eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Critical CVEs

Threat digests 9 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-06

TL;DR - Serv-U exploitation is now active and CISA added the flaw to KEV. - Multiple critical CVEs need triage now, including identity, web app, and network device issues. - Prioritize internet-facing assets, exposed OT, and suspicious login or token activity today.

Top Stories

SolarWinds Serv-U flaw now actively exploited

CISA confirmed active exploitation of CVE-2026-28318, an uncontrolled resource consumption vulnerability in SolarWinds Serv-U, and added it to the Known Exploited Vulnerabilities catalog (CISA). BleepingComputer reports attackers are using the bug to crash servers, turning this into an immediate availability and operational risk for exposed file transfer infrastructure (BleepingComputer).

Why it matters:
Serv-U is commonly internet-facing. Even if exploitation currently appears focused on service disruption, defenders should assume attackers may expand tradecraft once broad scanning identifies vulnerable hosts.

What to do next: - Patch or mitigate Serv-U immediately. - Review crash events, service restarts, and inbound request anomalies. - Restrict external exposure if the service is not strictly required.

Suspicious login prompts hit Toshiba and Muji sites

Visitors to Toshiba and Muji websites were warned about suspicious sign-in prompts that may have been collecting credentials, in a case linked to suspicious Polyfill-style behavior (BleepingComputer).

Why it matters:
This is another reminder that third-party script trust remains a major web risk. Even legitimate brands can become delivery points for credential phishing if frontend assets are tampered with.

What to do next: - Review third-party JavaScript dependencies across public sites. - Hunt for unauthorized login overlays, injected forms, and unexpected DOM changes. - Enable CSP reporting and monitor for new script origins.

Chinese APT expands Microsoft 365 persistence

BleepingComputer reports UNC5221 used the Brickstorm backdoor and previously undocumented malware called Plenet and AgentPSD to maintain access in compromised environments, including Microsoft 365-linked operations (BleepingComputer).

Why it matters:
Persistence in cloud identity and messaging environments often survives endpoint cleanup. If your incident response playbook is still endpoint-centric, this kind of tradecraft will outlast basic remediation.

What to do next: - Audit OAuth applications, service principals, mailbox rules, and delegated permissions. - Review sign-ins by geography, token use, and rare user agents. - Validate that incident response covers cloud identity persistence, not just malware removal.

Over 900 gas station tank gauge systems exposed online

Researchers found more than 900 automatic tank gauge systems exposed online in the U.S., creating risks for fuel monitoring and potentially broader operational disruption across critical infrastructure environments (BleepingComputer).

Why it matters:
These are not just “random embedded devices.” Exposed industrial and operational technology systems often bridge safety, environmental, and business continuity concerns.

What to do next: - Identify externally reachable OT and building/industrial systems now. - Remove direct internet exposure and enforce VPN or jump-host access. - Coordinate with operations teams before making changes that affect monitoring workflows.

Critical Vulnerabilities

CVE-2026-49777: Product Slider Pro for WooCommerce backdoor risk

  • CVSS: 10.0
  • Affected: Product Slider Pro for WooCommerce before 3.5.3
  • Issue: Patchstack describes an improper validation issue that allows malicious software implantation and notes that no reliably versioned patched release is available because the vendor reportedly fixed code without publishing a new version number (Patchstack).

Defender takeaway:
Treat this as a supply chain and integrity problem, not just a normal plugin patching task. If you cannot verify the exact fixed files, remove or isolate the plugin.

Immediate actions: - Disable the plugin if business impact is acceptable. - Compare installed files against a known-good source. - Review WordPress admin users, scheduled tasks, and web shell indicators.

CVE-2026-46389: UDS Identity Config client authentication bypass

  • CVSS: 10.0
  • Affected: UDS Identity Config 0.11.0 through 0.26.0
  • Issue: A logic error in the client-kubernetes-secret authenticator can let an attacker authenticate as a client using any client_secret if they know a valid client_id, potentially obtaining OAuth2 tokens scoped to the client service account (GitHub release, GHSA advisory).

