Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs
TL;DR - Active exploitation remains the main theme today across enterprise collaboration and communications platforms. - Prioritize patching, OAuth app review, and internet-facing service exposure checks. - Urgency is high for SharePoint, Cisco Unified CM, and newly disclosed critical application flaws.
Top Stories
IBM-linked third-party incident affects 70,000 people
Singapore news outlet CNA reported that data belonging to roughly 70,000 people was compromised in a cybersecurity incident involving IBM, a vendor to Singapore’s SLA. Initial reporting matters here because it reinforces a recurring operational risk: vendor compromise can rapidly become customer compromise, even when your own perimeter is intact. Source: CNA via Google News.
Why it matters - Third-party access and data processing pipelines remain a top breach path. - Incident response plans often underestimate dependency on service providers. - Data stewardship questions quickly become contractual, regulatory, and reputational issues.
What defenders should do - Review all vendors with privileged network, IAM, or data access. - Validate logging coverage for vendor-managed systems and integrations. - Confirm whether your contracts require notification timelines, log retention, and forensic cooperation.
FBI seizes NetNut proxy infrastructure tied to botnet activity
KrebsOnSecurity reported that the FBI, with partners, seized hundreds of domains associated with NetNut and the Popa botnet ecosystem. Residential proxy infrastructure remains highly relevant to defenders because it is routinely used to hide abuse behind seemingly legitimate consumer IP space. Source: KrebsOnSecurity.
Why it matters - Residential proxies complicate IP reputation and blocking strategies. - Credential attacks, scraping, fraud, and account takeover often blend into normal traffic. - Disruption actions can produce short-term changes in attacker infrastructure and TTPs.
What defenders should do - Reassess controls that trust traffic purely based on geography or residential ASN heuristics. - Tune detections for impossible travel, session anomalies, and velocity-based abuse. - Expect fallback to alternate proxy providers or compromised SOHO devices.
ConsentFix and ClickFix accelerate Microsoft 365 account hijacking
BleepingComputer covered ConsentFix and ClickFix techniques that steal Microsoft 365 tokens within seconds using fake prompts and OAuth abuse. These attacks are especially dangerous because they can bypass user expectations around MFA by obtaining session tokens or consented access instead of stealing a password directly. Source: BleepingComputer.
Why it matters - OAuth abuse is often quieter than classic phishing. - Token theft can lead to mailbox access, business email compromise, and lateral SaaS abuse. - Help desks and end users may not recognize fake “fix” workflows as credential attacks.
What defenders should do - Audit enterprise consent settings and restrict user consent where possible. - Review app registrations, OAuth grants, and suspicious token issuance events. - Train users to avoid “paste this command” or “authorize this app to fix access” prompts.
Cisco confirms exploitation of Unified CM flaw
BleepingComputer reported that Cisco confirmed attackers are exploiting a Unified Communications Manager vulnerability patched in early June. If you run Unified CM, this shifts the task from normal patch hygiene to incident-focused validation. Source: BleepingComputer.
Why it matters - Voice infrastructure is often less monitored than identity or endpoint environments. - Exploited collaboration systems can expose call data, credentials, and internal network paths. - Public confirmation of exploitation typically raises the priority of scanning and follow-on attacks.
What defenders should do - Identify all Unified CM instances, including dormant or legacy nodes. - Patch immediately if not already updated. - Review admin access logs, unexpected config changes, and outbound connections from UC hosts.
CISA says Microsoft SharePoint RCE flaw is now actively exploited
BleepingComputer reported that CISA warned of active exploitation for a Microsoft SharePoint remote code execution vulnerability patched in May. SharePoint remains a high-value target because it often bridges document storage, internal workflows, and broad user trust. Source: BleepingComputer.
Why it matters - Internet-exposed SharePoint systems are attractive initial access targets. - Document-centric platforms can become malware staging or credential theft hubs. - CISA active exploitation warnings should trigger immediate validation, not just patch scheduling.
What defenders should do - Confirm patch status on every SharePoint farm and node. - Limit external exposure where business requirements allow. - Hunt for post-exploitation artifacts, suspicious web shells, and anomalous IIS activity.
Opera adds Paste Protect against ClickFix abuse
Opera introduced Paste Protect to help block ClickFix-style attacks that trick users into pasting malicious commands into local terminals or browser prompts. This is a useful example of browser-side mitigation, though it should complement, not replace, user education and endpoint controls. Source: BleepingComputer.
