██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

PTC PLM Systems Under Active Attack: Patch Now

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 26, 2026

Share

cybr.cx — Daily Digest // June 26, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-12569 | PTC Windchill & FlexPLM | CVSS: N/A (KEV)
An unauthenticated remote code execution vulnerability in PTC Windchill and FlexPLM is being actively exploited in the wild. The flaw stems from improper input validation, allowing attackers to send a malicious network request and achieve full code execution — no credentials required. CISA's remediation deadline was June 28; if you're running either product and haven't patched, treat this as a fire drill right now.

⚠️ Actively exploited — CVE-2026-20230 | Cisco Unified Communications Manager | CVSS: N/A (KEV)
Cisco Unified CM and Unified CM SME contain an SSRF vulnerability that lets unauthenticated remote attackers write arbitrary files to the underlying OS — effectively a remote write primitive without authentication. Active exploitation means threat actors are already staging on vulnerable systems. Patch immediately or isolate the management interface behind strict network controls.

⚠️ Actively exploited — CVE-2025-67038 | Lantronix EDS5000 | CVSS: N/A (KEV)
OS command injection via the username parameter in the Lantronix EDS5000 serial device server, with injected commands executing as root. Today is the CISA remediation due date. These serial-to-Ethernet devices often sit deep in OT/industrial networks where patching is slow — if you have EDS5000 units, prioritise them or isolate them now.

⚠️ Actively exploited — CVE-2026-34908 / 34909 / 34910 | Ubiquiti UniFi OS | CVSS: N/A (KEV)
Three UniFi OS vulnerabilities being actively exploited together: improper access control allowing unauthorised system changes (34908), path traversal enabling file access and account compromise (34909), and command injection via network access (34910). The combination is a credible takeover chain for any network-accessible UniFi controller. Patch UniFi OS immediately; today is the CISA deadline.

⚠️ Actively exploited — CVE-2026-20253 | Splunk Enterprise | CVSS: N/A (KEV)
An unauthenticated attacker can create or truncate arbitrary files on a Splunk Enterprise host via an exposed PostgreSQL sidecar service endpoint that requires no authentication. Active exploitation is confirmed. CISA's deadline already passed (June 21) — if you haven't patched, assume exposure and investigate for indicators of compromise.


CVE-2026-56766 | THC Hydra ≤ 9.7 | CVSS: 8.8 — HIGH
A stack buffer overflow in Hydra's NTLM authentication handling affects SMTP, POP3, IMAP, NNTP, HTTP, and HTTP-Proxy modules. A malicious server can craft an NTLM Type-2 challenge with an oversized domain string, overflowing a fixed 500-byte stack buffer via base64-decoded response data. Red teams running Hydra against attacker-controlled infrastructure are at risk of compromise. Fixed in commit 9cc84c2.

CVE-2026-56767 | Maxun < 0.0.42 | CVSS: 8.8 — HIGH
A cross-tenant IDOR in Maxun's storage and webhook API handlers lets any authenticated user access other tenants' robots and read plaintext Google and Airtable OAuth tokens — no privilege escalation required, just a valid account. The exposure of third-party OAuth tokens significantly extends the blast radius. Upgrade to 0.0.42 immediately and rotate all connected OAuth credentials.

CVE-2026-56768 | Seahub < 13.0.23 | CVSS: 8.8 — HIGH
Seahub (Seafile's web frontend) fails to enforce the SHARE_LINK_LOGIN_REQUIRED setting on the GET /api/v2.1/share-link-zip-task/ endpoint. Anyone with a folder share-link token — even if they're unauthenticated — can obtain a fileserver zip token and download the entire shared directory tree. A configuration intended to restrict access is silently ignored. Upgrade to 13.0.23.

CVE-2026-56123 | socat 1.8.0.0–1.8.1.1 | CVSS: 8.1 — HIGH
A sign-extension flaw in socat's SOCKS5 DOMAINNAME reply parser causes a domain name length byte to be read as a signed char, producing a negative bytes_to_read value that converts to a massive size_t, enabling heap buffer overflow by a malicious proxy server. Socat is widely used in security tooling and DevOps pipelines — check your versions and update.


Headline News

'Edgecution': Browser Extension as Ransomware Delivery Vehicle
A ransomware campaign has been documented using a malicious Microsoft Edge extension — dubbed "Edgecution" — to escape the browser sandbox and deliver a Python-based backdoor to victim hosts. The attack abuses Native Messaging, a legitimate browser API that allows extensions to communicate with locally installed applications, effectively using the browser as a trusted bridge into the OS. This technique sidesteps many endpoint controls because the communication channel is sanctioned by the browser itself. For defenders, this reinforces the need to audit approved Native Messaging hosts on managed endpoints and restrict browser extension installation to vetted, allowlisted items. The Python backdoor's post-compromise behaviour is consistent with pre-ransomware staging, making early detection critical.

LastPass Discloses Another Breach
LastPass has notified users of yet another data breach — the company's third major incident in recent years. The notification, issued this week, continues a pattern that has severely eroded trust in a product whose entire value proposition depends on securing credentials. The specific data exposed in this incident has not been fully detailed publicly, but given the 2022 breach's consequences — where encrypted vaults were exfiltrated alongside metadata that enabled targeted attacks — practitioners should assume worst-case exposure. If you or your organisation still has LastPass deployed, this is the moment to accelerate migration to an alternative and treat any stored credentials as potentially compromised. Force password rotations on any high-value accounts managed through the service.

Operation Endgame Returns: StealC, Amadey, and SocGholish Infrastructure Dismantled
A renewed phase of Operation Endgame has struck the infrastructure underpinning three major malware families — StealC, Amadey, and SocGholish — resulting in server seizures and the recovery of millions of stolen credentials. StealC is a widely deployed infostealer sold as-a-service; Amadey functions as a loader facilitating secondary payload delivery; SocGholish is the JavaScript-based drive-by framework responsible for countless fake browser update lures. The coordinated disruption of all three simultaneously suggests law enforcement had significant visibility into shared hosting and operational overlap between the groups. SOC teams should cross-reference any StealC or Amadey indicators in their telemetry against recent alerts — credential theft from these campaigns frequently precedes ransomware deployment by days to weeks.


Schrödinger's Feed

WISeKey and its semiconductor subsidiary SEALSQ have incorporated a jointly owned entity — Quantisimo Corp. — specifically to commercialise post-quantum cryptography hardware and pursue a Nasdaq listing via SPAC. The move signals that PQC is graduating from standards bodies into dedicated capital market plays, with investors now betting real money on the transition timeline. NIST's finalised PQC standards have created a tangible product roadmap, and companies like SEALSQ, which produce secure elements and root-of-trust hardware, are positioned at the integration layer where PQC algorithms meet real-world devices. Practitioners planning long-lifecycle hardware procurement — especially in IoT, industrial, and identity infrastructure — should track which vendors are baking PQC into silicon now, because retrofitting it later is rarely straightforward.


/dev/random

A project called OpenKnowledge landed on GitHub this week billing itself as an open-source, AI-first alternative to Obsidian and Notion. The interesting wrinkle for the security-minded: it's built around an "inkeep" architecture that pipelines your notes through AI retrieval layers, which raises the obvious question of where your second-brain's data actually lives during inference. The project is early-stage and the README is optimistic in the way that early-stage READMEs tend to be. Still, the real entertainment is watching the perennial "but can I self-host it fully?" thread ignite in the issues within approximately four hours of the post going live — some things are reliably constant.