Date: 2026-06-11

Today's Takeaways

  • Edge devices remain the highest-risk target class this week: Check Point VPN actively exploited by a ransomware affiliate, Cisco SD-WAN zero-day with no patch, Arista EOS with no patch planned.
  • AI infrastructure platforms are accumulating exploitable attack surface: LiteLLM (second KEV in a month), Langflow (unpatched, active exploitation), and ServiceNow AI-adjacent API exposure all hit within 10 days.
  • Supply-chain trust mechanisms continue to fail despite provenance controls: the Miasma campaign abused SLSA-attested packages to distribute malware at scale.
  • Multiple KEV additions this week require immediate action; patch status alone is insufficient — several entries have no available fix.

__________________

Chrome V8 Zero-Day (CVE-2026-11645): Fifth 2026 Browser Memory-Corruption Exploit Hits KEV

Google shipped Chrome 149.0.7827.102/.103 on June 8 to address an out-of-bounds read/write in the V8 JavaScript and WebAssembly engine, confirming an exploit exists in the wild. The bug was reported by researcher 303f06e3 on April 27 and awarded a $55,000 bounty. A remote attacker can achieve code execution inside the renderer sandbox via a crafted HTML page. The flaw arises from incorrect bounds-check elimination during TurboFan JIT compilation. Because V8 confines its heap within a 4GB virtual address space, full system compromise requires chaining a second bug — this CVE alone does not escape the sandbox. Google withheld deeper technical detail pending patch propagation; no published IOCs or attribution. CISA added CVE-2026-11645 to KEV on June 9.

Assessment: This is the fifth Chrome zero-day patched in 2026, three of which are in V8. The frequency is consistent with sustained adversary interest in JIT engine memory corruption, a pattern documented in prior Project Zero research. Confidence: Medium — based on observed CVE pattern; no confirmed campaign linkage.

Defender action:

  • Verify Chrome 149.0.7827.103 or later is deployed fleet-wide.
  • Patch does not activate until browser restarts; enforce restart via policy or MDM.
  • Assets with unverified patch status should be treated as potentially exposed.

#vuln #dfir | Source: Google Chrome Security Advisory; NVD; Help Net Security (Jun 9)

__________________

Check Point VPN Auth Bypass (CVE-2026-50751): Qilin Affiliate Exploiting IKEv1 Gateways Since May 7

Check Point disclosed CVE-2026-50751 on June 8 — a logic-flow weakness in certificate validation during deprecated IKEv1 key exchange that allows an unauthenticated attacker to establish a VPN session without valid credentials. Affected surfaces: Remote Access VPN, Mobile Access, and Spark firewalls configured with IKEv1 for remote access, legacy client acceptance, and no machine-certificate requirement. Exploitation first observed May 7; attacks intensified in early June. Check Point confirmed one post-compromise incident linked to a Qilin ransomware affiliate — data exfiltration via Rclone and Tox protocol C2 — and identified victim-geography-correlated VPS infrastructure hosted by Kaupo Cloud HK, Shock Hosting, and Vultr. Rapid7 independently confirmed at least one case with high confidence. CISA added to KEV June 8; federal remediation deadline was June 11. Companion bug CVE-2026-50752 (CVSS 7.4) affects site-to-site IKEv1 and could enable MitM; no exploitation confirmed. Published IOCs: 45.63.104[.]106, 45.61.136[.]173.

Assessment: Check Point's Qilin attribution is single-vendor; treat as a working hypothesis. Reported infrastructure overlap with Fortinet, Palo Alto, and F5 VPN exploitation activity is consistent with a financially motivated actor running a broad edge-device targeting campaign rather than an exclusively Check Point-focused operation. Confidence: Medium.

Defender action:

  • Apply June 8 hotfix immediately.
  • Conduct log audit from May 7 onward.
  • Review IKEv1 configuration; the requires_authentication ServiceNow indicator is not relevant here — the vector is IKEv1-enabled gateway configs.
  • Hunt the two IOC IPs in transaction logs.

