// June 2026

79 articles published this month

💻 AppSec

Over 400 Arch Linux AUR Packages Poisoned with eBPF Rootkit in Coordinated Maintainer Compromise

More than 400 packages in the Arch Linux User Repository were compromised by an attacker who spoofed trusted maintainer identities to push malicious preinstall scripts. The scripts deploy an ELF infostealer harvesting developer credentials and an optional eBPF rootkit that persists across package removal attempts.

#supply-chain +5
🌐 Network

Cisco Catalyst SD-WAN Manager CVE-2026-20262 Actively Exploited — Arbitrary File Overwrite Escalates to Root

A file upload vulnerability in Cisco Catalyst SD-WAN Manager is under active exploitation, allowing an attacker with network-operator level access to overwrite arbitrary files on the underlying operating system and escalate privileges to root. CISA added CVE-2026-20262 to the Known Exploited Vulnerabilities catalogue on 16 June, setting a federal remediation deadline.

#cisco +5
⚖️ Risk Mgmt

DOJ Seizes CFAKE.com and SOCFAKE.com in First Criminal Enforcement Under the TAKE IT DOWN Act

US authorities seized two of the largest non-consensual deepfake pornography platforms in a joint operation with French and Italian law enforcement, marking the first major criminal enforcement action under the TAKE IT DOWN Act signed into law in May 2025. A French national was arrested in Nice on 10 June; cryptocurrency proceeds have been seized pending forfeiture.

#deepfake +5
🗄️ Assets

iRhythm Cardiac Monitoring Breach Exposes Patient PHI for 12 Million Zio Patch Wearers

iRhythm Holdings disclosed a data breach after social engineering granted attackers access to third-party systems hosting protected health information for approximately 12 million patients. A ransom demand was received on 9 June, and HIPAA breach notification timelines are now active for any covered entity whose patient data iRhythm processes.

#healthcare +5
🔑 IAM

Microsoft 365 Copilot 'SearchLeak' CVE-2026-42824 — One-Click Exfiltration of Emails, Files, and MFA Codes

Varonis Threat Labs chained three vulnerabilities in Microsoft 365 Copilot into a single attack that exfiltrates emails, corporate files, and MFA authentication codes from a victim's account with a single click on a malicious link. Microsoft patched all three flaws server-side; no client update is required, but the disclosure illuminates the structural risks of embedding AI systems with broad data access into enterprise environments.

#microsoft-365 +5
🛡️ SecOps

Velvet Ant's Operation Highland: China-Nexus APT Spent a Decade Inside an Air-Gapped Network via Auth Stack Hijack

Sygnia researchers disclosed Operation Highland, a China-nexus espionage campaign in which the Velvet Ant threat group maintained persistent, undetected access to an air-gapped enterprise network from 2016 to 2026 by hijacking authentication infrastructure and bridging the isolation via a modified Nginx binary and GS-Netcat reverse shell. The case fundamentally challenges the security model of air-gapping as an isolation control.

#apt +6
⚖️ Risk Mgmt

Europol Dismantles AudiA6 Cryptocurrency Laundering Service That Processed €336M+ for Ransomware Gangs

Europol, in coordination with German BKA, Dutch FIOD, and Lithuanian law enforcement, has dismantled AudiA6 — a professional cryptocurrency money laundering service that processed more than €336 million in criminal proceeds for ransomware groups including Conti, REvil, and BlackCat/ALPHV. Seven individuals have been arrested across three countries and the service's infrastructure seized.

#europol +7
🛡️ SecOps

The Gentlemen Ransomware Hits Mackay Sugar — Mill Operations Shut Down as OT Systems Disrupted

The Gentlemen ransomware group has claimed an attack on Mackay Sugar, Australia's second-largest sugar producer, causing the shutdown of mill crushing operations during the critical harvest season. The attack disrupted operational technology systems controlling sugar processing at two mills in Queensland, representing a significant escalation of The Gentlemen group's targeting of OT-dependent industrial operations.

#ransomware +7
🗄️ Assets

Novo Nordisk Discloses Breach of Clinical Trial Participant Data — Ozempic and GLP-1 Research Records Exposed

Danish pharmaceutical giant Novo Nordisk has disclosed a cybersecurity incident in which attackers gained unauthorised access to IT systems holding personal data of clinical trial participants, including individuals enrolled in GLP-1 receptor agonist trials for Ozempic and Wegovy. The breach raises significant regulatory concerns under EU clinical trial data protection requirements and the ICH GCP framework governing trial participant data handling.

