# CTI Daily Brief — 2026-06-16

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Claude Opus 4.8, model ID `claude-opus-4-8`) with parallel research and verification by sub-agents (Claude Sonnet 4.6) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Claude Opus 4.8 (`claude-opus-4-8`) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Claude Opus 4.8, Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.60 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **Cisco Catalyst SD-WAN Manager actively exploited — CVE-2026-20262** (authenticated arbitrary file write → root RCE) added to the CISA KEV catalog on 2026-06-15; patch to the fixed train and review appserver upload logs. Full deep dive in § 5. ([BleepingComputer, 2026-06-15](https://www.bleepingcomputer.com/news/security/cisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks/))
- **Council of Europe breached via the Oracle PeopleSoft zero-day (CVE-2026-35273)** — ShinyHunters claims 297 GB / ~429,000 files and set a 16 June leak deadline; the first European intergovernmental victim named in the 100+-organisation PeopleSoft campaign (§ 4 update). ([SecurityWeek, 2026-06-15](https://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/))
- **PRC actor UNC6508 ran year-plus espionage through internet-facing REDCap research servers** and abused a Google Workspace content-compliance rule to silently BCC research/defence email to attacker Gmail — REDCap is widely run at Swiss/EU academic medical centres. ([Google GTIG, 2026-06-15](https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research))
- **WordPress supply-chain compromise via Awesome Motive's shared CDN** tampered OptinMonster / TrustPulse / PushEngage scripts on ~1.2M sites to auto-create rogue admins and a self-hiding backdoor plugin — "update your plugins" did not protect the exposure window. ([Sansec, 2026-06-13](https://sansec.io/research/optinmonster-supply-chain-attack))
- **LiteSpeed cPanel/WHM plugin CVE-2026-54420 in CISA KEV** — symlink-following on CloudLinux/CageFS shared hosting, exploited in the wild since May ([LiteSpeed, 2026-06-01](https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/)); added to CISA KEV on 2026-06-15 ([CISA, 2026-06-15](https://www.cisa.gov/news-events/alerts/2026/06/15/cisa-adds-two-known-exploited-vulnerabilities-catalog)). Patch to WHM PlugIn 5.3.2.1.

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### PRC UNC6508 ran year-plus espionage through internet-facing REDCap servers and a Google Workspace BCC rule

Google's Threat Intelligence Group attributes a September 2023 – November 2025 espionage campaign to **UNC6508**, a PRC-nexus cluster that compromised North American academic, medical and military-health organisations by exploiting externally-facing **REDCap** (Research Electronic Data Capture) servers, then dropping a bespoke PHP implant tracked as **INFINITERED** ([Google GTIG, 2026-06-15](https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research)). INFINITERED trojanises REDCap's own upgrade mechanism to survive platform updates, harvests credentials from the REDCap login page, and exposes a cookie-gated backdoor for shell, file, SQL and credential operations ([Help Net Security, 2026-06-15](https://www.helpnetsecurity.com/2026/06/15/chinese-hackers-redcap-medical-research-institutions-breach/)). The exfiltration tradecraft is the notable part: after pivoting to a Workspace admin account, the actor created a Google Workspace **content-compliance rule named "Patroit"** that silently BCC-forwarded any message matching ~150 research/defence keywords to an attacker-controlled Gmail address — abusing a legitimate administrative feature rather than dropping exfiltration malware (`T1114.003` Email Forwarding Rule), which evades most DLP that watches for new tooling ([SecurityWeek, 2026-06-15](https://www.securityweek.com/chinese-hackers-target-medical-military-and-ai-research-in-north-america/)). Initial access mapped to `T1190`; web-shell persistence to `T1505.003`; admin credential reuse to `T1078`.

**Why it matters to us:** REDCap is deployed across Swiss and EU university hospitals, cantonal research bodies and clinical-trial coordinators, and the Workspace BCC-rule technique is tenant-agnostic. Hunt now: Google Workspace admin audit logs for content-compliance/BCC rule creation by non-IT-admin accounts (especially rules with external Gmail recipients), and file-integrity-monitor the REDCap upgrade-staging directory and login handlers — standard web-root scanning misses the upgrade-path implant.

