eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 8 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-01

TL;DR - Microsoft fixed KB5089549 install failures, while WP Maps Pro exploitation and a reported Netlogon threat deserve immediate review. - Teams running OTRS, Teamwork Cloud, WordPress, or legacy routers should validate exposure now. - Prioritize internet-facing apps, unsupported devices, and admin-account abuse checks today.

Top Stories

Microsoft fixes KB5089549 Windows security update install issues

Microsoft has resolved a known issue causing some Windows 11 systems to fail when installing the May 2026 security update KB5089549, including errors such as 0x800f0922 (BleepingComputer).

Why it matters:
Patch reliability is a security issue. If endpoints silently fail or roll back security updates, defenders can end up with exposure they believe is already remediated.

What to do now: - Recheck deployment dashboards for failed or pending KB5089549 installs. - Confirm remediation on devices that previously showed 0x800f0922. - Validate patch state with both endpoint tooling and OS-level verification.

WP Maps Pro bug exploited to create admin accounts on WordPress sites

Attackers are actively targeting vulnerable WP Maps Pro plugin installations to create unauthorized administrator accounts without authentication, according to BleepingComputer (source).

Why it matters:
This is a direct path to full site compromise. Once attackers create an admin account, they can install malicious plugins, alter theme files, redirect traffic, steal data, or establish persistence.

What to do now: - Identify WordPress sites running WP Maps Pro. - Update or disable the plugin immediately. - Audit WordPress admin users for unexpected additions. - Review web server and CMS logs for account creation and plugin installation events.

Reported Windows Netlogon 0-click RCE exploitation

A CyberSecurityNews report says a Windows Netlogon zero-click RCE vulnerability is being actively exploited in the wild (Google News link).

Why it matters:
Netlogon sits in a highly sensitive part of Windows environments. If exploitation claims are confirmed in your environment or by your primary vendors, domain-wide impact is possible.

What to do now: - Treat this as a validation task, not a headline-only patch decision. - Check your vulnerability management feed, Microsoft advisories, and EDR detections for corroboration. - Increase monitoring on domain controllers and systems handling authentication traffic. - Escalate any anomalous Netlogon service behavior for immediate triage.

Carnival discloses passenger data exposure after cybersecurity incident

ABC11 reports Carnival said a cybersecurity incident affected passenger information, including passport details in some cases (Google News link).

Why it matters:
Travel and hospitality datasets often contain high-value identity attributes useful for fraud, account takeover, and social engineering.

What to do now: - If you support travel, hospitality, or booking systems, review data minimization and retention policies. - Reassess whether passport and identity fields are encrypted at rest and tightly access-controlled. - Monitor for downstream phishing campaigns referencing bookings or travel itineraries.

Policy and regulatory developments to watch

Several sector and policy developments are worth tracking: - Anthropic will reportedly provide the EU cybersecurity agency access to Mythos (Google News link). - New Zealand’s budget includes funding for digital health upgrades and cybersecurity (Google News link). - Help Net Security highlights growing compliance pressure on EU organizations (Google News link).

Why it matters:
For defenders, compliance pressure is increasingly translating into control validation, evidence retention, and governance around AI, identity, and incident reporting.

Critical Vulnerabilities

CVE-2026-7858: Teamwork Cloud and Magic Collaboration Studio unauthenticated RCE

  • CVSS: 9.8
  • Affected products: Teamwork Cloud from No Magic Release 2022x through 2026x, and Magic Collaboration Studio from CATIA Magic Release 2022x through 2026x
  • Issue: Deserialization of untrusted data can lead to unauthenticated remote code execution
  • Reference: 3DS security advisory

Defender takeaway:
If these platforms are internet-accessible or reachable from less trusted internal segments, move this to the top of the queue. Unauthenticated RCE on collaboration infrastructure can rapidly become a foothold for lateral movement.

Immediate actions: - Identify exposed Teamwork Cloud and Magic Collaboration Studio instances. - Apply vendor fixes or mitigations from the advisory. - Restrict network access until patching is verified. - Hunt for suspicious process launches, child processes, and unusual service behavior on affected hosts.

CVE-2026-48188: OTRS unauthenticated SQL injection leading to auth bypass

  • CVSS: 9.1
  • Affected products: OTRS 7.0.X, 8.0.X, 2023.X, 2024.X, 2025.X, 2026.X before 2026.4.X, and ((OTRS)) Community Edition 6.0.x
  • Condition: The issue applies when MySQL or MariaDB is configured with NO_BACKSLASH_ESCAPES SQL mode
  • Reference: OTRS Security Advisory 2026-02

Defender takeaway:
This is not just an app patching problem. Exposure depends partly on database configuration, so security and database teams need to validate both the application version and SQL mode settings.

Immediate actions: - Inventory OTRS and OTRS-derived deployments. - Check database SQL mode for NO_BACKSLASH_ESCAPES. - Patch affected versions, especially internet-facing help desk systems. - Audit for anomalous authentication events and suspicious ticketing-system access.

  • CVSS: 9.8
  • Affected product: Totolink N300RH 6.1c.1353_B20190305
  • Component: wireless.so, function setWiFiBasicConfig
  • Issue: Remote stack-based buffer overflow via the KeyStr argument
  • Reference: VulDB entry

Defender takeaway:
This is most relevant where low-cost routers remain deployed in small offices, branch sites, or unmanaged environments. Public exploit availability increases practical risk, especially for internet-exposed admin interfaces.

Immediate actions: - Identify Totolink devices in edge locations and SMB environments. - Remove management interfaces from internet exposure. - Replace unsupported or untrusted network gear where feasible. - Review firewall rules and management VLAN segmentation.

CVE-2026-10179 and CVE-2026-10181: TRENDnet TEW-432BRP remote overflows on EOL hardware

  • CVSS: 8.8 each
  • Affected product: TRENDnet TEW-432BRP 3.10B20
  • Issues: Stack-based buffer overflows in /goform/formSetWlanEncrypt and /goform/formSysCmd
  • References: CVE-2026-10179, CVE-2026-10181

The vendor response, as recorded in the CVE description, says the product has been EOL since 2009 and is unsupported.

Defender takeaway:
These findings are a reminder that legacy network devices are often unpatchable risk. If they are still present, the right answer is usually replacement, not compensating controls alone.

What Defenders Should Do Today

1. Validate patching success, not just patch deployment

Windows teams should confirm KB5089549 actually installed on targeted devices rather than assuming the rollout completed successfully (BleepingComputer).

Technical Notes

Use PowerShell to verify update presence on endpoints:

Get-HotFix -Id KB5089549

For broader validation in enterprise scripting:

$kb = "KB5089549"
if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
  Write-Output "$kb installed"
} else {
  Write-Output "$kb missing"
}

Common eventing to review during failed Windows update installs:

Error code: 0x800f0922
CBS.log
WindowsUpdate.log
Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> WindowsUpdateClient

2. Hunt for rogue WordPress administrators

Because the WP Maps Pro issue allows unauthorized admin creation, focus on account integrity first, then plugin patching (BleepingComputer).

Technical Notes

WP-CLI can quickly enumerate admins:

wp user list --role=administrator --fields=ID,user_login,user_email,registered

Search for recently added users:

wp user list --fields=ID,user_login,user_email,registered --format=csv | sort

Check plugins and versions:

wp plugin list

Review web logs for suspicious account creation or plugin writes:

grep -Ei "wp-admin|user_new|admin|plugin-install|theme-editor" /var/log/nginx/access.log
grep -Ei "wp-admin|user_new|admin|plugin-install|theme-editor" /var/log/apache2/access.log

3. Prioritize internet-facing collaboration and ticketing platforms

Teamwork Cloud and OTRS are business-critical platforms that often sit close to users, partners, or support channels. That makes them attractive entry points.

Recommended triage order: 1. Internet-facing Teamwork Cloud / Magic Collaboration Studio 2. Internet-facing OTRS and community forks 3. Internal-only instances with external identity or VPN access 4. Legacy edge routers and branch devices

Technical Notes

Quick Linux exposure checks for listening services:

ss -tulpn

Reverse proxy and access log review for suspicious requests:

grep -Ei "POST|/api|/login|/rpc|/rest" /var/log/nginx/access.log
grep -Ei "POST|/api|/login|/rpc|/rest" /var/log/apache2/access.log

If OTRS uses MySQL or MariaDB, verify SQL mode carefully:

SELECT @@GLOBAL.sql_mode;
SELECT @@SESSION.sql_mode;

Look specifically for:

NO_BACKSLASH_ESCAPES

4. Remove or isolate unsupported routers

The Totolink and TRENDnet issues are a practical reminder to clean up forgotten infrastructure. Unsupported routers frequently survive in branch offices, labs, temporary sites, and small-business networks long after formal refresh cycles.

Immediate steps: - Export asset inventory for router and wireless edge devices. - Flag EOL hardware with internet-reachable admin interfaces. - Move management access behind VPN or dedicated jump hosts. - Replace devices with supported hardware on a defined deadline.

Technical Notes

Basic nmap discovery for web management interfaces:

nmap -Pn -p 80,443,8080,8443 192.168.0.0/16

Search configuration backups or inventories for known models:

grep -R "N300RH\|TEW-432BRP" /srv/network-inventory/

5. Treat headline exploitation claims as a trigger for validation

The reported Netlogon exploitation item is important, but defenders should verify through primary advisories, internal telemetry, and trusted vendor channels before making architecture-impacting changes based only on an aggregated report (Google News link).

Technical Notes

Useful Windows checks on domain controllers and related systems:

Get-Service Netlogon
Get-WinEvent -LogName System -MaxEvents 200 | ? {$_.Message -match "Netlogon"}

Review security logs for authentication anomalies:

Get-WinEvent -LogName Security -MaxEvents 500 | ? {$_.Id -in 4624,4625,4672,4740}

Bottom Line

The practical priorities for June 1 are clear:

  • Confirm Windows patch success for KB5089549, especially on systems that previously failed.
  • Audit WordPress administrators immediately if WP Maps Pro is present.
  • Patch or isolate Teamwork Cloud and OTRS where affected.
  • Replace unsupported routers instead of trying to live with permanent exposure.
  • Verify reported active exploitation claims with your own telemetry and primary vendor guidance before acting at scale.

For many teams, the highest-risk pattern today is not one single bug. It is the combination of internet-facing business apps, weak plugin hygiene, and forgotten infrastructure that cannot be patched at all.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```

Last verified: 2026-06-01

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.