#pharmaceutical +7
🔬 Assessment

Oracle PeopleSoft CVE-2026-35273 (CVSS 9.8): ShinyHunters Exploit Zero-Day to Breach University Student Records at Scale

A critical zero-day vulnerability in Oracle PeopleSoft Campus Solutions — CVE-2026-35273, CVSS 9.8 — has been exploited by the ShinyHunters threat group to breach student record systems at multiple universities across the US, UK, and Australia. The flaw allows unauthenticated attackers to bypass authentication in the PeopleSoft web application layer, granting direct access to student enrolment, financial aid, and academic records.

#oracle +8
🌐 Network

PAN-OS GlobalProtect CVE-2026-0257 (CVSS 9.3): Authentication Bypass Exploited Against Government and Critical Infrastructure

Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, a critical authentication bypass in the GlobalProtect gateway that allows an unauthenticated attacker to establish VPN sessions as arbitrary users. CISA has added the flaw to the Known Exploited Vulnerabilities catalogue, and Palo Alto's Unit 42 has observed exploitation targeting government and critical infrastructure networks since at least 12 June.

#palo-alto +7
🔑 IAM

SimpleHelp Remote Support: New OIDC Flaw Lets Unauthenticated Attackers Create Rogue Privileged Technician Accounts

A new authentication vulnerability in SimpleHelp Remote Support — distinct from the path traversal and privilege escalation flaws patched earlier in 2026 — allows an unauthenticated attacker to exploit a flaw in the OIDC single sign-on implementation to create privileged technician accounts with full remote session capabilities. SimpleHelp has released emergency patches; exploitation has been observed in the wild.

#simplehelp +6
🗄️ Assets

Dell DSA-2026-239: CVE-2026-23856 Privilege Escalation in iDRAC9 Exposes PowerEdge Server Management Plane

Dell has patched a high-severity privilege escalation vulnerability in the iDRAC9 remote management controller affecting PowerEdge servers across multiple generations. CVE-2026-23856, rated CVSS 8.8, allows a low-privileged authenticated attacker to escalate to Administrator rights on the iDRAC management plane — granting control over server power, firmware, BIOS settings, and virtual console access outside the scope of the host operating system.

#dell +7
🏛️ Architecture

Fortinet FortiSandbox CVE-2026-25089 (CVSS 9.8): Unauthenticated Command Injection in Web Management UI

Fortinet has patched a critical command injection vulnerability in FortiSandbox that allows an unauthenticated remote attacker to execute arbitrary system commands through the web management interface. CVE-2026-25089, rated CVSS 9.8, requires no credentials to exploit and affects FortiSandbox versions through 5.4.5 — a particularly sensitive target given the appliance's privileged role in malware analysis.

#fortinet +5
🌐 Network

Ivanti Sentry CVE-2026-10523 (CVSS 9.9): Second Critical Flaw Chains with CVE-2026-10520 for Complete Device Takeover

Ivanti has disclosed a second critical vulnerability in Sentry — CVE-2026-10523, an authentication bypass scoring CVSS 9.9 — that chains with the previously patched CVE-2026-10520 (CVSS 10.0) to enable complete unauthenticated takeover of the MDM gateway. Organisations that deployed the initial patch must apply additional updates; the two CVEs affect overlapping but distinct code paths.

#ivanti +7
💻 AppSec

Miasma / Shai Hulud Supply Chain Campaign: 100+ npm and PyPI Packages Compromised Including Red Hat Namespace

Security researchers have attributed a coordinated software supply chain attack to a threat cluster tracked as Miasma (also Shai Hulud), which compromised over 100 packages across npm and PyPI by stealing publisher credentials and injecting malicious code. The campaign reached the official Red Hat npm namespace, exposing organisations that rely on internal package mirror strategies as a security control.

#supply-chain +8
🛡️ SecOps

ShinyHunters Claims Council of Europe Breach: 297 GB of HR and Payroll Data Exposed

The ShinyHunters threat group has claimed responsibility for breaching the Council of Europe, exfiltrating 297 GB of internal HR and payroll records covering more than 10,000 employees. The breach raises significant concerns around diplomatic personnel data protection and the security posture of intergovernmental bodies operating outside EU regulatory oversight.

#shinyhunters +5
🛡️ SecOps

Splunk Enterprise CVE-2026-20253 (CVSS 9.8): No-Authentication RCE Exposes SIEM Servers via PostgreSQL Sidecar

A critical remote code execution vulnerability in Splunk Enterprise allows unauthenticated attackers to run arbitrary commands on SIEM servers by targeting an exposed PostgreSQL sidecar service that bypasses all application-level authentication. CVE-2026-20253, rated CVSS 9.8, affects Splunk Enterprise 9.2.x and earlier on both Windows and Linux — a particularly damaging target given SIEM's visibility across the entire security estate.

#splunk +6
⚖️ Risk Mgmt

AI Workflow Builder Security Governance: Langflow CVE-2026-5027 and the Unmanaged AI Tool Problem

Langflow CVE-2026-5027's active exploitation is accelerating because many enterprise Langflow deployments are outside the formal IT security perimeter — deployed by data science and developer teams without security review, not in the CMDB, not in the vulnerability scanning scope. This article provides a governance framework for bringing AI workflow tools under security management.

