THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
DESK FILE · 83 DISPATCHES · ALL SOURCED

Cyber

CVEs & zero-days · ransomware & threat groups · state actors · cyber policy

On this deskCISA · 26Cisco · 12Microsoft · 10ShinyHunters · 8Qilin · 5Fortinet · 4FBI · 4Palo Alto Networks · 4Canvas · 4Linux kernel · 3Meta · 3China · 3Federal Civilian Executive Branch · 3Windows · 3
Alleged Member of Criminal Cyber Hacking Group “Scattered Spider” Arrested in Fi
Generated illustration · not a photograph
CYBER · ransomware threat groups · 2026-07-01SCOOP 89

Alleged Member of Criminal Cyber Hacking Group “Scattered Spider” Arrested in Finland and Extradited to the United States

Alleged Scattered Spider member Peter Stokes, 19, was extradited from Finland to the U.S. over hacking, fraud, and extortion charges. Peter Stokes, 19, an alleged Scattered Spider member known online as “Bouquet,” has been extradited from Finland to the U.S. to face hacking, fraud, and extortion charges. Prosecutors say he took part in multiple cyberattacks, […]

exclusive✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-07-01SCOOP 60

Cisco Publishes July 1, 2026 Security Advisories: Catalyst Center File Read and ClamAV Flaws

Cisco PSIRT published its July 1 advisory bundle covering CVE-2026-20191, a Catalyst Center arbitrary file read vulnerability rated High with a CVSS base score of 7.5, and a set of ClamAV vulnerabilities affecting Cisco products (CVE-2026-20216, CVE-2026-20213, CVE-2026-20214, CVE-2026-20215, CVE-2026-20217, CVE-2026-20243 and CVE-2026-20244), also rated High at 7.5. Cisco stro

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-30SCOOP 77

CVE-2025-36372: IBM Db2 Information Disclosure Vulnerability (CVSS 5.5 MEDIUM)

Per the NVD entry published June 30, CVE-2025-36372 affects IBM Db2 11.5.0 through 11.5.9 and 12.1.0 through 12.1.4 for Linux, UNIX and Windows, including Db2 Connect Server. The flaw could disclose sensitive information to an authenticated user from the monitoring and event tables and is rated CVSS 5.5 MEDIUM.

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-30SCOOP 70

CVE-2026-49451: OpenAPI.NET SDK Circular Schema Reference Causes Process Termination (CVSS 7.5 HIGH)

Per the NVD entry published June 30, CVE-2026-49451 affects Microsoft's OpenAPI.NET SDK from 2.0.0-preview11 until 2.7.5 and 3.5.4. A small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi, affecting document parsing through the public reader APIs across both JSON and YAML paths. The flaw is rated

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-30SCOOP 55

Progress Kemp LoadMaster Flaw Could Let Attackers Run Root Commands Pre-Auth

The Hacker News reported on June 30 that a critical vulnerability in Progress Kemp LoadMaster, tracked as CVE-2026-8037, lets an unauthenticated attacker execute arbitrary commands as root on the appliance by sending a crafted request to its API. The flaw carries a CVSS score of 9.8 according to ZDI, and Progress published its advisory in June. A patch is available; per the rep

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-26SCOOP 66

CISA and FBI: Russian Intelligence Services Continue to Target Commercial Messaging Applications

CISA and the FBI issued an updated public service announcement on June 26 warning that Russian Intelligence Services cyber threat actors are targeting commercial messaging applications in ongoing phishing campaigns. The PSA updates a March 2026 announcement on the same activity and adds recent tactics, recommended mitigations, and samples of the phishing messages used.

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-26SCOOP 55

Hackers Exploit Critical PTC Windchill PLM Software Flaw

CSO Online reported on June 26 that hackers are exploiting CVE-2026-12569, a recently patched unsafe deserialization flaw enabling remote code execution in PTC Windchill and FlexPLM. The vulnerability sits in the web-based Windchill PDMLink product data management component and is rated 9.3 on the CVSS scale. The affected product lifecycle management software is used across def

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-25SCOOP 69

SSRF in OHIF DICOM Web Viewer Framework (CVE-2026-12473, CVSS 8.2)

Per CISA's June 25 medical advisory, the OHIF Viewers DICOM Web Viewer Framework from the Open Health Imaging Foundation carries a server-side request forgery flaw, CVE-2026-12473, rated CVSS v3 8.2. Two data sources shipped in the default configuration, DICOMWebProxy and DICOMJSON, are implicated, and successful exploitation in a custom integration version could let an attacke

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-25SCOOP 69

Path Traversal in pynetdicom Allows Unauthenticated Arbitrary File Write (CVE-2026-56445, CVSS 9.1)

CISA's June 25 medical advisory flags CVE-2026-56445, a path traversal flaw in the pydicom project's pynetdicom library (versions 1.0.0 and later) rated CVSS v3 9.1. Per the advisory, the qrscp application's C-STORE handler uses values from attacker-supplied DICOM datasets directly in file paths, allowing an unauthenticated attacker to write to arbitrary file paths. The library

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-24SCOOP 60

CISA Guidance: Using SASE in a Modern TIC 3.0 Solution

CISA published guidance titled "The Journey to Zero Trust — Using Secure Access Service Edge in a Modern TIC 3.0 Solution," detailing how the Trusted Internet Connections 3.0 initiative helps agencies modernize how users connect to applications, data and services. Federal agencies are the target audience, but CISA says the guidance also applies to any organization modernizing p

