab have uncovered a malware family called AryStinger that has quietly enrolled more than 4,300 home and small-office routers into a botnet used for reconnaissance and proxy operations. The infected devices serve as cover for attack traffic targeting cloud services and business accounts. Any organisation running a router that has not received a firmware update in the last two years should consider itself at risk.
- Canada's Spy Agency Disinfected Botnet Victims Using a Legal FirstWatch · Other · 2026-06-22The Canadian Security Intelligence Service used a threat reduction warrant to push disinfection commands to routers and servers inside Canada enrolled in two foreign-linked botnets. A Federal Court ruling made public on 15 June authorized the operation, the first time CSIS has used this legal power on privately-owned networked devices. For businesses in Canada and those watching how governments respond to botnet infrastructure globally, this sets a precedent worth understanding.
- INTERPOL's Asia-Pacific Report: AI Scams and Ransomware Both AcceleratingWatch · Ransomware · 2026-06-22INTERPOL's 2025-2026 Asia-Pacific Cyberthreat Assessment covers 23 member countries and identifies phishing as the most widespread threat in the region, with AI-powered fraud and ransomware both growing faster than defensive adoption. Business email compromise and deepfake-enabled executive impersonation are producing the largest financial losses, hitting smaller businesses hardest. Organisations with any supply-chain or operational exposure to Asia-Pacific should treat this as a forward-looking threat indicator.
- Microsoft Discloses AutoJack Attack That Turns AI Agents Into Code Execution ToolsHigh · Vulnerability / CVE · 2026-06-21Microsoft security researchers have identified a technique called AutoJack that uses a malicious web page to hijack AI browsing agents and execute code on the host machine, with no user credentials or additional interaction required. As businesses deploy AI agents to handle tasks autonomously, AutoJack represents a new attack surface that sits outside the scope of traditional patching. No active exploitation has been confirmed, but the attack does not rely on any single software vulnerability and could emerge in any AI agent capable of browsing the web.
- Texas Breach Exposes 3 Million Hunting Licence Holders' ID DocumentsHigh · Supply chain · 2026-06-21An attack on a third-party vendor that handles Texas hunting and fishing licences has exposed driver's licence numbers, passport numbers, home addresses, and contact details for 3,087,721 Texans. The unnamed vendor has not disclosed how the attacker got in, but Texas Cyber Command is investigating. Businesses should treat this as a reminder that vendor systems can become breach pathways even when your own security is solid.
- Prinz Eugen Ransomware Targets Files in Active Use, Skips Ransom NotesWatch · Ransomware · 2026-06-21Security analysts at Threatdown have identified a new ransomware group called Prinz Eugen that breaks in via stolen Remote Desktop credentials and deliberately encrypts the files employees were most recently working on. Unlike most ransomware, the group leaves no note on infected systems, delivering demands by email and phone to complicate incident response. Standard Bank in South Africa has confirmed it is among the group's first victims.
- Stolen OAuth Tokens Let Hackers Loot Salesforce Data Through Klue AppHigh · Ransomware · 2026-06-20Salesforce has cut off the Klue Battlecards app after an extortion group called Icarus used stolen OAuth tokens to pull customer records from connected Salesforce accounts. Security firm Huntress and others have confirmed data theft. The case shows how one compromised vendor integration can expose hundreds of companies that never dealt with the attacker directly.
- Police Disrupt SocGholish Malware and Clean 15,000 Hacked SitesHigh · Ransomware · 2026-06-20Law enforcement from four countries seized 106 servers behind SocGholish, a malware operation that turns hacked WordPress sites into fake software-update traps, and cleaned 14,971 infected websites. The malware has fed ransomware crews including Evil Corp and LockBit since 2017. Owners of affected sites have been told to change credentials and update their CMS.
- WordPress Email Plugin Flaw Leaks API Keys From 100,000 SitesWatch · Vulnerability / CVE · 2026-06-20Attackers are actively exploiting a flaw in Gravity SMTP, a WordPress plugin on roughly 100,000 sites, that hands unauthenticated visitors the site's API keys, secrets, and email credentials. Wordfence has blocked more than 17 million exploit attempts. Sites running an old version should assume their connected email accounts are compromised.
- Hackers Hit Mexican Agencies Using Old Fortinet and Ivanti BugsHigh · Vulnerability / CVE · 2026-06-20Researchers at CloudSEK uncovered Operation Escaneo, an intrusion campaign that breached Mexican government bodies, banks, and utilities by exploiting known Fortinet and Ivanti VPN flaws. The attackers stole over 1.3 million personal records and mapped internal networks. Every flaw they used already had a patch, which is the uncomfortable part for smaller firms running the same gear.
- F5 Patches Two Critical NGINX Flaws That Allow Remote Code ExecutionCritical · Vulnerability / CVE · 2026-06-19F5 has fixed two critical vulnerabilities in NGINX, the web server and reverse proxy that sits in front of a large share of the world's websites. Either flaw can be used to run code on an affected server. There is no confirmed exploitation yet, but NGINX bugs have been attacked within days of disclosure before, and many small businesses run the software without realising it.
- INC Ransomware Tops 830 Victims as Affiliates Flock to the BrandHigh · Ransomware · 2026-06-19INC, a ransomware-as-a-service operation, has claimed more than 830 victims since August 2023 and now ranks among the busiest ransomware brands of 2026. US organisations make up over 65% of its targets, with legal, manufacturing, construction, technology, and healthcare firms hit hardest. INC grew by sticking to well-known techniques rather than exotic tooling.
- DragonForce Hides Ransomware C2 Traffic Inside Microsoft Teams RelaysHigh · Ransomware · 2026-06-19DragonForce ransomware affiliates used a custom backdoor that tunnels its command-and-control traffic through Microsoft Teams relay servers, leaving defenders blind for one to two months. Symantec and Carbon Black documented the attack against a US services firm. Because the traffic looks like ordinary Teams activity, standard firewall monitoring did not catch it.
- FortiBleed Campaign Harvests Admin Logins From 30,000 Fortinet FirewallsCritical · Other · 2026-06-18Researchers found an attacker database holding working administrator logins for more than 30,000 internet-facing Fortinet firewalls, pulled by cracking credentials inside exposed configuration files. The victims span banks, hospitals, universities, and large companies across 194 countries. Any business running a FortiGate with old firmware or a reused admin password could be on the list.
- Windows Defender Zero-Day Gives Attackers SYSTEM Access, Patch PendingHigh · Vulnerability / CVE · 2026-06-18Microsoft has confirmed a zero-day in Windows Defender, tracked as CVE-2026-50656 and nicknamed RoguePlanet, that lets a logged-in attacker jump to full SYSTEM control. A public proof-of-concept already works on fully patched Windows 10 and 11, whether or not real-time protection is switched on. Microsoft is still writing the fix and has not given a release date. CVEs: CVE-2026-50656.
- Chinese Spies Used Google Workspace Mail Rules To Steal EmailHigh · Other · 2026-06-18A China-linked group hid in North American medical and defense research networks for more than a year, then stole email using a built-in Google Workspace feature rather than malware. They turned the admin mail-compliance rules against the victims, silently copying any message matching their keywords to a Gmail account they controlled. The same technique works in Microsoft 365, and it leaves almost no trace.
- CISA Flags Maximum-Severity Joomla Editor Flaw as Actively ExploitedCritical · Vulnerability / CVE · 2026-06-17CISA added a CVSS 10.0 flaw in the Joomla Content Editor to its Known Exploited Vulnerabilities catalog after seeing attacks in the wild. The bug lets unauthenticated attackers upload and run PHP code on any site using a vulnerable version of the popular editor extension. US federal agencies have until June 19 to patch, and any small business running Joomla should update now.
