eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 9 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-09
Week of 9 JUN 2026

TL;DR - CISA ordered rapid patching for an exploited Check Point VPN flaw, and Google fixed another Chrome zero-day. - Admins should prioritize internet-facing VPNs, browsers, Apache HTTP Server, and exposed management apps. - Urgency is high because multiple issues are either actively exploited or trivial to weaponize.

Top Stories

Check Point VPN bug gets emergency patch deadline

CISA added a critical Check Point Remote Access VPN and Mobile Access vulnerability to its operational priority list and directed U.S. federal agencies to remediate within three days, after reports that Qilin ransomware affiliates were exploiting it in zero-day attacks. This is the kind of issue defenders should treat as an edge-device emergency because exposed VPN infrastructure often becomes an initial access path for ransomware operations. Source: BleepingComputer.

Why it matters:
If you run Check Point remote access services exposed to the internet, assume active scanning and opportunistic exploitation are underway. Even if you are outside the federal space, CISA’s short remediation window is a strong signal of elevated risk.

What to do now: - Identify all internet-facing Check Point VPN and Mobile Access assets. - Apply the vendor-recommended fixes or mitigations referenced in your support portal and internal advisories. - Review authentication logs, admin actions, and unusual session creation around the disclosure window. - Reset credentials and rotate secrets for accounts with VPN or gateway admin access if compromise is suspected.

Google patches another Chrome zero-day exploited in the wild

Google released emergency Chrome updates for a zero-day vulnerability that was exploited in the wild, marking the fifth Chrome zero-day fixed this year according to reporting from BleepingComputer.

Why it matters:
Browser zero-days are high-value because they can deliver code execution or sandbox escape through common user activity. Even targeted exploitation matters for enterprises because a delayed browser patch window gives adversaries time to reuse public indicators and exploit chains.

What to do now: - Force Chrome and Chromium-based browser updates across managed endpoints. - Verify version compliance in EDR, MDM, or endpoint management tooling. - Monitor for suspicious child processes spawned by browsers and anomalous downloads. - Remind users not to postpone browser restarts after updates are deployed.

LiteLLM flaw reportedly exploited in the wild

A report highlighted active exploitation of CVE-2026-42271 in LiteLLM, with claims that it can be chained to unauthenticated remote code execution. Source: The Hacker News via Google News.

Why it matters:
LLM gateways increasingly sit near sensitive API keys, provider credentials, prompts, and internal workflows. An exposed LiteLLM deployment can quickly turn into credential theft, workload hijacking, or deeper lateral movement.

What to do now: - Inventory any LiteLLM instances, especially self-hosted deployments exposed to the internet. - Restrict access behind VPN, SSO, IP allowlists, or a reverse proxy. - Rotate API keys stored in the platform if exposure is possible. - Review upstream maintainer advisories and upgrade guidance before reopening access.

Critical Vulnerabilities

CVE-2026-44631: Apache HTTP Server buffer underwrite

Severity: CVSS 9.8
Affected versions: Apache HTTP Server 2.4.0 through 2.4.67
Fixed version: 2.4.68
Reference: Apache advisory, oss-security post

Apache disclosed a critical buffer underwrite issue triggered by crafted regular expressions in configuration. Because Apache is often internet-facing and heavily embedded in legacy estates, this deserves immediate attention, especially where complex rewrite or regex-driven rules are used.

So what? - Internet-facing web servers may be crashable or potentially exploitable depending on deployment specifics. - Reverse proxies and application front ends are especially important because they sit in front of many downstream applications. - Regex-heavy configuration should be reviewed during patching.

What next? - Upgrade to 2.4.68. - Audit custom configuration blocks that use regular expressions. - Stage the update on representative systems and validate rewrite behavior before broad rollout.

CVE-2026-25555: OpenBullet2 authentication bypass

Severity: CVSS 9.8
Affected versions: through 0.3.2
Reference: HackerNoon write-up, VulnCheck advisory

OpenBullet2 contains an API key authentication bypass where an empty X-Api-Key header can match an empty default admin API key string, giving unauthenticated attackers admin access.

So what? - This is the type of bug that is trivial to weaponize. - Exposed instances should be assumed compromised if reachable before patching and hardening. - Admin console access can expose stored configs, jobs, and downstream credentials.

What next? - Remove public exposure immediately. - Patch or upgrade to a fixed release once available from the project. - Set strong non-default API keys and place the service behind authentication and network controls. - Review admin activity logs and rotate secrets stored in the application.

CVE-2026-52778: YesWiki unsafe execution in calculator field

Severity: CVSS 9.8
Affected versions: prior to 4.6.6
Fixed version: 4.6.6
Reference: GitHub advisory, release notes, fix commit

YesWiki disclosed an unsafe execution flaw in the Bazar form field calculator. The root problem is architectural: user-defined formulas are sanitized and then passed to eval(), creating both ReDoS and potential code execution risk if sanitization is bypassed.

So what? - If your wiki is externally reachable or supports untrusted user input, this is a serious application compromise path. - The use of eval() means any bypass can become full PHP code execution.

What next? - Upgrade to 4.6.6 immediately. - Disable or restrict the affected functionality until patching is complete. - Review web server and PHP logs for suspicious calculator/form submissions.

Additional Risks to Track

UniFi OS unauthenticated root chain

Researchers reported that three fixed vulnerabilities in UniFi OS can be chained to gain unauthenticated root access on affected systems. Source: BleepingComputer.

Action:
Prioritize updates on internet-facing UniFi controllers and verify that management interfaces are not exposed unnecessarily.

Gogs critical zero-day patched

Gogs released a fix for a critical zero-day that could let attackers compromise exposed instances and access repositories, including private repos. Source: BleepingComputer.

Action:
Update immediately, review repository access logs, and rotate credentials or deploy keys if compromise is suspected.

PyPI supply-chain incident hits science packages

A Shai-Hulud campaign trojanized 19 science-focused PyPI packages with malware designed to steal developer secrets. Source: BleepingComputer.

Action:
Audit build pipelines for recent package pulls, inspect CI secrets exposure, and pin dependencies using approved internal mirrors where possible.

Android malware spreads through fake GitHub app updates

NFCShare Android malware is being distributed through fake banking app updates hosted on GitHub. Source: BleepingComputer.

Action:
Advise mobile users to avoid sideloaded updates, monitor MTD alerts, and block unapproved APK installation where enterprise controls exist.

WhatsApp says it disrupted NSO phishing activity

WhatsApp reported it disrupted spear-phishing campaigns linked to NSO Group after investigating user reports of social engineering attacks. Source: BleepingComputer.

Action:
For high-risk staff, reinforce anti-phishing procedures on mobile devices and validate that latest app and OS security updates are installed.

What Defenders Should Do Today

1) Patch internet-facing systems first

Prioritize: 1. Check Point Remote Access VPN and Mobile Access 2. Chrome and Chromium-based browsers 3. Apache HTTP Server 2.4.0 through 2.4.67 4. UniFi OS management systems 5. Gogs and YesWiki exposed to the internet

A practical order of operations is edge access, browsers, then externally reachable application services.

2) Hunt for exploitation signals

Focus on: - New or unusual admin sessions - Unexpected process execution under web server accounts - Browser-to-shell or browser-to-script-engine process trees - Configuration changes on VPN gateways and reverse proxies - Access to private repositories or secrets stores outside normal patterns

3) Reduce exposed attack surface

Immediate hardening steps: - Remove management interfaces from the public internet. - Put admin panels behind SSO, VPN, or IP allowlists. - Disable unused plugins, modules, or features tied to current advisories. - Enforce rapid restart cycles after browser patch deployment.

Technical Deep Dive

Technical Notes: Check Point and edge device triage

Start by inventorying internet-facing systems and validating patch status.

# Quick inventory examples
nmap -Pn -p 443,4443,10443 <external_ranges>
curl -kI https://vpn.example.com/

Review authentication and admin activity around the exposure period. Look for: - Logins from unfamiliar ASNs or geographies - New local admin creation - MFA disablement or policy changes - Unexpected configuration exports

If you centralize logs, useful queries include terms like:

("VPN" OR "Mobile Access" OR "Remote Access")
AND ("admin" OR "login" OR "policy" OR "gateway")
AND ("failed" OR "success" OR "changed" OR "export")

Technical Notes: Verifying Chrome patch deployment

On managed endpoints, verify installed browser versions and restart compliance.

# Windows example via PowerShell
Get-Item "C:\Program Files\Google\Chrome\Application\chrome.exe" | Select-Object VersionInfo

# Linux example
google-chrome --version
chromium --version

In EDR, hunt for suspicious browser child processes:

parent_process_name IN ("chrome.exe","msedge.exe","brave.exe")
AND process_name IN ("cmd.exe","powershell.exe","wscript.exe","cscript.exe","sh","bash")

Technical Notes: Apache HTTP Server upgrade validation

Check your current version:

apachectl -v
httpd -v

Search for regex-heavy configuration that may be relevant to the advisory:

grep -RinE "RewriteRule|RewriteCond|<LocationMatch|FilesMatch|ProxyPassMatch|SetEnvIfExpr>" /etc/httpd /etc/apache2 2>/dev/null

After upgrading, test configuration and reload safely:

apachectl configtest
systemctl reload apache2 || systemctl reload httpd

Useful log locations to review:

/var/log/apache2/error.log
/var/log/httpd/error_log
/var/log/apache2/access.log
/var/log/httpd/access_log

Watch for: - Repeated requests triggering 500 errors - Crashes or child process respawns - Strange paths or inputs targeting regex-based routing behavior

Technical Notes: OpenBullet2 exposure check

If the service is exposed, restrict access immediately and inspect reverse proxy or application logs for requests containing an empty API key header.

Example pattern to search for:

"X-Api-Key:"

If you proxy through NGINX, look for unusual admin endpoint access:

grep -Rin "X-Api-Key\|/api\|/admin" /var/log/nginx/

A defensive reverse proxy rule can help reduce exposure while patching:

location / {
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://openbullet2_backend;
}

Technical Notes: Python supply-chain triage

Check recent package installation history in CI runners and developer workstations:

pip list --format=freeze > /tmp/current-python-packages.txt
grep -Rin "pip install" /var/log /home/*/.bash_history 2>/dev/null

If a suspicious package may have been installed: - Rebuild from a clean base image - Rotate CI tokens, package registry credentials, and cloud secrets - Review outbound network connections from build agents

Bottom Line

Today’s highest-priority work is straightforward: patch exposed edge services, force browser updates, and review logs for signs that attackers got there first. The biggest risk clusters are still the familiar ones: internet-facing access infrastructure, browsers, and admin interfaces with weak defaults or unsafe code paths. If you can only do a few things today, start with Check Point VPN exposure, Chrome updates, and Apache version verification.

For more on identity and access management, check out our IAM glossary. Additionally, stay informed about CVE-2026-43898 and CVE-2026-9558 for further insights into critical vulnerabilities.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-06-09

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.