#langflow +8
🏛️ Architecture

BitLocker Bypass CVE-2026-50507 and the Physical Security Gap in Laptop Data Protection

CVE-2026-50507 bypasses BitLocker pre-boot authentication on devices using TPM-only mode, enabling data access from a stolen device without the Windows login password. With corporate laptops regularly carrying sensitive data, financial information, and cached credentials, the physical theft scenario this vulnerability enables has significant business impact beyond IT.

#bitlocker +8
🗄️ Assets

Managing Chrome V8 Zero-Days in Enterprise Fleets: Browser Asset Inventory and Rapid Update Strategies

CVE-2026-11645's active exploitation before the patch highlights a persistent gap in enterprise browser management: many organisations do not maintain accurate browser version inventories or have the ability to push browser updates faster than the standard monthly patch cycle. This guide covers Chrome fleet management, version enforcement, and emergency update deployment.

#chrome +9
🌐 Network

Gentlemen Ransomware Worm: Using Network Segmentation to Contain Propagation Before Detection

The confirmed worm capability in the Gentlemen ransomware payload — propagating via SMB exploitation and credential reuse — changes the containment calculus for enterprise incident response. Effective network segmentation stops worm propagation at VLAN boundaries. This guide maps the segmentation controls that constrain Gentlemen's lateral movement.

#gentlemen-ransomware +8
🔑 IAM

Windows DHCP Rogue Server Attacks: NAC and DHCP Guard Controls Against CVE-2026-44815

CVE-2026-44815 in the Windows DHCP Client enables SYSTEM-level RCE via a rogue DHCP server on the same broadcast domain. DHCP Snooping (DHCP Guard) on enterprise switches is the primary compensating control while patching proceeds, but its effectiveness depends on consistent enforcement across all access-layer switches and correct handling of edge cases like DHCP relay configurations.

#dhcp +9
💻 AppSec

The AI Infrastructure Security Deficit: Langflow, LiteLLM, and a Repeating Pattern

Two AI infrastructure components — Langflow and LiteLLM — have reached the CISA Known Exploited Vulnerabilities catalogue in June 2026, both with command injection vulnerabilities in Python-based AI tooling. The pattern reflects a systemic gap: AI infrastructure is being deployed in enterprise environments under procurement and security processes designed for end-user applications, not for server-side infrastructure with network-accessible APIs.

#ai-infrastructure +9
🌐 Network

HTTP.sys CVE-2026-47291: Quantifying Wormable Risk Across the Windows Server Estate

Three days after the June Patch Tuesday, CVE-2026-47291 in HTTP.sys remains unpatched on a significant proportion of enterprise Windows Server infrastructure. This article maps the attack surface — which services expose HTTP.sys, how the worm propagation would function, and what network controls reduce the blast radius while patching is in progress.

#http-sys +9
🔬 Assessment

SAP Landscape Security Assessment: Managing NetWeaver Vulnerabilities Across Enterprise ERP Environments

CVE-2026-44748 (CVSS 9.9) in SAP NetWeaver ABAP is the second critical SAP vulnerability of 2026 affecting SAML authentication. Enterprise organisations running complex SAP landscapes with multiple NetWeaver instances face challenges in identifying which systems are affected, prioritising patching across landscape tiers, and assessing whether compromise indicators are present.

#sap +8
🛡️ SecOps

Why Ransomware Groups Target Veeam First: Backup Infrastructure as the Strategic Priority

CVE-2026-44963 in Veeam Backup & Replication is the third critical Veeam RCE vulnerability in three years, each exploited by ransomware operators to neutralise backup infrastructure before deploying encryption payloads. This article examines why backup systems have become the primary strategic target in ransomware operations and what structural security controls reduce exposure.

#veeam +7
🔑 IAM

Hardening Active Directory Against CVE-2026-47288 and the Kerberos Attack Surface

CVE-2026-47288 in the Windows Kerberos KDC is the most critical Active Directory vulnerability of 2026. Beyond patching, the Kerberos attack surface encompasses golden ticket attacks, AS-REP roasting, Kerberoasting, and credential relay. This article provides post-patch hardening guidance for enterprise AD environments.

#kerberos +8
🛡️ SecOps

Gentlemen Ransomware Claims 478 Victims in 66 Countries as Worm-Like Lateral Movement Capability Confirmed

New analysis of the Gentlemen ransomware operation reveals the group has compromised 478 organisations across 66 countries, significantly exceeding initial healthcare-focused estimates. Researchers have confirmed the ransomware includes a worm module that leverages SMB vulnerabilities and credential reuse to spread autonomously across enterprise networks without human operator intervention.

#gentlemen-ransomware +8
⚖️ Risk Mgmt

Enterprise Guide: Prioritising the June 2026 Patch Tuesday Across 198 CVEs

Security teams face 198 CVEs from Microsoft's June 2026 Patch Tuesday plus concurrent advisories from SAP, Ivanti, Palo Alto, and CISA. This guide provides a decision framework for prioritising remediation across different infrastructure tiers — from internet-facing servers to workstations — with specific guidance for each of the highest-risk vulnerabilities.

#patch-management +8
🔬 Assessment

CVE-2026-23111 Detection and Hardening Guide: Protecting Linux Environments from the nf_tables Exploit

With public proof-of-concept code available for CVE-2026-23111, security teams running Linux across production, containerised, and cloud environments need specific detection and hardening guidance. This guide covers kernel patch availability by distribution, interim mitigations, eBPF-based detection, and Kubernetes-specific containment measures.

#linux-kernel +9
🗄️ Assets

Windows Server Fleet Patching After June Patch Tuesday: Managing Velocity and Risk in Large Environments

After the largest Microsoft Patch Tuesday of 2026, enterprise teams face the challenge of patching Windows Server fleets at emergency speed while avoiding the outages that come with untested updates. This article addresses patch deployment sequencing, testing compression strategies, and rollback planning for the June 2026 emergency patch cycle.

#windows-server +8
🛡️ SecOps

Ivanti Sentry CVE-2026-10520: CVSS 10.0 Pre-Authentication RCE Exploited After PoC Release

Ivanti has disclosed CVE-2026-10520, a CVSS 10.0 pre-authentication remote code execution vulnerability in Ivanti Sentry (formerly MobileIron Sentry) that is being actively exploited following public proof-of-concept release. A companion OS command injection flaw, CVE-2026-10523 (CVSS 9.4), affects the same platform. Both require immediate action for all organisations running Ivanti Sentry in their mobile device management infrastructure.

#ivanti +9
💻 AppSec

Langflow CVE-2026-5027 Exploitation Accelerates: AI Workflow Builder's Path Traversal RCE Under Active Attack

Exploitation of CVE-2026-5027 in Langflow, the AI workflow builder, has intensified following public PoC release. The path traversal remote code execution vulnerability, added to CISA's KEV on 8 June, is being used to deploy credential stealers and post-exploitation agents against organisations running unsecured Langflow instances. Upgrade to Langflow 1.3.5 immediately.

#langflow +9
🌐 Network

Palo Alto Networks Patches PAN-OS Command Injection CVE-2026-0273 Across All Active Branches

Palo Alto Networks has patched CVE-2026-0273, a command injection vulnerability in the PAN-OS web management interface that allows authenticated administrators to execute arbitrary OS commands on the firewall. The vulnerability affects PAN-OS versions 10.1 through 11.2 and all active GlobalProtect gateway configurations. Updates are available across all supported branches.

#palo-alto +8
💻 AppSec

Veeam Backup & Replication CVE-2026-44963 (CVSS 9.4): Domain Users Can Execute Remote Code on Backup Infrastructure

Veeam has patched CVE-2026-44963, a CVSS 9.4 remote code execution vulnerability in Veeam Backup & Replication that allows any domain user to execute arbitrary code on the Veeam backup server. The vulnerability exploits insufficient authorisation in the Veeam Backup Service API. Organisations using Veeam in Active Directory environments should apply the patch immediately.

#veeam +8
🏛️ Architecture

June Patch Tuesday Zero-Days: BitLocker Bypass CVE-2026-50507 and CTFMON Privilege Escalation CVE-2026-45586

Two of June 2026's six publicly disclosed zero-days target security boundaries rather than remote execution: CVE-2026-50507 bypasses BitLocker pre-boot authentication on stolen devices, and CVE-2026-45586 enables local privilege escalation through the Windows Text Services Framework. Both carry named researcher disclosures and appear in active post-exploitation toolkits.

#bitlocker +8
🏛️ Architecture

Three CVSS 9.8 Windows Flaws Demand Emergency Action: Kernel RCE, Wormable HTTP.sys, and DHCP Client

CVE-2026-45657 (Windows Kernel), CVE-2026-47291 (HTTP.sys), and CVE-2026-44815 (DHCP Client) each carry CVSS 9.8 and enable unauthenticated remote code execution. All three were publicly disclosed before Microsoft's June patch, giving attackers a head start. This article provides technical detail and remediation guidance for each flaw.

#windows +10
🛡️ SecOps

Google Chrome Zero-Day CVE-2026-11645: V8 Out-of-Bounds Write Actively Exploited Before Patch

Google has released Chrome 149.0.7762.95 patching CVE-2026-11645, an out-of-bounds write in the V8 JavaScript engine that was actively exploited before disclosure. CISA has added the flaw to the Known Exploited Vulnerabilities catalogue. All users and enterprise deployments should update immediately — CISA's federal deadline is 30 June.

#chrome +8
🔬 Assessment

CISA Adds Chrome V8 Zero-Day, Cisco SD-WAN, and Arista EOS to Known Exploited Vulnerabilities Catalogue

CISA added three vulnerabilities to the KEV catalogue on 9 June: Google Chrome CVE-2026-11645 (V8 out-of-bounds write, actively exploited), Cisco SD-WAN CVE-2026-20245 (authentication bypass), and Arista EOS CVE-2026-7473 (privilege escalation command injection). Federal agencies face a 30 June remediation deadline across all three.

#cisa-kev +9
🌐 Network

Linux Kernel CVE-2026-23111: nf_tables Use-After-Free Enables Container Escape and Root Privilege Escalation

A use-after-free vulnerability in the Linux kernel's nf_tables netfilter subsystem allows unprivileged users to escalate to root and break container isolation. Public proof-of-concept code published 9 June makes this an immediate remediation priority across all major Linux distributions running kernel versions 5.15 through 6.10.

#linux-kernel +7
🛡️ SecOps

Microsoft June 2026 Patch Tuesday: 198 CVEs and Six Zero-Days Including Wormable CVSS 9.8 HTTP.sys Flaw

Microsoft's June 2026 Patch Tuesday addresses 198 vulnerabilities across Windows, Office, Azure, and server components — including three CVSS 9.8 critical remote code execution flaws and six publicly disclosed zero-days. HTTP.sys CVE-2026-47291 is wormable, requiring no authentication or user interaction against any Windows Server with IIS or HTTP API exposed.

#microsoft +9
⚖️ Risk Mgmt

SAP June 2026 Security Patch Day: CVSS 9.9 SAML Authentication Bypass CVE-2026-44748 in NetWeaver ABAP

SAP's June 2026 Security Patch Day includes CVE-2026-44748, a CVSS 9.9 authentication bypass in SAP NetWeaver Application Server ABAP that allows unauthenticated remote attackers to forge SAML assertions and impersonate any user including system administrators. Twenty-one additional CVEs were patched, including three rated Critical.

#sap +8
🔑 IAM

Windows Kerberos KDC Remote Code Execution CVE-2026-47288 Puts Domain Controllers at Critical Risk

CVE-2026-47288 is a critical remote code execution vulnerability in the Windows Kerberos Key Distribution Centre that allows network-adjacent unauthenticated attackers to execute arbitrary code on Active Directory domain controllers. All supported Windows Server versions are affected. Domain controllers should be treated as the highest-priority patch target in the June 2026 update cycle.

#windows-server +8
🌐 Network

CVE-2026-50751: Check Point Security Gateway Authentication Bypass Actively Exploited in Ransomware Campaigns

CISA added CVE-2026-50751 to the Known Exploited Vulnerabilities catalogue on 8 June with a three-day remediation deadline and confirmed ransomware campaign use. The vulnerability is a CVSS 9.3 authentication bypass in Check Point Security Gateway's IKEv1 VPN protocol handling that allows unauthenticated attackers to bypass remote access VPN authentication entirely. An emergency hotfix is available.

#check-point +7
💻 AppSec

CVE-2026-42271: BerriAI LiteLLM Command Injection Reaches CISA KEV — AI Infrastructure Under Attack

CISA added CVE-2026-42271 in BerriAI LiteLLM to the Known Exploited Vulnerabilities catalogue on 8 June, confirming active exploitation of a command injection vulnerability that allows API keys with limited privileges to execute arbitrary commands on the LiteLLM host. Organisations running LiteLLM as an AI gateway should update to v1.83.7-stable immediately.

#litellm +7
🛡️ SecOps

Meta Files Contempt Motion Against NSO Group Over WhatsApp Spear-Phishing Attack on Journalists

Meta has filed a federal contempt motion against NSO Group alleging the Israeli spyware vendor violated a 2021 court order by deploying new WhatsApp-based spear-phishing infrastructure targeting journalists and human rights defenders. The case highlights the persistent challenge of enforcement against commercial spyware vendors whose products operate outside regulatory frameworks.

#nso-group +8
🛡️ SecOps

UNC3753: Vishing Calls Combined With Physical Office Intrusions in U.S. Data Theft Extortion Campaign

Threat group UNC3753 has been documented combining voice phishing (vishing) with physical office intrusions to conduct data theft and extortion against U.S. organisations. The group uses vishing to gather employee credentials and facility access information, then deploys operatives physically to compromise targets. The hybrid TTPs represent a significant escalation in social engineering attack sophistication.

#unc3753 +7
🛡️ SecOps

VerdantBamboo Deploys BSD Variant of BRICKSTORM Backdoor Against Linux and BSD Network Appliances

China-nexus threat cluster VerdantBamboo has deployed a BSD-compatible variant of the BRICKSTORM backdoor, extending its implant capability beyond Linux ESXi hosts to commercial network appliances running FreeBSD-derived operating systems. The implant uses HTTPS command and control via legitimate TLS certificates, survives reboots, and operates below enterprise EDR visibility.

#verdantbamboo +8
💻 AppSec

VS Code Adds Two-Hour Extension Auto-Update Delay to Reduce Supply Chain Attack Window

Microsoft has released VS Code 1.101 with a configurable two-hour delay on automatic extension updates. The change is a direct response to supply chain attacks in which malicious updates were pushed to popular extensions, executing on developer machines within minutes of publication. The delay gives security teams a detection window before malicious updates execute across the developer fleet.

#vscode +7
🛡️ SecOps

China-Nexus Threat Groups and the Shift to Linux and BSD Appliance Targeting

A pattern documented across multiple China-nexus threat actors in 2025–2026 shows a deliberate move from Windows endpoint compromise toward Linux-based network appliances and BSD-running security devices. Network devices running proprietary Linux/BSD derivatives sit at the network edge with high-privilege routing access — and typically outside the enterprise's EDR coverage.

#china-nexus +8
🔬 Assessment

Assessing Network Perimeter Device Security: A Methodology for Firewalls, VPN Gateways, and Load Balancers

Network perimeter devices — firewalls, VPN gateways, and load balancers — are the most frequently exploited initial access category in enterprise breaches. Despite this, they are often excluded from regular security assessments. This methodology covers how to assess the security posture of perimeter network devices without disrupting production operations.

#network-appliances +7
🌐 Network

VPN Gateway Security: Hardening the Network Perimeter Device That Attackers Target First

VPN gateways and remote access concentrators have become the most frequently exploited initial access vector in enterprise network intrusions. With critical vulnerabilities regularly disclosed in Palo Alto GlobalProtect, Citrix NetScaler, Fortinet FortiGate, and now Check Point Security Gateway, this guide covers the security hardening and monitoring posture that reduces exposure regardless of which vendor's appliance your organisation runs.

#vpn +8
🔑 IAM

Enterprise AI Tool Governance: Controlling Access, Data Flows, and Shadow AI Risk

The rollout of ChatGPT Lockdown Mode highlights the broader challenge of governing AI tool access in enterprise environments: organisations must balance productivity benefits against data loss risk, prompt-injection exposure, and the proliferation of unofficial AI tools used without IT oversight. This guide covers the IAM and DLP controls that define an enterprise AI governance posture.

#ai-governance +7
🗄️ Assets

Free Apps Are Turning Smart TVs Into Residential Proxy Nodes — Without User Consent

Research published this week reveals that multiple free consumer applications are silently enrolling Android TV devices and Smart TV platforms as exit nodes for residential proxy networks, routing third-party AI web scraping and data harvesting traffic through household internet connections. Users receive free app access; their bandwidth and IP address are sold to commercial proxy operators without meaningful disclosure.

#smart-tv +7
⚖️ Risk Mgmt

OpenAI Rolls Out ChatGPT Lockdown Mode to Block Prompt-Injection Data Exfiltration

OpenAI has released ChatGPT Lockdown Mode, a security configuration that prevents ChatGPT from loading external URLs, rendering images from arbitrary sources, or executing third-party plugin calls — the primary vectors for prompt-injection attacks that cause ChatGPT to exfiltrate data to attacker-controlled endpoints. Enterprise and education customers can now enforce Lockdown Mode organisation-wide via the admin console.

#openai +7
🔬 Assessment

CISA KEV June 2026 Tracker: Vulnerability Additions, BOD 22-01 Deadlines, and Remediation Priorities

The CISA Known Exploited Vulnerabilities catalogue added three entries in the first week of June 2026, including the Oracle WebLogic deserialization vulnerability (CVE-2024-21182) and the Mirasvit Magento RCE (CVE-2026-45247). This tracker consolidates the June additions with their remediation deadlines and documents the patch availability status for each.

#cisa-kev +6
🔑 IAM

DBIR 2026 Identity Chapter: Credential Theft Remains Dominant, MFA Bypass Techniques Accelerating

The identity and credential findings from Verizon's 2026 DBIR show that stolen credentials remain the most common enabler of breaches across all sectors, used in 44% of analysed incidents. More troubling: the DBIR documents a significant increase in MFA bypass techniques — adversary-in-the-middle phishing toolkits, SIM swapping, and push notification fatigue attacks that defeat MFA as commonly deployed.

