SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief
Sunday, June 07, 2026
INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: Unpatched Cisco SD-WAN Flaw Actively Exploited | CRITICAL

5 C2 IPs | 124 OTX IOCs | 8 ARTICLES
■ ANALYST TLDR
Active exploitation of critical zero-days in Cisco Catalyst SD-WAN Manager (CVE-2026-20245) and Everest Forms Pro (CVE-2026-3300) poses immediate risks of network compromise and site takeover. Additionally, Microsoft GitHub repositories have been targeted by the self-replicating Miasma supply chain worm, while CISA warns of active exploitation against SolarWinds Serv-U. Organizations must prioritize immediate mitigation of unpatched Cisco flaws and audit GitHub environments.
■ CRITICAL STORIES

Cisco Catalyst SD-WAN Manager CVE-2026-20245 Actively Exploited with No Patch
Attackers are actively exploiting a high-severity vulnerability in Cisco's SD-WAN management software, allowing potential network-wide compromise with no official patch currently available.

Critical Everest Forms Pro Flaw Exploited to Take Over WordPress Sites
Attackers are actively leveraging CVE-2026-3300 to gain complete administrative control over WordPress sites running the Everest Forms Pro plugin.

Miasma Worm Hits 73 Microsoft GitHub Repositories in Supply Chain Attack
A self-replicating worm has compromised dozens of Microsoft-owned GitHub repositories across Azure and other orgs, escalating supply chain security risks.

CISA Adds SolarWinds Serv-U DoS Flaw to KEV Catalog
Active exploitation of a Denial of Service vulnerability in SolarWinds Serv-U has prompted CISA to mandate federal agency remediation.
■ CVEs IDENTIFIED
CVE | PRODUCT | IMPACT
CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | Unauthorized access / Active exploitation
CVE-2026-3300 | Everest Forms Pro | Complete site takeover / Remote Code Execution
[CVE-TBD] | SolarWinds Serv-U | Denial of Service (DoS)
[CVE-TBD] | FFmpeg | 21 Zero-Day vulnerabilities in media library
■ THREAT ACTORS

Miasma Worm | Malware / Worm
Propagating self-replicating supply chain attacks across 73 Microsoft GitHub repositories

Unknown Threat Actors | Cybercriminals
Actively exploiting CVE-2026-3300 in Everest Forms Pro and CVE-2026-20245 in Cisco Catalyst SD-WAN Manager
■ ATT&CK TTPs
TECHNIQUE ID | TECHNIQUE | OBSERVED ACTIVITY
T1190 | Exploit Public-Facing Application | Exploitation of CVE-2026-3300 in Everest Forms Pro and CVE-2026-20245 in Cisco Catalyst SD-WAN Manager
T1195.001 | Supply Chain Compromise: Compromise Software Dependencies and Development Tools | Miasma worm compromising Microsoft GitHub repositories
T1090.003 | Proxy: Multi-hop Proxy | Bright Data SDK turning smart TVs and iOS devices into proxy exit nodes
T1499 | Endpoint Denial of Service | Exploitation of SolarWinds Serv-U DoS flaw
T1020 | Automated Exfiltration | Prompt injection risks in ChatGPT mitigated by Lockdown Mode
■ PATCH PRIORITY
VENDOR | PRODUCT | RATIONALE | SOURCE
WPEverest | Everest Forms Pro (CVE-2026-3300) | Actively exploited critical flaw leading to complete site takeover | [BC]
Cisco | Catalyst SD-WAN Manager (CVE-2026-20245) | Actively exploited high-severity zero-day with no patch available | [THN]
SolarWinds | Serv-U | Actively exploited DoS flaw added to CISA KEV catalog | [THN]
Google | Chrome | Record 429 bugs patched in recent release | [THN]
■ RECOMMENDED ACTIONS TODAY
1. [P1] Apply immediate workarounds or configuration restrictions for Cisco Catalyst SD-WAN Manager to mitigate CVE-2026-20245, as no patch is currently available.
2. [P1] Update the Everest Forms Pro plugin on all WordPress instances immediately to patch the critical CVE-2026-3300 vulnerability.
3. [P1] Patch SolarWinds Serv-U instances immediately to address the actively exploited DoS vulnerability added to the CISA KEV catalog.
4. [P2] Audit all Microsoft GitHub repositories, specifically the Azure and Azure SDK orgs, for unauthorized commits or signs of Miasma worm infection.
5. [P2] Enable the new ChatGPT Lockdown Mode on eligible personal and enterprise accounts to mitigate prompt injection and data exfiltration risks.
C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY
162.243.103.246 | 8080 | OFFLINE | Emotet | US
50.16.16.211 | 443 | ONLINE | QakBot | US
34.204.119.63 | 443 | OFFLINE | QakBot | US
178.62.3.223 | 443 | OFFLINE | QakBot | GB
27.133.154.218 | 443 | OFFLINE | QakBot | JP
FULL IOC EXPORT — GOOGLE SHEET
All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs. Updated daily · Export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB