eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 11 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-25
Week of 25 JUN 2026

TL;DR - Active exploitation remains the priority, especially edge devices and browser abuse. - Patch exposed infrastructure, audit browser extensions, and review internet-facing app components. - Urgency is high for orgs running Cisco SD-WAN, Ubiquiti, Lantronix, Feast, Capgo, or vulnerable WordPress plugins.

Top Stories

1) Cisco SD-WAN zero-day attacks: new root-level persistence details

Mandiant published additional detail on how attackers abused a Cisco Catalyst SD-WAN zero-day, tracked as CVE-2026-20245, to gain root access and create rogue root accounts on targeted devices (BleepingComputer).

Why it matters:
This is the kind of network-edge compromise that can give an attacker durable administrative access, visibility into traffic, and a launch point for lateral movement. If you operate SD-WAN infrastructure, this is not just a patching story. It is a credential trust and device integrity story.

What defenders should do now: - Identify all Cisco Catalyst SD-WAN nodes exposed to management interfaces. - Apply vendor-recommended updates or mitigations cited in your Cisco advisories and the Mandiant reporting. - Rotate credentials that may have touched affected devices. - Review local user creation events, root account changes, and unexpected configuration drift. - Pull config backups from a known-good state and compare against current running configs.

Technical Notes

Example checks defenders may want to adapt for network device config review:

# Example workflow: archive running config for diffing
ssh admin@sdwan-device 'show running-config' > current-running-config.txt
diff -u known-good-config.txt current-running-config.txt

Look for: - Unexpected local admin or root-equivalent accounts - New SSH keys - Management ACL changes - Modified AAA or TACACS/RADIUS settings - Suspicious cron, script, or startup persistence if the platform exposes shell access


2) CISA warns of exploited Ubiquiti and Lantronix flaws

CISA warned that Ubiquiti UniFi OS and Lantronix serial-to-Ethernet flaws are being actively exploited in attacks (BleepingComputer).

Why it matters:
CISA advisories tied to active exploitation should move straight into emergency triage, especially for SMBs and distributed enterprises that rely on these devices for remote administration, branch connectivity, or surveillance/network operations.

What defenders should do now: - Inventory UniFi OS and Lantronix deployments. - Verify versions against CISA and vendor guidance. - Restrict management interfaces to trusted IP ranges or VPN-only access. - Review device logs for anomalous logins, config exports, firmware changes, or new admin accounts. - If compromise is suspected, treat the device as untrusted until rebuilt or reimaged.

Technical Notes

Basic internet exposure triage:

# Find externally exposed management services you may have missed
nmap -Pn -p 22,80,443,8443,8080,30718 <public-ip-range>

Firewall hardening example:

# Pseudocode only: restrict management plane to VPN subnet
allow from 10.10.10.0/24 to mgmt-interface port 443
deny from any to mgmt-interface port 443

3) Malicious Edge extension used to bridge to malware

A malicious Microsoft Edge extension dubbed “Edgecution” reportedly abused Native Messaging to escape the browser sandbox and deploy a Python-based backdoor during a ransomware attack (BleepingComputer).

Why it matters:
Browser extension governance is still weak in many organizations. Native Messaging is especially sensitive because it gives a path from browser context to local code execution through host applications.

What defenders should do now: - Audit installed Edge and Chrome extensions across managed endpoints. - Restrict extension installation to approved allowlists. - Hunt for Native Messaging host registrations. - Review endpoint telemetry for suspicious browser child processes, Python execution, or unusual extension install events. - If you do not need Native Messaging, disable or tightly control it.

Technical Notes

Windows registry locations commonly reviewed for Native Messaging hosts:

reg query "HKCU\Software\Microsoft\Edge\NativeMessagingHosts" /s
reg query "HKLM\Software\Microsoft\Edge\NativeMessagingHosts" /s
reg query "HKCU\Software\Google\Chrome\NativeMessagingHosts" /s
reg query "HKLM\Software\Google\Chrome\NativeMessagingHosts" /s

Look for suspicious process chains such as:

msedge.exe -> cmd.exe
msedge.exe -> powershell.exe
msedge.exe -> python.exe
msedge.exe -> wscript.exe

Example Microsoft Defender hunting concept:

DeviceProcessEvents
| where InitiatingProcessFileName in~ ("msedge.exe","chrome.exe")
| where FileName in~ ("cmd.exe","powershell.exe","python.exe","wscript.exe","cscript.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine

4) Google rolls out new privacy controls

Google announced new privacy controls for activity history and personalization across Search services and Google Play (BleepingComputer).

