The Lyceum: Cyber Intelligence Daily — Jun 05, 2026
Friday, June 5, 2026
The Big Picture
Today is a deadline day with teeth. Two actively exploited flaws — one in every Android phone made in the last two years, one buried in the Linux kernel — hit their federal patching deadlines, while CISA's Magento exploit clock expires tomorrow with live attack payloads already confirmed in the wild. Layer on a 2.6-million-record Medicaid dental dump that ShinyHunters just published after a failed ransom, a ransomware crew willing to send fake IT staff to your front desk, and two espionage stories breaking in Russian-language press before the West catches up — and you have a genuinely loaded Friday, not a slow one.
What Just Dropped
- CVE-2026-45247 — Mirasvit Full Page Cache Warmer (Magento), all versions before 1.11.12: actively exploited, patched May 25, KEV deadline June 6. PHP deserialization flaw giving unauthenticated remote code execution; Imperva confirms live payloads.
- CVE-2025-48595 — Android Framework (Android 14 and later): actively exploited, patched in June bulletin, KEV deadline today. Integer overflow enabling local privilege escalation; Google confirms limited, targeted exploitation.
- CVE-2026-28318 — SolarWinds Serv-U: KEV-listed, patch available (update to 15.5.4+), deadline June 19. Uncontrolled resource consumption in an internet-facing managed file transfer product with a long state-actor history.
- CVE-2022-0492 — Linux kernel (cgroups v1): actively exploited, patched, KEV deadline today. Container-escape and privilege-escalation flaw still live in legacy and embedded systems.
- CVE-2024-21182 — Oracle WebLogic Server: actively exploited, patched July 2024, KEV deadline was June 4. Two-year-old fix now seeing observed exploitation.
- YAMCS yamcs-core 5.12.7 PoCs: three fresh Exploit-DB proofs-of-concept (LDAP injection, user enumeration, no rate limiting) against open-source aerospace mission-control software — researcher code, not yet field-confirmed.
- Notepad++ 8.9.6 ACE: Exploit-DB entry for arbitrary code execution in one of the most widely used Windows editors; no vendor advisory attached, behaves like a quietly dropped 1-day.
Today's Stories
Your Magento Store Is Being Robbed Right Now — Patch Before Tomorrow Morning
If your company runs an e-commerce store on Magento — or works with a vendor who does — this is the most urgent item on your plate today.
CISA added CVE-2026-45247, a critical flaw in Mirasvit Full Page Cache Warmer (a popular Magento caching extension), to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The vulnerability, rated CVSS 9.8, is a deserialization flaw — attackers feed the server a specially crafted cookie and get it to execute arbitrary PHP code. No login required, full server access. It affects every version before 1.1.12, and patches landed May 25. The gap between patch and active exploitation: under two weeks.
Imperva has observed live attack traffic carrying base64-encoded serialized PHP objects designed to trigger remote code execution through commonly abused gadget chains, with payloads attempting to invoke functions like system(). "In several observed cases, attackers used test commands designed to validate successful code execution," the company said. Activity has concentrated on gaming and business sites, with the U.S., U.K., France, and Australia most targeted.
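As an added illustration that is not from the original newsletter, Imperva or the vendor: a small detection heuristic that scans a request's Cookie header for raw or base64-encoded serialized PHP objects of the kind described above, the pattern a WAF rule or log-review script would look for. The cookie name `warmer_cookie`, the class name and the sample values are constructed placeholders, not indicators from the real campaign.

```python
"""Flag request cookies that carry a serialized PHP object (raw or base64-encoded).

Added example for the cookie-borne deserialization pattern described above;
cookie names and sample values are constructed, not real indicators.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# PHP's serialize() writes objects as O:<len>:"<ClassName>":<n>:{...}
PHP_OBJECT_RE = re.compile(rb'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')


def decode_b64_loose(value: str) -> Optional[bytes]:
    """Base64-decode a cookie value, tolerating URL-safe alphabet and missing padding."""
    cleaned = value.strip().replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def find_php_object(value: str) -> Optional[str]:
    """Return the class name of a serialized PHP object in the value, or None.

    Checks the URL-decoded raw value first, then its base64 decoding.
    """
    candidates = [unquote(value).encode("utf-8", "replace")]
    decoded = decode_b64_loose(value)
    if decoded:
        candidates.append(decoded)
    for blob in candidates:
        match = PHP_OBJECT_RE.search(blob)
        if match:
            return match.group(1).decode("utf-8", "replace")
    return None


def scan_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Parse a Cookie header; return (cookie_name, class_name) for each suspicious value."""
    hits = []
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.strip().partition("=")
        cls = find_php_object(value)
        if cls is not None:
            hits.append((name, cls))
    return hits


# Constructed sample: benign session cookies plus one carrying a harmless
# serialized object under a placeholder class name.
SAMPLE_PAYLOAD = base64.b64encode(b'O:12:"ExampleClass":1:{s:4:"note";s:2:"hi";}').decode()
SAMPLE_HEADER = f"PHPSESSID=abc123def456; form_key=XyZ; warmer_cookie={SAMPLE_PAYLOAD}"
```

Run `scan_cookie_header(SAMPLE_HEADER)` to see the flagged cookie; in production the same check belongs at the edge (WAF or reverse proxy) where the cookie arrives, not after PHP has already unserialized it.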
Federal agencies have until tomorrow, June 6, to patch. What tells you which way this goes: if GreyNoise scanning telemetry against Cache Warmer instances spikes before the deadline, exploitation has shifted from targeted validation to mass opportunistic scanning — and every unpatched Magento checkout page is in the blast radius. Don't wait for a government deadline to tell you what attackers are already doing.
ShinyHunters Leaked 2.6 Million Medicaid Dental Records. Check If You're In It.
This one is directly about your patients, your employees, or possibly you.
DentaQuest, a U.S.-based dental benefits administrator that manages benefits for 32 million Americans, confirmed on June 2 that it was managing a cybersecurity incident involving unauthorized access to part of its network. The digital extortion group ShinyHunters claimed responsibility, said it exfiltrated 234 GB of data, attempted to negotiate a ransom, and — after failing to reach an agreement — published the lot.
Have I Been Pwned analyzed the leak and found 2.6 million unique email addresses, along with names, addresses, phone numbers, dates of birth, and genders. The healthcare enrollment files go further: some include Medicaid IDs, other government-issued IDs, Social Security numbers, and health information. BleepingComputer confirmed the exposure today.
The combination of Medicaid IDs, government IDs, and dental health records is a nastier class of stolen data than the usual email-and-password dump. It enables targeted fraud against people least equipped to deal with it. If this produces HIPAA breach notifications to state Medicaid programs in the next 30 days, the regulatory and class-action exposure will be substantial, and "Medicaid dental records" gets a formal price on criminal markets for the first time. Watch ShinyHunters' pace too: Charter (42M), Instructure, ADT, and now DentaQuest suggest they're operating at peak velocity. If you or a family member has used DentaQuest for Medicaid dental coverage, check haveibeenpwned.com now.
Google and the FBI Warn About a Gang That Sends Fake IT Workers to Your Door
Most cybercrime still arrives by email. This crew shows up in person.
TechCrunch reported today that Google's Mandiant and Google Threat Intelligence Group published research on the Silent Ransom Group, describing attacks from January through May 2026 in which the gang targeted dozens of victims and, in some cases, used physical, in-person access as part of the intrusion chain. The FBI had already warned the group was targeting law firms via social engineering while impersonating IT support staff.
Sit with that for a second. We spend years teaching people not to click weird links — and now the lesson includes "verify the helpful person with the badge and the laptop bag." Law firms make especially rich targets: they hold mergers, lawsuits, contracts, and confidential documents that are valuable even if nobody ever encrypts a server. The perimeter is becoming social again, not just technical.
For anyone who manages people, the defensive takeaway is procedural. Front desks, reception teams, and help-desk escalation paths now matter as much as email filters. "Unexpected IT visit" should be something employees know to challenge. The signal to watch: if named law-firm victims emerge, expect copycat crews to adopt the in-person model, and physical verification quietly becomes a mainstream cybersecurity control.
Critical SolarWinds Serv-U Flaws Offer Root Access — And One's Already in CISA's Crosshairs
SolarWinds Serv-U is back on the radar, and its history makes this worth your attention.
CVE-2026-28318 — an uncontrolled resource consumption flaw in Serv-U, SolarWinds' managed file transfer product — was added to the KEV catalog with a June 19 remediation deadline. Serv-U is internet-facing by design, which makes every KEV addition a high-urgency event. Over the last five years, multiple cybercrime and state-sponsored groups have targeted Serv-U flaws in data-theft campaigns, with the Clop gang having exploited a Serv-U remote code execution bug to breach corporate networks in ransomware attacks.
That lineage is the whole story here. Managed file transfer software is the soft underbelly of the supply chain — MOVEit and GoAnywhere proved that a single exposed transfer appliance can become a breach affecting thousands of downstream organizations who didn't even know their partners were running it. What separates a quiet patch cycle from a crisis: if exploitation of CVE-2026-28318 produces a named bulk-data-theft incident before the June 19 deadline, the MFT category re-enters MOVEit territory and the insurance repricing starts. If you run Serv-U, update to 15.5.4 or later now.
⚡ What Most People Missed
Singapore's CSA flagged active Langflow exploitation: Singapore's Cyber Security Agency warned that a critical Langflow flaw disclosed in December 2025 is now under active exploitation, alongside live abuse of a 2022 Linux kernel container-escape bug. Langflow sits in the middle of AI agent and LLM workflow stacks, so exploitation means attackers are moving from "poison the model" to "own the orchestration layer" — and the paired kernel escape points to Kubernetes environments being quietly walked around from inside rather than hammered from the edge.
Exploit-DB dropped working YAMCS exploits: Three fresh proofs-of-concept for YAMCS yamcs-core 5.12.7 — LDAP injection, user enumeration, and an auth endpoint with no rate limiting — give attackers a path to brute-force credentials and pivot into backend directory services. YAMCS is widely deployed as open-source mission-control software in aerospace and industrial environments, so this edges from "another webapp bug" toward OT and space infrastructure most defenders never knew was exposed.
A Notepad++ code-execution exploit hit Exploit-DB: A new entry documents arbitrary code execution in Notepad++ 8.9.6, one of the most widely used Windows editors among developers. No vendor advisory is attached, which makes it feel like a quietly dropped 1-day — and given how often the tool is used to inspect logs, scripts, and config pulled from production, routine troubleshooting becomes a potential infection path.
An Akira ransomware decryptor cracks keys with GPUs: Researcher Yohanes Nugroho (Tinyhack) released a decryptor for Akira's Linux variant that brute-forces per-file encryption keys using top-end GPUs — the project cost him $1,200 in GPU resources and three weeks. It's resurging on Hacker News today, suggesting incident responders are revisiting it as Akira activity picks up; the catch is that the operators will likely patch the method out, so this window is open for past victims, not future ones.
Ransomware activity edged up in May, led by Qilin: Researchers recorded a modest rise in global ransomware in May 2026, with Qilin, The Gentlemen, and DragonForce leading attack volumes. If Qilin's June count tracks above 100 by mid-month, it has effectively replaced LockBit as the dominant ransomware-as-a-service operation — which means detection-rule prioritization across the industry needs reordering around Qilin TTPs.
From the Foreign Press
SiribClone Is Spying on Russian Soldiers Through Telegram
Russian threat-intelligence firm F6, in reporting published today by Xakep, documented a cluster it tracks as SiribClone running a mobile-spyware campaign aimed specifically at Russian military personnel. The group uses social engineering — including impersonating women on dating apps — to lure servicemen into downloading an app called SafeLoveStealer, which exfiltrates audio, video, and geolocation data; a companion tool, SiribGrabber, steals personal and technical information from computers. The name matches no existing Western APT designation, making this either a genuinely new cluster or a known group under a new identity. If Western firms confirm F6's infrastructure findings, SiribClone becomes the first publicly named cluster surveilling Russian military personnel through Telegram — with operational-security implications on both sides of the war. Source: Xakep — Russian. No English-language coverage confirmed at time of publication.
The FSB's Own Spyware Just Showed Up on a Civilian's Phone
Russian investigative outlet Pervyi Otdel (First Department) reports the first confirmed infection of an anti-war activist's phone with Monokle — the FSB-linked mobile spyware first documented by Lookout in 2019 and attributed to a Russian defense contractor. Until now, Monokle had only surfaced on devices of people the Russian state was actively targeting in an intelligence capacity. This matters for two reasons: it confirms Monokle is still operational, and it's the first documented infection on a civilian dissident's device — suggesting either expanded targeting criteria or a deliberate escalation against domestic opposition. Monokle is a full-featured implant capable of intercepting calls, reading encrypted messages, exfiltrating files, and activating microphone and camera. Source: Pervyi Otdel via Russian-language feeds — Russian. No English-language coverage confirmed at time of publication.
A VS Code Zero-Day Allowed GitHub Token Theft
Xakep reported overnight on a zero-day in Visual Studio Code that could let attackers steal GitHub access tokens, compromising developer accounts and potentially private repositories. The flaw sits in extension handling, where a malicious extension or crafted workspace could exfiltrate authentication tokens — opening the door to source-code theft or CI/CD tampering. No CVE has surfaced in the Russian reporting yet, but coming on the heels of recent poisoned-VS-Code-extension and GitHub repository breaches, it's another reminder that developer workstations are now core infrastructure. Source: Xakep — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Google or a major threat-intel firm names the actor behind CVE-2025-48595 in the next week, it tells you whether this is Pegasus-class commercial spyware or a nation-state operation — which decides who's actually being hunted.
- If the Monokle/anti-war-activist story is confirmed by Lookout or Citizen Lab, expect it to push state spyware targeting domestic dissidents from a foreign-policy framing into a cybersecurity one.
- If the YAMCS or Notepad++ PoCs show up in commodity exploit kits before vendor advisories land, the "obscure tool, low risk" assumption breaks for an entire class of developer and aerospace software.
- If the GNSS source-location preprint survives peer review, it becomes the technical foundation for a formal ITU or diplomatic attribution filing against Russia — a very different weapon than a press release.
- If sustained GPS spoofing drifts NTP timestamps across critical infrastructure, certificate validation and time-based MFA tokens become collateral damage — a vector almost no enterprise threat model currently includes.
The Closer
A caching plugin handing strangers your checkout page, a fake IT guy strolling past your reception desk with a laptop bag, and an FSB implant quietly switching on an activist's microphone in his own kitchen — that was Friday. The most honest line of the day belongs to a guy named Yohanes Nugroho, who spent $1,200 of his own money on GPU time to break Akira's encryption, knowing full well the operators will patch it out the moment they read the headline — which is to say, the good guys finally found a working decryptor and immediately started a countdown clock against themselves.
Stay patched, stay suspicious of helpful strangers.
Forward this to the colleague who still hasn't pushed the June Android update to the company phones — they have until end of business, and it's already afternoon.