Cyber Threat Brief — June 8 2026
1. WP Maps Pro Privilege Escalation — CVE-2026-8732
TL;DR: CVE-2026-8732 (CVSS 9.8) allows unauthenticated admin account creation on WordPress sites running WP Maps Pro ≤6.1.0. Wordfence blocked 2,858 attacks in the last 24 hours; attackers mass-creating rogue admin accounts via exposed AJAX endpoint.
What’s New:
- wpgmp_temp_access_ajax AJAX action registered with wp_ajax_nopriv_ — accessible without authentication
- Nonce (fc-call-nonce) embedded in frontend JS object wpgmp_local — publicly readable, rendering the check useless
- Invoking with check_temp=false unconditionally calls wp_insert_user() with hardcoded administrator role
- Two public PoCs on GitHub (Jenderal92/CVE-2026-8732, xShadow-Here/CVE-2026-8732)
- Patched in version 6.1.1 (May 20 2026); exploitation surge reported June 7-8
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /wp-admin/admin-ajax.php?action=wpgmp_temp_access_ajax | HTTP | T1190 | WAF / web access logs | Block or alert on this AJAX action from unauthenticated sessions |
| check_temp=false in POST body | HTTP param | T1190 | WAF / web access logs | Signature on parameter value |
| wpgmp_local.nonce (fc-call-nonce) extraction | Recon | T1592 | JS/frontend logs | Indicator of pre-exploitation recon |
| New admin accounts created via wp_insert_user() | Account | T1136.001 | WordPress audit log / wp_users table | Hunt for unexpected admin account creation |
| wp-google-map-gold plugin directory | File path | T1190 | File integrity monitoring | Flag plugin versions ≤6.1.0 |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need rule for WordPress AJAX admin account creation via unauthenticated endpoint |
| Elastic | None | Need WordPress audit log correlation for admin creation from non-admin sessions |
| Sigma | None | Need web_application rule matching wpgmp_temp_access_ajax POST from unauthenticated source |
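The detection gap above, worked as an added example (not from the brief, Wordfence or the plugin): flag calls to the wpgmp_temp_access_ajax action that arrive without a WordPress login cookie, i.e. on the wp_ajax_nopriv_ path. The log layout (combined format plus a trailing quoted Cookie field) and all sample lines are constructed assumptions; the check_temp=false parameter travels in the POST body and is only visible in WAF or request-body logs, not here.

```python
"""Hunt for unauthenticated hits on the WP Maps Pro AJAX action (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed layout: combined log format with the Cookie header appended as a final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
VULN_ACTION = "wpgmp_temp_access_ajax"  # action name from the brief


def is_suspicious(line: str):
    """Return (ip, method, reason) for an unauthenticated call to the vulnerable action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than guess
    url = urlsplit(m["path"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    if VULN_ACTION not in parse_qs(url.query).get("action", []):
        return None
    # A logged-in WordPress user carries a wordpress_logged_in_<hash> cookie; without it the
    # request is served by the wp_ajax_nopriv_ handler, which is the exposed code path.
    if "wordpress_logged_in_" in m["cookie"]:
        return None
    return m["ip"], m["method"], f"unauthenticated {VULN_ACTION} call"


def scan(lines):
    """Run the check over an iterable of log lines and return every hit."""
    return [hit for hit in (is_suspicious(l) for l in lines) if hit]


# Constructed sample lines: one unauthenticated hit, one logged-in editor, one unrelated nopriv action.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jun/2026:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action='
    'wpgmp_temp_access_ajax HTTP/1.1" 200 512 "-" "python-requests/2.32" "-"',
    '198.51.100.4 - - [08/Jun/2026:03:15:22 +0000] "POST /wp-admin/admin-ajax.php?action='
    'wpgmp_temp_access_ajax HTTP/1.1" 200 512 "https://example.test/wp-admin/" "Mozilla/5.0" '
    '"wordpress_logged_in_abc123=editor%7C1780000000%7Ctok; wp-settings-1=x"',
    '203.0.113.7 - - [08/Jun/2026:03:16:01 +0000] "POST /wp-admin/admin-ajax.php?action='
    'heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for ip, method, reason in scan(SAMPLE_LOG):
        print(f"{ip} {method} {reason}")
```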
Sources: SecurityWeek, BleepingComputer, The Hacker News
2. Juniper PTX Unauthenticated Root RCE — CVE-2026-21902
TL;DR: CVE-2026-21902 (CVSS 9.8) allows unauthenticated remote code execution as root on Juniper PTX Series routers running Junos OS Evolved 25.4.x via the On-Box Anomaly Detection framework, which is exposed by default. No ITW exploitation yet, but no auth required and the service is externally accessible.
What’s New:
- Incorrect permission assignment in On-Box Anomaly Detection framework — exposed by default on all PTX routers
- Network-based attack vector, no authentication, no user interaction required
- Root-level code execution on affected routers — full device takeover
- Affects all Junos OS Evolved 25.4.x releases prior to 25.4R1-S1-EVO / 25.4R2-EVO / 26.2R1-EVO
- No public PoC yet; high weaponization likelihood given zero-auth attack surface
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| On-Box Anomaly Detection service port (externally exposed) | Service | T1190 | Network flow / firewall logs | Restrict access via ACLs to trusted management networks only |
| PTX routers running Junos OS Evolved 25.4.x | Asset | T1190 | Asset inventory | Identify and prioritize patching |
| Unexpected root-level processes on PTX devices | Process | T1059 | Junos system logs | Hunt for anomalous process execution |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need Juniper-specific anomaly detection service monitoring rule |
| Elastic | None | No Junos OS Evolved coverage |
| Sigma | None | No Juniper PTX detection content |
Sources: SecurityWeek, BleepingComputer, Singapore CSA
3. Cisco SD-WAN Controller Auth Bypass — CVE-2026-20182
TL;DR: CVE-2026-20182 (CVSS 10.0) is an authentication bypass in the vdaemon DTLS peering service on Cisco Catalyst SD-WAN Controller and Manager. UAT-8616 (sophisticated threat actor tracked by Talos since 2023) is actively exploiting it for admin access, NETCONF manipulation, and root escalation. Metasploit module available.
What’s New:
- Auth bypass in vdaemon DTLS control-plane peering service (UDP 12346) — attacker authenticates as high-privileged internal account
- Exploited by UAT-8616 (Talos high-confidence attribution) — same actor behind CVE-2026-20127 exploitation since 2023
- Post-exploitation: SSH key injection, NETCONF config manipulation, root privilege escalation
- Rapid7 discovered during CVE-2026-20127 research; Metasploit module published
- CISA KEV added May 14, federal deadline May 17 (passed); 6th SD-WAN CVE exploited in 2026
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| UDP 12346 (vdaemon DTLS) | Port/Service | T1190 | Network flow / firewall logs | Restrict to authorized SD-WAN peers only |
| Unauthorized SSH key additions | Persistence | T1098.004 | SD-WAN Manager auth logs | Hunt for unexpected SSH key changes |
| NETCONF configuration changes | Config manipulation | T1565.001 | SD-WAN Manager /var/log/nms/ | Alert on unauthorized NETCONF edits |
| vconfd script anomalies in /var/log/scripts.log | Execution | T1059 | SD-WAN Manager system logs | Monitor for unexpected script invocations |
| Metasploit module: exploit/linux/cisco/sdwan_rpa2_auth_bypass | Tool | T1190 | IDS/IPS | Deploy signature for DTLS auth bypass pattern |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Need SD-WAN vdaemon DTLS auth anomaly detection; need NETCONF unauthorized change correlation |
| Elastic | None | No Cisco SD-WAN control-plane detection content |
| Sigma | None | No SD-WAN peering auth bypass signatures |
Sources: Cisco Advisory, Rapid7, Talos Blog, The Hacker News
Status Updates
- CVE-2026-20245 (Cisco SD-WAN Manager CLI): 7th SD-WAN zero-day of 2026, still NO PATCH. Mandiant confirmed ITW exploitation for root escalation and unauthorized config pushes. Monitor /var/log/scripts.log. Original brief.
- CVE-2026-43284/CVE-2026-46300 (Dirty Frag / Fragnesia): New Fragnesia variant (CVE-2026-46300, CVSS 7.8) disclosed May 14 — patch regression in Dirty Frag fix exposed XFRM ESP-in-TCP page-cache corruption. Separate patch required; module blacklist esp4/esp6/rxrpc as interim mitigation. Original brief.
- CVE-2026-3300 (Everest Forms Pro): Exploitation ongoing; 16 new attempts in last 24h per Wordfence. Original brief.
- CVE-2026-28318 (SolarWinds Serv-U DoS): CISA KEV deadline June 19; 12,000+ exposed instances. Original brief.