# PurpleOps — Full Resources Content for LLM Ingestion > This file contains the complete text of every published article on purple-ops.io. > It is intended for deep research, RAG pipelines, and LLM training/fine-tuning. > For a concise site overview and article index, see: https://purple-ops.io/llms.txt - Website: https://purple-ops.io - Generated: 2026-06-23T05:58:22.078Z - Total articles: 850 --- ## Category Index - [CVE Analysis](https://purple-ops.io/blog/cve-analysis): Critical vulnerability deep-dives with CVSS scoring and remediation guidance. - [Ransomware Reports](https://purple-ops.io/blog/ransomware-reports): Ransomware group tracking, campaign analysis, and victim disclosures. - [Threat Intelligence](https://purple-ops.io/blog/threat-intelligence): Threat actor profiles, campaign analysis, and emerging attack techniques. - [Vulnerability Alerts](https://purple-ops.io/blog/vulnerability-alerts): Vulnerability disclosures, patch analysis, and risk assessments. - [Security Reports](https://purple-ops.io/blog/reports): Ransomware tracker and long-form research reports. --- ## Splunk Enterprise CVE-2026-20253 Actively Exploited - URL: https://purple-ops.io/blog/splunk-enterprise-cve-2026-20253-exploit - Date: 2026-06-23 - Category: CVE Analysis - Tags: cve-2026-20253, splunk-enterprise, unauthenticated, file-operations, active-exploitation - Reading time: 5 min **Summary:** Cisco Splunk Enterprise CVE-2026-20253, a high-severity flaw, allows unauthenticated file operations and is actively exploited. Splunk Enterprise CVE-2026-20253 Actively Exploited Cisco has addressed a critical security vulnerability, CVE-2026-20253, affecting Splunk Enterprise versions. This high-severity vulnerability allows an unauthenticated, network-reachable attacker to create or truncate arbitrary files due to a lack of authentication controls within a specific service endpoint. Splunk Enterprise deployments are common in critical infrastructure and security operations centers, which means this flaw poses an immediate operational risk. The vulnerability stems from an unprotected PostgreSQL sidecar service endpoint, which attackers are actively exploiting in the wild. This direct evidence of in-the-wild exploitation mandates prompt attention and remediation for all affected organizations. The impact of such a vulnerability can range from data integrity compromise to system disruption, given the extensive file operation capabilities granted. Organizations using Splunk Enterprise are strongly advised to review their deployed versions and implement the provided remediation steps. Active exploitation makes this vulnerability an immediate operational security issue, not just a theoretical concern. Analysts must understand the technical specifics to effectively detect and mitigate potential threats. What is CVE-2026-20253 and why is it critical? CVE-2026-20253 is a high-severity vulnerability within Cisco Splunk Enterprise that permits unauthenticated users to perform file creation or truncation operations on the underlying system. The criticality arises from the fact that a PostgreSQL sidecar service endpoint, integral to Splunk Enterprise functionality, lacks necessary authentication controls. This omission allows any user with network reachability to this service to invoke sensitive file system operations without providing any credentials. The ability to create or truncate arbitrary files gives an attacker a powerful method for system compromise. This access can lead to severe consequences. Attackers could cause denial-of-service by overwriting or deleting critical system files. They might also compromise data integrity by altering configuration files, or facilitate privilege escalation and remote code execution by writing malicious scripts. The classification as a high-severity vulnerability aligns with the significant control an attacker can gain over a compromised system, especially one as central to IT and security operations as Splunk Enterprise. What is the potential impact of CVE-2026-20253? The primary impact of CVE-2026-20253 is the potential for an unauthenticated attacker to manipulate files on the host running Splunk Enterprise. Specifically, the vulnerability allows for the creation or truncation of arbitrary files. This capability has several critical implications for an organization's security posture and operational continuity. An attacker could use the file truncation capability to delete or corrupt critical system files, potentially leading to a denial-of-service condition for the Splunk Enterprise instance or even the underlying operating system. Truncating data files, logs, or configuration files can severely impair Splunk's operation, data processing, and historical information retention. This directly impacts an organization's logging and monitoring capabilities. For example, overwriting or emptying critical database files could render the Splunk instance inoperable, requiring significant recovery efforts. Conversely, the ability to create arbitrary files offers an attacker a vector for injecting malicious content or configuration settings. This could involve creating new scripts in directories that are executed by privileged services, introducing new user accounts, modifying existing configuration files to establish persistence, or facilitating further compromise. In environments where Splunk Enterprise holds sensitive data or acts as a central security information and event management (SIEM) solution, the integrity of these systems is paramount. Unauthorized file manipulation directly undermines data integrity and system trustworthiness. Organizations that deploy Splunk Enterprise are at risk, particularly those where the PostgreSQL sidecar service endpoint is exposed to untrusted networks or the internet. Given Splunk Enterprise's role in collecting, indexing, and analyzing machine-generated data, a compromise could lead to data exfiltration and manipulation of security logs to obscure malicious activity. It could also result in the compromised Splunk instance being used as a pivot point for lateral movement within a network. This type of vulnerability, particularly one exploited in the wild, represents a direct and immediate threat to the operational security of affected entities. The risk profile is similar to other critical vulnerabilities involving actively exploited weaknesses in network-facing services, as discussed in our prior analysis of a critical Cisco RCE vulnerability that was actively exploited in the wild. How is CVE-2026-20253 exploited? The exploitation of CVE-2026-20253 hinges on an attacker's ability to reach and interact with the PostgreSQL sidecar service endpoint associated with Splunk Enterprise. The core vulnerability lies in the complete absence of authentication controls on this specific network-reachable service endpoint. This means an attacker needs no prior credentials, nor do they need session tokens or authentication bypasses to initiate malicious operations; they only need network connectivity. The attack vector is described as an unauthenticated user being able to create or truncate arbitrary files. This implies that the PostgreSQL sidecar service, intended for internal database operations, exposes functions that directly interact with the file system, and these functions are callable without validation of the user's identity or authorization. The exploitation chain therefore primarily involves: Network Reconnaissance: An attacker identifies Splunk Enterprise instances, specifically looking for the exposed PostgreSQL sidecar service endpoint on accessible network segments. This service would typically listen on a specific port, which an attacker could discover through port scanning. Unauthenticated Access: Once the endpoint is located, the attacker can send specially crafted requests to it. Because there are no authentication controls, these requests are processed directly by the service. File Operation Execution: The crafted requests would invoke the internal file operation functionalities, instructing the service to either create a new file at a specified path and with specified content, or to truncate (empty or set to a specific size) an existing file at a given path. The specific parameters, such as file path and content for creation, or file path for truncation, would be embedded within the attacker's request. The consequences of such operations are extensive. An attacker could overwrite sensitive configuration files, such as those related to Splunk's user management or data inputs, potentially gaining administrative access to the Splunk instance itself. Alternatively, they could delete critical log files or operational data, causing significant disruption or hindering forensic investigations. The vulnerability description states that this is an Exploit in the Wild, confirming that adversaries have developed and are actively deploying methods to use this flaw against unpatched systems. This places the exploitation of CVE-2026-20253 in the category of immediate threats, similar to other critical unauthenticated access vulnerabilities that have seen active exploitation, such as our prior analysis of an authentication bypass vulnerability involving SimpleHelp. The lack of authentication on a critical service endpoint represents a fundamental security lapse, making exploitation straightforward for an attacker with network access. The specific details of the PostgreSQL sidecar service and its interaction with the file system are central to understanding the full scope of potential malicious actions. Which products and versions are affected by CVE-2026-20253? The CVE-2026-20253 vulnerability specifically impacts certain versions of Cisco Splunk Enterprise. Not all versions of Splunk Enterprise are vulnerable. Organizations must verify their installed versions against the following list to determine their exposure. The affected versions of Splunk Enterprise are: Splunk Enterprise 10.2 versions below 10.2.4 Splunk Enterprise 10 versions below 10.0.7 Earlier versions of Splunk Enterprise are not affected by this particular vulnerability. Splunk Enterprise 9.4 and earlier versions are not affected. This distinction is crucial for prioritization and remediation efforts. Organizations running older, unsupported versions might face different security risks but are not directly vulnerable to CVE-2026-20253. However, those operating within the vulnerable 10.x and 10.2.x series must take immediate action. How can CVE-2026-20253 be detected? Detecting exploitation attempts or successful exploitation of CVE-2026-20253 requires multiple approaches, such as monitoring network traffic, system logs, and file integrity monitoring. Given the vulnerability allows for unauthenticated file creation and truncation via a PostgreSQL sidecar service, detection strategies should target anomalies related to this service and unexpected file system modifications. Network-Based Detection: Unusual Traffic Patterns: Monitor network traffic directed towards the PostgreSQL sidecar service endpoint. Look for connections from unusual source IP addresses or networks, especially external ones, to the specific port used by the PostgreSQL service on Splunk Enterprise instances. Baseline Deviation: Establish a baseline of normal network activity to the PostgreSQL sidecar service. Any significant deviation, such as a sudden increase in unauthenticated requests or requests with unusual payloads, could indicate an exploitation attempt. Traffic Content Analysis: If deep packet inspection is possible, look for anomalies in the traffic content directed at the PostgreSQL sidecar. While specific signatures may not be public for this particular exploit, identifying non-standard database queries or commands indicative of file manipulation operations could be a strong indicator. Host-Based Detection (on the Splunk Enterprise server): File Integrity Monitoring (FIM): Implement strong FIM solutions to monitor critical Splunk directories, configuration files, and system directories for unauthorized changes. Unexpected creation, modification, or deletion of files, particularly those that are not typically altered by standard Splunk operations or expected administrative tasks, should trigger alerts. Pay close attention to file paths that could facilitate privilege escalation or persistence. Process Monitoring: Monitor processes associated with the Splunk Enterprise PostgreSQL sidecar service. Look for unusual child processes being spawned, or the PostgreSQL process itself performing unexpected file system operations outside its normal scope. System and Application Logs: Review system logs (e.g., OS audit logs, application logs) for any errors or unusual activity reported by the PostgreSQL service or related Splunk components. Anomalies in access logs for file system operations, especially those not attributable to legitimate users or processes, are critical. Disk Activity Anomalies: Monitor for unusual spikes in disk write or delete operations, particularly in sensitive directories. While not always specific to this CVE, it can indicate broader malicious activity. Splunk Internal Logging and Correlation (within Splunk Enterprise itself, if not compromised): Internal Splunk Logs: If the Splunk instance is still functioning, its internal logs may record attempts to access the PostgreSQL sidecar service or file system events. Analysts should create search queries to identify two key areas: failed or unusual connections to the PostgreSQL service, and file system events (creation, modification, deletion) by the user account running Splunk services, particularly in unexpected locations. Additionally, they should look for anomalous behavior patterns from internal Splunk components that could indicate compromise. Security Event Correlation: Correlate events from network devices (firewalls, IDS/IPS), host-based logs, and FIM alerts. For example, a network alert for unusual traffic to the PostgreSQL port, combined with an FIM alert for a new file creation, provides strong evidence of potential exploitation. Proactive monitoring and the establishment of baselines for normal activity are essential. Without specific IOCs provided by the vendor at the time of discovery, generic indicators of compromise related to unauthorized file system access and anomalous network behavior become critical for early detection. How can CVE-2026-20253 be remediated? Remediation for CVE-2026-20253 involves several steps, including patching, applying official workarounds, and continuous monitoring. Prompt action is crucial due to the active exploitation in the wild. Patching and Upgrading: The primary remediation is to upgrade Cisco Splunk Enterprise to a fixed version. Organizations using Splunk Enterprise 10.2 must upgrade to version 10.2.4 or a later release. Organizations using Splunk Enterprise 10 (referring to the 10.0.x series) must upgrade to version 10.0.7 or a later release. Consult the official Cisco Splunk Security Advisory (SVD-2026-0603) for the definitive patch and upgrade instructions. This advisory will provide the most accurate and up-to-date guidance for obtaining and applying the necessary updates. Workaround/Mitigation (if immediate patching is not possible): If immediate patching is not feasible, a critical workaround is available: disabling the PostgreSQL sidecar service. This action directly addresses the root cause of the vulnerability by removing the unauthenticated access point. Disabling this service might impact certain functionalities that rely on the PostgreSQL sidecar. Organizations must thoroughly test this mitigation in a non-production environment to understand any potential operational impacts before deploying it broadly. While disabling the service mitigates the immediate threat, it should be considered a temporary measure. Upgrading to a patched version remains the recommended long-term solution to restore full functionality and address all security fixes. Post-Remediation Monitoring: After applying patches or mitigations, continue to monitor for any signs of prior compromise. Active exploitation means that systems might have already been breached before remediation. Conduct thorough security audits and forensic analysis if there is any suspicion of compromise before the patch was applied. Look for persistence mechanisms, unauthorized accounts, unusual file system modifications, or other signs that might indicate a successful attack. Regularly review logs and FIM alerts, along with network traffic, for any residual indicators of compromise or further exploitation attempts. Adherence to these remediation steps, prioritized by immediate patching or application of the workaround, is essential for securing Splunk Enterprise environments against CVE-2026-20253 and mitigating the risks associated with active exploitation. Technical Takeaways CVE-2026-20253 is a high-severity vulnerability in Cisco Splunk Enterprise affecting versions 10.2 below 10.2.4 and 10 below 10.0.7. The vulnerability allows an unauthenticated, network-reachable attacker to create or truncate arbitrary files via a PostgreSQL sidecar service endpoint lacking authentication controls. This flaw is actively being exploited in the wild, necessitating immediate remediation actions. Impacts include potential denial-of-service and data integrity compromise. The flaw can also facilitate further system compromise or remote code execution. The primary remediation is upgrading to Splunk Enterprise 10.2.4 (or later) or 10.0.7 (or later). A critical workaround involves disabling the PostgreSQL sidecar service if immediate patching is not feasible. --- ## The Gentlemen Ransomware Claims 10 Victims in 24h - URL: https://purple-ops.io/blog/the-gentlemen-ransomware-victims - Date: 2026-06-22 - Category: Ransomware Report - Tags: none - Reading time: 6 min **Summary:** The Gentlemen ransomware group led recent activity by claiming 10 new victims in 24 hours, alongside other active groups like Qilin and Aur0ra. The Gentlemen Ransomware Claims 10 Victims in 24h Statistical Overview Victim Totals This month: 602 This quarter: 2145 Year to date: 4766 Last 24h: 25 Quarterly Breakdown Q1: 2631 | Q2: 2145 | Q3: 0 | Q4: 0 Ransomware activity continues at a consistent pace, with the current quarter tracking near Q1's high volumes. The 25 new victims reported in the last 24 hours show a consistent operational tempo from various threat actors. Introduction Ransomware operators reported 25 new victims, with The Gentlemen as the most active group, claiming 10 incidents. Qilin (6) and Aur0ra (4) were also active. Targeting was diverse, with significant activity in Technology/Software and Professional Services. Most impacted organizations were in the United States and Canada. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1The Gentlemen10Canada wide media, Ctm india limited motherson india, Ergomed (+7)United States, ThailandTechnology / Software, Transportation & Logistics 2Qilin6Belz institutions, Central bank of libya, Florida engineering services (+3)Taiwan, United StatesTelecommunications, Professional Services 3Aur0ra4Aerospace & advanced composites gmbh, Kochs gmbh, Nationsbuilders insurance services (+1)Netherlands, AustriaProfessional Services, Insurance 4CMD2Union Tractor, Wall ISDUnited States, CanadaManufacturing, Education 5DragonForce2Bits-pilani.ac.in, Mihana-v.comJapan, IndiaManufacturing, Education 6Akira1Ntd apparelCanadaRetail & Ecommerce The Gentlemen led ransomware activity this period, claiming 10 victims across sectors like Technology/Software and Transportation & Logistics. Qilin (6) and Aur0ra (4) also reported activity, continuing a trend seen in recent reporting on latest ransomware groups. Qilin, for instance, claimed the Central Bank of Libya as a victim, matching its presence in recent ransomware victim updates and showing a continued focus on critical infrastructure targets. CMD, DragonForce, and Akira also contributed to attacks impacting manufacturing, education, and retail. Victim Distribution By Country United States: 9 Canada: 4 Thailand: 2 India: 2 Germany: 2 Netherlands: 1 Taiwan: 1 Austria: 1 Libya: 1 Japan: 1 By Industry Education: 2 Manufacturing: 2 Civil Engineering: 1 Telecommunications: 1 Real Estate: 1 Occupational Health and Employment Testing: 1 Logistics and Freight Forwarding: 1 Insurance: 1 Financial Services: 1 Design Services: 1 The United States and Canada remain primary targets for ransomware operators, accounting for over half of the reported incidents. While no single industry dominates, attacks are distributed across many sectors, suggesting opportunistic targeting or specific campaigns by individual groups. Ransomware News Topline Recent intelligence shows ongoing ransomware campaigns exploiting critical vulnerabilities, significant law enforcement disruptions against established malware infrastructure, and rising regional cybercrime threats. Campaigns & Operations Global law enforcement, via Operation Endgame, disrupted the SocGholish malware infrastructure, taking down 106 domains and remediating nearly 15,000 compromised WordPress sites previously used to deploy ransomware and other malware. This activity was historically linked to Evil Corp. This action coincides with an INTERPOL warning on a surge in cybercrime across the Asia-Pacific region, including approximately 135,000 ransomware attacks recorded in 2024. These attacks are driven by AI-powered social engineering and the industrialization of scam operations. Vulnerabilities & TTPs At the same time, CISA identified active exploitation of CVE-2026-35273, a critical unauthenticated remote access vulnerability in Oracle PeopleSoft Enterprise PeopleTools, which is being used in ransomware attacks to gain control of ERP environments. Analyst Note These developments show the complex nature of the ransomware threat, involving both opportunistic exploitation and organized criminal infrastructure. Technical Takeaways The Gentlemen claimed 10 of 25 new ransomware victims, making it the most active operator. Qilin claimed 6 victims, including the Central Bank of Libya, showing a focus on critical infrastructure. North America, particularly the United States and Canada, remains a primary geographic target. Technology/Software, Professional Services, Education, and Manufacturing industries saw significant ransomware activity. A critical zero-day vulnerability, CVE-2026-35273 in Oracle PeopleSoft, is actively exploited in ransomware attacks. International law enforcement disrupted the SocGholish malware infrastructure, often used for ransomware deployment, and remediated nearly 15,000 WordPress sites. INTERPOL reported approximately 135,000 ransomware attacks in the Asia-Pacific region during 2024, showing an increase in AI-driven cybercrime. Why The Gentlemen Ransomware Group Stands Out The Gentlemen ransomware group's ability to claim 10 victims within a single 24-hour window signals a highly coordinated and operationally mature threat actor. Unlike opportunistic groups, their targeting across multiple geographies — including the United States and Thailand — suggests pre-planned infrastructure and established access broker relationships. Diverse sector targeting increases ransom pressure options Multi-country operations complicate law enforcement response High victim volume may indicate automated intrusion tooling See also: Ransomware Group Profiles Related: Most Active Ransomware Groups This Quarter Organizations in Technology and Logistics sectors should treat this group as an elevated near-term threat. Ransomware Defense Recommendations for Targeted Sectors With Technology/Software and Professional Services among the hardest-hit sectors in this reporting window, organizations in these industries should prioritize immediate defensive actions to reduce exposure. Audit and restrict RDP and VPN access points Enforce multi-factor authentication across all remote access Patch internet-facing systems on an accelerated schedule Conduct tabletop exercises simulating ransomware scenarios Maintain offline, tested backups following the 3-2-1 rule See also: Ransomware Incident Response Checklist Proactive hardening remains the most cost-effective defense against groups operating at the tempo demonstrated here. Geographic Hotspots in This Reporting Period The United States and Canada accounted for the majority of victim organizations identified in this 24-hour reporting window, consistent with longer-term trends showing English-speaking economies as primary ransomware targets. Taiwan and the Netherlands also appeared, reflecting the increasingly global reach of groups like Qilin and Aur0ra. United States: highest absolute victim count Canada: notable media sector targeting by The Gentlemen Taiwan: Qilin's telecommunications focus continues Netherlands and Austria: Aur0ra targets European professional services Related: Ransomware Victims by Country Geographic diversification by threat actors complicates attribution and response coordination across jurisdictions. --- ## Cisco Splunk CVE-2026-20253 Critical Exploit - URL: https://purple-ops.io/blog/cisco-splunk-cve-2026-20253-exploit - Date: 2026-06-22 - Category: CVE Analysis - Tags: cisco-splunk, cve-2026-20253, file-manipulation, exploit - Reading time: 5 min **Summary:** Cisco Splunk Enterprise CVE-2026-20253, a high-severity unauthenticated file manipulation vulnerability, is actively exploited in-the-wild. Cisco Splunk CVE-2026-20253 Critical Exploit Cisco has addressed a high-severity vulnerability, CVE-2026-20253, affecting Cisco Splunk Enterprise versions 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3. This flaw allows an unauthenticated, network-reachable user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint because it lacks authentication controls. The vulnerability has been confirmed as actively exploited, requiring affected organizations to take immediate action. The PostgreSQL sidecar service endpoint's exposure without proper authentication poses a security risk. Attackers can use this access to manipulate system files, which could lead to denial of service, data corruption, or other compromises of the affected Splunk Enterprise instance. Active exploitation makes CVE-2026-20253 an urgent threat, requiring rapid patching or specified mitigations. This analysis details CVE-2026-20253's technical specifics, including its attack vector, impacted versions, and Cisco's remediation steps. Organizations operating affected Cisco Splunk Enterprise instances must implement these measures to protect their environments. What is CVE-2026-20253 and What is its Potential Impact? CVE-2026-20253 is a high-severity vulnerability in Cisco Splunk Enterprise that allows unauthenticated arbitrary file creation or truncation. The vulnerability's core is a PostgreSQL sidecar service endpoint accessible over the network that lacks authentication mechanisms. This absence of authentication means any user with network connectivity to the service can perform file operations without valid credentials. The potential impact of CVE-2026-20253 is significant, with attackers gaining access as stated in the advisory. The ability to create or truncate arbitrary files can lead to severe outcomes for organizations using Splunk Enterprise: Denial of Service (DoS): An attacker could truncate system, configuration, or data files associated with Splunk Enterprise or the underlying operating system. This would make the Splunk instance inoperable, preventing it from collecting, indexing, or searching log data, thereby impairing an organization's security monitoring and operational intelligence functions. Truncating log files could also lead to a loss of forensic evidence. Data Integrity Compromise: Creating arbitrary files could allow an attacker to introduce malicious executables, configuration files, or scripts into the system. Truncating data files could lead to irreversible data loss or corruption within Splunk indexes or its operational database, impacting the reliability and trustworthiness of stored information. Privilege Escalation or Remote Code Execution (RCE) Facilitation: CVE-2026-20253 is described as an arbitrary file operation vulnerability, but such capabilities are often used to gain higher privileges or remote code execution. By creating or overwriting specific system or application files (e.g., cron jobs, startup scripts, library files, or configuration files that dictate execution paths), an attacker could manipulate the system into executing attacker-controlled code, especially if the PostgreSQL sidecar service or Splunk Enterprise operates with higher permissions. Information Disclosure: File manipulation or triggering error conditions could inadvertently disclose sensitive information about the system's configuration, paths, or contents, which could further aid an attacker in subsequent exploitation attempts. Unauthenticated access and direct file system manipulation through a network-reachable service endpoint make CVE-2026-20253 a serious vulnerability. The "Gain Access" impact implies an attacker can assert a high degree of control over the affected Splunk Enterprise instance, with significant consequences for security and operations. How is CVE-2026-20253 Exploited? Exploitation of CVE-2026-20253 is direct and requires minimal preconditions, which explains its high severity and active exploitation. The vulnerability's core mechanism is unauthenticated access to a specific network-reachable endpoint associated with the PostgreSQL sidecar service within Cisco Splunk Enterprise. The attack vector is network-based. An attacker does not require prior authentication or specialized privileges on the target system. Any unauthenticated user with network connectivity to the PostgreSQL sidecar service endpoint can initiate file operations. This means if the Cisco Splunk Enterprise instance, or its PostgreSQL sidecar service, is exposed to an untrusted network (e.g., the internet or a segmented internal network where threat actors have gained a foothold), it becomes an immediate target. Attackers can "create or truncate arbitrary files." File Creation: An attacker can introduce new files into arbitrary locations on the file system, assuming the PostgreSQL sidecar service process permissions allow it. This could involve creating configuration files, scripts, or other payloads to disrupt service or prepare for further compromise. For instance, an attacker could create a web shell file in a publicly accessible web directory if the PostgreSQL process can write to it. File Truncation: An attacker can reduce the size of existing files to zero, effectively erasing their contents while leaving the file present. This is an effective method for causing denial of service by wiping configuration, database, or log files. Truncating system binaries or libraries could also lead to system instability or crashes. The key factor enabling this exploitation is the complete absence of authentication controls on the vulnerable PostgreSQL sidecar service endpoint. Typically, such service endpoints require valid credentials before allowing operations, especially sensitive ones like file system manipulation. This lack of controls bypasses a basic security boundary, allowing any network-reachable adversary to directly interact with the file system through this service. The advisory states CVE-2026-20253 is being "Exploit in the Wild," strongly implying public exploit details or a Proof-of-Concept (PoC) exist. This indicates threat actors have already developed and are actively using tools or techniques to exploit this vulnerability against real-world targets. In-the-wild exploitation increases the urgency for organizations to apply patches or mitigations, as the window for unpatched systems to remain secure is diminished. Which Products Are Affected by CVE-2026-20253? CVE-2026-20253 specifically impacts certain versions of Cisco Splunk Enterprise. Organizations must identify if any of their deployed Splunk Enterprise instances fall within the vulnerable ranges to prioritize remediation. The vulnerability affects releases within the 10.0 and 10.2 major version lines. The affected products and their corresponding version ranges are as follows: Cisco Splunk Enterprise 10.0.0 through 10.0.6 This includes versions 10.0.0 up to, but not including, 10.0.7. Cisco Splunk Enterprise 10.2.0 through 10.2.3 This includes versions 10.2.0 up to, but not including, 10.2.4. Note that Cisco Splunk Enterprise versions 9.4 and earlier are explicitly stated as not affected by CVE-2026-20253. This helps organizations scope their vulnerability assessment and avoid unnecessary remediation efforts on older, unaffected deployments. Detection Strategies for CVE-2026-20253 Detecting CVE-2026-20253 exploitation requires monitoring for unusual activity that indicates unauthorized file operations or suspicious network interactions with the PostgreSQL sidecar service. The research findings do not specify concrete detection guidance like unique log signatures, Indicators of Compromise (IOCs), EDR queries, or network indicators, but general security monitoring principles apply. Organizations should implement full logging and monitoring across their Cisco Splunk Enterprise deployments and the underlying host systems. Key areas for detection include: Network Traffic Analysis: Monitor network connections to ports associated with the PostgreSQL sidecar service. Unauthenticated connections or an unusual volume of connections to this service, especially from unexpected source IP addresses or network segments, may indicate attempted or successful exploitation. Look for spikes in network activity directed at these service ports that do not correspond to normal Splunk operations or legitimate database interactions. File System Monitoring: Implement file integrity monitoring (FIM) solutions on Splunk Enterprise hosts. Monitor for unexpected creation, modification, or deletion of system, Splunk configuration, and database files in directories where the PostgreSQL sidecar service has write access. Focus on directories typically associated with the Splunk installation, its configuration, and data storage, as well as common operating system locations where an attacker could attempt to drop malicious payloads (e.g., /tmp, /var/tmp, web server directories, or user home directories if applicable). Look for newly created files with suspicious content or names, especially in unexpected locations. Process Monitoring: Monitor for unusual processes spawned by the PostgreSQL sidecar service process or the main Splunk processes. An attacker who successfully exploits the file manipulation vulnerability could attempt to execute arbitrary code. Look for processes running with unusual parameters, unexpected parent processes, or attempting to establish outbound network connections. Operating System Logs: Review operating system logs (e.g., Linux auditd logs, Windows security event logs) for events related to file system access, process creation, or changes to user accounts and permissions, particularly those associated with the Splunk user account or the PostgreSQL service account. Database Activity Monitoring (if applicable): Although the vulnerability resides in the sidecar service, monitoring for unusual activity within the PostgreSQL database itself-such as unexpected schema changes, data manipulation, or privilege alterations-may indicate post-exploitation activity. Given the "Exploit in the Wild" status of CVE-2026-20253, a proactive and layered detection approach is essential. Security teams should use existing monitoring tools and capabilities to establish baselines of normal behavior and quickly identify anomalies that may signify an ongoing attack. Without specific vendor-provided IOCs, focusing on the effects of arbitrary file operations offers the best chance for early detection. Remediation for CVE-2026-20253 Remediation for CVE-2026-20253 requires immediate action because of its high severity and confirmed in-the-wild exploitation. Cisco has provided guidance for patching and mitigation strategies. Organizations should consult the official Cisco Splunk Security Advisory SVD-2026-0603 for the most up-to-date and full information. The primary remediation methods are as follows: Patching and Upgrading: The recommended solution is to upgrade Cisco Splunk Enterprise to a version that addresses CVE-2026-0253. Organizations running Splunk Enterprise 10.0.x should upgrade to version 10.0.7 or higher. Those running Splunk Enterprise 10.2.x should upgrade to version 10.2.4 or higher. These updated versions contain security fixes to close the unauthenticated access vulnerability in the PostgreSQL sidecar service endpoint. Organizations should follow Cisco's standard upgrade procedures to ensure a smooth transition and minimize operational impact. Workarounds and Mitigations (if immediate upgrade is not possible): If an immediate upgrade is not feasible, a temporary mitigation involves disabling the PostgreSQL sidecar service. Disabling this service removes the vulnerable endpoint, preventing unauthenticated network access to file operations. Organizations should understand the potential impact of disabling this service on their Splunk Enterprise functionality and architecture. Consult the Cisco Splunk Security Advisory SVD-2026-0603 for precise instructions on how to safely disable the PostgreSQL sidecar service and any implications it could have on your specific Splunk deployment. This workaround is a temporary measure until the recommended patch can be applied. Monitoring: Even after applying patches or mitigations, continued monitoring for signs of exploitation is crucial. The "Exploit in the Wild" status means some systems may have already been compromised before remediation. Implement the detection strategies outlined previously, focusing on network activity to the PostgreSQL sidecar service, file system integrity, and process execution anomalies. This ongoing monitoring helps detect any residual attacker presence or attempts to re-exploit the vulnerability. Prioritizing these remediation steps based on the severity and active exploitation of CVE-2026-20253 is important for protecting Cisco Splunk Enterprise environments. Timely application of patches or mitigations reduces the attack surface and helps safeguard important log data and operational intelligence. Technical Takeaways CVE-2026-20253 is a high-severity vulnerability impacting Cisco Splunk Enterprise versions 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3. The vulnerability allows an unauthenticated, network-reachable user to create or truncate arbitrary files via a PostgreSQL sidecar service endpoint that lacks authentication controls. Impacts include Denial of Service, data integrity compromise, and potential for further system compromise through arbitrary file manipulation. This vulnerability is actively exploited, which requires urgent remediation. Affected organizations must upgrade to Splunk Enterprise 10.0.7 or higher, or 10.2.4 or higher, as directed by Cisco Security Advisory SVD-2026-0603. A temporary workaround involves disabling the PostgreSQL sidecar service if immediate patching is not possible; its operational impact should be assessed. --- ## FortiBleed: AI Cracks 75,000 Fortinet Firewalls - URL: https://purple-ops.io/blog/fortibleed-fortinet-firewalls-ai-exploit - Date: 2026-06-22 - Category: Threat Intelligence - Tags: none - Reading time: 11 min **Summary:** FortiBleed compromised 75,000 Fortinet firewalls by using rented AI supercomputing to crack credentials, enabling widespread access. FortiBleed Exploits AI to Compromise 75,000 Fortinet Firewalls A global campaign named FortiBleed has compromised nearly 75,000 Fortinet FortiGate firewalls across 21,632 domains. This breach used a new cybercrime method: readily available supercomputing power from rented GPU clusters. Russian-speaking hackers and Initial Access Brokers like SantaAd are partly responsible. The campaign did not use a zero-day vulnerability but instead relied on a large-scale credential-stuffing operation, fueled by previously compromised data and a new hash cracking method. Attackers bypassed traditional encryption defenses by renting 36 enterprise-class GPUs from decentralized cloud compute provider Vast.ai, costing about $14.40 per hour. This on-demand supercomputing capability allowed them to crack hundreds of billions of hashes per second, quickly exposing plaintext passwords from FortiOS configuration files. The compromised devices, across more than 200 countries including Australia, now serve as access points for moving into connected supply chains and third-party vendors. The Australian Signals Directorate's (ASD) Australian Cyber Security Centre (ACSC) issued several critical alerts, advising immediate action for affected organizations. Fortinet acknowledged the campaign, linking it to credential reuse from incidents identified in December 2025 (FG-IR-25-647) and January 2026 (FG-IR-26-060). The scope and the effective, accessible methods used by the attackers show an increase in the efficiency and potential impact of financially motivated cyber operations. How attackers use AI compute for FortiBleed Attackers in the FortiBleed campaign used widely available high-performance GPU hardware, often associated with the generative AI boom, to industrialize password cracking. Instead of building expensive custom infrastructure, the attackers rented a decentralized GPU cluster via Vast.ai. This cluster had six high-powered worker instances, totaling 36 enterprise-class GPUs, managed through a Telegram bot. This setup gave attackers immense processing power, capable of breaking encryption at high speeds for minimal cost. For example, a 36-GPU cluster with modern hardware, such as NVIDIA RTX 4090s, can process up to 720 billion legacy Fortinet (Salted SHA-256) hashes every second. Even against newer FortiOS versions using the PBKDF2 algorithm, the cluster cracked 180 million to 360 million hashes per second. This fast cracking allowed attackers to ingest exported FortiOS configuration files and immediately expose plaintext passwords of firewall administrators. The operational pipeline used more than raw compute power. Analysis of the attacker infrastructure showed the use of AI-assisted code editors like Cursor for script development and Telegram bot management. Once plaintext credentials were obtained and initial access was established, operators deployed open-source agentic penetration testing frameworks to automate Active Directory enumeration. This shows an optimized, modern intrusion pipeline, integrating AI tools for code generation, network mapping, and credential cracking. For more insights on AI's impact on network security, review analyses on AI-assisted firewall compromise analysis. Initial access to Fortinet devices has long been a commoditized dataset, frequently sold by Initial Access Brokers like SantaAd on underground forums. The FortiBleed campaign scales this by combining it with accessible, high-performance computing to create an industrialized process from scanning to cracking to subsequent lateral movement. This lateral movement includes pivoting into third-party vendors, managed service providers (MSPs), and trusted partners, significantly expanding the affected area. Following the initial credential compromise of FortiGate firewalls, attackers captured approximately 143,000 Kerberos and 33,000 NetNTLM hashes, targeting internal domain controllers. This shows why strong authentication and careful credential management for perimeter defenses are important. Organizations with exposed Fortinet devices need immediate comprehensive review and remediation. The ACSC and Fortinet provided the following immediate recommendations: Terminate all admin and VPN sessions and reset credentials: Force mandatory password resets for all firewall administrators and Fortinet VPN users, especially on internet-facing systems, and enforce strong password policies. Implement MFA on all administrator and VPN user accounts: Multi-factor authentication adds a layer of security against compromised credentials. Upgrade to latest versions of 7.4, 7.6, or 8.0: These versions support PBKDF2 hashing for administrator credentials. Follow guidance to remove older legacy password settings via set login-lockout-upon-weaker-encryption. Validate configuration: Review firewall and VPN users and other configurations for unauthorized changes. Compare current configurations to a known good baseline, paying attention to unrecognized accounts like "forticloud" or "fortinet-support." Check logs: Look for unexpected administrator access from unknown IPs and monitor domain controller logs for lateral movement, unusual access, suspicious accounts, or unauthorized configuration changes. Reduce attack surface and lock down management access: Restrict external management of devices through trusted hosts, local-in policies, or by removing internet administration access entirely. The reliance on harvested credentials shows the ongoing threat from information stealer logs. This cybercrime system demonstrates how rented GPUs function as the engine, while harvested credentials act as the fuel. A deeper look into credential security for Fortinet products can be found in discussions concerning FortiClient EMS credential theft. The speed at which Initial Access Brokers operate minimizes an organization's margin for error. More details on FortiGate vulnerabilities and exploitation are available through research on FortiGate CVE-2025-59718 exploit. Capabilities of the MYRA Linux RAT distributed via npm A sophisticated Linux Remote Access Trojan (RAT), named MYRA, has been discovered distributed through the npm package apintergrationpost (versions 4.0.1 through 4.0.6). The package, published by maintainer kimijohn01, claims to be a "hybrid Node.js integration client with native lab primitives for authorized red team exercises and EDR validation." However, its public availability on npm, along with a live C2 configuration, poses a significant risk. MYRA shows an advanced level of engineering for npm malware. It ships a compiled native C rootkit designed for stealth and persistence. The installation chain forces root privileges (sudo npm install -g apintergrationpost) and automatically installs system dependencies like build-essential, python3, ffmpeg, x11-utils, and grim on apt-based systems. This ensures the RAT has full control and functionality. The native rootkit component includes specialized tools for evasion and persistence: libcache.so: An LD_PRELOAD shared library that hooks readdir, readdir64, stat, and lstat to hide files and directories with names matching a configurable list (e.g., .libcache, .cache-update, systemd-userdbd). This makes persistence artifacts invisible to standard system utilities. This technique aligns with MITRE ATT&CK T1574.006 (Hijack Execution Flow: Dynamic Linker Hijacking). proc_hide: Changes /proc/PID/comm using prctl(PR_SET_NAME, ...) and overwrites argv[0] to make the process appear as systemd-userdbd, a legitimate systemd daemon. This is consistent with MITRE ATT&CK T1036.004 (Masquerading: Masquerade Task or Service). memfd_exec and memfd_loader: Implement fileless execution using the memfd_create syscall. They read payloads (including the Node.js binary and the JavaScript agent bundle) into anonymous memory-backed file descriptors, then execute them via fexecve. This results in a process running entirely from memory, with /proc/PID/exe pointing to /memfd:.node (deleted) and /proc/PID/cmdline showing systemd-userdbd --user. This technique relates to MITRE ATT&CK T1027.011 (Obfuscated Files or Information: Fileless Storage). injector: Attaches to a target process via ptrace to patch executable memory, appearing to be a diagnostic or proof-of-concept tool for ptrace-based injection. MYRA establishes three independent persistence mechanisms: LD_PRELOAD Rootkit: Copies libcache.so to /usr/local/lib/.libcache.so and registers it in /etc/ld.so.preload, ensuring file hiding across the system. Cron Job: Installs a wrapper script (/usr/local/lib/.cache-update.sh) as a cron entry to execute every 13 minutes. The script tries to launch the RAT via memfd_loader (fileless), agent_launcher (blended binary), or direct Node.js (fallback). Profile.d Login Hook: Writes to /etc/profile.d/.sh.local, which executes the wrapper script in the background upon every user login. The RAT's C2 framework uses a plugin architecture with 13 modules, communicating over TCP with length-prefixed JSON framing. Authentication uses an HMAC-SHA256 challenge-response mechanism. The default C2 address 192.168.54.1:4444 is a private RFC 1918 IP, suggesting a targeted network segment, VPN/tunnel endpoint, or accidental public release of a development build. The beacon schedule includes log-normal distribution jitter (45-300 seconds) and random padding (0-64 bytes) to avoid detection. MYRA's capabilities include full interactive PTY shell access, directory traversal, base64 file transfer, system information gathering, process enumeration, network enumeration, recursive file searching, and live screen streaming. The live screen capture system, refined across several versions, automatically detects active graphical sessions using loginctl and x11grab (for X11) or grim (for Wayland), even capturing as the logged-in user when running as root. MYRA Detection Indicators: Indicator TypeDetail npm Packageapintergrationpost (versions 4.0.1 through 4.0.6) C2 Host192.168.54.1:4444 (default, configurable) Auth Tokenmyra-lab-shared-key (default, configurable) Maintainerkimijohn01 File Artifacts/usr/local/lib/.libcache.so, /usr/local/lib/.cache-update.sh, /etc/profile.d/.sh.local Processsystemd-userdbd --user (masquerade target) Canadian Spy Agency CSIS Disrupts Foreign Botnets Canada's Security Intelligence Service (CSIS) used its threat reduction warrant powers for the first time to neutralize two foreign-run botnets operating on Canadian soil. A Federal Court ruling, released publicly on June 15, details the warrant, granted on May 1, 2024, and renewed in August of the same year. This legal action allowed CSIS to remotely alter, degrade, and destroy botnet data on infected machines, cutting them off from command-and-control networks. The operation targeted Canadian-based servers, small office/home office (SOHO) routers, and various Internet of Things (IoT) devices, such as Ring doorbells, security cameras, and Wi-Fi-enabled televisions. The court found that unnamed foreign state adversaries used these devices to relay traffic, probing critical infrastructure, government, and military networks in Canada. The ruling stated that the operation targeted devices, not individuals, and any incidentally collected personal data was destroyed. This action by CSIS is similar to botnet disruption efforts by U.S. law enforcement in early 2024. The FBI, operating under search-and-seizure warrants, had previously dismantled botnets used by the China-linked Volt Typhoon (exploiting Cisco and NetGear SOHO routers) and Russia's GRU APT28 group (using Ubiquiti routers). Both U.S. and Canadian operations show a common problem: neglected, end-of-life consumer-grade network and IoT hardware that remains unpatched or uses default credentials. The CSIS operation is important because it is the first time threat reduction measures were used, which enable the intelligence service to actively disrupt threats rather than just collecting intelligence. This legal precedent provides a new tool for national security agencies to address foreign state-sponsored cyber threats directly within domestic infrastructure. The underlying issue of unmaintained devices remains a challenge, as government cleanups do not fix these weaknesses, leaving devices open to reinfection if owners do not update or retire the vulnerable hardware. INTERPOL Identifies Escalating Cybercrime Trends Across Asia-Pacific INTERPOL's 2025/2026 Asia and South Pacific Cyberthreat Assessment Report shows a substantial increase in cybercrime across the region. This is driven by rapid digitalization, internet penetration, and the sophistication of organized criminal networks. The report indicates that over half of INTERPOL member countries in the region reported that cybercrime makes up no less than 30% of all recorded national crimes. Phishing has become the most common and financially damaging cybercrime, with one-third of countries reporting over 10,000 cases between January 2024 and March 2025. This is made worse by a regional average of 5.5 out of every 1,000 individuals clicking on phishing links monthly, nearly double the global average of 2.9 per 1,000. The region also experienced more than 135,000 ransomware-related attacks in 2024, mostly impacting the real estate, manufacturing, and financial services sectors. Transnational organized crime syndicates, particularly those operating out of Cambodia, Laos, Myanmar, and the Philippines, are industrializing cyber-enabled scams. These groups use deepfakes and AI-driven social engineering, including "romance baiting" schemes, to defraud individuals, contributing to an estimated $37 billion in regional cybercrime losses. They also impersonate business executives to authorize fraudulent transactions. The report also details the widespread use of banking trojans and information stealers, which rank as the second most common cybercrime type. Notable malware families in this category include RedLine, Lumma, LokiBot, Negasteal, and ZBot. Additionally, Distributed Denial-of-Service (DDoS) attacks surged by 92% in 2024 compared to the previous year, and system intrusions accounted for about 80% of all data breaches. These cybercriminal activities often exploit misconfigured systems, weak encryption, insecure APIs, and insufficient monitoring within target networks. Technical Takeaways The FortiBleed campaign shows a scalable, AI-assisted method for credential compromise, using Vast.ai GPU clusters to crack hashes from 75,000 Fortinet FortiGate firewalls at costs as low as $14.40 per hour. The MYRA Linux RAT, distributed via the apintergrationpost npm package, includes a native C rootkit for fileless execution (memfd_exec), process masquerading (systemd-userdbd), and three persistence mechanisms (LD_PRELOAD, cron, profile.d) at the system level. CSIS set a new precedent by using threat reduction warrants to disrupt foreign state-linked botnets operating on SOHO routers and IoT devices within Canada, physically altering compromised systems to remove malicious control. INTERPOL's report on the Asia-Pacific region shows the widespread nature of phishing and ransomware, along with the financial impact of AI-driven scams and the continued use of common information stealers like RedLine and Lumma. The widespread compromise in the FortiBleed campaign comes from the reuse of credentials and shows why multi-factor authentication and proactive credential rotation on internet-facing devices are critical, rather than exploitation of zero-day vulnerabilities. --- ## Critical Vulnerabilities Exploited, Data Exfiltration - URL: https://purple-ops.io/blog/vulnerability-exploitation-data-exfiltration - Date: 2026-06-15 - Category: report - Tags: none - Reading time: 18 min **Summary:** Threat intelligence reveals widespread exploitation of critical vulnerabilities in Check Point, Ivanti, and Oracle PeopleSoft. Critical Vulnerabilities Exploited, Data Exfiltration Executive Summary This week's intelligence shows swift exploitation of critical vulnerabilities and persistent data exfiltration campaigns. Adversaries continue to use newly identified flaws in widely adopted enterprise systems and network-edge infrastructure. Key Developments Active exploitation of a critical zero-day vulnerability in Check Point VPN appliances by the Qilin ransomware group was observed. This activity affects organizations globally that rely on these devices for secure network access. An actively exploited zero-day Remote Code Execution (RCE) vulnerability in Ivanti EPMM was confirmed, matching a CISA alert. This impacts organizations using Ivanti's mobile device management solutions, which can lead to broad system compromise. The ShinyHunters group exploited a zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273) to breach multiple universities, compromising extensive student and staff data. This shows continued targeting of Enterprise Resource Planning (ERP) systems. Over 400 packages in the Arch Linux AUR repository were found compromised, deploying infostealers and eBPF rootkits. This indicates ongoing supply chain integrity risks for developer environments and potentially downstream systems. Business Impact These activities create exposure for organizational data confidentiality and business operations. Exploitation of network access points, mobile management platforms, and core ERP systems can lead to unauthorized access, data theft, and potential disruption of critical business functions. The ongoing listing of national-scale datasets on dark web markets also shows widespread data compromise, affecting privacy and regulatory standing. Notable Trends and Changes The rapid weaponization of newly disclosed vulnerabilities in network-edge and enterprise systems remains consistent, mirroring previous weeks. Data exfiltration continues as a primary objective for various groups, including those involved in ransomware operations. A change seen this period is the increased visibility of supply chain compromises targeting software repositories. Ransomware groups, like LockBit and Payload, maintain widespread activity, increasingly targeting telecom backbone providers and international institutions, while criminal forums show resilience through infrastructure upgrades. Outlook Active exploitation of recently disclosed critical vulnerabilities in network infrastructure and enterprise applications is expected to persist. Data exfiltration operations, often stemming from compromises of third-party services or direct system breaches, will likely remain prevalent. Ransomware campaigns are anticipated to continue at current levels, employing data theft tactics and exploring new victim sectors. Adversary capabilities involving AI for reconnaissance and exploitation development are expected to evolve further. Key Threat Intelligence Highlights A critical zero-day vulnerability in Check Point VPN devices is under active exploitation, allowing remote code execution by attackers. This exploit has directly facilitated Qilin ransomware deployments, endangering organizations using these security gateways. Prompt patching is essential to prevent data compromise and encryption. CISA has mandated federal agencies apply an urgent patch for a critical Ivanti deserialization flaw that is under active exploitation. This vulnerability allows for remote code execution. This led to an Emergency Directive for agencies to address it by Sunday or disconnect affected Connect Secure and Policy Secure gateways to prevent unauthorized access. The directive shows the immediate danger this internet-facing vulnerability poses to federal systems. Cybercriminal group ShinyHunters exploited a zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft, leading to the breach of multiple universities. This attack permitted unauthorized access to institutional data, showing the significant challenge from unpatched software flaws in widely used enterprise systems. AI-powered scams have resulted in nearly $900 million in losses for Americans, according to FBI data. These sophisticated schemes use artificial intelligence to craft highly convincing and deceptive tactics, making them increasingly difficult for victims to identify. The growing use of AI in fraudulent activities is a serious and expanding danger to individuals' financial well-being. Malicious actors compromised over 400 Arch Linux AUR packages, executing a supply chain attack to inject an infostealer and an eBPF rootkit into user systems. This scheme enabled data exfiltration and persistent system control, raising serious concerns about the integrity of open-source software distribution channels. Additional Threat Intelligence Context The Council of Europe suffered a data breach of HR and payroll data by ShinyHunters/SLSH, now under extortion. An AI-assisted phishing-as-a-service platform, Outsider Enterprise, was dismantled; it had enabled widespread credit card fraud. CVE-2026-10520 | CVSS: 10.0 (VERY CRITICAL) - Ivanti Sentry OS command injection () and authentication bypass (CVE-2026-10523) are under active exploitation, allowing unauthenticated remote code execution and corporate network access. Available Exploits: CVE-2026-10520 Exploit CVE-2026-10520 Exploit CVE-2026-10520 Exploit CVE-2026-10520 Exploit Analysis: # CVE Analysis Report: CVE-2026-10520 Title: watchTowr Ivanti Sentry RCE Detection PoC CVE: CVE-2026-10520, CVE-2026-10523 (CVSS: 10.0, VERY CRITICAL) CVSS Score: 10.0 CVSS Severity: VERY CRITICAL The analysis shows: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: No... Risk Score: 100/100 _Based on ease of use, potential impact, how widel... CVE-2026-35273 | CVSS: 9.8 (VERY CRITICAL) - ShinyHunters is extensively exploiting Oracle PeopleSoft () for unauthenticated RCE against higher-education ERP systems, leading to the exfiltration of student, staff, and financial data. Available Exploits: CVE-2026-35273 Exploit CVE-2026-35273 Exploit Analysis: # CVE Analysis Report: CVE-2026-35273 GitHub Link: Title: CVE-2026-35273 Detection Script CVE: CVE-2026-35273 (CVSS: 9.8, VERY CRITICAL) CVSS Score: 9.8 CVSS Severity: VERY CRITICAL The analysis shows: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 100/100 _Based on ease of use, potential impact, how widel... CVE-2026-20253 | CVSS: 9.8 (CRITICAL) - A critical Splunk Enterprise vulnerability () is actively exploited, with public proof-of-concept code available for on-prem instances. Available Exploits: CVE-2026-20253 Exploit CVE-2026-20253 Exploit CVE-2026-20253 Exploit Analysis: # CVE Analysis Report: CVE-2026-20253 GitHub Link: Title: watchTowr-vs-Splunk-CVE-2026-20253 PoC CVE: CVE-2026-20253 (CVSS: 9.8, CRITICAL) CVSS Score: 9.8 CVSS Severity: CRITICAL The analysis shows: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Authenticated Privilege Required: None Risk Score: 100/100 _Based on ease of use, potentia... CVE-2026-48558 - The SimpleHelp OIDC authentication bypass () (CVSS 10.0) is actively exploited, allowing attackers to impersonate technicians and seize administrative control. Widespread data leaks result from the Anodot SaaS integrator compromise, affecting Snowflake and BigQuery datasets for major brands including Rockstar Games, Zara, and Ticketmaster. CVE-2026-50751 | CVSS: NA (CRITICAL) - Ongoing ransomware and extortion campaigns by groups like LockBit, Payload, SLSH, and Qilin target diverse sectors, frequently using vulnerabilities such as Check Point IKEv1 VPN authentication bypass (). Available Exploits: CVE-2026-50751 Exploit CVE-2026-50751 Exploit CVE-2026-50751 Exploit CVE-2026-50751 Exploit CVE-2026-50751 Exploit Analysis: # CVE Analysis Report: CVE-2026-50751 GitHub Link: Title: CVE-2026-50751 IKEv1 Safe Probe CVE: CVE-2026-50751 (CRITICAL) CVSS Score: NA CVSS Severity: CRITICAL The analysis shows: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 91/100 _Based on ease of use, potential impact, how widely it could spread, and... An Arch Linux AUR supply-chain compromise hijacked over 400 packages to deliver a Rust-based credential stealer and optional eBPF rootkit. CVE-2026-9082 | CVSS: 6.5 (CRITICAL) - Drupal JSON:API SQL injection () is actively exploited in the wild, allowing data extraction from node endpoints. Available Exploits: CVE-2026-9082 Exploit CVE-2026-9082 Exploit CVE-2026-9082 Exploit CVE-2026-9082 Exploit CVE-2026-9082 Exploit Analysis: # CVE Analysis Report: CVE-2026-9082 GitHub Link: Title: SA-CORE-2026-004 Detection PoC (Drupal JSON:API IN filter SQLi) CVE: CVE-2026-9082 (CVSS: 6.5, CRITICAL) CVSS Score: 6.5 CVSS Severity: CRITICAL The analysis shows: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 100/100 _Based on ease of use, potentia... CVE-2024-20399 | CVSS: 6.0 (MEDIUM) - Cisco NX-OS command injection () has been used by Velvet Ant for backdooring network infrastructure in long-dwell intrusion campaigns. Available Exploits: CVE-2024-20399 Exploit CVE-2026-47291 | CVSS: 9.8 (VERY CRITICAL) - Windows HTTP.sys integer-overflow RCE () poses an anticipated exploitation risk against internet-facing Windows infrastructure despite patching. Available Exploits: CVE-2026-47291 Exploit Analysis: # CVE Analysis Report: CVE-2026-47291 GitHub Link: Title: CVE-2026-47291 Windows HTTP.sys RCE PoC CVE: CVE-2026-47291 (CVSS: 9.8, VERY CRITICAL) CVSS Score: 9.8 CVSS Severity: VERY CRITICAL The analysis shows: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 100/100 _Based on ease of use, potentia... Ransomware Activity Overview The illicit trade of national-scale datasets remains active, with listings for over 160 million credit records from Vietnam, 160 million Iranian insurance records, 2.7 million Singaporean citizen records, and older, substantial dumps such as Turkey's TTNET. Criminal forums, like BreachForums, show resilience with confirmed infrastructure upgrades. Ransomware groups, including Medusa, LockBit, and SLSH, continue using data theft and double-extortion tactics, targeting public sector, healthcare, education, industrial, and professional services entities. They are also increasingly targeting telecom backbone providers and international institutions. Geopolitical motives influence cyber operations, with Russia-aligned actors exploiting WinRAR against Ukrainian targets, hacktivist groups conducting defacements and leaks against governmental sites in Indonesia and Malaysia, and the Z-Pentest Alliance launching a platform to solicit classified materials on opposing states. Data breach markets also show this trend, featuring leaks such as a NATO internal meeting document, potential Pakistani diplomatic and defense-related data, a substantial US SSN database, and extensive PII bundles from various services like SoundCloud, Betterment, and Crunchbase, alongside threats against Singaporean financial institutions and alleged compromises of UK Parliament-linked sites. During the reporting period, 166 total victims were identified across 37 active ransomware groups. The top 5 most active groups accounted for 80 victims. Top 5 Ransomware Groups Qilin - 25 victim(s) Notable victims: Altavista strategic partners, Bekman marder hopper malarkey & perlin, Bitek system, C.c. creations, Dbhms (and 20 more) The_Gentlemen - 21 victim(s) Notable victims: Allensbach volunteer, Central arkansas pediatrics, Danzo group, Empty, Fesco adecco (and 16 more) DragonForce - 13 victim(s) Notable victims: A. liberty engineering co. ltd, Al ishrak contracting, Al shafar grc, Areco, Astec valves & fittings pvt (and 8 more) LockBit - 12 victim(s) Notable victims: 5deagosto.com.br, abandw.com, ag-360.ca, amc.co.th, casaandina.com.co (and 7 more) Akira - 9 victim(s) Notable victims: Associated investor services, Centre ellipse, Ddc domus design collection, Hrc sicherheitsdienste, Port air express (and 4 more) Deep Web Deep Web Activity Report: Week Ending June 16, 2026 Deep web observations this week show a range of data compromises and sophisticated offensive tools available, affecting both government entities and major corporations globally. Activities included mass PII leaks affecting many people, highly sensitive defense and electoral data exposures, and the marketing of advanced mobile exploitation capabilities. What deep web activities were most apparent this week? Deep web forums and marketplaces this week presented a range of illicit offerings, focused on large-scale data breaches, access to critical infrastructure, and the sale of advanced cyber exploitation tools. Government data, particularly from national security, defense, and electoral institutions, was a key target. An active market persists for personal identifiable information (PII) and financial fraud tools, serving a broad spectrum of cybercriminal operations. The emergence of a zero-click mobile exploit chain also shows the continued evolution and commercialization of advanced attack capabilities. Which data leaks and access claims warrant immediate attention? Several incidents observed this week are particularly consequential due to their scale, nature, or the sensitivity of the compromised entities: Shanghai National Police Database Leak: An alleged database containing 1.2 billion records of Shanghai National Police identity records (SHGA) was posted for sale. The dataset, spanning 10.9 GB (compressed), purportedly includes names and Chinese Resident Identity Card Numbers, an extensive collection of PII. Pakistani Government Data Exposure: A vendor claimed to possess and offer data from both the Pakistani Embassy in Türkiye and the Directorate General Munitions Production (DGMP). The embassy data (8.88 GB) reportedly contains defense cooperation intelligence, internal operational manuals, identification documents, MFA governmental email access, SSL VPN credentials, and NADRA RCMS access points. The DGMP data (670 MB) is said to include highly classified information on the Pakistan Navy, DGMP, trilateral defense cooperation with Türkiye and China (2025-2035), foreign intelligence on the USSF arsenal, and internal documents related to the China-Pakistan Economic Corridor (CPAC). Ecuador National Electoral Council (CNE) Cloud Access: An actor claimed full and persistent access to cloud.cne.gob.ec, the cloud infrastructure of Ecuador's National Electoral Council. The access purportedly includes confidential files, credentials, memorandums, and critical electoral documents, with WebDAV remote access capabilities confirmed by provided code. The actor explicitly linked this compromise to upcoming elections, claiming potential for system manipulation. Dynatrace Internal GitHub Organization Dump: Internal infrastructure data from Dynatrace, a $13.2 billion observability/monitoring SaaS platform, was advertised. The dump, including 246 repositories (8.46 GB compressed), allegedly came from a developer's Personal Access Token (PAT). It is said to contain complete infrastructure topology, CI/CD pipeline details, secret management configurations (Vault endpoints, AWS/GCP infrastructure), and employee records (1000+ GitHub handles, names, corporate emails). CVE-2026-32157 Advanced Zero-Click RCS Exploit Chain: A vendor offered a full exploit chain for CVE-2026-32157, targeting the RCS messaging protocol across modern Android and iOS devices (Pixel 9 Pro, Galaxy S25 Ultra, iPhone 16 Pro, iPhone 17 series). This sophisticated capability allows zero-click to one-click compromise, which provides full remote control, persistence, real-time surveillance (call recording, keylogging, credential harvesting), phishing, and telephony control (SMS/call spoofing and interception). CIC Vietnam National Credit Registry Leak: A database of over 160 million records from CIC Vietnam (cic.gov.vn), the national credit registry, was posted for sale. The data, available in SQL/CSV format, reportedly includes full names, dates of birth, national identification numbers (CCCD, CMND, passport), loan data, balances, debt, tax IDs, company information, audit logs, and addresses. Global PII and Fraud Tool Marketplace: An actor advertised a full inventory of "FULLZ" (complete personal information sets) and various documents and tools that enable fraud. This listing includes worldwide identification documents (DL, ID, passport photos with selfies/videos), financial account details (dumps with PINs, bank statements), various categories of leads (investors, healthcare, job seekers), and a collection of hacking/scamming tools (BTC hacking tools, carding tutorials, scam pages, RATs, mailers). What is the character and extent of these compromises? The nature of the observed breaches includes direct exfiltration of sensitive databases, unauthorized persistent access to critical systems, and the development of advanced offensive cyber tools. The Shanghai National Police leak represents a database exposure of very large scale, affecting over a billion individuals with basic yet fundamental PII. This volume alone makes it a significant event. The Pakistani government and defense data involves a blend of diplomatic and military intelligence, operational manuals, and identification documents. The inclusion of trilateral defense cooperation details and foreign intelligence on USSF arsenal suggests state-level espionage or insider activity, with potential compromise of national security interests across multiple nations. The Ecuador CNE access is a breach of an electoral system, extending beyond data theft to potential direct manipulation capabilities. The claim of persistent WebDAV access and privilege escalation suggests a deep and enduring compromise, which raises concerns about democratic processes. The Dynatrace GitHub dump is an intellectual property and internal systems blueprint compromise. While not immediately affecting end-users, it provides adversaries with a full understanding of Dynatrace's internal operations, infrastructure, and employee identities, which could enable future sophisticated supply chain attacks or internal network penetration. Its value lies in the strategic intelligence it offers to well-resourced actors. The CVE-2026-32157 exploit chain is a product offering for offensive cyber operations, rather than a breach itself. Its zero-click capabilities across modern mobile platforms show a high level of sophistication, developed to bypass advanced mitigations. The detailed feature list, including remote control, surveillance, and telephony manipulation, describes a tool capable of full espionage. The CIC Vietnam leak is a substantial financial data breach, exposing the credit and personal details of a large segment of the Vietnamese population. This data is granular, including loan histories and tax IDs, making it ideal for identity theft and financial fraud. The "FULLZ" and fraud tool marketplace shows a well-organized cybercriminal ecosystem. It's a retail outlet for fraud, offering a wide array of raw materials (PII, financial data) and the tools/knowledge necessary to exploit them for financial gain. The global scope and variety of data/services show a mature and active criminal economy. Are there emerging patterns in this week's data? Several patterns are visible in this week's deep web activity: Government and Critical Infrastructure as Key Targets: A pattern exists of government entities experiencing data theft or unauthorized access. This includes national police, electoral commissions, embassies, and defense production bodies across different geographies (China, Pakistan, Ecuador). This suggests continued state-sponsored activity or politically motivated attacks. Massive PII Datasets Continually Surfacing: The leaks from Shanghai National Police and CIC Vietnam collectively account for well over a billion records of personal information. This confirms the ongoing, large-scale aggregation and monetization of PII on deep web markets, which fuels identity theft and financial fraud on an industrial scale. Sophistication of Offensive Capabilities: The availability of a zero-click, cross-platform mobile exploit chain (CVE-2026-32157) shows that highly advanced cyber weapons are regularly developed and offered for sale. These tools are tailored to bypass contemporary security measures, showing ongoing innovation among offensive security actors. Supply Chain and Corporate Intellectual Property Risk: The Dynatrace GitHub dump shows the continuing vulnerability of corporate intellectual property and internal infrastructure to compromise. Such leaks provide detailed blueprints for sophisticated adversaries to do reconnaissance, develop tailored attacks, and potentially start supply chain compromises affecting downstream customers. Geopolitical and Strategic Implications: Multiple incidents, particularly the Pakistani government data and the Ecuador CNE access, carry distinct geopolitical ramifications. These are potentially intelligence operations or actions intended to influence national stability or international relations, rather than just financial crimes. What are the downstream implications of these data exposures? The potential downstream implications are extensive and varied: For Individuals: The leaks of PII, especially the Shanghai National Police and CIC Vietnam data, create a high risk of identity theft, financial fraud, and targeted scams for millions. Individuals may experience unauthorized account access, fraudulent loan applications, or social engineering attacks using their detailed personal and financial information. The availability of "FULLZ" further worsens this risk globally. For Government and National Security: Compromises involving entities like the Pakistani Embassy, DGMP, and FSB documents directly endanger national security. This can lead to the exposure of intelligence operations, diplomatic vulnerabilities, military capabilities, and sensitive strategic plans, potentially affecting international relations and national defense posture. The Ecuador CNE compromise directly threatens democratic integrity and public trust in electoral processes. For Corporations and Critical Infrastructure: The Dynatrace leak offers adversaries a full understanding of a key software provider's internal systems. This knowledge can be used to create sophisticated attacks against Dynatrace itself or its Fortune 500 customers via supply chain vectors. This could result in widespread service disruptions, further data breaches, or intellectual property theft. Proliferation of Advanced Cyber Capabilities: The sale of zero-click mobile exploits lowers the barrier for nation-state actors and well-resourced criminal groups to conduct advanced surveillance and espionage. Such tools can be used to target high-value individuals, activists, journalists, or government officials with minimal risk of detection, creating pervasive digital insecurity. Erosion of Trust: Widespread breaches of sensitive personal data and governmental systems contribute to a general erosion of public trust in institutions responsible for data protection and national security. This can have far-reaching societal and political consequences. Sources Alert! Critical Check Point zero-day exploited in the wild, Qilin ransomware already at work CISA orders feds to patch actively exploited Ivanti flaw by Sunday ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities Americans lost nearly $900 million to AI-powered scams, FBI says Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit Mitigation Priorities for Security Teams Organizations should immediately prioritize patching the vulnerabilities identified in this report. Key actions include: Check Point VPN: Apply vendor patches immediately and audit VPN access logs for anomalous authentication patterns Ivanti EPMM: Follow CISA emergency directives and isolate affected MDM infrastructure pending patching Oracle PeopleSoft: Review CVE-2026-35273 advisories and restrict external-facing ERP access Arch Linux AUR: Audit developer environments for compromised packages and scan for eBPF rootkit indicators Prioritize network-edge devices and identity infrastructure, as these remain primary adversary entry points across all observed campaigns. Threat Actor Tactics and Attribution Insights This reporting period highlights distinct adversary behaviors worth tracking: Qilin ransomware group continues evolving its initial access methodology, now actively leveraging VPN zero-days before lateral movement ShinyHunters demonstrates increasing focus on higher education ERP systems, likely motivated by high-volume personally identifiable information (PII) for resale Supply chain attackers targeting developer toolchains show sophisticated persistence through eBPF rootkits, evading traditional endpoint detection Understanding these patterns enables defenders to anticipate targeting and apply threat-informed detection rules proactively. Indicators of Compromise and Detection Guidance Security operations teams should update detection pipelines based on this week's activity: Monitor for unusual outbound data transfers exceeding baseline thresholds, a key signal in active data exfiltration campaigns Deploy YARA rules targeting infostealer payloads associated with compromised AUR packages Alert on unexpected MDM configuration changes consistent with Ivanti EPMM exploitation behavior Implement integrity monitoring on ERP login portals and database query logs Cross-reference threat intelligence feeds for ShinyHunters and Qilin infrastructure indicators Proactive hunting using these signals significantly reduces dwell time across all identified threat vectors. --- ## PeopleSoft CVE-2026-35273 (CVSS 9.8) Actively Exploited - URL: https://purple-ops.io/blog/peoplesoft-cve-2026-35273-exploit - Date: 2026-06-15 - Category: CVE Analysis - Tags: peoplesoft, cve-2026-35273, active-exploitation, unauthenticated-rce, cisa-kev - Reading time: 5 min | CVSS: 9.8 **Summary:** Oracle PeopleSoft CVE-2026-35273, a critical missing authentication flaw with CVSS 9.8, is actively exploited for unauthenticated network takeovers. PeopleSoft CVE-2026-35273 (CVSS 9.8) Actively Exploited Oracle PeopleSoft Enterprise PeopleTools is affected by CVE-2026-35273, a critical missing authentication vulnerability allowing unauthenticated network takeovers. This flaw carries a CVSSv3.1 score of 9.8 (Critical) and is currently under active exploitation in the wild, having been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. This post provides a technical analysis of the vulnerability, its impact, and recommended mitigation strategies. The vulnerability stems from a critical function within PeopleSoft Enterprise PeopleTools lacking proper authentication, making it accessible to unauthorized external actors. Exploitation can lead to complete compromise of affected PeopleSoft environments, which shows the severe risk it poses to organizations utilizing this enterprise software. Immediate action is required to prevent potential network compromise. Our analysis indicates that this vulnerability permits unauthenticated remote attackers to establish control over vulnerable systems. Active exploitation means CVE-2026-35273 is a real threat, demanding immediate attention from security teams and system administrators responsible for Oracle PeopleSoft deployments. What is CVE-2026-35273 and why is it critical? CVE-2026-35273 identifies a missing authentication vulnerability in Oracle PeopleSoft Enterprise PeopleTools. This flaw is critical due to its CVSSv3.1 score of 9.8, signifying that it is remotely exploitable without authentication and can lead to a complete compromise of confidentiality, integrity, and availability. The "missing authentication for critical function" aspect means that a specific, vital component or capability within the PeopleSoft framework is exposed to the network without any requirement for credential verification. Its inclusion in the CISA KEV catalog amplifies its criticality, indicating confirmed active exploitation by threat actors. This designation signals the vulnerability is an ongoing threat that organizations must defend against immediately. Such unauthenticated access to critical functions can serve as a direct gateway for attackers to achieve deep access into an organization's enterprise resource planning (ERP) systems. The potential for "unauthenticated network takeovers" means that attackers can gain unauthorized control over the PeopleSoft application and potentially the underlying infrastructure. This level of access could enable adversaries to manipulate financial records, exfiltrate sensitive employee or customer data, disrupt business operations, or establish persistence within the network for future attacks. The broad deployment of Oracle PeopleSoft across various industries makes this a high-impact vulnerability. Impact Assessment An attacker exploiting CVE-2026-35273 can achieve an unauthenticated network takeover of vulnerable Oracle PeopleSoft environments. This encompasses a broad spectrum of malicious activities, including unauthorized data access, modification, and potential disruption of critical business processes. The vulnerability's CVSSv3.1 score of 9.8 directly correlates with its maximum impact potential across all security domains. Organizations that rely on Oracle PeopleSoft for human resources, financials, supply chain management, or student administration are at severe risk. Compromise of these systems can lead to the exfiltration of personally identifiable information (PII) for employees and customers, financial data, intellectual property, and other sensitive corporate information. The integrity of business operations can be undermined through unauthorized data alteration, potentially leading to financial fraud or operational paralysis. The "network takeover" capability implies that the attacker can gain administrative control over the PeopleSoft application and, depending on the architecture and privileges, potentially extend their reach to the host operating system or connected databases. This level of control facilitates lateral movement within the network and enables persistent access for long-term espionage or disruptive campaigns. Downtime for critical ERP systems can result in significant financial losses, reputational damage, and regulatory penalties. How is CVE-2026-35273 exploited? CVE-2026-35273 uses a missing authentication vulnerability in a critical function of Oracle PeopleSoft Enterprise PeopleTools. This flaw allows an unauthenticated remote attacker to interact directly with sensitive components that should only be accessible to authenticated and authorized users or processes. The specific critical function that is exposed without authentication enables the attacker to perform actions typically reserved for system administrators. The exploitation vector is remote and unauthenticated, meaning an attacker does not need prior access to the network or valid credentials to initiate an attack. They can target vulnerable PeopleSoft instances directly over the network. The "missing authentication" implies that the application fails to enforce security checks before executing a critical command or accessing a sensitive resource, thereby granting illicit access. Real-world exploitation reports confirm that this vulnerability is being actively used by sophisticated threat actors. For instance, our prior analysis in Oracle PeopleSoft CVE-2026-35273: Zero-Day RCE details how this flaw can lead to Remote Code Execution (RCE), allowing attackers to execute arbitrary commands on the underlying server with the privileges of the PeopleSoft application. This changes an unauthenticated network takeover into full system compromise. Further intelligence, as explored in Oracle PeopleSoft CVE-2026-35273 and ShinyHunters Exploitation, indicates that the threat actor group ShinyHunters has been observed exploiting this identical vulnerability. ShinyHunters is known for high-profile data breaches and has used this zero-day flaw to compromise Oracle PeopleSoft environments, which shows the severity and the caliber of actors interested in exploiting such weaknesses. This active exploitation by a named threat actor group shows the immediate threat posed by CVE-2026-35273. The attack preconditions are minimal, requiring only network connectivity to a vulnerable Oracle PeopleSoft instance. No complex social engineering or prior reconnaissance beyond identifying a vulnerable target is necessary. This low barrier to entry for attackers, combined with the high potential impact, makes CVE-2026-35273 a dangerous vulnerability. The critical function could involve anything from database configuration interfaces, application server controls, or direct API endpoints that lack proper access controls, allowing an attacker to inject commands or manipulate system settings. Affected Products and Versions The vulnerability CVE-2026-35273 affects: Oracle PeopleSoft Enterprise PeopleTools Specific affected version ranges for Oracle PeopleSoft Enterprise PeopleTools are not explicitly detailed in the provided intelligence source. Organizations are advised to consult official Oracle security advisories or their PeopleSoft support channels for precise version information and patching guidance. Given the critical nature and active exploitation of this vulnerability, all instances of Oracle PeopleSoft Enterprise PeopleTools should be considered potentially vulnerable until confirmed otherwise through vendor-specific patching or assessment. Detection Strategies Detecting exploitation attempts or successful compromise related to CVE-2026-35273 requires full logging and monitoring across application, host, and network layers. Indicators of compromise (IOCs) would primarily revolve around anomalous activity consistent with unauthenticated access to critical functions and subsequent network takeovers. Application Logs: Monitor PeopleSoft application server logs for any access attempts to critical or administrative functions that bypass standard authentication mechanisms. Look for successful accesses from IP addresses not associated with legitimate administrative users or known network segments. Review for unexpected modifications to system configurations, user accounts, or security settings within PeopleSoft that occurred without corresponding authenticated administrator actions. Look for abnormal process invocations or API calls originating from the PeopleSoft application server, especially those related to operating system commands or database interactions that deviate from baseline behavior. Host-Based Detection (EDR/HIDS): Monitor the underlying operating system of the PeopleSoft application server for unusual process creation, particularly shell processes (e.g., cmd.exe, powershell.exe, bash, sh) spawned by the PeopleSoft application's user account. Detect unexpected file system changes in critical PeopleSoft directories, web server root directories, or system configuration files. Look for network connections originating from the PeopleSoft server to unusual external IP addresses, especially those associated with known command-and-control infrastructure or cloud hosting providers. Identify any new or modified scheduled tasks, services, or persistence mechanisms created on the server hosting PeopleSoft. Network-Based Detection (IDS/IPS/Firewall Logs): Monitor network traffic for direct unauthenticated access attempts to PeopleSoft application ports and specific URLs or endpoints that might correlate with critical functions. Look for unusual traffic patterns, such as unexpected high volumes of data egress from the PeopleSoft server, which could indicate data exfiltration. Analyze HTTP/S logs for requests to non-standard or administrative URLs within the PeopleSoft application without prior authentication session establishment. Implement IDS/IPS rules to detect known attack signatures associated with exploitation attempts of Oracle PeopleSoft vulnerabilities, if available. Given the active exploitation, regularly update threat intelligence feeds for network signatures related to CVE-2026-35273. Remediation Measures Immediate remediation is critical to address CVE-2026-35273 due to its severe impact and active exploitation. Prioritize patching and implement strong mitigation strategies. Apply Vendor Patches: The primary remediation is to apply all available security patches from Oracle for PeopleSoft Enterprise PeopleTools. Consult Oracle's official security advisories and support documentation for the specific patch relevant to your version of PeopleSoft. Oracle typically releases quarterly Critical Patch Updates (CPUs) that bundle fixes for multiple vulnerabilities, including actively exploited zero-days. Workarounds and Mitigations (if patches are not immediately available): Network Segmentation: Isolate PeopleSoft application servers on a dedicated network segment with strict ingress and egress filtering. Restrict network access to PeopleSoft services only from trusted internal networks and specific IP addresses that genuinely require connectivity. Web Application Firewall (WAF): Deploy a WAF in front of your PeopleSoft application to inspect and filter suspicious web traffic. Configure the WAF to block requests that attempt to access critical functions without proper authentication or that contain known exploit patterns. Least Privilege: Ensure the PeopleSoft application and its underlying components run with the minimum necessary operating system privileges. This can limit the extent of compromise if an attacker successfully exploits the vulnerability. Disable Unused Services: Disable any unnecessary PeopleSoft modules, services, or features that could potentially expose additional attack surfaces. Review Access Controls: Conduct a thorough review of existing access controls within PeopleSoft, ensuring that all critical functions are strictly controlled and that any default or guest accounts are secured or disabled. Enhanced Monitoring: Implement enhanced logging and monitoring as detailed in the "Detection" section to quickly identify and respond to any active exploitation attempts or post-exploitation activities. This includes integrating PeopleSoft logs with a Security Information and Event Management (SIEM) system for centralized analysis and alerting. Perform regular vulnerability scanning and penetration testing of your PeopleSoft environments to identify any lingering weaknesses or misconfigurations. Technical Takeaways CVE-2026-35273 is a critical missing authentication vulnerability in Oracle PeopleSoft Enterprise PeopleTools with a CVSSv3.1 score of 9.8. The vulnerability allows unauthenticated remote attackers to achieve network takeovers, potentially leading to Remote Code Execution and full system compromise. CVE-2026-35273 is actively being exploited in the wild and has been added to the CISA KEV catalog, indicating confirmed real-world attacks. Threat actor groups such as ShinyHunters have been observed using this zero-day flaw to compromise Oracle PeopleSoft environments. Immediate patching through Oracle's official security advisories is the primary remediation; network segmentation and WAF deployment serve as critical interim mitigations. --- ## LockBit Claims 5 Victims in 24h Ransomware Leaks - URL: https://purple-ops.io/blog/lockbit-ransomware-5-victims-24h - Date: 2026-06-14 - Category: Ransomware Report - Tags: none - Reading time: 5 min **Summary:** LockBit ransomware affiliates led global activity in the last 24 hours, claiming 5 new victims across diverse sectors including manufacturing and government. LockBit Claims 5 Victims in 24h Ransomware Leaks Statistical Overview Victim Totals This month: 316 This quarter: 1861 Year to date: 4485 Last 24h: 13 Quarterly Breakdown Q1: 2631 | Q2: 1861 | Q3: 0 | Q4: 0 Ransomware activity in Q2, while substantial at 1861 victims, was lower than Q1's 2631 victims. The last 24-hour period recorded 13 new victims across diverse sectors and geographies. Introduction Recent ransomware activity included 13 new victims, with LockBit affiliates as the most active group, responsible for five incidents. NightSpire had three new victims, while several other groups each claimed one. Targeted sectors were diverse, affecting manufacturing, government, healthcare, and technology entities in multiple global regions. The United States experienced the highest concentration of attacks. For more on current threats, see understanding LockBit's operations. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1LockBit5ag-360.ca, amc.co.th, casaandina.com.co (+2)Thailand, ColombiaManufacturing, Construction & Engineering 2NightSpire3Blue nile medical center, Silsbee police department, Waxworks incUnited StatesGovernment / Public Sector, Healthcare 3DragonForce1InkUnited KingdomProfessional Services 4Nova (RALord)1BandungIndonesiaGovernment / Public Sector 5SLSH1Coe.intFranceGovernment / Public Sector 6Securotop1Charisma mediaUnited StatesMedia & Entertainment 7Shadowbyt3s1Tinypulse nintendo (nintendo.com) nintendo_file_tree.txtUnited StatesTechnology / Software LockBit had five reported victims, targeting manufacturing and construction & engineering firms primarily in Thailand and Colombia. NightSpire had three victims, affecting U.S. government/public sector and healthcare entities, including the Silsbee Police Department and Blue Nile Medical Center. Other groups such as DragonForce, Nova (RALord), SLSH, Securotop, and Shadowbyt3s each had one victim. This suggests fragmented and opportunistic targeting across industries and geographies. SLSH, for example, impacted an international organization (Coe.int), and Shadowbyt3s listed Nintendo.com. Victim Distribution By Country United States: 5 Canada: 1 Colombia: 1 Finland: 1 France: 1 Germany: 1 Indonesia: 1 Thailand: 1 United Kingdom: 1 By Industry Real Estate: 1 Hardware and Construction Materials: 1 Machinery Manufacturing: 1 International Organization: 1 Construction: 1 Regulatory Body: 1 Industrial Equipment Maintenance: 1 Design: 1 Healthcare: 1 Law Enforcement: 1 The United States remains the primary target country, with many incidents reported. Industry targeting is diverse, with no single dominant sector, suggesting a mix of opportunistic and broad attack vectors, particularly affecting critical functions such as law enforcement and healthcare. This diversity shows the relevance of monitoring ransomware trends targeting critical infrastructure. Ransomware News Topline No significant new ransomware developments or campaign shifts were observed within the recent collection period. Campaigns & Operations No new campaigns, shifts in operator tactics, or significant incidents involving named threat actors were identified. Vulnerabilities & TTPs There were no reports of newly exploited vulnerabilities or changes in adversary tradecraft this period. Analyst Note Current activity remains consistent with previously observed patterns, without immediate indications of emerging threats. Technical Takeaways LockBit remains the most active ransomware group recently, with five new victims across diverse sectors. The United States is the most frequently targeted country, accounting for five out of 13 recorded incidents. Ransomware targeting shows high industry diversity, affecting sectors from Manufacturing and Construction to Government, Healthcare, and Technology. NightSpire targeted critical sectors, including Government/Public Sector and Healthcare, in the United States. The overall ransomware activity for the current quarter, though substantial, was lower than the previous quarter. LockBit Targeting Patterns and Sector Impact LockBit affiliates continue to demonstrate sophisticated target selection across multiple industries. In this 24-hour window, their five victims spanned manufacturing and construction sectors across Thailand and Colombia, reflecting deliberate geographic diversification. Manufacturing remains a top target due to operational disruption leverage Construction & Engineering firms often lack mature incident response capabilities Affiliates exploit exposed RDP endpoints and unpatched VPN appliances Double extortion tactics pressure victims through data leak threats Organizations in these sectors should prioritize ransomware readiness assessments and offline backup validation to reduce exposure to affiliate-driven campaigns. Geographic Concentration of Ransomware Attacks The United States recorded the highest attack concentration in this reporting period, consistent with long-term trends. NightSpire's three US-based victims included a medical center and a police department, highlighting critical infrastructure targeting. Indonesia and Thailand reflect growing Asia-Pacific exposure United Kingdom faced DragonForce activity in professional services Colombia continues to appear in Latin American targeting patterns Regional variance suggests affiliates operate across time zones to maximize disruption windows. Global defenders should monitor threat intelligence feeds for emerging geographic clusters and coordinate with sector-specific ISACs for timely indicator sharing. Defending Against Multi-Group Ransomware Campaigns When multiple ransomware groups are simultaneously active, defenders face compounded detection and response challenges. This 24-hour period involved at least five distinct threat actors, each employing varied tactics. Implement network segmentation to contain lateral movement Deploy endpoint detection and response (EDR) with behavioral analysis Enforce multi-factor authentication on all remote access points Conduct tabletop exercises simulating concurrent ransomware incidents Maintain tested, immutable backups stored offline or in air-gapped environments Proactive threat hunting and cross-team coordination remain essential as ransomware-as-a-service ecosystems lower the barrier for new affiliates to launch high-impact attacks. --- ## Velvet Ant Targets Air-Gapped Networks: 2016–2024 - URL: https://purple-ops.io/blog/velvet-ant-cyberespionage-isolated-networks - Date: 2026-06-14 - Category: Threat Intelligence - Tags: none - Reading time: 12 min **Summary:** Velvet Ant's Operation Highland executed a decade-long espionage campaign, deeply embedding into isolated critical infrastructure networks. Velvet Ant Cyberespionage Campaign Hits Isolated Networks Operation Highland, a sophisticated, decade-long cyberespionage campaign orchestrated by the Chinese state-sponsored threat group Velvet Ant, was recently revealed. Discovered by Sygnia researchers, the group maintained deep persistence within an isolated critical infrastructure network of a large, unnamed organization since 2016. This highly stealthy intrusion involved the complete subversion of the target's authentication stack, providing Velvet Ant with continuous, unchallenged visibility into administrative activities and control over the compromised environment. The attackers' tactics included using vulnerable internet-facing systems to establish initial access before meticulously bridging to an air-gapped network, demonstrating advanced operational capability. Once inside, Velvet Ant deployed custom malware, backdoored core Linux authentication components such as Pluggable Authentication Modules (PAM) and OpenSSH, and hijacked existing network infrastructure to ensure covert remote execution and persistent credential theft. The campaign shows the difficulty in detecting and eradicating state-sponsored actors who prioritize long-term strategic access over immediate disruption. It also shows a commitment to deep infiltration and prolonged intelligence gathering within high-value targets. This roundup also covers a critical pre-authentication remote code execution vulnerability in Splunk Enterprise, the U.S. government's unprecedented move to impose export controls on Anthropic's advanced AI models Fable 5 and Mythos 5 due to national security concerns, the guilty plea of a Ukrainian national for his role in the notorious Conti ransomware operations, and a cyberattack that disrupted financial services at Brazil's MagaluPay. These incidents illustrate the range of current cyber threats, from sophisticated state-level espionage to critical software vulnerabilities and direct financial disruption. How Did Velvet Ant Maintain Decades-Long Persistence in Isolated Networks? The Velvet Ant threat group achieved its decade-long persistence by compromising internet-facing servers and subsequently establishing a covert execution path into an otherwise isolated critical infrastructure network. Their methodology involved a multi-stage attack chain designed for stealth and resilience. This included deploying custom tools and tampering with fundamental system components, and embedded their access into the core authentication processes of the target environment. The initial phase of Operation Highland involved gaining a foothold on internet-facing systems, though specific vulnerabilities for this entry point were not publicly disclosed. Upon compromise, Velvet Ant deployed a modified GS-Netcat reverse shell, camouflaged as a legitimate system component, to establish encrypted remote shell access to a hardcoded relay domain. Persistence on these initial hosts was secured either through malicious systemd services or by altering startup scripts. The group then installed a custom SOCKS5 proxy, masquerading as 'smbd -D' and utilizing varying filenames and ports, to tunnel network traffic and pivot deeper into the internal network, transforming compromised servers into internal stepping stones. The critical step in breaching the isolated network involved a sophisticated modification of existing infrastructure. Velvet Ant altered the configuration of a compromised internet-facing Nginx server to proxy specially crafted requests to a compromised backend server. This backend server's Nginx configuration was also modified to forward requests to a FastCGI process (fcgiwrap) listening on a separate port. This FastCGI wrapper acted as an execution bridge, processing requests and launching a custom binary named 'uptime,' which established SSH connections into the segregated critical infrastructure network using parameters supplied in HTTP POST requests. This chain of modifications allowed for remote execution into the isolated environment without any direct internet connection. For more context on similar sophisticated operations, China-aligned cyber espionage discusses the deep capabilities of such groups. Once access was established within the isolated environment, Velvet Ant focused on long-term persistence and credential harvesting by targeting Linux Pluggable Authentication Modules (PAM). They replaced legitimate 'pam_unix.so' modules with backdoored versions that accepted hardcoded passwords and captured user credentials. Sygnia identified nine distinct variants of these malicious PAM modules, each compiled in a separate build environment, which indicates significant resources and planning by the threat actor. Two variants were notable for their dual function as both backdoors and credential collectors. To further embed their control, Velvet Ant also replaced OpenSSH components (ssh, sshd, scp) with trojanized versions. These modified components captured credentials, logged commands executed during SSH sessions, and stored the collected data locally for later retrieval. By gaining control over the authentication process through PAM and OpenSSH modifications, the threat actor accessed credentials as they were used and could bypass the standard authentication flow. This deep level of compromise ensured persistence regardless of password changes or session terminations, significantly reducing the efficacy of conventional containment measures. Analyses like this one covering Chinese hackers gaining access provide further details on how such threat actors secure initial access. The remediation process for Operation Highland was exceptionally complex. The extensive replacement of critical system components with custom, malicious versions meant that their removal carried a high risk of breaking authentication, locking out legitimate administrators, and causing operational outages. Sygnia addressed this by developing a testing lab to validate binary replacement procedures, profiling each compromised host, exhaustively testing results, and preparing complete rollback plans before executing the cleanup. This meticulous approach was necessary to safely eradicate Velvet Ant from the deeply embedded network. What is the Impact of the Critical Splunk Enterprise CVE-2026-20253 Vulnerability? A critical security flaw, CVE-2026-20253, in Splunk Enterprise versions below 10.2.4 and 10.0.7, allows an unauthenticated attacker to perform arbitrary file operations and potentially achieve pre-authenticated Remote Code Execution (RCE), earning a CVSS score of 9.8. This vulnerability stems from the lack of authentication controls in a PostgreSQL sidecar service endpoint, enabling any network-reachable user to invoke file operations without requiring credentials. The exploit chain, detailed by watchTowr Labs, uses the "/v1/postgres/recovery/backup" and "/v1/postgres/recovery/restore" endpoints. An attacker can connect to a controlled database and use the backup endpoint to dump its contents into an arbitrary file on the Splunk Enterprise system. Subsequently, the restore endpoint is used to load this malicious database dump into the local PostgreSQL instance by including a "passfile" argument pointing to a .pgpass file (/opt/splunk/var/packages/data/postgres/.pgpass) containing the postgres_admin user's password. During the restoration process, SQL queries defined in the attacker-controlled database dump are executed by Splunk's PostgreSQL instance. This allows an attacker to define a new SQL function that utilizes lo_export - a function designed to extract a Binary Large Object (BLOB) from the database and save it as a file on the file system. This capability provides a controlled arbitrary file write primitive on the Splunk file system. The ultimate escalation to RCE is achieved by overwriting a frequently executed Python script within Splunk (e.g., /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py) with a malicious payload, which then executes when the script runs. The vulnerability affects: Splunk Enterprise versions 10.0.0 to 10.0.6, fixed in version 10.0.7. Splunk Enterprise versions 10.2.0 to 10.2.3, fixed in version 10.2.4. Splunk Enterprise 10.4 is not affected, and Splunk Cloud is also not impacted because it does not utilize Postgres sidecars. While there is no public evidence of in-the-wild exploitation, the availability of technical exploit details increases the risk, requiring immediate patching for all vulnerable deployments. Why Did the U.S. Government Order Anthropic to Disable Fable 5 and Mythos 5 AI Models? The U.S. government, specifically the Commerce Department, ordered Anthropic to immediately suspend foreign access to its two most advanced artificial intelligence models, Fable 5 and Mythos 5, citing national security concerns. This directive, issued through an export control decree by Secretary of Commerce Howard Lutnick, prohibited use by foreign nationals both within and outside the United States. In response, Anthropic disabled global access to both models to ensure compliance, though access to its other AI models remains unaffected. The government's concern reportedly stemmed from a technique for "jailbreaking" Fable 5, a term for methods that bypass a model's built-in safety guardrails. According to Anthropic, the government provided only verbal evidence of what it characterized as a "narrow, non-universal jailbreak." This technique purportedly involved prompting the model to analyze a specific codebase and identify software flaws. This incident shows government scrutiny over powerful AI models and their potential dual-use capabilities, echoing broader concerns about state-backed espionage and shadow campaigns using advanced technology. Anthropic, which had only released Fable 5 and Mythos 5 earlier in the week, disputed the severity of the government's finding. The company asserted that the capabilities demonstrated by the alleged jailbreak were already available in other publicly accessible models, including OpenAI's GPT-5.5, and are routinely used by cybersecurity professionals for defensive purposes. Anthropic maintained that perfect jailbreak resistance is unachievable for any model provider and that Fable 5 was designed with a "defense in depth" strategy. The company argued that applying such a stringent standard to commercial model deployments based on a narrow, non-universal jailbreak would effectively halt all new model deployments across the frontier AI industry. The impact on initiatives like Project Glasswing, which allowed selected cybersecurity companies and the National Security Agency to use Mythos 5 for identifying and addressing security flaws and offensive cyber operations, remains uncertain. This government action is part of a growing trend where advanced AI capabilities are increasingly viewed through a national security lens, leading to new forms of regulation and oversight over their development and deployment. The move has drawn criticism from researchers and industry analysts, who questioned the scope and implications of the export controls. What is the Significance of Oleksii Lytvynenko's Guilty Plea in Conti Ransomware Operations? Ukrainian national Oleksii Lytvynenko, 44, has pleaded guilty in the United States to conspiracy to commit wire fraud for his involvement with the Conti ransomware operation. Conti, one of the most prolific and damaging cybercrime groups between 2020 and 2022, impacted over 1,000 victims across 47 U.S. states, the District of Columbia, Puerto Rico, and 31 foreign countries, generating at least $150 million in ransom payments. Lytvynenko's plea follows his extradition from Ireland in October 2025. The Conti group operated a typical ransomware-as-a-service model, compromising victim networks, encrypting files, exfiltrating sensitive data, and then demanding ransoms under threat of public disclosure. Prosecutors stated that the group caused millions of dollars in damages to businesses and organizations of various sizes globally. Lytvynenko admitted joining the Conti conspiracy in September 2021 and acknowledged possessing data stolen from eight U.S. victims and four international victims. Court documents detail Lytvynenko's role in coding a "loader," a type of malware commonly used to install or execute additional malicious tools required for further attack stages. This specific contribution shows the collaborative and specialized nature of modern ransomware operations. Lytvynenko is scheduled for sentencing on September 10, 2026, and faces a maximum penalty of 20 years in prison. This conviction is a result of Operation Riptide, an ongoing FBI initiative targeting cybercrime actors, their infrastructure, and financial networks involved in online fraud and ransomware. The case reflects the U.S. government's intensified efforts to identify, extradite, and prosecute individuals associated with ransomware gangs, following a reported 26 percent increase in cybercrime losses, exceeding $20 billion, in the past year. Other recent guilty pleas, such as those related to the ALPHV (BlackCat) and Nefilim ransomware gangs, show a sustained focus on bringing cybercriminals to justice. What Was the Impact of the MagaluPay Cyberattack on Customers? MagaluPay, the financial services platform operated by Brazilian retail giant Magazine Luiza, experienced a "cybernetic event" that left many customers unable to access or move their financial resources for several days. The incident began on Saturday, June 6, 2026, and led to a wave of 29 customer complaints on platforms like Reclame Aqui by June 11, which indicated user frustration and financial disruption. The company confirmed the cyber incident but did not disclose its specific nature, the extent of financial damages, or a clear timeline for service normalization. While MagaluPay assured that customers' personal data had not been compromised, it temporarily suspended critical services, including payments via Pix, as a security measure. These services were only gradually restored, forcing many users to contend with delays in conducting essential transactions like paying rent and other bills. Some customers expressed their intent to permanently withdraw their funds once access was restored, showing a loss of trust. MagaluPay operates as a payment institution regulated by the Central Bank of Brazil, offering a digital account that facilitates payments, transfers, and bill payments, alongside cashback incentives. This platform is integral to Magazine Luiza's broader diversification strategy into financial technology through recent acquisitions. The incident at MagaluPay shows a broader trend of escalating cyberattacks and fraud within the Brazilian financial system. Between January and May 2026, the Central Bank recorded 33 security incidents, 25 of which were fraud-related, marking the highest number for this period on record. This heightened activity places increasing pressure on financial institutions to strengthen their security protocols and improve customer support, particularly during critical service disruptions. Technical Takeaways Velvet Ant's Operation Highland demonstrates that state-sponsored actors are capable of maintaining decade-long persistence within isolated critical infrastructure by subverting core authentication mechanisms like PAM and OpenSSH. The Splunk Enterprise CVE-2026-20253 vulnerability shows the critical importance of strong authentication controls on all service endpoints, as even unauthenticated file operations can be chained to achieve pre-authenticated Remote Code Execution. Government intervention in the deployment of advanced AI models like Anthropic's Fable 5 and Mythos 5 shows a new regulatory area where AI capabilities are being assessed for national security implications, particularly concerning potential "jailbreaks." The Conti ransomware operator's guilty plea reinforces international law enforcement's sustained efforts to dismantle cybercrime groups and prosecute their members, even for activities occurring years prior. The MagaluPay incident shows the direct and immediate impact cyberattacks can have on essential financial services. It leads to widespread customer disruption and emphasizes the critical need for strong incident response and communication strategies in financial technology platforms. --- ## SimpleHelp CVE-2026-48558 (CVSS 10.0) Bypass - URL: https://purple-ops.io/blog/simplehelp-cve-2026-48558-bypass - Date: 2026-06-14 - Category: CVE Analysis - Tags: simplehelp, cve-2026-48558, authentication-bypass, actively-exploited, cvss-10 - Reading time: 5 min | CVSS: 10 **Summary:** SimpleHelp CVE-2026-48558, a critical authentication bypass with a CVSS of 10.0, is actively exploited. SimpleHelp CVE-2026-48558 (CVSS 10.0) Bypass SimpleHelp, a remote management software used for technical support and remote access, is affected by a critical authentication bypass vulnerability identified as CVE-2026-48558. This flaw has a CVSS score of 10.0, indicating the highest level of severity and an immediate threat to organizations using the platform. The vulnerability allows unauthenticated attackers to forge credentials and establish administrative control over affected SimpleHelp instances. Cybersecurity researchers confirm that CVE-2026-48558 is actively exploited in the wild. This exploitation vector enables adversaries to bypass standard authentication mechanisms, including multi-factor authentication (MFA), gaining unauthorized access to the corporate environment managed by SimpleHelp. Such a compromise gives full control over managed endpoints and the potential for extensive data exfiltration or system disruption. Threat intelligence indicates a significant increase in global internet exposure of SimpleHelp servers, with approximately 14,000 instances now discoverable. Of these, an estimated 7.2 percent are configured in a vulnerable state, making them susceptible to immediate exploitation. Urgent action, including patching and implementing compensatory controls, is required to mitigate the risk posed by CVE-2026-48558. Impact Successful exploitation of CVE-2026-48558 grants unauthenticated attackers maximum privileges within the compromised SimpleHelp environment. An attacker can seize full administrative control, becoming an authorized technician with extensive capabilities. This level of access permits the execution of malicious scripts across managed endpoints and the initiation of remote sessions into corporate systems. Control over these endpoints directly facilitates lateral movement within a network, malware installation, data exfiltration, or operational disruption. Organizations that deploy SimpleHelp for their remote support and management operations are directly at risk. Any public-facing SimpleHelp server running an affected version, especially one configured with OpenID Connect (OIDC) authentication, represents a critical entry point for threat actors. Because the vulnerability circumvents multi-factor authentication (MFA) protections, it further increases the risk, as it nullifies a foundational layer of security typically relied upon to prevent unauthorized access. This makes affected instances prime targets for initial access brokers and other malicious entities aiming to penetrate corporate networks. The vulnerability has substantial global reach. Shodan data reveals an increase in publicly exposed SimpleHelp servers, growing from approximately 3,400 instances in the previous year to nearly 14,000 active instances currently. With 7.2 percent of these instances operating with vulnerable configurations, the attack surface for CVE-2026-48558 has expanded. This broad exposure, combined with the criticality of the flaw, positions SimpleHelp as a high-priority target for threat actors seeking to exploit remote management tools for network infiltration. What is the Technical Mechanism of CVE-2026-48558? CVE-2026-48558 is an authentication bypass vulnerability that arises from a fundamental flaw in SimpleHelp's implementation of its single sign-on (SSO) mechanism, specifically when OpenID Connect (OIDC) authentication is configured. The core issue lies in the application's failure to adequately verify the cryptographic signatures of identity tokens submitted during the login process. In an environment where OIDC authentication is enabled for SimpleHelp, identity tokens are accepted without validating their embedded cryptographic signatures. This critical omission allows an attacker to craft or alter an OIDC token and present it to the SimpleHelp server. Because the server does not perform the necessary signature verification, it trusts the integrity and authenticity of the attacker-supplied token. This trust relationship enables the attacker to spoof an arbitrary identity, gaining an authenticated technician session. The absence of signature validation means that even if a token is not legitimately issued by a trusted identity provider, the SimpleHelp server will process it as valid, resulting in unauthorized access. This bypass capability is critical, as it allows threat actors to impersonate legitimate technicians and immediately gain privileged access to the remote management environment. Exploitation Chain and Preconditions Exploitation of CVE-2026-48558 follows a straightforward chain, primarily using the lack of cryptographic signature verification in the OIDC authentication flow. The attack vector is entirely unauthenticated, meaning an adversary does not require any prior access or legitimate credentials to initiate the exploit. The primary precondition for successful exploitation is that the SimpleHelp server must be configured to use OIDC authentication. Also, the instance must be running one of the affected versions: SimpleHelp 5.5.15 and prior, or any 6.0 pre-release version. An attacker can then directly interact with the SimpleHelp server's OIDC endpoint. By constructing a specially crafted OIDC identity token that purports to represent a legitimate technician or administrator, the attacker can submit this token to the vulnerable SimpleHelp instance. Due to the absence of signature validation, the server accepts the forged token as authentic, granting the attacker an authenticated technician session with administrative privileges. Active exploitation of CVE-2026-48558 has been confirmed in the wild, signifying that threat actors are currently using this vulnerability to compromise SimpleHelp environments. Horizon3.ai and other cybersecurity researchers have documented this activity and provided full details on the vulnerability and associated Indicators of Compromise (IoCs). The documented global internet exposure, with nearly 14,000 SimpleHelp instances active and 7.2 percent running vulnerable configurations, indicates a significant target area for ongoing exploitation efforts. Discussions around active exploitation of similar authentication bypass vulnerabilities, such as those impacting Check Point VPN (CVE-2026-50751), show that strong detection mechanisms are needed for flaws of this nature. The ease of exploitation, combined with the high privileges granted, makes CVE-2026-48558 a critical threat requiring immediate attention. Affected Products and Versions The following SimpleHelp product lines and versions are confirmed to be vulnerable to CVE-2026-48558: SimpleHelp versions 5.5.15 and prior. This includes all minor and patch versions leading up to and including 5.5.15. SimpleHelp 6.0 pre-release versions. This encompasses any developmental or beta versions released under the 6.0 series before the official, patched release. Organizations are advised to identify all SimpleHelp instances within their environment and verify their respective versions against this list. Continued use of these specific versions without applying the necessary patches or implementing mitigations poses a significant and immediate security risk due to the confirmed active exploitation of CVE-2026-48558. Detection Detecting the exploitation of CVE-2026-48558 requires a multi-layered approach, focusing on anomalies within the authentication process, unusual technician activities, and network patterns. Given the nature of the authentication bypass, vigilance in monitoring OIDC-related logs and SimpleHelp session activities is paramount. Concrete detection guidance includes: Log Signatures and Anomaly Detection: Monitor SimpleHelp server logs for the creation of new technician accounts that were not explicitly provisioned by an administrator or that appear at unusual times. Scrutinize OIDC authentication logs for successful login attempts using identity tokens that lack proper cryptographic signature validation warnings or errors, or that originate from unexpected OIDC providers or scopes. Look for an increased number of failed OIDC token validations followed by immediate successful logins that bypass conventional authentication flows. Analyze authentication event logs for successful technician sessions originating from IP addresses not typically associated with legitimate administrative or support personnel. Indicators of Compromise (IoCs): Refer to the official Horizon3.ai vulnerability disclosure and IoC guide for specific network and host-based indicators related to CVE-2026-48558. These IoCs often include specific network request patterns, unusual file creations, or suspicious process executions on the SimpleHelp server. Monitor for unauthorized script execution on managed endpoints, particularly scripts initiated by SimpleHelp technician sessions that are not part of routine support or maintenance tasks. Detect any newly created, unrecognized, or highly privileged accounts within the SimpleHelp platform or on managed endpoints. EDR Queries and Host-Based Monitoring: Utilize EDR solutions to monitor SimpleHelp server processes for unusual child process creation. Look for processes attempting to modify configuration files, establish outbound connections to unknown destinations, or execute system commands. Implement EDR queries to identify remote desktop connections (RDP) or other remote access protocols initiated by SimpleHelp technicians into systems that are not typically part of their support scope. Look for modifications to SimpleHelp configuration files that alter OIDC settings or authentication parameters without proper change management documentation. Network Indicators: Implement network intrusion detection systems (NIDS) to identify suspicious network traffic originating from or directed to the SimpleHelp server. Pay attention to connections to unusual external IP addresses or command-and-control (C2) infrastructure. Monitor for an unexpected surge in outbound connections from the SimpleHelp server to managed endpoints that fall outside of normal operational hours or patterns. Configure firewall rules and network segmentation to restrict direct internet access to the SimpleHelp server to the minimum necessary, limiting potential attack surface. Because CVE-2026-48558 is actively exploited, immediate attention to these detection strategies is needed. Proactive monitoring and incident response capabilities are critical to identifying and mitigating successful breaches. Remediation Addressing CVE-2026-48558 requires immediate action to prevent or recover from exploitation. The most effective method is to apply the official software patches released by SimpleHelp. Patching: Apply the latest security updates released by SimpleHelp. Refer to the official SimpleHelp security update page (simple-help.com/security/simplehelp-security-update-2026-05) for the most current patch information and instructions. This update directly addresses the flaw in the OIDC authentication flow, ensuring that identity tokens are properly validated. Workarounds and Mitigations (if immediate patching is not feasible): Implement Strict Network Controls: Apply IP restrictions at the network perimeter (e.g., firewall rules) to limit the IP ranges from which technicians can authenticate. This measure significantly reduces the attack surface by only allowing access from known, trusted networks. Disable OIDC Authentication: If OIDC authentication is not a critical business requirement, disable it on your SimpleHelp server until the patches can be applied. This removes the vulnerable authentication pathway entirely, although it may impact legitimate user workflows. Review and Audit Technician Accounts: Conduct an immediate audit of all existing technician accounts within SimpleHelp. Revoke access for any unauthorized, suspicious, or unused accounts. Enforce least privilege principles, ensuring technicians only have the permissions necessary for their roles. Monitor for Unauthorized Access: Enhance monitoring capabilities for the SimpleHelp server and managed endpoints to detect any signs of unauthorized activity as described in the detection section. This includes vigilant observation for new technician accounts, unusual login locations, or suspicious command executions. Segment SimpleHelp Servers: Isolate SimpleHelp servers into a dedicated network segment with stringent ingress and egress filtering. This can limit lateral movement if a compromise occurs. Regular Backups: Ensure regular, immutable backups of your SimpleHelp server configuration and data are performed and stored securely offline. This enables restoration in the event of a successful attack. Organizations should prioritize applying official patches. Workarounds reduce risk but are temporary. Other critical improper authentication vulnerabilities, such as CVE-2026-50751, show that timely patching remains important. Technical Takeaways CVE-2026-48558 is a critical authentication bypass vulnerability in SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions, carrying a CVSS score of 10.0. The vulnerability stems from an improper validation of OIDC identity tokens, allowing unauthenticated attackers to forge credentials and obtain administrative control. Active exploitation of CVE-2026-48558 has been confirmed, with a significant percentage of internet-exposed SimpleHelp servers currently vulnerable. Successful exploitation grants threat actors full administrative privileges, enabling malicious script execution, remote access to managed endpoints, and bypassing MFA. Immediate remediation involves applying the vendor-supplied patches; strict network controls and disabling OIDC are recommended temporary mitigations. --- ## LockBit Ransomware Claims 3 Victims in 24h - URL: https://purple-ops.io/blog/lockbit-ransomware-3-victims - Date: 2026-06-13 - Category: Ransomware Report - Tags: lockbit, ransomware, cybercrime, threat-actors, victimology - Reading time: 5 min **Summary:** LockBit ransomware claimed 3 new victims in the last 24 hours, leading activity across manufacturing, retail, and legal sectors globally. LockBit Ransomware Claims 3 Victims in 24h Statistical Overview Victim Totals This month: 303 This quarter: 1848 Year to date: 4472 Last 24h: 8 Quarterly Breakdown Q1: 2631 | Q2: 1848 | Q3: 0 | Q4: 0 Ransomware activity continues, with Q2 activity maintaining a pace, though slightly lower than Q1 totals. The last 24 hours show a modest victim count across multiple groups. Introduction Eight new ransomware victims were recorded in the last 24 hours, showing continued threat activity. LockBit remained the most active group, accounting for three incidents. Other groups, including 3AM, Krybit, Payload, Shadowbyt3s, and Stormous, added to the varied threats. Targets included manufacturing, retail, legal, energy, and media sectors, with affected organizations distributed globally. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1LockBit35deagosto.com.br, abandw.com, eternal.hkHong Kong, ChinaManufacturing, Retail & Ecommerce 23AM1Mgrlaw.comUnited StatesLegal 3Krybit1Www.mbt-energy.comChinaEnergy & Utilities 4Payload1Myipo.gov.myMalaysiaLegal 5Shadowbyt3s1Nintendo company (nintendo.com)JapanMedia & Entertainment 6Stormous1Mlit.com.my newMalaysiaTechnology / Software LockBit reported three victims, mainly impacting manufacturing and retail entities in Hong Kong and China. Shadowbyt3s targeted a Japanese video game and electronics company. Groups 3AM, Krybit, Payload, and Stormous each accounted for one victim. These collectively affected legal services, energy & utilities, and technology sectors in the United States, China, and Malaysia. Victim Distribution By Country China: 2 Malaysia: 2 Brazil: 1 Hong Kong: 1 Japan: 1 United States: 1 By Industry Automotive Parts Distribution: 1 Manufacturing: 1 Renewable Energy: 1 Retail and Distribution: 1 Video Games and Electronics: 1 Information Technology and Services: 1 Intellectual Property Services: 1 Legal Services: 1 The victim distribution shows a geographic spread, with China and Malaysia each experiencing two incidents. Brazil, Hong Kong, Japan, and the United States each had one. Industrially, ransomware operators target many sectors, from automotive parts and manufacturing to renewable energy, retail, legal services, and the video games industry. Ransomware News Topline Law enforcement efforts against ransomware infrastructure and operators have had recent successes, including a crypto-laundering service takedown and a guilty plea from a Conti ransomware group member. Campaigns & Operations An international law enforcement operation, coordinated by the US Secret Service, IRS Criminal Investigation, Polish Police, Europol, and Eurojust, dismantled AudiA6, a crypto-laundering platform. This service laundered over EUR 336 million for various criminal groups, including ransomware operators, between 2022 and 2025. The operation arrested two administrators in Georgia and seized infrastructure. Separately, Oleksii Lytvynenko, a member of the Conti ransomware group, pleaded guilty to conspiracy to commit wire fraud. Lytvynenko admitted involvement in attacks impacting over 1,000 victims and extorting more than $150 million. Vulnerabilities & TTPs The AudiA6 platform used thousands of fraudulent exchange accounts, opened with stolen or purchased identities, to obscure transactions. This gave ransomware operators a rapid method for asset conversion. Lytvynenko's activities within Conti involved developing malware used in widespread attacks, showing a persistent threat from established ransomware groups and their changing tactics. Analyst Note These actions demonstrate ongoing international efforts to disrupt ransomware operations by targeting their technical infrastructure and the individuals involved. Technical Takeaways LockBit is active, with three new victims in manufacturing and retail sectors. Ransomware targets are geographically varied, with incidents in Asia, Europe, and the Americas. Shadowbyt3s targeted a video game company in the media and entertainment sector. This shows varied impact on organizations. Smaller ransomware groups (3AM, Krybit, Payload, Stormous) add to the threats, each with single victim counts. Victim industries cover many types, from critical sectors like energy to services like legal and intellectual property. This indicates opportunistic targeting. --- ## CVE-2026-35273 Oracle PeopleSoft Zero-Day RCE - URL: https://purple-ops.io/blog/oracle-peoplesoft-cve-2026-35273-rce - Date: 2026-06-13 - Category: CVE Analysis - Tags: cve-2026-35273, oracle-peoplesoft, rce, zero-day, shinyhunters - Reading time: 5 min **Summary:** Oracle PeopleSoft CVE-2026-35273 is a critical zero-day RCE actively exploited by ShinyHunters, compromising over 100 higher education entities for data theft. CVE-2026-35273 Oracle PeopleSoft Zero-Day RCE Oracle's PeopleSoft PeopleTools is affected by CVE-2026-35273, a critical zero-day Remote Code Execution (RCE) vulnerability that is currently being actively exploited in the wild by the cybercrime group ShinyHunters. This flaw allows unauthenticated attackers to gain full control over affected servers. While Oracle has not yet released a CVSS score for CVE-2026-35273, its nature as an unauthenticated RCE zero-day indicates maximum severity. The exploitation campaign, first identified by Mandiant and Google Threat Intelligence Group, commenced no later than May 27, 2026. It primarily targets organizations in the higher education sector, with over 100 entities potentially compromised. This widespread activity has led to significant data theft and subsequent extortion demands, showing the immediate and severe risk posed by this vulnerability. Oracle acknowledged the vulnerability and provided preliminary mitigation advice on June 12, 2026, several weeks after initial exploitation was detected. As of this report, a definitive patch to remediate CVE-2026-35273 remains unavailable. Organizations utilizing Oracle PeopleSoft PeopleTools are urged to implement all available mitigations and enhance monitoring to detect and respond to potential exploitation attempts. What is CVE-2026-35273 and why is it critical? CVE-2026-35273 is an unauthenticated Remote Code Execution (RCE) vulnerability present in Oracle PeopleSoft PeopleTools, which is currently under active exploitation by the ShinyHunters cybercrime group. This defect permits an attacker to execute arbitrary code on a vulnerable server without needing any prior authentication. CVE-2026-35273 is critical for several reasons. Firstly, RCE vulnerabilities are among the most severe, as they grant attackers the ability to run malicious code directly on a target system. This can lead to complete compromise of the server, including data exfiltration, system modification, or the establishment of persistent access. Secondly, the vulnerability is unauthenticated, meaning an attacker does not require valid credentials or session tokens to initiate the exploit. This significantly broadens the attack surface, allowing any threat actor with network access to a vulnerable instance to attempt exploitation. Thirdly, CVE-2026-35273 is a zero-day vulnerability, indicating that a fix from Oracle was not publicly available when exploitation began. This status leaves affected organizations exposed without an immediate patching solution, forcing reliance on mitigations that may not fully prevent exploitation. Oracle PeopleSoft PeopleTools provides core functionality for critical enterprise applications, including Human Resources (HR) and Customer Relationship Management (CRM). The compromise of systems hosting such data can have far-reaching consequences, impacting sensitive employee, student, and customer information. Impact and Risks Associated with CVE-2026-35273 Attackers exploiting CVE-2026-35273 can achieve unauthenticated remote code execution, leading directly to server takeover, full data exfiltration, and subsequent extortion attempts against victim organizations. The direct impact is the compromise of the underlying PeopleSoft server, enabling adversaries to access, steal, or manipulate sensitive information stored or processed by the system. Organizations using Oracle PeopleSoft PeopleTools are at risk, with a pronounced targeting of the higher education sector. Google and Mandiant intelligence indicates that 68% of the potential victim pool for this campaign comprises educational institutions, predominantly located in the United States. This specific targeting may be indicative of the prevalence of exposed PeopleSoft instances within this sector, or the perceived value of the data held by these entities. The nature of the data typically managed by Oracle PeopleSoft applications, such as student records, staff payroll information, human resources databases, and customer details, makes it highly valuable to threat actors. ShinyHunters, a financially motivated cybercrime group, specializes in data theft and subsequent extortion. Their modus operandi involves exfiltrating large volumes of sensitive data and then threatening to publish it publicly unless a ransom is paid. The University of Nottingham confirmed a significant amount of student data was stolen during a cyberattack linked to this campaign, with ShinyHunters subsequently leaking portions of the school's data. The real-world reach of this campaign is substantial, with Mandiant and Google alerting more than 100 organizations to potentially vulnerable endpoints. The ongoing nature of the campaign, with ShinyHunters actively sending extortion demands as recently as June 12, 2026, indicates a sustained and evolving threat. Beyond Google's immediate visibility, additional victims may be impacted, broadening the overall scope of the incident. The financial and reputational ramifications for compromised organizations are severe, encompassing potential regulatory fines, legal liabilities, reputational damage, and loss of trust among constituents. Exploitation Chain and Threat Actor Activity The exploitation of CVE-2026-35273 involves unauthenticated attackers using a critical defect in Oracle PeopleSoft PeopleTools to gain remote code execution, with initial observed activity dating back to at least May 27, 2026. This attack vector allows adversaries to execute malicious code on target systems without needing any valid credentials, significantly simplifying the initial access phase. The primary precondition for exploitation is a publicly accessible Oracle PeopleSoft PeopleTools instance connected to the internet. The threat actor behind this ongoing campaign is ShinyHunters, a notorious cybercrime group recognized for its focus on data theft and extortion. The group's operational pattern typically involves identifying vulnerable systems, exploiting them to gain unauthorized access, exfiltrating large quantities of sensitive data, and then publicly exposing or threatening to expose this data as a means of coercing victims into paying a ransom. This activity aligns with previous campaigns by ShinyHunters targeting Oracle products, an area of focus for the group as extensively documented in our analysis of ShinyHunters' Oracle PeopleSoft zero-day operations. The timeline of this exploitation event shows a significant period during which organizations were vulnerable without a vendor-supplied patch. Exploitation commenced at least by May 27, 2026. Oracle formally disclosed the vulnerability and provided mitigation steps on June 12, 2026, approximately two weeks after the attacks began. This gap demonstrates the challenges posed by zero-day threats, where active exploitation can precede public disclosure and the availability of official fixes. Our team has previously reported on aspects of this vulnerability, for instance, in our analysis of Oracle PeopleSoft CVE-2026-35273 RCE. ShinyHunters has been observed stealing data, naming victims, and publishing allegedly stolen information. The University of Nottingham's confirmation of a data security incident and the subsequent leak of student data by ShinyHunters serves as a concrete example of the group's operational tactics. This public shaming and data exposure tactic is a common element of their extortion model, increasing pressure on victims to comply with ransom demands. The group's activities, including data exfiltration and subsequent extortion, mirror those observed in other high-profile incidents involving Oracle products, such as those covered in our report on ShinyHunters and Oracle PeopleSoft CVE-2026-35273. Which products and versions are affected by CVE-2026-35273? CVE-2026-35273 specifically impacts Oracle PeopleSoft PeopleTools. While Oracle has confirmed the vulnerability within this product line, specific affected versions have not been publicly detailed by the vendor at the time of this report. This implies that organizations running any version of Oracle PeopleSoft PeopleTools should consider their installations potentially vulnerable until further specific guidance or patches are released. The broad nature of "PeopleSoft PeopleTools" as a product suite suggests that the vulnerability may reside in a core component common across various deployments, regardless of the specific PeopleSoft application (e.g., HR, CRM) being used. The lack of precise version numbers for affected software typically means that a wide range of deployments could be susceptible. Therefore, administrators should assume that all publicly exposed instances of Oracle PeopleSoft PeopleTools are at risk and prioritize applying any forthcoming patches or implementing all recommended mitigations. Detection Strategies for CVE-2026-35273 Exploitation Detecting exploitation of CVE-2026-35273 requires vigilant and proactive monitoring of Oracle PeopleSoft PeopleTools environments for anomalous process execution, unusual network activity, and indicators of data staging or exfiltration. Given the unauthenticated RCE nature of the vulnerability, initial compromise involves direct execution of malicious payloads, not traditional authentication failures. Organizations should implement full logging and monitoring across their PeopleSoft infrastructure, focusing on both application and operating system layers. Key detection strategies include: Log Analysis: Web Server Logs: Monitor for unusual or malformed HTTP requests targeting PeopleSoft PeopleTools endpoints, especially those that deviate from normal user or application behavior. Look for requests with suspicious payloads or long, encoded parameters. Application Logs: Scrutinize PeopleSoft application logs for errors, unexpected behavior, or unauthorized administrative actions that may indicate a compromise. Operating System Event Logs: Look for suspicious process creation by the PeopleSoft service account or related processes (e.g., cmd.exe, powershell.exe, wscript.exe) that deviate from baseline activity. Pay attention to unexpected child processes, especially those attempting to execute shell commands or interact with system utilities. Authentication Logs: While exploitation is unauthenticated, post-exploitation activity may involve attempts to create new user accounts or modify existing ones, which would be visible in authentication logs. Endpoint Detection and Response (EDR) Queries: Process Monitoring: Create EDR rules to detect anomalous process execution originating from the PeopleSoft application's process ID (PID). Look for processes spawning from the main PeopleSoft application server process that are not typical for its operation. File System Monitoring: Monitor critical PeopleSoft directories and files for unauthorized modifications, creation of new executable files, or staging of exfiltrated data. Network Connections: Identify outbound network connections initiated by PeopleSoft processes to unusual or external IP addresses, especially those commonly associated with command-and-control (C2) infrastructure or data exfiltration points. Registry/Configuration Changes: Monitor for suspicious modifications to system registry keys or configuration files that could establish persistence or alter system behavior. Network Traffic Analysis: Traffic Anomalies: Baseline normal network traffic patterns to and from PeopleSoft PeopleTools servers. Look for sudden spikes in outbound data transfer, particularly to suspicious external destinations. Protocol Deviations: Identify the use of unusual protocols or non-standard ports by PeopleSoft servers. Known IOCs: While specific Indicators of Compromise (IOCs) for CVE-2026-35273 exploitation by ShinyHunters have not been publicly released, organizations should continuously integrate and scan for any emerging IOCs from trusted threat intelligence feeds related to ShinyHunters or similar data exfiltration campaigns. File Integrity Monitoring (FIM): Implement FIM solutions on PeopleSoft servers to detect unauthorized changes to critical system files, application binaries, and configuration files. Regular auditing of security configurations, user accounts, and access permissions within the PeopleSoft environment can also help identify post-exploitation lateral movement or privilege escalation attempts. Remediation and Mitigation for CVE-2026-35273 As of June 12, 2026, Oracle has not released an official patch to fully remediate CVE-2026-35273. However, the vendor has provided mitigation steps that organizations should implement immediately to reduce their exposure to active exploitation. Given the severe nature of this zero-day unauthenticated RCE, proactive and stringent mitigation is important. Remediation and mitigation efforts should prioritize limiting exposure and monitoring for signs of compromise: Apply Patches Immediately (When Available): Monitor Oracle's official security advisories and patch releases closely. As soon as a patch for CVE-2026-35273 becomes available, organizations must plan and execute its deployment without delay across all affected Oracle PeopleSoft PeopleTools instances. Prioritize critical or publicly exposed systems. Implement Oracle's Recommended Mitigations: While specific details of Oracle's recommended mitigations were not provided in the initial disclosure, general best practices for protecting against unauthenticated RCE in web-facing applications include: Restrict Network Access: Limit network access to PeopleSoft PeopleTools instances from the internet to only essential IP ranges or trusted networks. Utilize firewalls to enforce strict inbound and outbound access control lists (ACLs). Consider placing PeopleSoft servers behind a VPN or bastion host for administrative access. Network Segmentation: Isolate PeopleSoft application servers and databases from other critical internal systems through network segmentation. This limits an attacker's ability to move laterally within the network post-exploitation. Web Application Firewall (WAF): Deploy and properly configure a WAF in front of PeopleSoft PeopleTools instances. A WAF can help detect and block malicious requests, including those attempting to exploit CVE-2026-35273, by filtering for known attack patterns or anomalies in traffic. Least Privilege: Ensure that the PeopleSoft application and its underlying services run with the absolute minimum necessary privileges on the operating system. Disable Unused Functionality: Review and disable any PeopleSoft PeopleTools components, services, or features that are not strictly required for business operations. Secure Configuration Review: Conduct a thorough review of all PeopleSoft and underlying server configurations to ensure they adhere to security best practices and hardened standards. Enhanced Monitoring and Incident Response: Given the active exploitation, organizations must enhance their monitoring capabilities as detailed in the detection section. This includes rigorous log analysis, EDR monitoring, and network traffic inspection for any indicators of compromise. Develop and rehearse incident response plans specifically for a potential PeopleSoft compromise. This includes procedures for isolating affected systems, forensic analysis, data recovery, and stakeholder communication. Conduct regular security audits and vulnerability assessments of PeopleSoft deployments to identify and address other potential weaknesses. The absence of an immediate patch increases the importance of strong mitigations and continuous monitoring. Organizations should operate under the assumption that their publicly exposed PeopleSoft instances are targets and prepare for potential breaches. Technical Takeaways CVE-2026-35273 is an unauthenticated Remote Code Execution (RCE) zero-day vulnerability affecting Oracle PeopleSoft PeopleTools. The ShinyHunters cybercrime group is actively exploiting this flaw, with observed activity dating back to at least May 27, 2026. The primary targets are organizations in the higher education sector, particularly in the United States, leading to data theft and extortion. Oracle disclosed the vulnerability and recommended mitigations on June 12, 2026, but has not yet released a patch, leaving systems exposed. Immediate implementation of network access restrictions, strong logging, and enhanced monitoring for anomalous activity on PeopleSoft PeopleTools instances is critical to mitigate risk. --- ## DragonForce Ransomware Claims 7 Victims in 24h - URL: https://purple-ops.io/blog/dragonforce-ransomware-7-victims - Date: 2026-06-12 - Category: Ransomware Report - Tags: none - Reading time: 7 min **Summary:** DragonForce ransomware claimed 7 new victims in 24 hours, leading recent activity across real estate and manufacturing sectors. DragonForce Ransomware Claims 7 Victims in 24h Statistical Overview Victim Totals This month: 295 This quarter: 1840 Year to date: 4464 Last 24h: 37 Quarterly Breakdown Q1: 2631 | Q2: 1840 | Q3: 0 | Q4: 0 Ransomware activity continues, with 37 new victims recorded in the last 24 hours. This adds to a total of 1840 victims this quarter. Activity comes from operations including DragonForce, M3RXDLS, and DireWolf. Introduction Ransomware operators posted 37 new victims in the last 24 hours. DragonForce (7 victims), M3RXDLS (6 victims), and DireWolf (4 victims) were responsible for most activity. Key sectors targeted include Real Estate, Manufacturing, and Construction & Engineering, affecting the United States and the United Arab Emirates. Qilin ransomware affiliates have been linked to a critical VPN vulnerability, CVE-2026-50751, and are actively exploiting it. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1DragonForce7A. liberty engineering co. ltd, Al ishrak contracting, Al shafar grc (+4)United Arab Emirates, BahrainReal Estate, Manufacturing 2M3RXDLS6Fasadeconsult.no, Hbexperts-conseils.ca, Ktwhs.com (+3)Costa Rica, CanadaConstruction & Engineering, Transportation & Logistics 3DireWolf4Clínica vida, Did asia, Jewelex (+1)Spain, ThailandManufacturing, Healthcare 4SLSH4American tower corporation, Jcpenney & several other subsdiaries under catalyst brands & authentic brands group, Madison square garden sports corp. (+1)United StatesTelecommunications, Retail & Ecommerce 5INC Ransom3DISCOLABINDU, Kewaunee Scientific, Signazon_USAUnited StatesLegal, Professional Services 6Gunra2Mhe9 logística ltda, Suárez&claveraUruguay, BrazilTransportation & Logistics, Professional Services 7Krybit2Aisem.gob.bo, Www.progress-security.comBolivia, United Arab EmiratesHealthcare, Professional Services 8NightSpire2Pattono s.r.l, Sierra west jewelersUnited States, ItalyRetail & Ecommerce 9Akira1Ddc domus design collectionUnited StatesProfessional Services 10Anubis1Fétis group & secom engineeringFranceConstruction & Engineering 11BlackX1Daechang solutionSouth KoreaManufacturing 12Bravox1Ccs global techUnited StatesTechnology / Software DragonForce and M3RXDLS were the most active ransomware groups, with 7 and 6 new victims respectively. DragonForce focused on Real Estate and Manufacturing in the United Arab Emirates, while M3RXDLS targeted Construction & Engineering and Transportation & Logistics firms, primarily in Canada and Costa Rica. Recent reporting details DragonForce's activity across various sectors. M3RXDLS has also shown activity recently. SLSH impacted Telecommunications and Retail & Ecommerce within the United States, claiming American Tower Corporation and JCPenney. The Anubis group carried out a targeted attack against the Adriatic Port Authority in France, disrupting critical infrastructure. Victim Distribution By Country United States: 13 United Arab Emirates: 4 Hong Kong: 2 Canada: 2 Spain: 2 Thailand: 1 Uruguay: 1 Bolivia: 1 Brazil: 1 Colombia: 1 By Industry Construction: 2 Engineering Services: 2 Legal Services: 1 Hospitality: 1 Security and Investigations: 1 Design Services: 1 Entertainment: 1 Furnishings, Fixtures & Appliances: 1 Information Technology Services: 1 Investment Banking: 1 The distribution shows ongoing targeting of North American entities, especially in the United States, along with attacks in the Middle East and parts of Europe. Various industries are affected, with Construction, Engineering, and Real Estate sectors frequently impacted. This shows consistent targeting of operational and infrastructure-related businesses. Ransomware News Topline Recent intelligence shows Qilin affiliates exploiting a critical vulnerability, a large cryptocurrency laundering service takedown, and information on new ransomware operations like The Gentlemen and an Anubis incident. Campaigns & Operations Qilin ransomware affiliates exploit CVE-2026-50751, a critical authentication bypass vulnerability in Check Point Remote Access VPNs. The Anubis ransomware group launched a targeted operation against the Adriatic Port Authority. They used spear-phishing (T1190) for initial access, which resulted in data exfiltration and operational disruption. The Gentlemen, tracked as Phantom Mantis and operating as an AI-enhanced Ransomware-as-a-Service, has claimed 478 victims. They often gain initial access through exposed VPNs and edge devices like Cisco and Fortinet FortiGate. The operation includes a self-spreading worm mode and multi-version ransomware for various operating systems. Law enforcement agencies, including Europol and the DOJ, dismantled AudiA6, a cryptocurrency laundering service that had processed over €336 million for ransomware gangs and cybercriminals. Vulnerabilities & TTPs Exploiting critical vulnerabilities such as CVE-2026-50751 in Check Point VPNs is a key way groups like Qilin gain initial access. Anubis gained initial access through spear-phishing (T1190), while The Gentlemen uses exposed VPNs and edge devices. The Gentlemen's operations include a Go-based payload with hybrid encryption, a self-spreading worm capability, and post-exploitation tooling such as NetExec and EDR killers. Technical Takeaways Qilin ransomware affiliates actively exploit CVE-2026-50751, a critical authentication bypass in Check Point Remote Access VPN. "The Gentlemen" ransomware (Phantom Mantis) has advanced features like a self-spreading worm mode and cross-platform targeting (Windows, Linux, ESXi). Spear-phishing (T1190) remains an effective initial access method for ransomware operations, as demonstrated by Anubis. The dismantling of the AudiA6 crypto laundering service shows ongoing law enforcement efforts to disrupt ransomware financial infrastructure. Ransomware groups continue to target the Manufacturing, Real Estate, and Construction & Engineering sectors globally, with a concentration in the United States and United Arab Emirates. DragonForce Ransomware: Tactics and Targeting Patterns DragonForce has emerged as a persistent threat actor with a clear preference for high-value targets in the Middle East and Asia-Pacific regions. Key operational characteristics include: Double extortion model: Data exfiltration before encryption maximizes leverage Sector focus: Real estate, manufacturing, and construction firms are primary targets Geographic concentration: UAE and Bahrain account for the majority of recent victims Affiliate structure: Operates a ransomware-as-a-service (RaaS) model attracting experienced affiliates Organizations in these sectors should prioritize endpoint detection and network segmentation to reduce exposure. See our DragonForce threat profile Understanding the 24-Hour Victim Surge A spike of 7 victims claimed by a single group within 24 hours signals either a coordinated campaign or exploitation of a newly disclosed vulnerability. Analysts should consider: Opportunistic timing: Ransomware groups often accelerate attacks after major vulnerability disclosures Pre-positioned access: Threat actors may have established footholds weeks before encryption Automated deployment: Modern ransomware tooling enables rapid, parallel victim processing Negotiation pressure tactics: High victim counts force faster ransom decisions Tracking velocity trends alongside victim totals provides early warning of escalating campaigns. Explore our ransomware velocity tracker Defensive Recommendations for Targeted Sectors With real estate and manufacturing firms consistently appearing in DragonForce victim lists, sector-specific defenses are critical: Patch management: Prioritize internet-facing VPN and remote access infrastructure immediately Backup isolation: Maintain offline, immutable backups tested monthly Access controls: Enforce MFA across all administrative and remote access accounts Threat intelligence subscriptions: Monitor ransomware leak sites for early breach indicators Incident response planning: Establish pre-negotiated IR retainer agreements before an incident occurs Proactive hardening remains the most cost-effective defense against ransomware operators at this activity level. --- ## Oracle PeopleSoft CVE-2026-35273 (CVSS 9.8) ShinyHunters - URL: https://purple-ops.io/blog/oracle-peoplesoft-cve-2026-35273-shinyhunters - Date: 2026-06-12 - Category: CVE Analysis - Tags: cve-2026-35273, oracle-peoplesoft, shinyhunters, rce, zero-day - Reading time: 5 min | CVSS: 9.8 **Summary:** Oracle PeopleSoft CVE-2026-35273, a critical CVSS 9.8 zero-day RCE in PeopleTools, is actively exploited by ShinyHunters for data theft. Oracle PeopleSoft CVE-2026-35273 (CVSS 9.8) ShinyHunters Oracle's PeopleSoft PeopleTools contains a critical zero-day vulnerability, CVE-2026-35273, which allows unauthenticated remote code execution (RCE). This flaw holds a CVSS base score of 9.8 and is currently being actively exploited by the ShinyHunters extortion group in data theft campaigns. The vulnerability is severe because it allows complete system compromise without prior authentication. Oracle has issued emergency mitigations for CVE-2026-35273, impacting PeopleSoft PeopleTools versions 8.61 and 8.62. A full patch is anticipated, but the immediate availability of mitigations shows this issue needs immediate attention. PurpleOps intelligence indicates that the education sector has been a primary target of these attacks. The ShinyHunters group is known for breaching cloud SaaS instances, CRMs, and enterprise platforms to steal large volumes of corporate data. Using this zero-day in Oracle PeopleSoft environments shows they are targeting critical business infrastructure. Organizations running affected PeopleSoft deployments are at heightened risk of data exfiltration and subsequent extortion demands. What is CVE-2026-35273 and why is it critical? CVE-2026-35273 is an unauthenticated remote code execution vulnerability in Oracle PeopleSoft PeopleTools, critical due to its high CVSS score of 9.8 and active zero-day exploitation. This flaw resides within the core PeopleTools component, which underpins various Oracle PeopleSoft Enterprise Applications. The ability for an unauthenticated attacker to remotely execute code grants them significant control over compromised systems. The vulnerability is more severe because it requires no prior authentication, allowing adversaries to initiate attacks directly against exposed PeopleSoft instances. A successful exploit can lead to arbitrary code execution with the privileges of the underlying application server, potentially escalating to root-level access. This level of access enables data theft, system manipulation, persistent unauthorized access, and further breaches within the enterprise environment. Oracle PeopleSoft systems often manage sensitive organizational data, including human resources, financial, student, and other sensitive information. The compromise of such a system can lead to severe data breaches, regulatory non-compliance, significant operational disruption, and reputational damage. The high CVSS score of 9.8 shows this critical impact, classifying it as a top-priority vulnerability requiring immediate attention and remediation. Impact An attacker successfully exploiting CVE-2026-35273 can achieve remote code execution with root privileges on the affected Oracle PeopleSoft system. This capability grants the threat actor full control over the application server and its underlying operating system. The primary risk identified in current exploitation campaigns is large-scale data theft from organizational instances. The ShinyHunters extortion gang has claimed to have stolen data from 300 instances belonging to over 100 organizations by exploiting this vulnerability. Mandiant's threat intelligence also reported that they initiated notifications to over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. 68% of these organizations operated within the higher education sector. This shows a targeted focus. The real-world implications of such a compromise extend beyond data theft. Threat actors who gain root-level access on an Oracle Sentry instance, or similar critical enterprise gateways, can: Control the appliance's configurations, potentially altering system behavior or creating backdoors. Access stored credentials and integrated authentication or directory connections, facilitating lateral movement. Modify access requirements and weaken existing security controls. Exfiltrate configurations, credentials, and other sensitive secrets from the appliance. Move laterally deeper into an organization's environment, depending on the network placement of the compromised PeopleSoft instance. The education sector, in particular, has increased risks due to the sensitive nature of student and staff data managed by PeopleSoft systems. Large-scale breaches can severely impact institutional reputation, incur significant financial penalties, expose personal information, and cause legal issues. This targeting pattern is consistent with ShinyHunters' prior activities, such as their attack on Instructure Canvas, where they reportedly stole 280 million data records from schools and universities. Our team has previously reported on similar critical Oracle flaws under attack that show the consistent threat to these systems. How is CVE-2026-35273 being exploited? CVE-2026-35273 is being exploited as a zero-day by the ShinyHunters extortion gang, using a "gadget chain" of old and zero-day flaws to breach PeopleSoft instances for data theft. The threat actor focuses on cloud SaaS instances, CRMs, and enterprise platforms that host extensive corporate data. This shows a financial motivation tied to extortion. Following successful exploitation, ShinyHunters typically downloads the stolen data and issues a ransom demand to prevent its public release. Mandiant's analysis describes the exploitation chain and attacker methodologies. Threat actors have been observed using exposed staging servers to host HTTP services, which serve as command-and-control infrastructure. They deploy custom MeshCentral remote management agents configured to communicate with attacker-controlled infrastructure. This infrastructure is often designed to masquerade as legitimate Microsoft Azure services to evade detection. Initial post-exploitation activities include extensive reconnaissance on compromised instances. Attackers meticulously map out PeopleSoft and WebLogic configurations to understand the environment. They then use scripts to enable lateral movement across internal systems, often using stolen or hardcoded credentials obtained during the initial compromise. This methodical approach allows them to deepen their foothold within the network and exfiltrate more data. Data exfiltration involves compressing the stolen information before transmitting it to attacker-controlled servers. Mandiant linked observed activity to the ShinyHunters data leak site through connections to a server at 176.120.22[.]24. The targeting of specific Oracle enterprise applications is consistent with observed patterns, as detailed in our analysis of CL0P's attacks on Oracle E-Business Suite. Several IP addresses have been identified as being used in these attacks, serving as command-and-control points or for data exfiltration: 142.11.200[.]186 142.11.200[.]187 142.11.200[.]188 142.11.200[.]189 142.11.200[.]190 108.174.202[.]99 176.120.22[.]24 (Associated with ShinyHunters data leak site) The exploitation of CVE-2026-35273 by ShinyHunters shows a persistent threat against critical enterprise software. Organizations should consider Oracle PeopleSoft instances to be high-value targets because of this group's history of high-profile data theft campaigns, including those against Salesforce and Snowflake customers. Our prior analysis of an Oracle zero-day exploit that was actively exploited after patching provides additional insight into persistent threats to Oracle systems. Affected products and versions The CVE-2026-35273 vulnerability specifically impacts the following Oracle PeopleSoft PeopleTools versions: Oracle PeopleSoft PeopleTools version 8.61 Oracle PeopleSoft PeopleTools version 8.62 Also, Oracle PeopleSoft Enterprise Applications customers may be affected by this vulnerability if their deployments utilize the vulnerable PeopleTools versions. Oracle's advisory states that the flaw is present within PeopleSoft PeopleTools, making it a basis for vulnerabilities in various applications built upon this framework. Organizations are advised to verify their exact PeopleTools version to determine exposure. Detection Detecting CVE-2026-35273 requires network monitoring, log analysis, and host-based forensics. These indicators are important for identifying active exploitation or post-compromise activity related to the ShinyHunters campaign. Restrict Network Access: Limit external exposure of PeopleSoft endpoints. Review Access Logs for Suspicious Requests: Monitor web server and application logs for unusual or high volumes of requests targeting the following paths: /PSEMHUB/ /PSIGW/HttpListeningConnector Look for requests originating from unexpected IP addresses or containing unusual parameters indicative of exploitation attempts. Inspect Servers for Signs of Compromise: Filesystem Anomalies: Presence of unexpected .jsp webshell files in WebLogic application directories. These files can provide persistent remote access. Unauthorized files or binaries staged within PSEMHUB transaction folders, indicating attacker staging areas. Suspicious directories such as logs, persistantstorage, or scratchpad with unusual contents or modification timestamps. Unusual modification timestamps on legitimate files. Configuration File Modifications: Recently modified XML files that could be used to maintain persistence or trigger remote code execution after a restart of PeopleSoft services. Changes to legitimate configuration files that introduce malicious elements. Process Monitoring: Identify unusual processes running on the PeopleSoft host, particularly those spawned by the application server user, or custom MeshCentral agents. Network Indicators of Compromise (IOCs): Monitor outbound network traffic for connections to the following known attacker IP addresses: 142.11.200[.]186 142.11.200[.]187 142.11.200[.]188 142.11.200[.]189 142.11.200[.]190 108.174.202[.]99 176.120.22[.]24 (This IP is associated with the ShinyHunters data leak site and is a strong indicator of compromise or data exfiltration attempts.) Identify unusual data transfer volumes from PeopleSoft servers to external IP addresses. These detection strategies help security teams identify potential exploitation attempts or successful compromises related to CVE-2026-35273. Remediation Immediate and thorough remediation is required to address the CVE-2026-35273 vulnerability and reduce the risk from active ShinyHunters exploitation. Oracle has provided specific guidance for affected organizations. Apply Emergency Mitigations: Oracle has released emergency mitigations documented under ID CPU187. Organizations must apply these mitigations to their affected Oracle PeopleSoft PeopleTools environments immediately. These temporary fixes are designed to reduce the attack surface before a full patch is available. Apply Official Patch: Monitor for Oracle's official patch release for CVE-2026-35273 and apply it without delay. Full patching is the most complete and permanent solution to the vulnerability. Restrict Network Access: Implement strict network segmentation and firewall rules to limit external access to PeopleSoft systems. Public-facing instances should be placed behind web application firewalls (WAFs) and access restricted to trusted networks or VPNs where feasible. This reduces the exposure to unauthenticated remote exploitation. Enhanced Monitoring and Incident Response: Review all logs for the detection indicators mentioned previously. Conduct a thorough compromise assessment on all PeopleSoft instances, particularly those with external exposure, to identify any signs of prior compromise or ongoing attacker presence. If compromise is detected, initiate incident response procedures, including forensic analysis and eradication of attacker footholds. Restore systems from known-good backups if compromise is detected. Regularly review and update security configurations for PeopleSoft and associated WebLogic components. --- ## ShinyHunters Exploits Oracle PeopleSoft Zero-Day Flaw - URL: https://purple-ops.io/blog/shinyhunters-oracle-peoplesoft-zero-day - Date: 2026-06-12 - Category: Threat Intelligence - Tags: shinyhunters, oracle-peoplesoft, zero-day, cve-2026-35273, rce - Reading time: 5 min **Summary:** ShinyHunters exploited a critical Oracle PeopleSoft zero-day (CVE-2026-35273, CVSS 9.8), compromising numerous university systems for data exfiltration. ShinyHunters Exploits Oracle PeopleSoft Zero-Day Flaw ShinyHunters, a prominent cybercrime group, has actively exploited a zero-day remote code execution vulnerability, CVE-2026-35273, in Oracle PeopleSoft Enterprise PeopleTools. This critical flaw, rated 9.8 out of 10, enabled the group to breach numerous enterprise systems, with universities bearing the brunt of the attacks. One confirmed victim, the University of Nottingham, saw sensitive data from approximately 455,000 unique email addresses compromised, including names, addresses, passport numbers, and personal demographic details. The campaign, tracked by Mandiant as UNC6240, unfolded between May 27 and June 9, 2026, predating Oracle's official advisory and patch release. This incident shows a critical shift in the threat environment, where sophisticated actors use unpatched vulnerabilities for significant data exfiltration and extortion. The rapid weaponization of such flaws creates persistent challenges in vulnerability management and incident response. The exploitation by ShinyHunters coincides with broader industry discussions about the accelerating pace of cyber threats. Developments in artificial intelligence are significantly compressing the time between vulnerability discovery and active exploitation, complicating defensive efforts. Simultaneously, international law enforcement agencies are intensifying their efforts to dismantle the financial infrastructure supporting these cybercriminal operations, as demonstrated by Europol's recent action against a major cryptocurrency laundering service. How did ShinyHunters exploit the Oracle PeopleSoft zero-day? The ShinyHunters extortion crew, identified by Mandiant as UNC6240, exploited CVE-2026-35273, a remote code execution (RCE) flaw in Oracle PeopleSoft Enterprise PeopleTools. This unauthenticated vulnerability, rated 9.8 on the CVSS scale, allowed attackers to take over affected servers without requiring user interaction, particularly those running the Environment Management Hub accessible externally. The flaw resides within the Updates Environment Management component (PSEMHUB), specifically impacting PeopleTools versions 8.61 and 8.62, with earlier unsupported versions also likely vulnerable. Mandiant observed active exploitation of this zero-day between May 27 and June 9, 2026, ahead of Oracle publishing its advisory and patch on June 10. The attackers' operational methods were revealed due to exposed infrastructure, initially flagged by researcher @nahamike01. This infrastructure included Python SimpleHTTP servers running on port 8888, which were used for staging files. Analysis of these servers revealed a shared .bash_history, custom MeshCentral remote-management agents disguised as Microsoft Azure binaries, and a lateral-movement script. The attack chain involved these custom MeshCentral agents, which communicated with a command-and-control server at azurenetfiles.net, a domain designed for obfuscation. A specific script, named [victim]_fanout.sh, facilitated lateral movement across internal networks. This script used SSH by spraying a hardcoded list of usernames and passwords against internal hosts enumerated from /etc/hosts. Upon successful compromise, the attackers dropped a marker file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into PeopleSoft directories. Exfiltrated data was compressed using zstd before being transferred via an outbound SSH connection to a server hosting a public mirror of the ShinyHunters leak site. The emergence of such sophisticated zero-day exploitation campaigns shows how advancements in adversarial capabilities, including potential AI assistance, can drastically accelerate the development and deployment of new exploits, as discussed in research on AI-built zero-day exploits. Mandiant subsequently notified over 100 organizations whose IP addresses matched vulnerable endpoints, identifying 68% of these as higher education institutions, predominantly in the United States. The University of Nottingham publicly confirmed its breach, with Have I Been Pwned documenting approximately 455,000 unique email addresses among the leaked records. This dataset included names, addresses, phone numbers, passport numbers, and sensitive details concerning ethnicity and disabilities. Oracle's immediate guidance centers on mitigation for those unable to apply patches promptly. This includes disabling the Environment Management Hub service in multi-server configurations or removing the PSEMHUB application entirely in single-server setups. If these actions are not feasible, organizations should block external access to /PSEMHUB/* (specifically /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the perimeter. Mandiant cautions that Web Application Firewall (WAF) body-inspection rules may be insufficient due to potential bypasses. Organizations should also hunt for indicators of compromise (IOCs) to detect existing breaches. This includes reviewing WebLogic access logs for external POST requests to /PSEMHUB/hub or /PSIGW/HttpListeningConnector. Further investigation should look for unexpected .jsp files within the PSEMHUB.war web application directory, or unusual logs, persistantstorage, or scratchpad folders under PSEMHUB paths. Recently modified .xml files under the web document root's envmetadata/data/environment could indicate XMLDecoder persistence, which fires upon server restart. Outbound SMB traffic on port 445 from PeopleSoft hosts to external destinations is another critical indicator, as the exploit chain may utilize this to capture machine-account NetNTLM hashes. Oracle recommends applying its vendor update for the relevant PeopleTools version once available via My Oracle Support. ShinyHunters has indicated that victim outreach is still underway, suggesting more compromises are likely to be disclosed. This shift by ShinyHunters towards server-side zero-day exploitation in ERP software marks a tactical escalation from their previous reliance on vishing, stolen tokens, and weak access controls. What is the impact of AI on vulnerability management and time-to-exploit? Artificial Intelligence (AI) has significantly altered the cybersecurity field by drastically compressing the window between vulnerability discovery and active exploitation, a metric known as time-to-exploit (TTE). This accelerated timeline disrupts traditional vulnerability management processes, which were historically designed with a buffer of months, now reduced to mere hours. Research indicates that AI tools are fundamentally changing the offensive side of the equation, making it increasingly difficult for defenders to keep pace. In a May 2026 update, Anthropic reported that its Claude Mythos Preview model, along with approximately 50 partners, identified over 10,000 high or critical-severity vulnerabilities in systemically important software within a single month. Earlier assessments of the gated Mythos model demonstrated its capability to generate 181 working exploits against Firefox, compared to only two from previous frontier models. This model also unearthed a 27-year-old OpenBSD bug that had remained undetected. At the time of reporting, more than 99% of these AI-discovered flaws remained unpatched, showing the sheer volume of new vulnerabilities entering the ecosystem. The collapse of the vulnerability weaponization window is stark: Zero Day Clock reports the 2026 average TTE at approximately 24 hours, a significant reduction from around 53 days in 2024. This rapid weaponization means that a vulnerability disclosed today can be actively exploited tomorrow. Verizon's 2026 DBIR supports this trend, linking 32% of initial access techniques to the exploitation of vulnerabilities and projecting an increase. AI coding assistants are empowering a broader range of attackers to build and port exploits, accelerating the overall threat velocity. Studies on AI exploit development speeds provide more detailed insights into this acceleration. An AWS threat-intelligence report from February 2026 provided a concrete example of this AI-augmented threat. It documented an actor using a custom MCP server to autonomously industrialize attacks on FortiGate devices. These attacks, which used weak credentials rather than zero-days, impacted over 600 devices across 55+ countries, with the actor's logs indicating a queue of 2,516 devices across 106 countries. This demonstrates how AI-driven automation scales offensive capabilities, allowing for widespread exploitation even of known issues. The shift towards AI-driven exploit generation means that organizations must adapt their vulnerability management strategies to cope with a significantly shrinking patch window; research on AI-driven exploit generation further explores this. Despite the increased urgency, remediation times are lagging. The Verizon 2026 DBIR, which tracked over 13,000 organizations, found that the median fix time for known-exploited vulnerabilities increased to 43 days, up from 32 the previous year. The percentage of fully patched systems decreased from 38% to 26%. Even top-performing organizations close only 30-40% of known-exploited vulnerabilities within the first week after detection. The median organization had to patch 16 known-exploited vulnerabilities in 2025, a nearly 50% increase from 11 the year prior, even before the flood of AI-discovered flaws. This new reality changes the useful question for security teams from "what's vulnerable?" to "what is actually exploitable against us right now, and would our defenses catch it if someone tried?" This shift in focus is driving the adoption of Breach and Attack Simulation (BAS), which takes real-world adversary techniques and safely runs them against live prevention and detection stacks to validate control effectiveness and prioritize risks based on actual exploitability. Why did CISA issue a Directive for the Ivanti Sentry vulnerability? The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Binding Operational Directive (BOD) 26-04) requiring Federal Civilian Executive Branch (FCEB) agencies to patch CVE-2026-10520 in Ivanti Sentry within three days due to its maximum severity and confirmed active exploitation in the wild. This directive, released on June 11, 2026, showed the critical risk posed by the vulnerability. CVE-2026-10520 is an OS command injection flaw found in Ivanti Sentry, previously known as MobileIron Sentry, a security gateway appliance. This vulnerability allows for remote code execution as root, making it highly attractive to attackers. Ivanti released patches for this flaw on June 11, 2026, initially stating there was no evidence of in-the-wild exploitation. Just one day later, the Shadowserver Internet security watchdog reported widespread exploitation attempts. Shadowserver observed that attackers had already begun backdooring many of the Sentry gateways exposed online. They noted a "large amount of Ivanti Sentry CVE-2026-10520 exploitation attempts" based on publicly available Proof-of-Concept (PoC) code. Shadowserver cautioned that their detected number of exposed instances (just over 50) might be an underestimate due to organizations blocking their scans, warning that any systems not patched immediately were likely already compromised. CISA officially confirmed the active exploitation of CVE-2026-10520 and added it to its Known Exploited Vulnerabilities Catalog (KEV) on June 11, 2026. The agency's BOD 26-04 mandates that federal agencies prioritize patching if an asset is publicly exposed, if the flaw is in the KEV catalog, if exploitation can be automated for large-scale attacks, and if successful exploitation grants partial or total control of the targeted system. CISA explicitly warned that this type of vulnerability is a "frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise." Agencies were instructed to either follow cloud services guidance for BOD 26-04 or discontinue product use if mitigations were unavailable, emphasizing the need to evaluate internet exposure and ensure adherence to patching guidelines. Over the past several years, CISA has flagged 35 vulnerabilities across Ivanti products as actively exploited, with 12 of these being targeted by ransomware gangs. Which crypto laundering service did Europol dismantle? Europol, in a coordinated international operation, successfully dismantled AudiA6, a major cryptocurrency laundering service that had facilitated the movement of over €336 million (approximately $389 million) in illicit profits for ransomware gangs and cybercriminal networks since its inception in 2021. The operation, which took place on June 10, 2026, was a significant blow to the financial infrastructure supporting global cybercrime. The operators of AudiA6 are also suspected of managing Dark2Web, a prominent dark web cybercrime forum where threat actors advertised illegal services and collaborated worldwide. The enforcement action resulted in the arrest of two alleged administrators in Georgia: Ruslan Igorevich Tkachuk, 37, and Alexander Vladimirovich Ledenev, 25, both of Ukrainian and Russian nationality. The U.S. Department of Justice (DoJ) announced charges against them for conspiracy to launder monetary instruments and sting money laundering, each carrying a maximum sentence of 20 years in prison. The scale of the disruption was extensive, encompassing multiple coordinated actions: 25 domains were taken down. Over 30 servers were seized. More than 80 vehicles and numerous properties in Georgia were seized. Cryptocurrency assets totaling €692,000 ($798,000) were frozen, and an additional €86,000 ($99,400) in cryptocurrency was seized. Telegram accounts used by the network were blocked. The clear web and dark web websites for AudiA6 and Dark2Web were replaced with law enforcement seizure banners. The DoJ's investigation revealed that out of approximately 10,333 Bitcoin deposited into AudiA6 wallets, about 393.39 BTC (valued at around $19,234,331 at the time of transactions) originated directly from known darknet markets, ransomware organizations, and other illicit sources. Additional funds were indirectly deposited from other illicit activities. AudiA6 operated as an industrial-scale cryptocurrency laundering service, offering anonymity and speed to its clientele. It processed funds by transferring illicit proceeds to wallets controlled by the group, then returning "cleaned" funds within an hour via a complex chain of transactions designed to obscure their origin. The service relied on thousands of fraudulent exchange accounts, often opened using stolen or purchased identities. Operators charged commissions ranging from 3% to 10% for these services, with transactions commonly arranged over private messaging platforms. Over 6,000 Know Your Customer (KYC) records linked to money mule accounts were identified during the investigation. Many of these mule accounts were connected to Russian-speaking intermediaries specifically recruited to facilitate the movement of criminal proceeds through various cryptocurrency exchanges. The group used both commercial email providers and their own controlled domains to register these mule accounts, including designli.pictures, pheontx.eu, smplfy.in, sumato-soft.org, technobrains.dev, lett.email, trayo.app, deliverly.top, inboxly.top, postfast.eu, postino.click, inboxally.agency, mailora.eu, postify.email, quix.express, flowcomm.click, qube.black, deliverlett.com, and lettermail.eu. AudiA6 had been linked to more than 15 investigations worldwide related to ransomware attacks and large-scale cryptocurrency theft, including funds stolen during the 2022 LastPass hack. The successful takedown was the result of extensive collaboration between the United States Secret Service, IRS Criminal Investigation, Polish Police, and law enforcement partners from Australia, Canada, France, Georgia, Germany, Iceland, Japan, Switzerland, and the U.K. This operation demonstrates law enforcement's increasing capability to trace and disrupt sophisticated crypto laundering schemes, even those employing chain-hopping, decentralized exchanges, and mixer-as-a-service platforms. Technical Takeaways AI is significantly reducing the time-to-exploit (TTE) window to approximately 24 hours, challenging traditional vulnerability management processes that typically average 43 days for remediation. Zero-day exploits, exemplified by CVE-2026-35273 in Oracle PeopleSoft, are being actively weaponized by advanced threat actors like ShinyHunters against high-value targets such as educational institutions, leading to substantial data compromises. Critical infrastructure and federal agencies face immediate and severe threats from actively exploited vulnerabilities, as evidenced by CISA's Binding Operational Directive (BOD) 26-04 requiring rapid patching for Ivanti Sentry's CVE-2026-10520 within three days. International law enforcement collaboration is effective in dismantling major financial infrastructures that enable cybercrime, such as the AudiA6 cryptocurrency laundering service, significantly impacting the operational capabilities of ransomware gangs and other illicit networks. The accelerated pace of threats necessitates a shift toward real-time validation of security controls through Breach and Attack Simulation (BAS), especially autonomous, agentic systems, to prioritize remediation based on actual exploitability rather than theoretical severity. --- ## Ivanti Sentry CVE-2026-10520 (CVSS 10.0) RCE - URL: https://purple-ops.io/blog/ivanti-sentry-cve-2026-10520-rce - Date: 2026-06-12 - Category: CVE Analysis - Tags: ivanti-sentry, cve-2026-10520, rce, os-command-injection - Reading time: 5 min | CVSS: 10 **Summary:** Ivanti Sentry CVE-2026-10520, a critical OS command injection with CVSS 10.0, enables unauthenticated RCE; patch immediately to mitigate active exploitation. Ivanti Sentry CVE-2026-10520 (CVSS 10.0) RCE Ivanti Sentry is affected by a severe OS command injection vulnerability, tracked as CVE-2026-10520, which carries a maximum CVSS base score of 10.0. This serious flaw allows an unauthenticated remote attacker to execute arbitrary code with root privileges on affected devices. Organizations using Ivanti Sentry products are urged to apply patches immediately. The vulnerability became actively exploited in the wild within 24 hours of its public disclosure. The availability of a public Proof-of-Concept (PoC) exploit accelerated its weaponization, leading to widespread scanning and exploitation attempts targeting vulnerable instances. Attackers likely pre-identified vulnerable Ivanti assets, allowing them to act quickly once exploit details surfaced. Given its maximum severity CVSS score and confirmed active exploitation, CVE-2026-10520 presents a direct and serious risk to organizations relying on Ivanti Sentry for mobile and device access management. Complete system compromise and lateral movement within an enterprise network require urgent remediation efforts. What is CVE-2026-10520? CVE-2026-10520 is an OS command injection vulnerability impacting Ivanti's Sentry mobile gateway product. It allows an unauthenticated remote attacker to achieve remote code execution (RCE) with root privileges. This means an attacker can gain full control over the compromised Sentry appliance without needing any legitimate login credentials. The CVSS base score of 10.0 indicates maximum severity. This vulnerability is critical for several reasons. Exploitation does not require authentication, which lowers the barrier for attackers. Gaining root-level access provides complete control over the device, its configurations, and any data it handles. Furthermore, Ivanti Sentry appliances often sit in a sensitive position within enterprise network architectures, controlling mobile and device access to internal systems. This placement means that a compromise can serve as a pivot point for broader network intrusion. What is the exploitation chain for CVE-2026-10520? The exploitation chain for CVE-2026-10520 is direct and requires no prior authentication. An unauthenticated remote attacker with network access to a vulnerable Ivanti Sentry appliance can send specially crafted requests that exploit the OS command injection flaw. This vulnerability then enables the execution of arbitrary operating system commands with root privileges directly on the appliance. A public Proof-of-Concept (PoC) exploit became available shortly after the vulnerability's disclosure, accelerating its weaponization. Cybersecurity vendors such as WatchTowr published technical analyses and PoC exploits, which were subsequently used by threat actors. This immediate availability of exploitation tools contributed directly to the rapid observed exploitation in the wild. Within 24 hours of disclosure, the Shadowserver Foundation observed a substantial volume of exploitation attempts leveraging the public PoC. Specifically, Shadowserver identified vulnerable instances, with at least two confirmed as backdoored. Defused also reported continuous active exploitation against their Ivanti honeypots, noting that attacks were launched directly without prior system fingerprinting, implying attackers had pre-mapped Ivanti assets. This rapid response from threat actors shows the ease of exploitation and the high value placed on compromising Ivanti Sentry devices. What impact can an attacker achieve via CVE-2026-10520? Successful exploitation of CVE-2026-10520 provides an attacker with full control over the compromised Ivanti Sentry appliance due to the root-level privileges obtained. This level of access enables a range of severe impacts on corporate data access and overall network security. Attackers can achieve a total system takeover, allowing them to deploy persistent backdoors or execute arbitrary operating system commands. The specific impacts include: Configuration Control: Gaining complete control over the appliance's configurations, potentially altering security policies or network routing. Credential Theft: Accessing and extracting stored credentials, including those used for integrated authentication or directory connections to enterprise systems. This could include sensitive authentication tokens or hashes. Data Modification and Exfiltration: Intruders can use the compromise to modify internal databases or view confidential user logs, depending on the Sentry's integrations. This also opens possibilities for data exfiltration from connected enterprise resources. Lateral Movement: Given Sentry's role as a gateway, a compromised appliance can serve as a launchpad for lateral movement deeper into the organization's environment. Attackers can use this foothold to access other internal systems, escalate privileges, and broaden their attack surface. Weakening Security Controls: Threat actors can modify access requirements, disable security features, or otherwise weaken the security posture of the Sentry appliance and potentially connected systems. This could lead to further compromises that are harder to detect. The strategic placement of Ivanti Sentry as a control point for mobile and device access amplifies the downstream impact of its compromise. As noted in our prior analysis of CVE-2026-10520, the appliance's function as an in-line gateway for mobile devices connecting to enterprise systems means that its compromise can directly affect the security of sensitive enterprise resources, including email and other critical services. This mirrors the severe implications of other critical RCE vulnerabilities observed in 2026, such as those affecting Mirasvit Cache Warmer (CVE-2026-45247) and IBM WebSphere (CVE-2026-8633), both of which also carried high CVSS scores and posed significant RCE risks. Which products are affected by CVE-2026-10520? The CVE-2026-10520 vulnerability specifically affects Ivanti Sentry mobile gateway products. All versions of Ivanti Sentry prior to the patched releases are vulnerable. The affected versions include: Ivanti Sentry versions prior to R10.5.2 Ivanti Sentry versions prior to R10.6.2 Ivanti Sentry versions prior to R10.7.1 Organizations should review their Ivanti Sentry deployments to identify any instances running these vulnerable versions. Prompt identification and updating of affected systems are essential to mitigate the risk posed by active exploitation. What detection guidance is available for CVE-2026-10520? Detecting exploitation of CVE-2026-10520 involves monitoring for anomalous activities indicating unauthorized command execution or system compromise on Ivanti Sentry appliances. Since attackers gain root privileges, the scope of potential indicators is broad. Organizations should focus on network traffic, system logs, and process monitoring for signs of post-exploitation activity. Specific detection guidance includes: Network Indicators: Monitor outbound network connections from Ivanti Sentry appliances to unusual or unauthorized external IP addresses or domains. Attackers may establish C2 channels or exfiltrate data. Look for suspicious HTTP/HTTPS requests originating from external sources targeting the Sentry appliance that deviate from normal operational patterns or show characteristics of the public PoC exploit. Host-Based Indicators (on Sentry appliance): Process Monitoring: Identify unusual or unknown processes running with root privileges on the Sentry appliance. This includes unexpected shell processes, network utilities, or data manipulation tools. File System Monitoring: Monitor for unexpected file creations, modifications, or deletions in critical system directories or web directories. Look for suspicious executables, scripts, or web shells. Log Analysis: Review system logs (e.g., /var/log/auth.log, web server access logs, Sentry application logs) for: Error messages or entries indicating failed command execution attempts that could be related to exploit attempts. Unusual login attempts or privilege escalation activities. Changes to system configurations or services that are not part of scheduled maintenance. Configuration Integrity Monitoring: Implement checks to detect unauthorized changes to the Sentry appliance's configuration files, firewall rules, or installed software packages. Backdoors often involve modifying these settings for persistence. Threat Intelligence Feeds: Integrate intelligence from sources like Shadowserver or Defused into security monitoring tools to identify known malicious IP addresses, domain names, or file hashes associated with CVE-2026-10520 exploitation. While no specific IOCs were detailed in the research findings, these organizations confirmed observing exploitation attempts and backdoored instances. Such IOCs would likely be available through their feeds. What are the remediation steps for CVE-20520? Immediate remediation is critical due to the active exploitation of CVE-2026-10520. The primary and most effective remediation is to apply the vendor-provided patches. Remediation steps include: Patching: Upgrade Ivanti Sentry instances to R10.5.2, R10.6.2, or R10.7.1 as soon as possible. These versions contain the necessary fixes for CVE-2026-10520. Refer to the official Ivanti security advisory for detailed patching instructions and any prerequisites. Workarounds/Mitigations (if immediate patching is not feasible): While specific workarounds were not detailed in the provided research, organizations should evaluate temporary network segmentation or access control restrictions to limit external exposure of Ivanti Sentry devices. Restricting access to trusted IP ranges could reduce attack surface. Implement an Intrusion Prevention System (IPS) or Web Application Firewall (WAF) rules to detect and block known exploit patterns for OS command injection, if applicable, although this is a less strong solution compared to patching. Post-Compromise Procedures: If compromise is suspected, administrators must conduct a forensic analysis of the Ivanti Sentry appliance to identify the extent of compromise, remove any backdoors or persistent access mechanisms, and ensure data integrity. Rotate all credentials associated with the Ivanti Sentry appliance and any integrated systems (e.g., authentication servers, directory services). Rebuild affected instances from trusted backups if forensic cleaning cannot be fully guaranteed. Technical Takeaways CVE-2026-10520 is an OS command injection vulnerability in Ivanti Sentry with a CVSS score of 10.0, enabling unauthenticated remote code execution with root privileges. The vulnerability affects Ivanti Sentry versions prior to R10.5.2, R10.6.2, and R10.7.1. Active exploitation of CVE-2026-10520 began within 24 hours of public disclosure, facilitated by a public Proof-of-Concept (PoC) exploit. Successful exploitation grants threat actors full control over the Ivanti Sentry appliance, allowing for configuration alteration, credential theft, data access, and lateral movement into enterprise networks. Immediate patching to a non-vulnerable version is the critical remediation step. Post-compromise forensic analysis and credential rotation are necessary if exploitation is suspected. --- ## Qilin Ransomware Claims 18 Victims in 24h - URL: https://purple-ops.io/blog/qilin-ransomware-victims-24h - Date: 2026-06-11 - Category: Ransomware Report - Tags: qilin-ransomware, ransomware, leak-site, cybercrime, victim-report - Reading time: 5 min **Summary:** Qilin ransomware claimed 18 victims across manufacturing and energy in 24 hours, as part of a total 39 new ransomware leaks. Qilin Ransomware Claims 18 Victims in 24h Statistical Overview Victim Totals This month: 258 This quarter: 1803 Year to date: 4427 Last 24h: 39 Quarterly Breakdown Q1: 2631 | Q2: 1803 | Q3: 0 | Q4: 0 Ransomware activity remains significant this quarter, with 39 new victims reported in the last 24 hours. The volume for Q2 currently stands at 1803, indicating continued operations from groups like Qilin, The_Gentlemen, and DragonForce. Introduction In the last 24 hours, ransomware operators listed 39 new victims across various sectors. Qilin was the most active group, accounting for 18 victims, primarily affecting the Energy & Utilities and Manufacturing sectors. Other groups included The_Gentlemen with 6 victims and DragonForce with 4. Attacks covered various targets, including a significant number of law firms. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1Qilin18Altavista strategic partners, Bekman marder hopper malarkey & perlin, Bitek system (+15)United States, South KoreaEnergy & Utilities, Manufacturing 2The Gentlemen6Allensbach volunteer, Highwoods, Scenic hudson (+3)Japan, United StatesGovernment / Public Sector, Financial Services 3DragonForce4Astec valves & fittings pvt, Brian cox, Cekok (+1)Hong Kong, United KingdomManufacturing, Real Estate 4Prinz Eugen3Spratley's of mortimer, Standard bank group, Transitions pro centre val de loireSouth Africa, United KingdomFinancial Services, Automotive 5Krybit2Libertyinsurance.com.ph, Probe, s.a. de c.vPhilippines, El SalvadorInsurance, Professional Services 6SLSH2Nexstar.tv, Ralph lauren corporationUnited StatesRetail & Ecommerce, Media & Entertainment 7CMD1New FACOM Co., Ltd.JapanTechnology / Software 8INC Ransom1fineconsultingUnited StatesProfessional Services 9Lamashtu1Patayafood.comThailandAgriculture & Food 10World Leaks1Reliance groupIndiaProfessional Services The summary table shows Qilin's significant activity, responsible for nearly half of all listed victims, with a focus on Energy & Utilities and Manufacturing. Groups like The_Gentlemen and DragonForce also operated consistently, attacking Government, Financial Services, and Real Estate. Prinz Eugen targeted a prominent Financial Services institution, Standard Bank Group, in South Africa. For more information on groups like Qilin and DragonForce, see our analysis on ransomware victims updates. Victim Distribution By Country United States: 22 United Kingdom: 2 Japan: 2 India: 2 Brazil: 1 Turkey: 1 Thailand: 1 South Korea: 1 South Africa: 1 Philippines: 1 By Industry Law Firms & Legal Services: 6 Construction: 2 Real Estate: 2 Machinery Manufacturing: 2 Jewelry Manufacturing: 1 Advertising, Marketing & PR: 1 Apparel Manufacturing: 1 Civil Engineering: 1 Computer Networking: 1 Energy Efficiency Services: 1 The data shows a strong concentration of ransomware attacks against organizations in the United States, accounting for over half of all new victims. Law Firms & Legal Services was a leading target industry, suggesting a broader trend: professional services are often impacted by groups like The_Gentlemen ransomware. Ransomware News Topline Law enforcement efforts disrupted a major cryptocurrency laundering service, while various threat actors targeted education, financial services, and Oracle PeopleSoft deployments. Campaigns & Operations Europol-led authorities dismantled the "AudiA6" cryptocurrency laundering service, arresting two administrators and seizing assets tied to over 15 international ransomware investigations. At the same time, the education sector faced multiple incidents. Great Marlow School in the UK confirmed a cyberattack, and Onslow County Schools in North Carolina experienced a districtwide outage that impacted phones and internet. ASEC reports ongoing BlackX ransomware campaigns against Korean and U.S. organizations. CrowdStrike's 2026 Financial Services Threat Report describes continued data-leak-and-ransom operations by Chinese and North Korean threat groups against financial services in the Asia-Pacific region. Vulnerabilities & TTPs ShinyHunters is actively exploiting a gadget chain of old and zero-day vulnerabilities to breach Oracle PeopleSoft deployments, affecting both cloud and on-prem instances and dropping ransom notes. North Korean campaigns frequently combine sophisticated social engineering, such as recruiter impersonation, with money-laundering networks. The dismantled AudiA6 service demonstrated a key TTP: it facilitated industrial-scale crypto laundering through thousands of fraudulent exchange accounts. Analyst Note These developments show the persistent nature of ransomware and cybercrime. These range from opportunistic exploitation to sophisticated state-sponsored financial operations and crucial law enforcement countermeasures. Technical Takeaways Qilin remains an active ransomware group, significantly affecting the Energy & Utilities and Manufacturing sectors. The United States is the most frequently targeted country, with other targets across Europe and Asia. Law Firms & Legal Services was a concentrated target industry this period. This indicates a specific focus on sensitive data. The ShinyHunters group is using unpatched and zero-day vulnerabilities in Oracle PeopleSoft environments to exfiltrate data and deploy ransom notes. International law enforcement successfully disrupted a major cryptocurrency laundering operation, AudiA6. This highlights ongoing efforts to disrupt the financial systems that support ransomware. --- ## Langflow CVE-2026-5027 (CVSS 8.8) Unauthenticated RCE - URL: https://purple-ops.io/blog/langflow-cve-2026-5027-rce - Date: 2026-06-11 - Category: CVE Analysis - Tags: langflow, cve-2026-5027, rce, path-traversal, ai-security - Reading time: 5 min | CVSS: 8.8 **Summary:** Langflow CVE-2026-5027, a high-severity path traversal flaw, enables unauthenticated RCE and is actively exploited on thousands of instances. Langflow CVE-2026-5027 (CVSS 8.8) Unauthenticated RCE The Langflow open-source low-code platform for building artificial intelligence (AI) applications has a high-severity, unpatched security flaw, CVE-2026-5027. This path traversal vulnerability permits unauthenticated remote code execution (RCE). With a CVSS score of 8.8, this flaw is actively exploited. Tenable discovered CVE-2026-5027 and publicly disclosed it in late March 2026 after unsuccessful attempts to contact the project maintainers. The vulnerability allows an attacker to write files to arbitrary locations on the filesystem. Langflow's default unauthenticated auto-login feature exacerbates this, as it removes the need for credentials to reach the vulnerable endpoint. A single unauthenticated request can facilitate exploitation. Security researchers at VulnCheck confirmed exploit attempts have been detected. These attempts involve writing test files to victim systems. This activity shows a persistent threat to organizations using Langflow for AI application development, especially with approximately 7,000 publicly exposed Langflow instances identified by Censys. The rapid weaponization of such flaws means organizations must prioritize security in AI infrastructure. What is CVE-2026-5027 and why is it critical? CVE-2026-5027 is a critical path traversal vulnerability (CVSS 8.8) in the Langflow platform that allows unauthenticated remote code execution (RCE). It is critical because it is easy to exploit, requires no prior authentication, and impacts systems hosting AI development environments. Attackers can use this vulnerability to bypass file system boundaries and inject malicious content into sensitive locations. The flaw is in the POST /api/v2/files endpoint of the Langflow platform. This endpoint handles file uploads but does not adequately sanitize the filename parameter within multipart form data. Attackers can use this oversight by embedding path traversal sequences, such as ../, into the filename. This lets them manipulate the file upload path, directing the server to write arbitrary files outside the intended upload directory. For example, an attacker could instruct the server to write a malicious web shell or a configuration file to a directory that, when accessed or executed by the application, grants them remote command execution. Writing files to arbitrary locations is a basis for many RCE attacks, allowing persistent access and further system compromise. Langflow's default configuration often enables unauthenticated auto-login, which compounds the severity of CVE-2026-5027. A malicious actor does not need prior authentication credentials to interact with the vulnerable POST /api/v2/files endpoint. A single, unauthenticated HTTP request containing the crafted filename parameter is enough to get a valid session token. This enables later exploitation stages, including file writing and remote code execution. This lack of authentication significantly reduces the barrier to entry for attackers, making publicly exposed Langflow instances particularly susceptible. Unauthenticated RCE on a key platform for AI application development poses a substantial risk, as it could compromise sensitive data, intellectual property, and the integrity of AI models and deployed applications. Impact An attacker exploiting CVE-2026-5027 can achieve unauthenticated remote code execution, giving them significant control over the compromised Langflow instance and the underlying host system. This access allows various malicious activities, including data exfiltration of sensitive AI models, proprietary code, user data, or system configurations. An attacker could also disrupt AI workflows, inject malicious logic into applications developed with Langflow, or use the compromised host as a staging ground for lateral network movement. The ability to write arbitrary files also allows for persistent backdoors, ensuring continued access even after initial exploitation. Organizations using Langflow for AI application development and deployment are directly at risk. Any publicly accessible Langflow instance that has not been patched is vulnerable to immediate compromise. This includes businesses, research institutions, and other organizations using Langflow for their AI initiatives. The criticality increases due to the nature of AI development environments, which often contain valuable intellectual property, access to computational resources, and connections to other critical enterprise systems. Compromise of such an environment can lead to severe business disruption, intellectual property theft, and reputational damage. Data collected by Censys indicates that approximately 7,000 Langflow instances are publicly exposed on the internet, with a notable concentration in North America. Each exposed instance is a potential target. Initial exploitation attempts observed by VulnCheck involve writing "test files." This behavior is characteristic of reconnaissance or proof-of-concept validation, usually preceding more destructive or persistent attacks. A large, publicly accessible attack surface and the unauthenticated nature of the RCE suggest a high likelihood of widespread exploitation if not promptly addressed. This trend of targeting critical development infrastructure, including zero-day vulnerabilities in platforms like Ivanti CSA as documented in our prior analysis of Ivanti CSA zero-day attacks, shows attackers focus on high-value targets. Exploitation Chain Exploitation of CVE-2026-5027 begins with a path traversal vulnerability in the POST /api/v2/files endpoint of the Langflow application. This endpoint handles file uploads but lacks sufficient input validation on the filename parameter. Attackers can therefore craft a malicious HTTP request containing path traversal sequences to write files to arbitrary locations on the host filesystem. Several preconditions allow successful exploitation of CVE-2026-5027. An unpatched Langflow instance must be running. The default unauthenticated auto-login feature in Langflow must be enabled; this important setting removes the need for any authentication. The Langflow instance must also be publicly accessible on the internet. As identified by Censys, approximately 7,000 such instances are currently exposed, providing a broad target pool for attackers. The exploitation mechanism involves sending a crafted multipart form data request to the POST /api/v2/files endpoint. In this request, the filename parameter is manipulated to include ../ sequences. This allows the attacker to traverse directories and specify an arbitrary write location. For example, an attacker could submit a request instructing the server to upload a file named ../../../../tmp/malicious_shell.php (or a similar extension based on the environment) to a web-accessible directory. Upon successful upload, this malicious file (often a web shell) can then be remotely accessed and executed, granting the attacker remote code execution capabilities. Security researchers at VulnCheck confirmed active exploitation in the wild, observing attackers weaponizing the bug to write test files onto victim systems. This shows initial probing and validation phases. This immediate in-the-wild exploitation of unpatched vulnerabilities, similar to the exploitation of VMware ESXi zero-days by sophisticated groups detailed in our analysis of VMware ESXi zero-day activity, shows the urgency of addressing CVE-2026-5027. Previous Langflow vulnerabilities, such as CVE-2026-33017 and CVE-2025-34291, have also seen active exploitation. CVE-2025-34291 was specifically linked to attacks by the Iranian state-sponsored group MuddyWater, demonstrating a consistent focus by threat actors on vulnerabilities within AI-related infrastructure. Affected Products and Versions The vulnerability CVE-2026-5027 affects the following product and its versions: Langflow: All unpatched versions of the Langflow platform are vulnerable. The issue occurs in the POST /api/v2/files endpoint where the filename parameter within multipart form data is not properly sanitized, leading to path traversal. No specific version range for a patch has been published; the vulnerability remains unpatched according to available intelligence. Organizations should assume that any active Langflow deployment not explicitly stated as patched by official maintainers is at risk. With no patch available, users must apply mitigations and monitor their environments for signs of compromise. Detection Detecting exploitation attempts related to CVE-2026-5027 requires full monitoring of network traffic, application logs, system behavior, and host activity. Proactive detection strategies are important, given the vulnerability's unpatched status and active exploitation. Log Signatures: Monitor web server logs (e.g., Nginx, Apache) or application logs for POST requests to the /api/v2/files endpoint. Specifically, look for path traversal sequences (e.g., ../, ..%2f, ..\) within the filename parameter of multipart form data. This parameter may be encoded, requiring URL decoding for accurate detection. Look for unusual HTTP status codes (e.g., 200 OK followed by immediate suspicious activity, or 500 server errors indicating failed exploitation attempts) associated with these requests. Indicators of Compromise (IOC) Families: Unexpected File Writes: Monitor the filesystem for new files created in arbitrary or unusual directories, especially outside typical Langflow application data or upload paths. Look for files with suspicious extensions (e.g., .php, .jsp, .aspx, .sh, .py) being written to web-accessible directories, system directories like /tmp, /var/www/html, Langflow's root directory, or other common web roots. Web Shells: Scan for known web shell signatures (e.g., cmd.php, shell.php, rce.jsp, or similar files) or files with obfuscated content often associated with command execution. Suspicious Process Execution: Monitor for unusual or unauthorized commands executed by the user account running the Langflow application. This could include shell commands (bash, sh), command-line interpreters, or unexpected child processes. Endpoint Detection and Response (EDR) Queries: Query EDR logs for file system modifications made by the Langflow process (langflow.exe or langflow) in directories outside its legitimate operational scope. Look for process lineage where the Langflow application spawns unexpected child processes, particularly shell interpreters or compilation tools. Monitor for changes to critical system files or configurations by the Langflow process, which could indicate privilege escalation or persistence attempts. Network Indicators: Observe unusual outbound network connections from the system hosting Langflow, particularly to external IP addresses or domains not typically associated with the application's legitimate function. This could indicate command-and-control (C2) communication or data exfiltration. Look for a sudden increase in outbound scanning activity from the Langflow host, suggesting the compromised system is being used to find other vulnerable targets. Apply deep packet inspection to identify HTTP requests containing the specific path traversal payloads targeting the POST /api/v2/files endpoint. Public Exposure Scanning: Use internet-wide scanning tools (e.g., Censys, Shodan) to identify your organization's publicly exposed Langflow instances. This proactive step helps prioritize remediation efforts. Remediation Since CVE-2026-5027 is unpatched, remediation focuses on workarounds and strict monitoring until an official fix is released. Immediate action is required to protect exposed instances. Patch First: Apply any official security updates or patches released by the Langflow maintainers as soon as they become available. Regularly check the official Langflow project repositories and security advisories for updates. Workarounds and Mitigations (Until Patch is Available): Restrict Network Access: Immediately restrict network access to Langflow instances to only trusted internal IP addresses or virtual private networks (VPNs). Eliminate any public exposure of the Langflow interface and its API endpoints. Disable Unauthenticated Auto-Login: If possible, modify the Langflow configuration to disable the default unauthenticated auto-login feature. Enforce strict authentication for all platform access. Apply Input Validation: If feasible, apply a reverse proxy or Web Application Firewall (WAF) in front of the Langflow instance. Configure the WAF to detect and block POST requests to /api/v2/files that contain path traversal sequences (../, ..%2f, etc.) in the filename parameter within multipart form data. Least Privilege Principle: Ensure the Langflow application runs with the absolute minimum necessary privileges. This limits the damage an attacker can cause if RCE is achieved, preventing actions like system-level file modifications or arbitrary process execution. File System Permissions: Apply strict file system permissions to prevent the Langflow user account from writing to critical system directories or arbitrary locations outside its designated application and data folders. Remove Unnecessary Endpoints: If the POST /api/v2/files endpoint is not critical for an organization's specific Langflow usage, consider disabling or heavily restricting access to it through network segmentation or application-level configurations where possible. Monitoring and Incident Response: Continuously monitor all Langflow instances for the detection indicators outlined previously. Set up alerts for suspicious activity, particularly for file writes outside expected directories or unusual process creations. Develop and test an incident response plan specifically for compromises involving AI application platforms. This should include procedures for isolating compromised systems, conducting forensic analysis, removing malicious artifacts, and restoring from trusted backups. Regularly back up Langflow configurations, data, developed AI models, and associated intellectual property to ensure recovery capabilities in case of a successful attack. Technical Takeaways CVE-2026-5027 is an unpatched high-severity path traversal vulnerability (CVSS 8.8) in the Langflow open-source AI platform. The flaw is in the POST /api/v2/files endpoint. Insufficient sanitization of the filename parameter allows arbitrary file writes. Default unauthenticated auto-login in Langflow reduces the exploitation barrier, allowing unauthenticated remote code execution. Approximately 7,000 Langflow instances are publicly exposed according to Censys data, creating a large global attack surface. Exploitation has been observed in the wild, with attackers writing test files, showing initial reconnaissance and validation. Immediate remediation for unpatched systems focuses on strict network access restrictions, disabling unauthenticated access, applying WAF rules, and continuous monitoring for compromise. --- ## KrebsOnSecurity Unmasks The Gentlemen Ransomware Operator - URL: https://purple-ops.io/blog/gentlemen-ransomware-operator-unmasked - Date: 2026-06-11 - Category: Threat Intelligence - Tags: ransomware, threat-intelligence, zero-day, patch-tuesday, botnet - Reading time: 5 min **Summary:** KrebsOnSecurity unmasked Alexander Yapaev as The Gentlemen ransomware operator, responsible for over 332 victims. KrebsOnSecurity Unmasks The Gentlemen Ransomware Operator An intelligence revelation by KrebsOnSecurity unmasked the individual behind The Gentlemen ransomware group, identifying him as Alexander Andreevich Yapaev, a 36-year-old from Izhevsk, Russia. This group is the second most active ransomware gang, claiming over 332 published victims since mid-2025, with more than 240 attacks documented in 2026 alone. The unmasking shows how Yapaev, operating under the aliases Zeta88 and Hastalamuerte, established a ransomware-as-a-service (RaaS) operation that offered affiliates a 90 percent revenue split, attracting many cybercriminals. The cybersecurity field remains dynamic, with Microsoft addressing 6 zero-day vulnerabilities and 200 other flaws in its June 2026 Patch Tuesday, including an actively exploited spoofing flaw in Exchange Server, CVE-2026-42897. Concurrently, an unauthenticated authentication bypass vulnerability, CVE-2026-10795, within the UpdraftPlus WordPress plugin is under active exploitation, targeting millions of installations. The China-linked JDY botnet, associated with the Volt Typhoon threat actors, has expanded its reconnaissance efforts, specifically targeting U.S. military and associated networks. Oracle has also released an emergency fix for a Remote Code Execution (RCE) vulnerability, CVE-2026-35273, in PeopleSoft Enterprise PeopleTools. This vulnerability, with a CVSS score of 9.8, allows unauthenticated attackers to achieve complete system takeover. These developments show heightened threat activity across direct criminal enterprises, state-sponsored espionage, and widespread opportunistic exploitation. How was "The Gentlemen" ransomware operator unmasked? The operator of The Gentlemen ransomware group, identified as Alexander Andreevich Yapaev, was unmasked through a breadcrumb trail across various cybercrime forums and public records. Yapaev, known online by the aliases Zeta88 and Hastalamuerte, registered on platforms like Exploit, Breachforums, and Raidforums between 2019 and the present. His initial registration on Breachforums in January 2025 was tied to an Internet address in Izhevsk, Russia, a detail corroborated by his subsequent registration as Zeta88 on the Breached forum in August 2022 from another Izhevsk IP address. Further investigation by security firms Intel 471, Flashpoint, and Constella Intelligence linked the alias Hastalamuerte to the email address hastalamuerte1488@protonmail.com, a GitHub account under SantaMuerte, and a Telegram username @hastalamuerte18. The Protonmail address and Telegram ID were connected to a Russian phone number ending in 04. This phone number was then traced through hacked Russian government databases, identifying Alexander Andreevich Yapaev of Izhevsk as the owner. Yapaev's digital footprint also included a Pikabu social media account under "4apai18" and a LinkedIn profile where he listed himself as the head of B2B marketing at Uralenergo Udmurtia, a Russian electrotechnical supplier. Early forum posts from 2019-2020 revealed a less sophisticated hacker, still learning penetration testing tools, demonstrating a common trajectory for cybercriminals who gradually develop their skills and expand their operations. What did Microsoft Patch Tuesday address this June 2026? Microsoft's June 2026 Patch Tuesday released security updates for 200 flaws, including six zero-day vulnerabilities, to address security exposures across its product suite. Of these six, one was actively exploited in attacks, and five were publicly disclosed prior to the patch release. The updates included fixes for 33 Critical vulnerabilities, with 28 of these being Remote Code Execution (RCE) flaws, 4 elevation of privilege, and 1 information disclosure. For historical context on similar security releases, readers can refer to our analysis of Microsoft's May 2026 Patch Tuesday. The actively exploited vulnerability, CVE-2026-42897, is a Microsoft Exchange Server Spoofing Vulnerability. This flaw allows an attacker to execute arbitrary JavaScript in a target's browser if the user opens a specially crafted email in Outlook Web Access and specific interaction conditions are met. Microsoft is deploying mitigations for this flaw through its Exchange Emergency Mitigation Service, which is enabled by default. This type of vulnerability shows the ongoing need for continuous patching, as discussed in our report on Microsoft WebDAV zero-day fixes. The five publicly disclosed zero-days fixed this month included several Windows privilege escalation and security bypass vulnerabilities: CVE-2026-45586: A Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability, known as GreenPlasma, allows local attackers to gain SYSTEM privileges. Security researcher Nightmare Eclipse publicly disclosed this flaw. CVE-2026-49160: An HTTP.sys Denial of Service Vulnerability, dubbed the "HTTP/2 Bomb" by researchers at Calif., allows unauthenticated attackers to cause service outages by exploiting HTTP/2 protocol compression. Microsoft introduced a new "MaxHeadersCount" registry setting to mitigate this. CVE-2026-45585: A Windows BitLocker Security Feature Bypass Vulnerability, known as YellowKey, enables local attackers with physical access to bypass BitLocker Device Encryption on TPM-only protected systems (Windows 11, Windows Server 2022/2025). Nightmare Eclipse also disclosed this flaw. CVE-2026-50507: Another Windows BitLocker Security Feature Bypass Vulnerability, believed to fix the "bitskrieg" zero-day disclosed by Windows security expert Jonas Lykkegaard, which also allows local access to encrypted drives. CVE-2020-17103: A Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability, identified as "Mini-Plasma," grants SYSTEM privileges. This flaw, also disclosed by Nightmare Eclipse, was originally reported by Google Project Zero's James Forshaw in 2020 and was thought to be fixed then. The volume of fixes, particularly for zero-days, shows the persistent effort required in patch management and vulnerability response. How are attackers exploiting the UpdraftPlus vulnerability? Attackers are actively exploiting CVE-2026-10795, an unauthenticated authentication bypass vulnerability in the UpdraftPlus WordPress plugin, impacting over three million active installations worldwide. This flaw allows unauthenticated attackers to execute arbitrary Remote Procedure Calls (RPC) as a connected administrator, leading to full website takeover. Wordfence reported blocking 4,987 attacks targeting this vulnerability within a single 24-hour period, indicating widespread and aggressive exploitation. The vulnerability stems from a cryptographic validation error within the UpdraftCentral integration, which handles encrypted remote procedure calls. During processing, the software registers an unauthenticated listener, and a decryption step fails to properly verify malformed keys. This failure causes the system to default to an insecure state, using a deterministic cipher with an all-zero AES-128 key. Attackers can then encrypt their own malicious commands locally, which the vulnerable server accepts as legitimate without requiring authentic keys. By using the RPC capabilities, attackers can trigger file upload commands, writing a malicious ZIP file directly to the server's disk. This ZIP file, once activated as a new plugin, grants the attackers arbitrary PHP and operating system command execution, effectively compromising the entire WordPress installation. The development team has released a security patch that introduces a strict return-value check to fix the broken cryptographic function, requiring immediate updates to the newest patched version of the UpdraftPlus plugin. Which U.S. military targets are facing the JDY botnet? The China-linked JDY botnet, previously associated with Volt Typhoon threat actors, has expanded its targeting to focus predominantly on U.S. military and associated networks. Researchers at Black Lotus Labs by Lumen report that the botnet has grown from approximately 650 active bots in January 2024 to over 1,500 compromised SOHO and IoT devices today. While not a DDoS botnet, JDY specializes in distributed scanning and fingerprinting to identify targets vulnerable to newly disclosed flaws. The compromised devices in the JDY botnet originate from various manufacturers, including Cisco, Araknis, Mimosa Networks, Ubiquiti, DrayTek, Hikvision, and Linksys, supporting MIPS, MIPS64, MIPSEL, and MIPSEL64 architectures. The botnet's operators, linked to Chinese APT actors, rapidly operationalize reconnaissance output, with Black Lotus Labs observing JDY scans targeting CVE-2026-35616, a Fortinet FortiClient EMS flaw, shortly after its public disclosure. CISA has previously issued warnings about the risks Volt Typhoon poses to unprotected SOHO routers, urging vendors to harden their devices against such attacks. The JDY botnet conducts various reconnaissance activities, including TCP and UDP scanning, SSL/TLS scanning, ICMP probing, banner collection, TLS certificate harvesting, and service fingerprinting using downloadable rule sets. Operators control the botnet via hidden Tor services that function as Command-and-Control (C2) infrastructure, with some instances also employing the open-source Platypus reverse-shell framework. The malware performs fast and stealthy raw SYN scanning when granted sufficient privileges, using custom-crafted TCP packets with a fixed source port of 19000. What is the impact of Oracle's PeopleSoft RCE flaw? Oracle has issued an emergency security alert regarding a Remote Code Execution (RCE) vulnerability, CVE-2026-35273, in PeopleSoft Enterprise PeopleTools. This flaw carries a near-maximum CVSS base score of 9.8, posing an immediate threat to corporate systems. The vulnerability specifically impacts PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62. The RCE vector allows unauthenticated remote attackers with network access via HTTP to compromise affected systems without requiring any legitimate login credentials. Successful exploitation of CVE-2026-35273 can result in a total system takeover, giving malicious actors the ability to modify internal databases, view confidential user logs, deploy persistent backdoors, or execute arbitrary operating system commands. This level of compromise can have a catastrophic impact on corporate data security. To neutralize this security flaw, organizations must deploy the latest vendor updates from the official Oracle Security Alerts Page. Regular validation checks are advised to ensure enterprise systems maintain resilience against automated exploitation campaigns. Technical Takeaways The Gentlemen ransomware group, run by Alexander Andreevich Yapaev, remains an active threat, accounting for over 240 victims in 2026 alone by using a 90% affiliate revenue model. Microsoft's June 2026 Patch Tuesday addressed 200 flaws, including 6 zero-days. CVE-2026-42897, an Exchange Server spoofing flaw, is under active exploitation, while multiple Windows privilege escalation and bypass flaws (e.g., GreenPlasma, YellowKey, Mini-Plasma, HTTP/2 Bomb) were publicly disclosed. CVE-2026-10795, an unauthenticated authentication bypass in the UpdraftPlus WordPress plugin, is being actively exploited, with Wordfence reporting 4,987 attacks in 24 hours against its three million active installations. The China-linked JDY botnet, associated with Volt Typhoon, has expanded its network to over 1,500 compromised SOHO and IoT devices, specifically targeting U.S. military and associated entities for reconnaissance and rapid exploitation of newly disclosed vulnerabilities like CVE-2026-35616. Oracle released an emergency patch for CVE-2026-35273, an RCE flaw (CVSS 9.8) in PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, enabling unauthenticated attackers to achieve complete system takeover. --- ## World Leaks Ransomware Claims 6 New Victims in 24h - URL: https://purple-ops.io/blog/world-leaks-ransomware-victims - Date: 2026-06-10 - Category: Ransomware Report - Tags: none - Reading time: 7 min **Summary:** World Leaks ransomware leads recent activity with 6 new victims in 24 hours, alongside insights into other active groups like PEAR and Akira. World Leaks Ransomware Claims 6 New Victims in 24h Statistical Overview Victim Totals This month: 219 This quarter: 1764 Year to date: 4388 Last 24h: 31 Quarterly Breakdown Q1: 2631 | Q2: 1764 | Q3: 0 | Q4: 0 Cumulative figures show fewer reported victims this quarter compared to the previous one. New ransomware incidents remain a daily occurrence, demonstrating the persistent threat from diverse ransomware operators. Introduction In the past 24 hours, 31 new ransomware victims were reported across various sectors. World_Leaks, PEAR, Akira, LockBit, and Play News were the most active groups by victim count. Beyond these immediate trends, recent intelligence provides a detailed operational profile of the "The Gentlemen" ransomware group, including their ransomware-as-a-service model and alleged links to a significant healthcare breach. Qilin affiliates have also exploited critical vulnerabilities, showing how threats continue to evolve. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1World Leaks6Apollo pipes, Centra sota cooperative, First federal savings & loan (+3)United States, IndiaFinancial Services, Manufacturing 2PEAR4Alpha it, Bayou electrical services, K & e distributing (+1)Jamaica, NorwayConstruction & Engineering, Retail & Ecommerce 3Akira3Associated investor services, Port air express, The midland theatreUnited StatesTransportation & Logistics, Financial Services 4LockBit3delano.k12.mn.us, probat.com, sweetome.comGermany, ChinaManufacturing, Education 5Play News2Mundt and associates, Rainbow distributors usaUnited StatesManufacturing, Transportation & Logistics 6Space Bears2Cattani, Lösing filtertechnikGermany, ItalyManufacturing, Technology / Software 7TripleX2Bni.co.id bank of indonesia free data., Law offices us immigrationonline.comIndonesia, United StatesLegal, Financial Services 8Chaos1Airespring.comUnited StatesTelecommunications 9DragonForce1Sayre associatesUnited StatesConstruction & Engineering 10Embargo1Auburn electrical construction companyUnited StatesConstruction & Engineering 11Fulcrum1gsgSingaporeEducation 12INC Ransom1FIZACzech RepublicProfessional Services World_Leaks was the top ransomware group in the recent 24-hour period with six victims, followed by PEAR (4) and Akira (3). Manufacturing, Financial Services, and Construction & Engineering were key sectors targeted. The United States remains the primary geographical target, accounting for half of the reported incidents. Notable victims include a large banking institution in Indonesia, listed by TripleX, and an education entity (delano.k12.mn.us) impacted by LockBit. Further insights into some of these groups can be found in our look at active ransomware groups, including World_Leaks ransomware activity and Akira's exploitation of VPN vulnerabilities. Victim Distribution By Country United States: 16 India: 4 Germany: 2 China: 1 United Kingdom: 1 Sweden: 1 Singapore: 1 Norway: 1 Jamaica: 1 Italy: 1 By Industry Financial Services: 2 Education: 2 Banking: 1 Wholesale Hardware, Plumbing, Heating Equipment: 1 Transportation and Logistics: 1 Traffic Signal Equipment Distribution: 1 Telecommunications: 1 Performing Arts: 1 Non-Profit & Charitable Organizations: 1 Legal Services: 1 Attacks remain concentrated in the United States, followed by India. Industry targeting is diversified, but critical sectors such as Financial Services, Education, Banking, Manufacturing, and Construction & Engineering remain a focus. Ransomware News Topline - Recent intelligence shows the operational dynamics of "The Gentlemen" ransomware, active exploitation of critical vulnerabilities, and challenges in victim validation. Campaigns & Operations - "The Gentlemen" operates as a ransomware-as-a-service (RaaS) with a 90/10 revenue split for affiliates. It frequently targets internet-facing VPNs and firewalls for initial access. The group's administrator is reportedly linked to the Hastalamuerte/Zeta88 persona, potentially identifying Alexander Andreevich Yapaev. The group has been highly active, with hundreds of victims since mid-2025. This includes a significant ransomware-style intrusion at Rajagiri Hospital in India, which resulted in the exfiltration of over 800 GB of patient and administrative data. Separately, the Qilin ransomware group recently listed The Banyans Healthcare on its leak site. This entry was later clarified as a misattribution due to shared branding, which demonstrates the need for rigorous victim validation in threat intelligence. Vulnerabilities & TTPs - Public reporting confirms active exploitation of CVE-2026-50751, a critical authentication bypass in Check Point VPN Remote Access, by Qilin ransomware affiliates. This vulnerability allows unauthenticated attackers to establish VPN sessions without valid credentials. Veeam Backup & Replication has also patched CVE-2026-44963, a critical remote code execution (RCE) flaw (CVSS 9.4) that permits authenticated domain users to execute arbitrary code on the Backup Server. Immediate patching is necessary because ransomware groups have historically exploited similar Veeam flaws. Post-compromise activity associated with CVE-2026-50751 has included data exfiltration via Rclone and potential Tox protocol usage. Analyst Note - Detailed profiling of new and active RaaS operators, coupled with critical vulnerability exploitation, shows a persistent threat environment where rapid patching and strong validation processes are essential. Technical Takeaways Ransomware-as-a-Service (RaaS) Model: "The Gentlemen" group operates a RaaS model, offering affiliates a 90/10 revenue split. This indicates a professionalized ransomware ecosystem. Initial Access Vectors: "The Gentlemen" primarily gain initial access by exploiting internet-facing VPNs and firewalls, a common tactic for many ransomware groups. Healthcare Sector Targeting: "The Gentlemen" have been linked to a major data exfiltration and encryption incident at Rajagiri Hospital, showing continued ransomware pressure on healthcare entities. Critical Vulnerability Exploitation: Qilin affiliates are exploiting CVE-2026-50751, an authentication bypass in Check Point VPN. This demonstrates rapid weaponization of newly disclosed critical vulnerabilities. Supply Chain Risk (Backup Solutions): The patched CVE-2026-44963 in Veeam Backup & Replication, a critical RCE flaw, emphasizes the importance of securing backup infrastructure. Ransomware groups frequently use such vulnerabilities. Threat Intelligence Validation: The misattribution incident involving Qilin and The Banyans Healthcare shows the critical need for meticulous validation of victim listings to prevent misinformation. How World Leaks Ransomware Operates World Leaks operates as a ransomware-as-a-service (RaaS) platform, enabling affiliates to deploy attacks across multiple sectors. Key operational characteristics include: Double extortion tactics: Data is exfiltrated before encryption, increasing pressure on victims Targeted sectors: Financial services and manufacturing remain primary targets Leak site infrastructure: Victims are publicly listed to compel ransom payment Geographic spread: Active across North America and South Asia simultaneously Understanding their attack chain helps organizations prioritize defenses. See our guide on ransomware defense strategies for actionable mitigation steps. Protecting Your Organization From Active Ransomware Groups With 31 new victims reported in a single 24-hour window, proactive defense is critical. Organizations should implement the following measures immediately: Patch management: Qilin affiliates actively exploit unpatched vulnerabilities — prioritize critical CVEs Network segmentation: Limit lateral movement opportunities for ransomware operators Offline backups: Maintain immutable, tested backups to reduce recovery time Threat intelligence feeds: Monitor active groups like Akira, PEAR, and World Leaks for targeting shifts Stay updated with our ransomware group tracker to monitor evolving threats in real time. Why Ransomware Victim Counts Are Rising The quarterly data reveals a troubling pattern — 1,764 victims this quarter continues a sustained wave of ransomware activity globally. Several factors are driving this trend: RaaS expansion: Lower barriers to entry allow more affiliates to launch attacks Healthcare and financial targeting: High-value data makes these sectors prime targets Underreporting: Actual victim counts likely exceed published figures significantly Evolving evasion techniques: Groups like "The Gentlemen" demonstrate increasingly sophisticated operational security Tracking these trends is essential for security teams building resilient incident response programs. --- ## Chrome Zero-Day CVE-2026-11645 Actively Exploited - URL: https://purple-ops.io/blog/chrome-zero-day-cve-2026-11645 - Date: 2026-06-10 - Category: CVE Analysis - Tags: chrome, zero-day, cve-2026-11645, v8-engine, rce - Reading time: 5 min **Summary:** Google Chrome CVE-2026-11645, a high-severity zero-day in the V8 JavaScript engine, is actively exploited for remote code execution via crafted HTML pages. Chrome Zero-Day CVE-2026-11645 Actively Exploited Google has issued an emergency security update for its Chrome web browser to address CVE-2026-11645, a high-severity zero-day vulnerability actively exploited in the wild. This flaw, characterized as an out-of-bounds read and write weakness within the V8 JavaScript engine, marks the fifth such zero-day patched by Google since the beginning of the year. While a specific CVSS score has not been publicly detailed, Google's classification of the vulnerability as high-severity shows its potential impact. Successful exploitation of CVE-2026-11645 could allow remote attackers to execute arbitrary code within the browser's sandboxed environment. Attackers achieve this by crafting malicious HTML pages, which, when rendered by an unpatched Chrome instance, can trigger the vulnerability. Google's rapid patching shows this vulnerability is critical, making it urgent for users to update their browser installations. Google's response follows the vulnerability's anonymous disclosure to the company approximately two weeks prior to the public patch release. The patches, designated for Chrome versions 149.0.7827.102 for Windows and Linux, and 149.0.7827.103 for Mac, are being rolled out globally. Organizations and individual users are advised to implement these updates without delay to reduce the risk from this actively exploited flaw. What is CVE-2026-11645 and why is it critical? CVE-2026-11645 is a high-severity zero-day vulnerability in Google Chrome that results from an out-of-bounds read and write weakness within the V8 JavaScript engine. The V8 engine compiles and executes JavaScript code within the browser. Attackers often target it due to its privileged position in processing web content. An out-of-bounds read or write occurs when a program attempts to access memory outside the boundaries of an allocated buffer. This can lead to various unpredictable behaviors, from application crashes to the disclosure of sensitive information, and the ability to execute arbitrary code. Google confirms this vulnerability is critical due to active exploitation. The designation "zero-day" indicates the flaw was being actively exploited by malicious actors before a patch was publicly available. These vulnerabilities pose an immediate, severe risk because attackers have an exploit defenders may not detect or prevent. Remote code execution within the browser's sandbox means an attacker can potentially gain control of the compromised browser, which could lead to further system compromise. Impact The exploitation of CVE-2026-11645 can have significant consequences for affected users and organizations. An attacker can achieve remote code execution (RCE) inside the web browser's sandbox. They can inject and run their own code within the browser's isolated environment. While browsers are designed with sandboxes to limit the impact of such compromises, an RCE in the sandbox often provides an initial foothold for further attacks, possibly leading to sandbox escapes and full system compromise. The out-of-bounds read and write weakness can expose sensitive information or trigger application crashes. Accessing data beyond the memory buffer through heap corruption can allow attackers to read memory that should not be accessible. This could disclose user data, internal program states, or other confidential information. The vulnerability can also bypass protection mechanisms like Address Space Layout Randomization (ASLR). ASLR is a security feature that prevents reliable exploitation of memory corruption vulnerabilities. Bypassing ASLR simplifies exploiting other weaknesses, making it easier for attackers to achieve arbitrary code execution outside the browser's sandbox. All users running unpatched versions of Google Chrome on Windows, macOS, and Linux are at risk. This includes individuals, enterprises, and government entities that rely on Chrome for web browsing. Because Google Chrome is widely adopted, the vulnerability has extensive real-world reach. Organizations using Chrome in their environments face increased risk of initial access by threat actors. This could lead to data exfiltration, malware deployment, or persistent access within their networks. The attack vector, using crafted HTML pages, means merely visiting a malicious website can initiate an attack without direct user interaction beyond browsing. Exploitation Chain The exploitation of CVE-2026-11645 starts with a remote attack vector: crafted HTML pages. Attackers prepare a malicious webpage with HTML and JavaScript code designed to trigger the out-of-bounds read and write vulnerability in Chrome's V8 JavaScript engine. When a user navigates to this malicious page with an unpatched version of Google Chrome, the browser attempts to parse and execute the embedded code. Exploitation requires the victim to use an affected version of Google Chrome and visit an attacker-controlled webpage. This could occur through deceptive campaigns like phishing or malvertising, or by users visiting compromised legitimate websites. Once the crafted HTML page is loaded, the vulnerability is triggered, allowing the attacker's code to run within the browser's sandbox. Google has confirmed that an exploit for CVE-2026-11645 exists in the wild and has been actively used in attacks. While specific details about the ongoing exploitation incidents have been kept restricted by Google to allow a majority of users to update their browsers, the company's immediate emergency patch indicates the severity and active threat situation. Such restrictions are also common when the bug might exist in third-party libraries used by other projects. This practice prevents further exploitation before widespread patching. This incident is not isolated. It marks the fifth Chrome zero-day vulnerability patched by Google this year alone, demonstrating a consistent targeting of the browser by threat actors. Previous exploited zero-days in Chrome in 2026 include: CVE-2026-2441: An iterator invalidation bug in CSSFontFeatureValuesMap, addressed in mid-February. CVE-2026-3909: An out-of-bounds write weakness in the Skia 2D graphics library, patched in March. CVE-2026-3910: An inappropriate implementation vulnerability in the V8 JavaScript and WebAssembly engine, also patched in March. CVE-2026-5281: A use-after-free weakness in Dawn, the cross-platform implementation of the WebGPU standard, addressed in April. These recurring zero-day exploitations show the persistent efforts by malicious actors to compromise web browsers to gain initial access, steal data, or penetrate networks further. Our analysis of Google Chrome zero-day vulnerability CVE-5419 detailed similar attack patterns and the need for prompt updates. A recent blog post detailing another Google Chrome zero-day vulnerability also showed the rapid response required for such threats. For context on Google's response to these threats, refer to our analysis of Chrome zero-days exploited in 2025. The pattern in these vulnerabilities, particularly those affecting the V8 engine, suggests attackers continue to focus on core browser components that render and execute dynamic web content. Affected Products and Versions The CVE-2026-11645 vulnerability affects Google Chrome on multiple operating systems. Users running versions before the patched versions are vulnerable. The following versions of Google Chrome are confirmed to be affected: Google Chrome Stable Desktop channel versions prior to 149.0.7827.102 on Windows and Linux. Google Chrome Stable Desktop channel versions prior to 149.0.7827.103 on Mac. Organizations should identify and inventory all Google Chrome instances in their environment and compare them against these affected version ranges to determine their exposure to CVE-2026-11645. Detection Detecting CVE-2026-11645 exploitation in real-time can be challenging. It is a zero-day vulnerability with limited public details about specific exploit payloads. However, a multi-layered approach using endpoint, network, and logging visibility can help identify post-exploitation activities or indicators. Endpoint Detection and Response (EDR) Systems: Monitor for unusual process execution from the Chrome browser process (e.g., chrome.exe spawning child processes like cmd.exe, powershell.exe, or other untypical browser helper processes). Look for suspicious file writes or modifications in user profile directories or system critical locations by Chrome processes. Implement rules to detect abnormal memory access patterns or unexpected code execution in the chrome.exe process space. Identify attempts by Chrome processes to access network resources outside of typical browsing behavior or to connect to known malicious IP addresses or domains. Network Monitoring: Monitor network traffic for outbound connections from user workstations running Chrome to unusual or unknown IP addresses or domains, particularly those deviating from baselines, and analyze DNS queries for suspicious domain resolution. Look for unexpected increases in data exfiltration attempts or communication with command-and-control (C2) servers. Logging and Alerting: Regularly review browser, operating system event (e.g., Windows Event Log, Linux audit logs), and security software logs for anomalies tied to Chrome processes. Focus on alerts related to process creation, network connections, and file system activity initiated by the browser. Maintain full web proxy or firewall logs to monitor HTTP/S traffic and identify requests to known malicious URLs or unusual user agent strings. Because the vulnerability involves crafted HTML pages, organizations should prioritize strong email and web filtering solutions to block access to known malicious sites or content. While Google has not yet publicly detailed specific Indicators of Compromise (IOCs) for this zero-day, general vigilance against common web-based attack patterns remains crucial. Remediation Prompt remediation is essential due to the active exploitation of CVE-2026-11645. The most effective remediation is to update Google Chrome to the patched versions immediately. Patching: For Windows and Linux users: Update Google Chrome to version 149.0.7827.102 or later. For Mac users: Update Google Chrome to version 149.0.7827.103 or later. Users can typically update Chrome by navigating to chrome://settings/help or by restarting the browser, which often triggers an automatic update check. Enterprise environments should use their software deployment tools to push these updates to all managed endpoints. Workarounds: While immediate patching is the definitive solution, in scenarios where instant deployment across all systems is not feasible, the following operational mitigations can reduce exposure, though they may impact usability: Temporarily restrict access to untrusted or suspicious websites through network proxies or firewalls, and consider enforcing stricter browser security settings or deploying browser isolation technologies. Educate users on phishing awareness, particularly regarding suspicious links or attachments that could lead to malicious web pages. Monitoring: After applying patches, continue to monitor systems for any signs of residual compromise or post-exploitation activity, as attackers may have already gained a foothold on some systems prior to patching. Regularly verify that all Chrome instances across the environment are running the latest stable versions to ensure ongoing protection against newly discovered vulnerabilities. Maintain strong endpoint detection and response capabilities. Review security logs for any anomalous behavior originating from browser processes. Technical Takeaways CVE-2026-11645 is a high-severity zero-day out-of-bounds read/write vulnerability in Google Chrome's V8 JavaScript engine. The flaw enables remote attackers to achieve arbitrary code execution in the browser's sandbox via crafted HTML pages. Google confirmed active exploitation of CVE-2026-11645 in the wild, which required an emergency patch. Affected Chrome versions are those prior to 149.0.7827.102 for Windows/Linux and 149.0.7827.103 for Mac. Successful exploitation can expose data, crash applications, and bypass security mitigations like ASLR. This marks the fifth Chrome zero-day patched in 2026, indicating persistent targeting of browser vulnerabilities. --- ## Qilin Ransomware Claims 5 Victims in 24h - URL: https://purple-ops.io/blog/qilin-ransomware-5-victims - Date: 2026-06-09 - Category: Ransomware Report - Tags: qilin-ransomware, zero-day, cve-2026-50751, ransomware-activity, check-point - Reading time: 5 min **Summary:** Qilin ransomware claimed 5 new victims in the last 24 hours, actively exploiting a Check Point zero-day vulnerability, CVE-2026-50751, across various sectors. Qilin Ransomware Claims 5 Victims in 24h Statistical Overview Victim Totals This month: 188 This quarter: 1734 Year to date: 4358 Last 24h: 15 Quarterly Breakdown Q1: 2631 | Q2: 1734 | Q3: 0 | Q4: 0 Ransomware activity remains consistent. 15 new victims were reported in the last 24 hours. The year-to-date total shows persistent threats; Q2 contributed significantly to overall victim numbers this year. Introduction Ransomware operations recorded 15 new victims. Qilin was the most active group, accounting for five publicly claimed incidents, followed by Akira, RansomHouse, and Termite. The United States remained the primary target geography, with various sectors impacted, including manufacturing, healthcare, and professional services. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1Qilin5Isuzu motors, Kinetic education, Opera comique (+2)United States, ThailandEducation, Media & Entertainment 2Akira4Centre ellipse, Rockaway river country club, Smpc architects (+1)United States, FranceHospitality & Travel, Healthcare 3RansomHouse2Aegle Aviation, Ma Pak Leung Company LimitedHong KongTransportation & Logistics, Pharmaceuticals & Biotech 4Termite2Https://www.rolandmachinery.com/, Https://www.wieseusa.com/United StatesManufacturing, Construction & Engineering 5Gunra1Cambridge law chambersBahamasLegal 6Nova (RALord)1TreviItalyTechnology / Software Qilin leads in reported victim count, showing continued activity across sectors like education and entertainment. Akira and RansomHouse also maintained operations, targeting hospitality, healthcare, and transportation sectors. The United States remains a primary geographical focus for multiple ransomware groups. Victim Distribution Which Geographies Experienced Ransomware Activity? United States: 6 Australia: 2 France: 2 Hong Kong: 2 Bahamas: 1 Italy: 1 Thailand: 1 Which Industries Were Most Targeted? Education: 1 Healthcare Services: 1 Law firm: 1 Healthcare: 1 Performing Arts: 1 Airlines and Aviation: 1 Traditional Chinese Medicine Manufacturing: 1 Consumer Electronics: 1 Manufacturing: 1 Architecture and Interior Design: 1 Ransomware activity is concentrated in the United States. While no single industry dominates, many sectors, including manufacturing, healthcare, and various professional services, continue to experience attacks. This shows broad targeting rather than a narrow sectoral focus this period. Ransomware News Topline Qilin ransomware activity is prominent in recent reporting, due to its exploitation of a significant Check Point zero-day vulnerability. Campaigns & Operations The Qilin operation has been linked to an authentication-bypass vulnerability (CVE-2026-50751) in Check Point Remote Access VPN, exploited since May 2026. This activity coincides with Qilin's claim against Australia's Tripod Farmers Group, part of its ransomware-as-a-service model affecting over 1,900 victims globally. Separately, Mandiant attributes a data-theft extortion campaign against US law and professional services firms to UNC3753, the Silent Ransom Group, employing advanced social engineering and legitimate remote access tools. An additional ransomware attack forced the closure of Evanston Township High School in Illinois. Vulnerabilities & TTPs Beyond Qilin's exploitation of CVE-2026-50751, threat actors are using IT/OT convergence to target industrial automation systems via engineering workstations and remote-access points. Silent Ransom Group's tactics include phishing, vishing, and the use of tools like AnyDesk, Zoho Assist, WinSCP, and Rclone for data exfiltration. Analyst Note These incidents demonstrate significant vulnerability exploitation, targeted data exfiltration, and the changing role of social engineering and dark web marketplaces in facilitating ransomware operations. Technical Takeaways Qilin ransomware has been observed exploiting CVE-2026-50751, a significant authentication-bypass vulnerability in Check Point Remote Access VPN products. The United States remains the most frequently targeted country, facing many ransomware attacks across various industries. Ransomware operations increasingly use advanced social engineering techniques, including vishing and pretexts, to gain initial access and facilitate data exfiltration. Some groups, like Silent Ransom Group (UNC3753), are employing legitimate remote access tools and common file transfer utilities (e.g., AnyDesk, WinSCP, Rclone) for post-exploitation activities and data exfiltration. Threats to industrial automation systems continue to change, with targeted intrusions and ransomware exploiting IT/OT convergence points. --- ## Check Point VPN CVE-2026-50751 (CVSS 9.3) Bypass - URL: https://purple-ops.io/blog/check-point-vpn-cve-2026-50751 - Date: 2026-06-09 - Category: CVE Analysis - Tags: check-point, cve-2026-50751, vpn-bypass, zero-day, qilin-ransomware - Reading time: 5 min | CVSS: 9.3 **Summary:** Check Point CVE-2026-50751 is a critical authentication bypass (CVSS 9.3) in IKEv1 VPNs, actively exploited by Qilin ransomware for unauthorized access. Check Point VPN CVE-2026-50751 (CVSS 9.3) Bypass Check Point has disclosed a critical authentication bypass vulnerability, CVE-2026-50751, affecting specific configurations of its Security Gateways and Spark Firewalls. This flaw, assigned a CVSS score of 9.3, impacts Remote Access VPN and Mobile Access deployments that are configured to utilize the deprecated IKEv1 key exchange protocol. Exploitation of CVE-2026-50751 has been confirmed in the wild as a zero-day, with threat activity observed as early as May 7, 2026. The vendor indicates a surge in exploitation attempts during early June. Affected organizations should implement immediate hotfixes and review configurations to reduce risks from this vulnerability. The confirmed post-exploitation activities include an association with a Qilin ransomware affiliate, indicating that the threat actor is financially motivated. This actor has also been observed exploiting other VPN-related vulnerabilities across different vendors, showing a focused approach on network perimeter access. Impact Successful exploitation of CVE-2026-50751 grants an unauthenticated attacker the ability to establish a VPN session without a valid password. This authentication bypass enables initial access to the internal network. While "additional post-authentication activity is required to access internal resources or escalate privileges," the initial unauthorized VPN session represents a significant breach of perimeter security. Organizations utilizing affected Check Point Security Gateways or Spark Firewalls with Remote Access VPN or Mobile Access configured to use the IKEv1 protocol are at direct risk. The compromise of VPN access points can serve as a primary entry vector for sophisticated attacks, including data exfiltration, lateral movement, unauthorized access, and the deployment of ransomware. The confirmed link to a Qilin ransomware affiliate demonstrates the tangible and severe financial and operational consequences of such a breach. How is CVE-2026-50751 exploited? CVE-2026-50751 is an authentication bypass vulnerability stemming from a logic flaw in the certificate validation process within Check Point Remote Access VPN and Mobile Access deployments configured for the deprecated IKEv1 key exchange protocol. This flaw allows an attacker to circumvent normal authentication requirements, establishing a VPN session without the necessary valid password. The core mechanism involves manipulating the certificate validation process to trick the IKEv1 endpoint into accepting an illegitimate connection. The IKEv1 protocol, originally created in 1998, has been superseded by IKEv2 and is widely considered deprecated due to inherent security weaknesses and the availability of more solid alternatives. Its continued use, particularly in configurations susceptible to CVE-2026-50751, creates a significant exposure. Once the initial VPN session is established, further post-authentication steps are required to move laterally within the network or achieve privilege escalation. This post-authentication activity would depend on the network architecture and available internal resources, but the initial foothold is achieved through the described authentication bypass. The vulnerability was exploited as a zero-day, with the earliest confirmed exploitation occurring on May 7, 2026. Check Point Research detected malicious activity on June 4, 2026, leading to the public disclosure on June 8, 2026. This timeline indicates a period of unpatched exploitation for nearly a month. A Qilin ransomware affiliate has used this vulnerability in at least one instance for post-exploitation activities, showing a financially motivated attack vector. The same threat actor has been observed exploiting other VPN vulnerabilities, including those affecting Palo Alto, Fortinet, and F5 products, indicating a broader campaign targeting VPN infrastructure. For instance, similar authentication bypass vulnerabilities in other VPN products have been detailed in our prior analysis of CVE-2026-0257 in Palo Alto GlobalProtect and the related Palo Alto PAN-OS vulnerability. The threat actor has also reportedly utilized the Tox open-source peer-to-peer protocol for communication and dedicated virtual private server (VPS) infrastructure to orchestrate these attacks. Which Check Point products and versions are affected by CVE-2026-50751? The CVE-2026-50751 vulnerability affects Check Point Security Gateways and Spark Firewalls when their Remote Access VPN and Mobile Access deployments are configured to use the deprecated IKEv1 key exchange protocol. Organizations must identify impacted versions for immediate remediation. The following Check Point Security Gateway versions are affected: R82.10 Jumbo Hotfix Take 19 or below R82 Jumbo Hotfix Take 103 or below R81.20 Jumbo Hotfix Take 141 or below R81.10 (End of Service - EOS) R81 (End of Service - EOS) R80.40 (End of Service - EOS) The following Check Point Spark Firewall versions are affected: R80.20.X (End of Service - EOS) R81.10.X R82.00.X Versions designated as "End of Service (EOS)" no longer receive official support or security updates, increasing the risk for organizations still running these versions. The vulnerability targets configurations using IKEv1, a protocol deprecated for several years in favor of its more secure successor, IKEv2. Organizations should verify their VPN configurations to determine if IKEv1 remains enabled for Remote Access VPN or Mobile Access. Detection Strategies for CVE-2026-50751 Effective detection for CVE-2026-50751 involves forensic log audits and configuration reviews. Organizations should prioritize an immediate review of logs from May 7, 2026, forward, given the earliest observed exploitation date. Detection activities include: Log Auditing for Unusual VPN Sessions: Review VPN connection logs for Check Point Security Gateways and Spark Firewalls for any unauthorized or anomalous connection attempts. Look for IKEv1 negotiation attempts from unusual source IP addresses or at unexpected times. Identify successful VPN sessions established without a corresponding valid user credential or machine certificate. Investigate connections that do not align with known organizational remote access patterns. Authentication Anomaly Detection: Monitor authentication logs for Remote Access VPN and Mobile Access for patterns indicative of bypass activity. This includes successful VPN authentications not preceded by a correct password challenge or certificate validation sequence. Look for rapid succession of failed then successful authentication attempts from a single source, potentially indicating automated brute-force attempts followed by exploitation. Network Flow and Traffic Analysis: Analyze network flow data for unusual traffic patterns originating from newly established VPN tunnels. This could include access to internal resources not typically accessed by remote users or unexpected data volumes. Look for indications of post-authentication activity, such as attempts to access internal resources, lateral movement (e.g., RDP, SMB), or unusual outbound connections (e.g., C2 traffic, data exfiltration). Configuration Review: Regularly audit Check Point device configurations to identify if IKEv1 is still enabled for Remote Access VPN or Mobile Access deployments. Verify that machine certificate authentication is enforced where applicable, or that legacy client connection support has been disabled if not strictly necessary. Implementing strong logging practices and integrating these logs with security information and event management (SIEM) systems can improve the ability to correlate events and detect suspicious activity related to CVE-2026-50751 or subsequent post-exploitation actions. Remediation and Mitigation for CVE-2026-50751 Addressing CVE-2026-50751 requires immediate action, starting with applying vendor-provided hotfixes. For instances where immediate patching is not feasible, specific workarounds and mitigations can reduce exposure. 1. Patching: Apply Hotfixes Immediately: The primary remediation is to apply the relevant hotfixes provided by Check Point. These hotfixes address the underlying logic flaw in certificate validation. Refer to Check Point's dedicated support pages for CVE-2026-50751 (sk185033) and CVE-2026-50752 (sk185035) for detailed instructions and access to the necessary hotfix packages. Ensure all affected Security Gateway and Spark Firewall versions receive the appropriate hotfix. 2. Workarounds and Mitigations (if patching is not immediate): Disable IKEv1 and enforce IKEv2: Configure all Remote Access VPN and Mobile Access deployments to exclusively use the IKEv2 key exchange protocol. IKEv2 is the recommended successor to IKEv1 and is not affected by this vulnerability. This is the most effective mitigation if patching cannot be performed immediately. Remove Support for Legacy Remote Access Client Connections: If your environment does not require support for older or legacy remote access client connections that exclusively rely on IKEv1, disable these connections. This reduces the attack surface by eliminating the vulnerable protocol's availability. Enforce Mandatory Machine Certificate Authentication: For Remote Access VPN and Mobile Access connections, configure the system to require machine certificate authentication as mandatory. This adds an additional authentication factor that the current vulnerability bypasses only partially, making exploitation more difficult even if the password authentication is bypassed. Review and Update End-of-Service (EOS) Devices: For any Check Point products identified as End of Service (EOS), organizations should prioritize upgrading to supported versions that can receive patches. Continued use of EOS products poses inherent security risks beyond CVE-2026-50751. 3. Monitoring: Conduct Forensic Log Audits: Starting from May 7, 2026, conduct forensic audits of all relevant logs to identify any signs of compromise before patches were applied. Look for suspicious VPN connection attempts, unexpected session establishments, or unauthorized post-authentication activity. Implement Enhanced Monitoring: Increase monitoring for VPN authentication events and internal network access patterns from VPN clients. Configure alerts for any anomalies that could indicate attempted or successful exploitation. Applying hotfixes and transitioning away from IKEv1 are crucial steps for securing Check Point environments against CVE-2026-50751 and other IKEv1-related vulnerabilities. Technical Takeaways CVE-2026-50751 is a critical authentication bypass with a CVSS score of 9.3, affecting specific Check Point Security Gateways and Spark Firewalls. The vulnerability enables an attacker to establish a VPN session without valid credentials by exploiting a logic flaw in IKEv1 certificate validation. Exploitation has been active as a zero-day since May 7, 2026, with a confirmed link to a Qilin ransomware affiliate. Affected products include Security Gateways R82.10 Jumbo Hotfix Take 19 or below, R82 Jumbo Hotfix Take 103 or below, R81.20 Jumbo Hotfix Take 141 or below, and various Spark Firewall versions, especially when IKEv1 is configured for Remote Access VPN or Mobile Access. Immediate remediation involves applying vendor hotfixes. Effective mitigations include transitioning to IKEv2, disabling legacy client support, and enforcing mandatory machine certificate authentication. --- ## Qilin Ransomware Exploits Check Point VPN CVE-2026-50751 - URL: https://purple-ops.io/blog/qilin-ransomware-check-point-vpn-cve - Date: 2026-06-09 - Category: Threat Intelligence - Tags: qilin-ransomware, check-point-vpn, cve-2026-50751, zero-day, vpn-vulnerability - Reading time: 5 min **Summary:** Qilin ransomware is actively exploiting CVE-2026-50751, a critical Check Point VPN zero-day, to gain unauthorized access in global attacks. Qilin Ransomware Exploits Check Point VPN CVE-2026-50751 The Qilin ransomware affiliate is actively exploiting CVE-2026-50751, a critical authentication bypass vulnerability impacting Check Point Remote Access VPN and Mobile Access deployments. This zero-day exploitation has affected a few dozen organizations globally since early May 2026, with a significant surge in activity observed in early June. One confirmed incident involved successful post-compromise activity directly linked to the Qilin ransomware operation. The vulnerability allows unauthenticated, remote attackers to bypass security measures on targeted Mobile Access / SSL VPNs, Remote Access VPNs, or Spark firewalls, enabling them to establish unauthorized remote access VPN connections. This ongoing exploitation by a prominent ransomware group shows the threat posed by VPN appliance vulnerabilities and the persistent focus of financially motivated actors on gaining initial access through these perimeter devices. Check Point has released security updates to address CVE-2026-50751 and a second related flaw, urging customers to apply patches immediately. The swift action follows the detection of active exploitation, showing the urgency for organizations to secure their remote access infrastructure against sophisticated threat actors like Qilin. How did the Qilin ransomware affiliate exploit the Check Point VPN flaw? The Qilin ransomware affiliate used CVE-2026-50751 by exploiting specific misconfigurations in Check Point Remote Access VPN and Mobile Access deployments. This critical authentication bypass primarily targets systems configured to use the deprecated IKEv1 key exchange protocol, particularly those that also accept legacy Remote Access clients and do not mandate machine certificates for connections. The attacks began on May 7, 2026, and intensified in early June, impacting a limited number of organizations worldwide. Successful exploitation of CVE-2026-50751 grants unauthenticated, remote attackers the ability to establish a remote access VPN connection, effectively bypassing intended security controls. This unauthorized access serves as a key entry point for threat actors to infiltrate targeted networks and proceed with their ransomware operations. Check Point identified CVE-2026-50752, a second vulnerability related to certificate validation within the deprecated IKEv1 key exchange protocol. While there is no current evidence of CVE-2026-50752 being exploited in the wild, it could be used in man-in-the-middle attacks on site-to-site VPN connections. Customers are advised to patch against both vulnerabilities as a proactive measure. To mitigate immediate risks for those unable to patch, Check Point recommends several steps: removing support for legacy remote access clients, configuring global properties for Remote Access VPN Authentication to IKEv2 only, enforcing Machine Certificate Authentication as mandatory, and enabling IPS with updated signatures. Addressing these configuration weaknesses significantly reduces the attack surface. More details on these mitigations are available in our analysis of the Check Point VPN vulnerability and Qilin ransomware exploitation. The Qilin ransomware operation, which emerged as "Agenda" in August 2022, is a Ransomware-as-a-Service (RaaS) model that has publicly claimed nearly 400 victims on its dark web leak site. The group has targeted various high-profile organizations across different sectors, showing a wide operational reach. Past Qilin victims include: Automotive giant Yangfeng Nissan Japanese beer company Asahi Publishing giant Lee Enterprises Pathology services provider Synnovis (linked to attacks on London hospitals) Australia's Court Services Victoria The confirmed post-compromise activity linked to the Qilin ransomware affiliate following exploitation of the Check Point flaw aligns with the group's history of targeting diverse entities for financial gain. The recent activity by Qilin in the healthcare sector has been a concern, as detailed in our analysis of Qilin ransomware's healthcare activity. How did the Miasma worm impact Microsoft's AI coding ecosystem? The Miasma worm, attributed to the TeamPCP threat actor, executed a rapid supply-chain attack that compromised over 70 Microsoft repositories in under two minutes. This fast-moving operation infiltrated Microsoft's Azure cloud tools developer ecosystem by exploiting a previously compromised contributor account to push malicious code. The incident affected repositories across the Azure, Azure-Samples, and Microsoft collections, including projects associated with Azure Functions and the Durable Task framework. Attackers planted malicious configuration files designed to execute code when developers interacted with the affected repositories using AI coding tools such as Claude Code, Cursor, and Gemini CLI. This method targeted the inherent trust relationships and automation features within modern software development workflows, allowing for rapid and widespread infection. The malicious payload was engineered to steal sensitive developer assets, including credentials, authentication tokens, and developer secrets from infected systems. Earlier iterations of the Miasma campaign have been observed targeting cloud credentials, Kubernetes configurations, password manager data, and source code repositories. GitHub temporarily disabled 73 repositories in response to the attack to contain the spread and facilitate investigation. These repositories were subsequently restored after Microsoft and GitHub completed their initial investigation and removed the malicious code. The incident shows the growing risks in open-source supply chains and the growing sophistication of threat actors targeting development environments. What financial impact did AI-powered scams have on Americans? Americans reported a substantial loss of nearly $900 million in 2025 due to AI-powered scams, stemming from 22,364 complaints filed with the Federal Bureau of Investigation (FBI) Internet Crime Report. These figures represent only reported incidents, suggesting the actual financial impact could be considerably higher. The widespread adoption of artificial intelligence tools by scammers has improved the efficacy and scale of traditional fraud schemes. The surge in AI-powered scams stems mainly from advancements in voice cloning, deepfake images and videos, and AI-generated scripts. These technologies allow threat actors to create highly believable and personalized fraudulent communications that can deceive even experienced individuals. Scammers use AI to: Automate victim research Generate convincing scam scripts and create highly realistic deepfake personas at scale These capabilities have revitalized classic fraud schemes such as romance scams, kidnapping and extortion calls, fake influencers, and government impersonation. Losses from Business Email Compromise (BEC) cases involving AI have already reached tens of millions of dollars for businesses. Verifying identities through official contact channels is a key recommendation from the FBI and financial institutions. What new phishing tactics is NSO Group using against WhatsApp users? NSO Group, the Israeli spyware vendor, engaged in new spear-phishing attempts against WhatsApp users, which Meta detected and subsequently blocked. These operations involved trying to trick individuals into clicking malicious links designed to redirect them to external websites, a tactic similar to previously reported "1-click phishing campaigns" linked to NSO. Meta also identified NSO Group creating test accounts and groups on WhatsApp, which were promptly taken down. As a direct response to these activities, Meta is pursuing a federal court contempt order against NSO Group for violating a permanent injunction that prohibits the company from targeting WhatsApp and its users. The specific malicious domains linked to this recent activity included fr24cast[.]com, ghazacast[.]com, and ikhwancast[.]com. While Meta did not disclose the precise timing or the number of users targeted in this particular campaign, nor confirmed any successful compromises, the action signals ongoing attempts by NSO Group to circumvent legal restrictions. This development follows a U.S. court order in 2025, which fined NSO Group approximately $168 million for exploiting WhatsApp servers to deploy Pegasus spyware on over 1,400 individuals globally. Further context on similar exploits can be found in our discussion on Ivanti zero-day exploitation, describing the broader landscape of VPN zero-day attacks. WhatsApp maintains that users' personal messages and calls remain protected with default end-to-end encryption. However, the company advises users to keep their applications and devices updated and report any suspicious activity. For individuals at elevated risk of sophisticated cyberattacks, enabling strict account settings is recommended. This feature hardens accounts by locking them to more private settings, such as requiring two-step verification, turning off link previews, and restricting profile visibility and group additions to known contacts only. Why do Iranian-affiliated threat actors continue cyber operations despite ceasefires? Iranian-affiliated actors persistently conduct cyber operations, including espionage and attacks on critical infrastructure, even during periods of kinetic ceasefire, due to the lack of specific international legal frameworks governing cyberwarfare. Six U.S. federal agencies, including the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command's Cyber National Mission Force, issued a joint advisory warning of Iranian-affiliated actors manipulating Programmable Logic Controllers (PLCs) within U.S. critical infrastructure sectors since at least March 2026. These targeted sectors include water, energy, and government services. The ongoing cyber activity shows a loophole in international conflict resolution, where traditional ceasefires address physical hostilities but often overlook digital warfare. Hours after a kinetic ceasefire took effect, one IRGC-linked group declared a pause on attacks against the U.S. while simultaneously vowing to revive them "when the time is right." Another group explicitly stated that operations against Israel would continue "at full force." Reports indicate that Iranian-affiliated groups have been conducting multiyear espionage campaigns against Western aerospace, defense, and telecommunications companies. For instance, APT Iran reportedly claimed to be selling exfiltrated data from Lockheed Martin, including purported F-35 blueprints, for over $598 million. These actions demonstrate a strategy of persistent access and intelligence gathering that continues regardless of kinetic ceasefires. The lack of a "cyber extension" to the Geneva Conventions means there are no universally agreed-upon rules for state-aligned hacking groups targeting critical civilian infrastructure. This allows for continuous digital incursions without immediate diplomatic or military repercussions typically associated with kinetic attacks. Establishing international norms and consequences for cyber actions, particularly those originating from a nation's territory, is recognized as essential to closing this gap. Technical Takeaways Qilin ransomware affiliate is actively exploiting CVE-2026-50751, a critical authentication bypass in Check Point Remote Access VPN and Mobile Access deployments, showing the severe risk of unpatched or misconfigured VPN infrastructure. The Miasma worm, linked to TeamPCP, compromised over 70 Microsoft repositories in under two minutes through a sophisticated supply-chain attack targeting Microsoft's AI coding ecosystem, showing the escalating threat to software development pipelines. Americans reported a collective loss of nearly $900 million from 22,364 AI-powered scam complaints in 2025, demonstrating the significant financial impact of malicious actors using voice cloning, deepfake images, and AI-generated scripts. NSO Group continues to engage in targeted spear-phishing activities against WhatsApp users, leading Meta to file a contempt order, which reflects persistent attempts by nation-state actors to bypass legal restrictions and exploit communication platforms. Iranian-affiliated actors maintain persistent cyber operations against U.S. critical infrastructure and defense sectors despite kinetic ceasefires, exploiting the absence of clear international cyberwarfare norms to conduct long-term espionage and disruptive activities. --- ## Check Point VPN Bypass CVE-2026-50751 (CVSS 9.3) - URL: https://purple-ops.io/blog/check-point-vpn-bypass-cve-2026 - Date: 2026-06-09 - Category: CVE Analysis - Tags: check-point, cve-2026-50751, vpn-bypass, qilin-ransomware, critical-vulnerability - Reading time: 5 min | CVSS: 9.3 **Summary:** CVE-2026-50751, a critical improper authentication vulnerability in Check Point VPNs (CVSS 9.3), is actively exploited. Check Point VPN Bypass CVE-2026-50751 (CVSS 9.3) Check Point Security Gateway products are affected by a critical improper authentication vulnerability, tracked as CVE-2026-50751. This defect, which resides in the remote access VPN component, permits unauthenticated users to establish unauthorized administrative sessions. Assigned a CVSSv3 score of 9.3 (Critical), CVE-2026-50751 is being actively exploited in the wild. The vulnerability stems from a logic flaw within certificate validation routines, specifically impacting deprecated IKEv1 VPN protocol configurations. Threat actors, including financially motivated ransomware syndicates, have used this flaw since at least May 7, 2026. This exploitation allows adversaries to bypass password authentication requirements, gaining an initial foothold into targeted enterprise networks. Urgent software hotfixes have been released by Check Point to address CVE-2026-50751 and a related flaw, CVE-2026-50752. Organizations utilizing affected Check Point Remote Access and Mobile Access VPN deployments are advised to apply these patches immediately. Forensic investigations indicate that successful exploitation is followed by attempts to deploy malicious payloads, including Qilin Linux ransomware. What is CVE-2026-50751 and why is it critical? CVE-2026-50751 is a critical improper authentication vulnerability impacting Check Point Security Gateway products configured for Remote Access and Mobile Access VPN. The flaw has a CVSSv3 score of 9.3, indicating severe potential impact. It permits an external attacker to bypass authentication requirements and establish an unauthorized administrative VPN session without possessing a valid password. The criticality of CVE-2026-50751 is amplified by its active exploitation in the wild. This vulnerability provides a direct pathway for threat actors to gain initial access to corporate networks, circumventing established perimeter defenses. The ability to establish unauthenticated administrative sessions significantly increases the risk of data exfiltration, lateral movement, and the deployment of advanced malware, including ransomware. Specifically, the vulnerability compromises the integrity of remote access mechanisms, which are fundamental for secure distributed workforces. Organizations relying on Check Point VPNs for remote connectivity are at immediate risk of breach. The bypass of core authentication mechanisms represents a profound security failure, requiring rapid response and remediation to protect sensitive internal application pools and data. What an attacker can achieve with CVE-2026-50751? With CVE-2026-50751, an attacker can establish unauthenticated administrative VPN sessions to affected Check Point Security Gateways. This level of access grants a remote adversary a direct entry point into the targeted internal network. The primary objective is to bypass all conventional authentication controls, including username/password combinations and potentially multi-factor authentication (MFA) that relies on the initial VPN session integrity. Once administrative access is obtained, attackers can conduct various malicious activities. These include, but are not limited to, network reconnaissance, configuring additional access for persistence, escalating privileges, and deploying malicious payloads. The research specifically links successful intrusions to attempts to run malicious ELF files and deploy Qilin Linux ransomware on local systems within the compromised environment. Organizations with vulnerable Remote Access or Mobile Access VPN deployments are at severe risk. Compromise could lead to extensive network disruption, data theft, and significant financial losses due to ransomware encryption and operational downtime. The real-world reach of this vulnerability is substantial, as attack volumes have spiked significantly across multiple distinct jurisdictions. Exploitation chain for CVE-2026-50751 The exploitation of CVE-2026-50751 uses a logic flaw within deprecated encryption handshake routines associated with the IKEv1 VPN protocol. The core vulnerability lies in the authentication handler's failure to correctly execute validation steps for incoming identity certificates. This allows an attacker to present a specially crafted certificate during the VPN session establishment process that bypasses the password requirement entirely. The attack vector is remote, meaning a malicious actor does not require prior access to the internal network. The precondition for exploitation is the use of Check Point Security Gateways that have Remote Access or Mobile Access VPN configured and are still utilizing the vulnerable, deprecated IKEv1 VPN protocol. The advisory from Check Point explicitly states this protocol is the point of weakness. Active exploitation of CVE-2026-50751 has been observed in the wild since at least May 7, 2026. Forensic investigations confirm that financially motivated threat groups are actively targeting this vulnerability. Post-compromise tracking has identified an overlap between initial intrusions and the deployment of Qilin Linux ransomware binaries. This suggests a direct pipeline from VPN bypass to ransomware execution. Attackers are observed attempting to download malicious ELF files from actor-controlled infrastructure following successful access. These operations often utilize dedicated virtual server fleets hosted across multiple global providers to camouflage background traffic and maintain anonymity. While no public Proof of Concept (PoC) exploit is detailed in the provided research, the confirmed active exploitation demonstrates the existence and operational effectiveness of private exploits. Further insights into this critical vulnerability can be found in our prior analysis of CVE-2026-50751: Check Point VPN Improper Authentication. Affected products and versions for CVE-2026-50751 CVE-2026-50751 primarily affects Check Point Security Gateway products that are configured for Remote Access and Mobile Access VPN. The vulnerability is specifically associated with a logic flaw in certificate validation within deprecated IKEv1 VPN protocol routines. The research findings do not provide explicit version numbers or product lines beyond "Remote Access and Mobile Access certificate validation." Therefore, organizations should assume that any Check Point Security Gateway deployment offering these VPN capabilities and configured to use IKEv1 is potentially vulnerable. Affected Product Lines: Check Point Security Gateway appliances configured for Remote Access VPN. Check Point Security Gateway appliances configured for Mobile Access VPN. Affected Protocol: Deployments utilizing the IKEv1 VPN protocol. It is crucial for administrators to review their Check Point configurations to determine if IKEv1 is in use for their Remote Access or Mobile Access VPN services. Due to the lack of specific version numbers in the provided intelligence, the most prudent approach is to consider all such deployments at risk until the recommended hotfixes are applied. Detection Capabilities for CVE-2026-50751 Effective detection of exploitation attempts and post-exploitation activities related to CVE-2026-50751 requires an approach focusing on VPN gateway logs, network traffic, and endpoint telemetry. Early identification is critical due to the active nature of this threat and its association with ransomware deployment. VPN Gateway Log Analysis: Unauthenticated Session Events: Look for VPN session initiation events that bypass traditional password authentication. Monitor for successful VPN connections where the authentication method deviates from standard security policies, particularly those indicating certificate validation anomalies. Unusual Source IPs: Identify VPN connection attempts or successful sessions originating from atypical geographic locations or IP addresses not part of expected remote access pools. Deprecation Warnings/Errors: Review logs for any warnings or errors related to deprecated IKEv1 protocols or certificate validation processes, which may precede or indicate exploitation. Network Traffic Analysis: Anomalous IKEv1 Traffic: Monitor network traffic for unusual patterns in IKEv1 handshake sequences or malformed requests that could indicate exploitation attempts. Outbound Connections to Suspicious Infrastructure: After a successful VPN login, scrutinize outbound connections from internal systems, particularly those initiated from the VPN gateway or newly connected remote hosts, to known malicious IP addresses or C2 infrastructure associated with Qilin ransomware. ELF File Downloads: Detect network traffic indicative of attempts to download Executable and Linkable Format (ELF) files from external, actor-controlled infrastructure to internal systems. This is a direct indicator of post-exploitation activity as noted in the research. Endpoint Detection and Response (EDR) Queries: Qilin Ransomware Signatures: Implement EDR queries to detect known file hashes, process names, or behavioral patterns associated with Qilin Linux ransomware binaries. Anomalous Process Creation: Monitor for unexpected process creation or command execution on endpoints that have recently connected via VPN, especially those involving scripting environments or system utilities not typically used by remote users. File System Changes: Look for unusual file system modifications, encryption activities, or the creation of ransom notes characteristic of ransomware deployment. Threat Intelligence Integration: Regularly update security information and event management (SIEM) systems and EDR platforms with the latest Indicators of Compromise (IOCs) related to CVE-2026-50751 and Qilin ransomware. Correlate internal logs with external threat intelligence to identify potential matches for attacker infrastructure or methodologies. Remediation Guidance for CVE-2026-50751 Prompt remediation is critical for CVE-2026-50751 due to its active exploitation and high CVSS score. The primary method of mitigation involves applying vendor-provided hotfixes. Apply Urgent Software Hotfixes: Check Point has released urgent software hotfixes to address CVE-2026-50751. These patches must be applied directly to all affected Check Point Security Gateways. Refer to the official Check Point advisory (blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/) for specific instructions and hotfix availability for your product versions. Applying these released patches completely mitigates both CVE-2026-50751 and the secondary flaw, CVE-2026-50752. While CVE-2026-50752 introduces man-in-the-middle risks for site-to-site tunnels, it has not seen real-world weaponization according to the research. Review and Migrate from Deprecated Protocols: The vulnerability explicitly targets deprecated IKEv1 VPN protocol routines. Organizations should assess their VPN configurations and plan to migrate away from IKEv1 to more secure, modern protocols like IKEv2 where feasible. This proactive measure reduces exposure to vulnerabilities inherent in older, less maintained protocols. Implement Continuous Monitoring: Even after patching, continuous monitoring of VPN gateway configuration states and authentication logs is essential. This ensures persistent network integrity across all enterprise nodes and helps detect any subsequent or novel attack attempts. Establish alerts for unusual VPN activity, failed certificate validations, or unexpected outbound connections. Perform Log Audits: Conduct extensive log audits dating back to May 7, 2026, the identified initial exploitation date. Look for indicators of compromise (IOCs) such as unauthorized VPN sessions, suspicious file downloads (especially ELF files), or evidence of Qilin ransomware activity. If compromise is detected, initiate incident response procedures immediately. Technical Takeaways CVE-2026-50751 is a critical improper authentication vulnerability (CVSS 9.3) in Check Point Security Gateways used for Remote Access and Mobile Access VPN. The flaw specifically impacts deprecated IKEv1 VPN protocol routines, allowing attackers to establish unauthenticated administrative VPN sessions by exploiting a logic error in certificate validation. Active exploitation has been observed in the wild since May 7, 2026, with financially motivated threat groups, including Qilin ransomware syndicates, using this vulnerability. Successful exploitation provides a direct remote access pathway into targeted networks, leading to attempts to download malicious ELF files and deploy ransomware payloads. Urgent software hotfixes released by Check Point address both CVE-2026-50751 and the related CVE-2026-50752, making immediate patching essential for all affected deployments. --- ## The Gentlemen Ransomware Claims 15 Victims - URL: https://purple-ops.io/blog/gentlemen-ransomware-victims - Date: 2026-06-08 - Category: Ransomware Report - Tags: the-gentlemen, ransomware, cybersecurity, threat-intelligence - Reading time: 5 min **Summary:** The Gentlemen ransomware group spearheaded recent global activity, publicly claiming 15 new victims. The Gentlemen Ransomware Claims 15 Victims Statistical Overview Victim Totals This month: 174 This quarter: 1720 Year to date: 4344 Last 24h: 28 Quarterly Breakdown Q1: 2631 | Q2: 1720 | Q3: 0 | Q4: 0 Ransomware incidents in Q2 show a substantial volume. The current 24-hour period reflects a consistent operational tempo compared to observed quarterly averages. Introduction The past 24 hours saw 28 new ransomware victims publicly reported across various platforms. The_Gentlemen group was the most active operator, claiming 15 victims. This significantly outnumbered other groups such as NightSpire (3), Payload (3), LockBit (2), and Qilin (2). Key sectors impacted included Transportation & Logistics, Education, Manufacturing, and Professional Services. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1The Gentlemen15Central arkansas pediatrics, Danzo group, Empty (+12)Argentina, PolandTransportation & Logistics, Education 2NightSpire3Asia strategic, Grip outreach for youth, Unique litho, incUnited States, SingaporeProfessional Services, Financial Services 3Payload3Hansoll textile in vietnam, Plaza lama, Villea hotels in attanahotelsVietnam, MalaysiaManufacturing, Retail & Ecommerce 4LockBit2patta.com, sands.muTaiwan, MauritiusManufacturing, Hospitality & Travel 5Qilin2Isuzu motors, Shipping association of ny and njUnited States, ThailandManufacturing, Transportation & Logistics 6Akira1Hrc sicherheitsdiensteGermanyProfessional Services 7BlackByte1QuanticateUnited KingdomPharmaceuticals & Biotech 8Morpheus13I INFOTECHIndiaTechnology / Software The_Gentlemen ransomware group had 15 reported victims. This shows its high operational tempo and varied targeting, which has included healthcare and education in previous campaigns. Other active groups, including NightSpire and Payload, attacked professional services, manufacturing, and retail globally. Victim Distribution By Country United States: 8 Taiwan: 3 Thailand: 2 India: 2 Vietnam: 1 United Kingdom: 1 Argentina: 1 Spain: 1 Singapore: 1 Poland: 1 By Industry Healthcare: 3 Hospitality: 2 Computer Peripherals and Electronic Components: 1 Textile Manufacturing: 1 Printing Services: 1 Medical Device Manufacturing: 1 Maritime Transportation: 1 Industrial Distribution: 1 Individual and Family Services: 1 Construction: 1 Attack distribution shows broad-spectrum targeting across multiple geographies. The United States experienced the highest number of reported incidents. Healthcare had three victims, indicating a focus on critical service providers. Ransomware News Topline Recent threat intelligence shows ransomware groups exploiting critical network vulnerabilities. They also use evolving obfuscation and infrastructure tactics to evade detection and takedown. Campaigns & Operations A Qilin ransomware affiliate exploits a critical Check Point VPN vulnerability (CVE-2026-50751). This allows bypassing user authentication in IKEv1 setups. Post-exploitation activity includes VPS infrastructure and Tox communications. The Silent Ransom Group (SRG) uses a fast-flux botnet to host its law firm data-leak sites. It leverages compromised consumer-grade routers and social engineering tactics for initial access. Vulnerabilities & TTPs The Check Point VPN flaw (CVE-2026-50751, CVSS 9.3) allows unauthenticated attackers to establish remote-access VPN sessions. Analysis of Play Ransomware's Grixba scanner shows a multi-stage evolution. This includes WMI/WinRM reconnaissance, RDP usage, and ntdll-based obfuscation. Earlier versions incorporated AMSI/WLDP bypasses. Later versions refined payload delivery. Analyst Note These developments show a trend toward exploiting critical vulnerabilities, using resilient C2 infrastructure, and continuously refining reconnaissance tools. This enhances ransomware operational effectiveness. Technical Takeaways The The_Gentlemen ransomware group accounted for 15 new victims, making it the most active operator. Healthcare was the most targeted industry by victim count (3). There was also targeting across hospitality, manufacturing, and transportation. A Qilin ransomware affiliate exploits CVE-2026-50751 in Check Point VPNs. This shows a focus on supply chain and network infrastructure vulnerabilities. Ransomware operators like the Silent Ransom Group use fast-flux botnets and social engineering. This complicates site takedowns and initial access defense. Analysis of Play Ransomware's Grixba scanner shows continuous evolution in reconnaissance tooling, including WMI/WinRM abuse and ntdll-based obfuscation. --- ## Windows Netlogon RCE CVE-2026-41089 Under Attack - URL: https://purple-ops.io/blog/windows-netlogon-rce-cve-41089 - Date: 2026-06-08 - Category: Threat Intelligence - Tags: windows-netlogon, rce, cve-2026-41089, domain-controller, zero-click - Reading time: 5 min **Summary:** Windows Netlogon RCE CVE-2026-41089 enables zero-click SYSTEM-level compromise of domain controllers, actively exploited against unpatched servers. Windows Netlogon RCE CVE-2026-41089 Under Attack Cybersecurity threats have significantly escalated, primarily due to the active exploitation of CVE-2026-41089, a critical zero-click Remote Code Execution (RCE) vulnerability in the Windows Netlogon service. This flaw, patched by Microsoft in May 2026, directly impacts all supported Windows Server versions configured as domain controllers. It poses an immediate, severe risk of complete domain compromise for unpatched organizations. Exploitation allows attackers to execute arbitrary code with SYSTEM-level privileges without authentication or user interaction, enabling widespread network control. Threat actors also demonstrate evolving tactics, including sophisticated social engineering with physical intrusions by UNC3753 targeting professional, legal, and financial services in the U.S. The North Korean state-sponsored Lazarus Group has deployed a stealthy, memory-resident malware framework known as RemotePE against financial and cryptocurrency institutions. The week's roundup also details a data breach affecting 20,225 Instagram accounts, stemming from an exploited vulnerability in Meta's AI-powered High Touch Support (HTS) system. These incidents show a persistent threat environment, with fundamental infrastructure vulnerabilities, advanced social engineering, and state-sponsored espionage continuing. Understanding these attack vectors and their technical details is important for effective defense in complex enterprise environments. How is the Windows Netlogon Zero-Click RCE being exploited? The Windows Netlogon Zero-Click RCE, tracked as CVE-2026-41089, is actively exploited in the wild through specially crafted Netlogon network requests. Attackers target unpatched Windows Server domain controllers, using the flaw to gain SYSTEM-level privileges on the compromised system. This high-severity vulnerability requires no authentication, local access, or user interaction, making it exceptionally dangerous for automated attacks and post-compromise lateral movement. The vulnerability resides within the core Netlogon service, which is fundamental for user and machine authentication in Active Directory environments. Successful exploitation grants attackers the highest level of access on a targeted server, enabling them to manipulate user accounts, disable security controls, deploy malware, and ultimately seize control of an entire domain. Organizations running any supported version of Windows Server are affected if their domain controllers remain unpatched. Microsoft addressed CVE-2026-41089 during its May 2026 Patch Tuesday release, urging immediate application of security updates. The remote exploitability and ease of exploitation make this vulnerability a key target for threat actors seeking to establish a foothold in enterprise networks. Rapid patching, especially for internet-facing and high-risk domain controllers, is the primary mitigation. Security teams should also enhance monitoring for anomalous Netlogon activity, unusual authentication attempts, and privilege escalation events. Implementing network segmentation and restricting access to Netlogon services to only authorized systems can further reduce exposure. For more details on this critical flaw and its implications, refer to our analysis on Netlogon RCE CVE-2026-41089 and CVE-2026-41089 affecting Windows domain controllers. Impact of CVE-2026-41089: Privilege Escalation to SYSTEM-level. Remote Code Execution without authentication. Complete domain compromise of Active Directory. Lateral movement and persistent access within the network. What are UNC3753's latest tactics in data theft extortion? The financially motivated threat actor group UNC3753, also known as Chatty Spider and Luna Moth (and Silent Ransom Group - SRG), has intensified its data theft extortion campaign against dozens of organizations across professional, legal, and financial services in the U.S. from January to May 2026. The group's latest tactics blend voice phishing (vishing) and social engineering with unprecedented physical intrusions to gain remote access and exfiltrate sensitive data. UNC3753 is assessed to be an offshoot of the now-defunct Conti ransomware gang, evolving from BazarCall-style campaigns to its current sophisticated methods. Attackers initiate contact through benign, invoice-themed emails sent from consumer email accounts, which serve as a pretext to raise security concerns and increase susceptibility to follow-up phone calls. During these vishing calls, UNC3753 impersonates IT support staff, convincing targets to join screen-sharing sessions on platforms like Zoom or Microsoft Teams. They then guide victims to install legitimate remote desktop software such as AnyDesk, Bomgar, SuperOps RMM, or Zoho Assist, often sharing instructions via privnote[.]com to establish a persistent foothold. UNC3753's capabilities have escalated significantly to include physical intrusions, where threat actors pose as IT technicians to enter corporate offices and steal data using removable USB media. Once remote or physical access is established, the group conducts direct searches or manipulates victims into exfiltrating proprietary legal agreements, personally identifiable information (PII), and financial records using tools like WinSCP or Rclone, or through the victim's email. The group operates on a fast-tempo model, with complete operations from initial contact to extortion occurring within a single business day, often completing data searches and theft in under an hour. Stolen data is frequently published on the LEAKEDDATA site, which currently lists close to 100 victim organizations. UNC3753 also employs DNS Fast Flux network infrastructure across various countries to evade detection and takedown attempts, showing their operational resilience. UNC3753 Tools and Tactics: Initial Access: Vishing and social engineering (including physical intrusion). Remote Access Tools (RMM): AnyDesk, Bomgar, SuperOps RMM, Zoho Assist. Communication Platforms: Zoom and Microsoft Teams. Secure Note Sharing: privnote[.]com. Data Exfiltration: WinSCP, Rclone, victim email accounts, USB drives. Infrastructure: DNS Fast Flux network for domains like business-data-leaks[.]com and ep6pheij[.]com. Extortion: Threat of public data disclosure on LEAKEDDATA if ransom not paid within a three-day deadline. Which sophisticated malware is Lazarus Group deploying against financial targets? The North Korean state-sponsored Lazarus Group is deploying a sophisticated cross-platform malware framework named RemotePE in stealthy attacks against financial institutions and cryptocurrency organizations. This multi-stage infection chain uses two loaders, DPAPILoader and RemotePELoader, to ultimately deliver the memory-resident RemotePE remote access trojan (RAT). RemotePE was actively developed between mid-2023 and mid-2024, demonstrating its role as a persistent and covert tool for high-value targets. The attack typically begins with targeted social engineering, as seen in a case involving a decentralized finance (DeFi) organization where attackers impersonated trading company employees on Telegram to lure victims to fraudulent Calendly and Picktime websites. Once a device is compromised, DPAPILoader decrypts a payload on disk using the Windows Data Protection API (DPAPI), loading it into memory as RemotePELoader. This second-stage loader then contacts a command-and-control (C2) server to retrieve the final RemotePE RAT. RemotePELoader employs advanced evasion techniques, including Hell's Gate and Event Tracing for Windows (ETW) patching, to bypass detection by security solutions. The final payload, RemotePE, is written in C++ and operates entirely in memory, minimizing forensic evidence and making it difficult to detect with traditional disk-based scanning. This RAT provides extensive capabilities, including configuration management, file operations (such as securely overwriting files seven times before deletion, a trait seen in other Lazarus malware like PondRAT and POOLRAT), process control, DLL management, system reconnaissance, and remote command execution. The memory-only execution, combined with low detection rates and advanced evasion mechanisms, indicates that RemotePE is reserved for critical intelligence gathering and financially motivated operations within the financial and cryptocurrency sectors. Organizations in these sectors are advised to implement strong endpoint detection and response (EDR) solutions with memory forensics capabilities, enforce multi-factor authentication (MFA), and conduct regular phishing awareness training to counter Lazarus Group's tactics. RemotePE Key Characteristics: Malware Type: Memory-resident Remote Access Trojan (RAT). Loaders: DPAPILoader, RemotePELoader. Evasion Techniques: Hell's Gate, Event Tracing for Windows (ETW) patching. Capabilities: File operations, process control, DLL management, system reconnaissance, remote command execution. Forensic Evasion: Never touches disk, overwrites deleted files seven times. Target Sectors: Financial institutions, cryptocurrency organizations (including Decentralized Finance - DeFi). How did attackers hijack 20,225 Instagram accounts using Meta's AI support? Attackers successfully hijacked 20,225 Instagram accounts by exploiting a vulnerability in Meta's AI-powered High Touch Support (HTS) system. The breach, which began on April 17, 2026, stemmed from a flaw in the HTS tool's password reset mechanism, where the system failed to verify if the email address provided by an individual requesting a password reset actually matched the email associated with the targeted Instagram account. This misconfiguration allowed unauthorized third parties to receive password reset links for accounts they did not own. Upon obtaining a valid password reset link, attackers could log in and hijack accounts, particularly those without two-factor authentication (2FA) enabled. Meta's associate general counsel for incident response legal, Amber Hannah, confirmed that the HTS tool itself functioned as intended, but a separate code path bug led to the improper verification. This critical flaw exposed users' contact information (email/phone), dates of birth, social media content (photos, videos, stories), direct messages, account activity, and profile information. After discovering the incident, Meta took immediate action, disabling the HTS AI-powered support system and invalidating all generated password reset links to prevent further exploitation. The company subsequently enrolled all potentially stolen accounts into a mandatory security verification process, requiring affected users to reset their passwords and re-authenticate to regain control. Meta has committed to fixing the authentication check in the Instagram recovery entry point before re-launching the tool and is conducting a full review of similar account recovery flows across its platforms. This incident demonstrates security risks in automated support systems, particularly when critical authentication checks are not rigorously enforced. Details of the Instagram Account Hijack: Victim Count: 20,225 Instagram users globally (30 in Maine's jurisdiction). Exploited System: Meta's AI-powered High Touch Support (HTS) tool. Vulnerability: Failure to verify if a provided email for password reset matched the account's registered email. Attack Method: Sending password reset links to unassociated emails, then logging in. Contributing Factor: Absence of two-factor authentication (2FA) on victim accounts. Data Exposed: Contact information, dates of birth, social media content, direct messages, account activity, profile information. Remediation: HTS disabled, password reset links invalidated, mandatory security verification process for affected accounts, commitment to fix authentication bug. Technical Takeaways The active exploitation of CVE-2026-41089 represents a critical zero-click RCE against Windows Server domain controllers, enabling SYSTEM-level privilege escalation and complete domain compromise. UNC3753 (aka Silent Ransom Group) demonstrates an evolving blend of vishing, social engineering, and unprecedented physical intrusions to compromise organizations in the legal, professional, and financial sectors, exfiltrating data for extortion. The Lazarus Group's deployment of RemotePE, a memory-resident RAT, showcases advanced evasion techniques like Hell's Gate and ETW patching, targeting financial and cryptocurrency entities with a multi-stage, diskless infection chain. A flaw in Meta's AI-powered High Touch Support (HTS) system allowed attackers to hijack over 20,000 Instagram accounts by exploiting improper email verification during password reset processes. These incidents collectively show the persistent threat from fundamental infrastructure vulnerabilities, sophisticated human-centric attacks, and memory-resident malware, requiring full security measures from patching to advanced EDR capabilities. --- ## Supply Chain & Ransomware Threat Briefing 2026 - URL: https://purple-ops.io/blog/threat-overview-supply-chain-vulnerabilities-ransomware - Date: 2026-06-08 - Category: report - Tags: none - Reading time: 16 min **Summary:** Miasma supply chain attacks, active PAN-OS exploitation, and 150 ransomware victims highlight this week's critical cyber threats. Threat Overview Supply Chain Vulnerabilities Ransomware Briefing Executive Summary The past week saw an active cyber environment, marked by supply chain compromises, widespread vulnerability exploitation, and ongoing ransomware activity. Supply Chain Compromise Targeting Developer Environments: The Miasma campaign exploited the Red Hat npm supply chain by injecting a credential-stealing worm into affected packages. This impacts organizations using the compromised npm dependencies, presenting a risk to developer accounts, cloud environments, and CI/CD pipelines. Active Exploitation of Network Edge Vulnerabilities: Active exploitation of Palo Alto Networks PAN-OS CVE-2026-0257 continued, allowing unauthorized access and affecting entities with vulnerable PAN-OS GlobalProtect configurations, leading to potential network intrusions. New Denial-of-Service Vulnerability: CVE-2026-49975, an HTTP/2 bomb attack, gained attention because it can rapidly incapacitate web servers. This vulnerability affects any organization hosting web services accessible via HTTP/2, posing a direct threat to service availability. Industrial Control Systems Targeted: Exposed fuel tank gauges in the US were attacked. This affects industrial entities with internet-exposed operational technology, which creates risks of operational disruption. Business Impact: These activities impact various business functions. Supply chain compromises and network edge breaches create opportunities for data theft and service interruptions across IT and development. Ransomware operations, notably by groups such as Akira, Medusa Locker, and Qilin, continued to disrupt organizations within defense, aerospace, education, manufacturing, and general services. Mass data breaches, including national identity documents and government registries across Latin America, MENA, and APAC, increase chances for identity fraud. Unconfirmed reports also surfaced regarding the potential compromise of highly sensitive defense industrial information related to submarine technology. Trends and Changes vs. Last Week: Software supply chain attacks, critical vulnerability exploitation, diverse ransomware activity, and geopolitically motivated hacktivism remained consistent. An increase occurred in the advertisement and sale of privileged network access credentials for government and critical infrastructure entities on underground forums. Mass data breaches, particularly those involving national identity and sensitive government data, became more prevalent, along with reports of high-value defense industrial information being referenced in illicit markets. Outlook: Continued activity is expected concerning supply chain compromise campaigns targeting developer tools and cloud environments. Sustained exploitation of recently disclosed critical vulnerabilities in network infrastructure is also anticipated. Ransomware operations are likely to remain active and diverse, with an ongoing trade in network access credentials. Geopolitically motivated hacktivist operations are projected to persist, especially within current conflict zones. The underground trade of stolen data and access credentials is expected to remain active. Key Threat Intelligence Highlights Key developments this week: A Miasma supply chain attack has compromised Red Hat npm packages, injecting a credential-stealing worm. This incident exposed users to data theft via trusted software components, showing the persistent danger to software development. A critical, actively exploited remote code execution vulnerability, CVE-2026-0257, in Palo Alto Networks' PAN-OS GlobalProtect gateways and firewalls allows unauthenticated attackers root-level control, enabling arbitrary code execution and potential full system compromise. Affected organizations must patch or mitigate immediately. A new vulnerability, CVE-2026-49975, allows an HTTP/2 bomb attack that can quickly overwhelm web servers. This attack method can render target systems inoperable within seconds, causing widespread service interruptions and denying user access to online resources. The issue affects all services using the HTTP/2 protocol, requiring swift defensive measures against denial-of-service. Internet-exposed fuel tank gauges in the US are under active attack, with malicious actors exploiting poor security configurations. This compromise enables the manipulation of fuel levels and operational controls, posing risks of environmental damage and supply chain interruptions for essential services. The exposure of these devices shows an urgent need for better cybersecurity practices to protect critical infrastructure. Additional Threat Intelligence Context CVE-2026-20245 | CVSS: 7.8 (PROBLEMATIC) - Cisco Catalyst SD-WAN Manager Command Execution: Actively exploited, this vulnerability allows remote command execution as root, often chained with authentication flaws, controlling SD-WAN management and routing, with no patch yet available. Available Exploits: CVE-2026-20245 Exploit Analysis: # CVE Analysis Report: CVE-2026-20245 GitHub Link: Title: CVE-2026-20245 PoC (template) CVE: CVE-2026-20245 (CVSS: 7.8, PROBLEMATIC) CVSS Score: 7.8 CVSS Severity: PROBLEMATIC Based on the analysis: Complexity Score: NA Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 75/100 Based on ease of use, potential impact, how widely it could spread, etc. Multi-Ecosystem Software Supply-Chain Campaigns: Coordinated efforts like the Miasma worm, Node.js/npm worms, and typosquats (e.g., axios delivering Epsilon Stealer) spread credential stealers and remote access tools, compromising developer systems and CI/CD pipelines. CVE-2026-3300 | CVSS: 9.8 (CRITICAL) - Everest Forms Pro Remote Code Execution: This critical WordPress plugin vulnerability has been actively exploited since April 2026 to create rogue administrator accounts, with public proof-of-concept code widely available. Available Exploits: CVE-2026-3300 Exploit CVE-2026-3300 Exploit Analysis: # CVE Analysis Report: CVE-2026-3300 GitHub Link: Title: Everest Forms Pro RCE PoC CVE: CVE-2026-3300 (CVSS: 9.8, CRITICAL) CVSS Score: 9.8 CVSS Severity: CRITICAL Based on the analysis: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 100/100 Based on ease of use, potential impact, how widely it could spread, etc. CVE-2026-49261 - MariaDB Remote Code Execution (CVSS 10.0): Actively exploited, threatening many internet-exposed database servers. CVE-2026-0257 | CVSS: None (CRITICAL) - PAN-OS GlobalProtect Authentication Bypass: Actively exploited, it permits adversaries to impersonate local administrators via crafted cookies, gaining covert VPN access and bypassing perimeter controls. Available Exploits: CVE-2026-0257 Exploit CVE-2026-0257 Exploit CVE-2026-0257 Exploit CVE-2026-0257 Exploit CVE-2026-0257 Exploit Analysis: # CVE Analysis Report: CVE-2026-0257 GitHub Link: Title: PAN-OS GlobalProtect Auth Bypass Detection PoC CVE: CVE-2026-0257 (CVSS: None, CRITICAL) CVSS Score: None CVSS Severity: CRITICAL Based on the analysis: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 91/100 Based on ease of use, potential impact, etc. CVE-2026-45247 | CVSS: 9.8 (CRITICAL) - Magento Mirasvit Cache Warmer RCE: A critical unauthenticated RCE actively exploited by initial access brokers to implant malware. This RCE appears on the CISA KEV catalog. Available Exploits: CVE-2026-45247 Exploit Analysis: # CVE Analysis Report: CVE-2026-45247 GitHub Link: Title: CVE-2026-45247 PoC skeleton CVE: CVE-2026-45247 (CVSS: 9.8, CRITICAL) CVSS Score: 9.8 CVSS Severity: CRITICAL Based on the analysis: Complexity Score: NA Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 75/100 Based on ease of use, potential impact, how widely it could spread, etc. CVE-2026-28318 | CVSS: 7.5 (PROBLEMATIC) - Verizon VoLTE IMS Core Vulnerability: Active exploitation allows unprotected SIP signaling for call manipulation, spoofing, and denial-of-service against subscribers. Available Exploits: CVE-2026-28318 Exploit Analysis: # CVE Analysis Report: CVE-2026-28318 GitHub Link: Title: SolarWinds Serv-U POST Deflate Crash PoC (CVE-2026-28318) CVE: CVE-2026-28318 (CVSS: 7.5, PROBLEMATIC) CVSS Score: 7.5 CVSS Severity: PROBLEMATIC Based on the analysis: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 100/100 Based on ease of use, etc. CVE-2026-28318 | CVSS: 7.5 (PROBLEMATIC) - SolarWinds Serv-U Denial of Service: Actively exploited for remote unauthenticated availability disruption via crafted requests, which disrupts managed file transfer services. Available Exploits: CVE-2026-28318 Exploit Analysis: # CVE Analysis Report: CVE-2026-28318 GitHub Link: Title: SolarWinds Serv-U POST Deflate Crash PoC (CVE-2026-28318) CVE: CVE-2026-28318 (CVSS: 7.5, PROBLEMATIC) CVSS Score: 7.5 CVSS Severity: PROBLEMATIC Based on the analysis: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 100/100 Based on ease of use, etc. CVE-2026-34908 | CVSS: 10.0 (CRITICAL) - UniFi OS Server Vulnerability Chain (CVE-2026-34910): A critical chain allowing unauthenticated attackers to achieve root-level command execution and expose sensitive data on UniFi OS Server deployments. Available Exploits: CVE-2026-34908 Exploit Analysis: # CVE Analysis Report: CVE-2026-34908 GitHub Link: Title: UniFi OS Server unauth RCE detector (CVE-2026-34908/34909/34910) CVE: CVE-2026-34908 (CVSS: 10.0, CRITICAL) CVSS Score: 10.0 CVSS Severity: CRITICAL Based on the analysis: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 100/100 Based on ease of use, etc. CVE-2026-7312 - Progress Sitefinity OData Insight Flaws (CVSS 10.0): Actively exploited, exposing plaintext credentials and allowing CMS pivots. CVE-2026-40965 - Cloud Foundry UAA JWT Signing Key Disclosure (CVSS 10.0): Allows unauthenticated JWT forgery in affected deployments. CVE-2026-10622 - Collibra Platform Agent Issues ( & CVE-2026-10621): Allow unauthenticated remote code execution via exposed REST endpoints and Zip Slip conditions. CVE-2026-0826 - Poly VVX Office VoIP Phones RCE: Critical stack-based buffer overflow with publicly available exploit code, allowing root RCE through crafted SIP INVITE messages. CVE-2026-9311 - IBM WebSphere Vulnerabilities (CVE-2026-9330, CVE-2026-9319, CVE-2026-8644): Include RCE and authentication bypass flaws, allowing unauthenticated or low-privilege users to run arbitrary code or forge identities. Ransomware Activity Overview Ransomware groups like Akira targeted defense and aerospace entities like RUAG, exfiltrating military documentation. Medusa Locker continued widespread campaigns against mid-sized organizations globally across education, NGOs, manufacturing, and services, often using public victim naming. Other active groups include LockBit, NightSpire, Play, and Qil. The underground market also advertised privileged network access, including Fortinet SSL VPN access for the Argentine Army (L4TAMFUCK3R$) and full access to Canada's Iteris Radius+ traffic network (Z-Pentest Alliance), granting visibility over road-monitoring cameras. Direct VPN access credentials for government entities were also available. Large-scale data breaches continued, involving the sale of 11.4 million Spanish national identity documents, a 160 million-record Vietnamese "CIC 2025" dataset, 31 million Peruvian citizen records, Indonesian government and election data, and sensitive UN World Food Programme Gaza beneficiary information. These exposures create opportunities for identity fraud and subsequent network penetration. An advertisement on Spear.cx referenced the potential leak of "USA advanced nuclear submarines Critical-Quiet Technology - FROM VACCO," suggesting a highly sensitive defense-industrial information compromise. Geopolitically aligned hacktivist groups, including Iran-linked clusters, continued DDoS operations against Dutch and Israeli entities, sometimes blending cyber messaging with kinetic missile threat narratives. RipperSec also performed DDoS attacks on Israeli targets, and OpThailand-themed actors claimed compromises against Thai government and education platforms. During the reporting period, 150 total victims were identified across 34 active ransomware groups. The top 5 most active groups accounted for 66 victims. Top 5 Ransomware Groups The_Gentlemen - 24 victim(s) Notable victims: 3e accounting, Anandji haridas, Arabian procession holding, Bouri group, Brian jessel bmw (and 19 more) Qilin - 15 victim(s) Notable victims: Avcon jet, Central florida cosmetic & family dentistry, Clinica maitenes, Eat salad, Interspa betriebsverwaltungsgesellschaft (and 10 more) INC_Ransom - 10 victim(s) Notable victims: Bradley law firm, CUSTOMSIGN, Champaign-Urbana Public Health District, Colina Financial Advisors, Oztugotomotiv (and 5 more) Medusa Locker - 9 victim(s) Notable victims: Académie de montpellier / csjm, Actionaid / tacosa, Baiapai, Baratai, Colegio maría inmaculada (cmi) (and 4 more) Akira - 8 victim(s) Notable victims: Cherokee distributing co, Factors western, Hal otey financial, Kennon worldwide, National standard parts associates (and 3 more) Deep Web Deep Web Activity Overview Deep web observations this week reveal varied data breaches and access offerings, spanning highly sensitive government and defense information, mass personal identification data, and industrial control system details. Activities included the sale of national security documents, critical military technology, compromised electoral systems, and large-scale citizen data registries. The observed incidents show malicious actors continue to seek data and access for financial gain, identity-related fraud, or geopolitical disruption. What major data leaks appeared on deep web forums this week? Several high-impact data leaks and access sales surfaced on deep web forums this week, involving government entities, critical infrastructure, and extensive citizen data from various nations. Sensitive Defense and Security Data: A post titled "USA advanced nuclear submarines Critical-Quiet Technology - FROM VACCO" appeared on June 7, 2026, offering data purportedly related to advanced US nuclear submarine technology. The content directly referenced several US Navy submarine classes (SSN-637, SSBN/SSN-640, SSN-688, SSBN-726, SSN-21, SSN-774, SSBN(X)). The origins of this data and its authenticity remain under assessment, but the claims alone represent a serious concern for national security. On June 5, 2026, a listing titled "[NATO] COSMIC TOP SECRET NATO REPORTS FOR SALE" was observed. The actor "mosad" offered highly classified NATO reports, inviting potential buyers to contact them for samples or a full document list. The nature of these reports suggests a breach of top-tier government or military networks, carrying extensive geopolitical implications. Compromised Government and Electoral Systems: A concerning incident emerged on June 5, 2026, with "GordonFreeman" claiming "Full SSH Acces to CNE.GOB.EC Electoral Registry DB 2026" in Ecuador. The actor asserted complete control over the country's electoral registry database, exfiltrating over 13.5 million valid voter records. They claimed the ability to modify voter data, enable "massive electoral fraud," and deploy backdoors. A ransom of 4 BTC was demanded, with a stated intent to "poison" backups, wipe the registry, or inflate the database with "ghost voters" if demands were not met. This incident directly attacks democratic integrity. On June 7, 2026, "TheNegratas" offered "Spain ID Breach - 11.4M ID Documents for Sale," claiming to have breached the State Digital Administration Agency. The compromised data includes DNI numbers, full names, photographs, signatures, dates of birth, addresses, and various document-specific details, effectively providing complete digital identities for a large portion of the Spanish population. Critical Infrastructure and Law Enforcement Access: A posting on June 2, 2026, titled "Canada! Central East Correctional Centre (Jail) databases SQL" by "Moneyistime" advertised over 70GB of SQL backups from a Canadian correctional facility. The data includes sensitive databases such as "AccessManager" (electronic locks, gates, biometric security), "DIRECTORY" (staff personal files, credentials), "SecurityPatrolSystemSPSCheckPoint" (guard schedules, patrol routes, physical blind spots), "UnitAssistant" (cell assignments, gang conflict maps, informant registries), and "HealthMonitor" (server status, broken security equipment). This information could compromise physical security and operational integrity. On June 4, 2026, "henny" posted an offer to sell "[Government + Law Enforcement Emails And Panels]" from multiple regions (EU, South America, Asia, Africa). This actor claimed access to email accounts and administrative panels for government and law enforcement systems, including "kodex," "meta," and "microsoft." This type of access can lead to further intrusions, intelligence gathering, or operational disruption. Large-Scale Corporate and Financial Data Leaks: "max987" advertised "Vietnam 160M (CIC) 2025" on June 7, 2026, offering a national credit registry containing over 160 million records for individuals and companies. The data, priced at 8000 USDT, includes full names, dates of birth, national IDs, passports, loan data, balances, debt, tax IDs, company information, audit logs, and addresses. This is a vast collection of financial and personal information. A substantial breach of a Turkish food company, GOKNUR GIDA A.