— *Source: [Google GTIG](https://cloud.google.com/blog/topics/threat-intelligence/prc-targets-us-medical-research) · Additional source: [Help Net Security](https://www.helpnetsecurity.com/2026/06/15/chinese-hackers-redcap-medical-research-institutions-breach/) · Additional source: [SecurityWeek](https://www.securityweek.com/chinese-hackers-target-medical-military-and-ai-research-in-north-america/) · Tags: nation-state, espionage, identity, china-nexus · Region: global, europe · Sector: healthcare, education, defense*

### WordPress supply-chain compromise via Awesome Motive's CDN backdoors ~1.2M sites

Sansec Forensics found malicious JavaScript appended to the CDN-served `api.min.js` files shared by three Awesome Motive WordPress plugins — **OptinMonster (1.2M+ installs), TrustPulse and PushEngage** — injected on 12 June and served from CDN edges into 13 June ([Sansec, 2026-06-13](https://sansec.io/research/optinmonster-supply-chain-attack)). The vendor confirmed the entry point was exploitation of an **UpdraftPlus vulnerability** on its own marketing server, which leaked the BunnyNet CDN API key used to tamper the scripts ([OptinMonster, 2026-06-14](https://optinmonster.com/security-incident-tampered-script-served-via-optinmonster-and-trustpulse/)). Because the tampering was at the CDN layer and not in the WordPress.org repository, "update your plugins" gave false assurance for the exposure window. The payload waited for a logged-in administrator, then created a hidden admin account and installed a self-hiding backdoor plugin masquerading as "Content Delivery Helper" or "Database Optimizer", concealed from the plugin list, update checks and API responses, beaconing harvested credentials to a `tidio.cc` lookalike domain ([Patchstack, 2026-06-15](https://patchstack.com/articles/supply-chain-attack-on-optinmonster-trustpulse-and-pushengage-tampered-cdn-scripts-auto-creating-rogue-admins/)). Mapped to `T1195.002`, `T1136.001` (create account) and `T1027.005` (indicator removal).

**Defender takeaway:** any site running these three plugins with an admin logged in during 12–13 June UTC should be treated as potentially backdoored. Audit for unexpected admin accounts, compare the active-plugin list in the database against the filesystem to surface hidden plugins, and pin externally-loaded CDN scripts to Subresource Integrity hashes.

— *Source: [Sansec](https://sansec.io/research/optinmonster-supply-chain-attack) · Additional source: [OptinMonster](https://optinmonster.com/security-incident-tampered-script-served-via-optinmonster-and-trustpulse/) · Additional source: [Patchstack](https://patchstack.com/articles/supply-chain-attack-on-optinmonster-trustpulse-and-pushengage-tampered-cdn-scripts-auto-creating-rogue-admins/) · Tags: supply-chain, data-breach, identity · Region: global · Sector: public-sector, technology · Status: patch-available*

### DPRK UNK_DeadDrop weaponises VS Code / Cursor auto-run to hit developers, including EU targets

Proofpoint details **UNK_DeadDrop**, a North-Korea-aligned cluster (related to but distinct from Contagious Interview / Famous Chollima) that sent 250+ recruitment-themed phishing emails to ~100 finance, crypto, education and technology organisations over April–May 2026 ([Proofpoint, 2026-06-15](https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal)); the targeted geographies are a US majority followed by the UK, Australia, **France, Germany and the Netherlands**, among others ([The Hacker News, 2026-06-16](https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html)). The lure links to attacker-controlled GitHub/GitLab repositories carrying a `.vscode/tasks.json` with `runOn: folderOpen`; VS Code shows a workspace-trust prompt, but **Cursor IDE executes the task silently with no prompt**, dropping the open-source **Overlord** Go C2 that steals browser credentials and crypto wallets ([The Hacker News, 2026-06-16](https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html)). Mapped to `T1566.002`, `T1195.001`, `T1059.004` and `T1555.003`.

**Why it matters to us:** public-sector and fintech development teams that have adopted Cursor are exposed to silent execution on repository open. Hunt for editor processes (`code`, `cursor`) spawning shell/script interpreters outside build directories (Sysmon EID 1 parent-image filter); enforce workspace-trust policy and restrict VSIX installation to an approved-publisher allowlist via enterprise policy.

