Cyber Threat Brief — June 6 2026
1. Windows Netlogon 0-Click RCE — CVE-2026-41089
TL;DR: CVE-2026-41089 (CVSS 9.8) is a pre-auth stack buffer overflow in Windows Netlogon giving unauthenticated attackers SYSTEM-level RCE on domain controllers via a single malformed packet. Belgium’s CCB confirmed active exploitation June 1; PoC is public.
What’s New:
- Stack-based buffer overflow in `BuildSamLogonResponse`; a single crafted network packet, no credentials or user interaction required
- Affects all Windows Server 2012 R2 through 2025 acting as domain controllers
- PoC exploit code shared publicly by security researchers; Belgium CCB confirmed ITW exploitation June 1
- Post-exploitation path: DC compromise → forest-wide takeover (“half-patched forests are not a defensible state”)
- Patched in May 2026 Patch Tuesday — all DCs in forest must be patched in the same maintenance window
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Netlogon service crash/restart | Event | T1210 | Windows System log EID 7031 (Service Control Manager). On a DC the Netlogon service is hosted inside lsass.exe, so a crash can also surface as an LSASS termination with a forced reboot (EID 1074 naming lsass.exe, followed by EID 6008) | Alert on unexpected Netlogon service recovery and on unplanned DC reboots |
| Anomalous Netlogon traffic from non-DC IPs | Network | T1210 | Zeek dce_rpc.log / Suricata. MS-NRPC is reached either over SMB 445 via the NETLOGON named pipe or on a dynamic TCP port resolved through the endpoint mapper on 135, so filter on the decoded RPC interface (netlogon), not on port 135 alone | Hunt for Netlogon RPC from sources outside the domain-joined inventory; member servers and workstations use Netlogon legitimately (secure channel, NTLM pass-through), so baseline before alerting |
| Abnormally long ComputerName strings in Netlogon | Network | T1210 | Suricata (community sig) | Deploy Suricata signature for oversized ComputerName |
| Auth failures + domain trust errors post-suspicious traffic | Event | T1210 | Windows Security log | Correlate auth failures with preceding anomalous Netlogon |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need Netlogon service crash correlation + non-DC source traffic rule |
| Elastic | None | Need anomalous Netlogon traffic detection |
| Sigma | Community rule for CVE-2026-41089 Netlogon event anomalies | Convert and deploy; gaps in network-level detection |
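The two gaps in the table above (a Netlogon crash correlation and a non-DC-source traffic rule) can be covered with a small hunt script. The following is an added example written for this brief, not Microsoft, Zeek or vendor code: it parses Zeek's dce_rpc.log, keeps Netlogon RPC calls to a DC from sources outside an expected-sources set, and pairs them with a Service Control Manager EID 7031 for Netlogon on the same DC within a short window. The DC inventory, the Zeek rows and the Windows events are constructed for illustration; in production the expected-sources set should come from the domain-joined machine inventory, because member hosts talk Netlogon legitimately.

```python
"""Hunt for Netlogon RPC from unexpected sources in Zeek dce_rpc.log and
correlate it with Service Control Manager EID 7031 (Netlogon terminated
unexpectedly) on the targeted DC.

Added example for this brief, not Microsoft, Zeek or vendor code. The DC
inventory, the Zeek rows and the Windows events below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumption (constructed): domain controllers, IP -> hostname.
DC_HOSTS = {"10.0.0.10": "DC01", "10.0.0.11": "DC02"}

# Constructed Zeek dce_rpc.log excerpt in Zeek's TSV layout: column names
# come from the "#fields" line, other "#" lines are metadata.
ZEEK_DCE_RPC = "\n".join("\t".join(r) for r in [
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h",
     "id.resp_p", "rtt", "named_pipe", "endpoint", "operation"),
    # DC02 -> DC01 secure channel traffic: expected.
    ("1780732800.100", "C1", "10.0.0.11", "49700", "10.0.0.10", "49671",
     "0.001", "-", "netlogon", "NetrServerReqChallenge"),
    # A host outside the inventory speaking Netlogon to DC01 over the pipe.
    ("1780732805.200", "C2", "10.0.5.23", "51003", "10.0.0.10", "445",
     "0.002", "\\pipe\\NETLOGON", "netlogon", "NetrServerReqChallenge"),
    ("1780732805.300", "C3", "10.0.5.23", "51003", "10.0.0.10", "445",
     "0.002", "\\pipe\\NETLOGON", "netlogon", "NetrLogonSamLogonEx"),
    # Different RPC interface on the same port: must not fire.
    ("1780732900.000", "C4", "10.0.7.8", "52000", "10.0.0.10", "445",
     "0.003", "\\pipe\\srvsvc", "srvsvc", "NetrShareEnum"),
]) + "\n"

# Constructed Windows System log events, already normalized to dicts.
EVENTS = [
    {"time": "2026-06-06T08:00:09Z", "host": "DC01", "event_id": 7031,
     "provider": "Service Control Manager", "service": "Netlogon"},
    {"time": "2026-06-06T09:15:00Z", "host": "DC01", "event_id": 7031,
     "provider": "Service Control Manager", "service": "Spooler"},
]


def parse_zeek_log(text):
    """Parse a Zeek TSV log into dicts, taking column names from '#fields'."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def netlogon_from_unexpected_sources(rows, expected_sources):
    """Netlogon RPC calls to a DC whose client is not in the expected set.
    Match on the decoded RPC interface, not the port: Netlogon arrives over
    the NETLOGON pipe on 445 or on a dynamic port learned via EPM (135)."""
    return [r for r in rows
            if r["endpoint"] == "netlogon"
            and r["id.resp_h"] in DC_HOSTS
            and r["id.orig_h"] not in expected_sources]


def netlogon_crashes(events):
    """EID 7031 from Service Control Manager where the service is Netlogon."""
    return [e for e in events
            if e["event_id"] == 7031
            and e["provider"] == "Service Control Manager"
            and e["service"].lower() == "netlogon"]


def correlate(rpc_hits, crashes, window=timedelta(seconds=60)):
    """Pair each suspicious RPC call with a Netlogon crash on the same DC
    that happened within `window` after the call."""
    alerts = []
    for r in rpc_hits:
        t_rpc = datetime.fromtimestamp(float(r["ts"]), tz=timezone.utc)
        for c in crashes:
            t_crash = datetime.fromisoformat(c["time"].replace("Z", "+00:00"))
            delta = (t_crash - t_rpc).total_seconds()
            if c["host"] == DC_HOSTS[r["id.resp_h"]] and 0 <= delta <= window.total_seconds():
                alerts.append({"source": r["id.orig_h"], "dc": c["host"],
                               "operation": r["operation"],
                               "rpc_ts": t_rpc.isoformat(), "crash_ts": c["time"]})
    return alerts


def run_hunt(zeek_text=ZEEK_DCE_RPC, events=EVENTS, expected_sources=frozenset(DC_HOSTS)):
    """Full pipeline: parse, filter to unexpected Netlogon clients, correlate with 7031."""
    hits = netlogon_from_unexpected_sources(parse_zeek_log(zeek_text), expected_sources)
    return correlate(hits, netlogon_crashes(events))


if __name__ == "__main__":
    for alert in run_hunt():
        print(alert)
```

Run as a script it prints two alerts for 10.0.5.23 against DC01; widening `expected_sources` to include that host silences them, which is the tuning knob to set from the asset inventory rather than from a static DC list.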
Sources: Help Net Security, BleepingComputer, CybersecurityNews
2. Magento Mirasvit Cache Warmer RCE — CVE-2026-45247
TL;DR: CVE-2026-45247 (CVSS 9.8) is an unauthenticated PHP Object Injection in Mirasvit Full Page Cache Warmer for Magento 2, exploitable via a crafted CacheWarmer cookie. CISA added to KEV; Imperva confirms active exploitation attempts.
What’s New:
- Unsafe `unserialize()` on attacker-controlled data from the `CacheWarmer` cookie; no auth, no admin session required
- Existing Magento gadget chains escalate PHP Object Injection to full RCE
- CISA added to KEV catalog based on confirmed active exploitation
- Imperva observed serialized PHP object payloads in the wild targeting Magento storefronts
- Fixed in Mirasvit Full Page Cache Warmer version 1.11.12
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| CacheWarmer cookie whose value starts with (Tz\|Qz\|YT), the base64 encodings of the PHP serialization tags O:, C:, a: | HTTP | T1190 | WAF / web proxy logs | Block/alert on CacheWarmer cookie with serialized PHP patterns; also cover URL-encoded and raw (unencoded) O:/C:/a: values, and decode before deciding, since the prefix alone is a lead, not proof |
| POST requests to Magento storefront with crafted cookies | HTTP | T1190 | Web server access logs | Hunt for oversized or encoded CacheWarmer cookie values |
| PHP gadget chain execution (file writes, shell spawns) | Endpoint | T1059.004 | Sysmon / auditd | Alert on php-fpm spawning shell or writing to webroot |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator (generic) | Need Magento-specific CacheWarmer cookie deserialization rule |
| Elastic | None | Need PHP deserialization via cookie detection |
| Sigma | None | Need WAF/proxy rule for serialized PHP in cookie headers |
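The missing cookie-deserialization rule from the table above, as an added example written for this brief (not Mirasvit's or Magento's code): it parses the Cookie header the way the application would see it (URL-decoded), tries the raw value and its base64 decoding, and only reports when the bytes open with a PHP serialization type tag, so the (Tz|Qz|YT) prefix is confirmed rather than trusted. The requests in `SAMPLES` are constructed.

```python
"""Detect CacheWarmer cookies that carry serialized PHP, the CVE-2026-45247
vector, in a form a WAF prefix regex alone gets wrong.

Added example for this brief, not Mirasvit's or Magento's code. The requests
in SAMPLES are constructed.
"""
import base64
import binascii
import re
from urllib.parse import quote, unquote

COOKIE_NAME = "CacheWarmer"

# PHP serialization starts with a type tag. Objects (O:) and custom-serialized
# objects (C:) are what reach __wakeup/__destruct gadgets; arrays (a:) can
# wrap them. Class names may contain namespace backslashes.
PHP_SERIALIZED = re.compile(rb'^[OC]:\d+:"[A-Za-z0-9_\\]+"|^a:\d+:\{')
CLASS_NAME = re.compile(rb'^[OC]:\d+:"([^"]+)"')
# Why the brief's (Tz|Qz|YT) prefix works: base64("O:") = "Tzo=",
# base64("C:") = "Qzo=", base64("a:") = "YTo=". A prefix hit is a lead, not proof.


def parse_cookie_header(header):
    """Split 'a=1; b=2' into a dict, URL-decoding each value."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = unquote(value)
    return cookies


def decode_candidates(value):
    """Yield (encoding, bytes) pairs the server could end up unserialize()ing."""
    yield "raw", value.encode("latin-1", "replace")
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped '=' padding
    try:
        yield "base64", base64.b64decode(padded)
    except (binascii.Error, ValueError):
        return


def inspect_cookie(value):
    """Return a finding when the cookie value is serialized PHP, else None."""
    for encoding, blob in decode_candidates(value):
        if PHP_SERIALIZED.match(blob):
            tag = blob[:1].decode()
            cls = CLASS_NAME.match(blob)
            return {"encoding": encoding, "type": tag,
                    "class": cls.group(1).decode("latin-1") if cls else None,
                    "length": len(blob)}
    return None


def scan_request(headers):
    """Inspect one request's headers; None when there is no CacheWarmer cookie or it is benign."""
    cookie = parse_cookie_header(headers.get("Cookie", "")).get(COOKIE_NAME)
    return None if cookie is None else inspect_cookie(cookie)


# Constructed payloads and requests (stdClass stands in for a real gadget class).
OBJ_PAYLOAD = b'O:8:"stdClass":1:{s:1:"x";s:4:"test";}'
ARR_PAYLOAD = b'a:1:{i:0;O:8:"stdClass":0:{}}'
SAMPLES = {
    "benign":            {"Cookie": "CacheWarmer=1; PHPSESSID=abc"},
    "b64-object":        {"Cookie": "CacheWarmer=" + base64.b64encode(OBJ_PAYLOAD).decode()},
    "urlenc-b64-array":  {"Cookie": "CacheWarmer=" + quote(base64.b64encode(ARR_PAYLOAD).decode(), safe="")},
    "raw-object":        {"Cookie": "CacheWarmer=" + quote(OBJ_PAYLOAD.decode(), safe="")},
    "other-cookie-only": {"Cookie": "form_key=xyz"},
}


def scan_samples(samples=SAMPLES):
    """Run the check over every constructed request; returns name -> finding or None."""
    return {name: scan_request(headers) for name, headers in samples.items()}


if __name__ == "__main__":
    for name, finding in scan_samples().items():
        print(f"{name:20} {finding}")
```

Checking the raw form first matters: the vulnerable call path takes whatever string the cookie holds, so a payload that is not base64 at all must still be caught, and base64-decoding arbitrary text can produce bytes that never match the tag regex, which is why a decode that "succeeds" is not treated as evidence on its own.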
Sources: The Hacker News, Sansec, Imperva
3. Miasma Worm Hits Microsoft GitHub — Supply Chain Expansion
TL;DR: The Miasma npm supply chain worm expanded to Microsoft’s GitHub organizations on June 5, disabling 73 repositories across four Azure orgs after a compromised contributor account pushed malicious commits.
What’s New:
- Malicious commit pushed to `Azure/durabletask` via previously compromised contributor account, then self-propagated
- GitHub disabled 73 repositories across 4 Microsoft GitHub organizations
- Same “Phantom Gyp” technique: `binding.gyp` triggers code execution during `npm install`, bypassing install-script security checks
- Credential exfil to GitHub account `liuende501` (236 repos as dead-drops); stolen creds uploaded as encrypted JSON to `results/` directories
- Repositories created by malware carry description “Miasma: The Spreading Blight”; use as fingerprint
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| GitHub user liuende501 repos | Exfil endpoint | T1567.001 | GitHub audit logs | Block/alert on any interaction with liuende501 repos |
| Repo description “Miasma: The Spreading Blight” | Fingerprint | T1204.003 | GitHub API / audit logs | Scan org repos for this description string |
| binding.gyp in unexpected npm packages | Supply chain | T1195.002 | CI/CD build logs | Audit dependencies for a binding.gyp with no native sources to compile or with command expansions in the gyp file |
| Commits from compromised accounts to Azure/* repos | Persistence | T1098 | GitHub audit logs | Review recent commits to forked/upstream Azure repos |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need GitHub audit log correlation for anomalous commit patterns |
| Elastic | None | Need npm install binding.gyp execution monitoring |
| Sigma | None | Need CI/CD pipeline supply chain integrity rules |
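The `binding.gyp` audit from the Actionable Intel table, as an added example written for this brief (not StepSecurity, Wiz or Microsoft tooling): it walks a node_modules tree, and for every package carrying a `binding.gyp` records whether package.json declares an install/preinstall script, whether the package contains any native sources at all, and whether the gyp file uses GYP command expansions (`<!(...)`, `<!@(...)`) or an `actions` list, both of which node-gyp executes. The two packages it scans are constructed and written to a temporary directory; their names are placeholders. A real native addon normally has no install script either (npm's implicit `node-gyp rebuild` is the norm), so that signal alone is context, and only the other two mark a package suspicious.

```python
"""Audit node_modules for "Phantom Gyp" packages: a binding.gyp that makes npm
run node-gyp at install time with no install script in package.json to review.

Added example for this brief, not StepSecurity, Wiz or Microsoft tooling. The
two packages it scans are constructed and written to a temporary directory.

Signals per package (a legitimate native addon also has no install script, so
that one alone is context, not an alert):
  no_install_script  no install/preinstall script, so npm's implicit
                     `node-gyp rebuild` is the only thing that runs the gyp file
  no_native_sources  nothing to compile (.c/.cc/.cpp/.h ...) anywhere in the package
  gyp_runs_commands  '<!(...)' / '<!@(...)' command expansions or an 'actions'
                     list in binding.gyp, both executed by node-gyp
"""
import json
import os
import re
import tempfile
from pathlib import Path

NATIVE_EXT = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp", ".mm"}
GYP_COMMAND = re.compile(r"<!")   # <!(cmd), <!@(cmd), <!pymod_do_main(...)
GYP_ACTIONS = re.compile(r"""['"]actions['"]\s*:""")


def audit_package(pkg_dir):
    """Return {package, reasons, suspicious} for a package with a binding.gyp, else None."""
    pkg_dir = Path(pkg_dir)
    gyp = pkg_dir / "binding.gyp"
    if not gyp.is_file():
        return None
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text())
    except (OSError, ValueError):
        manifest = {}
    reasons = []
    if not {"install", "preinstall"} & set(manifest.get("scripts", {})):
        reasons.append("no_install_script")
    if not any(p.suffix in NATIVE_EXT for p in pkg_dir.rglob("*") if p.is_file()):
        reasons.append("no_native_sources")
    text = gyp.read_text(errors="replace")
    if GYP_COMMAND.search(text) or GYP_ACTIONS.search(text):
        reasons.append("gyp_runs_commands")
    return {"package": manifest.get("name", pkg_dir.name),
            "reasons": reasons,
            "suspicious": bool({"no_native_sources", "gyp_runs_commands"} & set(reasons))}


def audit_node_modules(root):
    """Walk a node_modules tree (scoped and nested packages included)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "binding.gyp" in files and "package.json" in files:
            findings.append(audit_package(dirpath))
    return sorted(findings, key=lambda f: f["package"])


def build_fixture(root):
    """Write two constructed packages under root/node_modules and return that path."""
    nm = Path(root) / "node_modules"
    good = nm / "good-addon"                       # genuine native addon
    (good / "src").mkdir(parents=True)
    (good / "src" / "addon.cc").write_text("// native code\n")
    (good / "package.json").write_text(json.dumps(
        {"name": "good-addon", "version": "1.0.0", "gypfile": True}))
    (good / "binding.gyp").write_text(
        "{'targets': [{'target_name': 'addon', 'sources': ['src/addon.cc']}]}\n")
    bad = nm / "@example" / "string-utils"         # pure-JS package carrying a gyp file
    bad.mkdir(parents=True)
    (bad / "package.json").write_text(json.dumps(
        {"name": "@example/string-utils", "version": "4.2.0", "main": "index.js"}))
    (bad / "index.js").write_text("module.exports = (s, n) => s.padStart(n);\n")
    (bad / "binding.gyp").write_text(
        "{'variables': {'boot': '<!(node lib/stage.js)'}, 'targets': []}\n")
    return nm


def demo():
    """Build the fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_node_modules(build_fixture(tmp))


if __name__ == "__main__":
    for f in demo():
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['package']}: {', '.join(f['reasons'])}")
```

Pointed at a real checkout, call `audit_node_modules("node_modules")` after install and fail the pipeline on any `suspicious` finding; the CI/CD build log is the right place for the output, which is the log source the table names. A package that only trips `no_install_script` is what every ordinary native addon looks like and should not page anyone.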
Sources: The Hacker News, StepSecurity, Wiz
Status Updates
- CVE-2026-20245 (Cisco SD-WAN Manager): Still no patch available; 7th SD-WAN zero-day of 2026 with confirmed ITW exploitation and config push to edge devices. Original brief.
- CVE-2026-20230 (Cisco Unified CM): PoC public since June 3-4; no ITW exploitation confirmed yet; patch available (14SU6). Original brief.
- CVE-2026-42208 (LiteLLM): Federal CISA KEV deadline passed June 5. No new artifacts. Original brief.