Defender takeaway:
This is high impact because it targets identity trust boundaries. If exposed, it can cascade into client modification and privilege expansion.

Immediate actions: - Upgrade to 0.26.1. - Rotate client secrets for affected clients. - Audit token issuance and admin changes to clients in Keycloak.

CVE-2026-45744: Termix command injection

  • CVSS: 9.9
  • Affected: Termix before 2.3.2
  • Issue: The /ssh/file_manager/ssh/resolvePath endpoint is vulnerable to OS command injection through command substitution, allowing authenticated users with an active SSH file manager session to execute arbitrary commands on the connected remote host (GitHub release, GHSA advisory).

Defender takeaway:
This turns a management workflow into remote code execution on downstream systems. Environments using shared admin tools should treat this as lateral movement risk.

Immediate actions: - Upgrade to 2.3.2. - Review who had authenticated access to Termix. - Hunt for suspicious shell execution on managed hosts.

CVE-2026-6274: Redline WR3200 weak authentication

  • CVSS: 9.8
  • Affected: Redline WR3200 before 7.1.8
  • Issue: Improper authentication and missing authentication for critical functions may allow access beyond intended ACL constraints (advisory).

Defender takeaway:
Network edge and wireless infrastructure flaws can become quiet persistence points. If these devices are reachable from untrusted networks, patching urgency is high.

Immediate actions: - Upgrade to 7.1.8 or later. - Restrict administrative interfaces to management networks. - Check device configs for unauthorized changes.

CVE-2025-71317: NetMan 204 hard-coded backdoor credentials

  • CVSS: 9.8
  • Affected: NetMan 204
  • Issue: A hard-coded account with username and password eurek can grant administrative access via the login CGI endpoint, enabling config changes and service enablement such as Telnet or SSH (Exploit-DB, VulnCheck summary, vendor downloads page).

Defender takeaway:
This is exactly the kind of issue attackers love in infrastructure management gear: low complexity, high impact, and often forgotten by standard EDR coverage.

Immediate actions: - Remove internet exposure immediately. - Check whether Telnet or SSH was enabled unexpectedly. - Review access logs and configuration history.

What Defenders Should Do Today

1) Prioritize internet-facing services with active exploitation

Start with: - SolarWinds Serv-U - Public WordPress instances with commercial plugins - Externally reachable identity and admin portals - Network appliances and embedded management interfaces

Use a quick triage list: - Is it internet-facing? - Is there evidence of exploitation or public advisory attention? - Does exploitation lead to auth bypass, RCE, backdoor access, or service disruption?

2) Hunt for identity abuse, not just malware

The UDS Identity Config issue and UNC5221 reporting both reinforce the same point: identity-layer abuse can be more damaging than commodity malware.

Focus on: - Unexpected client token issuance - New OAuth apps or client changes - Service account activity outside baseline - Refresh token patterns from unusual IP ranges

3) Reassess third-party web script trust

The suspicious login prompt incidents affecting major brands show why frontend monitoring should be operationalized, not left as a one-time security review.

Minimum controls: - Content Security Policy with reporting - Subresource Integrity where feasible - Alerting on newly loaded script origins - Baselines for DOM changes on auth-related pages

4) Find and remove exposed OT and industrial systems

The exposed tank gauge story is a practical warning for any organization with facilities, fuel systems, building controls, or environmental monitoring.

Today’s checklist: - Enumerate externally accessible OT/IoT systems. - Confirm which ones are intentionally exposed. - Move management access behind VPN or private connectivity. - Document compensating controls where immediate segmentation is not possible.

Technical Deep Dive

Technical Notes: Serv-U crash and exploitation triage

If you run Serv-U, start by reviewing service health, recent crashes, and repeated requests from the same sources.

# Linux examples
journalctl -u serv-u --since "48 hours ago"
grep -Ei "crash|fatal|restart|exception" /var/log/* 2>/dev/null

# Check listening services and external exposure
ss -tulpn | grep -i serv
# Windows examples
Get-WinEvent -LogName Application | Where-Object {
  $_.TimeCreated -gt (Get-Date).AddDays(-2)
} | Select-Object TimeCreated, ProviderName, Id, LevelDisplayName, Message

Get-Service | Where-Object {$_.Name -match "Serv-U"}

Look for: - Repeated service termination and restart cycles - Spikes in requests before crashes - Source IP concentration against Serv-U endpoints

Technical Notes: Web injection and fake login prompt hunting

Search your frontend code and CSP reports for unauthorized domains and injected overlays.

<!-- Example CSP header -->
Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://trusted-cdn.example;
  object-src 'none';
  base-uri 'self';
  frame-ancestors 'none';
  report-uri https://csp-report.example/report;
// Example browser-side indicator hunting pattern
document.querySelectorAll('form, iframe, .modal, [role="dialog"]').forEach(el => {
  if ((el.innerText || '').match(/sign in|login|password/i)) {
    console.log('Review auth-like element:', el);
  }
});

Review for: - New modal dialogs requesting credentials - Off-domain form actions - Recently changed JavaScript includes - Obfuscated inline script additions

Technical Notes: Keycloak and token abuse checks

For environments using the affected UDS component, review token and client activity around the Keycloak token endpoint.

# Example grep for token endpoint access in reverse proxy logs
grep -E "/realms/.*/protocol/openid-connect/token" /var/log/nginx/access.log | tail -100
# Look for repeated token requests by client_id
awk '{print $7,$0}' /var/log/nginx/access.log | grep "openid-connect/token" | sort | uniq -c | sort -nr | head

Watch for: - Token requests from unusual IPs - Atypical request volume for service clients - Client admin changes or new secrets after suspicious activity

Technical Notes: Termix exploitation review

Because Termix can bridge an admin UI to downstream shell execution, you need to inspect both the application and the managed remote hosts.

# Example web access log review for the vulnerable endpoint
grep "/ssh/file_manager/ssh/resolvePath" /var/log/nginx/access.log

# Hunt for command substitution artifacts in captured requests
grep -E '\$\(|`' /var/log/nginx/access.log

On connected hosts, look for: - Unexpected shell histories - New cron jobs - New SSH keys - Recently dropped binaries in temp directories

# Host triage examples
find /tmp /var/tmp -type f -mtime -2 2>/dev/null
crontab -l
grep -R "ssh-rsa\|ssh-ed25519" ~/.ssh/authorized_keys /root/.ssh/authorized_keys 2>/dev/null

Technical Notes: Backdoor account exposure checks

For devices impacted by hard-coded or weak credentials, scan for management ports and verify exposure pathways.

# Basic reachability checks from a trusted admin host
nmap -Pn -p 80,443,22,23 <device-subnet>/24

If Telnet is present where it should not be, treat it as suspicious until proven otherwise.

So What Should SMBs and Lean IT Teams Do First?

If you do not have a full threat hunting team, keep today’s priorities simple:

  1. Patch Serv-U now if you use it.
  2. Review internet-facing admin tools for any of the listed critical CVEs.
  3. Disable or verify risky WordPress plugins with unclear patch status.
  4. Check cloud identity logs for unusual token activity.
  5. Remove direct exposure for industrial, facilities, UPS, and network management systems.

Final Takeaway

Today’s threat picture is not about one giant headline. It is about a familiar but dangerous mix: - active exploitation against exposed enterprise software, - critical vulnerabilities in identity and admin tooling, - web trust failures that can steal credentials, and - neglected operational technology sitting on the public internet.

For defenders, the priority is straightforward: internet-facing systems, identity infrastructure, and management planes go first.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```

Last verified: 2026-06-06

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.