eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-06-29

TL;DR - KDDI disclosed a breach exposing up to 14.2 million email logins across six ISPs. - Multiple newly published CVEs with public exploit details affect edge and consumer networking gear. - Prioritize credential resets, patching, and monitoring internet-exposed devices today.

Top Stories

KDDI breach exposes up to 14.2 million email logins across six ISPs

KDDI disclosed a breach involving one of its email systems used by five other ISPs, with up to 14.2 million email logins exposed according to BleepingComputer (source).

Why this matters

This is the kind of incident that quickly turns into credential stuffing, targeted phishing, and account takeover risk, especially if affected users reused passwords across SaaS, VPN, webmail, or admin portals.

What defenders should do now

  • Identify whether your organization has users, partners, or customers relying on the impacted ISPs.
  • Force password resets where reused credentials are possible.
  • Review authentication logs for:
  • impossible travel
  • unusual IMAP/POP/Webmail access
  • spikes in failed logins followed by success
  • Enforce MFA on email, VPN, SSO, and admin accounts if not already mandatory.
  • Alert help desk teams to expect phishing and account recovery abuse.

AI security storylines remain centered on familiar risks

Several AI-related headlines today focus less on novel attack classes and more on the amplification of existing security problems:

  • Axios argues AI’s real cybersecurity threat is largely what defenders already know: scale, automation, and human error (source).
  • SecurityWeek reports on OpenAI’s GPT-5.6 Sol and its cybersecurity-oriented capabilities (source).
  • Help Net Security also highlights improved cybersecurity performance in GPT-5.6 (source).
  • Broader geopolitical competition around cyber-focused AI continues to intensify, as covered by The Verge and Seeking Alpha (The Verge, Seeking Alpha).

Operational takeaway

For most teams, AI risk management still comes down to standard controls:

  • access governance
  • prompt/data handling policies
  • logging and retention
  • output validation
  • third-party risk review
  • secrets exposure prevention

Do not let AI headlines distract from patching, identity hardening, and asset inventory.

Critical Vulnerabilities

CVE-2026-25707: libzypp path traversal can overwrite files

Severity: CVSS 8.8
Affected component: libzypp before 17.38.10
Summary: A relative path traversal flaw when processing repository metadata can let a remote attacker supplying repositories overwrite files, potentially causing denial of service or privilege escalation (bugzilla, commit).

Why it matters

If your environment consumes untrusted or insufficiently vetted repositories, package management infrastructure becomes an attack surface. This is especially relevant for dev, CI, lab, and internal mirror workflows.

Immediate actions

  • Upgrade libzypp to 17.38.10 or later where applicable.
  • Audit configured repositories and remove untrusted sources.
  • Review change windows for systems that auto-refresh metadata from external repos.
  • Monitor for unexpected file modifications during package operations.

Severity: CVSS 8.8
Affected component: D-Link DCS-935L 1.10.01
Summary: An OS command injection flaw in setconf.cgi via the UID POST parameter can be exploited remotely. Public exploit details are available (GitHub reference, VulDB entry).

Why it matters

Internet-exposed cameras and embedded devices are routinely swept by opportunistic actors. Public exploit disclosure increases the chance of near-term scanning and botnet-style abuse.

Immediate actions

  • Remove affected cameras from direct internet exposure.
  • Restrict management access to VPN or dedicated admin networks.
  • Check for vendor remediation guidance before re-exposure.
  • Rotate credentials on impacted devices and associated video platforms.

Severity: CVSS 8.8
Affected component: Wavlink WL-NU516U1-A M16U1_V240425
Summary: A stack-based buffer overflow in /cgi-bin/wireless.cgi involving the Guest_ssid parameter is remotely exploitable. Public exploit details are available, and a firmware update reference is listed (firmware, GitHub reference, VulDB).

Why it matters

SOHO and branch networking gear often sits outside normal enterprise patch SLAs. That makes it attractive for initial access, staging, or persistence.

Immediate actions

  • Upgrade firmware on affected devices.
  • Disable WAN-side admin interfaces.
  • Inventory branch and remote-office devices that may not be centrally managed.
  • Segment guest Wi-Fi administration from production networks.

CVE-2026-13519 and CVE-2026-13518: Tenda JD12L remote buffer overflows

Severity: CVSS 8.8 each
Affected component: Tenda JD12L 16.03.53.23
Summary: Two remotely exploitable stack-based buffer overflows affect /goform/NatStaticSetting via page and /goform/addressNat via page. Public exploit details are available (CVE-2026-13519, VulDB, CVE-2026-13518, VulDB).

Why it matters

Even when these devices are not used in core enterprise environments, they frequently appear in SMB sites, temporary offices, and unmanaged remote deployments.

Immediate actions

  • Identify and isolate exposed Tenda devices.
  • Apply updates if available, or replace unsupported hardware.
  • Disable remote administration.
  • Pull configs and preserve logs before rebooting potentially compromised devices.

What Defenders Should Do Today

1) Prioritize identity defenses after the ISP breach

If any affected users are in your ecosystem, assume follow-on abuse is likely.

Recommended checklist

  • Force password resets for exposed accounts.
  • Enforce phishing-resistant MFA where possible.
  • Hunt for suspicious webmail, VPN, and SSO activity.
  • Notify executives and support teams about potential impersonation attempts.

2) Patch or isolate internet-facing edge and embedded devices

The highest practical risk in today’s CVE set is not abstract severity, but exposure plus public exploit information.

Recommended checklist

  • Enumerate D-Link, Wavlink, and Tenda assets.
  • Confirm firmware versions.
  • Remove public admin access.
  • Place devices behind VPN, ACLs, or management VLANs.
  • Replace end-of-life hardware.

3) Review package repository trust in Linux environments

For teams using SUSE/openSUSE ecosystems or workflows built around libzypp:

  • verify repository sources
  • restrict who can add repos
  • inspect automation that pulls package metadata
  • alert on unusual writes during update operations

4) Keep AI governance grounded in normal security controls

Use today’s AI headlines as a reminder to tighten:

  • model access controls
  • audit logging
  • DLP around prompts and outputs
  • secret scanning in prompts, chat logs, and generated code
  • vendor risk assessment for AI-enabled services

Technical Deep Dive

Technical Notes: Hunt for credential abuse after a breach

Look for common authentication anomalies in identity and mail logs.

# Example: grep webmail or IMAP auth failures/successes from mail logs
grep -Ei "imap|pop3|webmail|login|auth" /var/log/maillog | tail -n 200

# Example: identify repeated failures followed by success in auth logs
grep -Ei "failed|failure|accepted|success" /var/log/auth.log | tail -n 500

Example patterns to review:

Failed password for user@example.com from 203.0.113.24
Accepted password for user@example.com from 203.0.113.24
IMAP login: user=<user@example.com>, rip=198.51.100.44
Webmail login success for user@example.com from new geo/location

Technical Notes: Find potentially exposed embedded web interfaces

Quick triage for devices exposing common admin services:

# Scan a known asset range for HTTP/HTTPS admin surfaces
nmap -Pn -p 80,443,8080,8443 10.0.0.0/24

# Identify potential router/camera web banners
curl -k -I https://device-ip/
curl -I http://device-ip:8080/

If you manage inventories via CMDB or network discovery, pivot on:

  • manufacturer strings
  • HTTP title/header fingerprints
  • MAC OUI
  • UPnP / SSDP identifiers

Technical Notes: Validate Linux repository configuration

For systems using zypper/libzypp, review repository sources and refresh behavior:

zypper lr -u
zypper ref
rpm -q libzypp

Sample output to verify:

# | Alias        | Name         | Enabled | GPG Check | URI
1 | repo-main    | Main Repo    | Yes     | (r ) Yes  | https://trusted.example/repo/
2 | temp-testing | Temp Testing | Yes     | ----      | http://untrusted.example/repo/

Red flags:

  • HTTP instead of HTTPS
  • disabled or missing GPG verification
  • temporary or unknown repositories left enabled
  • automation pulling from test mirrors in production

Technical Notes: Example containment ACL concept

If replacement or firmware upgrades cannot happen immediately, at least constrain management exposure.

permit mgmt-vlan -> device-admin-ip tcp/443
permit vpn-subnet -> device-admin-ip tcp/443
deny any -> device-admin-ip any
deny device-admin-ip -> internet any except vendor-update-endpoints

Bottom Line

Today’s highest-value work is straightforward:

  1. Respond to potential credential fallout from the KDDI-linked breach.
  2. Patch or isolate exposed D-Link, Wavlink, Tenda, and libzypp-affected systems.
  3. Keep AI security discussions tied to concrete control improvements, not hype.

For most defenders, exposure management and identity hardening will reduce more risk today than any new tooling purchase.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```

Last verified: 2026-06-29

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.