Last updated: July 6, 2026 at 12:53 AM UTC
All 559 Vulnerability 199 Breach 107 Threat 246 Defense 7

Google June Android update fixes 124 flaws including exploited Framework zero-day CVE-2025-48595 - also added to CISA KEV same day

Google has released the June 2026 Android security patches addressing 124 vulnerabilities, including CVE-2025-48595, a high-severity Android Framework flaw under limited, targeted exploitation. Local attackers can abuse it to gain code execution and escalate privileges on Android 14 or later. Google fixed 18 critical vulnerabilities this cycle across System, Framework, and Qualcomm closed-source components; the most severe is a critical Framework flaw enabling remote privilege escalation with no user interaction. Two patch levels shipped (2026-06-01 and 2026-06-05). CISA added CVE-2025-48595 to its KEV catalog the same day. Pixel devices get updates immediately; other vendors typically lag. Similar Android Framework flaws have historically been abused by commercial spyware.

Check
Inventory Android fleet by version and patch level. Confirm devices show the 2026-06-05 patch level. Prioritize Android 14+ devices for CVE-2025-48595; push updates via MDM where possible.
Affected
Android 14 and later unpatched against the June 2026 update. CVE-2025-48595 is under limited targeted exploitation; high-interest individuals face the greatest risk from likely-spyware abuse.
Fix
Apply the June 2026 Android update (2026-06-05 patch level). Non-Pixel users: pressure OEMs for timely rollout. FCEB agencies must remediate CVE-2025-48595 per CISA KEV deadline.

AI-built ransomware toolkit uses Cursor and Claude Opus agents to automate EDR evasion and Active Directory discovery, Sophos finds

Sophos has detailed a threat actor using an AI-assisted ransomware toolkit that automates Active Directory discovery and EDR evasion. Tool and payload development was aided by Cursor and Claude Opus agents across coding, analysis, and revision, with some agents tasked to scrape security-research posts for fresh bypass techniques; resulting malware was tested in VMs against Sophos, CrowdStrike, and Microsoft EDR. The framework includes Cobalt Strike profiles mimicking legitimate web traffic, a Telegram-bot C2, Python shellcode injectors preserving host-binary functionality, and a Cloudflare Worker front-end redirector. Despite the AI orchestration, the workflow is entirely human-driven. Operator logs and a ransomware-leak-site reference confirmed criminal, not red-team, use.

Check
Hunt endpoints for payloads under C:\Users\*\Documents\test, Telegram-bot C2 traffic, and Cobalt Strike beacons fronted by Cloudflare Workers. Apply Sophos IoCs across EDR-monitored hosts.
Affected
Organizations relying on EDR signatures alone. This toolkit was AI-tuned specifically to bypass Sophos, CrowdStrike, and Microsoft EDR, and routes C2 through Telegram and Cloudflare Workers to blend in.
Fix
Layer behavioral detection and AD-tiering on top of EDR. Block unauthorized Telegram API and anomalous Cloudflare Worker egress. Monitor for AD-discovery patterns and shellcode injection into signed binaries.

Gamaredon (FSB) exploits WinRAR to deliver GammaWorm and GammaSteel against Ukraine - resilient, highly obfuscated modular RAR chain

Sekoia has documented Gamaredon - a Russian state-sponsored intrusion set officially linked to the FSB - exploiting WinRAR via booby-trapped RAR archives to deliver the GammaWorm and GammaSteel malware against Ukrainian targets. The infection chain is described as resilient, massive, and highly obfuscated with a modular design whose configurations operators can update on the fly, making reuse likely. Gamaredon has a long history of targeting Ukrainian government, military, and critical-infrastructure entities through spear-phishing with malicious attachments. The disclosure coincides with related Ukraine-focused activity by UAC-0184 (PassMark BurnInTest LNK lures), UAC-0247 (HTA droppers against drone operators), and APT28's evolving PixyNetLoader delivering a COVENANT implant via CVE-2026-21509.

Check
Hunt for malicious RAR archives and WinRAR exploitation, GammaWorm and GammaSteel indicators, and spear-phishing with RAR attachments in Ukraine-facing operations. Apply Sekoia IoCs.
Affected
Ukrainian government, military, and critical-infrastructure entities - Gamaredon's persistent FSB-linked targets. Spear-phishing with booby-trapped RAR archives delivering modular, frequently-updated payloads is the vector.
Fix
Patch WinRAR to the latest version. Block RAR attachments at the email gateway where feasible. Restrict mshta and script execution. Hunt for GammaSteel exfiltration and GammaWorm persistence.

