Cyber Threat Brief — June 7 2026
⚠️ This report is AI-generated. Always validate findings.
1. Everest Forms Pro WordPress RCE — CVE-2026-3300
TL;DR: CVE-2026-3300 (CVSS 9.8) is an unauthenticated RCE in the Everest Forms Pro WordPress plugin’s Calculation Addon. Active exploitation ongoing since April 13 with 29,300+ blocked attempts; attackers creating rogue admin accounts via eval() injection through public-facing forms.
What’s New:
- process_filter() in the Calculation Addon concatenates user-submitted form field values into a PHP string that is passed to eval(); sanitize_text_field() does not escape single quotes, so a value containing a single quote can close the string literal and the rest of the value is evaluated as PHP
- Any string-type form field (text, email, URL, select, radio) is an injection vector when Complex Calculation is enabled
- Primary campaign creates the admin account diksimarina ([email protected]) on compromised sites
- 29,300+ exploit attempts blocked to date; 16 attempts in the last 24 hours per Wordfence telemetry
- Patched in version 1.9.13 (March 18 2026); ~4,000 active installs, unknown patch adoption
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 202.56.2[.]126 | IPv4 | T1190 | WAF / web access logs | Block at perimeter |
| 209.146.60[.]26 | IPv4 | T1190 | WAF / web access logs | Block at perimeter |
| POST /wp-admin/admin-ajax.php (with calc payload) | HTTP | T1190 | WAF / web access logs | Alert on eval-pattern payloads in form submissions |
| Admin account diksimarina / [email protected] | Account | T1136.001 | WordPress user table / audit log | Hunt for unauthorized admin creation |
| Shell or interpreter spawned by the PHP worker (php-fpm / apache2) after eval() in wp-content/plugins/everest-forms-pro/ | Process | T1059.004 | EDR / Sysmon process-creation events | Alert on web-server workers spawning shells; eval() itself runs in-process and produces no process event, so the plugin path has to come from web-server or PHP error logs |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need WordPress admin account creation anomaly rule |
| Elastic | None | Need PHP eval() injection via form submission detection |
| Sigma | None | No coverage for WordPress Calculation Addon eval injection |
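None of the rule sources above cover this pattern, so the following is an added starting point for this brief (not code from Wordfence, the plugin vendor or the cited articles): it scores form field values in POSTs to admin-ajax.php for the eval() break-out described under What's New, and hunts a WordPress user export for administrator accounts that are not on an allowlist. The AJAX action name, the form_fields[...] parameter names, the payload and the user records are constructed placeholders; the indicator regexes are heuristics, not the plugin's actual code path.

```python
"""Starting-point detections for CVE-2026-3300-style eval() injection through
Everest Forms Pro submissions. Added example for this brief; not code from
Wordfence, the plugin vendor or the cited articles. The AJAX action, field
names, payload and user export below are constructed placeholders."""
from __future__ import annotations
import re
from urllib.parse import parse_qs, urlencode

# Heuristics (assumption): injected PHP must first close the single-quoted
# string literal that process_filter() builds (sanitize_text_field() leaves
# single quotes intact), then call PHP/WordPress functions.
QUOTE_BREAKOUT = re.compile(r"'\s*[;.)]")
PHP_CALLS = re.compile(
    r"\b(wp_insert_user|wp_create_user|wp_update_user|eval|system|exec|shell_exec|"
    r"passthru|base64_decode|file_put_contents|assert)\s*\(",
    re.IGNORECASE,
)
PHP_MARKERS = re.compile(r"<\?php|\$_(GET|POST|REQUEST|COOKIE)\b|\badministrator\b", re.IGNORECASE)


def score_value(value: str) -> list[str]:
    """Names of the indicators that fire on one submitted field value."""
    hits = []
    if QUOTE_BREAKOUT.search(value):
        hits.append("quote_breakout")
    if PHP_CALLS.search(value):
        hits.append("php_call")
    if PHP_MARKERS.search(value):
        hits.append("php_marker")
    return hits


def inspect_submission(path: str, body: str) -> dict[str, list[str]]:
    """Return {field: indicators} for fields in a POST to admin-ajax.php that
    look like eval() injection. A quote break-out plus at least one other
    indicator is required, so ordinary apostrophes (O'Brien) do not alert."""
    if not path.startswith("/wp-admin/admin-ajax.php"):
        return {}
    flagged: dict[str, list[str]] = {}
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            hits = score_value(v)
            if "quote_breakout" in hits and len(hits) > 1:
                flagged[name] = hits
    return flagged


def find_unexpected_admins(users: list[dict], known_admins: set[str], since: str) -> list[dict]:
    """Administrator accounts that are not on the allowlist or were registered
    on/after `since` (ISO date). `users` mirrors a wp_users + wp_capabilities
    export with keys login, email, registered, roles (constructed shape)."""
    return [u for u in users if "administrator" in u["roles"]
            and (u["login"] not in known_admins or u["registered"] >= since)]


# Constructed samples, not captured traffic. "evf_submit" and "form_fields[...]"
# are placeholder names for the plugin's AJAX action and field parameters.
BENIGN_BODY = urlencode({"action": "evf_submit", "form_id": "12",
                         "form_fields[name]": "O'Brien", "form_fields[qty]": "3"})
MALICIOUS_BODY = urlencode({"action": "evf_submit", "form_id": "12",
                            "form_fields[name]": "x'; wp_insert_user(array("
                            "'user_login'=>'diksimarina','role'=>'administrator'));#"})
SAMPLE_USERS = [  # constructed export; the campaign's real e-mail is not reproduced here
    {"login": "siteowner", "email": "owner@example.com", "registered": "2024-02-01", "roles": ["administrator"]},
    {"login": "editor1", "email": "ed@example.com", "registered": "2025-06-10", "roles": ["editor"]},
    {"login": "diksimarina", "email": "unknown", "registered": "2026-04-14", "roles": ["administrator"]},
]

if __name__ == "__main__":
    print(inspect_submission("/wp-admin/admin-ajax.php", BENIGN_BODY))
    print(inspect_submission("/wp-admin/admin-ajax.php", MALICIOUS_BODY))
    print([u["login"] for u in find_unexpected_admins(SAMPLE_USERS, {"siteowner"}, "2026-04-13")])
```

Run it against decoded request bodies from the WAF or access log (the body must be available; URI-only logs will not show the payload) and against a periodic export of wp_users joined with wp_usermeta capabilities. The `since` date is the start of observed exploitation; tune the allowlist per site.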
Sources: BleepingComputer, The Hacker News, Wordfence
2. SolarWinds Serv-U DoS — CVE-2026-28318
TL;DR: CVE-2026-28318 (CVSS 7.5) is an unauthenticated DoS in SolarWinds Serv-U triggered by a crafted POST with Content-Encoding: deflate. CISA KEV added June 5 with June 19 federal deadline. 12,000+ Serv-U instances exposed per Shodan.
What’s New:
- Uncontrolled resource consumption (CWE-400): a malformed compressed payload in a POST request carrying a Content-Encoding: deflate header exhausts resources and crashes the Serv-U service
- No authentication required; a single HTTP request causes a complete service crash
- CISA KEV added June 5 2026, federal remediation deadline June 19
- 12,000+ Serv-U instances internet-exposed per Shodan
- SolarWinds historically targeted by nation-state actors (DEV-0322, Cl0p via CVE-2021-35211)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST requests with Content-Encoding: deflate to Serv-U | HTTP | T1499.004 | WAF / reverse proxy logs | Block Content-Encoding header on Serv-U endpoints (not required for normal operation) |
| Serv-U service crash/restart events | Event | T1499.004 | Windows Event Log (EID 7034/7036) | Alert on unexpected Serv-U service termination |
| Serv-U port exposure (TCP 21/22/443/8443) | Network | T1190 | Shodan / attack surface monitoring | Audit external exposure; restrict to known IPs |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need Serv-U service crash correlation rule |
| Elastic | None | No coverage for Serv-U DoS via Content-Encoding abuse |
| Sigma | None | Need HTTP Content-Encoding anomaly detection for file transfer services |
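As with the first item, no rule source covers this, so here is an added starting point for the Actionable Intel rows above (example code for this brief, not from SolarWinds or CISA): it flags POSTs carrying Content-Encoding: deflate to hosts inventoried as Serv-U and correlates them with Service Control Manager EID 7034 crash events within a short window, which yields the source IPs to block at the perimeter. The proxy log format, the Serv-U host inventory and the event records are constructed; the assumption is a reverse proxy that logs request headers as one JSON object per line and a Windows event export whose field names follow Get-WinEvent with timestamps normalized to ISO-8601 UTC.

```python
"""Detection starting points for CVE-2026-28318: flag POSTs that carry
Content-Encoding: deflate to a Serv-U listener and correlate them with Windows
Service Control Manager crash events (EID 7034). Added example for this brief,
not vendor or CISA code; the proxy log, host inventory and event records below
are constructed, not captured from a real deployment."""
from __future__ import annotations
import json
from datetime import datetime, timedelta

# Hosts fronting Serv-U (constructed inventory; assumption: the reverse proxy
# logs the Host header and request headers as JSON, one record per line).
SERVU_HOSTS = {"files.example.net"}

PROXY_LOG = """\
{"ts":"2026-06-06T10:14:02Z","src":"198.51.100.7","method":"GET","host":"files.example.net","path":"/","status":200,"headers":{"user-agent":"Mozilla/5.0"}}
{"ts":"2026-06-06T10:14:09Z","src":"203.0.113.45","method":"POST","host":"files.example.net","path":"/","status":502,"headers":{"Content-Encoding":"deflate","content-length":"4096"}}
{"ts":"2026-06-06T10:14:10Z","src":"203.0.113.45","method":"POST","host":"files.example.net","path":"/","status":502,"headers":{"content-encoding":"DEFLATE","content-length":"4096"}}
{"ts":"2026-06-06T10:20:00Z","src":"198.51.100.9","method":"POST","host":"files.example.net","path":"/","status":200,"headers":{"content-type":"multipart/form-data"}}
{"ts":"2026-06-06T10:21:00Z","src":"198.51.100.9","method":"POST","host":"intranet.example.net","path":"/api","status":200,"headers":{"content-encoding":"deflate"}}
"""

# System log records (constructed); field names follow Get-WinEvent output,
# timestamps normalized to ISO-8601 UTC before export.
SYSTEM_EVENTS = [
    {"TimeCreated": "2026-06-06T10:14:11Z", "Id": 7034,
     "Message": "The Serv-U service terminated unexpectedly.  It has done this 1 time(s)."},
    {"TimeCreated": "2026-06-06T10:14:40Z", "Id": 7036,
     "Message": "The Serv-U service entered the running state."},
    {"TimeCreated": "2026-06-06T09:00:00Z", "Id": 7034,
     "Message": "The Print Spooler service terminated unexpectedly.  It has done this 1 time(s)."},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_deflate_posts(log_text: str, servu_hosts: set[str]) -> list[dict]:
    """Access-log records that are POSTs to a Serv-U host with
    Content-Encoding: deflate (header name and value matched case-insensitively)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        headers = {k.lower(): str(v).lower() for k, v in rec.get("headers", {}).items()}
        if (rec["method"] == "POST" and rec["host"] in servu_hosts
                and "deflate" in headers.get("content-encoding", "")):
            hits.append(rec)
    return hits


def servu_crashes(events: list[dict]) -> list[datetime]:
    """Timestamps of EID 7034 (service terminated unexpectedly) for Serv-U."""
    return [parse_ts(e["TimeCreated"]) for e in events
            if e["Id"] == 7034 and "serv-u" in e["Message"].lower()]


def correlate(hits: list[dict], crashes: list[datetime],
              window_seconds: int = 60) -> list[tuple[str, str]]:
    """Pair each crash with the source IPs whose flagged POSTs arrived within
    `window_seconds` before it; these are the candidates to block at the perimeter."""
    window = timedelta(seconds=window_seconds)
    pairs = []
    for crash in crashes:
        srcs = sorted({h["src"] for h in hits
                       if crash - window <= parse_ts(h["ts"]) <= crash})
        pairs.extend((crash.isoformat(), src) for src in srcs)
    return pairs


if __name__ == "__main__":
    hits = flag_deflate_posts(PROXY_LOG, SERVU_HOSTS)
    print(f"{len(hits)} suspicious POST(s)")
    for crash_ts, src in correlate(hits, servu_crashes(SYSTEM_EVENTS)):
        print(f"Serv-U crash at {crash_ts} preceded by deflate POST from {src}")
```

The header match is deliberately case-insensitive and substring-based so `Content-Encoding: DEFLATE` or a comma-separated list still fires; the 60-second window is a starting value and should be widened if the proxy and the Windows host are not time-synchronized.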
Sources: CISA KEV, The Hacker News, BleepingComputer
Status Updates
- CVE-2026-20245 (Cisco SD-WAN Manager): Still no patch; 7th SD-WAN zero-day of 2026; Mandiant-reported ITW exploitation ongoing; hardening guidance is only mitigation. Original brief.
- CVE-2026-41089 (Windows Netlogon): Active exploitation continues per Belgium CCB; all DCs must be patched in same maintenance window; PoC still public. Original brief.
- CVE-2026-42208 (LiteLLM Proxy): Federal CISA KEV deadline passed June 5; no new artifacts. Original brief.