#verizon-dbir +7
🗄️ Assets

Magento and eCommerce Platform Security: Knowing What You Run and What You Owe Customers

CVE-2026-45247's CISA KEV status means organisations running Mirasvit Full Page Cache Warmer are now under a federal mandate to remediate — and should be asking whether their eCommerce platform inventory is accurate enough to comply. Magento deployments often span multiple versions, extension states, and customisation layers that make attack surface visibility a genuine challenge.

#magento +6
⚖️ Risk Mgmt

Verizon DBIR 2026: Vulnerability Exploitation Surpasses Phishing as Top Initial Access Vector — Enterprise Implications

Verizon's 2026 Data Breach Investigations Report, published mid-May, documents a structural shift in breach methodology: vulnerability exploitation has overtaken phishing as the most common initial access pathway in analysed breaches. The shift reflects a maturing attacker ecosystem that increasingly uses automated exploit delivery rather than requiring human interaction. Enterprise security programmes built around phishing awareness need recalibration.

#verizon-dbir +6
🌐 Network

CVE-2026-46243 and the CIFS Attack Surface: Network-Layer Hardening for Linux SMB Environments

CVE-2026-46243 exploits a flaw in the Linux kernel CIFS client subsystem reachable from local shell access. But the broader CIFS/SMB attack surface extends beyond this single CVE — SMB signing enforcement, unauthenticated share access, and uncontrolled NTLM relay paths are network-level risks that compound the impact of any CIFS kernel vulnerability. This article covers network hardening for Linux environments that use SMB/CIFS mounts.

#cifs +7
🔑 IAM

Healthcare Ransomware and Identity: The IAM Controls That Limit Gentelman's Blast Radius

The Gentelman ransomware group gains initial access through RMM vulnerabilities, but its ability to encrypt an entire healthcare network depends on how identity and access management is configured. Strong IAM controls — privileged access segmentation, MFA enforcement on administrative accounts, and service account restrictions — significantly limit what a ransomware operator can encrypt once inside the perimeter.

#ransomware +8
💻 AppSec

Magento Extension Supply Chain Risk: CVE-2026-45247 and the Third-Party Plugin Attack Surface

CVE-2026-45247 in the Mirasvit Full Page Cache Warmer illustrates a structural security problem in the Magento ecosystem: eCommerce site security is determined not just by the core platform version, but by every third-party extension installed. This guide covers how to assess and reduce the Magento extension attack surface.

#magento +7
⚖️ Risk Mgmt

Healthcare Ransomware Business Continuity: Prioritising Recovery When Clinical Systems Go Down

When ransomware hits a healthcare organisation, the recovery sequence matters as much as the containment response. Clinical systems have dependencies that make naive 'restore in alphabetical order' approaches catastrophic. This guide covers healthcare-specific BCP prioritisation for ransomware recovery, including the clinical dependency chain that drives sequencing decisions.

#ransomware +7
🛡️ SecOps

Gentelman Ransomware Surges: 9 Healthcare and Professional Services Victims in 72 Hours

The Gentelman ransomware group (tracked as Storm-2697) claimed 15 victims between 1–3 June with a heavy focus on healthcare providers and professional services firms in North America. The surge appears linked to exploitation of known vulnerabilities in remote management software. Healthcare organisations should review internet-exposed remote access and RMM tool exposure immediately.

#ransomware +7
🔬 Assessment

CVE-2026-46243: Identifying Affected Systems and Detecting Exploitation Attempts

With a public proof-of-concept available and patched kernels in distribution repositories, security teams need a systematic approach to identify which Linux systems in their environment are exposed to CVE-2026-46243 and whether any exploitation activity has occurred. This guide covers detection queries, affected system identification, and temporary mitigation steps for environments that cannot patch immediately.

#linux +7
🏛️ Architecture

CVE-2026-46243: 19-Year-Old Linux CIFS Kernel Flaw Grants Unprivileged Local Root Across Major Distributions

A long-latent vulnerability in the Linux kernel's CIFS filesystem subsystem allows any unprivileged local user to forge an upcall key and escalate directly to root. Patched kernels reached distribution repositories on 2–3 June; Red Hat, AlmaLinux, Rocky Linux, and CloudLinux all issued security advisories on 3 June. A public proof-of-concept exists.

#linux +7
🗄️ Assets

Linux Kernel Patch Management as Asset Security: Why CVE-2026-46243 Exposes the Kernel Update Gap

The CVE-2026-46243 disclosure — a 19-year-old kernel flaw with a public root exploit and distribution patches already available — is a useful lens for examining how enterprises manage Linux kernel versions as security-relevant assets. Many organisations have robust patch management for applications but inconsistent processes for kernel updates, particularly on specialised infrastructure like database hosts and container nodes.

