Daily Digest

Cisco, Fortinet Exploits Escalate; Ransomware Surges in Europe

Cisco, Fortinet Exploits Escalate; Ransomware Surges in Europe

June 25, 2026
9 articles (7 new, 2 updated)
27 min read

Summary

This daily cybersecurity brief highlights critical vulnerabilities and active exploitation campaigns. Cisco Catalyst SD-WAN and Cisco Unified CM are under scrutiny, with zero-day flaws in the former actively exploited for root access and SSRF vulnerabilities in the latter being used to deploy webshells. Fortinet FortiGate firewalls are also heavily impacted by the 'FortiBleed' campaign, which has compromised over 430,000 devices and stolen millions of credentials, primarily sold to ransomware gangs. CISA has mandated urgent patching for actively exploited flaws in Lantronix and Ubiquiti devices, emphasizing immediate risk to enterprise and OT networks.

Ransomware attacks in Europe have surged by 55.1%, with manufacturing being the most targeted sector. The Qilin ransomware group remains prolific, and geographically concentrated campaigns are evident. A new, stealthy Windows backdoor named 'Mistic' has been identified, linked to initial access brokers who supply major ransomware groups. In the AI space, critical 'DifyTap' flaws in the Dify AI platform could expose cross-tenant data in over a million applications. Tata Electronics has confirmed a cyberattack, with hackers claiming to have leaked sensitive data related to Apple and Tesla, underscoring significant supply chain risks.

Finally, Google Chrome version 149 has been released, patching four Critical and fourteen High-severity vulnerabilities, including use-after-free bugs in core components. While not actively exploited, these updates are crucial for user security.

Filter by Category

New Articles (7)

CISA Mandates Urgent Patching for Actively Exploited Flaws in Lantronix and Ubiquiti Devices

CRITICAL

CISA Adds Critical Lantronix and Ubiquiti Vulnerabilities to KEV Catalog Amid Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four critical vulnerabilities affecting Lantronix EDS5000 device servers and Ubiquiti UniFi OS to its Known Exploited Vulnerabilities (KEV) catalog. The flaws, including a 9.8 CVSS command injection in Lantronix and a 10.0 CVSS chain in Ubiquiti, allow for unauthenticated remote code execution and full system compromise. CISA has issued a directive for federal agencies to apply patches by June 26, 2026, highlighting the severe and immediate risk these flaws pose to both enterprise and Operational Technology (OT) networks.

June 25, 2026
6 min read
KEVCISALantronixUbiquitiRemote Code Execution +5 more
CISA Mandates Urgent Patching for Actively Exploited Flaws in Lantronix and Ubiquiti Devices

Attackers Actively Exploit Critical Cisco Unified CM Flaw to Deploy Webshells

HIGH

Cisco Unified CM Flaw (CVE-2026-20230) Now Under Active Exploitation for Remote Access

A critical Server-Side Request Forgery (SSRF) vulnerability in Cisco Unified Communications Manager (Unified CM), tracked as CVE-2026-20230, is being actively exploited in the wild. Attackers are leveraging the flaw, which carries an 8.6 CVSS score, to write arbitrary files to the underlying OS, including test files and webshells. The attacks, observed originating from Tor exit nodes, allow unauthenticated remote attackers to gain access and potentially escalate privileges to root on systems where the non-default WebDialer service is enabled.

June 25, 2026
5 min read
CiscoCVE-2026-20230SSRFWebshellUnified CM +2 more
Attackers Actively Exploit Critical Cisco Unified CM Flaw to Deploy Webshells

Ransomware Attacks in Europe Skyrocket by 55% as Supply Chains Become Prime Targets

HIGH

European Ransomware Incidents Surge by 55% in Early 2026, Black Kite Report Finds

A new report from cyber risk management firm Black Kite reveals a staggering 55.1% year-over-year increase in ransomware attacks across Europe in the first four months of 2026. The manufacturing sector was the most heavily targeted industry. Five countries—Germany, the UK, France, Italy, and Spain—accounted for nearly 70% of all incidents. The Qilin ransomware group was the most prolific, while the SafePay group showed a strong focus on German targets, highlighting a trend of geographically concentrated campaigns.

June 25, 2026
5 min read
RansomwareEuropeBlack KiteQilinAkira +2 more
Ransomware Attacks in Europe Skyrocket by 55% as Supply Chains Become Prime Targets

Critical 'DifyTap' Flaws in Dify AI Platform Expose Cross-Tenant Data in 1M+ Apps

CRITICAL

Vulnerabilities in Dify AI Platform Allow Cross-Tenant Data Exposure and Internal Access

Four vulnerabilities, dubbed 'DifyTap,' have been discovered in the popular open-source AI application platform Dify. Two of the flaws are critical (CVE-2026-41947, CVE-2026-41948) and could allow attackers to break tenant isolation, enabling them to read private AI conversations, access documents from other users, and reach internal APIs. The vulnerabilities affect a platform used to build over one million AI applications, posing a significant data exposure risk for enterprises leveraging Dify's cloud service.

