eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 10 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-27

TL;DR - Signal backup recovery keys, a Cisco flaw, and supply-chain abuse are driving today’s highest-priority risks. - Admins should patch exposed systems, harden identity workflows, and hunt for phishing and repository-based execution paths. - Urgency is high where exploitation is confirmed or user interaction is minimal.

Top Stories

1) FBI and CISA warn Russian actors are now targeting Signal backup recovery keys

The FBI and CISA warned that a phishing campaign linked to Russian intelligence services has evolved beyond account takeover attempts and is now targeting Signal Backup Recovery Keys, which can expose historical messages if stolen. BleepingComputer summarizes the alert here: https://www.bleepingcomputer.com/news/security/fbi-russian-hackers-now-target-signal-backup-recovery-keys/.

Why it matters

This is more damaging than a simple session hijack. If an attacker obtains a backup recovery key, they may gain access to prior communications, not just future chats. That changes the incident scope for journalists, executives, legal teams, activists, and security staff using Signal for sensitive coordination.

What defenders should do now

  • Treat Signal backup recovery material as a credential and a data exposure risk.
  • Alert high-risk users to phishing lures involving backup prompts, device re-linking, or account recovery.
  • Review mobile device management controls for managed users who rely on Signal.
  • Update incident response playbooks to include possible compromise of historical secure-message content.

Technical Notes

Look for signs of credential harvesting and follow-on access around users known to rely on secure messaging:

# Example: search secure email gateway logs for common lure terms
grep -Ei "signal|backup key|recovery key|secure chat|device link" /var/log/mail.log
Potential phishing indicators:
- Messages referencing "backup recovery"
- Device relinking or migration prompts
- Requests to verify codes outside normal Signal workflows
- Links to lookalike domains or URL shorteners

2) CISA sets an urgent deadline for a Cisco flaw under active exploitation

CISA has set a short remediation deadline for a Cisco Unified Communications Manager Server vulnerability that is reportedly being actively exploited. Coverage: https://www.bleepingcomputer.com/news/security/cisa-sets-urgent-deadline-to-fix-cisco-flaw-exploited-in-attacks/.

Why it matters

A CISA deadline usually means two things for defenders:

  1. Exploitation is credible enough to warrant immediate federal action.
  2. Private sector organizations running the same stack should assume opportunistic scanning is already underway.

Unified communications infrastructure is especially sensitive because it often bridges identity, voice, messaging, and internal administration.

What defenders should do now

  • Identify all Cisco Unified Communications Manager Server instances.
  • Prioritize internet-exposed or partner-accessible systems first.
  • Apply the vendor fix or mitigations immediately if patching cannot happen inside the change window.
  • Review admin account activity and outbound connections from the appliance or server.
  • Add detection for post-exploitation behavior such as account creation, configuration export, or unusual service restarts.

Technical Notes

Start with asset discovery and exposure validation:

# Example asset inventory query pattern
nmap -sV -Pn <ucm-subnet-range>
# Example: check for recent administrative changes on Linux-adjacent systems
grep -Ei "add user|useradd|sudo|ssh|scp|curl|wget" /var/log/* 2>/dev/null
Hunt priorities:
- Unusual administrator logins
- Unexpected config backups or exports
- Connections to unfamiliar IPs after successful login events
- Service crashes or restarts near suspected exploitation windows

3) Polymarket customers lost $3 million in a supply-chain attack

Polymarket said it will reimburse affected users after attackers allegedly injected malicious JavaScript into the platform’s frontend following a third-party vendor breach. Report: https://www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-million-in-supply-chain-attack/.

Why it matters

This is a reminder that client-side supply-chain compromise remains one of the fastest ways to monetize trust. If a third-party script or build dependency is compromised, users can be redirected, manipulated into signing transactions, or served credential theft code without the primary platform itself being directly breached.

What defenders should do now

  • Review all third-party JavaScript inclusions and external dependencies.
  • Enforce Subresource Integrity where feasible.
  • Reduce the number of scripts with access to payment, wallet, or session flows.
  • Monitor for script hash changes and unexpected content delivery network behavior.
  • Segment release credentials and vendor access paths to limit blast radius.