#vuln #crimeware #dfir | Source: Check Point Security Advisory (sk185033); Rapid7 ETR; Help Net Security (Jun 8); BleepingComputer (Jun 9)

__________________

LiteLLM Command Injection (CVE-2026-42271) Chains to Unauth RCE via Starlette BadHost Bypass

CISA added CVE-2026-42271 (CVSS 8.7) to KEV on June 8 — a command injection flaw in BerriAI LiteLLM's MCP server preview endpoints (POST /mcp-rest/test/connection and /mcp-rest/test/tools/list). Both endpoints accepted raw command, args, and env fields used by stdio transport, then spawned those values as subprocesses with full proxy privileges and no input validation. Originally limited to authenticated users; Horizon3.ai disclosed that chaining with CVE-2026-48710 (CVSS 6.5), a host-header validation bypass in Starlette ≤ 1.0.0, removes authentication entirely. Fix is in LiteLLM v1.83.7, restricting the endpoints to PROXY_ADMIN role. This is the second LiteLLM exploitation in a month following CVE-2026-42208 (SQL injection, weaponized within 36 hours of disclosure).

Why this matters: LiteLLM centralizes credentials from multiple model providers — a single compromised instance exposes API keys for every connected provider simultaneously.

#vuln #crimeware | Source: The Hacker News (Jun 9); Help Net Security (Jun 9); Horizon3.ai research; CISA KEV (Jun 8)

__________________

Miasma Supply-Chain Worm Hits @redhat-cloud-services npm: 32 Packages, ~80K Weekly Downloads

On June 1, a supply-chain attack compromised 32 package releases under the @redhat-cloud-services npm namespace — frontend JavaScript libraries and API clients for the Red Hat Hybrid Cloud Console. A compromised Red Hat employee GitHub account was used to inject malicious GitHub Actions OIDC workflows across three RedHatInsights repositories, publishing Trojanized packages with valid SLSA provenance. The certificate was authentic; the pipeline contained malware. The payload — Miasma, a credential-stealing worm derived from the Mini Shai-Hulud malware family previously open-sourced by TeamPCP — fires via preinstall lifecycle hook before any application code executes. It targets GitHub tokens, npm tokens, AWS/GCP/Azure credentials, Kubernetes service account tokens, SSH keys, and CI/CD secrets, and self-propagates by stealing publishing tokens and republishing poisoned packages. Red Hat confirmed no enterprise product builds were contaminated due to version pinning. Blast radius: downstream consumers and CI/CD pipelines that ran npm install on affected versions on or after June 1. Independent technical analyses from Wiz Research, StepSecurity, Microsoft Security Blog, and Snyk corroborate root cause and payload behavior.

Defender action:

  • Any environment that installed @redhat-cloud-services packages on/after June 1 should treat all CI/CD secrets, cloud credentials, npm tokens, and SSH keys as compromised.
  • Rotate credentials before revoking to avoid triggering the malware's dead-man switch.
  • Audit for orphan commits, unexpected workflow modifications, and anomalous package publishing events.

#crimeware #dfir | Source: Wiz Research (Jun 1); Microsoft Security Blog (Jun 2); Red Hat RHSB-2026-006; Unit 42 / Snyk / Orca analysis

__________________

Cisco SD-WAN Zero-Day (CVE-2026-20245): No Patch, No Workaround — Seventh Exploited SD-WAN CVE of 2026

Cisco disclosed CVE-2026-20245 on June 5 — a privilege escalation flaw in Catalyst SD-WAN Manager's CLI stemming from insufficient input validation. An authenticated attacker with netadmin privileges can upload a crafted file and execute arbitrary commands as root. Exploitation has been observed in limited cases, including confirmed instances where configuration changes were pushed to edge devices. Mandiant (Chester Sng, Pete Boonyakarn, Logeswaran Nadarajan) discovered and reported the flaw. No patch exists; no workaround is available. The attack requires netadmin access, obtained via valid credentials or by chaining CVE-2026-20182 or CVE-2026-20127. Cisco has added specific log entry indicators of compromise. This is the seventh SD-WAN CVE flagged as actively exploited in 2026, following CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, and two others.

Assessment: Seven exploited CVEs in a single product line within one calendar year is consistent with sustained adversary interest in SD-WAN management infrastructure. Whether this reflects coordinated campaign activity or convergent opportunistic exploitation cannot be confirmed from public reporting. The confirmed post-exploitation behavior — configuration changes pushed to edge devices — suggests targeted network manipulation rather than opportunistic ransomware staging, but no threat-actor attribution has been published. Confidence: Low — insufficient public data to characterize actor intent or campaign scope.

Defender action:

  • Apply CVE-2026-20182 fixes if not already done; they address the prerequisite access path.
  • Run request admin-tech on edge devices to preserve potential IOCs before investigating.
  • Treat internet-exposed SD-WAN Manager deployments as elevated risk pending a patch.