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-24SCOOP 55

Attackers Exploit Cisco Unified CM Flaw Weeks After Patch Release

CSO Online reported on June 24 that CVE-2026-20230, a critical Cisco Unified CM vulnerability with a CVSS base score of 8.6 that can grant attackers root access, is now under active exploitation. Threat intelligence firm Defused reported the activity on June 23 after observing it over the weekend, describing exploitation from a single source using an unvetted PoC with genuinely

✓ verifiednewSOURCE ↗
CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability
Generated illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-23SCOOP 99

CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft SharePoint Server flaw, tracked as CVE-2026-45659 (CVSS score v3.1 of 8.8), to its Known Exploited Vulnerabilities (KEV) catalog. At the end of May,

exclusive✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-23SCOOP 67

Linux Kernel Vulnerabilities Expose B&R APROL Products to Local Privilege Escalation (CVSS 7.8)

Per CISA's June 23 ICS advisory, publicly reported Linux kernel vulnerabilities affect kernel versions shipped with B&R products, including Linux for B&R APROL X20EDS410, rated CVSS v3 7.8. Successful local exploitation could allow privilege escalation on affected systems, and public proof-of-concept exploits are available for the flaws. B&R stated it had no evidence of active

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-23SCOOP 64

OpenSSL Stack Buffer Overflow (CVE-2025-15467) Affects Multiple Siemens Products

CISA's June 23 ICS advisory relays that a stack-based buffer overflow published by OpenSSL — tracked as CVE-2025-15467 for several listed products — allows a remote attacker to cause denial of service or potentially achieve remote code execution. Affected Siemens products include the AI Lightweight Inference Server, Connector for Azure, Databus, HiMed Cockpit and RUGGEDCOM RM12

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-22SCOOP 57

Cisco Packaged and Unified Contact Center Enterprise Cross-Site Scripting Vulnerabilities

Cisco's June 22 advisory covers multiple cross-site scripting flaws in the web-based management interfaces of Packaged Contact Center Enterprise (Packaged CCE) and Unified Contact Center Enterprise (Unified CCE). Per Cisco, the interfaces do not properly validate user-supplied input, letting an authenticated remote attacker inject malicious code into specific pages and execute

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-19SCOOP 60

Cisco Identity Services Engine Remote Code Execution and Information Disclosure Vulnerabilities

Cisco's June 19 advisory, rated Critical, covers multiple vulnerabilities in Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) that could let a remote attacker achieve remote code execution or conduct information disclosure attacks. The flaws are tracked as CVE-2026-20181 and CVE-2026-20190. Cisco has released software updates; there are no workarounds

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-19SCOOP 55

WhatsApp Accuses NSO of Fresh Pegasus Targeting

The Citizen Lab noted on June 19 that Meta's WhatsApp said it will ask a US court to hold NSO Group in contempt. Per the post, WhatsApp accuses NSO of using the messaging platform to lure targets into downloading the Pegasus surveillance spyware.

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-18SCOOP 72

CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure

CISA warned on June 18 that malicious actors are targeting internet-accessible Fortinet devices across government and private-sector organizations using compromised credentials. The activity, dubbed FortiBleed, involves leaked credentials tied to approximately 74,000 Fortinet devices, including firewalls and VPN gateways. CISA urges affected customers running FortiGate applianc

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-18SCOOP 57

NCSC Issues Advice Following Global Targeting of Fortinet Firewalls and VPN Gateways

The UK NCSC published an alert on June 18 (updated June 22) urging organizations using Fortinet services to take action against a global campaign hitting FortiGate firewalls and VPN gateways with SSL VPN enabled. Per the alert, a threat actor leaked a database of credentials assembled through brute-force, dictionary and credential-stuffing attempts, with some indications of pot

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-17SCOOP 60

Cisco Webex App Open Redirect Vulnerability

Cisco's June 17 advisory covers an open redirect flaw in the browser-based version of the Webex App that could have let an unauthenticated remote attacker send users to a malicious webpage via a crafted URL. The bug stemmed from improper input validation of URL parameters in an HTTP request. Cisco says it has already addressed the vulnerability in the app and no customer action

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-17SCOOP 57

Cisco Umbrella Virtual Appliance Privilege Escalation Vulnerability

Per Cisco's June 17 advisory, a flaw in the vmadmin CLI of the Umbrella Virtual Appliance could allow an authenticated local attacker to escalate privileges to root by issuing certain commands. The cause is insufficient validation of user-supplied commands, and exploitation requires existing vmadmin privileges. Cisco has released software updates; no workarounds are available.

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-16SCOOP 55

Pickle in the Middle: Hijacking Vertex AI Model Uploads for Cross-Tenant RCE

Palo Alto Networks' Unit 42 disclosed on June 16 a vulnerability in the Vertex AI Python SDK that allows remote code execution via bucket squatting. Per the research title, the technique hijacks Vertex AI model uploads to achieve cross-tenant RCE.

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-16SCOOP 55

Dozens of Malicious Wallpapers Found on Steam Workshop, Gamers' Accounts at Risk

Kaspersky's Securelist reported on June 16 that malware has been spreading rapidly through Steam Workshop, the platform's built-in service for sharing custom player content, since late 2025. Per the report, dozens of malicious wallpapers were found, and the attackers are primarily targeting gamers in China and Russia.

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-15SCOOP 79

CISA Adds Two Known Exploited Vulnerabilities to Catalog: Cisco Catalyst SD-WAN Manager and LiteSpeed cPanel Plugin

CISA added two actively exploited flaws to its KEV catalog on June 15: CVE-2026-20262, a directory/path traversal vulnerability in Cisco Catalyst SD-WAN Manager, and CVE-2026-54420, a UNIX symbolic link following vulnerability in the LiteSpeed cPanel plugin. Per the alert, both were added based on evidence of active exploitation, and BOD 26-04 requires federal civilian agencies

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-15SCOOP 57

Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability

Cisco's June 15 PSIRT advisory describes an arbitrary file write flaw in the web UI of Catalyst SD-WAN Manager (formerly SD-WAN vManage) that lets an authenticated remote attacker create or overwrite any file on the underlying operating system. The bug stems from improper validation of user-supplied input during a file upload process and is triggered via a crafted HTTP request

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-12SCOOP 55

Phishing Attack Volume Down 20%, but Risk Still Rising

Dark Reading reported on June 12 that phishing attack volume has dropped 20% even as overall risk keeps climbing. Per the report, attackers are prioritizing quality over quantity, using AI to upgrade individual phishing lures rather than to multiply them.

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-11SCOOP 78

CISA Adds One Known Exploited Vulnerability to Catalog: CVE-2026-10520 in Ivanti Sentry

CISA added CVE-2026-10520, an OS command injection vulnerability in Ivanti Sentry, to its Known Exploited Vulnerabilities catalog on June 11, citing evidence of active exploitation. Per the alert, this class of flaw is a frequent attack vector and poses significant risk to the federal enterprise. Binding Operational Directive 26-04, which updates BOD 22-01, requires Federal Civ

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-06-11SCOOP 65

CISA Flags Hard-Coded Credentials in Yarbo Mobile App and Cloud Infrastructure (CVSS 9.8)

Per CISA's June 11 ICS advisory, the Yarbo Android/iOS mobile application and the vendor's cloud MQTT infrastructure carry hard-coded credentials and missing-authorization flaws rated CVSS v3 9.8. Successful exploitation could let an attacker obtain the hard-coded credentials, access telemetry data, and potentially send operational commands to the robot fleet. All versions of t

✓ verifiednewSOURCE ↗
'RoguePlanet' Defender zero-day PoC drops hours after Microsoft's
Help Net Security
CYBER · cves zero days · 2026-06-10SCOOP 67

'RoguePlanet' Defender zero-day PoC drops hours after Microsoft's largest-ever Patch Tuesday

Hours after Microsoft shipped its largest Patch Tuesday ever — nearly 200 vulnerabilities fixed on June 9, including an actively exploited Exchange Server cross-site scripting flaw (CVE-2026-42897) — a researcher using the handle "Nightmare Eclipse" published a proof-of-concept exploit for an unpatched Microsoft Defender zero-day dubbed RoguePlanet. The exploit abuses a race co

✓ verifiednewSOURCE ↗
CISA gives federal agencies 3 days to patch Check Point VPN zero-day tied to Qil
via TechCrunch
CYBER · ransomware threat groups · 2026-06-09SCOOP 85

CISA gives federal agencies 3 days to patch Check Point VPN zero-day tied to Qilin ransomware

CISA ordered all Federal Civilian Executive Branch agencies to remediate CVE-2026-50751, a critical authentication bypass in Check Point Remote Access VPN, Mobile Access/SSL VPN and Spark gateways, by end of day June 11 — a three-day deadline far shorter than typical Known Exploited Vulnerabilities remediation windows. The flaw, rated CVSS 9.3 and rooted in a certificate-valida

exclusive✓ verifiednewSOURCE ↗
Microsoft's record June Patch Tuesday fixes 200 flaws, including 3 publicly
via BleepingComputer
CYBER · cves zero days · 2026-06-09SCOOP 72

Microsoft's record June Patch Tuesday fixes 200 flaws, including 3 publicly disclosed zero-days

Microsoft released its June 2026 Patch Tuesday updates on June 9, fixing 200 vulnerabilities in what BleepingComputer described as the largest single Patch Tuesday release in the program's history. The batch includes 33 Critical-rated flaws — 28 remote code execution, four elevation of privilege and one information disclosure — and three publicly disclosed zero-days, none known

✓ verifiednewSOURCE ↗
SAP patches 4 critical flaws up to CVSS 9.9 in NetWeaver and Commerce Cloud on J
via SecurityWeek
CYBER · cves zero days · 2026-06-09SCOOP 66

SAP patches 4 critical flaws up to CVSS 9.9 in NetWeaver and Commerce Cloud on June Patch Day

SAP's June 2026 Security Patch Day, released June 9, delivered 15 new security notes including four HotNews-rated vulnerabilities — an unusually critical batch for the ERP vendor. The most severe, CVE-2026-44748 (CVSS 9.9), is an XML Signature Wrapping flaw in SAML authentication for SAP NetWeaver AS ABAP and ABAP Platform that lets a low-privileged authenticated attacker obtai

✓ verifiednewSOURCE ↗
CrowdStrike: China-nexus actors drove 58% of state-sponsored intrusions against
via CrowdStrike
CYBER · state actors · 2026-06-09SCOOP 60

CrowdStrike: China-nexus actors drove 58% of state-sponsored intrusions against tech sector

CrowdStrike published its 2026 Technology Threat Landscape Report on June 9, finding China-nexus adversaries drove 58% of state-sponsored targeted intrusions against the technology sector — now the most-targeted industry globally — over the report's April 1, 2025 to March 31, 2026 window, with campaigns focused on stealing AI capabilities and intellectual property. Adam Meyers,

✓ verifiednewSOURCE ↗
Qilin affiliate exploited Check Point VPN zero-day since early May; CISA gives a
Help Net Security
CYBER · ransomware threat groups · 2026-06-08SCOOP 74

Qilin affiliate exploited Check Point VPN zero-day since early May; CISA gives agencies three days to patch

