ServiceNow has quietly warned customers that attackers exploited an unauthenticated API endpoint to query data from customer instances. A June 5 update locked the endpoint to authenticated users only. Admins point to /api/now/related_list_edit set to requires_authentication=false.
Nightmare Eclipse has released "RoguePlanet," a Microsoft Defender race-condition zero-day that spawns a SYSTEM shell on fully patched Windows 10 and 11 — including systems with this week's June updates. ThreatLocker independently reproduced it against patched Windows 11. No fix exists yet.
SAP's June 2026 Security Patch Day addresses 15 vulnerabilities, four of them critical — led by a CVSS 9.9 XML Signature Wrapping flaw enabling SAML authentication bypass in NetWeaver and an unauthenticated CVSS 9.8 memory corruption bug exploitable via crafted RFC requests.
"Ghost-Sender" lets attackers send email as any address — internal or external — to orgs running Exchange Online or hybrid Exchange behind a third-party MX record. SPF, DKIM, and DMARC are all bypassed, fewer than half of exposed orgs have mitigations, and Microsoft says no patch is coming.
Veeam has patched CVE-2026-44963, a CVSS 9.4 flaw in Backup & Replication that lets any authenticated domain user execute remote code on the backup server. All version 12 builds are affected — version 13 is immune due to architectural changes. Ransomware groups routinely target Veeam first.
Microsoft's June 2026 Patch Tuesday addresses 200 vulnerabilities, including three publicly disclosed zero-days covering a CTFMON privilege escalation, the "HTTP/2 Bomb" denial-of-service technique, and the YellowKey BitLocker bypass released by Nightmare Eclipse.
Google Mandiant attributes a sustained data theft and extortion campaign to UNC3753, combining voice phishing, IT impersonation, and in-person office break-ins to compromise US law and financial firms — progressing from initial contact to ransom demand in under an hour.
Google has released emergency Chrome 149 updates to patch CVE-2026-11645, a high-severity V8 out-of-bounds read/write zero-day exploited in the wild — the fifth Chrome zero-day patched this year.
Three chained vulnerabilities in Ubiquiti UniFi OS Server allow attackers to bypass authentication, execute commands, and escalate to root with no credentials or user interaction — granting full control over network infrastructure, surveillance cameras, and door access systems.
Check Point has disclosed active exploitation of a critical authentication bypass vulnerability in its Remote Access VPN and Mobile Access products, tracked as CVE-2026-50751 with a CVSS score of 9.3. The flaw allows an unauthenticated remote attacker to establish a VPN session without a valid password by
GitHub has disabled 73 Microsoft repositories after the Miasma worm infiltrated Azure infrastructure through a compromised contributor account, breaking CI/CD pipelines across the Azure Functions ecosystem and triggering remote code execution on developer machines that opened the infected repos in IDEs and AI coding tools. The attack began on
A False Claims Act lawsuit originally filed under seal in 2020 has been unsealed after the federal government declined to join as co-plaintiff, revealing explosive allegations from IBM's former Vice President of Threat Intelligence that both IBM and AT&T systematically concealed nation-state hacking incidents