End-of-Day report
Timeframe: Tuesday 30-06-2026 18:00 - Wednesday 01-07-2026 18:00
Handler: Michael Schlagenhaufer
Co-Handler: Guenes Holler
News
CitrixBleed To Infinity And Beyond (Citrix NetScaler Pre-Auth Memory Overread CVE-2026-8451)
For those that don't start violently retching when the phrase "Citrix NetScaler" is uttered, we have another word to whisper: "CitrixBleed". As many know, the term CitrixBleed now refers to not a single vulnerability, but an entire class of Memory Disclosure-esque vulnerabilities in Citrix NetScaler devices, many of which have played roles in breaches and incidents in recent memory. [..] We've given up counting the numbers, and so we've decided to call this vulnerability "CitrixBleed To Infinity And Beyond".
https://labs.watchtowr.com/citrixbleed-to-infinity-and-beyond-citrix-netscaler-pre-auth-memory-overread-cve-2026-8451/
Over 900 Oracle E-Business instances exposed to ongoing attacks
Over 900 Oracle E-Business Suite (EBS) instances have been found exposed online amid ongoing attacks exploiting a critical security flaw.
https://www.bleepingcomputer.com/news/security/over-900-oracle-e-business-instances-exposed-to-ongoing-attacks/
The SOC Files: ScreenConnect masked as freeware. An inside look at a large-scale campaign
Kaspersky experts have uncovered a malicious network infrastructure for delivering AsyncRAT. The Trojan is dropped via compromised ScreenConnect software. In this post, we break down the infection chain and analyze the C2 infrastructure.
https://securelist.com/tr/the-soc-files-screenconnect-campaign-with-asyncrat/120472/
Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data
New Microsoft research shows how attackers can hijack AI agents that act on a user's behalf, using nothing more than a poisoned tool description to make the agent quietly hand over company data to an outsider. The trick is that the agent never breaks a rule. Every step looks routine, so in a default setup no alarm may fire.
https://thehackernews.com/2026/06/microsoft-warns-poisoned-mcp-tool.html
RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS
A new two-stage malware family called RustDuck is hijacking home routers, IP cameras, Android boxes, and poorly secured servers, then stitching them into a network built to knock websites and online services offline. [..] RustDuck does not lean on a single clever trick. It sprays a mix of old, well-known weaknesses and hopes one sticks. The first is the oldest in the book: devices left on the internet with weak or default passwords on their remote-login services (Telnet and SSH). Guess the password, walk in.
https://thehackernews.com/2026/06/rustduck-botnet-rebuilds-in-rust-to.html
Phantom Squatting: AI-Hallucinated Domains as a Software Supply Chain Vector
Unit 42 researchers found that large language models (LLMs) consistently hallucinate web domains for legitimate brands. Adversaries are actively weaponizing this vector by registering these nonexistent domains to intercept traffic generated by AI systems. We call this phenomenon phantom squatting, and it poses a significant risk to the software supply chain.
https://unit42.paloaltonetworks.com/phantom-squatting-hallucinated-web-domains/
ARToken: Inside an EvilTokens affiliate panel targeting Microsoft 365
Cisco Talos identified a fully-featured phishing-as-a-service (PhaaS) operator panel, branded "ARToken," that shares infrastructure, API contracts, and operational patterns with the EvilTokens platform documented by Sekoia and Microsoft in early 2026.
https://blog.talosintelligence.com/artoken-inside-an-eviltokens-affiliate-panel-targeting-microsoft-365/
Browser-Only Ransomware: From LLM Hallucinations to a Practical Attack Technique
In this research, DeepSeek connected unrealistic browser-malware concepts with a real browser capability, turning an AI-generated malware hallucination into a plausible browser-native ransomware technique. Although the generated sample was incomplete, it exposed a practical abuse path based on the File System Access API and access to photo directories.
https://research.checkpoint.com/2026/browser-only-ransomware-from-llm-hallucinations-to-a-practical-attack-technique/
Vulnerabilities
Adobe patches seven max severity ColdFusion, Campaign flaws
Adobe has released security patches for seven maximum-severity vulnerabilities in the ColdFusion web app development platform and the Campaign Classic marketing automation platform.
https://www.bleepingcomputer.com/news/security/adobe-patches-seven-max-severity-coldfusion-campaign-flaws/
Huge update: 382 security vulnerabilities discovered in Google Chrome
The latest Chrome version closes almost 400 security vulnerabilities, some of them critical. Corresponding updates are expected to follow for Edge, Vivaldi and Brave as well.
https://www.golem.de/news/riesiges-update-382-sicherheitsluecken-in-google-chrome-entdeckt-2607-210372.html
Citrix Patches Six NetScaler Flaws Allowing File Read and Denial-of-Service
Citrix on Tuesday released security updates to address multiple flaws in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that could be exploited by an attacker to facilitate arbitrary file reads or trigger a denial-of-service (DoS) condition. CVE-2026-8451 (CVSS score: 8.8) - An insufficient input validation vulnerability leading to memory overread when NetScaler ADC or NetScaler Gateway is configured as a SAML IDP.
https://thehackernews.com/2026/07/citrix-patches-six-netscaler-flaws.html
Root security vulnerabilities closed in alternative router firmware OpenWRT
The OpenWRT developers have closed several critical security vulnerabilities, among other things, in a current release. [..] The most dangerous is considered to be a "critical" vulnerability in LuCI with a CVSS score of 9.9 out of 10. A CVE number has apparently not yet been assigned. A prerequisite for an attack is that the VPN service Tailscale is installed.
https://www.heise.de/news/Root-Sicherheitsluecken-in-alternativer-Router-Firmware-OpenWRT-geschlossen-11350761.html
HCL BigFix: PC remote management: Man-in-the-middle attacks on HCL BigFix possible
https://www.heise.de/news/PC-Fernverwaltung-Man-in-the-Middle-Attacken-auf-HCL-BigFix-moeglich-11350301.html
LWN: Security updates for Wednesday
https://lwn.net/Articles/1080689/
mozilla: Security Vulnerabilities fixed in Thunderbird 140.12.1
https://www.mozilla.org/en-US/security/advisories/mfsa2026-64/
mozilla: Security Vulnerabilities fixed in Thunderbird 152.0.1
https://www.mozilla.org/en-US/security/advisories/mfsa2026-63/
Genucenter: Publish SBA-ADV-20260424-01: Genucenter Disclosure of SNMP Credentials
https://github.com/sbaresearch/advisories/commit/d78bf80a4103af68e8c17ba027e813efc3780d50