eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 10 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-23
Week of 23 JUN 2026

TL;DR - Multiple high-risk issues landed today, including critical Langflow and Grafana CVEs. - Defenders should prioritize exposed app platforms, FortiGate review, and user phishing controls. - Urgency is high for internet-facing systems and high-trust admin endpoints.

Top Stories

Five Eyes warns on threats from new AI models

The Five Eyes intelligence alliance issued a warning about the risks posed by emerging AI models, highlighting the likelihood that hostile actors will use more capable systems to improve phishing, malware development, reconnaissance, and influence operations. For defenders, the practical takeaway is not abstract AI policy. It is that existing controls against social engineering, account compromise, and automation abuse need to assume better adversary tooling now. Source: Al Jazeera via Google News.

Why it matters - Phishing payload quality will continue to improve. - Low-skill actors can scale campaign volume faster. - Security teams should expect more convincing lures in email, chat, and collaboration apps.

What to do next - Tighten attachment and script execution policies. - Expand awareness training to collaboration platforms, not just email. - Review detections for automation-heavy account abuse and mass messaging patterns.

WhatsApp phishing campaign pushes fake business documents

BleepingComputer reported an ongoing campaign targeting WhatsApp users with fake business document lures that deliver VBScript files and can lead to remote access on victim systems: source.

This matters because users often treat WhatsApp as a trusted communications channel, especially in SMB environments where procurement, invoicing, and customer communication may happen outside managed email.

Defender takeaways - Block or restrict .vbs, .js, and similar script launch paths where possible. - Train users that document delivery through chat apps is a common malware vector. - Review endpoint telemetry for script interpreters spawning from user download directories.

JaredFromSubway MEV bot hack shows application-logic risk in crypto

A $15 million theft tied to the JaredFromSubway Ethereum MEV bot appears to have exploited manipulated opportunity-detection logic rather than a traditional endpoint or network intrusion, according to BleepingComputer: source.

For enterprise defenders, this is a reminder that high-value automated systems fail in business logic too. The lesson applies to trading, workflow automation, AI agents, and API-driven decision engines.

What to do next - Add abuse-case testing for automation logic. - Require guardrails for high-trust autonomous actions. - Alert on outlier transaction paths and sudden strategy deviations.

FFmpeg fixes “PixelSmash” flaw with downstream app risk

BleepingComputer reported a newly disclosed FFmpeg flaw dubbed “PixelSmash” that may lead to remote code execution in some server-side media processing conditions and denial of service in downstream apps such as Jellyfin, Kodi, Emby, Nextcloud, PhotoPrism, and OBS Studio: source.

This is important because FFmpeg is deeply embedded in media stacks. Even if your team does not deploy FFmpeg directly, an exposed application may ship it.

Prioritize if - Users can upload media files to your application. - You run media indexing, thumbnailing, or transcoding on untrusted content. - Your stack includes self-hosted media or collaboration platforms.

FortiBleed campaign used custom FortiGate sniffer tooling

BleepingComputer cited SOCRadar findings that a large-scale FortiBleed campaign used custom sniffers on compromised FortiGate devices to harvest authentication secrets and steal credentials: source.

The key issue is not just initial device compromise. It is post-compromise credential collection from a network security appliance sitting in a privileged path.

Immediate actions - Audit administrative access to FortiGate devices. - Rotate credentials potentially exposed through firewall login paths. - Review firmware status, local admin accounts, and unusual packet capture or diagnostic activity.

AI and cyber policy headlines worth tracking

Two broader AI security stories also surfaced today: - Council on Foreign Relations published a policy-focused piece on U.S. AI credibility: source - Axios reported OpenAI rolled out a more capable cyber model: source

Both reinforce the same operational theme: expect more capable offensive experimentation, but focus controls on concrete misuse paths such as phishing, vulnerability research abuse, and automated reconnaissance.

Windows 11 26H2 is coming soon

Microsoft confirmed Windows 11 version 26H2 is the next feature update, with an enablement-package style upgrade path for devices already on 24H2 and 25H2, according to BleepingComputer: source.

This is not a breach story, but it matters operationally. Security teams should use the smaller upgrade path to reduce lag in testing security baselines and endpoint tooling compatibility.

Critical Vulnerabilities

CVE-2026-10561 - IBM Langflow OSS unauthenticated RCE

  • CVSS: 10.0
  • Affected: IBM Langflow OSS 1.0.0 through 1.9.3
  • Summary: IBM states improper isolation of Python execution combined with an authentication bypass can allow unauthenticated arbitrary code execution on the host, leading to complete compromise: advisory.

Why it matters Langflow commonly sits close to data sources, API keys, model connectors, and internal workflows. If internet-exposed, this is a high-priority patch candidate.

What to do now 1. Identify internet-facing Langflow instances. 2. Upgrade or apply vendor guidance immediately. 3. Remove public exposure where possible. 4. Rotate secrets stored or accessible from the platform.

CVE-2026-7664 - IBM Langflow OSS improper authorization in MCP endpoint

  • CVSS: 9.8
  • Affected: IBM Langflow OSS 1.0.0 through 1.8.4
  • Summary: Improper authorization in the Streamable MCP transport endpoint may let unauthenticated attackers access protected MCP project resources and execute MCP operations: advisory.

Why it matters Even if RCE controls are mitigated separately, unauthorized access to MCP resources can expose data, workflows, and trusted operations.

What to do now - Patch versions in scope. - Restrict MCP-related endpoints behind authentication and network controls. - Review logs for unexpected anonymous access to project resources.

CVE-2026-28381 - Grafana Snowflake datasource file transfer risk

  • CVSS: 9.6
  • Summary: Grafana disclosed that the Snowflake datasource allows GET and PUT commands, enabling users with query access to read or write files between the local Grafana server and the connected Snowflake host: advisory.

Why it matters This is a privilege-boundary problem. Users assumed to have query-only access may gain file movement capabilities that can expose server-side data or alter downstream state.

What to do now - Review which users can run queries against Snowflake through Grafana. - Limit datasource access to trusted roles. - Apply the vendor fix or advisory guidance. - Audit dashboards and saved queries for suspicious file transfer use.

CVE-2026-10789 - Autodesk Fusion Desktop MCP extension RCE

  • CVSS: 9.6
  • Summary: Autodesk states that a malicious webpage, visited while Fusion Desktop is running with the MCP extension enabled, could trigger arbitrary code execution with current-user privileges: advisory.

Why it matters This combines local application state with a browser-driven trigger, which is exactly the sort of chain users do not recognize during normal browsing.

What to do now - Update Fusion Desktop and related components per Autodesk guidance. - Disable the MCP extension if not required. - Advise users not to browse untrusted sites while high-trust desktop engineering tools are active.

CVE-2026-11373 - Net::Statsite::Client metric injection

  • CVSS: 9.1
  • Summary: Net::Statsite::Client through 1.1.0 for Perl permits metric injection because metric names and values are not sufficiently sanitized for control characters and newlines: reference, patch.

Why it matters This will be most relevant in environments that trust metrics as operational truth. Poisoned telemetry can affect alerting, dashboards, automated scaling, and incident triage.

What to do now - Patch the library where used. - Validate upstream metric sources. - Sanitize externally influenced metric names and values before emission.

What Defenders Should Do Today

1) Triage internet-facing application platforms first

Prioritize: - Langflow instances - Grafana systems with Snowflake datasource access - Public media-processing apps that bundle FFmpeg - Remote-access or admin systems receiving files through chat workflows

A practical order of operations: 1. Inventory exposure. 2. Patch or isolate. 3. Review secrets. 4. Hunt for suspicious access since the advisory window opened.

2) Harden script execution against chat-delivered payloads

The WhatsApp campaign is a reminder that users do not distinguish strongly between managed and unmanaged communication channels.

Recommended controls - Block Windows Script Host where business use is unnecessary. - Prevent execution from download, temp, and archive extraction paths. - Strip or quarantine risky script attachments at web and endpoint layers.