#linux +6
💻 AppSec

CVE-2026-45247: CISA Adds Mirasvit Magento Cache Warmer RCE to KEV — Unauthenticated PHP Deserialization Exploited in Wild

CISA added CVE-2026-45247 to the Known Exploited Vulnerabilities catalogue on 3 June, confirming active exploitation of a CVSS 9.8 PHP deserialization vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2. Attackers exploit a malicious serialised cookie value to execute arbitrary code without authentication. The patch has been available since 25 May; organisations running Mirasvit FPC Warmer must update immediately.

#magento +7
🗄️ Assets

Android Enterprise Patch Management: Closing the Gap Between Google's Bulletin and Fleet-Wide Coverage

The June 2026 Android Security Bulletin — which includes an actively exploited zero-day — highlights a structural challenge for enterprise Android fleet management: Google publishes a patch, but enterprise coverage depends on OEM update timelines, carrier approval processes, and EMM deployment policies that can extend the effective exposure window by weeks. This guide covers a practical approach to managing the gap.

#android +8
🛡️ SecOps

Android June 2026 Security Update: Zero-Day CVE-2025-48595 Patched Alongside 124 Vulnerabilities

Google's June 2026 Android Security Bulletin patches 124 vulnerabilities including CVE-2025-48595, an integer overflow in the Android Framework with confirmed limited exploitation consistent with nation-state spyware deployment. Enterprise Android fleets should prioritise this update given the zero-day's targeted exploitation pattern.

#android +7
⚖️ Risk Mgmt

ITSM Platform Security Governance: Why ServiceNow, Jira, and Freshservice Are High-Value Targets

The ServiceNow API breach this week highlights a category of platform that organisations consistently underestimate as an attack target: IT Service Management tools. ITSM platforms aggregate privileged information about the organisation's infrastructure, credentials, and operational processes — making them a high-value target and a high-consequence breach.

#servicenow +7
💻 AppSec

ServiceNow API Security Configuration: Access Controls, ACLs, and Endpoint Hardening to Prevent Zero-Auth Exposure

The ServiceNow API breach highlights the risk of zero-auth API endpoint exposure in SaaS ITSM platforms. ServiceNow's platform provides granular access control mechanisms — ACLs, application scope policies, and API gateway controls — that, if properly configured, limit the blast radius of similar incidents. This guide covers the core security configuration for ServiceNow REST APIs.

#servicenow +7
🔬 Assessment

ServiceNow Security Assessment: Auditing API Exposure and Access Control Configuration

Following the ServiceNow API breach, organisations should conduct a targeted security assessment of their ServiceNow instance, focusing on API endpoint exposure, unauthenticated access paths, ACL configuration, and service account privilege scope. This assessment guide covers the key checks and how to perform them without specialist ServiceNow security tooling.

#servicenow +7
🛡️ SecOps

ServiceNow Zero-Auth API Exploitation: Customer Instance Data Exposed Through Unauthenticated Endpoint

ServiceNow disclosed an active security incident beginning 2 June in which an unauthenticated API endpoint allowed attackers to query customer instance data including IT ticket contents, asset inventories, and stored credentials. Exploitation began 2 June; ServiceNow patched the endpoint by 5 June. No CVE was assigned at time of disclosure. Organisations should review ServiceNow access logs for the incident window.

#servicenow +6
⚖️ Risk Mgmt

Enterprise Java Middleware Security Governance: Bringing WebLogic and JBoss into the Vulnerability Management Programme

Oracle WebLogic, Red Hat JBoss/WildFly, and IBM WebSphere are foundational enterprise application infrastructure that frequently falls outside the scope of corporate vulnerability management programmes. CVE-2024-21182's CISA KEV addition — 18 months after the patch — reflects what happens when middleware is governed outside the security programme.

#oracle +7
🛡️ SecOps

Oracle WebLogic CVE-2024-21182 Added to CISA KEV — Federal Deadline June 4 as Ransomware Payloads Observed

CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalogue on 1 June, citing confirmed active exploitation of the Oracle WebLogic Server unauthenticated remote attack vulnerability. Honeypot data shows attackers delivering Cobalt Strike beacons and ransomware payloads via the T3/IIOP protocol attack path. Federal civilian agencies must remediate by 4 June.

#oracle +8
🔬 Assessment

Oracle WebLogic Security Assessment Guide: Discovering Exposure Before the Next T3 Exploit

Enterprise Java middleware is often the least-assessed component of the application security programme. Oracle WebLogic installations are frequently discovered during incident response rather than proactive inventory. This guide covers the discovery, assessment, and continuous monitoring steps for WebLogic security.

#oracle +6
🏛️ Architecture

Oracle WebLogic T3 and IIOP Hardening: Eliminating the Attack Surface Behind CVE-2024-21182

The T3 and IIOP protocols in Oracle WebLogic Server have been the source of 15+ critical vulnerabilities over the past decade. This guide covers the configuration controls that isolate T3/IIOP from untrusted networks — the single most effective defence regardless of which WebLogic CVE is currently being exploited.

#oracle +7