CISA Adds Two Known Exploited Vulnerabilities to Catalog
The U.S. Cybersecurity and Infrastructure Security Agency has added two new vulnerabilities to its Known Exploited Vulnerabilities catalog after finding evidence of active exploitation. The newly added flaws include an improper input validation vulnerability in PTC Windchill and FlexPLM (CVE-2026-12569) and a Server-Side Request Forgery bug in Cisco Unified Communications Manager (CVE-2026-20230).
Under Binding Operational Directive 22-01, federal civilian agencies must remediate each entry by the due date CISA lists for it. The addition signals that both vulnerabilities pose an immediate risk to enterprise environments, and organizations outside the federal government should prioritize the same patches to prevent network compromise.
For any organization running PTC Windchill, FlexPLM, or Cisco Unified Communications Manager, this is a clear signal: these vulnerabilities are actively being exploited right now. Delaying patches increases the likelihood that attackers will compromise your environment before you can defend it.
FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation
A Russian-speaking initial access broker has orchestrated a massive credential-harvesting campaign dubbed “FortiBleed,” targeting vulnerable FortiGate firewalls. The threat actors successfully breached over 430,000 FortiGate devices, allowing them to quietly siphon an estimated 110 million user credentials.
The stolen data is highly likely to be sold to ransomware operators or other cybercriminal syndicates for secondary network intrusions. This staggering breach highlights the severe, compounding damage that compromised edge devices can cause.
Here’s what makes this particularly dangerous: your firewall is the entry point to your network. If it’s compromised, attackers have direct access to everything behind it. And the credentials they steal from your firewall or VPN can be used to access other systems in your environment or sold to other attackers.
For any organization running FortiGate appliances, this breach should trigger an immediate audit: confirm the firmware is patched, rotate administrator and VPN user credentials (plus any shared secrets stored on the device), terminate active sessions, and review admin and VPN access logs and configuration changes for activity you did not initiate. This isn’t a theoretical risk. It’s active, right now, at massive scale.
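The "review access logs" step above is the one most often skipped, so here is an added example of what it looks like in practice. This is not code from the article or from Fortinet. It parses FortiGate-style key=value syslog lines and flags three things a compromised or credential-harvested firewall tends to show: an administrator login from outside the management network, a password spray against VPN users from one source, and a VPN login that succeeds from a source that was just spraying. The sample lines are constructed; the logid values are placeholders, and the assumption that a given FortiOS release emits exactly these field names (subtype, action, status, user, srcip) should be checked against your own logs.

```python
"""Review FortiGate-style key=value logs for signs of credential abuse.

Added example for this digest, not code from the article or from Fortinet.
SAMPLE_LOGS is constructed, not real device output. It follows the FortiOS
key=value syslog layout, but the logid values are placeholders and the field
names used below (subtype, action, status, user, srcip) are an assumption
about what a given firmware emits; adjust them to match your own logs."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a benign admin login, an admin login from the Internet,
# a three-user password spray against SSL-VPN from one source, a success for
# one sprayed user from that same source, and an unrelated benign VPN login.
SAMPLE_LOGS = """\
date=2026-06-02 time=08:12:04 devname="fw-edge-1" logid="0100000001" type="event" subtype="system" action="login" status="success" user="admin" srcip=10.10.5.7 ui="https(10.10.5.7)" msg="Administrator admin logged in successfully"
date=2026-06-02 time=08:12:40 devname="fw-edge-1" logid="0100000001" type="event" subtype="system" action="login" status="success" user="admin" srcip=198.51.100.23 ui="https(198.51.100.23)" msg="Administrator admin logged in successfully"
date=2026-06-02 time=08:13:02 devname="fw-edge-1" logid="0100000002" type="event" subtype="vpn" action="ssl-login-fail" status="failure" user="jsmith" srcip=198.51.100.23 reason="sslvpn_login_permission_denied" msg="SSL user failed to log in"
date=2026-06-02 time=08:13:09 devname="fw-edge-1" logid="0100000002" type="event" subtype="vpn" action="ssl-login-fail" status="failure" user="mjones" srcip=198.51.100.23 reason="sslvpn_login_permission_denied" msg="SSL user failed to log in"
date=2026-06-02 time=08:13:15 devname="fw-edge-1" logid="0100000002" type="event" subtype="vpn" action="ssl-login-fail" status="failure" user="akim" srcip=198.51.100.23 reason="sslvpn_login_permission_denied" msg="SSL user failed to log in"
date=2026-06-02 time=08:13:31 devname="fw-edge-1" logid="0100000003" type="event" subtype="vpn" action="ssl-login" status="success" user="akim" srcip=198.51.100.23 msg="SSL user login succeeded"
date=2026-06-02 time=08:20:00 devname="fw-edge-1" logid="0100000003" type="event" subtype="vpn" action="ssl-login" status="success" user="bob" srcip=203.0.113.9 msg="SSL user login succeeded"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def in_allowlist(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def review(log_text, mgmt_networks, spray_threshold=3):
    """Return (finding, subject, srcip) tuples for the three patterns described above."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    vpn_failures = defaultdict(set)   # srcip -> users with failed VPN logins
    vpn_successes = defaultdict(set)  # srcip -> users with successful VPN logins
    for line in log_text.splitlines():
        ev = parse_line(line)
        src = ev.get("srcip")
        if not src:
            continue
        is_admin_login = (ev.get("subtype") == "system" and ev.get("action") == "login"
                          and ev.get("status") == "success")
        if is_admin_login:
            if not in_allowlist(src, nets):
                findings.append(("admin-login-outside-mgmt", ev.get("user", "?"), src))
        elif ev.get("subtype") == "vpn":
            if ev.get("status") == "failure":
                vpn_failures[src].add(ev.get("user", "?"))
            elif ev.get("status") == "success":
                vpn_successes[src].add(ev.get("user", "?"))
    # A single source failing against several distinct users is a spray; a
    # success from that same source afterwards means a credential was confirmed.
    for src, users in vpn_failures.items():
        if len(users) >= spray_threshold:
            findings.append(("vpn-credential-spray", ",".join(sorted(users)), src))
            for user in sorted(vpn_successes.get(src, ())):
                findings.append(("vpn-login-after-spray", user, src))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOGS, ["10.10.0.0/16"]):
        print(finding)
```

Point it at logs exported from the firewall or from your syslog collector, and set the management allowlist to the networks admins are actually supposed to log in from. An admin login from anywhere else, in a window where the device was unpatched, is the event to investigate first.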
Read more: https://thehackernews.com/2026/06/fortibleed-targeted-fortigate-firewalls.html
Stealthy Mistic Backdoor Linked to Ransomware Access Broker KongTuke
Cybersecurity researchers have uncovered a new, highly stealthy backdoor named “Mistic” being utilized in attacks against the education, IT, and professional services sectors. The malware is attributed to KongTuke, a prolific initial access broker that specializes in compromising corporate networks and selling the access to notorious ransomware gangs like Black Basta, Qilin, and Akira.
Mistic is built for long-term persistence: it executes payloads directly in memory without writing files to disk, which sidesteps file-based endpoint detection. The discovery shows how capable initial access brokers have become, and it means defenders need behavioral monitoring that can catch memory-only threats.
The threat model is clear: KongTuke breaks into your network, installs Mistic, and then sells access to ransomware operators. By the time you discover the breach, attackers may have been inside your environment for months, mapping your systems and preparing for encryption.
Detection requires more than antivirus scanning. You need behavioral analysis that watches for suspicious activity patterns, even when malware tries to hide in memory.
macOS Weaknesses Chained to Silently Disable Endpoint Security Agents
Security researchers at XM Cyber have demonstrated a novel attack technique that allows standard, non-administrative macOS users to silently disable enterprise endpoint security tools, such as EDR and MDM agents. Rather than relying on software vulnerabilities or kernel exploits, the attack chains legitimate macOS behaviors—specifically abusing weakly-validated XPC connections and manipulating the kernel’s code-signing trust cache.
Once disabled, attackers can operate freely on the system without triggering security alerts. This research reveals a significant blind spot in macOS endpoint protections, pushing vendors to quickly roll out behavioral preventions to block the abuse of native system trust boundaries.
For organizations with macOS devices in their environment, this is a sobering finding. A regular user can disable your security tools using built-in system features. Your endpoint protection is only as strong as the operating system’s trust mechanisms, and macOS’s design can be weaponized against those protections.
This highlights why defense-in-depth matters. Don’t rely solely on endpoint tools. Layer in network monitoring, user behavior analysis, and access controls that catch suspicious activity even when endpoint tools are disabled.
Read more: https://www.securityweek.com/macos-weaknesses-chained-to-silently-disable-endpoint-security-agents/
CISA Adds Four More Known Exploited Vulnerabilities to Catalog
CISA has mandated federal agencies to patch four specific vulnerabilities that have been confirmed as actively exploited in the wild. The update to the KEV catalog includes a code injection flaw in Lantronix EDS5000 devices (CVE-2025-67038) alongside three maximum-severity vulnerabilities impacting Ubiquiti UniFi OS (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910).
The flaws range from improper access control to path traversal, and each can give an attacker control of the affected device. Organizations outside the federal government are strongly urged to prioritize these patches, as edge devices and networking controllers remain top targets for cybercriminals.
Edge devices—firewalls, wireless controllers, serial device servers—are critical infrastructure. If they’re compromised, attackers can control traffic, intercept data, or move laterally into your core network. When CISA lists multiple vulnerabilities in these devices as actively exploited, this is a priority alert.
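Both KEV items in this digest come down to the same task: knowing which of your assets carry a catalogued CVE and how close (or past) the due date is. The following is an added example of that cross-check, not code from CISA or the article. The record layout follows CISA's public JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), whose entries carry cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse. SAMPLE_FEED is a constructed subset that reuses the CVE IDs named above; its dates are placeholders for illustration, not CISA's actual dates, and the inventory is likewise constructed.

```python
"""Cross-reference an asset inventory against the CISA KEV catalog feed.

Added example for this digest, not code from CISA or the article. The field
names follow CISA's public known_exploited_vulnerabilities.json feed; the
SAMPLE_FEED below is a constructed subset using the CVE IDs named in this
digest, with placeholder dateAdded/dueDate values (not CISA's real dates).
SAMPLE_INVENTORY is constructed as well."""
import json
from datetime import date

SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-12569", "vendorProject": "PTC", "product": "Windchill and FlexPLM",
     "dateAdded": "2026-06-03", "dueDate": "2026-06-24", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20230", "vendorProject": "Cisco", "product": "Unified Communications Manager",
     "dateAdded": "2026-06-03", "dueDate": "2026-06-24", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-67038", "vendorProject": "Lantronix", "product": "EDS5000",
     "dateAdded": "2026-05-27", "dueDate": "2026-06-17", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "dateAdded": "2026-05-27", "dueDate": "2026-06-17", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34909", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "dateAdded": "2026-05-27", "dueDate": "2026-06-17", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34910", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "dateAdded": "2026-05-27", "dueDate": "2026-06-17", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: hostnames are placeholders; "patched" lists CVEs the
# asset owner has already confirmed remediated.
SAMPLE_INVENTORY = [
    {"host": "plm01", "vendor": "PTC", "product": "FlexPLM", "patched": set()},
    {"host": "voip01", "vendor": "Cisco", "product": "Unified Communications Manager",
     "patched": {"CVE-2026-20230"}},
    {"host": "ot-gw-3", "vendor": "Lantronix", "product": "EDS5000", "patched": set()},
    {"host": "net-ctl", "vendor": "Ubiquiti", "product": "UniFi OS", "patched": set()},
]


def applies(entry, asset):
    """Loose vendor/product substring match. KEV entries carry no version
    ranges, so tighten this with the vendor advisory before acting on it."""
    return (asset["vendor"].lower() in entry["vendorProject"].lower()
            and asset["product"].lower() in entry["product"].lower())


def prioritize(feed_text, inventory, today=None):
    """List unpatched KEV hits per asset, most overdue first.

    days_remaining is negative once the catalog due date has passed."""
    today = date.fromisoformat(today) if today else date.today()
    entries = json.loads(feed_text)["vulnerabilities"]
    findings = []
    for asset in inventory:
        for entry in entries:
            if not applies(entry, asset) or entry["cveID"] in asset.get("patched", set()):
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "due": entry["dueDate"],
                "days_remaining": (due - today).days,
                "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    findings.sort(key=lambda f: (f["days_remaining"], f["cve"]))
    return findings


def report(findings):
    lines = []
    for f in findings:
        state = (f"overdue by {-f['days_remaining']}d" if f["days_remaining"] < 0
                 else f"{f['days_remaining']}d left")
        lines.append(f"{f['host']:<10} {f['cve']:<16} due {f['due']} ({state}) "
                     f"ransomware={f['ransomware']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(prioritize(SAMPLE_FEED, SAMPLE_INVENTORY)))
```

Replace SAMPLE_FEED with the downloaded feed and SAMPLE_INVENTORY with your CMDB export, and run it on every catalog update. The due dates are binding only for federal civilian agencies, but they are a useful upper bound for everyone else, since the catalog lists only flaws CISA has seen exploited.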
CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
Following an update to its KEV catalog, CISA is issuing warnings regarding the active exploitation of a critical vulnerability in Lantronix EDS5000 series edge devices. Tracked as CVE-2025-67038, the vulnerability allows remote attackers to execute arbitrary code via command injection.
Because these devices are frequently utilized in operational technology and industrial networks to connect serial equipment to IP networks, a compromise can have severe physical and operational consequences. The active targeting of this flaw reiterates the growing threat to critical infrastructure and IoT devices, making immediate firmware updates essential.
This is particularly dangerous in manufacturing, utilities, and healthcare environments where these devices bridge IT and operational systems. A compromised EDS5000 isn’t just a network problem. It’s a gateway to control systems that affect physical operations.
If your organization uses Lantronix EDS5000 devices, patch immediately. This isn’t a theoretical vulnerability. Attackers are actively exploiting it right now.
Read more: https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html
