eastbaycyber

Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs

Threat digests 9 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-07-04

TL;DR - NetNut proxy infrastructure was disrupted, cutting off access to roughly 2 million infected Android-based devices. - Gitea admins should prioritize updates for multiple high-severity flaws disclosed on July 3. - Microsoft 365 phishing tradecraft and exposed developer tooling remain active risks today.

Top Stories

NetNut proxy network disrupted, 2 million infected devices cut off

A joint disruption operation involving Google reportedly interrupted the NetNut residential proxy network, which allegedly monetized access to millions of compromised Android devices, including smart TVs and streaming boxes, according to BleepingComputer (source).

Why it matters

Residential proxy ecosystems are routinely used to hide attacker infrastructure behind legitimate-looking consumer IP space. If a network of this size is partially or fully degraded, defenders may see:

  • Reduced noise from commodity proxy traffic in the short term
  • Shifts to alternate residential proxy providers
  • Changes in geolocation, ASN, and reputation patterns tied to phishing, credential stuffing, and abuse campaigns

What to do next

  • Review detections that rely on IP reputation alone; displaced operators often rotate quickly.
  • Hunt for suspicious outbound traffic from unmanaged Android-based devices in offices, conference rooms, kiosks, or employee homes.
  • Reassess asset inventory for Android TV boxes, streaming hardware, and embedded consumer devices connected to business networks.

Technical Notes

Useful network triage patterns for proxy-style activity:

# Identify unusual outbound connections from IoT/Android-like devices
zeek-cut id.orig_h id.resp_h id.resp_p proto < conn.log | sort | uniq -c | sort -nr | head

# Find top external destinations by DNS queries from a subnet
cat dns.log | zeek-cut id.orig_h query | grep '^10\.|^192\.168\.' | sort | uniq -c | sort -nr | head

Example investigation questions:

  • Is a smart TV or streaming box making high-volume outbound connections?
  • Are devices resolving dynamic or low-reputation domains repeatedly?
  • Do consumer devices communicate directly with infrastructure in countries where you do not operate?

ARToken PhaaS exposes EvilTokens’ Microsoft 365 phishing toolkit

Researchers cited by BleepingComputer reported that a phishing-as-a-service platform called ARToken appears to expose tooling associated with EvilTokens and provides insight into Microsoft 365-focused credential theft operations (source).

Why it matters

Microsoft 365 remains one of the highest-value phishing targets for SMBs and enterprises. Exposed operator tooling helps defenders understand:

  • Landing page structure and phishing flow behavior
  • Session theft and token capture methods
  • Infrastructure reuse across affiliate-driven campaigns

What to do next

  • Enforce phishing-resistant MFA where possible.
  • Tighten conditional access around new devices, impossible travel, and unmanaged browsers.
  • Alert on sign-ins followed by suspicious mailbox rule creation, OAuth grants, or MFA method changes.
  • Refresh user awareness specifically around Microsoft 365 login prompts and fake document-sharing lures.

Technical Notes

High-value Microsoft 365 hunting pivots include:

// Recent inbox rule changes
OfficeActivity
| where Operation in ("New-InboxRule","Set-InboxRule")
| project TimeGenerated, UserId, Operation, Parameters, ClientIP

// Suspicious MFA changes
AuditLogs
| where OperationName has_any ("Update user", "Register security info", "Change default authentication method")
| project TimeGenerated, InitiatedBy, TargetResources, Result

Mailbox rule abuse often includes patterns such as:

  • Auto-forwarding to external domains
  • Deleting or moving security alerts
  • Marking phishing responses as read

Critical Vulnerabilities

CVE-2026-20896 - Gitea Docker image reverse proxy trust flaw

CVSS 9.8

Gitea Docker image versions up to and including 1.26.2 use REVERSE_PROXY_TRUSTED_PROXIES=* by default. If reverse-proxy authentication headers such as X-WEBAUTH-USER are enabled, any source IP may be able to impersonate a user. References: Gitea release notes (release), advisory (GHSA-f75j-4cw6-rmx4), fix PR (PR 38151), release tag (v1.26.3).

So what?

This is the highest-priority item in today’s digest for teams running self-hosted Gitea in containers behind reverse proxies or SSO/header-based auth layers. If your deployment trusts upstream identity headers incorrectly, authentication boundaries may collapse.

Immediate actions

  • Upgrade to a fixed Gitea release as documented by the project.
  • Audit whether header-based auth is enabled.
  • Restrict trusted proxy ranges explicitly instead of using wildcard trust.
  • Verify ingress, reverse proxy, and container environment defaults.

Technical Notes

Check for risky configuration:

docker inspect <gitea_container> | grep -i REVERSE_PROXY_TRUSTED_PROXIES
docker exec -it <gitea_container> env | grep REVERSE_PROXY_TRUSTED_PROXIES

Review app configuration for auth header usage:

grep -R "X-WEBAUTH-USER\|REVERSE_PROXY" /data/gitea/conf/app.ini

Safer pattern example:

[server]
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = 10.0.0.10/32,10.0.0.11/32

CVE-2026-22874 - Gitea incomplete SSRF protection

CVSS 9.6

Gitea versions up to and including 1.26.2 contain incomplete SSRF protection in webhook and migration allow-list filtering. References: Gitea release notes (release), advisory (GHSA-2r5c-gw76-rh3w), related fixes (PR 38059, PR 38173), release tag (v1.26.3).

So what?

SSRF in source code management platforms can become a bridge into internal services, cloud metadata endpoints, CI systems, and administrative interfaces. If webhook or migration features are exposed to untrusted users, impact can be significant.

