SimpleHelp Auth Bypass Exploited Wildly; CISA Demands Immediate Action
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. July 01, 2026
cybr.cx Daily Digest — July 01, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-48558 | SimpleHelp | No CVSS in NVD feed
SimpleHelp's OIDC authentication flow accepts identity tokens without verifying their cryptographic signatures, meaning any unauthenticated remote attacker can bypass login entirely when OIDC is configured. CISA added this to KEV on June 29 with a remediation deadline of July 2 — that's tomorrow. If you run SimpleHelp for remote support, treat this as a fire drill right now.
⚠️ Actively exploited — CVE-2026-12569 | PTC Windchill & FlexPLM
An unauthenticated remote attacker can send a malicious network request to achieve arbitrary code execution against PTC's Windchill PLM and FlexPLM platforms — both widely deployed in manufacturing, aerospace, and defence supply chains. The CISA remediation deadline has already passed (June 28), so if you haven't patched, you're overdue. Internet-exposed PLM systems in OT-adjacent environments should be treated as compromised until proven otherwise.
⚠️ Actively exploited — CVE-2026-20230 | Cisco Unified Communications Manager
An unauthenticated attacker can abuse an SSRF vulnerability in Cisco Unified CM and Unified CM SME to write arbitrary files to the underlying operating system, effectively enabling remote code execution at the OS level. This affects a product that sits at the core of enterprise telephony infrastructure, making it an attractive pivot point for lateral movement. Deadline has passed — patch or isolate immediately.
⚠️ Actively exploited — CVE-2026-34908 / 34909 / 34910 | Ubiquiti UniFi OS
Three separate KEV-listed flaws in UniFi OS cover improper access control, path traversal, and command injection respectively. Together they represent a chained attack surface: gain access, traverse to sensitive files, then inject OS commands. UniFi gear is ubiquitous in SMB and prosumer network environments, many of which have management interfaces reachable from the LAN or even the internet.
⚠️ Actively exploited — CVE-2025-67038 | Lantronix EDS5000
OS command injection via the username parameter, executed with root privileges, no authentication barrier described. The EDS5000 is a serial-to-Ethernet device server common in industrial and OT environments — exactly the kind of forgotten hardware that never gets patched and sits directly adjacent to critical systems.
CVE-2026-48307 | Adobe ColdFusion 2025.9 / 2023.20 and earlier | CVSS 8.8
A reflected XSS bug that can lead to arbitrary code execution in the victim's browser context — high severity because of the potential for session hijack and privilege escalation in ColdFusion admin interfaces. Requires user interaction via a malicious link, so phishing delivery is the expected attack vector. Patch to the latest release.
CVE-2026-10129 | IBM Langflow OSS 1.0.0–1.9.3 | CVSS 8.5
An authenticated attacker with only flow-author privileges can bypass SSRF protections by enabling follow_redirects and pointing to a public URL that redirects internally. The SSRF guard introduced in 1.9.3 is defeated by redirect chaining — a classic implementation gap. Cloud metadata endpoints (IMDS) are the obvious target.
CVE-2026-11714 | IBM WebSphere Liberty 17.0.0.3–26.0.0.7 | CVSS 8.5
SSRF vulnerability activated when the apiDiscovery-1.0 feature is enabled. Audit your Liberty feature configuration; if you don't need API discovery, disable it as a mitigation until patching is possible.
CVE-2026-13759 | IBM WebSphere Extreme Scale 8.6.1.0–8.6.1.6 | CVSS 7.5
Three ObjectInputStream subclasses ship with no JEP-290 deserialization filter. When Oracle Coherence is on the classpath, confirmed RCE gadget chains exist. Post-login exploitation, but in grid/cache infrastructure that's often trusted implicitly between internal services.
Headline News
ShinyHunters' Oracle PeopleSoft Campaign Widens — Nissan and NAIC Disclose Breaches
The ShinyHunters extortion group's exploitation of a zero-day vulnerability in Oracle PeopleSoft continues to claim victims, with both Nissan and the National Association of Insurance Commissioners (NAIC) disclosing breaches this week. Nissan confirmed that current and former employee data was exfiltrated — a significant exposure for a company with a large global workforce — while NAIC characterised its stolen data as limited to publicly available records, outdated logs, and configuration files. The distinction matters less than it might seem: configuration files and logs can contain credential fragments, internal hostnames, and service architecture details that dramatically accelerate follow-on attacks. PeopleSoft deployments are common across large enterprises, insurers, and public-sector organisations, and the zero-day nature of the initial access means many organisations may not yet know they were hit. Security teams running PeopleSoft should be pulling logs for anomalous authentication and data export activity going back at least 90 days.
Anonymous Researcher Drops "Exploitarium" — A Public Zero-Day Repository
An anonymous researcher published a GitHub repository described as an "exploitarium" containing multiple zero-day vulnerabilities, with at least two confirmed as already being actively exploited in the wild at the time of publication. The move mirrors the philosophy of full disclosure but without any coordinating vendor notification period, immediately handing offensive capability to any threat actor capable of reading a README. For defenders, the practical implication is the same as a surprise KEV addition: treat affected systems as actively targeted from the moment the repo went public. The incident reignites the perennial debate about responsible disclosure norms, particularly as AI tooling increasingly lowers the bar for weaponising published proof-of-concept code. Blue teams should monitor the repository for any systems in their inventory and assume exploitation timelines measured in hours, not days.
New OT/ICS Exploitation Framework Surfaces on PyPI with 1,160+ Modules
A package named industrialxpl-forge appeared on PyPI advertising itself as an OT/ICS/SCADA/HMI/IIoT security assessment and exploitation framework with over 1,160 modules, coverage of 79 MITRE ATT&CK for ICS techniques, 12 malware family implementations, support for 150+ vendors, and more than 50 industrial protocols. Whether positioned as a legitimate pen-testing tool or not, the public availability of a framework with this level of OT-specific offensive capability is a material threat escalation for industrial operators — particularly smaller utilities and manufacturers without dedicated OT security programmes. The MITRE ATT&CK for ICS alignment means adversaries can operationalise it against documented attack patterns with minimal adaptation. OT security teams should review whether their detection logic covers the protocols and techniques enumerated in the framework's module list.
Schrödinger's Feed
StarkWare has published a roadmap to make Starknet — a major Ethereum Layer 2 network — quantum-safe, joining a growing list of blockchain and financial infrastructure projects racing to harden against cryptographically-relevant quantum computers before they arrive. The urgency is real: current elliptic-curve cryptography underpinning most blockchain signatures would be broken by a sufficiently powerful fault-tolerant quantum machine, and "harvest now, decrypt later" attacks mean adversaries may already be stockpiling transaction data. StarkWare's approach leans on STARKs (Scalable Transparent Arguments of Knowledge), which are already considered quantum-resistant due to their hash-based construction — giving Starknet a structural head start over chains reliant on elliptic-curve-based SNARKs. Practitioners managing long-lived digital assets or blockchain-adjacent infrastructure should track PQC migration timelines: the window between "theoretically possible" and "practically exploitable" tends to close faster than planning cycles accommodate.
/dev/random
Installing the Cursor AI code editor on iOS was found to silently and irreversibly toggle privacy settings on the device — specifically, changes that persist after the app is removed and cannot be undone through standard Settings menus. Users who discovered the behaviour reported being unable to restore original configurations without a full device reset. It's a masterclass in why "just install the app and try it" is no longer a casual act, especially on devices that also hold corporate credentials, MDM profiles, or personal authentication apps. Cursor's iOS implementation has since attracted the kind of attention that usually precedes a very apologetic blog post.