Fuel Tank Monitoring Systems Targeted in Cyberattacks, Warn US Agencies; Mirasvit Flaw Added to KEV with Three-Day Deadline; White House Issues EO on AI and Cyber

A fact sheet warning of "malicious cyber activity targeting US-based automatic tank gauge (ATG) systems" has been jointly published by The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Department of Energy (DOE), the Environmental Protection Agency (EPA), the Transportation Security Administration (TSA), the Department of Transportation (DOT), and the US Department of Agriculture (USDA). ATG systems are used in the Energy, Chemical, Food and Agriculture, and Transportation Systems Sectors "for automated and remote monitoring of storage tank parameters, including fuel and liquid levels, temperature, and possible leak detection." The fact sheet includes likely tactics, techniques, and procedures (TTPs) used by the threat actors targeting these systems. The threat actors are reportedly gaining access to the ATG systems and altering settings. They are targeting the systems through a variety of attack vectors including authentication bypass and hardcoded credentials to access device management interfaces; OS command execution and SQL injection to execute arbitrary code and manipulate databases; and privilege escalation to expand their presence once they have gained access initial access to the systems. Suggested mitigations include not exposing the ATG serial port or other applicable web interfaces directly to the internet; restricting access with firewalls, access control lists (ACLs), or virtual private networks (VPNs) where remote access is required; changing all default passwords and implementing "strong, unique security codes and administrative credentials for all interfaces;" applying patches; monitoring and reporting any suspicious activity; and urging third-party service providers to adopt CISA, FBI, EPA, and DOE’s Primary Mitigations to Reduce Cyber Threats to Operational Technology [CPG 1.E].

A critical remote code execution vulnerability in the Mirasvit Full Page Cache Warmer for Magento 2 extension is being actively exploited. CVE-2026-45247, CVSS 9.8, is described as a PHP object injection vulnerability that allows unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. The vulnerability was found by researchers at Sansec. Mirasvit released an updated version of the Full Page Cache Warmer for Magento 2 extension on May 25, 2026, and users are urged to update to version 1.11.12 or later. The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on Wednesday, June 3 with a mitigation deadline of June 6. Sansec writes that its "scans found roughly 6,000 stores running Mirasvit extensions. Real numbers are likely higher, since content delivery networks such as Cloudflare hide many installs from our fingerprinting."

On Tuesday, June 2, the White House published an AI Executive Order (EO) titled “Promoting Advanced Artificial Intelligence Innovation and Security.” The order instructs federal agencies to upgrade the country's systems for Advanced AI and to secure frontier model deployment. This includes "develop[ing] and maintain[ing] a classified benchmarking process to assess the advanced cyber capabilities of AI models" and creating a voluntary framework with AI developers to provide the federal government with access to certain AI models 30 days before they are released publicly, to assess those models for cybersecurity issues.

Cisco has published a security advisory warning of a critical server-side request forgery (SSRF) in Cisco Unified Communications Manager. CVE-2026-20230, CVSS score 8.6, is the result of improper input validation for specific HTTP requests. Despite the score, Cisco has deemed the vulnerability critical because "a successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root." WebDialer service is disabled by default, and successful exploitation requires that it is enabled. Cisco notes that proof-of-concept exploit code for the vulnerability exists. Cisco has released updates to address the vulnerability. Users running Cisco Unified CM and Unified CM SME release 14 with the WebDialer service enabled should update to 14SU6; an update for Cisco Unified CM and Unified CM SME release 15 is expected to be available in September. Users unable to update immediately are advised to disable the WebDialer service.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a four-year-old flaw in the Linux kernel to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2022-0492, CVSS score 7.8, allows an attacker to escalate privileges and bypass the namespace isolation, potentially also escaping from a container, by exploiting an improper authentication flaw in the cgroups v1 release_agent feature. This flaw has been fixed in Linux kernel versions 4.9.301+, 4.14.266+, 4.19.229+, 5.4.177+, 5.10.97+, 5.15.20+, 5.16.6+, and 5.17-rc3+. The same day, CISA also added CVE-2025-48595 (CVSS score 8.4) to the KEV, which allows an attacker to escalate privileges locally and achieve code execution in Android 14, 15, 16, and 16 QPR2, without user interaction needed, due to an integer overflow. Google's June 2026 security patch releases address this flaw. Federal Civilian Executive Branch (FCEB) agencies are required to remediate these exploited flaws by June 5.

Acer has published a security advisory noting that fixes will be released by the end of June 2026 for two CVSS 10.0 vulnerabilities in the firmware on Acer Wave 7 routers. CVE-2026-49200 allows an attacker to gain unauthorized system access by acquiring login credentials for web and Telnet, which are stored in cleartext within a file that is accessible from the web interface without authentication. CVE-2026-49201 allows an attacker to inject a persistent backdoor by decrypting, modifying, and re-encrypting system backups, because the binary responsible for processing device backups contains a hardcoded AES encryption key. These flaws were reported by an independent security researcher, and affect Acer Wave 7 router firmware version T7c_GBL_1.01.000055 and earlier. The advisory provides instructions for logging into the router's admin console to update the firmware once the update is released; in the meantime, BleepingComputer recommends that users mitigate risk by disabling remote management and/or restricting remote access over the internet to trusted IP addresses only.

On Monday, June 1, 2026, a credential-stealing worm was distributed in npm packages published in the official @redhat-cloud-services channel. According to ReversingLabs, "the affected packages collectively represent approximately 9.8 million total downloads and cover the full breadth of Red Hat's Hybrid Cloud Console JavaScript ecosystem," and were all published within a 72-second window starting at 10:54:09 UTC, suggesting an automated attack. Red Hat removed the packages immediately upon detecting the attack, and the company stated that all affected packages were "strictly limited to internal development, and the malicious code was never published for customer consumption via the console[.]redhat[.]com system." Investigation indicates that a compromised GitHub account pushed unauthorized commits to repos in the RedHatInsights GitHub organization, using preinstall hooks to attach the malware to packages. While Red Hat has not identified "any impact to customer or partner environments or Red Hat production systems," and while the company states that "no actions from customers are required," cybersecurity researchers recommend that users treat any system that installed an affected package as compromised and take action to mitigate risk. Socket recommends users identify exposure, isolate affected systems and suspend CI/CD workflows, remove malicious package versions and rebuild from clean environments, rotate all secrets and credentials, audit GitHub and npm activity, strengthen CI/CD and dependency controls, and hunt for indicators of compromise (IoCs) and signs of persistence.

On Monday, June 1, 2026, the support page for password manager Dashlane published a security advisory disclosing "a brute force attack against certain Dashlane user accounts" that began the previous day. Accounts targeted by the attack were temporarily locked when the company's security controls were triggered by a high volume of two-factor authentication (2FA) code login attempts trying to register new devices on existing user accounts. The attacker targeted device registration API endpoints to send the requests, and downloaded vaults belonging to fewer than 20 users of Dashlane's personal plan, which are encrypted with Argon2 + AES-256-CBC + HMAC-SHA256, and according to Dashlane "cannot be accessed without the Master Password." Dashlane has contacted all users who were directly impacted by this attack, and has not observed any evidence that internal systems were affected. The company has blocked traffic from the threat actor, reactivated suspended accounts, undertaken mitigation and security hardening measures, and is adding new layers of verification. The advisory recommends users remove any unrecognized registered devices on their accounts and enable 2FA.

On Thursday, June 4, 2026, Microsoft retired the master password feature in the password manager of its Edge browser. Instead, Edge will replace the password requirement with Windows Hello, which uses PIN, fingerprint, or facial recognition to sign in. Ignas Valancius, VP of engineering at NordPass, said that while there might be some resistance to the change, he sees the move "toward passwordless authentication is a positive development." The shift is in line with Microsoft's commitment to "reducing ... reliance on passwords and other phishable authentication methods by accelerating passkey adoption." It has been just over a year since Microsoft announced that new Microsoft accounts would be passwordless by default.

In April 2026, a security researcher styled “Nightmare Eclipse” began publishing proof-of-concept (PoC) exploits on GitHub for half a dozen previously unknown and undisclosed vulnerabilities in Microsoft products, described below. On May 27 Microsoft stated its opposition to what it described as "uncoordinated" and "not responsibly disclosed" findings, mentioning the company's Digital Crimes Unit bringing cases against "those that enable ... criminal activity." However, the researcher had disclosed the exploits in blog posts alleging mistreatment during previous attempts at coordinated vulnerability disclosure (CVD), including Microsoft's deletion of the researcher's reporting account and GitHub account. Following four days of "conversation around coordinated disclosure and the relationship between security researchers and vendors," Microsoft clarified, "We have no intention to pursue action against individuals conducting or publishing their security research. [...] Given the nature of this work, there will at times be misunderstandings. We remain committed to engaging in good faith and to providing a respectful and professional experience for all researchers, regardless of past interactions." This interaction has spurred discussion in the cybersecurity community around Microsoft's relationship with vulnerability reports and the role of vulnerability research at large. On June 2, a separate cybersecurity researcher expressing grievances with Microsoft's CVD process publicly disclosed a flaw in VS Code allowing theft of GitHub access tokens, claiming to have given GitHub an hour's notice. Microsoft merged a fix for this flaw on June 3.

Two of Nightmare Eclipse’s exploits target CVSS 7.8 vulnerabilities allowing privilege escalation in Microsoft Defender: "BlueHammer" (CVE-2026-33825), disclosed on April 2, and "RedSun" (CVE-2026-41091), disclosed April 15. "UnDefend," (CVE-2026-45498, CVSS 7.5), is a denial-of-service tool for Defender, disclosed April 12. Microsoft has released patches for these three. "YellowKey" (CVE-2026-45585, CVSS 6.8) targets a security feature bypass in BitLocker, disclosed on May 12 alongside "GreenPlasma," a privilege escalation flaw in the Windows CTFMON component, which has not yet been assigned a CVE. Microsoft has released mitigations for YellowKey. "MiniPlasma" was disclosed on May 15, and targets CVE-2020-17103, a CVSS 7.8 flaw allowing privilege elevation in Windows Cloud Files Mini Filter Driver, which is apparently exploitable in some current Windows builds despite it having been fixed in 2020.