Check Point confirmed on June 8 that attackers are exploiting CVE-2026-50751, a critical (CVSS 9.3) authentication bypass in the deprecated IKEv1 key exchange used by its Remote Access VPN, Mobile Access/SSL VPN and Quantum Spark firewalls, and released an emergency hotfix. The logic flaw in certificate validation allows attackers to establish remote-access VPN sessions without

✓ verifiednewSOURCE ↗
ShinyHunters Dumps 234 GB From DentaQuest, Exposing PII/PHI of ~2.6 Million in &
Security Affairs
CYBER · cves zero days · 2026-06-07SCOOP 64

ShinyHunters Dumps 234 GB From DentaQuest, Exposing PII/PHI of ~2.6 Million in 'Pay-or-Leak' Extortion

The extortion group ShinyHunters published approximately 234 GB of data stolen from dental-benefits administrator DentaQuest, a subsidiary of Sun Life Financial, in a 'pay-or-leak' scheme, impacting roughly 2.6 million individuals. ShinyHunters posted DentaQuest to its Tor leak site in May 2026 and released the data after negotiations reportedly failed. The compromised informat

✓ verified
CISA orders agencies to patch SolarWinds Serv-U flaw being exploited to crash fi
Cybersecurity News
CYBER · cves zero days · 2026-06-06SCOOP 56

CISA orders agencies to patch SolarWinds Serv-U flaw being exploited to crash file-transfer servers

CISA added CVE-2026-28318, a SolarWinds Serv-U denial-of-service flaw under active exploitation, to its Known Exploited Vulnerabilities catalog late Friday, ordering federal civilian agencies to remediate by June 19 under Binding Operational Directive 22-01 as coverage spread through the weekend. The uncontrolled resource consumption bug (CWE-400, CVSS 7.5) lets unauthenticated

✓ verifiednewSOURCE ↗
Cisco discloses 7th SD-WAN zero-day of 2026 (CVE-2026-20245) exploited for root
CYBER · cves zero days · 2026-06-05SCOOP 82

Cisco discloses 7th SD-WAN zero-day of 2026 (CVE-2026-20245) exploited for root on Catalyst SD-WAN Manager; no patch

Cisco disclosed CVE-2026-20245 on June 5, 2026, a privilege-escalation/command-injection zero-day in the command-line interface of Cisco Catalyst SD-WAN Manager, the seventh SD-WAN zero-day Cisco has confirmed exploited in 2026. The flaw stems from insufficient validation of user-supplied input: an authenticated attacker holding 'netadmin' privileges can upload a crafted file a

✓ verifiedSOURCE ↗
May 2026 ransomware leak-site data: 661 attacks, ~115TB stolen; Qilin (97), The
CYBER · ransomware threat groups · 2026-06-05SCOOP 68

May 2026 ransomware leak-site data: 661 attacks, ~115TB stolen; Qilin (97), The Gentlemen (71), DragonForce (51) lead

Ransomware leak-site activity rose modestly in May 2026, with 661 incidents tracked globally (Comparitech data via Industrial Cyber), a 3% increase over April's 640, and nearly 115 TB of data claimed stolen across reported attacks. Qilin remained the most active operation with 97 claimed attacks, though down about 10% from April's 108; The Gentlemen ranked second with 71 (up ~1

✓ verifiedSOURCE ↗
Meta, Microsoft and DOJ-led strike force dismantles Southeast Asian scam-center
Meta
CYBER · cyber policy · 2026-06-04SCOOP 71

Meta, Microsoft and DOJ-led strike force dismantles Southeast Asian scam-center infrastructure; 63 arrested

Meta, Microsoft, Coinbase, SpaceX and other technology companies announced a joint disruption of criminal scam networks in Southeast Asia alongside the U.S. Department of Justice, the FBI and the Royal Thai Police, in coordinated operations spanning Washington, D.C. and Bangkok. The action, unveiled overnight into June 4, followed the first in-person meetings of the "Scam Cente

✓ verifiednewSOURCE ↗
Critical Magento RCE CVE-2026-45247 in Mirasvit Cache Warmer exploited within da
CYBER · cves zero days · 2026-06-03SCOOP 74

Critical Magento RCE CVE-2026-45247 in Mirasvit Cache Warmer exploited within days; CISA adds to KEV June 3

CISA added CVE-2026-45247 to its Known Exploited Vulnerabilities catalog on June 3, 2026, a critical (CVSS 9.8) PHP object-injection / deserialization-of-untrusted-data flaw in the Mirasvit Full Page Cache Warmer extension for Magento 2 (Adobe Commerce). Unauthenticated attackers can achieve remote code execution by supplying a crafted serialized PHP object inside the 'CacheWar

✓ verifiedSOURCE ↗
CISA adds 2022 Linux cgroups container-escape bug CVE-2022-0492 to KEV after fre
CYBER · cves zero days · 2026-06-03SCOOP 70

CISA adds 2022 Linux cgroups container-escape bug CVE-2022-0492 to KEV after fresh in-the-wild exploitation

CISA added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog on June 2, 2026, confirming active in-the-wild exploitation of a four-year-old Linux kernel flaw with a CVSS score of 7.8. The bug is an improper-authentication/missing-authorization defect (CWE-287, CWE-862) in the cgroup_release_agent_write() function of the cgroups v1 subsystem (kernel/cgroup/cgroup-v1.c

✓ verifiedSOURCE ↗
Microsoft reverses 'never justifiable' zero-day stance, vows not to pu
CYBER · cyber policy · 2026-06-02SCOOP 85

Microsoft reverses 'never justifiable' zero-day stance, vows not to pursue researchers as Nightmare-Eclipse feud spreads

Microsoft publicly walked back an aggressive disclosure stance on June 1-2, 2026 after community backlash. Days earlier (a blog post ~May 28) Microsoft had branded uncoordinated public zero-day disclosures 'never justifiable,' implied legal exposure for those enabling cybercrime, and noted its Digital Crimes Unit would keep bringing cases — language widely read as aimed at 'Nig

exclusivecorrected · see fileSOURCE ↗
Google patches 124 Android flaws including actively exploited CVE-2025-48595; CI
CYBER · cves zero days · 2026-06-02SCOOP 78

Google patches 124 Android flaws including actively exploited CVE-2025-48595; CISA orders federal fix by June 5

Google's June 2026 Android security bulletin patched 124 vulnerabilities, including CVE-2025-48595, an Android Framework integer-overflow bug (CVSS 8.4) that Google says is under 'limited, targeted exploitation' in the wild. The flaw enables code execution and local privilege escalation with no user interaction, the hallmark signature of commercial spyware vendor or nation-stat

✓ verifiedSOURCE ↗
Trump Signs AI Executive Order Creating Treasury-Run 'AI Cybersecurity Clea
Generated illustration · not a photograph
CYBER · cves zero days · 2026-06-02SCOOP 70

Trump Signs AI Executive Order Creating Treasury-Run 'AI Cybersecurity Clearinghouse' and 30-Day Frontier-Model Reviews

On June 2, 2026, President Trump signed an executive order titled 'Promoting Advanced Artificial Intelligence Innovation and Security,' directing national-security and civilian agencies to increase scrutiny of frontier AI models and to bolster federal cyber defenses against AI-enabled threats. A central provision tasks the Treasury Department—working with the NSA, CISA and othe

✓ verified
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · cves zero days · 2026-06-01SCOOP 60

May 2026 Ransomware: 646 Leak-Site Victims Across 61 Groups; Qilin Leads for Fifth Straight Month

Breachsense tracked 646 organizations listed on ransomware leak sites in May 2026, posted by 61 distinct groups across 73 countries and 59 industries. Qilin topped the rankings with 101 claimed victims, holding the number-one spot for the fifth consecutive month, followed by TheGentlemen (70), Akira (52), DragonForce (41) and INC_RANSOM (30). The United States was by far the mo

✓ verified
Pro-Iranian hackers tricked Meta's AI support bot into handing over high-pr
Krebs on Security
CYBER · state actors · 2026-05-31SCOOP 80

Pro-Iranian hackers tricked Meta's AI support bot into handing over high-profile Instagram accounts

Pro-Iranian hackers spent the last weekend of May seizing high-profile Instagram accounts by tricking Meta's AI support assistant into resetting their passwords, Brian Krebs reported. On May 31, word spread across several Telegram channels that Meta's AI bot would happily add a new email address to an existing account as part of its standard password-reset flow. A video circula

✓ verifiednewSOURCE ↗
PAN-OS GlobalProtect auth bypass under active exploitation as CISA adds CVE-2026
The Hacker News
CYBER · cves zero days · 2026-05-30SCOOP 63

PAN-OS GlobalProtect auth bypass under active exploitation as CISA adds CVE-2026-0257 to KEV

Exploitation of CVE-2026-0257, an authentication bypass in Palo Alto Networks' PAN-OS GlobalProtect VPN, moved to the top of defenders' weekend queue on May 30 after CISA added the flaw to its Known Exploited Vulnerabilities catalog late Friday and Rapid7 detailed in-the-wild attacks. The bug, first disclosed by Palo Alto Networks on May 13, affects firewalls with a GlobalProte

✓ verifiednewSOURCE ↗
Carnival confirms breach of 5,995,277 people after ShinyHunters social-engineers
CYBER · ransomware threat groups · 2026-05-29SCOOP 80

Carnival confirms breach of 5,995,277 people after ShinyHunters social-engineers employee account

Carnival Corporation disclosed a data breach affecting 5,995,277 people, per a notification filed in Maine, with breach-notice letters sent on or about May 27, 2026. According to Carnival, an attacker used social engineering on April 14, 2026 to trick an employee into granting access to part of the company's IT environment; by April 22, 2026 the intruder used the compromised ac

✓ verifiedSOURCE ↗
Charter confirms ShinyHunters breach via Entra vishing; group claims 40M+ Spectr
CYBER · ransomware threat groups · 2026-05-29SCOOP 79

Charter confirms ShinyHunters breach via Entra vishing; group claims 40M+ Spectrum records, Charter denies CPNI loss

Charter Communications confirmed a data breach after the extortion group ShinyHunters listed the company and threatened to leak stolen data. Per BleepingComputer, threat actors compromised an employee's Microsoft Entra account via voice phishing (vishing) on April 1, 2026, then used that access to export customer records from Charter's Salesforce environment. ShinyHunters claim

✓ verifiedSOURCE ↗
Carnival Confirms ~6 Million Affected After April Social-Engineering Breach Clai
Photo: Maryland GovPics · via Wikimedia Commons · CC BY 2.0
CYBER · cves zero days · 2026-05-28SCOOP 66

Carnival Confirms ~6 Million Affected After April Social-Engineering Breach Claimed by ShinyHunters

Carnival Corporation confirmed a data breach affecting approximately six million individuals, stemming from a social-engineering attack on an employee in April 2026. The company says an unauthorized actor used social engineering to deceive an employee and gain access to a limited portion of its IT systems on or around April 10, 2026; Carnival's security team identified the unau

✓ verified
FBI warns Silent Ransom Group is posing as IT helpdesks — and walking operatives
Getty Images via CyberScoop
CYBER · ransomware threat groups · 2026-05-27SCOOP 62

FBI warns Silent Ransom Group is posing as IT helpdesks — and walking operatives into US law firms

