Three Ubiquiti Flaws Hit KEV: Patch by Tomorrow
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 24, 2026
cybr.cx Daily Digest — June 24, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-34910 / CVE-2026-34909 / CVE-2026-34908 | Ubiquiti UniFi OS | CVSS: N/A (KEV)
Three UniFi OS vulnerabilities have landed in CISA's KEV catalog simultaneously, all added yesterday with a remediation deadline of June 26 — that's tomorrow. CVE-2026-34910 is a command injection flaw exploitable by anyone with network access; CVE-2026-34909 is a path traversal that can expose system files and facilitate account compromise; CVE-2026-34908 is an improper access control issue enabling unauthorised system changes. UniFi gear is ubiquitous in SMB and mid-enterprise environments — if you're running a UniFi controller or gateway, patch or isolate now.
⚠️ Actively exploited — CVE-2025-67038 | Lantronix EDS5000 | CVSS: N/A (KEV)
Lantronix EDS5000 serial device servers are being actively exploited via a command injection vulnerability in the username parameter. Injected commands execute as root, handing attackers full control over devices that typically sit in industrial, OT, and data centre out-of-band management networks — precisely where you don't want an uninvited shell. Patch immediately; if patching isn't possible, restrict management interface access to trusted hosts.
⚠️ Actively exploited — CVE-2026-20253 | Splunk Enterprise | CVSS: N/A (KEV)
Unauthenticated attackers can create or truncate arbitrary files on Splunk Enterprise instances via a PostgreSQL sidecar service endpoint that requires no credentials. This was added to KEV on June 18 with a due date that has already passed — if you haven't acted on this one yet, stop what you're doing. Splunk sitting on your SOC infrastructure being exploited unauthenticated is a particularly bad day.
⚠️ Actively exploited — CVE-2026-48907 | Joomla Content Editor (Widget Factory) | CVSS: N/A (KEV)
Unauthenticated users can create new editor profiles and subsequently upload and execute arbitrary PHP code. Web shells on public-facing Joomla sites via an unauthenticated path is as bad as it sounds. If you're running JCE, patch to a fixed version immediately and audit for indicators of compromise.
CVE-2026-35018 | NetComm NF20MESH Routers (firmware ≤ R6B031) | CVSS: 8.8
Authenticated attackers can execute arbitrary commands as root by injecting shell metacharacters into the username JSON parameter in dalStorage_addUserAccount. The authenticated requirement reduces urgency slightly, but default or weak credentials on consumer/SMB routers make the effective bar for exploitation low. Update firmware if available; otherwise, disable remote management.
CVE-2020-9695 | Adobe Acrobat Reader (multiple legacy versions) | CVSS: 7.8
A six-year-old out-of-bounds write vulnerability in Acrobat Reader has surfaced in the NVD feed — a reminder that legacy PDF versions remain in wide deployment. Exploitation requires a user to open a malicious file, making phishing delivery the obvious vector. If any users in your environment are still on 2020.009.20074, 2020.001.30002, 2017.011.30171, or 2015.006.30523, update immediately.
CVE-2026-48502 / 48510 / 48511 / 48512 / 48513 | MessagePack for C# (< 2.5.301 / 3.1.7) | CVSS: 7.5 each
Five distinct denial-of-service and memory exhaustion vulnerabilities in MessagePack-CSharp, all fixed in versions 2.5.301 and 3.1.7. The issues span stack allocation based on attacker-controlled extension lengths, LZ4 decompression bomb conditions, ExpandoObject quadratic-complexity insertion, and missing recursion depth enforcement in JSON conversion and union deserializers. Any .NET service that deserialises untrusted MessagePack data is exposed. Update the NuGet package.
Headline News
FortiBleed Campaign: Custom Sniffers, Stolen Credentials, Compromised Firewalls
A large-scale intrusion campaign targeting Fortinet FortiGate devices — now being tracked as "FortiBleed" — has been found to deploy custom-built network sniffers directly on compromised firewall hardware to harvest authentication secrets in transit. The sniffers were purpose-built to intercept credentials passing through the devices, meaning attackers weren't just gaining a foothold — they were turning enterprise perimeter security kit into passive credential-harvesting infrastructure. The sophistication of the tooling suggests a threat actor with deep familiarity with FortiOS internals. Organisations running FortiGate devices should treat any unpatched or recently patched instance as potentially compromised and rotate credentials for all systems whose traffic may have transited those firewalls, not just the firewall management accounts themselves.
North Korea's Fake IT Worker Problem Reaches Australia's Healthcare Sector
The well-documented North Korean tactic of placing fake IT workers inside Western organisations has expanded its reach in Australia, with healthcare now emerging as an unexpectedly prominent target sector alongside the tech companies that have historically dominated headlines. The campaign mirrors patterns seen in the US and Europe: operatives pose as remote contractors, secure employment, and use their legitimate access to exfiltrate data or pre-position for future intrusions. Healthcare organisations are attractive targets due to their rich stores of sensitive personal data, typically under-resourced security teams, and cultural norms around trusting contracted specialists. Practitioners responsible for contractor vetting and identity verification in the healthcare space should revisit their onboarding processes — video verification, document checks, and monitoring of remote access behaviour are no longer optional hygiene for this threat model.
Klue Breach Exposes Hundreds of Customers via Salesforce-Linked Integrations
Competitive intelligence platform Klue has been compromised by a threat actor identified as the extortion group Icarus, with hundreds of customer organisations confirmed affected — including, notably, security firms. The attack vector involved Salesforce-linked integrations, consistent with a broader pattern of attackers targeting the connective tissue between SaaS platforms rather than core systems directly. The fact that security vendors appear among the victim list is a pointed reminder that the security industry is not immune to supply chain and third-party integration exposure. Practitioners should audit active Salesforce integrations and third-party data-sharing permissions across their SaaS stack, paying particular attention to platforms that aggregate sensitive competitive or business intelligence.
Schrödinger's Feed
The U.S. Department of Energy has announced the Quantum Genesis initiative, an ambitious programme targeting the world's first fault-tolerant, scientifically relevant quantum computer for research and development purposes. Fault tolerance is the critical threshold that separates today's noisy, error-prone NISQ devices from machines capable of running the long-depth circuits that would threaten current asymmetric cryptography. The announcement coincides with IQM Quantum Computers separately claiming a significant achievement in quantum error correction using directional tile codes — two datapoints in the same week pointing toward the fault-tolerance frontier closing faster than many roadmaps anticipated. Practitioners who haven't started a post-quantum cryptography migration inventory should note that the policy and hardware communities are now moving in lockstep — the window for comfortable planning is shrinking.
/dev/random
Stanford researchers have published findings showing that AI hiring tools exhibit measurable racial bias at scale — specifically, Black applicants faced rejection rates approximately 26% higher than baseline, and Asian applicants around 15% higher, with the disparity attributed to pattern-matching on proxy variables baked into training data. The systems weren't explicitly programmed to discriminate; they learned to do it by optimising for outcomes correlated with historically biased hiring decisions. This is less a story about malicious design and more a textbook demonstration of how garbage-in-garbage-out scales alarmingly when you automate it and call it objective. If your organisation is evaluating AI-assisted recruitment tooling, "it passed the vendor's fairness audit" is not the same as "it doesn't have this problem."