eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 11 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-08
Week of 8 JUN 2026

TL;DR - 20,225 Instagram accounts were hijacked via abuse of Meta’s AI-powered support workflow. - Defenders should prioritize exposed WordPress sites, internet-facing routers, and help desk social engineering defenses. - Urgency is high for vulnerable WordPress installs and any unmanaged edge devices.

Top Stories

1) More than 20,000 Instagram accounts hijacked in Meta AI support incident

Meta disclosed that attackers abused an AI-powered support process to reset passwords and hijack 20,225 Instagram accounts, according to BleepingComputer (source).

Why this matters

This is not just another consumer account takeover story. It highlights a growing operational risk: attackers are now targeting automated support and account recovery workflows, not only passwords and sessions. For organizations that run AI-assisted support desks, password reset bots, or automated identity verification, the lesson is direct: any workflow that can change account state is part of the attack surface.

What to do now

  • Review all automated support actions that can reset credentials, MFA methods, email addresses, or recovery channels.
  • Require stronger verification for high-risk actions, especially when recovery details change.
  • Alert on bursts of password reset approvals, atypical support interactions, and resets originating from new geographies.
  • For brand, creator, and executive social accounts, confirm MFA is enforced and recovery contacts are correct.
  • If you manage social media for clients, audit for recent password reset emails and unexpected session changes.

Technical Notes

Look for account recovery anomalies in identity and support platform logs:

event_type=password_reset
actor_type=automation OR actor_type=support_workflow
risk_signal=new_device,new_ip,geo_velocity
target=high_value_account
result=success

Useful detection ideas:

SELECT account_id, COUNT(*) AS reset_count
FROM support_workflow_events
WHERE action IN ('password_reset','recovery_email_change')
  AND ts > NOW() - INTERVAL '24 hours'
GROUP BY account_id
HAVING COUNT(*) > 3;

2) C0XMO botnet targets DD-WRT routers and removes rival malware

BleepingComputer reports that the C0XMO botnet, a new Gafgyt variant, is spreading through a DD-WRT router flaw and includes routines to kill competing malware on infected systems (source).

Why this matters

Compromised routers remain attractive because they are internet-facing, often unmonitored, and rarely patched on time. A botnet that can spread across architectures and clean out rivals is built for persistence and scale. For SMBs and branch offices, this is a practical reminder that edge devices are often the weakest link.

What to do now

  • Inventory all DD-WRT and similar embedded devices exposed to the internet.
  • Restrict remote administration to VPN-only access.
  • Review firmware versions and patch or replace unsupported hardware.
  • Rebooting alone is not sufficient; check startup persistence and management settings.
  • Watch for egress traffic anomalies, especially outbound scans or command-and-control connections from routers.

Technical Notes

Quick triage steps for Linux-based router infrastructure:

# Identify internet-exposed management interfaces
nmap -Pn -p 22,23,80,443,8080,8443 <router-subnet>

# Hunt for suspicious outbound connections
ss -plant
netstat -plant 2>/dev/null

# Review startup/persistence locations on Linux-based systems
ls -la /etc/init.d/
ls -la /etc/rc.local
find /tmp -type f -mtime -2

Look for common indicators of embedded compromise:

- Unexpected telnet enablement
- Unknown processes running from /tmp
- Repeated outbound connections to rare IPs over high ports
- iptables changes not made by admins
- Cron entries or init scripts added without change tickets

3) Silent Ransom Group uses fake IT support calls against law firms

BleepingComputer says the Silent Ransom Group is targeting U.S. law firms and professional services organizations with fake IT support calls that quickly lead to data theft and extortion (source).

A related report highlighted by Google News and The Hacker News says UNC3753 used vishing and physical intrusions in U.S. data theft extortion activity (source).

Why this matters

This is a help desk and user trust problem as much as a malware problem. Attackers are bypassing controls by convincing employees to grant remote access or surrender credentials. For firms handling sensitive client data, speed matters: once a user accepts the pretext, exfiltration can begin within hours.

What to do now

  • Require callback validation using an internal directory for all unsolicited IT support contacts.
  • Ban ad hoc remote access sessions unless initiated through approved ticketing workflows.
  • Add a user-facing rule: no one should install remote tools or approve MFA prompts based on an inbound call.
  • Review remote support tools, browser-based remote admin plugins, and OAuth grants.
  • For legal and professional services firms, monitor for unusual access to document management systems and file shares after support interactions.

Technical Notes

Build detections around remote support tooling and suspicious identity activity:

Signals to watch:
- New installation of remote administration software
- Browser downloads followed by execution from Downloads or Temp
- MFA fatigue or repeated push approvals
- New OAuth consent grants
- Access to large document repositories outside normal working patterns

Windows triage examples:

Get-WinEvent -LogName Security | Where-Object {$_.Id -in 4624,4688} | Select-Object -First 50

Get-ChildItem "$env:USERPROFILE\Downloads" | Sort-Object LastWriteTime -Descending | Select-Object -First 20

Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run

Critical Vulnerabilities

CVE-2023-54352: WordPress Seotheme unauthenticated RCE

  • CVSS: 9.8
  • Issue: Seotheme is described as vulnerable to unauthenticated arbitrary file upload leading to PHP code execution.
  • References: Exploit-DB (source), VulnCheck advisory (source)

So what?

If this theme is deployed and reachable, compromise may be trivial. Unauthenticated file upload to a web-accessible theme directory is often quickly weaponized for webshell placement, follow-on malware, spam operations, or credential theft.

Immediate actions - Identify any WordPress sites using Seotheme. - Remove or disable the vulnerable theme if no fixed version is available from a trusted source. - Search theme directories for unexpected .php files, especially newly created ones. - Rotate WordPress admin, database, and hosting credentials if compromise is suspected.

Technical Notes

Fast hunt on a web server:

find /var/www -path "*/wp-content/themes/*" -name "*.php" -mtime -7
grep -R "eval\|base64_decode\|system\|shell_exec" /var/www/*/wp-content/themes/ 2>/dev/null

Look for suspicious requests in web logs:

POST /wp-content/themes/.../*.php
POST /wp-content/themes/.../upload*
GET /wp-content/themes/.../mar.php

CVE-2024-58348: WordPress Background Image Cropper 1.2 unauthenticated file upload/RCE

  • CVSS: 9.8
  • Issue: The plugin is reported as allowing arbitrary file upload via ups.php, enabling remote code execution.
  • References: WordPress plugin page (source), Exploit-DB (source), VulnCheck advisory (source)

So what?

Plugins with exposed upload endpoints are routinely mass-exploited. If the plugin is installed on internet-facing systems, assume scanning is either underway or imminent.

Immediate actions - Disable the plugin immediately if present. - Block direct web access to plugin upload endpoints where feasible. - Review the plugin directory and uploads path for .php, .phtml, or similarly executable files. - Put vulnerable sites behind WAF rules while you clean up and patch.

Technical Notes

Example Apache hardening for upload directories:

<Directory "/var/www/html/wp-content/uploads">
    php_admin_flag engine off
    Options -ExecCGI
    AllowOverride None
</Directory>

Nginx example to prevent PHP execution in uploads:

location ~* /wp-content/uploads/.*\.php$ {
    deny all;
}

Log pattern to hunt:

POST */wp-content/plugins/background-image-cropper/*/ups.php
200 responses followed by GET requests for uploaded .php files

CVE-2024-58349: WordPress Theme Travelscape arbitrary file upload leading to RCE

  • CVSS: 9.8
  • Issue: Travelscape 1.0.3 is described as vulnerable to unauthenticated arbitrary file upload.
  • References: Exploit-DB (source), VulnCheck advisory (source)

So what?

This is another high-risk WordPress edge-case that becomes a broad exposure problem because themes are often abandoned, inherited from contractors, or left untracked in asset inventory.

Immediate actions - Enumerate all sites using Travelscape 1.0.3. - Remove the theme from inactive but installed environments too, including staging. - Scan for webshells and unauthorized admin users. - Review outbound connections from web servers for post-exploitation activity.

Technical Notes

WP-CLI inventory example:

wp theme list --allow-root
wp plugin list --allow-root
wp user list --allow-root

Search for recently added admin users:

SELECT user_login, user_registered
FROM wp_users
ORDER BY user_registered DESC
LIMIT 20;

CVE-2026-11499: Tenda HG7/HG9/HG10 stack-based buffer overflow

  • CVSS: 9.8
  • Issue: A flaw in formDOMAINBLK within /boaform/formDOMAINBLK may allow remote stack-based buffer overflow through manipulation of blkDomain.
  • References: GitHub reference (source), VulDB entry (source)

So what?

Tenda gear is commonly found in small office and ISP-provided deployments where patch discipline is weak. If management interfaces are internet-exposed, remote exploitation may present a direct path to edge compromise.

Immediate actions - Remove Tenda web admin interfaces from internet exposure. - Restrict access by IP or VPN. - Check for firmware updates or vendor guidance. - If the device is unsupported, replace it rather than relying on filtering alone.

Technical Notes

Quick external exposure validation:

nmap -Pn -p 80,443,8080,7547 <public-ip-range>

Reverse proxy or firewall policy example:

Allow: admin access only from VPN subnet
Deny: all WAN access to router management paths
Monitor: repeated POSTs to /boaform/*

CVE-2026-11498: Tenda HG7/HG9/HG10 web management buffer overflow

  • CVSS: 8.8
  • Issue: A flaw in asp_voip_OtherSet at /boaform/voip_other_set may allow remote stack-based buffer overflow via the funckey_transfer argument.
  • References: GitHub reference (source), VulDB entry (source)

So what?

Even when exploitation details are immature, internet-facing SOHO router management bugs deserve immediate containment because compromise at the perimeter enables traffic interception, DNS tampering, and staging for additional attacks.

Immediate actions - Apply the same exposure reduction steps as CVE-2026-11499. - Disable WAN administration if enabled. - Audit DNS settings, port forwards, and admin accounts for unauthorized changes. - Replace factory credentials everywhere, even on backup devices.

Technical Notes

Configuration checks to prioritize on suspected-compromised routers:

- DNS servers changed to unknown resolvers
- New port forwarding rules
- Unknown admin users
- Remote management re-enabled
- SIP/VoIP settings altered without ticketed change

What Defenders Should Do Today

1) Triage internet-facing WordPress first

The highest immediate defender payoff today is checking WordPress estates for exposed, unmaintained themes and plugins tied to unauthenticated file upload. Prioritize: - Seotheme - Background Image Cropper - Travelscape 1.0.3

If you cannot verify patch status quickly, disable or isolate the affected component and inspect for signs of webshell activity.

2) Lock down edge devices and branch routers

The botnet and Tenda issues both reinforce the same point: unmanaged edge infrastructure is still a prime target.

Action checklist - Disable WAN-side administration. - Restrict management access to VPN or management VLANs. - Patch firmware or replace unsupported devices. - Monitor for unusual DNS, egress, and config changes.

3) Tighten help desk and support workflows

The Meta and vishing-related stories show how support channels are becoming direct attack paths.

Action checklist - Require ticket numbers and callback verification. - Add step-up verification for account recovery and credential resets. - Train staff not to trust inbound support calls. - Review all tooling that can remotely access endpoints or identity platforms.

4) Hunt for post-exploitation indicators

If you operate WordPress or embedded edge devices, assume opportunistic scanning is active.

Priority hunt areas - Newly created PHP files in web roots, theme folders, and upload paths - Web requests to unusual upload endpoints - Router config changes without change tickets - Remote support tool installations - Unusual access to sensitive file repositories after support contacts

Technical Notes

Sample bash one-liners for rapid webshell triage:

find /var/www -type f -name "*.php" -mtime -3
find /var/www -type f \( -name "*.php" -o -name "*.phtml" \) | xargs grep -l "base64_decode\|eval\|assert\|shell_exec" 2>/dev/null
grep -R "POST .*ups.php\|POST .*boaform" /var/log/nginx /var/log/apache2 2>/dev/null

Sample Sigma-style logic ideas:

title: Suspicious PHP File Upload Followed by Execution
logsource:
  category: webserver
detection:
  selection_upload:
    cs-method: POST
    cs-uri-stem|contains:
      - "/ups.php"
      - "/wp-content/themes/"
  selection_exec:
    cs-method: GET
    cs-uri-stem|endswith: ".php"
  condition: selection_upload and selection_exec
level: high

Bottom Line

Today’s most actionable cybersecurity threats center on three themes: insecure automated support workflows, social engineering through fake IT assistance, and easily exploitable edge-facing software. For most defenders, the right sequence is simple: audit WordPress exposures, lock down routers, and harden support-driven account recovery and remote access processes.

Additional Resources

For more information on cybersecurity best practices, check out our articles on vulnerability management and data governance.

Sources

  • BleepingComputer: Meta AI support incident affecting Instagram accounts (source)
  • BleepingComputer: C0XMO botnet targeting DD-WRT routers (source)
  • BleepingComputer: Silent Ransom Group fake IT support calls (source)
  • Google News / The Hacker News item on UNC3753 (source)
  • Exploit-DB and VulnCheck references for CVE-2023-54352 (source), (source)
  • WordPress, Exploit-DB, and VulnCheck references for CVE-2024-58348 (source), (source), (source)
  • Exploit-DB and VulnCheck references for CVE-2024-58349 (source), (source)
  • GitHub and VulDB references for CVE-2026-11499 (source), (source)
  • GitHub and VulDB references for CVE-2026-11498 (source), (source)

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-06-08

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.