- 144 Mastra npm Packages Hijacked to Spread a Crypto-Stealing TrojanHigh · Supply chain · 2026-06-17Attackers hijacked a former contributor's npm account and published 144 malicious packages under the Mastra AI framework's namespace, including @mastra/core, which sees over 900,000 weekly downloads. The packages pulled in a tampered dependency that ran a hidden crypto-stealing trojan during installation. Any developer or build server that installed an affected version since June 17 should treat the machine as compromised.
- One-Click Microsoft 365 Copilot Flaw Could Have Leaked Emails and FilesWatch · Vulnerability / CVE · 2026-06-17Researchers chained three bugs in Microsoft 365 Copilot Enterprise Search into a one-click attack that could pull a victim's emails, calendar, and indexed files using only a trusted microsoft.com link. Microsoft assigned CVE-2026-42824, rated it critical, and has already fixed it on its own servers, so there is nothing for customers to patch. No real-world attacks were seen, but the technique shows how AI assistants reopen old web flaws. CVEs: CVE-2026-42824.
- Attackers Exploit Three FortiSandbox Flaws Rated CVSS 9.1High · Vulnerability / CVE · 2026-06-17Threat intelligence firm Defused Cyber says attackers spent the past day probing three FortiSandbox vulnerabilities, each rated CVSS 9.1, that let unauthenticated attackers bypass authentication or run commands on the appliance. Two were patched in April and one only last week. Any business running FortiSandbox should confirm it is on the latest firmware now.
- Web Hosting Plugin Flaw Lets Attackers Seize Root on Shared ServersHigh · Vulnerability / CVE · 2026-06-16CISA has flagged CVE-2026-54420, a flaw in the LiteSpeed cPanel plugin that lets an attacker with basic FTP or web shell access escalate to root on shared hosting servers. Because one server holds many small business websites, a single compromise can expose every site on the box. Hosting customers should confirm their provider has patched. CVEs: CVE-2026-54420.
- ClickFix Scams Now Deliver Three New Loaders Tied to Ransomware CrewsHigh · Ransomware · 2026-06-16Researchers at Morphisec, BlueVoyant, and Huntress have documented three malware loaders, BabaDeda, Lorem Ipsum, and Potemkin, all delivered through ClickFix scams that trick people into pasting commands into their own computers. The campaigns hit education, legal, financial, and construction firms and end in stealers, RATs, and Rhysida ransomware. Train staff to never paste a command they did not write.
- Cisco Patches Exploited SD-WAN Manager Flaw That Grants Root AccessWatch · Vulnerability / CVE · 2026-06-16Cisco has patched CVE-2026-20262, a flaw in Catalyst SD-WAN Manager already under active attack, after intruders used it to overwrite files and gain root on the system that runs corporate networks. CISA added it to its Known Exploited Vulnerabilities catalog with a June 29 deadline for federal agencies. Any business whose network is managed through Cisco SD-WAN should patch now. CVEs: CVE-2026-20262.
- Rokarolla Android Trojan Steals Banking PINs and Crypto From PhonesHigh · Other · 2026-06-16A new Android banking trojan called Rokarolla targets 217 banking and cryptocurrency apps and can take near-total control of an infected phone, stealing lock-screen PINs, SMS codes, and crypto payments. It spreads through fake TikTok and Chrome sites and disguises itself as Google Play Protect. Owners who bank from a phone should install apps only from Google Play and guard the Accessibility permission.
- WordPress Plugin Files Hijacked to Backdoor Business SitesHigh · Other · 2026-06-15Attackers tampered with JavaScript served to sites running OptinMonster, TrustPulse, and PushEngage, three plugins from Awesome Motive that reach over 1.2 million sites. The poisoned code quietly created admin accounts and installed a hidden backdoor when a logged-in administrator visited. Affected sites need a server-side scan, not just a plugin update.
- Palo Alto GlobalProtect VPN Flaw Exploited in the WildHigh · Vulnerability / CVE · 2026-06-15Palo Alto Networks confirmed attackers are exploiting CVE-2026-0257, an authentication bypass in the GlobalProtect VPN portal, to set up unauthorised VPN sessions. CISA has ordered federal agencies to fix it, and any business running PAN-OS firewalls should patch now. CVEs: CVE-2026-0257.
- Critical Splunk Flaw Allows Unauthenticated Remote Code ExecutionCritical · Vulnerability / CVE · 2026-06-15A critical bug in Splunk Enterprise, CVE-2026-20253, lets an unauthenticated attacker write files and run code on the server through an exposed PostgreSQL service. Splunk Cloud is safe, but on-premise installs below versions 10.2.4 and 10.0.7 need patching fast now that exploit details are public. CVEs: CVE-2026-20253.
- INTERPOL Dismantles Free Phishing Service After Decade OnlineWatch · Phishing & BEC · 2026-06-15Police across 13 Middle East and North Africa countries arrested 201 people and shut down Sniper Dz, a phishing-as-a-service platform that ran free for a decade and collected over 45,000 victim records. New research shows the same operation also milked victims through fake Facebook offers and browser notification scams.
- Iran-Linked Handala Steals 5GB from California Water Utility, Exposes Customer DataCritical · Other · 2026-06-13The Iran-linked Handala group published 5GB of data stolen from California Water Service, covering roughly 2 million customers. The dump includes consumer PII, payment histories, and administrative credentials to the utility's GPS reference station network, raising concerns beyond consumer privacy.
- CISA Issues 3-Day Federal Patch Deadline for CVSS 10.0 Ivanti Sentry FlawCritical · Vulnerability / CVE · 2026-06-13CISA added CVE-2026-10520, a CVSS 10.0 OS command injection flaw in Ivanti Sentry, to its Known Exploited Vulnerabilities catalog and required federal agencies to patch within three days. Shadowserver warns that organisations that have not yet applied the patch are most likely already compromised. CVEs: CVE-2026-10520.
- Over 400 Arch Linux AUR Packages Hijacked to Drop Rootkit and Credential StealerHigh · Other · 2026-06-13Attackers compromised more than 400 Arch User Repository packages this week by backdooring build scripts, deploying an infostealer and an eBPF rootkit that hides in the Linux kernel. Developer credentials are the primary target: GitHub tokens, SSH keys, HashiCorp Vault secrets, and messaging-app session data.
- Chrome 149 Fixes 5 Critical Flaws as Google's 2026 Patch Volume Hits 700High · Vulnerability / CVE · 2026-06-13Google released Chrome 149 with fixes for 28 vulnerabilities, five rated critical, including use-after-free bugs in Core and WebMIDI and a GPU heap buffer overflow. No confirmed exploitation has been reported, but use-after-free flaws in browsers have a history of being weaponised quickly after details become public.
- ShinyHunters Exploits Oracle PeopleSoft Zero-Day to Breach UniversitiesCritical · Ransomware · 2026-06-12The ShinyHunters extortion crew exploited a critical Oracle PeopleSoft zero-day (CVE-2026-35273) to steal data from more than 100 organizations, most of them US universities. The bug scores 9.8, needs no login, and was unpatched while attacks ran. Any business running PeopleSoft with internet-facing management endpoints is exposed. CVEs: CVE-2026-35273.
- GitHub Will Disable npm Install Scripts by Default to Stop Supply Chain AttacksWatch · Supply chain · 2026-06-12GitHub is turning off npm install scripts by default in npm version 12, due next month. The change blocks a common path attackers use to run malicious code during npm install. Any business whose developers or build servers pull npm packages should prepare now to avoid broken builds.
- Researchers Trick OpenClaw AI Agent Into Running Code and Leaking DataHigh · Vulnerability / CVE · 2026-06-12Two research teams showed the self-hosted OpenClaw AI agent can be driven to run attacker code or hand over sensitive data through ordinary inputs like a shared contact or a single email. One flaw is patched. The other is a design problem no patch fixes. Businesses adopting AI agents should limit what those agents can do on their own.