— *Source: [Proofpoint](https://www.proofpoint.com/us/blog/threat-insight/dont-fear-repo-unkdeaddrop-phishing-campaign-targets-developers-steal) · Additional source: [The Hacker News](https://thehackernews.com/2026/06/north-korean-hackers-are-turning.html) · Tags: nation-state, supply-chain, infostealer, north-korea-nexus · Region: global, europe · Sector: finance, technology, education*

### iRhythm discloses data theft via social engineering of a third-party-hosted application (SEC 8-K) [SINGLE-SOURCE]

Cardiac-monitoring medtech firm iRhythm filed an SEC Form 8-K Item 1.05 on 2026-06-15 reporting that a threat actor used **social engineering against business applications hosted by a third party**, exfiltrated PHI, PII and proprietary data, and sent a ransom demand on 9 June; the company made its materiality determination on 10 June ([SEC EDGAR, 2026-06-15](https://www.sec.gov/Archives/edgar/data/0001388658/000138865826000055/irtc-20260610.htm)). iRhythm states clinical and device-monitoring systems were unaffected. `[SINGLE-SOURCE]` — only the SEC primary is available; no independent corroboration yet.

**Defender takeaway:** the access vector — social engineering aimed at SaaS/third-party-hosted business apps rather than the corporate perimeter — continues to dominate healthcare-sector disclosures. Confirm help-desk identity-verification controls and conditional-access on externally-hosted business applications, not just on-network systems.

— *Source: [SEC EDGAR — iRhythm Holdings 8-K](https://www.sec.gov/Archives/edgar/data/0001388658/000138865826000055/irtc-20260610.htm) · Tags: data-breach, phishing, organized-crime · Region: us · Sector: healthcare*

## 2. Trending Vulnerabilities

### CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: authenticated arbitrary file write to root RCE (CISA KEV)

A path-traversal weakness in the web UI of **Cisco Catalyst SD-WAN Manager** (formerly SD-WAN vManage) lets an authenticated, remote attacker create or overwrite any file on the underlying OS because the file-upload handler fails to validate the supplied filename ([NVD CVSS 6.5](https://nvd.nist.gov/vuln/detail/CVE-2026-20262); [Cisco PSIRT, 2026-06-15](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ)). Writing a JSP/WAR into the Tomcat deploy path yields a web shell and root-level execution, so the modest 6.5 base score understates impact on an exposed network-management plane. Cisco confirms active exploitation and CISA added it to the KEV catalog on 2026-06-15 ([BleepingComputer, 2026-06-15](https://www.bleepingcomputer.com/news/security/cisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks/)). Patch to 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2. Full kill-chain, hunt and hardening detail in § 5.

— *Source: [Cisco PSIRT advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/cisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks/) · Additional source: [The Register](https://www.theregister.com/patches/2026/06/15/cisco-sd-wan-make-me-root-bug-under-attack/5255916) · Tags: vulnerabilities, actively-exploited, rce, path-traversal, cisa-kev · Region: global · Sector: telco, public-sector · CVE: CVE-2026-20262 · CVSS: 6.5 · Vector: zero-click · Auth: post-auth · Status: exploited, cisa-kev, patch-available*

### CVE-2026-54420 — LiteSpeed cPanel/WHM plugin: symlink-following on shared hosting, exploited in the wild (CISA KEV)

The **LiteSpeed cPanel plugin before 2.4.8** (fixed in the LiteSpeed WHM PlugIn version 5.3.2.1) mishandles symlinks supplied by a user with FTP or web-shell access on a CloudLinux/CageFS shared-hosting server, enabling cross-account file access and privilege escalation; NVD records exploitation in the wild in May 2026 ([NVD CVSS 8.5](https://nvd.nist.gov/vuln/detail/CVE-2026-54420)). CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-15 ([CISA, 2026-06-15](https://www.cisa.gov/news-events/alerts/2026/06/15/cisa-adds-two-known-exploited-vulnerabilities-catalog)). The exposure is most acute for hosting providers and any public-sector tenant on shared CloudLinux infrastructure. Patch to WHM PlugIn 5.3.2.1 / cPanel plugin 2.4.8.

— *Source: [LiteSpeed security update](https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/) · Additional source: [CISA KEV alert](https://www.cisa.gov/news-events/alerts/2026/06/15/cisa-adds-two-known-exploited-vulnerabilities-catalog) · Tags: vulnerabilities, actively-exploited, priv-esc, cisa-kev · Region: global · Sector: technology · CVE: CVE-2026-54420 · CVSS: 8.5 · Vector: local · Auth: post-auth · Status: exploited, cisa-kev, patch-available*

### CVE-2026-48611 / CVE-2026-48612 — phpBB: unauthenticated authentication bypass to admin, one HTTP request

Pentest-Tools.com disclosed two authentication flaws in **phpBB**, the open-source forum software common across European universities, municipalities and community portals ([Pentest-Tools.com, 2026-06-08](https://pentest-tools.com/research/phpbb-authentication-bypass)). **CVE-2026-48611** (NVD CVSS 9.8) is an improper-authentication flaw in the OAuth implementation that allows account hijacking — including admin accounts — **even when OAuth is not configured**, reachable by a single unauthenticated request given only a target username (publicly visible via the member list) ([NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-48611)). **CVE-2026-48612** (CVSS 8.0) chains improper OAuth state verification with CSRF to hijack a logged-in session on OAuth-enabled boards. Both affect phpBB 3.1.0 through 3.3.16 (a 10-year release span) and 4.0.0-alpha, and are fixed in **phpBB 3.3.17** ([phpBB, 2026-06-06](https://www.phpbb.com/community/viewtopic.php?p=16116763)). The disclosing source does not publish exploit code, and no in-the-wild exploitation is reported yet. Upgrade immediately for any internet-reachable instance; if upgrade is delayed, disable the OAuth integration even if unused.

— *Source: [Pentest-Tools.com research](https://pentest-tools.com/research/phpbb-authentication-bypass) · Additional source: [phpBB community announcement](https://www.phpbb.com/community/viewtopic.php?p=16116763) · Tags: vulnerabilities, auth-bypass, pre-auth, patch-available · Region: europe, global · Sector: public-sector, education · CVE: CVE-2026-48611, CVE-2026-48612 · CVSS: 9.8 / 8.0 · Vector: zero-click · Auth: pre-auth · Status: patch-available*

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-20262 | Cisco Catalyst SD-WAN Manager | 6.5 | n/a | Yes | Yes (ITW) | 20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2 | [Cisco PSIRT](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ) |
| CVE-2026-54420 | LiteSpeed cPanel/WHM plugin | 8.5 | n/a | Yes | Yes (ITW, May 2026) | WHM PlugIn version 5.3.2.1 / plugin 2.4.8 | [LiteSpeed](https://blog.litespeedtech.com/2026/06/01/security-update-for-litespeed-cpanel-plugin-2/) |
| CVE-2026-48611 | phpBB 3.1.0–3.3.16, 4.0.0-alpha | 9.8 | n/a | No | No | phpBB 3.3.17 | [Pentest-Tools.com](https://pentest-tools.com/research/phpbb-authentication-bypass) |
| CVE-2026-48612 | phpBB (OAuth-enabled) | 8.0 | n/a | No | No | phpBB 3.3.17 | [Pentest-Tools.com](https://pentest-tools.com/research/phpbb-authentication-bypass) |

## 3. Research & Investigative Reporting

### Obsidian Security: a three-CVE chain turns any LiteLLM user into root on the AI gateway

Obsidian Security published a privilege-escalation-to-RCE chain in **LiteLLM** (BerriAI), the widely self-hosted AI gateway that proxies 100+ LLM providers behind one OpenAI-compatible API ([Obsidian Security, 2026-06-15](https://www.obsidiansecurity.com/blog/litellm-privilege-escalation-rce); [The Hacker News, 2026-06-15](https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html)). The chain: **CVE-2026-47101** (authorization bypass) — the key-generation endpoint accepts a caller-supplied `allowed_routes` without checking the caller's role, so an `internal_user` can mint a key reaching admin routes; **CVE-2026-47102** (privilege escalation) — `/user/update` lacks field-level authorization, letting any authenticated user set their own `user_role` to `proxy_admin`; **CVE-2026-40217** (RCE) — the Custom Code Guardrails feature runs attacker-supplied Python via `exec()` with `__builtins__` available, giving arbitrary code execution. VulnCheck scores CVE-2026-47102 at CVSS 8.8 (3.1), and Obsidian rates the chained impact CVSS 9.9; chained, a default low-privilege account reaches the master key, the salt key decrypting stored secrets, the database URL and every configured provider API key — and can rewrite responses delivered to downstream AI agents ("man-in-the-gateway"). Fixed in **v1.83.14-stable**, but Obsidian reports broad under-deployment of the fix. Mapped to `T1078`, `T1548` and `T1059.006`.

**Why it matters to us:** Swiss/EU public-sector and research bodies increasingly centralise AI workflows on a gateway proxy; a compromised LiteLLM is both a credential-theft and an agent-manipulation vector. Pin LiteLLM to ≥1.83.14, keep admin endpoints off the internet, store provider keys in a secrets manager, and rotate all provider keys if any pre-1.83.14 instance was reachable by untrusted users.

