SECURITYINTEL DAILY BRIEF | ThreatIntel Brief | Friday, June 05, 2026
INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: Cisco Unified CM Root Flaw Exploited Globally | CRITICAL

5 C2 IPs | 70 OTX IOCs | 37 ARTICLES

■ ANALYST TLDR
This brief highlights critical security concerns, including a public exploit for a high-severity Cisco Unified Communications Manager flaw (CVE-2026-20230) that allows unauthenticated remote file writes and root escalation. Additionally, supply chain attacks continue to escalate, with Hola Browser for Windows compromised to deliver cryptominers and 36 npm packages infected with IronWorm malware. Emerging threats also target agentic AI systems, exemplified by repository hijacking via Anthropic's Claude Code and account takeover risks in Meta's AI support bots.

■ CRITICAL STORIES

Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public
A newly disclosed high-severity flaw in Cisco Unified Communications Manager allows remote, unauthenticated attackers to write arbitrary files and escalate privileges to root. With public proof-of-concept code already circulating, immediate patching is vital to prevent enterprise network compromise.

Hola Browser for Windows compromised to deliver cryptominer
A supply chain attack has successfully compromised the Windows version of Hola Browser, injecting a stealthy cryptocurrency miner. This highlights the ongoing threat of software supply chain compromises targeting consumer and enterprise endpoints.

Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories
A critical vulnerability in Anthropic's Claude Code GitHub Action allowed attackers to hijack public repositories using nothing more than a single malicious GitHub issue. This showcases the severe risks associated with integrating agentic AI tools into software development pipelines.

Mirasvit Vulnerability Exploited to Execute Code on Magento Servers
Attackers are actively exploiting a flaw in the Mirasvit Full Page Cache Warmer extension for Magento. The vulnerability allows unauthenticated remote code execution via serialized PHP object payloads, threatening e-commerce platforms.

■ CVEs IDENTIFIED
| CVE | Product | Impact |
| CVE-2026-20230 | Cisco Unified Communications Manager | Remote SSRF, arbitrary file write, and privilege escalation to root |
| [CVE-TBD] | Mirasvit Full Page Cache Warmer (Magento Extension) | Unauthenticated remote code execution via serialized PHP object payloads |
| [CVE-TBD] | Anthropic Claude Code GitHub Action | Repository hijacking via a single malicious GitHub issue |
| [CVE-TBD] | Google Gemini Voice Assistant | Unauthorized control of smart home devices and applications via messaging notifications |

■ THREAT ACTORS
TA4922 | Chinese Cybercrime Group
  Expanding phishing campaigns to UK, Germany, Italy, and South Africa with high operational tempo
Magecart | Cybercrime Syndicate
  Abusing Stripe's API infrastructure to host credit-card stealing payloads and exfiltrate checkout data
  Conducting npm supply-chain attacks targeting 36 packages with infostealer malware

■ ATT&CK TTPs
| Technique | Name | Observed in today's reporting |
| T1195.002 | Supply Chain Compromise: Compromised Software Dependencies | Hola Browser compromise and npm IronWorm packages |
| T1566.001 | Phishing: Spearphishing Attachment/Link | TA4922 campaigns targeting European organizations |
| T1584 | Compromise Infrastructure | Magecart abusing Stripe's API infrastructure |
| T1114.002 | Email Collection: Remote Email Querying | Five-month Outlook mailbox spying |
| T1204.001 | User Execution: Malicious Link | Malvertising (Operation FlutterBridge) and fake open-source site TDS |
| T1059 | Command and Scripting Interpreter | Exploitation of Mirasvit via serialized PHP object payloads |

■ PATCH PRIORITY
| Vendor | Issue | Source |
| Cisco | CVE-2026-20230 allows unauthenticated remote file write and root escalation; public PoC available | Cisco / SecurityWeek |
| Mirasvit | Full Page Cache Warmer extension unauthenticated RCE via serialized PHP payloads | SecurityWeek |
| Anthropic | Claude Code GitHub Action repository hijacking vulnerability | The Hacker News |
| Google | Gemini Voice Assistant messaging notification hijack | SecurityWeek |

■ RECOMMENDED ACTIONS TODAY
| # | Priority | Action |
| 1 | P1 | Patch Cisco Unified Communications Manager immediately to address CVE-2026-20230 and prevent remote file write and root escalation. |
| 2 | P1 | Disable or update the Mirasvit Full Page Cache Warmer extension on Magento servers to block unauthenticated PHP object serialization exploits. |
| 3 | P1 | Audit GitHub repositories using Anthropic's Claude Code GitHub Action and apply security updates to prevent repository hijacking. |
| 4 | P2 | Audit and remove the 36 compromised npm packages associated with the IronWorm infostealer campaign. |
| 5 | P2 | Uninstall Hola Browser for Windows across the enterprise to mitigate the supply chain cryptominer compromise. |

C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
| IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY |
| 162.243.103.246 | 8080 | OFFLINE | Emotet | US |
| 50.16.16.211 | 443 | ONLINE | QakBot | US |
| 34.204.119.63 | 443 | OFFLINE | QakBot | US |
| 178.62.3.223 | 443 | OFFLINE | QakBot | GB |
| 27.133.154.218 | 443 | OFFLINE | QakBot | JP |

FULL IOC EXPORT (GOOGLE SHEET)
All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs. Updated daily. Export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB