Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Free apps turn smart TVs into hidden web-scraping proxies

Researchers at Include Security have shown how a software kit made by Bright Data, embedded inside free apps on Samsung, LG, and Roku smart TVs, quietly turns those always-on devices into relays for someone else's web-scraping traffic. Users opt in through a consent screen buried in the TV's menu, then their home internet connection is used to fetch web pages for Bright Data's paying customers, many of them AI firms. The researchers found the control channel barely checks who is issuing commands, weaker than many malware families, and on iPhones the traffic even slips past VPNs and normal monitoring tools.

Check
On managed mobile devices, scan apps for the Bright Data SDK using the binary symbols BrdWebSocketFacade and BrdNetwork.DNSResolver, and watch networks for unexplained outbound scraping traffic.
Affected
Samsung, LG, Roku, and other smart TVs plus iOS and Android phones running free apps that bundle the Bright Data (formerly Luminati) residential-proxy SDK.
Fix
Uninstall apps that bundle the proxy SDK, decline the bandwidth-sharing consent prompt, and block the SDK on managed devices via MDM app-vetting and outbound network policy.

Android spyware Asin targets Arabic journalists via fake news and map apps

Security firm ESET has detailed a new Android spyware it calls Asin that targets Arabic-speaking users, likely journalists and open-source investigators. Victims are lured to convincing fake websites posing as a government news service, a secure PDF reader, and live war-map tools, some promoted through Facebook and Telegram pages. The sites offer apps such as GovLens, WarMap, and Syria Defense Map that work as advertised but hide spyware underneath. Because the apps come from outside official stores, victims must manually install them and grant permissions. ESET has not tied the campaign to a known group, and its exact goals remain unclear.

Check
Review managed Android devices for sideloaded apps named GovLens, WarMap, or Syria Defense Map, and check DNS and proxy logs for the known Asin distribution domains.
Affected
Android users in Arabic-speaking regions, especially journalists and OSINT researchers, who sideloaded apps from govlens[.]net, pdf-reader[.]help, live-war-map[.]com, or syriadefensemap[.]com.
Fix
Remove the malicious apps, block the listed domains at your DNS or proxy, disable installation from unknown sources, and run a mobile security scan on affected phones.

AI-assisted audit finds 4-year Zcash flaw enabling unlimited counterfeit coins

A critical flaw in Zcash's Orchard privacy pool, the system that lets people send the ZEC cryptocurrency while hiding amounts and parties, could have let an attacker mint unlimited counterfeit coins without detection. Security researcher Taylor Hornby, hired by developer Shielded Labs to probe the code, found it on May 29 using Anthropic's Claude Opus 4.8 model paired with a custom auditing tool, and wrote a working exploit within a day. The bug had survived four years and multiple expert reviews. An emergency fix shipped by June 1. Because the pool hides balances, there is no way to prove whether anyone exploited it earlier.

Check
If you run a Zcash node, operate an exchange listing ZEC, or hold funds in the Orchard shielded pool, confirm your software version against the June 2026 emergency release.
Affected
Zcash Orchard shielded pool, active since May 2022. Node operators, exchanges, and wallets running pre-fix software exposed to undetectable double-spend and counterfeiting of ZEC.
Fix
Upgrade to the emergency-patched Zcash node release published by June 1, 2026, and follow Shielded Labs guidance on the proposed network upgrade adding supply-accounting checks.

FIFA World Cup 2026 fraud wave hits fans before June 11 kickoff

With the FIFA World Cup kicking off June 11 across the US, Canada, and Mexico, the FBI and researchers at Group-IB and Fortinet warn that a large fraud operation is already running. Group-IB tracked more than 4,300 fake FIFA websites and a Chinese-speaking crew, GHOST STADIUM, that cloned the official site pixel-for-pixel, fake login and all, across 300-plus domains. Scams include bogus ticket, merchandise, and hospitality sites, fake streaming apps that hide banking malware, and betting sites that harvest passport scans for identity theft. With tickets scarce and 150 million requests filed, scammers are exploiting fans' urgency to steal logins, money, and personal data.

Check
Warn staff and remind yourself to verify any World Cup ticket, merchandise, or streaming offer, and check security logs for employee visits to lookalike FIFA domains.
Affected
Anyone buying World Cup tickets, merchandise, hospitality, or streaming access, plus job seekers; employees using work devices or accounts to shop for the tournament.
Fix
Buy only via fifa.com typed directly into the browser, avoid sponsored search results and emailed links, and block known fraudulent FIFA domains at your web gateway.

Cisco SD-WAN Manager zero-day exploited to gain root, no patch yet

Cisco has warned of an actively exploited, unpatched zero-day in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) that enables root privilege escalation across all deployment types, including on-prem, Cloud, Managed, and FedRAMP Government. The flaw stems from insufficient validation of user-supplied input: an attacker who uploads a crafted file can perform command injection and run arbitrary commands as root. Exploitation requires netadmin privileges - obtained via valid credentials or by chaining CVE-2026-20182 or CVE-2026-20127. Mandiant reported the activity to Cisco's PSIRT in June. Cisco has observed limited cases where exploitation pushed configuration changes to edge devices, and published IoCs pointing to suspicious tenant-list uploads in scripts.log.

Check
Inventory Cisco Catalyst SD-WAN Manager instances (all deployment types). Check /var/log/scripts.log for suspicious tenant-list uploads per Cisco's IoCs. Verify netadmin accounts and confirm CVE-2026-20182/20127 are patched.
Affected
All Cisco Catalyst SD-WAN Manager deployments (on-prem, Cloud, Managed, FedRAMP). Root-level command injection via crafted file upload; requires netadmin privileges, obtainable by chaining CVE-2026-20182 or CVE-2026-20127. No patch yet.
Fix
No patch available. Restrict netadmin access, enforce strong credentials and MFA, and patch the chainable CVE-2026-20182/20127. Apply Cisco IoCs and monitor scripts.log and edge-device config changes.

SolarWinds Serv-U flaw exploited to crash file-transfer servers, now in CISA KEV

CISA has warned that attackers are actively exploiting CVE-2026-28318, a high-severity SolarWinds Serv-U denial-of-service flaw, and added it to the Known Exploited Vulnerabilities catalog. Serv-U is SolarWinds' Windows and Linux managed-file-transfer and FTP software. The flaw is an uncontrolled-resource-consumption weakness: specially crafted POST requests using Content-Encoding: deflate crash the Serv-U service without authentication, in low-complexity attacks needing no user interaction. SolarWinds shipped Serv-U 15.5.4 Hotfix 1 and advised admins who cannot patch to restrict access and block POST requests containing content-encoding. Shodan tracks over 12,000 exposed Serv-U servers (Shadowserver around 3,100). FCEB agencies must patch by June 19 under BOD 22-01.

Check
Inventory SolarWinds Serv-U servers, especially internet-exposed ones (Shodan shows 12,000+). Confirm Serv-U 15.5.4 Hotfix 1 is applied. Monitor for crashes and crafted deflate POST requests.
Affected
SolarWinds Serv-U MFT/FTP servers before 15.5.4 Hotfix 1. Unauthenticated, low-complexity DoS via POST requests using Content-Encoding: deflate. Over 12,000 instances exposed online per Shodan.
Fix
Apply Serv-U 15.5.4 Hotfix 1. If patching must wait, restrict access to known addresses and block POST requests containing content-encoding. FCEB agencies must remediate by June 19.

Chinese APT UNC5221 keeps 18-month Microsoft 365 access with Brickstorm backdoor

Volexity has detailed Chinese espionage group UNC5221 (also VerdantBamboo) maintaining access to a victim's Microsoft 365 environment using the Brickstorm backdoor plus previously undocumented malware named Plenet and AgentPSD. The actor sat on the network at least 18 months before detection and had also compromised the victim's MSP. UNC5221 has exploited edge-device zero-days since at least 2023; Brickstorm began as Golang, later Rust. In this case the group pivoted from a compromised Egnyte Storage Sync system through the victim's SSL VPN, then used Brickstorm proxying and stolen credentials to reach Microsoft 365 - deliberately blending with legitimate traffic to evade Conditional Access. It re-breached the org after remediation.