— *Source: [Obsidian Security](https://www.obsidiansecurity.com/blog/litellm-privilege-escalation-rce) · Additional source: [The Hacker News](https://thehackernews.com/2026/06/litellm-vulnerability-chain-lets-low.html) · Tags: vulnerabilities, rce, priv-esc, ai-abuse, poc-public, patch-available · Region: global · Sector: technology · CVE: CVE-2026-47101, CVE-2026-47102, CVE-2026-40217 · CVSS: 8.8 · Vector: zero-click · Auth: post-auth · Status: poc-public, patch-available*

### Varonis "SearchLeak" (CVE-2026-42824): one-click M365 Copilot data exfiltration, now patched

Varonis Threat Labs disclosed **SearchLeak**, a three-stage chain in Microsoft 365 Copilot Enterprise Search that Microsoft patched server-side as **CVE-2026-42824** (command-injection / information-disclosure, NVD CVSS 6.5) ([Varonis, 2026-06-15](https://www.varonis.com/blog/searchleak); [Microsoft MSRC](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42824)). Stage 1: the `q` URL parameter is passed to Copilot as an executable instruction rather than a sanitised query (parameter-to-prompt injection). Stage 2: an injected `<img>` tag fires during a streaming-render race before the output sanitiser runs. Stage 3: the exfiltration request is relayed through Bing's server-side image-search fetch — `*.bing.com` is allowlisted in Copilot's CSP — bypassing the browser CSP and carrying mailbox content, calendar entries, SharePoint/OneDrive files and emailed MFA/OTP codes to an attacker domain, all from a single click on a genuine `microsoft.com` link ([The Hacker News, 2026-06-15](https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html)). No customer action is required for patched tenants and no in-the-wild exploitation was observed. Mapped to `T1566.002` and `T1071.001`.

**Why it matters to us:** M365 Copilot Enterprise is in active Swiss-federal and EU public-sector rollouts. The vulnerability class — prompt injection via URL parameter, streaming-render race, and SSRF-relay CSP bypass — will recur in other AI-augmented enterprise apps; build CASB/DLP detection for Copilot search URLs carrying HTML-encoded payloads in the `q` parameter and for Copilot sessions fetching to non-Microsoft domains.

— *Source: [Varonis Threat Labs](https://www.varonis.com/blog/searchleak) · Additional source: [The Hacker News](https://thehackernews.com/2026/06/one-click-microsoft-365-copilot-flaw.html) · Tags: vulnerabilities, ai-abuse, info-disclosure, identity, patch-available · Region: global · Sector: public-sector, technology · CVE: CVE-2026-42824 · CVSS: 6.5 · Vector: user-interaction · Auth: pre-auth · Status: patch-available*

## 4. Updates to Prior Coverage

### UPDATE: Council of Europe named as a victim of the Oracle PeopleSoft (CVE-2026-35273) campaign

> **UPDATE (originally covered 2026-06-12/2026-06-13):** ShinyHunters listed the **Council of Europe** — the 46-member Strasbourg human-rights body, of which Switzerland is a member — claiming **297 GB across ~429,000 files** taken via the Oracle PeopleSoft Environment Management Hub zero-day **CVE-2026-35273**, and set a **16 June leak deadline** ([SecurityWeek, 2026-06-15](https://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/)). This is the first European intergovernmental institution named in the 100+-organisation PeopleSoft campaign previously covered as an education-sector wave.
>
> The claimed dataset spans payroll for 10,000+ current and former staff (2011–2026), 14,000+ CVs, and HR records with names, dates of birth, addresses, bank-account, tax/social-security and medical data. The Council of Europe confirmed it "is currently investigating the matter and assessing the situation" and has not confirmed exfiltration ([The Register, 2026-06-15](https://www.theregister.com/cyber-crime/2026/06/15/council-of-europe-hacked-in-shinyhunters-peoplesoft-heist/5255757); [BleepingComputer, 2026-06-15](https://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/)). The vector — unauthenticated HTTP to the `/PSEMHUB/hub` servlet (`T1190`) — is unchanged; treat any externally-reachable PeopleSoft Environment Management Hub as compromised pending forensic review and block perimeter access to `/PSEMHUB/*`. Confidence on the victim claim is MEDIUM pending Council of Europe confirmation (extortion-site claim).
>
> — *Source: [SecurityWeek](https://www.securityweek.com/shinyhunters-claims-council-of-europe-hack/) · Additional source: [The Register](https://www.theregister.com/cyber-crime/2026/06/15/council-of-europe-hacked-in-shinyhunters-peoplesoft-heist/5255757) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/council-of-europe-investigates-shinyhunters-data-breach-claims/) · Tags: data-breach, organized-crime, identity · Region: europe · Sector: public-sector · CVE: CVE-2026-35273 · Status: exploited, cisa-kev*