- Europol Disrupts AudiA6 Crypto Laundering Service Used by Ransomware GangsWatch · Ransomware · 2026-06-12Europol and the US Justice Department dismantled AudiA6, a cryptocurrency laundering service that washed more than 336 million euros in criminal profits since 2021. Two men were arrested and charged. The takedown cuts a cash-out pipeline ransomware crews relied on, but the gangs that hit small businesses are still operating.
- China-Linked JDY Botnet Grows to 1,500 Routers and IoT DevicesHigh · Other · 2026-06-12A China-linked botnet called JDY has grown to more than 1,500 hijacked small-office routers, firewalls, and IoT devices, scanning the internet to map vulnerable systems for state-backed hackers. Most infected devices sit in the US and Brazil. Aging routers in small businesses are the raw material.
- Exchange Server XSS Flaw CVE-2026-42897 Exploited for Weeks Before PatchHigh · Vulnerability / CVE · 2026-06-11Microsoft's June 2026 patches fix CVE-2026-42897, an XSS flaw in Exchange Server's Outlook Web Access that attackers have exploited since mid-May. On-premises Exchange running Server SE, 2016, or 2019 needs the update now. CVEs: CVE-2026-42897.
- The Gentlemen: Second Busiest Ransomware Gang Uses 90/10 Splits to RecruitHigh · Ransomware · 2026-06-11Security researchers have identified the operator behind The Gentlemen ransomware as a 36-year-old from Izhevsk, Russia, running the second most active ransomware-as-a-service platform of 2026. The group targets internet-facing VPNs and firewalls and has logged 332 victims since mid-2025.
- Windows BitLocker Bypass and Two SYSTEM Escalations Patched This WeekCritical · Vulnerability / CVE · 2026-06-11Microsoft's June 2026 patch cycle included three named zero-day vulnerabilities: YellowKey bypasses BitLocker in Windows Recovery Mode, while GreenPlasma and MiniPlasma both grant SYSTEM-level access on fully patched Windows 11 and Windows Server systems. None were exploited in the wild before patching.
- Critical Unauthenticated RCE Flaws Patched in Ivanti Sentry and FortiSandboxCritical · Vulnerability / CVE · 2026-06-10Ivanti and Fortinet patched critical unauthenticated remote code execution flaws in security appliances on June 10. Ivanti's CVE-2026-10520 scores the maximum CVSS 10 and allows root code execution on Sentry gateways without credentials. Fortinet's CVE-2026-25089 (CVSS 9.8) does the same to FortiSandbox. Neither is actively exploited yet, but Ivanti appliances have historically been targeted within days of similar advisories. CVEs: CVE-2026-10520, CVE-2026-25089.
- OpenSSL Patches High-Severity Heap Flaw Affecting TLS Servers and EmailHigh · Vulnerability / CVE · 2026-06-10OpenSSL patched 18 vulnerabilities this week, including CVE-2026-45447, a high-severity heap use-after-free flaw in PKCS#7 signature verification that can corrupt server memory and in some conditions enable remote code execution. OpenSSL is the TLS library behind most web servers, VPN endpoints, and email systems. Linux package managers will ship the fix, but self-managed servers and appliances with bundled OpenSSL need manual attention. CVEs: CVE-2026-45447.
- Supply Chain Worm Compromises 73 Microsoft GitHub Repos and PyPI PackagesWatch · Supply chain · 2026-06-10A supply chain campaign called Miasma compromised 73 Microsoft repositories across GitHub and poisoned three versions of the durabletask Python package on PyPI, targeting developers who use AI coding tools. The attack harvested OIDC tokens from CI/CD pipelines and installed credential stealers on developer machines. All Microsoft repos have been restored; developers who pulled the malicious durabletask versions need to rotate credentials immediately.
- Google Patches Actively Exploited Chrome V8 Zero-DayHigh · Vulnerability / CVE · 2026-06-10Google released emergency patches for CVE-2026-11645, an out-of-bounds flaw in Chrome's V8 JavaScript engine confirmed as exploited in the wild. An attacker can run arbitrary code on a victim's machine by getting them to visit a crafted web page. This is the fifth Chrome zero-day patched in 2026. CVEs: CVE-2026-11645.
