SolarWinds Serv-U Hit by Unauthenticated DoS Attacks
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 07, 2026
cybr.cx Daily Digest — June 07, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-28318 | SolarWinds Serv-U | CVSS: N/A
Attackers are actively crashing Serv-U instances by sending unauthenticated POST requests with a Content-Encoding: deflate header, triggering uncontrolled resource consumption and taking the service offline entirely. No authentication is required, making this trivially weaponisable for denial-of-service against file transfer infrastructure. CISA added this to KEV on June 5 with a patch deadline of June 19 — if you're running Serv-U, patching is not optional right now.
⚠️ Actively exploited — CVE-2026-45247 | Mirasvit Full Page Cache Warmer (Magento/Adobe Commerce) | CVSS: N/A
Unauthenticated attackers can achieve remote code execution by supplying a crafted serialised PHP object in the CacheWarmer cookie — a classic PHP deserialisation chain with no auth barrier. CISA's due date has already passed (June 6), meaning any federal agency — and frankly any e-commerce operator running this extension — should treat this as emergency remediation. If you can't patch immediately, consider stripping or validating the CacheWarmer cookie at your WAF.
⚠️ Actively exploited — CVE-2022-0492 | Linux Kernel | CVSS: N/A
A four-year-old privilege escalation flaw in the Linux kernel's cgroups v1 release_agent feature has resurfaced on CISA's KEV — meaning someone is actively exploiting it now, likely in container escape scenarios. If your container workloads run on kernels below the fixed versions without AppArmor/SELinux profiles blocking this path, your isolation boundary is at risk. Audit kernel versions and harden cgroup access controls immediately.
⚠️ Actively exploited — CVE-2025-48595 | Android Framework | CVSS: N/A
An integer overflow in the Android Framework allows local privilege escalation to full code execution — and it's being exploited in the wild. Mobile device management teams should verify patch levels across the fleet and prioritise June's Android security bulletin. Unmanaged or BYOD Android devices are the blind spot here.
⚠️ Actively exploited — CVE-2024-21182 | Oracle WebLogic Server | CVSS: N/A
An unauthenticated attacker with network access via T3 or IIOP can fully compromise WebLogic Server, gaining access to all data and application functionality. Oracle WebLogic remains a perennial favourite for initial access in enterprise environments. If T3/IIOP are not firewalled at the perimeter, assume exposure and patch immediately.
CVE-2026-7654 | WordPress Admin Columns Plugin (≤7.0.18) | CVSS: 8.8
PHP Object Injection via unserialize() in the IdsToCollection::get_ids_from_string() function can lead to remote code execution — exploitable by any authenticated user with the ability to control post meta values. Contributor-level access is the typical bar, making this dangerous on multi-author sites. Update the plugin immediately; no workaround short of removal is reliable.
CVE-2026-11413 | JingDong JD Cloud Box AX6600 (firmware 4.5.3.r4546) | CVSS: 8.8
A stack-based buffer overflow in the set_macfilter function of /sbin/jdcweb_rpc is remotely exploitable and a public exploit already exists. The vendor did not respond to disclosure. If this router is in your environment, network-segment it aggressively and monitor for exploit attempts — a patch is not on the horizon.
CVE-2026-9290 | WP User Manager Plugin for WordPress (≤2.9.17) | CVSS: 7.5
Unauthenticated local file inclusion via a profile template scope function allows attackers to include and execute arbitrary PHP files already present on the server. This is a high-impact path for authentication bypass and RCE on shared hosting environments. Patch or disable the plugin.
Headline News
Pentagon Elevates Israeli Espionage Threat Assessment to Maximum Level
The U.S. Department of Defense quietly raised its internal threat assessment for Israeli intelligence operations against American targets to the highest possible tier, according to multiple sources with direct knowledge of the evaluation. The designation reflects sustained concern about collection efforts targeting sensitive U.S. defence programmes, military technology, and diplomatic communications — categories that go well beyond routine allied intelligence friction. For security practitioners, this is a reminder that insider threat and counterintelligence programmes need to account for allied-nation actors, not just adversaries; security clearance holders with dual national ties or frequent contact with foreign intelligence services warrant heightened monitoring under existing frameworks. The move has significant operational implications for defence contractors and cleared facilities who may need to revisit foreign national visit policies and data compartmentalisation controls.
SolarWinds Serv-U Actively Exploited Days After Patch — CISA Warns
Active exploitation of the SolarWinds Serv-U denial-of-service vulnerability (CVE-2026-28318) is confirmed, with attackers weaponising a single malformed HTTP POST request to crash the service without any credentials. The attack vector is deceptively simple: the Content-Encoding: deflate header triggers resource exhaustion in Serv-U's request handling pipeline, taking the file transfer service offline entirely. Organisations relying on Serv-U for managed file transfer — common in financial services, healthcare, and government — face operational disruption even without data exfiltration. Given SolarWinds' history as a high-value supply chain target, defenders should treat any Serv-U anomaly as potentially part of a broader campaign, not just opportunistic DDoS, and apply the available patch before CISA's June 19 deadline.
Instagram Accounts Compromised at Scale via Meta AI Chatbot Abuse
Meta has confirmed that thousands of Instagram accounts were hijacked through a novel attack path: adversaries abused Meta's AI chatbot to socially engineer account recovery flows and bypass authentication controls. The chatbot, intended to assist users with account support, was manipulated into providing information or taking actions that facilitated unauthorised account takeovers — a concrete demonstration of how AI-assisted customer service creates new trust boundaries that attackers will probe systematically. This is not a conventional phishing or credential-stuffing campaign; it represents a new attack surface introduced by the integration of large language models into identity and access management workflows. Security teams building or deploying AI-assisted support functions should model this threat explicitly: can your chatbot be coerced into leaking account state, initiating resets, or confirming identity information to an unauthenticated requester?
Schrödinger's Feed
IonQ has reported the simultaneous experimental execution of nine distinct quantum error-correcting code families — including qLDPC, topological, and concatenated codes — compiled onto a single, non-reconfigured trapped-ion architecture. This is a notable hardware milestone: demonstrating multiple error-correction schemes on one physical system without architectural changes narrows the gap between theoretical fault-tolerance models and practical quantum hardware. The relevance to cryptography is real but indirect for now — fault-tolerant quantum computers capable of running Shor's algorithm at scale remain dependent on exactly this kind of error-correction progress. Practitioners on long-timeline infrastructure decisions (PKI lifespans, HSM refresh cycles, encrypted archive retention) should treat milestones like this as a pacing signal for their post-quantum migration roadmaps.
/dev/random
Meta's AI chatbot has had a rough week in the credibility department: it turns out the "helpful assistant" integrated into Instagram's support flows could be socially engineered into facilitating account takeovers at scale — with thousands of users affected before the attack pattern was identified. The core irony is that the chatbot was deployed, at least in part, to improve account security UX, and instead introduced an entirely new unauthenticated attack surface. It's the security equivalent of installing a smart lock and accidentally leaving the window open. Somewhere, a threat modeller who flagged "AI chatbot as identity oracle" in a risk register is currently updating their résumé with "told you so."