The Lyceum: Cyber Intelligence Daily — Jun 05, 2026
Friday, June 5, 2026
The Big Picture
Today is a deadline day, and the deadlines are real. Google's June Android patch landed with a live zero-day already used in targeted attacks — and CISA's federal remediation clock on that exact flaw runs out today. Three more actively-exploited bugs joined the same catalog with deadlines this week, Mandiant named a five-month data-theft campaign against U.S. law firms, and Cisco's SD-WAN brain has a root-level flaw with no patch in sight. The connective tissue: attackers are abusing the things you already trust — your phone's OS, your network's control plane, your help desk — and the patch trains are moving faster than the stories explaining them.
What Just Dropped
- CVE-2025-48595 — Android Framework (14, 15, 16, 16-QPR2): patched in June bulletin, actively exploited, on CISA KEV. Integer overflow enabling local privilege escalation; Google says "limited, targeted exploitation." Federal deadline today.
- CVE-2024-21182 — Oracle WebLogic Server: actively exploited, added to KEV with a June 4 deadline. Legacy Java app server still running deep inside enterprise and government stacks.
- CVE-2022-0492 — Linux kernel: actively exploited, KEV deadline June 5. A four-year-old container-escape-class weakness finding new life.
- CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento): actively exploited, KEV deadline June 6. Deserialization flaw allowing unauthenticated compromise of e-commerce stores.
- CVE-2026-48778 — Notepad++ 8.9.6: patched (v8.9.6.1, May 26), public PoC live on Exploit-DB today. Config-hijack arbitrary code execution via config.xml; requires AppData write access.
- YAMCS 5.12.7 exploits: three fresh PoCs (no rate limiting, user enumeration, LDAP injection) against the satellite mission-control web interface. Researcher-published, not yet incident-confirmed.
- Microsoft NTLMv2 Hash Capture: turnkey exploit for forcing Windows clients to leak NTLMv2 auth hashes for relay or offline cracking. Toolsmith-level code, not yet a Metasploit module.
Today's Stories
Your Android Has a Live Zero-Day — And Today Was the Federal Deadline to Fix It
Someone is already exploiting a flaw in the core of your Android phone — and Google shipped the patch this week.
The June 2026 Android Security Bulletin fixes CVE-2025-48595, an elevation-of-privilege zero-day in the Android Framework — the layer of APIs and system services every app talks to directly, the operating system's nervous system. It's a high-severity integer overflow (CVSS 8.4) that, per SOCRadar, sits across multiple locations in the Framework. A malicious app can use it to quietly seize system-level control without the user touching anything.
Google described CVE-2025-48595 as possibly "under limited, targeted exploitation" — the language it uses when targeted attacks are confirmed but widespread exploitation isn't. CyberExpress notes this pattern usually points to commercial spyware vendors or nation-state actors going after journalists, activists, or officials. The flaw affects Android 14 through 16-QPR2 — the vast majority of phones in use. CISA added it to the Known Exploited Vulnerabilities catalog on June 2 with a remediation deadline of today.
What changes if defenders act: this stays a targeted-spyware problem.
What failure looks like: the exploit leaks into commodity malware, and a four-billion-device install base becomes the largest unpatched attack surface on earth. The signal to watch is attribution — if a named actor surfaces, the "limited" framing either holds or collapses.
Check your patch level now: Settings → About Phone → Android Security Update. If it doesn't say 2026-06-05, you're exposed. Pixel gets it immediately; Samsung and Motorola follow on their own schedules — historically, weeks.
Five Months Inside U.S. Law Firms — Mandiant Names the Campaign
Merger terms, litigation strategy, executive correspondence — exactly what financially motivated hackers want, and Mandiant just confirmed someone has been methodically collecting them since January.
In its "Seeking Counsel" report published today, Mandiant documented a financially motivated data-theft and extortion campaign against U.S. law firms running January through May 2026. No ransomware, no encryption, no locked files — the attackers got in, stayed quiet, and walked out with documents before anyone noticed. The hallmark was patience: persistence for days, lateral movement, repository reconnaissance, then exfiltration.
The tactics overlap with what the FBI attributes to the Silent Ransom Group — also tracked as Luna Moth, Chatty Spider, and UNC3753 — which has hit U.S. law firms since 2023 using fake help-desk calls and phishing. The Record reported the spring 2026 twist: when remote-access tricks fail, the group now sends a person to the victim's office, claiming they need to image a device, then copies data to external storage. Posing as internal IT, they talk employees into granting remote desktop access.
What changes if this lands: "we don't have anything worth encrypting" stops being a defense. Pure exfiltration extortion forces every firm to treat client confidentiality as a live attack surface, not a compliance checkbox. What failure of defense looks like: named victim disclosures this week — and the legal sector discovering it audited the wrong risk for years. If you're reassessing exposure, start with your shared legal-tech platform or managed IT provider.
CISA Just Added Four Actively Exploited Flaws to KEV — Android, Linux, WebLogic, and Magento
If you've been putting off patching because nothing looked on fire, CISA just lit the match. Four new KEV entries hit a wide slice of defenders: CVE-2026-45247 (Mirasvit Full Page Cache Warmer), CVE-2022-0492 (Linux kernel), CVE-2025-48595 (Android Framework), and CVE-2024-21182 (Oracle WebLogic Server). The deadlines are immediate — June 4, 5, and 6.
The Linux entry is the eye-catcher because it's old. CVE-2022-0492 is a container-escape-class kernel weakness that keeps finding new life wherever organizations forget how much Linux runs under the hood. The Android entry mirrors Google's own bulletin. WebLogic remains a perennial favorite when enterprises leave legacy Java infrastructure exposed longer than intended. And the Mirasvit plugin bug matters because it hits Magento e-commerce deployments — criminal groups after payment data won't wait for a government deadline.
What changes: KEV inclusion means exploitation is confirmed in the wild, not theoretical.
What failure looks like: missed deadlines surfacing weeks later as "unrelated" municipal ransomware and small-business breaches. The signal to watch is scanning telemetry — a WebLogic spike in the next 48 hours means opportunistic actors have already weaponized it.
Cisco's SD-WAN Brain Has a Root-Level Flaw — And There's No Patch Yet
Cisco customers got one of the least comforting phrases in security: a bug that leads to root access, with no patch or workaround yet.
Reporting on June 5, including Security Affairs, describes CVE-2026-20245 — a command-injection flaw in Cisco Catalyst SD-WAN Manager. An authenticated attacker with netadmin privileges can upload a crafted file and execute commands as root. The NVD record (CVSS 7.8) carries Cisco's own note that it has observed limited exploitation, with some cases resulting in configuration changes pushed to edge devices. That last detail reframes the bug: this isn't merely "root on an appliance" — it's a demonstrated path from management plane into downstream network manipulation.
SD-WAN Manager is the brain of a distributed corporate network. Root there is closer to getting the master key and the building blueprint at once. Cisco's recent remediation guidance for other SD-WAN issues underscores how central these controllers are. The honest caveat: details circulating in secondary reporting are richer than the directly retrievable Cisco advisory text, so attribute the "no fix yet" status to current reporting and watch Cisco's PSIRT channel.
What to watch: if Cisco doesn't ship a fix within days and CISA pairs a KEV listing with an emergency directive, exploitation has moved from targeted to opportunistic faster than guidance can keep up.
⚡ What Most People Missed
- A working Notepad++ exploit just hit Exploit-DB: Kavin Jindal of Avyukt Security published a PoC for CVE-2026-48778, abusing the commandLineInterpreter config tag that Notepad++ reads without validation and passes to ShellExecute. Anyone with write access to %APPDATA%\Notepad++\ can substitute an arbitrary executable. The patch (v8.9.6.1) shipped May 26 — but the PoC moves this from advisory to commodity post-exploitation primitive.
- Notepad++ has been a Chinese APT target before: Today's drop is the third significant Notepad++ security event of 2026. A hosting-provider breach let attackers hijack update traffic starting June 2025, delivering a backdoor dubbed Chrysalis per Rapid7 and Kaspersky, attributed to a suspected Chinese state-sponsored group. Then a February search-path flaw (CVE-2026-25926). Now this. Three events in six months in one ubiquitous, lightly-managed editor is a pattern, not a coincidence.
- Three fresh exploits hit satellite mission-control software YAMCS: Exploit-DB added no-rate-limiting, user-enumeration, and LDAP-injection PoCs against YAMCS 5.12.7's web interface in one day. YAMCS runs telemetry and command systems in aerospace and satellite projects — workable LDAP injection plus weak account protections is exactly what you'd want to pivot from internet exposure into internal control networks. Multiple PoCs landing at once is the classic tell that niche critical-infra software has hit attackers' radar.
- Turnkey NTLMv2 hash theft just became copy-paste: An Exploit-DB entry packages a technique for forcing Windows clients to leak NTLMv2 authentication hashes to an attacker-controlled endpoint — for relay or offline cracking. It plugs straight into Active Directory lateral-movement playbooks, especially where NTLM is still allowed and outbound SMB/WebDAV isn't locked down. Not a Metasploit module yet, but these primitives rarely stay toolsmith-only for long.
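Because the Notepad++ hijack above lives in a single config value, a defender can sweep endpoints for it. The check below is an added example (not code from the newsletter, the PoC or the Notepad++ project); it assumes the setting is stored as a GUIConfig element named commandLineInterpreter inside config.xml with a shipped default of cmd, and flags any value that is neither that default nor an executable under the Windows system directory.

```python
"""Audit a Notepad++ config.xml for a tampered commandLineInterpreter value.

Added detection example for the CVE-2026-48778 class of config hijack; it is
not code from the newsletter, the PoC or the Notepad++ project.  Assumed:
Notepad++ stores the setting as <GUIConfig name="commandLineInterpreter">
inside config.xml and the shipped default is the bare token "cmd".
"""
import ntpath
import xml.etree.ElementTree as ET

DEFAULT_INTERPRETER = "cmd"                      # assumed shipped default
TRUSTED_PREFIXES = ("c:\\windows\\system32\\",   # where cmd.exe normally lives
                    "c:\\windows\\sysnative\\")

def classify_interpreter(value: str) -> str:
    """Return 'default', 'trusted-path' or 'suspicious' for one config value."""
    v = value.strip()
    if v.lower() == DEFAULT_INTERPRETER:
        return "default"
    norm = ntpath.normpath(v).lower()
    # A bare name (or a name plus arguments) resolves through the search
    # path; only the shipped default is expected in that form.
    if ntpath.dirname(norm) == "":
        return "suspicious"
    if norm.startswith(TRUSTED_PREFIXES) and norm.endswith(".exe"):
        return "trusted-path"
    return "suspicious"          # e.g. anything pointing under %APPDATA%

def audit_config(config_xml: str) -> list[tuple[str, str]]:
    """Return (value, verdict) for every commandLineInterpreter entry found.

    An empty list means the tag is absent, so Notepad++ uses its built-in default.
    """
    root = ET.fromstring(config_xml)
    return [(node.text or "", classify_interpreter(node.text or ""))
            for node in root.iter("GUIConfig")
            if node.get("name") == "commandLineInterpreter"]

# Constructed sample: an interpreter redirected into the user's AppData folder.
SAMPLE_TAMPERED = """<NotepadPlus>
  <GUIConfigs>
    <GUIConfig name="commandLineInterpreter">C:\\Users\\alice\\AppData\\Roaming\\Notepad++\\cmd.exe</GUIConfig>
  </GUIConfigs>
</NotepadPlus>"""

if __name__ == "__main__":
    for value, verdict in audit_config(SAMPLE_TAMPERED):
        print(f"{verdict:12} {value}")
```

Run it against each user's %APPDATA%\Notepad++\config.xml collected by your endpoint agent; a verdict of suspicious on a host that was never patched to v8.9.6.1 is worth an incident ticket, not just a patch reminder.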
From the Foreign Press
Steam Profile Comments Are Now a Malware Command Channel
Russian-language outlet Xakep reported today that a malware campaign is using Steam user-profile comment sections as a covert command-and-control channel — the mechanism by which malware fetches instructions. The technique is elegant in a troubling way: Steam is a trusted, high-traffic gaming platform that most corporate firewalls wave through without inspection, and encoding commands in public comments lets attackers update their malware's behavior without touching infrastructure that looks suspicious. We've covered similar abuse of Discord, OneDrive, and GitHub in recent issues, but Steam's massive user base and near-universal firewall exemption make it a particularly durable channel — and the platform has little incentive to police comment sections for encoded traffic.
Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
SiribClone Is Spying on Russian Soldiers Through Telegram
Russian threat-intelligence firm F6, in reporting covered by Xakep today, documented a cluster it tracks as SiribClone running a mobile-spyware campaign aimed specifically at Russian military personnel via Telegram. The spyware collects location data, messages, and device information — intelligence with obvious value in an active conflict zone. The targeting is notable: Russian soldiers are being surveilled through the same app the Russian military has tried to restrict, suggesting either a foreign or domestic operation. F6 did not publicly attribute SiribClone to a specific actor in the available reporting; the campaign is documented only in Russian-language sources so far.
Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
A VS Code Zero-Day Allowed GitHub Token Theft
Xakep reported overnight on a zero-day in Visual Studio Code that could let attackers steal GitHub tokens, compromising developer accounts and potentially private repositories. This is the same class of flaw tied to the GitHub 3,800-repo breach covered in earlier issues — the structural problem being that a single malicious extension can silently harvest authentication tokens. The disclosure has reignited the researcher-versus-vendor trust dispute around how these bugs get reported and patched. Details are still emerging; developers should review extension hygiene and GitHub token permissions now.
Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
An HTTP/2 "Bomb" Can Knock Out Web Servers in Seconds
Xakep detailed a denial-of-service technique dubbed "HTTP/2 Bomb" overnight: a small, specially crafted HTTP/2 request that forces a server to consume excessive resources, causing a quick shutdown. The insidious part is that it's nearly indistinguishable from legitimate traffic, which defeats traditional DoS mitigation. The new reporting suggests fresh tooling is circulating around a known attack class — any organization running internet-facing web servers without HTTP/2 request-size limits is potentially exposed.
Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Google or a major threat-intel firm names the actor behind CVE-2025-48595 in the next week, it tells you whether this is Pegasus-class commercial spyware or a state operation — which decides who's actually being hunted.
- If the Mandiant law-firm campaign produces named victim disclosures this week, pure data-theft extortion becomes the template that retires "we have nothing worth encrypting" as a defense.
- If Western outlets confirm F6's SiribClone attribution, it becomes the first publicly named cluster documented surveilling Russian military personnel through Telegram — with operational-security implications on both sides of the war.
- If the Steam C2 technique gets a public IOC release or Sigma rule, enterprises will have to start treating gaming-platform traffic as a threat vector almost no firewall policy currently inspects.
- If the YAMCS PoCs move from researcher repos to incident reports, a niche aerospace control stack joins the list of critical-infrastructure software that defenders never knew was internet-exposed.
The Closer
Today's lesson in misplaced trust: a phone's own nervous system turned against it, a Steam profile comment quietly issuing kill orders, and a stranger walking into a law firm to "image a device" with a USB drive in his pocket. The most honest threat model of 2026 is that the call really is coming from inside the help desk — and it's polite, well-dressed, and asking for remote desktop access. Patch what's on fire; the deadlines aren't suggestions.
Forward this to the colleague who still thinks "we don't have anything worth encrypting" is a security strategy.
⚡ EDGE Signals
The following signals appeared in the adversarial edge sweep but were not carried forward in the primary synthesis:
- Today's early signals reveal a persistent scramble to address critical vulnerabilities, with a strong focus on core infrastructure and widely used platforms. We're seeing active exploitation of unpatched systems, including a significant zero-day in Cisco's SD-WAN solution, alongside Google's efforts
- Cisco has disclosed a critical, unpatched zero-day vulnerability, tracked as CVE-2026-20245, affecting its Catalyst SD-WAN Manager. This privilege escalation flaw allows an authenticated, local attacker to execute arbitrary commands as root by uploading a specially crafted file to the system. The ne
- Google today released its June 2026 Android security patches, addressing 124 vulnerabilities, including one high-severity zero-day, CVE-2025-48595, which is already under active exploitation in targeted attacks. This privilege escalation flaw resides in the Android Framework and affects devices runn
- YAMCS is an open-source telemetry and command system used in mission-control-style environments, including satellite and aerospace projects, so this isn't just another CRUD webapp. A workable LDAP injection plus weak account protections is exactly what you need to pivot from internet exposure in
- Global ransomware activity rises modestly in May as Qilin, The ...: Ransomware activity edged higher in May 2026, with researchers at Comparitech recording 661 attacks worldwide, a 3% increase from April's 640 incidents.