Supply Chain Attack
Three disclosures this cycle share one thesis: attackers borrowing the trust of legitimate channels. A Rust-written npm worm (IronWorm), a cryptominer slipped into Hola Browser, and a Magecart skimmer hosted inside Stripe each hide in traffic defenders are inclined to allow.
Cyber Attacks
Hunt.io found that a threat actor called PCPJack hijacked about 230 AWS, Google Cloud and Azure servers into a covert SMTP relay network — quietly converting business servers into verified mail proxies synced to a downstream consumer every five minutes.
Vulnerabilities
Cisco warns that CVE-2026-20245, a zero-day in Catalyst SD-WAN Manager, is being exploited to gain root, with no patch available. Exploitation needs netadmin access — obtainable by chaining CVE-2026-20182 — making it Cisco's seventh exploited SD-WAN zero-day of 2026.
Critical Infrastructure
CISA, the FBI, NSA, Department of Energy and other US agencies warn that hackers are targeting internet-exposed automatic tank gauge (ATG) systems that monitor fuel storage, modifying device settings via command execution. The fix: get them off the public internet.
Vulnerabilities
Two more plugin RCEs are under active exploitation: Everest Forms Pro CVE-2026-3300 (CVSS 9.8), a PHP-injection flaw Wordfence has blocked tens of thousands of times, and Magento's Mirasvit Cache Warmer CVE-2026-45247 (CVSS 9.8), now added to CISA's KEV catalog.
Vulnerabilities
Cisco patched CVE-2026-20230, an unauthenticated server-side request forgery flaw in Unified Communications Manager that lets a network attacker write files and escalate to root. Public proof-of-concept code is already out; Cisco's PSIRT reports no in-the-wild exploitation yet.
Vulnerabilities
Belgium's national cybersecurity authority warned on May 29 that CVE-2026-41089, a critical pre-auth buffer-overflow RCE in Windows Netlogon, is now being exploited against unpatched domain controllers. Microsoft patched the flaw in its May 12 Patch Tuesday release.
Vulnerabilities
CVE-2026-8732, a CVSS 9.8 flaw in the WP Maps Pro WordPress plugin, lets any unauthenticated attacker mint an administrator account on 15,000 affected sites. Wordfence blocked 2,858 exploitation attempts in a single 24-hour window. Patch is in v6.1.1.
Cyber Attacks
Dutch Politie and NCSC-NL took down 200 Netherlands-based servers running Asocks, a residential proxy service built from at least 17 million infected consumer devices. The takedown weakens the IP-reputation assumptions every defender relies on.
Vulnerabilities
Obsidian Security published proof-of-concept code on May 30, 2026 for CVE-2026-40933, a CVSS 10.0 remote code execution flaw in Flowise. A malicious chatflow import owns the server. Patch 3.1.0 contains the fix.
Vulnerabilities
Palo Alto Networks has confirmed that attackers are actively exploiting CVE-2026-0257, an authentication-bypass flaw in PAN-OS GlobalProtect that lets them set up VPN sessions on internet-facing firewalls with no credentials. Rapid7 has observed successful intrusions.
Vulnerabilities
A new Linux kernel LPE called CIFSwitch lets unprivileged local users forge a cifs.spnego key description and hijack the kernel key-request mechanism, getting cifs.upcall to run attacker-controlled NSS code as root. PoC is public; CVE assignment is pending.