The FBI warned in a May 26 advisory that the Silent Ransom Group (SRG) — the data-theft extortion crew also tracked as Luna Moth, Chatty Spider and UNC3753 — has "consistently targeted U.S.-based law firms" and has recently begun posing as employees from victims' own IT departments, with the alert rippling through the legal and security trade press on May 27. According to the b

✓ verifiednewSOURCE ↗
Charter (Spectrum) Confirms Breach After ShinyHunters Vishing Hits Salesforce; H
BleepingComputer
CYBER · cves zero days · 2026-05-26SCOOP 75

Charter (Spectrum) Confirms Breach After ShinyHunters Vishing Hits Salesforce; Hackers Claim Up to 42M Records

Charter Communications confirmed a data breach after the extortion group ShinyHunters claimed to have stolen up to 40-42 million records in an attack dated on or around April 1, 2026. According to ShinyHunters' account to BleepingComputer, the actors used a voice-phishing (vishing) call to compromise an employee's Microsoft Entra account, then accessed Charter's Salesforce inst

✓ verified
ShinyHunters Leaks 7-Eleven Franchise-Applicant Data on ~185,000 People After Fa
Help Net Security
CYBER · cves zero days · 2026-05-26SCOOP 58

ShinyHunters Leaks 7-Eleven Franchise-Applicant Data on ~185,000 People After Failed Extortion

Data on approximately 185,000 people was exposed in a cyberattack on convenience-store chain 7-Eleven that was later claimed by the ShinyHunters extortion gang. 7-Eleven discovered unauthorized third-party access on April 8, 2026; on May 1, CISO Jim Kastle confirmed the breach involved documents individuals had submitted during the franchise-application process. ShinyHunters pu

✓ verified
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-25SCOOP 55

Mandiant: KnowledgeDeliver LMS exploited via ViewState deserialization for unauthenticated remote code execution

Per Mandiant's May 25 write-up on Google Cloud's threat-intelligence blog, responders investigating a late-2025 incident found a compromised web server running KnowledgeDeliver, a learning management system from Digital Knowledge commonly used in Japan. Mandiant identified a critical vulnerability allowing unauthenticated remote code execution, stemming from identical pre-share

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-25SCOOP 55

GTIG maps maturing Chinese-language phishing-as-a-service ecosystem rivaling Russian-speaking market

Google Threat Intelligence Group's May 25 report analyzes a dozen current phishing-as-a-service offerings in the Chinese-language underground, all mature services and many likely tied to the broader criminal ecosystem in the region — a fast-growing rival to the historically dominant Russian-speaking PhaaS landscape. Per GTIG, these services lower the barrier to entry for Chines

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-22SCOOP 58

Congress demands answers as CISA struggles to contain GovCloud credential leak

KrebsOnSecurity reported May 22 that lawmakers in both houses of Congress are demanding answers from CISA following the outlet's report that a contractor intentionally published AWS GovCloud keys and a vast trove of agency secrets on a public GitHub account. Per the report, the congressional inquiry comes as CISA is still struggling to contain the breach and invalidate the leak

✓ verifiednewSOURCE ↗
Microsoft Patches Actively Exploited Defender Zero-Days After 'Nightmare-Ec
BleepingComputer / Microsoft
CYBER · cves zero days · 2026-05-21SCOOP 79

Microsoft Patches Actively Exploited Defender Zero-Days After 'Nightmare-Eclipse' Dumps Windows Exploits; Researcher Accounts Wiped

On May 20, 2026, Microsoft released patches for two actively exploited Microsoft Defender zero-days: CVE-2026-41091 ('RedSun'), a privilege-escalation flaw in the Malware Protection Engine (1.1.26030.3008 and earlier) abusing improper link resolution to obtain SYSTEM-level access, and CVE-2026-45498 ('UnDefend'), a denial-of-service issue in the Antimalware Platform (4.18.26030

✓ verified
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-21SCOOP 55

Alleged Kimwolf IoT botnet operator 'Dort' arrested in Ottawa, charged in US and Canada

Per KrebsOnSecurity's May 21 report, Canadian authorities arrested a 23-year-old Ottawa man on suspicion of building and operating Kimwolf, a fast-spreading Internet-of-Things botnet that enslaved millions of devices for a series of massive DDoS attacks over the prior six months. Krebs had publicly named the suspect in February 2026 after the accused launched DDoS, doxing and s

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-18SCOOP 58

CISA contractor exposed AWS GovCloud keys and internal agency systems in public GitHub repository

KrebsOnSecurity reported May 18 that a contractor for CISA maintained, until the preceding weekend, a public GitHub repository exposing credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Per the report, the archive included files detailing how CISA builds, tests and deploys software internally. Security experts quoted by

✓ verifiednewSOURCE ↗
Microsoft Confirms Active Exploitation of Unpatched On-Prem Exchange Zero-Day (C
SecurityWeek
CYBER · cves zero days · 2026-05-15SCOOP 76

Microsoft Confirms Active Exploitation of Unpatched On-Prem Exchange Zero-Day (CVE-2026-42897) via Crafted Email

Microsoft disclosed CVE-2026-42897 on May 14, 2026, a spoofing and cross-site-scripting (XSS) zero-day in on-premises Microsoft Exchange Server that it confirmed is being actively exploited in the wild. Microsoft characterizes the flaw as 'improper neutralization of input during web page generation' that allows an unauthorized attacker to perform spoofing over a network; Securi

✓ verified
GTIG details 'BlackFile' vishing extortion operation by UNC6671 target
Photo: KK IN HK · via Wikimedia Commons · Public domain
CYBER · ransomware threat groups · 2026-05-15SCOOP 55

GTIG details 'BlackFile' vishing extortion operation by UNC6671 targeting Microsoft 365 and Okta

Per Google Threat Intelligence Group's May 15 report, threat actor UNC6671 — operating under the "BlackFile" brand — is running an expansive extortion campaign that pairs voice phishing with single sign-on compromise. GTIG says the group uses adversary-in-the-middle techniques to bypass perimeter defenses and multi-factor authentication, gaining deep access to cloud environment

✓ verifiednewSOURCE ↗
Cisco Patches Maximum-Severity Catalyst SD-WAN Auth Bypass (CVE-2026-20182, CVSS
Rapid7
CYBER · cves zero days · 2026-05-14SCOOP 78

Cisco Patches Maximum-Severity Catalyst SD-WAN Auth Bypass (CVE-2026-20182, CVSS 10.0) Amid China-Nexus Exploitation

Cisco disclosed and patched CVE-2026-20182, a maximum-severity (CVSS 10.0) authentication bypass in the Catalyst SD-WAN Controller (formerly vSmart) and SD-WAN Manager (formerly vManage), affecting on-premises and cloud deployments including FedRAMP 'SD-WAN for Government.' The flaw resides in the 'vdaemon' peering-authentication service over DTLS (UDP port 12346). Rapid7 resea

✓ verified
CVE-2026-0246: Prisma Access Agent flaw lets non-admin users escalate to root or
Photo: Namaste jinx · via Wikimedia Commons · CC BY-SA 4.0
CYBER · ransomware threat groups · 2026-05-13SCOOP 57

CVE-2026-0246: Prisma Access Agent flaw lets non-admin users escalate to root or SYSTEM (Severity: MEDIUM)

Palo Alto Networks' May 13 advisory for CVE-2026-0246 describes a privilege-management flaw in the Prisma Access Agent that enables a locally authenticated non-administrative user to escalate to root on macOS and Linux, or NT AUTHORITY\SYSTEM on Windows, allowing arbitrary code execution and access to sensitive information otherwise reserved for privileged accounts. Per the adv

✓ verifiednewSOURCE ↗
Microsoft's May 2026 Patch Tuesday Fixes ~120+ Flaws With No Zero-Days — Fi
Malwarebytes / Microsoft
CYBER · cves zero days · 2026-05-13SCOOP 52

Microsoft's May 2026 Patch Tuesday Fixes ~120+ Flaws With No Zero-Days — First Since June 2024

Microsoft's May 13, 2026 Patch Tuesday addressed a large batch of vulnerabilities with no actively exploited or publicly disclosed zero-days—the first such cycle since June 2024. Tallies varied slightly by source: BleepingComputer and several outlets reported approximately 120 CVEs including 17 critical (with 14 remote-code-execution flaws, two elevation-of-privilege and one in

✓ verified
Instructure Pays Ransom After ShinyHunters Breaches Canvas Twice, Claiming 275 M
Inside Higher Ed
CYBER · cves zero days · 2026-05-12SCOOP 84

Instructure Pays Ransom After ShinyHunters Breaches Canvas Twice, Claiming 275 Million Records From ~8,800 Schools

Instructure, operator of the Canvas learning-management system, paid a ransom to the extortion group ShinyHunters after two breaches of Canvas within roughly ten days, in what reporting describes as the largest education-sector data incident on record. ShinyHunters claimed to have stolen 3.65 TB of data on approximately 275 million users across about 8,809 institutions worldwid

✓ verified
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-12SCOOP 55

Fortinet: FortiClient Windows flaw lets local attacker decrypt a logged-in user's saved VPN password (CVSSv3 2.1)

Fortinet advisory FG-IR-26-129, revised May 12, describes a missing-authorization weakness (CWE-862) in FortiClient for Windows that may allow an authenticated local attacker to decrypt a currently logged-in user's VPN password via an unprotected DLL function. The advisory title ties the issue to a hardcoded encryption key used for saved VPN passwords. Fortinet scores it CVSSv3

✓ verifiednewSOURCE ↗
SAP May 2026 Patch Day Fixes Critical S/4HANA SQL Injection (CVE-2026-34260, CVS
Onapsis
CYBER · cves zero days · 2026-05-12SCOOP 50

SAP May 2026 Patch Day Fixes Critical S/4HANA SQL Injection (CVE-2026-34260, CVSS 9.6) and NetWeaver XSS

SAP released its May 2026 Security Patch Day on May 12, 2026, publishing 17 new and updated Security Notes, including three HotNews notes and one High Priority note. The most severe issue, CVE-2026-34260, is a SQL-injection vulnerability in the SAP Enterprise Search component for ABAP (relevant to S/4HANA), rated CVSS 9.6: an authenticated attacker can inject malicious SQL thro

✓ verified
UK NCSC publishes 10 questions for organisations using AI models to find vulnera
GOV.UK · Open Government Licence v3.0
CYBER · ransomware threat groups · 2026-05-11SCOOP 60

UK NCSC publishes 10 questions for organisations using AI models to find vulnerabilities

The UK NCSC's May 11 blog sets out ten questions organisations should ask before deploying AI models for vulnerability discovery, warning that finding flaws alone does not improve security and that fundamental cyber hygiene often matters more than hunting zero-days. Per the guidance, teams need processes to receive, prioritise and fix findings — the NCSC notes only around 400 o

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-11SCOOP 55

Google GTIG tracks shift to industrial-scale adversary use of AI for vulnerability exploitation and initial access

Google Threat Intelligence Group's May 11 AI Threat Tracker, building on its February 2026 report and drawing on Mandiant incident-response engagements, Gemini insights and proactive research, describes a maturing transition from nascent AI-enabled operations to industrial-scale application of generative models inside adversarial workflows. Per GTIG, the current environment is

