eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 9 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-05

TL;DR - Cisco disclosed an actively exploited SD-WAN zero-day with root impact. - Defenders should prioritize edge devices, package ecosystems, and exposed web apps. - Urgency is high for internet-facing infrastructure and vulnerable plugins.

Top Stories

Cisco warns of unpatched SD-WAN zero-day exploited in attacks

Cisco warned of active exploitation of an unpatched flaw in Cisco Catalyst SD-WAN Manager, tracked as CVE-2026-20245, that can lead to root privilege escalation. This is the most operationally important item in today’s digest because it affects a network management platform that is commonly internet-reachable in real-world deployments. Source: BleepingComputer.

Why it matters:
A compromise of SD-WAN management infrastructure can cascade into device control, credential theft, configuration tampering, and long-term network persistence.

What to do now: - Identify all Cisco Catalyst SD-WAN Manager instances, especially externally accessible ones. - Restrict management interfaces to VPN or admin jump hosts immediately. - Review admin account changes, new SSH keys, scheduled tasks, and unexpected root-level activity. - Capture backups of configs and logs before making major remediation changes.

Leadership and policy watch: possible CISA leadership shift

Reporting indicates Trump is considering a Palantir executive to lead CISA. Source: Google News / The Record.

Why it matters:
This is not an immediate technical issue, but security teams that depend on CISA guidance, grants, joint advisories, and critical infrastructure coordination should monitor for strategic changes.

TA4922 expands cybercrime activity globally

Dark Reading reports that China-linked TA4922 is expanding cybercrime attacks globally. Source: Google News / Dark Reading.

Why it matters:
The practical takeaway is to expect overlap between espionage tradecraft and financially motivated intrusion methods, especially phishing, malware staging, and credential harvesting.

What to do now: - Review email security controls and user reporting workflows. - Hunt for unusual outbound connections from user workstations. - Revalidate MFA enrollment, conditional access, and impossible-travel alerting.

Hola Browser for Windows compromised in supply-chain attack

Researchers found the Windows version of Hola Browser was compromised to deliver an undeclared executable identified as a crypto miner. Source: BleepingComputer.

Why it matters:
This is a reminder that endpoint software outside standard enterprise allowlists can become a software supply-chain risk, even when the payload is “only” cryptomining. Secondary payloads are always possible.

Immediate actions: - Search software inventory for Hola Browser installations on Windows. - Isolate endpoints showing unexplained CPU spikes, GPU use, or mining pool traffic. - Review EDR telemetry for child processes, unsigned binaries, and persistence changes after browser updates.

Magecart campaign abuses Stripe infrastructure

A new web skimming campaign is abusing Stripe’s API infrastructure to host both payment theft payloads and exfiltrated data. Source: BleepingComputer.

Why it matters:
Security teams often trust well-known cloud and payment domains by default. Abuse of legitimate infrastructure makes domain-based blocking less effective and increases dwell time.

What merchants should do now: - Review third-party JavaScript on checkout pages. - Enforce Content Security Policy and Subresource Integrity where feasible. - Monitor for unauthorized script changes in ecommerce themes, plugins, and tag managers. - Inspect outbound requests from payment pages, even if they target reputable services.

DentaQuest breach reportedly exposed 2.6 million accounts

BleepingComputer reports that sensitive data tied to 2.6 million accounts was exposed in the DentaQuest breach. Source: BleepingComputer.

UN World Food Programme breach affects self-registration app

The UN World Food Programme disclosed a breach affecting its Palestine self-registration application and approximately 600,000 Gaza households. Source: BleepingComputer.

Why both matter:
These incidents reinforce that identity data, benefits data, and humanitarian records remain high-value targets. Organizations holding sensitive PII should review segmentation, data retention, and access logging.

IronWorm malware hits 36 npm packages

A supply-chain campaign infected 36 npm packages with infostealer malware called IronWorm. Source: BleepingComputer.

Why it matters:
Developer environments remain one of the fastest paths to cloud compromise because browser tokens, SSH keys, npm tokens, and CI secrets are often present on developer workstations.

What to do now: - Audit recently installed or updated npm packages in CI and developer environments. - Revoke and rotate exposed secrets, especially npm, Git, cloud, and signing credentials. - Enable lockfile review and package reputation checks in the build pipeline.

Critical Vulnerabilities

CVE-2026-43986: Tautulli unauthenticated SSRF via public image route

Tautulli versions prior to 2.17.1 expose a public /image/<hash> route that can be abused for persistent unauthenticated SSRF after a low-privilege user seeds a malicious URL into the lookup table. CVSS 9.9. References: release notes, advisory.

Risk:
This can turn an authenticated low-privilege action into an internet-reachable SSRF primitive, potentially exposing internal metadata services, admin panels, or cloud endpoints.

Action: - Upgrade to Tautulli 2.17.1 or later. - Restrict guest or low-trust access. - Review outbound HTTP requests from the Tautulli/Plex host to internal IP space, link-local addresses, and cloud metadata endpoints.

Technical Notes

Example detection ideas for suspicious SSRF destinations in reverse proxy or application logs:

grep -E '(/image/.*\.png)|169\.254\.169\.254|127\.0\.0\.1|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[0-1])\.' /var/log/nginx/access.log

Example egress controls on Linux hosts using nftables to block cloud metadata access from application servers:

nft add rule inet filter output ip daddr 169.254.169.254 drop

CVE-2026-4104: TeknoPass SQL injection through authorization bypass

TeknoPass is affected by an authorization bypass through a user-controlled SQL primary key issue that allows SQL injection. CVSS 9.8. Reference: TR-26-0309 advisory.

