██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

SimpleHelp Auth Bypass Exploited; CISA Adds to KEV

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 30, 2026

Share

cybr.cx Daily Digest — June 30, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-48558 | SimpleHelp | No CVSS yet
SimpleHelp's OIDC authentication flow accepts identity tokens without verifying their cryptographic signatures, meaning any unauthenticated remote attacker can bypass login entirely and impersonate any user. CISA added this to the KEV catalogue yesterday with a patch deadline of July 2 — that's 72 hours from now. If you're running SimpleHelp with OIDC enabled, treat this as an emergency. Update immediately.

⚠️ Actively exploited — CVE-2026-12569 | PTC Windchill & FlexPLM | No CVSS yet
An improper input validation flaw in PTC's Windchill PLM and FlexPLM platforms allows unauthenticated remote attackers to execute arbitrary code via a malicious network request. These systems are common in manufacturing and defence supply chains, making exploitation here a potential industrial espionage vector. Patch deadline has already passed (June 28) — if you haven't acted, you're overdue.

⚠️ Actively exploited — CVE-2026-20230 | Cisco Unified Communications Manager | No CVSS yet
A server-side request forgery vulnerability in Cisco Unified CM and Unified CM SME allows unauthenticated remote attackers to write arbitrary files to the underlying OS. File write primitives at this level typically lead to full system compromise. Another overdue KEV deadline — Cisco Unified CM is near-ubiquitous in enterprise telephony environments.

⚠️ Actively exploited — CVE-2026-34910 / CVE-2026-34909 / CVE-2026-34908 | Ubiquiti UniFi OS | No CVSS yet
Three actively exploited flaws hit UniFi OS simultaneously: command injection via improper input validation, path traversal enabling access to underlying system files, and improper access control allowing unauthorised system changes. Chained together, these are a full compromise path for anyone with network access to a UniFi controller. UniFi is extensively deployed in SMB and home-lab environments — patch or isolate management interfaces now.

⚠️ Actively exploited — CVE-2025-67038 | Lantronix EDS5000 | No CVSS yet
OS commands injected into the username parameter of the Lantronix EDS5000 execute with root privileges. This device is used for serial-to-network bridging in industrial and OT environments — root-level command injection here can mean access to serial-connected legacy infrastructure that has no other security controls.

CVE-2026-13518 | Tenda JD12L (16.03.53.23) | CVSS 8.8
A stack-based buffer overflow in the fromAddressNat function of /goform/addressNat is remotely exploitable and the exploit is publicly available. Consumer routers from Tenda regularly go unpatched; if this device is in your environment or on a network you're responsible for, assume no fix is coming and consider replacement.

CVE-2026-40521 | FrontAccounting < 2.4.20 | CVSS 8.8
An authenticated attacker can supply path traversal sequences (../../../shell.php) in the unique_name parameter of the attachment upload handler to write a PHP webshell directly into the web root, achieving remote code execution. Upgrade to 2.4.20 immediately — this is a textbook file upload bypass.

CVE-2026-57999 | luci-app-tailscale-community | CVSS 8.8
Improper shell quoting in the tailscale.do_login RPC method means authenticated users can inject arbitrary shell commands via the loginserver or loginserver_authkey parameters, executing as root. OpenWrt users running Tailscale via this community package should update or remove the package until a fix is confirmed upstream.

CVE-2026-56780 | Modoboa < 2.9.0 | CVSS 7.5
An insecure direct object reference in the password-reset API endpoint allows domain administrators to reset the password of any account — including the superadmin — by manipulating the pk parameter. Upgrade to 2.9.0; any Modoboa deployment with multiple admins should audit recent password-change logs.


Headline News

1 million passports leaked online
Roughly one million passport documents have appeared online following what appears to be a significant data exposure event. The scale places this in the upper tier of identity document breaches — passport data is particularly damaging because unlike a password, a passport number cannot be rotated, and the documents contain biographic data useful for identity fraud, account takeover, and social engineering at scale. For practitioners, this reinforces why systems handling government-issued identity documents require strict access controls, data minimisation, and retention limits. Organisations that rely on passport verification for onboarding should anticipate an uptick in fraudulent document submissions using this data.

KDDI breach exposes up to 14.2 million email accounts across six ISPs
Japanese telecommunications giant KDDI has disclosed a breach affecting up to 14.2 million email accounts after attackers exploited a vulnerability in third-party software used across six internet service providers. The breach highlights third-party dependency risk at carrier scale — a single unpatched component in a managed service created blast radius across multiple ISPs and millions of customers simultaneously. Exposed email accounts are a high-value target: they enable credential reset attacks, phishing campaigns, and account takeover across any service linked to those addresses. Affected users should rotate passwords and enable MFA on any accounts tied to their KDDI-managed email addresses. Practitioners managing third-party software dependencies in multi-tenant or carrier environments should treat this as a case study in supply chain exposure.


Schrödinger's Feed

IBM has released Qiskit Paulice, an open-source extension that embeds low-overhead spacetime error-detection codes — specifically Pauli checks — directly into near-term Clifford circuits. Error correction has long been the critical blocker between today's noisy intermediate-scale quantum hardware and the fault-tolerant machines that would threaten RSA and elliptic curve cryptography at scale; tooling that reduces that overhead matters. The approach uses ancilla qubits to monitor "spacetime" slices of a circuit for Pauli errors without the resource cost of full fault-tolerant codes. Practitioners planning post-quantum migration timelines should watch error-correction progress closely — every incremental reduction in overhead brings fault-tolerant quantum compute closer to practical reality.


/dev/random

Ever wondered what actually happens between typing kernel<<<blocks, threads>>>() and your GPU doing something useful? A deep-dive published this week walks through the full CUDA kernel launch pipeline: the driver validates the PTX or SASS binary, allocates a command buffer, pushes a kernel dispatch packet to a hardware queue on the GPU, and the GigaThread engine schedules thread blocks onto available streaming multiprocessors — all before a single shader core executes your code. The piece details how the CPU and GPU coordinate via a shared memory-mapped region and how the driver intercepts the launch to inject profiling hooks when tools like Nsight are attached. It's the kind of "I write GPU code but had no idea any of this was happening" explainer that makes you briefly appreciate that it works at all. Security researchers who've looked at GPU-based malware or side-channel attacks via the memory subsystem will find the dispatch and scheduling mechanics particularly illuminating.