
Recent notable happenings and cases

Last updated: 15:51 03/06/2026 UTC

Latest updates


CISA KEV remediation for Android and Linux vulnerabilities

Advisory/Mitigation

Updated: 03.06.2026 18:36 · First: 03.06.2026 18:36 · 📰 1 src / 1 articles · H score: 57

CISA’s KEV update forced federal agencies to remediate CVE-2025-48595 and CVE-2022-0492 in Android and the Linux kernel before the June 5 deadline, or stop using the affected software. The directive turns the two flaws into an immediate compliance and exposure issue for government environments.

Customer-facing mortgage origination portal unauthenticated tenant-ID enumeration security flaw

Vulnerability

Updated: 03.06.2026 17:02 · First: 03.06.2026 17:02 · 📰 1 src / 1 articles · H score: 20

The customer-facing mortgage origination portal exposed an unauthenticated API that let callers enumerate tenant IDs and retrieve cross-tenant organization records. The exposed path returned data for every financial institution on the shared platform, plus the vendor's internal tenant, from a bank-branded subdomain. The same weakness was reachable from a visitor's browser because the platform's CORS policy allowed any third-party site to invoke the request without user interaction. A valid internal attribution code could also support submission forgery in the loan-origination pipeline.

SonicWall cloud backup theft and Marquis downstream intrusion

Case

Updated: 03.06.2026 17:02 · First: 18.09.2025 17:12 · 📰 0 src / 3 articles

SonicWall's MySonicWall cloud backup service was breached, exposing firewall configuration backup files that contained encrypted credentials and configuration data. SonicWall said the access was limited to a specific cloud environment and API call, and later said a state-sponsored threat actor was behind the theft. The stolen files created follow-on risk because they could help attackers understand and target customer firewalls. Marquis Software Solutions later said its August 14, 2025 ransomware attack came through a SonicWall firewall and was tied to configuration data taken from the cloud-backup breach. SonicWall completed its investigation with Mandiant and told customers to reset credentials and review backups, while Marquis said its notifications covered 74 U.S. banks and credit unions and more than 400,000 people.

Visual Studio Code (VS Code) token-theft zero-day security flaw

Vulnerability

Updated: 03.06.2026 09:50 · First: 03.06.2026 09:50 · 📰 2 src / 2 articles · H score: 44

A Visual Studio Code (VS Code) zero-day lets attackers steal GitHub OAuth tokens by abusing the editor's sandboxed webview message-passing system. The flaw is especially risky for github.dev users because a malicious link can install an extension that runs JavaScript, simulates keypresses, and extracts the token. With that token, an attacker can query the GitHub API and enumerate private repositories the victim can access. The vulnerability is unpatched and has no CVE ID yet.

Senior executive at major global stock exchange hit by data theft breach

Incident

Updated: 03.06.2026 15:46 · First: 03.06.2026 15:46 · 📰 1 src / 1 articles · H score: 7

A senior executive at a major global stock exchange suffered an email account compromise that enabled months of unauthorized mailbox access and data theft. The intrusion began in October 2025 and persisted until March 2026, creating a long dwell time consistent with espionage. Attackers used the compromised Outlook mailbox to collect information and exfiltrate data in small batches. The prolonged access increases the risk of sensitive negotiations, internal deliberations, and market-moving details being exposed.

Acer Wave 7 mesh routers zero-days (multiple vulnerabilities)

Vulnerability

Updated: 03.06.2026 14:35 · First: 03.06.2026 14:35 · 📰 1 src / 1 articles · H score: 24

Two maximum-severity zero-days in Acer Wave 7 mesh routers expose affected devices to plaintext credential disclosure and persistent backdoor access while firmware fixes are still pending. The flaws affect routers running T7c_GBL_1.01.000055 or earlier and are tracked as CVE-2026-49200 and CVE-2026-49201. No security patches are available yet, but Acer says fixes are planned for end of June 2026. Temporary risk reduction relies on disabling remote management or limiting Internet access to trusted IP addresses.

Executive order tasks NSA, CISA, NIST and the Treasury Department with a voluntary pre-release AI review framework, a classified benchmark, federal hardening directives and an AI cybersecurity clearinghouse

Public Sector Action

Updated: 03.06.2026 14:00 · First: 03.06.2026 14:00 · 📰 1 src / 1 articles · H score: 26

President Donald Trump signed a June 2 executive order creating a voluntary pre-release cybersecurity review for covered frontier AI models, giving the US government a new role in screening advanced models before release. The order tasks NSA, CISA, and NIST with building a classified benchmark to decide which models qualify, while also creating an AI cybersecurity clearinghouse for vulnerability scanning, validation, and patching. It matters because the framework targets models that can find and exploit software flaws at scale and pairs the review process with broader federal hardening actions.

Windows search URI handler NTLMv2 hash disclosure security flaw (CVE-2026-33829)

Vulnerability

Updated: 03.06.2026 13:18 · First: 03.06.2026 13:18 · 📰 1 src / 1 articles · H score: 24

The Windows `search:` URI handler has an unpatched NTLMv2 hash disclosure flaw that can let an attacker capture a user's Net-NTLMv2 hash through a crafted `search:` link. The weakness is similar to CVE-2026-33829 and can trigger a connection to an attacker-controlled SMB server. Captured hashes may then be reused for relay attacks or authentication.

Operation KRATOS 2 streaming piracy crackdown

Law Enforcement

Updated: 03.06.2026 13:12 · First: 03.06.2026 13:12 · 📰 1 src / 1 articles · H score: 20

European and international law enforcement dismantled nine organized crime groups and arrested 29 suspects in Operation KRATOS 2, a cross-border crackdown on illegal streaming. The seven-month action spanned 13 countries and removed more than 27,000 illegal streaming URLs tied to pirated sports, film, and television content. Investigators also traced over 18,000 IP addresses and 4,370 domains linked to piracy, expanding the case beyond website takedowns to the wider criminal support network. The operation exposed how the services used multi-jurisdiction hosting and separate customer-facing sites to complicate detection and prosecution.

Anthropic Project Glasswing expands Claude Mythos Preview access

Security Tool/Service

Updated: 03.06.2026 12:30 · First: 03.06.2026 12:30 · 📰 1 src / 1 articles · H score: 10

Anthropic expanded Project Glasswing on June 2, extending Claude Mythos Preview to 150 additional organizations and widening a security-focused AI program used to uncover vulnerabilities in critical software.

Google rolls out Android fake call detection against AI impersonation scam calls

Security Tool/Service

Updated: 03.06.2026 12:02 · First: 03.06.2026 12:02 · 📰 1 src / 1 articles · H score: 20

Google is rolling out fake call detection on Android 12 and later devices this month, giving users a built-in warning when a caller may be using AI voice-cloning or call spoofing to impersonate a contact. The feature adds real-time verification through Phone by Google, Contacts, and Google Messages with RCS, reducing the chance that a spoofed call can trick a user into engaging.

HTTP/2 Bomb remote denial-of-service flaw in major web servers

Vulnerability

Updated: 03.06.2026 11:33 · First: 03.06.2026 11:33 · 📰 1 src / 1 articles · H score: 0

Researchers disclosed HTTP/2 Bomb, a remote denial-of-service vulnerability in default HTTP/2 configurations that can make NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora inaccessible. The flaw enables memory exhaustion by chaining a compression bomb with a Slowloris-style hold.

NGINX and Apache HTTPD HTTP/2 Bomb mitigations

Advisory/Mitigation

Updated: 03.06.2026 11:33 · First: 03.06.2026 11:33 · 📰 1 src / 1 articles · H score: 14

Calif issued mitigation guidance for NGINX and Apache HTTPD operators after HTTP/2 Bomb was found to enable a remote denial-of-service against default HTTP/2 configurations. The recommended response is to upgrade NGINX to 1.29.8+ or disable HTTP/2, while Apache HTTPD should move to mod_http2 v2.0.41 or fall back to Protocols http/1.1. The guidance is aimed at reducing memory exhaustion and service unavailability on exposed web servers.

Kirki privilege escalation flaw actively exploited (CVE-2026-8206)

Vulnerability

Updated: 03.06.2026 01:12 · First: 03.06.2026 01:12 · 📰 1 src / 1 articles · H score: 45

CVE-2026-8206 in Kirki - Freeform Page Builder, Website Builder & Customizer is being actively exploited to hijack WordPress accounts, including administrator accounts. The flaw affects versions 6.0.0 through 6.0.6 and was fixed in 6.0.7. Site owners should upgrade immediately or disable the plugin.

Kirki security patch release for CVE-2026-8206

Security Patch Release

Updated: 03.06.2026 01:12 · First: 03.06.2026 01:12 · 📰 1 src / 1 articles · H score: 50

Kirki - Freeform Page Builder, Website Builder & Customizer shipped version 6.0.7 to fix CVE-2026-8206, a privilege-escalation flaw that could let attackers take over user accounts on affected WordPress sites. The release covered plugin versions 6.0.0 through 6.0.6, which were still present across a large installed base. Administrators were told to upgrade immediately or disable the plugin until patched systems were in place.