Technical Notes

Use CSP and integrity controls to reduce browser-side risk:

<script
  src="https://cdn.example.com/app.js"
  integrity="sha384-REPLACE_WITH_HASH"
  crossorigin="anonymous"></script>
Content-Security-Policy:
  default-src 'self';
  script-src 'self' https://trusted-cdn.example;
  object-src 'none';
  base-uri 'self';
# Example: diff current third-party script responses
curl -s https://cdn.example.com/app.js | sha256sum

4) Fraudulent OpenAI organization invites are targeting cybersecurity firms

Threat actors are reportedly creating OpenAI tenants impersonating legitimate companies, then inviting employees to join and interact within the tenant. Coverage: https://www.bleepingcomputer.com/news/security/cybersecurity-firms-targeted-by-fraudulent-openai-organization-invites/.

Why it matters

This is a modern business-email-compromise style lure adapted to AI collaboration platforms. The risk is not only credential theft. Employees may disclose internal project names, customer data, code, procedures, or strategic details directly into an attacker-controlled workspace.

What defenders should do now

  • Warn users not to accept unexpected AI workspace or organization invites.
  • Restrict which SaaS tenants employees may join from corporate identities.
  • Monitor for OAuth grants, external collaboration invitations, and unusual tenant associations.
  • Update data loss prevention guidance for chat-based SaaS use.

Technical Notes

Key detections to add:

Monitor for:
- New SaaS tenant joins from corporate email accounts
- External invite acceptance outside approved domains
- Unusual OAuth consent grants
- Sensitive keywords pasted into unmanaged AI workspaces

Critical Vulnerabilities

CVE-2026-56028: Easy Elements for Elementor unauthenticated privilege escalation

  • CVSS: 9.8
  • Affected software: Easy Elements for Elementor - Addons & Website Templates versions up to and including 1.4.9
  • Reference: Patchstack advisory

So what?

An unauthenticated privilege escalation bug in a WordPress plugin is a high-risk combination for SMBs and agencies because exploitation can turn a public web presence into an admin foothold quickly.

What to do

  • Verify whether the plugin is installed anywhere in your WordPress fleet.
  • Update beyond 1.4.9 as soon as a fixed version is available from the maintainer.
  • Review WordPress admin users for unexpected additions.
  • Reset credentials and inspect plugins/themes if compromise is suspected.

Technical Notes

Quick WordPress checks:

wp plugin list | grep -i "easy-elements"
wp user list --role=administrator
-- Example: review recently created WordPress users
SELECT ID, user_login, user_email, user_registered
FROM wp_users
ORDER BY user_registered DESC
LIMIT 20;

CVE-2026-0685: Genshi Template Engine SSTI leading to RCE

So what?

Server-side template injection is dangerous because attacker-controlled input can be transformed into code execution in applications that render templates dynamically. If your Python applications expose template content or unsafe expression handling, this deserves immediate triage.

What to do

  • Identify any application dependency on Genshi 0.7.9.
  • Disable or restrict user-controlled template expressions where possible.
  • Isolate exposed services until patched or mitigated.
  • Review logs for suspicious template payloads and command execution markers.

Technical Notes

Dependency hunting examples:

pip freeze | grep -i genshi
python -c "import genshi; print(genshi.__version__)"
Look for payload characteristics such as:
- ${...}
- unexpected expression evaluation
- shell metacharacters embedded in template fields
- outbound callbacks after template rendering requests

CVE-2025-11919: Shared /tmp JVM classpath attack condition in Wolfram Cloud disclosure

So what?

This issue describes a local or shared-environment attack path in which classpath resolution can be manipulated via shared temporary directories. It is particularly relevant in multi-user or shared cloud instances where /tmp exposure between users is possible.

What to do

  • Review whether shared compute environments permit cross-user visibility into temporary directories.
  • Harden /tmp handling and isolate user temp spaces.
  • Investigate startup scripts and classpath order in sensitive JVM-based workflows.
  • Treat multi-tenant research and compute environments as higher risk.

Technical Notes

Basic validation targets:

mount | grep /tmp
ls -ld /tmp /tmp/UserTemporaryFiles 2>/dev/null
find /tmp -maxdepth 2 -type f -name "*.jar" -ls 2>/dev/null
Hunt for:
- Unexpected .jar files in shared temp paths
- JVM startups with anomalous classpath ordering
- Writable directories preceding trusted library paths

CVE-2026-33646: mise command execution via malicious .tool-versions

So what?

This is a developer workstation and CI/CD risk. A malicious repository can trigger command execution when a user changes into the directory if mise is active and non-paranoid trust settings allow .tool-versions parsing without prompts.

What to do

  • Update mise to 2026.3.10 or later.
  • Audit developer endpoints and build runners using mise.
  • Treat untrusted repositories as potential execution sources, not just code review items.
  • Consider stricter trust settings in shell initialization and onboarding docs.

Technical Notes

Find risky files in cloned repos:

find ~/ -type f -name ".tool-versions" 2>/dev/null
mise --version

Example review target:

# suspicious .tool-versions content should never be blindly trusted
node 20
python 3.12
# investigate any templating or unexpected expression syntax

CVE-2025-55017: Apache IoTDB path traversal

So what?

Path traversal vulnerabilities in data platforms can expose configuration, overwrite files, or open follow-on execution paths depending on deployment layout and service privileges.

What to do

  • Upgrade to Apache IoTDB 1.3.6 or 2.0.6.
  • Review file access patterns and service permissions.
  • Check whether IoTDB has access to sensitive directories beyond intended data paths.
  • Investigate for suspicious requests containing traversal sequences.

Technical Notes

Search for traversal patterns in logs:

grep -R "../" /var/log 2>/dev/null
grep -R "%2e%2e%2f" /var/log 2>/dev/null
Watch for:
- ../ or encoded traversal sequences
- Reads outside configured data directories
- Unexpected file-not-found errors near auth failures

What Defenders Should Do Today

1) Patch and validate exposure

Prioritize internet-facing systems and business-critical collaboration infrastructure.

  • Patch affected Cisco systems immediately if present.
  • Upgrade Apache IoTDB and mise where used.
  • Review WordPress plugin exposure across all hosted sites.
  • Inventory Python apps for Genshi 0.7.9.

2) Harden identity and user workflows

Today’s threat set relies heavily on trust abuse.

  • Train users on Signal backup recovery key phishing.
  • Block or review unexpected SaaS organization invites.
  • Enforce MFA everywhere it is supported, but remember MFA does not stop all phishing or session abuse.
  • Restrict unmanaged collaboration tenants and external app consent.

3) Hunt for supply-chain and execution abuse

Several items today share a common theme: trusted paths being turned against defenders.

  • Review third-party frontend scripts and build dependencies.
  • Monitor for new admin users, odd process launches, and abnormal outbound connections.
  • Treat repository metadata files and template engines as execution surfaces.

Technical Notes

A compact triage checklist for the day:

# WordPress plugin exposure
wp plugin list

# Python dependency check
pip freeze | grep -Ei "genshi"

# Developer tooling check
mise --version 2>/dev/null

# Fast log hunt for suspicious downloads or shells
grep -R -Ei "curl|wget|bash -c|sh -c|powershell|cmd.exe" /var/log 2>/dev/null

Bottom Line

The most important pattern in today’s cybersecurity threats is trust abuse: trusted messaging recovery flows, trusted enterprise appliances, trusted third-party scripts, trusted AI collaboration invites, and trusted developer tooling files.

That means defenders should respond on two tracks at once:

  1. Patch confirmed high-severity software issues fast.
  2. Reduce how much trust users, browsers, and developer tools automatically grant to external input.

For additional detail on the lead stories, review: - FBI/CISA Signal warning: https://www.bleepingcomputer.com/news/security/fbi-russian-hackers-now-target-signal-backup-recovery-keys/ - CISA Cisco deadline: https://www.bleepingcomputer.com/news/security/cisa-sets-urgent-deadline-to-fix-cisco-flaw-exploited-in-attacks/ - Polymarket supply-chain incident: https://www.bleepingcomputer.com/news/security/polymarket-customers-lose-3-million-in-supply-chain-attack/ - Fraudulent OpenAI invites: https://www.bleepingcomputer.com/news/security/cybersecurity-firms-targeted-by-fraudulent-openai-organization-invites/

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```

Last verified: 2026-06-27

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.