SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief | Wednesday, June 24, 2026 | INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY | Active Exploitation of Cisco Unified CM and Samsung KNOX | CRITICAL

5 C2 IPs | 37 OTX IOCs | 37 ARTICLES
■ ANALYST TLDR Today's intelligence highlights a critical and diverse threat landscape, with active exploitation of Cisco Unified CM (CVE-2026-20230) and an 8-year-old Samsung KNOX flaw, alongside widespread AI supply chain threats via malicious skills and npm packages. Data breaches at Xsolis, Tata Electronics, LastPass, and a Texas state vendor underscore persistent phishing and supply chain risks, while a new macOS infostealer campaign targets users with silent DMG mounts. |
■ CRITICAL STORIES
Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks
A high-severity server-side request forgery (SSRF) vulnerability in Cisco Unified Communications Manager Server is under active exploitation. SSRF lets an attacker make the CM server issue requests on their behalf, so any instance reachable from untrusted networks should be treated as at immediate risk until patched.
Eight-Year-Old Samsung KNOX Flaw Exposed Millions of Galaxy Devices to Kernel Attacks
An 8-year-old use-after-free vulnerability in Samsung's KNOX security framework affects a wide range of Galaxy devices (S9 through S25) and can be leveraged for kernel-level attacks; the age of the bug and the breadth of affected models make it a priority.
FFmpeg PixelSmash Flaw Allows RCE on Video Players, Media Servers, NAS Appliances
A newly disclosed remote code execution vulnerability in FFmpeg's libavcodec library is triggered by a crafted media file, so any application or appliance that decodes untrusted media with the library (players, media servers, NAS transcoders) is exposed.
OpenClaw's Skill Marketplace and the Emerging AI Supply Chain Threat
Malicious AI skills that bypass automated scanners on platforms such as ClawHub represent a significant and evolving supply chain threat, capable of deploying infostealers and executing financial fraud once an agent installs them.
■ CVEs IDENTIFIED
CVE-2026-20230 | Cisco Unified Communications Manager Server — SSRF, actively exploited
[CVE-TBD] | Anthropic Mythos Model — Vulnerability discovery in classified US Government systems
[CVE-TBD] | OpenClaw Skill Marketplace — Malicious skills for infostealers, financial fraud
[CVE-TBD] | Tata Electronics IT Infrastructure — Data leak
■ THREAT ACTORS
Russian-speaking initial access broker (IAB) | Financially Motivated
Large-scale credential-harvesting operation (FortiBleed) targeting FortiGate firewalls.
Scattered Spider | Cybercrime Group
Members pleaded guilty to the 2024 hack of Transport for London systems.
Abdellah Belmili | Cybercrime Individual
Extradited for operating cybercrime marketplaces (Market0Day, Spoxy).
■ ATT&CK TTPs
| ID | Technique | Observed in today's reporting |
| T1190 | Exploit Public-Facing Application | SSRF in Cisco Unified Communications Manager Server (CVE-2026-20230), actively exploited. |
| T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | Malicious AI skills on OpenClaw's marketplace, malicious npm packages, GitHub actions/checkout exploitation, Klue supply chain attack affecting LastPass. |
| T1566.001 | Phishing: Spearphishing Attachment | Phishing attack against Xsolis, macOS ClickFix attack, WhatsApp VBScript campaign. |
| T1068 | Exploitation for Privilege Escalation | Samsung KNOX use-after-free enabling kernel attacks on Galaxy devices. |
| T1203 | Exploitation for Client Execution | FFmpeg PixelSmash flaw allowing RCE via crafted media files. |
| T1552.001 | Unsecured Credentials: Credentials In Files | FortiBleed operation harvesting credentials from FortiGate firewalls. |
■ PATCH PRIORITY Cisco Unified Communications Manager Server — actively exploited SSRF vulnerability (CVE-2026-20230) — [BC] |
Samsung KNOX (Galaxy devices S9-S25) — 8-year-old use-after-free flaw allowing kernel attacks — [SW] |
FFmpeg libavcodec — RCE on video players, media servers, NAS appliances — [SW] |
Dify AI Platform — data exposure, internal API access — [SW] |
■ RECOMMENDED ACTIONS TODAY
1. [P1] Immediately patch Cisco Unified Communications Manager Server for CVE-2026-20230; this high-severity SSRF vulnerability is actively being exploited. Until the patch is applied, restrict network access to the CM management and web services to trusted sources.
2. [P1] Apply available patches for Samsung KNOX on all affected Galaxy devices (S9 through S25) to mitigate the 8-year-old use-after-free kernel vulnerability; use MDM inventory to find devices still on unpatched firmware.
3. [P1] Update FFmpeg's libavcodec library to a fixed version to prevent RCE via crafted media files. FFmpeg is frequently statically bundled inside video players, media servers and NAS firmware, so updating the system package is not enough; check each product that embeds it for a vendor fix.
4. [P2] Review and harden security policies for AI agent skill marketplaces: require vetting before a skill can be installed, pin skills to reviewed versions, and monitor installed skills continuously for changes, given the malicious skills seen on OpenClaw's marketplace.
5. [P2] Educate users on identifying sophisticated phishing attempts, especially those distributing malicious files via messaging platforms like WhatsApp, to prevent installation of RMM tools or infostealers.
C2 IP BLOCKLIST · AbuseCH Feodo · Showing 5 of 5
| IP ADDRESS | PORT | STATUS | MALWARE | COUNTRY |
| 162.243.103.246 | 8080 | OFFLINE | Emotet | US |
| 50.16.16.211 | 443 | ONLINE | QakBot | US |
| 34.204.119.63 | 443 | OFFLINE | QakBot | US |
| 178.62.3.223 | 443 | OFFLINE | QakBot | GB |
| 27.133.154.218 | 443 | OFFLINE | QakBot | JP |
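The IOC export is meant to be imported into detection tooling, and the simplest useful consumer is a script that matches outbound connections against the blocklist. The following is an added example, not part of the brief or of the Feodo Tracker tooling: it parses the five C2 entries above from a CSV laid out as the sheet export is assumed to be (the column names are an assumption), then scans constructed firewall log lines for destinations on the list. It matches on IP alone rather than IP and port, because a C2 host seen on 443 may answer on other ports, and it keeps OFFLINE entries as lower-severity hits, since a host that tried to reach a now-dead C2 is still an infected host.

```python
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of the C2 blocklist in the CSV layout assumed for the sheet export.
# The column names are an assumption; the five rows are the entries from the brief.
BLOCKLIST_CSV = """ip_address,port,status,malware,country
162.243.103.246,8080,OFFLINE,Emotet,US
50.16.16.211,443,ONLINE,QakBot,US
34.204.119.63,443,OFFLINE,QakBot,US
178.62.3.223,443,OFFLINE,QakBot,GB
27.133.154.218,443,OFFLINE,QakBot,JP
"""

# Constructed firewall log lines in a syslog-style key=value format (an assumption,
# adjust LOG_RE for your own firewall's export). Line 2 is benign; lines 1, 3 and 4
# exercise the online-C2, non-standard-port and denied-but-still-infected cases.
SAMPLE_LOGS = """\
2026-06-24T08:01:12Z fw01 conn src=10.20.4.17 dst=50.16.16.211 dport=443 proto=tcp action=allow
2026-06-24T08:01:13Z fw01 conn src=10.20.4.17 dst=142.250.74.46 dport=443 proto=tcp action=allow
2026-06-24T08:02:40Z fw01 conn src=10.20.9.3 dst=178.62.3.223 dport=8443 proto=tcp action=allow
2026-06-24T08:03:05Z fw01 conn src=10.20.9.3 dst=162.243.103.246 dport=8080 proto=tcp action=deny
"""


@dataclass(frozen=True)
class Indicator:
    ip: str
    port: int
    status: str
    malware: str


def load_blocklist(text):
    """Parse the CSV export into a dict keyed by normalised IP string.

    ipaddress.ip_address raises ValueError on a malformed address, which is
    preferable to a typo in the feed silently matching nothing.
    """
    indicators = {}
    for row in csv.DictReader(io.StringIO(text)):
        ip = str(ipaddress.ip_address(row["ip_address"].strip()))
        indicators[ip] = Indicator(
            ip=ip,
            port=int(row["port"]),
            status=row["status"].strip().upper(),
            malware=row["malware"].strip(),
        )
    return indicators


# Extracts destination IP and port from the assumed key=value log format.
LOG_RE = re.compile(r"dst=(?P<dst>[0-9a-fA-F:.]+)\s+dport=(?P<dport>\d+)")


def scan_logs(log_text, indicators):
    """Return one hit per log line whose destination IP is on the blocklist.

    Matching is on IP only; port_match records whether the observed port equals
    the port the feed saw the C2 on. An ONLINE C2 is rated high, an OFFLINE one
    medium: the connection still indicates an infected host to triage.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        ioc = indicators.get(m.group("dst"))
        if ioc is None:
            continue
        dport = int(m.group("dport"))
        hits.append({
            "line": lineno,
            "dst": ioc.ip,
            "dport": dport,
            "port_match": dport == ioc.port,
            "malware": ioc.malware,
            "c2_status": ioc.status,
            "severity": "high" if ioc.status == "ONLINE" else "medium",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, load_blocklist(BLOCKLIST_CSV)):
        print(hit)
```

Run against the sample lines it reports three hits: the allowed connection to the ONLINE QakBot C2 (high), the connection to 178.62.3.223 on 8443 rather than the listed 443 (medium, port_match false), and the denied attempt to reach the Emotet address (medium). Swap BLOCKLIST_CSV for the downloaded export and SAMPLE_LOGS for a real log file, and adjust LOG_RE to your firewall's field names.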
FULL IOC EXPORT — GOOGLE SHEET: all live IOCs with full SHA256 hashes (OTX), IPs, and domains, in two tabs (C2 IPs · OTX IOCs). Updated daily; export as CSV to import directly into your tools.
IOC SOURCES: AbuseCH Feodo · AlienVault OTX NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB |