
Exploited VPNs, Kernel Flaw, and AWS Updates Define the Day
Coverage: 08 Jun 2026 (UTC)
Security teams faced an active exploitation cycle across VPN and edge devices, fresh disclosures in core software, and significant cloud platform updates. Several vendors urged immediate mitigation steps as exploits and proof-of-concept code circulated. Meanwhile, cloud providers rolled out features aimed at cost control and analytics, and researchers highlighted ongoing social engineering and mobile threats that continue to bypass user defenses.
Exploited VPN and Edge Device Risks
Check Point reported active exploitation of a critical authentication-bypass flaw, CVE-2026-50751, in Remote Access and Mobile Access VPN deployments that still permit deprecated IKEv1 and legacy clients without machine certificates. The company’s investigation traced earliest exploitation to May 7, with attempts intensifying in early June; hotfixes and guidance are available for supported versions. A second issue, CVE-2026-50752, can weaken IKEv1 site-to-site VPN certificate validation under specific conditions, though it has not been observed exploited. Administrators are urged to apply fixes, audit forensic logs and configurations from the earliest observed date, and follow the vendor’s remediation steps detailed in the Check Point advisory.
Separately, Ubiquiti’s UniFi OS Server contained a chain of three vulnerabilities—CVE-2026-34908 (improper access control), CVE-2026-34909 (path traversal), and CVE-2026-34910 (command injection)—that can be combined to achieve unauthenticated remote code execution and rapid escalation to root on versions 5.0.6 and earlier. The chain stems from an authentication mismatch between request processing and Nginx routing, ultimately allowing command execution under a highly privileged service account with passwordless sudo. Ubiquiti mitigated the issues in UniFi OS Server 5.0.8. Researchers released a safe detection script and advised monitoring for requests to specific endpoints and suspicious child processes; organizations should upgrade and verify for compromise before trusting the update. Details are summarized by BleepingComputer.
The Git service Gogs patched a critical argument-injection zero-day enabling remote code execution in version 0.14.3, affecting all releases up to 0.14.2 and 0.15.0+dev. Authenticated, non-admin users could exploit default-open registration and permissive repository-creation settings to read private repositories, steal credentials, and alter code. Rapid7 recommended immediate upgrades and provided mitigations for environments unable to patch quickly, including disabling new registrations and tightening repository-creation limits, as highlighted by BleepingComputer.
Cisco warned that a high-severity vulnerability in Catalyst SD-WAN Manager, CVE-2026-20245 (CVSS 7.8), is being exploited in the wild. The CLI flaw can let an authenticated netadmin user upload a crafted file, trigger command injection, and escalate to root. While exploitation requires local access, attackers could pair it with previously fixed authentication bypasses. With no dedicated patch yet, Cisco advises upgrading to mitigate earlier bypasses, auditing edge configurations, preserving logs, and consulting published indicators of compromise in scripts.log. Confirmed compromises require TAC-guided cleanup beyond software updates, according to CSO Online.
High-Impact Software Vulnerabilities
Researchers disclosed public exploits for CVE-2026-23111, a Linux kernel use-after-free in nf_tables that enables unprivileged local users to gain root and escape containers when unprivileged user namespaces are allowed. The upstream fix landed on February 5, with technical reproductions and walkthroughs following in April and June. Demonstrations covered Debian and Ubuntu releases, with other vendors tracking and issuing fixes. There is no standalone remote vector; the bug is chiefly a post-foothold privilege escalation. Administrators should apply distribution kernels and reboot; where feasible, temporarily disabling unprivileged user namespaces can reduce exposure until patched. Technical context is provided by The Hacker News.
In the JavaScript ecosystem, Cyera detailed six vulnerabilities in protobuf.js, a popular implementation of Google Protocol Buffers. The most severe, CVE-2026-44291, arises from dynamic code generation via the Function() constructor, enabling code execution in Node.js when adversaries can influence protobuf descriptors or schemas. A related issue, CVE-2026-44295, affects the pbjs CLI, embedding malicious names into generated output. Additional findings include prototype pollution (CVE-2026-44292) and several denial-of-service conditions (CVE-2026-44289, CVE-2026-44290, CVE-2026-44294). Affected versions include 7.5.5 and earlier, plus 8.0.0–8.0.1; fixes are available in protobuf.js 7.5.6 and 8.0.2, with protobuf.js-cli updates 1.2.1 and 2.0.2. Because protobuf.js is often a transitive dependency in gRPC tooling and cloud libraries, teams should audit software supply chains and update promptly, as reported by CSO Online.
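Because the summary above stresses that protobuf.js is usually pulled in transitively, the practical first step is to find every copy in a lockfile, not just the top-level one. The script below is an added example, not code from Cyera or the protobuf.js project. It walks an npm package-lock.json (lockfileVersion 1, 2 or 3), locates every installed copy of the npm packages assumed here to be named protobufjs and protobufjs-cli, and flags versions below the fixed releases named above (7.5.6 and 8.0.2 for the library, 1.2.1 and 2.0.2 for the CLI). The rule that any major line older than the oldest fixed release is also affected matches "7.5.5 and earlier" for the library and is an assumption for the CLI; the lockfile contents and package names inside it are constructed.

```python
import json
import re

# Fixed releases as reported in the advisory summary; package names are assumed npm names.
FIXED_VERSIONS = {
    "protobufjs": ["7.5.6", "8.0.2"],
    "protobufjs-cli": ["1.2.1", "2.0.2"],
}

# Constructed lockfileVersion 3 file with one clean copy and three nested, outdated copies.
SAMPLE_LOCK = {
    "name": "example-service",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-service", "version": "1.0.0"},
        "node_modules/protobufjs": {"version": "7.5.6"},
        "node_modules/example-grpc-tool": {"version": "0.4.0"},
        "node_modules/example-grpc-tool/node_modules/protobufjs": {"version": "7.2.4"},
        "node_modules/protobufjs-cli": {"version": "1.1.3"},
        "node_modules/example-codegen/node_modules/protobufjs": {"version": "8.0.1"},
    },
}


def parse_version(text: str):
    """Parse 'v?MAJOR.MINOR.PATCH[-pre][+build]' into a comparable tuple; None if not semver.
    A prerelease sorts below the same release (8.0.2-rc.1 < 8.0.2), matching semver order."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$", text.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def vulnerable_fixed_in(name: str, version: str):
    """Return the fixed release an installed version should move to, or None if not flagged."""
    fixed = FIXED_VERSIONS.get(name)
    v = parse_version(version) if fixed else None
    if v is None:
        return None
    fixed_keys = sorted((parse_version(f), f) for f in fixed)
    same_line = [(k, f) for k, f in fixed_keys if k[0] == v[0]]
    if same_line:  # compare within the same major line
        key, label = same_line[0]
        return label if v < key else None
    if v[0] < fixed_keys[0][0][0]:  # older major line than any fixed release
        return fixed_keys[0][1]
    return None  # newer major line than the advisory covers: not flagged


def iter_installed(lock: dict):
    """Yield (install path, package name, version) for every package in the lockfile."""
    packages = lock.get("packages")
    if packages:  # lockfileVersion 2 and 3: flat map keyed by install path
        for path, meta in packages.items():
            if not path:  # "" is the project itself
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            yield path, name, meta.get("version", "")
        return

    def walk(deps, prefix):  # lockfileVersion 1: nested "dependencies" tree
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version", "")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def audit_lockfile(lock: dict) -> list:
    """List every affected copy, noting whether it is a transitive (nested) install."""
    findings = []
    for path, name, version in iter_installed(lock):
        fixed_in = vulnerable_fixed_in(name, version)
        if fixed_in:
            findings.append({
                "path": path,
                "name": name,
                "version": version,
                "fixed_in": fixed_in,
                "transitive": path.count("node_modules/") > 1,
            })
    return findings


if __name__ == "__main__":
    import sys
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for f in audit_lockfile(lock):
        print(f"{f['path']}: {f['name']}@{f['version']} -> upgrade to {f['fixed_in']}"
              + (" (transitive)" if f["transitive"] else ""))
```

Run it against a real lockfile with `python audit.py package-lock.json`; nested copies under a tool's own node_modules directory are the ones `npm update` at the top level tends to leave behind, so each finding should be traced back to the dependent that pins it.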
Cloud Platform Updates and Cost Changes
AWS News announced 23 additions to the CloudWatch Logs Insights query language, including cryptographic hash functions (md5, sha256), extended string handlers (strcontains, split), conditional logic (if), numeric conversions (toNumber, toInt, toLong, toDouble), and IP utilities (ipv4ToNumber, isPrivateIP, isPublicIP, isReservedIP). New analytical capabilities—rate, count_over_time, sum_over_time, offset, histogram—arrive alongside parsing enhancements (parse CSV, parse XML, parse multi, values, addtotals). The service now supports fetching the first N results with a “limit any N” clause and up to 10 stats commands per query. The update, available across all commercial Regions, targets common needs in conditional processing, format parsing, IP handling, and time-series analysis.
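The IP predicates and the count_over_time style aggregation are the pieces of that release most useful for flow-log triage. The script below is an added example, not AWS code and not a Logs Insights query: it reproduces offline, in plain Python, what a query built on isPrivateIP/isReservedIP/isPublicIP, ipv4ToNumber and a per-window count would return, so a team can settle on the expected numbers against a sample before porting the logic to the service. The announcement does not state which address ranges the AWS predicates use, so the sets here are an assumption based on RFC 1918 and the IANA special-purpose registry; the log lines are constructed.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Assumption: the announcement does not say which ranges isPrivateIP/isReservedIP use,
# so these sets follow RFC 1918 and the IANA IPv4 special-purpose registry.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESERVED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "192.0.0.0/24", "192.0.2.0/24", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed sample lines (not real traffic): "<UTC timestamp> <source IP> <action>"
SAMPLE_LOG = """\
2026-06-08T10:00:05Z 10.0.1.25 ACCEPT
2026-06-08T10:00:40Z 8.8.8.8 REJECT
2026-06-08T10:01:10Z 192.168.4.7 ACCEPT
2026-06-08T10:01:30Z 198.51.100.22 REJECT
2026-06-08T10:02:15Z 127.0.0.1 ACCEPT
2026-06-08T10:02:50Z 1.1.1.1 ACCEPT
2026-06-08T10:03:05Z 169.254.10.1 ACCEPT
2026-06-08T10:03:45Z 8.8.8.8 REJECT
"""


def classify_ipv4(addr: str) -> str:
    """Return 'private', 'reserved' or 'public', mirroring the three isXxxIP predicates."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in PRIVATE_NETS):
        return "private"
    if any(ip in net for net in RESERVED_NETS):
        return "reserved"
    return "public"


def ipv4_to_number(addr: str) -> int:
    """32-bit integer form of an address (what ipv4ToNumber yields), useful for range checks."""
    return int(ipaddress.IPv4Address(addr))


def parse_line(line: str):
    """Split one constructed log line into (aware UTC datetime, source IP, action)."""
    ts, src, action = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, src, action


def summarize(log_text: str, window_seconds: int = 60) -> dict:
    """Aggregate a log the way a query using stats and count_over_time would:
    events per address class, REJECTs per fixed window, and the most-rejected sources."""
    by_class = Counter()
    rejects_per_window = defaultdict(int)
    reject_sources = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, src, action = parse_line(raw)
        by_class[classify_ipv4(src)] += 1
        if action == "REJECT":
            # Floor the timestamp to the start of its window, then label it in UTC.
            bucket = int(when.timestamp()) // window_seconds * window_seconds
            label = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            rejects_per_window[label] += 1
            reject_sources[src] += 1
    return {
        "by_class": dict(by_class),
        "rejects_per_window": dict(rejects_per_window),
        "top_reject_sources": reject_sources.most_common(),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Reserved ranges (loopback, link-local, documentation nets) showing up as sources in a flow log are usually a parsing or spoofing problem rather than real peers, which is why the three-way split is more useful than a plain private/public flag when building a REJECT-rate alert.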
AWS News also expanded Lambda Managed Instances (LMI) to all commercial Regions except Israel (Tel Aviv), Bahrain, UAE, and Auckland. LMI lets teams run Lambda functions on managed EC2 instances—retaining Lambda’s developer model while tapping specialized EC2 hardware and pricing. AWS manages OS/runtime patching, routing, load balancing, and auto-scaling, with parallel request processing inside each environment to improve utilization and price-performance. Integrations with event sources and observability/governance tools (e.g., CloudWatch, X-Ray, Config) are maintained. In addition, AWS News introduced incremental billing for Amazon Redshift manual snapshots on Serverless and RG instances, charging only for unique data blocks across snapshots. Applied automatically in all commercial and AWS GovCloud (US) Regions, the change lowers storage costs for disaster recovery and testing scenarios and encourages more frequent snapshotting without proportional cost growth.
Social Engineering and Mobile Threats
Microsoft observed a surge in social engineering campaigns that misuse AI brands and imagery—ChatGPT, Microsoft Copilot, DeepSeek, and Anthropic Claude—to drive phishing, malvertising, and SEO abuse. Campaigns in April and May used urgency, enforcement-style messaging, and multi-hop redirects through legitimate services to evade filters, with one effort linked to an initial access broker distributing stealers and loaders. Microsoft revoked fraudulently obtained code-signing certificates and coordinated disruptions, while recommending stronger, AI-enabled detection across email, identity, and endpoints; tighter URL and attachment handling; and faster revocation and takedowns. Details appear in the Microsoft report.
Unit 42 highlighted increasing phishing via Microsoft Teams and other collaboration tools, including operations by advanced actors who initiate chats from compromised or lookalike tenants to solicit MFA approvals or credentials. The report recommends reducing reliance on user scrutiny by tightening Teams settings (e.g., limiting external federation and unmanaged account chat), hardening identity with Conditional Access and just-in-time privileged access (such as Entra PIM), and improving monitoring and incident response around external chat initiation. Guidance and administrative controls are outlined by Unit 42.
On mobile, researchers tracked NFCShare, an evolving Android malware family delivered via phishing pages that impersonate banks and host counterfeit app updates on GitHub. The malware prompts a fake NFC verification, then uses IsoDep and EMV commands to read card details and capture a 4-digit PIN, exfiltrating data over WebSocket to support payment relay and card-fraud schemes. Recent samples also employ malformed ZIP/APK path entries to disrupt automated static analysis. Users are advised to install banking apps only from Google Play, enable Play Protect, and treat unsolicited NFC-verification requests with suspicion, according to BleepingComputer.
Meta disclosed that a flaw in its AI-assisted High Touch Support account recovery tool was exploited to hijack Instagram accounts by sending password reset links to attacker-supplied emails even when they did not match the account on file. The company reported 20,225 impacted users, disabled the tool and vulnerable code path, invalidated reset links, and placed affected accounts behind a mandatory security checkpoint, while urging password resets and two-factor authentication. The incident and follow-up steps are described by Infosecurity.
WhatsApp said it disrupted spear-phishing activity it attributes to the NSO Group, which allegedly used malicious links and test accounts and groups on the platform in violation of a U.S. court injunction. Meta published three domains as indicators of compromise and took down related accounts, while advising users to keep software updated and consider hardening measures like Android Advanced Protection and iOS Lockdown Mode. Context and indicators are provided by BleepingComputer.
Oxford University reported a breach of its CareerConnect platform following a third-party compromise at Group GTI on May 28, exposing first and last names, email addresses, and encrypted passwords for locally authenticated accounts; passwords were invalidated and affected users will be prompted to reset them. The university cautioned about subsequent phishing risks and said there is no evidence of direct compromise to university systems, per BleepingComputer.
SoFi’s Hong Kong subsidiary disclosed a breach through a third-party vendor after attackers accessed a database on April 30. The company has not yet determined the full scope or categories of exposed data and advised customers to watch for phishing, update passwords, and enable two-factor authentication. Additional safeguards and monitoring have been implemented while the investigation proceeds, according to BleepingComputer.