Hello, stay ahead with CISO Brief 🚀

⚠️ A critical vulnerability (CVE-2026-3300) in Everest Forms Pro versions 1.9.12 and earlier allows unauthenticated attackers to execute arbitrary PHP on affected WordPress sites via the plugin's Complex Calculation feature. The issue stems from user-supplied values being inserted into an eval() string without properly escaping single quotes, enabling code injection. Wordfence telemetry shows active exploitation creating rogue administrator accounts, and a patch was issued by the developer on March 18.

🔒 OpenAI has started rolling out a new Lockdown Mode for eligible ChatGPT personal accounts to reduce the risk of data exfiltration from prompt injection attacks. The optional security setting restricts capabilities that can connect to the web or external services, including live web browsing, image support, agent mode, deep research, Canvas networking, and file downloads. Lockdown Mode is available across Free, Go, Plus, Pro, and self-serve ChatGPT Business plans but cannot be used simultaneously with Developer Mode. OpenAI warns the feature reduces but does not eliminate exfiltration risk and also launched enhanced account session management to help detect and terminate unauthorized access.

🔍 A reverse-engineered iOS SDK from Bright Data reveals free apps can turn devices, including always-on smart TVs, into exit nodes that relay web-scraping traffic. The SDK, embedded behind opt-in screens, uses peer channels with weak authentication and can bypass VPNs on iOS, allowing background relays that consume home bandwidth. Blocking a handful of SDK domains at the router or scanning apps on managed devices can stop the behavior.

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity DoS vulnerability in SolarWinds Serv-U (CVE-2026-28318, CVSS 7.5) to its Known Exploited Vulnerabilities catalog, citing active exploitation. The bug causes uncontrolled resource consumption and crashes the Serv-U service via specially crafted POST requests using Content-Encoding: deflate. SolarWinds released a fix in Serv-U version 15.5.4 HF1 and recommends limiting access and blocking requests with content-encoding as mitigations. Federal agencies must remediate by June 19, 2026.

🛡️ depthfirst's autonomous agent discovered 21 previously unknown zero-day vulnerabilities in FFmpeg, producing reproducible PoC inputs for each at a reported cost of about $1,000 for the run. In the same week, Google released Chrome 149 with fixes for a record 429 security bugs, over 100 of which are critical or high severity, following an overhaul of its bounty program to cope with a surge of AI-generated reports. The findings illustrate how AI is accelerating vulnerability discovery and increasing pressure on triage and patching processes across widely used software.

🛡️ Microsoft's GitHub organizations — including Azure, Azure-Samples, Microsoft, and MicrosoftDocs — were hit by the self-replicating Miasma supply chain campaign that affected 73 repositories, prompting GitHub to disable access. The incident notably re-compromised the durabletask package previously infected by TeamPCP, suggesting lingering credential exposure. Miasma, a variant of the Mini Shai-Hulud worm, has mutated rapidly and pushed malicious payloads both to registries and directly to GitHub source repos, leveraging AI coding tools and developer workflows to execute payloads. Security firms warn the campaign exploits trust in maintainers and signing rather than platform vulnerabilities, allowing widespread propagation across the open-source ecosystem.

🔒 Cisco has disclosed a high-severity vulnerability, CVE-2026-20245, affecting Catalyst SD‑WAN Manager deployments including on-premises and cloud variants. The flaw allows an authenticated local attacker with netadmin privileges to execute arbitrary commands as root by uploading a crafted file due to insufficient input validation. Cisco noted limited cases of configuration changes pushed to edge devices and advised applying fixes for related authentication bypass flaws (CVE-2026-20182) while monitoring /var/log/scripts.log for IoCs.

🖥️ Amazon Bedrock AgentCore Runtime introduces the InvokeAgentRuntimeCommandShell API, providing a persistent, PTY-backed terminal over WebSocket into running agent sessions. This complements existing one-shot execution via InvokeAgentRuntimeCommand and delivers a full terminal experience inside an isolated microVM with features like colors, tab completion, Ctrl+C, resize, and automatic reconnect. Developers hosting coding agents (for example, Claude Code, OpenAI Codex, Amazon Kiro) can now authenticate, drop into the agent microVM, inspect files, run ad-hoc commands, and debug while retaining session state across reconnects. Each interactive session uses a runtime session ID and shell ID for resume; up to 10 concurrent shells are supported per runtime.

🔐 Toshiba and Muji warned visitors about unexpected sign-in pop-ups generated by the external service polyfill.io, advising users to cancel and change passwords if they entered credentials. The prompts were caused by remnants of a 2024 incident when the polyfill domain served malicious scripts after changing hands; the domain began responding again in late May 2026 with HTTP 401 requests. Both companies suspended the service and removed the offending code, and other Japanese sites were also affected.

