Cyber Threat Brief — June 11 2026
1. RoguePlanet Windows Defender Zero-Day LPE — CVE-2026-47281
TL;DR: Unpatched CVSS 9.6 TOCTOU race in Defender’s quarantine pipeline grants SYSTEM on fully-patched Win10/11. PoC binary public — expect commodity adoption within days.
What’s New:
- Nightmare Eclipse dropped compiled PoC and source hours after June Patch Tuesday (github.com/MSNightmare/RoguePlanet)
- Race condition in Defender real-time scan + quarantine redirects SYSTEM-context file op to overwrite `C:\Windows\System32\wermgr.exe` via NTFS junction
- WER `QueueReporting` scheduled task then executes attacker payload as SYSTEM
- Continuation of BlueHammer/RedSun/UnDefend Defender exploit chain series — same researcher
- Does NOT affect Windows Server (ISO mount required); variable success rate across hardware
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| RoguePlanet.exe | Filename | T1068 | Sysmon EID 1/11 | Hunt |
| wermgr.exe spawning cmd/powershell | Process chain | T1068, T1059 | Sysmon EID 1, Windows Security 4688 | Alert |
| wermgr.exe writing .exe to disk | File creation | T1068 | Sysmon EID 11 | Alert |
| NTFS junction to System32 from user-writable path | Directory junction | T1547.009 | Sysmon EID 11 | Hunt |
| EICAR string in mounted ISO | File content | T1204.002 | Defender EID 1116 | Hunt |
| QueueReporting task triggered post-junction | Scheduled task | T1053.005 | Task Scheduler EID 200/201 | Alert |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Wermgr Process Spawned CMD Or Powershell Process (e8fc95bc) | Covers post-exploitation; no rule for junction setup or ISO-triggered Defender abuse |
| Splunk ESCU | Wermgr Process Create Executable File (ab3bcce0) | Covers wermgr writing EXE; misses earlier TOCTOU stage |
| Splunk ESCU | Windows Process Injection Wermgr Child Process (360ae6b0) | Partial; designed for injection, not file replacement |
| Elastic | None specific | No Defender quarantine pipeline abuse rule |
| Sigma | proc_creation_win_werfault_susp_cmdline.yml (partial) | Adjacent — covers WerFault, not wermgr replacement |
| Sigma (technoherder) | BlueHammer suite (7 rules) | Covers NTFS junction + samlib.dll load; needs RoguePlanet-specific wermgr variant |
Sources: BleepingComputer, The Hacker News, Threat-Modeling.com, Cyderes
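The hunt/alert rows above expressed as detection logic, as an added example that is not from the brief, the Splunk ESCU rules, or the researcher's PoC. It evaluates Sysmon-style EID 1 (process create) and EID 11 (file create) records for the three wermgr.exe-related artifacts; field names mirror Sysmon's, but the events and file paths below are constructed samples, not real telemetry.

```python
# Added example: minimal detector for the wermgr.exe artifacts in the brief.
# Events are constructed Sysmon-style records, not real telemetry.
import ntpath
from dataclasses import dataclass

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POC_NAME = "rogueplanet.exe"  # public PoC filename named in the brief


@dataclass(frozen=True)
class SysmonEvent:
    event_id: int              # 1 = process create, 11 = file create
    image: str                 # process image path
    parent_image: str = ""     # EID 1 only
    command_line: str = ""     # EID 1 only
    target_filename: str = ""  # EID 11 only


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(ev: SysmonEvent) -> list:
    """Return (action, reason) findings for one event; empty list if benign."""
    findings = []
    img = base(ev.image)
    if ev.event_id == 1:
        if img == POC_NAME or POC_NAME in ev.command_line.lower():
            findings.append(("hunt", "RoguePlanet.exe PoC filename observed (T1068)"))
        if base(ev.parent_image) == "wermgr.exe" and img in SHELLS:
            findings.append(("alert", "wermgr.exe spawned cmd/powershell (T1068, T1059)"))
    elif ev.event_id == 11:
        if img == "wermgr.exe" and ev.target_filename.lower().endswith(".exe"):
            findings.append(("alert", "wermgr.exe wrote an executable to disk (T1068)"))
    return findings


def run(events) -> list:
    """Evaluate a batch; returns (event index, action, reason) tuples."""
    return [(i, action, reason)
            for i, ev in enumerate(events)
            for action, reason in classify(ev)]


# Constructed sample events: two benign, three matching the brief's artifacts.
SAMPLE_EVENTS = [
    SysmonEvent(1, r"C:\Windows\System32\svchost.exe",
                parent_image=r"C:\Windows\System32\services.exe"),
    SysmonEvent(11, r"C:\Windows\System32\wermgr.exe",
                target_filename=r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report.wer"),
    SysmonEvent(1, r"C:\Users\alice\Downloads\RoguePlanet.exe",
                parent_image=r"C:\Windows\explorer.exe"),
    SysmonEvent(11, r"C:\Windows\System32\wermgr.exe",
                target_filename=r"C:\Users\Public\stage2.exe"),
    SysmonEvent(1, r"C:\Windows\System32\cmd.exe",
                parent_image=r"C:\Windows\System32\wermgr.exe",
                command_line="cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for idx, action, reason in run(SAMPLE_EVENTS):
        print(f"event {idx}: {action.upper():5} {reason}")
```

The second sample (wermgr.exe writing a `.wer` report) is the legitimate WER behaviour the `.exe` suffix check is there to exclude; as the Detection table notes, none of these rules see the earlier junction/TOCTOU stage, so they fire only once the replaced binary runs.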
2. Langflow Path Traversal to Root RCE — CVE-2026-5027
TL;DR: CVSS 8.8 unauthenticated arbitrary file write via unsanitized filename in Langflow’s file upload API, chained to root RCE via cron injection. ~7,000 exposed instances, exploitation confirmed by VulnCheck honeypots.
What’s New:
- Tenable disclosed March 27 after 3 failed vendor contacts; Langflow patched in v1.10.0 June 10
- `POST /api/v2/files` accepts `../` in multipart `filename` param — no sanitization
- Auto-login enabled by default provides auth token without credentials
- Attackers write cron job to `/etc/cron.d/` for reverse shell as root within 60 seconds
- VulnCheck honeypots detecting test-file drops on vulnerable instances
- Second Langflow ITW-exploited RCE in 2026 (after CVE-2026-33017 in March)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /api/v2/files with ../ in filename | HTTP request | T1190 | WAF / Reverse proxy | Block |
| /api/v1/auto_login token acquisition | HTTP request | T1078.001 | Web server access log | Hunt |
| New files in /etc/cron.d/ by web process | File creation | T1053.003 | Auditd / Sysmon for Linux | Alert |
| Langflow process spawning /bin/sh or /bin/bash | Process chain | T1059.004 | Auditd / EDR | Alert |
| Port 7860 (default Langflow) exposed | Service | T1190 | Shodan/Censys/asset inventory | Reduce attack surface |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web or Application Server Spawning a Shell (generic) | Covers post-exploitation shell; no Langflow-specific URI pattern |
| Splunk ESCU | Linux Crontab File Modification (generic) | Covers cron write but not attribution to web process |
| Elastic | Linux Suspicious Child Process From Web Server | Generic; no Langflow process name match |
| Sigma | proc_creation_lnx_susp_child_process_from_web_server.yml | Generic; needs Langflow binary name |
Sources: BleepingComputer, The Hacker News, PoC — yahiahamza
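The first two Actionable Intel rows (block traversal in the upload filename, hunt auto_login token requests) as a reverse-proxy/WAF-style check, added here as an example that is not from the brief, Langflow, or the PoC. The endpoint paths come from the brief; the assumption that the upload path may carry a suffix (hence the prefix match) and every request sample below are constructed. It decodes the multipart filename before checking it so single- and double-URL-encoded `../` are caught as well as the plain form.

```python
# Added example: WAF-style inspection of Langflow upload / auto_login requests.
# Endpoint paths are from the brief; requests are constructed samples.
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

UPLOAD_PATH = "/api/v2/files"          # vulnerable upload API per the brief
AUTO_LOGIN_PATH = "/api/v1/auto_login"  # default-on token endpoint per the brief
FILENAME_RE = re.compile(r'filename\*?=\s*"?([^";\r\n]*)"?', re.IGNORECASE)


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def multipart_filenames(req: HttpRequest) -> list:
    """Filenames declared in Content-Disposition parts of a multipart body."""
    ctype = req.headers.get("Content-Type", "").lower()
    if "multipart/form-data" not in ctype:
        return []
    return [m.group(1) for m in FILENAME_RE.finditer(req.body)]


def is_traversal(name: str) -> bool:
    """True if the name escapes the upload directory: a '..' segment, an
    absolute path, or a drive letter, after undoing (double) URL encoding."""
    decoded = unquote(unquote(name))
    segments = re.split(r"[\\/]+", decoded)
    return (any(s == ".." for s in segments)
            or decoded.startswith(("/", "\\"))
            or re.match(r"^[A-Za-z]:", decoded) is not None)


def inspect(req: HttpRequest) -> tuple:
    """Return (action, reason): 'block', 'hunt' or 'allow'."""
    path = req.path.split("?", 1)[0].rstrip("/")
    if req.method.upper() == "POST" and path.startswith(UPLOAD_PATH):
        bad = [n for n in multipart_filenames(req) if is_traversal(n)]
        if bad:
            return ("block", f"traversal in upload filename {bad[0]!r} (T1190)")
    if path == AUTO_LOGIN_PATH:
        return ("hunt", "auto_login token acquisition (T1078.001)")
    return ("allow", "")


def upload(filename: str) -> HttpRequest:
    """Build a constructed multipart upload request carrying `filename`."""
    body = ("--b0undary\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n"
            "probe\r\n--b0undary--\r\n")
    return HttpRequest("POST", UPLOAD_PATH,
                       {"Content-Type": "multipart/form-data; boundary=b0undary"}, body)


# Constructed samples: benign upload, plain and double-encoded traversal, auto-login.
SAMPLES = [
    upload("report.pdf"),
    upload("../../../tmp/probe.txt"),
    upload("..%252F..%252Fvar%252Ftmp%252Fprobe.txt"),
    HttpRequest("GET", AUTO_LOGIN_PATH),
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req.method, req.path, "->", inspect(req))
```

This only closes the web-facing gap; the `/etc/cron.d/` file-creation and shell-spawn rows still need host telemetry (auditd/EDR) keyed on the Langflow process, which the generic rules in the Detection table do not attribute.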
3. Arista EOS Tunnel Decap Bypass — CVE-2026-7473
TL;DR: CISA KEV addition June 9 for CVSS 6.9 tunnel protocol validation bypass in Arista EOS. No patch planned — ACL mitigation only. Federal deadline June 23.
What’s New:
- CISA added to KEV June 9 with June 23 FCEB deadline, confirming active exploitation
- Devices configured as tunnel endpoints accept and decapsulate non-configured tunnel protocols to the same decap IP
- Arista explicitly states no patch planned — fix would break existing configurations
- Affects 7020R, 7280R/R2, 7500R/R2 series; some scenarios on 7280R3/7500R3/7800R3
- Mitigation: ACLs on upstream devices or on affected switches to allow only legitimate tunnel traffic
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Non-configured tunnel protocol traffic to decap IP | Network traffic | T1572 | NetFlow / sFlow / packet capture | Hunt |
| GRE/VXLAN/IP-in-IP traffic from unexpected sources | Network traffic | T1572 | Firewall / IDS | Alert |
| Missing ACLs on tunnel endpoint interfaces | Configuration | T1562.004 | Config audit / compliance scan | Remediate |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Arista EOS tunnel validation rule |
| Elastic | None | No tunnel protocol mismatch detection |
| Sigma | None | No coverage |
| Suricata | Custom rule needed | Alert on unexpected tunnel protocols to known decap IPs |
Sources: SecurityWeek, The Hacker News, Arista SA-0137
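Flow-record triage for the first two Actionable Intel rows, added here as an example that is not from the brief, Arista, or any vendor rule set. Given an inventory of decap IPs, the tunnel types actually configured on each, and the peers expected to send them, it flags any other tunnel encapsulation addressed to a decap IP and any configured encapsulation from an unexpected source. The protocol numbers are IANA assignments; the addresses, endpoint inventory and flow records are constructed.

```python
# Added example: NetFlow/sFlow-style triage for tunnel traffic to decap IPs.
# Endpoint inventory and flows are constructed samples.
from dataclasses import dataclass

# IANA IP protocol numbers for the encapsulations named in the brief
IP_PROTO_TUNNELS = {47: "GRE", 4: "IP-in-IP", 41: "IPv6-in-IP"}
UDP, VXLAN_PORT = 17, 4789


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # IP protocol number
    dport: int = 0  # UDP/TCP destination port, 0 otherwise


@dataclass(frozen=True)
class DecapEndpoint:
    ip: str
    protocols: frozenset  # tunnel types configured for this decap IP
    peers: frozenset      # remote endpoints expected to send tunnel traffic


def tunnel_type(flow: Flow):
    """Name the tunnel encapsulation a flow carries, or None if not a tunnel."""
    if flow.proto == UDP and flow.dport == VXLAN_PORT:
        return "VXLAN"
    return IP_PROTO_TUNNELS.get(flow.proto)


def evaluate(flow: Flow, endpoints: dict) -> tuple:
    """Return (action, reason) for a flow against the decap endpoint inventory."""
    ep = endpoints.get(flow.dst)
    kind = tunnel_type(flow)
    if ep is None or kind is None:
        return ("ignore", "")
    if kind not in ep.protocols:
        return ("alert", f"non-configured {kind} to decap IP {ep.ip} (T1572)")
    if flow.src not in ep.peers:
        return ("alert", f"{kind} to {ep.ip} from unexpected source {flow.src} (T1572)")
    return ("allow", f"{kind} from configured peer {flow.src}")


def hunt(flows, endpoints) -> list:
    """Return only the alerting flows with their reasons."""
    return [(f, reason) for f in flows
            for action, reason in [evaluate(f, endpoints)] if action == "alert"]


# Constructed inventory: one GRE decap IP with a single expected peer.
ENDPOINTS = {
    "192.0.2.10": DecapEndpoint("192.0.2.10", frozenset({"GRE"}),
                                frozenset({"198.51.100.1"})),
}

# Constructed flow records (5-tuples as exported by NetFlow/sFlow).
FLOWS = [
    Flow("198.51.100.1", "192.0.2.10", 47),               # GRE from the configured peer
    Flow("203.0.113.7", "192.0.2.10", 4),                 # IP-in-IP: not configured
    Flow("203.0.113.7", "192.0.2.10", 47),                # GRE from an unknown source
    Flow("203.0.113.7", "192.0.2.10", UDP, VXLAN_PORT),   # VXLAN: not configured
    Flow("203.0.113.7", "192.0.2.10", 6, 443),            # plain TCP, ignored
    Flow("203.0.113.7", "192.0.2.99", 47),                # GRE to a non-decap host
]

if __name__ == "__main__":
    for flow, reason in hunt(FLOWS, ENDPOINTS):
        print(f"{flow.src} -> {flow.dst}: {reason}")
```

The same inventory is the input for the ACL mitigation Arista recommends: permit the configured encapsulation from the known peers to the decap IP and deny all other traffic to it, on the upstream device or the switch itself.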
Status Updates
- CVE-2026-45657 (Windows Kernel): Wormable CVSS 9.8 use-after-free RCE patched June 10 Patch Tuesday. No PoC or ITW exploitation yet. Microsoft rates “exploitation less likely” but network-reachable SYSTEM-level — prioritize patching. Tenable analysis.
- CVE-2026-20245 (Cisco SD-WAN Manager): CISA KEV added June 9; no patch available; exploitation confirmed with config changes pushed to edge devices. THN. Original brief.
- CVE-2026-42897 (Exchange OWA XSS): Permanent patch delivered in June 10 Patch Tuesday after 26 days unpatched. Apply SU immediately. CISA KEV deadline July 1. Original brief.
- Miasma Supply Chain (Hades variant): PyPI wave hit June 8 — 37 malicious wheels across 19 packages using `.pth` startup hooks and Bun runtime credential stealer. 471 total malicious artifacts across npm+PyPI. Original brief.