WeedHack YouTube and SEO poisoning campaign targeting Minecraft players

Campaign

Updated: 03.06.2026 00:54 · First: 03.06.2026 00:54 · 📰 2 src / 3 articles · H score: 39

WeedHack is a Minecraft-focused malware-as-a-service (MaaS) campaign that uses YouTube and SEO poisoning to push malicious mods, clients, cheats, and utilities. McAfee Labs says the activity has been active since January 2026 and has identified 3,820 unique malicious JAR files and over 240 URLs used to distribute the malware. The campaign’s clear-net dashboard at weedhack[.]to exposes stolen credentials and system information, and supports custom payloads for Minecraft versions 1.21.0 to 1.21.11. Victims are concentrated in the United States, Germany, India, the UK, Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain, while the tooling includes both free infostealer features and paid remote-access capabilities.

WeedHack Minecraft MaaS campaign expands with malicious JARs and remote access

Malware Activity

Updated: 03.06.2026 00:54 · First: 03.06.2026 00:54 · 📰 2 src / 3 articles · H score: 33

WeedHack is a Minecraft-focused malware-as-a-service operation that has been active since January 2026 and uses SEO poisoning and YouTube to push malicious downloads that infect users. McAfee Labs says the campaign impersonates Minecraft clients and mods, has identified 3,820 unique malicious JAR files and over 240 URLs, and uses weedhack[.]to to expose stolen data and manage compromised systems. The platform targets Minecraft versions 1.21.0 to 1.21.11, steals credentials and system information, and offers paid remote-access features including webcam access, keylogging, reverse shell execution, and screen sharing. Most infections are in the U.S., followed by Germany, India, the U.K., Italy, Vietnam, Canada, Norway, Sweden, Finland, and Spain.

AI-built ransomware toolkit with AD discovery and EDR evasion

Malware Activity

Updated: 02.06.2026 23:01 · First: 02.06.2026 23:01 · 📰 1 src / 1 articles · H score: 36

A customer-detected AI-built ransomware toolkit is automating Active Directory discovery and EDR evasion, increasing the chance that payloads slip past security controls. The toolkit was found in a customer environment after artifacts appeared under `C:\Users\User\Documents\test`. Its development used Cursor and Claude Opus agents, and the malware was tested against Sophos, CrowdStrike, and Microsoft EDR products. The activity matters because it combines AI-assisted development, payload refinement, and operational evasion into a faster ransomware-building loop.

WinRAR path traversal via Alternate Data Streams (CVE-2025-8088)

Vulnerability

Updated: 27.01.2026 21:38 · First: 27.01.2026 21:38 · 📰 2 src / 4 articles · H score: 54

The CVE-2025-8088 WinRAR path traversal flaw is being actively exploited, enabling arbitrary file writes and malicious payload placement for persistence. Attackers abuse Alternate Data Streams (ADS) to hide payloads and drop files into locations such as the Windows Startup folder. The weakness can support initial access and execution of files like LNK, HTA, BAT, CMD, and scripts on user login. Exploitation has been observed since July 18, 2025 and remains ongoing.

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity

Updated: 02.06.2026 21:21 · First: 02.06.2026 21:21 · 📰 1 src / 1 articles · H score: 49

A Gamaredon malware chain is using WinRAR CVE-2025-8088 to deliver GammaPhish, GammaLoad, GammaWorm, and GammaSteel, expanding persistence, C2 execution, and data theft against Ukrainian targets. The chain was observed in January 2026 and relies on staged payloads rather than a single dropper. GammaWorm establishes scheduled-task persistence and hides malicious shortcuts, while GammaSteel exfiltrates files to AWS S3 or an attacker-controlled fallback server. The modular design also supports reuse for additional payloads, including GammaWipe.

Microsoft Exchange Online mail flow disruption

Service Disruption

Updated: 02.06.2026 20:02 · First: 02.06.2026 20:02 · 📰 1 src / 1 articles · H score: 25

Microsoft is addressing a widespread Exchange Online service disruption that is delaying and failing email delivery for customers across North America and Germany. The issue is causing SMTP deferral errors and interrupted send/access attempts, with some messages left undelivered for over an hour. The outage is still under investigation, so mail flow reliability remains degraded while engineers work to identify the root cause.

Meta AI-powered support tools abused in Instagram account recovery flow

Security Tool/Service

Updated: 02.06.2026 18:47 · First: 02.06.2026 18:47 · 📰 1 src / 1 articles · H score: 30

Instagram accounts were hijacked after attackers abused Meta’s AI-powered support tools to pass recovery checks and change the recovery email, creating a direct failure in automated identity verification. The abuse reportedly leveraged selfie verification and AI-generated video and could bypass 2FA, leaving victims stuck in AI-only support loops with no human escalation. Reported targets included a White House team account, Jane Manchun Wong, @hey, and @korn, and Meta said the issue had been resolved and impacted accounts were being secured.

