The 24-hour period from June 25-26, 2026 reveals a critical convergence of supply chain vulnerabilities, authentication bypasses, and active exploitation across enterprise infrastructure. Multiple CRITICAL-severity vulnerabilities (CVSS 9.0+) were disclosed affecting widely-deployed platforms including Flowise AI, DICOM medical systems, Bitwarden password management, and Go SSH libraries. Cisco Unified Communications Manager (CVE-2026-20230) was weaponized within 24 hours of disclosure, demonstrating adversary capability to rapidly operationalize SSRF vulnerabilities for privilege escalation. Polish law enforcement disrupted a sophisticated SIM-swapping operation linked to millions in cryptocurrency theft, while ransomware groups AuditTeam and Qilin continued targeting critical infrastructure in Russia and Greece. The hospitality sector faces an active Node.js implant campaign using photo-themed social engineering, and Russian APT Gamaredon has significantly upgraded its malware delivery and C2 obfuscation capabilities. Organizations should prioritize patching authentication and SSRF vulnerabilities, review SIM-swap protections for high-value accounts, and validate AI/ML toolchain integrity given multiple supply chain incidents.
Multiple CRITICAL-severity vulnerabilities (CVSS 9.0+) disclosed across enterprise platforms with active exploitation observed
CISA added CVE-2026-20230 to the KEV catalog. An unauthenticated SSRF vulnerability in Cisco Unified CM allows remote file write to the underlying OS, escalating to root privileges. Attackers weaponized this flaw in less than 24 hours post-disclosure.
CRITICAL RCE vulnerability in Flowise versions 2.2.7-patch.1 and earlier allows unauthenticated attackers to execute arbitrary OS commands through unsandboxed Custom MCP feature due to minimal authentication model.
CRITICAL path traversal in Flowise /api/v1/document-store/loader/process endpoint enables unauthenticated attackers to write arbitrary files including package.json, achieving supply chain compromise through malicious dependency injection.
CRITICAL authentication bypass in medical DICOM WebSocket endpoints allows attackers to impersonate charging stations and access sensitive healthcare data without credentials (CVSS 9.4).
Out-of-bounds write in RTKLIB decode_type1033 function allows attackers controlling NTRIP or serial RTCM3 correction streams to write 191 bytes into 64-byte buffers, achieving RCE on GPS/navigation systems.
CISA added CVE-2026-12569 to the KEV catalog. Improper input validation allows unauthenticated remote attackers to execute arbitrary code via malicious network requests to industrial PLM systems.
golang.org/x/crypto/ssh affected by 5 CRITICAL vulnerabilities including CVE-2026-46595 (verified public key callback bypass), CVE-2026-42508 (revoked key enforcement bypass), CVE-2026-39831 (FIDO U2F presence check bypass), enabling complete authentication bypass in Go-based SSH implementations.
Hospitality sector targeted by Node.js implant campaign; Gamaredon APT upgrades capabilities; Amadey and Mozi botnets maintain active distribution
Microsoft identified multi-stage intrusion campaign targeting European and Asian hospitality organizations using photo-themed ZIP archives and fake image shortcuts to deploy persistent Node.js implant with detection evasion capabilities.
New macOS malware 'Gaslight' embeds prompt injection strings and fake debugging data to poison AI-assisted malware analysis tools, representing a novel anti-analysis technique targeting automated security workflows.
46 malicious URLs on IP 62.60.226.140 distributing Amadey malware dropper (d52f85 variant) through tron-series campaigns, indicating large-scale botnet expansion operations.
Bluekit phishing-as-a-service evolved with 70 new hostnames and browser-in-the-middle capabilities for improved credential theft, bypassing MFA through real-time session proxying.
Multiple IPs (115.56.67.205, 163.142.93.21, 183.141.130.213, 112.239.99.159) distributing Mozi botnet payloads targeting MIPS and ARM architectures, focusing on IoT device compromise for DDoS and proxy operations.
Russian APT Gamaredon upgrades arsenal; CL-STA-1062 targets Southeast Asian governments; law enforcement disrupts SIM-swapping and piracy operations
FSB-sponsored Gamaredon operation enhanced malware loading mechanisms and C2 server obfuscation, requiring updated detection strategies. Group maintains persistent targeting of Ukrainian and Eastern European entities.
Advanced espionage operation targeting government entities and critical infrastructure in Southeast Asia using hybrid toolkit including custom TinyRCT backdoor for long-term intelligence collection.
Polish authorities arrested 4 members of organized cybercrime group that breached telecom partners and hijacked email accounts to conduct SIM-swapping attacks targeting cryptocurrency accounts, stealing millions.
Major sports piracy operation linked to illegal PirloTV streaming platform disrupted through coordinated seizure of 44 domains, taking down significant copyright infringement infrastructure.
Shopify's Shop app abused for callback phishing; parcel mule scams proliferate; domain renewal phishing targets website owners
Russian authorities continue using Cellebrite phone-hacking tools to target dissidents despite the company's 2021 announcement that it would cease operations in Russia, highlighting the inability to fully control deployed technology.
Threat actors exploiting Shopify's order-tracking app Shop by injecting fake purchase receipts into user order histories to conduct callback phishing attacks and deploy remote access trojans.
Sophisticated phishing campaign using fake domain renewal notices and convincing websites to trick website owners into paying scammers, leveraging WHOIS data for targeted social engineering.
Ongoing scam campaigns recruiting money mules through fake 'Parcel Expert' job postings, tricking victims into receiving and forwarding stolen goods, exposing them to criminal liability.
Authentication bypasses in Flowise, Bitwarden, Keycloak and Chrome requiring immediate remediation
Unprotected /api/v1/account/register endpoint allows unauthenticated attackers to create arbitrary accounts and gain full API access to Flowise AI platform.
Google patched 18 vulnerabilities including 4 critical flaws. Two WebGL bugs could allow attackers to escape browser security sandbox and achieve code execution on host system.
Missing UUID validation in chatflowId/chatId parameters allows path traversal attacks to read arbitrary files from filesystem by supplying traversal sequences like '../../../../../tmp'.
Custom users with ManageUsers permission can remove Admin accounts from organizations due to missing role hierarchy validation in bulk user-remove endpoint, enabling privilege escalation.
JWT algorithm confusion in Keycloak JWT Authorization Grant flow allows attackers with valid client credentials to bypass signature verification and forge unauthorized access tokens.
Apicurio Registry WSDLReaderAccessor creates WSDL readers without disabling external entity resolution, enabling XXE attacks when VALIDITY rule is FULL. Attackers with Developer role can upload malicious WSDL documents.
Ransomware groups targeting Russian and Greek organizations; healthcare breach disclosure delayed
I-SYS, a 25-year-old Russian business automation and software development company, added to AuditTeam ransomware leak site. Company develops DocTrix EDMS platform and AI assistant Матрёшка, representing potential exposure of enterprise customer data and source code.
ISOPLUS (www.isoplus.gr) added to Qilin ransomware group's leak site, indicating breach of Greek manufacturing/industrial organization with potential operational disruption.
Colorado Health Network notifying patients of August 2025 breach after Cephalus threat actor claimed 900 GB data acquisition. Key details about data types and patient count remain undisclosed, raising transparency concerns.
Nathan Austad, third defendant in 2022 DraftKings hack, sentenced to 18 months prison. Case demonstrates continued prosecution of credential stuffing and account takeover operations targeting online gaming platforms.
Ukraine and Russia continue to face cyberattacks; Asian scam centers persist despite law enforcement pressure
Ukraine's state postal operator Ukrposhta experienced app service disruptions following a suspected cyberattack, though attribution remains unclear. This represents continued targeting of Ukrainian critical infrastructure.
Despite international law enforcement efforts, scam centers in Asia continue to flourish due to local police collusion, with tens of billions flowing into regional economies from cybercrime operations.
Dairy products manufacturer in Russia's Bashkortostan republic disrupted by cyberattack, latest in series targeting Russian food production facilities, potentially indicating coordinated campaign.
CISA hiring expansion planned; Microsoft extends Windows 10 support; Europe emerges as ransomware hotspot
Analysis shows Europe has evolved into ransomware gangs' favorite region after global lull, with attackers increasingly targeting EU organizations and their supply chains for higher ransom potential.
Educational institutions face increasing risk as attackers pivot from directly targeting schools to compromising edtech software suppliers, amplifying attack surface and data exposure across multiple institutions.
DHS Secretary Mullin announced President has met with potential CISA director nominee. Once confirmed, agency plans major hiring push of 600 positions to strengthen national cybersecurity posture.
Microsoft quietly extended free Windows 10 Extended Security Updates program for consumers by one year to October 2027, providing additional time for organizations to plan migration strategies.
These briefings are compiled from publicly available threat-intelligence feeds, which may include CISA KEV, NIST NVD, the GitHub Advisory Database (OSV), abuse.ch, and Wordfence Intelligence. Data-breach and credential-leak items may include data from Have I Been Pwned and ransomware.live.
CVE® is a registered trademark of The MITRE Corporation. CVE Records are © The MITRE Corporation, reproduced under the CVE Program Terms of Use. WordPress vulnerability data is provided by Wordfence Intelligence, © Defiant, Inc. Breach data from Have I Been Pwned is licensed under CC BY 4.0.