This Week in Cybersecurity #56
No Patch Available: When the Answer Is Monitoring, Segmentation, and Living on Attacker Timelines
Your weekend catch-up on the most critical cybersecurity stories of the week, curated by James Azar
Good Morning, Security Gang!
Double espresso poured. This week’s briefing may be the most operationally dense we’ve produced in recent memory, with four full episodes covering a threat landscape James described plainly: “Defenders are increasingly operating on attacker timelines rather than vendor timelines.”
This week that was not rhetorical. A federal whistleblower complaint alleged IBM and AT&T concealed APT10 federal cloud intrusions affecting billions in government contracts. Cisco disclosed its seventh SD-WAN zero-day of 2026, this time with no patch available. Hugging Face Transformers, with 232 million installations, received a critical RCE vulnerability disclosure where exploitation bypasses the control specifically designed to prevent it. The Miasma supply chain worm expanded into AI developer toolchains including Claude Code, Gemini CLI, and VS Code AI extensions. Check Point VPN attackers moved from initial access to domain controller compromise in under four hours. And researcher Nightmare Eclipse dropped “Rogue Planet,” a privilege escalation exploit achieving SYSTEM on fully patched Windows 10 and 11, effective even after June’s Patch Tuesday.
By the end of the week: Chrome logged its fifth actively exploited zero-day of 2026. SAP released a CVSS 9.9 NetWeaver SAML forgery vulnerability. ServiceNow disclosed unauthenticated API data access then revised its account. Veeam backup servers were found vulnerable to RCE by any authenticated domain user. ShinyHunters launched a large-scale PeopleSoft campaign hitting 300+ instances across 100+ organizations. And North Korea was attributed with 47% of all state-sponsored hands-on-keyboard intrusions in the technology sector.
The phrase that appeared more than any other across the week: “no patch currently available.”
James’s response: “Forget all the shiny tools. If we can’t do the fundamentals well, none of those tools are going to help. That’s the reality.”
Let’s get into it.
🌐 Infrastructure & Network Exploitation
Cisco SD-WAN: Seventh Zero-Day of 2026 — Root Code Execution, No Patch
Cisco disclosed another critical SD-WAN vulnerability enabling root-level code execution — the seventh SD-WAN zero-day disclosed this year. No patch is currently available. SD-WAN platforms control routing, connectivity, segmentation, and network visibility across enterprises. Seven zero-days targeting one product line in six months raises legitimate questions about attack surface management, secure development practices, and long-term vendor strategy. Restrict management plane access immediately, implement all published compensating controls, and review long-term vendor strategy for this infrastructure tier.
SolarWinds Serv-U Added to CISA KEV: Federal Deadline June 19
CISA added SolarWinds Serv-U FTP software to the KEV catalog following confirmed active exploitation. The vulnerability allows unauthenticated denial-of-service through crafted requests. Federal agencies face a June 19 remediation deadline. Upgrade to Serv-U version 15.5.4 Hotfix 1 and verify all internet-facing deployments are updated.
Chrome CVE-2026-111645: Fifth Actively Exploited Zero-Day of 2026
Google released an emergency update addressing CVE-2026-111645, a high-severity out-of-bounds memory flaw in Chrome’s V8 JavaScript engine actively exploited in the wild enabling arbitrary code execution through nothing more than a victim visiting a compromised webpage. This is Chrome’s fifth actively exploited zero-day of 2026. The browser is now the operating system for modern work, holding SaaS access, authentication tokens, cloud credentials, and financial systems. Deploy Chrome version 149.0.7827.102 or later immediately and ensure browsers are actually restarted, not just updated in the background.
Chrome 149 Ships 429 Security Fixes Including CVSS 9.6 Sandbox Escape
Alongside the emergency zero-day patch, Google’s Chrome 149 delivered 429 total security fixes including a critical sandbox escape vulnerability carrying a CVSS score of 9.6. Force browser updates across all managed endpoints and verify deployment.
CISA KEV Additions: Cisco SD-WAN, Chrome V8, Arista EOS Tunnel Bypass
CISA added three actively exploited vulnerabilities this week. The Arista EOS flaw is particularly notable: it allows unexpected tunneled traffic to bypass intended protocol validation controls in tunnel endpoint configurations, and Arista’s mitigation guidance relies entirely on access control lists because no patch is currently planned. No patch. No timeline. ACLs only.
Oracle WebLogic Added to CISA KEV: Cobalt Strike and Ransomware Deployment Confirmed
CISA confirmed active exploitation of CVE-2024-21182 in Oracle WebLogic; attackers are using it to deploy Cobalt Strike and ransomware. Patch immediately and review exposed WebLogic services.
ASUS Router Critical Vulnerabilities: Patches Expected End of June
Two critical ASUS Wave 7 mesh router vulnerabilities expose credentials and allow persistent backdoor installation. No patches until later this month. Restrict management interfaces to trusted IP ranges and implement network segmentation as interim controls.
🇨🇳 Chinese Threat Activity
IBM and AT&T Accused of Concealing APT10 Federal Cloud Intrusions — 56,000 Breaches Alleged
A newly unsealed federal whistleblower complaint filed by former IBM security analyst William Barlow alleges that IBM and AT&T concealed extensive APT10 intrusions affecting federal cloud infrastructure between 2013 and 2016. The complaint claims APT10 breached IBM systems more than 56,000 times while targeting subsidiaries managing sensitive federal healthcare and financial workloads, and that IBM leadership chose not to disclose the activity in order to protect federal business relationships worth billions of dollars. These remain allegations in a whistleblower filing. However, if proven true, the implications extend far beyond a breach disclosure, potentially involving deliberate concealment of nation-state compromises affecting federal systems and reshaping expectations around vendor transparency, breach notification, and federal contractor accountability. Vendor risk is not simply about security controls. It is also about disclosure culture and governance.
UNC5221 / Verdant Bamboo: 18 Months Inside Microsoft 365, Re-Compromise After Remediation
Researchers documented UNC5221 maintaining access inside Microsoft 365 environments for more than 18 months while deploying two previously undocumented malware families: Pleanit (a .NET-based backdoor blending into legitimate Microsoft communications) and AgentPSD (a Python-based reverse shell disguised as a PowerShell diagnostic utility). One victim was re-compromised after a complete remediation effort, suggesting credentials were not fully rotated, persistence mechanisms were missed, or alternate pathways were retained. The campaign also leveraged MSP relationships, potentially expanding downstream exposure. MSP security reviews, tenant monitoring, identity hardening, and comprehensive credential rotation following IR are essential.
OP512: 75-Day IIS Persistence Before Primary Operation Phase
ReliaQuest documented OP512, a newly tracked Chinese threat cluster that maintained access to an IIS web server for 75 days before initiating its primary operation. The group targeted end-of-life .NET environments and deployed cryptographically unique web shells, timestamp manipulation, memory-only payloads, privilege escalation tooling, and in-memory persistence mechanisms, including malware files designed to appear years older than they actually were to complicate forensic timeline reconstruction. Chinese operators continue winning not because of advanced exploits but because organizations continue running unsupported internet-facing infrastructure long after it should have been retired.
JDY Botnet Doubles: 1,500 Compromised Devices Feeding Chinese Intelligence Reconnaissance
A China-linked botnet known as JDY expanded from approximately 650 to more than 1,500 compromised devices targeting Ubiquiti, Hikvision, DrayTek, Linksys, and other internet-connected infrastructure, rapidly scanning newly disclosed vulnerabilities and feeding reconnaissance data to threat actors linked to Chinese intelligence operations.
🤖 AI Infrastructure Under Attack
“If vendors won’t compete on transparency voluntarily, make it a procurement requirement.”
Hugging Face Transformers CVE-2026-4372: 232 Million Installations, Exploit Bypasses Safety Control
CVE-2026-4372 in Hugging Face Transformers (versions 4.56.0 through 5.2.x) allows arbitrary code execution through a maliciously crafted configuration file during model loading — and exploitation remains possible even when “trust_remote_code” is explicitly disabled, the control specifically intended to prevent these scenarios. This is one of the most significant AI security disclosures of the year given 232 million affected installations. AI models, configuration files, dependencies, and repositories are software supply chain assets requiring the same governance as traditional applications. Upgrade to Transformers version 5.3.0 and review all model ingestion workflows for externally sourced AI artifacts.
Miasma Worm Expands Into AI Developer Toolchains: Claude Code, Gemini CLI, VS Code AI Extensions
The Miasma supply chain worm expanded its targeting to AI developer toolchains, including Claude Code, Gemini CLI, and VS Code AI extensions. Once installed through a compromised npm package, Miasma harvests API keys, session tokens, local credentials, and development secrets, then propagates by modifying additional projects found on the infected machine and pushing malicious commits upstream under the victim’s legitimate identity. Modern AI development environments contain direct cloud infrastructure access, source code repositories, CI/CD pipelines, and production credentials. A single infected developer workstation can cascade into an entire organization’s software supply chain.
Langflow CVE-2026-5027: 7,000 Internet-Accessible AI Agent Instances Under Active Attack
Attackers are actively exploiting CVE-2026-5027 in Langflow, a path traversal vulnerability enabling arbitrary file writes combined with the platform’s default unauthenticated auto-login behavior. Approximately 7,000 internet-accessible Langflow instances were identified. Langflow deployments typically contain AI model credentials, API tokens, cloud service access, development secrets, and proprietary business logic. Upgrade immediately, disable auto-login, implement authentication controls, and inventory whether development teams are running unauthorized AI infrastructure.
OpenClaw AI Agent: Five Zero-Days Patched
Five vulnerabilities in OpenClaw’s AI agent framework, which integrates with Slack, Teams, and Discord, were patched; they allowed user impersonation through identity handling weaknesses. Apply all updates.
OpenAI ChatGPT Lockdown Mode Launched
OpenAI introduced ChatGPT Lockdown Mode, disabling outbound communications and browsing capabilities to mitigate prompt injection and data exfiltration attacks for sensitive use cases including government, legal, and financial workloads.
OpenSSL Patches AI-Discovered Vulnerability
OpenSSL patched 18 vulnerabilities including CVE-2026-45447, a high-severity use-after-free in PKCS#7 verification discovered with assistance from Anthropic’s Claude AI. Update OpenSSL dependencies across all enterprise applications.
Anthropic Claude Fable 5 Jailbreak via Multi-Agent Decomposition
Researchers bypassed safety controls in Claude Fable 5 using multi-agent decomposition, Unicode manipulation, and narrative framing, exposing system instructions and generating exploit-related content. The research highlights ongoing challenges in AI safety engineering as capabilities advance.
🧬 Supply Chain & Developer Ecosystem
Shai-Hulud Evolves: Miasma (npm) and Hades (PyPI) Infect 100+ Packages and 500+ Artifacts
Two new Shai-Hulud derivatives have infected more than 100 packages and nearly 500 artifacts: Miasma, which targets npm via weaponized binding.gyp files that bypass post-install detection, and Hades, which targets PyPI environments including machine learning, bioinformatics, and MCP ecosystems. A single infected developer workstation or CI/CD runner becomes a malware distribution point for countless downstream organizations. Hunt for Miasma and Hades indicators, restrict package installation scripts in CI/CD, and prepare for npm version 12’s upcoming default disabling of install scripts and remote dependency resolution.
Red Hat npm “Miasma” Campaign: 32 Packages, 117,000 Weekly Downloads
The “Miasma” campaign compromised 32 official Red Hat npm packages. It originated through a compromised Red Hat employee GitHub account, then leveraged GitHub Actions OIDC workflows to distribute malware through trusted pipelines. AWS, Azure, and GCP credentials, GitHub tokens, SSH keys, and npm tokens were harvested. Rotate all cloud and development credentials from affected packages and review all build pipelines for compromise indicators.
Gogs Zero-Day: Self-Hosted Git Repositories Vulnerable to Arbitrary Command Execution
A critical argument injection vulnerability in Gogs allows attackers to execute arbitrary commands as the Git user, potentially accessing every repository on the platform. Gogs is frequently deployed by development teams without the governance applied to enterprise platforms, yet hosted repositories often contain source code, IaC, API keys, credentials, and internal documentation. Update to version 0.14.3 and audit all self-hosted code repositories.
Polyfill.io Supply Chain Threat Returns on Toshiba, Muji, Samsung Smart TV Sites
The compromised JavaScript CDN Polyfill.io resurfaced on websites associated with Toshiba, Muji, and Samsung Smart TV platforms, presenting fake authentication prompts. Supply chain compromises can persist long after initial disclosure. Remove all remaining references to Polyfill.io from web properties.
💥 Ransomware & Destructive Operations
ShinyHunters PeopleSoft Campaign: 300+ Instances, 100+ Organizations, ERP Data Theft
ShinyHunters is actively targeting Oracle PeopleSoft environments through chained vulnerabilities combined with exposed administrative credentials, attacking more than 300 PeopleSoft instances across 100+ organizations globally, including educational institutions. PeopleSoft contains employee records, payroll, tax data, financial operations, and student administration data. Attackers are establishing remote access via MeshCentral, running credential spraying against PSOFT/Oracle/Linux admin accounts, and creating long-term operational footholds, not simply stealing data and leaving. Review published indicators of compromise, audit administrative accounts, search for unauthorized MeshCentral installations, and remove unnecessary PeopleSoft internet exposure immediately.
SAP NetWeaver CVE-2026-44748 CVSS 9.9: SAML Identity Forgery
SAP’s June patch day delivered 15 security notes including CVE-2026-44748, an XML Signature Wrapping vulnerability in NetWeaver’s SAML authentication framework allowing authenticated attackers to forge identity assertions while maintaining signature validation. Also notable: CVE-2026-27671 (CVSS 9.8), a memory corruption vulnerability in the SAP Kernel exploitable remotely without authentication. SAP systems control finance, procurement, logistics, and regulatory reporting. Prioritize these patches immediately and review SAML authentication configurations.
Veeam Backup CVE-2026-44963: Any Authenticated Domain User Achieves RCE
Veeam disclosed a CVSS 9.4 vulnerability in Backup & Replication servers: any authenticated domain user can potentially achieve remote code execution against domain-joined backup infrastructure. Ransomware operators specifically target backup platforms to eliminate recovery options. Patch immediately.
NightSpire Ransomware: 175 Organizations, 28 Industries, Legitimate Tools Only
NightSpire continues through legitimate tooling only: exposed RDP and FortiOS for entry; Chrome Remote Desktop and AnyDesk for persistence; MegaSync for exfiltration. No custom malware, no EDR triggers. Audit exposed RDP, unauthorized remote administration software, and FortiOS patching status.
🔓 Data Breaches & Identity Exposures
“Let’s say I’m a threat actor with this access and I can unlock all your doors. Now I can sell that access to a local crime group. They come in at midnight, raid your office, take everything they want and walk out. If I do that on a Friday night, you’re not going to find out until Monday morning. The connection between cyber threats and local gang monetization is one hundred percent real. Talk to your threat hunting team about this.”
ServiceNow Unauthenticated API Data Exposure — Then Narrative Revision
ServiceNow disclosed that attackers queried customer data through an improperly configured API endpoint before a June 5 security update was deployed. Depending on organizational use, exposed data could include employee records, asset inventories, security incidents, support tickets, operational workflows, and credentials shared during troubleshooting. ServiceNow’s disclosure remained largely behind customer login portals while practitioners reconstructed attack paths through public forums. Later, ServiceNow revised its position, attributing observed activity to bug bounty researchers rather than malicious actors, though questions about disclosure timelines and transparency remain. Review logs, investigate API endpoint access, and rotate credentials that may have been shared through support cases.
Windows “Rogue Planet”: SYSTEM Privileges on Fully Patched Windows 10/11, No Patch Available
Researcher Nightmare Eclipse released “Rogue Planet,” a proof-of-concept privilege escalation exploit achieving SYSTEM on fully patched Windows 10 and Windows 11 systems through a race condition involving Microsoft Defender, effective even after June Patch Tuesday updates. Multiple independent researchers validated successful exploitation. No patch is available. Previous disclosures from Nightmare Eclipse (Green Plasma, Yellow Key, Red Sun, Blue Hammer, Undefend) have subsequently appeared in active exploitation campaigns. Assume any successful local code execution could escalate to full SYSTEM-level compromise and adjust EDR monitoring accordingly.
Silent Ransom Group Targets Law Firms via Teams, Voice Phishing, 18-Country DNS Fast Flux
The Silent Ransom Group (Luna Moth) combined Microsoft Teams messaging, voice phishing, and DNS Fast Flux infrastructure spanning 18 countries to target law firms for data theft and extortion. Law firms hold M&A information, litigation strategies, attorney-client communications, and regulatory matters, making them high-leverage targets. Security awareness programs focused exclusively on email are no longer aligned with today’s threat landscape. Teams-based phishing is an active, underdefended attack vector.
French Government Messaging Platform Tchap Breached: 650,000 Messages, 73,000 Users
France’s secure government messaging platform Tchap was compromised through a single account, allegedly exposing over 650,000 messages and 73,000 user records. One compromised identity creating disproportionate risk within centralized collaboration environments is a recurring pattern.
Oxford Career Connect: Second Breach This Year
Oxford University’s Career Connect platform suffered its second successful compromise of 2026, with attackers accessing student records, email addresses, degree information, and employment application history, enabling highly targeted job-related phishing.
🌐 Geopolitical & Nation-State Threats
Check Point VPN: Domain Controller Compromise in Under Four Hours
Investigators documented attackers moving from Check Point VPN access to Domain Controller compromise in less than four hours. Historically, organizations measured dwell time in days or weeks. Sophisticated operators now achieve complete domain compromise within a single shift. Patch immediately, review logs, and implement additional authentication controls. VPN infrastructure must be treated as critical security infrastructure, not routine network equipment.
Ubiquiti Unifi Vulnerability Chain: Unauthenticated Root Access + Physical Security Convergence
Researchers disclosed a three-vulnerability chain in Ubiquiti Unifi OS allowing unauthenticated root-level access to controllers on the same network segment. Many organizations use Unifi to manage wireless networks, switching, security cameras, and physical access control systems simultaneously. Compromising the controller can provide operational control over doors, surveillance systems, and physical access infrastructure — not just network visibility. The convergence of cyber and physical security is no longer a future concern. Apply firmware updates, isolate management networks, and evaluate whether physical security systems share infrastructure with general IT operations.
Gamaredon Deploys USB Worm, Telegram C2, and Wiper Against Ukraine
Russia’s FSB-linked Gamaredon continued its WinRAR CVE-2025-8088 exploitation campaign delivering GammaLoad (downloader), GammaWorm (USB-propagating worm hiding via NTFS alternate data streams), GammaSteal (exfiltration to AWS S3 via Telegram C2), and GammaWipe (destructive wiper). Patch WinRAR for CVE-2025-8088, monitor Telegram outbound traffic, and watch for unexpected S3 uploads from endpoints.
Five Eyes Advisory: China Systematically Recruiting Government Insiders via LinkedIn
A joint advisory from intelligence agencies across the U.S., Canada, UK, Australia, and New Zealand documented Chinese intelligence systematically recruiting government employees, military personnel, contractors, and critical infrastructure workers through LinkedIn, Indeed, and Upwork — gradually escalating from harmless research to sensitive tasking, compensating through cryptocurrency and wire transfers, then migrating communications to Signal and Telegram. Classified access is not required. Facility layouts, contract details, budget information, and vendor relationships have significant intelligence value when aggregated. Communicate this advisory to all staff with sensitive access.
Mustang Panda Returns with PlugX via Fake Adobe Prompts
Chinese APT Mustang Panda resurfaced with fake Adobe Acrobat update prompts delivering PlugX malware using signed binaries and memory-only execution. Hunt for PlugX indicators across endpoints.
North Korea Attributed with 47% of State-Sponsored Tech Sector Intrusions
CrowdStrike attributed 47% of state-sponsored hands-on-keyboard intrusions against the technology sector to North Korean operators — many using deepfakes, stolen identities, and forged documentation to secure employment. Review hiring controls for remote technical positions and contractor onboarding procedures.
SafeLove Stealer: Ukrainian Intelligence Targets Russian Military Through Romantic Personas
Researchers disclosed SafeLove Stealer, targeting Russian military personnel through fake romantic personas to steal files, capture location data, access Telegram accounts, and activate microphones remotely for battlefield intelligence collection.
⚖️ Policy, Privacy & Industry
Anthropic Mythos Expands to 150 Organizations Including NATO, Critical Infrastructure
Anthropic’s Project Glasswing added 150 organizations across 15 countries — including NATO, ENISA, Samsung, healthcare providers, utilities, and critical infrastructure operators — to the Mythos vulnerability discovery platform. Mythos has identified 23,000+ potential vulnerabilities including thousands previously unknown. AI-assisted vulnerability discovery is becoming a strategic defensive advantage for organizations with access — and a structural risk for those without.
