Vulnerability Intelligence Report — July 6, 2026
New CISA KEV: 0 | KEV calendar still clear | FortiBleed traced to INC and Lynx ransomware | Cisco confirms Unified CM exploitation | Opera GX critical flaw auto-installs malicious mods | North Korean PolinRider: 108 malicious packages | AI-driven ransomware: JadePuffer automates attacks | Oracle EBS Payments under active exploitation
Previous reports: July 5, 2026 | July 4, 2026
Monday, July 6, 2026 — the CISA KEV calendar remains clear for the second consecutive day with no new additions and no active deadlines. But the start of the new week brings significant developments. The FortiBleed campaign has been traced to the INC and Lynx ransomware operations, with researchers also investigating a potential zero-day vulnerability in the attack chain. Cisco has finally confirmed that attackers are actively exploiting CVE-2026-20230 in Unified Communications Manager — the KEV overdue count now stands at 8 days. A critical Opera GX browser flaw allowed malicious websites to silently install mods capable of stealing data from visited pages, patched in version 130.0.5847.89. North Korean threat actors published 108 malicious packages and Chrome extensions in the PolinRider campaign, targeting npm, Packagist, and Go registries. And the JadePuffer ransomware group has deployed an AI agent to fully automate the attack chain — from initial access to data exfiltration and encryption — marking a concerning evolution in ransomware capability.
Quick Reference — Most Important Items Today
FortiBleed: Traced to INC and Lynx ransomware operations — 74K credentials, 12+ orgs, potential zero-day under investigation
Opera GX: Critical flaw — malicious websites auto-install mods to steal data from visited pages — patched in v130.0.5847.89
Cisco Unified CM CVE-2026-20230: Cisco finally confirms active exploitation — SSRF vulnerability — KEV 8 days overdue
North Korean PolinRider: 108 malicious packages across npm, Packagist, Go, and Chrome — ongoing supply chain campaign
JadePuffer Ransomware: AI agent used to automate entire attack chain — initial access to encryption — new threat evolution
Cisco SD-WAN: CISA warns of escalating attacks via CVE-2026-20262 and CVE-2026-20245 — Catalyst SD-WAN Manager
Oracle EBS CVE-2026-46817: Oracle Payments CVSS 9.8 — active exploitation attempts confirmed
Oracle PeopleSoft CVE-2026-35273: 21 days overdue KEV — ShinyHunters ransomware — breach data confirmed posted
SimpleHelp CVE-2026-48558: 4 days overdue KEV — exploited to deploy stealer malware
Microsoft SharePoint CVE-2026-45659: 2 days overdue KEV — deserialization RCE — active attacks
Overdue KEV: SharePoint +2 | SimpleHelp +4 | PTC Windchill +8 | Cisco Unified CM +8 | Cisco SD-WAN +7 | Ubiquiti +10 | Oracle PeopleSoft +21 | Ivanti Sentry +22 | Check Point +25 (ransomware) | Mirasvit +30 | PAN-OS +35
FortiBleed — Traced to INC and Lynx Ransomware Operations
Software affected: Fortinet FortiGate firewalls and VPN gateways — all models — compromised via stolen credentials and brute force.
CVE: No single CVE — this is a multi-vector credential campaign. Researchers are also investigating the role of a suspected zero-day vulnerability in the attack chain. Cybersecurity Dive reports that the FortiBleed campaign has been traced to the INC and Lynx ransomware operations. 74,000 stolen Fortinet credentials were advertised for sale in June.
Status: At least twelve organisations confirmed as ransomware victims. The INC and Lynx ransomware groups are known for aggressive extortion tactics and data leak operations. The attribution to established ransomware operations suggests this is not a one-off credential harvesting campaign but a sustained, professionalised operation. Researchers are actively investigating whether a zero-day vulnerability in FortiGate appliances is being used as part of the attack chain, in addition to credential-based access. The 74,000-credential leak remains a systemic risk to any organisation with internet-exposed FortiGate admin interfaces.
Recommended action: Immediately rotate all FortiGate administrative credentials. Enforce MFA on all administrative interfaces. Restrict admin access to trusted IPs. Apply latest FortiOS firmware. Audit VPN and firewall logs for signs of pre-existing compromise. Monitor for updates on the potential zero-day investigation.
Official source: Cybersecurity Dive: FortiBleed traced to INC and Lynx | Security.nl: Gehackte Fortinet-firewalls | Dedicated advisory
Opera GX — Critical Flaw: Auto-Install Mods Steal Data From Visited Pages
Software affected: Opera GX browser — the gaming-focused version of Opera. Fixed in version 130.0.5847.89.
CVE: No CVE assigned. Opera’s bug bounty team rated the issue P1 (critical severity) and paid the maximum $5,000 award. The flaw allowed a malicious website to silently install a browser add-on (GX Mod) without any user approval or click, and use it to extract specific data from pages the victim visits.
Status: Researchers demonstrated a proof-of-concept where they reconstructed a signed-in user’s full Gmail address from a single page visit, with zero clicks required. The attack works because Opera GX’s mod pipeline automatically downloads and enables mods with no approval prompt. A malicious page can load a hidden iframe pointing at a .crx file to trigger the installation. GX Mods cannot run JavaScript and hold no permissions, but they can inject custom CSS that restyles sites — which is sufficient to exfiltrate visible page content. Opera says it found no evidence of exploitation in the wild. Users on current builds (130.0.5847.89+) are protected.
Recommended action: Ensure Opera GX is updated to version 130.0.5847.89 or later. Check at opera://about. This is a critical browser security issue — while the attack surface is limited to Opera GX users, the zero-click, no-approval nature of the exploit makes it exceptionally dangerous.
Official source: The Hacker News: Opera GX Flaw | Opera GX changelog (v130.0.5847.89)
Cisco Unified CM — CVE-2026-20230 (SSRF, Confirmed Active Exploitation)
Software affected: Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME).
CVE: CVE-2026-20230 | CISA KEV added June 25 — deadline was June 28, now 8 days overdue | SSRF vulnerability allowing unauthenticated remote attackers to conduct server-side request forgery attacks. Cisco has finally confirmed active exploitation after weeks of researchers reporting attacks.
Status: Cisco confirmed that attackers are actively exploiting this vulnerability. The KEV deadline passed on June 28 — organisations that have not patched are now 8 days past the CISA-mandated deadline. Cisco Unified CM is a core telephony infrastructure component deployed in enterprise environments; exploitation can lead to network reconnaissance, credential harvesting, and lateral movement. The delayed confirmation from Cisco is notable — researchers had been reporting exploitation for weeks before the vendor formally acknowledged it.
Recommended action: Apply the Cisco Unified CM security update immediately. The KEV deadline has passed — patch before enforcement action is taken. Restrict access to Unified CM management interfaces to trusted IPs. Audit logs for signs of SSRF-based reconnaissance.
Official source: BleepingComputer: Cisco confirms Unified CM exploitation | NVD: CVE-2026-20230 | CISA KEV Catalog
North Korean PolinRider Campaign — 108 Malicious Packages Across npm, Packagist, Go, Chrome
Software affected: npm (JavaScript), Packagist (PHP), Go modules, and Google Chrome extensions — any development environment using these registries.
CVE: No single CVE — this is a coordinated supply chain attack campaign. The North Korean threat actors linked to the Contagious Interview campaign have published 108 unique malicious packages and browser extensions spanning 19 npm libraries, 10 Composer packages, 61 Go modules, and one Google Chrome extension. 162 malicious release artifacts have been identified.
Status: Socket security researcher Karlo Zanki reports that the campaign remains active, with new malicious packages continuing to appear. The attackers are compromising maintainer accounts, modifying legitimate repositories, and publishing infected package versions. The campaign targets software developers through fake job recruitment — the “Contagious Interview” tactic — tricking them into downloading malicious packages disguised as technical assessments or coding challenges. The breadth of the campaign (108 packages across 4 registries) makes it one of the largest North Korean software supply chain operations disclosed this year.
Recommended action: Audit all npm, Composer, and Go dependencies for packages matching the known indicators of compromise. Implement a minimum package age policy — do not adopt newly published packages without vetting. Verify maintainer account integrity. Use registry scanning tools like Socket, Snyk, or npm audit to detect malicious packages.
Official source: The Hacker News: PolinRider Campaign | Socket Research Report
JadePuffer Ransomware — AI Agent Used to Automate Entire Attack Chain
Software affected: Multiple organisations targeted by the JadePuffer ransomware group — no specific software vulnerability.
CVE: No CVE — this is a TTP (tactics, techniques, and procedures) advisory. The JadePuffer ransomware group has deployed an AI agent to fully automate the attack chain from initial access to data exfiltration and encryption.
Status: BleepingComputer reports that the JadePuffer ransomware group used an AI agent to automate the entire attack lifecycle. This represents a significant evolution in ransomware capability: rather than requiring human operators to manually execute each stage of the attack, the group has deployed an AI-driven system that can autonomously move from initial compromise to data theft to encryption. This reduces the time-to-ransom, increases the scale of attacks a single operator can manage, and makes detection more difficult as the AI agent can adapt its behaviour. The use of AI agents in offensive operations is a rapidly emerging threat that security teams must prepare for.
Recommended action: Implement AI-aware detection controls that monitor for unusual automation patterns in authentication, lateral movement, and data access. Review endpoint detection and response (EDR) rules for behaviour that could indicate automated attack sequences. Ensure incident response playbooks account for the possibility of AI-driven, adaptive attack chains.
Official source: BleepingComputer: JadePuffer AI Ransomware
Cisco Catalyst SD-WAN — CISA Warns of Escalating Attacks via CVE-2026-20262 and CVE-2026-20245
Software affected: Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage), Cisco Catalyst SD-WAN Controller (formerly vSmart), Cisco Catalyst SD-WAN Validator (formerly vBond).
CVE: CVE-2026-20262 — Authenticated remote attacker can create or overwrite any file on the filesystem. CVE-2026-20245 — CLI vulnerability in SD-WAN Controller, Manager, and Validator. Both added to CISA KEV catalog (deadline June 23, now 7 days overdue for the second round, and June 29 for CVE-2026-20262, now 7 days overdue).
Status: CISA and researchers have warned of escalating attacks targeting these Cisco Catalyst SD-WAN vulnerabilities. The SD-WAN infrastructure is a critical networking component — successful exploitation can give attackers deep access to corporate network segmentation and routing. The KEV deadlines have passed, and CISA has explicitly warned that attacks are intensifying. Organisations using Cisco SD-WAN should treat this as an active threat.
Recommended action: Apply Cisco patches for CVE-2026-20262 and CVE-2026-20245 immediately. Restrict management access to SD-WAN controllers and managers to trusted IPs. Monitor for signs of file manipulation or unauthorised configuration changes.
Official source: Cybersecurity Dive: CISA warns of escalating SD-WAN attacks | NVD: CVE-2026-20262 | CISA KEV Catalog
KEV Deadline Watch
NO ACTIVE KEV DEADLINES: The CISA KEV calendar remains fully clear for the second consecutive day. No new KEV additions have been made since July 1.
Overdue — July 4 (+2 days): Microsoft SharePoint CVE-2026-45659 — deserialization RCE, actively attacked. Dedicated advisory.
Overdue — July 2 (+4 days): SimpleHelp CVE-2026-48558 — authentication bypass, exploited to deploy stealer malware. Dedicated advisory.
Overdue — June 29 (+7 days): Cisco Catalyst SD-WAN Manager CVE-2026-20262 — file overwrite, escalating attacks.
Overdue — June 28 (+8 days): PTC Windchill CVE-2026-12569. Cisco Unified CM CVE-2026-20230 — SSRF, exploitation confirmed.
Overdue — June 26 (+10 days): Ubiquiti UniFi OS CVE-2026-34908/909/910 — CISA warning, active exploitation.
Overdue — June 23 (+13 days): Cisco Catalyst SD-WAN CVE-2026-20245. Chromium V8 CVE-2026-11645. Arista EOS CVE-2026-7473.
Overdue — June 15 (+21 days): Oracle PeopleSoft CVE-2026-35273 — ransomware, ShinyHunters.
Overdue — June 14 (+22 days): Ivanti Sentry CVE-2026-10520 — OS command injection, actively exploited.
Overdue — June 11 (+25 days): Check Point CVE-2026-50751 — known ransomware use.
Updates on Items from Previous Reports
FortiBleed: Traced to INC and Lynx ransomware operations. Potential zero-day under investigation. 12+ orgs confirmed victims. Dedicated advisory.
FortiSandbox CVE-2026-25089 + CVE-2026-26083: Both CVSS 9.8 — active exploitation continues. Dedicated advisory.
Oracle EBS CVE-2026-46817: Oracle Payments CVSS 9.8 — active exploitation attempts on honeypots. Dedicated advisory.
Cisco Unified CM CVE-2026-20230: Cisco finally confirmed active exploitation. 8 days overdue KEV.
SharePoint CVE-2026-45659: 2 days overdue. Active attacks. Dedicated advisory.
SimpleHelp CVE-2026-48558: 4 days overdue. Exploited to deploy stealer malware. Dedicated advisory.
CitrixBleed CVE-2026-8451: Exploited within 24 hours of June 30 disclosure. Dedicated advisory.
Bad Epoll CVE-2026-46242: Linux kernel 0-Day — root LPE affecting servers, desktops, and Android. Dedicated advisory.
Oracle PeopleSoft CVE-2026-35273: 21 days overdue. ShinyHunters breach data confirmed posted by insurance body.
WinRAR: Code execution via recovery volumes — patch to 7.23. No auto-update. Dedicated advisory.
Exchange Online CVE-2026-54998 + 365 Copilot CVE-2026-41106: Cloud-side patched. No customer action required.
FBI TeamPCP Warning: Developer tool supply chain attacks — ongoing campaign.
AI Agent Poisoning: SEO + hidden HTML prompt injection — new threat vector class.
FatFs: 7 CVEs in embedded filesystem — millions of IoT devices. No upstream fix for memory-corruption bugs.
Adobe ColdFusion: 6 CVSS 10.0 vulnerabilities — patch window expired.
Microsoft Defender: BlueHammer ransomware campaign continues + disable-Defender campaign.
Medtronic/ShinyHunters: 3.8 million patients affected — ShinyHunters claimed responsibility.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