Immediate actions

  • Patch Gitea promptly.
  • Review whether untrusted users can create webhooks or initiate migrations.
  • Block access from Gitea hosts to cloud metadata services and sensitive internal ranges where feasible.
  • Inspect recent webhook targets and migration events for internal IPs, localhost, or unusual hostnames.

Technical Notes

Review outbound connections from the Gitea host:

ss -tpn | grep gitea
journalctl -u gitea --since "2026-07-01" | grep -Ei "webhook|migrat|hook"

Look for targets such as:

  • 127.0.0.1
  • 169.254.169.254
  • RFC1918 internal addresses
  • Internal-only DNS names

Example egress hardening at the host firewall layer:

iptables -A OUTPUT -d 169.254.169.254 -j REJECT
iptables -A OUTPUT -d 127.0.0.0/8 -m owner --uid-owner gitea -j REJECT

CVE-2026-58426 - Gitea Actions artifact signed URL weakness

CVSS 9.6

Gitea Actions Artifacts V4 contains a signed URL HMAC ambiguity issue that can allow cross-repository artifact reads and cross-task upload-state writes. References: Gitea release notes (release), advisory (GHSA-hg5r-vq93-9fv6), fix PR (PR 37707), release tag (v1.26.2).

So what?

If you use Gitea Actions, this can undermine repository isolation and CI artifact confidentiality. In practical terms, that may expose build outputs, secrets embedded in artifacts, or pipeline state across repos.

Immediate actions

  • Update to the fixed version recommended by Gitea.
  • Review which repositories use Gitea Actions and artifact sharing.
  • Rotate secrets that may have been exposed through artifacts.
  • Inspect for unexpected artifact access or workflow anomalies.

Technical Notes

Repositories and runners to review:

grep -R "actions" /data/gitea/conf /var/lib/gitea 2>/dev/null

Questions for incident review:

  • Did artifacts contain .env files, config backups, tokens, or build secrets?
  • Were runners shared across projects with different trust levels?
  • Were there unusual download patterns across repositories?

CVE-2026-58289 - Microsoft Edge type confusion RCE

CVSS 9.0

Microsoft lists CVE-2026-58289 as a type confusion vulnerability in Chromium-based Microsoft Edge that may allow remote code execution over a network. Reference: Microsoft Security Response Center (MSRC).

So what?

Browser RCEs remain high-value because they pair well with phishing and watering-hole activity. While the provided reference does not, by itself, establish exploitation in the wild, it is still a priority patch for endpoints handling untrusted web content.

Immediate actions

  • Ensure Edge updates are being applied across managed endpoints.
  • Verify browser version compliance in EDR or endpoint management tooling.
  • Prioritize executive, finance, admin, and help desk systems that face high phishing volume.

Technical Notes

Quick enterprise checks:

Get-Item "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | Select-Object VersionInfo

Intune or EDR validation should confirm:

  • Browser auto-update is enabled
  • Unsupported OS builds are identified
  • Users cannot indefinitely defer critical browser updates

CVE-2026-10054 - Eclipse Theia WebSocket terminal exposure

CVSS 8.8

Affected Eclipse Theia versions from 1.8.1 onward may expose privileged terminal RPC over WebSocket without service-level authentication, with fail-open origin validation under default conditions. References: advisory (GHSA-78g8-vm3p-97c6) and Eclipse tracking item (report).

So what?

This is particularly important for developer workstations, browser-accessible IDE deployments, training labs, and tunneled development environments. A user visiting a malicious page may expose a local or hosted Theia instance to command execution.

Immediate actions

  • Identify where Theia is deployed, including temporary dev environments.
  • Restrict network exposure and place strong authentication in front of hosted instances.
  • Monitor for unusual WebSocket access to terminal-related paths.
  • Track the vendor fix and deploy it as soon as available.

Technical Notes

Relevant paths called out in the advisory include:

/services/shell-terminal
/services/terminals/:id

Reverse proxy logging examples to hunt:

"$remote_addr - $host [$time_local] \"$request\" $status \"$http_origin\" \"$http_user_agent\""

Search for suspicious access:

grep -R "/services/shell-terminal\|/services/terminals/" /var/log/nginx /var/log/httpd 2>/dev/null

What Defenders Should Do Today

  1. Patch Gitea first if you run self-hosted instances, especially Docker-based deployments and those using reverse proxy authentication. Start with the fixes documented in Gitea’s July 3 release material (release).
  2. Review Microsoft 365 defenses against phishing and session theft. Focus on MFA strength, conditional access, inbox rule monitoring, and security alerting around account changes.
  3. Hunt for unmanaged Android-based devices that may generate unusual outbound traffic or act as abuse infrastructure within your environment.
  4. Inventory browser-accessible developer tooling such as Eclipse Theia and verify that terminal-capable services are not exposed without robust authentication.
  5. Validate browser patch compliance for Edge and other Chromium-based browsers across all managed endpoints.

Practical Priority Order

If you need a same-day execution plan, use this order:

  1. Internet-facing Gitea
  2. Hosted or tunneled Eclipse Theia
  3. Microsoft 365 monitoring and phishing controls
  4. Edge patch verification
  5. IoT and Android device inventory review

Bottom Line

Today’s most actionable risk is the cluster of Gitea vulnerabilities, especially for containerized deployments and environments with reverse-proxy authentication. The exposed Microsoft 365 phishing toolkit reinforces that identity remains a primary attack surface, while the NetNut disruption is a reminder that compromised consumer devices still power large-scale abuse infrastructure. For most defenders, the right move today is straightforward: patch exposed development platforms, tighten identity monitoring, and validate that unmanaged devices are not quietly expanding your attack surface.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you. ```

Last verified: 2026-07-04

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.