
Financial Services
Showing 12 / 3981 threat reports
Impact (CRITICAL)
Critical Vulnerability in Everest Forms Pro Exploited to Hijack WordPress Sites
In June 2026, a critical vulnerability (CVE-2026-3300) in the Everest Forms Pro plugin for WordPress was actively exploited by attackers to gain unauthorized control over websites. The flaw, present in versions up to and including 1.9.12, resided in the plugin's Complex Calculation feature, which improperly handled user input, allowing unauthenticated remote code execution. Exploiting this, attackers created rogue administrator accounts, enabling them to modify content, install malicious plugins, and access sensitive data. The vulnerability was patched on March 18, 2026, but exploitation began on April 13, 2026, with over 29,300 attempts blocked by security tools. This incident underscores the persistent threat posed by vulnerabilities in widely used WordPress plugins. Website administrators are urged to promptly update plugins and monitor for unauthorized access to mitigate such risks.

17 hours ago

Kill Chain at a Glance
IC
PE
LM
C&C
E
I
Impact (CRITICAL)
Cyberattacks on U.S. Fuel Tank Monitoring Systems: A 2026 Overview
In June 2026, U.S. critical infrastructure sectors, including energy and transportation, faced cyberattacks targeting internet-exposed Automatic Tank Gauge (ATG) systems. These systems, essential for monitoring fuel and liquid levels, were compromised by threat actors exploiting vulnerabilities such as default passwords and command execution flaws. The attackers manipulated system settings, altered tank readings, and disabled alerts, posing significant operational and safety risks. In response, agencies like CISA, NSA, and FBI issued joint advisories urging organizations to secure ATG systems by removing them from public internet access, enforcing strong credentials, and applying necessary patches. This incident underscores the escalating threat to industrial control systems and the urgent need for enhanced cybersecurity measures to protect critical infrastructure from sophisticated cyber threats.

23 hours ago

Impact (HIGH)
Miasma Worm Infiltrates 73 Microsoft GitHub Repositories in Major 2026 Supply Chain Attack
In June 2026, Microsoft faced a significant supply chain attack when the self-replicating Miasma worm compromised 73 of its GitHub repositories across organizations such as Azure, Azure-Samples, Microsoft, and MicrosoftDocs. The worm embedded malicious code that activated upon developers cloning and opening the affected repositories in AI coding agents, leading to the harvesting of credentials for platforms including AWS, Azure, GCP, Kubernetes, npm, and GitHub. This incident underscores the evolving nature of supply chain attacks, particularly targeting AI-assisted development tools. The Miasma worm, a variant of the Mini Shai-Hulud worm, exploits the inherent trust in authenticated maintainers and signed packages, highlighting the need for enhanced security measures in software development and distribution processes.

1 day ago

Impact (CRITICAL)
AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs
In early June 2026, an autonomous AI agent developed by security startup Depthfirst identified 21 zero-day vulnerabilities in FFmpeg, a widely used open-source media library. These vulnerabilities, including heap and stack overflows, had been present in the codebase for up to 23 years. Concurrently, Google released Chrome version 149, addressing a record-breaking 429 security flaws, with over 100 classified as critical or high severity. This surge in vulnerability discoveries underscores the growing role of AI in cybersecurity, enabling faster identification of longstanding security issues. Organizations must adapt to this accelerated pace by implementing more frequent patch cycles and enhancing their vulnerability management processes to mitigate emerging threats effectively.

1 day ago

Impact (HIGH)
CISA Adds Actively Exploited SolarWinds Serv-U DoS Flaw to KEV Catalog
In early June 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a high-severity vulnerability, CVE-2026-28318, affecting SolarWinds Serv-U, to its Known Exploited Vulnerabilities (KEV) catalog. This denial-of-service (DoS) flaw allows unauthenticated attackers to crash the Serv-U service by sending specially crafted POST requests with the 'Content-Encoding: deflate' header. The vulnerability has a CVSS score of 7.5 and is actively being exploited in the wild. ([nvd.nist.gov](https://nvd.nist.gov/vuln/detail/CVE-2026-28318?utm_source=openai)) The inclusion of this vulnerability in the KEV catalog underscores the critical need for organizations to promptly apply security patches. Unpatched systems remain susceptible to service disruptions, which can have significant operational and financial impacts. ([scworld.com](https://www.scworld.com/brief/hackers-actively-exploit-solarwinds-serv-u-flaw-to-crash-servers-cisa-warns?utm_source=openai))

1 day ago

Impact (HIGH)
Critical SolarWinds Serv-U Vulnerability (CVE-2026-28318) Under Active Exploitation
In early June 2026, a critical vulnerability identified as CVE-2026-28318 was discovered in SolarWinds Serv-U software. This flaw allows unauthenticated attackers to send specially crafted POST requests with 'Content-Encoding: deflate' headers, leading to uncontrolled resource consumption and subsequent service crashes. The vulnerability has been actively exploited in the wild, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add it to their Known Exploited Vulnerabilities (KEV) catalog. Organizations utilizing affected versions of Serv-U are at significant risk of service disruptions and potential data loss. The inclusion of CVE-2026-28318 in CISA's KEV catalog underscores the urgency for organizations to address this vulnerability promptly. With active exploitation observed, it is imperative for entities using SolarWinds Serv-U to apply the recommended patches or mitigations to prevent potential service outages and safeguard sensitive information.

1 day ago

Impact (LOW)
Bright Data SDK Exploits Smart TVs for Web Scraping: Privacy Implications Unveiled
In June 2026, security researchers revealed that Bright Data's SDK, embedded in various consumer applications, transforms devices such as smart TVs and smartphones into residential proxy nodes. This setup allows these devices to relay web-scraping traffic for Bright Data's data collection services, which are heavily marketed to the AI industry. Users, often unaware, consent to this by opting into free apps that promise benefits like reduced advertisements. The SDK operates in the background, utilizing the device's internet connection to route third-party web requests, effectively turning personal devices into components of a vast proxy network. This incident underscores the growing trend of leveraging consumer devices for large-scale data collection, particularly to fuel AI model training. The practice raises significant privacy and security concerns, as users' home IP addresses and bandwidth are exploited without explicit, informed consent. The lack of transparency and potential for misuse highlight the urgent need for stricter regulations and user awareness regarding the permissions granted to applications and the data-sharing implications involved. ([techspot.com](https://www.techspot.com/news/111492-smart-tv-apps-quietly-scraping-web-data-ai.html?utm_source=openai))

1 day ago

Impact (HIGH)
Cisco SD-WAN Vulnerability CVE-2026-20245: Root Privilege Escalation Risk
In June 2026, Cisco disclosed a high-severity vulnerability (CVE-2026-20245) in its Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. This flaw arises from insufficient validation of user-supplied input, allowing authenticated local attackers with netadmin privileges to execute arbitrary commands as the root user by uploading crafted files. Exploitation of this vulnerability has been observed in limited cases, leading to unauthorized configuration changes pushed to edge devices. The ongoing exploitation of this zero-day vulnerability underscores the persistent targeting of network management systems by threat actors. Organizations utilizing Cisco's SD-WAN solutions should prioritize reviewing their systems for indicators of compromise and apply recommended mitigations promptly to prevent potential breaches and maintain network integrity.

1 day ago

Impact (CRITICAL)
Over 900 US Gas Station Tank Gauge Systems Exposed to Cyberattacks
In June 2026, over 900 Automatic Tank Gauge (ATG) systems across the United States were found exposed online, making them vulnerable to cyberattacks. ATG systems are critical for monitoring fuel and chemical storage tanks in various sectors, including energy and transportation. Threat actors exploited security flaws such as hardcoded credentials and authentication bypasses to gain unauthorized access, potentially leading to operational disruptions and safety hazards. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/over-900-us-gas-station-tank-gauge-systems-exposed-to-attacks/amp/?utm_source=openai)) This incident underscores the growing threat to critical infrastructure from cyberattacks targeting industrial control systems. Organizations must prioritize securing internet-exposed devices to prevent similar vulnerabilities from being exploited in the future.

1 day ago

Impact (HIGH)
Urgent: CISA Reports Active Exploitation of SolarWinds Serv-U Vulnerability CVE-2026-28318
In June 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported active exploitation of a high-severity vulnerability in SolarWinds Serv-U software, identified as CVE-2026-28318. This flaw allows unauthenticated remote attackers to crash the Serv-U service by sending specially crafted POST requests with the 'Content-Encoding: deflate' header. SolarWinds released Serv-U 15.5.4 Hotfix 1 to address this issue, advising immediate patching or, if not feasible, implementing mitigations such as restricting access to known addresses and blocking POST requests containing 'content-encoding'. The exploitation of CVE-2026-28318 underscores the persistent targeting of file transfer services by threat actors to disrupt operations. Organizations are urged to prioritize patching and enhance monitoring of their file transfer infrastructures to prevent potential service disruptions and data breaches.

1 day ago

Impact (CRITICAL)
UNC5221's Prolonged Cyber-Espionage via Brickstorm Malware
In June 2026, the Chinese state-sponsored group UNC5221, also known as VerdantBamboo, was found to have infiltrated U.S. organizations using the Brickstorm backdoor and newly identified malware variants, Plenet and AgentPSD. The attackers maintained undetected access for over 18 months, compromising Microsoft 365 environments and managed service providers. Their tactics included exploiting zero-day vulnerabilities in edge devices and deploying advanced malware implants written in Golang and Rust. ([bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/chinese-apt-deploys-new-malware-to-keep-access-to-hacked-networks/amp/?utm_source=openai)) This incident underscores the evolving sophistication of state-sponsored cyber-espionage campaigns, highlighting the need for organizations to enhance their detection capabilities, particularly in monitoring network appliances and implementing robust access controls to prevent prolonged unauthorized access.

1 day ago

Impact (LOW)
Dark Web Vendor Sentenced to Over 26 Years for Drug Trafficking
In June 2026, Darren Hughes, a 39-year-old from San Jose, California, was sentenced to over 26 years in federal prison for trafficking fentanyl and methamphetamine via the dark web platform Nemesis Market. Hughes operated a vendor store on Nemesis Market, offering free samples of methamphetamine to attract clients. Between 2023 and 2024, he sold methamphetamine and fentanyl pills to undercover law enforcement agents on five occasions, accepting cryptocurrency as payment. His arrest in June 2024 led to the seizure of approximately 672 grams of methamphetamine and a loaded 9mm 'ghost gun' without a serial number. This case underscores the persistent threat posed by dark web marketplaces in facilitating the global distribution of illegal narcotics. Despite the takedown of Nemesis Market in March 2024, similar platforms continue to emerge, highlighting the ongoing challenges law enforcement faces in combating online drug trafficking.

1 day ago