### UPDATE: Novo Nordisk clarifies stolen-data scope — non-pseudonymised HCP data in play

> **UPDATE (originally covered 2026-06-13):** Novo Nordisk published an incident update on 2026-06-15 clarifying the scope of the theft: clinical-trial data taken was **pseudonymised** (limited direct re-identification risk for trial subjects) ([Novo Nordisk, 2026-06-15](https://www.novonordisk.com/news-and-media/latest-news/incident-update.html)), but separately stolen **healthcare-professional (HCP) data was non-pseudonymised** — names, registration numbers and contact details ([Security Affairs, 2026-06-15](https://securityaffairs.com/193650/security/novo-nordisk-confirms-data-theft-what-attackers-took-and-what-they-didnt.html)).
>
> The non-pseudonymised HCP records bring the incident within GDPR Article 33 breach-notification obligations and raise targeted-phishing risk against named medical professionals ([Security Affairs, 2026-06-15](https://securityaffairs.com/193650/security/novo-nordisk-confirms-data-theft-what-attackers-took-and-what-they-didnt.html)). Healthcare and pharma defenders should expect HCP-impersonation and credential-phishing lures referencing the breach.
>
> — *Source: [Novo Nordisk incident update](https://www.novonordisk.com/news-and-media/latest-news/incident-update.html) · Additional source: [Security Affairs](https://securityaffairs.com/193650/security/novo-nordisk-confirms-data-theft-what-attackers-took-and-what-they-didnt.html) · Tags: data-breach, phishing · Region: europe, dach · Sector: healthcare*

## 5. Deep Dive — Cisco Catalyst SD-WAN Manager CVE-2026-20262: authenticated arbitrary file write to root RCE

**Vulnerable component.** The flaw lives in the web UI of **Cisco Catalyst SD-WAN Manager** (formerly SD-WAN vManage), the centralised controller/management plane that pushes policy and configuration to every WAN-edge router in an SD-WAN fabric. The file-upload path in the management UI does not validate the user-supplied filename, so an authenticated request can traverse out of the intended directory and **create or overwrite an arbitrary file** on the appliance OS ([NVD, CVSS 6.5](https://nvd.nist.gov/vuln/detail/CVE-2026-20262); [Cisco PSIRT, 2026-06-15](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ)). The vulnerability affects on-premises, Cloud-hosted and FedRAMP deployment models. The 6.5 base score reflects the authentication requirement (a low-privilege/single-task account), but the *consequence* — arbitrary write into a path the application server reads — is what makes it a root-RCE primitive rather than a simple integrity bug.

**Exploitation chain.** Reporting describes the practical path as: (1) **Initial access** with valid low-privilege SD-WAN Manager credentials — obtained through prior phishing, credential reuse, or chaining an earlier auth-affecting SD-WAN bug ([T1078.004 Valid Accounts: Cloud Accounts](https://attack.mitre.org/techniques/T1078/004/)); (2) **Execution** by abusing the upload endpoint to write a `.jsp`/`.war` artefact into the Tomcat deployment directory, turning the file-write into a web shell ([T1190 Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190/) for the upload primitive, [T1505.003 Server Software Component: Web Shell](https://attack.mitre.org/techniques/T1505/003/) for the planted shell); (3) **Privilege escalation / impact** because the SD-WAN Manager application services run with high privilege, the web shell yields root-equivalent control of the management plane ([T1059 Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059/)). Control of SD-WAN Manager is control of every managed edge device's configuration — a single-pivot path to the entire WAN. Cisco Talos tracks a highly capable cluster it designates **UAT-8616** behind a 2026 wave of Cisco Catalyst SD-WAN exploitation (notably CVE-2026-20127, with software-downgrade post-compromise tradecraft) ([Cisco Talos, 2026](https://blog.talosintelligence.com/uat-8616-sd-wan/)); whether or not that cluster is behind CVE-2026-20262 specifically, the pattern means defenders should treat any SD-WAN Manager as a high-value target even where they believe an earlier intrusion was contained.

