A heavy week across the whole stack: an exploited mobile zero-day, perimeter VPN/SD-WAN flaws under active attack, a freshly weaponised container-escape bug, a VPN bug feeding ransomware, a memory-exhaustion DoS against the major web servers, and self-propagating npm supply-chain worms — against a regulator now expecting hours-not-weeks remediation.
1. Android Framework zero-day under targeted exploitation (CVE-2025-48595)
Google's June Android bulletin (124 fixes) patched an integer-overflow privilege-escalation flaw that needs no user interaction and is under "limited, targeted" exploitation — the signature of commercial spyware and nation-state operators. CISA added it to its Known Exploited Vulnerabilities catalogue on 2 June.
India exposure: India is one of the most Android-dependent markets on earth; ministers, defence personnel, journalists and executives on unpatched handsets are exactly the high-value targets this class of bug is bought to reach.
Action: push the June Android patch fleet-wide via MDM today; prioritise VIP and privileged-access devices; treat lagging OEM/carrier builds as exposed.
Source: Android Security Bulletin; Help Net Security and BleepingComputer (2 Jun 2026); CISA KEV (2 Jun 2026).
2. Palo Alto GlobalProtect authentication bypass exploited (CVE-2026-0257)
Active exploitation of PAN-OS GlobalProtect portals and gateways was confirmed, letting attackers forge authentication cookies to establish unauthorised VPN sessions. This is perimeter access, not just a patching item.
India exposure: BFSI, IT/ITeS, pharma, GCCs, SaaS firms and government entities using GlobalProtect for remote access.
Action: patch affected PAN-OS/Prisma Access versions and disable the authentication override immediately.
Source: eSentire (1 Jun 2026); BleepingComputer.
3. Cisco Catalyst SD-WAN Manager zero-day, exploited while still unpatched (CVE-2026-20245)
Cisco warned of active exploitation of an SD-WAN Manager flaw allowing command execution as root once attackers obtain netadmin privileges, with configuration changes pushed to branch edge devices.
India exposure: telecom operators, large BFSI networks, government WANs and multi-site manufacturers running Cisco SD-WAN.
Action: restrict SD-WAN Manager to admin networks, audit netadmin accounts, and hunt for unexpected configuration pushes to edge devices.
Source: Cisco advisory; BleepingComputer (5 Jun 2026).
4. SolarWinds Serv-U exploited denial-of-service (CVE-2026-28318)
CISA warned that attackers are exploiting a Serv-U flaw — an unauthenticated request that crashes managed file-transfer servers. Outage and extortion pressure on MFT hits business operations quickly.
India exposure: exporters, healthcare chains, banks, BPOs, legal firms and any partner-facing SFTP/MFT deployment.
Action: upgrade to Serv-U 15.5.4 Hotfix 1, or filter the malicious request pattern at the WAF/reverse proxy until patched.
Source: SolarWinds advisory (3 Jun 2026); CISA; BleepingComputer (5 Jun 2026).
5. Check Point VPN bypass feeding Qilin ransomware (CVE-2026-50751)
A critical pre-authentication bypass in Check Point Remote Access / Mobile Access VPN using deprecated IKEv1 let unauthenticated attackers open unauthorised VPN sessions. Exploitation surged in early June, with at least one intrusion tied to the Qilin ransomware operation — whose 2–3 June spree hit manufacturing across multiple continents.
India exposure: enterprise and PSU VPN gateways as a ransomware front door; manufacturing and OT-adjacent firms matching Qilin's victim pattern.
Action: apply Check Point's hotfix and disable IKEv1; hunt anomalous VPN sessions and rotate credentials; validate offline, tested backups and IT/OT segmentation.
Source: Check Point Research / BleepingComputer; Industrial Cyber (Qilin tracking, 2–3 Jun 2026).
6. Eight-year-old Linux container-escape flaw freshly weaponised (CVE-2022-0492)
CISA added this Linux-kernel cgroups privilege-escalation / container-escape vulnerability to its KEV catalogue on 2 June — evidence attackers are breaking out of containers on hosts still running cgroups v1, despite a 2022 patch.
India exposure: fast-growing Kubernetes and cloud-native estates — fintech, e-commerce, GovCloud — that frequently run legacy node images; one escaped container can mean a compromised host and cluster-wide lateral movement.
Action: inventory container hosts for cgroups v1, patch kernels, and enforce seccomp/AppArmor and non-privileged container defaults.
Source: CISA KEV bulletin (2 Jun 2026).
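The first step in that action, inventorying hosts for cgroups v1, is mechanical enough to script. The following is an added example, not code from the feed or from CISA: it parses a Linux host's mount table (/proc/mounts) and classifies the host as pure v1, pure v2 (unified) or systemd "hybrid" mode. Any host with a v1 hierarchy mounted is the one whose kernel version needs checking against the 2022 fix, since the release_agent mechanism the flaw abuses exists only in v1 hierarchies. The SAMPLE_* mount tables are constructed so the logic runs offline; the function names are the example's own.

```python
"""Inventory a container host for the legacy cgroup v1 hierarchy.

Added example (not from the feed or CISA). A host that still mounts v1
controllers, either pure v1 or systemd "hybrid" mode, needs its kernel
verified against the 2022 fix for CVE-2022-0492 or migrated to cgroup2-only;
a pure cgroup2 host does not expose the v1 release_agent path at all.
"""
import os

# Constructed /proc/mounts excerpts (not captured from a real host).
SAMPLE_V1_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0
"""

SAMPLE_V2_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot 0 0
"""

SAMPLE_HYBRID_MOUNTS = """\
tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
"""


def cgroup_mounts(mounts_text):
    """Yield (mount_point, fstype) for every cgroup or cgroup2 mount line."""
    for line in mounts_text.splitlines():
        fields = line.split()
        # /proc/mounts layout: device mountpoint fstype options dump pass
        if len(fields) >= 3 and fields[2] in ("cgroup", "cgroup2"):
            yield fields[1], fields[2]


def v1_controllers(mounts_text):
    """Mount points of legacy v1 hierarchies, where release_agent can exist."""
    return [mp for mp, fstype in cgroup_mounts(mounts_text) if fstype == "cgroup"]


def classify_cgroups(mounts_text):
    """Return 'v1', 'v2', 'hybrid' or 'none' for a host's mount table."""
    fstypes = {fstype for _, fstype in cgroup_mounts(mounts_text)}
    if fstypes == {"cgroup", "cgroup2"}:
        return "hybrid"
    if fstypes == {"cgroup"}:
        return "v1"
    if fstypes == {"cgroup2"}:
        return "v2"
    return "none"


def needs_kernel_check(mounts_text):
    """True when any v1 hierarchy is mounted: verify the kernel carries the
    2022 fix, or migrate the node to cgroup2-only, before trusting it."""
    return bool(v1_controllers(mounts_text))


def inventory_host(path="/proc/mounts"):
    """Inventory the local host; returns None when the mount table is not
    readable (e.g. on macOS or Windows), so the module imports anywhere."""
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        text = fh.read()
    return {
        "mode": classify_cgroups(text),
        "v1_controllers": v1_controllers(text),
        "needs_kernel_check": needs_kernel_check(text),
    }


if __name__ == "__main__":
    for name, sample in (("v1", SAMPLE_V1_MOUNTS), ("v2", SAMPLE_V2_MOUNTS),
                         ("hybrid", SAMPLE_HYBRID_MOUNTS)):
        print(name, "->", classify_cgroups(sample), v1_controllers(sample))
    print("this host:", inventory_host())
```

Run it on each Kubernetes node (or ship it through your existing fleet tooling) and treat every "v1" or "hybrid" result as a node to patch or rebuild; the mount table alone cannot tell you whether the kernel is already fixed, so pair the result with your kernel version inventory.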
7. HTTP/2 "Bomb" memory-exhaustion DoS against the major web servers (CVE-2026-49975)
A new HTTP/2 technique disclosed on 2 June abuses HPACK header compression and flow control so a single client can force massive server-side memory allocation — around 32GB in roughly 20 seconds against Apache httpd and Envoy — crashing default HTTP/2 configurations of nginx, Apache, Microsoft IIS, Envoy and Cloudflare Pingora.
India exposure: internet-facing portals where availability is the target — government services, exchanges, payment gateways, hospitals, universities, SaaS APIs and e-commerce.
Action: patch where fixes exist (nginx 1.29.8 with max_headers; Apache mod_http2 2.0.41); otherwise cap HTTP/2 header counts, set worker-process memory limits, or disable HTTP/2 on exposed origins. IIS/Envoy/Pingora fixes were still landing at disclosure.
Source: Calif (2 Jun 2026); BleepingComputer, The Hacker News, oss-security (2–3 Jun 2026).
8. Self-propagating npm supply-chain worms hit Red Hat packages — Miasma and IronWorm
On 1 June, the "Miasma" worm compromised 32 @redhat-cloud-services npm packages (96 malicious versions), running a preinstall payload that harvests GitHub, cloud and CI/CD secrets and republishes itself via stolen npm OIDC tokens — built on the public "Shai-Hulud" worm code. A second wave hit 57 more packages (~647k monthly downloads), and a separate Rust-based worm, "IronWorm," spread an eBPF rootkit with Tor C2 across 37 packages.
India exposure: SaaS, fintech, GCC engineering centres and DevOps teams — developer laptops and CI runners are the credential targets, and transitive dependencies pull the payload in silently.
Action: revoke exposed npm/GitHub/cloud tokens, pin dependency versions, and block install scripts in CI except for vetted packages; audit for the affected package versions.
Source: Wiz, Upwind, Snyk, Aikido (1–3 Jun 2026); The Hacker News (5 Jun 2026).
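The audit and the install-script control in that action can be checked against a project's lockfile and .npmrc. The following is an added example, not code from the feed or from Wiz, Upwind, Snyk or Aikido. The feed names the @redhat-cloud-services scope but not the 96 malicious version numbers, so the script flags every dependency in that scope for comparison with the vendors' published lists (KNOWN_BAD_VERSIONS is an assumed placeholder to be replaced with those lists), surfaces every dependency that declares a preinstall/install/postinstall hook (npm records this as "hasInstallScript" in lockfileVersion 2 and 3), lists entries that lack the resolved URL or integrity hash a pinned install depends on, and checks whether .npmrc disables install scripts. SAMPLE_LOCK is a constructed lockfile; the function names are the example's own.

```python
"""Audit an npm lockfile for the compromised scope, unpinned entries and
install-script hooks, and check that install scripts are disabled for CI.

Added example (not from the feed or the cited vendors). Works with
package-lock.json lockfileVersion 2 or 3 (npm 7+), which record
"hasInstallScript" per package.
"""
import json
import os

COMPROMISED_SCOPE = "@redhat-cloud-services"   # scope named in the feed

# ASSUMED PLACEHOLDER: replace with the vendor-published malicious versions.
KNOWN_BAD_VERSIONS = {
    f"{COMPROMISED_SCOPE}/example-lib": {"0.0.0-PLACEHOLDER"},
}

# Constructed package-lock.json (lockfileVersion 3 layout), not a real project.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/@redhat-cloud-services/example-lib": {
            "version": "0.0.0-PLACEHOLDER",
            "resolved": "https://registry.npmjs.org/@redhat-cloud-services/example-lib/-/example-lib-0.0.0-PLACEHOLDER.tgz",
            "integrity": "sha512-CONSTRUCTEDHASH1",
            "hasInstallScript": True,
        },
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-CONSTRUCTEDHASH2",
        },
        "node_modules/unpinned-helper": {"version": "2.1.0"},
    },
})


def load_lock(text):
    """Parse a lockfile and refuse the v1 layout, which lacks hasInstallScript."""
    lock = json.loads(text)
    if lock.get("lockfileVersion", 1) < 2 or "packages" not in lock:
        raise ValueError("need package-lock.json lockfileVersion 2 or 3 (npm 7+)")
    return lock


def package_name(path):
    """'node_modules/@scope/name' -> '@scope/name'; nested paths keep the last segment."""
    return path.rsplit("node_modules/", 1)[-1]


def entries(lock):
    """Yield (lockfile_path, package_name, metadata), skipping the root project."""
    for path, meta in lock["packages"].items():
        if path:
            yield path, package_name(path), meta


def in_compromised_scope(lock, scope=COMPROMISED_SCOPE):
    """Every installed package under the scope, with its version, for manual review."""
    return sorted(f"{name}@{meta.get('version')}" for _, name, meta in entries(lock)
                  if name.startswith(scope + "/"))


def known_bad(lock, bad=KNOWN_BAD_VERSIONS):
    """Exact hits against the (placeholder) list of malicious versions."""
    return sorted(f"{name}@{meta.get('version')}" for _, name, meta in entries(lock)
                  if meta.get("version") in bad.get(name, ()))


def with_install_scripts(lock):
    """Packages that would run a preinstall/install/postinstall hook on npm install."""
    return sorted(name for _, name, meta in entries(lock) if meta.get("hasInstallScript"))


def unpinned(lock):
    """Entries missing 'resolved' or 'integrity': npm cannot verify their tarball."""
    return sorted(name for _, name, meta in entries(lock)
                  if not meta.get("resolved") or not meta.get("integrity"))


def npmrc_ignores_scripts(npmrc_text):
    """True when .npmrc sets ignore-scripts=true (same effect as npm ci --ignore-scripts)."""
    for line in npmrc_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()   # ini-style comments
        key, _, value = line.partition("=")
        if key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False


if __name__ == "__main__":
    lock_text = open("package-lock.json").read() if os.path.exists("package-lock.json") else SAMPLE_LOCK
    npmrc_text = open(".npmrc").read() if os.path.exists(".npmrc") else ""
    lock = load_lock(lock_text)
    print("in scope:       ", in_compromised_scope(lock))
    print("known bad:      ", known_bad(lock))
    print("install scripts:", with_install_scripts(lock))
    print("unpinned:       ", unpinned(lock))
    print("CI ignores scripts:", npmrc_ignores_scripts(npmrc_text))
```

Run it from the project root in CI before any install step. For the "except for vetted packages" part of the action, keep ignore-scripts=true globally and run `npm rebuild <package>` explicitly for the few packages whose build hooks are reviewed and required, so a hook arriving through a transitive dependency never runs by default.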
The takeaway: a heavy week across the whole stack — mobile, VPN, SD-WAN, file transfer, the container layer, web-server availability and the npm supply chain all under fire at once, against CERT-In's tightening expectation of hours-not-weeks remediation for known-exploited internet-facing flaws. Patch the perimeter, harden the handset, guard the build pipeline, and don't forget the cluster.
Nirad Bharat Threat Feed | Bharat-first threat intelligence