Risk:
This is the kind of issue that can become full database compromise quickly if the affected interface is public or weakly segmented.

Action: - Locate affected TeknoPass deployments from versions 20210501 through 20260429. - Restrict access to management interfaces. - Review WAF, database, and app logs for authentication bypass and anomalous query patterns. - If exposure is confirmed, assume credential and data access may have occurred.

Technical Notes

Simple SQLi and auth-bypass triage patterns:

grep -Ei "union select|sleep\(|or 1=1|information_schema|benchmark\(|xp_cmdshell|%27|%22" /var/log/nginx/access.log

Look for response code changes that suggest bypass and data extraction:

awk '{print $7, $9}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head

CVE-2019-25727: WordPress ad manager wd arbitrary file download

WordPress Plugin ad manager wd 1.0.11 contains an unauthenticated arbitrary file download issue through edit.php with export=export_csv and a manipulated path parameter. CVSS 9.8. References: Exploit-DB, advisory summary.

Risk:
This can expose wp-config.php, database credentials, salts, and other sensitive files accessible to the web server.

Action: - Remove or replace the plugin if still present. - Review web logs for requests hitting edit.php with export=export_csv and suspicious path traversal strings. - Rotate WordPress database credentials and auth salts if compromise is suspected.

CVE-2019-25729: PDF Signer 3.0 server-side template injection

PDF Signer 3.0 contains an unauthenticated server-side template injection vulnerability via the CSRF-TOKEN cookie parameter, potentially enabling code execution. CVSS 9.8. References: Exploit-DB, advisory summary.

Risk:
If this product is still deployed, treat it as internet-facing RCE risk.

Action: - Remove public exposure immediately. - Search for suspicious cookie values and template-expression syntax in logs. - Inspect for web shells, spawned shell commands, and modified application files.

CVE-2019-25738: WordPress Hybrid Composer unauthenticated option changes

WordPress Hybrid Composer 1.4.6 allows unauthenticated attackers to change settings via admin-ajax.php and hc_ajax_save_option, potentially enabling user registration and setting administrator as the default role. CVSS 9.8. References: Sucuri research, Exploit-DB.

Risk:
This is effectively a site takeover path if registration and default role changes are successful.

Action: - Remove or upgrade the plugin if still installed. - Check WordPress options for unauthorized changes to users_can_register and default_role. - Review recently created administrator accounts and reset all admin passwords if abuse is detected.

Technical Notes

WordPress triage commands:

wp option get users_can_register
wp option get default_role
wp user list --role=administrator --fields=ID,user_login,user_email,registered

Search access logs for common exploit paths:

grep -E "admin-ajax\.php|edit\.php" /var/log/apache2/access.log | grep -E "hc_ajax_save_option|export=export_csv|path="

What Defenders Should Do Today

1) Prioritize internet-facing management systems

Start with SD-WAN, remote management, VPN, hypervisor, and SSO admin portals. Today’s Cisco item is a reminder that management planes remain prime targets.

Checklist: - Remove direct internet exposure where possible. - Enforce MFA and source-IP restrictions. - Capture volatile evidence before emergency patching if compromise is suspected.

2) Audit third-party software and package ecosystems

Today’s Hola Browser and npm stories show the same pattern through different channels: trusted software becomes the intrusion path.

Checklist: - Inventory nonstandard endpoint software. - Review recent package additions and updates in npm environments. - Rotate developer and CI secrets after any suspected package compromise.

3) Revisit ecommerce and web app integrity controls

Magecart remains effective because many organizations still lack robust monitoring of client-side changes.

Checklist: - Baseline all checkout-page JavaScript. - Alert on changes to script sources and inline handlers. - Test CSP enforcement in report-only mode, then tighten.

4) Hunt for signs of credential and configuration abuse

Several items today involve admin control, privilege escalation, or settings manipulation.

High-value indicators: - New local or app admin accounts - Unexpected role changes - New scheduled tasks or cron jobs - Outbound connections from servers to unusual destinations - Web requests with traversal, SSTI, SQLi, or admin-ajax abuse patterns

Technical Notes

Starter hunting commands for Linux servers:

lastlog | head
crontab -l
systemctl list-timers --all
find /var/www -type f -mtime -2
ss -plant
journalctl --since "24 hours ago"

Basic web shell and suspicious PHP scan:

find /var/www -type f \( -name "*.php" -o -name "*.phtml" \) -mtime -7 -print
grep -RniE "base64_decode|eval\(|shell_exec|system\(|passthru\(|assert\(" /var/www

Bottom Line

The biggest immediate operational issue is the actively exploited Cisco SD-WAN Manager zero-day reported today. Close behind are the supply-chain risks in Windows software and npm, plus old but still dangerous web application flaws that may persist in forgotten systems.

For most teams, the right order of operations today is simple: 1. Lock down exposed management interfaces. 2. Patch or isolate affected apps and plugins. 3. Hunt for suspicious admin, package, and outbound network activity. 4. Rotate secrets if developer tooling or web apps may have been exposed.

Learn more about cybersecurity risks and strategies in our glossary of cybersecurity terms and find out how to perform a cybersecurity risk assessment step-by-step.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```

Last verified: 2026-06-05

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.