SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief, Saturday, June 06, 2026 | INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: Active Exploitation of Cisco SD-WAN Zero-Day CVE-2026-20245 | CRITICAL

5 C2 IPs | 10 OTX IOCs | 28 ARTICLES

■ ANALYST TLDR
Today's intelligence highlights critical zero-day and active exploitation campaigns, notably an unpatched privilege escalation flaw in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) and a PAN-OS vulnerability (CVE-2026-0257). State-sponsored Chinese threat actors (UNC5221) are actively maintaining persistence in Microsoft 365 environments using new custom malware, while cybercriminals target cloud infrastructure and supply chains. Immediate patching of exposed perimeter devices and robust monitoring of CI/CD pipelines are strongly advised.

■ CRITICAL STORIES
Cisco Warns of Unpatched SD-WAN Zero-Day CVE-2026-20245 Under Active Exploitation
Threat actors are actively exploiting a high-severity, unpatched zero-day vulnerability in Cisco Catalyst SD-WAN Manager to execute arbitrary commands with root privileges, threatening enterprise network boundaries.

Active Exploitation of Palo Alto Networks PAN-OS CVE-2026-0257
Unit 42 reports active in-the-wild exploitation of PAN-OS vulnerability CVE-2026-0257, requiring immediate mitigation and forensic investigation.

SolarWinds Serv-U Flaw Exploited to Crash Enterprise Servers
CISA has issued an alert that threat actors are actively exploiting a high-severity SolarWinds Serv-U vulnerability to cause denial-of-service conditions and crash critical servers.

Chinese APT UNC5221 Deploys New Malware to Maintain Microsoft 365 Access
Espionage group UNC5221 is using the Brickstorm backdoor alongside the newly discovered Plenet and AgentPSD malware to maintain persistent access to compromised Microsoft 365 environments.

■ CVEs IDENTIFIED
CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | Root privilege escalation and arbitrary command execution
CVE-2026-0257 | Palo Alto Networks PAN-OS | Active exploitation vulnerability leading to potential system compromise
[CVE-2026-TBD] | Everest Forms Pro WordPress Plugin | Arbitrary code execution leading to complete site compromise
[CVE-TBD] | SolarWinds Serv-U | Denial of service (server crash) via active exploitation

■ THREAT ACTORS
UNC5221 | Chinese state-sponsored espionage | Accessing Microsoft 365 environments using Brickstorm, Plenet, and AgentPSD malware.
PCPJack | Hijacking AWS, Google Cloud, and Azure servers to build a covert SMTP relay network.
ShinyHunters | Cybercrime / Extortion | Leaking 234 GB of stolen data from dental benefits administrator DentaQuest.

■ ATT&CK TTPs
TECHNIQUE | NAME | OBSERVED ACTIVITY
T1190 | Exploit Public-Facing Application | Exploitation of Cisco SD-WAN (CVE-2026-20245), PAN-OS (CVE-2026-0257), and SolarWinds Serv-U.
T1195.002 | Malicious Software Update / Supply Chain Compromise | Poisoned npm packages (IronWorm, Miasma) and Polyfill script injection on Toshiba/Muji sites.
T1505.003 | Web Shell | OP-512 deploying custom web shell frameworks on IIS servers.
T1588.002 | Tool | Use of Brickstorm, Plenet, and AgentPSD malware by UNC5221.
T1078.004 | Cloud Accounts | UNC5221 accessing Microsoft 365 environments; PCPJack hijacking cloud instances.
T1204.002 | Malicious File | Android "Asin" spyware distributed via fake news/war map apps; MSI background JPEG payload.

■ PATCH PRIORITY
VENDOR | PRODUCT (CVE) | ISSUE | SOURCE
Cisco | Catalyst SD-WAN Manager (CVE-2026-20245) | Unpatched zero-day allowing root privilege escalation and arbitrary command execution under active exploitation | Cisco
Palo Alto Networks | PAN-OS (CVE-2026-0257) | Active exploitation of system compromise vulnerability | Unit 42
Everest Forms | Everest Forms Pro WordPress Plugin (CVE-2026-TBD) | Critical vulnerability allowing arbitrary code execution and site takeover | The Hacker News
SolarWinds | Serv-U (CVE-TBD) | Active exploitation causing server crashes | CISA

■ RECOMMENDED ACTIONS TODAY
1. [P1] Apply mitigations or restrict access to Cisco Catalyst SD-WAN Manager to prevent exploitation of the unpatched zero-day CVE-2026-20245.
2. [P1] Patch Palo Alto Networks PAN-OS immediately to remediate CVE-2026-0257 under active exploitation.
3. [P1] Update SolarWinds Serv-U to the latest patched version to prevent server crashes from active exploitation.
4. [P1] Update Google Chrome to version 149 to patch critical use-after-free and input validation vulnerabilities.
5. [P2] Update Everest Forms Pro WordPress plugin to remediate the critical CVE-2026-TBD code execution vulnerability.

■ C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5 (Emotet and QakBot C2 addresses; see the full IOC export below)

■ FULL IOC EXPORT (GOOGLE SHEET)
All live IOCs with full SHA256 hashes (OTX), IPs, and domains. Two tabs: C2 IPs · OTX IOCs. Updated daily; export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS SOURCES: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB