# Today's Top Stories

June 26, 2026

  1. Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
    The Hacker News general Jun 25

    Mandiant confirmed that CVE-2026-20245 (CVSS 7.8) in Cisco Catalyst SD-WAN was exploited as a zero-day at least two months before public disclosure, granting an unknown threat actor authenticated local privilege escalation to root on a communications service provider's network. This is the 7th Cisco SD-WAN vulnerability exploited in 2026, underscoring a sustained campaign targeting this platform. Security teams running Cisco SD-WAN should treat this as an active threat and audit for signs of rogue peering or unauthorized admin access.

  2. Amadey, StealC malware operations disrupted in Operation Endgame action
    BleepingComputer general Jun 24

    Microsoft, Europol, and international partners disrupted the Amadey botnet and StealC infostealer infrastructure as part of Operation Endgame, taking down over 200 command-and-control servers in what Europol described as targeting more than 300 servers total. This is the first court-authorized takedown to simultaneously target two distinct cybercrime tools, both widely used together in ransomware delivery chains. ESET researchers contributed technical analysis and affiliate-level intelligence to the operation.

  3. In Less Than 24 Hours, Attackers Weaponize Cisco CUCM Flaw
    Dark Reading general Jun 25

    A newly disclosed Cisco Unified Communications Manager (CUCM) flaw enabling SSRF and privilege escalation to root was weaponized by attackers within 24 hours of public disclosure, affecting both Unified CM and Unified CM SME deployments. The rapid exploitation window gives defenders essentially no patch buffer and illustrates the continued targeting of Cisco unified communications infrastructure. Administrators should prioritize emergency patching and review CUCM exposure to the internet immediately.

  4. New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis
    The Hacker News general Jun 25

    A new Rust-based macOS implant dubbed 'Gaslight' embeds prompt injection payloads designed to manipulate AI-assisted malware analysis tools into aborting or refusing analysis of the artifact, representing a novel anti-analysis evasion technique. The malware also functions as an information stealer and was found to hide fake debugging data and adversarial strings within the executable. This is an early real-world example of malware authors actively weaponizing the limitations of AI-assisted reverse engineering workflows.

  5. CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
    The Hacker News general Jun 24

    CISA issued an urgent warning on June 24 that CVE-2025-67038 (CVSS 9.8), a critical code injection flaw in Lantronix EDS5000 Series serial-to-IP converter devices, is being actively exploited in the wild. FCEB agencies were ordered to apply fixes by June 26, 2026, the same day the vulnerability was flagged by SecurityWeek as part of the April 2026 BRIDGE:BREAK OT research disclosure. The flaw is particularly concerning given Lantronix devices' prevalence in industrial and OT network environments bridging legacy serial equipment to IP networks.

  6. CISA warns of max severity Ubiquiti flaws exploited in attacks
    BleepingComputer general Jun 24

    CISA is actively warning of exploitation against two device families: Ubiquiti UniFi OS systems and Lantronix serial-to-ethernet servers, with flaws rated at maximum severity allowing remote unauthenticated attackers to make system changes, access underlying accounts, and inject arbitrary commands. The Ubiquiti vulnerabilities are particularly significant given the wide deployment of UniFi equipment across enterprise and SMB networks. Organizations should audit internet-facing Ubiquiti and Lantronix devices and apply available patches immediately.

  7. Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances
    WeLiveSecurity (ESET) threat-intel Jun 25

    ESET Research published a detailed 2025 analysis of Gamaredon (FSB-linked APT), documenting the group's adoption of DNS tunneling, Cloudflare Workers for C2 obfuscation, dead-drop resolvers on legitimate platforms, and new tooling alliances to evade detection and hide infrastructure. The group has significantly upgraded its operational security compared to prior campaigns, making traditional IOC-based defenses less effective against this persistent Ukraine-focused threat actor. Defenders tracking Gamaredon should focus on behavioral detection of tunneling protocols and abuse of legitimate cloud services.

  8. BeyondTrust, LastPass Impacted by Klue-Salesforce Incident
    SecurityWeek general Jun 24

    A data breach involving Klue's Salesforce environment has impacted over a dozen downstream customers, including high-profile security vendors BeyondTrust and LastPass — both of which have been breach targets in prior incidents. The incident highlights the compounding supply chain risk when security-focused companies share CRM infrastructure with third-party SaaS providers. Organizations should review their Salesforce-connected third-party integrations and audit data access logs for the affected timeframe.

  9. Exploitable CI/CD Vulnerabilities Expose Millions of Repositories to Hijacking
    SecurityWeek general Jun 24

    Researchers disclosed exploitable CI/CD vulnerabilities affecting millions of open source repositories, where unauthenticated users could hijack software supply chain pipelines by exploiting misconfigurations or flaws in build systems. The scope — millions of potentially affected repositories — makes this a systemic risk for any organization consuming open source dependencies built through affected CI/CD platforms. Security teams should audit pipeline permissions, enforce branch protection rules, and validate integrity of build artifacts from affected systems.

  10. Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability
    The Hacker News general Jun 25

    Researchers from Island discovered that 'Adblock for YouTube' (Chrome extension ID: cmedhionkhpnakcndndgjdbohmhepckk), which carries a Featured badge on the Chrome Web Store and has over 10 million installs, contains dormant capability to execute arbitrary JavaScript on user browsers. The extension has not been confirmed as actively malicious, but the hidden script injection capability represents a significant supply chain risk given its installation footprint. Users and enterprise security teams managing Chrome extension policies should evaluate or block this extension pending further investigation.