Ş., was advertised by "DreamFyre" on June 4, 2026, offering 10.7 TB of data for $200,000. The exposed information is extensive, encompassing Active Directory architecture, SCADA, PLC, and RTU configurations, network device configurations, ESXi infrastructure, customer and financial data, employee PII (including Turkish ID numbers, passports, salaries), production recipes, R&D data, patents, supply chain information, ERP/CRM systems, and cybersecurity protocols. Industrial control system data was particularly notable. Access for Ransomware Operations: A post from "Simpson2" on June 4, 2026, titled "[want to sell company access for ransomware]" offered packages of access to companies with reported revenues between $10 million and $10 billion. The starting price was $10,000 for 10 targets, suggesting a dedicated access broker for ransomware attacks. What patterns or trends are emerging from these incidents? Patterns in this week's deep web breach data indicate evolving tactics and motivations among malicious actors. Targeting of Government and Critical Infrastructure: A recurring theme is the compromise of governmental bodies, electoral commissions, defense contractors, and correctional facilities. This shows a direct interest in data and access that can destabilize nations, compromise national security, or facilitate high-impact physical and cyber operations. Widespread Personal Identifiable Information (PII) Exfiltration: Large-scale PII breaches affect millions of citizens. Examples include 11.4 million Spanish national IDs and 160 million Vietnamese credit registry records. Such extensive datasets allow widespread identity theft, financial fraud, and sophisticated social engineering campaigns. Industrial Espionage and Operational Technology (OT) Compromise: The GOKNUR GIDA A.Ş. breach explicitly included SCADA, PLC, RTU configurations, and production recipes. This points to a drive for industrial espionage and potential disruption or sabotage of critical industrial processes. The Role of Access Brokers: Multiple postings advertise direct access to compromised networks or systems (e.g., government/law enforcement panels, company access for ransomware). These brokers serve as an initial entry point for other malicious actors, lowering the barrier for subsequent attacks such as data exfiltration, ransomware deployment, or network manipulation. Geographic Diversity of Targets: The affected entities span North America (USA, Canada), Europe (NATO, Spain), South America (Ecuador), Asia (Vietnam), and the Middle East (Turkey). This widespread distribution shows a global reach by various threat actor groups. Motivation for Financial Gain and Geopolitical Influence: While many breaches are for direct sale and financial profit, incidents like the Ecuadorian electoral system compromise suggest motivations extending to political disruption and manipulation. The sale of sensitive defense and NATO documents could serve both financial and state-sponsored intelligence objectives. What are the potential impacts of this week's deep web activity? The information observed on deep web forums this week carries several severe potential impacts across national security, economic stability, and individual privacy. National Security and Geopolitical Instability: The purported leaks of US nuclear submarine technology and NATO "COSMIC TOP SECRET" reports could give adversaries unprecedented intelligence advantages, compromising military capabilities, operational secrecy, and strategic planning. The alleged manipulation of Ecuador's electoral system directly attacks sovereign democratic processes, capable of undermining public trust and potentially inciting political unrest. Economic Disruption and Corporate Espionage: The 10.7 TB data breach from GOKNUR GIDA A.Ş., including production recipes, R&D data, and SCADA configurations, could cause substantial competitive disadvantage, intellectual property theft, and potential operational disruption for the affected company. The broad offerings of company access for ransomware operations consistently threaten organizations with service outages, data destruction, and considerable financial extortion. Widespread Identity Theft and Fraud: The availability of 11.4 million Spanish ID documents and 160 million Vietnamese credit records provides malicious actors with extensive data for identity theft, account takeovers, and various forms of financial fraud against individuals and institutions. The combination of personal details, financial history, and national identifiers creates a solid foundation for sophisticated phishing and social engineering campaigns. Compromise of Public Safety and Law Enforcement Operations: The exposure of Canadian correctional facility databases, including guard schedules, patrol routes, and informant registries, could directly compromise the physical security of personnel and inmates, facilitate escapes, or aid in internal criminal activities. The sale of government and law enforcement email access allows malicious actors to potentially infiltrate investigations, acquire sensitive operational details, and evade justice. Erosion of Public Trust: Incidents involving the compromise of national ID systems, electoral registries, and critical government infrastructure directly diminish public confidence in government's ability to protect citizen data and maintain essential services. Sources Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257 CVE-2026-49975: HTTP/2 Bomb Attack Can Knock Web Servers Offline in Seconds Exposed Fuel Tank Gauges Under Attack in the US --- ## CVE-2026-7312 Sitefinity Credential Exposure - URL: https://purple-ops.io/blog/sitefinity-cve-2026-7312-credentials-exposure - Date: 2026-06-08 - Category: CVE Analysis - Tags: none - Reading time: 12 min | CVSS: 10 **Summary:** Progress Sitefinity CVE-2026-7312, a critical CVSS 10.0 vulnerability, exposes Sitefinity Insight credentials to unauthenticated attackers via OData Web... Progress Sitefinity CVE-2026-7312 (CVSS 10.0) Credential Exposure Progress Sitefinity, a widely used content management system, has issued an urgent security advisory about several critical vulnerabilities. CVE-2026-7312 is particularly severe, with a maximum CVSS v3.1 score of 10.0. This flaw, categorized as "Insufficiently Protected Credentials in OData Web Services," allows a remote, unauthenticated attacker to obtain plain-text credentials. The exposed credentials are specifically those used to connect to the Sitefinity Insight service. The critical nature of CVE-2026-7312 requires immediate attention from organizations using Progress Sitefinity. Because the vulnerability can be exploited remotely and without authentication, a threat actor does not need prior access or legitimate user credentials to compromise the system. This directly exposes sensitive connection information, which attackers can then use for further attacks or unauthorized data access. At the time of this report, there are no public confirmations of in-the-wild exploitation specifically targeting CVE-2026-7312. However, the vendor has urged all customers to apply available product updates without delay. Failure to address this vulnerability leaves affected Progress Sitefinity installations, particularly those using OData Web Services, susceptible to significant compromise. What is CVE-2026-7312 and what is its impact? CVE-2026-7312 is a critical security vulnerability affecting Progress Sitefinity versions 8.0 through 15.4, rated with a CVSS v3.1 score of 10.0. It stems from "Insufficiently Protected Credentials in OData Web Services," a condition classified under CWE-522. This flaw allows a remote, unauthenticated attacker to obtain plain-text credentials specifically configured for connecting to the Sitefinity Insight service. The highest possible CVSS score shows the severity; the vulnerability is easily exploitable and can lead to a complete compromise of confidentiality, integrity, and availability. The direct impact of CVE-2026-7312 is the unauthorized exposure of sensitive credentials. For organizations using Sitefinity Insight service, these credentials are critical for the proper functioning and security of their analytics and personalization capabilities. Compromise of these credentials means an attacker could gain unauthorized access to the Sitefinity Insight service itself, potentially exfiltrating sensitive analytics data, manipulating tracked user behavior, or gaining deeper insights into the organization's customer interactions. Such credentials often grant access to backend systems or databases, presenting a significant opportunity for lateral movement within a targeted network. The exposure of plain-text credentials is a fundamental security failure, as it bypasses cryptographic protections designed to safeguard sensitive information. An attacker obtaining these credentials effectively gains access to a critical component of the Sitefinity ecosystem. This level of access could enable an attacker to impersonate legitimate services, inject malicious data, or tamper with the collection and reporting of business-critical information. The remote and unauthenticated nature of the attack vector implies that any internet-facing Sitefinity instance with the vulnerable OData Web Services enabled is a potential target, regardless of prior user interaction or network authentication. This vulnerability is part of a broader security alert issued by Progress, which also addresses other significant flaws in Sitefinity. For instance, CVE-2026-7198, with a CVSS score of 9.8, shows an "Improper Access Control in web services" that permits a remote unauthenticated attacker to access restricted content. Another vulnerability, CVE-2026-7195, concerns "Improper Input Validation" that could lead to user account compromise. While CVE-2026-7312 focuses on credential exposure, the presence of these other high-severity issues in the same advisory shows a pervasive risk to Sitefinity environments. These collective threats mean that neglecting to patch any of these vulnerabilities could result in a wide-ranging compromise, including data theft, unauthorized content modification, or privilege escalation. Exploitation Chain and Preconditions The exploitation chain for CVE-2026-7312 begins with a remote, unauthenticated attacker targeting exposed OData Web Services within a vulnerable Progress Sitefinity instance. The attacker does not require any prior authentication or authorization to initiate this attack, making the vulnerability accessible and dangerous. This unauthenticated access permits the attacker to interact directly with the vulnerable OData endpoint, triggering the flaw that leads to the exposure of plain-text credentials. The primary precondition for this vulnerability is the active use and exposure of OData Web Services within the Progress Sitefinity environment, specifically those configured to connect to the Sitefinity Insight service. OData (Open Data Protocol) is an ISO/IEC approved OASIS standard that defines how to build and consume REST APIs. It allows for standardized querying and manipulation of data sources via HTTP. In the context of Sitefinity, OData services are often used for integrating with external systems, providing data feeds, or supporting analytics components like Sitefinity Insight. If these services are improperly secured or configured, they can become an entry point for attackers. The "Insufficiently Protected Credentials" aspect (CWE-522) implies a failure in how the Sitefinity application or its OData Web Services component handles the storage, transmission, or retrieval of authentication material. This could manifest in several ways: hardcoded credentials, credentials stored in plain text within configuration files accessible via the OData endpoint, improper encryption or hashing of stored credentials, or insecure transmission protocols that expose credentials during communication. Once the attacker triggers the vulnerability through a crafted request to the OData endpoint, the system divulges the plain-text credentials for the Sitefinity Insight service. As noted, the provided research does not indicate active in-the-wild exploitation or the existence of public Proof-of-Concept (PoC) exploits specifically for CVE-2026-7312. The theoretical attack vector is remote, unauthenticated access leading to critical credential exposure. The absence of reported active exploitation does not mean there is no threat. The CVSS 10.0 score indicates maximum risk, and it is common for sophisticated threat actors to use such high-impact vulnerabilities discreetly before public PoCs emerge. For an example of how critical vulnerabilities can transition to active exploitation, our report on CVE-2026-28318 details an actively exploited uncontrolled resource consumption vulnerability in SolarWinds Serv-U. The immediate patching advised by Progress is a proactive measure against potential future exploitation attempts. Organizations should prioritize securing their OData Web Services and other integration points to prevent unauthorized access to sensitive credential information, mitigating the risk posed by this and similar critical flaws. Affected products and versions The CVE-2026-7312 vulnerability impacts a broad range of Progress Sitefinity versions, affecting both older deployments and relatively recent releases. Organizations managing Sitefinity instances must verify their deployed versions against the vendor's advisory to determine their exposure. The vulnerability affects Progress Sitefinity versions ranging from 8.0 up to and including 15.4. This extensive range indicates that a significant portion of the active Sitefinity installation base could be at risk. Older, unsupported versions are especially vulnerable as they may not receive further security updates, making upgrading to a supported and patched release necessary. To mitigate the risks associated with CVE-2026-7312 and other related critical vulnerabilities addressed in the same advisory, Progress has released specific patched versions. The following versions incorporate the necessary security fixes: Progress Sitefinity 15.4.8630 Progress Sitefinity 15.3.8531 Progress Sitefinity 15.2.8441 Progress Sitefinity 15.1.8335 Progress Sitefinity 15.0.8234 Progress Sitefinity 14.4.8152 Progress Sitefinity 13.3.7652 Administrators are advised to check the precise version number of their Sitefinity deployments against this list. Ensure that the installed version matches or exceeds these specified patch levels. Instances running any version between 8.0 and 15.4 that are not specifically listed as patched are considered vulnerable and require immediate updating. Checking specific version numbers is a fundamental step in vulnerability management, as discrepancies can leave systems exposed despite perceived patching efforts. Detection Detecting potential exploitation of CVE-2026-7312 requires careful monitoring of Progress Sitefinity application logs, underlying web server logs, network traffic, and authentication attempts directed towards related services. Since the vulnerability involves the exposure of plain-text credentials through OData Web Services, detection efforts should focus on anomalies associated with these components and the Sitefinity Insight service. The vendor's advisory does not provide specific Indicators of Compromise (IOCs) or unique detection signatures for CVE-2026-7312. Therefore, a proactive and generalized approach to monitoring is necessary: OData Web Service Access Logs: Examine web server logs (e.g., IIS logs for Windows-based deployments) for unusual or excessive requests targeting OData endpoints within the Sitefinity application. Look for patterns of access from unexpected IP addresses, unusual request parameters, or high volumes of requests that might indicate automated scanning or exploitation attempts. Pay close attention to endpoints associated with the Sitefinity Insight service. Application Logs: Review Sitefinity application logs for any errors, warnings, or other audit events related to OData service operations, credential handling, or connections to the Sitefinity Insight service. Abnormal entries or frequent credential-related failures could signal an issue. Network Traffic Analysis: Monitor network traffic originating from and directed to Sitefinity servers. Look for unauthorized outbound connections, especially to destinations unrelated to normal Sitefinity Insight service operations. Analyze traffic patterns for anomalous data exfiltration attempts or unusual communication protocols that might indicate compromised credentials being used for C2 (Command and Control) or data transfer. Authentication and Authorization Logs: Although the vulnerability enables unauthenticated access to obtain credentials, these compromised credentials could subsequently be used for authenticated attacks. Monitor authentication logs for the Sitefinity Insight service or other integrated systems for suspicious login attempts, especially those using the newly obtained credentials. This includes logins from unusual geographical locations, odd hours, or unexpected user agents. Sitefinity Insight Configuration and Data Monitoring: Keep an eye on the configuration and data integrity of the Sitefinity Insight service. Any unauthorized changes to service settings, data collection parameters, or the appearance of anomalous data could be a post-exploitation indicator. Organizations should also consider implementing Web Application Firewalls (WAFs) to monitor and filter traffic to Sitefinity OData Web Services, looking for patterns that might match known or suspected exploitation techniques. While not a direct patch, a WAF can provide an additional layer of defense and logging capabilities. For broader detection strategies related to critical web application vulnerabilities, similar to our report on CVE-2026-48172 which concerns a root privilege escalation in a cPanel plugin, continuous monitoring and strong logging practices are essential. Remediation The primary and most effective remediation for CVE-2026-7312 is to immediately apply the latest security updates released by Progress Sitefinity. The vendor has provided specific patched versions that address this vulnerability and others outlined in their security advisory. The following Progress Sitefinity versions include the necessary security fixes and should be deployed as soon as possible: 15.4.8630 15.3.8531 15.2.8441 15.1.8335 15.0.8234 14.4.8152 13.3.7652 Organizations running any Sitefinity version prior to these patched releases, or within the affected range of 8.0 to 15.4 that is not specifically listed, must initiate an upgrade process immediately. Before applying any updates, it is recommended to perform a full backup of the Sitefinity application and its associated databases to ensure data integrity and facilitate rollback if necessary. Thorough testing of the patched environment should also be conducted in a staging environment to confirm functionality and compatibility before deployment to production. While patching is the definitive solution, several mitigations and workarounds can be considered to reduce exposure until updates can be fully implemented: Restrict OData Web Service Access: If the Sitefinity OData Web Services are not required to be publicly accessible, implement network access controls (e.g., firewall rules, WAF policies) to restrict access to these endpoints only from trusted IP ranges or internal networks. This limits the attack surface by preventing remote, unauthenticated attackers from reaching the vulnerable component. Review and Harden Credential Management: Conduct an immediate audit of all credentials associated with the Sitefinity Insight service and other integrated services. Ensure that strong, unique passwords are used and that no plain-text credentials are exposed in configuration files, code, or its databases. Rotate these credentials after patching as a precautionary measure, assuming potential prior exposure. Implement Network Segmentation: Isolate Sitefinity servers within a segmented network zone. This strategy helps limit the lateral movement an attacker could achieve even if CVE-2026-7312 were successfully exploited and credentials obtained. By containing the compromised system, the potential impact on other critical assets can be minimized. Monitor and Audit System Configurations: Regularly review and audit Sitefinity configurations, particularly those related to OData setup and Sitefinity Insight service integration, to ensure they adhere to security best practices. Disable any unnecessary features or services that could introduce additional attack vectors. Post-Patch Verification: After applying the patches, verify that the vulnerability is resolved by conducting vulnerability scans or penetration testing against the updated Sitefinity instance. Confirm that OData Web Services no longer expose credentials as described. Adherence to these remediation steps is critical to securing Progress Sitefinity deployments against CVE-2026-7312. Proactive patching and strong security practices are essential, particularly when dealing with unauthenticated, high-severity flaws that provide direct access to sensitive information. These steps align with general cybersecurity best practices for critical vulnerabilities, as further exemplified in our full report on CVE-2026-20079, which shows the urgency of addressing unauthenticated root access flaws. Technical Takeaways CVE-2026-7312 is a critical vulnerability in Progress Sitefinity with a CVSS v3.1 score of 10.0, affecting versions 8.0 through 15.4. The flaw allows a remote, unauthenticated attacker to obtain plain-text credentials used for the Sitefinity Insight service via OData Web Services (CWE-522). Compromise of these credentials can lead to unauthorized access to the Sitefinity Insight service, data exfiltration, or lateral movement within the network. While no confirmed in-the-wild exploitation for CVE-2026-7312 has been publicly reported, the severity dictates immediate action. The primary remediation is to apply the latest security updates, specifically to versions 15.4.8630, 15.3.8531, 15.2.8441, 15.1.8335, 15.0.8234, 14.4.8152, and 13.3.7652. Detection efforts should focus on anomalous log entries, unusual network traffic to/from OData endpoints and the Sitefinity Insight service, and suspicious authentication attempts. --- ## 2 New Ransomware Victims in Diverse Sectors - URL: https://purple-ops.io/blog/ransomware-victims-diverse-sectors - Date: 2026-06-07 - Category: Ransomware Report - Tags: none - Reading time: 5 min **Summary:** Blackwater and Medusa Locker claimed 2 new ransomware victims in diverse sectors, including hospitality and education in China and Costa Rica. 2 New Ransomware Victims in Diverse Sectors Statistical Overview Victim Totals This month: 146 This quarter: 1692 Year to date: 4317 Last 24h: 2 Quarterly Breakdown Q1: 2631 | Q2: 1692 | Q3: 0 | Q4: 0 Current ransomware activity shows a low volume of new victims but adds to larger quarterly and year-to-date totals. New incidents target various global locations. Introduction In the last 24 hours, two new ransomware victims were disclosed. Blackwater and Medusa Locker each claimed one victim. Targets included hospitality & travel and education sectors, in China and Costa Rica. Reports also indicated operations affecting U.S. law firms and an Indian healthcare institution. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1Blackwater1Www.utourworld.comChinaHospitality & Travel 2Medusa Locker1Colegio maría inmaculada (cmi)Costa RicaEducation Ransomware activity during this period shows few new victims claimed by specific groups. Blackwater took one victim in China's hospitality and travel sector. Medusa Locker, a group that targets various industries, listed an education sector victim in Costa Rica. Learn more about this group's operations in our Medusa Locker ransomware victims analysis. Blackwater also listed a new victim, aligning with trends discussed in our Q2 ransomware intelligence report. Victim Distribution By Country China: 1 Costa Rica: 1 By Industry Travel and Tourism: 1 Education: 1 Even with few new victim disclosures, the distribution points to broad, opportunistic targeting across different regions and industries. Activity this period included the education sector, a frequent ransomware target as detailed in our report on Genesis Group ransomware victims. This shows ransomware groups continue to spread out their victim profiles instead of focusing on specific sectors. Ransomware News Topline Recent ransomware developments show social engineering tactics remain effective and critical sectors face ongoing threats. Campaigns & Operations The Silent Ransom Group (UNC3753, Luna Moth, Chatty Spider) targets U.S. law firms and professional services. This campaign uses invoice-themed phishing, which makes victims call back impostor IT support. These calls lead to remote sessions where attackers install tools like AnyDesk for initial access and data exfiltration. The group often demands extortion within 30 minutes of data theft. Separately, the Chandrapur Cancer Care Foundation in India experienced a ransomware attack around June 1, 2026. This encrypted patient and administrative databases, severely disrupting operations. Vulnerabilities & TTPs The Silent Ransom Group's methods include voice phishing, using various remote access tools (AnyDesk, Zoho Assist, Bomgar, SuperOps) for system control, and tools like WinSCP or Rclone for data exfiltration. They minimize forensic traces by sharing commands via Privnote and using fast-flux infrastructure with residential IPs. No specific CVEs were linked to these incidents. Analyst Note These incidents show sophisticated social engineering attacks remain effective. Organizations, especially in sectors like legal and healthcare, need strong defenses. Technical Takeaways Ransomware activity has a broad targeting scope, affecting various sectors and geographies with low victim volumes. Operators like Blackwater and Medusa Locker continue to claim victims in hospitality, travel, and education. The Silent Ransom Group uses sophisticated social engineering, including voice phishing and impersonation, to gain remote access and quickly exfiltrate data from professional services firms. Attackers use common remote access (AnyDesk, Zoho Assist) and data exfiltration (WinSCP, Rclone) tools, and evasion tactics like Privnote and fast-flux infrastructure. Attacks on critical infrastructure, such as the Chandrapur Cancer Care Foundation, show the severe operational impact and the need for strong offline backups and incident response plans. Ransomware Groups Behind Recent Attacks Understanding the threat actors behind these incidents is critical for defenders. Blackwater is a relatively emerging ransomware group that has begun targeting hospitality and travel organizations across Asia. Medusa Locker, by contrast, is a well-established ransomware-as-a-service (RaaS) operation known for: Targeting small-to-mid-sized organizations in education and healthcare Using phishing and RDP exploitation as primary vectors Demanding ransoms typically ranging from $10,000 to $50,000 Operating double-extortion tactics to pressure victims Learn more in our ransomware group profiles and Medusa Locker attack patterns deep dives. Sectors Most Targeted by Ransomware in 2025 The hospitality and education sectors continue to attract ransomware operators due to historically weaker cybersecurity postures and valuable personal data. Key trends observed year-to-date include: Education: Schools and universities face budget constraints limiting security investment Hospitality & Travel: High volumes of payment card and passport data make these targets lucrative Healthcare: Ongoing pressure to pay ransoms quickly to restore critical systems Legal Services: Law firms targeted for sensitive client data and confidentiality leverage These patterns align with our 2025 ransomware sector analysis, which tracks shifting attacker priorities across industries. How Organizations Can Defend Against Ransomware Despite low single-day victim counts, cumulative 2025 totals exceeding 4,300 victims highlight the persistent ransomware threat. Organizations in targeted sectors should prioritize: Implementing offline and immutable backups tested regularly Patching RDP and VPN vulnerabilities promptly Deploying endpoint detection and response (EDR) solutions Training staff to recognize phishing attempts Establishing an incident response plan before an attack occurs Proactive defense remains far less costly than ransomware recovery. Explore our ransomware prevention checklist for actionable guidance tailored to small and mid-sized organizations. --- ## Miasma Worm Hits GitHub, PyPI, AI Agents (2025) - URL: https://purple-ops.io/blog/miasma-worm-targets-ai-github-pypi - Date: 2026-06-07 - Category: Threat Intelligence - Tags: none - Reading time: 13 min **Summary:** The Miasma worm attack compromises 123 GitHub repositories, AI coding agents, and PyPI via stolen PATs to exfiltrate cloud credentials. Miasma Worm Targets AI, GitHub, PyPI in Supply Chain Attack The Miasma worm, a sophisticated variant of the Mini Shai-Hulud malware, has expanded its attack vectors, actively compromising GitHub repositories, targeting AI coding agents, and infiltrating the Python Package Index (PyPI) ecosystem. This coordinated campaign, also tracked with the Hades cluster designation for its PyPI operations, has impacted many targets, including 123 GitHub repositories, over 50 npm packages, and 448 distinct artifacts across both npm and PyPI registries. High-profile targets such as Microsoft Azure's durabletask repository have fallen victim, alongside popular projects like icflorescu/mantine-datatable and numerous bioinformatics and deep-learning toolkits. Threat actors are using stolen Personal Access Tokens (PATs) to push malicious commits directly into GitHub repositories, introducing configuration files designed to auto-execute a credential-harvesting payload. This multi-stage attack targets developer environments, detonating when repositories are opened in AI coding agents like Claude Code, Gemini CLI, Cursor, or even standard Integrated Development Environments such as VS Code. The underlying mechanism also extends to the Python ecosystem, where malicious .pth files are being deployed to trigger a similar Bun-based payload during Python startup, broadening the supply chain compromise. The campaign's intricate design demonstrates a shift in adversary tactics, moving beyond traditional package manager hooks to exploit editor auto-run features and Python's native startup mechanisms. This adaptability ensures persistent access and solid credential exfiltration capabilities across different development pipelines. The Miasma operation shows the increasing sophistication of supply chain attacks. These attacks use legitimate developer tools and trusted repositories for widespread infection and data theft. How is the Miasma Worm Exploiting AI Coding Agents and GitHub Repositories? The Miasma worm is exploiting AI coding agents and GitHub repositories by injecting malicious configuration files directly into legitimate projects through compromised maintainer accounts and stolen Personal Access Tokens. This approach bypasses traditional package manager security checks and initiates a credential-harvesting payload upon common developer actions. On June 3, 2026, the Miasma worm was observed pushing commits to GitHub source repositories, circumventing package registries. An attacker used a commit titled chore: update dependencies [skip ci] to add six files to target repositories, including five configuration files designed to auto-execute a payload named .github/setup.js. These triggers were crafted to use legitimate auto-run features in various developer tools: Claude Code and Gemini CLI: Both use a SessionStart hook in .claude/settings.json and .gemini/settings.json to run a shell command (node .github/setup.js) when an agent session opens. Cursor: Uses an always-applied project rule in .cursor/rules/setup.mdc that instructs the agent to execute node .github/setup.js, using prompt injection against the AI assistant. VS Code: Uses a task in .vscode/tasks.json configured to run node .github/setup.js automatically when the folder is opened. npm: The package.json file is modified to hijack the test script, so npm test also detonates the payload. The dropper, .github/setup.js, is a JavaScript file that builds a string from a character-code array, applies a Caesar shift (observed as ROT-4 in this wave, differing from the ROT-9 in earlier Miasma campaigns), and executes the result via eval. This decoded loader then uses node:crypto to decrypt two hardcoded blobs, _b (bootstrap) and _p (the worm). The loader writes _p to a random temporary file and executes it using the Bun JavaScript runtime, downloading Bun directly from GitHub if not already present on the host. This ensures the worm runs in an isolated environment, avoiding reliance on the victim's existing Node.js or Python installations. This technique is similar to how the Miasma worm has previously targeted npm supply chains, as documented in analysis concerning Miasma's impact on Red Hat npm supply chain. Blast Radius and Exfiltration of the GitHub Arm The initial wave of attacks against icflorescu saw the same malicious commit land in five repositories within a 49-second window, indicating automated propagation. These five repositories collectively account for 1,459 GitHub stars, with mantine-datatable contributing 1,225 alone. RepoStarsPushed (UTC)HEAD commit mantine-datatable1,22522:38:51f72462d9 mantine-contextmenu17022:38:599ef8b396 next-server-actions-parallel5622:39:1901e00e78 mantine-datatable-v6322:39:296592194 mantine-contextmenu-v6522:39:405aa0201b A broader GitHub code search identified 123 repositories across dozens of accounts containing similar malicious configurations. This includes official projects like Microsoft Azure's durabletask (Azure/durabletask) which has 1,718 stars, metersphere/helm-chart, and Azure-Samples/llm-fine-tuning. For the Azure/durabletask repository, the attacker used a stolen Personal Access Token from a legitimate Microsoft contributor and backdated the commit timestamp to 2020 to conceal it within a dormant branch. This widespread compromise aligns with the documented self-propagation capabilities of the Shai-Hulud family of malware, which harvests GitHub tokens with write access from prior infections to propagate itself. Related research, such as the Miasma worm targeting Microsoft and GitHub, provides more details on this variant's propagation through GitHub. The worm's payload is a multi-cloud credential harvester, designed to scan for and exfiltrate secrets from environments including AWS, Azure, GCP, Vault, Kubernetes, npm, and GitHub. Exfiltration occurs to attacker-created public GitHub repositories, which serve as dead-drops. Identified exfiltration accounts include liuende501 (236 dead-drop repos for the npm arm), and windy629 (200+ repos) and HerGomUli for the source-repo arm. These dead-drop repositories typically carry descriptions such as Miasma - The Spreading Blight or the reversed string niagA oG eW ereH :duluH-iahS ("Shai-Hulud: Here We Go Again"). The timing of these activities, with dead-drop creation often preceding repository pushes by seconds, shows token theft and subsequent propagation are integrated. Indicators of Compromise for GitHub Arm Indicator TypeDetails File Hashesd630397de8b01af0f6f5cf4463da91b17f28195a2c50c8f3f38ad9f7873fdb8e (setup.js for icflorescu/taxepfa waves) 3a9db5ba0c8cd4c91e91717df6b1a141fc1e0fbc058b5a78d7f5c23f5b2a150 (setup.js for Azure/durabletask) 633c8410ee0413ca4b090a19c30b20c03f31598c25247c484846fa34c1df5b64 (_p payload) Planted Files.github/setup.js, .claude/settings.json, .gemini/settings.json, .cursor/rules/setup.mdc, .vscode/tasks.json, package.json (modified test script), Gemfile (in Ruby projects) Commit SignaturesAuthor: github-actions (unsigned) Author: amdeel (unsigned, backdated) Message: chore: update dependencies [skip ci] or Switched DataConverter to OrchestrationContext [skip ci] Exfil Accountswindy629, HerGomUli, liuende501 (all with Miasma - The Spreading Blight description) Runtime ArtifactsBun download from hxxps://github[.]com/oven-sh/bun/releases/download/bun-v1.3.13/ Temp payload: /tmp/p.js Temp runtime: /tmp/b-/bun What is the "Hades Cluster" and Its Impact on PyPI? The Hades cluster is a new arm of the Shai-Hulud and Miasma malware lineage, targeting Python developers through a supply chain attack on the Python Package Index (PyPI). This intrusion compromised multiple popular open-source packages, injecting malicious code via maintainer account takeovers to steal credentials. The attack uses Python's .pth files, which typically add directory paths to the system environment but also execute lines starting with an import statement during interpreter initialization. The compromised PyPI releases shipped a *-setup.pth file that automatically attempts to execute during Python startup, without requiring an explicit package import. This subtle execution trigger allows the malware to bootstrap its payload instantly, even during local test runs or CI/CD jobs. This poses a significant risk before any code review. The use of such evasive execution methods shows the challenges in securing modern software supply chains. The Miasma worm has previously used similar tactics, as shown in analyses of the Miasma worm targeting the npm supply chain. Once triggered, the malicious .pth file downloads a standalone copy of the Bun JavaScript runtime directly from GitHub. This cross-runtime execution technique allows the malware to run complex JavaScript payloads on a Python system, bypassing assumptions about the availability of Node.js or Python environments. The malware builds its own isolated execution engine within local temporary directories. The underlying JavaScript payload then executes a sweeping search for sensitive credentials, including cloud authentication tokens (AWS, Google Cloud, Azure, Kubernetes), private SSH keys, npm access tokens, and PyPI access tokens. The Hades cluster has been linked to 448 affected artifacts spanning both npm and PyPI registries, which shows the broad reach of this campaign. For stealthy exfiltration, the malware uses legitimate cloud platforms as network camouflage, sending decoy traffic to Anthropic AI servers. The actual exfiltration occurs via automated GitHub interactions, where the payload creates public code repositories to host stolen data, marked with specific descriptions like Hades - The End for the Damned. The campaign has impacted scientific research communities. It compromised established bioinformatics and deep-learning toolkits that collectively have hundreds of thousands of cumulative downloads. How is the Pink Extortion Group Bypassing MFA and Exfiltrating Cloud Data? The Pink Extortion Group, tracked as CL-CRI-1147 and linked to the broader Com network, is bypassing multi-factor authentication (MFA) and exfiltrating cloud data primarily through voice phishing (vishing) scams. This method targets corporate users to gain initial access before using legitimate cloud services for data theft and extortion. The Pink Extortion Group avoids traditional malware deployment, instead relying on social engineering. Threat actors impersonate internal IT personnel via phone calls, manipulating employees into visiting credential-stealing domains such as passkeyaddcom or passkeydeploy.com. When an employee enters their login details on these malicious sites, the attackers steal their active login session, bypassing MFA defenses. With compromised credentials, the group gains access to the victim organization's Microsoft 365 environment. They then exploit Microsoft's own automated tools to sweep and exfiltrate sensitive files from OneDrive and SharePoint folders within minutes. This strategy allows them to operate under the guise of legitimate user activity. This makes detection challenging for standard security controls. Following data exfiltration, the Pink Extortion Group starts an extortion phase. They use the compromised employee accounts to send internal emails and Microsoft Teams messages to co-workers and executives, demanding payment and setting a 72-hour deadline for a response. The group launched a dedicated data leak site on May 31, 2026, listing initial victims. This confirms their intent for public exposure if demands are not met. Forensic analysis by Gurucul revealed that Pink uses fileless methods to maintain persistence and evade detection on local workstations. The malware deploys small code commands that hide within legitimate system paths and constructs its main operational code directly in the computer's temporary memory cache, making it invisible to conventional antivirus scanners. The code also includes checks for sandbox or analysis laboratory environments, adapting its behavior to avoid detection during security analysis. The group's reliance on legitimate cloud tools and authentic account access requires a shift in defensive strategies, focusing on behavioral monitoring and employee training to verify suspicious communications. What Vulnerability is Actively Exploited in Everest Forms Pro? Hackers are actively exploiting CVE-2026-3300, an unauthenticated remote code execution (RCE) vulnerability in the Everest Forms Pro plugin, versions 1.9.12 and earlier, to take complete control of WordPress websites. This flaw allows threat actors to create rogue administrator accounts and perform arbitrary actions on compromised sites. The CVE-2026-3300 vulnerability resides in the Everest Forms Pro plugin's Complex Calculation feature. This feature accepts user-submitted values from form fields and directly inserts them into a PHP code string, which is then executed using PHP's eval() function. Although the user input passes through a sanitize_text_field() function, this sanitization mechanism does not escape single quotes (') or other characters that can manipulate PHP syntax. Attackers exploit this oversight by submitting a value that closes the intended string literal, injects arbitrary PHP code, and then comments out the remaining generated code to prevent syntax errors. Specifically, telemetry data from Wordfence indicates that attackers are injecting a PHP statement that calls wp_insert_user() to create a new administrator account with the username diksimarina. Once this malicious administrator account is created, attackers gain full control over the compromised WordPress site, allowing them to modify content, install plugins and themes, establish backdoors, and access private databases. The vulnerability was initially reported by researcher h0xilo in February 2026, and a patch addressing the issue was released by the Everest Forms developer on March 18, 2026. However, active exploitation of CVE-2026-3300 began on April 13, 2026. Wordfence firewalls have blocked over 29,300 attempts to exploit this flaw. The majority of these exploitation attempts originate from specific IP addresses, 202.56.2[.]126 and 209.146.60.26. Website administrators are advised to update Everest Forms Pro to a patched version immediately. They should also review server logs for suspicious activity and check for unauthorized administrator accounts, especially those containing the string diksimarina. What are the Details of the Chandrapur Cancer Hospital Ransomware Attack? The Chandrapur Cancer Care Foundation (Cancer Hospital), located in Chandrapur, India, was hit by a ransomware attack that encrypted its entire database, with hackers demanding a ransom of 1.23456 Bitcoin, valued at approximately Rs 75 lakh (approximately 90,000 USD at the time of the incident). This cyberattack disrupted the hospital's operations and patient management systems. The incident was first detected on June 1, 2026, at around 7:30 AM, when the hospital's IT department identified a technical issue with the main server. Upon investigation, staff discovered a ransomware message displayed on the server, confirming unauthorized access and data encryption. The attackers had encrypted patient records, treatment histories, and administrative information, making the hospital's database inaccessible. The ransom note demanded a payment of 1.23456 Bitcoin for a decryption key, with the hackers claiming that access would be restored only after the payment was made and assuring that the compromised information would not be shared. The attack has had a major impact on the hospital's information management system, causing disruptions to daily operations and patient care. Authorities are currently investigating how the attackers breached the hospital's network, showing the persistent threat ransomware poses to healthcare infrastructure. Technical Takeaways The Miasma/Shai-Hulud malware family has expanded its attack surface, moving past npm package manager hooks to target AI coding agent configurations and Python's native .pth startup files for initial execution. The use of the Bun JavaScript runtime is a consistent fingerprint across Miasma and Hades cluster campaigns, allowing cross-runtime payload execution and creating an isolated environment for credential harvesting. Threat actors are using stolen GitHub Personal Access Tokens (PATs) to inject malicious commits directly into many public and official repositories, including Microsoft Azure's durabletask, which shows the effectiveness of account takeover in supply chain attacks. The Pink Extortion Group uses a social engineering approach by using vishing to bypass MFA and then using legitimate Microsoft 365 tools to exfiltrate data from OneDrive and SharePoint for financial extortion. Active exploitation of CVE-2026-3300 in Everest Forms Pro shows how improper input sanitization in WordPress plugins can lead to unauthenticated remote code execution and site compromise, and creates rogue administrator accounts. Ransomware continues to threaten infrastructure, as seen in the Chandrapur Cancer Care Foundation incident, which saw a demand for 1.23456 Bitcoin to restore encrypted patient and administrative data. --- ## SolarWinds Serv-U CVE-2026-28318 (CVSS 7.5) DoS - URL: https://purple-ops.io/blog/solarwinds-serv-u-cve-2026-28318 - Date: 2026-06-07 - Category: CVE Analysis - Tags: solarwinds-serv-u, cve-2026-28318, denial-of-service, cisa-kev, actively-exploited - Reading time: 5 min | CVSS: 7.5 **Summary:** SolarWinds Serv-U CVE-2026-28318, a high-severity DoS vulnerability with CVSS 7.5, is actively exploited via unauthenticated requests. SolarWinds Serv-U CVE-2026-28318 (CVSS 7.5) DoS SolarWinds Serv-U, a multi-protocol file server software, is currently impacted by an actively exploited denial-of-service (DoS) vulnerability, identified as CVE-2026-28318. This high-severity flaw carries a CVSS score of 7.5, indicating a substantial risk to the availability of affected systems. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-28318 to its Known Exploited Vulnerabilities (KEV) catalog, showing its immediate threat and confirmed in-the-wild exploitation. The vulnerability stems from an uncontrolled resource consumption issue, triggered by specially crafted POST requests. These requests use Content-Encoding: deflate and do not require authentication. They can cause the Serv-U service to crash, disrupting file transfer operations and impacting business continuity. Organizations deploying SolarWinds Serv-U must prioritize remediation efforts to mitigate the risk posed by this actively exploited flaw. This post analyzes CVE-2026-28318, covering its technical characteristics, impact, affected versions, and guidance for detection and remediation. The presence of this vulnerability in the CISA KEV catalog requires immediate attention from all federal civilian executive branch (FCEB) agencies, who have been directed to apply patches by June 19, 2026. This directive also warns private sector entities globally. Impact Successful exploitation of CVE-2026-28318 results in an availability impact, specifically a denial-of-service condition. An unauthenticated attacker can trigger a crash of the SolarWinds Serv-U service by sending specially crafted POST requests. CISA describes this as an "uncontrolled resource consumption" vulnerability, where the service is forced to consume excessive system resources (such as memory or CPU cycles) until it becomes unresponsive or terminates abruptly. For organizations reliant on SolarWinds Serv-U for secure file transfer and exchange, a service crash translates directly into operational disruption. File uploads, downloads, and data transfer functions would cease, potentially halting business processes, impairing data sharing, and impacting overall productivity. While CVE-2026-28318 does not inherently lead to data theft or direct system compromise in terms of confidentiality or integrity, the loss of availability can have severe financial and reputational consequences, particularly for entities handling sensitive or time-critical information. CVE-2026-28318's inclusion in CISA's Known Exploited Vulnerabilities catalog means real-world attacks are occurring. This changes the vulnerability from a theoretical risk to an immediate threat, directly risking operational disruption for organizations using SolarWinds Serv-U. The CVSS score of 7.5 further shows its severity, as it is a high-severity flaw that is easy to exploit and directly impacts service availability. The CISA mandate for FCEB agencies to address the flaw by a specific deadline shows the urgency and criticality of this vulnerability across all sectors. What is CVE-2026-28318 and its exploitation chain? CVE-2026-28318 is a denial-of-service vulnerability affecting SolarWinds Serv-U that allows an unauthenticated attacker to crash the service. The exploitation chain for this vulnerability involves an attacker sending specially crafted POST requests to the vulnerable Serv-U instance. These requests specifically use the Content-Encoding: deflate header. The vulnerability arises because SolarWinds Serv-U is susceptible to an uncontrolled resource consumption issue when processing these particular requests. While available advisories do not fully detail the exact technical mechanism causing the resource consumption, the service's handling of the deflate content encoding, possibly during decompression or parsing, leads to excessive resource allocation or consumption. This causes the Serv-U process to become unstable and terminate, resulting in a DoS condition. The fact that this can be achieved without authentication significantly lowers the bar for an attacker, as no prior credentials or access are required to initiate the attack. The active exploitation status, as confirmed by CISA, indicates that threat actors have developed and are deploying exploits for CVE-2026-28318 in real-world environments. While specific details about the attackers or the nature of campaigns are not publicly available, the addition to the KEV catalog implies that this vulnerability is being used for disruptive purposes. Historically, SolarWinds Serv-U has been a target for various threat actors, including sophisticated groups like the Cl0p ransomware gang (which exploited a different vulnerability, CVE-2021-35211, for initial access). This shows why threat actors find Serv-U an appealing attack vector. Our prior analysis of another critical denial-of-service vulnerability, CVE-2026-49975, further demonstrates the potential for severe disruption through such flaws. Which SolarWinds Serv-U versions are affected? The SolarWinds Serv-U vulnerability, CVE-2026-28318, affects versions of the software prior to the release of the official patch. Specifically, the issue has been addressed in SolarWinds Serv-U version 15.5.4 HF1. This means that any installed instance of SolarWinds Serv-U running a version older than 15.5.4 HF1 is susceptible to the denial-of-service flaw. Organizations should verify their current Serv-U installation version immediately. Affected versions include: SolarWinds Serv-U versions 15.5.4 and earlier. Organizations are advised to upgrade to the patched version as soon as possible to mitigate the risk of exploitation. Detection Strategies Detecting attempts to exploit CVE-2026-28318 primarily involves monitoring network traffic and server logs for specific patterns indicative of the attack vector. Because the vulnerability involves specially crafted POST requests with a specific content encoding, network and application-level logging are crucial. Concrete detection guidance includes: Network Intrusion Detection/Prevention Systems (NIDS/NIPS) and Firewalls: Configure rules to detect and alert on HTTP POST requests targeting SolarWinds Serv-U services with a Content-Encoding: deflate header. This header is typically not required for normal Serv-U functionality, making its presence a strong indicator of malicious intent. Monitor for a sudden increase in POST requests to Serv-U endpoints, particularly if followed by service disruptions or crashes. Implement traffic shaping or rate limiting for unauthenticated POST requests to the Serv-U port to hinder DoS attempts. Web Server/Application Logs: Review SolarWinds Serv-U access logs and error logs for entries immediately preceding a service crash or restart. Look for HTTP POST requests from suspicious IP addresses. Filter logs for occurrences of Content-Encoding: deflate within incoming request headers. While direct logging of full headers might vary by configuration, some logging mechanisms can capture this information. Look for abnormal process terminations or restart messages in system event logs or Serv-U specific logs. Endpoint Detection and Response (EDR) Systems: While available research does not detail specific EDR queries, general EDR monitoring for abnormal CPU usage, memory spikes, or unexpected process termination of the Serv-U application could indicate an ongoing DoS attack. Monitor for crash dumps or error reports generated by the Serv-U process. Security Information and Event Management (SIEM) Systems: Ingest logs from firewalls, NIDS/NIPS, and SolarWinds Serv-U application logs into a SIEM platform. Create correlation rules to alert on high volumes of Content-Encoding: deflate POST requests followed by Serv-U service outages or restarts. Establish baselines for normal Serv-U resource utilization and alert on significant deviations. Organizations should also verify the network exposure of their Serv-U instances. If a Serv-U instance is internet-exposed, detection and monitoring become even more critical due to the vulnerability's unauthenticated nature. Remediation Measures Addressing CVE-2026-28318 requires immediate action due to its active exploitation status. Organizations should prioritize patching and, where patching is not immediately feasible, implement the specified workarounds. Patching: The primary and most effective remediation is to upgrade SolarWinds Serv-U to version 15.5.4 HF1 or later. This version contains the necessary fix to prevent the uncontrolled resource consumption vulnerability triggered by specially crafted POST requests. Review the official SolarWinds security advisory for CVE-2026-28318 to ensure all prerequisites and post-installation steps for the patch are followed correctly. Workarounds and Mitigations: Limit Access to Known Addresses: Restrict network access to SolarWinds Serv-U to only trusted IP addresses or networks. This can be achieved through firewall rules, network access control lists (ACLs), or security group configurations. By limiting who can connect to the Serv-U instance, the attack surface for unauthenticated exploitation is significantly reduced. Block Requests Containing "Content-Encoding": Implement firewall or web application firewall (WAF) rules to block any HTTP POST requests that include the Content-Encoding header. The SolarWinds advisory indicates the vulnerable service does not require this functionality for legitimate operations. Care should be taken to ensure this rule does not inadvertently block other legitimate web services if the WAF covers more than just the Serv-U application. Disable Public Exposure: If SolarWinds Serv-U does not require internet exposure, remove it from public-facing networks. This reduces the risk surface to internal networks only. Monitoring: Following the implementation of patches or workarounds, maintain vigilant monitoring of SolarWinds Serv-U logs and system performance. Continuously observe for signs of attempted exploitation or abnormal service behavior to confirm the effectiveness of remediations. This includes monitoring for Serv-U process crashes, unusual resource consumption, and network traffic patterns consistent with the described attack. Organizations should develop an incident response plan for SolarWinds Serv-U instances, given the product's history of critical vulnerabilities, such as CVE-2025-26399. This ensures a coordinated and rapid response if a DoS event occurs despite remediation efforts. Technical Takeaways CVE-2026-28318 is a high-severity (CVSS 7.5) denial-of-service vulnerability affecting SolarWinds Serv-U. The flaw is caused by uncontrolled resource consumption from unauthenticated, specially crafted POST requests using Content-Encoding: deflate. CISA added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog, confirming active exploitation. The primary remediation is upgrading SolarWinds Serv-U to version 15.5.4 HF1. Effective mitigations include limiting network access to trusted IPs and blocking HTTP POST requests containing the Content-Encoding header via firewall or WAF rules. Continuous monitoring of network traffic and application logs for suspicious POST requests and service instabilities is crucial for detection. --- ## Medusa Locker Ransomware Claims Six New Victims - URL: https://purple-ops.io/blog/medusa-locker-ransomware-victims - Date: 2026-06-06 - Category: Ransomware Report - Tags: medusa-locker, ransomware, cybercrime, threat-activity, victim-count - Reading time: 5 min **Summary:** Medusa Locker ransomware leads recent cyber activity, claiming six new victims in Retail & Ecommerce, Transportation, and Legal services globally. Medusa Locker Ransomware Claims Six New Victims Statistical Overview Victim Totals This month: 144 This quarter: 1690 Year to date: 4315 Last 24h: 18 Quarterly Breakdown Q1: 2631 | Q2: 1690 | Q3: 0 | Q4: 0 Ransomware activity was moderate, with 18 new victims reported in the last 24 hours. The Q2 count of 1690 victims and year-to-date totals show global targeting continues. Introduction Ransomware groups posted 18 new victims on various leak sites in the past 24 hours. This shows a fragmented threat environment. Medusa Locker was the most active group, with six new incidents. Other groups included Anubis, CoinbaseCartel, INC_Ransom, and Krybit. Victim organizations were in sectors like Retail & Ecommerce, Transportation & Logistics, Construction & Engineering, Legal services, and Technology. Most targets were in the United States, with others across Brazil, China, India, Indonesia, and France. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1Medusa Locker6Académie de montpellier / csjm, Actionaid / tacosa, Baratai (+3)None, TanzaniaRetail & Ecommerce, Transportation & Logistics 2Anubis2D&m contractors, Jeffrey burrUnited States, United KingdomConstruction & Engineering, Legal 3CoinbaseCartel2Cambridge mobile telematic, Demand.ioUnited StatesTechnology / Software, Telecommunications 4INC Ransom2kelmreuter.com, obrieneng.comUnited StatesConstruction & Engineering, Legal 5Krybit2Huashan.com.cn, Schultz.com.brBrazil, ChinaHospitality & Travel, Manufacturing 6Nova (RALord)2Aspire hospital, Universitas nasionalIndonesia, IndiaHealthcare, Education 7LockBit1sandMauritiusHospitality & Travel 8Play News1Pearson fordUnited StatesAutomotive Medusa Locker was most active, affecting six organizations in Retail & Ecommerce and Transportation & Logistics. These included Académie de montpellier / csjm and Actionaid / tacosa, a non-profit. Multiple other groups, including Anubis, CoinbaseCartel, INC_Ransom, and Krybit, each claimed two new victims. Targets were spread geographically, affecting organizations in the United States, United Kingdom, Brazil, China, India, Indonesia, and France. Groups like CoinbaseCartel, whose activities have been tracked in earlier PurpleOps analyses on Q2 ransomware threats, focused on technology and telecommunications firms. Victim Distribution By Country United States: 7 Brazil: 2 None: 1 United Kingdom: 1 Tanzania: 1 Australia: 1 Mauritius: 1 Indonesia: 1 India: 1 France: 1 By Industry Legal Services: 2 IT Infrastructure Services: 1 Telematics: 1 None: 1 Engineering and Architecture: 1 E-Commerce and AI Technology: 1 Automobile Dealers: 1 Building and Mechanical Services: 1 Non-profit Organization Management: 1 Relocation and Moving Services: 1 The United States is a primary target for ransomware operators, accounting for over a third of new victims. However, the spread of victims from Tanzania to Brazil and India shows ransomware targets globally. Industry targeting is also broad, with legal services, technology, and engineering firms seeing activity, as did retail and logistics. Ransomware News Topline - No significant new ransomware news was collected from public sources during the analysis period. Campaigns & Operations - No new high-profile incidents or major actor announcements were reported, and no campaign shifts beyond observed victim postings. Vulnerabilities & TTPs - There were no new reports detailing exploitation of zero-day vulnerabilities or shifts in ransomware groups' tradecraft detected. Analyst Note - Without new external developments, monitoring ongoing ransomware activity on leak sites continues. Technical Takeaways Medusa Locker was the most active ransomware group, with six victims, mainly targeting Retail & Ecommerce and Transportation & Logistics. It remains a persistent threat, as detailed in PurpleOps real-time ransomware intelligence updates. Eight ransomware groups accounted for the 18 new victims, showing a fragmented threat environment. Geographic targeting was widespread. The United States was the most impacted country, followed by Brazil and other nations across Africa, Asia, and Europe. Industries affected included Legal Services, Construction & Engineering, Technology / Software, and Healthcare. This shows threat actors used a broad approach. Public service and non-profit organizations were among the victims, demonstrating that the impact extends beyond corporate entities. --- ## Miasma Worm Compromises 73 Microsoft GitHub Repos - URL: https://purple-ops.io/blog/miasma-worm-microsoft-github - Date: 2026-06-06 - Category: Threat Intelligence - Tags: miasma-worm, microsoft-github, supply-chain-attack, github-security, developer-credentials - Reading time: 5 min **Summary:** Miasma worm, a Mini Shai-Hulud variant, compromised 73 Microsoft GitHub repositories by stealing developer credentials in a sustained supply chain attack. Miasma Worm Compromises 73 Microsoft GitHub Repos A self-replicating worm, Miasma (a variant of the previously observed Mini Shai-Hulud worm), has recently compromised 73 Microsoft GitHub repositories across four of its organizations: Azure, Azure-Samples, Microsoft, and MicrosoftDocs. This incident escalates ongoing supply chain attacks by exploiting trusted mechanisms within open-source ecosystems to spread malicious code. GitHub has disabled access to the affected repositories as security researchers track the worm's changing tactics. The Miasma worm operates by stealing developer credentials and secrets, then using them to push malicious code to new packages and repositories, creating a persistent, self-propagating infection. This strategy allows the malware to bypass conventional defenses that rely on signature-based detection or trust in authenticated publishers. The attack demonstrates a significant vulnerability in the trust models supporting modern software development and delivery. The compromise of Microsoft's infrastructure shows how broad and adaptable this threat is, as the worm has demonstrated an ability to mutate and change its propagation tactics. The focus on developer tools and supply chains signals a targeted approach aimed at widespread impact by exploiting a single point of entry within the development pipeline. The ongoing nature of this campaign requires immediate, coordinated defensive measures across the software development community. How is the Miasma Worm Propagating in Microsoft's GitHub? The Miasma worm propagates by exploiting established trust relationships within software supply chains, notably within npm and PyPI registries and directly on GitHub repositories. Security researchers from OpenSourceMalware reported the compromise of 73 Microsoft GitHub repositories, affecting important projects such as Azure/azure-functions-host and various Durable Task ecosystem components. The worm's success lies in compromising legitimate developer credentials and then using those to perform actions indistinguishable from routine updates by authorized maintainers. The attack specifically targets developer environments by embedding malicious code in widely used packages and projects. When a developer clones an infected repository and opens it in an AI coding agent or executes standard development scripts, the payload detonates. This method avoids traditional vulnerability exploitation in platforms like GitHub or npm, instead focusing on the implicit trust associated with a package published by an authenticated maintainer. The initial compromise often involves stealing developer credentials and secrets. Subsequently, the worm pushes malicious updates to existing packages or creates new public repositories, often disguised with names such as "Miasma: The Spreading Blight" or "Hades - The End for the Damned." These repositories then serve as further infection vectors, demonstrating the worm's ability to spread rapidly across the open-source ecosystem. This self-replicating characteristic distinguishes Miasma from many other forms of malware, enabling it to rapidly expand its footprint. The Miasma campaign has evolved to skip the npm registry entirely in some instances. Threat actors have been observed directly pushing malicious code to source repositories like icflorescu/mantine-datatable and its related projects. The embedded payload runner is a 4.3 MB staged Bun loader, configured for automatic execution through popular developer tools. These tools include Claude Code, Gemini CLI, Cursor, VS Code, and the npm test script, showing a broad targeting of developer workflows. This approach transforms the GitHub source repository itself into a vector for persistence, rather than solely relying on registry poisoning. How are Adaptive AI Worms Predicted to Impact Enterprises? Adaptive, agentic AI worms are predicted to emerge as the next significant enterprise cyber threat within the next six months to a year, according to researchers from BeyondTrust. These advanced AI worms, metaphorically described as "viruses with wings and brains," are designed to be autonomous agents capable of rapidly self-propagating across diverse environments. Their primary mechanisms involve searching for zero-day vulnerabilities, exploiting known but unpatched software flaws, and discovering unprotected secrets in real-time. Researchers at the University of Toronto, the Canadian AI incubator Vector Institute, enterprise-software firm ServiceNow, and the University of Cambridge have developed a proof-of-concept (PoC) agentic AI worm to study this impending threat. This PoC can adapt to new environments, identify vulnerabilities, and generate custom exploitation programs on the fly. Unlike traditional worms that target specific, fixed vulnerabilities, these adaptive worms use a recursive reasoning loop to detect and exploit diverse weaknesses as they propagate, making them extremely difficult to stop through conventional patching methods alone. For more insight into how AI influences new exploit development, refer to our analysis on AI accelerates exploit development. The implications for enterprise security are substantial. Kinnaird McQuade, chief security architect at BeyondTrust, warned that such an attack would likely target developers and engineers who often possess broad access across various cloud environments, allowing the worm to pivot extensively. The potential for many companies to not recover from such an event shows how severe such an event could be. The challenge is compounded by the vast amount of software in use, creating an insurmountable patching issue even with advanced vulnerability-finding technologies. The development of these AI agents marks an evolutionary step in malware capabilities, moving beyond attackers simply using large language models (LLMs) for coding assistance or obfuscation during execution. The real-world PoC agents demonstrate a shift towards dynamic, goal-directed reasoning that can adapt to the unique vulnerabilities of each target system in real-time. This level of autonomy, driven by small, free AI models, enables the agents to use a system's own resources against itself to identify weaknesses and spread. Our research on Agentic AI Threats provides further context on this emerging danger. The historical precedent of academic research catalyzing malicious development, such as the SQL Slammer worm appearing five months after a paper on "flash worms," adds urgency to these predictions. While technical hurdles exist, such as the increased detectability of resource-intensive AI models on typical systems, the barrier to creating AI-powered worms is low. Defenses will need to emphasize hardening, enhanced visibility, strict least privilege principles, and aggressive auto-remediation actions to combat this changing threat environment. The foundational principles of zero-trust architectures and network micro-segmentation remain crucial for limiting lateral movement and propagation. Learn more about the broader security risks posed by Autonomous AI Agents in our dedicated blog post. What New Vulnerabilities Did AI Agents Uncover in FFmpeg and Chrome? An autonomous AI agent developed by security startup depthfirst recently discovered 21 previously unknown zero-day vulnerabilities in FFmpeg, the ubiquitous open-source multimedia framework. These bugs, primarily heap or stack overflows in parsers and demuxers, spanned components from the TS demuxer to the VP9 decoder, with some having been latent for as long as 23 years. The company identified nine specific CVEs, CVE-2026-39210 through CVE-2026-39218, noting that the remaining issues are fixed but awaiting identifiers. A proof-of-concept (PoC) for these vulnerabilities has also been publicly released. At the same time, Google released Chrome 149, addressing a record 429 security bugs in a single update. Over 100 of these vulnerabilities were classified as critical or high severity, predominantly use-after-free errors and insufficient input validation issues. The most severe flaw, CVE-2026-10881 (CVSS: 9.6), is an out-of-bounds read and write bug in the ANGLE graphics engine. This vulnerability could allow a crafted web page to escape the browser's sandbox and execute arbitrary code on the host system. Google awarded $97,000 for its discovery. While the majority of high-severity bugs in Chrome 149 were discovered internally by Google, the sheer volume of fixes points to an accelerating pace of vulnerability disclosure, partly influenced by AI. Google's recent bounty program overhaul, prompted by a flood of AI-generated submissions, reflects the increasing role of automated tools in uncovering vulnerabilities. Previous AI efforts, such as Google's Big Sleep agent and Anthropic's Mythos model, have also successfully identified numerous flaws in FFmpeg, including a 16-year-old H.264 flaw. The efficiency of AI in vulnerability discovery is also demonstrated by the recent finding of a two-year-old authenticated Remote Code Execution (RCE) flaw in Redis by another autonomous AI tool. A February study also demonstrated AI agents reproducing working PoCs for more than half of 100 real Linux kernel N-day bugs, surpassing the efficacy of traditional fuzzing techniques. This increasing pace of discovery necessitates shorter patch cycles, widespread auto-updates, and the prioritization of dependency bumps containing CVE fixes as critical security work. Which Threat Actors Are Exploiting the PAN-OS GlobalProtect Vulnerability? Unspecified threat actors are actively exploiting CVE-2026-0257 (CVSS: 7.8), an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect portal and gateway components. Palo Alto Networks confirmed active exploitation of this flaw on May 29, 2026, leading to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog. The vulnerability allows attackers to bypass security restrictions and establish unauthorized VPN connections, granting access to internal networks. The exploitation primarily impacts systems where GlobalProtect is enabled with authentication override cookies configured alongside specific certificate settings. In such configurations, threat actors can circumvent authentication controls and initiate VPN sessions without valid credentials. Rapid7 observed two distinct exploitation waves, both assessed as likely originating from a single threat actor due to consistent device identifiers. The first wave, on May 17, involved suspicious cookie authentication to local admin accounts, while the second, on May 21, resulted in VPN IP address assignments and subsequent internal network access. Panorama and Cloud Next-Generation Firewall (Cloud NGFW) deployments are not affected by this issue. However, numerous versions of PAN-OS across branches 12.1, 11.2, 11.1, and 10.2 are vulnerable, alongside specific Prisma Access versions. CISA has mandated that federal agencies remediate this vulnerability by June 1, 2026, because of the threat's serious nature. A publicly available Proof-of-Concept (PoC) script for CVE-2026-0257 has been developed by Rapid7 Labs. This script assists security teams in validating their exposure by simulating the authentication bypass under controlled conditions. Organizations using affected PAN-OS or Prisma Access deployments are advised to apply vendor-provided security patches immediately. As temporary mitigations, Palo Alto Networks recommends disabling the authentication override feature or generating a new certificate used exclusively for authentication override. Product/ComponentAffected VersionsUnaffected Versions Cloud NGFWNoneAll PAN-OS 12.1>= 12.1.4-h6, >= 12.1.7 PAN-OS 11.2>= 11.2.4-h17, >= 11.2.7-h14, >= 11.2.10-h7, >= 11.2.12 PAN-OS 11.1>= 11.1.4-h33, >= 11.1.6-h32, >= 11.1.7-h6, >= 11.1.10-h25, >= 11.1.13-h5, >= 11.1.15 PAN-OS 10.2>= 10.2.7-h34, >= 10.2.10-h36, >= 10.2.13-h21, >= 10.2.16-h7, >= 10.2.18-h6 Prisma Access 11.2.0>= 11.2.7-h13* Prisma Access 10.2.0>= 10.2.10-h36* Are US Gas Station Tank Gauge Systems Under Active Attack? Yes, over 900 automatic tank gauge (ATG) systems across the United States are exposed online and are subject to ongoing attacks, according to a joint advisory from CISA, the FBI, the NSA, and the Department of Energy. These systems, important for monitoring fuel and chemical storage tanks, are found in various critical infrastructure sectors, including gas stations and industrial facilities. Shadowserver reported 909 exposed ATG devices in the United States alone out of over 1,000 globally. Threat actors are targeting these internet-exposed ATG systems to alter system settings through command execution attacks. The attacks use various security flaws, including hardcoded credentials, authentication bypasses, SQL injection vulnerabilities, OS command execution flaws, and privilege escalation weaknesses. While the U.S. government has not yet attributed the recent malicious cyber activity to a specific nation-state or threat actor group, CNN previously reported that Iranian hackers had breached similar systems, manipulating display readings at multiple gas stations. Successful compromises enable attackers to disable system alerts, which could increase the risk of leaks or equipment failures and potentially cause permanent damage to the targeted tank systems. Although previous incidents primarily involved manipulating display readings rather than altering actual fuel levels, the potential for hindering automated fuel leak detection and other safety functions is a significant concern. The targeting of industrial control systems by Iranian state-backed hackers has also been noted in other advisories, impacting devices like Rockwell Automation/Allen-Bradley PLCs. Critical infrastructure organizations are advised to take immediate action to secure these systems. Key recommendations include restricting remote access to ATG systems from the internet, implementing controlled access through firewalls, VPNs, access control lists, and segmenting networks. Organizations should also replace default passwords with strong, unique credentials, apply all available security updates, monitor systems for unauthorized changes, and deploy multi-factor authentication where feasible. Technical Takeaways The Miasma worm compromises software supply chains by stealing developer credentials and pushing malicious code to 73 Microsoft GitHub repositories, showing how it evades trust models. AI agents are accelerating vulnerability discovery, with depthfirst finding 21 zero-days in FFmpeg and Chrome 149 patching a record 429 bugs, including a severe sandbox escape (CVE-2026-10881). The widespread adoption of AI in both offensive and defensive cybersecurity requires a quick shift towards shorter patch cycles, automated updates, and treating dependency updates with CVE fixes as high-priority security tasks. Active exploitation of Palo Alto Networks PAN-OS GlobalProtect vulnerability CVE-2026-0257 allows authentication bypass and unauthorized VPN access, showing the importance of immediate patching and strict access controls for network perimeter devices. Over 900 US-based Automatic Tank Gauge (ATG) systems remain exposed and under ongoing attack, showing critical infrastructure is vulnerable to simple exploitation methods like weak credentials and inadequate network segmentation, which risks physical system integrity. --- ## Palo Alto GlobalProtect CVE-2026-0257 (CVSS 7.8) Bypass - URL: https://purple-ops.io/blog/palo-alto-globalprotect-cve-2026-0257 - Date: 2026-06-06 - Category: CVE Analysis - Tags: palo-alto, globalprotect, cve-2026-0257, authentication-bypass, kev-catalog - Reading time: 5 min | CVSS: 7.8 **Summary:** Palo Alto Networks GlobalProtect CVE-2026-0257, an authentication bypass vulnerability (CVSS 7.8), is actively exploited, granting unauthorized VPN access. Palo Alto GlobalProtect CVE-2026-0257 (CVSS 7.8) Bypass Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, an authentication bypass vulnerability affecting its PAN-OS GlobalProtect portal and gateway components. This vulnerability, assigned a CVSS score of 7.8, allows unauthenticated attackers to bypass security controls and establish unauthorized VPN connections. The vulnerability stems from improper handling of authentication override cookies when specific certificate settings are configured. Since its initial advisory on May 13th, 2026, Palo Alto Networks updated its guidance on May 29th, 2026, to acknowledge observed limited exploit attempts in the wild. In response to confirmed active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29th, 2026. This mandates federal agencies to remediate the flaw by June 1st, 2026. This action demonstrates the immediate security risk this vulnerability presents to both government and private sector organizations. Impact Attackers exploiting CVE-2026-0257 can bypass authentication mechanisms within Palo Alto Networks PAN-OS GlobalProtect portal and gateway components, enabling unauthorized access to internal networks. This vulnerability primarily affects organizations using vulnerable PAN-OS or Prisma Access deployments with specific GlobalProtect configurations. Successful exploitation of CVE-2026-0257 allows a threat actor to establish an unauthenticated VPN session. This grants access to resources behind the firewall, effectively circumventing network perimeter defenses. The CVSS score of 7.8 reflects the potential for impact, given the network access it provides without requiring user interaction or prior authentication. Organizations with remotely accessible GlobalProtect deployments are particularly vulnerable, as these services are often exposed to the internet. Compromising such an entry point can lead to further lateral movement, data exfiltration, or the deployment of additional malicious payloads within the targeted network. Given the widespread use of Palo Alto Networks GlobalProtect for remote access, the vulnerability affects a broad range of industries and government entities. CISA's inclusion of CVE-2026-0257 in its KEV catalog shows the severity and immediate threat of this vulnerability. This categorization indicates that threat actors have actively used the flaw, presenting a risk to federal and private sector networks alike. An attacker's ability to establish an unauthorized VPN connection directly compromises the integrity and confidentiality of internal systems, making it a priority threat. How is CVE-2026-0257 exploited? CVE-2026-0257 is an authentication bypass vulnerability within Palo Alto Networks PAN-OS GlobalProtect portal and gateway components, specifically targeting configurations involving authentication override cookies and particular certificate settings. The attack vector involves sending specially crafted requests that manipulate these components to achieve unauthorized access. The preconditions for successful exploitation include having GlobalProtect enabled on the PAN-OS device, with authentication override cookies configured, and specific certificate settings in place. When these conditions are met, attackers can bypass the legitimate authentication process. This allows them to create a VPN session without providing valid user credentials, effectively gaining an unauthorized foothold within the network. Rapid7 researchers identified two distinct waves of exploitation attempts. The first wave, observed on May 17th, 2026, involved suspicious cookie authentication targeting local administrative accounts across various customer environments. This initial activity suggested reconnaissance or credential validation attempts. A second wave of exploitation was identified on May 21st, 2026. During this phase, attackers successfully used cookie authentication to obtain VPN Internet Protocol (IP) addresses, granting them direct access to internal networks. Both exploitation waves are believed to originate from a single threat actor due to consistent device identifiers used in the attacks. A public Proof-of-Concept (PoC) script for CVE-2026-0257 has been developed by Rapid7 Labs and published on GitHub. This PoC allows security teams to safely test their PAN-OS GlobalProtect appliances for vulnerability by simulating the authentication bypass condition. The existence of a public PoC lowers the barrier to entry for potential attackers, increasing the likelihood of widespread exploitation. This scenario aligns with our prior analysis of CVE-2026-0257 and GlobalProtect bypass vulnerability, showing recurring patterns in network perimeter bypass attacks. Affected Products and Versions This section outlines the specific Palo Alto Networks products and PAN-OS versions that are susceptible to CVE-2026-0257. Organizations must review their deployed versions against this list to determine their exposure. The vulnerability affects GlobalProtect portal and gateway components when configured with authentication override cookies and certain certificate settings. Affected Products and Version Ranges The following Palo Alto Networks PAN-OS and Prisma Access versions are impacted by CVE-2026-0257: PAN-OS 12.1: Versions earlier than 12.1.4-h6 Versions earlier than 12.1.7 PAN-OS 11.2: Versions earlier than 11.2.4-h17 Versions earlier than 11.2.7-h14 Versions earlier than 11.2.10-h7 Versions earlier than 11.2.12 PAN-OS 11.1: Versions earlier than 11.1.4-h33 Versions earlier than 11.1.6-h32 Versions earlier than 11.1.7-h6 Versions earlier than 11.1.10-h25 Versions earlier than 11.1.13-h5 Versions earlier than 11.1.15 PAN-OS 10.2: Versions earlier than 10.2.7-h34 Versions earlier than 10.2.10-h36 Versions earlier than 10.2.13-h21 Versions earlier than 10.2.16-h7 Versions earlier than 10.2.18-h6 Prisma Access 11.2.0: Versions earlier than 11.2.7-h13* Prisma Access 10.2.0: Versions earlier than 10.2.10-h36* Cloud NGFW is not affected by this vulnerability. Panorama is also not affected. Organizations should specifically check their GlobalProtect configurations to ascertain the presence of authentication override cookies and relevant certificate settings, as these are key preconditions for exploitation. Unaffected Products and Version Ranges The following Palo Alto Networks products and PAN-OS versions are not affected or have received patches addressing CVE-2026-0257: Cloud NGFW: All versions Panorama: All versions PAN-OS 12.1: Versions 12.1.4-h6 and later Versions 12.1.7 and later PAN-OS 11.2: Versions 11.2.4-h17 and later Versions 11.2.7-h14 and later Versions 11.2.10-h7 and later Versions 11.2.12 and later PAN-OS 11.1: Versions 11.1.4-h33 and later Versions 11.1.6-h32 and later Versions 11.1.7-h6 and later Versions 11.1.10-h25 and later Versions 11.1.13-h5 and later Versions 11.1.15 and later PAN-OS 10.2: Versions 10.2.7-h34 and later Versions 10.2.10-h36 and later Versions 10.2.13-h21 and later Versions 10.2.16-h7 and later Versions 10.2.18-h6 and later Prisma Access 11.2.0: Versions 11.2.7-h13* and later Prisma Access 10.2.0: Versions 10.2.10-h36* and later Note: The asterisk on Prisma Access versions indicates a specific patch within the broader version release. Detection Detecting exploitation attempts for CVE-2026-0257 requires several methods, focusing on network traffic analysis and log review. The objective is to identify anomalous VPN connections or authentication bypass indicators. Network Monitoring: Monitor GlobalProtect portal and gateway logs for unusual authentication patterns, especially attempts using authentication override cookies from unfamiliar IP addresses or at unusual times. Look for unexpected VPN connection establishments from unauthenticated sources. Indicators may include successful VPN connections without preceding successful user authentication events. Alert on connections that bypass expected multi-factor authentication (MFA) or other typical security checks. The PurpleOps team has previously detailed how to identify suspicious activity related to this type of vulnerability in our post about Palo Alto GlobalProtect CVE-2026-0257. Endpoint Detection and Response (EDR) Queries: Once an unauthorized VPN connection is established, an attacker may attempt to move laterally or execute commands on internal systems. Monitor endpoints for: Unusual process creation, especially from the IP address assigned to the unauthorized VPN session. Anomalous network connections originating from systems that typically do not initiate outbound traffic. Privilege escalation attempts or suspicious account activity. Log Analysis: Review Palo Alto Networks PAN-OS system logs, specifically those related to GlobalProtect authentication and VPN session establishment. Search for authentication override events that are not correlated with legitimate administrative actions or expected system behavior. Investigate any sudden increases in failed or successful authentication attempts on GlobalProtect interfaces that deviate from baselines. eSentire's Threat Response Unit (TRU) has developed specific threat detections within their MDR for Network service for CVE-2026-0257. They are also evaluating additional threat detection capabilities within their MDR for Log service. eSentire Managed Vulnerability Service (MVS) has integrated plugins to identify devices vulnerable to CVE-2026-0257. Organizations using MVS should use this capability to scan their environment. TRU has also conducted threat hunts within MDR for Log to identify known Indicators of Compromise (IOCs) associated with this exploitation. Security teams should replicate similar hunting activities within their own environments, focusing on the attack patterns identified by Rapid7. Vulnerability Scanning: Use vulnerability scanners with updated signatures to identify unpatched Palo Alto Networks PAN-OS devices. The public Proof-of-Concept (PoC) from Rapid7 Labs (sfewer-r7/CVE-2026-0257 on GitHub) can be used to safely validate whether GlobalProtect appliances are vulnerable under controlled conditions. This helps in identifying exposed systems before malicious actors exploit them. Remediation Addressing CVE-2026-0257 requires immediate action, prioritizing patching and implementing temporary mitigations where patching is not immediately feasible. Patching: Apply the vendor-provided security patches immediately. Palo Alto Networks has released updated PAN-OS versions that resolve the CVE-2026-0257 vulnerability. The specific patched versions are: PAN-OS 12.1: Update to 12.1.4-h6 or later, or 12.1.7 or later. PAN-OS 11.2: Update to 11.2.4-h17 or later, 11.2.7-h14 or later, 11.2.10-h7 or later, or 11.2.12 or later. PAN-OS 11.1: Update to 11.1.4-h33 or later, 11.1.6-h32 or later, 11.1.7-h6 or later, 11.1.10-h25 or later, 11.1.13-h5 or later, or 11.1.15 or later. PAN-OS 10.2: Update to 10.2.7-h34 or later, 10.2.10-h36 or later, 10.2.13-h21 or later, 10.2.16-h7 or later, or 10.2.18-h6 or later. Prisma Access 11.2.0: Update to 11.2.7-h13* or later. Prisma Access 10.2.0: Update to 10.2.10-h36* or later. Organizations operating on affected versions should prioritize applying these updates after conducting a full business impact review. This is the most complete and recommended remediation. As detailed in our analysis of Palo Alto PAN-OS CVE-2026, timely patching is important for vulnerabilities affecting network perimeters. Workarounds and Mitigations (Temporary): If immediate patching is not feasible, Palo Alto Networks recommends two primary temporary mitigations: Disable Authentication Override: If the authentication override feature is not essential for business operations, disable it entirely within the GlobalProtect configuration. This removes the specific mechanism exploited by CVE-2026-0257. Generate New Certificate: Alternatively, generate and configure a new certificate that is used exclusively for the authentication override feature. This measure helps to invalidate any potentially compromised or default certificates being used by attackers. These temporary mitigations reduce the attack surface by altering the vulnerable configuration but do not fully resolve the flaw. They should be implemented as interim steps while preparing for full patching. Monitoring: Monitor GlobalProtect logs for any signs of unauthorized access attempts or successful bypasses, even after applying patches or mitigations. This includes monitoring for the indicators described in the Detection section. Conduct internal threat hunts to identify any lingering compromise from pre-patch exploitation attempts. Technical Takeaways CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect portal and gateway components, assigned a CVSS score of 7.8. The vulnerability is actively exploited in the wild, as confirmed by Palo Alto Networks on May 29th, 2026, and its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation preconditions involve GlobalProtect enabled with authentication override cookies and specific certificate settings. Successful attacks enable unauthorized VPN connections to internal networks. Affected versions span PAN-OS 12.1, 11.2, 11.1, 10.2, and Prisma Access 11.2.0 and 10.2.0. Cloud NGFW and Panorama are not affected. Remediation requires applying specific PAN-OS hotfix versions or later. Temporary mitigations include disabling authentication override or configuring a dedicated certificate for this feature. A public Proof-of-Concept (PoC) exists, increasing the risk of widespread exploitation by a broader range of threat actors. --- ## Qilin Ransomware Hits 9 Healthcare Victims in 24 Hours - URL: https://purple-ops.io/blog/qilin-ransomware-healthcare-activity - Date: 2026-06-05 - Category: Ransomware Report - Tags: none - Reading time: 5 min **Summary:** Qilin ransomware continues to dominate, adding 9 new victims in the last 24 hours with a significant focus on the healthcare sector. Qilin Ransomware Activity Dominates Healthcare Statistical Overview Victim Totals This month: 126 This quarter: 1672 Year to date: 4297 Last 24h: 27 Quarterly Breakdown Q1: 2631 | Q2: 1672 | Q3: 0 | Q4: 0 While quarterly totals show a decrease from Q1, the consistent emergence of new victims indicates ongoing threat actor activity, particularly from Qilin, Play News, and Akira. Ransomware operations continue to impact many sectors globally. Introduction Twenty-seven new ransomware victims were disclosed in the last 24 hours. Qilin was the most active group, responsible for nine of these new listings. Other groups that added victims include Play News with four, and Akira and World_Leaks each with three. Healthcare, automotive, and the public sector were the primary targets, and the United States remained the most affected geography. Further analysis on Qilin's activities can be found in our detailed Qilin ransomware update. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1Qilin9Avcon jet, Central florida cosmetic & family dentistry, Interspa betriebsverwaltungsgesellschaft (+6)Germany, AustriaHealthcare, Hospitality & Travel 2Play News4Corley mfg, Dallis law firm, The chapel (+1)United StatesNonprofit, Legal 3Akira3Kennon worldwide, Oaks park, T/cci manufacturingUnited States, NoneAutomotive, Hospitality & Travel 4World Leaks3Access dental, Ch karnchang public, United auto supplyUnited States, ThailandHealthcare, Automotive 5LockBit2sierravistahospital.com, wessels.groupUnited States, NetherlandsHealthcare, Transportation & Logistics 6NightSpire2First mutual holdings, Krum public libraryUnited States, ZimbabweGovernment / Public Sector, Financial Services 7AiLock1Groupe sécurité clbCanadaGovernment / Public Sector 8DragonForce1Reha-activGermanyHealthcare 9INC Ransom1Stuga MachineryUnited KingdomManufacturing 10Securotop1Kriete truck centersUnited StatesTransportation & Logistics Qilin led in new victim disclosures, focusing on healthcare and hospitality. Targets include Central Florida Cosmetic & Family Dentistry by Qilin, sierravistahospital.com by LockBit, and Access Dental by World_Leaks, showing a continued emphasis on the healthcare sector. The Krum Public Library, listed under NightSpire, is also a critical public sector target. Insights into Akira's campaigns are available in our Akira ransomware intelligence, and World_Leaks's activities are detailed in our active ransomware groups report. Victim Distribution By Country United States: 15 Canada: 3 Germany: 2 Zimbabwe: 1 Austria: 1 United Kingdom: 1 Thailand: 1 Slovenia: 1 None: 1 Netherlands: 1 By Industry Behavioral Health Services: 1 Financial Services: 1 Truck Transportation: 1 Religious Institutions: 1 Public Library: 1 Motor Vehicle Parts Manufacturing: 1 Medical Practice: 1 Law Firms & Legal Services: 1 Industrial Machinery & Equipment: 1 Healthcare: 1 The United States remains the most targeted country by a wide margin because of its large economic footprint and diverse digital infrastructure. Industry targeting shows a fragmented distribution, with healthcare-related entities, automotive, and public sector organizations often appearing among the affected. Ransomware News Topline Ransomware developments include both proactive law enforcement actions against criminal infrastructure and ongoing attacks by established and new threat groups targeting diverse sectors. Campaigns & Operations The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is known for its data-theft driven extortion model. It employs a fast-flux DNS botnet to conceal its infrastructure and primarily targets data-rich sectors such as law firms. Separately, the Karl Auto Group experienced a cyberattack that disrupted its Iowa dealerships. RansomHouse claimed responsibility for encrypting Karl Chevrolet systems and potentially exposing sensitive customer data. The Krum Public Library in Texas reported a ransomware incident that disrupted its computer services, leading to an extortion demand and forensic investigation. Vulnerabilities & TTPs SRG's operational security relies on a fast-flux DNS botnet that rotates multiple A-record IPs via public resolvers tied to residential ISPs, using ECS spoofing to mask geographic diversity. In a law enforcement action, a global operation led by the Netherlands and France, with Europol and Eurojust, dismantled First VPN. This Russian-language service provided anonymized infrastructure for ransomware operators, and the operation seized 33 servers and took down associated domains. Technical Takeaways Qilin is currently the most active ransomware group, frequently targeting the healthcare sector. The United States remains the primary geographical target for ransomware operations. At least ten distinct ransomware groups disclosed victims. Tradecraft, such as the Silent Ransom Group's fast-flux DNS botnet, continues to be employed by threat actors. International law enforcement efforts are disrupting critical services, like First VPN, used by ransomware operators for operational security. --- ## Cisco SD-WAN CVE-2026-20245 Critical Root RCE - URL: https://purple-ops.io/blog/cisco-sd-wan-cve-2026-20245 - Date: 2026-06-05 - Category: CVE Analysis - Tags: cisco-sd-wan, cve-2026-20245, rce, command-injection, zero-day - Reading time: 5 min **Summary:** Cisco Catalyst SD-WAN Manager CVE-2026-20245 enables authenticated root RCE via command injection, actively exploited in the wild. Cisco SD-WAN CVE-2026-20245 Critical Root RCE Cisco has issued a critical security warning concerning Cisco Catalyst SD-WAN Manager, formerly known as SD-WAN vManage, which has a severe command injection vulnerability tracked as CVE-2026-20245. This flaw results from insufficient validation of file transfer payloads, permitting an authenticated local attacker with netadmin privileges to execute arbitrary commands as root on the affected system. The vulnerability directly impacts the product's command-line interface (CLI). While a specific numerical CVSS score for CVE-2026-20245 has not been publicly detailed, the vulnerability is classified as critical due to its potential for full root privilege escalation and its active exploitation in the wild. Cisco's Product Security Incident Response Team (PSIRT) confirmed observing exploitation of this vulnerability in June 2026. This active exploitation has led to observed configuration changes on connected edge devices, which poses an immediate risk to enterprise networks. The active exploitation of this zero-day vulnerability requires immediate attention from network administrators and security personnel. Its active exploitation, coupled with the potential for root remote code execution (RCE), necessitates prompt isolation measures and adherence to vendor guidance to mitigate the threat to corporate data centers and network perimeters. The requirement for authenticated access and netadmin privileges is a significant precondition, but the severity of the outcome mandates urgent action. What is CVE-2026-20245 and why is it critical? The CVE-2026-20245 vulnerability is a critical command injection flaw impacting the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager, a centralized orchestration software formerly known as SD-WAN vManage. It permits an authenticated local attacker, holding netadmin privileges, to execute arbitrary commands with root privileges on the affected system. This level of access grants complete control over the compromised device. CVE-2026-20245 is critical for several reasons. Firstly, command injection vulnerabilities enable attackers to bypass security controls by injecting malicious system commands into an application's input, which the application then executes. In this specific instance, the vulnerability arises from "poor validation of file transfer payloads." The system incorrectly processes user-supplied files, which allows embedded commands to run. Secondly, achieving "full root privileges" is the highest level of authorization on a Linux-based system, which is typically the underlying operating system for such network appliances. An attacker with root access can install persistent backdoors, manipulate system configurations, exfiltrate sensitive data, and gain complete control over the network orchestration functions. This can lead to a full network takeover, impacting the integrity, confidentiality, availability, and security of an entire corporate network. The third critical factor is the confirmed active exploitation of this zero-day vulnerability in the wild. Cisco PSIRT became aware of exploitation in June 2026. Threat actors are actively using this flaw. Observed outcomes include "configuration change pushed to edge devices," which signifies direct manipulation of the network's operational components through the compromised SD-WAN Manager. Such unauthorized changes can disrupt services, re-route traffic, facilitate further compromise, or establish persistent access within the network perimeter. The centralized nature of SD-WAN Manager platforms means a compromise here can have wide-reaching effects across an organization's distributed network environment. How is CVE-2026-20245 exploited? Exploitation of CVE-2026-20245 commences through an authenticated session within the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager. The underlying mechanism for the attack is a command injection flaw facilitated by "insufficient validation of file transfer payloads." This means that when a user uploads a file to the system, the SD-WAN Manager's CLI does not properly sanitize or validate the content of this file, allowing an attacker to embed and execute arbitrary operating system commands. A critical precondition for this exploitation is that the attacker must possess "netadmin privileges" on the affected system. The netadmin role typically grants extensive administrative capabilities over network configurations and operations but generally stops short of full root-level access. The vulnerability allows an attacker to raise these netadmin privileges to full root privileges, thus overcoming this security boundary. To achieve the necessary netadmin privileges, an attacker might use other vulnerabilities. For example, chaining this bug with another flaw like CVE-2026-20182 could provide the initial netadmin access required to then exploit CVE-2026-20245 for root RCE. Our prior analysis of CVE-2026-20182 detailed a similar critical SD-WAN zero-day with maximum severity, which shows the potential for multi-stage attacks targeting these platforms. This indicates a broader trend of sophisticated attacks targeting network orchestration layers. Once the attacker has authenticated access with netadmin privileges, they can then upload a specifically crafted malicious file. This file contains the embedded commands designed to execute with root privileges due to the poor validation logic. The execution of these commands allows the attacker to gain full control over the Cisco Catalyst SD-WAN Manager instance. The Cisco Product Security Incident Response Team (PSIRT) confirmed observing exploitation in June 2026; this attack vector is actively being used by malicious actors in real-world scenarios. This active exploitation has resulted in unauthorized "configuration change pushed to edge devices," and demonstrates direct impact on network operations and security. This incident shows the continuous threat posed by zero-day vulnerabilities in critical infrastructure components, as previously explored in our discussion on Cisco SD-WAN zero-day threats. These platforms, by their nature, manage vast portions of an enterprise network. They are high-value targets for adversaries seeking broad network control. The ability to push configuration changes to edge devices from a compromised SD-WAN Manager can lead to widespread network disruption, data exfiltration, or the establishment of persistent access across the network. Affected products and versions The CVE-2026-20245 vulnerability specifically impacts the Cisco Catalyst SD-WAN Manager platform. The advisory from Cisco identifies the affected product as follows: Cisco Catalyst SD-WAN Manager (formerly known as SD-WAN vManage) At the time of the advisory, specific version ranges or build numbers for the affected software were not publicly detailed. Therefore, all deployments of Cisco Catalyst SD-WAN Manager should be considered potentially vulnerable unless explicit patching guidance from the vendor indicates otherwise. Organizations are advised to consult official Cisco security advisories directly for the most current and specific information regarding affected versions and any applicable patch releases. Detection Detecting exploitation of CVE-2026-20245 requires thorough log auditing and monitoring for anomalous activities within the Cisco Catalyst SD-WAN Manager environment and its managed devices. Given the nature of a command injection flaw which leads to root privilege escalation, the focus should be on identifying unexpected command execution, unusual file modifications, unauthorized configuration changes, and suspicious process activity. Concrete detection guidance includes: Log Auditing: Inspect scripts.log Path: System administrators should regularly inspect the scripts.log path on the Cisco Catalyst SD-WAN Manager for "unusual text entries" or indications of "unauthorized background script executions." Look for: Execution of commands or scripts that are not part of legitimate administrative tasks or automated processes. Unusual arguments passed to legitimate system utilities (e.g., bash, sh, python). Unexpected users or processes initiating script executions, especially those that appear to be running with elevated privileges (root). Timestamps of log entries that do not align with scheduled maintenance or known administrative activity. System Logs: Review general system logs (syslog, auth.log, etc.) for signs of privilege escalation, unexpected user sessions (especially root sessions), failed authentication attempts, or unusual process starts. Application Logs: Monitor Cisco Catalyst SD-WAN Manager application-specific logs for any errors related to file transfer validation, unexpected file uploads, unusual CLI commands, or authentication failures. Endpoint Detection and Response (EDR) Queries (if applicable to the underlying OS): Process Monitoring: Query for unexpected child processes spawned by the Cisco Catalyst SD-WAN Manager CLI or related management binaries. Look for process trees that diverge from normal operation. File System Monitoring: Detect suspicious file creations, modifications, deletions, or permission changes in unusual directories (e.g., /tmp, /var/tmp) or changes to critical system binaries or configuration files. User Behavior Analytics: Identify anomalous behavior by netadmin accounts, such as logging in from unusual IP addresses, accessing resources outside their normal scope, executing commands typically reserved for root, or unusual login times. Network Indicators: Anomalous Traffic: Monitor network traffic originating from the Cisco Catalyst SD-WAN Manager appliance for suspicious outbound connections (e.g., to unknown external IP addresses or command-and-control servers), unusual protocols, excessive data transfer volumes, or unencrypted sensitive data transfers. Configuration Change Alerts: Configure alerts for any unauthorized or unscheduled configuration changes pushed from the SD-WAN Manager to managed edge devices. This can include changes to routing policies, firewall rules, VPN settings, or access control lists. These changes were explicitly observed during in-the-wild exploitation. VPN Session Monitoring: Observe for unauthorized VPN connections initiated or managed by the SD-WAN Manager, especially if these connections target unexpected internal network segments or external entities. The key to effective detection lies in establishing a baseline of normal behavior for the SD-WAN Manager environment and actively monitoring for deviations. Any unusual activity, particularly involving root-level command execution or configuration manipulation, warrants immediate investigation. Remediation Remediation for CVE-2026-20245 presents immediate challenges as "standard software patches are not yet available from the vendor." This necessitates a proactive and direct engagement approach with Cisco and the implementation of strong interim mitigation strategies. The primary steps for remediation and mitigation are: Vendor Engagement for Custom Workarounds: Organizations "must engage directly with the technical assistance center to obtain custom isolation workarounds." Given the zero-day status and active exploitation, Cisco's Technical Assistance Center (TAC) is the authoritative source for specific, verified mitigations tailored to your deployment. These workarounds are critical until official patches are released. Regularly check Cisco's official security advisories and support channels for updates on patch availability and detailed remediation instructions. Proactive Isolation Steps and Mitigation: Restrict Management Interface Access: Implement strict network access controls to the Cisco Catalyst SD-WAN Manager's management interfaces. This includes restricting access to a limited set of trusted administrative IP addresses and utilizing multi-factor authentication for all administrative accounts. Network Segmentation: Isolate the Cisco Catalyst SD-WAN Manager within a dedicated management network segment, with minimal and strictly controlled connectivity to other network segments. This limits an attacker's lateral movement capability if the manager is compromised. Least Privilege Principle: Ensure that all administrative accounts, especially those with netadmin privileges, operate under the principle of least privilege. Regularly review and revoke any unnecessary permissions. Enhanced Monitoring: Implement the detection measures outlined previously, focusing on continuous monitoring of scripts.log, system logs, and network traffic for any indicators of compromise. Rapid detection is crucial in the absence of a patch. Backup and Recovery: Ensure up-to-date and verified backups of Cisco Catalyst SD-WAN Manager configurations and system images are available. In the event of a successful compromise, a clean restore may be necessary. Review Chaining Vulnerabilities: Given that CVE-2026-20245 can be chained with other vulnerabilities like CVE-2026-20182 for initial access, ensure that any other known vulnerabilities in Cisco SD-WAN Manager components are also addressed or mitigated to prevent an attacker from gaining the prerequisite netadmin privileges. Until definitive patches are provided, a layered defense strategy focusing on restricted access, network segmentation, continuous monitoring, and direct communication with Cisco is necessary to protect against the active exploitation of CVE-2026-20245. Technical Takeaways CVE-2026-20245 is a critical command injection vulnerability in Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage). The flaw enables an authenticated local attacker with netadmin privileges to execute arbitrary commands as root due to insufficient validation of file transfer payloads. Cisco's PSIRT confirmed active exploitation of this zero-day vulnerability in the wild as of June 2026, leading to unauthorized configuration changes on edge devices. No standard software patches are publicly available; organizations must contact Cisco's technical assistance center for custom isolation workarounds. Exploitation can be facilitated by chaining with other vulnerabilities, such as CVE-2026-20182, to achieve the required netadmin privileges. Detection efforts should focus on auditing scripts.log for unusual entries, monitoring for unexpected root command executions, identifying anomalous network traffic or configuration changes, and tracking suspicious process activity. --- ## Miasma Phantom Gyp Worm Targets npm Supply Chain 2026 - URL: https://purple-ops.io/blog/miasma-phantom-gyp-supply-chain - Date: 2026-06-05 - Category: Threat Intelligence - Tags: none - Reading time: 8 min **Summary:** Miasma's Phantom Gyp worm exploits the npm supply chain via binding.gyp files, stealing credentials and achieving widespread propagation. Miasma Phantom Gyp Worm Hits npm Supply Chain This week, a supply chain attack, named "Miasma," spread through the npm registry. Concurrently, a zero-day in Cisco SD-WAN environments was exploited. This "Miasma" campaign, a descendant of the "Shai-Hulud" worm family and meticulously tracked by Snyk as the Node-gyp Supply Chain Compromise - June 2026, uses a new "Phantom Gyp" technique for code execution during npm install. By weaponizing binding.gyp files, it bypasses traditional script-focused security controls. The attack has impacted 57 distinct npm packages and hundreds of their malicious versions, including high-traffic targets like @vapi-ai/server-sdk, which logs approximately 86,500 weekly downloads, and ai-sdk-ollama, with around 36,900 weekly downloads. Its primary objective is extensive credential theft across npm, GitHub, AWS, GCP, Azure, HashiCorp Vault, and Kubernetes, coupled with self-propagation across npm and RubyGems ecosystems. This incident shows an increase in software supply chain threats, using complex evasion and persistence mechanisms. Cisco also issued a warning about CVE-2026-20245, a high-severity, unpatched zero-day in its Cisco Catalyst SD-WAN Manager, actively exploited for root privilege escalation. These varied, impactful incidents, spanning from important developer environments to government and humanitarian organizations, demonstrate the persistent and varied nature of current cyber threats across diverse sectors. How does the "Phantom Gyp" technique enable code execution? The "Phantom Gyp" technique, central to the Miasma supply chain worm, enables arbitrary code execution during npm install by exploiting binding.gyp files, without relying on preinstall or postinstall lifecycle scripts. This method exploits node-gyp, which npm invokes for native C/C++ addons, a process often overlooked by script-focused security tooling. The attack uses GYP's command expansion syntax, , which executes embedded shell commands during the build configuration phase. Compromised packages like @vapi-ai/server-sdk@1.2.2 and autotel@3.4.3 shipped a 157-byte binding.gyp containing /dev/null 2>&1 && echo stub.c). This command executes node index.js during node-gyp's configuration, with "type": "none" preventing actual compilation and ensuring the command's side effect is the sole objective. The index.js file is a 4.5 MB obfuscated loader, initially decrypted via ROT-14 Caesar cipher and AES-128-GCM. It then downloads a standalone Bun v1.3.13 binary from oven-sh/bun releases, executing a ~649 KB stealer payload under this new binary. This Bun execution evades Node.js-scoped monitoring. The payload harvests credentials from developer and CI/CD environments, targeting: AWS: aws_access_key_id / aws_secret_access_key, and IMDSv2 metadata endpoint. GCP: GOOGLE_APPLICATION_CREDENTIALS and service account keys. Azure: managed identity tokens via IMDS. GitHub Actions: ACTIONS_ID_TOKEN_REQUEST_TOKEN plus runner process memory scraping for masked secrets. HashiCorp Vault and Kubernetes: service account tokens from standard paths. Password managers: 1Password, pass, and gopass. Exfiltration occurs through attacker-controlled GitHub repositories, notably linked to the GitHub account liuende501, which maintains over 300 public repositories used as dead drops. This method blends malicious traffic with legitimate GitHub activity. How does the Miasma worm propagate across ecosystems? The Miasma worm is designed for self-propagation across multiple software ecosystems, demonstrating a varied approach to achieve widespread compromise. The npm worm component enumerates a compromised maintainer's packages via registry.npmjs.org/-/v1/search, injects the malicious binding.gyp and index.js files, and republishes the infected versions. A key characteristic is the forging of Sigstore provenance attestations through Fulcio and Rekor, making reinfected packages appear legitimately signed and aiding evasion. Cross-ecosystem reach is evident with the RubyGems worm, which injects equivalent malicious logic into extconf.rb, RubyGems' native-extension build hook. This file functions similarly to binding.gyp by executing automatically at build time, sidestepping "script"-focused monitoring. Both npm and RubyGems variants reuse the Bun downloader for payload execution. This consistent strategy targets build-time extension files, which are not typically classified as lifecycle scripts. Persistence is also achieved through GitHub repository poisoning. Using stolen GitHub tokens, the payload commits backdoor files into accessible repositories. These backdoors are placed within configurations for development tools and AI coding agents, such as .claude/, .cursor/rules/, and .vscode/tasks.json. Specifically, tasks.json entries may be configured with runOn": "folderOpen", ensuring that the payload re-executes whenever a developer opens the project in their integrated development environment. This mechanism ensures long-lived persistence, surviving even npm uninstall. This campaign, part of the Shai-Hulud / Miasma lineage, consistently introduces new techniques for evasion, persistence, and execution. Which Cisco SD-WAN zero-day is actively exploited? Cisco has issued a warning regarding CVE-2026-20245, a high-severity, unpatched zero-day vulnerability actively exploited in Cisco Catalyst SD-WAN Manager to achieve root privilege escalation. The flaw stems from insufficient input validation, enabling local attackers with low privileges to execute arbitrary commands as the root user. Exploitation typically requires prior netadmin privileges, which attackers may gain through valid credentials or by exploiting existing Cisco SD-WAN vulnerabilities such as CVE-2026-20182 or CVE-2026-20127. Google Cloud's Mandiant reported the flaw, leading to Cisco's awareness in June 2026. The company has observed limited cases where exploitation resulted in configuration changes pushed to edge devices. The affected Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, is network management software overseeing up to 6,000 Catalyst SD-WAN devices. The vulnerability impacts all deployment types: On-Prem, Cloud-Pro, Cloud (Cisco Managed), and Government (FedRAMP). While patches for CVE-2026-20245 are unavailable, Cisco advises upgrading to versions fixing earlier vulnerabilities. For example, fixes for CVE-2026-20182 were released May 14, 2026, as detailed in Cisco SD-WAN Zero-Day AI May 15. This incident extends a pattern of exploited Cisco SD-WAN zero-days. CVE-2026-20133, an information disclosure flaw, was flagged by CISA as exploited since 2023. Subsequently, CVE-2026-20128 and CVE-2026-20122 were also found under active abuse. Indicators of compromise (IOCs) for CVE-2026-20245 include specific log entries in /var/log/scripts.log, such as /usr/bin/vconfd_script_upload_tenant_list.sh -cli path /home/admin/malicious.csv vpn 0, indicating attempts to upload tenant configuration data for privilege escalation. What data was exposed in the UN World Food Programme breach? The United Nations' World Food Programme (WFP) is investigating a security incident that compromised personal information from approximately 600,000 Palestinian households in Gaza. This data, collected via the WFP's Self-Registration Application (SRA) used exclusively in Palestine for humanitarian assistance, included names, identification numbers, phone numbers, and detailed neighborhood location information. The breach occurred on May 14, 2026. Upon discovering the intrusion, the WFP promptly suspended the SRA platform, initiated containment efforts, and strengthened security controls. While "unauthorized parties" accessed the data, their identity and specific attack methods remain undisclosed. As the world's largest humanitarian organization, providing aid to about 1.6 million people in Gaza monthly, the WFP handles highly sensitive data for vulnerable populations. This compromise poses significant privacy and security risks, including potential for identity theft or further targeting, within an already volatile region. The investigation continues, with no public confirmation yet of whether the exposed information has been leaked or misused beyond initial unauthorized access. How are Chinese intelligence services recruiting insiders via job platforms? The Five Eyes intelligence partnership (ASIO, CSIS, FBI, MI5, NZSIS) issued its first joint bulletin on June 4, 2026, warning of extensive recruitment by China's military intelligence services. These services are using online job platforms, often through front companies outside China, to target individuals with access to sensitive information. Targets include government and military personnel (especially those with security clearances or in the Indo-Pacific), academics, journalists, and think tank employees. Chinese intelligence officers pose as recruiters for private consultancies, advertising roles like foreign-policy analysts to attract applicants with valuable connections or insights. Recruitment now emphasizes applicants responding to job ads, with résumés ranked by likely access to sensitive data. Virtual interviews probe government contacts or military roles. Successful candidates write trial reports on topics of strategic interest to China, then are directed to provide privileged material via encrypted messaging. Payments, ranging from hundreds to thousands of dollars per report, often use unconventional methods. The bulletin, "Safeguarding Our Secrets," emphasizes that even unclassified information on government policy, military strategy, or different capabilities can be combined to form a full operational picture. This aggregated intelligence can endanger frontline personnel, weaken economic prosperity, and enable interference in democratic processes. China's Ministry of Foreign Affairs denounced the allegations as "fabricated and malicious slander," asserting that Five Eyes members are the "real threat" with their own global intelligence operations. Technical Takeaways The Node-gyp Supply Chain Compromise uses the new "Phantom Gyp" technique, executing malicious code via binding.gyp files during npm install, bypassing traditional preinstall/postinstall script monitoring. This npm worm, a descendant of the Shai-Hulud / Miasma family, employs a multi-stage, obfuscated loader that downloads and executes a standalone Bun binary for its core credential-stealing operations. The worm exfiltrates stolen credentials (npm, GitHub, AWS, GCP, Azure, HashiCorp Vault, Kubernetes, password managers) to attacker-controlled GitHub repositories and achieves persistence through GitHub Actions injection and editor/AI agent hooks. CVE-2026-20245, a high-severity, unpatched zero-day in Cisco Catalyst SD-WAN Manager, is actively exploited for root privilege escalation, requiring prior netadmin access or exploitation of other Cisco SD-WAN vulnerabilities. The UN World Food Programme's Self-Registration Application (SRA) experienced a breach exposing names, identification numbers, phone numbers, and location data of approximately 600,000 Palestinian households in Gaza. The Five Eyes intelligence alliance warns that Chinese military intelligence services are using online job platforms to recruit individuals with access to sensitive information by posing as legitimate recruiters for front companies. --- ## Mirasvit CVE-2026-45247 (CVSS 9.8) RCE Exploit - URL: https://purple-ops.io/blog/mirasvit-cve-2026-45247-rce - Date: 2026-06-05 - Category: CVE Analysis - Tags: mirasvit, cve-2026-45247, rce, magento, deserialization - Reading time: 5 min | CVSS: 9.8 **Summary:** Mirasvit CVE-2026-45247, a critical RCE vulnerability (CVSS 9.8) in Magento's Cache Warmer, is under active exploitation and demands immediate patching. Mirasvit CVE-2026-45247 (CVSS 9.8) RCE Exploit Mirasvit, a vendor of extensions for Magento, has addressed a critical remote code execution (RCE) vulnerability, CVE-2026-45247, within its Full Page Cache Warmer extension. This flaw, rated with a CVSS score of 9.8, is a deserialization of untrusted data vulnerability that allows unauthenticated attackers to execute arbitrary PHP code on affected e-commerce platforms. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of this vulnerability. CISA mandates that Federal Civilian Executive Branch (FCEB) agencies apply necessary fixes by June 6, 2026. All organizations running affected systems should prioritize remediation. Sansec and Imperva have observed active attacks using this flaw. Organizations operating Magento environments with the Mirasvit Cache Warmer extension should immediately review their installation status, apply available patches, implement detection mechanisms, and identify potential exploitation attempts. What is CVE-2026-45247 and why is it critical? CVE-2026-45247 is a critical deserialization of untrusted data vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento. It enables unauthenticated remote code execution (RCE). A CVSS score of 9.8 indicates maximum severity. Exploitation can lead to complete system compromise without user interaction or prior authentication, and it is under active exploitation. This vulnerability is a deserialization of untrusted data, specifically PHP object injection (CWE-502). In this attack, an application deserializes untrusted input, which allows an attacker to manipulate the object creation process. By crafting a malicious serialized object, an attacker can control the application's internal logic, leading to arbitrary code execution. Its inclusion in CISA's KEV catalog also shows the criticality of CVE-2026-45247. The KEV catalog is a list of vulnerabilities with significant risk due to demonstrated real-world exploitation. This status makes the flaw an immediate and demonstrable threat requiring prompt attention from all affected entities. What is the potential impact of CVE-2026-45247? Exploitation of CVE-2026-45247 allows an unauthenticated attacker to execute arbitrary PHP code on affected Magento servers, leading to full compromise of the e-commerce platform and its underlying server infrastructure. This level of access grants attackers extensive control over the compromised system, posing severe risks to data integrity, confidentiality, and availability. Attackers gaining remote code execution can achieve various malicious objectives. These include stealing sensitive customer and payment information, defacing the website, injecting malicious scripts (e.g., Magecart attacks for credit card skimming), deploying ransomware, or establishing persistent backdoors for future access. Complete compromise of an e-commerce platform can lead to significant financial losses, severe reputational damage, and potential legal and regulatory penalties for data breaches. Imperva noted that observed payloads contained base64-encoded serialized objects designed to trigger PHP Object Deserialization and achieve remote code execution through commonly abused gadget chains. These payloads attempt to invoke functions such as system() and current() to execute arbitrary commands. Initial attacks focus on validating successful code execution to flag vulnerable Magento environments. Sansec, a Dutch security company, identified approximately 6,000 stores running Mirasvit extensions, showing a substantial attack surface. Active attacks have been observed primarily targeting gaming and business sites, with victims across multiple countries, including the U.S., U.K., France, and Australia. The broad reach and severe potential consequences make CVE-2026-45247 a critical threat for any organization using the affected extension. How is CVE-2026-45247 exploited? An unauthenticated attacker exploits CVE-2026-45247 by supplying a specially crafted serialized PHP object within the CacheWarmer cookie of any storefront HTTP request. PHP's native unserialize() function then deserializes this object without adequate validation, allowing the attacker to inject arbitrary PHP objects and escalate to remote code execution. The attack is remote and requires no authentication or administrative privileges. The main requirement for successful exploitation is the installation and active status of the Mirasvit Full Page Cache Warmer extension on a Magento instance. Attackers use the application's trust in the incoming CacheWarmer cookie. The cookie is processed directly from the client without proper sanitization or validation of its contents. This approach is reminiscent of other critical deserialization flaws, such as those discussed in our prior analysis of CVE-2026-45659-rce, which also showed the dangers of insecure deserialization. The exploitation chain proceeds: Object Crafting: An attacker constructs a malicious serialized PHP object. This object invokes specific "gadget chains" often present in PHP applications like Magento and its dependencies. These gadget chains are sequences of legitimate function calls or methods that, when triggered by an attacker-controlled object, can lead to unintended execution flow, resulting in RCE. Cookie Injection: The crafted serialized PHP object is Base64-encoded and embedded within the CacheWarmer cookie. This cookie attaches to a standard HTTP request destined for any storefront page of the target Magento application. Server-Side Deserialization: Upon receiving the HTTP request, the Magento application, the Mirasvit Full Page Cache Warmer extension, processes the CacheWarmer cookie. The extension uses PHP's unserialize() function to reconstruct the PHP object from the cookie's value. Remote Code Execution: The unserialize() function operates on attacker-controlled data without proper validation, so the malicious object is instantiated. The object's constructor or magic methods (e.g., destruct, wakeup) within the gadget chain are triggered, leading to the execution of arbitrary PHP code on the server. Imperva has confirmed observing active attacks using serialized PHP object payloads delivered via malicious HTTP requests. These payloads attempt to invoke functions such as system() and current() to execute arbitrary commands on the underlying server, showing intent for remote code execution. Which products and versions are affected by CVE-2026-45247? CVE-2026-45247 affects the Mirasvit Full Page Cache Warmer extension for Magento. This vulnerability impacts installations with the extension deployed, regardless of the Magento version, as the flaw resides within the extension itself. The following product line and version ranges are known to be vulnerable: Product Line: Mirasvit Full Page Cache Warmer for Magento Affected Versions: All versions prior to 1.11.12 Organizations should confirm the version of their Mirasvit Full Page Cache Warmer extension to confirm their exposure to CVE-2026-45247. Any version preceding 1.11.12 indicates immediate vulnerability and requires urgent attention. How can CVE-2026-45247 exploitation be detected? Detecting CVE-2026-45247 exploitation requires auditing web server logs for HTTP requests containing suspicious CacheWarmer cookie values, especially those with serialized PHP objects. Given this deserialization vulnerability, monitoring inbound network traffic and server-side process execution is important. Detection guidance: Network Indicators / Log Signatures: Web Server Access Logs: Monitor and audit web server access logs (e.g., Apache, Nginx logs) for HTTP requests directed at Magento storefronts. CacheWarmer Cookie Presence: Look for the CacheWarmer cookie within these requests. Suspicious Cookie Value Patterns: Identify CacheWarmer cookie values containing "CacheWarmer:" followed by a Base64-encoded string. A strong indicator is a CacheWarmer cookie value matching the regular expression CacheWarmer:(Tz|Qz|YT). These prefixes (Tz, Qz, or YT) are characteristic starting sequences for Base64-encoded serialized PHP objects. WAF Alerts: Configure Web Application Firewalls (WAFs) to inspect incoming HTTP request bodies and headers, particularly the Cookie header, for these patterns. Implement rules to alert or block requests matching the suspicious CacheWarmer cookie format. Payload Analysis: If suspicious cookie values are identified, attempt to Base64-decode the string following "CacheWarmer:". Inspect the decoded PHP object for common RCE functions or system commands (e.g., system(), exec(), passthru(), shell_exec(), current()). Look for evidence of attempts to write files to disk, establish reverse shells, create new user accounts, or perform reconnaissance commands (whoami, id, ls, pwd). EDR/SIEM Queries: Configure Endpoint Detection and Response (EDR) or Security Information and Event Management (SIEM) systems to alert on unexpected process execution from the web server. This includes PHP processes executing shell commands (e.g., sh, bash, cmd.exe) or any abnormal child processes spawned by the web server process. Monitor for the creation of new, suspicious files in web-accessible directories, especially PHP files (.php), or modifications to existing critical application files. Integrate threat intelligence feeds with known malicious payloads, IP addresses, or domains associated with CVE-2026-45247 exploitation into SIEM rules. For further insights into detecting actively exploited vulnerabilities, refer to our analysis of CVE-2026-41091, which details methods for identifying such threats. Vulnerability Scanning: Regularly perform authenticated and unauthenticated vulnerability scans of your Magento environment to identify the presence and version of the Mirasvit Cache Warmer extension. While not direct exploitation detection, it helps identify vulnerable assets. By combining these detection methods, organizations can create a full monitoring system to identify and respond to potential exploitation attempts of CVE-2026-45247. How can CVE-2026-45247 be remediated? To remediate CVE-2026-45247, apply the vendor-provided patch by upgrading the Mirasvit Full Page Cache Warmer extension to a secure version. Given the active exploitation and critical CVSS score of 9.8, immediate action is necessary to protect affected Magento environments. Specific remediation and mitigation steps: Patching: Upgrade to Secure Version: The most effective remediation is to upgrade the Mirasvit Full Page Cache Warmer extension to version 1.11.12 or later. Mirasvit released these patches on May 25, 2026. This upgrade directly addresses the deserialization vulnerability. Deadlines: CISA specifically mandated Federal Civilian Executive Branch (FCEB) agencies to apply these fixes by June 6, 2026, showing the urgency for all organizations. Mitigation (if immediate patching is not feasible): Disable/Uninstall Extension: If immediate patching is not possible due to operational constraints or testing requirements, consider temporarily disabling or, if feasible, uninstalling the Mirasvit Full Page Cache Warmer extension. Assess this action's impact on website performance and business operations. Disabling the extension would remove the vulnerable component from the active attack surface. Network Protections: Deploy or enhance WAF rules to inspect and block HTTP requests containing CacheWarmer cookies with suspicious Base64-encoded serialized PHP object patterns (e.g., CacheWarmer:(Tz|Qz|YT)). These rules can act as a temporary safeguard by preventing malicious payloads from reaching the vulnerable component. Also, implement strict network segmentation for your Magento servers and configure egress filtering to restrict outbound network connections from the Magento server to only essential services. This can help prevent an attacker from establishing command-and-control (C2) communication or exfiltrating data, even if RCE is achieved. Monitoring: Post-Remediation Audit: After applying the patch, conduct a thorough security audit of the Magento environment to ensure no persistent compromise occurred prior to remediation. This includes checking for backdoors, unauthorized user accounts, or modified files. Continuous Monitoring: Maintain closer monitoring of web server logs, WAF alerts, and EDR telemetry for any signs of attempted or successful exploitation of CVE-2026-45247. Continue to look for the detection indicators outlined in the previous section. This helps ensure the patch was effectively applied and no new or subtle exploitation methods emerge. Organizations should prioritize patching immediately to remove the exposure to CVE-2026-45247. Any delay in applying the fix significantly increases the risk of a successful compromise. Technical Takeaways CVE-2026-45247 is a critical unauthenticated remote code execution vulnerability (CVSS 9.8) in the Mirasvit Full Page Cache Warmer extension for Magento. The flaw stems from a deserialization of untrusted data (CWE-502), allowing attackers to inject malicious serialized PHP objects via the CacheWarmer cookie in any storefront HTTP request. Active exploitation is confirmed, leading to its inclusion in CISA's Known Exploited Vulnerabilities catalog and requiring immediate remediation for U.S. federal agencies. Observed attacks target e-commerce gaming and business sites across multiple countries, with initial payloads designed to validate remote code execution capabilities on compromised servers. Immediate patching to Mirasvit Full Page Cache Warmer extension version 1.11.12 or later is mandatory. Detection looks for CacheWarmer cookie patterns, such as CacheWarmer:(Tz|Qz|YT), in HTTP request logs. --- ## Diverse Ransomware Activity Sees 14 New Victims - URL: https://purple-ops.io/blog/diverse-ransomware-activity - Date: 2026-06-04 - Category: Ransomware Report - Tags: ransomware, ransomware-activity, manufacturing, financial-services, healthcare - Reading time: 5 min **Summary:** Fourteen new ransomware victims were reported in the last 24 hours, primarily affecting manufacturing, financial services, and healthcare sectors. Diverse Ransomware Activity Sees 14 New Victims Statistical Overview Victim Totals This month: 99 This quarter: 1645 Year to date: 4270 Last 24h: 14 Quarterly Breakdown Q1: 2631 | Q2: 1645 | Q3: 0 | Q4: 0 Ransomware activity maintains a consistent pace, with this quarter's victim count indicating sustained threat actor operations. The total new victims in the last 24 hours align with a steady pattern observed across the year. Introduction The past 24 hours saw 14 new ransomware victims reported, reflecting ongoing threat actor operations across various sectors. Active groups included Akira (2), DragonForce (2), Genesis (2), and INC Ransom (2), alongside others like Anubis (1). Primary targets were concentrated in the Manufacturing, Healthcare, and Financial Services sectors, with the United States remaining the most frequently impacted geography. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1Akira2National standard parts associates, Northern ohio regional multiple listing serviceUnited StatesTechnology / Software, Manufacturing 2DragonForce2Copamex, Sets solutionsLebanon, MexicoTechnology / Software, Manufacturing 3Genesis2Family medical associates of raleigh, Pb white & coUnited StatesHealthcare, Financial Services 4INC Ransom2CUSTOMSIGN, pdcbodynitsUnited States, SingaporeManufacturing 5Anubis1Singing river health systemUnited StatesHealthcare 6CMD1SeeWriteHearUnited StatesMedia & Entertainment 7Medusa Locker1BaiapaiSingaporeFinancial Services 8Space Bears1SicolBrazilFinancial Services 9Stormous1Sa2000.com newCanadaHospitality & Travel 10The Gentelman1Michigan surgical centerUnited StatesHealthcare The summary table illustrates varied ransomware activity, with no single group overwhelmingly dominant in victim count. Akira, Akira ransomware TTP analysis, DragonForce, and INC Ransom each claimed two victims, primarily affecting manufacturing and technology sectors across the United States, Singapore, Lebanon, and Mexico. Groups such as Genesis Group ransomware, Anubis, and The Gentelman continued targeting healthcare and financial services, predominantly in the United States. DragonForce ransomware activity further extended its reach to include financial and manufacturing entities. Victim Distribution By Country United States: 8 Singapore: 2 Brazil: 1 Canada: 1 Lebanon: 1 Mexico: 1 By Industry Financial Services: 3 Healthcare: 2 Food Service: 1 Information Technology: 1 Paper and Forest Product Manufacturing: 1 Apparel Manufacturing: 1 Healthcare & Social Services: 1 Information Services: 1 Manufacturing: 1 Publishing: 1 The United States remains a primary target for ransomware operators, accounting for over half of the new victims. Industrially, Manufacturing and Financial Services show the highest concentration of attacks, suggesting continued emphasis on critical and potentially lucrative sectors. Ransomware News Topline Multiple ransomware incidents were reported against local government entities and various organizations. The US government announced sanctions against cryptocurrency exchanges for facilitating ransomware payments. Campaigns & Operations Bowman, North Dakota Parks & Recreation experienced a ransomware attack leading to encrypted files, which were subsequently decrypted with expert assistance. In South Korea, Qilin ransomware targeted an automation equipment company, Nova ransomware affected a university's AI department, and Black X was observed in a data-extortion leak against a plastic surgery clinic. The National Federation of Subpostmasters (UK) also suffered a ransomware attack. Globally, the upcoming FIFA World Cup 2026 is projected to face increased threats, with high ransomware activity expected, particularly in the US and Canada. The US Treasury's OFAC sanctioned Nobitex, a major Iranian crypto exchange, for facilitating payments tied to IRGC-linked ransomware and sanctions evasion as part of the "Economic Fury" campaign, which also targeted other exchanges. Vulnerabilities & TTPs The ransomware attack on the National Federation of Subpostmasters stemmed from the exploitation of a critical vulnerability in the cPanel hosting control panel used by its web hosting provider. This period also shows the persistent use of dark-web channels for data leakage and extortion by various threat actors. Analyst Note These developments show the persistent and diversified threats posed by ransomware and its supporting financial infrastructure to a broad array of targets globally. Technical Takeaways Ransomware activity remains distributed across numerous groups, with Akira, DragonForce, Genesis, and INC Ransom leading in victim counts. Manufacturing, Financial Services, and Healthcare continue to be highly targeted sectors, indicating a focus on critical and high-value industries. The United States accounts for the majority of reported new ransomware victims, showing its significant threat landscape. Exploitation of vulnerabilities in common infrastructure, such as cPanel hosting control panels, remains a key initial access vector for some campaigns. Efforts to disrupt ransomware financing continue, as evidenced by US sanctions against cryptocurrency exchanges facilitating illicit payments. --- ## Mirasvit Cache Warmer CVE-2026-45247 (CVSS 9.8) RCE - URL: https://purple-ops.io/blog/mirasvit-cache-warmer-cve-2026-45247 - Date: 2026-06-04 - Category: CVE Analysis - Tags: mirasvit-cache-warmer, cve-2026-45247, magento, rce, deserialization - Reading time: 5 min | CVSS: 9.8 **Summary:** Mirasvit Cache Warmer vulnerability CVE-2026-45247 (CVSS 9.8) allows unauthenticated RCE on Magento and is actively exploited, added to CISA's KEV catalog. Mirasvit Cache Warmer CVE-2026-45247 (CVSS 9.8) RCE A critical deserialization of untrusted data vulnerability, CVE-2026-45247, impacts the Mirasvit Cache Warmer extension for Magento, a popular e-commerce platform. This flaw carries a CVSS score of 9.8, signifying its severe potential for compromise. The vulnerability allows unauthenticated attackers to achieve remote code execution (RCE) on affected servers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-45247 to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion follows confirmed reports of active exploitation in the wild, demonstrating the immediate and severe threat this vulnerability poses to organizations utilizing the Mirasvit Cache Warmer extension. Enterprise administrators and security teams are advised to prioritize remediation efforts. The absence of authentication requirements for exploitation, combined with the availability of exploit payloads in active attacks, necessitates prompt action to mitigate potential system compromise and data loss. What is CVE-2026-45247 and why is it critical? CVE-2026-45247 is a critical deserialization of untrusted data vulnerability in the Mirasvit Cache Warmer Magento extension. With a CVSS score of 9.8, this flaw permits unauthenticated remote attackers to execute arbitrary PHP code on vulnerable Magento installations, directly leading to total system takeover. The vulnerability stems from the extension's improper handling of user-supplied data within the CacheWarmer cookie. Specifically, the extension deserializes a portion of this cookie's value using PHP's native unserialize() function without adequate validation or sanitization. Deserialization of untrusted data is a severe class of vulnerability, often categorized as CWE-502 (Deserialization of Untrusted Data), because it allows an attacker to manipulate the process of reconstructing data objects. When an application attempts to reconstruct an object from attacker-controlled serialized data, the attacker can inject malicious objects or alter existing ones. In the context of CVE-2026-45247, an attacker can supply a specially crafted serialized PHP object within the CacheWarmer cookie. This crafted object is then processed by the unserialize() function. By using "gadget chains"-sequences of legitimate method calls present in the application's codebase or its dependencies-the injected object can trigger unintended code execution. This technique, known as PHP object injection, effectively bypasses security controls and allows the attacker to dictate the execution flow of the application. The critical nature of this vulnerability is further amplified by the fact that it requires no authentication or administrative privileges, meaning any unauthenticated storefront request carrying the malicious cookie can initiate the attack. The active exploitation of CVE-2026-45247 in real-world scenarios and its subsequent addition to CISA's KEV catalog demonstrate the urgency for immediate patching. Attackers are demonstrably aware of this flaw and possess the technical means to use it for significant compromise, transforming a theoretical risk into a tangible threat. This direct path to remote code execution makes CVE-2026-45247 a critical priority vulnerability for any organization operating a Magento environment with the affected extension. Impact of CVE-2026-45247 Successful exploitation of CVE-2026-45247 grants an unauthenticated attacker the ability to execute arbitrary PHP code on the underlying server. This level of access is equivalent to achieving full system takeover, enabling attackers to perform a wide range of malicious activities with severe consequences for the compromised organization and its customers. An attacker with remote code execution capabilities can: Exfiltrate sensitive data: Access databases containing customer information, payment details, order histories, and proprietary business data. Deface or alter the website: Modify web content, inject malicious scripts, or redirect legitimate users to malicious sites, damaging brand reputation and user trust. Deploy malware: Install backdoors, web shells, or other persistent malware to maintain access or launch further attacks, potentially leading to long-term compromise of the server and connected systems. Establish a foothold for lateral movement: Use the compromised Magento server as a pivot point to access other systems within the internal network. Organizations running Magento installations with the Mirasvit Cache Warmer extension are directly at risk. Sansec research identified approximately 6,000 stores utilizing Mirasvit extensions, though the actual number is likely higher due to the masking effects of content delivery networks (CDNs) like Cloudflare. The broad deployment of Magento across various industries means a significant number of entities are potentially exposed. Imperva has observed active attack activity targeting CVE-2026-45247, primarily singling out gaming and business sites. The most targeted countries include the U.S., the U.K., France, and Australia. The observed attack payloads incorporate base64-encoded serialized objects, designed to trigger PHP Object Deserialization and achieve remote code execution. These payloads have been noted to invoke functions such as system() and current() to execute arbitrary commands. Initial attacker objectives appear to focus on identifying vulnerable Magento environments and confirming the feasibility of remote code execution, indicating potential precursor activity to more extensive operations. Exploitation Chain Exploiting CVE-2026-45247 uses a deserialization of untrusted data vulnerability present in the Mirasvit Cache Warmer extension. The attack vector is entirely unauthenticated and remote, relying on specially crafted HTTP requests to the Magento storefront. The preconditions for a successful exploit are straightforward: an active Magento installation with the Mirasvit Cache Warmer extension installed, specifically any version prior to 1.11.12. No prior authentication or administrative privileges are necessary for an attacker to initiate the compromise. This low barrier to entry significantly increases the exploitability and risk profile of the vulnerability. The exploitation process unfolds as follows: Crafted HTTP Request: An attacker sends an HTTP request to the Magento storefront. This request contains a CacheWarmer cookie with a malicious value. Malicious Cookie Content: The CacheWarmer cookie value includes a Base64-encoded serialized PHP object. This object is meticulously constructed to manipulate the application's deserialization process. Deserialization Trigger: The Mirasvit Cache Warmer extension, in its normal operation, deserializes a part of the incoming CacheWarmer cookie value using PHP's unserialize() function. Due to the lack of sufficient input validation, the malicious serialized object is processed. PHP Object Injection: During deserialization, the crafted object takes advantage of a PHP object injection vulnerability (CWE-502). This allows the attacker to control what objects PHP reconstructs, introducing attacker-controlled data and logic into the application's memory space. Gadget Chain Execution: The injected object, in conjunction with existing legitimate classes and methods (a "gadget chain") within Magento and its dependencies, triggers the execution of arbitrary PHP code. Imperva reported observing payloads designed to invoke functions like system() and current() for command execution. Remote Code Execution: The arbitrary commands supplied by the attacker are executed on the underlying server, granting the attacker full control over the compromised Magento environment. Public exploit code and detailed technical information regarding this vulnerability are available, further accelerating the threat environment. Imperva has specifically reported active attack activity, indicating that threat actors are successfully using this flaw in the wild. The inclusion of CVE-2026-45247 in CISA's KEV catalog serves as official confirmation of its active exploitation and necessitates immediate attention from all affected organizations. Affected Products and Versions CVE-2026-45247 specifically impacts the Mirasvit Cache Warmer extension for Magento. Mirasvit Cache Warmer extension for Magento: All versions prior to 1.11.12. No other Mirasvit extensions or Magento core versions have been identified as directly affected by this specific vulnerability in the provided research. Organizations must verify the version of their Mirasvit Cache Warmer extension to determine their exposure. Detection Strategies for CVE-2026-45247 Detecting CVE-2026-45247 exploitation attempts relies on vigilant monitoring of web traffic and server logs for specific indicators. The attack vector directly involves a maliciously crafted CacheWarmer cookie within storefront requests. Security teams should implement the following detection strategies: HTTP Request Log Analysis: Continuously audit HTTP access logs for inbound requests targeting your Magento storefront. Focus on requests that include a CacheWarmer cookie in their headers. Specifically, examine the value of the CacheWarmer cookie for patterns indicative of serialized PHP objects. Specific Cookie Value Patterns: Sansec's research provides a crucial indicator: a CacheWarmer cookie value matching the regex CacheWarmer:(Tz|Qz|YT). This pattern is a strong indicator of an exploitation attempt. Explanation: When PHP objects are serialized and then Base64-encoded, their resulting string typically starts with specific characters based on the serialized content. Tz often indicates a serialized object (O: followed by length and class name). Qz may relate to custom classes or specific serialized structures. YT can indicate an array or string in some Base64 contexts, but in this specific exploit, it is associated with Base64-encoded serialized PHP objects. Any CacheWarmer cookie value that begins with "CacheWarmer:" followed by a Base64-encoded string starting with Tz, Qz, or YT should be treated as highly suspicious and investigated immediately. Web Application Firewall (WAF) Rules: Configure WAFs to detect and block requests containing CacheWarmer cookies with values matching the identified malicious patterns (CacheWarmer:(Tz|Qz|YT)). Implement rules that scrutinize cookie values for unusual Base64-encoded strings, especially those that align with known serialized PHP object signatures. Endpoint Detection and Response (EDR) Queries: While the initial attack is network-based, successful exploitation would lead to process execution on the server. EDR solutions can be configured to monitor for unusual process creation, particularly PHP processes executing system commands, or suspicious file modifications related to web shells or unauthorized scripts. Look for executions of system(), current(), or similar command execution functions from web server processes. Proactive monitoring and alert generation for these specific indicators are essential for identifying and responding to exploitation attempts of CVE-2026-45247. Due to the unauthenticated nature of the vulnerability and its active exploitation, immediate detection capabilities are paramount to prevent compromise. Remediation Organizations running the Mirasvit Cache Warmer extension on their Magento installations require prompt remediation, given the active exploitation of CVE-2026-45247. Applying the vendor-supplied patch is the primary and most effective remediation path. Patching: Upgrade the Mirasvit Cache Warmer extension to version 1.11.12 or a later release. This version includes the necessary fixes to address the deserialization of untrusted data vulnerability. Organizations should consult Mirasvit's official documentation and release notes for detailed upgrade instructions specific to their Magento environment. Compliance Mandates: The urgency of patching is reinforced by mandates from cybersecurity authorities. CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the necessary fixes for CVE-2026-45247 by June 6, 2026. This directive shows the severity and confirmed risk associated with unpatched systems. No Workarounds: The provided research does not indicate any effective temporary workarounds that fully mitigate this vulnerability without applying the patch. Disabling the extension entirely might remove the immediate threat, but it would also remove core functionality, which may not be feasible for operational environments. Therefore, immediate patching remains the only recommended and complete remediation. Post-Patch Verification: After applying the patch, organizations should conduct thorough verification to ensure the update was successful and the vulnerability is no longer present. A comprehensive security audit of the Magento environment should be performed to detect any signs of prior compromise, such as persistent backdoors or unauthorized configuration changes, which may have occurred if the system was exploited before patching. Technical Takeaways CVE-2026-45247 is a critical deserialization of untrusted data vulnerability with a CVSS score of 9.8, affecting the Mirasvit Cache Warmer Magento extension. The flaw enables unauthenticated attackers to achieve remote code execution (RCE) via a specially crafted CacheWarmer cookie. The vulnerability is actively exploited in the wild, leading to its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog. Detection involves monitoring storefront HTTP requests for CacheWarmer cookies with specific Base64-encoded serialized PHP object prefixes like Tz, Qz, or YT. Remediation requires upgrading the Mirasvit Cache Warmer extension to version 1.11.12 or a later release immediately. --- ## FAMOUS CHOLLIMA Deploys MicrosoftSystem64 npm RAT - URL: https://purple-ops.io/blog/famous-chollima-microsoftsystem64-npm-rat - Date: 2026-06-04 - Category: Threat Intelligence - Tags: famous-chollima, microsoftsystem64-rat, npm-supply-chain, huggingface, cryptocurrency-theft - Reading time: 5 min **Summary:** DPRK's FAMOUS CHOLLIMA group deploys the MicrosoftSystem64 multi-platform RAT via npm, exfiltrating credentials and crypto assets using HuggingFace. FAMOUS CHOLLIMA Deploys MicrosoftSystem64 npm RAT FAMOUS CHOLLIMA, a DPRK-linked threat actor group also known by the toskypi cluster of identities, has deployed a multi-platform Remote Access Trojan (RAT), identified as MicrosoftSystem64. This campaign uses malicious npm packages, such as js-logger-pack, to infect cryptocurrency traders and developers. The attack uses HuggingFace as a command-and-control (C2) platform and a data exfiltration channel, which helps it bypass traditional security detections. The MicrosoftSystem64 RAT, an 81 MB Node.js Single Executable Application (SEA), can steal credentials and execute remote commands on Windows, macOS, and Linux. A live probe on May 28, 2026, confirmed this threat infrastructure was active. Evidence included a valid embedded HuggingFace token and real-time exfiltration of victim data. This analysis revealed the theft of 417 periodic screenshots and a 500 MB archive containing 1,097 credential files from just two active victims observed in the attacker's HuggingFace datasets. The stolen data included browser credentials, over 80 cryptocurrency wallet extension details, Telegram Desktop sessions, and SSH keys. The actor shows operational resilience by rapidly rotating accounts and pivoting infrastructure. What are MicrosoftSystem64's Core Capabilities and Targets? The MicrosoftSystem64 RAT operates as an 81 MB stripped ELF binary. It is packaged as a Node.js v20.18.2 Single Executable Application (SEA) to evade detection and remove Node.js runtime dependencies on victim systems. This packaging allows the malware to appear as a native executable to endpoint monitoring tools, rather than a node process. The binary also sets its process.title to MicrosoftSystem64, mimicking a legitimate Microsoft service. The malware connects to a WebSocket C2 server at 195[.]201[.]194[.]107:8010 and accepts 24 remote commands from the operator. These commands provide full remote access capabilities, including arbitrary shell command execution, directory listing, drive enumeration, system information collection, and real-time screenshot streaming. The RAT uses a simple XOR cipher for obfuscating hardcoded configuration values. However, plaintext comments left by the attacker in the development build made deobfuscation trivial for analysts. Data exfiltration is a critical function, using HuggingFace as a backend. Instead of direct C2 uploads, the agent creates private HuggingFace datasets under the attacker's account (jpeek998) and commits stolen files using the Git LFS commit API. This method offloads storage infrastructure and makes network-level detection challenging because traffic appears as legitimate HTTPS requests to a trusted machine learning platform. The C2 server only receives lightweight notifications of successful uploads. The MicrosoftSystem64 RAT targets browser credentials from 15 browser families on all major operating systems. It also has a hardcoded mapping for over 80 cryptocurrency wallet browser extensions, from which it copies both extension code and localStorage data. The RAT also captures Telegram Desktop sessions by compressing the tdata directory and exfiltrates ~/.ssh directories, including private keys like id_rsa and authorized_keys. Persistence is established across Windows, macOS, and Linux through Scheduled Tasks, LaunchAgents, systemd user units, and XDG autostart entries, respectively, using the name MicrosoftSystem64. A self-update mechanism checks for new binary versions every 24 hours from a HuggingFace repository (jpeek998/system-releases) to keep the RAT current. A persistent upload queue provides resilience by retrying failed exfiltrations even after system restarts. A cross-platform keylogger is implemented using native OS APIs, such as SetWindowsHookEx on Windows, CGEventTap on macOS, and xinput/evdev on Linux. This keylogger runs alongside a clipboard watcher that polls every second. Periodic screenshots are captured every 60 seconds and uploaded to HuggingFace, giving operators near real-time visual surveillance of compromised systems. Attribution links this campaign to FAMOUS CHOLLIMA, a DPRK-linked threat actor group. The associated identity cluster includes npm publishers like jpeek868, jpeek886, jpeek895, and the persistent author identity toskypi. These entities are known for publishing malicious npm packages and are linked to campaigns such as Contagious Trader, which targets cryptocurrency trading bot developers. The pivot to HuggingFace after initial npm takedowns shows the actor's adaptive operational security. What Happened with the Red Hat Cloud Services npm Supply Chain Compromise? On June 1, 2026, an attacker compromised Red Hat Cloud Services by abusing npm's GitHub Actions trusted publishing mechanism, affecting 32 @redhat-cloud-services npm packages with a total of 96 malicious versions. Each malicious package version carried valid npm provenance, which indicated the build was ostensibly from the legitimate GitHub repository and workflow. The root cause was an issue where npm binds trusted publishing to a repository and workflow filename, not to a specific branch. The attacker exploited this by pushing short-lived oidc- branches to RedHatInsights repositories such as javascript-clients, frontend-components, and platform-frontend-ai-toolkit. On each branch, the legitimate CI workflow (ci.yml or release.yml) was rewritten into a self-publishing job. This modified workflow ran a Bun worm with id-token: write permissions. The worm exchanged the workflow's OIDC token for npm publish tokens, then repackaged the legitimate tarballs with a malicious preinstall hook and republished them, complete with valid provenance. The publishes occurred in three waves; the third wave remains the live latest for every affected package. The injected preinstall hook executes a 4.3 MB index.js payload. This payload uses ROT-9 decoding and AES-128-GCM decryption to reveal a 634 KB Bun script. The script then downloads the Bun runtime from GitHub and executes the decrypted payload. The payload is a multi-cloud credential harvester that steals secrets from various services. Organizations are advised to scan their projects for this and similar threats using tools for malicious npm packages. The worm harvests cloud credentials for AWS (IMDS, ECS, Secrets Manager, SSM), Azure (managed identity), GCP (service accounts), HashiCorp Vault tokens, Kubernetes service account tokens, GitHub PATs, npm tokens, and data from password managers like Bitwarden and gopass. It self-propagates by injecting a malicious .github/workflows/codeql.yml into accessible repositories and republishing tampered npm tarballs. Stolen credentials are exfiltrated to attacker-controlled public GitHub repositories, identifiable by the description Miasma: The Spreading Blight. The campaign, "Miasma: The Spreading Blight", also attempts privilege escalation by checking for Docker socket access. If available, it launches a container to bind-mount the host /etc/sudoers.d and grant the CI runner passwordless sudo access. The payload includes anti-analysis measures, checking for endpoint protection tools like CrowdStrike and SentinelOne, and specific environment variables to suppress malicious behaviors in analysis environments. This compromise of Red Hat Cloud Services packages and the abuse of GitHub Actions OIDC trusted publishing were detailed in a recent analysis. Persistence targets developer tooling, including .claude/settings.json and .vscode/tasks.json, for AI-agent and editor hijacking. The provenance data itself reveals the compromise, showing malicious versions built from attacker-controlled branches like oidc-4d5900f3 but using the registered workflow path (.github/workflows/ci.yml). This allowed npm to issue publish rights and sign provenance, legitimizing the malicious versions. The initial access method for pushing branches to the Red Hat repositories remains an open question. Why is CISA Warning About Fuel Tank Monitoring Systems? The Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, and Department of Energy issued a joint warning regarding cyberattacks targeting internet-exposed Automatic Tank Gauge (ATG) systems. These systems are used to monitor fuel and liquid storage tanks across critical infrastructure sectors including Energy, Chemical, Food and Agriculture, and Transportation Systems. Threat actors are compromising these devices and modifying system settings through command execution. Attackers are gaining access to ATG systems by exploiting vulnerabilities. These include authentication bypass flaws, hardcoded credentials, operating system command-execution vulnerabilities, SQL injection vulnerabilities, and privilege-escalation weaknesses. Once compromised, threat actors can alter critical network settings, product identifiers, tank volumes, and pump controls. They can also disable alerts, preventing operators from accurately monitoring tank fill levels, which could lead to leaks or equipment failures. While the advisory does not attribute the activity to a specific nation-state or threat actor group, it follows previous CNN reporting that Iranian hackers were behind similar breaches. These earlier incidents involved ATG systems at gas stations, where attackers exploited weak or non-existent passwords on internet-exposed devices. The Iranian group manipulated display readings but did not alter actual fuel levels, though the potential for interference with safety functions was a concern. Limited forensic evidence has made direct attribution challenging in the recent attacks. However, the observed malicious activity mirrors known tactics of threat actors interested in industrial control systems. CISA recommends immediate mitigation: block ATG systems from direct internet exposure, restrict remote access via firewalls, VPNs, or access control lists, and replace all default passwords. Strong credentials, multifactor authentication, prompt application of security updates, and active system monitoring for unauthorized changes are also advised to reduce the risk of compromise. What Remote Code Execution Flaw Was Discovered in Redis? An autonomous AI security tool named Team Xint Code discovered a two-year-old use-after-free vulnerability in Redis, tracked as CVE-2026-23479. This flaw, present in Redis versions 7.2.0 through 7.2.13, 7.4.0 through 7.4.8, 8.2.0 through 8.2.5, 8.4.0 through 8.4.2, and 8.6.0 through 8.6.2, allows an authenticated user to execute arbitrary OS commands on the database-hosting machine. Redis assigned it a CVSS 4.0 score of 7.7, while NVD rated it 8.8 under CVSS 3.1. The vulnerability resides in the unblockClientOnKey() function within src/blocked.c, which is triggered when a key event unblocks a command. This function dispatches the queued command via processCommandAndResetClient(), which can, as a side effect, free the client. However, unblockClientOnKey() continues to use the freed client pointer, leading to a use-after-free condition (CWE-416). The flaw resulted from two separate commits in January and March 2023 that became dangerous only when combined in Redis 7.2.0. The full remote code execution chain consists of three stages. First, a Lua script leaks a heap address. Second, the attacker grooms client memory, then frees a blocked client mid-call, immediately reclaiming the freed slot with a fake client structure using a pipelined SET command. Third, Redis's updateClientMemoryUsage() performs an out-of-bounds decrement using attacker-controlled fields, targeting the Global Offset Table (GOT) to repoint strcasecmp() at system(). The next command parsed by Redis then executes as a shell command. The default Redis Docker image ships with only partial RELRO, leaving the GOT writable at runtime. This facilitates the third stage of the exploit. This full chain requires an authenticated session with CONFIG SET, EVAL, stream commands (XREAD/XADD), and basic SET/GET privileges, typically grouped under @admin, @scripting, @stream, and @read/@write ACL categories. The default Redis user often possesses all these privileges. Redis has released patched minor versions: 7.2.14, 7.4.9, 8.2.6, 8.4.3, and 8.6.3, all available since May 5. While no in-the-wild exploitation has been reported, the public release of the technical exploit chain increases the risk. Mitigation strategies for unpatched instances include removing Redis from public internet exposure, enforcing TLS, and tightening ACLs to prevent any single role from combining @admin, CONFIG, and @scripting privileges. Disabling @scripting if Lua is not in use can also disrupt the initial heap address leak. How Did Meta's AI Support Bot Lead to Instagram Account Hijacks? Attackers exploited an AI support assistant deployed by Meta to hijack Instagram accounts over the past few months. High-profile victims included accounts belonging to the Obama White House (dormant), beauty retailer Sephora, a senior US Space Force official, and security researcher Jane Manchun Wong. The issue, a "confused deputy" problem, arose because the AI bot had permissions to make account changes without identity verification mechanisms. The attack method was straightforward: threat actors determined an account owner's geographic region, often through publicly available information, and then used a VPN to match that region. This step helped avoid triggering Instagram's security flags. They then initiated a normal password reset process and engaged with the AI support bot, requesting an email address change on the target account. The bot then sent a one-time code directly to the attacker's inbox, granting them control. In cases where enhanced security measures were triggered, attackers reportedly resorted to creating video deepfakes of their targets. These deepfakes were constructed using images harvested from Instagram itself, which enabled attackers to bypass more stringent identity verification processes. Meta communications executive Andy Stone confirmed the issue was resolved and impacted accounts were being secured, though the total number of affected accounts was not disclosed. The motivation behind these hijacks often goes beyond simple defacement; financial gain is a primary driver. Attackers have been known to blackmail businesses reliant on Instagram for marketing or target "OG" accounts with short, desirable usernames that can fetch thousands of dollars on underground markets. This incident shows the risks of deploying AI with broad permissions in sensitive systems without strong security controls. To protect against such attacks, enabling multi-factor authentication (MFA) is crucial. Reports indicate that accounts with MFA enabled, even using SMS codes, were unaffected by this attack vector. Users should navigate to Instagram's Settings, then their Meta Accounts Center, and enable Two-factor authentication. Using an authenticator app over SMS offers enhanced security. New reports suggest new attack methods are emerging, involving modified Android emulators to manipulate AI prompts with hidden characters. Technical Takeaways FAMOUS CHOLLIMA, a DPRK-linked group, uses MicrosoftSystem64, a multi-platform Node.js SEA RAT. It exfiltrates 1,097 credential files and 417 screenshots from observed victims via HuggingFace datasets. The "Miasma: The Spreading Blight" campaign compromised 32 Red Hat Cloud Services npm packages (96 malicious versions). It exploited GitHub Actions trusted publishing flaws, and malicious versions remain live as latest. CISA warned of unattributed cyberattacks on critical infrastructure Automatic Tank Gauge (ATG) systems. Attackers exploit authentication bypasses and hardcoded credentials to alter tank monitoring capabilities. Team Xint Code, an autonomous AI tool, discovered CVE-2026-23479, a two-year-old authenticated use-after-free RCE in Redis versions 7.2.x, 7.4.x, 8.2.x, 8.4.x, and 8.6.x. Meta's AI support bot was exploited as a "confused deputy." This allowed attackers to hijack Instagram accounts by requesting email changes and potentially using deepfakes to bypass identity verification. --- ## CVE-2026-49975 HTTP/2 Bomb Critical DoS - URL: https://purple-ops.io/blog/cve-2026-49975-http2-bomb-dos - Date: 2026-06-04 - Category: CVE Analysis - Tags: cve-2026-49975, http2-bomb, denial-of-service, web-servers, apache-nginx - Reading time: 5 min **Summary:** Critical HTTP/2 Bomb vulnerability CVE-2026-49975 actively exploits major web servers like Apache and NGINX, causing severe memory exhaustion. CVE-2026-49975 HTTP/2 Bomb Critical DoS A critical denial-of-service vulnerability, tracked as CVE-2026-49975, impacts multiple vendors' HTTP/2 implementations, including Apache httpd, NGINX, Microsoft IIS, Envoy, and Cloudflare Pingora. This "HTTP/2 Bomb" exploit uses a new combination of compression and slow-read techniques to trigger severe memory exhaustion on vulnerable servers. While a specific CVSS score for CVE-2026-49975 has not been publicly assigned, the reported impact on server resources indicates a critical severity. Security firm Calif publicly disclosed full details and Proof-of-Concept (PoC) exploit code for this vulnerability on June 3, 2026. The widespread availability of this exploit code increases the immediate risk of active exploitation against unpatched systems. Organizations operating any of the affected web server platforms must prioritize remediation efforts to prevent service disruption. This vulnerability allows a remote attacker to consume substantial server memory with minimal network traffic, potentially paralyzing enterprise data centers using basic internet connections. The attack bypasses traditional defense mechanisms designed to prevent out-of-bounds data payloads. What is the HTTP/2 Bomb Vulnerability (CVE-2026-49975)? The HTTP/2 Bomb vulnerability, CVE-2026-49975, is a denial-of-service exploit that combines two long-standing infrastructure manipulation techniques: a compression bomb and a Slowloris-style hold. The attack primarily targets HPACK, the header compression framework central to modern HTTP/2 protocol configurations. By exploiting HPACK, a malicious actor can transmit a single byte over the wire that expands into a significant memory allocation block on the receiving server. This amplification occurs due to the server's per-entry bookkeeping overhead for nearly empty headers, a mechanism that bypasses standard volumetric data payload filters. The core of the attack involves sending specially crafted HTTP/2 headers that, despite their minimal wire size, force the server to allocate substantial memory for internal tracking. This process generates a high memory amplification ratio. The attacker maintains a zero-byte flow-control window for the connection, preventing the server from releasing the allocated memory. Tiny, periodic update signals are transmitted by the attacker to bypass standard connection timeouts, ensuring the memory remains pinned indefinitely. This sustained pressure pushes the host environment into heavy swap space cycles, leading to severe performance degradation rather than an immediate process crash, thereby increasing disruption. Impact The HTTP/2 Bomb exploit, tracked as CVE-2026-49975, is a serious threat, enabling attackers to achieve severe denial-of-service conditions through rapid memory exhaustion. The primary risk is the ability of a remote adversary to paralyze an unprotected enterprise data center using minimal resources, such as a basic home internet connection. A single client exploiting this vulnerability against Apache httpd and Envoy could consume and hold 32GB of server memory in approximately 20 seconds. This level of resource consumption quickly overwhelms system capabilities, leading to heavy swap utilization and rendering legitimate user requests unresponsive. The attack's design, which uses a zero-byte flow-control window and periodic update signals, ensures that the consumed memory remains locked, preventing standard connection timeouts from resolving the issue. The vulnerability affects the default configurations of most modern web servers. Shodan search parameters indicate that over 880,000 active public web portals currently expose the vulnerable HTTP/2 protocol configuration. Organizations whose services rely on HTTP/2-enabled web servers are at high risk of operational disruption, reputational damage, and financial losses due to service outages. The ability to induce such widespread and persistent resource exhaustion with minimal effort categorizes this vulnerability as high impact. Our prior analysis of a massive DDoS attack against a hosting provider illustrates similar widespread operational disruption. Exploitation Chain The exploitation of CVE-2026-49975 is initiated remotely over the HTTP/2 protocol. The attack does not require any prior authentication or special privileges. The primary preconditions for successful exploitation are the presence of a web server configured to use HTTP/2 and its susceptibility to the HPACK compression bomb and Slowloris-style hold techniques. The attack vector involves two chained techniques: HPACK Compression Bomb: The attacker sends HTTP/2 headers that are very small in wire size but are crafted to trigger large memory allocations on the server. This occurs due to the server's internal bookkeeping for each header entry during decompression. The malicious headers cause an exponential expansion of memory usage. Slowloris-style Hold: Once memory is allocated, the attacker uses a zero-byte flow-control window and sends tiny, periodic data frames. This prevents the server from timing out the connection and releasing the consumed memory. The memory remains pinned, gradually driving the server into resource exhaustion and heavy swap utilization. Public Proof-of-Concept (PoC) exploit scripts are now accessible online via the califio/publications/tree/main/MADBugs/http2-bomb repository. The availability of these scripts lowers the barrier for attackers to use this vulnerability. Automated intelligence systems can easily transform these public source differentials into active network payloads, indicating a high probability of widespread exploitation. Affected Products and Versions The HTTP/2 Bomb vulnerability, CVE-2026-49975, affects the default configurations of many modern web servers utilizing HTTP/2. The research specifically identifies the following platforms as vulnerable or having been assessed for the flaw: Apache httpd: Affected. An emergency patch addressing CVE-2026-49975 was deployed on May 27, 2026. Prior versions are vulnerable. NGINX: Affected. The NGINX open-source team integrated an advanced header counting directive into their latest software build to mitigate the issue. Versions prior to this update are vulnerable. Envoy: Affected. As of the disclosure date, formal security updates for Envoy were not yet available. Microsoft IIS: Affected. As of the disclosure date, formal security updates for Microsoft IIS were not yet available. Cloudflare Pingora: Affected. As of the disclosure date, formal security updates for Cloudflare Pingora were not yet available. The widespread nature of this vulnerability across different server implementations shows a fundamental issue within the HTTP/2 HPACK compression mechanism when combined with resource holding techniques. Organizations operating these unpatched systems remain exposed to severe denial-of-service attacks. Detection Detecting exploitation attempts related to CVE-2026-49975 requires monitoring for anomalous resource consumption and network traffic patterns on HTTP/2-enabled web servers. Due to the nature of the attack, which involves memory amplification with minimal incoming data, traditional signature-based detection focused on payload size may be insufficient. Concrete detection guidance includes: System Resource Monitoring: Monitor the memory usage of web server processes (e.g., httpd, nginx, envoy, w3wp.exe). Look for sharp, sustained increases in Resident Set Size (RSS) or Virtual Memory Size (VSZ) without a corresponding increase in legitimate request volume or bandwidth. Observe system-wide swap space utilization. A sudden and large increase in swap activity on a web server host, especially if persistent, is a strong indicator of memory exhaustion, potentially due to CVE-2026-49975 or similar resource starvation attacks. Monitor CPU utilization, which may spike due to increased paging activity as the system struggles with memory pressure. Network Flow Analysis: Look for HTTP/2 connections that maintain a long duration but exhibit low data transfer rates after the initial connection establishment. This could indicate the Slowloris-style hold component of the attack. Analyze HTTP/2 header frames. While difficult without deep packet inspection capabilities, patterns of numerous small header frames that lead to high server memory consumption should be investigated. EDR/Host-based Telemetry: EDR solutions can be configured to alert on web server processes consuming large amounts of memory (e.g., >80% of allocated memory, or sustained >X GB per process). Monitor for instances where web server processes approach or hit defined ulimit or cgroup memory thresholds, indicating resource contention. Log Signatures (Indirect): While direct exploitation logs may not be immediately evident, application and system logs may show signs of service degradation, such as increased request latency, connection timeouts for legitimate users, or process restarts due to resource limits being hit. Web access logs may show a high number of open connections from a single source IP that remain open for extended periods without much data exchange. Organizations should prioritize the establishment of baseline resource usage for their HTTP/2 services to more readily identify deviations caused by this or similar attacks. Remediation Remediation for CVE-2026-49975 involves applying vendor-provided patches or implementing mitigating controls where patches are not yet available. Given the public availability of PoC exploit code, immediate action is advised. Patching: Apache httpd: Apply the emergency patch released on May 27, 2026, which addresses CVE-2026-49975. System administrators should consult Apache's official security advisories for specific version updates and instructions. NGINX: Update to the latest software build that includes the advanced header counting directive. Refer to NGINX's official documentation and security announcements for updated versions. Microsoft IIS, Envoy, Cloudflare Pingora: As of the disclosure date, formal security updates for these platforms were not publicly available. Organizations utilizing these products must implement the described workarounds and mitigations immediately. Workarounds & Mitigations (for unpatched systems): Disable HTTP/2 Protocol: If your operational environment can tolerate the protocol shift, reverting perimeter configurations to classic HTTP/1.1 protocols will completely eliminate the exploit path. This is a very effective, albeit potentially impactful, workaround. Our analysis of CVE-2026-23918 affecting Apache HTTP/2 offers more information on HTTP/2 vulnerabilities. Implement Intermediate Gateway with Header Limits: Front vulnerable infrastructure with an intermediate gateway (e.g., a load balancer, WAF, or reverse proxy) that can enforce a strict maximum cap on incoming HTTP/2 header fields. This limits the potential for amplification of the attack. Apply Strict Container Resource Constraints: For services running in containerized or virtualized environments, enforce strict memory limits using tools like Linux cgroups or ulimit. Configuring the kernel to terminate a malicious worker process quickly once it exceeds memory limits is a better failure mode than allowing an attacker to hold the entire machine at 95% resource utilization. This strategy prioritizes process isolation and system stability. Monitoring: Continuously monitor system resources (CPU, memory, swap) and network traffic patterns on web servers for anomalies that could indicate an attempted or ongoing attack. Implement alerting for sudden spikes in memory usage or sustained low-bandwidth connections. Organizations should review their architecture to determine the most appropriate and effective remediation strategy, prioritizing patching where available and implementing strong mitigations otherwise. Technical Takeaways CVE-2026-49975 is a critical HTTP/2 denial-of-service vulnerability using HPACK compression and Slowloris-style resource exhaustion. The attack achieves high memory amplification, allowing a single client to consume tens of gigabytes of server memory (e.g., 32GB in 20 seconds for Apache httpd and Envoy). Public Proof-of-Concept (PoC) exploit code is available, increasing the immediate risk of widespread exploitation. The vulnerability affects major web server platforms, including Apache httpd, NGINX, Microsoft IIS, Envoy, and Cloudflare Pingora, with over 880,000 public web portals potentially exposed. Remediation includes applying vendor patches (Apache and NGINX have released updates or directives) and implementing mitigations like disabling HTTP/2, enforcing header limits via gateways, or setting strict memory resource constraints. --- ## The Gentelman Ransomware Activity: 9 New Victims - URL: https://purple-ops.io/blog/gentelman-ransomware-activity - Date: 2026-06-03 - Category: Ransomware Report - Tags: the-gentelman, ransomware, cybercrime, threat-activity, healthcare-victims - Reading time: 5 min **Summary:** The Gentelman ransomware led recent activity with 9 new victims, significantly impacting healthcare and professional services sectors globally. The Gentelman Ransomware Activity: 9 New Victims Statistical Overview Victim Totals This month: 85 This quarter: 1631 Year to date: 4256 Last 24h: 35 Quarterly Breakdown Q1: 2631 | Q2: 1631 | Q3: 0 | Q4: 0 Ransomware activity shows 35 new victims. The Gentelman, LockBit, and Qilin operations influenced the victim count this period. Introduction Recent ransomware activity shows 35 new victims, with The Gentelman as the most active operator. Other groups include LockBit, Qilin, Akira, and INC_Ransom. Affected sectors include Healthcare and Professional Services, with targeting primarily in the United States, India, and Germany. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1The Gentelman93e accounting, Downriver medical associates, Edgewood surgical hospital (+6)Germany, GuatemalaHealthcare, Professional Services 2LockBit4dobarro.com.uy, elumax.com, helios.com.bo (+1)Uruguay, TaiwanRetail & Ecommerce, Technology / Software 3Qilin4Eat salad, Jnp eng, Marketjoy (+1)United States, South KoreaProfessional Services, Hospitality & Travel 4Akira3Cherokee distributing co, Factors western, Hal otey financialUnited States, CanadaRetail & Ecommerce, Financial Services 5INC Ransom3Colina Financial Advisors, Oztugotomotiv, trrac.netTurkey, United StatesAutomotive, Insurance 63AM2Agroexportavocados.com, Hoplongtech.comMexico, VietnamTechnology / Software, Agriculture & Food 7Kill Security2Acehospital.in, Csinsurance.mxMexico, IndiaHealthcare, Insurance 8APT731Smarty.arpinet.amArmeniaTelecommunications 9Krybit1Www.elumax.comTaiwanTechnology / Software 10Medusa Locker1Dolrad demoUnited Arab EmiratesProfessional Services 11Nitrogen1PyramidUnited StatesReal Estate 12SafePay1Iql-nog.comSpainManufacturing The Gentelman led activity with 9 reported victims, impacting healthcare and professional services across Germany and Guatemala. LockBit and Qilin were also active, each claiming 4 victims in sectors like retail, technology, and hospitality in Uruguay, Taiwan, and the United States. The varied sectors and geographies show how widely current ransomware campaigns operate. Victim Distribution By Country United States: 7 India: 3 Taiwan: 2 Germany: 2 Mexico: 2 Portugal: 2 South Korea: 1 Spain: 1 Thailand: 1 The Bahamas: 1 By Industry Financial Services: 3 Healthcare: 2 Advertising & Marketing: 1 Industrial Machinery & Equipment: 1 Chemical Manufacturing: 1 Industrial Distribution: 1 Process Control and Electronics/Telecommunication: 1 Conglomerates: 1 Automotive and Industrial Manufacturing: 1 None: 1 The United States is the most frequently targeted country, followed by India. This shows a continued focus on economically significant regions. Industries such as Financial Services and Healthcare face attacks, which suggests these sectors are high-value targets. Ransomware News Topline Recent intelligence shows an increase in ransomware activity, including new AI-driven tools and an active global campaign from The Gentelman operator. Campaigns & Operations Microsoft Threat Intelligence has documented The Gentelman ransomware-as-a-service operation, attributed to the Storm-2697 syndicate. This operation infiltrates corporate assets, exfiltrates data, and expands via a self-spreading worm and a 21-vector remote-execution playbook. This occurs alongside broader ransomware trends: the global cost is projected to reach approximately $275 billion annually by 2031, and 29% of organizations pay the initial ransom demand. Municipalities like the City of Thorold have also confirmed cybersecurity incidents, showing the continued operational and financial impact on public services. The threat economy is consolidating, driven by four main groups. Identity is becoming a key perimeter, and there is an increase in living-off-the-land techniques, with APAC financial services accounting for about 22% of incidents. These events show a continued evolution of understanding ransomware attacks. Vulnerabilities & TTPs Sophos researchers have identified an AI-built ransomware toolkit that automates Active Directory discovery and EDR evasion, using multiple AI agents, including Claude Opus, to develop and harden payloads. The Gentelman campaign uses advanced evasion tactics, including PowerShell-driven Defender real-time monitoring disablement, local binary exclusion, and C:\\ volume scan exclusion. It also performs aggressive post-encryption cleanup of Volume Shadow Copies and logs, using a custom hybrid crypto stack (Curve25519 with XChaCha20). Analyst Note These developments show the increased sophistication of ransomware threats, combining advanced TTPs with AI to improve evasion and operational scale. This shows that timely threat intelligence platform insights are important. Technical Takeaways The Gentelman, operated by the Storm-2697 syndicate, uses an advanced 21-vector remote execution playbook, a self-spreading worm, and a custom hybrid crypto stack for encryption. Active ransomware groups use advanced evasion techniques, including PowerShell-driven Defender disablement and aggressive post-encryption cleanup of logs and Volume Shadow Copies. AI is used in ransomware toolkit development to automate Active Directory discovery and EDR evasion, though human oversight is important for payload refinement and deployment. Ransomware operations are evolving towards double extortion and data exfiltration. Identity is recognized as a primary defense perimeter. Healthcare and Professional Services are highly targeted sectors, with a wide geographical distribution of victims. This indicates both opportunistic and strategic targeting across regions. --- ## InHand Router Command Injection CVE-2026-38702 (CVSS 9.8) - URL: https://purple-ops.io/blog/inhand-router-command-injection-cve-2026 - Date: 2026-06-03 - Category: CVE Analysis - Tags: inhand-networks, command-injection, cve-2026-38702, industrial-iot, router-vulnerability - Reading time: 5 min | CVSS: 9.8 **Summary:** InHand industrial routers, including IR302 and IR305, have critical command injection flaw CVE-2026-38702 (CVSS 9.8), enabling remote code execution. InHand Router Command Injection CVE-2026-38702 (CVSS 9.8) InHand Networks industrial routers (IR302, IR305, IR315, IR615) have critical command injection vulnerabilities. CVE-2026-38702 allows remote arbitrary command execution, potentially leading to root privilege escalation or denial of service. Other flaws, including CVE-2026-38703, CVE-2026-38704, CVE-2026-38705, and CVE-2026-38707, also pose a severe risk to industrial internet-of-things (IoT) setups globally. Several vulnerabilities in this series have a maximum CVSS score of 9.8. These security defects are in the core operating software, specifically targeting management routines and VPN implementations. No public confirmation of active exploitation exists at the time of publication, but the vendor's immediate patch release shows the urgency of remediation. Remote attackers could seize full administrative control or cause complete system paralysis, requiring prompt firmware updates. These vulnerabilities directly threaten automated corporate environments where InHand industrial routers are critical edge network components. Successful exploitation could disable security features, execute arbitrary commands, and delete files, leading to operational disruption and data compromise in industrial and enterprise infrastructures. Impact Command injection vulnerabilities in InHand Networks industrial routers pose a substantial risk because they can give remote attackers extensive control. With multiple flaws having a maximum CVSS score of 9.8, exploitation severity is high. An attacker exploiting these vulnerabilities could gain root privileges, allowing full administrative control over the router. This access enables adversaries to bypass security features, execute arbitrary system commands, and delete files. The impact extends beyond direct control to the operational integrity of industrial IoT setups and automated corporate environments. Gaining root access or executing arbitrary commands means an attacker could completely compromise router functionality. This could cause a denial of service (DoS), paralyzing remote factory systems or other enterprise environments dependent on these routers for critical network connectivity and data exchange. Vulnerabilities in VPN implementations (ZeroTier via CVE-2026-38703, WireGuard via CVE-2026-38704, and IPSec via CVE-2026-38707) are concerning because they could allow attackers to intercept, manipulate, or disrupt secure remote connections, undermining industrial communications' confidentiality and integrity. The flaw affecting localized digital input-output features (CVE-2026-38705) could also allow attackers to manipulate physical processes managed by the router, introducing physical safety and operational hazards. This presents a significant operational risk, threatening critical infrastructure stability and security. Exploitation Chain Exploiting these InHand router flaws involves command injection, a vulnerability type where an attacker executes arbitrary commands on a host operating system via a vulnerable application. Command injection vulnerabilities often occur when an application builds a system command using user-supplied input without proper sanitization or validation. If an attacker injects malicious commands into this input, the operating system executes them with the vulnerable application's or device's privileges. For InHand industrial routers, the vulnerabilities are in critical device subsystems. The attack vector is remote, so attackers do not need physical access. The flaws target management routines and several VPN implementations (ZeroTier via CVE-2026-38703, WireGuard via CVE-2026-38704, and IPSec via CVE-2026-38707), along with localized digital input-output features (CVE-2026-38705). This suggests injection points are likely within the web management interface or configuration for these services and I/O functions. Successful exploitation typically requires preconditions like network access to vulnerable router interfaces. An unauthenticated remote attacker could use these flaws to send specially crafted requests with malicious command payloads. When processed, the router's operating system would execute the embedded commands, leading to arbitrary command execution, file deletion, and ultimately, root privilege escalation or denial of service. The potential impact of such exploitation in industrial environments, as discussed in our analysis of a critical command injection flaw in industrial robots, shows the serious risks of such OT vulnerabilities. The official advisory does not detail specific PoC exploits or active exploitation reports at the time of publication. Which InHand Industrial Routers are affected? These security vulnerabilities directly affect several InHand Networks industrial router models. The vendor's advisory lists specific models and their vulnerable firmware versions. InHand IR302 Industrial Router: All firmware versions prior to InRouter3XX-V3.5.112 are vulnerable to these command injection flaws. InHand IR305 Industrial Router: All firmware versions prior to V1.0.121 are vulnerable. InHand IR315 Industrial Router: All firmware versions prior to V1.0.121 are vulnerable. InHand IR615 Industrial Router: All firmware versions prior to V1.0.121 are vulnerable. These models are common in industrial and enterprise environments, acting as critical components for edge network connectivity and data processing. Their widespread deployment in sensitive OT settings shows the need for prompt patching. This resembles other firmware flaws and RCE in SOHO routers that have posed significant network infrastructure risks. How can these vulnerabilities be detected? The vendor or researchers have not publicly detailed specific detection guidance for CVE-2026-38702 and related InHand industrial router vulnerabilities. This includes unique log signatures, Indicator of Compromise (IOC) families, detailed EDR queries, or specific network indicators. Without specific technical detection artifacts, organizations must primarily rely on diligent vulnerability management and patching. Without specific signatures, detecting attempted or successful exploitation relies on general security monitoring. This means monitoring router logs for unusual activity, unauthorized command execution attempts, or unexpected system reconfigurations. Anomalous network traffic patterns to or from InHand routers, especially concerning VPN services (ZeroTier, WireGuard, IPSec) or management interfaces, could indicate suspicious activity. However, these are general monitoring recommendations, not specific indicators for these CVEs. Given the high CVSS score and command injection's potential to grant root privileges, applying vendor-provided patches is the most reliable and immediate way to address the risk. What remediation steps are available? To ensure network safety and mitigate risks from these critical command injection vulnerabilities, InHand Networks has released updated firmware for affected industrial routers. Administrators must deploy these updates immediately. The primary remediation steps are as follows: Patching for IR302 Industrial Router: Users of the IR302 model must upgrade device firmware to version InRouter3XX-V3.5.112 or later. This update directly addresses previous versions' identified vulnerabilities. Patching for IR305, IR315, and IR615 Industrial Routers: Companies operating IR305, IR315, or IR615 units must install firmware version V1.0.121 or later. This consolidated update fixes all three models. Firmware Acquisition: Administrators should download update files directly from the official InHand Networks manufacturer portal. Obtaining firmware from official channels is important to prevent installing malicious or compromised software. Immediate Deployment: With a maximum CVSS score of 9.8 and the potential for remote root access or denial of service, deploy these firmware updates without delay. This aligns with urgent patching advice for router vulnerabilities, like those discussed in our analysis of a critical command injection vulnerability in a TP-Link router. Operational Continuity Planning: Organizations should review their industrial router update procedures, ensuring firmware upgrades can be performed efficiently and minimize disruption to critical operational technology systems. Strict software patch updates remain the most effective defense against exploiting these vulnerabilities in edge network devices. Technical Takeaways Multiple critical command injection vulnerabilities, including CVE-2026-38702, affect InHand Networks IR302, IR305, IR315, and IR615 industrial routers. These flaws have a maximum CVSS score of 9.8, indicating severe risk. They allow remote arbitrary command execution, root privilege escalation, and denial of service. Vulnerabilities exist in key software components: device management routines, VPN implementations (ZeroTier via CVE-2026-38703, WireGuard via CVE-2026-38704, and IPSec via CVE-2026-38707), and digital I/O features (CVE-2026-38705). Affected router models require immediate firmware updates: IR302 to InRouter3XX-V3.5.112; IR305, IR315, IR615 to V1.0.121. The high severity and remote exploitability show the critical need for immediate patching, especially in industrial IoT and automated corporate environments where these devices are deployed. --- ## Miasma Campaign Exploits Red Hat npm Supply Chain - URL: https://purple-ops.io/blog/miasma-red-hat-npm-supply-chain - Date: 2026-06-03 - Category: Threat Intelligence - Tags: miasma-campaign, red-hat, npm-supply-chain, github-actions - Reading time: 5 min **Summary:** The Miasma campaign compromised 32 Red Hat npm packages via a GitHub Actions flaw, deploying a worm to harvest multi-cloud credentials. Miasma Campaign Exploits Red Hat npm Supply Chain A complex supply chain attack, attributed to the "Mini Shai-Hulud" or "Miasma: The Spreading Blight" campaign, has compromised 32 @redhat-cloud-services npm packages across 96 versions. The attackers used a critical logic flaw in npm's GitHub Actions trusted publishing mechanism, enabling the deployment of a worm that harvests multi-cloud credentials. This worm exfiltrates sensitive data, self-propagates across repositories, attempts container escapes, and establishes persistence within AI development systems. The malicious payload remains active, with the current latest version for every affected package delivering the exploit. The attack bypassed standard security controls by manipulating the GitHub Actions workflow, leading to the signing and distribution of malicious artifacts with valid npm provenance. This incident shows supply chain attacks are becoming more sophisticated and demonstrates the critical need for strong validation processes beyond mere provenance checks. The compromise of Red Hat's widely used cloud services packages shows the effects such vulnerabilities can have in the development ecosystem. This event shows a broader trend of faster exploitation timelines and more varied attack vectors. Examples include recent Google Android zero-day patches, successful Instagram account hijacks via Meta's AI support bot, and Iran's expansion of the Handala brand into physical threat operations. Each incident demonstrates distinct challenges in defending against modern cyber threats, from software vulnerabilities and social engineering to nation-state influence. How was the "Miasma" campaign deployed against Red Hat packages? The "Miasma" campaign was deployed by exploiting a logic flaw in npm's GitHub Actions trusted publishing, which binds trust to the repository and workflow filename but not to the branch or ref. An unnamed attacker pushed short-lived oidc- branches to three RedHatInsights repositories: javascript-clients, frontend-components, and platform-frontend-ai-toolkit. On these branches, the attacker rewrote the legitimate CI workflow (ci.yml or release.yml) into a self-publishing job that executed a Bun worm with id-token: write permissions. This worm then exchanged the workflow's OIDC token for npm publish tokens, enabling it to repackage the legitimate npm tarballs. A malicious preinstall hook and a 4.3 MB index.js dropper were injected into these packages. The modified packages were subsequently republished with valid npm provenance, deceiving automated verification systems. The malicious publishes occurred in three waves, with the third wave's payloads remaining the live latest versions for all affected packages. The injected preinstall hook executes the dropper, which ROT-9 decodes a loader that then AES-128-GCM decrypts a 634 KB Bun script payload. If the Bun runtime is not present on the system, the loader downloads it directly from github.com/oven-sh/bun/releases/download/bun-v1.3.13 and executes the decrypted payload using this runtime. This method ensures the worm operates independently of the victim's Node.js installation. Campaign Details and Impact The "Miasma" payload is a harvester of multi-cloud credentials, obfuscated with string-array and PBKDF2 + SHA-256-keystream S-box ciphers. It targets credentials from major cloud providers, development tools, and password managers. Targeted Credentials: Cloud Providers: AWS (IMDSv2, ECS, Secrets Manager, SSM), Azure (managed identity), GCP (service accounts). DevOps & Authentication: HashiCorp Vault tokens, Kubernetes service account tokens, GitHub Personal Access Tokens (PATs), npm tokens, CircleCI, Travis CI, Jenkins, GitLab CI, Buildkite, and Vercel credentials. Local Storage: Bitwarden and gopass vaults, ~/.npmrc, ~/.netrc, shell history, and database history files. API Keys: Anthropic API keys, Stripe sk_/pk_ keys. Propagation Mechanisms: npm Republishing: The payload calls OIDC token exchange and whoami endpoints, repackages tarballs (updateTarball), and signs artifacts via Sigstore. Stolen credentials are exfiltrated to attacker-created public GitHub repositories with the description Miasma: The Spreading Blight. CI Workflow Injection: The worm enumerates GitHub repositories with write access, reads action.yml/action.yaml via GraphQL, and commits a malicious workflow to .github/workflows/codeql.yml on a new branch named chore/add-codeql-static-analysis. This workflow pins actions/checkout to a specific commit hash, masquerading as a security improvement. Advanced Capabilities: Container Escape: Attempts to reach the Docker socket to launch a container that bind-mounts the host /etc/sudoers.d and grants the CI runner passwordless sudo. EDR Awareness: Probes for the presence of endpoint protection solutions such as CrowdStrike, SentinelOne, Carbon Black, and StepSecurity Harden-Runner before executing sensitive operations. AI-Agent Persistence: Installs persistence within developer tooling by targeting .claude/settings.json (with a SessionStart reference) and .vscode/tasks.json. Anti-Analysis: Uses environment variables like FAKE_PLATFORM, TESTING_TAR_FAKE_PLATFORM, __IS_DAEMON, or SKIP_DOMAIN to suppress specific behaviors when detected in automated analysis environments. The initial access method, allowing the attacker to push branches to the RedHatInsights repositories, remains an open question, although git author metadata was forged to appear as a real Red Hat engineer. How did hackers hijack Instagram accounts using Meta's AI support bot? Hackers successfully hijacked several Instagram accounts by exploiting a logic flaw in Meta's AI support assistant. The targeted accounts included those belonging to the beauty brand Sephora, US Space Force Chief Master Sergeant John Bentivegna, security researcher Jane Wong, and the archived Barack Obama White House account, which boasts over two million followers. This incident occurred over a weekend and was reported by many users on platforms like X and Reddit. The exploitation process began with the attackers using a VPN to spoof their geographical location, choosing one near the intended victim. This step helped to circumvent Instagram's security flags based on location. Subsequently, the attackers initiated a chat with Meta's AI support assistant, which had been introduced in March 2026 to facilitate tasks such as password resets without human intervention. The hackers provided the AI bot with the username of the target account and requested to add a new email address. Due to a critical logic flaw, the AI assistant incorrectly sent the security verification code to the attacker's email address instead of the legitimate account owner's. Upon receiving and inputting this code, the bot then presented the attacker with an option to change the password. This method also bypassed two-factor authentication (2FA), a common security measure designed to prevent unauthorized access. The system accepted fake selfie videos, likely generated by AI tools, to bypass identity verification. The legitimate account owners received no warnings, texts, or emails regarding these unauthorized changes. Following the hijack, some accounts, such as the archived Barack Obama White House profile, were used to post fabricated images and pro-Iranian messages, including a statement reading, "The White House is under Shiites' control." Step-by-step videos detailing this exploitation circulated rapidly within blackhat hacking groups on Telegram, leading to the theft and sale of valuable short handles. Meta spokesperson Andy Stone confirmed the issue was fixed and efforts were underway to secure affected accounts. Which Android zero-day did Google patch in June 2026? Google patched one actively exploited Android zero-day, tracked as CVE-2025-48595, as part of its June 2026 security updates. This high-severity vulnerability resides within the Android Framework component. In total, Google addressed 124 flaws across the Android ecosystem with this update. CVE-2025-48595 can be exploited by local attackers to achieve code execution and escalate privileges on devices running Android 14 or later. While Google has not disclosed specific technical details or identified the actors behind the ongoing attacks, the company's bulletin notes "indications that CVE-2025-48595 may be under limited, targeted exploitation." Historically, similar zero-day vulnerabilities in Android have been exploited by commercial spyware vendors and nation-state operations targeting high-profile individuals. This vulnerability shows the ongoing threat of advanced persistent threats using mobile platforms. Beyond this zero-day, the June 2026 patches included fixes for 18 critical vulnerabilities across System, Framework, and Qualcomm closed-source components. These critical issues can lead to remote escalation of privilege without requiring additional execution privileges or user interaction for exploitation. Google encourages all users to update to the latest Android version where possible, as enhancements in newer platforms make exploitation more difficult. The security updates were released in two patch levels: 2026-06-01 and 2026-06-05. The latter bundles all fixes from the first batch, along with patches for closed-source third-party and kernel subcomponents. Google Pixel devices received these updates immediately, while other Android vendors typically require additional time to test and adapt the patches for their specific hardware configurations. This is not the first actively exploited zero-day Google has patched this year; previous updates in December addressed CVE-2025-48633 and CVE-2025-48572, and in March, CVE-2026-21385 (a Qualcomm display component flaw) was patched. For more information on mobile security, see our analysis of a actively exploited zero-day vulnerability affecting Android devices. How is AI accelerating vulnerability exploitation and challenging traditional defenses? Artificial intelligence (AI) is accelerating vulnerability exploitation timelines, compressing the window between disclosure and widespread exploitation from days to mere hours. This rapid acceleration challenges traditional vulnerability management strategies, as remediation and patching processes, which often take weeks, cannot keep pace. The Verizon 2026 DBIR indicates that the median time to patch a critical vulnerability increased year-over-year, from 32 to 43 days, a timeline too slow for the new AI-driven threat environment. AI tools automate vulnerability research for both defenders and attackers. For example, Anthropic's Project Glasswing, using Claude Mythos Preview, reportedly identified over 10,000 high or critical-severity vulnerabilities in important software within a single month. Attackers use similar AI capabilities to quickly identify, reproduce, and weaponize vulnerabilities, leading to indiscriminate exploitation across the internet almost immediately after disclosure. This phenomenon creates an imbalance where attackers operate on timelines measured in hours, while defenders are still operating in weeks. Regulators, such as India's CERT-IN, have begun issuing guidance pushing for sub-day patching expectations for critical vulnerabilities, showing the urgency. However, this demand often overlooks the operational realities of complex enterprise environments, which involve rigorous testing, change windows, business approvals, and compliance obligations. Given that full remediation often cannot match the speed of AI-driven exploitation, security teams must shift their operating models to preempt, validate, and mitigate threats. This shift involves three key steps: first, preempting which vulnerabilities are most likely to be exploited based on traits like broad deployment, internet reachability, and repeatable exploitation; second, rapidly reacting to emerging threats by validating specific organizational exposure and determining exploitability; and third, mitigating risk with temporary controls (e.g., access restrictions, WAF rules, IDS/IPS updates) to buy time for thorough remediation. Solutions like the watchTowr Platform aim to provide preemptive exposure management using AI by identifying exploitable weaknesses and enabling autonomous mitigation to align defender timelines with attacker speeds. How is Iran's MOIS expanding its Handala brand into physical threats and influence operations? Iran's Ministry of Intelligence (MOIS) has expanded its "Handala" brand, traditionally associated with hacktivist cyber operations, to encompass external physical and influence operations targeting US and Israeli interests. This strategic shift uses the global recognition of the Handala brand to amplify MOIS's broader solicitation efforts for physical attacks and espionage. This approach integrates cyber, physical, and influence personas, increasing reach and impact. The expansion includes newly identified threat actor personas alongside the established Handala Hack Team: Handala Popular Resistance Front (HPRF): A newly created persona claiming responsibility for physical attacks within Israel. For instance, the HPRF claimed an arson targeting an Israeli law enforcement official's vehicle in April 2026. This persona directly solicits individuals to conduct physical attacks and espionage, operating within Israel. VIPEmployment: An online network engaging in coordinated inauthentic behavior (CIB) to recruit proxies outside Iran. This persona uses Telegram bots (e.g., @VIPEmployment02Bot) to solicit individuals globally for physical attacks (e.g., killing soldiers, assassinating businessmen, burning consulate buildings, targeting gas pipelines) and espionage against US and Israeli targets for financial rewards. MOISIRAN: A Telegram persona, created in April 2026, which posts purported surveillance footage of Israeli intelligence and military personnel, including individuals from Shin Bet, Mossad, and Unit 8200, as well as Israeli nuclear scientists. MOISIRAN also claims to have successfully recruited an Israeli police officer to share sensitive intelligence. It actively amplifies VIPEmployment's recruitment efforts. Brave Israel: An earlier persona, mostly inactive now, that functioned as a prototype for recruiting and amplifying proxy threat activities. In December 2024, Brave Israel solicited low-level physical threat activities like vandalism, graffiti, and burning cars for monetary rewards in Tel Aviv. It now promotes Handala Hack Team, VIPEmployment, and MOISIRAN content. These personas are assessed to be coordinated by MOIS and are likely part of the Void Manticore (TAG-145, Red Sandstorm, Banished Kitten) cluster, known for targeting Israel and Iranian opposition groups. The combined activities create a complex threat, using Handala Hack Team's cyber reputation to give credibility to physical threat operations and expand the pool of potential recruits for espionage and sabotage. This integration of capabilities can enable advanced targeting through cyber-enabled physical attacks and influence operations, posing increased risks for law enforcement, military, intelligence agencies, and critical infrastructure sectors in US and Israeli regions. Technical Takeaways Supply chain attacks are increasingly complex, bypassing traditional security measures by exploiting trusted publishing mechanisms in CI/CD pipelines. AI-driven tools are compressing vulnerability exploitation windows, requiring real-time threat detection and mitigation strategies. Mobile operating systems remain a key target for actively exploited zero-day vulnerabilities, often used in targeted attacks by sophisticated actors. Logic flaws in emerging AI-powered support systems create novel attack surfaces for social engineering and account compromise, even bypassing multi-factor authentication. Nation-state actors are broadening their operational scope to integrate physical threats, espionage, and influence campaigns with cyber capabilities for impact across multiple domains. --- ## CVE-2026-8206 Kirki Privilege Escalation (CVSS 9.8) - URL: https://purple-ops.io/blog/cve-2026-8206-kirki-privilege-escalation - Date: 2026-06-03 - Category: CVE Analysis - Tags: wordpress, kirki-plugin, cve-2026-8206, privilege-escalation, unauthenticated - Reading time: 5 min | CVSS: 9.8 **Summary:** Kirki plugin CVE-2026-8206 (CVSS 9.8) enables unauthenticated privilege escalation, allowing attackers to hijack WordPress admin accounts on 150,000 sites. CVE-2026-8206 Kirki Privilege Escalation (CVSS 9.8) The Kirki plugin for WordPress has a critical vulnerability, CVE-2026-8206. This unauthenticated privilege escalation flaw, with a CVSS severity score of 9.8, exposes web infrastructure to malicious attacks. Threat actors are actively exploiting CVE-2026-8206 to hijack administrative accounts, creating an immediate threat for approximately 150,000 vulnerable sites. The issue, introduced in the Kirki 6.0 major release, allows a remote adversary to gain full administrative control over affected WordPress installations. The flaw stems from a critical logic error in the plugin's REST API endpoint for password reset requests. Immediate action, including applying vendor updates, is necessary to reduce the risk. This article describes CVE-2026-8206, its technical details, impact, exploitation status, and remediation steps. Organizations managing WordPress sites with the Kirki plugin must patch immediately to prevent unauthorized access and potential site compromise. What is the Impact of CVE-2026-8206? An attacker exploiting CVE-2026-8206 can gain full administrative control over a vulnerable WordPress installation, compromising the entire site. This unauthenticated privilege escalation allows an adversary to bypass authentication and reset the password of any administrative account. The flaw's severity is shown by its CVSS score of 9.8, classifying it as critical. With administrative access, attackers can install malicious plugins, modify site content, or deploy web shells for persistent access. This lets them inject malware, deface websites, redirect visitors, or steal sensitive data. WordPress is widely used, and the Kirki plugin is popular, so this vulnerability affects thousands of websites globally. Our prior analysis of a similar WordPress plugin RCE also shows the risk from such flaws. Organizations operating WordPress sites with the Kirki plugin installed, specifically versions 6.0.0 through 6.0.6, are at risk. While the extension has over 500,000 active installations, researchers estimate about 150,000 sites use a vulnerable version because the issue appeared in the 6.0 major release. This large attack surface requires immediate attention from web administrators to prevent an administrative account takeover. How is CVE-2026-8206 Exploited? CVE-2026-8206 is exploited through an unauthenticated privilege escalation due to a logic flaw in the Kirki plugin's custom REST API endpoint for password reset requests. The main issue is in the plugin's frontend account management features. This flaw requires no prior authentication, allowing any remote adversary to initiate the attack. The exploitation begins with an attacker submitting a crafted request to the plugin's exposed REST API endpoint. Specifically, the vulnerability is in the handle_forgot_password() function of the CompLibFormHandler class. This function processes "forgot password" requests and accepts both a username parameter and a target email address in the incoming request body. The logic flaw occurs in the email verification process. The software identifies the targeted user account by matching the provided username. However, instead of using the email address associated with the identified account, the function uses the email address supplied directly in the attacker's request. This means an unauthenticated attacker can submit a high-privilege username (e.g., an administrator's username) along with an external inbox address they control. The vulnerable system then generates a valid password reset key and sends it directly to the attacker's specified email address. Using this link, the attacker can set a new password for the targeted high-privilege account, gaining full control. Threat intelligence confirms malicious groups are actively exploiting this defect. Wordfence, a WordPress security company, reported its firewall systems blocked 59 attacks targeting CVE-2026-8206 within a 24-hour period. This rapid exploitation shows the immediate threat to unpatched corporate websites. Security researcher CHOIGYEONGMIN responsibly disclosed the issue through a bug bounty program. Recent reports on actively exploited web server vulnerabilities, like our analysis of a LiteSpeed cPanel plugin flaw, show the continuous threat from such exploited flaws in web infrastructure components. Affected Products and Versions The CVE-2026-8206 vulnerability impacts the Kirki plugin for the WordPress content management system. The flaw was introduced with the plugin's 6.0 major release. Affected versions: Kirki plugin for WordPress, versions 6.0.0 through 6.0.6 The vulnerability does not affect Kirki plugin versions prior to 6.0.0, as the vulnerable code was not present in those releases. Approximately 150,000 WordPress sites are estimated to run one of the vulnerable versions. Detection Detecting exploitation attempts or successful compromise related to CVE-2026-8206 requires careful monitoring of WordPress logs, web application firewall (WAF) alerts, and user activity. Security teams should use these detection strategies: WordPress Access Logs: Monitor requests to the Kirki plugin's custom REST API endpoint for password resets. The specific endpoint path may vary but usually involves /wp-json/ followed by Kirki-specific identifiers for account management. Look for a high number of password reset attempts for high-privilege usernames (e.g., 'admin', 'administrator'). Identify password reset requests where the email address in the request body does not match the known email address for the associated username, particularly if the supplied email is external or suspicious. Analyze HTTP request payloads for the handle_forgot_password() function within the CompLibFormHandler class context. Web Application Firewall (WAF) Logs: Review WAF logs for blocked attempts targeting the Kirki plugin's REST API password reset endpoint. WAF rules configured to detect unusual behavior or suspicious API calls may trigger alerts. Look for patterns showing rapid-fire attempts or attempts from unusual geographical locations that might suggest automated exploitation. User Activity Monitoring: Monitor WordPress user logs for sudden password changes for administrative accounts not initiated by a known, legitimate administrator. Investigate the creation of new administrator accounts that cannot be attributed to authorized personnel. Look for unauthorized plugin installations or modifications to existing site content or theme files after a suspicious password reset. Track changes to core WordPress files or the presence of new files that could indicate web shell deployment. Endpoint Detection and Response (EDR) Queries: If EDR is deployed on the underlying server, query for processes initiated by the web server that perform unusual file modifications or network connections, potentially showing post-exploitation activities such as web shell execution. Remediation Timely remediation is important to protect WordPress sites from CVE-2026-8206 exploitation. The main remediation step is to apply the official vendor updates. Patching: Upgrade the Kirki plugin to version 6.0.7 or later immediately. This version contains the security fixes to fix the exploit path. The update addresses the logic flaw in the handle_forgot_password() function, ensuring password reset emails go only to the email address associated with the user account, not to an attacker-supplied address. Regularly check for and apply updates for all WordPress core, themes, and plugins to keep good security. Workarounds and Mitigations: Use a Web Application Firewall (WAF): Configure WAF rules to detect and block suspicious requests targeting the Kirki plugin's password reset REST API endpoint. While not a substitute for patching, a WAF can help reduce exploitation attempts temporarily. Disable unnecessary REST API access: If the Kirki plugin's frontend account management features, including password resets via REST API, are not actively used, consider disabling or restricting access to the specific API endpoint. This may require custom development or the use of other security plugins. Post-Compromise Actions and Monitoring: Audit user registries: Immediately after patching, audit all WordPress user accounts for any unauthorized administrator profiles or suspicious changes to existing user privileges. Remove any unauthorized accounts and revoke elevated privileges if necessary. Review site integrity: Check for any unauthorized plugin installations, modifications to site content, or the presence of unexpected files that could indicate a web shell or other malicious files. Restore from a clean backup if compromise is suspected. Enable multi-factor authentication (MFA): Enforce MFA for all administrative accounts to add another layer of security, making it harder for attackers to maintain access even if they reset a password. Technical Takeaways CVE-2026-8206 is an unauthenticated privilege escalation vulnerability in the Kirki WordPress plugin, with a CVSS score of 9.8. The flaw exists in the handle_forgot_password() function in the CompLibFormHandler class, allowing an attacker to specify any email for password reset links. Exploitation grants an unauthenticated attacker full administrative control over affected WordPress sites, allowing installation of malicious plugins, modification of content, and deployment of web shells. Kirki plugin versions 6.0.0 through 6.0.6 are vulnerable, affecting approximately 150,000 WordPress installations. Threat intelligence confirms active exploitation of CVE-2026-8206. Immediate patching to Kirki 6.0.7 or later is the key remediation. --- ## SafePay Ransomware Hits 6 Victims Across Key Sectors - URL: https://purple-ops.io/blog/safepay-ransomware-threat-activity-diverse-sectors - Date: 2026-06-02 - Category: Ransomware Report - Tags: none - Reading time: 5 min **Summary:** SafePay ransomware led recent activity with 6 new victims, impacting diverse sectors like transportation and professional services in the US and Europe. SafePay Ransomware Activity Targets Diverse Sectors (6 Victims) Statistical Overview Victim Totals This month: 50 This quarter: 1596 Year to date: 4221 Last 24h: 23 Quarterly Breakdown Q1: 2631 | Q2: 1596 | Q3: 0 | Q4: 0 Ransomware activity reported 23 new victims in the last 24 hours. The quarterly total of 1596 shows continued threat actor activity, with the last 24 hours having a moderate number of new victim disclosures. Introduction In the last 24 hours, ransomware groups disclosed 23 new victims. SafePay was the most active with six victims, followed by BlackX with four. Groups like Nova (RALord) and CoinbaseCartel were also active. Primary targets included entities in Transportation & Logistics, Professional Services, and Healthcare. Attacks concentrated in the United States and Europe, especially Germany, Italy, and France. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1SafePay6Compactmould.com, Lcnet.eu, Parsa-beauty.de (+3)Germany, ItalyTransportation & Logistics, Professional Services 2BlackX4African national congress, Case.law, Elektroverband-bayern (+1)Germany, United StatesHealthcare, Professional Services 3CoinbaseCartel2Cambridge mobile telematics, Panasonic.aeroUnited StatesTransportation & Logistics, Technology / Software 4Krybit2Activ88-interim.com, Www.transbras.com.gtGuatemala, FranceProfessional Services, Transportation & Logistics 5Nova (RALord)2Everlite concept, Ibena textilwerkeGermany, FranceConstruction & Engineering, Manufacturing 6Qilin2Clinica maitenes, Nova medical productsUnited States, ChileHealthcare 7APT731Elections.mia.gov.am from wolves of turanArmeniaGovernment / Public Sector 8Anubis1Power & telUnited StatesTelecommunications 9Interlock1Cold front distributionUnited StatesAgriculture & Food 10Shadowbyt3s1Cropwise (syngenta group)SwitzerlandAgriculture & Food 11Space Bears1StellarFranceTelecommunications SafePay led activity with six new victims, as reported in SafePay ransomware's operations. It primarily impacted Transportation & Logistics and Professional Services across Germany and Italy. BlackX followed with four victims, targeting entities in Healthcare and Professional Services, including the African National Congress, and showing activity in Germany and the United States. CoinbaseCartel and Krybit both focused on Transportation & Logistics and Professional Services, with victims in the United States, Guatemala, and France. Overall, 11 groups contributed to the victim count, with varied targeting strategies across multiple geographies. Victim Distribution By Country United States: 6 Germany: 4 Italy: 3 France: 3 Switzerland: 1 South Korea: 1 South Africa: 1 Armenia: 1 Guatemala: 1 Chile: 1 By Industry Consumer Goods: 1 Telecommunications Equipment Distribution: 1 Software Development: 1 Legal Research: 1 Hospital & Health Care: 1 Grocery and Foodservice Distribution: 1 Aviation & Aerospace: 1 Agricultural Technology and Innovation: 1 Plastic Surgery: 1 Political Organization: 1 The United States remains the most targeted country, followed by European nations such as Germany, Italy, and France. Industry targeting is fragmented, with Professional Services and Transportation & Logistics frequently appearing among impacted sectors. This suggests broad, opportunistic targeting by multiple ransomware groups. Ransomware News Topline - Recent threat intelligence shows evolving ransomware tradecraft, exemplified by a new variant, and demonstrates the importance of strong incident response methods. Campaigns & Operations - Analysis of the EndPoint ransomware, a Midnight-era variant built on the Babuk framework, shows it targets Windows, ESXi, and NAS environments. This ransomware uses a double-extortion model, encrypting data with ChaCha20 and an in-house RSA operation for session key protection. EndPoint specifically targets folders, network shares, and file extensions, while terminating key processes and deleting volume shadow copies. This shows a focused approach to data encryption and system disruption. Vulnerabilities & TTPs - EndPoint ransomware's methods include terminating critical backup and security services such as VSS, SQL, Veeam, and Sophos, along with deleting volume shadow copies via vssadmin. To counter these tactics, effective incident response techniques focus on fast, data-driven detection using tools like EDR, SIEM, SOAR, and XDR. They also use network segmentation and isolation to contain threats and prevent lateral movement. Analyst Note - These developments show organizations continually need to understand emerging ransomware variants and maintain agile, complete incident response frameworks to mitigate their impact. Technical Takeaways SafePay is the most active group, accounting for 6 of the 23 new victims. It primarily targets Transportation & Logistics and Professional Services. BlackX targets diverse sectors, including Healthcare, Professional Services, and a political organization. Multiple ransomware groups, including CoinbaseCartel, Krybit, and Nova (RALord), show varied targeting across sectors such as Transportation & Logistics, Professional Services, and Manufacturing. Geographically, the United States, Germany, Italy, and France are the most frequently impacted regions. The newly analyzed EndPoint ransomware variant uses the Babuk framework to target Windows, ESXi, and NAS environments. It uses ChaCha20/RSA encryption and aggressive tactics such as vssadmin for shadow copy deletion and service termination. --- ## CVE-2026-0257 GlobalProtect Bypass (CVSS 7.8) - URL: https://purple-ops.io/blog/cve-2026-0257-globalprotect-bypass - Date: 2026-06-02 - Category: CVE Analysis - Tags: cve-2026-0257, palo-alto-networks, globalprotect, authentication-bypass, actively-exploited - Reading time: 5 min | CVSS: 7.8 **Summary:** Palo Alto Networks GlobalProtect CVE-2026-0257, an authentication bypass (CVSS 7.8), is actively exploited, granting unauthorized VPN access. CVE-2026-0257 GlobalProtect Bypass (CVSS 7.8) Palo Alto Networks has addressed an authentication bypass vulnerability, identified as CVE-2026-0257, affecting its PAN-OS GlobalProtect VPN portal and gateway. This flaw enables attackers to circumvent authentication mechanisms and gain unauthorized access to VPN services without valid user credentials. The vulnerability was initially assigned a CVSS score of 7.8, classifying it as medium severity, though cybersecurity researchers urge organizations to treat it with urgent attention due to its active exploitation. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog, showing the threat this vulnerability poses. Observed exploitation attempts began as early as mid-May, with a subsequent increase in activity. These attacks successfully used the flaw across multiple customer environments, showing the operational impact and the necessity for prompt remediation. This post details the technical aspects of CVE-2026-0257, its exploitation chain, affected components, and guidance for detection and remediation. The information presented is derived from vendor advisories and independent security research, intended for network engineers and security analysts responsible for maintaining Palo Alto Networks infrastructure. What is CVE-2026-0257 and why is it critical? CVE-2026-0257 is an authentication bypass vulnerability within Palo Alto Networks PAN-OS GlobalProtect VPN products. It allows an unauthenticated attacker to gain access to VPN sessions by forging authentication override cookies. Despite an initial CVSS score of 7.8, which typically denotes medium severity, the operational implications of this vulnerability are considered critical by Rapid7 and Suzu Labs due to its nature and active exploitation. The criticality of CVE-2026-0257 stems from an attacker's ability to establish an unauthenticated VPN session directly into an organization's internal network. While the base CVSSv4 calculation may factor in direct impact primarily as a VPN connection, the downstream impact to the underlying network makes this a severe event. Security researchers at Rapid7 explicitly advise organizations to treat this flaw as a critical vulnerability, stating that an authentication bypass in an edge-facing enterprise VPN appliance can significantly affect compromised organizations. Denis Calderon, CTO and Principal at Suzu Labs, characterizes an unauthenticated VPN session as an administrative user into the internal network as a critical event without qualification. Impact An attacker exploiting CVE-2026-0257 can bypass standard authentication mechanisms for Palo Alto Networks PAN-OS GlobalProtect VPN portal and gateway. This leads to unauthorized VPN access without requiring legitimate user credentials. The primary risk involves an attacker gaining a foothold within the target network perimeter. Specifically, successful exploitation permits an adversary to impersonate legitimate users and establish authenticated sessions with GlobalProtect gateways. Observed instances show that in some exploitation instances, attackers were assigned valid VPN addresses, effectively granting them access to the internal network. This network access represents a security breach, offering a pathway to internal resources. While initial reports from Rapid7 did not observe indications of successful lateral movement from the compromised GlobalProtect devices themselves, the establishment of an authenticated VPN session is a step for further reconnaissance and lateral movement within a compromised environment. Organizations utilizing Palo Alto Networks GlobalProtect for remote access are at risk if their devices are unpatched and configured vulnerably. The unauthorized access potentially exposes sensitive internal systems and data to adversaries. Exploitation Chain The exploitation of CVE-2026-0257 hinges on a specific misconfiguration within the "authentication override" feature of Palo Alto Networks PAN-OS GlobalProtect. This feature enables a GlobalProtect portal or gateway to issue cookies to an authenticated user, which can then be used in subsequent communications to bypass re-authentication, functioning similarly to a bearer token. This functionality is not enabled by default. The vulnerability arises when two conditions are met: Authentication Override Enabled: The GlobalProtect portal or gateway must be configured to use authentication override cookies. Certificate Misconfiguration: The certificate used to encrypt and decrypt these authentication override cookies must be the same certificate utilized for the GlobalProtect portal or gateway's HTTPS service. Under this specific certificate misconfiguration, the system trusts decrypted cookies without adequately verifying their authenticity. If an administrator reuses the same certificate for both HTTPS services and authentication cookie encryption, an attacker can obtain the certificate's public key. With this public key, an adversary can then generate forged authentication override cookies. These maliciously crafted cookies are subsequently accepted as valid by the vulnerable PAN-OS VPN gateway, allowing the attacker to establish an authenticated VPN session as an impersonated user. Rapid7 successfully developed and demonstrated a Proof-of-Concept (PoC) tool validating this attack method. Their PoC showed that a forged cookie could be accepted by vulnerable GlobalProtect gateways, leading to the successful establishment of authenticated sessions. This capability directly correlates with observed in-the-wild exploitation. Rapid7 documented successful attacks across numerous customer environments beginning around May 17, with a second distinct wave of activity noted on May 21. These real-world attacks involved adversaries using forged authentication cookies to impersonate valid users, some of whom subsequently received VPN addresses and established internal network connectivity. CISA's addition of CVE-2026-0257 to its Known Exploited Vulnerabilities catalog further confirms active exploitation. This vulnerability represents another instance of security issues affecting Palo Alto Networks products under active attack, a trend discussed in our prior analysis of another Palo Alto PAN-OS vulnerability (CVE-2024-3400) and its active exploitation. Affected Products and Versions The vulnerability CVE-2026-0257 affects the Palo Alto Networks PAN-OS GlobalProtect portal and gateway components. The vendor advisory for CVE-2026-0257 states that the flaw impacts various versions of PAN-OS. While the source material indicates these versions are listed in the official Palo Alto Networks advisory, the research findings provided do not enumerate the specific version numbers or ranges. Organizations should consult the official Palo Alto Networks security advisory for a definitive list of all affected PAN-OS versions. Detection Detecting exploitation attempts related to CVE-2026-0257 involves monitoring for anomalous VPN authentication and connection patterns, given that the attack vector involves forged authentication cookies. The core challenge is that the forged cookies are accepted as legitimate by the vulnerable system, making detection of the forgery difficult without specific telemetry. Key areas for detection include: Authentication Logs: Monitor GlobalProtect authentication logs for successful logins from unusual or unexpected source IP addresses, especially those not associated with known organizational VPN users or locations. Look for a high volume of successful VPN authentications within a short period from a single source IP that is not typical for legitimate users. Investigate successful authentications that occur outside of normal business hours or from geographic regions not aligned with employee travel or remote work policies. Correlate successful VPN logins with subsequent activity logs from the same user account for any immediate suspicious actions that deviate from established baselines. VPN Connection Metrics: Observe the assignment of VPN addresses to unknown or suspicious user accounts. Track the total number of concurrent VPN connections; significant spikes might indicate unauthorized access, especially if not correlated with legitimate business needs. Analyze bandwidth usage and data transfer patterns for VPN sessions. Unusual data egress or unexpected internal network scanning originating from a VPN-assigned IP address can be indicative of compromise. System Configuration Audits: Regularly audit GlobalProtect portal and gateway configurations to verify whether the "authentication override" feature is enabled. Specifically check the certificate configuration. Confirm that the certificate used for encrypting and decrypting authentication override cookies is distinct from the certificate used for the GlobalProtect portal/gateway's HTTPS service. A misconfiguration here is a direct indicator of vulnerability. Network Flow Data: Analyze NetFlow or IPFIX data for connections originating from VPN-assigned IP ranges to internal network segments that are typically restricted or not accessed by VPN users. Look for lateral movement attempts from VPN-connected devices to critical internal assets, domain controllers, or sensitive data repositories. Increased scanning activity targeting Palo Alto Networks products, as discussed in our analysis of broader threat environment for Palo Alto products, should prompt heightened vigilance for such authentication bypass attempts. Remediation Addressing CVE-2026-0257 requires immediate action to prevent or mitigate active exploitation. Remediation involves applying the vendor-supplied patch. In situations where immediate patching is not feasible, specific workarounds and mitigations can reduce exposure. Patching Apply Vendor Patch Immediately: Organizations should apply the official patch released by Palo Alto Networks for PAN-OS GlobalProtect as soon as possible. This is the recommended solution to eliminate the vulnerability. Consult the official Palo Alto Networks security advisory for the specific patch versions relevant to your deployment. Workarounds and Mitigations If immediate patching is not possible, the following mitigations can reduce the risk of exploitation: Dedicated Certificate for Authentication Override Cookies: Generate a new, unique digital certificate specifically for encrypting and decrypting authentication override cookies. Ensure this dedicated certificate is stored securely and not reused for any other service, especially not for the GlobalProtect portal or gateway's HTTPS service. Strictly avoid sharing this certificate with other features or users within the network infrastructure. This separation prevents attackers from using an exposed HTTPS certificate to forge authentication cookies. Disable Authentication Override Entirely: Access the configuration settings for the GlobalProtect portal and gateway. Locate the "authentication override" feature options. Disable this feature completely by unchecking all options related to both the generation and acceptance of authentication override cookies. This removes the attack vector entirely, though it may require users to re-authenticate more frequently. Monitoring: Implement enhanced monitoring of GlobalProtect VPN authentication and session logs. Look for any anomalous login patterns, such as connections from unexpected geographical locations, unusual times, or unknown user accounts. Monitor for any suspicious activity originating from newly established VPN sessions, including attempts at lateral movement or access to sensitive internal resources. These steps, prioritized with patching, are important for securing Palo Alto Networks PAN-OS GlobalProtect deployments against CVE-2026-0257. Technical Takeaways CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect VPN portal and gateway components. The vulnerability carries an initial CVSS 7.8 score, but its active exploitation and operational impact warrant attention from security teams. Exploitation uses a misconfiguration where the same certificate is used for both the GlobalProtect HTTPS service and authentication override cookie encryption. Attackers can forge authentication override cookies to gain unauthorized VPN access, potentially leading to internal network infiltration. Immediate remediation involves applying the vendor-supplied patch or implementing specific mitigations such as using a dedicated certificate for authentication override cookies or disabling the feature entirely. --- ## Pro-Iran Hackers Exploit Meta AI to Seize Instagram - URL: https://purple-ops.io/blog/pro-iran-hackers-meta-ai-instagram - Date: 2026-06-02 - Category: Threat Intelligence - Tags: none - Reading time: 11 min **Summary:** Pro-Iran hackers exploited Meta's AI support bot to compromise high-profile Instagram accounts, demonstrating a new social engineering vector. Pro-Iran Hackers Exploit Meta AI to Seize Instagram An attack targeting Meta's AI support assistant bot has enabled pro-Iran hackers to compromise several prominent Instagram accounts, including those associated with the Obama White House and the Chief Master Sergeant of the U.S. Space Force. The exploitation, which surfaced with instructions circulating on Telegram on May 31, 2026, allowed threat actors to bypass traditional security measures and execute unauthorized password resets and account takeovers. This incident shows a new area in social engineering, where artificial intelligence interfaces designed for user convenience become avenues for malicious activity. The method used a critical design flaw in Meta's AI chatbot, allowing attackers to trick the automated assistant into initiating account recovery procedures for unsuspecting targets. This led to the defacement of the high-profile accounts with pro-Iranian imagery and messages. This showed the potential for significant reputational damage and the ease with which AI systems can be manipulated when not adequately secured against social engineering tactics. Meta confirmed the issue and swiftly deployed an emergency patch to mitigate the vulnerability and secure affected accounts. This AI-based social engineering campaign is among several critical cybersecurity developments observed in the last 24 hours. Security agencies and researchers are dealing with active exploitation of a severe remote code execution flaw in Windows Netlogon, an authentication bypass in Palo Alto Networks GlobalProtect VPNs, and a zero-day vulnerability impacting the Android Framework. These incidents collectively show a dynamic threat environment characterized by innovative attack vectors and persistent targeting of foundational software and network infrastructure. How did threat actors trick Meta's AI assistant? Pro-Iran hackers successfully manipulated Meta's AI support assistant bot through a series of social engineering steps. Its design facilitated unauthorized account takeovers on Instagram. The method, widely shared and demonstrated in videos on Telegram channels, hinged on the bot's willingness to add a new email address to an existing account as part of its standard password reset workflow. This approach bypassed complex technical exploits by relying on the chatbot's conversational capabilities. The attack typically began with the actor using a Virtual Private Network (VPN) to establish a connection from an IP address geographically close to the target account's usual login location. This step aimed to make the subsequent password reset request appear more legitimate to automated security systems. Then, the attacker would initiate a password reset for the target Instagram account and select the option to engage with Meta's AI support assistant for assistance. The AI bot, designed to simplify account recovery, became an unwitting accomplice in the compromise. During the chat, the attacker would instruct the AI bot to link the target account to a new, attacker-controlled email address. The bot, seemingly programmed to assist with account access issues, would then send a one-time verification code to this newly linked email. With this code, the pro-Iran hackers could complete the password reset process, gaining full control of the Instagram account. Evidence of the successful attacks, including screenshots of defaced accounts featuring pro-Iran messages, was subsequently posted on Telegram, showing the exploit's effectiveness. Meta responded quickly to the emerging threat, deploying an emergency patch over the weekend of June 1, 2026, to address the vulnerability within its AI support system. Company spokesperson Andy Stone confirmed on X (formerly Twitter) that the issue had been resolved and that all impacted accounts were being secured. Cybersecurity analysis from TheCyberSecGuru.com indicated that no backend database breach occurred; the weakness was confined to the social engineering of the AI interface. Critically, accounts protected with multi-factor authentication (MFA)-even simple SMS-based codes-were largely impervious to this particular exploit. This shows MFA as a strong defense against such social engineering techniques. What is the impact of the actively exploited Windows Netlogon RCE? Threat actors are actively exploiting CVE-2026-41089, a critical stack-based buffer overflow vulnerability in Windows Netlogon, posing a significant risk of remote code execution (RCE) on targeted domain controllers. The Centre for Cybersecurity Belgium (CCB) issued a warning on June 1, 2026, confirming the active exploitation in the wild, urging immediate patching of affected servers. This vulnerability, which carries a CVSS 9.8 score, allows unprivileged attackers to execute code on sensitive Windows Server systems without requiring prior authentication or user interaction. The Netlogon service, a core component of Microsoft Windows Server, is responsible for authenticating users and services across Windows domain-based networks. Its critical role means a compromise can grant attackers deep access and control over an entire network infrastructure. All currently supported Windows Server versions, including Windows Server 2025, are susceptible to CVE-2026-41089. Microsoft initially patched this flaw during its May 2026 Patch Tuesday, describing the attack vector as a specially crafted network request that causes improper handling by the Netlogon service, leading to arbitrary code execution. This particular vulnerability was discovered by Windows Attack Research & Protection (WARP), an internal offensive cybersecurity and engineering research team at Microsoft. The urgency communicated by the CCB emphasizes the direct and severe threat this RCE poses to organizations globally. Active exploitation of such a fundamental service shows the persistent targeting of core enterprise components. Addressing critical Netlogon RCE vulnerabilities is important for maintaining network integrity, as detailed in discussions around Netlogon RCE CVE-2026-41089 and other Windows Server RCE vulnerabilities. While specific threat actors exploiting CVE-2026-41089 have not been publicly identified by Microsoft or the CCB, the widespread nature of Windows Server deployments means a broad range of entities could be at risk. The successful exploitation enables attackers to gain system-level privileges on domain controllers, potentially leading to full network compromise, data exfiltration, or the deployment of ransomware. Organizations must prioritize applying the May 2026 security updates to prevent attackers from using this critical flaw. How are attackers bypassing authentication in Palo Alto GlobalProtect VPNs? Attackers are actively exploiting CVE-2026-0257, an authentication bypass vulnerability within Palo Alto Networks' PAN-OS GlobalProtect VPN technology, to gain unauthorized network access. This flaw allows adversaries to bypass authentication mechanisms and establish VPN connections without valid credentials, enabling them to impersonate legitimate users and potentially access internal network resources. Rapid7 observed successful exploitation "across numerous customers" as early as May 17, 2026, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add this flaw to its Known Exploited Vulnerabilities (KEV) catalog on May 29. The vulnerability affects the GlobalProtect portal and gateway components of PAN-OS software across various versions. Exploitation requires specific configuration conditions: firewalls must have both authentication override cookies enabled and a particular certificate setup. Specifically, the flaw becomes exploitable if the certificate used to encrypt and decrypt authentication override cookies is the same certificate used for the GlobalProtect portal or gateway's HTTPS service. While Palo Alto Networks initially assigned a CVSS score of 7.8, Rapid7 researchers have urged organizations to treat it as a critical vulnerability due to its active exploitation and the significant impact an authentication bypass on an edge-facing VPN appliance can have. Rapid7's analysis detailed the exploitation mechanism, observing two distinct waves of attack activity. Initially, attackers utilized forged authentication cookies to impersonate legitimate users and authenticate to vulnerable GlobalProtect gateways. A second wave of activity on May 21 showed evidence of attackers being assigned VPN addresses and subsequently gaining access to internal networks. This occurs because, under certain configurations, the system trusts decrypted cookies without verifying their authenticity. If administrators reuse the same certificate for both HTTPS services and cookie encryption, attackers can obtain the certificate's public key, generate forged cookies, and the VPN gateway will accept them as valid. To mitigate CVE-2026-0257, Palo Alto Networks has released patches, and immediate application is strongly advised. If patching is not feasible, organizations should implement alternative mitigations. This includes using a dedicated, securely stored certificate exclusively for authentication override cookies, ensuring it is not reused for other features or shared. Disabling the authentication override feature entirely by unchecking all related options in the GlobalProtect portal and gateway configuration is another recommended measure to prevent exploitation. Which Android zero-day is under targeted exploitation? A critical zero-day flaw, identified as CVE-2025-48595, within the core Android Framework component is currently under limited, targeted exploitation by cybercriminals. Google confirmed the active exploitation as part of its June 2026 security bulletin, urging users and administrators to apply the latest patches without delay. This vulnerability, stemming from a dangerous memory management error-specifically an integer overflow-poses a severe risk, potentially allowing threat actors to achieve code execution and gain full control over compromised mobile devices. The flaw's presence in the Android Framework makes it particularly concerning, as this core component underpins the operating system's functionality across a vast ecosystem of devices. Successful exploitation of CVE-2025-48595 requires no user interaction, making it a "zero-interaction" vulnerability and increasing the urgency of applying security updates. The full June 2026 security bulletin from Google addresses a total of 113 vulnerabilities across multiple software layers, with 18 critical flaws patched that could otherwise lead to complete device takeover. Beyond the Android Framework, the June 2026 security update also includes vital patches for subcomponents from key hardware vendors such as Qualcomm, MediaTek, and Unisoc. This broad coverage aims to secure the diverse Android ecosystem against a wide array of threats. For users, devices running Android system version 10 or later are configured to automatically receive updates via Google Play services. However, manual verification of the patch level is essential to confirm remediation. To ensure protection against this zero-day and other documented threats, Android devices must have patch levels dated June 5, 2026, or later. Maintaining strict patch hygiene is a crucial defense against advanced mobile threat groups and the continuous emergence of new vulnerabilities. The limited, targeted nature of the current exploitation does not diminish the potential for wider campaigns, which shows the need for immediate action across all Android deployments. Technical Takeaways The exploitation of Meta's AI support assistant demonstrates a significant shift in social engineering tactics, targeting AI interfaces as new attack surfaces for account compromise. The active exploitation of CVE-2026-41089, a critical RCE in Windows Netlogon, shows the ongoing and severe threat posed by vulnerabilities in core enterprise infrastructure components. Authentication bypass vulnerabilities, such as CVE-2026-0257 in Palo Alto Networks GlobalProtect VPNs, continue to be high-priority targets for threat actors seeking initial access to corporate networks. Zero-day flaws like CVE-2025-48595 in the Android Framework show the persistent risk of remote code execution on mobile devices, even when exploitation is initially limited and targeted. Strong multi-factor authentication (MFA) remains a fundamental security control, proving effective in preventing account takeover attacks even when novel AI-based social engineering techniques are employed. How the Meta AI Social Engineering Attack Worked The attack exploited a fundamental trust gap in Meta's AI support infrastructure. Threat actors crafted carefully worded requests to the AI chatbot, mimicking legitimate account recovery scenarios: Impersonation prompts convinced the bot the attacker was the account owner Automated password reset flows were triggered without secondary human verification Telegram-distributed scripts standardized the attack for wider replication The bot lacked behavioral anomaly detection for repeated recovery attempts This technique required no malware or phishing infrastructure — only conversational manipulation. See also: Social Engineering Attack Vectors Indicators of Compromise and Affected Targets Security researchers identified several patterns across compromised accounts that defenders should monitor: Sudden profile photo and bio changes to pro-Iranian imagery Unauthorized password reset emails sent to legitimate account owners Account activity originating from Middle Eastern IP ranges High-profile targets included government-adjacent and military-affiliated accounts The Obama White House account and U.S. Space Force Chief Master Sergeant profile were among confirmed victims. Organizations should audit admin account recovery settings immediately. See also: Instagram Account Security Best Practices Defensive Measures Against AI-Assisted Account Takeovers This incident highlights urgent gaps in how AI support tools handle sensitive account actions. Recommended mitigations include: Enforce hardware security keys (FIDO2) on high-value accounts Disable AI-initiated password resets for accounts with elevated privileges Require human-in-the-loop verification for recovery requests on flagged accounts Monitor for rapid successive AI chatbot interactions from single sessions Platforms should implement rate limiting and intent classification on support bots Users should review connected apps and active sessions immediately if suspicious recovery emails are received. See also: Multi-Factor Authentication Guide --- ## Palo Alto PAN-OS CVE-2026-0257 Bypass (CVSS 7.8) - URL: https://purple-ops.io/blog/palo-alto-pan-os-cve-2026 - Date: 2026-06-02 - Category: CVE Analysis - Tags: palo-alto, pan-os, cve-2026-0257, auth-bypass, globalprotect - Reading time: 5 min | CVSS: 7.8 **Summary:** Palo Alto Networks PAN-OS CVE-2026-0257 is an actively exploited authentication bypass (CVSS 7.8) allowing unauthorized VPN connections. Palo Alto PAN-OS CVE-2026-0257 Bypass (CVSS 7.8) Palo Alto Networks has acknowledged a critical authentication bypass vulnerability, identified as CVE-2026-0257, affecting its PAN-OS and Prisma Access products. This vulnerability, rated with a CVSS score of 7.8, allows unauthorized threat actors to establish Virtual Private Network (VPN) connections by circumventing standard authentication protocols. Although classified as a medium-severity flaw, a high CVSS score indicates a significant potential impact. The vulnerability is concerning due to its active exploitation. This active exploitation requires immediate attention from organizations utilizing affected configurations. The issue specifically targets firewalls with GlobalProtect portal or gateway configured under conditions where authentication override cookies are enabled and a particular certificate configuration is present. This document analyzes CVE-2026-0257, discussing its implications, exploitation specifics, affected products, detection methods, and remediation steps. Understanding the technical details of this flaw helps network defenders protect their infrastructure against ongoing threats. What is CVE-2026-0257 and why is it critical? CVE-2026-0257 is an authentication bypass vulnerability within Palo Alto Networks PAN-OS and Prisma Access that carries a CVSS score of 7.8. Despite being categorized as "medium-severity," this score typically places it within the "High" severity range, indicating a substantial risk. The vulnerability is critical because it permits unauthorized individuals to establish VPN connections to an organization's network, effectively circumventing the intended security perimeter. Active exploitation in the wild amplifies the criticality of CVE-2026-0257. Threat actors are using this flaw to gain unauthorized network access, posing a threat to the integrity and confidentiality of systems protected by affected Palo Alto Networks devices. An authentication bypass on a VPN gateway is severe, granting attackers direct entry into the internal network without valid credentials. This access can serve as a primary vector for reconnaissance, lateral movement, data exfiltration, and the deployment of additional malicious payloads. What is the potential impact of CVE-2026-0257? Unauthorized VPN connections to an organization's network are the primary impact of CVE-2026-0257. An attacker who successfully exploits this vulnerability can bypass the configured authentication mechanisms of PAN-OS GlobalProtect portal or gateway, gaining an unauthenticated entry point into the network. This effectively bridges the secure perimeter that VPNs are designed to enforce. Organizations using Palo Alto Networks firewalls with GlobalProtect portal or gateway configured are at risk, especially if authentication override cookies are enabled and a specific certificate configuration exists. VPN access compromise can lead to several severe consequences. Once inside the network, threat actors can conduct extensive reconnaissance, map network topology, identify valuable assets, and locate sensitive data. This initial access often precedes more sophisticated attacks, including privilege escalation, lateral movement to other systems, data exfiltration, or the deployment of ransomware and other destructive malware. Such unauthorized access directly threatens the confidentiality, integrity, and availability of network resources. How is CVE-2026-0257 exploited? This vulnerability is an authentication bypass. The attack vector specifically targets Palo Alto Networks firewalls configured with a GlobalProtect portal or gateway. Successful exploitation requires two key preconditions: authentication override cookies must be enabled, and a specific certificate configuration must be present on the affected firewall. Authentication override cookies are typically used for a smoother user experience, allowing subsequent connections to bypass re-authentication for a period. However, in this scenario, a flaw in how PAN-OS and Prisma Access handle these cookies, combined with certain certificate configurations, allows an unauthenticated attacker to manipulate the process. This manipulation enables the attacker to initiate a VPN connection as if they were a legitimate, authenticated user, bypassing established security controls and allowing adversaries to "set up VPN connections" without valid credentials. Palo Alto Networks confirmed CVE-2026-0257 is under active exploitation. Threat actors are actively using this vulnerability to gain unauthorized network access. This active exploitation shows organizations must address the vulnerability promptly. Further details on this issue are in our prior analysis of CVE-2026-0257. The rapid pace of exploit development, sometimes accelerated by advanced tooling, means the window between vulnerability disclosure and active exploitation shrinks. Our research on AI's role in accelerating exploit development discusses this trend. Which products are affected by CVE-2026-0257? The CVE-2026-0257 vulnerability affects specific products and configurations within the Palo Alto Networks ecosystem. Organizations relying on these products for VPN access control should review their deployments carefully. Affected products include: Palo Alto Networks PAN-OS: Specifically, firewalls running PAN-OS with a GlobalProtect portal or gateway configured are vulnerable. Enabled authentication override cookies and a specific certificate configuration are critical factors in the vulnerability's exploitability. Palo Alto Networks Prisma Access: This cloud-delivered security platform is also impacted by the same authentication bypass flaw when its GlobalProtect functionalities are configured under the specific conditions mentioned. The research indicates the vulnerability appears when a GlobalProtect portal or gateway is configured, authentication override cookies are enabled, and a specific certificate configuration exists. Since the research does not specify exact version numbers for affected PAN-OS or Prisma Access, all versions configured under these conditions should be considered potentially vulnerable until specific guidance from Palo Alto Networks states otherwise. Organizations must consult official Palo Alto Networks advisories for the precise scope of affected versions and any applicable patch information. What are the detection measures for CVE-2026-0257? Effective detection of CVE-2026-0257 exploitation depends on monitoring network and system logs for anomalous activity, particularly related to VPN connections and authentication processes. The research does not detail specific Indicators of Compromise (IOCs) like precise log signatures or EDR queries, but a proactive monitoring strategy can identify suspicious behavior that may signal compromise. Organizations should implement the following detection measures: Monitor VPN Connection Logs: Look for unexpected or unauthorized VPN connections to GlobalProtect portals or gateways. This includes connections originating from unusual geographical locations, IP addresses not associated with legitimate users, or at abnormal times. Track the number of failed authentication attempts followed by successful connections without a clear, legitimate reason. Focus on GlobalProtect session logs for any entries indicating successful connections where the expected authentication flow appears abnormal or incomplete. Review Authentication Logs: Scrutinize authentication logs for the GlobalProtect portal and gateway for any bypass events or successful authentications that do not correspond to known user activity. Monitor for the creation of VPN sessions without corresponding pre-authentication entries in logs. Certificate Configuration Monitoring: Regularly audit the certificate configurations on GlobalProtect interfaces. Any unauthorized changes or unusual activity related to certificate issuance, revocation, or usage should be investigated. Network Flow Analysis: Analyze network flow data (NetFlow, IPFIX, sFlow) for unusual traffic patterns originating from newly established VPN tunnels. This could include sudden spikes in data transfer, connections to internal assets not typically accessed by VPN users, or communication with known malicious external IP addresses. Security Information and Event Management (SIEM) Alerts: Configure SIEM systems to alert on the aforementioned anomalies. Establish baselines for normal VPN usage and flag deviations, especially those related to authentication events and source IP reputation. Continuous and vigilant monitoring is essential to detect and respond to potential compromises swiftly. What is the remediation guidance for CVE-2026-0257? Remediation for CVE-2026-0257 is crucial due to its active exploitation. The primary focus involves patching the vulnerability, or if a patch is not immediately available or deployable, implementing effective workarounds and mitigations. The following steps outline the remediation guidance: Apply Vendor Patches: Immediately consult official Palo Alto Networks security advisories and support channels for information regarding available patches for PAN-OS and Prisma Access. Apply all recommended security updates to all affected devices as soon as they are released and thoroughly tested in a staging environment. Given the active exploitation, patching should be prioritized over routine maintenance schedules. Implement Workarounds and Mitigations: Disable Authentication Override Cookies: If feasible and not critical for operational continuity, disable authentication override cookies on GlobalProtect portal and gateway configurations. This removes one of the key preconditions for CVE-2026-0257 exploitation. Review and Restrict Certificate Configurations: Carefully review the certificate configurations on GlobalProtect interfaces. Ensure that only necessary and properly configured certificates are in use and that they adhere to strong security practices. Remove any certificates that are not explicitly required. Enforce Strong Multi-Factor Authentication (MFA): While CVE-2026-0257 is an authentication bypass, strong MFA implementations can provide an additional layer of defense against follow-on attacks, even if the initial VPN connection is established. This ensures that even if an attacker gains unauthorized access, they still face hurdles in accessing internal resources that require MFA. Network Segmentation: Implement or strengthen network segmentation to limit the potential lateral movement of an attacker who manages to establish an unauthorized VPN connection. Isolate sensitive assets and restrict communication paths. Access Control Policies: Review and tighten access control policies for users connecting via GlobalProtect. Ensure that VPN users only have access to the resources absolutely necessary for their roles (least privilege principle). Enhance Monitoring: Continue to actively monitor VPN and authentication logs for any anomalous activity, as detailed in the detection section. Immediate alerting for suspicious connections can help in rapid incident response. Conduct regular security audits of GlobalProtect configurations to ensure compliance with best practices and the vendor's latest recommendations. Technical Takeaways CVE-2026-0257 is an actively exploited authentication bypass vulnerability affecting Palo Alto Networks PAN-OS and Prisma Access, specifically their GlobalProtect portal and gateway components. The vulnerability carries a CVSS score of 7.8, indicating a high potential impact despite being classified as medium-severity. Exploitation requires enabled authentication override cookies and a specific certificate configuration on the targeted firewalls. Successful exploitation grants unauthorized threat actors the ability to establish VPN connections, providing initial network access. Organizations must immediately apply available patches and implement mitigations like disabling authentication override cookies and reviewing certificate configurations if patching is not feasible. Continuous monitoring of VPN and authentication logs for anomalous connections is critical for early detection of exploitation attempts or successful breaches. --- ## Gentelman Ransomware Hits 14 Healthcare, Retail Victims - URL: https://purple-ops.io/blog/gentelman-ransomware-healthcare-retail - Date: 2026-06-01 - Category: Ransomware Report - Tags: none - Reading time: 5 min **Summary:** The Gentelman ransomware group claimed 14 new victims, predominantly impacting healthcare and retail sectors with active operations. The Gentelman Ransomware Claims 14 Healthcare, Retail Victims Statistical Overview Victim Totals This month: 27 This quarter: 1573 Year to date: 4198 Last 24h: 29 Quarterly Breakdown Q1: 2631 | Q2: 1573 | Q3: 0 | Q4: 0 Ransomware activity maintains a consistent volume, with 29 new victims reported in the last 24 hours. Quarterly data indicates substantial impact across global organizations, accumulating 1573 victims in Q2. Introduction In the last 24 hours, ransomware operators claimed 29 new victims across various sectors and geographies. The Gentelman group was active, accounting for 14 of these new compromises. Other groups included DragonForce, Abyss, INC Ransom, and Lapsus. Primary affected sectors observed include Healthcare, Retail & Ecommerce, Professional Services, and Government / Public Sector, with attacks concentrated in North America, including the United States and Canada. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1The Gentelman14Anandji haridas, Arabian procession holding, Bouri group (+11)Hong Kong, CanadaHealthcare, Retail & Ecommerce 2DragonForce3Panorama bpo, Synex international pvt ltd, Taos mountain casinoUnited States, PeruConstruction & Engineering, Professional Services 3Abyss2Landkreis-limburg-weilburg.de, School facility consultantsGermany, United StatesProfessional Services, Government / Public Sector 4INC Ransom2Bradley law firm, Champaign-Urbana Public Health DistrictUnited StatesHealthcare, Legal 5Lapsus2Mapfre assurance, MercorUnited States, SpainInsurance, Technology / Software 6Play News2Digitall graphics, Hightower communicationsUnited States, CanadaProfessional Services, Telecommunications 7AiLock1SchneebeliSwitzerlandManufacturing 8Brain Cipher1Squamish.netCanadaGovernment / Public Sector 9Bravox1Grupo mauáBrazilProfessional Services 10Kairos1MortensenlawofficesUnited StatesLegal Ransomware activity remains active, largely driven by The Gentelman, which claimed 14 victims, predominantly in Healthcare and Retail & Ecommerce across Hong Kong and Canada. Other groups such as DragonForce and Abyss also contributed to the victim count, targeting sectors like Professional Services and Government / Public Sector. INC Ransom impacted the Champaign-Urbana Public Health District in the United States. This shows the ongoing threat to critical public services. The geographic distribution shows a continued focus on North America, alongside incidents in Europe, South America, and Asia. Further insights into the activity of The Gentelman ransomware group are available in our dedicated analysis. Victim Distribution By Country United States: 11 Canada: 4 India: 2 Brazil: 2 Spain: 1 Thailand: 1 Switzerland: 1 Sri Lanka: 1 Saudi Arabia: 1 Portugal: 1 By Industry Legal Services: 2 Automotive Manufacturing: 2 Telecommunications: 2 Insurance: 1 Water Utility: 1 School Facility Planning and Consulting: 1 Public Health: 1 Law Practice: 1 Industrial Textile Manufacturing: 1 Healthcare: 1 The United States continues to be the primary target region, accounting for 11 out of 29 new victims, followed by Canada. Industry targeting is diverse. Legal Services and Automotive Manufacturing each saw multiple incidents, with Telecommunications also experiencing two, reflecting a broad opportunistic approach by ransomware groups. Ransomware News Topline VSP Solutions, an Australian video security distributor, is responding to a cyber security incident claimed by the Stormous ransomware-as-a-service group. Campaigns & Operations Stormous has reportedly exfiltrated and published over 40 GB of data from VSP Solutions, encompassing financial backups (QuickBooks & Reckon), email archives, staff personal folders, and customer databases. The company has engaged forensic experts, notified law enforcement and Australian government agencies, and is investigating the incident's scope. Stormous, known for its double-extortion tactics and data publication, continues to use compromised access against technology and business services globally. Vulnerabilities & TTPs The specific initial access vector for the VSP Solutions breach was not detailed. However, Stormous's operational methods consistently involve data exfiltration followed by publication if demands are unmet, employing double-extortion as a core tactic. Analyst Note This incident shows the persistent threat posed by established ransomware-as-a-service groups like Stormous, which continue to successfully compromise and extort organizations through data theft and publication. Technical Takeaways The Gentelman emerged as the most active ransomware group, responsible for nearly half of the new victims observed. Targeting remains globally diverse but shows a concentration in North America, with the United States and Canada experiencing a large volume of attacks. Healthcare, Retail & Ecommerce, Professional Services, and Government / Public Sector are among the top-affected sectors, indicating continued opportunistic targeting across various industries. Ransomware-as-a-service (RaaS) groups, exemplified by Stormous, continue to use double-extortion tactics involving data theft and publication to pressure victims. Critical infrastructure entities, such as public health districts, remain vulnerable to compromise by groups like INC Ransom. --- ## Netlogon RCE CVE-2026-41089 (CVSS 9.8) Actively Exploited - URL: https://purple-ops.io/blog/netlogon-rce-cve-2026-41089 - Date: 2026-06-01 - Category: CVE Analysis - Tags: netlogon, cve-2026-41089, rce, windows-server, actively-exploited - Reading time: 5 min | CVSS: 9.8 **Summary:** CVE-2026-41089, a critical Netlogon RCE with a CVSS 9.8, is actively exploited, allowing unauthenticated attackers SYSTEM privileges on Windows Server. Netlogon RCE CVE-2026-41089 (CVSS 9.8) Actively Exploited Microsoft's Netlogon service in Windows Server is affected by a critical Remote Code Execution (RCE) vulnerability, tracked as CVE-2026-41089. This flaw, with a CVSS score of 9.8, allows attackers to execute arbitrary malicious code with SYSTEM privileges on vulnerable domain controllers. Threat actors are actively exploiting CVE-2026-41089 in the wild, posing an immediate risk to corporate network infrastructure. The vulnerability enables an unauthenticated attacker to compromise domain controllers remotely without requiring user interaction. Successful exploitation grants complete control over affected enterprise identities and core authentication systems. Organizations must act immediately to mitigate the risk and prevent further compromise. Microsoft addressed CVE-2026-41089 as part of its May 2026 Patch Tuesday release, which included fixes for 118 vulnerabilities. This particular flaw is considered a significant threat to corporate networks among the patched vulnerabilities. Organizations must prioritize deploying these security updates to protect their environments. What is CVE-2026-41089 and why is it critical? CVE-2026-41089 is a critical Remote Code Execution (RCE) vulnerability in the Netlogon service of Microsoft Windows Server. This flaw is critical because of its CVSS score of 9.8 and its ability to enable unauthenticated attackers to achieve SYSTEM-level privileges on vulnerable domain controllers remotely. The vulnerability stems from improper handling of specially crafted network data packets by the Netlogon service. The criticality of CVE-2026-41089 is significant because it can fully compromise an organization's authentication infrastructure. An attacker who successfully exploits this vulnerability can gain complete administrative control over the domain controller, subsequently allowing control over all connected systems and user accounts within the domain. This level of access bypasses all typical security boundaries, giving adversaries an unfettered pathway to persistent network presence, data exfiltration, and widespread disruption. The absence of a requirement for user interaction or prior authorization also shows its severity, making it an attractive target for malicious campaigns. Impact An attacker exploiting CVE-2026-41089 can achieve Remote Code Execution (RCE) with SYSTEM privileges on the targeted Windows Server domain controller. This means they can execute any command or malicious payload on the compromised system as the highest-privileged user. The direct consequence is complete control over the domain controller itself. Organizations relying on Microsoft Windows Server for their authentication and directory services are at significant risk. Specifically, corporate networks with exposed domain controllers are vulnerable to this flaw. An attacker gaining SYSTEM privileges on a domain controller can effectively seize complete control of the entire corporate infrastructure. This includes managing user accounts, group policies, access to network resources, and potentially deploying ransomware or other destructive payloads across the entire domain. The real-world reach is widespread, affecting any enterprise environment operating unpatched Windows Server domain controllers. This malicious action requires zero user interaction and no prior authorization, allowing for complete system compromise, similar to the impact of some Windows kernel zero-day exploits. Exploitation Chain The exploitation of CVE-2026-41089 begins with an attacker sending a specially crafted network request to a vulnerable Windows Server domain controller. The vulnerability resides in the Netlogon service, which is responsible for user and machine authentication within a Windows domain. When the Netlogon service improperly handles this incoming data packet, it creates a condition that allows for Remote Code Execution. Preconditions for exploitation are minimal, primarily requiring network access to a susceptible Windows Server domain controller running the Netlogon service. Successful exploitation does not require any user interaction from the victim, nor does it necessitate prior authentication or authorization. This makes CVE-2026-41089 a zero-click, unauthenticated RCE vulnerability. The Centre for Cybersecurity Belgium (CCB) has confirmed that threat actors are actively executing this attack in the wild, indicating that public details and potentially Proof-of-Concept (PoC) exploits are available and used by malicious entities. The ability to gain SYSTEM privileges and control core authentication systems through a network service is a significant threat, similar to other critical operating system vulnerabilities, such as a Linux kernel local privilege escalation vulnerability. Affected Products and Versions The CVE-2026-41089 vulnerability affects specific versions of Microsoft Windows Server. All Windows Server versions from 2012 onwards that have not applied the May 2026 security updates are susceptible. The following Windows Server product lines and their respective versions are impacted: Microsoft Windows Server 2012 Microsoft Windows Server 2012 R2 Microsoft Windows Server 2016 Microsoft Windows Server 2019 Microsoft Windows Server 2022 Organizations operating any of these Windows Server versions as domain controllers are advised to assess their patch status immediately. The vulnerability is present in the Netlogon service component, which is fundamental to the operation of these domain controller roles. Detection Detecting exploitation attempts or successful compromise related to CVE-2026-41089 requires monitoring network traffic and system logs, particularly those related to the Netlogon service. Detection guidance includes: Network Indicators: Monitor network traffic for unusual authentication requests targeting domain controllers, especially those utilizing the Netlogon Remote Protocol (MS-NRPC). Unusual traffic, such as a sudden increase in Netlogon authentication requests from unexpected source IPs or with abnormal parameters, may indicate an exploitation attempt. Look for deviations from baseline Netlogon communication behaviors, including attempts to establish insecure or null sessions if not typically observed in the environment. Observe outbound network connections from domain controllers that are not part of normal operational behavior. These could signify successful RCE and subsequent command-and-control (C2) communication. Log Signatures: Review Netlogon event logs for anomalies. Investigate event IDs related to Netlogon service activity, authentication failures, and changes in Netlogon secure channel status. While specific event IDs directly indicating CVE-2026-41089 exploitation may not be documented, any unusual or failed Netlogon negotiation attempts require investigation. Examine Windows Security Event Logs on domain controllers for suspicious activity following any observed unusual Netlogon traffic. This includes: Event ID 4624 (An account was successfully logged on): Look for successful logons using system or machine accounts from unusual source workstations or IP addresses that correspond to the timing of suspected exploitation. Event ID 4672 (Special privileges assigned to new logon): This event indicates administrative privileges being assigned, which could happen post-exploitation. Event ID 4663 (An attempt was made to access an object): Monitor for access attempts to sensitive objects or files that differ from normal administrative activities. Analyze System Event Logs for any unexpected service crashes or restarts of the Netlogon service, which could occur during an exploitation attempt. Monitor for the creation of new user accounts, changes to existing highly privileged accounts, or unexpected scheduled tasks, which are common post-exploitation activities. Organizations should implement strong logging and security information and event management (SIEM) solutions to centralize and analyze these logs effectively. Baselines of normal Netlogon activity and domain controller behavior are essential to identify anomalies. Remediation Immediate action is required to address CVE-2026-41089 because it is critical and actively exploited. Remediation steps include: Patch Deployment: Deploy the security updates released by Microsoft as part of the May 2026 Patch Tuesday. These fixes address the vulnerability in the Netlogon service. System administrators should apply these patches immediately to all affected Windows Server versions-including 2012, 2012 R2, 2016, 2019, and 2022-that function as domain controllers. Prioritize domain controllers and other critical servers in the patching schedule. Verify the patch installation to confirm the update was successfully applied. Network Isolation and Segmentation: Immediately isolate exposed domain controllers from untrusted networks. This protective measure restricts direct access to the Netlogon service from external or less secure network segments, limiting the potential attack surface. Implement strict network segmentation so only authorized systems and personnel can communicate with domain controllers over the necessary ports and protocols. Review firewall rules and access control lists (ACLs) to enforce this. Continuous Monitoring: After patching and isolation, maintain continuous monitoring of network traffic for unusual authentication requests and thoroughly review Netlogon logs for anomalies. This ongoing vigilance is important to confirm the effectiveness of remediation and to detect any lingering compromise or new exploitation attempts. Implement auditing for changes to privileged user accounts and groups, as well as modifications to domain policies, to identify any unauthorized post-exploitation activity. Fast remediation will prevent malicious actors from executing code and gaining total control over enterprise identities, reducing the risk of a widespread compromise. Technical Takeaways CVE-2026-41089 is a critical Remote Code Execution (RCE) vulnerability in the Netlogon service of Microsoft Windows Server. The vulnerability has a CVSS score of 9.8, indicating maximum severity because it can be exploited over the network without authentication. Successful exploitation grants an attacker SYSTEM privileges on the targeted domain controller, which leads to full control over enterprise identities and infrastructure. CVE-2026-41089 is confirmed to be under active exploitation in the wild by threat actors. Microsoft released patches for all affected Windows Server versions (2012, 2012 R2, 2016, 2019, 2022) as part of its May 2026 Patch Tuesday updates. --- ## CVE-2026-41089 Netlogon RCE Hits Domain Controllers - URL: https://purple-ops.io/blog/cve-2026-41089-netlogon-rce - Date: 2026-06-01 - Category: Threat Intelligence - Tags: cve-2026-41089, netlogon-rce, windows-server, active-exploitation, domain-controller - Reading time: 5 min **Summary:** Microsoft's Netlogon RCE, CVE-2026-41089 with CVSS 9.8, is actively exploited to seize Windows domain controllers and gain SYSTEM privileges. CVE-2026-41089 Netlogon RCE Hits Domain Controllers Microsoft's Netlogon Remote Code Execution vulnerability (CVE-2026-41089, CVSS 9.8) is under active exploitation by threat actors targeting corporate networks worldwide. This critical flaw allows attackers to seize complete control of Windows domain controllers and gain SYSTEM privileges without prior authorization or user interaction. The Centre for Cybersecurity Belgium recently confirmed these in-the-wild attacks, which demonstrates an immediate and severe risk to enterprise infrastructure. The widespread use of Netlogon in enterprise environments makes this vulnerability dangerous. Successful exploitation grants adversaries an uncontested foothold, enabling broad reconnaissance, privilege escalation, lateral movement, and identity compromise across an organization's most sensitive systems. This could also disrupt critical business operations. Microsoft released patches for CVE-2026-41089 as part of its May 2026 Patch Tuesday. This update addressed 118 vulnerabilities, 16 rated as critical. The urgent deployment of these specific fixes is important for organizations to protect their core authentication systems from ongoing exploitation. How is the Netlogon RCE vulnerability being exploited in the wild? Threat actors exploit CVE-2026-41089 by sending specially crafted network requests to unpatched Windows domain controllers. This causes the Netlogon service to improperly handle incoming data, which enables arbitrary code execution on the target system. Its CVSS score of 9.8 shows the vulnerability's critical impact. The exploit grants attackers full SYSTEM privileges on the affected domain controller, giving them complete administrative control over the compromised system. This malicious action requires zero user interaction and no prior authorization, allowing for silent and rapid compromise. The Centre for Cybersecurity Belgium issued an advisory confirming active exploitation, stressing that immediate defensive measures are needed to safeguard corporate infrastructure. Microsoft provided fixes for Windows Server versions from 2012 onwards in its May 2026 Patch Tuesday release. Organizations that have not yet applied these updates remain vulnerable to these active attacks. Prompt application of these security patches is the primary defense against this critical vulnerability. Remediation for CVE-2026-41089 System administrators must immediately deploy fixes for all affected Windows Server versions. This important step is the most effective way to prevent ongoing exploitation. Organizations should also consider isolating exposed domain controllers from untrusted networks to limit their attack surface while patches are applied. Further protective measures include continuous monitoring of network traffic for unusual authentication requests. Security operations centers should regularly review Netlogon logs for anomalies that could indicate attempted or successful exploitation. Maintaining strict patch hygiene and active monitoring remain fundamental defenses against advanced threat groups using vulnerabilities like CVE-2026-41089. Past incidents involving actively exploited Microsoft Exchange zero-days demonstrate the persistent threat posed by critical vulnerabilities in core enterprise services. Dutch Authorities Dismantle Large-Scale Asocks Botnet Affecting 17 Million Devices Dutch authorities, in a joint operation involving the Politie and the National Cyber Security Center (NCSC), have successfully dismantled a massive botnet known as Asocks. This botnet enslaved at least 17 million infected devices globally, using them for various malicious activities. The operation involved seizing more than 200 servers located in the Netherlands that served as the botnet's backend infrastructure. The infected devices encompassed a broad spectrum, including computers, tablets, smartphones, and various IoT devices. The NCSC identified Asocks as a residential proxy service, which, while having legitimate uses, is frequently abused by threat actors. Reports from local news outlet NL Times corroborated the botnet's identity as Asocks. Previous intelligence reports, such as HUMAN's Satori Threat Intelligence team's findings in April 2024, linked Asocks to a campaign dubbed PROXYLIB. This campaign involved infecting Android devices with proxyware from both LumiApps and Asocks, showing a history of malicious activity associated with this service. The law enforcement action involved seizing a subset of these servers from a hosting provider, which took the botnet offline. Botnet Infection and Mitigation Devices typically become part of a botnet when threat actors gain unauthorized access and install malware for remote control. This integrates the compromised device into a network used for cybercriminal activities. The scale of the Asocks botnet shows the pervasive nature of such infections. To counter botnet malware, organizations and individuals should implement several security practices. These include keeping operating systems and software applications up-to-date with the latest security patches. Maintaining visibility of edge devices, such as routers, is also important for identifying and mitigating potential compromises. Additional recommendations include using strong, unique passwords for all accounts and enabling two-factor authentication (2FA) wherever possible. Installing applications only from trusted sources and changing default passwords on new devices, particularly IoT devices, are important steps. Securing Wi-Fi networks with strong encryption protocols like WPA2 or WPA3 can further prevent unauthorized access and potential botnet recruitment. Malicious Codex UI npm Package Steals OpenAI Refresh Tokens from 27,000 Developers A malicious npm package, codexui-android, a popular remote web user interface for OpenAI Codex, has been discovered exfiltrating OpenAI refresh tokens from users. With an estimated 27,000 weekly downloads, this supply chain attack exposed a significant number of developers to persistent account takeover risks. Aikido Security researcher Charlie Eriksen made the discovery on May 27, 2026. The attackers employed a deceptive strategy, developing a useful tool likely to establish a legitimate user base before initiating malicious activity. The important element of this attack is that the malicious code was not present in the public GitHub repository. Instead, it was found exclusively within the published npm package, allowing it to bypass standard source code audits. The attack initiates immediately upon module load, with the dist-cli/index.js file importing a hidden script named chunk-PUR7OUAG.js. This script then checks for local credentials. If found, it launches a data exfiltration routine to steal access_token, id_token, account ID, and the important refresh_token from the auth.json file. The refresh token is dangerous as it typically does not expire, granting attackers indefinite access and impersonation capabilities. Covert Data Exfiltration and Associated Android Apps To evade detection, the exfiltrated data was sent to a server endpoint named sentry.anyclawstore. This endpoint was chosen intentionally to blend in with normal Sentry error-reporting telemetry. The hidden source map even contained a comment from the author: "Send tokens to our startlog endpoint (always)," indicating deliberate intent. Further investigation revealed that the threat actor behind this package, operating under the developer identity BrutalStrike, also targeted Android mobile devices. BrutalStrike has published applications on the Google Play Store, including a paid productivity app called codex.app and another named "OpenClaw Codex Claude AI Agent." Both these applications were found to contain the same malicious infrastructure. These Android apps initially bypassed Google's pre-publish security scans due to their clean initial APK file. Once installed, the app extracts a Termux-derived Linux userland into private storage and launches Node.js using PRoot. It then executes a command to install the latest version of the npm package: pnpm add codexui-android@latest. The exfiltration functionality has been active since version 1.0.0 of the package. Critical Langroid Prompt Injection Vulnerability Exposes LLM Applications to RCE Researchers from Carnegie Mellon University (CMU) and the University of Wisconsin-Madison (UW-Madison) have identified a critical Remote Code Execution (RCE) flaw within the Langroid Python framework, specifically affecting Large Language Model (LLM) applications. This vulnerability, which achieved a maximum CVSS score of 9.8, presents a significant risk to database servers by allowing prompt injection attacks. Developers are urged to upgrade their installations immediately. The core of the problem resides within the framework's SQLChatAgent component. While designed to execute database queries generated by an underlying language model, the component can be manipulated by malicious users through prompt injection. If the database role associated with the agent possesses elevated administrative privileges, the consequences can be severe. An attacker can force the system to execute dangerous dialect-specific primitives. For example, on a PostgreSQL backend, an attacker could trigger commands like COPY FROM PROGRAM. This action facilitates full RCE on the underlying database host, granting the attacker extensive control. This type of vulnerability shows the emerging security challenges in the rapidly evolving field of LLM-powered applications. Security Impact and Patch Availability Successful exploitation of this flaw carries high security implications. Adversaries could execute arbitrary system commands using the database's local privileges, potentially leading to a broader compromise of the network. Furthermore, attackers could silently exfiltrate sensitive corporate data from the server or maliciously modify and delete critical database tables. The ability to pivot through the network from a compromised database server makes this an important entry point for sophisticated attacks. Fortunately, the Langroid development team has addressed this dangerous RCE bug. A security patch is available in version 0.63.0 and all newer releases of the framework. This update introduces a strict SELECT-only allowlist parsed by sqlglot and implements a dialect-aware blocklist to prevent dangerous operation patterns. Users can manually restore the old behavior via a configuration flag in trusted environments, though this is not recommended for most deployments. Addressing vulnerabilities in development frameworks is as critical as patching operating systems. Lessons from past critical Microsoft Defender zero-days show the importance of rapid patching across the entire software supply chain. Hard-Coded Password Exposes Eppendorf BioFlo 320 Bioreactor Systems An urgent industrial control security warning has been issued for laboratory facilities concerning a critical flaw in the Eppendorf BioFlo 320 bioreactor platform. This high-severity vulnerability (CVE-2026-7251, CVSS 9.8) exposes these systems to unauthorized manipulation of sensitive biochemical processes. Lab managers must inspect their device configurations to prevent potential safety incidents. The software defect originates from a poorly secured remote management tool. The underlying system relies on an exposed Virtual Network Computing (VNC) architecture that uses a hard-coded password. Official documentation confirms: "The affected product is vulnerable due to VNC server using a hard-coded password." This access mechanism lacks encrypted network interactions, further reducing its security posture. If an attacker identifies the network address of a target system, they can exploit this default credential to gain unauthenticated administrative authority. The vulnerability report explicitly states: "Once connected, the attacker would have full access to all control panel features for the BioFlo 320." This level of access could enable important changes to experiments, potentially compromising research integrity or causing hazardous conditions in laboratory settings. Remediation for CVE-2026-7251 Eppendorf, the manufacturer, has developed an update to eliminate this threat. The newly released Version 5.0 software patch safely disables the vulnerable remote control protocol. Importantly, all systems originally shipped with this feature deactivated by default. Users could only activate the module manually at the physical workstation tower. Applying the permanent fix resolves the Eppendorf bioreactor security flaw, protecting important laboratory equipment. Administrators should download and apply the latest Version 5.0 software package without delay. Furthermore, security teams should verify that local user role protections adequately restrict configuration changes to trusted supervisors, adding another layer of defense against unauthorized access. Technical Takeaways Active Exploitation of Core Enterprise Systems: Microsoft's Netlogon RCE, CVE-2026-41089 (CVSS 9.8), is actively exploited to gain SYSTEM privileges on Windows domain controllers, requiring immediate patching of Windows Server versions from 2012 onwards. Large-Scale Botnet Disruption: Dutch authorities dismantled the Asocks botnet, which comprised 17 million infected devices, including Android and IoT devices, linked to the PROXYLIB campaign. Supply Chain Attacks Targeting AI Development: A malicious codexui-android npm package, with 27,000 weekly downloads, was found stealing persistent OpenAI refresh tokens via a covert supply chain attack, also impacting related Android applications. Prompt Injection Risks in LLM Frameworks: A critical Langroid Python framework vulnerability (CVSS 9.8) allows RCE via prompt injection in the SQLChatAgent component, enabling arbitrary command execution on database hosts without authentication. ICS/OT Hard-Coded Credential Vulnerability: The Eppendorf BioFlo 320 bioreactor platform has a critical flaw, CVE-2026-7251 (CVSS 9.8), due to a hard-coded VNC password, allowing unauthenticated administrative access to industrial control functions. --- ## Threat Intelligence Briefing on Critical Vulns, Ransomware, Leaks - URL: https://purple-ops.io/blog/threat-intelligence-vulns-ransomware-leaks - Date: 2026-06-01 - Category: report - Tags: threat-intelligence, critical-vulnerabilities, ransomware, data-breach - Reading time: 5 min **Summary:** Critical PAN-OS GlobalProtect vulnerability exploitation, TrapDoor supply chain attacks, and evolving ransomware tactics are impacting global sectors. Threat Intelligence Briefing on Critical Vulns, Ransomware, Leaks Executive Summary CTI reporting for this period shows persistent and evolving cyber adversary activity affecting various sectors globally. Key Developments PAN-OS GlobalProtect Vulnerability Exploitation: A critical authentication bypass vulnerability (CVE-2026-0257) affecting Palo Alto GlobalProtect VPNs has been under active exploitation. This directly affects organizations using affected versions, allowing unauthorized network access. TrapDoor Supply Chain Attack: A supply chain campaign, TrapDoor, spread credential-stealing malware through popular software package registries (npm, PyPI, CratesIO, and other platforms). This affects software development pipelines and any organization consuming dependencies from these platforms, risking developer account compromise and intellectual property exposure. Botnet Dismantlement: Dutch authorities disrupted a large botnet with approximately 17 million infected devices worldwide. This action diminishes global cybercrime infrastructure, potentially reducing various large-scale malicious operations. Evolving Ransomware Tactics: Ransomware actors used an in-person tactic to steal sensitive data from a law firm. This shows a rare, evolving method of data exfiltration, combining physical intrusion with cyber extortion. It affects organizations with high-value, sensitive data. Business Impact The reported activities collectively risk core business functions. Widespread exploitation of internet-facing infrastructure can lead to unauthorized access and data exfiltration from network perimeters. Supply chain compromises threaten software integrity; this affects development processes and deployed applications. Data exposure incidents cause reputational damage, regulatory scrutiny, subsequent financial fraud, and other issues against affected entities or individuals. Ransomware operations cause operational disruption across sectors like healthcare, education, and technology. Notable Trends and Changes vs Last Week Consistent patterns include widespread exploitation of internet-facing systems and increased data exposure incidents. Ransomware operations maintained a broad targeting scope, frequently using double extortion methods. A specific change this week is the confirmed active exploitation of the Palo Alto GlobalProtect vulnerability, requiring urgent attention to network perimeter security. In-person data theft tactics also represent a shift in adversary operational methods beyond purely remote cyber means. Outlook Over the next seven days, active exploitation of newly disclosed critical vulnerabilities, particularly those affecting internet-facing infrastructure, will likely remain prevalent. Ransomware groups are expected to sustain their operational tempo, employing various extortion schemes. Supply chain integrity challenges will likely persist as adversaries seek to inject malicious code into widely used software components. Geopolitical and hacktivist cyber activities targeting critical infrastructure and specific sectors will also likely remain active. Key Threat Intelligence Highlights This week saw several key developments: Dutch authorities, collaborating with international partners, dismantled a botnet that had compromised 17 million devices globally. This malicious network facilitated cybercrimes such as distributed denial-of-service attacks and data theft. The operation sets back criminal operations, protecting users and showing effective cross-border cooperation. An actively exploited authentication bypass (CVE-2026-0257) exists in Palo Alto Networks' PAN-OS GlobalProtect portal and gateway. This critical flaw allows unauthenticated attackers to execute arbitrary code. Organizations must apply patches immediately to protect their systems. The TrapDoor supply chain attack distributes credential-stealing malware by compromising package managers such as npm, PyPI, CratesIO, and other common platforms. This operation targets developers to steal their account credentials, potentially compromising numerous downstream software projects. Its broad presence across these repositories poses a security challenge for the open-source ecosystem. Ransomware actors are escalating tactics by incorporating physical intrusions. Individuals recently gained on-site access to a law firm to directly exfiltrate sensitive client data. This development shows increased attacker boldness and sophistication, requiring organizations to broaden security measures beyond digital perimeters. A severe flaw in the Langroid library allows Remote Code Execution (RCE) via prompt injection. This enables adversaries to trick AI applications into running arbitrary code on the underlying system. This poses a grave danger to tools built with Langroid. The vulnerability means attackers could gain full control over affected systems. Additional Threat Intelligence Context CVE-2026-8732: CVSS: 9.8 (CRITICAL) - Active exploitation of WP Maps Pro () allows unauthenticated administrator account creation on WordPress sites. Available Exploits: CVE-2026-8732 Exploit CVE-2026-8732 Exploit CVE-2026-8732 Exploit Analysis: # CVE Analysis Report: CVE-2026-8732 GitHub Link: Title: WP Google Map Pro CVE-2026-8732 PoC CVE: CVE-2026-8732 (CVSS: 9.8, CRITICAL) CVSS Score: 9.8 CVSS Severity: CRITICAL Based on the analysis: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 100/100 Ease of use, potential impact, and widespread availability contribute to this score. CVE-2026-0257: CVSS: None (CRITICAL) - Widespread exploitation of Palo Alto Networks PAN-OS GlobalProtect authentication bypass (), allows unauthorized VPN access and is listed in CISA KEV. Available Exploits: CVE-2026-0257 Exploit CVE-2026-0257 Exploit CVE-2026-0257 Exploit CVE-2026-0257 Exploit CVE-2026-0257 Exploit Analysis: # CVE Analysis Report: CVE-2026-0257 GitHub Link: Title: PAN-OS GlobalProtect Auth Bypass Detection PoC CVE: CVE-2026-0257 (CVSS: None, CRITICAL) CVSS Score: None CVSS Severity: CRITICAL Based on the analysis: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 91/100 Ease of use and potential impact contribute to this score. CVE-2026-35616: CVSS: 9.8 (VERY CRITICAL) - Active exploitation of a pre-authentication API bypass in FortiClient EMS () delivers EKZ Infostealer and allows unauthenticated administrative actions. Available Exploits: CVE-2026-35616 Exploit CVE-2026-35616 Exploit CVE-2026-35616 Exploit CVE-2026-35616 Exploit CVE-2026-35616 Exploit Analysis: # CVE Analysis Report: CVE-2026-35616 GitHub Link: Title: FortiClient EMS Safe Detector (CVE-2026-35616) CVE: CVE-2026-35616 (CVSS: 9.8, VERY CRITICAL) CVSS Score: 9.8 CVSS Severity: VERY CRITICAL Based on the analysis: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 100/100 Ease of use and potential impact contribute to this score. Critical Gogs (0.14.2 and 0.15.0+dev) remote code execution zero-day (CVSS 9.4) due to an argument injection flaw, exploitable by unauthenticated internet users due to default open registration. CVE-2026-48172: CVSS: None (VERY CRITICAL) - Active exploitation of LiteSpeed cPanel user-end plugin Redis RCE (), allows unauthenticated escalation to root on shared hosting servers and prompted a CISA BOD. Available Exploits: CVE-2026-48172 Exploit CVE-2026-48172 Exploit CVE-2026-48172 Exploit Analysis: # CVE Analysis Report: CVE-2026-48172 GitHub Link: Title: CVE-2026-48172 PoC Template CVE: CVE-2026-48172 (CVSS: None, VERY CRITICAL) CVSS Score: None CVSS Severity: VERY CRITICAL Based on the analysis: Complexity Score: NA Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 75/100 Ease of use, potential impact, and widespread availability contribute to this score. Critical Windows DNS Client remote code execution (CVSS 9.8) with three observed active exploits, alongside public zero-days (BlueHammer, RedSun, UnDefend) in Windows Defender/BitLocker. CVE-2026-41089: Active exploitation of Netlogon RCE () on Windows domain controllers. CVE-2026-0257: CVSS: None (CRITICAL) - Publicly available exploit code and reported exploitation for a FreeBSD kernel stack buffer overflow () that leads to local privilege escalation. Available Exploits: CVE-2026-0257 Exploit CVE-2026-0257 Exploit CVE-2026-0257 Exploit CVE-2026-0257 Exploit CVE-2026-0257 Exploit Analysis: # CVE Analysis Report: CVE-2026-0257 GitHub Link: Title: PAN-OS GlobalProtect Auth Bypass Detection PoC CVE: CVE-2026-0257 (CVSS: None, CRITICAL) CVSS Score: None CVSS Severity: CRITICAL Based on the analysis: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 91/100 Ease of use and potential impact contribute to this score. Widespread campaigns target the npm ecosystem through dependency confusion and deployment of RAT packages, like the forge-jsxy family, for credential theft and persistent access. CVE-2026-39987: CVSS: None (CRITICAL) - Pre-authenticated RCE in Marimo notebook service () has been observed in targeted intrusions for credential harvesting from cloud environments. Available Exploits: CVE-2026-39987 Exploit CVE-2026-39987 Exploit CVE-2026-39987 Exploit CVE-2026-39987 Exploit CVE-2026-39987 Exploit Analysis: # CVE Analysis Report: CVE-2026-39987 GitHub Link: Title: CVE-2026-39987 version detector (Marimo) CVE: CVE-2026-39987 (CVSS: None, CRITICAL) CVSS Score: None CVSS Severity: CRITICAL Based on the analysis: Complexity Score: Easy Remote/Local: Remote Authenticated/Unauthenticated: Unauthenticated Privilege Required: None Risk Score: 91/100 Ease of use, potential impact, and widespread availability contribute to this score. Extensive exposure of identity, genetic, and messaging data through major breaches affecting entities such as Charter Communications (4.9M accounts), 23andMe (6.9M customers), and massive Telegram user datasets (claimed 1.2B records). DDoS attacks, such as the one claimed by "Infrastructure Destruction Squad" against Ukrainian OPW Fuel Management Systems, disrupting remote visibility and control of fuel infrastructure. Ransomware Activity Overview Ransomware groups like Krybit, CMD, Lapsus, Bravox, Gunra, and Stormous are actively targeting healthcare, education, insurance, AI startups, entertainment, and smaller tech/service providers across multiple continents. These operations commonly employ double extortion tactics, use leak sites, and gain initial access through RDP/VPS resale, initial access broker offerings, and web application exploitation. Data breach activity includes a claimed 1TB exfiltration from the Israeli Holocaust victims welfare center by the Handala group, an unverified claim of 10+ petabytes from China NSCC Supercomputing Center, and widespread sales of AT&T Mobile, Salesforce, HCA Healthcare, and various government/telecom datasets. Geopolitical cyber activity features Infrastructure Destruction Squad claiming a network takedown at Noi Bai International Airport via old MikroTik RouterOS exploitation and performing DDoS actions against Ukrainian industrial control systems. The TRK25 group promotes an advanced SCADA industrial exploitation framework. Hacktivist actions are observed from pro-Palestinian, pro-Russian, and Indonesian groups, among others. The broader cybercrime ecosystem shows extensive advertising of offensive services, tools, and training bundles. Concerns exist about malicious npm packages and residential-proxy botnet takedowns. Underground markets also display a supply of government, financial, and telecom databases from regions like Asia, the Middle East, Europe, and the Americas. They also trade forged court orders and services for domain suspension to assist fraud and takedown operations. During the reporting period, 170 total victims were identified across 36 active ransomware groups. The top 5 most active groups accounted for 74 victims. Top 5 Ransomware Groups DragonForce - 37 victim(s) Notable victims: Allianceadjustment.com, Arsenalscaffold.com, Businessrecord.com, Delbrook capital advisors, Dentonfirm.com (and 32 more) LockBit - 10 victim(s) Notable victims: columbiaorthogroup.com, groupe-mbm.com, grupodetoni.com.br, gu, hgs-wt.at (and 5 more) Akira - 9 victim(s) Notable victims: Alpine aerotech, General doors, Gone fishin' marine, Gs yuasa lithium power, Interstate roofing (and 4 more) Everest - 9 victim(s) Notable victims: Advanced psychiatry associates, Akm, Asopagos s.a., L&p aesthetics, Sidra kuwait hospital (and 4 more) Medusa Locker - 9 victim(s) Notable victims: Baeaoai, Baeaxai, Bakaxah, Dadolighting demo, Dolrad (and 4 more) Deep Web Deep Web Observations This week's deep web activity revealed extensive data exposures across multiple sectors and geographies, with a concentration on governmental, military, and critical financial institutions. Threat actors posted or offered for sale vast datasets containing sensitive national defense information, full financial and personal records of citizens, and internal law enforcement intelligence. The trend shows a continued pursuit of high-value targets for strategic and financial exploitation. What major data leaks appeared on deep web forums this week? Several large-scale data leaks emerged this week. The compromise of a Chinese supercomputing network and the National Credit Information Center of Vietnam stood out for their scale and sensitivity. Other incidents involved national law enforcement agencies, a major telecommunications provider, and a customer support platform for a widely used communication service. China National Supercomputing Center (NSCC) Breach: A 10+ petabyte dataset, described as direct exfiltration from China's supercomputing network, was advertised. This collection includes years of raw simulation data, design files, satellite telemetry, and classified research from national defense contractors (AVIC Aviation Industry and COMAC). The leak also contains employee personal data, including Chinese ID card scans with names and addresses. National Credit Information Center of Vietnam (CIC) Exposure: Over 160 million records from Vietnam's national credit information center were put up for sale. This extensive database contains detailed personal identifying information (PII) like full names, dates of birth, national ID cards (CCCD, CMND), passport numbers, driving license numbers, military IDs, student IDs, addresses, phone numbers, and email addresses. Financial details are present, like loan data, various balance types (e.g., loan, bad debt, credit card), outstanding debt figures, and credit card numbers. Company information and audit logs complete this financial dataset. Charter Communications, Inc. Customer Data: A dataset comprising over 42 million records of PII from Charter Communications, a major US telecommunications company, was released. The actor claimed this release happened after unsuccessful negotiations. DIRANDRO: Peruvian National Police Data: A database containing approximately 300,000 folders, totaling 7.8 GB, from DIRANDRO (the Drug Enforcement Directorate of the Peruvian National Police) was offered. This compromise includes personal identification data (full names, national ID, police identification codes) for police/military personnel, demographic information, family details, precise residential addresses, and civil registry data. Police intervention data is present, including narratives of incidents, exact geographic coordinates of events, descriptions of seized illicit substances, and images of national ID documents (DNI). Argentine Government Institutions Compilation: A 650 GB compilation of databases from multiple Argentine government institutions was made available. Entities affected include GDEBA, IOMA, Buenos Aires City Police, AFIP (tax authority), BCRA (central bank), and the Federal Police. The data includes emails, passwords, phone numbers, document numbers, biometric photos, ranks, credit scores, and confidential PDF documents. The actor mentioned targeting numerous other Latin American government institutions. Philippines Land Transportation Office (LTO) Data: Over 14 million records from the Philippines' Land Transportation Office were listed, including PII like full names, addresses, dates of birth, sex, civil status, nationality, weight, height, and blood type. The breach includes over 14 million user images, with the actor claiming to possess proof of concept (0day) for the LTO system. Discord Data through Zendesk: A 1.6 TB dataset pertaining to Discord users, allegedly sourced from Zendesk (a customer support platform), was advertised. This data includes user email addresses, Discord usernames, phone numbers, support ticket/chat logs, IP addresses, the last four digits of credit cards, and images of ID cards or passports for age verification for approximately 70,000 users. Russian GRU Advanced Weapons Report Leak: A document titled "Top Secret GRU Advanced Weapons Report 2025" was freely distributed on a forum, purportedly originating from Russia's Main Intelligence Directorate. What is the nature and scope of these breaches? The nature of these breaches ranges from direct exfiltration of highly classified state secrets and critical infrastructure data to widespread compromises of sensitive personal and financial information affecting millions of individuals. The scope often involves full datasets, including identity documents, financial records, and operational intelligence. This enables various