Programmer’s Digest #190

06/17/2026-06/24/2026 Cisco Unified CM Flaw Exploited, Malicious npm Packages, 4,300+ Outdated Routers Hijacked and More.

1. Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root

Threat actors are actively exploiting a critical Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition (Unified CM SME) vulnerability, tracked as CVE-2026-20230 (CVSS 8.6). The flaw stems from improper input validation in HTTP requests, enabling unauthenticated attackers to perform server-side request forgery (SSRF) attacks and write files to the underlying operating system, potentially leading to root-level access.

Security researchers at Defused Cyber observed real-world exploitation attempts using publicly available proof-of-concept code. However, attacks are only possible when the Cisco WebDialer service is enabled, which is disabled by default. Administrators should verify the service status through Cisco Unified Serviceability and disable it if immediate patching is not possible.

Cisco has fixed the vulnerability in Unified CM and Unified CM SME versions 14SU6 and 15SU5. Additional research from SSD Secure Disclosure indicates attackers can leverage the WebDialer component to write arbitrary files and potentially achieve remote code execution.

2. Malicious npm Packages Use PowerShell and VBS Chain to Drop Windows RAT

Threat actors are increasingly targeting developers through malicious npm packages. Researchers recently discovered a campaign using a typosquatted package, postcss-minify-selector-parser, to deliver a multi-stage Windows Remote Access Trojan (RAT). The package closely imitates the legitimate postcss-selector-parser, a widely used JavaScript dependency with over 150 million weekly downloads, making it difficult to spot during routine reviews. When imported, the package executes hidden JavaScript code that decrypts an embedded payload, writes a PowerShell script to disk, and runs it while bypassing execution policies. The script then downloads additional malware from the deceptive domain nvidiadriver[.]net, disguising files as Windows updates.

Once installed, the RAT performs extensive system profiling to detect virtual machines and security analysis environments. If no threats are detected, it establishes persistence and waits for commands. The malware primarily targets Google Chrome, stealing saved credentials and browser data using advanced decryption techniques before exfiltrating the information through encrypted command-and-control channels.

3. GitHub Updates actions/checkout to Block Common Pwn Request Attack Patterns

GitHub is enhancing software supply chain security by updating actions/checkout to block “pwn request” attacks that exploit insecure use of the pull_request_target workflow trigger. Starting June 18, 2026, actions/checkout v7 will refuse to fetch code from forked pull requests in pull_request_target and certain workflow_run workflows when unsafe checkout patterns are detected. The protection will be backported to supported versions on July 16, 2026.

The change addresses a common attack scenario where untrusted code from a forked repository is executed with the base repository’s privileges, potentially exposing secrets, write-enabled GITHUB_TOKENs, and other sensitive resources. Such attacks have been linked to several recent software supply chain compromises.

Developers can override the protection by explicitly enabling the allow-unsafe-pr-checkout flag, though this is discouraged. GitHub recommends using pull_request instead of pull_request_target when elevated permissions are unnecessary, limiting workflow permissions, and carefully reviewing workflows that process untrusted code. The update serves as an important safeguard, but not a complete security solution.
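The unsafe and safe workflow shapes described above, side by side, with a small checker that flags the pwn-request pattern. This is an added example, not GitHub's code: the workflows are constructed, written as the dicts a YAML parser returns, and the assumption that allow-unsafe-pr-checkout is passed as a `with:` input is the example's own.

```python
from typing import Any

# Constructed workflows in the dict form yaml.safe_load() returns for a workflow
# file (PyYAML parses the bare key `on:` as boolean True, handled below).
# Assumption of this example: allow-unsafe-pr-checkout is a `with:` input of checkout.
UNSAFE_WORKFLOW: dict[str, Any] = {
    "on": {"pull_request_target": {"types": ["opened", "synchronize"]}},
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        # checks out the fork's commit, not the base branch, under a privileged token
        {"uses": "actions/checkout@v7",
         "with": {"ref": "${{ github.event.pull_request.head.sha }}",
                  "allow-unsafe-pr-checkout": True}},
        # runs the fork's package.json scripts with that token and any secrets
        {"run": "npm ci && npm test"},
    ]}},
}
SAFE_WORKFLOW: dict[str, Any] = {
    "on": {"pull_request": {}},  # fork PRs get a read-only token and no secrets
    "jobs": {"test": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v7"},
        {"run": "npm ci && npm test"},
    ]}},
}

PRIVILEGED_TRIGGERS = {"pull_request_target", "workflow_run"}
UNTRUSTED_REFS = ("github.event.pull_request.head", "github.head_ref")

def find_pwn_request_risks(workflow: dict[str, Any]) -> list[str]:
    """One finding per risky step; an empty list means no pwn-request pattern."""
    triggers = workflow.get("on", workflow.get(True, {}))
    if isinstance(triggers, str):
        triggers = {triggers: {}}
    elif isinstance(triggers, list):
        triggers = {t: {} for t in triggers}
    privileged = PRIVILEGED_TRIGGERS & set(triggers)
    if not privileged:
        return []  # plain pull_request: untrusted code never sees elevated rights
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        untrusted_checked_out = False
        for step in job.get("steps", []):
            inputs = step.get("with") or {}
            ref = str(inputs.get("ref", ""))
            if step.get("uses", "").startswith("actions/checkout") and any(
                    marker in ref for marker in UNTRUSTED_REFS):
                untrusted_checked_out = True
                override = " with allow-unsafe-pr-checkout" if inputs.get("allow-unsafe-pr-checkout") else ""
                findings.append(f"{job_name}: {'/'.join(sorted(privileged))} checks out untrusted ref {ref}{override}")
            elif untrusted_checked_out and "run" in step:
                findings.append(f"{job_name}: runs {step['run']!r} on untrusted code with the base repo's token")
    return findings
```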

4. 4,300+ Outdated Routers Hijacked in Stealthy Spy Infrastructure by AryStinger Malware

QiAnXin’s XLab detected IP 107.150.106.14 spreading a zero-detection Linux binary through two old vulnerabilities — CVE-2013-3307 and CVE-2016-5681 — targeting Realtek RTL819X-based routers, mainstream hardware from 2012–2015 that has received no firmware updates since. XLab named the malware AryStinger, after a source code path referencing “Ary-Attack.”

Unlike typical IoT malware, AryStinger doesn’t encrypt files or mine crypto. Instead, it turns infected routers into Executor nodes that perform distributed reconnaissance — port scanning, service identification, and subdomain enumeration — while hiding the attacker’s real location behind a relay layer.

Over 4,300 routers are currently compromised, predominantly D-Link DIR-850L devices. South Korea accounts for 48% of infections, followed by China at 32%. XLab has not attributed the campaign to any known threat actor, and the investigation remains ongoing.

5. F5 Patches Critical, High-Severity NGINX Vulnerabilities

F5 released out-of-band security updates addressing multiple NGINX vulnerabilities, including two critical flaws — CVE-2026-42530 and CVE-2026-42055 (CVSS 9.2) — affecting HTTP modules. Both can be exploited without authentication to trigger a use-after-free or heap-based buffer overflow, causing the NGINX worker process to restart and resulting in denial-of-service. If ASLR is disabled or bypassed, arbitrary code execution is also possible.

Patches cover NGINX Plus, NGINX Open Source, and NGINX Gateway Fabric. Two high-severity flaws — CVE-2026-11311 and CVE-2026-50107 — in NGINX Gateway Fabric allow authenticated attackers to inject arbitrary configuration directives, potentially exposing sensitive data, proxying traffic to attacker-controlled endpoints, or causing DoS. Two additional medium-severity bugs enable memory disclosure or worker process restarts.

F5 reports no active exploitation, but urges prompt patching given NGINX’s recent targeting in attacks.

6. Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

Threat actors are actively exploiting CVE-2026-4020 (CVSS 5.3), an information disclosure flaw in Gravity SMTP, a WordPress plugin with roughly 100,000 installations. An unauthenticated attacker can send a GET request to the plugin’s REST API endpoint with the ?page=gravitysmtp-settings parameter, triggering a 365 KB JSON response containing PHP version, active plugins, database details, WordPress configuration, and live API credentials for services including Amazon SES, Google, Mailjet, and Zoho.

Exposed credentials enable attackers to abuse connected email services or map the site’s software stack for follow-on attacks. Wordfence has blocked over 17 million exploit attempts since May 2026, peaking at 4 million requests per day in early June.

A patch is available in version 2.1.5. Site owners should update immediately, rotate all configured API credentials, and review server logs for requests from known attacker IPs.
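The log review recommended above, as an added example that is not part of the original digest or the plugin: it scans combined-format access log lines for REST API requests carrying the page=gravitysmtp-settings parameter and marks a 200 response of roughly the 365 KB size described as a probable leak. The sample lines and the REST route path are constructed; the page names only the parameter, not the route.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed combined-format access log lines (not real traffic). The REST route
# path is a placeholder: the text above names only the ?page=gravitysmtp-settings parameter.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Jun/2026:10:15:01 +0000] "GET /wp-json/placeholder-gravitysmtp-route?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "python-requests/2.31"
198.51.100.7 - - [03/Jun/2026:10:15:02 +0000] "GET /wp-admin/admin.php?page=gravitysmtp-settings HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [03/Jun/2026:10:15:05 +0000] "GET /?rest_route=/placeholder-gravitysmtp-route&page=gravitysmtp-settings HTTP/1.1" 200 373802 "-" "python-requests/2.31"
192.0.2.44 - - [03/Jun/2026:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# An unpatched site answers with a ~365 KB JSON body; a 200 that large is a probable leak.
LEAK_SIZE_FLOOR = 300_000

def classify_line(line: str) -> Optional[dict]:
    """Finding for a REST API request carrying page=gravitysmtp-settings, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    via_rest_api = url.path.startswith("/wp-json/") or "rest_route" in query
    if not (via_rest_api and "gravitysmtp-settings" in query.get("page", [])):
        return None  # logged-in admins open the settings page via /wp-admin/, not the REST API
    size = int(m["size"]) if m["size"].isdigit() else 0
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "size": size,
            "probable_leak": m["status"] == "200" and size >= LEAK_SIZE_FLOOR}

def scan_log(text: str) -> list:
    """Findings for every line of an access log, in file order."""
    return [finding for finding in map(classify_line, text.splitlines()) if finding]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Source IPs that show a probable leak are the ones whose follow-on traffic, and whose reach into the connected mail services, deserve review after the credentials are rotated.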