Critical Kirki WordPress flaw CVE-2026-8206 exploited to hijack admin accounts via password-reset redirect - 500,000 installs, 222+ attacks blocked

Hackers are exploiting CVE-2026-8206, a critical privilege-escalation flaw in the Kirki - Freeform Page Builder WordPress plugin, to take over any account including administrators. Defiant's Wordfence blocked over 222 attempts against customers in 24 hours. The plugin is active on more than 500,000 sites; the bug was introduced in version 6.0.0 and affects up to 6.0.6 (nearly 40% of the userbase). It stems from a custom REST password-reset endpoint that accepts an arbitrary email: when a username is supplied, the plugin sends a valid reset link to the attacker-controlled address instead of the owner's. The vendor fixed it in 6.0.7 on May 18; admins should upgrade or disable immediately.

Check
Inventory WordPress sites for the Kirki plugin and confirm version. Audit user accounts and password-reset logs for reset links sent to unfamiliar email addresses since version 6.0.0 deployment.
Affected
Kirki - Freeform Page Builder versions 6.0.0 through 6.0.6 (nearly 40% of 500,000+ installs). The REST password-reset endpoint sends valid reset links to attacker-supplied email addresses for any user.
Fix
Upgrade Kirki to 6.0.7 or disable the plugin immediately. Remove unauthorized admin accounts, rotate all admin credentials, and audit for web shells, malicious plugins, and backdoors.

Dashlane confirms attackers downloaded encrypted vaults of fewer than 20 users in brute-force campaign; Master Password still protects data

Dashlane has updated its brute-force-attack disclosure with a material escalation: attackers successfully downloaded a copy of the encrypted vaults belonging to fewer than 20 personal-plan users. The campaign aimed to break two-factor authentication and register new devices on existing accounts; the high volume of attempts triggered the temporary suspensions reported earlier. Dashlane says it directly notified each affected user and that anyone who did not receive a vault-risk message is unaffected. Crucially, vault data cannot be decrypted without the Master Password, so unless a password is trivial and predictable, cracking attempts are unlikely to succeed. Dashlane's internal systems were not compromised. Users should review registered devices and enable 2FA.

Check
If your team uses Dashlane, confirm whether anyone received a vault-risk notification. For notified users, treat the encrypted vault as exposed and rotate all stored credentials promptly.
Affected
Fewer than 20 Dashlane personal-plan users whose encrypted vaults were downloaded. Vaults are useless without the Master Password; weak or predictable Master Passwords are the residual risk.
Fix
Notified users: rotate every stored credential and change the Master Password to a long, unique one. All users: review registered devices, remove unknown ones, and enable 2FA.

SideCopy (APT36) Operation XENOFISCAL hits Afghanistan Finance Ministry with Pashto-lure Xeno RAT via mshta.exe and Edge-mimicking persistence

Seqrite Labs has documented Operation XENOFISCAL, a campaign by the Pakistan-linked SideCopy group (under the Transparent Tribe / APT36 umbrella) targeting Afghanistan's Ministry of Finance, provincial revenue and finance directorates, and Pashto-speaking government officials. The attack opens with spear-phishing delivering a ZIP archive containing a malicious LNK file bearing a Pashto-language filename - a deliberate choice reflecting familiarity with Afghan government circles. The LNK uses mshta.exe to fetch a remote HTA from a compromised Afghan education domain, running obfuscated in-memory JavaScript. It establishes Registry persistence mimicking Microsoft Edge and drops Xeno RAT 1.8.7 plus a decoy document via a DLL loader. Xeno RAT supports keylogging, screenshots, and SOCKS5 tunneling.

Check
Hunt for LNK files with Pashto filenames, mshta.exe fetching remote HTA, Edge-mimicking Registry persistence, and Xeno RAT 1.8.7 TCP C2. Apply Seqrite IoCs in South Asia government environments.
Affected
Afghanistan's Ministry of Finance, provincial revenue/finance directorates, and Pashto-speaking government officials. SideCopy (APT36 umbrella) uses language-tailored spear-phishing reflecting deep target familiarity.
Fix
Block ZIP-with-LNK email attachments and restrict mshta.exe for standard users. Hunt for Xeno RAT scheduled-task persistence and SOCKS5 tunneling. Monitor compromised education-domain callbacks.

WeedHack malware-as-a-service infostealer infects 116,000+ Minecraft systems via YouTube and SEO-poisoned fake mods and cheat clients

McAfee has detailed WeedHack, a malware-as-a-service infostealer campaign that has infected more than 116,000 systems since January by targeting Minecraft players. The malware spreads through malicious Minecraft mods, clients, cheats, and utilities promoted via YouTube videos (some with voice-over narration and thousands of views) and SEO poisoning of keywords matching popular clients like Meteor, Wurst, LiquidBounce, and Impact. WeedHack averages 2,000-3,000 infections daily, mostly in the US, Germany, India, and the UK, across 240+ distribution URLs and 3,820 unique malicious JAR files. It offers customers a dashboard to view stolen credentials and victim data. Some fake sites even link to legitimate GitHub repos to fabricate credibility.