downstream malicious activities. The NSCC breach compromises state-sponsored research and development. It provides adversaries with access to advanced military and aerospace designs that could accelerate their own programs or reveal strategic vulnerabilities. The scale of 10+ petabytes signifies a deep, sustained infiltration. The National Credit Information Center of Vietnam and Charter Communications breaches show the monetization of large-scale PII and financial data. These datasets offer a foundation for identity theft, financial fraud, targeted social engineering campaigns, and account takeovers due to the individual and corporate financial attributes present. The breaches of DIRANDRO (Peruvian National Police) and multiple Argentine government institutions carry substantial risks for public administration and law enforcement personnel. Exposure of police and military personnel data, including identity documents and operational details, could lead to targeted harassment, blackmail, physical threats, or compromise of ongoing investigations. This undermines trust in government security, impeding critical functions. The Land Transportation Office (LTO) Philippines data, particularly with 14 million user images alongside full PII, creates an avenue for high-fidelity identity impersonation and fraudulent document creation. This level of biometric-linked data raises the risk beyond standard identity theft. The Discord data from Zendesk, though from a customer service platform, is particularly sensitive due to the inclusion of actual ID card/passport photos for age verification. This enables high-confidence identity fabrication. The associated support ticket logs can also reveal sensitive personal issues or specific vulnerabilities for targeted social engineering. Beyond data leaks, one item offered initial access broker (IAB) services to an APAC Telecom target and an Eastern Europe B2B platform. This included verified network configurations, dynamic application behaviors, and pre-authentication session bypass payloads, alongside internal metadata. This kind of offering provides a foothold for subsequent, more damaging attacks, rather than a direct data leak. Are there any patterns or trends in the breach data? A recurring pattern in this week's data involves targeting national critical infrastructure and government entities, particularly those holding vast amounts of citizen data or sensitive state intelligence. There is a persistent market for full PII and financial records, often affecting entire populations within a given country. Government and Critical Infrastructure as Prime Targets: Many observed incidents pertain to government agencies (Argentina, Peru, Philippines) or entities integral to national operations (China's supercomputing, Vietnam's credit bureau). These targets are attractive for espionage, strategic advantage, large-scale data harvesting, or disruption. Large-Scale PII and Financial Data Exploitation: Multiple breaches involved millions of individual records, including detailed PII, financial histories, and identity document images. This indicates an enduring demand for datasets suitable for identity theft, fraud, account takeovers, and other illicit activities on a massive scale. Geographic Diversity of Victims: The affected organizations span multiple continents, including Asia (China, Vietnam, Philippines), North America (USA), and South America (Argentina, Peru). This global distribution shows the ubiquitous nature of deep web activities. Mixed Actor Sophistication: While established and reputable actors like ShinyHunters continue to conduct large-volume breaches, several new or low-reputation users are also surfacing with access to sensitive government and classified data, suggesting a broad base of actors or the fragmentation of capabilities. Initial Access as a Commodity: The sale of pre-authenticated access to corporate networks suggests a sub-economy where initial entry points are prepared and sold, enabling other threat actors to execute various follow-on attacks without needing to establish their own initial foothold. Broad Data Spectrum: The compromised data is diverse, ranging from advanced military research and blueprints to individual credit scores, criminal intervention records, and customer support interactions, reflecting varied motivations among threat actors-from state-sponsored espionage to common cybercrime. What is the potential impact of these deep web breaches? The potential impact of this week's deep web breaches is broad, extending from national security repercussions to widespread individual financial and personal harms, and a general erosion of trust in institutions. The exposure of 10+ petabytes of classified military and aerospace research from China's NSCC could compromise national security. Such detailed data, including schematics for advanced satellites and defense simulations, provides foreign adversaries with intelligence that could accelerate their own technological advancements, expose vulnerabilities in existing systems, or inform counter-intelligence strategies. This intellectual property loss has long-term strategic implications. Similarly, the Russian GRU Advanced Weapons Report could reveal classified defense strategies and capabilities, offering tactical advantages to opposing forces. For individuals, the 160 million records from the National Credit Information Center of Vietnam and the 42 million PII records from Charter Communications create an expansive surface for identity theft, sophisticated financial fraud, and targeted scams. Detailed financial histories combined with personal identifiers empower malicious actors to open fraudulent accounts, obtain loans, or impersonate victims with high success rates. Including credit card numbers, even partial, reduces the effort for carding schemes. The breaches of DIRANDRO (Peruvian National Police) and multiple Argentine government institutions carry substantial risks for public administration and law enforcement personnel. Exposure of police and military personnel data, including identity documents and operational details, could lead to targeted harassment, blackmail, physical threats, or compromise of ongoing investigations. This undermines trust in government security, impeding critical functions. The Land Transportation Office (LTO) Philippines data, particularly with 14 million user images alongside full PII, creates an avenue for high-fidelity identity impersonation and fraudulent document creation. This level of biometric-linked data raises the risk beyond standard identity theft. The Discord data from Zendesk, though from a customer service platform, is particularly sensitive due to the inclusion of actual ID card/passport photos for age verification. This enables high-confidence identity fabrication. The associated support ticket logs can also reveal sensitive personal issues or specific vulnerabilities for targeted social engineering. The initial access broker (IAB) services serve as precursors to future destructive events. By providing verified entry points into critical infrastructure, these sales allow other actors to deploy ransomware, conduct long-term espionage, or orchestrate sabotage. This escalates the scope and severity of potential future incidents. In summary, this week's deep web activity shows a persistent and evolving threat where sensitive national and personal data is continuously sought, acquired, and traded. This has far-reaching consequences for state security, economic stability, individual privacy, and public trust. Sources Dutch Authorities Dismantle Botnet Linked to 17 Million Infected Devices PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation TrapDoor Supply Chain Attack Spreads Credential-Stealing Malware via npm, PyPI, and CratesIO Ransomware Actors Show Up In Person to Steal Law Firm Data Critical Langroid Vulnerability Allows RCE via Prompt Injection --- ## PAN-OS CVE-2026-0257 Auth Bypass Actively Exploited - URL: https://purple-ops.io/blog/pan-os-cve-2026-0257-auth - Date: 2026-06-01 - Category: CVE Analysis - Tags: palo-alto, pan-os, cve-2026-0257, auth-bypass - Reading time: 5 min **Summary:** Palo Alto Networks PAN-OS is critically affected by CVE-2026-0257, an authentication bypass vulnerability under active exploitation. PAN-OS CVE-2026-0257 Auth Bypass Actively Exploited Palo Alto Networks PAN-OS is affected by CVE-2026-0257, an authentication bypass vulnerability currently under active exploitation. This critical flaw allows unauthorized access to systems running PAN-OS, threatening network security perimeters. Though specific technical details, such as the CVSS score and affected version ranges, have not been publicly disclosed, the active exploitation status requires immediate attention from security teams. The presence of in-the-wild exploitation for CVE-2026-0257 increases its severity beyond what an unrated vulnerability might typically suggest. An authentication bypass on a network security platform like PAN-OS can directly lead to compromised administrative access, VPN system breaches, or manipulation of network traffic. Organizations relying on Palo Alto Networks devices for perimeter defense are at immediate risk. PurpleOps assesses this vulnerability as critical due to its nature and exploitation status. This intelligence post compiles available facts and outlines the implications for organizations, focusing on detection and remediation strategies based on limited public information. What is CVE-2026-0257 and why is it critical? CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS. This means an attacker can circumvent standard authentication mechanisms to gain unauthorized access to protected functionalities or resources. Its criticality stems from the role PAN-OS plays in an organization's network infrastructure; it typically acts as a firewall, VPN concentrator, or network access controller. An authentication bypass in such an important security appliance can grant an adversary direct access to sensitive administrative interfaces. This allows them to reconfigure security policies, establish malicious VPN tunnels, create backdoors, or otherwise compromise the system. The impact extends to potentially bypassing VPN access controls, enabling unauthorized users to connect to internal networks. This capability could be exploited by remote, unauthenticated attackers, making it an effective entry vector into protected network segments. The active exploitation of CVE-2026-0257 in the wild shows that threat actors possess reliable methods to use this vulnerability, making it an immediate operational threat rather than a theoretical risk. Impact An attacker successfully exploiting CVE-2026-0257 can gain unauthorized access to the affected Palo Alto Networks PAN-OS device. This typically means gaining administrative control over the firewall, a privileged position within a network infrastructure. From this vantage point, an adversary can perform various malicious actions, including creating new user accounts, modifying firewall rules to permit arbitrary traffic, disabling security features, establishing persistent access mechanisms (such as VPN connections or SSH keys), exfiltrating sensitive data traversing the network, or deploying further malware onto internal systems. The potential for a complete network compromise through a compromised perimeter device is significant. Organizations at risk include any entity deploying Palo Alto Networks firewalls or other devices running PAN-OS. This encompasses a broad spectrum of industries and sizes, from large enterprises, government agencies, to small and medium-sized businesses that rely on Palo Alto Networks for network security. This vulnerability's real-world impact is global, affecting any organization with internet-exposed PAN-OS instances that remain unpatched or unmitigated. A compromised perimeter firewall fundamentally undermines all downstream security controls. This makes CVE-2026-0257 a serious threat to data confidentiality, integrity, and network availability. Exploitation chain The attack vector for CVE-2026-0257 is an authentication bypass. While the specific technical mechanism (e.g., cryptographic flaw, logic error, or input validation issue) has not been publicly detailed, the outcome is evident: an attacker can bypass the requirement for valid credentials to gain access. This vulnerability type typically targets network-exposed services such as web-based management interfaces, API endpoints, or VPN portals. The primary precondition for exploitation is that a vulnerable PAN-OS instance must be accessible from the network, likely over the internet, allowing unauthenticated remote access attempts. Public Proof-of-Concept (PoC) code has not been disclosed in the provided research. However, the notification states "Active Exploit Detected Today." This confirms that threat actors currently possess and use functional exploits for CVE-2026-0257 in real-world attacks. This means private or targeted exploits are in circulation and are being deployed against vulnerable systems. Active exploitation indicates a high level of sophistication among adversaries using this flaw, and it suggests that technical details, even if not public, are understood within certain threat groups. For more context on the implications of a widely exploited perimeter device, our prior analysis of CVE-2026-0257 also covered the implications for Palo Alto GlobalProtect installations. Affected products and versions CVE-2026-0257 specifically impacts Palo Alto Networks PAN-OS. At the time of this intelligence post, the research findings do not publicly specify the range of affected product versions. This lack of specific version information creates a major challenge for network defenders attempting to determine their exposure. It requires a broad approach to assessment and remediation until more precise vendor guidance becomes available. Organizations utilizing Palo Alto Networks firewall appliances or virtual firewalls running PAN-OS should assume they are potentially affected, regardless of their current version. The absence of version specifics implies that multiple versions or even an entire product line could be susceptible to this critical authentication bypass. Product Line: Palo Alto Networks PAN-OS Affected Versions: Not publicly disclosed in the provided research. All currently deployed PAN-OS instances should be considered potentially vulnerable until specific vendor advisories clarify the scope. The underlying operating system of many Palo Alto Networks appliances is based on a hardened Linux kernel. While CVE-2026-0257 is an application-level authentication bypass, critical flaws can emerge at various layers, including the kernel. We discussed analogous vulnerabilities, such as a critical Linux kernel vulnerability leading to root access, in our analysis of CVE-2026-31431 Linux Root Access. This shows that a complete security posture across all layers of network devices is necessary. Detection Given the absence of specific Indicators of Compromise (IoCs) or detailed attack patterns in publicly available research for CVE-2026-0257, detection strategies must focus on general anomalous activity related to authentication and access on Palo Alto Networks PAN-OS devices. Proactive monitoring and scrutiny of logs are essential to identify potential exploitation attempts or successful compromises. Authentication Log Monitoring: Routinely review PAN-OS authentication logs for unusual login attempts, successful logins from unfamiliar source IP addresses, and accounts accessing administrative interfaces at unusual times. Specifically, look for multiple failed authentication attempts followed by a successful one, or successful logins without any preceding authentication challenge. Administrative Access Auditing: Monitor for any unauthorized changes to firewall configurations, security policies, VPN settings, or user accounts. Changes initiated by unfamiliar accounts or from unexpected locations are suspicious. Network Flow Analysis: Analyze network traffic patterns to and from PAN-OS management interfaces and VPN portals. Look for anomalous data transfers, connections to unusual external IP addresses, or attempts to tunnel unauthorized traffic. System Resource Monitoring: Observe PAN-OS device performance and resource utilization. Sudden spikes in CPU, memory, or network traffic could indicate compromise and malicious activity. Endpoint Detection and Response (EDR) Correlation: If the PAN-OS device is integrated with an EDR solution or has internal network visibility, correlate firewall logs with EDR alerts from internal systems. A successful authentication bypass could lead to further lateral movement within the network. Threat Hunting: Proactively search for signs of compromise, even without specific IoCs. This involves looking for deviations from baseline behavior in network traffic, process execution on the firewall, and configuration settings. Remediation The most effective remediation for CVE-2026-0257 will be the application of official patches released by Palo Alto Networks. Due to active exploitation and the critical nature of an authentication bypass, it is essential that organizations apply these patches as soon as they become available and have been tested in a pre-production environment. Patch Application: Monitor official Palo Alto Networks security advisories and support channels for security updates addressing CVE-2026-0257. Plan for immediate deployment of these patches across all affected PAN-OS instances following vendor guidelines. Access Restriction Workarounds: If patches are not immediately available, implement strict network access restrictions to the PAN-OS administrative interface and any public-facing VPN portals. Limit access to only trusted IP ranges or internal management networks. If possible, consider temporarily disabling external access to management interfaces until a patch can be applied. Multi-Factor Authentication (MFA): Ensure MFA is enforced for all administrative accounts and VPN users. An authentication bypass might circumvent the initial authentication step; however, MFA can provide an additional layer of defense against post-exploitation access attempts if the bypass is incomplete or leads to a different access vector. Network Segmentation: Review and strengthen network segmentation to minimize the blast radius in case of a PAN-OS compromise. Isolate management networks and critical internal systems from less trusted segments. Continuous Monitoring and Auditing: Implement continuous monitoring of PAN-OS devices, focusing on authentication logs, administrative actions, and network traffic for any anomalies. Regularly audit configurations to detect unauthorized changes. Incident Response Preparedness: Ensure incident response plans are updated to include procedures for addressing a compromised network perimeter device. This includes steps for forensic investigation, containment, eradication, and recovery. Technical Takeaways CVE-2026-0257 is a critical authentication bypass vulnerability impacting Palo Alto Networks PAN-OS. The vulnerability is confirmed to be under active exploitation by threat actors, which means immediate risk. Successful exploitation grants unauthorized access to PAN-OS devices, potentially leading to administrative control and network compromise. Specific affected versions and a CVSS score have not been publicly disclosed in the provided research. This requires a broad assessment and proactive defense. Immediate application of vendor-provided patches, coupled with strict access controls and monitoring, is essential for all PAN-OS deployments. --- ## Genesis Group Leads Ransomware Activity with 5 Victims - URL: https://purple-ops.io/blog/genesis-group-ransomware-victims - Date: 2026-05-31 - Category: Ransomware Report - Tags: none - Reading time: 5 min **Summary:** The Genesis Group led recent ransomware activity, claiming 5 new victims across diverse US sectors like construction, retail, and education. Genesis Group Leads Ransomware Activity with 5 Victims Statistical Overview Victim Totals This month: 767 This quarter: 1544 Year to date: 4169 Last 24h: 7 Quarterly Breakdown Q1: 2631 | Q2: 1544 | Q3: 0 | Q4: 0 Ransomware activity totaled 7 new victims in the last 24 hours. The Genesis group accounted for most incidents during this period. Introduction In the last 24 hours, seven new ransomware victims were reported across various sectors and geographies. The Genesis group was the most active, responsible for five incidents, while CMD and Krybit each claimed one victim. Affected sectors include Construction & Engineering, Retail & Ecommerce, Education, Healthcare, Investment Banking, Lubricants, and Residential Remodeling, primarily impacting organizations in the United States. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1Genesis5A roettgers, Cavalier flooring systems inc., Cedar street capital (a part of a cynvestors limited partnership) (+2)United StatesConstruction & Engineering, Retail & Ecommerce 2CMD1Lake Washington School DistrictUnited StatesEducation 3Krybit1Tulipmediworld.comIndiaHealthcare The Genesis group was responsible for five recent ransomware victims, primarily in the United States, targeting industries such as construction, retail, and investment banking. CMD ransomware affected the Education sector, attacking Lake Washington School District. Krybit claimed one victim in the Healthcare sector in India. Victim Distribution By Country United States: 6 India: 1 By Industry Home Improvement & Hardware Retail: 2 Healthcare: 1 Education: 1 Investment Banking: 1 Lubricants: 1 Residential Remodeling: 1 The United States experienced the most ransomware attacks, accounting for most new victims. Targeting showed a broad approach across various industries, including retail, construction, education, and healthcare, without concentrating on a single vertical. Ransomware News Topline Threat intelligence indicates a rising risk to critical infrastructure, with a shift from cyber espionage to physical disruption. Campaigns & Operations Attackers are increasingly exploiting internet-exposed industrial systems, default passwords, and outdated configurations, with small utilities and local municipalities facing disproportionate risk. Historical instances include destructive wiper attacks, post-breach cleanups, Iranian-affiliated PLC exploitation, and telecom intrusions. The United States experiences a 62% higher cyber-attack frequency compared to the global average. Vulnerabilities & TTPs Exploitation uses weaknesses like default passwords and unpatched systems. Artificial intelligence is integrated into intrusion lifecycles, handling 80-90% of operational tasks in some campaigns, which improves attack automation and efficiency. Analyst Note This trend shows a rising frequency of sophisticated attacks with real-world consequences. It requires strong OT/ICS security measures and coordinated defense strategies. Technical Takeaways The Genesis group accounted for the majority of new ransomware incidents, with five victims in the last 24 hours. Organizations in the United States were overwhelmingly targeted, comprising six out of seven reported victims. Ransomware groups show broad targeting across diverse industries, including construction, retail, education, and healthcare. Critical infrastructure and industrial control systems face escalating threats, with attackers increasingly focused on physical disruption rather than just data exfiltration. Artificial intelligence is used to automate a significant portion of intrusion lifecycles, showing a change in threat actor methods. The continued targeting of organizations in the investment banking sector indicates ongoing financial sector risks. Genesis Group Tactics and Target Profile The Genesis ransomware group has demonstrated a consistent pattern of targeting small-to-mid-sized US businesses across diverse industries. Their recent activity highlights several concerning trends: Sector diversity: Targets span construction, retail, investment banking, and residential services Geographic focus: Predominantly United States-based victims Volume consistency: Five victims in a single 24-hour window indicates an active and organized operation Business size: Targets appear to include both regional firms and larger corporate entities Organizations in these sectors should review their ransomware readiness immediately. See also: Ransomware Group Profiles for detailed threat actor analysis. How Organizations Can Defend Against Genesis Group Attacks Defending against groups like Genesis requires a layered security approach. Security teams should prioritize the following actions: Patch management: Ensure all internet-facing systems are updated to close known vulnerabilities Endpoint detection: Deploy EDR solutions capable of identifying ransomware behavior before encryption begins Backup integrity: Maintain offline, immutable backups tested regularly for restoration Employee training: Phishing remains a primary initial access vector for ransomware operators Incident response planning: Establish documented playbooks for ransomware scenarios Proactive defense reduces dwell time and limits the blast radius of any successful intrusion. Related reading: Ransomware Incident Response Guide. Recent Ransomware Trends Across Active Groups Beyond Genesis, the broader ransomware landscape remains highly active. CMD's targeting of the Lake Washington School District reflects a troubling continuation of attacks on educational institutions, which often lack mature security programs. Krybit's victim in India's healthcare sector underscores that ransomware is a global threat with no industry immune. Education: Frequently targeted due to limited IT budgets and large user bases Healthcare: High-value data and operational urgency make hospitals prime targets Emerging groups: Smaller operators like CMD and Krybit are filling gaps left by disrupted major gangs Monitor the latest ransomware activity feed for real-time updates on emerging group behavior. --- ## MCP Toolbox CVE-2026-9739 (CVSS 9.4) Hijacking Flaw - URL: https://purple-ops.io/blog/cve-2026-9739-mcp-toolbox-hijacking - Date: 2026-05-31 - Category: CVE Analysis - Tags: cve-2026-9739, mcp-toolbox, session-hijacking, cors-bypass, enterprise-database - Reading time: 5 min | CVSS: 9.4 **Summary:** MCP Toolbox CVE-2026-9739 (CVSS 9.4) is a critical flaw enabling session hijacking and data exfiltration from enterprise databases via CORS bypass. MCP Toolbox CVE-2026-9739 (CVSS 9.4) Hijacking Flaw Security researchers have recently identified CVE-2026-9739, a critical vulnerability in the open-source MCP Toolbox affecting enterprise database connectors, with a CVSS base score of 9.4. This flaw enables malicious actors to bypass security controls by exploiting a hardcoded access control wildcard header, overriding critical Cross-Origin Resource Sharing (CORS) policies. As a direct consequence, unauthorized external connections to local servers running the MCP Toolbox become possible. The vulnerability stems from a fundamental development oversight in the tool's Server-Sent Events handler. While developers intended to implement strict origin flags for security, an inadvertently retained permissive header bypasses these controls. This architectural flaw permits unauthorized connections to the local server, which risks enterprise data integrity and confidentiality. At the time of this publication, no confirmed active exploitation of CVE-2026-9739 in the wild has been publicly reported. However, its high CVSS score and clear exploitation vector show its criticality. System administrators and development teams are advised to prioritize remediation to mitigate the potential for session hijacking and unauthorized data exfiltration. What is CVE-2026-9739 and why is it critical? CVE-2026-9739 is a critical vulnerability impacting MCP Toolbox, an open-source software component designed to connect artificial intelligence agents and applications directly to corporate data storage systems. The vulnerability, assigned a CVSS base score of 9.4, allows attackers to circumvent established security policies, specifically Cross-Origin Resource Sharing (CORS) protections. Its criticality arises from the direct pathway it creates for malicious external entities to interact with internal enterprise resources, leading to severe compromises like session hijacking and unauthorized data access. The core of CVE-2026-9739 lies in a misconfiguration within the MCP Toolbox's Server-Sent Events handler. Despite intentions to enforce strict origin policies, a hardcoded access control wildcard header (Access-Control-Allow-Origin: * or similar permissive declaration) was left within the initialization source code. This wildcard effectively overrides any global CORS middleware, enabling any external domain to make requests to the local server where the MCP Toolbox is deployed. The ability to bypass fundamental web security mechanisms makes this flaw highly significant, especially for systems connected to sensitive enterprise databases. Impact The successful exploitation of CVE-2026-9739 carries serious consequences for enterprise networks. An attacker can achieve session hijacking, allowing them to impersonate legitimate users and execute actions within the context of their established sessions. This capability means that any actions or privileges available to the compromised user become accessible to the attacker. The vulnerability allows attackers to use the hijacked MCP Toolbox instance as an open proxy for malicious activities. Enterprises relying on MCP Toolbox to bridge AI applications with critical data infrastructure are particularly at risk. The direct consequence of this vulnerability is the potential for silent data exfiltration from linked databases. Malicious websites can use the hijacked toolbox to run arbitrary commands or queries on behalf of a legitimate user, facilitating unauthorized access and extraction of sensitive information. This risk extends to popular database systems, including Postgres and BigQuery. The compromise of such databases can lead to significant data breaches, regulatory penalties, and reputational damage. The integration of MCP Toolbox within enterprise environments, often connecting to core business data, means that this vulnerability presents a direct path to an organization's most valuable assets. Exploitation Chain The exploitation of CVE-2026-9739 follows a specific sequence, using a fundamental design flaw in the MCP Toolbox's architecture. The attack vector is initiated via a network connection, typically from a malicious website. Vulnerable Component Identification: The prerequisite for exploitation is an MCP Toolbox deployment that utilizes the older v2024-11-05 protocol specification. This version range or protocol adherence indicates the presence of the vulnerable code. Hardcoded Header Presence: The core of the vulnerability resides in the MCP Toolbox's Server-Sent Events handler. Despite intentions to enforce strict origin policies for security, a hardcoded access control wildcard header (Access-Control-Allow-Origin: ) remains embedded within the initialization source code. This header acts as an explicit instruction to browsers to permit cross-origin requests from any* domain. CORS Policy Override: The presence of this permissive hardcoded header completely overrides any global Cross-Origin Resource Sharing (CORS) policies that might be configured at a higher level (e.g., via middleware or server configurations). Instead of adhering to strict origin checks, the system unexpectedly permits unauthorized external connections to the local server where the MCP Toolbox is running. Malicious Website Interaction: An attacker can host a malicious website that contains JavaScript code designed to interact with the vulnerable MCP Toolbox instance. Because of the overridden CORS policy, this malicious website can successfully make requests to the victim's local MCP Toolbox server. Session Hijacking and Tool Execution: Through these unauthorized cross-origin requests, the malicious site can execute arbitrary tools or commands on behalf of the real user whose browser is interacting with the malicious website. This leads directly to session hijacking, where the attacker gains control over the user's session with the MCP Toolbox. Data Exfiltration: Once a session is hijacked, the attacker can use the compromised toolbox as an open proxy to interact with linked enterprise databases like Postgres and BigQuery. This allows for silent data exfiltration, unauthorized data modification, or various other malicious operations, all executed under the guise of the legitimate user's identity and permissions. The absence of public Proof of Concept (PoC) code for CVE-2026-9739 at this time does not diminish its potential impact. However, the underlying mechanism is defined, providing a roadmap for potential exploit development. While this analysis focuses on CVE-2026-9739, organizations should also remain aware of other critical, actively exploited vulnerabilities, such as CVE-2026-0257, a Palo Alto Networks PAN-OS authentication bypass flaw. Our prior analysis of this critical authentication bypass vulnerability, along with further insights into the Palo Alto Networks CVE-2026-0257 exploit, provides context on broader threats. Affected Products and Versions The CVE-2026-9739 vulnerability primarily affects deployments of the MCP Toolbox that utilize a specific, older protocol specification. Organizations should verify their current implementations against this information. Product: MCP Toolbox (open-source enterprise database connectors) Affected Protocol Specification: v2024-11-05 protocol specification This indicates that any deployments configured to adhere to or built upon this specific protocol version are vulnerable. It implies that newer protocol specifications or versions of the MCP Toolbox have either rectified the issue or are not susceptible due to architectural changes. Affected Databases: While the vulnerability is in MCP Toolbox, its impact extends to any enterprise database systems connected via the affected toolbox, specifically mentioning Postgres and BigQuery. Administrators must understand that the vulnerability's presence is tied to the underlying protocol specification being used by their MCP Toolbox instance, rather than a single explicit software version number. This requires a review of the configuration and operational parameters of deployed MCP Toolbox instances to confirm exposure. Detection Detecting exploitation attempts or the presence of CVE-2026-9739 requires a multi-layered approach focusing on network anomalies, log analysis, and endpoint behavior. Given the nature of a CORS bypass leading to session hijacking and potential data exfiltration, monitoring for unusual activity is paramount. Network Indicators: Unusual Cross-Origin Requests: Monitor network traffic for unexpected or unauthorized cross-origin requests originating from internal systems running MCP Toolbox to external, unknown, or suspicious domains. While the vulnerability allows requests to the local server, subsequent attacker actions (e.g., proxying to C2) might involve outbound connections. HTTP Traffic Analysis: Analyze HTTP headers for Origin and Access-Control-Allow-Origin. While the vulnerability itself is about the server sending a permissive header, monitoring suspicious client-side Origin headers alongside responses that contain Access-Control-Allow-Origin: * could indicate an attempt to use the flaw. Anomalous Proxy Activity: Since an exploited toolbox can act as an open proxy, monitor for unusual proxy-like traffic patterns originating from the server hosting MCP Toolbox. This might include connections to unusual ports, protocols, or destinations that are not part of normal operational procedures. Log Signatures: Server Access Logs: Review web server or application logs for the MCP Toolbox for requests originating from unexpected or untrusted IP addresses, especially those that result in successful authentication or data access without prior legitimate interaction. Database Query Logs: Monitor logs of connected databases (e.g., Postgres, BigQuery) for unusual query patterns, high volumes of data access, or queries issued from unexpected user accounts or applications. Pay attention to queries that appear automated or out of character for typical user behavior. CORS-related Warnings/Errors: While the vulnerability bypasses CORS, some underlying systems might still log attempts or warnings related to CORS policies if they are present at other layers, even if ultimately overridden. Endpoint Detection and Response (EDR) Queries: Suspicious Process Execution: Look for unusual child processes being spawned by the MCP Toolbox application or its associated services. This could indicate the execution of arbitrary tools by an attacker. File System Modifications: Monitor for unauthorized file modifications or creations, especially in critical configuration directories or locations where the MCP Toolbox stores sensitive data or scripts. Network Connections by Non-Browser Processes: Query EDR logs for outbound network connections initiated by the MCP Toolbox process to external IPs or domains that are not part of its normal operation, potentially indicating C2 communication or data exfiltration. Implementing strong logging and active monitoring for these indicators can help identify exploitation attempts early, allowing for timely incident response. Remediation Remediating CVE-2026-9739 requires a direct modification to the MCP Toolbox's configuration or source code to remove the permissive access control header. This is a critical step to restore proper Cross-Origin Resource Sharing (CORS) enforcement. Patching: Remove Hardcoded Header: The primary remediation is to remove the hardcoded access control wildcard header from the internal server file of the MCP Toolbox. This header is specifically located within the Server-Sent Events handler's initialization source code. By removing this line (e.g., Access-Control-Allow-Origin: *), the system will revert to its intended behavior, allowing global middleware or other configured security policies to manage origin permissions safely and correctly. Upgrade to a Secure Protocol Specification: If available, upgrade the MCP Toolbox to a version that utilizes a newer protocol specification known to be unaffected by this flaw. The vulnerability specifically targets deployments using the v2024-11-05 protocol specification, suggesting that later versions or protocols might have addressed the issue. Consult the official MCP Toolbox documentation or project repository for information on updated versions or patches. Workarounds and Mitigations: Network Segmentation: Isolate systems running MCP Toolbox into a separate network segment with strict ingress and egress filtering. This can limit the ability of malicious external websites to directly reach the toolbox and restrict any potential outbound data exfiltration or command-and-control communication. Web Application Firewall (WAF): Deploy a WAF in front of the MCP Toolbox instance. Configure the WAF to enforce strict CORS policies, blocking any cross-origin requests that do not originate from explicitly approved domains. While the hardcoded header might bypass some client-side CORS enforcement, a strong WAF can provide an additional layer of protection at the network edge. Principle of Least Privilege: Ensure that the service account or user under which the MCP Toolbox operates has only the absolute minimum necessary permissions to perform its functions. This can limit the impact of a successful session hijacking, reducing an attacker's ability to exfiltrate data or execute arbitrary commands. Input Validation and Output Encoding: While not directly addressing the CORS bypass, implementing stringent input validation for any data processed by MCP Toolbox and proper output encoding for any data displayed can mitigate the risk of secondary injection attacks if an attacker gains partial control. Monitoring: Continuous Security Monitoring: Implement continuous monitoring of network traffic, system logs, and database activity for the indicators described in the Detection section. Rapid detection of anomalous behavior is crucial for minimizing the window of compromise. Regular Security Audits: Conduct regular security audits of MCP Toolbox configurations and connected database permissions to ensure adherence to security best practices and to identify any lingering vulnerabilities or misconfigurations. Prioritizing these remediation steps is essential for protecting enterprise databases and AI applications from the risks posed by CVE-2026-9739. Technical Takeaways CVE-2026-9739 is a critical vulnerability (CVSS 9.4) in MCP Toolbox, an open-source enterprise database connector, allowing session hijacking and data exfiltration. The flaw originates from a hardcoded Access-Control-Allow-Origin: * header in the Server-Sent Events handler, which bypasses global Cross-Origin Resource Sharing (CORS) policies. Exploitation involves a malicious website initiating unauthorized external connections to the local server running the vulnerable MCP Toolbox (specifically those using the v2024-11-05 protocol specification). Successful exploitation can lead to execution of arbitrary tools, use of the toolbox as an open proxy, and silent data exfiltration from linked databases like Postgres and BigQuery. Remediation requires removing the hardcoded permissive header from the internal server file and upgrading to a secure protocol specification if available, complemented by network segmentation and strong monitoring. --- ## FAMOUS CHOLLIMA RAT Abuses HuggingFace for Exfil - URL: https://purple-ops.io/blog/famous-chollima-huggingface-rat - Date: 2026-05-31 - Category: Threat Intelligence - Tags: famous-chollima, huggingface, rat, dprk, cryptocurrency-theft - Reading time: 5 min **Summary:** DPRK-backed FAMOUS CHOLLIMA's MicrosoftSystem64 RAT actively exfiltrates 1,097 credentials and 417 screenshots from crypto traders using HuggingFace for... FAMOUS CHOLLIMA RAT Abuses HuggingFace for Exfil A sophisticated multi-platform Remote Access Trojan (RAT), dubbed MicrosoftSystem64, linked to the DPRK-backed threat actor FAMOUS CHOLLIMA, is actively exploiting the open-source supply chain to target cryptocurrency traders and exfiltrate sensitive data. This advanced malware, distributed through a series of malicious npm packages, notably js-logger-pack, utilizes HuggingFace as a novel command-and-control (C2) and data exfiltration backend, making detection challenging for conventional security measures. As of a live infrastructure probe on May 28, 2026, researchers confirmed the active surveillance of multiple victims, observing the theft of 1,097 credential files and 417 screenshots from compromised systems. The MicrosoftSystem64 RAT demonstrates a comprehensive array of capabilities, including persistent cross-platform keylogging, extensive cryptocurrency wallet and browser credential theft, Telegram session hijacking, and SSH key exfiltration. Its operational resilience is marked by rapid account rotation and infrastructure pivoting, circumventing previous takedowns. The use of a legitimate machine learning platform like HuggingFace for authenticated data uploads provides FAMOUS CHOLLIMA with a stealthy exfiltration channel, where stolen data is organized into private datasets, further obscuring the malicious traffic within expected network patterns. This campaign underscores the persistent and evolving threat from state-sponsored actors targeting developers and high-value individuals within specialized sectors like cryptocurrency trading. Organizations engaged in software development, particularly those relying on public package registries, face an immediate need to enhance their supply chain security posture against such advanced and adaptive threats. How Does the MicrosoftSystem64 RAT Operate and Exfiltrate Data? The MicrosoftSystem64 RAT, identified as an 81 MB stripped ELF binary (with Windows and macOS variants), functions as a Node.js Single Executable Application (SEA) built on Node.js v20.18.2. This packaging method allows the malware to run without requiring Node.js to be pre-installed on victim machines, while also making static analysis more difficult due to the embedded V8 runtime strings. The binary sets its process.title to MicrosoftSystem64, masquerading as a legitimate Microsoft service. The malware's configuration, bundled from dist/config.js, includes hardcoded values obfuscated with a simple XOR cipher and an easily deciphered key: [90, 60, 126, 18, 159, 75, 109, 138]. This configuration reveals its C2 WebSocket endpoint at ws://195[.]201[.]194[.]107:8010 and details for the HuggingFace model repository jpeek998/system-releases, used for binary updates and exfiltration. The threat actor's operational security lapse is evident, as plaintext comments within the configuration disclose the actual values, simplifying deobfuscation. Command and Control Protocol The MicrosoftSystem64 agent establishes a WebSocket connection to its C2 server, implementing automatic reconnection with exponential backoff. Upon connection, it sends a heartbeat message containing a unique agentId derived from the victim's platform, username, and machine identifier, facilitating operator tracking. The heartbeat interval is configured at 15 seconds, ensuring regular communication and resilience against network interruptions. The binary is designed to accept 24 distinct task types from the C2 operator, effectively acting as a full-featured remote access trojan. This extensive command set allows for deep reconnaissance, data theft, and system manipulation. Task TypeCapability scan_walletsEnumerate and exfiltrate all cryptocurrency wallet browser extensions and standalone wallet applications. scan_filesScan the filesystem for files matching attacker-specified patterns. send_tdataCompress and upload Telegram Desktop session data. download_sshExfiltrate SSH keys directory, including id_rsa, id_ed25519, id_ecdsa, known_hosts, and authorized_keys. exec_commandExecute arbitrary shell commands using PowerShell on Windows or /bin/sh on Unix-like systems, supporting configurable timeouts and working directories. list_dirPerform directory listings on the compromised system. list_drivesEnumerate mounted drives and volumes. get_system_infoCollect detailed OS, CPU, RAM, network, and user information. get_folder_sizeGather reconnaissance on file and folder sizes. start_input_captureInitiate a cross-platform keylogger with clipboard capture, polling every 1 second. start_screenshot_hf_uploadEnable periodic screenshot uploads to HuggingFace every 60 seconds. clipboard_getRetrieve the current contents of the system clipboard. upload_folder_hfUpload arbitrary directories to HuggingFace datasets. Novel Data Exfiltration via HuggingFace A distinguishing characteristic of MicrosoftSystem64 is its abuse of HuggingFace for data exfiltration, a technique previously documented by JFrog Research. Instead of routing stolen data through its C2 server, the RAT creates private datasets under the attacker's HuggingFace account, committing stolen files using the platform's Git LFS API. This strategy offloads storage to HuggingFace's infrastructure, making exfiltration harder to detect since traffic appears as legitimate HTTPS requests to a trusted machine learning platform. After each upload, the agent notifies the C2 server with metadata about the uploaded content, directing the operator to the specific HuggingFace dataset. The current operation leverages the HuggingFace account jpeek998, an apparent pivot from an earlier account, Lordplay. Comprehensive Credential and Session Theft The malware executes a systematic _scanBrowserProfiles function, targeting credentials from 15 browser families across Windows, macOS, and Linux by searching %LOCALAPPDATA%, %APPDATA%, ~/Library/Application Support, and ~/.config paths. Before accessing credential databases, browser processes like Chrome, Brave, Firefox, Edge, Opera, and Vivaldi are forcibly terminated to release file locks. Over 80 cryptocurrency wallet browser extensions are specifically targeted, with the malware configured to steal both extension code directories and their localStorage data. Each stolen extension's data is copied, subject to a 100 MB per-file size cap, and compressed into a gzip archive for upload. This includes extensions for major chains like Ethereum, Solana, Bitcoin, and multi-chain wallets. For Telegram users, the handleSendTdata function targets the Telegram Desktop tdata directory, which contains session keys enabling full account takeover. The tdata directory is gzipped and uploaded to HuggingFace, accompanied by the victim's OS, IP address, and username as metadata. Additionally, the download_ssh task specifically exfiltrates the entire ~/.ssh directory, packaging and uploading crucial files like id_rsa, id_ed25519, id_ecdsa, known_hosts, and authorized_keys to a dedicated HuggingFace dataset. Persistent Surveillance and Self-Update The MicrosoftSystem64 RAT integrates a cross-platform keylogger using native OS-level input capture APIs. On Windows, it leverages SetWindowsHookEx; on macOS, it employs Core Graphics CGEventTap; and on Linux, it attempts xinput test-xi2 before falling back to raw /dev/input evdev reading. This keylogger operates in conjunction with a clipboard watcher that polls every second, capturing sensitive textual data. Furthermore, the malware supports both on-demand and periodic screenshot capture across all platforms, uploading images to HuggingFace every 60 seconds when enabled. Persistence is established across Windows, macOS, and Linux using various techniques. On Windows, it creates a scheduled task \MicrosoftSystem64 and a Run registry key; on macOS, a LaunchAgent plist ~/Library/LaunchAgents/com.launchkeeper.MicrosoftSystem64.plist; and on Linux, a systemd user service ~/.config/systemd/user/MicrosoftSystem64.service and an XDG autostart desktop entry. The malware also includes a self-update mechanism, checking the HuggingFace repository every 24 hours for newer versions and replacing its own executable if an update is available. This enables the threat actor to maintain control and evolve the malware's capabilities without direct re-infection. Attacker Infrastructure and Active Victim Data A live probe of the attacker's HuggingFace infrastructure on May 28, 2026, confirmed the active operation of the exfiltration pipeline with real victims. The FAMOUS CHOLLIMA group operates two HuggingFace accounts: Lordplay (created 2025-11-24), previously used for binary hosting and now disabled by HuggingFace, and jpeek998 (created 2026-05-15), which is currently fully active for data exfiltration. Using the embedded token, three private datasets were enumerated under jpeek998, containing data from two active victims: DatasetVictimTypeFilesTime Range (UTC)Size jpeek998/linux_ubuntu_f083ccb52684Linux (Ubuntu)Screenshots (base64 PNG)323May 27 23:51 to May 28 05:14~167 MB jpeek998/win_wulin_e8bc41d9aca8Windows (wulin)Screenshots (base64 PNG)94May 28 03:41 to May 28 05:14~16 MB jpeek998/win_wulin_e8bc41d9aca8_scan_filesWindows (wulin)Stolen credential files (gzip)1May 28 03:43500 MB Analysis of the wulin victim's 500 MB credential archive revealed 1,097 credential files, including SSH keys, Chrome and Edge login data, Claude Desktop app data, NVIDIA app credentials, WeChat session data, HuaYoungBrowser data, and Remote Desktop connection files. The Linux victim's desktop screenshots displayed a crypto trading terminal and Python scripts, while the Windows victim's showed ChatGPT, a JoinQuant algorithmic trading platform, and VS Code browsing cryptocurrency exchanges. Both profiles indicate cryptocurrency traders as targets, aligning with the RAT's specialized capabilities. More details on the broader campaign lineage and FAMOUS CHOLLIMA's tactics can be found in our APT Groups Tracking research. What Vulnerabilities are Threat Actors Exploiting in Palo Alto GlobalProtect VPNs? Palo Alto Networks is currently addressing a High-severity authentication bypass vulnerability, CVE-2026-0257, within its PAN-OS GlobalProtect VPN software, which is actively being exploited in the wild. This flaw enables attackers to establish unauthorized VPN connections, potentially breaching corporate networks. The CVE-2026-0257 vulnerability was initially rated Medium due to specific configuration prerequisites, namely requiring devices to have authentication override cookies enabled and a particular certificate setup. However, the severity rating was elevated to High after Palo Alto Networks confirmed active exploitation attempts against unpatched devices lacking mitigations. Security firm Rapid7 reported observing successful exploitation against numerous customers starting as early as May 17, 2026. These attacks involve threat actors authenticating to GlobalProtect gateways by forging authentication override cookies that target local administrator accounts. The initial waves of attacks were traced back to infrastructure hosted by Vultr on May 18, followed by a second wave from Dromatics Systems on May 21. The underlying mechanism of CVE-2026-0257 stems from PAN-OS's insufficient validation of authentication override cookies. When the same certificate is used for both HTTPS services and authentication override cookies, attackers can obtain the public key via the HTTPS session. This allows them to forge valid authentication cookies that the device accepts as legitimate without proper signature verification. The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog, mandating federal agencies to mitigate the flaw by June 1, 2026. Organizations using affected GlobalProtect VPN devices are urged to install the latest security updates immediately or disable the authentication override feature, or utilize a distinct certificate for this feature. More information on addressing such vulnerabilities can be found in our Vulnerability Management Strategies guide. How Are State-Sponsored Groups Escalating Cyber Attacks on Critical Infrastructure? Cyber attacks against critical infrastructure sectors are increasingly shifting from espionage to physical disruption, with state-sponsored groups deploying more aggressive tactics. Recent reports highlight a surge in incidents attributed to Iranian-affiliated cyber actors and China-aligned actors, demonstrating advanced capabilities and intent to cause tangible damage. The Polish ABW warned on May 11, 2026, that cyberattacks are moving towards physical disruption, often exploiting poorly secured industrial systems. In March 2026, the LA County Metropolitan Transportation Authority (LACMTA), or LA Metro, experienced internal operational disruptions following a breach linked to Iranian state-sponsored hackers. The pro-Iran hacktivist group Ababil of Minab claimed responsibility, asserting they wiped hundreds of terabytes of data and exfiltrated over 1TB of files, though bus and rail services remained unaffected. Further, on April 7, CISA, the FBI, and the National Security Agency jointly warned that Iranian-affiliated APT actors, including the CyberAv3ngers (aka Shahid Kaveh Group), were exploiting programmable logic controllers across U.S. critical infrastructure in sectors such as Government Services, Water and Wastewater Systems, and Energy. The Stryker Corporation, a major medical technology giant, was hit by a destructive "wiper" attack in March 2026, attributed to an Iran-aligned hacktivist group. This attack, aimed at destroying systems rather than extortion, forced entire offices to shut down operations and exposed vulnerabilities in the healthcare supply chain. Simultaneously, China-aligned actors orchestrated campaigns like "Salt Typhoon" and UAT-7290. Salt Typhoon maintained deep, persistent access inside U.S. telecommunications carriers and government communications through early 2026, mapping critical digital routing infrastructure. UAT-7290 exploited unpatched vulnerabilities in edge network devices of U.S. and allied telecom providers, establishing permanent malware footholds capable of intercepting or shutting down data flows. Adding another layer of complexity, AI-driven ransomware campaigns, utilizing tools like the "Tsundere Bot" and automated scanning, have emerged in Q1/Q2 2026. These campaigns autonomously handle network reconnaissance, scan U.S. municipal utilities for vulnerabilities, and execute credential theft without human intervention, leading to a 62 percent higher cyber attack frequency in the U.S. compared to the global average. A ransomware attack on Brightspeed, a major U.S. broadband and telecommunications provider, in early 2026, disrupted back-end operations and highlighted the vulnerability of localized internet infrastructure to supply-chain extortion. Does a Critical RCE Flaw in Comet Backup Server Expose Customer Data? A critical Remote Code Execution (RCE) vulnerability, CVE-2026-32999, has been identified in Comet Backup server software, posing a severe risk to enterprise backup environments. This flaw carries an alarming CVSS score of 9.1, indicating its high potential for impact and ease of exploitation. The vulnerability affects all Comet Backup product versions prior to 26.4.3 and 26.5.0, making immediate patching essential for self-hosted administrators. The core issue resides in specific administrative branding permissions within the Comet Backup system. A tenant administrator, under certain conditions, can upload custom .dll or .so executables for code signing. Subsequently, the attacker can generate a malicious backup-tool client, which when executed, compromises the platform. This malicious action effectively bypasses established tenancy boundaries, allowing unauthorized code execution within the cometd process. Successful exploitation of CVE-2026-32999 grants threat actors extensive control and access. This includes full access to critical user data stored in the config.cfg file, the ability to harvest backed-up data from remote devices containing the backup-tool client, and the capability to stop, replace, or completely remove the Comet Server installation. Furthermore, the exploit permits code execution on behalf of a privileged user on any connected endpoint, presenting a profound risk to data privacy and system integrity. While Comet Hosted servers have already been automatically upgraded by the vendor, self-hosted deployment teams must manually update their instances to version 26.4.3, 26.5.0, or higher from the official download portal to mitigate the risk of active compromise. What is the Impact of the CIFSwitch Linux Privilege Escalation Flaw? A newly discovered local privilege escalation (LPE) vulnerability, dubbed CIFSwitch, impacts the Linux kernel CIFS subsystem and cifs-utils, allowing unprivileged users to gain root privileges on affected systems. This flaw, introduced nearly two decades ago in 2007, exploits a failure in the Linux kernel's CIFS subsystem to verify the origin of cifs.spnego key requests. The CIFS (Common Internet File System) protocol enables Linux systems to access remote files, folders, and devices over a network, often using Kerberos for authentication. An unprivileged user can forge a cifs.spnego request, which is normally used by the Linux keyring subsystem to obtain authentication data for the CIFS/SMB client. This forged request triggers the normal authentication workflow, deceiving the root-privileged cifs.upcall helper into trusting attacker-controlled fields. By manipulating these fields to force a namespace switch and then triggering a Name Service Switch (NSS) lookup before privileges are dropped, a local attacker can load a malicious NSS module and achieve root code execution. The CIFSwitch vulnerability is not universal and its exploitation depends on several factors, including a vulnerable kernel version (versions 6.14 and higher, with some older variants also affected), a vulnerable cifs-utils version, the availability of user namespaces, and permissive SELinux/AppArmor policies. Distributions confirmed as vulnerable with their default configurations include Linux Mint 21.3/22.3, CentOS Stream 9, Rocky Linux 9, AlmaLinux 9, Kali Linux 2021.4-2026.1, and SLES 15 SP7. Other distributions like Ubuntu, Debian, Pop!_OS, openSUSE, Oracle Linux, and Amazon Linux may also be vulnerable if cifs-utils is installed. A kernel patch (commit 3da1fdf4efbc490041eb4f836bf596201203f8f2) has been implemented upstream to add validation of cifs.spnego request origins. Organizations are advised to disable or blacklist the CIFS module if unused, remove the cifs-utils package if unnecessary, or disable unprivileged user namespaces to mitigate the risk. A proof-of-concept (PoC) exploit for CIFSwitch has been published to aid in validating applied patches and mitigations. Technical Takeaways The DPRK-linked actor FAMOUS CHOLLIMA is using MicrosoftSystem64, a multi-platform RAT, to actively compromise cryptocurrency traders, exfiltrating over 1TB of data including 1,097 credential files and 417 screenshots, leveraging HuggingFace for C2 and data exfiltration. Palo Alto Networks' PAN-OS GlobalProtect VPN is experiencing active exploitation of CVE-2026-0257, a High-severity authentication bypass flaw, with attacks observed from Vultr and Dromatics Systems infrastructure since May 17, 2026. State-sponsored groups, including Iranian-affiliated cyber actors (Ababil of Minab, CyberAv3ngers) and China-aligned actors (Salt Typhoon, UAT-7290), are escalating attacks on critical infrastructure, demonstrating intent for physical disruption and data wiping, as seen with LA Metro and Stryker Corporation. A critical Remote Code Execution (RCE) vulnerability, CVE-2026-32999 (CVSS 9.1), in Comet Backup server allows tenant administrators to achieve full server compromise and data exfiltration if not patched to versions 26.4.3 or 26.5.0 or higher. The CIFSwitch local privilege escalation flaw in the Linux kernel CIFS and cifs-utils allows unprivileged users to gain root access on multiple Linux distributions, stemming from a 19-year-old vulnerability now addressed by kernel patch 3da1fdf. --- ## Nova RALord Ransomware Activity Targets 3 Victims - URL: https://purple-ops.io/blog/nova-ralord-ransomware-activity - Date: 2026-05-30 - Category: Ransomware Report - Tags: nova-ralord, ransomware, threat-intelligence, cybersecurity - Reading time: 5 min **Summary:** Nova (RALord) ransomware led recent activity, impacting 3 new victims across diverse sectors and geographies in the last 24 hours. Nova RALord Ransomware Activity Targets 3 Victims Statistical Overview Victim Totals This month: 760 This quarter: 1538 Year to date: 4163 Last 24h: 16 Quarterly Breakdown Q1: 2631 | Q2: 1538 | Q3: 0 | Q4: 0 Ransomware activity continues to show high volume this quarter, though the last 24-hour period indicates a lower-volume but diverse set of attacks. Nova (RALord) was the most active group in this timeframe, followed by DragonForce and Lapsus. Introduction The past 24 hours saw 16 new ransomware victims reported across varied sectors and geographies. Nova (RALord) emerged as the most active group, followed by DragonForce and Lapsus. Attackers showed broad targeting, impacting industries from automotive and education to manufacturing and technology. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1Nova (RALord)3Bc3 tecnologia, Daegu university ai department, Lti services and larick towingSouth Korea, United StatesAutomotive, Education 2DragonForce2Henry molded products likely to engage tag., Shoreline sightseeingUnited StatesManufacturing, Hospitality & Travel 3Lapsus2Github internal, Ingka group (ikea)Netherlands, United StatesRetail & Ecommerce, Technology / Software 4Bravox1Academyhealth ??United StatesGovernment / Public Sector 5CMD1Lee Law OfficesUnited StatesLegal 6Gunra1StarempireSouth KoreaMedia & Entertainment 7INC Ransom1www.labexpress.comUnited StatesHealthcare 8Kairos1Commune de camiersFranceGovernment / Public Sector 9Krybit1Ecci-srl.comItalyEducation 10PEAR1Plexsupply incUnited StatesRetail & Ecommerce 11Termite1Https://www.imminet.com/United StatesManufacturing 12Titan1Apex maritime co., inc.United StatesTransportation & Logistics Nova (RALord) led the activity with three victims, targeting entities like Daegu University in South Korea and an automotive service provider in the United States. DragonForce, a ransomware group, added two new victims including a manufacturing company and a hospitality business. Lapsus, which has carried out high-profile breaches, claimed two new victims, targeting Github internal and Ingka group (ikea), impacting technology and retail sectors. The CMD ransomware group also reported activity, targeting legal services. Further insights into DragonForce's operations can be found in our deep dive on DragonForce ransomware's real estate and healthcare targeting, and information on the CMD ransomware group is available in our CMD ransomware healthcare and nonprofit blog post. The victim pool showed high diversity across sectors and geographies. The United States experienced the highest concentration of attacks. Victim Distribution By Country United States: 10 South Korea: 2 Brazil: 1 France: 1 Italy: 1 Netherlands: 1 By Industry Software Development: 2 Government: 1 Education: 1 Retail: 1 Entertainment: 1 Higher Education: 1 Heavy-Duty Truck Customization and Repair: 1 Hospitality: 1 Legal Services: 1 Medical Laboratory Services: 1 The United States remains the primary target geography for ransomware operations, accounting for over half of all reported victims in this period. Industry targeting remains fragmented, with no single sector experiencing a concentrated surge. This suggests opportunistic or broadly distributed campaigns rather than specialized attacks. Ransomware News Topline - An in-depth review of a city's recovery from an Interlock ransomware attack shows the critical role of pre-existing incident response plans and effective recovery strategies. Campaigns & Operations - St. Paul, Minnesota, successfully recovered from an Interlock ransomware attack that occurred in July 2025 without paying the ransom. The city's response involved a cross-agency effort, including emergency management, state IT, federal investigators, private cybersecurity partners, and the Minnesota National Guard, all guided by a solid incident response plan and nightly backups. Vulnerabilities & TTPs - The recovery prioritized essential services like 911 and payroll, with full restoration by the third week of August. A full "Operation Secure St. Paul" initiative involved a large-scale password reset for over 3,000 employees, enforcement of multi-factor authentication (MFA), device checks, and enhanced endpoint detection. National Guard FirstNet connectivity provided support for these efforts. Analyst Note - This incident shows proactive preparedness, including strong incident response frameworks and complete backup regimes, helps mitigate ransomware impact and avoid ransom payments. Technical Takeaways Nova (RALord) was the most active ransomware group in the past 24 hours, observed with three new victims. Ransomware activity remains globally distributed, with new victims reported across North America, Asia, and Europe. The United States represents the main target geography, accounting for 10 of the 16 reported victims. Industry targeting is diverse, with no single sector experiencing significant concentration of attacks. Organizations including Github internal and Ingka group (ikea) were impacted by the Lapsus ransomware group. --- ## Palo Alto GlobalProtect CVE-2026-0257 Actively Exploited - URL: https://purple-ops.io/blog/cve-2026-0257-palo-alto-globalprotect - Date: 2026-05-30 - Category: CVE Analysis - Tags: palo-alto, globalprotect, cve-2026-0257, authentication-bypass, actively-exploited - Reading time: 5 min | CVSS: 9.8 **Summary:** Palo Alto Networks PAN-OS GlobalProtect CVE-2026-0257 is a critical authentication bypass actively exploited. Palo Alto GlobalProtect CVE-2026-0257 Actively Exploited Palo Alto Networks' PAN-OS, specifically its GlobalProtect VPN gateways, has a critical authentication bypass vulnerability, CVE-2026-0257. This flaw allows unauthenticated remote attackers to gain unauthorized access to enterprise networks, circumventing security perimeters. Active exploitation of CVE-2026-0257 has been confirmed, leading to its inclusion in the CISA Known Exploited Vulnerabilities catalog on May 29, 2026. The vulnerability stems from an insecure authentication token validation process within the GlobalProtect feature. A critical signature verification step is omitted after token decryption. Threat actors are using this defect to forge valid session cookies, bypassing normal authentication and gaining unauthorized access. Attacks have been observed in multiple waves, with initial signs dating back to May 17, 2026, and continuing with a secondary wave on May 21st. Organizations using affected Palo Alto Networks PAN-OS configurations should prioritize immediate patching or apply vendor-supplied mitigation steps. Failure to address CVE-2026-0257 can result in severe compromise, including full internal network access, as observed in active campaigns. What is CVE-2026-0257 and why is it critical? CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS appliances when configured with specific GlobalProtect VPN settings. It is critical because it permits unauthenticated remote attackers to bypass the authentication process, leading directly to unauthorized access to an organization's internal network resources. Its active exploitation makes it an immediate threat to any vulnerable environment. The flaw allows an adversary to assume an authenticated state without providing legitimate credentials, nullifying a primary security control. This direct circumvention of authentication mechanisms is a severe security defect; it undercuts the principle of verifying user identity before granting network access. Such vulnerabilities often enable attackers to establish a foothold for lateral movement, data exfiltration, deploying additional malicious payloads, or maintaining persistent access within the compromised network. The observed exploitation, including successful acquisition of VPN IP assignments and subsequent internal network access, shows the risk CVE-2026-0257 poses to corporate environments globally. Impact An attacker successfully exploiting CVE-2026-0257 can achieve a total authentication bypass on vulnerable Palo Alto Networks PAN-OS GlobalProtect VPN Gateways. This allows unauthorized access to enterprise perimeter networks, nullifying the security posture provided by the VPN. The direct consequence is that threat actors can establish an authenticated session, granting them a foothold within the corporate network. The real-world reach of this vulnerability is broad. Observed exploitation campaigns have demonstrated that attackers can obtain full internal network access after successfully receiving a VPN IP assignment through this bypass. This level of access can lead to severe compromises, including unauthorized access to sensitive data, deployment of malware, lateral movement within the network, and establishment of persistent access. Organizations that rely on GlobalProtect for secure remote access and have configurations vulnerable to CVE-2026-0257 are at immediate risk of network intrusion and internal system compromise. This type of authentication bypass, where cryptographic weaknesses allow for forged credentials, is similar to other critical vulnerabilities, such as the FortiOS authentication bypass that has also seen active exploitation. Exploitation chain Exploitation of CVE-2026-0257 by threat actors relies on a specific configuration and a critical validation flaw within the Palo Alto Networks PAN-OS GlobalProtect authentication override mechanism. The attack vector is remote and unauthenticated, targeting the server-side processing of authentication tokens. The vulnerability's technical foundation lies within a specialized access feature designed to simplify the user login experience for GlobalProtect portals and gateways. This feature enables the issuance of authentication cookies to previously authenticated users, allowing them to use these tokens for future web communications without re-supplying raw credentials. A critical validation defect exists within the core binary decryption handler responsible for processing these tokens. When an incoming authentication token is base64-decoded and subsequently decrypted using a private key, the decrypted content is then implicitly trusted. The critical flaw is the complete absence of any signature verification after this decryption process. The preconditions for successful exploitation are crucial: the vulnerability specifically affects devices configured to reuse the primary portal certificate across multiple network features. This includes scenarios where the primary portal certificate, typically used for public HTTPS services, is also employed for encrypting and decrypting GlobalProtect authentication tokens. In such cases, a remote unauthenticated attacker can capture the public key associated with this shared certificate. With the public key in hand, the adversary can then construct and encrypt their own forged, valid security cookies. When these maliciously crafted cookies are presented to the vulnerable PAN-OS appliance, the device processes them server-side, implicitly trusting the decrypted content due to the missing signature check. As a direct result, the appliance grants the attacker unauthorized access, leading to a total authentication bypass. Active exploitation of CVE-2026-0257 has been observed. Forensic investigators noted the earliest signs of unauthorized access attempts on May 17, 2026. During this initial wave, attackers launched authentication probes from the Vultr hosting infrastructure. A secondary wave of attacks was identified on May 21st, employing a different infrastructure provider, Dromatics Systems. Despite the shift in network location, investigators identified a consistent MAC address across both campaigns, suggesting a singular threat group is leading these operations. In the second observed wave, hackers successfully used the vulnerability to obtain full internal network access after being assigned a VPN IP. For further context on critical exploits in Palo Alto Networks products, refer to our prior analysis of CVE-2024-3400. Affected products and versions The CVE-2026-0257 authentication bypass vulnerability affects Palo Alto Networks PAN-OS when configured in specific scenarios related to its GlobalProtect feature. Product: Palo Alto Networks PAN-OS Component: GlobalProtect portal and gateway functionality. Affected Configurations: The vulnerability affects appliances running PAN-OS with GlobalProtect VPN configurations that reuse the primary portal certificate across multiple network features. Devices are vulnerable if the certificate used for public HTTPS services is also employed for issuing and validating GlobalProtect authentication tokens. Version Information: Research findings do not specify particular PAN-OS version numbers affected by CVE-2026-0257. The vulnerability's exploitability is tied to the certificate management configuration rather than a specific software version range. Detection Detecting exploitation of CVE-2026-0257 can be challenging; standard network monitoring tools might not immediately identify the underlying cookie validation anomaly. Several indicators can point to potential or active compromise: Unusual GlobalProtect VPN Connections: Monitor for successful GlobalProtect VPN connections from external IP addresses not typically associated with legitimate organizational users or established VPN client pools. This includes connections from known suspicious IP ranges or unexpected geographic locations. Anomalous Authentication Attempts: Review authentication logs for the GlobalProtect portal and gateway for unusual login patterns. Look for a high volume of authentication probes or successful logins from IP addresses associated with known hosting providers or suspicious autonomous systems, such as Vultr or Dromatics Systems, which have been linked to observed exploitation. VPN IP Assignment Without Credential-Based Authentication: Investigate any instances where a client or user account is assigned a GlobalProtect VPN IP address without a preceding successful credential-based authentication event. This indicates a potential bypass of the standard login process. Irregular Cookie Structures/Token Exchanges: If deep packet inspection or advanced network traffic analysis capabilities are in place, look for anomalies in the structure or exchange of GlobalProtect authentication cookies that might indicate tampering or forgery. This would involve identifying tokens that bypass typical signature validation flows. Certificate Usage Review: Review internal certificate management logs and configurations to identify instances where the primary portal certificate is being used for both public HTTPS services and GlobalProtect authentication token management. This specific configuration is a precondition for CVE-2026-0257 exploitation. While CVE-2026-0257 involves an authentication bypass, similar issues in other vendors have involved authentication bypasses, as discussed in our analysis of a Cisco SD-WAN flaw. Remediation Immediate remediation is critical for organizations operating Palo Alto Networks PAN-OS with affected GlobalProtect configurations, given the active exploitation of CVE-2026-0257. Patching: Upgrade Palo Alto Networks PAN-OS perimeter appliances to vendor-supplied patches urgently. Organizations should consult the official security advisory for CVE-2026-0257 provided by Palo Alto Networks for specific patch versions and deployment instructions. The vendor's advisory is available at security.paloaltonetworks.com/CVE-2026-0257. Workarounds (if immediate patching is not possible): Disable Authentication Override: As an emergency configuration adjustment, administrators can disable the authentication override feature within the GlobalProtect portal dashboard. This action will prevent the issuance and acceptance of authentication cookies, removing the vulnerability vector. Unique Certificate for Cookie Management: Alternatively, engineers can generate and configure a unique, dedicated certificate exclusively for GlobalProtect cookie management. This new certificate must not be reused across other public-facing HTTPS services, breaking the precondition that allows attackers to obtain the public key for forging tokens. Enhanced Monitoring: Implement continuous monitoring for unauthorized access attempts and post-exploitation activities, particularly focusing on GlobalProtect VPN gateways. This includes scrutinizing VPN connection logs, authentication failure/success events, and any unusual internal network activity from VPN-assigned IP addresses. Technical Takeaways CVE-2026-0257 is an actively exploited authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect. The vulnerability is a cryptographic bypass, stemming from the implicit trust of decrypted authentication tokens without subsequent signature verification. Successful exploitation relies on the misconfiguration of certificate management, specifically the reuse of the primary portal certificate across public-facing services and GlobalProtect cookie management. Observed attacks have resulted in threat actors gaining full internal network access after successfully bypassing authentication. Immediate patching or applying specific configuration workarounds, such as disabling authentication override or using a unique certificate for cookie management, are critical for reducing the threat. --- ## Palo Alto CVE-2026-0257 Exploit Bypasses GlobalProtect - URL: https://purple-ops.io/blog/palo-alto-cve-2026-0257-exploit - Date: 2026-05-30 - Category: Threat Intelligence - Tags: palo-alto, cve-2026-0257, globalprotect, vulnerability, ai-attacks - Reading time: 5 min **Summary:** Palo Alto Networks CVE-2026-0257, a medium-severity authentication bypass, is actively exploited, allowing unauthorized GlobalProtect VPN connections. Palo Alto CVE-2026-0257 Exploit Bypasses GlobalProtect Recent cybersecurity intelligence shows offensive capabilities have increased significantly. Attackers are actively exploiting critical network infrastructure vulnerabilities and using artificial intelligence in their operations. A medium-severity authentication bypass vulnerability, CVE-2026-0257, affecting Palo Alto Networks PAN-OS and Prisma Access GlobalProtect, is being actively exploited. This flaw allows unauthorized VPN connections and access to internal networks, creating an immediate, severe risk for organizations globally. Cybersecurity firm Rapid7 observed successful exploitation of CVE-2026-0257 across many customers. Initial attempts were recorded on May 17, 2026, followed by a second wave on May 21, 2026. The consistent tactics suggest a single, persistent threat actor is behind these campaigns, using the vulnerability to get direct entry into targeted environments. The observed activity involves attackers being assigned VPN IP addresses, confirming their ability to bypass authentication and establish unauthorized network presence. Beyond these critical infrastructure compromises, new, sophisticated Russian-linked actors like GREYVIBE integrate generative AI into multi-vector campaigns against Ukrainian entities. An unknown threat actor also used a large language model (LLM) agent to manage complex post-exploitation activities after a Marimo remote code execution (RCE) via CVE-2026-39987. At the same time, a large npm dependency confusion attack infiltrated corporate developer ecosystems, exploiting supply chain weaknesses to deliver reconnaissance payloads. These incidents show a dynamic threat environment where attackers quickly weaponize both known vulnerabilities and new attack methods. How attackers exploit CVE-2026-0257 in PAN-OS GlobalProtect Attackers are actively using CVE-2026-0257, an authentication bypass vulnerability within the Palo Alto Networks PAN-OS software and Prisma Access GlobalProtect portal and gateway, to establish unauthorized VPN connections. This flaw, with a CVSS score of 7.8, affects firewalls configured with the GlobalProtect portal or gateway when authentication override cookies are enabled and a specific certificate configuration is present. Successful exploitation of this vulnerability gives attackers the ability to bypass security restrictions at the network perimeter. Palo Alto Networks disclosed the vulnerability on May 13, 2026, and later confirmed active exploitation by May 29, 2026. Rapid7 provided more details, identifying successful exploitation attempts dating back to May 17, 2026, with a surge observed on May 21, 2026. The consistency in attack patterns suggests a single threat actor orchestrated both waves of exploitation. During these attacks, Rapid7 confirmed instances where attackers were successfully assigned VPN IP addresses, meaning they had established an unauthorized presence within victim internal networks. No immediate follow-on activity was reported in the directly compromised customer environments. However, establishing a VPN session represents a critical breach of perimeter defenses. An authentication bypass on an edge-facing enterprise VPN appliance can have severe implications, potentially serving as a persistent backdoor for future malicious operations. Organizations should apply vendor-supplied patches quickly. Temporary mitigation strategies include disabling the authentication override feature entirely or generating a new, unique certificate exclusively for the authentication override feature. This flaw directly compromises perimeter defenses, allowing adversaries to bridge external access to internal systems. The new Russia-linked GREYVIBE group and its AI-powered tactics GREYVIBE, a previously undocumented Russian-speaking threat actor, has targeted various Ukrainian and Ukraine-related entities since at least August 2025. The group uses generative artificial intelligence (GenAI) and large language models (LLMs) to improve its operations. Identified by WithSecure, the group's activities align with Kremlin state interests, focusing on intelligence gathering for the Russo-Ukrainian war. Victims include military, government, civilian, and business organizations, showing a broad mandate. GREYVIBE uses multiple attack vectors and custom tools. Its attack chains include: PhantomMail: Spear-phishing emails deliver malicious ZIP or RAR archives, often hosted on Google Drive or 4sync. These archives contain JavaScript-based loaders that launch decoy documents and deploy PhantomRelay, a PowerShell-based remote access trojan (RAT) for host profiling and script execution. PhantomClick: This vector uses ClickFix-style fake CAPTCHA pages on bogus domains that pretend to be legitimate services like Zoom or LAPAS. Users are tricked into executing commands that start a PhantomRelay infection. PrincessClub: Fake Ukrainian adult-club websites deliver malware. On Android, it deploys FallSpy, an Android spyware for sensitive data harvesting. On Windows, it delivers PhantomRelayV1 or LegionRelay, a lightweight PowerShell-based RAT capable of file enumeration, exfiltration, screenshot capture, browser data theft, and Telegram and WhatsApp data exfiltration. Later versions included WebRTC-based live call features to capture audio and video. DroneLink: Websites impersonating charitable foundations supporting the Armed Forces of Ukraine distribute WireGuard and LegionRelay. Nebo: A FallSpy sample mimicking a Russian-language login screen attempts to deceive Ukrainian military personnel into compromising their devices. The group uses AI platforms such as Ideogram AI, OpenAI ChatGPT, and Google Gemini for image generation, malware development (e.g., LegionRelay), obfuscation, loader scripts, backend infrastructure, and post-compromise commands. This AI integration helps GREYVIBE overcome technical expertise gaps, speed up development, and reduce reliance on known tools that could help with attribution. This shows a trend among threat actors, including those like APT28, who also use AI in their campaigns, as detailed in our analysis of APT28's LLM-powered phishing and custom malware. Despite its nation-state affiliations, GREYVIBE has ties to the broader Russian cybercrime ecosystem. Some members may be current or former cybercriminal actors. Evidence includes possible access to an ISO builder linked to the TrickBot gang and UAC-0098, the presence of PhantomRelay variants in unrelated cybercrime activities (such as Microsoft Teams voice phishing campaigns and KongTuke delivery chains), early development samples uploaded to VirusTotal, the use of internet slang in development artifacts, and the deployment of the XMRig miner on some infected machines. This group operates in a complex area between cybercrime and state-affiliated operations, making traditional attribution difficult. For more on the activities of Russian-linked APTs and new malware campaigns, further research provides context. The group's activities show an increasing trend of state-affiliated actors mixing with cybercriminal elements and using advanced AI for offensive purposes. How an LLM agent conducted post-exploitation after a Marimo RCE An unknown threat actor recently used a large language model (LLM) agent to automate sophisticated post-compromise actions. This development was observed after the exploitation of a publicly-accessible Marimo network via CVE-2026-39987. This critical pre-authenticated remote code execution (RCE) vulnerability affects all Marimo versions up to and including 0.20.4, allowing an unauthenticated attacker to execute arbitrary system commands. The flaw has been addressed in version 0.23.0. Sysdig documented this incident on May 10, 2026. The attack chain lasted just over an hour. The attacker first compromised a vulnerable Marimo notebook, then quickly moved through several stages: Credential Extraction: Two cloud credentials were taken from the compromised host. Key Retrieval: These credentials were used through a fanned-out egress pool to get an SSH private key from AWS Secrets Manager. SSH Pivoting: The retrieved SSH key was used for eight short, parallel SSH sessions against a downstream SSH bastion server. Data Exfiltration: During the bastion phase, the threat actor exfiltrated the schema and entire contents of an internal PostgreSQL database in under two minutes. Sysdig identified four key indicators that an LLM agent was driving the post-exploitation activity: Schema Agnosticism: The attacker improvised a database dump without prior knowledge of the PostgreSQL schema. The agent adapted to the database structure to find and exfiltrate sensitive data. Planning Comment Leak: A Chinese-language planning comment, "看还能做什么" (translating to "See what else we can do"), was leaked into the command stream during a credential search, indicating an automated planning process. Machine-Consumable Commands: Every command executed was designed for machine consumption, featuring "---" delimiters for separation, bounded output captures, disabled "less" command usage, and discarded error streams (stderr) to minimize noise for an automated parser. Value Handoffs: Critical values, such as database passwords, were extracted and immediately fed as input into subsequent actions. This shows the agent's ability to chain commands dynamically based on previous outputs (e.g., cat ~/.pgpass followed by commands using the extracted password, or ls confirming an SSH key's presence before cat to print its contents). This incident shows a shift from scripted attacks to adaptive, agent-driven operations where the "bar becomes inference budget, not playbook authorship." While a human operator might abort or use hard-coded options when facing an unexpected environment, an AI agent can interpret the surprise, decide what to try next, and continue the attack. This incident is a documented example of an AI agent adaptively driving an entire post-exploitation sequence, showing a change in automated offensive capabilities. The recent npm dependency confusion attack against corporate networks A single threat actor, using the maintainer accounts mr.4nd3r50n, ce-rwb, and t-in-one, launched a large npm dependency confusion attack on May 28 and May 29, 2026. This sophisticated campaign targeted "prominent corporate environments" by impersonating internal corporate packages across nine different organizational scopes. Microsoft Threat Intelligence researchers identified dozens of rogue packages published during two concentrated bursts, designed to infiltrate modern software developer pipelines. The attacker registered multiple scopes that exactly mirrored real internal corporate namespaces, including cloudplatform-single-spa, payments-widget, and sber-ecom-core. To ensure the malicious code took precedence during dependency resolution, the actor used inflated version numbers, often 100.100.100. This technique exploits the common development practice where package managers prioritize higher version numbers, tricking developer systems into installing the malicious lookalike instead of the authentic internal asset. The infection chain activates automatically by abusing lifecycle hooks. The malicious packages declare an automatic install-time script hook, primarily using the postinstall parameter, which immediately executes a hidden script named postinstall.js upon standard installation. This stager, about seven kilobytes of heavily obfuscated JavaScript, uses complex obfuscator.io-style formatting, including string array encoding and control flow flattening, to avoid detection and manual analysis. It also includes self-defending routines to prevent modification or analysis. Before downloading its final spy payload, the deobfuscated stager processes an intricate eight-stage validation routine: CI Environment Check: Detects continuous integration environments to avoid monitored developer pipelines, quietly stopping if a testing environment is found. Node.js Version Check: Checks the active Node.js layout version for compatibility. Cache Deduplication: Creates a unique local folder path to log prior installations, exiting if a valid cache entry exists to prevent repeated network connections. If these checks pass, an HTTPS GET request retrieves the primary payload binary from a remote server. The payload operates silently in a "reconnaissance-only" mode by default, collecting system information, hostnames, environment variables, and developer context. The threat actor can remotely toggle an environment variable named RECON_ONLY to switch to full exploitation capabilities, enabling credential theft, data exfiltration, or secondary backdoor deployment. Forensic metadata analysis linked the three maintainer accounts to a single operator through a shared hardcoded authentication value, l95HdDaz3kQx1Zsg3WxH6HvKANf51RY1. This value was consistently sent as an X-Secret HTTP header on every outbound C2 request from all packages across the three accounts. Historical registry data also indicates the actor transitioned from a legitimate bug bounty researcher in April 2024 to deploying active malware two years later. The C2 domain used for payload retrieval is oob.moika.tech. This campaign shows that supply chain attacks targeting developer pipelines through dependency confusion remain effective. Technical Takeaways CVE-2026-0257 in Palo Alto Networks PAN-OS GlobalProtect is under active exploitation, allowing unauthorized VPN connections and internal network access. The GREYVIBE group, a newly identified Russian-linked threat actor, uses generative AI and large language models in its multi-vector cyber espionage campaigns targeting Ukrainian entities. An LLM agent orchestrated post-exploitation activities, including credential theft from AWS Secrets Manager and PostgreSQL database exfiltration, after exploiting Marimo CVE-2026-39987. A recent npm dependency confusion attack infiltrated "prominent corporate environments" by spoofing package names and using the postinstall lifecycle hook to deliver reconnaissance payloads. Threat actors are increasingly integrating AI into malware development and post-exploitation activities. This challenges traditional detection methods and speeds up offensive capabilities. --- ## IBM WebSphere CVE-2026-8633 RCE (CVSS 9.8) - URL: https://purple-ops.io/blog/ibm-websphere-cve-2026-8633-rce - Date: 2026-05-30 - Category: CVE Analysis - Tags: ibm, websphere, cve-2026-8633, rce, application-server - Reading time: 5 min | CVSS: 9.8 **Summary:** IBM WebSphere CVE-2026-8633 is a critical RCE vulnerability (CVSS 9.8) affecting WebSphere Application Server using web server plug-ins. IBM WebSphere CVE-2026-8633 RCE (CVSS 9.8) IBM has issued an urgent security bulletin about a critical remote code execution (RCE) vulnerability, CVE-2026-8633, in its WebSphere Application Server software. This vulnerability impacts installations using optional web server plug-ins. It has a CVSS base score of 9.8, which classifies it as critical severity. Administrators must act promptly to address this security flaw. The vulnerability allows an unauthenticated attacker to execute arbitrary commands on the host environment via a specially crafted request. This severely risks the confidentiality, integrity, and availability of systems running affected WebSphere Application Server instances. A secondary vulnerability, CVE-2026-8620, related to HTTP request smuggling, was also addressed alongside the primary RCE flaw. Administrators should prepare for immediate deployment of the latest software to mitigate these threats. IBM developed a permanent fix, APAR PH71342. This fix will be delivered through upcoming Fix Packs for affected WebSphere Application Server traditional and WebSphere Application Server Liberty versions. What is CVE-2026-8633 and why is it critical? CVE-2026-8633 is a critical remote code execution vulnerability affecting IBM WebSphere Application Server with a CVSS base score of 9.8. This high severity score reflects the potential for an unauthenticated attacker to execute arbitrary commands on the underlying host environment without requiring prior authentication. The flaw specifically resides within the Web Server Plug-ins component of WebSphere Application Server when they are in use. CVE-2026-8633 is critical for several reasons. First, arbitrary code execution grants attackers extensive control over a compromised system. This can lead to complete system compromise, data exfiltration, service disruption, or persistent access within an organization's network. Second, the attack is unauthenticated. Adversaries do not need valid credentials or to bypass existing authentication to exploit it. This lowers the barrier for attackers, making it a more accessible target for various threat actors. Third, the target is WebSphere Application Server, a core component in many enterprise infrastructures. It frequently handles sensitive data and business-critical applications. Compromising such a central component can have widespread, severe implications across an organization. The vulnerability's presence in Web Server Plug-ins indicates an issue in how these components process specially crafted requests. These plug-ins act as intermediaries between a web server (like Apache HTTP Server or IBM HTTP Server) and the WebSphere Application Server instance, directing requests to the correct application server. A flaw at this layer can allow malicious input to bypass security controls and reach the underlying application server or its host operating system in a way that facilitates code execution. The urgency of this vulnerability shows the immediate threat it poses to any organization running affected WebSphere Application Server versions with the optional web server plug-ins deployed. Impact An attacker exploiting CVE-2026-8633 can achieve full remote code execution on the host where IBM WebSphere Application Server runs. This allows them to run arbitrary commands, gaining control over the server. Such a compromise has extensive implications, affecting the system's confidentiality, integrity, and availability, and potentially other interconnected resources. The CVSS score of 9.8 rates the vulnerability as critical, its highest level of severity. Organizations using the optional web server plug-ins with WebSphere Application Server are at risk. These plug-ins are common in enterprise deployments for load balancing, routing, and other functions, expanding the attack surface. An unauthenticated attacker can use this flaw to: Execute System Commands: Run operating system commands with the privileges of the WebSphere Application Server process, potentially escalating privileges to gain root or administrator access. Deploy Malicious Payloads: Install malware, backdoors, or other malicious software on the server for persistent access or to establish a foothold for lateral movement within the network. Exfiltrate Sensitive Data: Access and steal confidential data processed or stored on the server, including customer information, intellectual property, and system configurations. Disrupt Services: Cause denial-of-service conditions by tampering with server configurations, deleting critical files, or overloading system resources. Establish Persistent Access: Create new user accounts, modify existing ones, or install web shells to maintain access even after initial exploitation. This vulnerability affects enterprise web applications and middleware solutions globally. IBM WebSphere Application Server is a foundational technology for many large organizations. Compromising these critical backend systems can lead to operational disruptions, financial losses, and reputational damage. This situation resembles other critical unauthenticated RCE vulnerabilities that have threatened enterprise infrastructure, as discussed in our prior analysis of CVE-2026-45695 RCE. Exploitation Chain Attackers exploit CVE-2026-8633 through specially crafted HTTP requests targeting the Web Server Plug-ins component of IBM WebSphere Application Server. An unauthenticated attacker can access the vulnerability; no prior credentials or session tokens are required to initiate the attack. This broadens the scope of adversaries, as anyone with network access to the vulnerable plug-in can attempt exploitation. Successful exploitation requires deploying the optional Web Server Plug-ins with WebSphere Application Server. These plug-ins usually integrate with external web servers like IBM HTTP Server, Apache HTTP Server, or Microsoft IIS, acting as a proxy or redirector for requests to WebSphere Application Server. When a specially crafted request is sent to the web server and forwarded to the plug-in, a vulnerability in the plug-in's parsing or handling logic allows arbitrary code injection and execution on the underlying WebSphere Application Server host. The public advisory does not detail the "specially crafted request." However, such vulnerabilities often involve malformed headers, unexpected parameters, or payload injection to bypass input validation. This unauthenticated RCE capability poses a critical threat, requiring prompt patching. Our research team previously covered a related vulnerability in this product; details on an IBM WebSphere RCE flaw are here. Also, a secondary vulnerability, CVE-2026-8620, introduces HTTP request smuggling opportunities. HTTP request smuggling exploits discrepancies in how two HTTP devices (e.g., a frontend proxy and a backend server) interpret HTTP request boundaries. This can lead to an attacker "smuggling" an additional request within a legitimate one, or causing the backend server to process part of the attacker's request as the start of a subsequent request. Successful HTTP request smuggling can have consequences such as: Bypassing security controls: Attackers can bypass web application firewalls (WAFs) or intrusion prevention systems (IPS) by concealing malicious payloads within legitimate traffic. Unauthorized access: Gaining access to sensitive endpoints or internal services that would otherwise be protected. Cache poisoning: Manipulating web caches to serve malicious content to other users. Cross-site scripting (XSS) or other injection attacks: Delivering payloads to other users through manipulated backend responses. Chaining with other vulnerabilities: Request smuggling can facilitate other attacks, potentially leading to further compromise. The advisory does not explicitly mention public Proof-of-Concept (PoC) exploits or confirmed in-the-wild exploitation for either CVE-2026-8633 or CVE-2026-8620 at publication. However, the "urgent security bulletin" designation and high CVSS score indicate a critical risk demanding immediate attention, regardless of public PoC availability. The potential for unauthenticated RCE makes these vulnerabilities attractive targets for adversaries. Which IBM WebSphere versions are affected by CVE-2026-8633? The IBM WebSphere Application Server versions affected by CVE-2026-8633 and CVE-2026-8620 include both traditional and Liberty profiles. Specific product lines and version ranges requiring immediate attention are: IBM WebSphere Application Server traditional: Version 8.5 (all fix packs). Version 9.0 (all fix packs). IBM WebSphere Application Server Liberty: Version 8.5 (all fix packs). Version 9.0 (all fix packs). Note that the vulnerability impacts "installations that utilize optional web server plug-ins." While the core WebSphere Application Server product is identified, the specific configuration involving these plug-ins is a prerequisite for CVE-2026-8633 exploitation. Organizations using these versions should check if their deployments include the optional web server plug-ins. Both traditional and Liberty versions are affected, demonstrating the flaw's pervasive nature across different deployment models of the WebSphere Application Server platform. WebSphere Application Server traditional is the long-standing, full-profile version, known for its complete feature set for large, complex enterprise deployments. WebSphere Application Server Liberty is a lightweight, dynamic, modular application server for cloud-native applications, microservices, and development environments, offering a smaller footprint and faster startup times. That both major deployment profiles are affected shows the vulnerability's fundamental nature. Detection Detecting exploitation attempts for CVE-2026-8633 and CVE-2026-8620 requires a full security monitoring strategy, especially without specific vendor-provided Indicators of Compromise (IOCs) or signature-based detection methods in the immediate public advisory. Since CVE-2026-8633 involves specially crafted requests to Web Server Plug-ins leading to remote code execution, monitoring network traffic and server logs for anomalous patterns is essential. Focus detection efforts on these key areas: Network Intrusion Detection/Prevention Systems (NIDS/NIPS): While no specific signatures are available at this time, NIDS/NIPS should flag unusual HTTP request patterns targeting WebSphere Application Server endpoints, especially those handled by web server plug-ins. Look for: Unexpected HTTP methods or headers. Unusually long or malformed URL paths and parameters. Rapid successive requests from a single source IP address targeting varied paths, potentially indicating probing or scanning activity. Requests containing shell commands or suspicious code snippets within HTTP headers or body, particularly if URL-encoded or obfuscated. Web Server and Application Server Logs: Review access logs from the web server (e.g., IBM HTTP Server, Apache HTTP Server) and the WebSphere Application Server for anomalies. Web Server Logs: Monitor for unusual HTTP status codes (e.g., 500-level errors following malformed requests) or requests to unusual resource paths. WebSphere Application Server Logs: Look for error messages, security exceptions, or logs indicating unexpected process execution, particularly if originating from unauthenticated sessions. Activity associated with newly created processes or execution of shell commands within the WebSphere Application Server process space highly indicates compromise. Endpoint Detection and Response (EDR) Systems: EDR solutions deployed on the WebSphere Application Server host are valuable for identifying post-exploitation activities. Monitor for unusual child processes spawned by the WebSphere Application Server process (e.g., cmd.exe, powershell.exe, bash, sh), and detect unexpected file writes, modifications to system configuration files, or creation of new executable files in unusual directories. Alert on outbound network connections initiated by the WebSphere Application Server process to suspicious external IP addresses or domains. Security Information and Event Management (SIEM) Systems: Aggregate logs from NIDS/NIPS, web servers, application servers, and EDR systems into a SIEM for centralized analysis and correlation. Develop correlation rules to detect sequences of suspicious events that could indicate an exploitation attempt followed by post-exploitation activity. For CVE-2026-8620 (HTTP request smuggling), detection is more complex. Monitoring for discrepancies in how different components interpret request lengths (e.g., Content-Length vs. Transfer-Encoding headers) can be challenging but critical. Look for: Frontend server logs showing different request sizes or truncated requests compared to backend server logs for the same transaction. Unexpected responses or errors from backend servers that do not correspond to the apparent request sent to the frontend. These critical vulnerabilities require ongoing proactive monitoring and establishing a baseline of normal server behavior to identify and respond to potential exploitation attempts effectively. Remediation Remediation for CVE-2026-8633 and CVE-2026-8620 involves applying official IBM patches. IBM developed a permanent fix, APAR PH71342, to address the underlying architectural flaws. This fix will integrate into upcoming Fix Packs for the affected WebSphere Application Server versions. The following steps outline the recommended remediation process: Patch Application: Monitor the official IBM support portal and security bulletins for the release of Fix Packs that include APAR PH71342. Once available, download and apply the relevant Fix Packs for all affected IBM WebSphere Application Server traditional and WebSphere Application Server Liberty installations. Ensure that both Version 8.5 and Version 9.0 instances are updated to the latest secure levels. Applying these Fix Packs is the most effective and recommended mitigation. Adhere strictly to IBM's official patching instructions for proper installation and to avoid operational downtime. Testing Updates: Prior to deploying patches in production, rigorously test the updates on non-production systems that mirror your production setup. This practice helps to identify and mitigate potential compatibility issues or regressions that could arise from the patch application. Verify that critical applications and functions continue to operate as expected post-patch. Mitigation for HTTP Request Smuggling (CVE-2026-8620): In conjunction with the Fix Packs addressing CVE-2026-8633, the vendor's official request smuggling patch should be implemented. While this is likely included in the Fix Packs, administrators should confirm its application. Review and configure intermediate network devices such as load balancers, proxies, and web application firewalls to strictly enforce HTTP protocol parsing. Ensuring consistent interpretation of HTTP request boundaries across all network components can help mitigate request smuggling attacks. System Hardening and Monitoring: After patching, conduct a thorough review of system configurations for security best practices. Implement strong monitoring solutions to detect any unusual activity that might indicate lingering vulnerabilities or new threats, such as unexpected errors, unauthorized access attempts, or unusual process executions. Regularly update all IT infrastructure components, not just WebSphere, to reduce the overall attack surface. This includes operating systems, underlying web servers, and other middleware. For instance, addressing vulnerabilities in other critical IBM products is also important, as shown in our analysis of IBM ELM Jazz CVE-2026-3660. Proactively applying these security fixes is crucial to securing corporate networks and ensuring the long-term integrity of enterprise web applications against these critical vulnerabilities. Technical Takeaways CVE-2026-8633 is an unauthenticated remote code execution vulnerability in IBM WebSphere Application Server with a CVSS score of 9.8. The vulnerability affects WebSphere Application Server traditional and WebSphere Application Server Liberty versions 8.5 and 9.0 when optional web server plug-ins are utilized. Exploitation involves a specially crafted request to the Web Server Plug-ins, allowing an attacker to execute arbitrary commands on the host environment. A related vulnerability, CVE-2026-8620, addresses HTTP request smuggling opportunities, which can be chained with other attacks. Remediation requires applying upcoming Fix Packs containing APAR PH71342 for both vulnerabilities, emphasizing urgent deployment after thorough testing. --- ## 25 New Ransomware Victims as Com Ecosystem Expands - URL: https://purple-ops.io/blog/ransomware-victims-com-ecosystem - Date: 2026-05-29 - Category: Ransomware Report - Tags: ransomware-victims, the-gentelman, com-ecosystem, extortion, ransomware-trends - Reading time: 5 min **Summary:** 25 new ransomware victims were reported as The Com ecosystem emerges, expanding the overall ransomware and extortion threat landscape. 