Check
Hunt for Brickstorm, Plenet, and AgentPSD indicators across edge devices and M365. Review Conditional Access logs for VPN-proxied logins blending with legitimate traffic. Audit MSP access paths into your environment.
Affected
Organizations (and their MSPs) running internet-facing edge devices and Egnyte/SSL-VPN infrastructure. UNC5221 maintains multi-year persistence via Brickstorm proxying and stolen credentials to reach Microsoft 365 undetected.
Fix
Apply Volexity IoCs. Harden Conditional Access against proxied logins, rotate credentials, and scrutinize MSP connections. Assume long dwell time - hunt historically and re-verify after remediation, since the group re-breached.

China-linked OP-512 hits Microsoft IIS servers with stealthy custom web shells

ReliaQuest has documented OP-512, a China-linked espionage cluster targeting Microsoft IIS web servers with a bespoke web-shell framework - the fourth such group after CL-STA-0048, DragonRank, and GhostRedirector to single out IIS in the past year. The framework uses three web shells that grant remote access while evading signature detection and complicating forensics: each deployment is uniquely generated, access is cryptographically restricted to the attacker, and compromised servers auto-report to centralized management. To hide, the web shells timestomp - scanning surrounding files, computing the median last-modified time, and overwriting their own timestamps to match. ReliaQuest notes close tactical proximity to CL-STA-0048, suggesting a revamped toolset or shared development.

Check
Hunt IIS servers for unfamiliar web shells, cryptographically-gated access, and timestomped files whose timestamps match the median of surrounding files. Apply ReliaQuest IoCs. Review IIS request logs for anomalous POSTs.
Affected
Internet-facing Microsoft IIS web servers, particularly at organizations aligned with China-linked intelligence priorities. OP-512's uniquely-generated, crypto-gated web shells evade signature detection and timestomp to hide.
Fix
Patch and harden IIS, restrict write access to web roots, and deploy file-integrity monitoring that flags timestomping. Hunt for the three-shell framework and centralized callback traffic per ReliaQuest.

Critical Everest Forms WordPress plugin flaw exploited to create rogue admins

Wordfence reports active exploitation of CVE-2026-3300 (CVSS 9.8), a remote code execution flaw in the Everest Forms Pro WordPress plugin (about 4,000 active installations) affecting all versions up to 1.9.12. The Calculation Addon's process_filter() function concatenates user-submitted form-field values into a PHP string and passes it to eval() without proper escaping; sanitize_text_field() does not escape single quotes, so unauthenticated attackers can inject and run arbitrary PHP by submitting a crafted value in any string-type field when a form uses the Complex Calculation feature. Exploitation began April 13; Wordfence has blocked 29,300+ attempts. The common payload creates a rogue admin named 'diksimarina.' Patch 1.9.13 shipped March 18.

Check
Inventory WordPress sites for Everest Forms Pro and confirm version 1.9.13 or later. Audit for a rogue admin named 'diksimarina' and review forms using the Complex Calculation feature.
Affected
Everest Forms Pro versions up to 1.9.12 using the Complex Calculation feature. Unauthenticated attackers inject PHP via any string-type field into an unescaped eval(). Exploited since April 13.
Fix
Upgrade Everest Forms Pro to 1.9.13 immediately. Remove rogue admins (e.g. 'diksimarina'), rotate admin credentials, and audit for web shells. Block the published attacker IPs.

Corporate travel firm BCD Travel breach exposes 396,000 accounts

Have I Been Pwned has added BCD Travel - one of the world's largest corporate travel-management companies - to its breach corpus with 396,313 unique email addresses. BCD Travel arranges business travel for large enterprises and government clients worldwide, so the exposed dataset likely skews toward corporate and frequent-traveler accounts. As is typical for HIBP additions, the underlying breach source and disclosure details are not published alongside the entry, but the listing lets individuals and organizations check whether their accounts appear in the leaked dataset. Affected travelers should anticipate travel-themed phishing - itinerary updates, booking confirmations, loyalty-program lures - and should rotate any reused passwords and enable MFA.

Check
Check whether your @company emails appear in HIBP's BCD Travel corpus. Warn business travelers about itinerary, booking-confirmation, and loyalty-program phishing over the next 60-90 days.
Affected
396,313 unique email addresses tied to BCD Travel corporate-travel accounts. Dataset likely skews toward enterprise and government frequent travelers, raising targeted travel-themed phishing risk.
Fix
Affected individuals: rotate BCD Travel passwords and any reused elsewhere, enable MFA, scrutinize unsolicited travel emails. Organizations: add BCD Travel to breach-monitoring watchlists and brief traveling staff.