Check
Brief staff and family-device users that Minecraft mods, cheats, and clients from YouTube links or search results frequently carry infostealers. Hunt endpoints for the 3,820 known WeedHack JAR hashes.
Affected
Minecraft players (often younger users on shared/home devices) installing third-party mods, cheats, and clients. 116,000+ infected since January, mostly US, Germany, India, UK. MaaS dashboard tracks victims.
Fix
Source Minecraft tools only from official project pages. Apply McAfee WeedHack IoCs and block known distribution URLs. Rotate credentials on any system that ran an untrusted JAR.

HP Poly VVX VoIP phones: unauthenticated root RCE CVE-2026-0826 via oversized ICE candidate in SIP INVITE, patches available

Rapid7 has disclosed CVE-2026-0826, a critical unauthenticated stack-based buffer overflow in HP Poly VoIP phones that gives a remote attacker root-level code execution. Discovered during zero-day research against a Poly VVX 450, the flaw sits in SDP parsing for ICE-enabled phones: the device copies a candidate attribute into a 256-byte stack buffer without a length check, so an oversized ICE candidate in a crafted SIP INVITE overflows the stack and can overwrite the program counter. NX is enabled but ASLR misbehaves, loading shared libraries at fixed addresses that make a ROP chain practical. An attacker needs no authentication. Patches are available for affected models.

Check
Inventory HP Poly VoIP phones (VVX and ICE-enabled models) by firmware. Confirm SIP/VoIP interfaces are not reachable from untrusted networks. Apply the CVE-2026-0826 patch for affected models.
Affected
HP Poly VoIP phones (VVX 450 confirmed) with ICE enabled. An unauthenticated SIP INVITE carrying an oversized ICE candidate triggers a root-level stack overflow; fixed-address libraries make ROP practical.
Fix
Apply Rapid7-referenced patches immediately. Place VoIP phones on a dedicated VLAN with strict ACLs. Block SIP from untrusted networks and monitor for malformed INVITE traffic.

CISA adds 4-year-old Linux kernel cgroups container-escape CVE-2022-0492 to KEV after active exploitation evidence

CISA has added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The four-year-old Linux kernel flaw is an improper-authentication issue in the cgroups v1 release_agent feature that can be abused for container escape and privilege escalation to root on the host. It is well known among container-security researchers as a path to breaking out of misconfigured containers lacking AppArmor/SELinux or seccomp restrictions. Its appearance on KEV signals active in-the-wild abuse, likely in cloud and container environments. FCEB agencies must remediate by the BOD 22-01 deadline; all organizations running container workloads on older kernels should patch and verify hardening immediately.

Check
Inventory container hosts running kernels unpatched against CVE-2022-0492. Check for containers running without AppArmor/SELinux or seccomp confinement, which makes the release_agent escape exploitable.
Affected
Linux hosts on older kernels with the cgroups v1 release_agent flaw, especially containers lacking AppArmor/SELinux or seccomp restrictions. Active exploitation now confirmed via CISA KEV listing.
Fix
Patch host kernels. Enforce seccomp and AppArmor/SELinux on all containers. Drop CAP_SYS_ADMIN where unneeded. FCEB agencies must remediate by the CISA KEV deadline.

FBI-flagged Kali365 phishing-as-a-service expands reach - Microsoft 365 OAuth device-code consent abuse grows beyond April campaigns

Dark Reading reports that Kali365 - the phishing-as-a-service platform the FBI flagged for fueling Microsoft 365 attacks in April - is expanding its reach. Rather than stealing passwords, Kali365 captures OAuth access and refresh tokens by tricking victims into completing attacker-initiated Microsoft device-login requests, granting immediate mailbox access. The service generates branded lures impersonating Adobe, DocuSign, and SharePoint in many languages and sells in tiers from $250 for 30 days to $2,000 annually. Its continued growth signals that OAuth device-code consent phishing remains a high-yield technique, and that defenders should prioritize blocking device-code flows for non-mobile platforms and enforcing phishing-resistant MFA across Microsoft 365 tenants.

Check
Search Microsoft 365 logs for unfamiliar device-login completions and OAuth consent grants. Hunt for inbox rules hiding security alerts. Block Adobe/DocuSign/SharePoint-themed device-code lures.
Affected
Microsoft 365 tenants where users can complete attacker-initiated device-login flows. Kali365's branded multi-language lures and tiered pricing keep OAuth device-code phishing scalable and growing.
Fix
Block device-code flow in Conditional Access for non-mobile platforms. Enforce phishing-resistant FIDO2 MFA. Train users to verify device-login codes. Audit OAuth-granted apps regularly.