Trump Signs Voluntary AI Security Review Executive Order
President Trump signed an executive order establishing a voluntary 30-day federal review framework for advanced AI models, with national security risk evaluation, AI cybersecurity capability benchmarking, and an AI cybersecurity clearinghouse. The practical value depends on whether government oversight can evolve at the pace of AI development.
Massachusetts Consumer Data Privacy Act Passes Unanimously
Massachusetts unanimously passed the MCDPA introducing restrictions on geolocation tracking, biometric data collection, data minimization requirements, and private rights of action. Begin assessing compliance exposure for organizations operating in Massachusetts.
European Commission Tech Sovereignty Package: Cloud and AI Localization Requirements
The European Commission unveiled a technology sovereignty initiative including expanded semiconductor investments and new cloud and AI localization requirements designed to reduce European dependence on foreign infrastructure providers. Organizations operating across U.S. and European markets should prepare for data residency requirements, regional architecture segmentation, and regulatory divergence.
Palantir CTO Reportedly Under Consideration for CISA Director
Reports indicate Shyam Sankar, Palantir CTO, is being considered for the long-vacant CISA Director position. CISA has operated without Senate-confirmed leadership since January 2025 while facing some of the most active threat periods in recent memory.
Proposal for Independent U.S. Cyber Force: 30,000 Personnel, $11 Billion
A policy report recommended creating a dedicated U.S. Cyber Force. Supporters argue cyber operations have grown sufficiently large to justify their own military branch.
WhatsApp v. NSO: Court Finds NSO in Contempt of Discovery Orders
NSO Group was found in contempt of court for failing to provide required technical documentation about Pegasus spyware operations. WhatsApp also alleges it identified additional NSO activity occurring during the discovery process itself.
NSA Appoints David Imbordino as Cyber Director, Bruce Jones to Lead CCC
NSA formally filled key leadership positions, ending a prolonged gap and restoring continuity for government-private sector cybersecurity partnerships.
Adobe Patches 123 Vulnerabilities; ColdFusion Remains Highest Priority
Adobe released fixes for 123 vulnerabilities across 11 products — 57 affecting Experience Manager alone, two critical RCE vulnerabilities. ColdFusion remains the highest-priority remediation target given its exploitation history.
✅ This Week’s Priority Action List
Immediate (Do This Now)
Deploy Chrome 149.0.7827.102 or later and force restarts — fifth actively exploited zero-day of 2026
Patch SAP NetWeaver CVE-2026-44748 (CVSS 9.9 SAML forgery) and CVE-2026-27671 (CVSS 9.8 kernel RCE) — prioritize SAML configuration review
Patch Veeam Backup & Replication CVE-2026-44963 immediately — any domain user achieves RCE against backup infrastructure
Patch SolarWinds Serv-U to 15.5.4 Hotfix 1 — CISA KEV, June 19 federal deadline
Upgrade Hugging Face Transformers to version 5.3.0 — 232 million installs, exploit bypasses trust_remote_code control
Patch Oracle WebLogic CVE-2024-21182 — CISA KEV, Cobalt Strike and ransomware deployment confirmed
Upgrade Langflow immediately and disable auto-login — 7,000 internet-accessible instances under active attack
Patch WordPress Kirki plugin to version 6.0.7 or disable — CVSS 9.8, one million sites, no credentials required
Apply Check Point VPN patches immediately — domain controller compromise documented in under four hours
Apply Ubiquiti Unifi firmware updates and isolate management networks — three-vulnerability root access chain with physical security implications
Patch WinRAR CVE-2025-8088 — Gamaredon actively exploiting for USB worm and wiper deployment
Update Gogs to version 0.14.3 — arbitrary command execution as Git user
Review PeopleSoft environments for MeshCentral installations and ShinyHunters IOCs — 300+ instances actively targeted
Short-Term (This Month)
Upgrade Cisco SD-WAN with all available compensating controls — seventh zero-day, no patch, root code execution
Hunt for UNC5221 / Verdant Bamboo indicators within Microsoft 365 tenants — rotate all credentials following any IR
Implement Arista EOS ACL mitigations — no patch planned, exploit active, tunnel bypass in production
Monitor for Miasma and Hades supply chain worm indicators — rotate all npm and PyPI-related credentials
Remove all Polyfill.io references from web properties — resurfaced on Toshiba, Muji, Samsung platforms
Patch Adobe ColdFusion — highest-priority given exploitation history
Update OpenSSL dependencies across enterprise applications — AI-discovered use-after-free in PKCS#7
Review ServiceNow instance logs and rotate credentials shared through support cases
Restrict ASUS router management interfaces to trusted networks — patches expected end of June
Remove ATG fuel monitoring systems from internet exposure
Brief all staff with sensitive access on Five Eyes China LinkedIn insider recruitment advisory
Train employees on Teams-based phishing and voice phishing — email-only awareness programs are misaligned with current threat landscape
Strategic (This Quarter)
Assess governance controls around AI model ingestion and deployment — Transformers exploit bypasses the dedicated safety control
Treat “no patch available” scenarios as requiring elevated compensating controls and monitoring — Cisco SD-WAN, Arista EOS, Rogue Planet are all current examples
Begin compliance assessment for Massachusetts Consumer Data Privacy Act and European Tech Sovereignty localization requirements
Prepare for npm version 12 security changes — test compatibility now before mandatory rollout
Expand insider threat monitoring to include financial market abuse, prediction markets, and LinkedIn recruitment scenarios
Evaluate physical security and IT infrastructure separation — Unifi root access with door/camera control convergence is the operational model for why this matters
🎙️ James Azar’s CISO’s Take
When I look across this week’s four episodes, the most important shift is the phrase that kept appearing: “no patch currently available.” Cisco’s seventh SD-WAN zero-day. Rogue Planet on fully patched Windows. Arista EOS with ACLs as the only mitigation. ASUS routers waiting until end of June. This is not occasional, it is becoming a recurring operational condition. Security programs built entirely around the patch-it-and-move-on model are increasingly operating in a world that no longer exists. Organizations must mature disciplines that have historically been secondary: network segmentation, behavioral monitoring, compensating controls, and rapid detection because when the patch doesn’t exist yet, those capabilities are all you have. The fundamentals have always mattered. They matter more now than they ever have.
The second major takeaway is that the attack surface has expanded permanently in ways that most security programs have not fully internalized. The Ubiquiti vulnerability chain demonstrates that a network compromise can now become a physical security incident: unlocking doors, disabling cameras, and enabling physical theft. Miasma expanding into Claude Code and Gemini CLI demonstrates that AI development toolchains are now primary attack surfaces indistinguishable from traditional software supply chains. The IBM/AT&T whistleblower allegations demonstrate that vendor risk is also about disclosure culture: whether your trusted partners will tell you the truth when something goes wrong. These are not edge cases. They are the operational reality security leaders need to be managing today.
📋 Week in Summary
This was the week “no patch available” became a defining operational condition rather than an exception. Cisco SD-WAN logged its seventh zero-day of 2026 with no remediation path. Rogue Planet achieved SYSTEM on fully patched Windows through a race condition Microsoft hadn’t addressed. Arista’s EOS tunnel bypass received ACLs as the permanent mitigation because no patch is planned. And Hugging Face Transformers with 232 million installations received a critical RCE disclosure where exploitation bypasses the safety control specifically designed to prevent it. Against that backdrop, Chrome logged its fifth actively exploited zero-day of 2026, ShinyHunters hit 300-plus PeopleSoft instances, SAP released a CVSS 9.9 SAML forgery vulnerability, and Veeam backup servers were found vulnerable to RCE by any authenticated domain user.
The human and physical dimensions were equally significant. Check Point VPN attackers moved from initial access to domain controller compromise in under four hours, demonstrating that attacker velocity in 2026 is measured in hours, not days. A federal whistleblower alleged that IBM and AT&T concealed APT10 intrusions affecting federal systems for years to protect billion-dollar contracts, a reminder that vendor risk is also about disclosure culture. Ubiquiti’s three-vulnerability chain showed that compromising a network controller can mean unlocking doors. And a Five Eyes advisory documented China’s systematic LinkedIn recruitment of government insiders at scale. The attack surface is fully multi-domain. The organizations that adapt their security programs to that reality will be the ones that remain standing.
Stay informed. Stay prepared. Stay Cyber Safe. 🔐
© CyberHub Podcast