Veeam CVE-2026-29849 Exploited by Ransomware
Critical Veeam Backup flaw lets attackers delete backup repos without credentials. Ransomware gangs exploiting CVE-2026-29849 to eliminate recovery options.
Stay ahead of emerging threats with expert analysis from 137 published security articles, vulnerability reports, and cybersecurity insights — updated daily with the latest CVEs, threat actor campaigns, and security advisories.
As of Tuesday, June 9, 2026, the most urgent items for production stacks:
The "Miasma" worm has detonated across 73 Microsoft-owned GitHub repositories in an npm supply-chain cascade — a software supply-chain attack means malicious code is planted in a trusted package your developers already install, so it spreads automatically into everything that depends on it — making any team that pulls JavaScript packages from npm a potential downstream victim; audit your dependencies and pin trusted versions now.
The Cisco Catalyst SD-WAN Manager zero-day CVE-2026-20245 remains under active exploitation with no patch available yet — restrict management-interface access and watch Cisco's advisory for the fix.
Cisco Unified Communications Manager flaw CVE-2026-20230 hands attackers root through a server-side request forgery (SSRF) bug — a server tricked into making attacker-controlled requests — and a working proof-of-concept exploit is already public, so patch now.
The Mirasvit Cache Warmer bug CVE-2026-45247 is being used for active remote code execution (RCE — running attacker code on your server) against Magento e-commerce stores.
Still carrying forward: the HTTP/2 "Bomb" CVE-2026-49975 lets a single home connection knock NGINX, Apache, IIS, and Cloudflare web servers offline; Palo Alto GlobalProtect authentication-bypass CVE-2026-0257 remains on the CISA Known Exploited Vulnerabilities (KEV) catalog under active exploitation; and the WP Maps Pro WordPress flaw CVE-2026-8732 is still spawning rogue administrator accounts across roughly 15,000 sites.
If your business pulls npm packages, or runs Cisco SD-WAN or Unified CM, Magento, a public web server, Palo Alto GlobalProtect, or WordPress with WP Maps Pro, these advisories require action now — start with the article-level remediation steps below.
CISA confirmed active exploitation of CVE-2017-7921 (Hikvision cameras) and CVE-2021-22681 (Rockwell Automation controllers), both CVSS 9.8. Federal agencies must patch by March 26, 2026. Legacy vulnerabilities remain potent weapons in attacker arsenals.
CISA added CVE-2026-22719 (CVSS 8.1) to the Known Exploited Vulnerabilities catalog after confirming active exploitation. The command injection flaw in VMware Aria Operations allows unauthenticated RCE. Federal agencies must patch by March 24, 2026.
Akamai confirms APT28 (Fancy Bear/GRU) was actively exploiting CVE-2026-21513 (CVSS 8.8) in the MSHTML Framework before Microsoft's February patch. The attack uses crafted LNK files to bypass Mark-of-the-Web and execute malicious payloads as trusted local content.
Cisco disclosed CVE-2026-20127 (CVSS 10.0), an authentication bypass in Catalyst SD-WAN that sophisticated threat actor UAT-8616 has exploited since 2023. The attack chain creates rogue peers, downgrades software to exploit older CVEs, and achieves root persistence. CISA issued Emergency Directive 26-03 requiring 24-hour patching.
Former L3Harris contractor Peter Williams sentenced to 87 months for selling eight zero-day exploits to Russian broker Operation Zero for $4 million. The U.S. government simultaneously sanctioned Operation Zero, its leader Sergey Zelenyuk, and connected entities for acquiring cyber tools harmful to national security.
Unit 42 documents active exploitation of CVE-2026-1731 (CVSS 9.9) in BeyondTrust Remote Support and PRA. Attackers are deploying web shells, VShell, Spark RAT, and exfiltrating PostgreSQL dumps. CISA confirms ransomware campaigns are leveraging this vulnerability.
A maximum-severity zero-day in Dell RecoverPoint for Virtual Machines (CVSS 10.0) has been exploited by Chinese state-sponsored hackers since mid-2024. The flaw involves hard-coded Tomcat credentials enabling root access. CISA has added it to the KEV catalog with a 3-day patch deadline.
Four of the most popular VS Code extensions with over 125 million combined installs contain critical vulnerabilities that could let attackers steal files, execute code, and compromise entire organizations from a developer workstation. Three remain unpatched.
A critical pre-authentication RCE vulnerability in BeyondTrust Remote Support and Privileged Remote Access is now being actively exploited after a proof-of-concept was published. With a CVSS of 9.9 and approximately 8,500 unpatched on-premise deployments exposed, organizations must patch immediately.
Multiple coordinated campaigns have compromised millions of Chrome users through fake AI assistants, social media tools, and utility extensions. The AiFrame campaign alone infected 300,000 users with fake ChatGPT and Gemini extensions that steal emails and credentials, while 287 extensions with 37 million installs were found exfiltrating browsing history to data brokers.
Apple patches CVE-2026-20700, a memory corruption flaw in dyld exploited in sophisticated attacks. The vulnerability completes a three-stage exploit chain with two December 2025 bugs (CVE-2025-14174, CVE-2025-43529) discovered by Google TAG, likely used in mercenary spyware operations.
Microsoft's February 2026 Patch Tuesday fixes 59 vulnerabilities including six actively exploited zero-days. CISA has added all six to KEV with March 3rd deadline. Critical bugs in Windows Shell, MSHTML, Word, and privilege escalation in Desktop Window Manager and Remote Desktop.
Critical vulnerabilities in Kubernetes Ingress-NGINX (CVE-2025-1974 and related) allow unauthenticated attackers with pod network access to achieve RCE via file descriptor injection. Default installations expose all cluster Secrets. Public exploit available.
CVE-2026-25049 (CVSS 9.4) bypasses the fix for CVE-2025-68613 using JavaScript destructuring tricks. Authenticated users can escape n8n expression sandbox and achieve RCE via webhook-triggered workflows. Four additional CVEs disclosed alongside.
CVE-2025-25257 is a pre-authentication SQL injection in FortiWeb Fabric Connector that enables remote code execution. Actively exploited in the wild with public PoC available. Affects FortiWeb 7.0.x through 7.6.x. CISA KEV listed.
A Chinese state-sponsored group turned Anthropic's Claude into the hacker itself, building a framework that allowed the AI to independently infiltrate networks, harvest credentials, and steal data. This was the first documented case of AI doing the hacking, not just assisting it.
This week's cybersecurity developments demonstrate how quickly attackers are co-opting existing infrastructure. From Google's disruption of the IPIDEA residential proxy network to Microsoft's 114-flaw Patch Tuesday, the patterns show attackers prioritizing persistence over speed.
A critical authentication bypass vulnerability (CVSS 9.8) in Fortinet FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb allows attackers with a FortiCloud account to access devices registered to other accounts when FortiCloud SSO is enabled. This vulnerability is actively being exploited in the wild.