🔒 AWS Glue Data Catalog now supports IAM-based authorization for Amazon S3 Tables and Apache Iceberg materialized views in AWS GovCloud (US) Regions. This change lets you consolidate required permissions for storage, catalog, and query engines into a single IAM policy. The capability eases integration with analytics services such as Amazon Athena, Amazon EMR, Amazon Redshift, and AWS Glue. You can still opt in to AWS Lake Formation for fine-grained access controls.

🔔 Amazon OpenSearch Service now offers its modernized operational analytics UI in AWS GovCloud (US-East) and AWS GovCloud (US-West), enabling unified access to managed domains and serverless collections from a single endpoint. The release introduces Workspaces for team collaboration and a revamped Discover experience with multi-source data selection, PPL and SQL support, DQL and Lucene compatibility, updated visuals, and query autocomplete. The UI updates are available regardless of the underlying managed cluster or collection version.

⚠️ CISA warns that threat actors are actively exploiting a recently patched high-severity SolarWinds Serv-U flaw (CVE-2026-28318) that allows unauthenticated attackers to crash Serv-U file-transfer services via specially crafted POST requests using Content-Encoding: deflate. SolarWinds issued Serv-U 15.5.4 Hotfix 1 to address an uncontrolled resource consumption weakness and advised mitigation steps for admins who cannot immediately patch. Shodan and Shadowserver show thousands of Serv-U instances exposed online, prompting CISA to add the flaw to its Known Exploited Vulnerabilities Catalog and require federal agencies to remediate by June 19 under BOD 22-01.

🛡️ Volexity researchers attribute prolonged intrusions to the Chinese espionage group UNC5221 (aka VerdantBamboo), which used the Brickstorm backdoor plus previously undocumented malware Plenet and AgentPSD to maintain access. The actor compromised an MSP and victim systems, remaining undetected for at least 18 months and returning after remediation. Plenet is a cross-platform .NET backdoor; AgentPSD is a Python reverse shell used as fallback persistence.

🔍 A California man received a 26-year federal prison sentence after trafficking fentanyl and methamphetamine through Nemesis Market. Darren Hughes, 39, was convicted in November 2025 and sentenced on May 26 for operating a dark web store that offered free samples and sold drugs to undercover agents for cryptocurrency. Authorities arrested Hughes on June 28, 2023, seizing 672 grams of methamphetamine and a loaded ghost gun during his arrest. The case was part of a broader international investigation that took down Nemesis Market in March 2024.

🔍 Microsoft has expanded its Taxonomy of Failure Modes in Agentic AI Systems with seven newly identified ways agentic AI can be compromised. The update cites rapid adoption, maturation of the Model Context Protocol (MCP) ecosystem, proliferation of computer-use agents, and increased empirical evidence as drivers. New failure modes include supply chain compromise, goal hijacking, inter-agent trust escalation, visual attacks on CUAs, session context contamination, MCP/plugin abuse, and capability disclosure. Microsoft recommends inventorying agent supply chains, issuing cryptographic attestations, adding these modes to red-team exercises, and auditing human-in-the-loop controls.

🛡️ A joint bulletin from the FBI, MI5, ASIO, CSIS and NZSIS warns that Chinese military intelligence is using professional networking sites and job platforms to recruit Western workers into sharing sensitive information. The advisory details fake cover companies, targeted outreach on platforms like LinkedIn, and staged hiring processes that escalate from innocuous reports to requests for privileged material via encrypted messaging. Targets include military personnel, academics, journalists, and think-tank staff, and payments are made through common money-transfer and crypto services. The agencies urge scepticism toward unsolicited, well-targeted approaches and rapid moves to encrypted apps.

🔐 This article demonstrates how to implement enterprise-grade authentication and authorization for a Streamlit sample application using Amazon Cognito for identity and Amazon Verified Permissions with Cedar policies for fine-grained access control. It outlines a layered architecture that separates identity verification, authorization evaluation, application logic, and enforcement to reduce blast radius. The post explains Cedar policy anatomy and common patterns—ownership, role-based, hierarchical, and emergency access—plus evaluation precedence where forbid policies take priority. Practical guidance covers required tools, provisioning steps, policy design tips, and testing recommendations to help developers scale secure applications.

🔒 The RubyGems team added a cooldown option to Bundler to delay installing recently published gems, aiming to reduce exposure to software supply-chain attacks. The feature checks timestamps and ignores gems until they have been published for a configurable number of days, allowing time for malicious modifications to be discovered. Administrators can override the delay when rapid patching is required, balancing security and operational needs.