Ubiquiti UniFi Flaws Exploited — Patch Before Tomorrow's Deadline
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 25, 2026
cybr.cx Daily Digest — June 25, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-34910 / CVE-2026-34909 / CVE-2026-34908 | Ubiquiti UniFi OS | CISA KEV
Three separate vulnerabilities in Ubiquiti's UniFi OS are being actively exploited in the wild and carry an immediate CISA remediation deadline of June 26 — tomorrow. CVE-2026-34910 allows command injection via improper input validation; CVE-2026-34909 enables path traversal to access and manipulate underlying system files; CVE-2026-34908 permits unauthorised system changes through broken access control. Any threat actor with network access to an exposed UniFi controller can chain these. If you manage UniFi gear, patch or isolate now — these are trivially reachable on networks where the controller UI is accessible to users.
⚠️ Actively exploited — CVE-2025-67038 | Lantronix EDS5000 | CISA KEV
A command injection flaw in the Lantronix EDS5000 serial device server allows attackers to inject arbitrary OS commands via the username parameter, executing them with root privileges. CISA's remediation deadline was June 26 — today. EDS5000 devices are commonly deployed in industrial and OT environments bridging serial devices to IP networks, making exploitation here particularly dangerous. Prioritise isolation or replacement of any internet-facing units immediately.
⚠️ Actively exploited — CVE-2026-20253 | Splunk Enterprise | CISA KEV
An unauthenticated attacker can create or truncate arbitrary files on Splunk Enterprise instances via an exposed PostgreSQL sidecar service endpoint — no credentials required. CISA's remediation deadline has already passed (June 21), meaning organisations still running unpatched Splunk should assume risk is elevated. Given how deeply Splunk is embedded in SOC and SIEM workflows, compromise here could blind defenders or manipulate log data at scale.
CVE-2026-7761 | WordPress Ultimate Member plugin (≤ 2.11.4) | CVSS 8.8
A three-bug chain — an MD5 hash fallback, a strstr() parsing flaw, and a third logic error — allows unauthenticated attackers to trigger password reset link disclosure and fully take over arbitrary user accounts. With Ultimate Member installed on hundreds of thousands of WordPress sites, the attack surface is enormous. Update to 2.11.5 or later and audit recent password reset activity.
CVE-2026-56232 | Capgo (< 12.128.2) | CVSS 8.8
The middlewareKey middleware fails to enforce limited_to_orgs and limited_to_apps scope restrictions on subkeys passed via the x-limited-key-id header. An attacker with any valid subkey can cause downstream handlers to operate under the unrestricted parent key, effectively bypassing all scoped access controls. Upgrade to 12.128.2 and rotate any API keys issued to third parties.
CVE-2026-56351 | n8n (< 2.4.0) | CVSS 8.2
Authenticated users with workflow creation permissions can inject arbitrary SQL through unescaped table or column name identifiers in MySQL, PostgreSQL, and MSSQL node configurations. In many n8n deployments, "workflow creation" is granted broadly — treat this as a near-privilege-escalation issue. Upgrade to 2.4.0 and audit which users hold workflow creation rights.
CVE-2026-56270 | Flowise (≤ 3.0.13) | CVSS 7.5
An unauthenticated GET request to /api/v1/loginmethod with a known organizationId returns the full SSO configuration including OAuth client secrets in cleartext. This hands attackers ready-made credentials for Google and other OAuth providers without any authentication. Upgrade to 3.1.0 immediately and rotate all exposed OAuth secrets.
CVE-2026-56231 | Capgo (< 12.128.2) | CVSS 7.6
A broken object-level authorisation (BOLA) flaw in the /build/start/:jobId and /build/cancel/:jobId endpoints allows an attacker to issue privileged builder commands against jobs belonging to other tenants by supplying their own app_id in the request body — the server never verifies job-to-app ownership. Upgrade to 12.128.2 alongside the sibling CVE-2026-56232 fix.
CVE-2026-56244 | Capgo (< 12.128.2) | CVSS 7.1
Insufficient row-level security policies on the webhooks table allow non-admin API keys to read webhook signing secrets via the Supabase REST API. An attacker who retrieves the secret can forge valid X-Capgo-Signature headers and inject arbitrary webhook events into configured receivers. A third reason to upgrade Capgo to 12.128.2 without delay.
Headline News
Brazil's Emergency Alert System Hijacked to Announce Alien Invasion
Attackers gained unauthorised access to Brazil's national emergency alert infrastructure and broadcast fake warnings of an alien invasion to thousands of mobile users. The incident is more than a prank — it demonstrates that emergency broadcast systems, which typically carry implicit public trust and bypass notification filters, remain a high-value target for manipulation. From a threat modelling perspective, the same access that delivered absurdist content could trivially be used to trigger mass evacuation, suppress legitimate warnings, or create cover for a concurrent physical or cyber operation. Practitioners responsible for critical national infrastructure communications should treat this as a live case study in alert system authentication and integrity controls — the technical mechanisms preventing spoofed or injected alerts warrant immediate review.
Meta Halts Employee Monitoring Programme After Internal Data Leak
Meta has suspended an internal employee-tracking initiative following a security breach in which data from the programme was leaked internally. The incident is notable not just for its irony — a surveillance tool becoming the subject of a leak — but for what it signals about the insider threat surface of monitoring platforms themselves. Aggregated behavioural telemetry on employees represents a high-value, sensitive dataset: in the wrong hands it can expose productivity patterns, organisational structure, dissent indicators, and personal habits. Security teams building or procuring internal monitoring tooling should scrutinise the data governance and access control model of those platforms with the same rigour applied to any sensitive data store.
Healthtech Firm Xolis Breached via Phishing, 1.4 Million Individuals Affected
Healthcare technology company Xolis has disclosed that a phishing attack granted threat actors persistent access to its network, compromising sensitive data belonging to approximately 1.4 million people. Healthcare records remain among the most valuable on criminal markets, combining PII, insurance details, and clinical history into a dossier that enables identity fraud, targeted social engineering, and insurance abuse. The phishing vector underscores the continued effectiveness of credential harvesting against organisations handling highly regulated data — even mature security programmes frequently underestimate the blast radius of a single compromised mailbox when lateral movement controls are weak. Incident responders should note the network-access framing in the disclosure, which suggests the attacker moved beyond the initial email foothold before detection.
Schrödinger's Feed
STMicroelectronics has introduced the ST54M, a secure mobile chip designed to help smartphone manufacturers meet upcoming post-quantum cryptography requirements. The chip is engineered to support PQC algorithm suites in hardware, offloading quantum-resistant cryptographic operations from the application processor — a necessary move as NIST's standardised PQC algorithms (FIPS 203/204/205) begin appearing in compliance frameworks. This is the supply chain side of the PQC transition that often gets less attention than protocol upgrades: the moment PQC lands in silicon at consumer scale, the hardware refresh cycle becomes a security deadline. Practitioners managing device fleets, MDM policies, or long-lifecycle embedded systems should factor silicon PQC readiness into procurement criteria now, before the window closes.
/dev/random
OpenAI has unveiled its first custom silicon, the inference chip built in partnership with Broadcom — and the security community's eyebrows are gently raised. Custom AI accelerators create entirely new firmware and supply chain attack surfaces that sit beneath the hypervisor, the OS, and every layer of software security tooling defenders are familiar with. When your threat model includes the chip itself — its microcode, its out-of-band management interface, its trust root — "patch Tuesday" starts to feel quaint. At least when the alien invasion warnings arrive, we'll have very fast hardware to process our denial.