25 New Ransomware Victims as Com Ecosystem Expands Statistical Overview Victim Totals This month: 744 This quarter: 1522 Year to date: 4147 Last 24h: 25 Quarterly Breakdown Q1: 2631 | Q2: 1522 | Q3: 0 | Q4: 0 Ransomware activity maintains a consistent pace and contributes to the overall victim count this quarter, with many new compromises reported. Introduction The past period saw 25 new ransomware victims, showing persistent activity across diverse sectors and geographies. The_Gentelman emerged as the most active group, accounting for four of these incidents. Primary target sectors included Legal Services and Healthcare, while the United States remained the most frequently impacted country. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1The Gentelman4Corporacion prokompra, Fonderia corra, Grupo premier (+1)Italy, MexicoAgriculture & Food, Manufacturing 2Akira2Interstate roofing, Schacht law officeUnited StatesConstruction & Engineering, Legal 3CMD2Capital Family Physicians, Heart of America Eye CareUnited StatesHealthcare 4Chaos2Entransinternational.com, Powerhousenow.comUnited StatesManufacturing, Professional Services 5Everest2Asopagos s.a., ЕрмUnited Kingdom, ColombiaGovernment / Public Sector, Professional Services 60day-syndicate1Braincell braincell.sa rfcargo.braincell.solutions rf.braincell.solutions governata.comSaudi ArabiaTechnology / Software 7AiLock1Restorative therapies, inc.United StatesManufacturing 8Genesis1Peña & brombergUnited StatesLegal 9Gunra1SomafixFranceRetail & Ecommerce 10INC Ransom1belimed.comSwitzerlandHealthcare 11Lamashtu1Shanpoornammetals.comMalaysiaEnergy & Utilities 12LeakedData1Fox rothschild llpUnited StatesLegal The_Gentelman was the most prolific group, claiming four victims across manufacturing and agriculture. Groups such as Akira, Chaos, CMD, and Everest each reported two new compromises. These targeted a mix of professional services, construction, healthcare, and government entities. CMD ransomware continued its targeting of the healthcare sector. Everest's compromise of Asopagos s.a. in Colombia indicates ongoing risk to the Government/Public Sector. Victim Distribution By Country United States: 14 Venezuela: 1 Colombia: 1 United Kingdom: 1 Switzerland: 1 Sri Lanka: 1 Saudi Arabia: 1 Mexico: 1 Malaysia: 1 Italy: 1 By Industry Legal Services: 3 Healthcare: 2 Retail: 2 Business Services & Supplies: 1 Wholesale Greenhouse: 1 Transportation Equipment Manufacturing: 1 Precious Metals Refining: 1 Medical Equipment Manufacturing: 1 Facilities Services: 1 Education: 1 The United States remains the primary target country for ransomware, representing over half of the reported victims. Targeting is diverse, but Legal Services and Healthcare sectors show a significant concentration, demonstrating persistent threats to professional and essential services. Ransomware News Topline The period shows complex criminal ecosystems are emerging alongside persistent ransomware and extortion campaigns, influencing cyber insurance market dynamics. Campaigns & Operations Flashpoint's analysis details "The Com," a diffuse neo-Nazi criminal ecosystem. Its "Hacker Com" wing is involved in breaches, DDoS attacks, and ransomware activity, recruits from gaming communities, and targets cloud and SaaS platforms. Separately, Qilin ransomware confirmed a cyber incident at Kennedy McLaughlin & Associates, an accounting firm, and DragonForce allegedly breached QLS Group, a Victorian retail logistics firm. ShinyHunters conducted a voice-phishing attack against Charter Communications, compromising an employee's Microsoft Entra identity and accessing a Salesforce instance, affecting 4.9 million accounts. A ransomware-style cyberattack also impacted Portraitbox GmbH, a German IT service provider for school photographers. Vulnerabilities & TTPs Threat actors are using sophisticated social engineering tactics, such as the voice-phishing attack ShinyHunters used to gain initial access via a compromised Microsoft Entra identity for Salesforce. The Com ecosystem targets critical cloud and SaaS platforms, including Okta, Salesforce, and Microsoft 365, showing a focus on widely adopted enterprise solutions. Analyst Note These incidents show threat actors are becoming more sophisticated, and strong defense is needed against social engineering and supply chain compromises. Technical Takeaways The_Gentelman is the most active group, claiming four new victims across manufacturing and agriculture. The United States is the primary target country, accounting for 14 of the 25 reported ransomware victims. Legal Services and Healthcare are consistently targeted by various ransomware groups, along with Manufacturing. Extortion campaigns continue to use social engineering techniques, specifically voice-phishing, to compromise cloud and SaaS platforms. New threat ecosystems, such as "The Com," are emerging, integrating ransomware with broader criminal activities like child exploitation and physical intimidation. --- ## FortiClient EMS CVE-2026-35616 (CVSS 9.1) Exploited - URL: https://purple-ops.io/blog/forticlient-ems-cve-2026-35616-exploit - Date: 2026-05-29 - Category: CVE Analysis - Tags: forticlient-ems, cve-2026-35616, credential-theft, exploitation, pre-authentication - Reading time: 5 min | CVSS: 9.1 **Summary:** FortiClient EMS CVE-2026-35616, a critical (CVSS 9.1) pre-authentication flaw, is actively exploited to steal credentials. FortiClient EMS CVE-2026-35616 (CVSS 9.1) Exploited Fortinet FortiClient Endpoint Management Server (EMS) is affected by CVE-2026-35616, a critical pre-authentication API access bypass vulnerability leading to privilege escalation, carrying a CVSS score of 9.1. This vulnerability allows unauthorized attackers to gain elevated privileges on the EMS server without prior authentication. The flaw enables threat actors to manipulate critical management functions within the FortiClient EMS environment. Recent intelligence indicates this vulnerability is actively exploited. Attackers use CVE-2026-35616 to deploy credential-stealing malware across managed endpoints. Attacks observed in May 2026 show attackers abusing the trusted endpoint management infrastructure to deliver malicious payloads disguised as legitimate Fortinet updates. The primary objective of these campaigns is information theft, specifically targeting sensitive user data such as browser-saved credentials, session cookies, and autofill information. Exploiting this vulnerability bypasses initial authentication, giving attackers control over the FortiClient EMS server and, subsequently, its managed endpoints. Impact Exploiting CVE-2026-35616 gives an attacker complete control over FortiClient EMS and its managed endpoints, which leads directly to data exfiltration. Successful exploitation of this pre-authentication API access bypass (CVSS score: 9.1) allows attackers to modify EMS management configurations in a privileged context. This capability is then used to push malicious scripts for execution across all managed endpoints connected to the compromised EMS server. The core malicious payload observed is a previously unreported Windows information stealer, identified as FortiEndpoint_Patch.exe, which masquerades as a Fortinet update. This information stealer harvests sensitive data from Chromium- and Gecko-based web browsers. Data targeted includes user passwords, session cookies, and autofill details such as credit card information, physical addresses, and phone numbers. The exfiltration of session cookies is a significant risk, as these can provide attackers with follow-on access to many cloud services, internal applications, and other authenticated resources. When session reuse is possible, these stolen session cookies may allow attackers to circumvent multi-factor authentication (MFA) prompts, giving them unauthorized, persistent access without needing actual credentials. Because attackers abuse the FortiClient EMS's trust and management pathways, every endpoint managed by the compromised server becomes a potential execution target for the malicious payload. This removes the need for separate intrusion paths for each device, greatly expanding attack reach and efficiency. The compromised environment effectively turns the organization's own endpoint management solution into a distribution mechanism for malware, making it challenging for security teams to differentiate between legitimate and malicious operations. This broad compromise risk shows the importance of addressing CVE-2026-35616 immediately. Exploitation Chain CVE-2026-35616 exploitation begins with a critical pre-authentication API access bypass vulnerability that gives attackers privilege escalation on the FortiClient EMS server. This allows attackers to interact with EMS functionality in a privileged context without needing to authenticate first. This initial access allows manipulation of EMS's configuration and distribution of malicious payloads to managed endpoints. Our prior analysis of Fortinet authentication bypass flaws details how such vulnerabilities can provide initial access and control. After compromising the FortiClient EMS server, attackers take these steps to prepare for malware delivery and maintain covert operations: Configuration Modification: Attackers modify EMS configurations. This includes deferring firmware upgrade reminders, likely to prevent legitimate updates from interfering or raising suspicion. Remote Access Profile Manipulation: A Remote Access Profile configuration is altered. This modification is critical, as it inserts a malicious script for execution on endpoint devices, using EMS's legitimate management pathway to push attacker-controlled code. Endpoint Policy Injection: Attackers further modify an endpoint policy to embed the malicious script, ensuring its widespread distribution and execution across all managed endpoints. This step effectively uses the trusted EMS system to propagate the threat, making it appear as a standard management task. Malware execution on endpoints then follows a specific, multi-stage process: Legitimate Executable Abuse: The attack uses fortitray.exe, a FortiClient executable, to launch a .cmd script file. This technique blends malicious activity with normal system processes, making detection more challenging. PowerShell Invocation: The .cmd script invokes a Base64-encoded PowerShell script. Base64 encoding obfuscates malicious commands and evades simple signature-based detection. Payload Delivery: The PowerShell script downloads the primary malicious payload. This payload, named FortiEndpoint_Patch.exe, is disguised as a Fortinet endpoint update, exploiting user trust in official patches. Malware Execution and Data Harvesting: FortiEndpoint_Patch.exe executes as a Windows information stealer. This malware does not have its own network-based exfiltration capabilities. Instead, it harvests sensitive data like passwords, cookies, and autofill details from Chromium- and Gecko-based browsers. The collected data is written to a log file in the ProgramData directory on the compromised endpoint. Data Exfiltration: The same PowerShell script that delivered the payload then transmits the captured data. It exfiltrates the log file's contents to an attacker-controlled infrastructure via an HTTP POST request. The observed attacker C2 server is 83.138.53[.]110. This execution pattern shows a sophisticated understanding of FortiClient EMS's operational mechanisms, allowing attackers to push malicious PowerShell commands that closely mimic legitimate management operations. This increases the attack's stealth and its ability to propagate across an organization's network. For more details on this vulnerability and its impact on Fortinet EMS, refer to our full analysis on CVE-2026-35616 and Fortinet EMS. Affected products and versions The vulnerability CVE-2026-35616 impacts specific versions of Fortinet FortiClient Endpoint Management Server (EMS). FortiClient Endpoint Management Server (EMS): All versions prior to 7.4.7. Organizations running FortiClient EMS versions earlier than 7.4.7 should consider their installations vulnerable and potentially compromised, given the active exploitation. Detection Detecting exploitation of CVE-2026-35616 requires a multi-layered approach focusing on network, endpoint, and server-side indicators. Since the attack uses legitimate management pathways, anomalies in system behavior and process execution are crucial indicators. Network Indicators: Outbound Connections to C2: Monitor all outbound network traffic from FortiClient EMS servers and managed endpoints for connections to 83.138.53[.]110. Specifically, look for HTTP POST requests from these devices, which indicate data exfiltration. Unusual EMS Traffic Patterns: Establish a baseline for normal FortiClient EMS network communication. Deviations like unexpected spikes in outbound data or connections to unusual external IP addresses require investigation. Encrypted Traffic Anomalies: While the observed exfiltration uses HTTP POST, attackers may pivot to encrypted channels. Monitor for unusual SSL/TLS certificate usage or connections to newly observed domains from EMS and managed endpoints. Endpoint Indicators (EDR/SIEM Queries): Process Creation Chains: Look for fortitray.exe (a FortiClient component) spawning cmd.exe. Then, investigate cmd.exe launching powershell.exe, especially with Base64-encoded arguments. Sample EDR query (pseudo-code): Process.parent.name == "fortitray.exe" AND Process.name == "cmd.exe" followed by Process.parent.name == "cmd.exe" AND Process.name == "powershell.exe" AND Process.command_line CONTAINS "EncodedCommand" Malicious Payload Presence: Search for files named FortiEndpoint_Patch.exe or similar suspicious executables in unexpected directories, especially in user profiles or the ProgramData directory. Monitor for the creation of new executable files that mimic legitimate Fortinet update names. PowerShell Script Execution: Detect PowerShell execution with EncodedCommand parameters. Decode and analyze commands for suspicious activities like downloading files from external URLs, modifying system configurations, or initiating network connections. Look for PowerShell scripts creating log files in the ProgramData directory, particularly those containing sensitive data patterns (e.g., "password", "cookie"). File System Changes: Monitor for creation or modification of files within the ProgramData directory that appear to be temporary log files, especially those containing harvested credentials or browser data. Look for suspicious .cmd script creations or modifications, particularly in directories associated with FortiClient or system startup. Registry and Configuration Changes: Monitor for modifications to FortiClient EMS configurations related to firmware upgrade reminders, Remote Access Profiles, or endpoint policies. These changes indicate post-exploitation activity on the EMS server. Detect unusual changes to FortiClient agent settings on managed endpoints that might allow for silent script execution or data collection. Server-Side (FortiClient EMS) Indicators: API Access Anomalies: Review FortiClient EMS server logs for unauthorized or unexpected API access attempts, especially those without prior authentication. Look for successful API calls from untrusted sources that modify configuration settings related to endpoint policies or remote access profiles. Administrative Account Usage: Monitor for unusual activity by administrative accounts on the EMS server, especially if it coincides with configuration changes that enable script injection. Log Integrity: Verify FortiClient EMS log integrity to ensure they have not been tampered with or cleared by an attacker. Organizations should integrate threat intelligence on known malware artifacts and C2 infrastructure into their detection systems to increase the likelihood of identifying these attacks. Remediation Because CVE-2026-35616 is actively exploited, immediate and complete remediation steps are critical to mitigate risk and restore environment integrity. Patching: The most urgent remediation is to upgrade all FortiClient Endpoint Management Server (EMS) installations to version 7.4.7 or later. Fortinet released patches for this pre-authentication API access bypass vulnerability. This update resolves the root cause of unauthorized access and privilege escalation. Compromise Assessment: Because CVE-2026-35616 is actively exploited, a thorough compromise assessment is mandatory for all environments running FortiClient EMS versions prior to 7.4.7. This assessment should include: Review FortiClient EMS server logs for unauthorized configuration changes, API access anomalies, and unusual administrative activity. Scan all managed endpoints for FortiEndpoint_Patch.exe (or similar suspicious executables) and related malicious files in the ProgramData directory. Analyze endpoint logs for the process execution chain involving fortitray.exe spawning cmd.exe and then Base64-encoded powershell.exe commands. Inspect network traffic logs for connections to the identified attacker C2 83.138.53[.]110 or other suspicious external IPs. Credential Rotation: If a compromise is suspected or confirmed, or if EMS was unpatched for an extended period, mandate a password reset for all users. Prioritize users with access to critical cloud services, internal applications, and sensitive authenticated resources, as their browser-saved credentials and session cookies may have been exfiltrated. MFA and Session Management Review: Re-evaluate multi-factor authentication (MFA) policy strength and enforcement across all critical systems. Since stolen session cookies can bypass MFA, consider implementing stricter session validity durations and re-authentication requirements for high-privilege access. Endpoint Clean-up and Re-imaging: For endpoints confirmed to have executed the malicious payload, perform thorough clean-up, which may include re-imaging affected devices to ensure complete removal of the infostealer and any persistence mechanisms. Enhanced Monitoring: Implement enhanced monitoring for the detection indicators outlined above. This includes continuous monitoring of EMS server logs, endpoint process execution, file system changes, and network traffic for suspicious activities even after patching. Review and Harden EMS Configuration: Review FortiClient EMS configuration best practices, including network segmentation of the EMS server, restricting management interface access, and ensuring all EMS-related services run with the principle of least privilege. Prompt action on these remediation steps will reduce the window of opportunity for attackers and limit the impact of this critical vulnerability. Technical Takeaways CVE-2026-35616 is a critical pre-authentication API access bypass vulnerability in FortiClient EMS, rated with a CVSS score of 9.1. It allows for privilege escalation. The vulnerability is actively exploited, allowing attackers to gain unauthorized, privileged access to FortiClient EMS servers. Exploitation involves modifying EMS configurations and policies to use its legitimate management pathways for distributing malicious Base64-encoded PowerShell scripts to managed endpoints. The primary payload is a Windows information stealer (FortiEndpoint_Patch.exe) disguised as a Fortinet update. It harvests browser-saved credentials, session cookies, and autofill data from Chromium- and Gecko-based browsers. Stolen session cookies can provide follow-on access to cloud services and internal applications, potentially circumventing multi-factor authentication (MFA). Patching FortiClient EMS to version 7.4.7 or later is the immediate remediation. However, a complete compromise assessment and credential rotation are crucial due to active exploitation. --- ## Microsoft Defender Three Zero-Days Exploited - URL: https://purple-ops.io/blog/microsoft-defender-three-zero-days-exploited - Date: 2026-05-29 - Category: Threat Intelligence - Tags: microsoft-defender, zero-day, windows-vulnerabilities, active-exploitation, chaotic-eclipse - Reading time: 5 min **Summary:** Microsoft confirms three Defender zero-days (CVEs 33825, 41091, 45498) are actively exploited after public disclosure, threatening Windows users. Microsoft Defender Three Zero-Days Exploited Microsoft faces controversy after the uncoordinated public disclosure of six Windows zero-day vulnerabilities by a researcher operating under the alias Chaotic Eclipse (also known as Nightmare-Eclipse). The technology giant confirms that at least three of these flaws - BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498) - affecting Microsoft Defender and BitLocker components, are currently under active exploitation, which directly threaten Microsoft's customers. This series of disclosures has started a debate about responsible vulnerability reporting, particularly as the researcher's accounts on GitHub and GitLab were then removed. The incident shows the ongoing tension between security researchers seeking prompt vendor action and software providers advocating for Coordinated Vulnerability Disclosure (CVD). Microsoft has publicly expressed strong opposition to these uncoordinated releases, stating that publishing proof-of-concept code for unpatched vulnerabilities introduces "unnecessary risk." The company's security teams have been working intensively to understand the impact, protect customers, and develop security updates for these issues. This news examines the details of these Windows zero-days, patches for Samba enterprise file servers, the GreyVibe threat group's use of AI in cyberespionage against Ukrainian entities, and a wave of software supply chain attacks using malicious NuGet and npm packages to steal sensitive credentials and cloud secrets from developers globally. What zero-day vulnerabilities were publicly disclosed, and how are they being exploited? The researcher Chaotic Eclipse publicly disclosed details for six zero-day vulnerabilities impacting various Windows components. Microsoft has confirmed that three of these, BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498), are actively being exploited in attacks targeting users of Microsoft Defender and other Windows functionalities. The other three disclosed flaws are YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma, which primarily affect BitLocker and other Windows mechanisms. BlueHammer (CVE-2026-33825) is a vulnerability in Microsoft Defender that has been actively exploited. Details surrounding its exploitation indicate methods allowing attackers to bypass security measures within the endpoint protection platform, which can facilitate further system compromise. This flaw shows the need for continuous monitoring and rapid patching of core security software. RedSun (CVE-2026-41091) and UnDefend (CVE-2026-45498) also pertain to Microsoft Defender and other Windows components, and both have confirmed active exploitation. While specific details of their in-the-wild exploitation remain limited, their active status signals that threat actors are using these weaknesses to circumvent defensive controls. These vulnerabilities often lead to privilege escalation or arbitrary code execution within affected systems. YellowKey (CVE-2026-45585), GreenPlasma, and MiniPlasma primarily impact BitLocker and other Windows privilege escalation avenues. YellowKey (CVE-2026-45585) is described as a BitLocker bypass vulnerability, which can allow unauthorized access to encrypted data. The specific methods of exploitation for GreenPlasma and MiniPlasma involve local privilege escalation, enabling lower-privileged users to gain SYSTEM-level access on fully patched Windows systems. The public release of proof-of-concept code for these vulnerabilities, particularly those actively exploited, poses a greater risk to organizations and individual users, as it provides malicious actors with blueprints for attack. The public disclosures by Chaotic Eclipse were made after the researcher alleged a breakdown in Microsoft's handling of the vulnerability disclosure process, citing a lack of communication and reward. In response, Microsoft reiterated its commitment to Coordinated Vulnerability Disclosure (CVD), stating that such uncoordinated disclosures create "unnecessary risk" for customers. The fallout from these events included the removal of Chaotic Eclipse's GitHub account, followed by the blocking of a newly created GitLab account where the exploit code had been re-uploaded, and escalated the dispute between the researcher and the vendor. The researcher has also indicated plans for further disclosures on July 14, 2026. What vulnerabilities affect Samba installations globally? The Samba Team has released security patches to address several vulnerabilities, including two remote code execution (RCE) flaws with a maximum CVSS score of 10.0, affecting Samba enterprise file servers worldwide. These patches are important for safeguarding corporate data and preventing unauthenticated attackers from gaining full control of affected domains. Deploying the official vendor fixes is needed to reduce these risks. The two most severe vulnerabilities are: CVE-2026-4480: This flaw affects the printing subsystem across all previous Samba software versions. It arises when print servers use a specific command line substitution option, allowing Samba to pass client-controlled job description strings to the 'print command' setting via the '%J' substitution character without properly escaping shell meta characters. This oversight enables guest users to execute arbitrary scripts on the host environment without any prior authentication, and directly compromising the system. CVE-2026-4408: This vulnerability exposes the platform's core password verification mechanism in classic domain controllers that run a non-standard background process as a system service. The system processes client-supplied usernames within an internal check script without filtering input tokens. Malicious actors can exploit this raw string handling to gain system privileges remotely, making it a serious threat to the integrity of domain controllers. These security updates also address several high-severity issues: CVE-2026-1933: This shows missing authorization checks during file reparse point processing, allowing users to convert normal files into functional symbolic links on read-only network shares, which can circumvent access controls. CVE-2026-3012: This flaw poses risks during automatic certificate enrollment routines. Domain members are observed fetching certificate chains over unencrypted HTTP channels instead of secure LDAP links, enabling local attackers to intercept cleartext traffic and install malicious root certificates. CVE-2026-3238: An unauthenticated denial of service (DoS) vulnerability allows an attacker to send a corrupted UDP packet to trigger a null pointer dereference, causing the Active Directory WINS server component to crash instantly. CVE-2026-2340: Found within the immutable storage module, this flaw permits local users to overwrite protected files by manipulating file rename functions, compromising data integrity. To eliminate these Samba vulnerabilities, administrators must upgrade their deployments to versions 4.22.10, 4.23.8, or 4.24.3. Manual workarounds, such as removing specific characters from print configuration files, can be applied if immediate patching is not feasible. How is the GreyVibe threat group using AI in its cyberespionage campaigns? The GreyVibe threat group, a likely Russian-speaking entity, is using AI tools, including ChatGPT, Ideogram AI, and Google Gemini, to generate highly realistic lures and custom malware for its cyberespionage campaigns. Active since at least August 2025, the group primarily targets Ukrainian and Ukraine-related organizations across military, government, civilian, and business sectors. This use of AI allows GreyVibe to craft diverse attack chains, increasing their success rate. GreyVibe's use of AI is evident in the quality and variety of their social engineering tactics, which include: PhantomMail: Spear-phishing emails delivering malicious ZIP/RAR archives via Google Drive and 4sync links. These emails use decoy PDFs or fake error messages while deploying malware and impersonate Ukrainian government, emergency, telecom, and energy entities. PhantomClick: Fake CAPTCHA/ClickFix pages disguised as Zoom and LAPAS sites, tricking victims into executing self-infecting commands through deceptive Cloudflare verification prompts. PrincessClub: Fake Ukrainian adult/dating websites that deliver FallSpy Android spyware and PhantomRelay/LegionRelay Windows malware. Operators behind these sites use fake female Telegram personas and have incorporated WebRTC-based live calls to capture victim audio/video. DroneLink: Counterfeit Ukrainian military charity websites themed around FPV drones and UAVs, sharing infrastructure and tooling with PrincessClub campaigns. Nebo: Fake "СПО НЕБО" Russian military communications login pages, designed to mislead Ukrainian military personnel into believing they are accessing a legitimate Russian military terminal. The group's custom malware, including obfuscators like LOOKVALPS, LOOKVALJS, DAYLIGHT, and TEASOUP, as well as the LegionRelay PowerShell-based Remote Access Trojan (RAT), were likely developed with AI assistance. LegionRelay enables file theft, screenshot capturing, browser credential theft, Telegram and WhatsApp data exfiltration, and RDP access setup. Another RAT, PhantomRelay, supports system fingerprinting, dynamic script loading, and PowerShell/Windows command execution. The FallSpy Android spyware deployed in PrincessClub and Nebo campaigns collects intelligence, such as contact lists, call logs, device information, location data, media files, and SIM information. Despite the sophistication, WithSecure researchers note that GreyVibe exhibits some inconsistencies not typical of mature nation-state actors, such as uploading development samples to public scanning platforms and deploying cryptocurrency miners on some victim machines. This suggests a hybrid nature, potentially involving current or former cybercriminal actors absorbed into or working independently with state-directed tasking, and aligns with trends in Russia-linked cyber campaigns. For more information on such activities, refer to PurpleOps' analysis of malware campaigns by Russian hackers. What new supply chain attacks target developer ecosystems with malicious packages? Recent cybersecurity research shows a surge in software supply chain attacks, with malicious packages actively infiltrating both the NuGet and npm registries to steal banking credentials and cloud secrets from developers. These campaigns demonstrate threat actors' sophistication beyond simple typosquatting, using manufactured legitimacy to compromise development workflows. One incident involves a malicious NuGet package named "Sicoob.Sdk" (versions 2.0.0 through 2.0.4), which masqueraded as a C# software development kit for Sicoob, one of Brazil's largest cooperative financial systems. This package was designed to exfiltrate sensitive information, including client IDs, PFX certificates (used for authenticating businesses with the Sicoob banking network), and raw Boleto API responses. The package, downloaded nearly 500 times, was even surfaced by Google Search AI Mode as a legitimate library, increasing its reach to unsuspecting developers. The profile behind the package, "sicoob," also listed 11 other NuGet packages with approximately 6,000 collective downloads. The Microsoft Defender Security Research Team identified 14 malicious npm packages published by a single threat actor, "vpmdhaj" (a39155771@gmail.com), on May 28, 2026. These packages typosquatted well-known OpenSearch, ElasticSearch, DevOps, and environment-configuration libraries. Their primary goal was to harvest sensitive data such as AWS credentials, HashiCorp Vault tokens, npm tokens, and CI/CD pipeline secrets from compromised host environments through a purpose-built credential harvester launched via a preinstall hook. Examples of these packages include "@vpmdhaj/devops-tools" and "app-config-utility". These specific attacks are part of a broader trend of supply chain compromises that have seen other campaigns emerge: 164 malicious npm packages across five scoped namespaces, featuring a postinstall payload that downloads and executes second-stage JavaScript, exfiltrating victim environment variables. 141 malicious npm packages published between May 7 and 27, 2026, which abuse npm as free static hosting for an ad-monetized web proxy, serving popunder ads to those accessing the pages. A malicious npm package called "forge-jsxy," assessed as a continuation of the "forge-jsx" campaign, capable of keylogging, clipboard monitoring, .env scanning, shell history exfiltration, host inventory, remote filesystem access, screenshot capture, and cryptocurrency wallet scanning. 176 malicious npm packages employing dependency confusion by using high version numbers (99.99.99) to distribute a postinstall script that fingerprints the host, downloads platform-specific JavaScript payloads, conducts reconnaissance, exfiltrates credentials and developer secrets, and runs second-stage binaries. The threat actor TeamPCP (also known as Replicating Marauder and UNC6780) has been identified as a key actor in these supply chain attacks, poisoning popular developer tooling across npm, PyPI, Docker Hub, and Packagist in a worm-like fashion. Their tactics involve exploiting automation and inherited trust within CI/CD workflows to push compromises further downstream, enabling victim-to-victim expansion. This reflects a shift where attackers design plausible and operationally routine package names to blend into modern software ecosystems, which makes detection challenging. Technical Takeaways Three Windows zero-day vulnerabilities (CVE-2026-33825, CVE-2026-41091, CVE-2026-45498) affecting Microsoft Defender and BitLocker are under active exploitation following uncoordinated public disclosure by Chaotic Eclipse. Samba has released patches for two Remote Code Execution vulnerabilities (CVE-2026-4480, CVE-2026-4408) with CVSS 10.0 scores, along with several high-severity access control and DoS flaws, requiring updates to versions 4.22.10, 4.23.8, or 4.24.3. The GreyVibe threat group, a likely Russian-linked entity, is using AI tools such as ChatGPT and Google Gemini to create spear-phishing lures and custom malware (e.g., LegionRelay, FallSpy) targeting Ukrainian organizations. Ongoing software supply chain attacks involve malicious NuGet (Sicoob.Sdk, ~500 downloads) and npm (14 packages from vpmdhaj) packages, designed to steal banking credentials, PFX certificates, AWS credentials, and CI/CD pipeline secrets from developers. Threat actors are increasingly using "manufactured legitimacy" in package naming and exploiting automated CI/CD workflows to cause widespread compromise in developer ecosystems, seen with groups like TeamPCP. --- ## Everest Ransomware Targets Healthcare, Utilities (7 Victims) - URL: https://purple-ops.io/blog/everest-ransomware-healthcare-utilities - Date: 2026-05-28 - Category: Ransomware Report - Tags: everest-ransomware, ransomware, healthcare-cybersecurity, critical-infrastructure - Reading time: 5 min **Summary:** Everest ransomware remains the most active threat, targeting healthcare and utility sectors with 7 recent victims, driving current attack trends. Everest Ransomware Targets Healthcare, Utilities (7 Victims) Statistical Overview Victim Totals This month: 720 This quarter: 1498 Year to date: 4123 Last 24h: 31 Quarterly Breakdown Q1: 2631 | Q2: 1498 | Q3: 0 | Q4: 0 Ransomware activity shows a significant count for Q1, with Q2 maintaining consistent but lower activity. This indicates persistent threat actor operations across diverse sectors. The current period's observed victim count of 31 reflects ongoing, targeted ransomware campaigns. Introduction Recent ransomware activity saw 31 new victims across various sectors. Groups like Everest (7 victims), Qilin (5 victims), Akira (4 victims), and DragonForce (4 victims) were primary drivers. The United States remains the most targeted country. Industries such as healthcare, manufacturing, construction, hospitality, and legal services were affected. This period shows diverse threats with varied TTPs and an ongoing shift towards data exfiltration-focused extortion. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1Everest7Advanced psychiatry associates, Akm, L&p aesthetics (+4)Netherlands, KuwaitEnergy & Utilities, Healthcare 2Qilin5Mainstreet organization of realtors, Otthon centrum, Roofing solutions (+2)United States, United KingdomConstruction & Engineering, Hospitality & Travel 3Akira4Alpine aerotech, General doors, Gs yuasa lithium power (+1)Germany, United StatesManufacturing, Retail & Ecommerce 4DragonForce4Ksmart.ca, Northbridge.com, President container group (+1)United States, United KingdomConstruction & Engineering, Manufacturing 5Krybit2Motofrenos.com, Smile-siam.comThailand, ColombiaManufacturing 6Medusa Locker2Mairie thiverval grignon demo, SitgroupFrance, ItalyManufacturing, Government / Public Sector 7Nova (RALord)2Casasafer, My english house academySpain, ItalyHospitality & Travel, Education 83AM1Amc.org.auAustraliaEducation 9CMD1Hospice SavannahUnited StatesHealthcare 10Chaos1Sterlingindustries.comCanadaManufacturing 11INC Ransom1lawantsSpainLegal 12LockBit1guBrazilLegal Everest was the most active group, targeting healthcare and energy sectors, including "Advanced psychiatry associates" and "L&p aesthetics." Qilin and Akira also showed significant activity across construction, hospitality, and manufacturing. Victims included "Hospice Savannah" by CMD ransomware, which shows continued threats to the healthcare sector, and "Mairie thiverval grignon demo" by Medusa Locker, impacting a government entity. For more details on DragonForce's activities in real estate and healthcare, refer to our analysis on DragonForce Ransomware Targeting. Victim Distribution By Country United States: 11 Germany: 3 Canada: 3 Spain: 2 United Kingdom: 2 Italy: 2 Thailand: 1 Australia: 1 Netherlands: 1 Kuwait: 1 By Industry Medical Practices: 2 Real Estate: 2 Manufacturing: 2 Hospitality: 2 Construction: 2 Legal Services: 2 Education: 1 Venture Capital and Private Equity: 1 Packaging and Containers Manufacturing: 1 Oil and Gas Data Analytics: 1 The United States continues to see the most ransomware attacks, with broad distribution across several industries; none significantly dominate. This suggests less concentrated sector-specific campaigns and more opportunistic or diverse targeting by various ransomware operators, consistent with previous observations of groups like Qilin and DragonForce, as shown in our recent ransomware victim updates. Ransomware News Topline The current period shows changes in cyber extortion, with a continued shift from data encryption to pure data exfiltration and diverse, sophisticated attack methods. Campaigns & Operations Silent Ransom Group operatives are increasingly engaging in in-person cyber extortion, physically appearing at victim offices to facilitate intrusions, often targeting law firms. The ShinyHunters gang, also known as Bling Libra, confirmed a social-engineering data breach affecting nearly 6 million Carnival Cruise customers, exfiltrating PII. Latin American cybercriminal groups are aggressively shifting towards exfiltrating government databases, with incidents like La Pampa Leaks affecting Uruguay's identity service and Chronus Group targeting Mexican government agencies. A ransomware incident at Wohnungsgenossenschaft Neukölln in Germany encrypted core property-management and financial systems, disrupting tenant services. Vulnerabilities & TTPs An analysis of Akira ransomware kill chains reveals initial access via brute-forcing forgotten local SSLVPN accounts lacking MFA. This is followed by lateral movement via RDP, credential access, and defense evasion, including security log clearance and shadow copy deletion. The broader cyber extortion economy shows a pivot, with extortion-only campaigns rising as threat actors use SaaS abuse, supply-chain compromises, and rapid data exfiltration, frequently bypassing traditional encryption methods. The FBI also warns about physical intrusion tactics by Silent Ransom Group, using methods like USB insertion or pressuring staff for remote sessions, often exfiltrating data via legitimate utilities like WinSCP or Rclone without encryption. Analyst Note These developments show the increasing sophistication and diversification of threat actor methods, from physical intrusions to advanced data exfiltration. This requires defensive strategies across both digital and physical security domains. Technical Takeaways Implement Phishing-Resistant MFA: Crucial for all remote access points (e.g., SSLVPN) and administrator accounts to mitigate brute-force and credential stuffing attacks. Enhance Data Exfiltration Detection: Deploy end-to-end Data Loss Prevention (DLP) across cloud, endpoint, and network environments to detect rapid data theft, especially given the pivot from encryption. Strengthen Network Segmentation and Backup Integrity: Rigorous network segmentation limits lateral movement, while immutable offline backups ensure recovery capabilities even if primary systems are compromised. Correlate Perimeter and Endpoint Logs: Integrate and analyze logs from firewalls (e.g., SSLVPN syslog) and endpoint events (e.g., Windows EVTX) with synchronized NTP to reconstruct full kill chains and identify anomalous activity. Prepare for Physical Intrusion Vectors: Develop and rehearse incident response plans that account for in-person social engineering tactics, including policies for unidentified individuals and unauthorized device connections. --- ## DAEMON Tools CVE-2026-8398 Supply Chain (CVSS 9.3) - URL: https://purple-ops.io/blog/daemon-tools-cve-2026-8398-supply - Date: 2026-05-28 - Category: CVE Analysis - Tags: daemon-tools, cve-2026-8398, supply-chain-attack, rat, trojan - Reading time: 5 min | CVSS: 9.3 **Summary:** DAEMON Tools supply chain compromise (CVE-2026-8398, CVSS 9.3) involved trojanized binaries signed with a legitimate certificate. DAEMON Tools CVE-2026-8398 Supply Chain (CVSS 9.3) AVB Disc Soft, the vendor of DAEMON Tools software, recently experienced a supply chain compromise, identified as CVE-2026-8398. This vulnerability, with a CVSS v4 score of 9.3, is a severe threat caused by unauthorized tampering with legitimate software binaries. The software supply chain's integrity was directly impacted, leading to the distribution of trojanized installers. Threat actors gained illicit access to AVB Disc Soft's build or distribution infrastructure. This access allowed them to inject malicious code into three DAEMON Tools binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These poisoned files were then digitally signed with the legitimate AVB Disc Soft code-signing certificate, making them appear authentic and helping them evade standard signature-based detection mechanisms. CVE-2026-8398 is included in the CISA Known Exploited Vulnerabilities (KEV) Catalog, which shows its widespread impact. This designation confirms active exploitation and mandates urgent remediation for Federal Civilian Executive Branch (FCEB) agencies. Its inclusion in the KEV Catalog means this compromise poses an immediate and serious risk to any organization or individual using the affected DAEMON Tools versions. What is CVE-2026-8398 and why is it critical? CVE-2026-8398 identifies a severe supply chain vulnerability in DAEMON Tools software, with a CVSS v4 score of 9.3, caused by the compromise of the vendor's build and distribution infrastructure. The issue is critical because a supply chain attack abuses trust: seemingly legitimate software delivers malicious payloads, bypassing typical security controls meant to validate software authenticity. Threat actors gained unauthorized access to AVB Disc Soft's development or distribution environment. This allowed them to modify the official DAEMON Tools software packages, injecting malicious code into DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Distributing these trojanized binaries, which kept their legitimate digital signatures from AVB Disc Soft, created a deceptive infection method. Users installing these compromised versions unknowingly introduced malware into their environments. The high CVSS score reflects the broad impact, ease of exploitation, and serious consequences for confidentiality, integrity, and availability. Impact An attacker exploiting CVE-2026-8398 can achieve extensive system compromise, including reconnaissance, persistent remote access, and data exfiltration. The primary risk is the deployment of a modular Python-based Remote Access Trojan (RAT). This RAT can fingerprint the host system and establish a persistent command-and-control (C2) channel, including mapping Active Directory environments. This access allows adversaries to encrypt stolen data and await further operator commands, enabling various post-exploitation activities. Such a compromise has severe consequences. Organizations face risks of major data breaches, intellectual property loss, and extensive network disruption. Individual users may experience credential theft, surveillance, and their systems could be used in larger botnets or attack infrastructure. Because the attack exploited the supply chain, any entity that installed DAEMON Tools software during the compromise period is a potential victim, regardless of their internal security. The malicious software arrived appearing legitimate, so the trust placed in signed software was used against users, creating a major challenge for detection and response. Exploitation Chain The CVE-2026-8398 exploitation chain begins with a compromise of the software vendor's infrastructure, not a direct attack on end-users. Threat actors first gained unauthorized access to AVB Disc Soft's build or distribution environment. This important step allowed them to manipulate the software before it reached users. Once inside, the attackers trojanized three DAEMON Tools binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. They injected malicious code into these executables, making them tools for malware delivery. The deceptive aspect of this attack is that these trojanized files were then digitally signed with AVB Disc Soft's legitimate code-signing certificate. This digital signature made the malicious installers appear trustworthy to operating systems and many endpoint security solutions, allowing them to bypass typical signature-based detections and security prompts. As discussed in our analysis of supply chain attacks involving poisoned software, using legitimate signing certificates is a recurring tactic that reduces trust and makes detection difficult. When a user downloads and executes these compromised DAEMON Tools installers, a multi-stage infection process begins. The malicious code within the trojanized binaries first deploys a VBScript loader. This loader acts as an initial access point, fetching and executing the primary payload. The ultimate payload is a modular Python-based Remote Access Trojan (RAT). This RAT is designed for stealth and persistence. It performs reconnaissance by fingerprinting the infected host and mapping the Active Directory environment if present. It then establishes a persistent command-and-control (C2) communication channel, encrypting any stolen data before exfiltrating it and awaiting further instructions from the attackers. This approach ensures covert operation and sustained access to the compromised system. Affected Products and Versions The CVE-2026-8398 vulnerability impacts DAEMON Tools software because a supply chain compromise affected its official binaries. The core components identified as trojanized are: DTHelper.exe DiscSoftBusServiceLite.exe DTShellHlp.exe Research indicates that attackers gained unauthorized access to the vendor's build or distribution infrastructure and then tampered with these executables. This means any version of DAEMON Tools software distributed from the compromised infrastructure during the attack period, which included these trojanized binaries, is affected. While precise version numbers are not detailed in available intelligence, users should consider any installation of DAEMON Tools software that occurred after the infrastructure compromise and before clean versions were released or the certificate was revoked as potentially affected. The compromise relates to the integrity of the distributed software package rather than a flaw within the software's code. Detection Detecting the CVE-2026-8398 compromise requires a multi-layered approach. This approach focuses on identifying anomalous behavior instead of relying solely on signature-based detection of the legitimately signed, trojanized binaries. Analysts and engineers should implement full monitoring strategies. Endpoint Detection and Response (EDR) Queries: Monitor for VBScript files (.vbs) executing from the DAEMON Tools installation path or directories where legitimate installers extract temporary files. Unusual VBScript activity, especially that which initiates PowerShell or Python processes, is suspicious. Look for unexpected execution of Python interpreter binaries (e.g., python.exe, pythonw.exe) from non-standard locations, especially if associated with DAEMON Tools processes or after installation, as this indicates RAT execution. Identify processes spawned by DTHelper.exe, DiscSoftBusServiceLite.exe, or DTShellHlp.exe that are not typical for disc imaging software, such as network connections to suspicious external IPs, file writes to unusual directories, or process injection attempts. Search for newly created files or modifications in system directories related to persistence mechanisms (e.g., registry run keys, startup folders) initiated by DAEMON Tools components or directly by Python processes. Monitor for attempts to enumerate Active Directory (AD) information or perform host fingerprinting activities originating from Python processes. This could involve queries to AD services or collection of detailed system configuration data. Network Indicators: Analyze network logs for outgoing C2 communications from systems running DAEMON Tools software to unusual or unknown IP addresses and domains. The Python RAT encrypts stolen data before transmission, so look for abnormal data volumes or unusual protocols to external endpoints. Monitor for DNS requests to newly observed or suspicious domains made by processes related to DAEMON Tools or Python. Implement network segmentation to limit lateral movement capabilities of a compromised host. Log Signatures and System Artifacts: Review Windows Event Logs for security events related to certificate validation failures. Although legitimate signing complicates this initially, post-revocation, any attempt to execute these binaries should trigger alerts if OCSP/CRL checks are enforced. Examine file system timestamps and attributes for anomalies in the DAEMON Tools installation directory. Unexpectedly recent modifications to core executables, or additional, unrecognized files, could indicate tampering. Check for the presence of the specific trojanized binary hashes. While the initial legitimate signing might bypass basic checks, if the original clean hashes are known, any deviation indicates compromise. Use threat intelligence feeds for Indicators of Compromise (IOCs) associated with the modular Python RAT, including C2 domains, IP addresses, and specific file hashes. Code-Signing Certificate Monitoring: Ensure real-time Online Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL) checks are enforced at execution time for all signed executables. This is important for detecting when the compromised certificate has been revoked. Without real-time checks, revocation provides limited protection. Proactive detection requires continuous vigilance, integrating EDR telemetry with network and log analysis to identify subtle deviations that show a supply chain compromise like CVE-2026-8398. Remediation Remediating the CVE-2026-8398 supply chain compromise requires immediate and complete action to contain, eradicate, and prevent future infections. Given the nature of a trojanized installer signed with a legitimate certificate, standard patching alone may not suffice without forensic validation. Patch and Reinstall Clean Versions: Obtain and deploy the latest, verified clean versions of DAEMON Tools software directly from the official vendor website, ensuring no intermediary downloads are used. This assumes AVB Disc Soft has remediated its infrastructure and is distributing untampered binaries. Before reinstalling, all existing installations of DAEMON Tools deployed during the suspected compromise window must be completely uninstalled and their directories cleaned to ensure no lingering malicious components remain. If available, deploy vendor-provided tools or instructions for verifying the integrity of the installed software and system post-remediation. System Isolation and Forensic Analysis: Immediately isolate all systems suspected of having installed the trojanized DAEMON Tools software. This prevents lateral movement and further data exfiltration. Conduct a complete forensic analysis on all potentially compromised systems. This should include memory forensics, disk image analysis, and network traffic review to identify the complete extent of the infection, any data exfiltrated, and potential persistence mechanisms established by the Python RAT. Identify and remove all components of the Python RAT, including loaders, configuration files, and any modifications to the system (e.g., scheduled tasks, registry entries, new user accounts) that provide persistence or privilege escalation. Certificate Revocation and Reissuance: The compromised code-signing certificate (registered under Xiamen Lunwei Huage Network Co.(Sectigo), Ltd.) used to sign the malicious binaries has been revoked. Organizations should verify that their systems enforce OCSP or CRL checks to honor this revocation and prevent future execution of old, compromised binaries. AVB Disc Soft must work with the Certificate Authority to revoke any other potentially compromised certificates and issue new ones for future software releases. Organizations should be prepared to update their trust stores accordingly. Enhanced Supply Chain Security: Implement and enforce Software Bill of Materials (SBOM) practices to maintain an inventory of all components, dependencies, and their origins within applications. Establish strict third-party software validation procedures, including independent security audits and integrity checks for all software consumed by the organization. Consider implementing application whitelisting solutions that restrict software execution to only approved binaries, preventing unauthorized code from running, even if signed. Strengthen developer and build environment security, including multi-factor authentication, least privilege access, and continuous monitoring for anomalous activities within infrastructure related to software development and distribution. Account and Credential Review: Assume that any credentials on compromised systems may have been exfiltrated. Force a password reset for all user accounts and service accounts that had access to affected machines. Review and rotate API keys and other secrets stored on or accessible from compromised systems. Technical Takeaways CVE-2026-8398 is a supply chain compromise impacting DAEMON Tools software (CVSS v4: 9.3). Attackers gained access to AVB Disc Soft's infrastructure, trojanizing DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The malicious binaries were digitally signed with a legitimate certificate, enabling them to bypass signature-based endpoint detection. Exploitation leads to the deployment of a modular Python-based Remote Access Trojan (RAT) for reconnaissance, Active Directory mapping, and command-and-control (C2). The incident shows the urgent need for strong supply chain security practices and real-time validation of software integrity, beyond just digital signatures. --- ## AI Exploit Development Speeds to 0.5 Days - URL: https://purple-ops.io/blog/ai-exploit-development-speeds - Date: 2026-05-28 - Category: Threat Intelligence - Tags: ai, exploit-development, vulnerability-management, threat-intelligence, cve - Reading time: 5 min **Summary:** AI accelerates exploit development to 0.5 days, creating critical visibility gaps for security teams struggling with traditional detection methods. AI Exploit Development Speeds to 0.5 Days Research by Cogent Research shows exploit development has accelerated due to artificial intelligence. Threat actors can now generate working exploits for common vulnerabilities and exposures (CVEs) in 0.5 days, a significant reduction from the average of 125.3 days in January 2025. This quick exploit generation creates detection and response challenges for security teams worldwide, impacting thousands of CVEs across platforms. The analysis, which covered 69,159 CVEs, found that traditional vulnerability scanners from vendors like Tenable, Qualys, and Rapid7 struggle to keep pace with this faster exploit timeline. 83.2% of critical vulnerabilities had a "visibility gap," meaning exploits were active before detection signatures were available. This trend changes defensive strategies, demonstrating that proactive threat intelligence and continuous software inventory analysis are needed to counter threats driven by AI. This roundup details the disruption of the GlassWorm malware campaign, which targeted software developers and compromised over 300 GitHub repositories through supply chain attacks. A newly identified financially motivated threat actor, JINX-0164, uses social engineering and custom macOS malware to target cryptocurrency organizations, showing persistent and adaptable tactics. A critical Remote Code Execution (RCE) vulnerability in the Windows DNS Client with a CVSS score of 9.8 now has a public proof-of-concept (PoC) exploit released, increasing risk for affected systems. How Quickly is AI Developing Exploits for Known Vulnerabilities? AI develops exploits for known CVEs in an average of 0.5 days, a significant decrease from 125.3 days in January 2025. Cogent Research measured this acceleration by analyzing 69,159 common vulnerabilities and exposures, focusing on 57,860 CVEs published in 2025 and 2026. The research indicates that widely available large language models (LLMs) can now process patch diffs (code changes published when a software vulnerability is fixed) and generate functional proof-of-concept (PoC) exploits. This capability marks a major change in how quickly vulnerabilities can be weaponized. The impact of this faster exploit generation on traditional vulnerability management is significant. Cogent Research identified that 83.2% of critical vulnerabilities created a "visibility gap" for defenders. More than half of critical CVEs (55.7%) never received detection coverage from major scanning technologies. Among the vulnerabilities that did eventually receive signatures, 62% already had exploits circulating before detection became available. This shows that relying on conventional scanning cycles is increasingly insufficient against current threats. Leading commercial scanning technologies, including Tenable, Qualys, and Rapid7, showed varying response times. Tenable recorded a median detection lag of 0.1 days after disclosure, Qualys 2.9 days, and Rapid7 5.1 days. However, even with quick responses, exploits often preceded detection. For critical CVEs, 62.5% were exploited before Tenable's signatures shipped, 64.5% before Qualys', and 73.5% before Rapid7's. This data suggests the challenge comes from scanner vendor detection latency, not only organizational scanning frequency. The future outlook indicates further shortening of exploit development timelines. Geng Sng, co-founder and CTO of Cogent Security, stated that the observed 0.5-day exploit development will become the baseline once Anthropic's Claude Mythos becomes widely accessible. This AI is reported to develop working exploits at the level of an experienced security researcher, with its proliferation anticipated within six to twelve months. This capability, often seen with agentic AI threats, alters the timeline for zero-day exploitation and overall threat response. To counter this trend, Cogent Research recommends that organizations implement software inventory analysis as an early warning layer. This involves continuously mapping software assets against newly disclosed CVEs within minutes of publication, enabling proactive mitigation before scanner signatures are available. Developing a parallel detection path, integrating software bill of materials (SBOM) matching with threat intelligence feeds, offers a quicker way to identify affected assets. This rapid generation of exploits by AI shows the need for new breach detection mechanisms, moving beyond traditional scanner reliance. Which Financially Motivated Group Targets Cryptocurrency Developers with Custom macOS Malware? JINX-0164, a previously untracked financially motivated threat actor, targets cryptocurrency organizations and their developers with custom macOS malware and social engineering. Wiz CIRT and Wiz Research have detailed JINX-0164's operations, active since at least mid-2025. The group's campaigns use convincing LinkedIn profiles for initial contact, often masquerading as recruiters offering virtual meetings, to lure victims into downloading malicious files. The attack chain typically begins with social engineering via LinkedIn, where the threat actor impersonates business partners or recruiters to propose virtual meetings. These invitations link to malicious domains disguised as legitimate teleconferencing platforms, like Microsoft Teams. Upon clicking the link, the victim unknowingly downloads and executes AUDIOFIX. This Python-based macOS infostealer and remote access tool (RAT) is delivered via a bash script hosted on a fake driver store domain such as apple.driver-store[.]com. The payload, often named ChromeUpdater, masquerades as a system audio driver (coreaudiod) and achieves persistence via launchctl. Once AUDIOFIX gains control, it harvests many credentials and sensitive data. This includes information from macOS Keychain files, browser-stored credentials from seven different browsers, local admin credentials, SSH keys, and configuration files. The malware targets 51 cryptocurrency wallet browser extensions, including MetaMask, Phantom, Coinbase Wallet, and Binance Chain, plus two desktop wallet applications. The threat actor also hijacks active sessions from communication applications such as Discord, Slack, and Telegram. It exfiltrates cloud infrastructure secrets like AWS, GCP, and Azure keys, and Cloudflare API tokens. JINX-0164 demonstrated lateral movement capabilities by injecting AUDIOFIX into internal code repositories after compromising a developer's endpoint. They employed deceptive Git tactics, such as modifying committer names to impersonate other developers, pushing malicious code directly to main branches in unprotected repositories, or inserting payloads into existing branches. This tactic turned the organization's development infrastructure into a propagation vector, infecting additional machines when employees updated their code. In one instance, GitHub's Vigilant Mode detected unverified commits, which revealed the impersonation and allowed intervention. Beyond direct developer targeting, JINX-0164 has also conducted supply chain operations. On April 7, 2026, the group trojanized version 4.9.1 of the npm package @velora-dex/sdk. This malicious package appended code to dist/index.js that downloaded MINIRAT, a lightweight Go-based backdoor, whenever the package was imported. MINIRAT performs basic system reconnaissance and establishes persistence. It also offers fundamental backdoor functionality to upload, download, and execute shell commands. The threat actor masks their cloud activity and C2 communications by routing connections through VPN services such as Mullvad VPN, Astrill VPN, and Express VPN. What Disruptions Hit the GlassWorm Developer Supply Chain Campaign? A coordinated takedown by CrowdStrike, Google, and the Shadowserver Foundation disrupted all four command-and-control (C2) channels associated with the GlassWorm malware campaign. This collaborative effort neutralized the strong infrastructure that supported a persistent software supply chain attack targeting software developers since at least early 2025. The campaign poisoned over 300 GitHub repositories, using compromised developer credentials for broader impact. GlassWorm operators systematically targeted software developers, recognized for their access to critical assets such as source code repositories, cloud platforms, CI/CD pipelines, and package registries. The campaign used several approaches, including trojanized VS Code extensions published on both the Microsoft VS Code Marketplace and Open VSX. This allowed them to target users of VS Code forks like Cursor, Positron, Windsurf, and VSCodium. Malicious code was also introduced through compromised npm and Python packages, significantly expanding the attack surface. The primary objective of the GlassWorm campaign was to deliver a data-theft framework. This framework incorporated capabilities for credential harvesting, cryptocurrency wallet exfiltration, and system profiling. Subsequent iterations of GlassWorm deployed a Websocket-based JavaScript RAT known as GlassWormRAT. This RAT was designed to steal web browser data. It could install a Google Chrome extension to collect sensitive information, including screenshots, keystrokes, and clipboard content from infected systems. The malware also converted infected hosts into covert infrastructure, acting as SOCKS proxies, hidden VNC (HVNC) servers, and remote execution nodes. A key characteristic of the GlassWorm operation was its strong C2 infrastructure, comprising four distinct channels designed to withstand takedown attempts. These channels included using the Solana blockchain as a dead drop resolver, storing C2 server addresses in the memo fields of blockchain transactions. The malware also queried the BitTorrent Distributed Hash Table (DHT) peer-to-peer network for configuration data. Google Calendar also served as a dead drop resolver, fetching C2 server addresses from event titles. Direct connections to C2 infrastructure hosted on commercial VPS providers completed the quartet of communication channels. The coordinated takedown simultaneously neutralized all four C2 channels, preventing infected machines from receiving new instructions or payloads. CrowdStrike attributed the GlassWorm activity to likely Russia-based cybercriminals, citing the malware's termination of execution on systems located in Commonwealth of Independent States (CIS) countries and Russian-language comments within the code. The disruption shows the ongoing challenge of securing the software supply chain against well-resourced and persistent adversaries. Is a Critical RCE Vulnerability Affecting Windows DNS Clients Actively Exploited? A critical Remote Code Execution (RCE) vulnerability affecting the Windows DNS Client, with a CVSS score of 9.8, now has a publicly disclosed proof-of-concept (PoC) exploit. While specific details on active exploitation are not provided, the public release of a PoC escalates the risk to affected systems. Such vulnerabilities, especially those with a critical CVSS rating and public PoC, are frequently adopted by threat actors for widespread exploitation. The vulnerability involves a heap overflow within the Windows DNS Client component. A heap overflow condition can enable an attacker to overwrite adjacent memory, which can lead to arbitrary code execution with the privileges of the affected service or user. Given the pervasive nature of DNS Client functionality in Windows environments, successful exploitation could lead to system compromise. The absence of detailed exploitation specifics does not diminish the severity. The prompt availability of a PoC typically lowers the barrier for attackers to develop reliable exploits, increasing the urgency for patch deployment and mitigation. Organizations using Windows DNS Client across their infrastructure face an immediate threat from opportunistic and targeted attacks using this flaw. Technical Takeaways AI has significantly shortened exploit development time for known CVEs from 125.3 days to 0.5 days, changing the speed of threat emergence. Traditional vulnerability scanners and their detection signatures frequently lag behind AI-driven exploit generation, creating "visibility gaps" for over 83% of critical vulnerabilities. Financially motivated threat actor JINX-0164 employs LinkedIn social engineering, custom macOS malware (AUDIOFIX, MINIRAT), and CI/CD pipeline hijacking to target cryptocurrency organizations and developers. The GlassWorm malware campaign, which poisoned over 300 GitHub repositories, used strong C2 infrastructure across the Solana blockchain, BitTorrent DHT, and Google Calendar before its disruption. A critical RCE vulnerability (CVSS 9.8) in the Windows DNS Client now has a public PoC, requiring immediate attention for patching and mitigation due to its potential for widespread impact. --- ## IBM ELM Jazz CVE-2026-3660 (CVSS 9.8) Auth Bypass - URL: https://purple-ops.io/blog/ibm-elm-jazz-cve-2026-3660 - Date: 2026-05-28 - Category: CVE Analysis - Tags: ibm-elm, jazz-foundation, cve-2026-3660, authentication-bypass, critical-vulnerability - Reading time: 5 min | CVSS: 9.8 **Summary:** IBM ELM Jazz Foundation CVE-2026-3660, a critical authentication bypass with CVSS 9.8, enables unauthenticated remote attackers to gain unauthorized access. IBM ELM Jazz CVE-2026-3660 (CVSS 9.8) Auth Bypass IBM has issued a security bulletin addressing a critical authentication bypass vulnerability, designated CVE-2026-3660, within its Engineering Lifecycle Management (ELM) - Jazz Foundation. This flaw carries a maximum CVSSv3.1 score of 9.8, categorizing it as critical. The vulnerability allows an unauthenticated remote attacker to gain unauthorized access by manipulating server property files. The security defect stems from incorrect authorization logic within the software's core identity layer, enabling adversaries to bypass standard authentication checks. This bypass facilitates unauthorized modification of configuration files, potentially leading to compromise of active corporate application deployments. While the vendor has released full iFix updates to fix the vulnerability, the potential for severe impact on intellectual property and development lifecycles requires organizations to act immediately. The remote and unauthenticated nature of this exploit pathway makes it urgent for administrators to deploy the recommended patches. What is CVE-2026-3660 and why is it critical? CVE-2026-3660 is an authentication bypass vulnerability affecting IBM Engineering Lifecycle Management - Jazz Foundation, stemming from incorrect authorization logic. It is rated with a CVSSv3.1 score of 9.8, indicating a critical severity due to its significant impact and ease of exploitation. This vulnerability specifically allows an unauthenticated remote attacker to update server property files, subsequently enabling unauthorized access to the application. The criticality of CVE-2026-3660 arises from its potential to allow threat actors to circumvent foundational security controls without any prior authentication or user interaction. In an engineering platform like IBM ELM - Jazz Foundation, unauthorized access translates directly into significant risks for intellectual property, product designs, and the integrity of ongoing development lifecycles. An attacker using this flaw could view proprietary information, alter critical configurations, or potentially disrupt development processes, making its remediation an immediate priority for all affected deployments. Impact An attacker successfully exploiting CVE-2026-3660 can achieve unauthorized access to the IBM Engineering Lifecycle Management (ELM) application. This access is gained by altering server property files without requiring any authentication or user interaction. The primary risk lies in the compromise of an organization's intellectual property and the integrity of its engineering and development processes. Organizations utilizing the IBM Jazz Foundation as a core component of their engineering solutions are at risk. Attackers could view sensitive product designs, manipulate active development lifecycles, or gain insights into proprietary information. Such unauthorized access can lead to intellectual property theft, operational disruption, and potential supply chain vulnerabilities if compromised systems are used in broader development pipelines. The ability to hijack user sessions silently after altering configuration files amplifies the risk, making the scope of potential damage extensive. This kind of authentication bypass poses a direct threat to the confidentiality, integrity, and availability of critical enterprise assets. Exploitation chain The exploitation chain for CVE-2026-3660 begins with an unauthenticated remote attacker. The core vulnerability is an issue of incorrect authorization logic within the IBM Jazz Foundation framework. Specifically, the software's identity layer fails to properly validate changes to its configuration files. The attack vector is entirely remote, requiring no local access or prior privileges on the part of the attacker. There is also no user interaction required from a legitimate user for the exploit to succeed. The attacker directly targets the server, using the flaw where configuration files lack proper validation. By exploiting this weakness, adversaries can alter specific server property files. This modification then enables them to bypass standard authentication mechanisms and gain unauthorized access to the application, effectively hijacking user sessions or establishing persistent access. There is no information in the provided research about a publicly available Proof of Concept (PoC) exploit or active exploitation in the wild for CVE-2026-3660 specifically, though the nature of the flaw indicates it is readily exploitable. Organizations should consider similar authentication bypass vulnerabilities, such as those discussed in our prior analysis of a critical RCE flaw in IBM WebSphere, which also show the severe consequences of identity-related vulnerabilities. Affected products and versions The critical authentication bypass vulnerability, CVE-2026-3660, impacts specific releases of the IBM Engineering Lifecycle Management - Jazz Foundation product line. Organizations running these versions are strongly advised to apply the necessary updates immediately to mitigate the risk of exploitation. The affected product and version ranges are as follows: IBM Engineering Lifecycle Management - Jazz Foundation versions: 7.0.3 through iFix021 7.1.0 through iFix009 7.2.0 through iFix001 Newer installations or systems that have been fully patched beyond these specified iFix levels are not vulnerable to this particular flaw. Administrators should verify their current installed versions against these ranges to determine exposure. Detection Given the nature of CVE-2026-3660 as an authentication bypass achieved by altering server property files, detection efforts should focus on identifying anomalous access patterns, unauthorized modifications to critical system files, and suspicious authentication attempts. While the provided research does not detail specific Indicators of Compromise (IOCs) or EDR queries, general principles of security monitoring can be applied. Detection strategies should include: Log Monitoring: Regularly review application, authentication, and system logs for unusual activity. Look for: Unauthenticated access attempts to sensitive administrative interfaces or configuration endpoints. Log entries indicating modification of server property files (e.g., teamserver.properties, server.startup, or other core configuration files) by unauthorized users or processes. Successful logins by accounts that do not correspond to legitimate user activity or without proper authentication events preceding them. Errors related to authorization or authentication that might precede a successful bypass attempt. File Integrity Monitoring (FIM): Implement FIM on critical IBM Jazz Foundation server directories, especially those containing configuration and property files. FIM tools can alert administrators to any unauthorized changes to these files, which is the core mechanism of this exploitation. Network Monitoring: Observe network traffic for unusual connections to the IBM Jazz Foundation server from unknown or untrusted IP addresses. While the exploit itself modifies internal files, the initial access would traverse the network. EDR/XDR Solutions: Configure Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) solutions to flag suspicious process activity originating from the IBM Jazz Foundation application. This includes processes attempting to modify configuration files outside of standard administrative tools or scheduled updates. Organizations should also correlate these observations with threat intelligence sources that might release specific IOCs if CVE-2026-3660 is found to be actively exploited in the future. Proactive monitoring of such events can provide early warning of potential compromise, much like the methods applicable for detecting other critical authentication bypasses, as explored in our article on CVE-2026-20182 impacting Cisco SD-WAN. Remediation IBM has released full iFix updates to fix the threat from CVE-2026-3660. Immediate application of these patches is the primary and most effective remediation strategy. The following steps outline the required remediation and mitigation actions: Patching: Administrators using IBM Engineering Lifecycle Management - Jazz Foundation version 7.0.3 must immediately upgrade their installations to iFix022 or later. For deployments running version 7.1.0, the mandatory upgrade is to iFix010 or later. For version 7.2.0, administrators must install iFix002 or later. The latest iFix releases encompass all prior fixes and are designed to address the incorrect authorization logic that allows for the authentication bypass. Detailed upgrade instructions and access to the iFix packages are typically available through the official IBM Support portal. Workarounds: The provided research does not specify any effective workarounds for this critical vulnerability that would eliminate the need for patching. Due to the fundamental nature of the authorization flaw, a patch is the only definitive resolution. However, if immediate patching is not feasible, organizations should consider implementing temporary network-level restrictions to limit access to the IBM Jazz Foundation application to only trusted internal networks or specific IP ranges. This is a partial mitigation and does not fully secure the underlying vulnerability. Continuous Monitoring: After applying patches, maintain enhanced monitoring for any unusual activity as described in the detection section. This includes ongoing log analysis and file integrity monitoring to confirm that the vulnerability is no longer exploitable and that no residual compromise exists. Failing to apply these updates leaves company assets exposed to unauthorized access, potentially impacting intellectual property and the integrity of development lifecycles. Technical Takeaways CVE-2026-3660 is a critical authentication bypass vulnerability in IBM Engineering Lifecycle Management - Jazz Foundation, assigned a CVSSv3.1 score of 9.8. The flaw originates from incorrect authorization logic, allowing an unauthenticated remote attacker to modify server property files. Exploitation requires no user interaction or prior privileges, facilitating direct unauthorized access to the application. Affected versions include 7.0.3 through iFix021, 7.1.0 through iFix009, and 7.2.0 through iFix001. IBM has provided specific iFix updates (iFix022 for 7.0.3, iFix010 for 7.1.0, iFix002 for 7.2.0) as the definitive remediation. --- ## DragonForce Ransomware 19 Real Estate Healthcare Victims - URL: https://purple-ops.io/blog/dragonforce-ransomware-real-estate-healthcare - Date: 2026-05-27 - Category: Ransomware Report - Tags: dragonforce-ransomware, real-estate, healthcare, ransomware-activity, threat-intelligence - Reading time: 5 min **Summary:** DragonForce ransomware claimed 19 victims in the Real Estate and Healthcare sectors this period, highlighting ongoing threats. DragonForce Ransomware 19 Real Estate Healthcare Victims Statistical Overview Victim Totals This month: 689 This quarter: 1467 Year to date: 4092 Last 24h: 36 Quarterly Breakdown Q1: 2631 | Q2: 1467 | Q3: 0 | Q4: 0 Ransomware activity shows consistent levels this quarter, with DragonForce being a contributor in this period. The sustained victim count shows threat actors continue operating across diverse sectors. Introduction In the last 24 hours, 36 new ransomware victims have been reported. DragonForce was the most active group, accounting for over half of these incidents, followed by 0day-syndicate. Primary affected sectors include Real Estate, Healthcare, and Technology, with a significant concentration of incidents observed in the United States and the Netherlands. Ransomware Summary Table #GroupVictims (24h)Sample VictimsGeosSectors 1DragonForce19Delbrook capital advisors, Dentonfirm.com, Duboisag.com (+16)Netherlands, United StatesReal Estate, Healthcare 20day-syndicate4Dxon.com.br, Gokids gokidspublishing.com dev.redpilotstudio.com gokidsmobile.com, Xgenize.com (+1)Brazil, NigeriaTechnology / Software, Professional Services 3Medusa Locker3Baeaoai, Baeaxai, BakaxahNone, United StatesTechnology / Software, Manufacturing 4Akira2Gone fishin' marine, Northwest woodworksUnited StatesConstruction & Engineering, Retail & Ecommerce 5Space Bears2Gestordes, Ridge law firmSpain, United StatesLegal, Professional Services 6Anubis1Exceed energyUnited KingdomEnergy & Utilities 7Doommageddon1InnovanoIndiaTechnology / Software 8INC Ransom1Distrigaz Vest S.A.RomaniaEnergy & Utilities 9M3RXDLS1Jichasa.comMexicoTransportation & Logistics 10Nova (RALord)1Textile testing services of americaMexicoProfessional Services 11The Gentelman1TechmarNetherlandsConstruction & Engineering DragonForce was the most active in ransomware activity during this period, claiming 19 victims primarily in the Real Estate and Healthcare sectors across the United States and Netherlands. Other active groups, including 0day-syndicate, Medusa Locker, and Akira, contributed to a diverse range of victims spanning Technology, Professional Services, and Manufacturing. INC Ransom targeted Distrigaz Vest S.A. in Romania, showing a continued threat to critical infrastructure within the Energy & Utilities sector. For more on DragonForce's operations and targeting profiles, see our recent analysis. Victim Distribution By Country United States: 13 United Kingdom: 4 Netherlands: 3 None: 3 Mexico: 2 Canada: 2 Spain: 1 Romania: 1 Brazil: 1 Germany: 1 By Industry Legal Services: 2 Construction: 2 Accounting: 1 Natural Gas Distribution: 1 Manufacturing: 1 Oil and Gas: 1 Staffing and Recruiting: 1 Telecommunications and Traffic Management: 1 Architectural Services: 1 Architecture and Planning: 1 The United States remains the most targeted country, followed by the United Kingdom and the Netherlands. Industry targeting is diversified, with significant activity across professional services like Legal and Accounting, as well as critical sectors such as Natural Gas Distribution and Oil and Gas. More information on ransomware group activity, including Medusa Locker and Akira, is in recent threat intelligence updates. Ransomware News Topline Ransomware developments include warnings of in-person data theft tactics by the Silent Ransom Group, reported ransomware incidents affecting municipalities, a Qilin group victim claim, and new cryptojacking campaigns using AI chatbots. Campaigns & Operations The FBI issued a warning regarding the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, for an extortion scheme targeting U.S. law firms. This scheme combines social engineering tactics, such as posing as IT support for remote access, with a fallback of actors physically inserting USB drives to exfiltrate data. Incidents include a ransomware attack on Casalp's Livorno operations in Italy on May 11, 2026, and a partial compromise of Nandrin Municipality's IT infrastructure in Belgium around March 15, 2026. The Qilin ransomware group also named New Zealand's Alpha Group Holdings as a victim, providing limited incident details. Analysis of the wider ransomware field and quarterly trends is in our recent activity updates. Vulnerabilities & TTPs SRG's tactics involve impersonating IT personnel via phone, email, or live chat to gain initial access, then escalating privileges to deploy ransomware or exfiltrate data for double extortion, often blending with legitimate IT workflows. Separately, an active cryptojacking campaign is using AI chatbot interactions and SEO poisoning to redirect users to attacker-controlled download sites, delivering a rogue DLL via a packed ScreenConnect installer to establish persistence and run miners while bypassing Microsoft Defender. Analyst Note These events show the threat environment is changing, marked by sophisticated social engineering, persistent infrastructure targeting, and the exploitation of emerging technologies and search vectors for malicious purposes. Technical Takeaways DragonForce led reported ransomware activity this period, affecting mainly Real Estate and Healthcare sectors. The United States remains the most frequent target country, with a broad distribution of victim industries. The Silent Ransom Group (SRG) uses a varied extortion approach, blending social engineering with potential physical access to victim networks for data exfiltration. Emerging attack vectors include cryptojacking campaigns that manipulate AI chatbot recommendations and search engine optimization to distribute malware. Critical infrastructure entities, such as Distrigaz Vest S.A., continue to be targeted by ransomware groups like INC Ransom. --- ## SharePoint Server CVE-2026-45659 RCE (CVSS 8.8) - URL: https://purple-ops.io/blog/sharepoint-server-cve-2026-45659-rce - Date: 2026-05-27 - Category: CVE Analysis - Tags: none - Reading time: 9 min | CVSS: 8.8 **Summary:** Microsoft SharePoint Server CVE-2026-45659 is a critical RCE vulnerability scoring CVSS 8.8. Learn the risks, affected versions, and how to patch now. SharePoint Server CVE-2026-45659 RCE (CVSS 8.8) Microsoft has released an out-of-band patch addressing CVE-2026-45659, a critical remote code execution (RCE) vulnerability affecting SharePoint Server. This flaw, stemming from the deserialization of untrusted data, carries a CVSS score of 8.8, indicating high severity and potential for significant impact. An authenticated attacker, requiring only minimal privileges such as Site Member permissions, can exploit CVE-2026-45659 remotely. Although Microsoft initially described exploitation as "less likely," the company's decision to issue an immediate, out-of-band patch outside of its regular Patch Tuesday cycle confirms the perceived significant risk associated with this vulnerability. As of the current reporting, no public exploit code has surfaced, nor has there been any indication of in-the-wild exploitation. However, the history of SharePoint Server as a high-value target for cyber adversaries, coupled with the rapid development of proof-of-concept (PoC) exploits for similar disclosures, requires immediate attention to patching by affected organizations. What is CVE-2026-45659 and why is it critical? CVE-2026-45659 is a remote code execution vulnerability in Microsoft SharePoint Server that carries a CVSS score of 8.8. This vulnerability is classified as critical due to its potential to allow an authenticated attacker to execute arbitrary code on the affected server. The flaw specifically involves the deserialization of untrusted data, a well-documented vulnerability class. When an application deserializes data without proper validation, it can be tricked into interpreting malicious input as executable code or commands, leading to full compromise of the server. The criticality of CVE-2026-45659 is amplified by several factors despite Microsoft's initial assessment of "less likely to exploit." These include low attack complexity, a lack of user interaction required for successful exploitation, and the minimal privileges (Site Member permissions) needed by an attacker. The combination of these attributes significantly lowers the barrier for a potential attacker. Microsoft's proactive release of an out-of-band patch, rather than waiting for scheduled updates, further shows the urgency and severity the vendor attributes to this vulnerability. For a review of similar critical SharePoint vulnerabilities, refer to our prior analysis of a critical RCE vulnerability in Microsoft SharePoint Server. Impact of CVE-2026-45659 A successful exploitation of CVE-2026-45659 could have a high impact on the confidentiality, integrity, and availability of the affected SharePoint Server system. An authenticated attacker who achieves remote code execution can potentially gain full control over the server. This level of compromise enables various malicious activities, ranging from data exfiltration to the deployment of further malicious payloads. The confidentiality of sensitive documents, project data, employee records, and intellectual property stored within SharePoint environments could be severely compromised. The integrity of these same data sets and the server's operational state could be altered or corrupted, while availability could be disrupted through denial-of-service or ransomware attacks. SharePoint Server installations, particularly on-premises deployments, represent high-value targets for cyber adversaries. These platforms frequently serve as central repositories for vast amounts of critical enterprise data, making them attractive for both intellectual property theft and financial extortion. The extensive integration of SharePoint with other crucial Microsoft services, such as Active Directory, Teams, and Outlook, means a successful breach often provides a strategic beachhead for lateral movement across an entire enterprise network. This expands the potential blast radius of an exploit far beyond the initial SharePoint Server. Our prior insights into a SharePoint zero-day vulnerability and critical mitigation steps further illustrate the persistent threats surrounding this product. Historically, SharePoint vulnerabilities have been actively exploited by sophisticated threat actors. China-linked groups, including Linen Typhoon and Violet Typhoon, have used SharePoint flaws for intellectual property theft, showing the strategic value of compromised SharePoint environments. Ransomware operators, such as Storm-2603, have also exploited these vulnerabilities to deploy extortion campaigns, demonstrating the direct financial motivations behind such attacks. In July 2025, a critical zero-day vulnerability chain, dubbed ToolShell, was actively exploited against on-premises SharePoint deployments. These attacks targeted various sectors, including government agencies, universities, corporations, and even the US Nuclear Weapons Agency, emphasizing the severe real-world implications of SharePoint vulnerabilities. APT groups and financially motivated cybercriminals consistently target on-premises Microsoft SharePoint environments. This is largely due to the challenges organizations face in maintaining fully patched, properly configured, and consistently monitored systems. Legacy integrations, outdated software, and excessive privileges often present exploitable security gaps. For additional context on another critical SharePoint vulnerability, consider reviewing our post on CVE-2026-32201, a SharePoint spoofing vulnerability that also required urgent patching. Exploitation Chain of CVE-2026-45659 The exploitation chain for CVE-2026-45659 begins with an authenticated attacker possessing a minimum of Site Member permissions on the target SharePoint Server. This initial authentication requirement differentiates it from unauthenticated vulnerabilities but does not make it significantly more difficult for a determined attacker, given that internal or compromised credentials can satisfy this precondition. The attack vector is network-based, implying that the vulnerability can be triggered over the network without direct physical access to the server. The core of the vulnerability lies in the deserialization of untrusted data within Microsoft Office SharePoint. Deserialization is the process of converting a stream of bytes back into an object in memory. Insecure deserialization occurs when an application deserializes data from an untrusted source without verifying its integrity or authenticity. An attacker can craft a malicious serialized data payload that, when processed by the vulnerable SharePoint component, leads to arbitrary code execution. This malicious payload effectively "tricks" Microsoft SharePoint into executing code that the attacker specifies, enabling them to remotely run commands on the underlying server. Microsoft has characterized the attack complexity as low. This assessment indicates that an attacker does not require extensive prior knowledge of the system's intricate workings or highly specialized skills to devise an effective exploit. The vulnerability does not require user interaction, meaning a user does not need to click a malicious link, open a file, or perform any specific action for the exploit to succeed once the malicious payload is delivered to the vulnerable component. The low privileges required also contribute to easier exploitation, as an attacker does not need to escalate privileges to administrative levels to initiate the attack. These factors allow for repeatable success with the payload against the vulnerable component. This makes CVE-2026-45659 a significant threat despite the lack of public exploitation reports to date. The bug's discovery is attributed to a security researcher operating under the name MEOW. Which products are affected by CVE-2026-45659? CVE-2026-45659 specifically affects Microsoft SharePoint Server. The research findings indicate that the vulnerability is present in general "SharePoint Server" environments, with particular emphasis on "on-premises SharePoint deployments." The provided research does not specify particular version numbers or cumulative updates that are affected by CVE-2026-45659. Organizations should refer to the official Microsoft Security Response Center (MSRC) update guide for CVE-2026-45659 to identify the exact product versions and updates that mitigate this vulnerability. The broad mention of SharePoint Server implies that multiple versions or configurations of the on-premises product could be at risk. Detection for CVE-2026-45659 The research findings do not provide specific detection guidance such as log signatures, Indicators of Compromise (IOCs), EDR queries, or network indicators tailored to CVE-2026-45659. Due to the nature of remote code execution vulnerabilities, detection typically relies on monitoring for anomalous process creation, unusual network connections originating from the SharePoint Server, or suspicious file modifications. Organizations should implement full logging and monitoring solutions for their SharePoint Server environments. This includes: System and Application Event Logs: Scrutinize SharePoint ULS logs, Windows Event Logs (System, Security, Application, and particularly PowerShell operational logs if PowerShell is used in exploits) for error messages, unexpected process creations, or unusual activity originating from the SharePoint service accounts. Network Traffic Analysis: Monitor network traffic to and from SharePoint Server for unusual protocols, connections to unknown external IP addresses, or large data transfers that could indicate data exfiltration. Endpoint Detection and Response (EDR) Systems: EDR solutions can help detect post-exploitation activities, such as suspicious command execution, unauthorized file access, or attempts at privilege escalation that might occur after successful RCE. File Integrity Monitoring (FIM): Implement FIM on critical SharePoint directories and configuration files to detect unauthorized changes that could indicate compromise. While direct IOCs are not available from the provided research, maintaining strong security monitoring practices on SharePoint Server instances is crucial for identifying potential exploitation attempts or post-exploitation activities related to CVE-2026-45659 or similar threats. Remediation for CVE-2026-45659 The primary and most critical remediation step for CVE-2026-45659 is the immediate application of the patch provided by Microsoft. Apply Microsoft's Out-of-Band Patch: Organizations operating SharePoint Server deployments should promptly deploy the out-of-band patch issued by Microsoft for CVE-2026-45659. This patch is specifically designed to address the deserialization of untrusted data vulnerability and prevent remote code execution. Administrators should consult the official Microsoft Security Response Center (MSRC) update guide for CVE-2026-45659 to obtain the correct security updates for their specific SharePoint Server versions and apply them without delay. Regular Patching and Update Management: Beyond this immediate patch, maintaining a consistent and timely patch management strategy for all SharePoint Server deployments is essential. This includes applying all subsequent monthly security updates to ensure continuous protection against newly discovered vulnerabilities. Security Configuration Review: Review and enforce least-privilege principles for all SharePoint user accounts and service accounts. Ensure that accounts, particularly those with Site Member permissions, are not over-privileged. Network Segmentation and Access Control: Isolate SharePoint Server instances within network segments to restrict unauthorized access. Implement strict network access controls to limit communication paths to and from the server to only those absolutely necessary for its function. Enhanced Monitoring: Implement and continuously review logs from SharePoint Server for any anomalous behavior. This includes monitoring for unexpected process executions, unusual network connections, or modifications to critical system files, which could indicate a successful exploit attempt or post-exploitation activity. Technical Takeaways CVE-2026-45659 is a critical Remote Code Execution (RCE) vulnerability in Microsoft SharePoint Server with a CVSS score of 8.8. The vulnerability is rooted in the insecure deserialization of untrusted data, enabling an authenticated attacker with Site Member permissions to execute arbitrary code remotely. Attack complexity for CVE-2026-45659 is low, requiring no user interaction and only minimal privileges, allowing repeatable exploitation against vulnerable components. Despite Microsoft's "less likely to exploit" assessment, an out-of-band patch was released, showing the vendor's perception of CVE-2026-45659 as a significant risk due to SharePoint's history as a high-value target for nation-state actors and ransomware groups. Immediate application of Microsoft's provided patch is the primary remediation; the research does not specify affected versions beyond general "SharePoint Server" or provide specific detection guidance. --- ## CVE-2026-26980: Ghost CMS SQL Injection (CVSS 9.4) - URL: https://purple-ops.io/blog/cve-2026-26980-ghost-sql-injection - Date: 2026-05-27 - Category: CVE Analysis - Tags: cve-2026-26980, ghost-cms, sql-injection, active-exploitation, clickfix - Reading time: 9 min | CVSS: 9.4 **Summary:** Ghost CMS CVE-2026-26980, a critical SQL injection (CVSS 9.4), is actively exploited to steal API keys and inject malware onto 700+ websites CVE-2026-26980 (CVSS 9.4) Ghost SQL Injection Actively Exploited Threat actors actively exploit CVE-2026-26980, a critical SQL injection vulnerability in Ghost CMS versions prior to 6.19.1. This vulnerability, with a CVSS score of 9.4, lets unauthenticated attackers read arbitrary data from the database, including administrative API keys. Its severity increases due to ongoing exploitation, first detected on May 7, 2026. Exploitation targets over 700 websites globally, in sectors like universities, blockchain, artificial intelligence, software-as-a-service (SaaS), security research, media, and financial technology. The campaign injects malicious JavaScript code into compromised Ghost CMS articles, which then redirects visitors through traffic distribution systems before delivering Windows malware. This analysis details CVE-2026-26980, its exploitation chain, and guidance for detection and remediation. Organizations using Ghost CMS should implement recommended patches and security measures to reduce exposure to these threats. Impact CVE-2026-26980 allows an unauthenticated attacker unauthorized data access, specifically targeting the Ghost CMS admin API key. With this key, threat actors gain the ability to directly modify articles published on the content management system, leading to widespread site poisoning. The primary objective observed is injecting malicious JavaScript loaders into compromised pages, which then starts ClickFix attacks. This campaign affects over 700 websites in sectors like universities, blockchain, artificial intelligence, SaaS, security research, media, and financial technology, where trust and data integrity are important. Compromised sites face immediate defacement and pose a significant risk to visitors. Users accessing infected pages are subjected to a multi-stage attack that begins with fake CAPTCHA verification, leading to malicious commands executing on their Windows systems. The outcome is the delivery of Windows executables designed for persistence and remote control. This turns legitimate web properties into channels for malware distribution. The compromise of reputable websites further increases the success rate of these attacks by using inherent user trust. How CVE-2026-26980 Facilitates Attacks CVE-2026-26980 is an SQL injection vulnerability in Ghost CMS's Content API. It is critical because it allows an unauthenticated attacker to read arbitrary data from the database. The initial step in the exploitation chain involves using this vulnerability to steal a target site's Admin API Key without authorization. This key is crucial because it grants control over the Ghost Admin API, enabling an attacker to perform actions typically reserved for legitimate administrators. After acquiring the Admin API Key, threat actors tamper with articles in bulk across the compromised Ghost CMS instance. This bulk modification injects malicious JavaScript loaders at the bottom of web pages. Our prior analysis of similar attack techniques, for example, our analysis of React2Shell CVEs and AI scams, shows the effectiveness of client-side script injection for initial compromise. The injected JavaScript acts as a two-stage loader, designed to retrieve the main payload from an external domain: clo4shara[.]xyz/11z77u3.php. This modular architecture allows attackers to dynamically change payloads while maintaining the loader across many compromised sites. For more on SQL injection vulnerabilities in content management systems, refer to our analysis of a Drupal SQL injection vulnerability. The external PHP script hosted on clo4shara[.]xyz functions as a traffic distribution system, powered by Adspect, a commercial cloaking service. This script collects user browser fingerprint information and uses cloaking techniques to differentiate legitimate victims from security scanners or crawlers. Only intended targets receive the actual malicious payload. The script supports 19 different commands, enabling the threat actor to execute arbitrary JavaScript code and maintain remote control over the victim's browser. Malicious JavaScript for payload delivery is a common technique, like those explored in our post on an Exchange Cross-Site Scripting (XSS) zero-day. Victims identified as targets see a fake CAPTCHA verification page within an iframe. This page lures users through social engineering, instructing them to copy and paste a Base64-encoded command into the Windows Run dialog. This command acts as a dropper, retrieving and extracting a ZIP archive. Inside the archive, a Windows batch script executes a PowerShell command. This PowerShell command downloads a DLL file from a remote domain and launches it using rundll32.exe. As a distraction, a bogus web page simultaneously opens for the user. Later versions of this attack have replaced the DLL payload with a JavaScript payload, but the goal remains dropping a Windows executable. The observed executables include a PuTTY client with a valid code-signing certificate or a modified Inno Setup installer for an Electron application. This application, a tampered version of the open-source Grape desktop client, achieves persistence and regularly polls a remote server, web-telegram[.]ug, every 30 seconds for further instructions, including executing additional JavaScript code or executable files. Which Ghost CMS Versions Are Affected? The CVE-2026-26980 vulnerability affects specific Ghost CMS versions. The security flaw was addressed in version 6.19.1. Affected product line: Ghost CMS Affected versions: All versions prior to 6.19.1 Organizations running any Ghost CMS instance older than 6.19.1 are vulnerable to this SQL injection and the associated ClickFix attacks. Detection Strategies for CVE-2026-26980 Detecting CVE-2026-26980 exploitation and subsequent ClickFix attacks requires a multi-layered approach, focusing on web application logs, network traffic, and endpoint activity. Web Application and Server Logs Monitor Ghost CMS access logs for unusual requests to the Content API, especially those indicating SQL injection attempts or unauthorized access patterns. Examine Ghost CMS audit logs for unauthorized modifications to articles or templates, specifically looking for bulk changes or insertions of new script tags. Analyze HTTP server access logs for requests originating from potentially compromised Ghost instances to external domains like clo4shara[.]xyz or web-telegram[.]ug. Look for POST requests containing Base64-encoded commands or unusual parameters that might indicate an attacker trying to use the Admin API. Network Indicators (IOCs) Domains: clo4shara[.]xyz (Malicious JavaScript loader and traffic distribution) web-telegram[.]ug (Command and Control for the Grape desktop client) IP Addresses: Monitor DNS queries and network connections to IP addresses associated with these domains. Traffic Patterns: Look for outbound HTTP/HTTPS connections from internal networks to the listed malicious domains, especially from user workstations. Identify traffic associated with unexpected file downloads (ZIP archives, DLLs, executables). Proxy/Firewall Logs: Configure firewalls and proxies to block or alert on connections to the identified malicious domains. Endpoint Detection and Response (EDR) / SIEM Queries Process Execution Anomalies: Detect instances of cmd.exe or powershell.exe being launched with Base64-encoded commands, especially with browser processes. Monitor for rundll32.exe executing unusual DLL files from non-standard directories or external network locations. Look for the creation and execution of .bat or .ps1 scripts in temporary directories following web browser activity. File System Activity: Monitor for new ZIP archives, DLLs, or executables created in user download directories or temporary folders that are not associated with legitimate software installations. Identify the installation of the "Grape desktop client" or "PuTTY client" via unexpected installation paths or without user initiation, particularly if they show unusual network activity. Registry/Persistence: Detect new or modified registry keys related to startup items, scheduled tasks, or services designed for persistence for the modified Grape desktop client or other malware. Network Connections from Endpoints: Alert on network connections from powershell.exe, rundll32.exe, or the Grape desktop client to the C2 domain web-telegram[.]ug. Content Monitoring and Web Scanners Regularly scan Ghost CMS instances for injected JavaScript code, especially at the bottom of article pages. Look for