SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief, Tuesday, June 09, 2026
INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: Active Exploitation of Check Point VPN Vulnerability (CRITICAL)

5 C2 IPs | 162 OTX IOCs | 37 ARTICLES

■ ANALYST TLDR
Two vulnerabilities are being weaponized right now: CVE-2026-50751 in Check Point Remote Access VPN and Mobile Access, exploited in the wild against deployments still configured for IKEv1, and CVE-2026-23111, a use-after-free in the Linux kernel's nf_tables packet filter for which local-root exploits are now public. Separately, threat actors are targeting enterprise environments through social engineering on Microsoft Teams, trojanized PyPI packages (Shai-Hulud), and malicious updates delivered through GitHub. Prioritize patching Internet-exposed edge devices (Check Point VPN gateways, Ubiquiti UniFi OS) and developer infrastructure (Gogs, Linux container and build hosts), and review recent Python dependency installs for the trojanized packages.
|
■ CRITICAL STORIES
Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Setups
Attackers are actively exploiting CVE-2026-50751 in Check Point Remote Access VPN and Mobile Access deployments configured with the deprecated IKEv1 key exchange. Successful exploitation bypasses password authentication and gives the attacker network access through the VPN.

One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public
A use-after-free in the Linux kernel's nf_tables packet filter (CVE-2026-23111) lets unprivileged local users escalate to root and escape container isolation. Working exploits are publicly available, so any unpatched multi-tenant or container host should be treated as exposed.

Gogs patches critical zero-day enabling remote code execution
Gogs has patched a critical zero-day that lets remote attackers compromise Internet-facing instances and read private repositories. Because Gogs instances typically sit inside development pipelines, a compromised server exposes private source code to the attacker.

New Shai-Hulud attack trojanizes 19 science-focused PyPI packages
Threat actors trojanized 19 widely used PyPI packages to deliver the Shai-Hulud malware, which steals developer secrets and credentials. The campaign is another instance of open-source registry poisoning; any environment that installed the affected versions should rotate the credentials those hosts could reach.
■ CVEs IDENTIFIED
CVE-2026-50751  Check Point Remote Access VPN / Mobile Access: password bypass / unauthorized access (IKEv1 configurations)
CVE-2026-23111  Linux kernel (nf_tables): local privilege escalation and container escape
[CVE-TBD]       Gogs Git service: remote code execution and private repository access
[CVE-TBD]       Ubiquiti UniFi OS: unauthenticated remote code execution as root (chained vulnerabilities)
■ THREAT ACTORS
NSO Group (commercial spyware vendor)
  - Conducting spear-phishing campaigns targeting WhatsApp users
  - Executing data theft extortion campaigns using vishing and physical intrusions
VerdantBamboo (China-nexus APT)
  - Deploying BRICKSTORM, PLENET, and AGENTPSD malware on Linux appliances
■ ATT&CK TTPs
T1195.001  Supply Chain Compromise: Compromise Software Dependencies and Development Tools. Trojanized PyPI packages (Shai-Hulud) and fake updates on GitHub.
T1566.002  Phishing: Spearphishing Link. NSO Group targeting WhatsApp users with malicious links.
T1068      Exploitation for Privilege Escalation. CVE-2026-23111 used to escalate to local root on Linux.
T1212      Exploitation for Credential Access. CVE-2026-50751 exploited to bypass VPN password authentication.
T1566.004  Phishing: Spearphishing Voice (vishing). UNC3753 and Teams-based attackers using social engineering lures.
T1568.001  Dynamic Resolution: Fast Flux DNS. Silent Ransom Group hiding C2 infrastructure.
■ PATCH PRIORITY
Check Point VPN: CVE-2026-50751 actively exploited to bypass passwords (THN)
Linux kernel: CVE-2026-23111 use-after-free, local root exploit public (THN)
Gogs: zero-day RCE enabling complete repository compromise (BC)
Ubiquiti UniFi OS: chained vulnerabilities allow unauthenticated root access (BC)
■ RECOMMENDED ACTIONS TODAY
1. [P1] Apply Check Point's hotfix for CVE-2026-50751 on Remote Access VPN and Mobile Access gateways and disable the deprecated IKEv1 key exchange. Only IKEv1 configurations are reported as affected, so turning IKEv1 off closes the exposure even before the hotfix lands; confirm first that no remaining clients depend on it.
2. [P1] Patch kernels vulnerable to CVE-2026-23111 immediately, starting with multi-tenant and container hosts, where the local-root and container-escape impact is greatest. Until the fix is deployed, restricting unprivileged user namespaces is the usual interim control for nf_tables bugs, since that is how an unprivileged process normally obtains the CAP_NET_ADMIN needed to reach the subsystem; check the vendor advisory before relying on it.
3. [P1] Update Gogs instances to the patched release. Because this was exploited as a zero-day, review access logs on Internet-facing instances for signs of exploitation and for unexpected reads of private repositories.
4. [P1] Patch Ubiquiti UniFi OS to close the chained vulnerabilities that allow unauthenticated root access.
5. [P2] Update the Everest Forms WordPress plugin to the latest release to close its remote code execution issue.
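A practical check for action 1, added here as an example that is not part of the brief and not Check Point tooling: before turning IKEv1 off, find out which peers still negotiate it. The script classifies IKE packets captured on UDP/500 and UDP/4500 by reading the fixed ISAKMP header (RFC 2408 for IKEv1, RFC 7296 for IKEv2), strips the NAT-T non-ESP marker that prefixes IKE on UDP/4500 (RFC 3948) so ESP is not mistaken for IKE, and reports every source that initiated an IKEv1 exchange. The sample packets, addresses and the (src, dst, port, payload) capture layout are constructed; on real traffic you would feed it UDP payloads pulled from a pcap.

```python
"""Classify captured IKE traffic by version to find peers still using IKEv1.

Added example, not Check Point tooling and not part of the brief. Header
layouts follow RFC 2408 (IKEv1), RFC 7296 (IKEv2) and RFC 3948 (NAT-T
non-ESP marker); the sample packets and addresses are constructed.
"""
import struct
from dataclasses import dataclass

ISAKMP_HDR_LEN = 28                    # fixed ISAKMP/IKE header size
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix on IKE carried over UDP/4500
HDR_FMT = "!8s8sBBBBII"                # SPIs, next payload, version, exchange, flags, msg id, length

IKEV1_EXCHANGES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


@dataclass(frozen=True)
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    next_payload: int
    major: int
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_isakmp_header(udp_payload: bytes, dst_port: int) -> IsakmpHeader:
    """Parse the fixed header; on UDP/4500 only packets with the non-ESP marker are IKE."""
    data = udp_payload
    if dst_port == 4500:
        if not data.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 payload without non-ESP marker is ESP, not IKE")
        data = data[len(NON_ESP_MARKER):]
    if len(data) < ISAKMP_HDR_LEN:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, npl, ver, xchg, flags, mid, length = struct.unpack(HDR_FMT, data[:ISAKMP_HDR_LEN])
    # The version byte carries the major version in its high nibble, minor in the low nibble.
    return IsakmpHeader(ispi, rspi, npl, ver >> 4, ver & 0x0F, xchg, flags, mid, length)


def describe(hdr: IsakmpHeader) -> str:
    """Human-readable version and exchange type, e.g. 'IKEv1 aggressive mode'."""
    if hdr.major == 1:
        return "IKEv1 " + IKEV1_EXCHANGES.get(hdr.exchange_type, f"exchange {hdr.exchange_type}")
    if hdr.major == 2:
        return "IKEv2 " + IKEV2_EXCHANGES.get(hdr.exchange_type, f"exchange {hdr.exchange_type}")
    return f"unknown IKE major version {hdr.major}"


def find_ikev1_initiators(records) -> dict[str, str]:
    """records: iterable of (src_ip, dst_ip, dst_port, udp_payload) tuples.

    Returns {src_ip: description} for every IKEv1 packet seen; non-IKE and
    malformed payloads are skipped rather than counted.
    """
    hits = {}
    for src, dst, port, payload in records:
        try:
            hdr = parse_isakmp_header(payload, port)
        except ValueError:
            continue
        if hdr.major == 1:
            hits[src] = f"{describe(hdr)} -> {dst}:{port}"
    return hits


def build_isakmp(major: int, exchange_type: int, next_payload: int, nat_t: bool = False) -> bytes:
    """Constructed header-only packet with a fixed initiator SPI (test data only)."""
    hdr = struct.pack(HDR_FMT, b"\x11" * 8, b"\x00" * 8, next_payload, major << 4,
                      exchange_type, 0, 0, ISAKMP_HDR_LEN)
    return NON_ESP_MARKER + hdr if nat_t else hdr


# Constructed capture: (src, dst, dst_port, udp_payload). 198.51.100.1 plays the VPN gateway.
SAMPLE_CAPTURE = [
    ("203.0.113.10", "198.51.100.1", 500, build_isakmp(1, 4, 1)),                # IKEv1 aggressive mode
    ("203.0.113.11", "198.51.100.1", 500, build_isakmp(2, 34, 33)),              # IKEv2 IKE_SA_INIT
    ("203.0.113.12", "198.51.100.1", 4500, build_isakmp(1, 2, 1, nat_t=True)),   # IKEv1 main mode via NAT-T
    ("203.0.113.13", "198.51.100.1", 4500, b"\x00\x00\x12\x34" + b"\x00" * 40),  # ESP: its SPI is never zero
]

if __name__ == "__main__":
    for src, desc in find_ikev1_initiators(SAMPLE_CAPTURE).items():
        print(f"{src}: {desc}")
```

The version check is the only thing that matters for the IKEv1 inventory; the exchange type is reported because aggressive-mode peers and main-mode peers usually correspond to different client configurations and are migrated separately.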
C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
IP ADDRESS      | PORT | STATUS  | MALWARE | COUNTRY
162.243.103.246 | 8080 | OFFLINE | Emotet  | US
50.16.16.211    | 443  | ONLINE  | QakBot  | US
34.204.119.63   | 443  | OFFLINE | QakBot  | US
178.62.3.223    | 443  | OFFLINE | QakBot  | GB
27.133.154.218  | 443  | OFFLINE | QakBot  | JP
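To put the blocklist to work, here is an added example (not part of the brief and not abuse.ch tooling) that parses the five entries above in the labelled one-line-per-entry layout, matches them against firewall logs, and renders an nftables set. The firewall log lines, their key=value format and the host name fw01 are constructed; the destination 198.51.100.7 is a documentation address standing in for benign traffic. An ip+port match is the published C2 channel, while an ip-only match still deserves a look because the same host may serve C2 on another port. The OFFLINE entries are kept out of the generated set by default: hosting and cloud addresses get recycled, and blocking a stale entry is how a blocklist breaks something legitimate.

```python
"""Match firewall logs against the C2 IP blocklist in this brief.

Added example, not part of the brief or of the abuse.ch Feodo tracker
tooling. The blocklist entries are copied from the brief; the firewall
log lines, the key=value log format and the host name fw01 are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

BLOCKLIST_TEXT = """\
IP ADDRESS 162.243.103.246 | PORT 8080 | STATUS OFFLINE | MALWARE Emotet | COUNTRY US
IP ADDRESS 50.16.16.211 | PORT 443 | STATUS ONLINE | MALWARE QakBot | COUNTRY US
IP ADDRESS 34.204.119.63 | PORT 443 | STATUS OFFLINE | MALWARE QakBot | COUNTRY US
IP ADDRESS 178.62.3.223 | PORT 443 | STATUS OFFLINE | MALWARE QakBot | COUNTRY GB
IP ADDRESS 27.133.154.218 | PORT 443 | STATUS OFFLINE | MALWARE QakBot | COUNTRY JP
"""

# Constructed firewall log lines (hypothetical host fw01, key=value format).
FIREWALL_LOG = """\
2026-06-09T08:01:12Z fw01 action=allow src=10.20.4.17 dst=50.16.16.211 dport=443 proto=tcp
2026-06-09T08:01:40Z fw01 action=allow src=10.20.4.17 dst=198.51.100.7 dport=443 proto=tcp
2026-06-09T08:02:05Z fw01 action=allow src=10.20.9.3 dst=162.243.103.246 dport=22 proto=tcp
2026-06-09T08:03:19Z fw01 action=deny src=10.20.4.22 dst=178.62.3.223 dport=443 proto=tcp
"""

ENTRY_RE = re.compile(
    r"IP ADDRESS\s+(?P<ip>\S+)\s*\|\s*PORT\s+(?P<port>\d+)\s*\|\s*STATUS\s+(?P<status>\w+)"
    r"\s*\|\s*MALWARE\s+(?P<malware>[^|]+?)\s*\|\s*COUNTRY\s+(?P<country>\w+)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class C2Entry:
    ip: str
    port: int
    status: str
    malware: str
    country: str


def parse_brief_blocklist(text: str) -> dict[str, C2Entry]:
    """Return {ip: entry}. A garbled address raises rather than being kept silently."""
    entries = {}
    for m in ENTRY_RE.finditer(text):
        ipaddress.ip_address(m["ip"])  # ValueError on anything that is not an IP address
        entries[m["ip"]] = C2Entry(m["ip"], int(m["port"]), m["status"].upper(),
                                   m["malware"].strip(), m["country"].upper())
    return entries


def match_log(log_text: str, blocklist: dict[str, C2Entry]) -> list[dict]:
    """Flag every connection whose destination is a listed C2 host.

    'ip+port' means the published C2 channel; 'ip-only' means the same host
    on another port, which still warrants a look.
    """
    hits = []
    for line in log_text.splitlines():
        fields = dict(KV_RE.findall(line))
        entry = blocklist.get(fields.get("dst", ""))
        if entry is None:
            continue
        dport = int(fields.get("dport", 0))
        hits.append({
            "src": fields.get("src"), "dst": entry.ip, "dport": dport,
            "action": fields.get("action"), "malware": entry.malware,
            "status": entry.status,
            "match": "ip+port" if dport == entry.port else "ip-only",
        })
    return hits


def to_nft_set(blocklist: dict[str, C2Entry], name: str = "c2_feodo",
               online_only: bool = True) -> str:
    """Render an nftables concatenated set (address . port) of the listed C2 channels."""
    elems = [f"{e.ip} . {e.port}" for e in blocklist.values()
             if e.status == "ONLINE" or not online_only]
    return (f"set {name} {{\n    type ipv4_addr . inet_service\n"
            f"    elements = {{ {', '.join(elems)} }}\n}}")


if __name__ == "__main__":
    bl = parse_brief_blocklist(BLOCKLIST_TEXT)
    for h in match_log(FIREWALL_LOG, bl):
        print(f"{h['action']:5} {h['src']} -> {h['dst']}:{h['dport']} "
              f"{h['malware']} ({h['status']}, {h['match']})")
    print(to_nft_set(bl))
```

The generated set is meant to be referenced from a rule such as `ip daddr . tcp dport @c2_feodo drop` inside a table of your own; the script deliberately emits only the set so that where it is attached stays a local decision.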
FULL IOC EXPORT (Google Sheet): all live IOCs with full SHA256 hashes (OTX), IPs, and domains, in two tabs (C2 IPs, OTX IOCs). Updated daily; export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS SOURCES: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB