Cybersecurity Weekly Briefing, 20-26 June

June 26, 2026

Cisco Catalyst SD-WAN 0-day exploited to gain root access in service-provider infrastructure

Mandiant revealed that an unknown actor exploited CVE-2026-20245, a high-severity Cisco Catalyst SD-WAN vulnerability, as a 0-day at least two months before public disclosure. The activity affected the infrastructure of a communications service provider and allowed the attackers to escalate privileges to root through the upload of a malicious CSV file named evil_tenant.csv. After gaining access, the attackers changed administrative credentials, created a hidden account named troot, and exfiltrated SD-WAN network configurations. The operators also restored passwords and modified files, removed traces of the intrusion, and ran validation checks to confirm that the activity had gone unnoticed.

The case highlights the strategic value of SD-WAN controllers as an entry point into high-value network infrastructure.

More info

CISA warns of active exploitation of three critical Ubiquiti UniFi OS vulnerabilities

CISA added three Ubiquiti UniFi OS vulnerabilities to its Known Exploited Vulnerabilities catalog after confirming that they are being used in attacks. CVE-2026-34908 enables access-control bypass and unauthorized system changes; CVE-2026-34909 allows access to sensitive files through path traversal; and CVE-2026-34910 enables operating-system command injection. When chained, the vulnerabilities could allow an unauthenticated remote attacker to fully compromise exposed UniFi OS devices. Ubiquiti released updates to address the flaws, but their inclusion in the KEV catalog means patching should be treated as a priority.

Potentially affected assets include gateways, controllers, recording appliances, and other network components used by organizations and SMB environments.

More info

Operation Endgame disrupts Amadey and StealC infrastructure

A new phase of Operation Endgame disrupted part of the infrastructure used by Amadey and StealC, two malware families sold as services and operated by multiple affiliates. The coordinated action affected around 50 domains and nearly 200 command-and-control servers linked to both threats. Amadey functions as a modular loader capable of deploying additional payloads, stealing credentials, monitoring the clipboard, and enabling remote access; StealC is mainly used to steal credentials, cookies, cryptocurrency wallets, and browser extensions. ESET contributed technical analysis, infrastructure tracking, campaign identifiers, and intelligence on affiliate ecosystems.

Although the operation temporarily reduces their operational capacity, the MaaS structure of both families makes it easier for affiliates to rebuild servers and continue campaigns using new infrastructure.

More info

PixelSmash: FFmpeg vulnerability enables code execution through crafted media files

JFrog identified CVE-2026-8461, known as PixelSmash, an out-of-bounds write vulnerability in FFmpeg’s MagicYUV decoder with a CVSS score of 8.8. The flaw can be triggered when processing crafted AVI, MKV, or MOV files and affects products integrating libavcodec, including media players, video platforms, transcoding servers, NAS appliances, and thumbnail-generation systems. Researchers demonstrated remote code execution against Jellyfin and Nextcloud instances by uploading a malicious AVI file of approximately 50 KB.

The RCE demonstration was conducted with ASLR disabled; with ASLR enabled, the confirmed impact is denial of service. FFmpeg 9.0 fixes the flaw, although its reach may extend to the many services that automatically process user-provided media content.

More info

DifyTap exposes conversations, documents, and cross-tenant data in AI applications

Zafran Labs researchers identified four vulnerabilities in Dify, an open-source platform used to develop and deploy large-language-model applications. The flaw set, named DifyTap, can expose user conversations, uploaded documents, and data belonging to other tenants. Two of the vulnerabilities allow unauthenticated access and information theft, while others affect tracing mechanisms, the Plugin Daemon, and document-preview functions. One of the flaws could enable attackers to manipulate tracing configurations and redirect conversations and responses to attacker-controlled infrastructure.

Dify fixed the vulnerabilities in version 1.14.2. The case illustrates the risks created by insufficient isolation and weak access controls in multi-tenant artificial intelligence platforms.

More info