eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 12 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-24

TL;DR - Cisco Unified CM flaw CVE-2026-20230 is now under active exploitation. - Multiple high-impact breaches and a new macOS ClickFix campaign raise near-term risk. - Patch exposed AI workflow tools immediately and review identity, OAuth, and phishing controls today.

Top Stories

Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks

A high-severity SSRF issue in Cisco Unified Communications Manager Server, tracked as CVE-2026-20230, is now being exploited in the wild according to BleepingComputer. For defenders, the key point is not just the CVSS rating but the shift from theoretical exposure to observed attacker use.

Why this matters:
Unified communications platforms often sit deep inside enterprise networks and have access to sensitive internal services. SSRF on these systems can become a pivot point for internal discovery, credential theft, or chaining into higher-impact compromise.

What to do now: - Identify any exposed or internet-adjacent Unified CM deployments. - Prioritize Cisco guidance and patching for affected versions. - Review reverse proxy, WAF, and outbound filtering controls around Unified CM. - Hunt for suspicious requests originating from the application toward internal services.

Technical Notes

Look for unusual server-side requests to internal IP ranges or metadata-style endpoints in proxy and application logs:

grep -E "169\.254\.169\.254|127\.0\.0\.1|10\.|172\.(1[6-9]|2[0-9]|3[0-1])|192\.168\." /var/log/* 2>/dev/null

If Unified CM is behind a reverse proxy, review request patterns for attacker-controlled URLs, callback domains, or unexpected query parameters.


Tata Electronics confirms cyberattack as hackers leak data

Tata Electronics confirmed a cyberattack affecting parts of its IT infrastructure, with attackers reportedly leaking data, per BleepingComputer.

Why this matters:
Manufacturing and electronics organizations remain attractive targets because they combine high-value intellectual property, supply chain leverage, and operational downtime pressure.

What to do now: - Reassess third-party and supplier connectivity. - Review data exfiltration monitoring on engineering, ERP, and file-sharing systems. - Validate incident response playbooks for extortion scenarios involving leaked data.

Technical Notes

Useful immediate checks for exfiltration review:

# Large outbound transfers in proxy logs
grep -Ei "upload|put|post" /var/log/proxy/* | awk '{print $1,$2,$NF}' | sort | uniq -c | sort -nr | head

# Recent archive creation on Linux servers
find /tmp /var/tmp /home -type f \( -name "*.zip" -o -name "*.7z" -o -name "*.rar" -o -name "*.tar.gz" \) -mtime -7 2>/dev/null

Healthtech firm Xsolis suffers data breach impacting 1.4 million people

Healthcare technology company Xsolis disclosed a breach impacting nearly 1.4 million individuals after a phishing attack led to network access, according to BleepingComputer.

Why this matters:
This is another reminder that phishing still works, especially where identity protections, mailbox hardening, and privilege boundaries are weak. In healthcare-related environments, the regulatory and operational consequences are amplified.

What to do now: - Enforce phishing-resistant MFA where possible. - Review mailbox auditing, OAuth app consent, and inbox rule abuse. - Check whether privileged users can access sensitive data from standard workstations. - Audit lateral movement after initial mailbox compromise.

Technical Notes

High-value Microsoft 365 checks after suspected phishing:

# Inbox forwarding rules
Get-InboxRule -Mailbox user@company.com

# Recently consented enterprise apps
Get-MgServicePrincipal | Select-Object DisplayName,AppId

# Unified audit log for suspicious mailbox actions
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations New-InboxRule,Set-InboxRule,MailItemsAccessed

Log patterns worth reviewing: - New inbox forwarding to external domains - Suspicious OAuth consent events - Impossible travel or unusual ASN logins - MailItemsAccessed spikes after phishing events


New macOS ClickFix attack silently mounts DMGs to push infostealer

A new macOS ClickFix campaign is using Terminal commands to silently download, mount, and launch infostealing malware from malicious DMG files, as reported by BleepingComputer.

Why this matters:
ClickFix-style social engineering keeps succeeding because it abuses user trust and normal admin workflows. On macOS, Terminal-driven execution combined with DMG mounting can bypass user suspicion, especially in developer or power-user environments.

What to do now: - Alert macOS users to fake verification and “paste this into Terminal” lures. - Monitor hdiutil, osascript, curl, and open activity chains. - Restrict execution of unsigned apps where business-appropriate. - Verify EDR visibility on script interpreters and mounted volumes.

Technical Notes

Example process chains to hunt on macOS:

log show --last 24h --predicate 'process == "Terminal" OR process == "hdiutil" OR process == "osascript" OR process == "curl"'

Look for sequences like:

Terminal -> curl -> hdiutil attach -> open /Volumes/<name>/<app>

File system checks:

ls /Volumes
find ~/Downloads -name "*.dmg" -mtime -3

Scattered Spider members plead guilty in Transport for London hack

Two alleged Scattered Spider members pleaded guilty to hacking Transport for London, covered by KrebsOnSecurity and BleepingComputer.

Why this matters:
Legal developments do not reduce the operational threat. Scattered Spider-linked techniques, especially social engineering against help desks and identity infrastructure, remain highly relevant to enterprises and service providers.

What to do now: - Review help desk identity verification procedures. - Harden password reset and MFA reset workflows. - Require strong logging around IAM changes, SIM swaps, and remote support actions. - Run tabletop exercises for identity-centric intrusion scenarios.

Technical Notes

Prioritize detections for: - MFA device re-registration - Password resets followed by VPN access - Entra ID / Okta admin role changes - New remote management enrollment after account recovery

Example IAM review workflow:

# Pseudocode / workflow concept
1. Pull all MFA reset events for last 14 days
2. Join with successful VPN or SSO logins within 2 hours
3. Enrich with help desk tickets and source IP reputation
4. Escalate mismatches or no-ticket resets

LastPass confirms data breach in Klue supply chain attack

LastPass said attackers accessed customer data in its Salesforce environment after stealing OAuth tokens during the Klue supply chain incident, according to BleepingComputer.

Why this matters:
This is a strong example of modern identity and SaaS compromise: attackers do not always need passwords if they can steal or abuse trusted OAuth tokens and connected app permissions.

What to do now: - Inventory all OAuth app integrations tied to sensitive SaaS platforms. - Revoke unused or high-risk app grants. - Review conditional access around admin actions in CRM and support platforms. - Monitor token issuance and unusual API usage.

Technical Notes

Immediate SaaS identity review items: - Recently authorized OAuth apps - Overprivileged scopes - Service accounts with broad CRM access - API access from new IP space or geographies

Example review checklist:

[ ] Export connected apps from identity provider and SaaS platforms
[ ] Validate business owner for each app
[ ] Remove redundant OAuth grants
[ ] Rotate secrets and revoke tokens tied to affected integrations
[ ] Review admin audit logs for exports, searches, and mass record access

Critical Vulnerabilities

Several newly disclosed critical issues affect popular AI workflow and security tooling. These are especially important if your teams run self-hosted AI orchestration, crawling, or model-safety components.

CVE-2026-56274: Flowise command injection leading to host compromise

Flowise advisory describes multiple OS command injection issues before version 3.1.2 in the Custom MCP Server feature. The bug stems from incomplete command-flag validation and bypasses in local file access restrictions.

Risk summary:
An authenticated Flowise user, or API access with suitable permissions, may be able to execute arbitrary commands on the host.

Defender action: - Upgrade Flowise to 3.1.2 or later. - Disable or tightly restrict Custom MCP Server functionality until patched. - Review who has chatflow update permissions. - Inspect hosts for child processes spawned by the Flowise service.

Technical Notes

Process hunting on Linux:

ps -ef | grep -E "flowise|node"
journalctl -u flowise --since "7 days ago"

Suspicious child process examples: - docker build - npx --yes - shell interpreters launched by Node.js


CVE-2026-55255: Langflow IDOR allows execution of other users’ flows

The Langflow advisory says versions before 1.9.2 expose an IDOR in /api/v1/responses, allowing an authenticated attacker to execute flows belonging to other users by specifying a victim flow ID.

Risk summary:
This is not just unauthorized access. In multi-user deployments, flow execution may expose data, trigger actions, or become part of a larger privilege escalation path.

Defender action: - Upgrade Langflow to 1.9.2. - Review whether multi-tenant or shared deployments are exposed. - Audit API logs for cross-user flow execution. - Rotate tokens if API abuse is suspected.

Technical Notes

Search for mismatches between authenticated user and flow owner:

grep "/api/v1/responses" /var/log/* 2>/dev/null

Useful logic for SIEM correlation:

IF request_path = "/api/v1/responses"
AND authenticated_user != flow_owner
THEN alert: possible IDOR exploitation

CVE-2026-56315: picklescan bypass can enable arbitrary command execution

According to the picklescan advisory, versions before 1.0.4 fail to block several Python standard library modules, enabling malicious pickle files to bypass safety validation and achieve remote code execution.

Risk summary:
Any environment relying on picklescan as a trust boundary for untrusted pickle files should assume that protection is incomplete on vulnerable versions.

Defender action: - Upgrade to picklescan 1.0.4 or later. - Treat untrusted pickle deserialization as dangerous even with scanning. - Search pipelines, notebooks, and ML workflows for pickle ingestion. - Prefer safer serialization formats when practical.