- SAP Patches Critical NetWeaver Flaws Including CVSS 9.9 Authentication BypassCritical · Vulnerability / CVE · 2026-06-10SAP's June 2026 security update patches 15 vulnerabilities including four rated critical. CVE-2026-44748 (CVSS 9.9) lets an authenticated attacker bypass SAML authentication in SAP NetWeaver. CVE-2026-27671 (CVSS 9.8) allows unauthenticated remote code execution via crafted RFC requests to the ABAP Application Server. CVEs: CVE-2026-44748, CVE-2026-27671.
- ServiceNow Discloses Breach via Unauthenticated API EndpointWatch · Other · 2026-06-10ServiceNow disclosed a security incident in which attackers used an unauthenticated REST API endpoint to query customer instance data. The affected endpoint required no login. IT support tickets were among the data accessible, and those frequently contain credentials, API keys, and internal system details.
- Microsoft Patches 200 Windows Vulnerabilities in June 2026 Patch TuesdayCritical · Vulnerability / CVE · 2026-06-09Microsoft's June 2026 Patch Tuesday resolves 200 vulnerabilities, 33 of them Critical. Three publicly disclosed zero-days are included targeting Windows CTFMON, HTTP.sys, and BitLocker. For businesses running Windows, the most dangerous patches this cycle cover Remote Desktop Client, Microsoft Office, and Kerberos authentication.
- Critical Veeam Backup Flaw Gives Domain Users Remote Code ExecutionCritical · Ransomware · 2026-06-09Veeam patched CVE-2026-44963 in Backup and Replication today, a 9.4 CVSS flaw that lets any domain user execute code on backup servers running version 12. No active exploitation yet, but ransomware groups target Veeam backup infrastructure to disable recovery before deploying ransomware. The fixed version is 12.3.2.4854. CVEs: CVE-2026-44963.
- French Government Messaging Platform Tchap Breached via Social EngineeringWatch · Other · 2026-06-09France's government-mandated messaging platform Tchap was breached through a socially engineered employee account, exposing 650,000 messages and data on 73,000 civil servant accounts. The attacker also claims all files shared on the platform were downloadable without valid authentication tokens. DINUM confirmed the breach; France's CNIL data protection authority was notified.
- Check Point VPN Zero-Day Exploited by Qilin Ransomware in Active Global CampaignCritical · Ransomware · 2026-06-08A critical authentication bypass in Check Point's Remote Access VPN is under active exploitation, with a confirmed Qilin ransomware affiliate using it to enter networks without credentials. The flaw, CVE-2026-50751, affects Spark firewalls marketed to SMBs and managed service providers. Patches were released June 8. CVEs: CVE-2026-50751.
- Critical WordPress Plugin Flaw Used to Backdoor Over 100,000 Business SitesCritical · Vulnerability / CVE · 2026-06-08A 9.8 CVSS vulnerability in the Everest Forms Pro WordPress plugin has been exploited since April 13, allowing unauthenticated attackers to inject PHP code, create admin accounts, and install backdoors. Over 100,000 business sites use the plugin. A patch has been available since March.
- Silent Ransom Group Targets US Law Firms with Phone Extortion and DNS Fast FluxHigh · Ransomware · 2026-06-08The Silent Ransom Group is running a phone-based extortion campaign against US law firms, accounting for nearly 25% of all law firm ransomware incidents in Q1 2026. The group steals data without encrypting files, then demands payment under threat of publication. DNS fast flux across 22 ISPs in 18 countries makes their infrastructure difficult to block.
- New Ransomware Group 'Viperwave' Hits Professional Services Firms Across 14 CountriesCritical · Ransomware · 2026-06-06A newly identified ransomware group, Viperwave, has claimed responsibility for attacks on professional services firms across 14 countries. The group skips encryption entirely in favour of data exfiltration and targets businesses with 10–200 employees.