Why it matters:
This is not a breach story, but it matters for administrators responsible for consumer privacy, workforce awareness, and Google account baselines. Better controls can reduce data retention and minimize personalization exposure.

What defenders should do now: - Update end-user guidance for managed Google accounts where applicable. - Review whether organizational privacy policies should recommend reduced activity retention. - For shared or privileged accounts, confirm history and personalization settings align with policy.


5) DraftKings attacker sentenced

A 21-year-old associated with the alias “Snoopy” was sentenced to 18 months in prison for involvement in the 2022 DraftKings account hacking incident (BleepingComputer).

Why it matters:
Account takeover remains one of the most practical attack paths against consumer-facing businesses. This is a reminder to revisit MFA coverage, bot mitigation, credential stuffing defenses, and fraud telemetry.

What defenders should do now: - Tune impossible-travel, credential stuffing, and anomalous login detections. - Reassess password reset workflows. - Require phishing-resistant MFA for high-risk user groups where possible. - Confirm fraud and security teams share telemetry during active account abuse spikes.


6) Major events remain cyber targets

Dark Reading reported that the 2026 FIFA World Cup is facing a surge in cyber threats (Google News link).

Why it matters:
Large sporting events drive phishing, ticket fraud, brand impersonation, DDoS, and opportunistic intrusion activity. Even organizations not directly involved may see themed lures hit employees and customers.

What defenders should do now: - Pre-stage detections for event-themed phishing. - Register and monitor lookalike domains if you are a sponsor, broadcaster, travel provider, or hospitality brand. - Brief executives and customer-facing teams on likely scam themes.


Critical Vulnerabilities

CVE-2026-56121: Feast unsafe deserialization RCE

CVSS: 9.8
Affected: Feast before 0.63.0
Details: An unsafe deserialization flaw in the registry server can allow unauthenticated or unauthorized remote code execution via a crafted gRPC request. The vulnerable flow decodes user_defined_function.body from base64 and passes it to dill.loads() before authorization checks (commit, release, Huntr, VulnCheck advisory).

Why it matters:
If your ML feature store or registry services are reachable by untrusted users or flat internal networks, this is a direct code execution risk on infrastructure that may have access to data pipelines, service credentials, and model operations.

What to do: - Upgrade to Feast 0.63.0 or later. - Block direct internet exposure to Feast services. - Review gRPC access paths and enforce authentication before registry operations. - Hunt for suspicious feature view changes and unexpected service behavior.

Technical Notes

Potential network/service verification:

# Identify Feast services listening on expected ports
ss -lntp | grep -E '6566|6570|grpc|feast'

Kubernetes upgrade check example:

kubectl get deploy -A | grep -i feast
kubectl describe deploy <feast-deployment> -n <namespace> | grep -i image

CVE-2026-56237: Capgo broken authentication in API key generation

CVSS: 9.1
Affected: Capgo before 12.128.2
Details: API keys are exposed in frontend requests, and the backend fails to properly validate generation requests. Attackers can tamper with the API key parameter and generate arbitrary keys without proper authorization (GitHub advisory, VulnCheck advisory).

Why it matters:
This is an authentication boundary failure. If your deployment uses Capgo to manage app updates or protected endpoints, unauthorized key generation can undermine trust in your access model.

What to do: - Upgrade to 12.128.2 or later. - Revoke and rotate API keys issued from potentially vulnerable instances. - Audit logs for unexpected key creation and downstream API use. - Review whether frontend-exposed parameters influence privileged backend actions.

Technical Notes

What to look for in API logs: - Key generation requests with unusual client origins - Repeated requests changing the API key parameter - Key creation followed by immediate access to privileged endpoints

Example reverse proxy grep:

grep -E 'api.*key|generate.*key|x-api-key' /var/log/nginx/access.log

CVE-2026-56111: Marlin Firmware out-of-bounds write via M421

CVSS: 9.1
Affected: Marlin Firmware through 2.1.2.7, fixed in commit 1f255d1
Details: With MESH_BED_LEVELING enabled, an attacker can send crafted out-of-range M421 G-code coordinates and write past array bounds, causing memory corruption or denial of service (commit, issue, PR, VulnCheck advisory).

Why it matters:
For most enterprise defenders, this is niche. For labs, manufacturing environments, makerspaces, education, or any network-connected 3D printing environment, it is a real device integrity issue.

What to do: - Apply the fixed firmware revision. - Restrict who can send G-code over USB serial or network interfaces. - Validate slicer and print job sources. - Segment 3D printers from business-critical networks.

Technical Notes

Potentially suspicious G-code pattern:

M421 X999 Y999 Z1.0

Operational controls: - Disable unnecessary remote print submission - Require authenticated print management - Store approved firmware and config baselines


CVE-2026-12242: AdRotate Banner Manager PHP code injection

CVSS: 8.8
Affected: AdRotate Banner Manager for WordPress, up to and including 5.17.7
Details: The plugin is vulnerable to PHP code injection through the banner attribute of the adrotate shortcode when W3 Total Cache or Borlabs Cache support is enabled in AdRotate settings. The issue affects authenticated users with Contributor-level access and above (WordPress code reference).

Why it matters:
Contributor-level to code-execution chains are dangerous in multi-author WordPress environments, agencies, and marketing-operated sites.

What to do: - Update the plugin when a fixed release is available. - Disable vulnerable cache integration paths if you cannot patch immediately. - Audit shortcode usage in posts, drafts, reusable blocks, and scheduled content. - Reduce unnecessary Contributor accounts and enforce least privilege.

Technical Notes

Quick WordPress content hunting idea:

wp post list --post_type=post,page --format=ids | xargs -I % wp post get % --field=content | grep -n '\[adrotate'

CVE-2026-56232: Capgo subkey scope bypass

CVSS: 8.8
Affected: Capgo before 12.128.2
Details: Capgo fails to enforce limited_to_orgs and limited_to_apps restrictions on subkeys passed via the x-limited-key-id header, allowing use of an unrestricted parent key instead of the intended scoped subkey (GitHub advisory, VulnCheck advisory).

Why it matters:
This is a scope enforcement failure. Even if you issue limited subkeys correctly, backend handling can nullify those restrictions.

What to do: - Upgrade to 12.128.2 or later. - Review all integrations that rely on scoped keys. - Reissue subkeys after patching. - Add monitoring around x-limited-key-id usage.

Technical Notes

Header-centric review example:

grep -R "x-limited-key-id" /var/log/* 2>/dev/null

Look for: - Requests using unexpected subkey IDs - Cross-org or cross-app access patterns - Parent-key actions occurring where subkey limits should apply


What Defenders Should Do Today

Prioritize by exploitation and exposure

The most important theme in today’s cybersecurity threats is simple: actively exploited infrastructure beats theoretical risk.

Immediate priorities: 1. Patch and verify Cisco SD-WAN, Ubiquiti, and Lantronix devices exposed to untrusted networks. 2. Audit browser extensions in managed environments, especially Native Messaging hosts and suspicious Edge installs. 3. Upgrade high-risk app components like Feast and Capgo if present in your stack. 4. Review WordPress plugin attack surface on marketing and business sites. 5. Segment specialty devices such as printers, OT-adjacent tools, and appliances.

Technical Notes

Example triage checklist you can operationalize today:

# 1) Build an exposure inventory
nmap -Pn -p 22,80,443,8080,8443 <public-ranges>

# 2) Enumerate web tech or plugin clues where authorized
curl -I https://example-site.tld
curl -s https://example-site.tld | grep -iE 'wordpress|wp-content|plugin'

# 3) Hunt for suspicious browser child processes on Linux endpoints
ps -ef | grep -E 'chrome|edge|python|powershell|wscript'

So What for SMBs?

Small and midsize organizations often carry the same risk as larger enterprises with fewer staff and less segmentation.

If you only have one hour today: - Check whether any firewall, router, Wi-Fi, or remote management portal is internet exposed. - Confirm auto-update or maintenance status on edge appliances. - Remove unauthorized browser extensions from employee systems. - Patch WordPress plugins and reduce user roles on public websites. - Ask your MSP or internal admin to confirm there are no unexplained admin accounts on network gear.


Closing Takeaway

Today’s cybersecurity threats are a mix of edge-device exploitation, browser-to-endpoint abuse, and high-severity application flaws. The practical response is not to chase every headline equally. Focus first on what is internet-facing, actively exploited, and capable of granting persistence or privileged access.

For most teams, that means: - edge infrastructure first, - browser control second, - exposed app platforms third, - and content management hygiene right after that.

If you handle those four areas well today, you reduce a large share of the most realistic near-term risk.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-06-25

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.