**Affected and patched versions.** Cisco has released fixed trains **20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1 and 26.1.1.2**; consult the PSIRT advisory for the exact mapping of your running train to its fixed build ([Cisco PSIRT, 2026-06-15](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ)). CISA added CVE-2026-20262 to the Known Exploited Vulnerabilities catalog on 2026-06-15, confirming exploitation in the wild ([BleepingComputer, 2026-06-15](https://www.bleepingcomputer.com/news/security/cisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks/)).

**Hunt and detection concepts.** Because exploitation is authenticated and post-foothold, the highest-value telemetry is on the appliance itself, not the perimeter. Review the SD-WAN Manager appserver and service-proxy logs for **HTTP uploads referencing `index.jsp`, `*.jsp` or `*.war` filenames or path-traversal sequences**, and for **newly written files in the Tomcat webapps/deploy directories** that do not correspond to a vendor update. Correlate file-write events with the authenticating account — single-task/low-privilege accounts performing uploads are anomalous. Watch for **unexpected outbound connections from the SD-WAN Manager host** (a web shell beaconing) and for new processes spawned by the application-server user. Because the attacker needs valid credentials first, surface **authentication anomalies** for management-plane accounts: logins from new source ranges, off-hours admin activity, and use of service/automation accounts interactively. No IOCs are reproduced here — hunt on the behaviour.

**Hardening / mitigation.** Patch to the fixed train as the only durable fix. Until patched: restrict management-plane reachability so SD-WAN Manager's web UI is **never internet-exposed** and is reachable only from a hardened management network or jump host; enforce MFA on all SD-WAN Manager accounts and prune low-privilege/single-task accounts that retain upload capability; rotate credentials for any account that could authenticate during the exposure window; and validate the integrity of the Tomcat deploy directory against a known-good baseline before returning a controller to service. Given the management plane's blast radius across the WAN fabric, treat a suspected compromise of SD-WAN Manager as a fabric-wide event and review pushed configurations for tampering.

— *Source: [Cisco PSIRT advisory](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/cisco-fixes-sd-wan-vmanage-flaw-exploited-in-zero-day-attacks/) · Additional source: [The Register](https://www.theregister.com/patches/2026/06/15/cisco-sd-wan-make-me-root-bug-under-attack/5255916) · Additional source: [Cisco Talos — UAT-8616](https://blog.talosintelligence.com/uat-8616-sd-wan/) · Tags: vulnerabilities, actively-exploited, rce, path-traversal, cisa-kev · Region: global · Sector: telco, public-sector · CVE: CVE-2026-20262 · CVSS: 6.5 · Vector: zero-click · Auth: post-auth · Status: exploited, cisa-kev, patch-available*

## 6. Action Items

- **Patch Cisco Catalyst SD-WAN Manager now (CVE-2026-20262)** — actively exploited, CISA KEV. Move to a fixed train (20.9.9.2 / 20.12.7.2 / 20.15.4.5 / 20.15.5.3 / 20.18.3.1 / 26.1.1.2), take the management UI off the internet, enforce MFA, and review appserver upload/deploy logs and the Tomcat deploy directory for planted `.jsp`/`.war` web shells. See § 5 and § 2.
- **Patch the LiteSpeed cPanel/WHM plugin (CVE-2026-54420)** to WHM PlugIn version 5.3.2.1 / plugin 2.4.8 — exploited in the wild on shared CloudLinux/CageFS hosting since May. Prioritise any public-sector tenant on shared hosting. See § 2.
- **Upgrade phpBB to 3.3.17 (CVE-2026-48611 / CVE-2026-48612)** on any internet-reachable forum, especially university and municipal deployments; if upgrade is delayed, disable the OAuth integration even when unused. See § 2.
- **Pin LiteLLM to version ≥ 1.83.14 and keep admin endpoints off the internet (CVE-2026-47101/-47102/-40217)** — rotate all provider API keys if any pre-1.83.14 instance was reachable by untrusted users; move keys into a secrets manager. See § 3.
- **Audit WordPress sites running OptinMonster / TrustPulse / PushEngage** active during 12–13 June UTC — hunt for unexpected admin accounts and for plugins present on disk but hidden from the admin list; pin external CDN scripts to Subresource Integrity hashes. See § 1.
- **Hunt Google Workspace for rogue content-compliance / BCC rules** with external Gmail recipients created by non-IT-admin accounts, and file-integrity-monitor the REDCap upgrade-staging directory and login handlers (UNC6508). See § 1.
- **Hunt editor-spawned shells** — `code`/`cursor` processes launching shell or script interpreters outside build directories — and enforce VS Code workspace-trust + VSIX allowlist policy (UNK_DeadDrop). See § 1.
- **Confirm M365 Copilot tenants are on the patched build (CVE-2026-42824)** and add CASB/DLP detection for Copilot search URLs carrying HTML-encoded `q` parameters or fetching to non-Microsoft domains. See § 3.
- **Block perimeter access to `/PSEMHUB/*` on Oracle PeopleSoft** and treat any externally-reachable Environment Management Hub as compromised pending forensic review (CVE-2026-35273). See § 4.

