Cisco Fixes SD-WAN Manager Zero-Day Exploited in the Wild
Cisco released patches for CVE-2026-20262, a zero-day in Catalyst SD-WAN Manager (formerly vManage) that has been actively exploited to escalate privileges to root, affecting all deployment types including on-prem, cloud-managed, and FedRAMP environments. The vulnerability stems from insufficient validation of user-supplied input during file uploads, allowing authenticated remote attackers with low privileges to overwrite arbitrary files and execute commands as root via crafted HTTP requests. Organizations running SD-WAN Manager should patch immediately, check vmanage-server and serviceproxy-access logs for attempts to upload .jsp and .war files, and treat any exposed management interfaces as potentially compromised given this is at least the fifth Cisco SD-WAN vulnerability to be exploited in active attacks this year.
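The log check recommended above can be scripted. The following is an added example, not Cisco's tooling or code from the original page: it flags write-style HTTP requests that reference .jsp or .war files, including percent-encoded and mixed-case variants. The log layout, the /example paths and the sample lines are constructed assumptions, since the page does not show the format of the vmanage-server or serviceproxy-access logs; adjust the patterns to the real format.

```python
import re
from urllib.parse import unquote

# Assumption: each line carries the HTTP method and request target, as in
# common access-log layouts; the real log field order may differ.
WRITE_REQUEST = re.compile(r'\b(POST|PUT|PATCH)\s+/', re.IGNORECASE)
# .jsp/.jspx/.war ending a path segment, filename or parameter value.
SUSPECT_EXT = re.compile(r'\.(jspx?|war)(?=$|[\s"\'?&;/#,)])', re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (%252E -> %2E -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_upload_attempts(lines):
    """Return (line_number, method, extension, raw_line) for each hit."""
    hits = []
    for number, raw in enumerate(lines, start=1):
        request = WRITE_REQUEST.search(raw)
        if not request:
            continue  # only write-style requests can carry an upload
        # Search the whole decoded line: the name may sit in the path, a
        # query parameter, or a logged multipart filename field.
        match = SUSPECT_EXT.search(decode_fully(raw))
        if match:
            hits.append((number, request.group(1).upper(),
                         match.group(1).lower(), raw))
    return hits


# Constructed sample lines: documentation IPs and hypothetical /example paths.
SAMPLE_LOG = [
    '192.0.2.10 - user1 [01/Jan/2026:10:01:02 +0000] "GET /example/status HTTP/1.1" 200 512',
    '192.0.2.44 - user2 [01/Jan/2026:10:03:17 +0000] "POST /example/upload?name=report.war HTTP/1.1" 200 88',
    '192.0.2.44 - user2 [01/Jan/2026:10:03:40 +0000] "POST /example/upload?name=x%2Ejsp HTTP/1.1" 200 88',
    '192.0.2.44 - user2 [01/Jan/2026:10:04:02 +0000] "PUT /example/files/a%252EJSP HTTP/1.1" 201 0',
    '192.0.2.10 - user1 [01/Jan/2026:10:05:00 +0000] "POST /example/upload?name=warning.txt HTTP/1.1" 200 88',
    '192.0.2.10 - user1 [01/Jan/2026:10:06:00 +0000] "GET /example/help.jsp HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for number, method, ext, _ in find_upload_attempts(SAMPLE_LOG):
        print(f"line {number}: {method} request referencing .{ext}")
```

A hit is a lead for review rather than proof of exploitation; correlate it with the response status, the authenticated user, and file changes on the host.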
ShinyHunters Claims Council of Europe Hack, Threatens to Leak 297GB of Employee Data
The ShinyHunters extortion group has added the Council of Europe to its leak site, claiming to have stolen 297GB of sensitive employee data including payroll records for more than 10,000 staff dating back to 2011, over 14,000 CVs, contract and purchase order records, bank account information, medical records, and performance evaluations. The group set a June 16 deadline for the Council to initiate ransom negotiations, with the Council confirming it is investigating the claims but offering no further details. The breach, if confirmed, would represent a significant compromise of one of Europe’s most prominent intergovernmental institutions — the same body that oversees the European Court of Human Rights — and follows ShinyHunters’ pattern of high-profile institutional targets after the European Commission, Carnival, Canvas, and Grafana earlier this year.
Attacker Backdoors Three Popular WordPress Plugins Affecting Millions of Sites
An attacker tampered with JavaScript files served by three WordPress plugins (PushEngage, OptinMonster, and TrustPulse), all owned by the same company, Awesome Motive, injecting malicious code that silently created attacker-controlled admin accounts and installed a hidden backdoor plugin whenever a logged-in site administrator visited an affected page. Security firm Sansec disclosed the campaign on June 13 after finding the same malicious code embedded across all three plugins’ CDN-served scripts. PushEngage confirmed that an attacker had replaced its script; the company subsequently replaced the CDN key, cleared caches, and migrated to new infrastructure. Any WordPress site running these plugins should be treated as compromised: site administrators should audit for unexpected admin accounts, remove unrecognized plugins, and rotate all credentials, as the malicious payload was triggered by a logged-in administrator's visit and did not require ordinary visitor traffic.
Ukrainian Conti Ransomware Member Pleads Guilty, Faces 20 Years
Oleksii Oleksiyovych Lytvynenko, a 44-year-old Ukrainian national extradited from Ireland, pleaded guilty to conspiracy to commit wire fraud for his role in the Conti ransomware operation, which infected more than 1,000 organizations worldwide and extorted at least $150 million in ransom payments between 2020 and 2022. Lytvynenko admitted to joining the conspiracy in September 2021, possessing stolen data from eight U.S. victims and four overseas victims, and helping develop a malware loader used in Conti attacks — continuing his cybercrime activity even after Conti disbanded when its members pledged support for Russia following the invasion of Ukraine. He faces up to 20 years in prison at sentencing scheduled for September 10, 2026, and the case follows a separate May sentencing of another Conti affiliate, signaling continued DOJ momentum in pursuing the group’s global membership.
ShinyHunters Claims Kodak Hack, Threatens to Leak 2.2 Million Records by June 18
ShinyHunters has listed Kodak on its dark web leak site, claiming to hold over 2.2 million records containing customer PII and internal corporate data, with a final warning deadline of June 18 before the group threatens to publicly leak the stolen information alongside unspecified “annoying digital problems.” The claim lands the same day the group also listed Sysco — the world’s largest food distributor — alleging theft of more than 61 million Salesforce records, continuing ShinyHunters’ prolific 2026 campaign that has already targeted the European Commission, Council of Europe, Carnival, Canvas, Grafana, CarGurus, 7-Eleven, and dozens of others. Organizations that use Salesforce or share infrastructure with known ShinyHunters targets should urgently audit their Salesforce access logs, review OAuth token activity, and verify whether any SSO credentials may have been compromised through the group’s ongoing vishing campaigns.