
Exploited Device Flaws, Stealer Takedowns, and New Cloud Controls
Coverage: 24 Jun 2026 (UTC)
Active exploitation of device and software flaws, coordinated takedowns of credential‑theft ecosystems, and fresh cloud controls shaped the day. Law enforcement reported large infrastructure seizures and recovered millions of stolen credentials, while new research highlighted stealthy initial‑access tools abusing familiar enterprise workflows. Major cloud vendors rolled out security and resilience features that tighten console access, simplify multi‑region protection, and reduce operational friction.
Patching Pressure: Exploited and High-Impact Flaws
The latest CISA KEV update warns of active exploitation against Ubiquiti UniFi OS and Lantronix EDS5000 devices, triggering BOD 26‑04’s three‑day remediation window for federal agencies. Ubiquiti patched CVE‑2026‑34908 (access control bypass), CVE‑2026‑34909 (path traversal), and CVE‑2026‑34910 (input validation leading to OS command injection); researchers showed the chain can lead to full remote code execution and released a free detection script. Lantronix addressed CVE‑2025‑67038, a critical root‑level command injection in EDS5000 firmware 2.1.0.0R3 caused by an unsanitized username passed to a shell command; upgrading to 2.2.0.0R1 is recommended. CISA has not shared exploitation details, but administrators are urged to apply vendor fixes and mitigations immediately.
JFrog researchers disclosed CVE‑2026‑8461, a heap out‑of‑bounds write dubbed PixelSmash in FFmpeg’s MagicYUV decoder, which can crash applications processing crafted media and, in demonstrated cases, enable remote code execution against services like Jellyfin and Nextcloud. The PixelSmash flaw impacts downstream projects that bundle or link libavcodec; confirmed crashes include Kodi, mpv, ffmpegthumbnailer (GNOME/KDE/XFCE), Emby, and OBS Studio. Immediate mitigation is to upgrade to FFmpeg 8.1.2 or disable the MagicYUV decoder at build time if not required.
Separately, a critical SSRF-related vulnerability in Cisco Unified Communications Manager (CVE‑2026‑20230, CVSS 8.6) is being exploited after public proof‑of‑concept code exposed a file‑write path to root. The Cisco flaw stems from improper input validation for certain HTTP requests; attackers abused the WebDialer component to determine hostnames and write arbitrary files. Successful exploitation requires WebDialer to be enabled (disabled by default). Cisco has issued fixes in Unified CM versions 14SU6 and 15SU5; where immediate patching is not feasible, disabling WebDialer is advised.
Crime Infrastructure Disrupted and Major Incidents
Between June 15 and 19, an international operation with private‑sector support dismantled key infrastructure for the Amadey and StealC malware ecosystems. According to Operation Endgame reporting, authorities seized or restricted over $47 million in criminal cryptocurrency, recovered roughly 27 million stolen credentials, and took down 326 servers and 142 domains. Microsoft reported more than 140,000 infected machines in early May and identified over 18,000 victim computers whose criminal control was severed. The action targeted loader‑and‑stealer pipelines that supply credentials, session cookies, and access for ransomware and fraud.
In a parallel financial disruption, the Department of Justice seized a cloud computing account tied to subsidiaries of Cambodia‑based HuiOne Group. The DoJ seizure is linked to HuiOne Guarantee, a Telegram‑based marketplace that handled billions in transactions for crimeware, stolen data, laundering services, and tools for deepfake‑enabled impersonation between 2021 and 2025. Independent analyses estimate more than $31 billion in crypto flowed through the marketplace, and despite HuiOne’s formal closure in May 2025, over 30 successor markets reportedly emerged. The action coincided with Treasury sanctions and FinCEN designations intended to block reentry into the U.S. financial system.
In the UK, two members of the Scattered Spider collective pleaded guilty for their roles in a 2024 cyberattack on Transport for London. The Scattered Spider case detailed service disruptions to in‑station signage and online portals, organization‑wide password resets for 28,000 employees, and an estimated £29 million ($38.2 million) in losses and recovery costs. A BBC investigation later determined that data on an estimated 10 million people was exposed. Sentencing is scheduled for July 22 at Woolwich Crown Court.
KDDI reported an intrusion into an email system it provides to multiple Japanese ISPs, likely via a third‑party software vulnerability. The KDDI breach may have exposed up to 14.22 million email addresses and associated passwords across providers including STNet (Pikara), KDDI Web Communications (CPI), JCOM, Chubu Telecommunications (COMINA), Nifty (@nifty), and Biglobe (BIGLOBE). KDDI said it modified systems to prevent further damage, implemented countermeasures, notified regulators, and urged customers to change passwords.
Initial Access and Browser Abuse
Symantec researchers detailed a new backdoor, Mistic, linked to an initial access broker known as Woodgnat/KongTuke. The Mistic backdoor is deployed via DLL sideloading by executing a signed Microsoft Defender binary (MpExtMs.exe) that loads a malicious DLL (EndpointDlp.dll), allowing fully in‑memory operation. It supports in‑memory code execution, file transfer and operations, and includes a kill switch; related activity involved a credential‑stealing .NET DLL and ModeloRAT. Initial access commonly leveraged ClickFix social‑engineering chains, fake system prompts, and Teams messages impersonating IT support, with heavy use of living‑off‑the‑land tools such as curl, reg.exe, net.exe, certutil.exe, PowerShell, and WMIC.
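As an added example (not Symantec's code), the following rule flags the MpExtMs.exe/EndpointDlp.dll sideload pairing described above in Sysmon-style image-load events; the trusted Defender directories, the event field names and the sample events are assumptions made for this illustration.

```python
"""Detect a Mistic-style DLL sideload from Sysmon-style image-load events.
Flags MpExtMs.exe loading EndpointDlp.dll when either file sits outside
Defender's platform directory or the DLL is unsigned. Trusted directories,
field names and sample events are assumptions for this example."""
from pathlib import PureWindowsPath

# Assumed baseline for where Defender platform binaries legitimately live.
TRUSTED_DEFENDER_DIRS = (
    r"c:\programdata\microsoft\windows defender\platform",
    r"c:\program files\windows defender",
)
# Signed host binary -> DLL it was reported sideloading.
SIDELOAD_PAIRS = {"mpextms.exe": "endpointdlp.dll"}

def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DEFENDER_DIRS)

def sideload_reasons(event: dict) -> list:
    """Return why an image-load event looks like a sideload ([] if benign)."""
    exe_path, dll_path = event["Image"], event["ImageLoaded"]
    expected_dll = SIDELOAD_PAIRS.get(PureWindowsPath(exe_path).name.lower())
    if expected_dll != PureWindowsPath(dll_path).name.lower():
        return []  # not the host/DLL pairing this rule covers
    reasons = []
    if not _trusted(exe_path):
        reasons.append("MpExtMs.exe running outside Defender platform dir")
    if not _trusted(dll_path):
        reasons.append("EndpointDlp.dll loaded from untrusted dir")
    if str(event.get("Signed", "false")).lower() != "true":
        reasons.append("loaded DLL is unsigned")
    return reasons

def scan(events: list) -> list:
    """Return one alert dict per event that sideload_reasons() flags."""
    return [{"Image": e["Image"], "reasons": r}
            for e in events if (r := sideload_reasons(e))]

# Constructed sample telemetry: legitimate load, sideload from %TEMP%, unrelated.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\MpExtMs.exe",
     "ImageLoaded": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0.0-0\EndpointDlp.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\DefUpd\MpExtMs.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\DefUpd\EndpointDlp.dll",
     "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]
```

Feed it real Sysmon Event ID 7 records mapped to the same field names; the three reasons together distinguish the copied-binary sideload from a Defender update that happens to load the same DLL name in place.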
Zscaler reported a malicious Microsoft Edge extension dubbed Edgecution that bridges the browser to a host‑level Python backdoor using Native Messaging. The Edgecution campaign began with social engineering on Microsoft Teams, steering users to a fraudulent “Outlook Updates Management Console.” The payload delivered a bundled Python runtime with extension and native components; a hidden Edge instance relayed commands via the Native Messaging protocol to execute shell or PowerShell commands, run arbitrary Python, write files, enumerate processes, and harvest system details. Researchers attribute the deployment to an initial access broker linked to the Payouts Kings ransomware cluster and recommend tightening extension monitoring and native messaging host controls.
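One way to act on that recommendation, as an added example that is not Zscaler's code: audit the native messaging host manifests a browser has registered for the pattern above (an extension bridged to a host-level interpreter). Manifest fields follow the Chromium native messaging spec; the approved-extension list, the path heuristics and the sample manifests are assumptions.

```python
"""Audit native messaging host manifests for the Edgecution pattern: an
extension origin wired to an interpreter or launcher running from a
user-writable directory. Manifest fields follow the Chromium spec; the
allowlist, heuristics and sample manifests are assumptions for this example."""
from pathlib import PureWindowsPath

# Host binaries that hand the extension a scripting runtime or shell.
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                "cmd.exe", "wscript.exe", "cscript.exe"}
LAUNCHER_EXTS = {".bat", ".cmd", ".ps1", ".py"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def audit_manifest(manifest: dict, approved_extensions: set) -> list:
    """Return findings for one host manifest ([] means nothing stood out)."""
    findings = []
    path = manifest.get("path", "")
    p = PureWindowsPath(path)
    if p.name.lower() in INTERPRETERS or p.suffix.lower() in LAUNCHER_EXTS:
        findings.append(f"host is an interpreter/launcher: {p.name}")
    if any(marker in path.lower() for marker in USER_WRITABLE):
        findings.append("host lives in a user-writable directory")
    for origin in manifest.get("allowed_origins", []):
        ext_id = origin.removeprefix("chrome-extension://").strip("/")
        if ext_id not in approved_extensions:
            findings.append(f"unapproved extension origin: {ext_id}")
    if manifest.get("type") != "stdio":
        findings.append("non-stdio host type")
    return findings

def audit_all(manifests: dict, approved_extensions: set) -> dict:
    """Map host name -> findings, keeping only hosts with findings."""
    return {name: f for name, m in manifests.items()
            if (f := audit_manifest(m, approved_extensions))}

APPROVED_EXTENSIONS = {"abcdefghijklmnopabcdefghijklmnop"}  # constructed allowlist
# Constructed manifests, as they would be read from the manifest paths that Edge
# registers under HKCU\Software\Microsoft\Edge\NativeMessagingHosts\<name>.
SAMPLE_MANIFESTS = {
    "com.acme.connector": {
        "name": "com.acme.connector", "description": "Acme SSO helper",
        "path": "C:\\Program Files\\Acme\\connector_host.exe", "type": "stdio",
        "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]},
    "com.outlook.updates": {
        "name": "com.outlook.updates", "description": "Outlook Updates Console",
        "path": "C:\\Users\\alice\\AppData\\Local\\OutlookUpdates\\host.bat",
        "type": "stdio",
        "allowed_origins": ["chrome-extension://ponmlkjihgfedcbaponmlkjihgfedcba/"]},
}
```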
Cloud Controls and Resilience Updates
AWS introduced support for sign‑in resource‑based policies and Organizations resource control policies to restrict AWS Management Console and aws login CLI sessions to expected networks. The AWS sign-in update lets administrators define permitted corporate CIDRs, VPC IDs, and regions through generated permission statements rather than raw JSON, with policy management writes targeting us‑east‑1. Evaluation occurs pre‑authentication (with signin:PrincipalArn exemptions) and post‑authentication (using aws:PrincipalArn), and enforcement must be explicitly enabled. In multi‑account organizations, RCPs can be attached at the org, OU, or account level; CloudTrail logs label denials accordingly. The post positions these controls alongside AWS Management Console Private Access to help form a data perimeter for console access.
Google Cloud announced general availability of cross‑region backups in its Backup and DR Service. The Google Cloud capability allows customers to select specific recovery regions for backups, offering a middle ground between high‑cost multi‑region storage and single‑region risk. At launch it supports Compute Engine instances, Disks, and Filestore, with Cloud SQL and AlloyDB planned. The workflow integrates into existing processes by targeting a backup vault in the secondary region from a plan defined in the source region, reducing overhead while creating a restorable copy outside the primary region.
Amazon added operational agility to analytics pipelines by enabling live configuration changes for EMR Serverless applications without restarts. With EMR Serverless, adjustments such as maximum capacity and custom images apply to new workloads immediately while in‑flight jobs continue under prior settings. For graph workloads, CloudFormation now supports Neptune global databases via the AWS::Neptune::GlobalCluster resource, enabling infrastructure‑as‑code provisioning of multi‑region topologies; see the Neptune CFN update for details.
For large in‑memory database use cases, AWS expanded regional availability of its seventh‑generation High Memory instances. The EC2 U7in 24‑TiB instance (u7in‑24tb.224xlarge) is now available in Asia Pacific (Seoul), offering 896 vCPUs, DDR5 memory, up to 200 Gbps networking, 100 Gbps EBS bandwidth, and ENA Express for low‑latency networking, targeting in‑memory workloads such as SAP HANA, Oracle, and SQL Server.