— *Source: [Cisco PSIRT](https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-arbfw-c2rZvQ) · Additional source: [Sansec](https://sansec.io/research/optinmonster-supply-chain-attack) · Tags: actively-exploited, vulnerabilities, supply-chain · Region: global, europe · Sector: public-sector*

## 7. Verification Notes

- **Items dropped:**
  - *CVE-2026-20251 — Splunk Secure Gateway jsonpickle deserialization RCE (CVSS 8.8):* did not clear a § 2 inclusion gate — no in-the-wild exploitation, post-auth/low-privilege, surfaced only via an NCSC-NL advisory. Holding for a future brief if exploitation emerges.
  - *Velvet Ant "Operation Highland" (Sygnia, 2026-06-08):* already covered in the 2026-W24 weekly summary (long-running campaigns) with the 2026-06-13 daily deep dive on the related Linux-authentication-stack subversion; no in-window (14–16 June) delta, so excluded per PD-8.
  - *FileFix / KongTuke MotW-bypass transition (Intel 471, 2026-06-03):* outside the 36 h recency window; the underlying FileFix research predates June 2026. Not pursued.
  - *Astral (Russia) service disruption; Mackay Sugar (AU) incident; Grafana breach claim; Infinite Campus 137k school-staff breach:* lower Swiss/EU public-sector relevance; not pursued this run.
- **Single-source items:** iRhythm Holdings breach (§ 1) — SEC Form 8-K Item 1.05 primary only; no independent corroboration yet (national-disclosure carve-out does not apply; flagged inline).
- **Reduced-confidence items:** Council of Europe breach (§ 4) — extortion-site (ShinyHunters) claim; the Council confirms an investigation but not exfiltration. Confidence MEDIUM pending victim confirmation; the 16 June leak deadline should resolve it by the next cycle.
- **Contradictions:** phpBB CVE-2026-48611 CVSS — Pentest-Tools.com rated it 9.4; NVD assigns 9.8. Brief reports the NVD value. LiteLLM fix timing — sources gave differing fix dates (25 April vs 2 May 2026); brief cites the fixed version (v1.83.14-stable), not a date, to avoid the discrepancy. LiteSpeed CVE-2026-54420 fixed-version — NVD describes the vulnerable range as "before WHM PlugIn 5.3.2.0", while the LiteSpeed vendor advisory states the fix shipped in **WHM PlugIn 5.3.2.1** (bundled with cPanel plugin 2.4.8); the brief uses the vendor's 5.3.2.1 as the safe patch target. CVE-2026-48612 CVSS — NVD has not yet scored it; the 8.0 used here is a third-party (HackerOne) score (Pentest-Tools.com assigned 8.3).
- **Sub-agents:** all four research sub-agents (S1–S4, Claude Sonnet 4.6) returned within the wall-clock cap. S2 and S3 completed their research but their findings-YAML writes did not persist on first return; the main agent recovered both files verbatim from the sub-agent transcripts and the run's URL-liveness ledger before composition (no content was fabricated). Verifier: 4 iterations with model rotation (iterations 1 and 3 Claude Opus 4.8; iterations 2 and 4 Claude Sonnet 4.6); verdict CLEAN at iteration 4 after three remediation rounds (phpBB PoC claim, LiteLLM per-CVE CVSS phrasing, LiteSpeed fixed-version 5.3.2.1, UAT-8616 Talos citation, LiteSpeed KEV citation, DPRK targeted-geography attribution, Novo Nordisk HCP-clause citation).
- **Coverage gaps:** inside-it-ch (bridge 403 — no unique in-window content); databreaches-net (bridge returned no output); ncsc-ch-weekly-week24 (HTTP 404 — Week 24 report not yet published as of run time); anssi-fr-actu (CERT-FR actualité feed stale, no 2026 bulletins); sophos-xops (no new X-Ops research post in-window); rapid7-research (RSS feed returned empty); cnil-fr (no in-window enforcement notices).