Cyber Threat Brief — June 24 2026
⚠️ This report is AI-generated. Always validate findings.
1. FFmpeg PixelSmash — CVE-2026-8461
TL;DR: Heap OOB write in MagicYUV decoder enables near-zero-click RCE via crafted AVI/MKV/MOV files. JFrog demonstrated full RCE against Jellyfin and Nextcloud with a 50KB file.
What’s New:
- JFrog published full technical writeup and PoC June 22-23
- MagicYUV slice_height rounding mismatch between frame allocator and decoder causes one-row chroma overwrite past heap buffer
- Near-zero-click on desktops: browsing a folder triggers ffmpegthumbnailer
- Confirmed crashes in Kodi, mpv, Jellyfin, Emby, Nextcloud, Immich, PhotoPrism, OBS Studio
- Fixed in FFmpeg 8.1.2+; interim mitigation: rebuild with MagicYUV decoder disabled
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Crafted AVI/MKV/MOV with malformed slice_height | Exploit vector | T1203 (Exploitation for Client Execution) | Endpoint / file events | Block/quarantine files with MagicYUV codec from untrusted sources |
| ffmpegthumbnailer, ffprobe auto-invocation | Near-zero-click trigger | T1204.002 | Process creation logs | Monitor for ffmpeg/ffprobe child processes spawning shells |
| Jellyfin/Emby/Nextcloud/Immich media ingest | Server-side trigger | T1190 | Web server logs, container logs | Audit media server FFmpeg version, upgrade to 8.1.2+ |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for ffmpeg/ffprobe spawning suspicious child processes on media servers |
| Elastic | None | No specific FFmpeg exploitation rule |
| Sigma | proc_creation_lnx_susp_child_process_from_web_server.yml (generic) | Does not cover ffmpegthumbnailer or desktop thumbnail scenarios |
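The Sigma row above notes that the generic web-server rule does not cover ffmpegthumbnailer or desktop thumbnail scenarios. The following added example (not from JFrog or any vendor rule set) shows the shape of the missing detection as Python over constructed process-creation events: a decoder (ffmpeg, ffprobe, ffmpegthumbnailer) is never expected to spawn a shell or downloader, so any such parent/child pair is flagged, while ordinary launches of the decoders by a media server or by the thumbnailer itself pass. Hostnames, paths and command lines are constructed for illustration.

```python
"""Flag media decoders (ffmpeg/ffprobe/ffmpegthumbnailer) that spawn a shell or
other non-media child process. Added example over constructed events."""
from dataclasses import dataclass

# Decoders that process untrusted files; a shell child from these is abnormal.
MEDIA_PARENTS = {"ffmpeg", "ffprobe", "ffmpegthumbnailer"}

# Children a decoder has no legitimate reason to launch.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "python", "python3",
                       "perl", "curl", "wget", "nc"}


@dataclass
class ProcEvent:
    """Minimal process-creation record (fields as an EDR/auditd pipeline would expose)."""
    host: str
    parent_image: str
    image: str
    cmdline: str


def basename(path):
    """Last path component, so /usr/bin/ffmpeg and /opt/ffmpeg/ffmpeg compare equal."""
    return path.rsplit("/", 1)[-1]


def is_suspicious(ev):
    """True when a media decoder is the direct parent of a shell/downloader."""
    return basename(ev.parent_image) in MEDIA_PARENTS and \
        basename(ev.image) in SUSPICIOUS_CHILDREN


def detect(events):
    """Return the events that match the decoder-spawns-shell pattern."""
    return [ev for ev in events if is_suspicious(ev)]


def hosts_affected(events):
    """Distinct hosts with at least one matching event, for triage grouping."""
    return sorted({ev.host for ev in detect(events)})


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: media server launching its transcoder.
    ProcEvent("media01", "/usr/lib/jellyfin/jellyfin", "/usr/bin/ffmpeg",
              "ffmpeg -i movie.mkv -f mp4 pipe:1"),
    # Benign: web app reading container metadata.
    ProcEvent("nc01", "/usr/bin/php-fpm8.2", "/usr/bin/ffprobe",
              "ffprobe -show_format upload.mov"),
    # Benign: thumbnailer calling into ffmpeg itself.
    ProcEvent("laptop7", "/usr/bin/ffmpegthumbnailer", "/usr/bin/ffmpeg",
              "ffmpeg -i clip.avi -frames:v 1 thumb.png"),
    # Suspicious: decoder on a media server spawning a shell.
    ProcEvent("media01", "/usr/bin/ffmpeg", "/bin/sh", "sh -c id"),
    # Suspicious: desktop thumbnailer spawning bash while a folder is browsed.
    ProcEvent("laptop7", "/usr/bin/ffmpegthumbnailer", "/bin/bash", "bash -c id"),
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_EVENTS):
        print(f"[{ev.host}] {basename(ev.parent_image)} -> {basename(ev.image)}: {ev.cmdline}")
```

The allowlist of parents and denylist of children is deliberately small; in production the child set would be tuned per host role, since a transcoding pipeline that legitimately wraps ffmpeg in a shell script has the shell as parent, not child, and so still passes.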
Sources: JFrog PixelSmash Blog · SecurityWeek · BleepingComputer
2. Cisco Unified CM SSRF Escalates to ITW Exploitation — CVE-2026-20230
TL;DR: The SSRF in Cisco Unified CM WebDialer covered previously (June 5) is now confirmed exploited in the wild. Attackers are writing files to the underlying OS to escalate to root.
What’s New:
- Defused Cyber confirmed active exploitation over June 21-22 weekend
- Single attacker IP using file:// payloads to write arbitrary files to OS
- Current activity appears to be reconnaissance + weaponization for root escalation via /etc/cron.d/ writes
- SSD Secure published full PoC with technical details
- WebDialer is disabled by default — only instances with it enabled are vulnerable
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST to /webdialer/ with 127.0.0.1, localhost, or file:// in params | Exploitation indicator | T1190 | Tomcat access logs (CUCM) | Hunt in Tomcat logs for SSRF payloads |
| /tmp/cve-2026-20230-test.txt | Recon artifact | T1595.002 | File integrity monitoring | Alert on unexpected files in /tmp on CUCM |
| Files written to /etc/cron.d/ | Root escalation | T1053.003 | Auditd / file integrity | Monitor cron directory writes on CUCM appliances |
| WebDialer service on port 8443 | Attack surface | T1190 | Network scan data | Disable WebDialer if not required |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Cisco UCM-specific SSRF or WebDialer rule |
| Elastic | None | No coverage |
| Sigma | None | No coverage for Cisco UCM exploitation |
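The Actionable Intel table above points at Tomcat access logs for hunting SSRF payloads (127.0.0.1, localhost, file://) in requests to /webdialer/. The following added example, not Cisco's or any vendor's code, parses common-format access-log lines, percent-decodes the request URI (twice, to collapse double encoding) and flags requests under /webdialer/ whose query string carries one of those markers, then groups hits by client so a single-source pattern like the one reported stands out. The parameter name `target`, the client addresses and the log lines are constructed for illustration. One caveat a hunter should keep in mind: the access log records only the request line, so parameters submitted in a POST body are not visible here and require application-level logging or network capture.

```python
"""Hunt Tomcat access logs for SSRF-style markers in requests to a WebDialer path.
Added example over constructed log lines."""
import re
from collections import Counter
from urllib.parse import unquote

# Common/combined access-log layout: client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Markers named in the brief for this SSRF.
SSRF_MARKERS = ("file://", "127.0.0.1", "localhost")
TARGET_PATH = "/webdialer/"


def normalize_uri(uri):
    """Percent-decode twice (handles double encoding) and lowercase for matching."""
    decoded = uri
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.lower()


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not access-log shaped."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_ssrf_candidates(lines):
    """Requests under TARGET_PATH whose decoded URI contains an SSRF marker."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        uri = normalize_uri(rec["uri"])
        if TARGET_PATH not in uri:
            continue
        markers = [m for m in SSRF_MARKERS if m in uri]
        if markers:
            hits.append({"client": rec["client"], "ts": rec["ts"],
                         "method": rec["method"], "markers": markers,
                         "uri": rec["uri"]})
    return hits


def hits_by_client(hits):
    """Count flagged requests per source address."""
    return Counter(h["client"] for h in hits)


# Constructed sample log lines (not real traffic); 'target' is a placeholder parameter name.
SAMPLE_LOG = [
    '10.1.1.10 - - [21/Jun/2026:02:14:07 +0000] "GET /webdialer/index.html HTTP/1.1" 200 1834',
    '203.0.113.7 - - [21/Jun/2026:02:15:11 +0000] "POST /webdialer/Webdialer'
    '?target=file%3A%2F%2F%2Ftmp%2Fcve-2026-20230-test.txt HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Jun/2026:02:15:42 +0000] "POST /webdialer/Webdialer'
    '?target=http%3A%2F%2F127.0.0.1%3A8443%2F HTTP/1.1" 200 498',
    '203.0.113.7 - - [21/Jun/2026:02:16:03 +0000] "POST /webdialer/Webdialer'
    '?target=http%253A%252F%252FLOCALHOST%252F HTTP/1.1" 200 498',
    # Marker present but outside the WebDialer path: not in scope for this hunt.
    '10.1.1.22 - - [21/Jun/2026:02:17:30 +0000] "GET /ccmadmin/showHome.do'
    '?redirect=http%3A%2F%2Flocalhost%2F HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    found = find_ssrf_candidates(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["client"], h["method"], h["markers"], h["uri"])
    print(hits_by_client(found))
```

Matching on the decoded, lowercased URI is what catches the third sample line, where the marker is double-encoded and upper-cased; a naive substring search on the raw log line would miss it.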
Sources: BleepingComputer · The Hacker News · Cisco Advisory
Status Updates
- CVE-2026-50656 (Microsoft Defender RoguePlanet): Still UNPATCHED zero-day. Microsoft confirmed on June 16 that a patch is in progress, with no ETA. WDAC/AppLocker remains the primary mitigation. Original brief.
- Klue/Icarus Supply Chain: Salesforce disabled Klue Battlecards integration June 24 after OAuth token abuse exposed CRM data at Huntress, Recorded Future, Tanium, and others. Original brief.
- FortiBleed Credential Harvest: Campaign scope expanded — 110M+ credentials harvested from 430K FortiGate firewalls via 659 sniffing pipelines (May 31–June 15). Original brief.
- CVE-2026-55200 (libssh2): Detailed technical analysis published June 24 by borecraft.com covering heap overflow mechanics. Still no official release — only commit-level fix. Original brief.