🚨 Critical Alerts

Russian Intelligence Services Now Steal Signal Backup Recovery Keys

Source: FBI / CISA / BleepingComputer / The Hacker News

The FBI and CISA warn of an evolution in a Russian intelligence-linked phishing campaign. Attackers are now coercing Signal users into divulging their Signal Backup Recovery Keys, enabling access to historical messages and account takeover. The stolen keys remain active, allowing continuous access.

CISA Mandates Urgent Remediation for Exploited Cisco Vulnerability

Source: BleepingComputer

CISA has issued an urgent directive for federal agencies to patch an actively exploited vulnerability in Cisco Unified Communications Manager Server by Sunday. This flaw allows attackers to execute arbitrary commands.

CISA Warns of Active Exploitation in Critical Lantronix EDS5000 Flaw

Source: The Hacker News

CISA has warned of active exploitation of CVE-2025-67038 (CVSS 9.8), a critical code injection flaw impacting Lantronix EDS5000 Series devices. Federal agencies are urged to apply fixes by June 26, 2026.

🔓 Breaches & Attacks

Polymarket Suffers $3 Million Loss in Supply-Chain Attack

Source: BleepingComputer

Prediction market platform Polymarket will reimburse customers for an estimated $3 million lost after hackers injected a malicious script into its frontend. The attack stemmed from a breach at a third-party vendor.

Cybersecurity Firms Targeted by Fraudulent OpenAI Organization Invites

Source: BleepingComputer

Threat actors are impersonating legitimate companies by creating fake OpenAI tenants and inviting employees of cybersecurity firms to join them. This tactic aims to trick targets into submitting sensitive company information via chats and projects.

SharkLoader Malware Deploys Cobalt Strike in StrikeShark Attacks

Source: The Hacker News

A new cyberattack campaign, dubbed 'StrikeShark' by Kaspersky, is delivering a previously unknown malware family, SharkLoader. This loader deploys Cobalt Strike Beacon on compromised hosts, targeting diplomatic organizations in Indonesia and government entities in Taiwan.

🛡️ Vulnerabilities & Patches

CVE-2026-20245 (CVSS: 7.8 HIGH)

A high-severity flaw in Cisco Catalyst SD-WAN was exploited as a zero-day at least two months before public disclosure. An authenticated, local attacker can execute arbitrary commands with elevated privileges, potentially gaining root access.

Remediation: Organizations should apply the latest security updates for Cisco Catalyst SD-WAN as soon as they become available.

CVE-2026-28701 (CVSS: 9.3 CRITICAL)

Various versions of Daktronics Controller Firmware (VFC-DMP-5000, DMP-5000, DMP-8000 <v8.117.x.x, <v9.43.x.x, or <v10.34.x.x) are vulnerable to a Path Traversal flaw. This allows authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths, potentially leading to complete root-level access and control.

Remediation: Daktronics recommends updating device software to version 8.117.0.x, 9.43.0.x, or 10.34.0.x based on product configuration. Additionally, update default passwords to strong, unique credentials.

CVE-2026-40702 (CVSS: 9.3 CRITICAL)

WebSocket endpoints in EVoke Systems Charging Station Management System (CSMS) lack proper authentication, allowing attackers to impersonate charging stations, gain unauthorized administrative control, or disrupt services. This can lead to privilege escalation and system compromise.

Remediation: EVoke is migrating supported devices to OCPP Security Profile 2 (TLS with basic auth) or Profile 3 (Mutual TLS). For legacy chargers, server-side protections include allow-listing registered charger IDs and rejecting unknown identifiers. Implement a single active connection per charger ID, monitor session anomalies, and apply WebSocket gateway rate limiting. Contact EVoke for further support.
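
The server-side protections listed above for legacy chargers, sketched as an added example (not EVoke's code and not part of the original briefing): an admission gate that allow-lists charger IDs, keeps a single active connection per ID, rate-limits connection attempts per source address and records rejections for monitoring. The class name, limits, sample IDs and the choice to reject the newer of two sessions are assumptions.

```python
from collections import defaultdict, deque

class ChargerGate:
    """Hypothetical admission check run before a gateway accepts a charger."""

    def __init__(self, registered_ids, max_attempts=5, window_s=60.0):
        self.registered = frozenset(registered_ids)   # allow-list of charger IDs
        self.active = {}                               # charger_id -> source address
        self.attempts = defaultdict(deque)             # source -> attempt timestamps
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.anomalies = []                            # (time, source, id, reason)

    def _rate_limited(self, source, now):
        q = self.attempts[source]
        while q and now - q[0] >= self.window_s:       # drop attempts outside window
            q.popleft()
        q.append(now)
        return len(q) > self.max_attempts

    def admit(self, charger_id, source, now):
        """Return (accepted, reason); every rejection is kept for monitoring."""
        if self._rate_limited(source, now):
            reason = "rate_limited"
        elif charger_id not in self.registered:
            reason = "unknown_id"                      # reject unknown identifiers
        elif charger_id in self.active:
            reason = "duplicate_session"               # one active connection per ID
        else:
            self.active[charger_id] = source
            return True, "accepted"
        self.anomalies.append((now, source, charger_id, reason))
        return False, reason

    def release(self, charger_id):
        self.active.pop(charger_id, None)              # call when the socket closes


def demo():
    # Constructed sample data: made-up charger IDs, documentation-range addresses.
    gate = ChargerGate({"CP-0001", "CP-0002"}, max_attempts=3, window_s=60.0)
    results = [
        gate.admit("CP-0001", "198.51.100.10", 0.0),   # registered, first session
        gate.admit("CP-0001", "203.0.113.7", 1.0),     # same ID from another source
        gate.admit("CP-9999", "203.0.113.7", 2.0),     # not on the allow-list
        gate.admit("CP-0002", "203.0.113.7", 3.0),     # registered, third attempt
        gate.admit("CP-0002", "203.0.113.7", 4.0),     # fourth attempt in window
    ]
    return results, gate.anomalies
```

The anomaly list is what a session-monitoring rule would alert on: repeated `duplicate_session` or `unknown_id` entries from one source address indicate a client cycling through charger identities.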

🥷 Threat Actor Spotlight

Russian Intelligence Services (RIS)

  • Targets: Signal users, government entities, and individuals with interest in Italian foreign policy.

  • Tactics: Phishing campaigns targeting commercial messaging applications (specifically Signal) to steal backup recovery keys, enabling access to historical messages and account takeover.

Turla (Russian state-sponsored)

  • Targets: Government and military organizations in Ukraine, and entities with an interest in Italian foreign policy.

  • Tactics: Deployment of a previously undocumented .NET backdoor named STOCKSTAY, continuously developed for espionage.

CL-STA-1062 (Chinese-speaking APT)

  • Targets: Government entities and critical infrastructure in Southeast Asia, particularly state-owned enterprises in the energy and government sectors.

  • Tactics: Deployment of a new custom backdoor called TinyRCT in cyberattacks.

📋 Compliance & Deadlines

CISA Directive on Cisco Unified Communications Manager Server Vulnerability Remediation

  • Deadline: Sunday (post-June 26, 2026)

  • Summary: Federal Civilian Executive Branch (FCEB) agencies are required by CISA to patch an actively exploited vulnerability in Cisco Unified Communications Manager Server by Sunday.

CISA Directive on Lantronix EDS5000 Series Vulnerability Remediation

  • Deadline: June 26, 2026

  • Summary: Federal Civilian Executive Branch (FCEB) agencies are urged by CISA to apply fixes for CVE-2025-67038 (critical code injection flaw in Lantronix EDS5000 Series devices) by June 26, 2026, due to active exploitation.

📰 Industry News

AI's Role in GRC: Enhancing Efficiency, Not Replacing Analysts

AI is poised to transform Governance, Risk, and Compliance (GRC) by automating repetitive tasks like control monitoring, evidence gap identification, and remediation task creation, rather than replacing GRC analysts.

Addressing Identity Governance Gaps for Autonomous AI Agents

The increasing deployment of autonomous AI agents in enterprise environments, which inherit permissions and execute decisions at machine speed, is creating a widening gap in traditional identity governance infrastructure designed for human access.