Technical Notes

Example checks for Windows Script Host activity:

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" |
  Where-Object { $_.Message -match "wscript.exe|cscript.exe" } |
  Select-Object TimeCreated, Id, Message -First 20

Example process hunt with Microsoft Defender for Endpoint advanced hunting:

DeviceProcessEvents
| where FileName in~ ("wscript.exe","cscript.exe")
| where ProcessCommandLine has_any (".vbs",".js",".jse")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc

3) Review FortiGate devices for post-compromise indicators

Because reported activity involved credential harvesting on compromised FortiGate devices, treat firewall review as both a device and identity problem.

Check for - Unexpected local admin accounts - Unauthorized configuration changes - Strange diagnostic or sniffer use - Authentication failures followed by successful logins - Evidence of credential reuse against VPN or admin portals

Technical Notes

Sample operational checks on a FortiGate device may include reviewing administrators, configuration deltas, and system events:

show system admin
show full-configuration
execute log filter category 1
execute log display
diagnose debug config-error-log read

If you export logs to a SIEM, look for patterns such as: - New admin creation outside maintenance windows - Logins from new geographies or ASNs - Diagnostic commands executed by nonstandard admin accounts

4) Patch FFmpeg-dependent services with untrusted upload paths

If your application accepts user-submitted media, treat FFmpeg updates as urgent even if your own product is not named directly in news coverage.

Focus on - Media transcoders - Thumbnail generators - Video preview workers - Self-hosted collaboration or media platforms

Technical Notes

On Linux, quickly identify FFmpeg versions and common dependents:

ffmpeg -version
dpkg -l | grep -i ffmpeg
rpm -qa | grep -i ffmpeg
ps aux | egrep 'jellyfin|emby|kodi|nextcloud|photoprism|obs'

5) Prepare for more AI-enabled phishing and recon

Do not wait for “AI-specific” controls. Most mitigations are standard security hygiene applied consistently.

Priority controls - MFA resistant to phishing where possible - Better detections for impossible travel and token abuse - User reporting workflows for suspicious chat messages - DLP and access reviews for internal knowledge stores exposed to AI-connected workflows

Technical Deep Dive

Technical Notes: Exposure checks for Langflow and Grafana

For external exposure assessment, defenders can start with DNS, asset inventory, and reverse proxy configs.

Example quick checks:

# Find known hosts in inventory exports
grep -Ei 'langflow|grafana' assets.csv

# Check exposed titles and headers
curl -kI https://example-host/
curl -sk https://example-host/ | head -50

If you have centralized reverse proxy logs, look for: - Anonymous requests to Langflow endpoints - Sudden increases in requests to MCP-related routes - Requests to Grafana datasource APIs from unusual users

Example generic log review pattern:

zgrep -Ei 'langflow|grafana|mcp|api/datasources' /var/log/nginx/*access*.log*

Technical Notes: Signs of suspicious query behavior in Grafana

If the Snowflake datasource is deployed, review who can issue ad hoc queries and whether saved queries include file transfer semantics.

Patterns to review: - GET or PUT usage in query text - Queries run by service accounts outside normal schedules - Newly created dashboards touching Snowflake unexpectedly

Pseudo-query review checklist:

Search saved queries / dashboards for:
- PUT
- GET
- stage references
- file:// style paths
- unusual local path strings

Technical Notes: Telemetry poisoning risk from metric injection

For environments using Net::Statsite::Client, a vulnerable metric path can corrupt monitoring truth.

Risk scenarios include: - User-controlled values passed directly into metric names - Newline injection creating multiple fake metrics - Control-character injection altering tags or values

Example unsafe pattern:

my $metric = "signup.$user_input";
$stats->gauge($metric, $value);

Safer approach: - Remove control characters - Enforce allowed characters in metric names - Normalize values before sending

Example sanitization concept:

$metric =~ s/[^a-zA-Z0-9_.-]//g;
$value  =~ s/[
:|]//g;

Bottom Line

Today’s biggest operational risks are not theoretical. They are exposed application platforms, script-based phishing delivered through trusted chat channels, and privileged infrastructure like firewalls that can become credential collection points after compromise.

If you only do three things today: 1. Patch or isolate Langflow and review Grafana Snowflake datasource exposure. 2. Hunt for script execution tied to chat-delivered files. 3. Review FortiGate devices and rotate credentials if compromise is suspected.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-06-23

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.