Technical Notes

Repo and pipeline discovery:

grep -R "pickle\.load\|joblib\.load\|torch\.load" . 2>/dev/null
grep -R "picklescan" . 2>/dev/null

CVE-2026-53753: Crawl4AI unauthenticated RCE via sandbox escape

The Crawl4AI advisory states that versions before 0.8.7 contain an AST validation weakness in _safe_eval_expression() that can be abused for sandbox escape and arbitrary code execution. The advisory notes JWT is disabled by default, increasing exposure risk.

Risk summary:
If exposed, this may be a straight-to-RCE issue requiring no authentication in default configurations.

Defender action: - Upgrade to 0.8.7 immediately. - Restrict network exposure to trusted sources only. - Enable authentication if supported in your deployment model. - Check for suspicious POST requests to /crawl.

Technical Notes

Quick exposure check:

grep -R "/crawl" /var/log/* 2>/dev/null
ss -lntp | grep -E ":80|:443|:3000|:8000"

Suspicious indicators: - Repeated POST requests with large JSON payloads - Unexpected schema fields tied to computed expressions - Child processes launched by the crawler service


CVE-2026-48519: Langflow public flow feature can lead to unauthenticated RCE

A second Langflow advisory covers a critical RCE flaw before 1.9.2 in the Shareable Playground/Public Flows feature. The vulnerable route /api/v1/build_public_tmp may allow arbitrary custom Python code execution through crafted node data.

Risk summary:
If Public Flows is enabled and reachable, this is potentially internet-reachable unauthenticated RCE.

Defender action: - Upgrade to 1.9.2 immediately. - Disable Public Flows if not strictly required. - Review access logs for /api/v1/build_public_tmp. - Isolate Langflow hosts from sensitive internal systems.

Technical Notes

Simple access log review:

grep "/api/v1/build_public_tmp" /var/log/* 2>/dev/null

If compromise is suspected, check for: - new cron jobs - Python child processes - dropped scripts in /tmp - outbound connections from the Langflow host

crontab -l
find /tmp -type f -mtime -3 2>/dev/null
netstat -plant 2>/dev/null

What Defenders Should Do Today

1) Triage active exploitation first

Start with CVE-2026-20230. Active exploitation should outrank theoretical criticals if the affected platform is in your environment.

Priority order: 1. Internet-facing systems under active exploitation 2. Unauthenticated RCE on exposed AI workflow services 3. SaaS identity and OAuth trust relationships 4. Phishing-resistant identity controls

2) Patch exposed AI tooling this week, not this month

Flowise, Langflow, Crawl4AI, and picklescan issues show a pattern: fast-moving AI ecosystems often ship with features that can become security boundaries before they are fully hardened. If these tools are developer-managed rather than centrally managed, they may already be exposed.

Immediate steps: - Inventory self-hosted AI apps - Check versions against the advisories - Restrict external access - Move them behind SSO, VPN, or IP allowlists - Review admin and API tokens

3) Recheck phishing and OAuth defenses

The Xsolis and LastPass/Klue reports both point back to identity compromise paths. One begins with phishing; the other with token theft and SaaS trust abuse.

Minimum control set: - Phishing-resistant MFA for admins and privileged users - Conditional access and impossible-travel detections - OAuth app approval workflow - Centralized mailbox and SaaS audit logging - Fast token revocation playbooks

4) Brief users on current social engineering lures

The macOS ClickFix campaign is a practical awareness topic for today. Users should know that “verification,” “repair,” or “security fix” prompts that ask them to paste commands into Terminal are a red flag.

Suggested user message:

If a website or pop-up asks you to open Terminal and paste commands, stop and report it. Do not run copy-and-paste fixes from untrusted pages.

5) Validate your incident response assumptions

The day’s news spans active exploitation, phishing-led breach, supply chain compromise, and extortion-linked intrusion. If your IR process assumes malware alerts will always come first, you may miss the quieter paths like OAuth abuse, inbox rule changes, or public app RCE.


Final Takeaway

Today’s cybersecurity threats picture is defined by three themes: active exploitation of enterprise infrastructure, identity-centric compromise, and insecure AI application exposure. The most practical response is to patch what is exposed, tighten identity and OAuth controls, and hunt for the operational signals attackers leave behind in logs, process trees, and API activity.

For source reporting and primary references, review: - Cisco Unified CM exploitation report via BleepingComputer - Tata Electronics incident via BleepingComputer - Xsolis breach via BleepingComputer - macOS ClickFix campaign via BleepingComputer - Scattered Spider case via KrebsOnSecurity and BleepingComputer - LastPass/Klue supply chain breach via BleepingComputer - Flowise advisory for CVE-2026-56274 - Langflow advisory for CVE-2026-55255 - picklescan advisory for CVE-2026-56315 - Crawl4AI advisory for CVE-2026-53753 - Langflow advisory for CVE-2026-48519

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```

Last verified: 2026-06-24

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.