#vuln #apt | Source: Cisco PSIRT Advisory; Help Net Security (Jun 5); The Hacker News (Jun 5)

__________________

Langflow Path Traversal (CVE-2026-5027): Unpatched AI Workflow Platform, Active RCE Exploitation, ~7K Exposed Instances

VulnCheck confirmed active exploitation of CVE-2026-5027 (CVSS 8.8) — a path traversal in Langflow's POST /api/v2/files endpoint that does not sanitize the filename parameter, allowing ../ sequences to write files to arbitrary filesystem locations. Langflow ships with auto-login enabled by default; the /api/v1/auto_login endpoint returns a valid JWT without credentials. The full chain — auto-login → path traversal → cron job injection → root shell — is entirely unauthenticated. Tenable Research (TRA-2026-26) discovered the flaw, contacted maintainers three times between January and March without response, and disclosed in late March. No patch exists as of publication. Censys scans identified approximately 7,000 publicly exposed instances.

Assessment: This exploitation follows earlier in-the-wild activity against CVE-2026-0770, CVE-2026-33017, CVE-2026-21445, and CVE-2025-3248 — the last linked to MuddyWater. The frequency of incidents affecting AI infrastructure platforms (LiteLLM, Langflow, ServiceNow AI components) within a 10-day window suggests AI infrastructure is emerging as a distinct attack surface, though whether this reflects coordinated targeting or convergent opportunism is not established. Confidence: Low.

Defender action:

  • Upgrade Langflow immediately; check for available releases.
  • Disable auto-login if not required; it is the enabler for the unauthenticated chain.
  • If exposure cannot be confirmed clean, treat the host as compromised and audit for cron job modifications.

#vuln #apt | Source: BleepingComputer (Jun 11); The Hacker News (Jun 10); Tenable TRA-2026-26; VulnCheck analysis

__________________

ServiceNow API Breach: Unauthenticated Endpoint Exposed Customer Instance Tables June 2–3

ServiceNow disclosed via internal support bulletin (KB3067321) that attackers exploited a misconfigured Scripted REST Resource endpoint (/api/now/related_list_edit/create) deployed with requires_authentication=false. Unauthenticated HTTP requests were able to query customer instance tables, exposing IT support tickets, employee records, security incident data, workflow configurations, and asset inventories. Confirmed suspicious activity: June 2–3. ServiceNow applied a silent server-side fix June 5, enforcing authentication on the endpoint. Affected scope: customers on the Australia platform release or older releases with specific configuration changes applied. Exploit traffic appears in transaction logs under the Guest user account; primary IOC IP is 51.159.98[.]241. No CVE assigned at time of writing. Third significant authentication-related ServiceNow vulnerability in eight months; first confirmed to have resulted in data access before patching.

Assessment: Multiple independent sources document that ServiceNow logged the underlying issue internally as early as April 7 — five weeks before the June 5 patch and seven weeks before June 9 customer notification. The disclosure timeline warrants scrutiny, particularly for customers in regulated industries. Whether the internal logging constitutes actionable prior knowledge is not confirmed. Confidence: Medium — timeline is documented; characterization of internal response is not.

Defender action:

  • If notified by ServiceNow via support case, conduct a transaction log review from June 2 onward.
  • Filter logs for 51.159.98[.]241 and the /api/now/related_list_edit path.
  • Guest-account activity in transaction logs during the June 2–3 window is the primary indicator; it does not require credentials, so no authentication event precedes it.

#dfir #vuln | Source: ServiceNow KB3067321 (gated); Triskele Labs advisory (Jun 10); Ampcus Cyber IOC analysis; BleepingComputer (Jun 10)

__________________

Arista EOS Tunnel Bypass (CVE-2026-7473): KEV Entry With No Patch Planned

CISA added CVE-2026-7473 (CVSS 6.9) to KEV on June 9 — an incomplete tunnel-protocol-type validation bug in Arista EOS affecting devices with tunnel decapsulation configured (VXLAN, GRE, or decap-groups). The switch fails to verify the encapsulation protocol type, allowing crafted traffic targeting a configured decapsulation IP to be incorrectly processed and forwarded. Arista has confirmed no patch is planned. CISA's guidance: apply vendor-supplied mitigations or discontinue affected devices.