Instagram accounts for Obama White House hit by account takeover attack

Incident

Updated: 01.06.2026 20:32 · First: 01.06.2026 20:32 · 📰 2 src / 2 articles · H score: 17

The Instagram accounts for the Obama White House and the Chief Master Sergeant of the U.S. Space Force were briefly defaced after attackers abused Meta’s AI support assistant to reset passwords, creating a public-facing account takeover risk. The reported workflow let the attacker link a new email address and receive a reset code, which enabled the hijack and message injection. Meta reportedly pushed an emergency patch, and the exploit reportedly failed when MFA was enabled.

Bayer reworks awareness training and AI access controls against AI-driven social engineering

Defensive Guidance

Updated: 02.06.2026 16:45 · First: 02.06.2026 16:45 · 📰 1 src / 1 articles · H score: 10

Bayer has shifted to psychology-first security awareness and tiered AI access controls to blunt AI-generated social engineering across employees and suppliers. The program now trains staff to spot pressure, authority abuse, and process-breaking requests instead of relying on old phishing cues like spelling mistakes or suspicious URLs. It also gates access to myGenAssist, extends AI security annexes to suppliers, and pushes the SOC toward human-on-the-loop operations.

CISA orders federal patching of Oracle WebLogic CVE-2024-21182

Public Sector Action

Updated: 02.06.2026 15:40 · First: 02.06.2026 15:40 · 📰 2 src / 2 articles · H score: 53

CISA ordered federal agencies to patch Oracle WebLogic Server against CVE-2024-21182 by June 4, creating an immediate remediation deadline for affected government systems. The directive followed CISA's addition of the flaw to its catalog of vulnerabilities exploited in attacks. The order applies to WebLogic deployments in the federal environment, while CISA also urged broader defenders to patch as soon as possible.

Oracle WebLogic Server unauthenticated remote compromise flaw (CVE-2024-21182)

Vulnerability

Updated: 02.06.2026 15:40 · First: 02.06.2026 15:40 · 📰 2 src / 2 articles · H score: 62

CVE-2024-21182 in Oracle WebLogic Server is actively exploited and can let an attacker with network access achieve unauthenticated remote compromise. The flaw affects versions 12.2.1.4.0 and 14.1.1.0.0, and Shodan shows 1,592 exposed and vulnerable servers online. Oracle released security patches in July 2024, but successful attacks can still expose critical data or grant complete access to WebLogic-accessible data.

CISA automatic tank gauge system mitigations

Advisory/Mitigation

Updated: 02.06.2026 15:00 · First: 02.06.2026 15:00 · 📰 1 src / 1 articles · H score: 19

CISA and government partners issued a joint fact sheet with mitigations for automatic tank gauge (ATG) systems used by U.S. operators. The guidance tells owners and operators to use strong passwords, remove ATG systems from the internet, and audit and monitor logs. The measures are meant to reduce the risk of compromise that could disrupt tank monitoring, create undetected leaks, and cause environmental or physical damage. The advisory covers ATG systems used across the Energy, Chemical, Food and Agriculture, and Transportation sectors.

Google security patch release for CVE-2025-48595

Security Patch Release

Updated: 02.06.2026 14:10 · First: 02.06.2026 14:10 · 📰 2 src / 3 articles · H score: 45

Google's June 2026 Android security patches address 124 vulnerabilities, including an actively exploited zero-day. The release ships as the 2026-06-01 and 2026-06-05 security patch levels and covers System, Framework, and Qualcomm components. One high-severity Android Framework flaw, CVE-2025-48595, can enable code execution and privilege escalation on devices running Android 14 or later.

Android Framework code execution and privilege escalation flaw (CVE-2025-48595)

Vulnerability

Updated: 02.06.2026 14:10 · First: 02.06.2026 14:10 · 📰 2 src / 3 articles · H score: 40

Google's June 2026 Android security patches now cover CVE-2025-48595, an actively exploited Android Framework flaw that can lead to code execution and privilege escalation on Android 14 or later devices. Google said the vulnerability may be under limited, targeted exploitation, making timely patching important for exposed devices. The flaw was already tracked in the March 2025 Android Security Bulletin and is now fixed in the 2026-06-01 and 2026-06-05 patch levels.

AI-assisted EDR-evasion malware development lab

Malware Activity

Updated: 02.06.2026 14:00 · First: 02.06.2026 14:00 · 📰 1 src / 1 articles · H score: 12

A threat actor is using AI coding tools to build and refine EDR-evasion malware, accelerating the creation of custom loaders that can bypass endpoint defenses. The lab tested the tooling against Sophos, CrowdStrike and Microsoft EDR agents, showing a concrete focus on defender evasion rather than harmless experimentation. The activity raises the speed and scale of malware development and suggests the workflow may support stealthy post-exploitation operations.