🚨 Critical Alerts

CISA Adds Exploited PTC Windchill RCE Flaw to KEV

Source: The Hacker News


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability impacting PTC Windchill PDMlink and PTC FlexPLM software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation through web shell attacks. Organizations are urged to remediate this flaw immediately.

CISA Adds Cisco Unified CM SSRF Flaw to KEV After Active Exploitation

Source: All CISA Advisories


CISA has added CVE-2026-20230, a critical Server-Side Request Forgery (SSRF) vulnerability impacting Cisco Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME), to its KEV catalog. The flaw, which allows an unauthenticated, remote attacker to achieve arbitrary file-write leading to root access, is actively being exploited.

🔓 Breaches & Attacks

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Source: The Hacker News


A new evolution of the Mini Shai-Hulud, Miasma, and Hades malware family is conducting supply chain attacks, compromising npm packages (LeoPlatform, RStreams) and abusing GitHub Actions workflows. The activity has also propagated to the Go ecosystem.

Photo ZIP Phishing Campaign Targets Hotels with Node.js Implant

Source: The Hacker News


An active phishing campaign, running since April 2026, is targeting hospitality organizations across Europe and Asia. Attackers are using photo-themed ZIP files to drop a Node.js implant on front-desk machines, with the end goal currently unclear.

New Mistic Backdoor Deployed in Financially Motivated Campaigns

Source: The Hacker News


A new, stealthy backdoor called Mistic (also MLTBackdoor) is being deployed as part of suspected financially motivated attacks by the initial access broker KongTuke. Campaigns have targeted organizations in insurance, education, IT, and professional services sectors since April 2026.

🛡️ Vulnerabilities & Patches

CVE-2026-46331

A flaw in the Linux kernel's traffic-control subsystem, nicknamed 'pedit COW,' is an out-of-bounds write in the packet-editing action (act_pedit) that corrupts shared page-cache memory. This allows a local unprivileged user to gain root access on affected systems. A public, working exploit appeared within a day of CVE assignment.

Remediation: Apply available Linux kernel patches to address this flaw.

CVE-2026-43503 (CVSS: 8.8 HIGH)

The 'DirtyClone' Linux kernel privilege escalation vulnerability (part of the DirtyFrag family) allows a local user to corrupt file-backed memory through a cloned network packet and gain root access. A working exploit walkthrough has been publicly demonstrated.

Remediation: Apply the latest Linux kernel patches addressing this flaw.

CVE-2026-12957 (CVSS: 8.5 HIGH)

A high-severity flaw in Amazon Q Developer's handling of Model Context Protocol (MCP) servers could allow a malicious repository to run commands and steal a developer's cloud credentials if a developer opens and trusts the workspace.

Remediation: Amazon has patched this vulnerability. Ensure your Amazon Q Developer client is updated to the latest version.

CVE-2026-31928 (CVSS: 9.3 CRITICAL)

Daktronics DMP-5000 devices ship with a default administrative web account protected by weak authentication controls, and the device does not require the default credentials to be changed during initial configuration or operation. Using this account provides full system access.

Remediation: Update device software to one of the following versions: 8.117.0.x, 9.43.0.x, or 10.34.0.x. Additionally, update the default passwords and encourage the use of strong, unique credentials per device.

CVE-2026-56445 (CVSS: 9.1 CRITICAL)

A Path Traversal vulnerability in the pydicom pynetdicom library (versions >= 1.0.0 and < 3.0.4) allows an unauthenticated attacker to write to arbitrary file paths. The 'qrscp' application's C-STORE handler uses attacker-supplied DICOM datasets directly in os.path.join() without sanitization.

Remediation: The maintainer has not responded to CISA requests for mitigation. Refer to the project's GitHub page (https://github.com/pydicom/pynetdicom) for any available updates or workarounds. Consider minimizing network exposure.
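The pattern behind this class of bug, and the check that closes it, as an added illustration that is not pynetdicom's code: the function names, the storage root, and the two dataset dicts below are all constructed for this example. The vulnerable form joins fields from the received dataset straight into a path, so a '..' component or an absolute component steers the write outside the storage directory; the hardened form allowlists each component and then confirms the resolved path is still under the root.

```python
import os
import re
from pathlib import Path

# Constructed storage root for a hypothetical C-STORE handler (not pynetdicom's code).
STORAGE_ROOT = "/var/lib/dicom-store"

# Allowlist for path components derived from dataset fields: no separators, no NULs.
_SAFE_COMPONENT = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Constructed stand-ins for received DICOM datasets (plain dicts for this example).
CONSTRUCTED_BENIGN = {"PatientID": "PAT001", "SOPInstanceUID": "1.2.840.113619.2.1"}
CONSTRUCTED_HOSTILE = {"PatientID": "../../outside", "SOPInstanceUID": "payload"}


def unsafe_store_path(root: str, patient_id: str, sop_instance_uid: str) -> str:
    """Vulnerable pattern: dataset fields are joined straight into a filesystem path.
    os.path.join() keeps '..' components as-is, and an absolute component discards
    every component before it, so the sender controls where the file lands."""
    return os.path.join(root, patient_id, sop_instance_uid + ".dcm")


def escapes_root(root: str, candidate: str) -> bool:
    """Return True when the normalised candidate path lies outside root.
    abspath() collapses '..' so the comparison sees the real target."""
    root_abs = os.path.abspath(root)
    cand_abs = os.path.abspath(candidate)
    return os.path.commonpath([root_abs, cand_abs]) != root_abs


def safe_store_path(root: str, patient_id: str, sop_instance_uid: str) -> str:
    """Hardened pattern: allowlist each component, then confirm the resolved path
    is still inside the storage root. Raises ValueError on any violation."""
    for field in (patient_id, sop_instance_uid):
        if not _SAFE_COMPONENT.fullmatch(field) or field in (".", ".."):
            raise ValueError(f"unsafe path component: {field!r}")
    root_resolved = Path(root).resolve()
    candidate = (root_resolved / patient_id / f"{sop_instance_uid}.dcm").resolve()
    # Defence in depth: even with the allowlist, verify containment after resolving.
    if root_resolved not in candidate.parents:
        raise ValueError("resolved path escapes storage root")
    return str(candidate)


def store_path_for(dataset: dict, root: str = STORAGE_ROOT) -> str:
    """Build the storage path for a received dataset using the hardened check."""
    return safe_store_path(root, dataset["PatientID"], dataset["SOPInstanceUID"])


def accepted(dataset: dict, root: str = STORAGE_ROOT) -> bool:
    """True if the hardened check would store this dataset, False if it rejects it."""
    try:
        store_path_for(dataset, root)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    hostile = unsafe_store_path(STORAGE_ROOT, "../../outside", "payload")
    print("unsafe join escapes root:", escapes_root(STORAGE_ROOT, hostile))
    print("benign dataset accepted:", accepted(CONSTRUCTED_BENIGN))
    print("hostile dataset accepted:", accepted(CONSTRUCTED_HOSTILE))
```

The containment check matters on its own: an allowlist on characters stops traversal tokens, but comparing the resolved path against the resolved root is what guarantees the write stays inside the intended directory even if a later code change loosens the allowlist.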

🥷 Threat Actor Spotlight

Turla

  • Targets: Government and military organizations in Ukraine, and entities with an interest in Italian foreign policy.

  • Tactics: Deploys a new, continually developed .NET backdoor named STOCKSTAY.

KongTuke

  • Targets: Organizations in the insurance, education, IT, and professional services sectors.

  • Tactics: Initial access broker (IAB) deploying the stealthy Mistic (MLTBackdoor) backdoor in financially motivated attacks.

📋 Compliance & Deadlines

CISA Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk

  • Deadline: Ongoing

  • Summary: Requires Federal Civilian Executive Branch (FCEB) agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by CVEs listed in CISA’s KEV Catalog on publicly exposed assets that grant total control of the asset post-exploitation. CISA encourages all organizations to adopt similar risk-based vulnerability management.

Executive Order 14409 (US Federal Post-Quantum Cryptography Migration)

  • Deadline: Key establishment by December 31, 2030; Digital signatures by December 31, 2031.

  • Summary: President Trump signed an executive order setting hard deadlines for federal agencies to migrate high-value assets and high-impact systems to post-quantum cryptography. National security systems are on a separate track.

📰 Industry News

AI Agents Reshaping Enterprise Identity Governance

AI agents are increasingly operating autonomously within enterprise environments, inheriting permissions, traversing systems, and executing decisions at machine speed with minimal oversight. The existing identity infrastructure, designed for human access, was not built for autonomous actors, leading to a rapidly widening gap in governance programs.

New CI/CD Flaws Expose GitHub Repositories to Supply-Chain Attacks

Cybersecurity researchers have identified 'Cordyceps,' a new class of CI/CD workflow weakness that allows attackers to hijack workflows and compromise open-source supply chains. This critical exploitable pattern could allow full attacker control of repositories at numerous large organizations globally.

Stay secure. If you found this briefing useful, please subscribe to 0DayDaily and share.