██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

CISA Warns: Magento Cache Warmer Flaw Under Active Attack

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 04, 2026

Share

cybr.cx Daily Digest — June 04, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-45247 | Mirasvit Full Page Cache Warmer | CVSS: N/A
CISA added this one yesterday and the remediation deadline is Friday — treat it as urgent. The Mirasvit Full Page Cache Warmer Magento extension deserializes attacker-controlled PHP objects from the CacheWarmer cookie, giving unauthenticated attackers a straight path to remote code execution. No credentials required. If you're running any Magento/Adobe Commerce instance with this extension installed, pull it now and audit for indicators of compromise.

⚠️ Actively exploited — CVE-2022-0492 | Linux Kernel | CVSS: N/A
Yes, 2022 — and it's back on CISA's KEV list as of June 2nd, meaning someone is actively weaponising it right now. The flaw abuses the cgroups v1 release_agent feature for privilege escalation, a technique that also enables container escapes when cgroups v1 is accessible inside a container. Containerised workloads and shared Linux environments are the primary risk surface. Patch, and verify your container runtimes are not exposing cgroups v1 unnecessarily.

⚠️ Actively exploited — CVE-2025-48595 | Android Framework | CVSS: N/A
An integer overflow in the Android Framework is being exploited in the wild to achieve local privilege escalation and code execution. With CISA's remediation deadline already passed (June 5th), mobile device management teams should be pushing the relevant Android security update immediately — unmanaged BYOD devices are the exposure you can't fully control here.

⚠️ Actively exploited — CVE-2024-21182 | Oracle WebLogic Server | CVSS: N/A
Today is the CISA remediation deadline for this Oracle WebLogic vulnerability, which allows unauthenticated attackers to compromise servers via the T3 and IIOP protocols — both frequently exposed in enterprise Java deployments. Successful exploitation grants complete access to all data on the server. If you haven't patched or blocked T3/IIOP at the perimeter already, that window is closed.

CVE-2026-35082 / 35083 / 35084 / 35085 | Unidentified Gateway/Building Automation Platform | CVSS: 8.8
Four closely related vulnerabilities published in the last 24 hours, all scoring 8.8 and affecting what appears to be a unified gateway or building automation product. CVE-2026-35082 enables arbitrary local file read via the ugw-logread method. CVE-2026-35083, -35084 (dali-devconfig), and -35085 (gdv-serverconfig) are all stack buffer overflows that allow privilege escalation to root. The DALI and GDV component names suggest building/industrial control system relevance — OT security teams should identify whether these components are present in their environments.

CVE-2026-20230 | Cisco Unified Communications Manager (Unified CM / CM SME) | CVSS: 8.6
An unauthenticated remote attacker can trigger server-side request forgery (SSRF) through malformed HTTP requests to Cisco Unified CM. SSRF against a communications platform can be used to probe internal network segments, access metadata services in cloud-hosted deployments, or pivot further into enterprise infrastructure. No authentication required makes this broadly exploitable — patch or apply Cisco's recommended mitigations promptly.

CVE-2026-35076 / 35077 / 35078 | Same Gateway Platform | CVSS: 8.1
Three additional arbitrary file deletion vulnerabilities in the same platform as the 8.8 cluster above, affecting the bac-scanresult, ugw-delete-file, and ugw-logstop methods. Exploitation requires user-level privileges, but the ability to delete arbitrary files can be used to destroy logs, disable security controls, or destabilise a running system. Treat alongside the 8.8 findings.


Headline News

Meta's AI Support Bot Weaponised to Hijack Instagram Accounts

Attackers have found a novel account takeover technique that routes through Meta's own AI support assistant. By crafting social engineering prompts directed at Meta AI, threat actors were able to instruct the chatbot to update the email address on a target's Instagram account — effectively handing over the keys without ever needing the victim's password. Once the recovery email is changed, a standard password reset completes the takeover. The attack is particularly dangerous because it abuses a trusted, first-party support channel rather than a phishing site, making it harder for victims to identify what happened or dispute it. The incident is a sharp reminder that AI assistants with account management capabilities create entirely new attack surfaces that traditional authentication controls don't cover — and that prompt injection and social engineering against AI systems are real operational threats, not theoretical ones.

AI-Built Ransomware Toolkit Automates EDR Evasion and Active Directory Recon

A threat actor has been observed deploying a ransomware toolkit that was substantially constructed using AI — and it shows. The kit automates Active Directory enumeration and discovery, dramatically compressing the reconnaissance phase of an attack, while also incorporating AI-generated EDR evasion logic designed to defeat signature and behavioural detection. This isn't a script kiddie curiosity: the automation of what have historically been the most time-intensive phases of a ransomware intrusion — AD discovery and defence evasion — means dwell times could shrink significantly and the barrier to executing a sophisticated attack is falling. For defenders, this accelerates the case for detection strategies that don't rely on known-bad signatures, and for hardening AD environments against automated lateral movement tools that can rapidly enumerate trust relationships, privileged accounts, and high-value targets.

BadUSB Attack Delivered Acoustically via Speaker

Researchers have demonstrated a technique — dubbed Katana — that achieves a BadUSB-style attack by emitting precisely crafted audio from a speaker to electronically manipulate a USB controller into registering a malicious HID device on a nearby machine. The attack requires no physical USB connection; the speaker generates signals that interact with the target system's hardware at close range. This is a meaningful step beyond traditional BadUSB, which requires physical access to a port, and demonstrates that the physical/logical boundary of USB security is thinner than most assume. The research is currently proof-of-concept with range and reliability constraints, but the underlying principle — acoustic signal injection into hardware — is a reminder that air-gap assumptions deserve continued scrutiny.


Schrödinger's Feed

Atom Computing has demonstrated quantum error correction using a toric code configuration on its neutral-atom platform, with validation metrics showing that logical error rates actually decrease as error correction cycles increase — the key threshold that makes fault-tolerant quantum computing viable in principle. The toric code is a topological approach that encodes logical qubits across a lattice of physical qubits, making errors detectable and correctable without destroying the quantum state. This is the kind of hardware milestone that moves fault-tolerant quantum computing from "eventual" to "scheduled." For practitioners tracking the cryptographic horizon: demonstrations like this incrementally tighten the timeline on when cryptographically relevant quantum computers become plausible, making PQC migration planning less of a long-range exercise and more of an operational one.


/dev/random

The Katana research also earns its place here: the attack works by exploiting the fact that USB controller hardware can be influenced by carefully constructed electromagnetic signals induced by audio output — meaning a sufficiently motivated attacker could, in theory, make your own speakers register a fake keyboard on your machine. The USB spec was not designed with "what if sound attacks it" as a threat model. To be clear, this currently requires close physical proximity and specific hardware conditions, so your Spotify playlist is not yet a threat vector. But "BadUSB, now with audio" is exactly the kind of sentence that should make anyone who writes USB security policy feel mildly unsettled.