██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

SolarWinds Serv-U Under Active Attack — Patch Now

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 08, 2026

Share

cybr.cx Daily Digest — June 08, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-28318 | SolarWinds Serv-U | CVSS: N/A
SolarWinds Serv-U is being hammered in the wild right now. An unauthenticated attacker can crash the Serv-U service by sending a crafted POST request with a Content-Encoding: deflate header — no credentials required. CISA added this on June 5 with a remediation deadline of June 19; if you're running Serv-U in any internet-facing capacity, treat this as a fire drill and patch or isolate immediately.

⚠️ Actively exploited — CVE-2026-45247 | Mirasvit Full Page Cache Warmer (Magento/Adobe Commerce) | CVSS: N/A
Unauthenticated remote code execution via a crafted serialized PHP object stuffed into the CacheWarmer cookie. CISA's remediation deadline has already passed (June 6), meaning affected e-commerce operators are overdue. Any Magento or Adobe Commerce deployment running the Mirasvit Full Page Cache Warmer extension should be considered compromised until patched and audited.

⚠️ Actively exploited — CVE-2024-21182 | Oracle WebLogic Server | CVSS: N/A
An unauthenticated attacker with network access over T3 or IIOP can fully compromise Oracle WebLogic — read all data or take complete control. This one's been in the KEV since June 1 with a June 4 due date, and active exploitation continues. If you haven't blocked T3/IIOP at the perimeter and applied Oracle's patch, this is your reminder that threat actors are not waiting.

⚠️ Actively exploited — CVE-2022-0492 | Linux Kernel | CVSS: N/A
A four-year-old Linux kernel flaw is back in active exploitation — improper authentication in the cgroups v1 release_agent feature enabling local privilege escalation. Containerised environments are particularly relevant here since escaping certain container configurations is achievable via this path. Verify your kernel versions and check whether cgroups v1 release_agent is accessible in your deployment.

⚠️ Actively exploited — CVE-2025-48595 | Android Framework | CVSS: N/A
An integer overflow in the Android Framework allows local privilege escalation to code execution. Given the scale of Android deployments in enterprise MDM environments, unpatched devices represent a significant endpoint risk. Apply the relevant Android security patch level as soon as your device OEM makes it available.

CVE-2026-49494 | Comodo Internet Security (Inspect.sys) | CVSS: 7.5 — HIGH
Comodo's firewall kernel driver contains an integer underflow in its IPv6 packet parser — a specially crafted packet with a declared payload length smaller than the sum of its extension headers can trigger the underflow. Given this lives in a kernel driver, the consequences of exploitation could be significant. Comodo users should verify whether a patched driver version is available.

CVE-2026-11450 / 11451 / 11452 | GL.iNet GL-MT3000 (firmware ≤ 4.4.5) | CVSS: 7.3 — HIGH
Three separate command injection vulnerabilities in the GL-MT3000's web interface: one via the dev_name argument in the Path Normalization Handler, one via media_dir in the FTP Protocol Handler, and one via the password field in the SET_USER_PWD handler. All are remotely exploitable. GL-MT3000 is a popular travel router, meaning many of these will be sitting on hotel and conference networks. Upgrade to at least firmware 4.7 (4.8.1 for the latter two).

CVE-2026-11460 | Boost Serialization ≤ 1.91 | CVSS: 7.3 — HIGH
A remotely exploitable input validation flaw in the widely used Boost C++ Serialization library. A public exploit exists, and the maintainer acknowledged the issue — reported in August 2025 — but has yet to ship a fix. Any C++ application that deserializes untrusted data using Boost Serialization should be treated as potentially exposed. Monitor upstream for a patch and consider input sanitisation controls in the interim.


Headline News

Miasma Worm Tears Through 73 Microsoft GitHub Repositories

A self-replicating worm dubbed Miasma has compromised at least 73 GitHub repositories belonging to Microsoft, with confirmed impact across Azure and MicrosoftDocs project spaces. GitHub staff were forced to disable access to several high-profile repositories — including Azure Functions — while the incident was contained. The worm's self-replicating behaviour is the notable concern here: rather than a targeted intrusion, Miasma appears designed to propagate laterally across repository networks, potentially poisoning downstream dependencies consumed by developers worldwide. Supply chain attacks via compromised repositories have matured considerably as an attack surface, and this incident underscores why organisations need integrity verification for any upstream code dependencies, including those from major vendors. Teams consuming Microsoft-sourced packages or referencing affected repositories should audit their dependency trees and check for unexpected commits or modified workflow files in the affected timeframe.

Carnival Cruise Data Breach Exposes 6 Million Passengers

The world's largest cruise operator has confirmed a major cyberattack resulting in the exposure of personal data — including passport information — belonging to approximately 6 million passengers. The breadth of data compromised is significant: passport numbers combined with other PII creates a strong foundation for identity fraud, fraudulent travel document applications, and targeted phishing campaigns. For practitioners, this is another reminder that hospitality and travel verticals frequently hold rich identity datasets with security postures that lag behind the value of the data they hold. Affected individuals should be advised to monitor for identity fraud and consider whether passport renewal is warranted if the combination of exposed data is sufficient for document abuse in their jurisdiction.

Pink Extortion Group Weaponises Vishing to Bypass MFA on Microsoft 365

A newly identified threat actor tracked as the Pink Extortion Group is using voice phishing (vishing) as its primary initial access method, targeting Microsoft 365 environments to exfiltrate cloud-stored files for extortion. The technique is straightforward but effective: operatives call employees directly, impersonating IT support or vendors, and social-engineer victims into approving MFA prompts or divulging session tokens — bypassing technical controls entirely. Once inside, the group moves quickly to stage and exfiltrate documents from SharePoint and OneDrive before making extortion demands. This is a human-layer attack, and it highlights that MFA alone is insufficient against adversaries willing to pick up the phone. Defenders should review conditional access policies, enforce phishing-resistant MFA (FIDO2/passkeys), and ensure staff are trained to never approve unsolicited authentication requests.


Schrödinger's Feed

Italy's quantum technology sector is undergoing a notable growth phase, with the Quantum Computing & Communication Observatory at Politecnico di Milano documenting a rapid expansion of both academic and commercial activity across the country. This positions Italy as an emerging player in European quantum infrastructure — relevant as the EU continues to invest heavily in sovereign quantum capability as part of its strategic technology independence agenda. From a security standpoint, national quantum programs feed directly into the post-quantum cryptography timeline: the more nations achieving meaningful quantum compute milestones, the more urgency attaches to PQC migration across critical infrastructure. Security teams who haven't yet mapped their cryptographic inventory against NIST's finalised PQC standards should treat the accelerating global quantum race as a forcing function, not background noise.


/dev/random

A project called Silurus/ooxml is making the rounds — it's a browser-based renderer for Office Open XML documents that aims for pixel-faithful output without a server-side Office installation or a Microsoft API call in sight. The interesting angle for security folk: it parses OOXML directly in the browser, which means all the quirky complexity of the format (macros aside) is now being handled client-side in JavaScript. Given that OOXML is one of the most weaponised document formats in phishing campaigns, watching how a clean-room parser handles malformed or adversarially crafted documents is genuinely useful threat research territory. Someone is going to fuzzy this thing against known malicious document samples — if they haven't already.