🚨 Critical Alerts
CISA Warns of Actively Exploited Critical Vulnerabilities in Lantronix EDS5000 and Ubiquiti UniFi OS
Source: CISA
The U.S. CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, citing active exploitation of critical flaws in Lantronix EDS5000 Series devices (CVE-2025-67038) and Ubiquiti UniFi OS (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910). Federal agencies are urged to remediate these by June 26, 2026.
Cisco Catalyst SD-WAN Zero-Day (CVE-2026-20245) Actively Exploited to Gain Root Access
Source: The Hacker News / BleepingComputer
A recently disclosed high-severity zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN has been actively exploited for at least two months. Threat actors are leveraging this flaw to create rogue root accounts and execute arbitrary commands with elevated privileges on targeted devices.
New macOS 'Gaslight' Malware Uses Prompt Injection to Evade AI Analysis Tools
Source: BleepingComputer / The Hacker News
A newly discovered macOS malware, dubbed 'Gaslight,' is designed to confuse AI-assisted malware analysis tools. It embeds prompt injection strings and fake debugging data within its executable, aiming to trick AI into aborting or refusing analysis.
🔓 Breaches & Attacks
Amadey and StealC Malware Operations Disrupted, 27M Stolen Credentials Recovered
Source: The Hacker News / BleepingComputer
A coordinated international law enforcement effort, 'Operation Endgame,' successfully disrupted the infrastructure supporting the Amadey and StealC malware operations. This action led to the recovery of 27 million stolen credentials, targeting cybercriminal services and ransomware gangs.
FortiBleed Credential Harvesting Operation Targets 430,000 FortiGate Firewalls
Source: The Hacker News
A Russian-speaking initial access broker is behind 'FortiBleed,' a large-scale credential-harvesting operation active since February 2026. This campaign has targeted over 430,000 FortiGate firewalls globally, collecting credentials, searching for exposed services, and brute-forcing accessible systems.
Malicious Edge Extension 'Edgecution' Used in Ransomware Attacks
Source: BleepingComputer
A malicious Microsoft Edge extension, dubbed 'Edgecution,' has been observed in ransomware attacks. It abuses the Native Messaging feature to escape the browser sandbox and deploy a Python-based backdoor, indicating a sophisticated method of initial access and persistence.
🛡️ Vulnerabilities & Patches
CVE-2025-67038 (CVSS: 9.8 CRITICAL)
A code injection vulnerability in Lantronix EDS5000 Series devices that could lead to the execution of arbitrary code. This flaw is actively being exploited in the wild.
Remediation: Apply vendor fixes immediately to all affected Lantronix EDS5000 Series devices. Minimize network exposure for all control system devices.
CVE-2025-15467 (CVSS: 9.8 CRITICAL)
A stack-based buffer overflow in OpenSSL's CMS AuthEnvelopedData message parsing. Exploiting this vulnerability with maliciously crafted AEAD parameters can trigger a crash (Denial of Service) or potentially lead to remote code execution.
Remediation: Update affected Siemens products using OpenSSL to the latest available versions. Do not accept files from untrusted and unvalidated sources in affected applications. Restrict device connection proxy ports to secure destinations. Ensure connected email servers are secured with encrypted communication, restricted access, strong authentication, and up-to-date patches.
CVE-2026-40702 (CVSS: 9.3 CRITICAL)
Multiple vulnerabilities in EVoke Systems Charging Station Management System, including missing authentication for critical WebSocket functions, excessive authentication attempts, insufficient session expiration, and insufficiently protected credentials. These can enable unauthorized administrative control or denial-of-service attacks on charging stations.
Remediation: Work with charger OEM partners to migrate supported devices to stronger OCPP Security Profiles (2 or 3). Implement additional server-side protections, including allowing only registered charger IDs, permitting only a single active connection per charger ID, monitoring session anomalies, and implementing connection rate limiting at the WebSocket gateway. Develop a lifecycle policy for legacy chargers that cannot support modern security profiles. Contact EVoke Systems for more information.
CVE-2026-28701 (CVSS: 9.3 CRITICAL)
A combination of vulnerabilities in Daktronics Controller Firmware (including CVE-2026-28701 for path traversal, CVE-2026-33560 for unrestricted file upload, and CVE-2026-31928 for hard-coded credentials) that could provide an unauthenticated user with complete root-level access and control of the system.
Remediation: Update device software to one of the following versions: 8.117.0.x, 9.43.0.x, or 10.34.0.x. Update all default passwords and encourage using strong, unique credentials per device. Minimize network exposure for all control system devices.
CVE-2026-20245 (CVSS: 7.8 HIGH)
A privilege escalation vulnerability in Cisco Catalyst SD-WAN that allows an authenticated, local attacker to execute arbitrary commands with elevated privileges, including creating rogue root accounts. This is an actively exploited zero-day vulnerability.
Remediation: Apply vendor patches for Cisco Catalyst SD-WAN devices immediately. Implement least privilege principles and restrict local access to these devices.
🥷 Threat Actor Spotlight
Gaslight
Targets: macOS users, potentially those with AI-assisted security tools.
Tactics: Newly discovered Rust-based macOS implant and information stealer that embeds prompt injection payloads and fake debugging data to confuse AI-assisted malware analysis tools and prevent analysis.
Mistic / MLTBackdoor (linked to KongTuke IAB)
Targets: Multiple organizations across insurance, education, IT, and professional services sectors.
Tactics: Stealthy backdoor deployment for financially motivated attacks, often involving initial access brokers. Tactics include leveraging existing vulnerabilities and persistence mechanisms.
📋 Compliance & Deadlines
CISA TIC 3.0 Guidance for Secure Access Service Edge (SASE)
Deadline: N/A
Summary: CISA has released guidance on 'The Journey to Zero Trust – Using Secure Access Service Edge in a Modern TIC 3.0 Solution.' This guidance helps federal agencies (and is recommended for all organizations) modernize perimeter-based architectures, advance Zero Trust adoption, and enhance visibility and control in distributed environments.
Federal Post-Quantum Cryptography Migration (Executive Order 14409)
Deadline: December 31, 2030 (Key Establishment), December 31, 2031 (Digital Signatures)
Summary: President Trump signed an Executive Order establishing hard deadlines for federal agencies to migrate high-value assets and high-impact systems to post-quantum cryptography. Key establishment systems must migrate by December 31, 2030, and digital signatures by December 31, 2031.
📰 Industry News
Microsoft Extends Free Windows 10 ESU Support to October 2027
Microsoft has quietly extended its free Windows 10 Extended Security Updates (ESU) program for consumers by an additional year. Enrolled devices will now continue to receive security updates until October 12, 2027, providing a longer support window for those unable to upgrade to Windows 11 immediately.
Evolving AI-Assisted Threat Landscape and Security Challenges
The cybersecurity landscape is seeing new threats specifically designed to interact with or subvert AI tools. This includes 'Gaslight' macOS malware using prompt injection to confuse AI analysis, and reports of fake AI agent skills successfully bypassing security scans to reach thousands of agents, highlighting the increasing need for robust AI security measures.
Stay secure. If you found this briefing useful, please subscribe to 0DayDaily and share.