Defender action:

  • Review Arista EOS deployments for tunnel decapsulation configurations.
  • Apply Arista's published mitigations; see Security Advisory 0137.
  • If mitigations cannot be applied, assess whether the device can be removed from internet-facing positions.

#vuln | Source: SecurityWeek (Jun 10); CISA KEV (Jun 9); Arista Security Advisory 0137

__________________

RoguePlanet: Nightmare-Eclipse Drops Defender Zero-Day Hours After Record Patch Tuesday

Microsoft shipped its largest-ever Patch Tuesday on June 10 — nearly 200 vulnerabilities. Within hours, the researcher known as Nightmare-Eclipse published RoguePlanet, a proof-of-concept exploit for an unpatched TOCTOU race condition in Microsoft Defender's real-time scanning engine. The technique exploits the timing window between Defender's file-path verification and its subsequent action, redirecting a SYSTEM-level Defender file operation to attacker-controlled code via a VHD/ISO trigger and NTFS junction. Result: a command shell running as NT AUTHORITY\SYSTEM. Multiple independent researchers confirmed the exploit achieves LPE on fully updated Windows 10 and 11 (KB5094126). Success rate is variable due to race condition timing; does not work on Windows Server in its current form. No CVE assigned; no patch. Microsoft pushed Defender definition update 1.453.20.0, which researchers assess as bypassable with minor modifications. June's Patch Tuesday also fixed two prior Nightmare-Eclipse disclosures — GreenPlasma (CVE-2026-45586) and YellowKey (CVE-2026-50507, a BitLocker bypass). Earlier disclosures BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498) have seen in-the-wild exploitation.

Assessment: The researcher has publicly cited Microsoft's disclosure handling as motivation. The cadence of approximately one zero-day per 10 days since April, combined with same-day Patch Tuesday publication, is consistent with deliberate signaling, though intent cannot be confirmed from public statements alone. ThreatLocker independently reproduced the PoC; default allowlisting controls blocked execution. Confidence: Medium — behavioral pattern is documented; intent is inferred.

#vuln #dfir | Source: BleepingComputer (Jun 10); SecurityWeek (Jun 10); Help Net Security (Jun 10); The Hacker News (Jun 10)

__________________

MuddyWater False-Flag: Chaos Ransomware Branding Used to Mask MOIS Espionage Operation

Rapid7 published a full intrusion timeline in May detailing a hybrid operation attributed with moderate confidence to MuddyWater (Mango Sandstorm / Seedworm), an APT affiliated with Iran's Ministry of Intelligence and Security. The campaign initially presented as a Chaos ransomware incident. Attack chain: Microsoft Teams chat requests to employees → interactive screen-sharing → credential harvesting via user-typed plaintext files (credentials.txt, cred.txt) → attacker-controlled device enrolled in MFA → lateral movement via compromised accounts → persistence via AnyDesk and DWAgent → delivery of ms_upd.exe → custom RAT Game.exe → data exfiltration → Chaos ransomware branding applied for extortion optics. No file encryption occurred. Technical attribution rests on the "Donald Gay" code-signing certificate (previously associated with MuddyWater's Stagecomp downloader) and the moonzonet[.]com C2 domain, both tied to earlier MuddyWater infrastructure.

Assessment: Rapid7's attribution is single-firm and rated moderate confidence. The certificate and C2 domain are specific technical indicators, but a false-flag operation by definition anticipates forensic correlation — the possibility that TTP reuse is deliberate misdirection cannot be ruled out, though it is lower probability given the specificity of the certificate. The practical operational point is more durable: when ransomware branding accompanies an intrusion, defenders may treat it as financially motivated cybercrime and deprioritize the espionage collection phase. Confidence: Medium — technical indicators are documented; strategic attribution is single-vendor.

#apt #dfir | Source: Rapid7 Blog (May 6); The Hacker News (May 6); SC Media (May 8)

Jonathan Brown | Border Cyber Group bordercybergroup.com | Support independent security reporting.

Easy way to support our work... Subscribe (free or paid), or buy us a coffee! https://bordercybergroup.com/#/portal/support

Analysis and defender guidance in this digest are informational only. BORDER CYBER GROUP has no visibility into reader environments, patch states, or operational constraints. Nothing published here constitutes professional cybersecurity, legal, or compliance advice. All remediation and response decisions should be evaluated by qualified personnel against your organization's specific context. BCG assumes no responsibility for actions taken or not taken in reliance on this content.