Why it matters - ClickFix social engineering continues to spread because it is simple and effective. - Clipboard-mediated attack chains reduce the need for traditional malware droppers. - Browser vendors are increasingly addressing user-manipulation techniques directly.
Alleged Scattered Spider member extradited to the United States
BleepingComputer reported the extradition of an alleged Scattered Spider hacker to the U.S. While this is primarily a law enforcement development, it remains operationally relevant because Scattered Spider-style tradecraft has influenced current intrusion patterns, especially around social engineering and identity abuse. Source: BleepingComputer.
Report says many cyber workers were told to conceal breaches
Cybersecurity Dive reported on findings that many cybersecurity workers have been told to conceal a breach. Governance failures create downstream technical risk because delayed disclosure often also means delayed containment, poor log preservation, and incomplete remediation. Source: Cybersecurity Dive via Google News.
Critical Vulnerabilities
CVE-2026-57624: Blocksy Companion Pro unauthenticated RCE
A critical vulnerability with CVSS 10.0 affects Blocksy Companion Pro versions up to 2.1.46, allowing unauthenticated remote code execution. Reference: Patchstack advisory.
Risk - Internet-exposed WordPress sites are routinely scanned within hours of disclosure. - Unauthenticated RCE can lead to full site takeover, web shell deployment, and redirect or malware injection.
Immediate actions - Identify affected WordPress instances and plugin versions. - Disable or restrict access until patched if updates cannot be applied immediately. - Inspect for unknown admin users, modified PHP files, and scheduled task abuse.
CVE-2026-50746: UniFi Connect command injection
This CVSS 10.0 flaw affects UniFi Connect Application and could allow a malicious actor with network access to execute command injection on the host device. Reference: Ubiquiti Security Advisory Bulletin 066.
Risk - Network-reachable management applications can become a pivot point into broader infrastructure. - Command injection on appliance-like systems often leads to overlooked persistence.
Immediate actions - Apply the vendor-provided fixes from the advisory. - Restrict management plane exposure to trusted admin networks only. - Rotate credentials used on or through the affected host if compromise is suspected.
CVE-2026-56004: obs-service-tar_scm shellcode injection
A CVSS 10.0 issue in the mercurial handler of the obs tar_scm source service before version 0.12.4 could allow attackers able to provide a malicious _service file to execute code as the source service or local user. Reference: GitHub change set.
Risk - Build and packaging pipelines are attractive supply chain targets. - Developer workstations and CI systems may execute malicious service definitions during normal workflows.
Immediate actions
- Update to 0.12.4 or later.
- Review trust boundaries around submitted _service files.
- Hunt for unexpected process launches tied to source checkout or package build events.
CVE-2026-50747: UniFi Talk authenticated SQL injection
This CVSS 9.9 flaw affects UniFi Talk Application and could allow a low-privileged attacker with network access to use authenticated SQL injection to escalate privileges on the host device. Reference: Ubiquiti Security Advisory Bulletin 066.
Risk - Low-privilege authenticated flaws are often exploitable after phishing, password reuse, or insider misuse. - SQL injection in management software can expose credentials and alter application state.
Immediate actions - Patch affected systems. - Review local user accounts and API usage for abnormal behavior. - Check for configuration exports or database access anomalies.
CVE-2026-50748: UniFi Access command injection
This CVSS 9.9 vulnerability affects UniFi Access Application and could allow a low-privileged attacker with network access to execute command injection on the host device. Reference: Ubiquiti Security Advisory Bulletin 066.
Risk - Access control systems blend physical and cyber impact. - Compromise may affect door control, credential workflows, and security operations continuity.
Immediate actions - Patch now and isolate access management interfaces. - Validate role assignments and recent admin actions. - Review whether access systems communicate with broader corporate infrastructure.
What Defenders Should Do Today
1) Triage externally reachable systems first
Focus on systems most likely to be scanned or exploited quickly:
- SharePoint
- Cisco Unified CM
- WordPress sites using Blocksy Companion Pro
- UniFi management applications
- Build or packaging services using vulnerable obs-service-tar_scm
Quick inventory ideas
# Find likely SharePoint or IIS hosts
nmap -p 80,443 --open -sV <subnet>
# Identify WordPress plugin directories on web servers
find /var/www -type d -name "blocksy-companion-pro" 2>/dev/null
# Search for obs tar_scm package versions on Linux systems
rpm -qa | grep -i tar_scm
dpkg -l | grep -i tar_scm
2) Review Microsoft 365 OAuth and token abuse exposure
Consent-based attacks deserve immediate review, especially in organizations that allow broad self-service app consent.
Checkpoints - Restrict user consent to verified or approved apps. - Review recent app consents and service principals. - Investigate suspicious mailbox access or token issuance patterns.
Technical Notes
Useful Microsoft 365 investigation pivots
# Exchange Online PowerShell example concept
Get-EXOMailboxStatistics -Identity user@company.com
# AzureAD / Entra related reviews will vary by module and tenant configuration.
# Validate recent enterprise app consents, app registrations, and risky sign-ins.
Suspicious indicators to review - Newly consented apps with broad mail or file scopes - Interactive logins followed by unusual API access - Sign-ins from atypical devices shortly before mailbox rule creation
3) Hunt for signs of post-exploitation, not just missing patches
Patching closes the door, but it does not tell you whether someone already came in.
Look for - Unexpected admin users - New scheduled tasks or cron jobs - Web shell-like files in application directories - Outbound connections from servers that usually do not initiate internet traffic - Security tooling disablement or tampering
Technical Notes
Linux persistence checks
# New or unexpected cron entries
crontab -l
ls -la /etc/cron* /var/spool/cron 2>/dev/null
# Recently changed web files
find /var/www -type f -mtime -7 | sort
# Suspicious listening or outbound connections
ss -plant
lsof -i -P -n
Windows checks
# Scheduled tasks modified recently
Get-ScheduledTask | Get-ScheduledTaskInfo | Sort-Object LastRunTime -Descending | Select-Object -First 20
# Local admins
Get-LocalGroupMember Administrators
# Recent IIS logs path example
Get-ChildItem "C:\inetpub\logs\LogFiles" -Recurse | Sort-Object LastWriteTime -Descending | Select-Object -First 20
4) Revisit vendor and third-party risk assumptions
The SLA vendor incident is a reminder to verify, not assume, third-party control maturity.
Ask today - Which vendors can access customer or employee data? - Which vendors can authenticate into production or support environments? - Which vendors are exempt from MFA, IP restrictions, or session monitoring? - What evidence do we require after a vendor-side incident?
5) Update user guidance on ClickFix-style prompts
End users are increasingly being told to “fix” issues by pasting commands or approving suspicious prompts.
Awareness message to send - Do not paste commands from websites into Terminal, PowerShell, CMD, or Run dialogs. - Do not approve Microsoft 365 permissions prompts unless you requested the app and recognize the publisher. - Contact IT through known channels if a page claims your system or account needs urgent manual repair.
Technical Deep Dive
Technical Notes: SharePoint and web app log review
For SharePoint and other IIS-backed web apps, start with recent anomalous requests, especially to uncommon endpoints, upload paths, or administrative pages.
# Basic IIS log grep for suspicious patterns
Select-String -Path "C:\inetpub\logs\LogFiles\*\*.log" -Pattern "cmd=|powershell|/layouts/|/admin/|.aspx|.ashx" |
Select-Object -First 100
Look for:
- Requests followed by child process creation from IIS worker processes
- Unexpected .aspx or script files written to web roots
- Bursts of requests from a single IP across multiple application paths
Technical Notes: Cisco and unified communications visibility
Unified communications servers often fall outside standard EDR or log pipelines. Validate: - Administrative login history - Config changes - Unexpected SSH or shell access - External callbacks from UC nodes
If your monitoring is weak on voice systems, treat them as potentially blind spots during active exploitation periods.
Technical Notes: WordPress compromise review
For critical WordPress plugin RCEs, verify both application and hosting-layer indicators.
# Find recently modified PHP files
find /var/www -type f -name "*.php" -mtime -7 -ls
# Search for suspicious eval/base64 patterns
grep -RInE "base64_decode|eval\(|gzinflate|shell_exec|system\(" /var/www 2>/dev/null
Review:
- Unknown administrator accounts
- Unauthorized plugin or theme installation
- Redirect injections in .htaccess
- New files in wp-content/uploads that should not be executable
Bottom Line
Today’s cybersecurity threats picture is straightforward: active exploitation and social engineering are outpacing slow patch cycles. Defenders should spend July 3 prioritizing exposed collaboration platforms, Microsoft 365 consent abuse controls, and newly disclosed critical application flaws. If you own SharePoint, Cisco Unified CM, WordPress, UniFi management applications, or package build infrastructure, this is a same-day validation and remediation problem, not a next-week task.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.