June 25, 2026
6 min read
DifyAI SecurityCloud SecurityVulnerabilityData Exposure +2 more
Critical 'DifyTap' Flaws in Dify AI Platform Expose Cross-Tenant Data in 1M+ Apps

Tata Electronics Confirms Cyberattack; Hackers Claim Leak of Apple and Tesla Data

HIGH

Tata Electronics Confirms Data Breach After 'World Leaks' Hacker Group Claims Theft of Apple, Tesla Trade Secrets

Indian manufacturing giant Tata Electronics, a key supplier for Apple, has confirmed it sustained a cyberattack. The admission follows claims by a hacking group called 'World Leaks' that it stole and published over 630GB of sensitive data. The leaked files allegedly include intellectual property, technical drawings, and manufacturing plans related to Tata's clients, including Apple and Tesla. The incident, which reportedly involved a ransom demand, highlights significant supply chain risks for global technology leaders.

June 25, 2026
6 min read
Tata ElectronicsAppleTeslaData BreachSupply Chain Attack +2 more
Tata Electronics Confirms Cyberattack; Hackers Claim Leak of Apple and Tesla Data

Stealthy 'Mistic' Backdoor Linked to Ransomware IAB KongTuke in Pre-Attack Campaigns

HIGH

New 'Mistic' Backdoor Used by Ransomware Access Broker KongTuke for Stealthy Infiltration

A new and sophisticated Windows backdoor named 'Mistic' (or MLTBackdoor) has been identified in financially motivated attacks since at least April 2026. Researchers from Symantec and Carbon Black have linked the malware with low-to-moderate confidence to KongTuke (aka Woodgnat), a known initial access broker (IAB). KongTuke specializes in selling network access to major ransomware groups like Qilin and Akira. Mistic is designed for stealth, using DLL side-loading and operating in memory to establish long-term, low-visibility persistence for future ransomware deployment.

June 25, 2026
6 min read
MisticKongTukeWoodgnatBackdoorMalware +3 more
Stealthy 'Mistic' Backdoor Linked to Ransomware IAB KongTuke in Pre-Attack Campaigns

Google Chrome 149 Update Patches 4 Critical and 14 High-Severity Flaws

CRITICAL

Google Patches 18 Severe Vulnerabilities, Including Four Critical, in Chrome 149 Security Update

Google has released a security update for its Chrome browser, version 149, to address 18 security vulnerabilities. The patch bundle includes fixes for four flaws rated Critical and fourteen rated High severity. A majority of the fixed vulnerabilities are use-after-free bugs in core components like WebGL and Autofill, which could be exploited by attackers to achieve remote code execution. While none of the flaws are listed as actively exploited, the high severity ratings warrant immediate patching for all users.

June 25, 2026
5 min read
Google ChromeVulnerabilityPatch ManagementUse-after-freeRemote Code Execution +2 more
Google Chrome 149 Update Patches 4 Critical and 14 High-Severity Flaws

Updated Articles (2)

‘FortiBleed’ Campaign Harvests Credentials from 86,000+ Fortinet Devices

CRITICAL

Global 'FortiBleed' Campaign Exposes Credentials from Over 86,000 Fortinet Devices

Update:

The 'FortiBleed' campaign has escalated significantly, now compromising over 430,000 Fortinet FortiGate firewalls and stealing more than 110 million credentials. Threat actors, identified as a Russian-speaking initial access broker, are deploying a custom Go-based network sniffer, 'FortigateSniffer', which abuses a built-in diagnostic command to capture credentials for 24 different protocols (e.g., NTLM, Kerberos, LDAP). This harvested access is then sold on dark web forums, primarily to ransomware gangs, indicating a direct link to more severe follow-on attacks. The campaign continues to exploit weak passwords and lack of MFA, not a zero-day.

June 24, 2026
Updated: June 25, 2026
5 min read
FortiBleedFortinetFortiGateCredential HarvestingBrute Force +2 more
‘FortiBleed’ Campaign Harvests Credentials from 86,000+ Fortinet Devices

Cisco Catalyst SD-WAN Zero-Day Flaw Actively Exploited for Root Access

HIGH

Cisco Warns of Actively Exploited Zero-Day (CVE-2026-20245) in Catalyst SD-WAN Manager

Update:

New details from Mandiant reveal the Cisco Catalyst SD-WAN zero-day (CVE-2026-20245) was actively exploited for at least two months prior to its public disclosure on June 4, 2026. The attacks targeted a communications service provider, where threat actors gained root access by uploading a malicious CSV file ('evil_tenant.csv') via the CLI. They established persistence by creating a rogue root-level user account named 'troot' and used anti-forensic methods to cover their tracks. This significantly escalates the perceived threat and impact of the vulnerability.

June 6, 2026
Updated: June 25, 2026
4 min read
CVE-2026-20245CiscoSD-WANZero-DayVulnerability +2 more
Cisco Catalyst SD-WAN Zero-Day Flaw Actively Exploited for Root Access

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.