This Week in Cybersecurity #57
Your weekend catch-up on the most critical cybersecurity stories of the week, curated by James Azar and the CyberHub Security Gang.
Happy Friday, Security Gang!
Double espresso in hand. This week James returned to a theme that has defined 2026 in cybersecurity, and it is not AI, not zero-days, and not nation-state sophistication. It is operational execution gaps. Attackers keep winning through problems we already know how to solve.
Splunk made CISA’s KEV for the first time ever, days after disclosure, with public PoC code available within 48 hours. FortiBleed expanded to 86,644 verified Fortinet credentials across 194 countries, harvested not through a new vulnerability but through infostealer logs and stale default accounts. The Klue supply chain breach cascaded into HackerOne, Huntress, Recorded Future, Tanium, Snyk, LastPass, Jamf, OneTrust, and more, tracing back to a pilot-project credential left active for four years after the pilot ended. Cisco Unified Communications Manager is being actively exploited despite a patch having been available for three weeks. And three Ubiquiti UniFi vulnerabilities carrying CVSS 10.0 scores were confirmed under automated mass exploitation, with federal agencies facing a June 26 remediation deadline.
Operation Endgame delivered the week’s most significant positive news, disrupting Amadey and StealC infrastructure across 326 servers and 142 domains, with $47 million in seized cryptocurrency and 27 million recovered stolen credentials. The DOJ announced the largest healthcare fraud takedown in U.S. history. And the Five Eyes alliance issued a direct warning: AI-accelerated cyber attacks are not a future scenario; they are the present state.
James’s through-line across all four episodes this week: “The basics are still the battlefield. Default Fortinet credentials. Unauthenticated Postgres endpoints. OAuth tokens nobody scoped down. None of this is exotic. All of it is preventable.”
Let’s get into it.
🌐 Infrastructure & Network Exploitation
Three Ubiquiti UniFi CVSS 10.0 Vulnerabilities: Automated Exploitation, June 26 Federal Deadline
Three critical Ubiquiti UniFi OS vulnerabilities all carrying perfect CVSS 10.0 scores are now confirmed under active exploitation and added to CISA’s KEV with a federal remediation deadline of June 26. Bishop Fox demonstrated a complete unauthenticated RCE chain: authentication bypass → path traversal exposing credentials and configuration files → command injection granting root-level execution. Researchers are already observing automated scanning creating unauthorized administrator accounts named “John Sim,” indicating mass internet exploitation is underway. Patches have been available since May 21. Upgrade to UniFi OS 5.0.8 or later immediately, restrict management interfaces to dedicated administrative VLANs, block external access to UniFi controller ports, and use Bishop Fox’s published detection tools to identify exposed systems before attackers do.
Cisco SD-WAN: Seventh Zero-Day — Mandiant Documents Full Enterprise Compromise
“Seven actively exploited zero-days in a single product line in six months isn’t bad luck. That’s structural failure.”
Mandiant published a detailed forensic analysis of a Cisco SD-WAN compromise at a communications provider, documenting exactly how attackers converted multiple vulnerabilities into complete network control over several months. Stage one: authentication bypass to establish administrative access and extract the full SD-WAN configuration covering controllers, edge devices, and network architecture. Stage two: command injection via a malicious CSV upload through the tenant management interface, creating a hidden root account named “Truth” and achieving unrestricted management plane control. Once the management plane was owned, attackers could push malicious configurations to every connected branch and edge device. This is the seventh actively exploited Cisco SD-WAN zero-day of 2026. Security teams operating Cisco SD-WAN should treat this as an active incident response, not a routine patch cycle: investigate administrator accounts, unauthorized configuration changes, NetConf activity, and unexpected peering relationships now.
Splunk CVE-2026-20253: First Splunk Vulnerability Added to CISA KEV
Splunk Enterprise administrators face urgent remediation after CISA added CVE-2026-20253, affecting Splunk’s PostgreSQL sidecar service, to the KEV catalog just days after public disclosure, with public PoC exploit code appearing within 48 hours. The flaw enables unauthenticated arbitrary file operations chainable into full RCE. Because Splunk often serves as the backbone of enterprise detection and response, a compromise could allow log manipulation, detection disabling, forensic evidence erasure, and environment pivoting. This marks the first time a Splunk vulnerability has been added to CISA’s KEV. Upgrade to supported versions immediately, review all Splunk activity since June 10, and treat any unpatched internet-accessible instances as potentially compromised.
Cisco Unified Communications Manager CVE-2026-20230: Active Exploitation, Patch Available Three Weeks
Cisco warned that CVE-2026-20230, a CVSS 8.6 SSRF vulnerability in the Unified Communications Manager Web Dialer component, is under active exploitation despite a patch having been available since June 3. Unauthenticated attackers can write arbitrary files to the OS through crafted HTTP requests, then escalate to root-level control. Attackers can obtain the required hostname information directly from the system before exploitation, significantly lowering the barrier. Reconnaissance and test-file-creation activity has already been observed. CUCM is deployed across enterprise voice, collaboration, and call center environments globally. If you haven’t patched yet, you are operating on borrowed time. Patch immediately and audit all internet-facing Web Dialer deployments.
NGINX Critical Vulnerabilities: HTTP/3 Memory Corruption and Heap Buffer Overflow
F5 released patches for two critical NGINX vulnerabilities (both CVSS 9.2), an HTTP/3 processing memory corruption flaw and a heap-based buffer overflow in proxy and gRPC modules under specific configurations. Both are remotely exploitable without authentication and may enable RCE. NGINX underpins a significant percentage of internet-facing applications, APIs, and cloud-native services. Patch immediately and disable HTTP/3 functionality where updates cannot be deployed quickly.
Lantronix EDS5000 Added to CISA KEV: Legacy OT Bridge Devices
A critical command injection vulnerability in Lantronix EDS5000 Serial-to-Ethernet servers was added to CISA’s KEV. These devices frequently bridge legacy industrial equipment into modern IP networks, creating OT exposure pathways. Update firmware immediately and isolate management interfaces.
SolarWinds Serv-U CISA KEV: June 19 Federal Deadline
SolarWinds Serv-U FTP software remains in the KEV with a June 19 federal deadline. Upgrade to version 15.5.4 Hotfix 1 and verify all internet-facing deployments are fully updated.
🔥 Credential Exposure & Authentication Failures
“The basics are still the battlefield. Default Fortinet credentials. Unauthenticated Postgres endpoints. OAuth tokens nobody scoped down. None of this is exotic. All of it is preventable. And that’s the real warning. Patch what you can. Rotate what you should. Audit those third-party integrations. Security is ninety percent hygiene, ten percent fancy rules.”
FortiBleed: 86,644 Fortinet Devices Across 194 Countries — No New Vulnerability Required
The FortiBleed campaign expanded dramatically: a Russian-speaking threat actor compiled a verified database of 86,644 active Fortinet administrative and SSL VPN credentials across 194 countries, representing roughly half of all internet-facing Fortinet firewalls discoverable through Shodan. The methodology was sophisticated: automated credential stuffing, packet sniffers intercepting VPN authentication hashes in transit, and dedicated 45-GPU password-cracking infrastructure recycling recovered credentials. The most alarming finding from Hudson Rock: many recovered passwords exceeded 25 characters and fully complied with complexity requirements. They were not cracked. They were harvested directly from infostealer logs. Password complexity does not protect credentials that have already been stolen. Rotate all Fortinet administrative and VPN credentials immediately, remove all default and generic administrator accounts, verify migration to stronger password hashing mechanisms, enforce phishing-resistant MFA on all internet-facing management interfaces, and rotate any Active Directory credentials potentially associated with perimeter devices.
Scattered Spider Members Plead Guilty: Transport for London, £39M Recovery Cost
Two Scattered Spider members, 20-year-old Tahala Jubair and 18-year-old Owen Flowers, pleaded guilty to conspiracy charges related to the Transport for London attack. The breach forced password resets for 28,000 employees, exposed Oyster card refund data for approximately 10 million customers, and generated recovery costs estimated at £29–39 million. Evidence included screenshots showing active system access and video recordings of portions of the intrusion. The demographics continue to be remarkable: Scattered Spider repeatedly demonstrates that some of the most damaging global cyberattacks are conducted by teenagers. Authorities estimate approximately one in five UK children aged 10–16 has engaged in activities technically violating computer misuse laws. The next generation of cybercrime talent is already forming.
🧬 Supply Chain & Third-Party Trust
Klue/Icarus Supply Chain Campaign: LastPass, HackerOne, Huntress, Recorded Future, Tanium, Snyk, and More
The Klue supply chain breach escalated into one of the most significant SaaS-based compromises of 2026. The initial compromise originated from a credential issued to a third party during a limited pilot project in 2022 and left active for four years after the pilot ended. Attackers used the dormant credential to access Klue’s infrastructure, steal OAuth tokens connected to Salesforce and Gong, and pivot into customer environments, extracting CRM data, business intelligence, pricing information, opportunity notes, and sales strategies. The Icarus extortion group has now claimed victims including HackerOne, Huntress, Recorded Future, Tanium, Snyk, Jamf, OneTrust, Gong, Sprout Social, and LastPass. LastPass confirmed attackers accessed customer contact information, phone numbers, email addresses, physical addresses, and support case information stored in Salesforce. Password vaults were not compromised, but the stolen contextual intelligence enables precision phishing, executive impersonation, and social engineering campaigns. This is the third major Salesforce OAuth supply chain attack in less than a year. Audit every Salesforce connected application and OAuth permission, remove any integration whose current business purpose your team cannot explain, and rotate all tokens associated with Klue integrations.
North Korean npm Supply Chain: 60+ Packages Targeting Developer Credentials
Microsoft attributed a supply chain attack involving more than 60 npm packages to North Korean threat actors in the Sapphire Sleet cluster targeting developer credentials and cryptocurrency wallets through typosquatted dependencies. Review development environments and dependency trees immediately.
GentleKiller EDR-Killing Framework: 400+ Security Processes Across 48 Vendors
Researchers identified GentleKiller, an EDR-killing framework used by the Gentleman ransomware operation. The malware disables more than 400 security processes across 48 vendors using vulnerable signed drivers in classic bring-your-own-vulnerable-driver attacks. Enable Microsoft’s vulnerable driver block list and implement strict driver allow-listing controls.
Joomla JCE Editor and LiteSpeed Under Active Exploitation
Attackers are actively exploiting critical vulnerabilities in Joomla’s JCE Editor and LiteSpeed cPanel plugins enabling RCE and privilege escalation. Patch immediately.
Polyfill.io Resurfacing on Toshiba, Muji, Samsung Smart TV Sites
The compromised Polyfill.io JavaScript CDN continues resurfacing on websites associated with major brands. Remove all remaining Polyfill.io references from web properties.
🤖 AI Security & Development Ecosystem
Five Eyes Advisory: AI-Powered Cyberattacks Are Present State, Not Future Scenario
The Five Eyes intelligence alliance (U.S., UK, Australia, Canada, and New Zealand) issued a joint advisory stating that AI is already being used offensively and that frontier models will soon accelerate vulnerability discovery, exploit development, reconnaissance, and attack automation at unprecedented speed. Unlike previous theoretical warnings, this advisory is direct: the organizations struggling with basic cybersecurity today will be the least prepared for AI-accelerated attacks. The advisory recommended five foundational focus areas: reduce attack surface exposure, accelerate patch management, eliminate unsupported legacy systems, strengthen identity controls, and regularly test incident response capabilities. The timing coincides with a reported 400% increase in cyber activity targeting satellite operators following geopolitical tensions. The message: prepare now or face disproportionate impact later.
Trump Signs Post-Quantum Cryptography Executive Order
President Trump signed Executive Order 14409 establishing federal deadlines for post-quantum cryptography migration: high-value federal systems must adopt quantum-resistant key establishment by December 31, 2030, and quantum-resistant digital signatures by December 31, 2031. Federal contractors will face similar expectations. Begin post-quantum cryptography inventory and planning immediately.
Atomic macOS Stealer Expands ClickFix Campaigns Against Mac Users
A new ClickFix campaign targets macOS users: victims are tricked into opening Terminal and executing malicious commands that install the Atomic macOS Stealer, which targets browsers, cryptocurrency wallets, Apple Keychain, Telegram, Discord, and hardware wallet software. No legitimate website should ever instruct users to paste commands into Terminal or PowerShell. Train users on this specific social engineering pattern.
OpenAI Daybreak Cybersecurity Initiative Expands
OpenAI announced major updates to its Daybreak cybersecurity initiative through partnerships with HackerOne and Trail of Bits, focusing on patch deployment and open-source software security acceleration.
OpenAI Custom AI Inference Chip “Jalapeño” Introduced
OpenAI unveiled its first internally designed inference processor built on TSMC’s 3-nanometer process. Custom AI silicon introduces new supply chain considerations for organizations evaluating AI infrastructure security.
Anthropic Mythos Expands to 150 Organizations Including NATO
Anthropic’s Project Glasswing added 150 organizations across 15 countries including NATO, ENISA, Samsung, healthcare providers, utilities, and critical infrastructure operators to the Mythos vulnerability discovery platform. AI-assisted vulnerability discovery is becoming a strategic defensive advantage.
🔓 Data Breaches & Identity Exposures
Tata Electronics Breach: Apple and Tesla Supply Chain Intelligence Stolen
Tata Electronics confirmed a breach by the WorldLeaks ransomware group allegedly stealing more than 630 gigabytes including Apple supplier documentation, Tesla manufacturing records, internal SAP data, corporate email communications, and operational engineering information. Tata assembles Apple products, supplies semiconductor components, and supports Tesla operations. As manufacturing ecosystems become more strategically important as part of China diversification strategies, they become more attractive cyber targets. Supply chain security now extends from software code to semiconductor fabrication and physical product assembly.
Texas Parks and Wildlife: Three Million Records via Third-Party Vendor
A third-party vendor supporting Texas Parks and Wildlife disclosed a breach exposing driver’s license numbers, passport information, email addresses, phone numbers, and physical addresses for more than three million individuals. The affected vendor has not yet been publicly identified, reinforcing ongoing third-party risk management challenges.
iPhone Unpatchable BootROM Exploit: USBlitter-V8 Targeting A12/A13 Chipsets
Paradigm Shift disclosed USBlitter-V8, a BootROM exploit targeting Apple’s SecureROM in A12 and A13 chipsets, including the iPhone XS, XR, and iPhone 11 lines, and Apple cannot patch it, as the flaw resides in immutable silicon. Physical access and specialized hardware are required, limiting widespread exploitation. However, this represents a hardware lifecycle issue: devices approaching a decade in service carry risks that software updates can no longer address. Hardware refresh timelines matter as a security control.
Oxford Career Connect: Second Breach This Year
Oxford’s Career Connect platform suffered its second successful compromise of 2026, exposing student records, email addresses, degree information, and employment application history enabling highly targeted job-related phishing.
⚖️ Law Enforcement, Policy & Industry
Operation Endgame: Amadey and StealC Infrastructure Dismantled
International law enforcement, Europol, Microsoft, IBM X-Force, and Proofpoint dismantled infrastructure supporting the Amadey loader and StealC infostealer, disrupting 326 servers, seizing 142 malicious domains, identifying $47 million in criminal cryptocurrency assets, and recovering approximately 27 million stolen credentials from 385,000+ compromised systems. Microsoft’s Digital Crimes Unit used AI-assisted analysis to connect shared infrastructure, while Proofpoint and IBM X-Force identified weaknesses within the StealC C2 platform that law enforcement leveraged during the takedown. Operation Endgame’s strategy of targeting cybercrime infrastructure rather than individual actors is producing measurable, compounding results.
SocGholish Infrastructure Disrupted: 106 Servers Seized, 15,000 WordPress Sites Remediated
Authorities from the U.S., Canada, Germany, and the Netherlands seized 106 servers and remediated nearly 15,000 compromised WordPress websites associated with SocGholish, a major initial access broker feeding Evil Corp and RansomHub operations. Portions of the infrastructure are expected to reemerge.
DOJ Healthcare Fraud Takedown: $6.5 Billion, 455 Defendants
The DOJ announced charges against 455 defendants across 56 federal districts for more than $6.5 billion in fraudulent Medicare and Medicaid claims with $182 million in assets seized. Patient data breaches do not simply create privacy risks, they become raw material for organized financial crime at scale.
DraftKings Credential Stuffing: 18-Month Prison Sentence
A Minnesota man received an 18-month prison sentence for participating in the 2022 DraftKings credential stuffing campaign that compromised approximately 60,000 accounts and stole $600,000. The sentence reinforces growing federal enforcement against credential stuffing fueled by breached password databases.
International Cybercrime Marketplace Operator Extradited to U.S.
Spanish authorities extradited Algerian national Abdullah Balami to the U.S. — accused of operating Market Zero Day and Spoxy cybercrime marketplaces facilitating stolen credentials, exploits, and cybercrime services.
Google Workspace Passkey Mandatory Migration: September 30 Deadline
Google announced all Workspace administrator accounts must transition to passkey-based authentication by September 30. Begin migration planning immediately to avoid last-minute operational challenges.
Massachusetts Consumer Data Privacy Act Passes Unanimously
Massachusetts unanimously passed the MCDPA with restrictions on geolocation tracking, biometric data collection, data minimization, and private rights of action. Assess compliance exposure for organizations with Massachusetts operations.
UK NCSC: 200+ Critical Infrastructure Incidents, 75% Nation-State Linked
The UK’s NCSC reported handling more than 200 critical infrastructure incidents over the past year, with approximately 75% linked to Russia, China, and Iran. Officials warned AI will accelerate vulnerability exploitation by 2028.
Accenture Acquires Dragos, RunZero, and NetRise in $4.1B OT Security Expansion
Accenture announced a $4.1 billion transaction combining a Dragos majority stake with RunZero and NetRise acquisitions. The deal signals growing institutional demand for integrated OT security as industrial environments face increasing cyber threats.
WhyNoPasskeys.com Launched by Scott Helme and Troy Hunt
Security researchers launched WhyNoPasskeys.com highlighting major consumer platforms still not supporting passkey authentication, calling attention to password-only services that remain vulnerable to credential stuffing and phishing.
✅ This Week’s Priority Action List
Immediate (Do This Now)
Upgrade Ubiquiti UniFi OS to 5.0.8 or later — CVSS 10.0 x3, CISA KEV June 26 federal deadline, mass automated exploitation confirmed with “John Sim” unauthorized admin accounts being created
Patch Cisco Unified Communications Manager CVE-2026-20230 immediately — patch available three weeks, active exploitation underway, recon activity already observed
Rotate all Fortinet administrative and VPN credentials without exception — 86,644 devices exposed, many via infostealer logs, complexity requirements are irrelevant if credentials are already stolen
Upgrade Splunk Enterprise — first Splunk KEV addition, public PoC within 48 hours, review all activity since June 10
Treat Cisco SD-WAN as active incident response — audit all admin accounts, investigate unauthorized configuration changes, NetConf activity, and unexpected peering relationships
Patch NGINX Open Source and NGINX Plus — CVSS 9.2, HTTP/3 memory corruption and heap buffer overflow, disable HTTP/3 where patches cannot be deployed immediately
Audit every Salesforce connected application and OAuth permission — revoke any the team cannot explain current business purpose for; rotate all tokens associated with Klue integrations
Remove all default and generic Fortinet administrator accounts and verify migration to current password hashing mechanisms
Patch Joomla JCE Editor and LiteSpeed environments under active exploitation
Update Lantronix EDS5000 firmware and isolate management interfaces — CISA KEV
Short-Term (This Month)
Enforce phishing-resistant MFA on all internet-facing management interfaces — Fortinet, Cisco, Splunk, and all perimeter devices
Restrict UniFi management interfaces to dedicated administrative VLANs with no internet exposure
Review all temporary vendor credentials and pilot program accounts — Klue breach traced to a four-year-old forgotten credential
Rotate dormant API keys and OAuth tokens across all SaaS integrations
Alert executives and customer-facing teams to phishing risks from Klue/Icarus breach — LastPass contact data and sales intelligence are in attacker hands
Audit npm dependencies for North Korean typosquatted packages — 60+ packages attributed to Sapphire Sleet
Enable Microsoft’s vulnerable driver block list — GentleKiller EDR-killing framework targets 400+ security processes across 48 vendors
Train users on ClickFix / Terminal-based social engineering — Atomic macOS Stealer is expanding
Remove all Polyfill.io references from web properties
Begin planning Google Workspace administrator passkey migration for September 30 deadline
Strategic (This Quarter)
Begin post-quantum cryptography inventory within the next 90 days — EO 14409 sets December 31, 2030 federal deadline for quantum-resistant key establishment
Assess hardware refresh timelines for older Apple A12/A13 devices — BootROM exploit is unpatchable through software
Develop third-party credential lifecycle management processes — Klue/Icarus and FortiBleed both trace to governance failures around stale credentials
Implement management plane segmentation across all network infrastructure — Cisco SD-WAN Mandiant analysis is the operational case study
Assess compliance exposure for Massachusetts Consumer Data Privacy Act
Train employees at all levels on Five Eyes AI advisory recommendations — reduce attack surface, patch faster, eliminate legacy systems, strengthen identity, test IR
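Two of this week’s recurring failures, the Klue pilot credential left active for four years and the OAuth tokens nobody scoped down, are the kind of thing a routine inventory check catches. The script below is an added example, not code from CyberHub or any vendor it mentions: the CSV inventory format, the sample rows, the audit date and the 90-day dormancy threshold are constructed for illustration, and the scope names mirror Salesforce’s own `full` and `refresh_token` OAuth scopes.

```python
"""Stale third-party credential audit (constructed example).

Flags the governance gaps behind the Klue and FortiBleed stories: a credential
that outlived its pilot, a credential still in use after the pilot ended, grants
that have gone dormant, and OAuth scopes broader than a narrow integration needs.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed inventory, one row per third-party credential or OAuth grant.
# An empty pilot_end means the integration is a standing one, not a pilot.
INVENTORY_CSV = """\
id,vendor,purpose,issued,pilot_end,last_used,scopes
tok-001,klue-pilot,CRM competitive intel pilot,2022-03-01,2022-06-30,2026-06-09,full refresh_token
tok-002,gong,call analytics sync,2025-01-15,,2026-06-10,api
tok-003,legacy-bi,quarterly BI export,2024-02-01,,2025-11-01,api refresh_token
tok-004,support-portal,case lookup,2025-09-01,,2026-06-11,api
"""

# "full" grants access to all data; "refresh_token" grants offline, long-lived
# access. Either deserves a justification on file for a vendor integration.
BROAD_SCOPES = {"full", "refresh_token"}
DORMANT_AFTER = timedelta(days=90)   # assumed threshold for this example
AUDIT_DATE = date(2026, 6, 12)       # constructed "today" for the sample data


@dataclass(frozen=True)
class Finding:
    cred_id: str
    reason: str


def parse_inventory(text):
    """Parse the CSV inventory into rows with real date objects and scope sets."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["issued"] = date.fromisoformat(row["issued"])
        row["pilot_end"] = date.fromisoformat(row["pilot_end"]) if row["pilot_end"] else None
        row["last_used"] = date.fromisoformat(row["last_used"])
        row["scopes"] = set(row["scopes"].split())
    return rows


def audit(rows, today):
    """Return one Finding per policy violation; a credential may have several."""
    findings = []
    for r in rows:
        if r["pilot_end"] and r["pilot_end"] < today:
            overrun = (today - r["pilot_end"]).days
            findings.append(Finding(r["id"], f"pilot ended {overrun} days ago, credential still active"))
            # Activity after the pilot closed is an incident signal, not just hygiene.
            if r["last_used"] > r["pilot_end"]:
                findings.append(Finding(r["id"], "used after pilot ended"))
        idle = (today - r["last_used"]).days
        if today - r["last_used"] > DORMANT_AFTER:
            findings.append(Finding(r["id"], f"dormant: last used {idle} days ago"))
        broad = r["scopes"] & BROAD_SCOPES
        if broad:
            findings.append(Finding(r["id"], f"broad scopes granted: {sorted(broad)}"))
    return findings


def revoke_candidates(findings):
    """Credential ids to rotate or revoke now: any finding puts a credential on the list."""
    return sorted({f.cred_id for f in findings})


def run_audit(text=INVENTORY_CSV, today=AUDIT_DATE):
    return audit(parse_inventory(text), today)


if __name__ == "__main__":
    results = run_audit()
    for f in results:
        print(f"{f.cred_id}: {f.reason}")
    print("rotate/revoke:", ", ".join(revoke_candidates(results)))
```

Against the sample rows the pilot credential tok-001 is flagged three times (overrun, post-pilot use, broad scopes) and the dormant BI export token twice, while the two actively used, narrowly scoped grants produce no findings.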
🎙️ James Azar’s CISO’s Take
When I look across this week’s four episodes, the most consistent story is that attackers keep succeeding through problems we already know how to solve. FortiBleed wasn’t powered by a new exploit; it was powered by default credentials and stale accounts. The Klue breach didn’t start with a sophisticated attack chain; it started with a vendor offboarding process that never happened. Cisco CUCM is being exploited despite a patch available for three weeks. Ubiquiti UniFi systems with perfect-10 CVSS scores are being mass-scanned by automated tools. None of these failures require advanced adversary capabilities to exploit. They require only that defenders continue to deprioritize hygiene in favor of the next security tool on the evaluation list. The fundamentals are not optional. They are the floor. And right now, too many organizations are operating below it.
The second takeaway is structural: the attack surface has expanded permanently into third-party integrations, credential ecosystems, manufacturing supply chains, and hardware trust anchors in ways most security programs have not fully internalized. The Icarus/Klue cascade hitting LastPass, HackerOne, Huntress, and Recorded Future simultaneously demonstrates that one forgotten pilot-project credential can become a weapon against dozens of downstream organizations. The Five Eyes are not issuing theoretical warnings about AI-accelerated threats anymore; they are describing the present operational environment. The organizations that treat the fundamentals as survival requirements rather than aspirational best practices are the ones that will still be standing when AI compression of attack timelines becomes fully operational at scale.
Stay Cyber Safe. 🔐
📋 Week in Summary
This was the week the fundamentals asserted themselves as the defining variable in cybersecurity — not zero-days, not nation-state sophistication, not AI tools. The FortiBleed campaign compiled 86,644 valid credentials without exploiting a single new vulnerability. The Klue/Icarus cascade that compromised LastPass, HackerOne, Huntress, and Recorded Future began with a four-year-old forgotten pilot credential. Splunk made the CISA KEV for the first time with a vulnerability that received public PoC code within 48 hours of disclosure. Cisco CUCM is being actively exploited three weeks after a patch was available. And Ubiquiti UniFi systems with perfect-10 CVSS scores are being automatically scanned and compromised at internet scale with a federal remediation deadline of June 26.
Against that backdrop, Operation Endgame delivered one of the most significant positive enforcement outcomes of the year, recovering 27 million stolen credentials, disrupting 326 servers, and seizing $47 million in criminal assets by targeting cybercrime infrastructure rather than individual actors. The Five Eyes issued their most direct AI cybersecurity warning to date. The Trump administration established federal post-quantum cryptography deadlines. And the DOJ announced the largest healthcare fraud takedown in U.S. history. Progress is real. But it remains outpaced by the volume of preventable failures that attackers continue to exploit with remarkable efficiency. The organizations that will navigate what is coming (AI-accelerated exploitation, quantum cryptographic risks, cascading supply chain trust failures) are the ones building their security programs on a foundation of executed fundamentals today.
Stay informed. Stay prepared. Stay Cyber Safe. 🔐
© CyberHub Podcast | Subscribe on Substack | Watch on YouTube | Follow on LinkedIn