Cyber Threat Brief — June 5 2026
1. Cisco Unified CM SSRF-to-Root — CVE-2026-20230
TL;DR: Public PoC exploit code dropped June 3-4 for CVE-2026-20230 (CVSS 8.6) — an unauthenticated SSRF in Cisco Unified CM WebDialer that chains file write to root-level privilege escalation. No ITW exploitation yet, but weaponization is imminent.
What’s New:
- SSRF in WebDialer /webdialer/ endpoint on port 8443 — crafted HTTP request forces server to write attacker-controlled files to arbitrary filesystem paths
- Exploitation chain: SSRF → loopback adapter redirect → write to /etc/cron.d/ → root shell
- Working PoC circulated publicly within hours of Cisco’s June 3 advisory
- Affects Unified CM and Unified CM SME; only exploitable when WebDialer service is enabled (“Started” status in Serviceability)
- Fixed in Unified CM 14SU6; version 15 interim COP patch available (15SU5 full fix September 2026)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| GET/POST /webdialer/ with loopback URLs in parameters | TTP | T1190, T1610 | Web access logs (port 8443) | Hunt for SSRF patterns targeting localhost/127.0.0.1 |
| New files in /etc/cron.d/ | IOC | T1053.003 | FIM / auditd | Alert on unexpected cron file creation |
| WebDialer service status “Started” | Exposure | — | Cisco Unified Serviceability | Audit; disable if not required |
| Outbound connections from Unified CM to unexpected IPs | TTP | T1071 | Firewall / netflow | Monitor for C2 post-exploitation |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Unified CM SSRF rule; need custom SPL for port 8443 access log anomalies |
| Elastic | None | No coverage; custom rule for WebDialer HTTP anomalies needed |
| Sigma | None | No coverage; community rule for web server cron.d file creation needed |
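The hunt in the table above (loopback targets in /webdialer/ request parameters) as a runnable log-scanning example; this is added illustration, not Cisco's or any vendor's code. The log lines are constructed, and the sub-path and parameter names after /webdialer/ are assumptions, since the brief only names the endpoint prefix.

```python
import re
import ipaddress
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed combined-format access-log lines; paths and parameter names after
# /webdialer/ are assumptions for illustration.
SAMPLE_LOG = """\
10.1.2.3 - - [04/Jun/2026:10:15:01 +0000] "GET /webdialer/Webdialer?url=https://127.0.0.1:8443/ HTTP/1.1" 200 512
10.1.2.4 - - [04/Jun/2026:10:15:02 +0000] "GET /webdialer/Webdialer?dest=1001 HTTP/1.1" 200 812
10.1.2.5 - - [04/Jun/2026:10:15:03 +0000] "POST /webdialer/Webdialer?target=http%3A%2F%2Flocalhost%2Fx HTTP/1.1" 302 0
10.1.2.6 - - [04/Jun/2026:10:15:04 +0000] "GET /ccmadmin/ HTTP/1.1" 200 4096
10.1.2.7 - - [04/Jun/2026:10:15:05 +0000] "GET /webdialer/Webdialer?u=http://[::1]/ HTTP/1.1" 200 100
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def _is_loopback_host(host):
    """True for localhost names and any IPv4/IPv6 loopback address."""
    h = host.strip("[]").lower()
    if h == "localhost" or h.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(h).is_loopback
    except ValueError:
        return False

def loopback_targets(query):
    """Return (param, value) pairs whose value points at a loopback host."""
    hits = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        candidate = unquote(value)  # second decode catches double-encoded values
        # A value may be a full URL or a bare host[:port]/path; handle both.
        host = urlsplit(candidate).hostname if "://" in candidate else candidate.split("/")[0]
        if host and _is_loopback_host(host):
            hits.append((key, candidate))
    return hits

def hunt_webdialer_ssrf(log_text):
    """Flag requests under /webdialer/ whose parameters reference a loopback host."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().startswith("/webdialer/"):
            continue
        hits = loopback_targets(url.query)
        if hits:
            findings.append({"src": m["ip"], "ts": m["ts"], "method": m["method"], "params": hits})
    return findings
```

Run it against the port-8443 access log export; any hit is worth pivoting to FIM or auditd events for /etc/cron.d/ from the same window.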
Sources: BleepingComputer, The Hacker News, Cisco Advisory, CyberSecurityNews
2. Cisco SD-WAN Manager CLI Zero-Day — CVE-2026-20245
TL;DR: Mandiant reported active exploitation of CVE-2026-20245 (CVSS 7.8) to Cisco in June — an authenticated CLI privilege escalation to root in SD-WAN Manager. No patch or workaround available. This is the 7th SD-WAN zero-day of 2026.
What’s New:
- Insufficient input validation in SD-WAN Manager CLI allows local netadmin-privilege users to execute arbitrary commands as root
- Exploitation observed ITW: unauthorized configuration changes pushed to SD-WAN edge devices
- Affects all deployment types: On-Prem, Cloud-Pro, Cloud (Cisco Managed), FedRAMP
- No patch available; Cisco plans fix in future release
- Check /var/log/scripts.log for attempts to upload tenant config data to vSmart controllers
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Anomalous entries in /var/log/scripts.log | IOC | T1059 | SD-WAN Manager syslog | Hunt for tenant config upload attempts to vSmart |
| Unauthorized config changes on edge devices | TTP | T1565.002 | SD-WAN vManage audit logs | Alert on unexpected policy/config pushes |
| CLI sessions from non-standard users | TTP | T1078 | SD-WAN Manager auth logs | Monitor netadmin account usage patterns |
| vSmart controller receiving unexpected tenant data | TTP | T1021 | SD-WAN control plane logs | Alert on anomalous tenant config uploads |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No SD-WAN Manager CLI abuse rule; need custom SPL for scripts.log anomalies |
| Elastic | None | No coverage for SD-WAN Manager |
| Sigma | None | No coverage; need syslog-based rule for SD-WAN CLI escalation patterns |
Sources: BleepingComputer, CyberPress, Cisco Advisory
3. Kirki WordPress Plugin Account Takeover — CVE-2026-8206
TL;DR: CVE-2026-8206 (CVSS 9.8) enables unauthenticated admin account takeover on 500K+ WordPress sites via a broken password reset flow. Wordfence blocked 222+ attacks in the past 24 hours. Patch to 6.0.7 immediately.
What’s New:
- handle_forgot_password accepts attacker-controlled email with valid username — reset link sent to attacker’s inbox
- Single HTTP request: supply known username + attacker email → full admin account takeover
- No authentication, no user interaction, trivially exploitable at scale
- ~150,000 sites running vulnerable versions (6.0.0–6.0.6 of Kirki Freeform Page Builder)
- Fixed in version 6.0.7
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST to /wp-admin/admin-ajax.php with action=kirki_forgot_password | TTP | T1190 | WAF / web access logs | Block requests with mismatched email parameter |
| Rapid password reset requests with varying email addresses | TTP | T1110 | WordPress application logs | Alert on password reset abuse patterns |
| New admin accounts created after reset exploitation | IOC | T1136.001 | WordPress user audit / DB | Monitor for unexpected admin account creation |
| Webshell uploads post-takeover (*.php in wp-content/uploads/) | IOC | T1505.003 | FIM | Alert on PHP file creation in uploads dir |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator (generic, post-exploitation) | No WordPress password reset abuse rule |
| Elastic | None | No coverage for WordPress plugin-specific attacks |
| Sigma | None | Need WAF/web log rule for kirki_forgot_password action abuse |
Sources: BleepingComputer, CyberSecurityNews, Patchstack
4. HTTP/2 HPACK Bomb — CVE-2026-49975
TL;DR: A single client on 100 Mbps can exhaust 32GB of server RAM in ~20 seconds by abusing HTTP/2 HPACK indexed references with zero-byte flow-control windows. PoC public. nginx and Apache patched; IIS, Envoy, and Cloudflare Pingora remain vulnerable.
What’s New:
- One byte on the wire → thousands of bytes server-side (Envoy 5,700:1 amplification, Apache 4,000:1)
- Attack: insert header into HPACK dynamic table once, reference it thousands of times per request, hold server with zero-byte flow-control window preventing memory release
- Default HTTP/2 configurations vulnerable — no special server settings required
- PoC released June 2 by Calif Security Research (Quang Luong)
- Patched: nginx 1.29.8 (max_headers directive), Apache mod_http2 2.0.41. Unpatched: IIS, Envoy, Cloudflare Pingora
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| HTTP/2 connections with thousands of HPACK indexed references per request | TTP | T1499.001 | Reverse proxy / load balancer logs | Rate-limit HPACK dynamic table references |
| Single client holding zero-byte WINDOW_UPDATE | TTP | T1499.001 | HTTP/2 debug logs | Alert on connections with stalled flow control |
| Sudden memory exhaustion on web frontends | Impact | T1499.001 | Infrastructure monitoring (Prometheus/Datadog) | Alert on RAM spike correlating with HTTP/2 connections |
| Requests with abnormally high header count but low wire bytes | TTP | T1499.001 | WAF / HTTP/2 frame inspection | Detect header amplification ratio anomalies |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No HTTP/2 protocol abuse rules |
| Elastic | None | No HPACK-specific detection |
| Sigma | None | Need rule for HTTP/2 flow-control stall + memory exhaustion correlation |
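The two detection signals the tables above call for (header amplification ratio and a stalled zero-byte flow-control window) correlated per connection, as an added example that is not from the brief's sources or any vendor. The per-connection counters are an assumed export from a frame-inspecting proxy, the thresholds are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass

@dataclass
class H2ConnStats:
    """Per-connection HTTP/2 counters; assumed export format, not a real proxy schema."""
    client: str
    wire_bytes: int             # bytes received for HEADERS/CONTINUATION frames
    decoded_header_bytes: int   # bytes the HPACK decoder produced from those frames
    header_fields: int          # header fields decoded across all streams
    recv_window: int            # client-advertised flow-control window at last sample
    window_stall_secs: float    # how long recv_window has stayed at zero

# Assumed thresholds; a normal browser request decodes to a few times its wire size,
# while the brief cites 4,000:1 to 5,700:1 for the bomb.
AMPLIFICATION_LIMIT = 50.0
STALL_LIMIT_SECS = 10.0

def amplification_ratio(s):
    """Decoded header bytes per wire byte (the HPACK amplification factor)."""
    return s.decoded_header_bytes / max(s.wire_bytes, 1)

def classify(s):
    """Return the list of signals a connection triggers; both together match the bomb."""
    reasons = []
    if amplification_ratio(s) > AMPLIFICATION_LIMIT:
        reasons.append("hpack_amplification")
    if s.recv_window == 0 and s.window_stall_secs >= STALL_LIMIT_SECS:
        reasons.append("flow_control_stall")
    return reasons

def find_hpack_bomb_candidates(stats):
    """Alert tuples (client, ratio, reasons) for every connection with at least one signal."""
    alerts = []
    for s in stats:
        reasons = classify(s)
        if reasons:
            alerts.append((s.client, round(amplification_ratio(s), 1), reasons))
    return alerts

# Constructed sample: one bomb-like connection, one normal browser, one brief stall.
SAMPLE = [
    H2ConnStats("198.51.100.7", 1200, 6_900_000, 48000, 0, 22.0),
    H2ConnStats("203.0.113.9", 4200, 9800, 60, 65535, 0.0),
    H2ConnStats("203.0.113.10", 900, 52000, 400, 0, 1.5),
]
```

Connections that trip both signals are the ones to terminate first; a stall alone is common on slow clients, so treat it as a correlation input rather than a standalone alert.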
Sources: BleepingComputer, SecurityWeek, Calif Blog, Imperva
Status Updates
- CVE-2025-48595 (Android Framework): Federal CISA KEV deadline TODAY June 5. Limited targeted exploitation ongoing. Original brief.
- CVE-2026-42208 (BerriAI LiteLLM Proxy): Federal CISA KEV deadline TODAY June 5. SQLi exploitation ongoing from AS200373. Original brief.
- CVE-2026-41089 (Windows Netlogon): ITW exploitation ongoing via CLDAP oversized packets to DCs. No new artifacts. Original brief.