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · cves zero days · 2026-05-09SCOOP 57

Qilin Lists Food-Distribution Giant Sysco on Leak Site With May 12 Deadline

The Qilin ransomware group publicly claimed responsibility for a cyberattack on Sysco, the world's largest food distributor, listing the company on its dark-web leak site on or about May 6, 2026, posting alleged Sysco documents and starting a countdown clock set to expire May 12, 2026. Sysco operates 333 distribution facilities worldwide, employs more than 71,000 people, and se

✓ verified
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-08SCOOP 55

Queensland students locked out of QLearn as Canvas access paused after cybersecurity breach

Per ABC Australia's May 8 report, tens of thousands of students and teachers lost access to Queensland's QLearn platform after access to the underlying Canvas system was paused following a cybersecurity breach, with the report citing hundreds of thousands of students unable to reach schoolwork or submit assessments. The primary article could not be retrieved; further incident d

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-08SCOOP 55

Canvas back online after cyberattack; hacking group claims nearly 9,000 schools affected

Per CNA's May 8 report, the Canvas learning system used by thousands of schools was restored after a cyberattack disrupted studies. A hacking group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed, according to a cybersecurity firm threat analyst cited by the outlet. The school count and data-access fi

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-07SCOOP 55

ShinyHunters linked to Instructure breach claimed to affect nearly 275 million Canvas users

Per Hindustan Times' May 7 report, the ShinyHunters group claimed responsibility for a cyberattack on Instructure, the company behind the Canvas learning platform used widely by schools, asserting impact on nearly 275 million users. The user figure is the attackers' claim as relayed by the outlet; the primary article could not be retrieved and no independent confirmation appear

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-06SCOOP 65

CERT-EU: critical PAN-OS flaw enables unauthenticated remote code execution as root, limited exploitation observed

CERT-EU's May 6 advisory (2026-006) flags a critical vulnerability in Palo Alto Networks PAN-OS, disclosed the same day in a Palo Alto security advisory, that allows an unauthenticated attacker to execute arbitrary code with root privileges. Per the advisory, Palo Alto has observed limited exploitation in the wild. CERT-EU strongly recommends updating affected appliances as soo

✓ verifiednewSOURCE ↗
DOJ Case Says Karakurt Ransomware Gang Leveraged Russian Government Databases; L
TechCrunch
CYBER · cves zero days · 2026-05-06SCOOP 62

DOJ Case Says Karakurt Ransomware Gang Leveraged Russian Government Databases; Latvian Operative Gets 102 Months

The U.S. Department of Justice detailed a case alleging that the Karakurt ransomware gang—also operating as TommyLeaks and SchoolBoys—relied on access to Russian government databases and law-enforcement connections to intimidate victims, underscoring ties between Russian cybercriminals and the state. Latvian national Deniss Zolotarjovs, who served as a negotiator and money laun

✓ verified
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-06SCOOP 60

Cisco Unity Connection flaws CVE-2026-20034 and CVE-2026-20035 allow remote code execution and SSRF

Cisco's May 6 PSIRT advisory discloses multiple vulnerabilities in Unity Connection, tracked as CVE-2026-20034 and CVE-2026-20035, that could let a remote attacker execute arbitrary code on an affected device or conduct server-side request forgery attacks through it. Cisco has released software updates and rates the security impact High; per the advisory, no workarounds address

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-05SCOOP 57

Cisco warns of stored XSS flaws in Identity Services Engine web management interface

Cisco's May 5 PSIRT advisory discloses multiple stored cross-site scripting vulnerabilities in the web-based management interface of Identity Services Engine (ISE). Per the advisory, the flaws stem from insufficient validation of user-supplied input: an authenticated remote attacker could inject malicious code into specific interface pages, executing arbitrary script in the con

✓ verifiednewSOURCE ↗
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-05SCOOP 55

Anthropic CEO warns of cyber 'moment of danger' as Mythos exposes vulnerabilities

Per CNBC's May 5 report, Anthropic CEO Dario Amodei warned that AI has created a narrow window for software firms, governments and banks to fix tens of thousands of vulnerabilities, in remarks tied to vulnerability exposure attributed to Mythos. The primary article could not be retrieved; details beyond the syndicated summary are unverified in this brief.

✓ verifiednewSOURCE ↗
'Copy Fail' Linux Kernel Root-Escalation Flaw (CVE-2026-31431) Added t
Microsoft Security Blog
CYBER · cves zero days · 2026-05-03SCOOP 80

'Copy Fail' Linux Kernel Root-Escalation Flaw (CVE-2026-31431) Added to CISA KEV as PoC Spreads

CISA added CVE-2026-31431, dubbed 'Copy Fail,' to its Known Exploited Vulnerabilities catalog on May 1, 2026, citing evidence of active exploitation, and set a May 15, 2026 remediation deadline for Federal Civilian Executive Branch agencies under BOD 22-01. The flaw is a local privilege-escalation bug (CVSS 7.8) in the Linux kernel's cryptographic subsystem. According to Micros

✓ verified
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · ransomware threat groups · 2026-05-03SCOOP 55

CISA adds 9-year-old Linux kernel root-access flaw CVE-2026-31431 to KEV catalog amid active exploitation

Per Forbes' May 3 report, CISA is urging users to patch a nine-year-old Linux kernel flaw tracked as CVE-2026-31431 (dubbed "Copy Fail"), added to the Known Exploited Vulnerabilities catalog within 24 hours of disclosure based on evidence of active exploitation. The bug, present in kernels shipped since 2017, is a logic flaw in the kernel's authentication cryptographic template

✓ verifiednewSOURCE ↗

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.