Last updated: July 5, 2026 at 9:01 AM UTC

Ubiquiti UniFi and Lantronix flaws now exploited; CISA sets June 26 deadline

CISA has confirmed active exploitation of four critical flaws in Ubiquiti UniFi OS and Lantronix EDS5000 devices, adding them to its Known Exploited Vulnerabilities catalog with a June 26 deadline for federal agencies. Three UniFi OS bugs (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910), each rated 10.0, can be chained for unauthenticated remote code execution and root; attackers were seen creating rogue admin accounts. The Lantronix flaw (CVE-2025-67038) is an unauthenticated root command injection in the EDS5000 serial console server. Ubiquiti patched UniFi OS Server in version 5.0.8, and Lantronix in firmware 2.2.0.0R1. Compromised network appliances let attackers pivot deep into internal networks.

Check
Inventory Ubiquiti UniFi OS consoles and gateways and any Lantronix EDS5000 device servers, confirm their firmware versions, and review logs for unexpected admin accounts or commands, especially on internet-reachable management interfaces.
Affected
UniFi OS devices before Server version 5.0.8 (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) and Lantronix EDS5000 on firmware 2.1.0.0R3 (CVE-2025-67038); unauthenticated attackers can reach root and pivot inward.
Fix
Update UniFi OS to 5.0.8 or later and Lantronix EDS5000 to firmware 2.2.0.0R1 before the June 26 deadline, and restrict device management interfaces to trusted networks until patched.

macOS trust-caching gap lets standard users silently disable EDR and MDM

Researchers at XM Cyber detailed a macOS technique that lets an attacker with only standard user privileges disable enterprise security tools and call privileged functions, with no admin credentials, kernel exploit, or alerts. It abuses how macOS caches an application's code signature: once cached, the system keeps trusting the app even after an attacker modifies its components, letting a normal user impersonate trusted code and reach privileged XPC services by injecting into interface files. The team showed it disabling CrowdStrike Falcon and Kandji's MDM agent. CrowdStrike and Kandji have fixed their products, with Kandji assigning CVE-2026-39118, but XM Cyber frames the root cause as a flaw in macOS itself.

Check
Confirm that macOS endpoint security and management agents, such as EDR and MDM, are updated to versions that address this technique, and identify any third-party macOS apps exposing privileged XPC services.
Affected
Organizations relying on macOS endpoint protection and MDM; any app exposing privileged XPC services with injectable interface files can be abused by a standard user to escalate and disable defenses.
Fix
Update CrowdStrike, Kandji, and other macOS security agents to patched versions, monitor for tampering with security tools, and apply Apple updates as they address the underlying trust-caching weakness.

ShinyHunters leaks Madison Square Garden Sports data on nearly 10 million people

The extortion group ShinyHunters has published data stolen from Madison Square Garden Sports, owner of the New York Knicks and Rangers, after the company did not pay. Have I Been Pwned indexed 9,796,738 unique email addresses spanning staff and customers, alongside extensive personal, employment, and customer-relationship records including names, addresses, phone numbers, and some dates of birth. Reporting on the leak describes an internal "Talent" file profiling former players, executives' family members, and celebrities, in some cases with so-called threat assessments. The intrusion reportedly began with voice-phishing of staff, the same social-engineering pattern behind ShinyHunters' wider 2026 campaign against large enterprises.

Check
People who interacted with Madison Square Garden venues or teams should check Have I Been Pwned for their email and watch for targeted phishing or fraud referencing tickets, accounts, or events.
Affected
Staff and customers of Madison Square Garden Sports whose contact and personal data was exposed (9,796,738 emails); high-profile individuals named in internal files face heightened targeting and impersonation risk.
Fix
Reset and avoid reusing affected account passwords, enable phishing-resistant MFA, and stay alert to convincing phishing. Organizations should harden help desks against voice-phishing with strict caller-identity verification.

Bajaj Auto confirms ransomware attack on its own and its subsidiary's systems

Bajaj Auto, one of India's largest makers of motorcycles and three-wheelers, has disclosed a ransomware attack that hit its systems and those of its wholly owned subsidiary Bajaj Auto Technology Limited on the morning of June 23. In a regulatory filing, the company said its technical team and outside experts responded quickly and that containment measures have so far been effective. Bajaj Auto has not disclosed the ransomware strain, whether data was stolen, or whether production was affected, and reported the incident to India's CERT-In. Its shares fell more than 2 percent, and the attack follows a separate breach at Tata Electronics.

Check
Manufacturers should review the resilience of production and IT systems against ransomware, confirm offline backups are tested, and watch for follow-on extortion or leaks tied to this and related Indian manufacturing attacks.
Affected
Bajaj Auto and its subsidiary Bajaj Auto Technology Limited; the strain, data impact, and operational effects are not yet disclosed, part of a wider wave of ransomware hitting Indian manufacturers.
Fix
Maintain tested offline backups, segment IT from production networks, enforce phishing-resistant MFA and least privilege, and prepare incident-response and regulatory-notification plans before an attack, not during one.

Edgecution malicious Edge extension escapes the browser sandbox to plant a backdoor

Zscaler detailed Edgecution, a malicious Microsoft Edge extension used in ransomware-linked intrusions that abuses Chrome's native messaging feature, which normally lets extensions talk to desktop apps, to break out of the browser sandbox and run a Python backdoor on the host. The extension beacons to a command server and relays commands to the backdoor, giving attackers filesystem access and code execution, while running in a hidden headless browser to stay invisible. Attacks start with social engineering on Microsoft Teams, where the actor poses as IT support and directs employees to a fake "Outlook Updates" page. Researchers tie the activity to an access broker linked to the Payouts King ransomware operation.

Check
Review which browser extensions are installed across the organization and audit native messaging host registrations, and treat unsolicited Microsoft Teams messages from supposed IT support directing software installs as suspicious.
Affected
Organizations whose employees can install browser extensions and be reached by external Microsoft Teams messages; the technique escapes the browser sandbox to give attackers host-level access for ransomware staging.
Fix
Restrict browser extension installation through policy, control native messaging host configurations, lock down external Teams contact, and train staff to reject IT-support prompts pushing browser or software updates.
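
One way to act on the native-messaging audit above, as an added example that is not Zscaler's tooling or code from the page: it reads native messaging host manifests and flags hosts that point at an interpreter or script, live in a user-writable directory, use an unexpected transport, or are opened to extension IDs outside an approved list. The manifest fields (name, description, path, type, allowed_origins) are the documented Chromium format that Edge also uses; the two manifests, file paths and extension IDs below are constructed.

```python
"""Audit native messaging host manifests for hosts that would hand a browser
extension a general-purpose interpreter or script on the machine.

Added example, not Zscaler's tooling. Manifest field names follow the
documented Chromium native messaging format; the sample manifests, paths
and extension IDs are constructed for illustration.
"""
import json
import ntpath
import posixpath

INTERPRETERS = {"python.exe", "pythonw.exe", "python", "python3", "powershell.exe",
                "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "node.exe", "node", "sh", "bash"}
SCRIPT_SUFFIXES = (".py", ".ps1", ".bat", ".cmd", ".vbs", ".js")
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                       "\\users\\public\\", "/tmp/", "/home/")
# Extension IDs the organisation has approved to talk to native hosts (constructed).
APPROVED_EXTENSIONS = {"abcdefghijklmnopabcdefghijklmnop"}


def basename(path):
    """Last path component for either Windows or POSIX style paths."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)


def audit_manifest(text):
    """Return (host name, list of findings) for one manifest JSON document."""
    m = json.loads(text)
    findings = []
    path = str(m.get("path", ""))
    leaf = basename(path).lower()
    # A dedicated host binary is expected; an interpreter or script means the
    # extension effectively gets arbitrary code execution on the host.
    if leaf in INTERPRETERS or leaf.endswith(SCRIPT_SUFFIXES):
        findings.append("host is an interpreter or script rather than a dedicated binary")
    if any(h in path.lower() for h in USER_WRITABLE_HINTS):
        findings.append("host lives in a user-writable directory")
    if m.get("type") != "stdio":
        findings.append(f"unexpected host type {m.get('type')!r}")
    for origin in m.get("allowed_origins", []):
        prefix = "chrome-extension://"
        ext_id = origin[len(prefix):].strip("/") if origin.startswith(prefix) else origin
        if ext_id not in APPROVED_EXTENSIONS:
            findings.append(f"allowed origin {ext_id} is not an approved extension")
    return m.get("name", "<unnamed>"), findings


def audit_all(manifests):
    """Map host name -> findings for every manifest that raised at least one."""
    return {name: f for name, f in map(audit_manifest, manifests) if f}


# Constructed manifests: a vendor host, and one shaped like the escape path
# described above (a script in the user's profile reachable from an unknown extension).
SAMPLE_MANIFESTS = [
    json.dumps({"name": "com.example.vault", "description": "Password manager bridge",
                "path": "C:\\Program Files\\ExampleVault\\vault_host.exe", "type": "stdio",
                "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]}),
    json.dumps({"name": "com.example.helper", "description": "Browser helper",
                "path": "C:\\Users\\alice\\AppData\\Roaming\\Helper\\bridge.py", "type": "stdio",
                "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"]}),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_MANIFESTS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

On Windows, Edge locates these manifests through registry keys under Software\Microsoft\Edge\NativeMessagingHosts in both HKCU and HKLM, each key's default value being the manifest path; enumerating those keys and feeding the manifest contents to audit_all is the natural way to run this across a fleet, and the per-user HKCU entries are the ones a standard user can add without any elevation.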

Stealthy Mistic backdoor gives ransomware access broker KongTuke lasting footholds

Symantec and Zscaler detailed Mistic, a stealthy new Windows backdoor used in intrusions since April and tied to KongTuke, an initial access broker that sells footholds to ransomware crews including Qilin, Akira, and Rhysida. Mistic is side-loaded through a legitimate Microsoft executable and a malicious DLL named to mimic endpoint-security software, runs payloads only in memory with nothing written to disk, and includes a self-delete kill switch, all aimed at long-term, low-visibility access. It is delivered through social-engineering lures such as fake CAPTCHAs and Microsoft Teams help-desk pretexts that trick users into running PowerShell commands. Defenders should watch for the unusual DLL side-loading pattern.

Check
Hunt for the legitimate MpExtMs.exe process side-loading unexpected DLLs, in-memory-only payloads, and signs of paste-and-run PowerShell delivered through fake CAPTCHAs or Microsoft Teams help-desk messages.
Affected
Enterprises across insurance, education, IT, and professional services targeted by KongTuke; a quiet, in-memory backdoor establishes durable access that is later sold to ransomware affiliates for deployment.
Fix
Train users against paste-and-run and fake IT-support lures, restrict PowerShell and script execution, deploy behavioral detection for DLL side-loading and in-memory backdoors, and apply the published indicators of compromise.
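
The side-loading hunt from the Check above, written out as an added example rather than Symantec's or Zscaler's detection logic: it scans Sysmon Event ID 7 (Image loaded) records, restricts itself to the watched host process named on the page, and reports loads where the DLL is not validly Microsoft-signed, the host binary is running from a user-writable directory, or the DLL sits beside a relocated host. The log records, the DLL name and every file path below are constructed, not real indicators.

```python
"""Hunt for DLL side-loading through a watched, legitimately signed host
binary in Sysmon Event ID 7 (Image loaded) records.

Added example. The host process name comes from the item above; the DLL
name, file paths and log records are constructed to illustrate the
pattern and are not indicators of compromise.
"""
import json
import ntpath

WATCHED_HOSTS = {"mpextms.exe"}
TRUSTED_PUBLISHERS = ("Microsoft Windows", "Microsoft Corporation")
# Directories a Microsoft system binary has no business running from.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\",
                       "\\users\\public\\", "\\programdata\\")


def evaluate(rec):
    """Return the reasons one Image-loaded record looks like side-loading."""
    image = str(rec.get("Image", ""))
    dll = str(rec.get("ImageLoaded", ""))
    if ntpath.basename(image).lower() not in WATCHED_HOSTS:
        return []
    reasons = []
    signed = str(rec.get("Signed", "false")).lower() == "true"
    publisher = str(rec.get("Signature", ""))
    if not signed or rec.get("SignatureStatus") != "Valid" \
            or not publisher.startswith(TRUSTED_PUBLISHERS):
        reasons.append("loaded DLL is not validly signed by Microsoft")
    if any(h in image.lower() for h in USER_WRITABLE_HINTS):
        reasons.append("host binary is running from a user-writable directory")
    # A DLL next to a relocated host is the classic side-load layout; on its
    # own (both files in System32, say) it is normal and is not reported.
    if reasons and ntpath.dirname(image).lower() == ntpath.dirname(dll).lower():
        reasons.append("DLL sits in the same directory as the relocated host binary")
    return reasons


def hunt(lines):
    """Scan newline-delimited JSON Sysmon records; return hits with reasons."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("EventID") != 7:
            continue
        reasons = evaluate(rec)
        if reasons:
            hits.append({"image": rec["Image"], "dll": rec["ImageLoaded"],
                         "reasons": reasons})
    return hits


# Constructed sample records in the shape of a Sysmon-to-JSON export.
SAMPLE_LOGS = [
    json.dumps({"EventID": 7, "Image": r"C:\Program Files\Example\MpExtMs.exe",
                "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
                "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\Updater\MpExtMs.exe",
                "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Updater\SecurityAgent.dll",
                "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"}),
    json.dumps({"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
                "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\helper.dll",
                "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"}),
    json.dumps({"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\Updater\MpExtMs.exe"}),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit["image"], "->", hit["dll"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

Only the second record fires: the same host binary loading a Microsoft-signed system DLL from a normal install path is silent, and the unsigned load by tool.exe is out of scope because the watchlist keeps the rule focused on the specific legitimate binary being abused. Extending WATCHED_HOSTS as new side-load hosts are published is the intended way to grow the rule.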

Cisco Unified CM flaw now exploited to gain root on phone systems

A flaw in Cisco Unified Communications Manager, the system that runs enterprise phone and call infrastructure, is now being exploited in attacks. The bug (CVE-2026-20230) is a server-side request forgery that lets an unauthenticated attacker send a crafted HTTP request to write files onto the underlying system, which can then be used to escalate to root and fully take over the server. Cisco patched it on June 3 and rates it critical; public exploit code has been available since, and security firms now see active exploitation attempts. The flaw is only exploitable when the WebDialer service is enabled, which is not the default.

Check
Check whether your Cisco Unified CM or Session Management Edition deployments have the WebDialer service enabled and confirm the software version, then review system logs for unexpected file writes or webshells.
Affected
Cisco Unified CM and Unified CM SME with the WebDialer service enabled (CVE-2026-20230); version 14 before 14SU6 and version 15 before 15SU5, especially with management interfaces reachable by attackers.
Fix
Patch to Cisco Unified CM 14SU6 or apply the version 15 interim fix, or disable the WebDialer service if it is not needed, and restrict management interfaces to trusted networks.

Eight-year-old Samsung KNOX kernel flaw exposed Galaxy S9 through S25

Researchers at LucidBit Labs detailed an eight-year-old use-after-free flaw in the kernel of Samsung's KNOX security framework that affected a huge range of Galaxy devices, from the Galaxy S9 to the S25, across A-series and both Exynos and Qualcomm models. The bug (CVE-2026-20971) sits in a race between two KNOX components that verify process integrity, and a malicious app could exploit it to corrupt kernel memory and potentially take full control of the device. Samsung quietly fixed it in its January 2026 security update. Exploitation requires local access and some user interaction, but a lost, borrowed, or stolen phone makes that realistic.

Check
Confirm that Samsung Galaxy devices in your environment have installed the January 2026 or later security update, and identify any older or unmanaged Galaxy phones that may still be missing it.
Affected
Samsung Galaxy devices from the S9 through S25, plus A-series models on both Exynos and Qualcomm chips (CVE-2026-20971), that have not applied the January 2026 security update.
Fix
Apply the January 2026 or later Samsung security update to all Galaxy devices, enforce update compliance through mobile device management, and retire devices no longer receiving security patches.

Cordyceps CI/CD weakness lets anonymous pull requests hijack build pipelines

Researchers at Novee disclosed Cordyceps, a systemic class of weaknesses in CI/CD pipelines, especially GitHub Actions workflows, that lets an attacker with nothing more than a free account hijack a project's build and release process. The danger is not a single bug but how workflows chain together: an untrusted pull request or comment feeds a low-privilege workflow whose output flows into a higher-privilege one, ending in stolen credentials, poisoned artifacts, or malicious releases. A scan of 30,000 repositories found over 300 fully exploitable, with fixes confirmed by Microsoft, Google, Apache, Cloudflare, and the Python Software Foundation. Standard scanners miss it because they check files in isolation.

Check
Audit your GitHub Actions and other CI/CD workflows for steps that pass untrusted pull-request or comment data into higher-privilege jobs, and inventory where workflow tokens grant cloud or registry access.
Affected
Organizations whose CI/CD pipelines run workflows triggered by untrusted pull requests or comments, particularly GitHub Actions setups where low-privilege and high-privilege jobs share data and tokens across trust boundaries.
Fix
Treat workflow files as security-critical code, apply least privilege to workflow tokens, isolate untrusted pull-request triggers, sanitize data crossing between jobs, and review CI/CD changes generated by AI coding tools.
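
A static check for the chaining pattern described above, as an added example and not Novee's scanner: it takes GitHub Actions workflow documents already parsed into dicts (the shape yaml.safe_load returns for a workflow file) and flags three ways untrusted pull-request or comment data reaches a privileged job: a pull_request_target job checking out the PR head, a workflow_run job consuming artifacts produced by the untrusted run, and attacker-controlled event fields expanded directly into a run: step. The two sample workflows, VULNERABLE and HARDENED, are constructed and do not come from any real repository.

```python
"""Static audit of GitHub Actions workflows for untrusted pull-request or
comment data that crosses into a privileged job.

Added example. Input is a workflow already parsed into a dict, which is
what `yaml.safe_load` returns for a .github/workflows/*.yml file. The two
sample workflows below are constructed.
"""
import re

# Event payload fields that an outside contributor controls directly.
UNTRUSTED_FIELDS = (
    "github.event.issue.title", "github.event.issue.body",
    "github.event.comment.body", "github.event.review.body",
    "github.event.pull_request.title", "github.event.pull_request.body",
    "github.event.pull_request.head.ref", "github.event.pull_request.head.label",
    "github.head_ref",
    "github.event.workflow_run.head_branch",
    "github.event.workflow_run.head_commit.message",
)
EXPR = re.compile(r"\$\{\{(.*?)\}\}", re.S)


def triggers(wf):
    """Set of event names the workflow runs on."""
    # PyYAML reads the bare key `on` as boolean True (YAML 1.1), so accept both.
    on = wf.get("on", wf.get(True))
    if isinstance(on, str):
        return {on}
    if isinstance(on, (list, dict)):
        return set(on)
    return set()


def audit(wf):
    """Return (location, reason) pairs for every risky step in one workflow."""
    findings = []
    trig = triggers(wf)
    for job, jobdef in (wf.get("jobs") or {}).items():
        for i, step in enumerate(jobdef.get("steps") or []):
            where = f"jobs.{job}.steps[{i}]"
            uses = str(step.get("uses", ""))
            run = step.get("run") if isinstance(step.get("run"), str) else ""
            ref = str((step.get("with") or {}).get("ref", ""))
            # 1. Privileged trigger that checks out, and will then run, the PR's own code.
            if "pull_request_target" in trig and uses.startswith("actions/checkout") \
                    and ("head.sha" in ref or "head.ref" in ref or "head_ref" in ref):
                findings.append((where, "pull_request_target checks out untrusted PR head"))
            # 2. Privileged workflow_run job pulling artifacts built by the untrusted run.
            if "workflow_run" in trig and ("download-artifact" in uses or "run download" in run):
                findings.append((where, "workflow_run job consumes artifacts from an untrusted run"))
            # 3. Attacker-controlled field expanded straight into a shell step.
            for expr in EXPR.findall(run):
                for field in UNTRUSTED_FIELDS:
                    if field in expr:
                        findings.append((where, f"untrusted {field} interpolated into run:"))
    return findings


# Constructed: a low-privilege PR build whose artifact is consumed by a
# privileged release job, the chain the item above describes.
VULNERABLE = {
    "name": "Publish from PR build",
    True: {"workflow_run": {"workflows": ["PR build"], "types": ["completed"]}},
    "jobs": {"publish": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/download-artifact@v4",
         "with": {"name": "dist", "run-id": "${{ github.event.workflow_run.id }}"}},
        {"run": "bash dist/publish.sh \"${{ github.event.workflow_run.head_branch }}\""},
    ]}},
}

# Constructed: the build kept inside the untrusted pull_request context with a
# read-only token, and the branch name passed through an environment variable.
HARDENED = {
    "name": "PR build",
    "on": {"pull_request": None},
    "permissions": {"contents": "read"},
    "jobs": {"build": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4"},
        {"run": "make test", "env": {"BRANCH": "${{ github.head_ref }}"}},
    ]}},
}

if __name__ == "__main__":
    for wf in (VULNERABLE, HARDENED):
        print(wf["name"], audit(wf) or "clean")
```

The point the scanner makes is the one the item makes: each workflow file looks harmless alone, and the finding only appears once the trigger (workflow_run, whose token belongs to the base repository) is read together with where the consumed artifact and branch name came from. Passing untrusted values through env, as HARDENED does, keeps them out of shell parsing, and rule 3 deliberately ignores env so that mitigation is not reported.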

Healthcare AI vendor Xsolis breach exposes data on 1.4 million people

Xsolis, a US healthcare technology company whose AI software is used by more than 600 hospitals and insurers for utilization management and reimbursement decisions, has disclosed a breach affecting 1,396,519 people. Attackers got in through a targeted phishing attack on an employee in January, accessing files containing patient data Xsolis handles for its clients. The exposed information includes names, dates of birth, addresses, Social Security numbers, health insurance details, and medical treatment information. Because Xsolis is a vendor, affected individuals may never have dealt with it directly; downstream health systems including Mayo Clinic are among those whose patients are impacted.

Check
Healthcare organizations should check whether they share data with Xsolis and confirm their breach-notification obligations; affected individuals should watch for medical, insurance, and identity fraud and any Xsolis-related notice.
Affected
Patients and health-plan members whose data Xsolis processed for hospitals and insurers (1,396,519 affected); exposed Social Security numbers and medical information carry lasting identity-theft and medical-fraud risk.
Fix
Affected people should enroll in the offered monitoring, freeze credit, and watch insurance statements. Healthcare organizations should strengthen phishing-resistant MFA, map which vendors hold patient data, and tighten access to health-data repositories.