Canadian Cyber Security Journal

Cybersecurity Daily Brief — Wednesday, June 3, 2026

Here are today’s top cybersecurity stories for Wednesday, June 3, 2026.

HTTP/2 Bomb CVE-2026-49975: Remote DoS Flaw Hits nginx, Apache, IIS, Envoy, and Cloudflare Pingora
Researchers disclosed CVE-2026-49975, dubbed HTTP/2 Bomb, a remote denial-of-service vulnerability affecting most major web servers. A single attacker connection exhausts up to 32 GB of server memory in roughly 20 seconds by abusing HTTP/2 header table compression. nginx patched the issue in version 1.29.8; Apache fixed it in mod_http2 v2.0.41. Microsoft IIS, Envoy, and Cloudflare Pingora remained unpatched at the time of disclosure. The flaw was discovered by OpenAI Codex and publicly disclosed on June 3, 2026. (Source: The Hacker News)

Kirki WordPress Plugin CVE-2026-8206: CVSS 9.8 Account Takeover Actively Exploited on 500,000+ Sites
Attackers are exploiting CVE-2026-8206, a critical unauthenticated privilege escalation flaw in the Kirki Freeform Page Builder plugin for WordPress, to hijack administrator accounts. The vulnerability affects versions 6.0.0 through 6.0.6 and allows a single HTTP request with a known username and attacker-controlled email to reset any account password. Wordfence blocked over 222 exploitation attempts in a 24-hour window. Approximately 150,000 sites remain on vulnerable versions of the 500,000-installation plugin. Administrators must update to version 6.0.7 immediately. (Source: BleepingComputer)

DriveSurge Threat Actor Hijacks Thousands of Sites for ClickFix and FakeUpdates Campaigns
A newly identified threat actor tracked as DriveSurge has compromised thousands of websites to redirect visitors to ClickFix and FakeUpdates malware-delivery infrastructure. DriveSurge routes victims through a Traffic Distribution System called zTDS, which profiles visitors before serving fake browser update prompts or PowerShell clipboard-hijack lures. Researchers at SilentPush identified macOS-specific payloads in the campaign, confirming cross-platform targeting. DriveSurge operates as an initial access broker on a pay-per-install model. (Source: BleepingComputer)

CISA Adds Oracle WebLogic CVE-2024-21182 to KEV: Federal Deadline June 4, 2026
CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities catalog, citing active exploitation of a two-year-old Oracle WebLogic Server vulnerability. Unauthenticated attackers with network access over T3 or IIOP protocols can gain full read access to all WebLogic-accessible data. Honeypot activity since mid-May 2026 recorded payloads deploying cryptocurrency miners, Cobalt Strike beacons, and Sodinokibi ransomware. Federal agencies must remediate by June 4, 2026. (Source: The Hacker News)

CISA Adds Linux Kernel CVE-2022-0492 to KEV: Privilege Escalation in Container and Legacy Environments
CISA added CVE-2022-0492, a Linux kernel cgroups privilege escalation vulnerability, to its KEV catalog on June 2, 2026, with a federal remediation deadline of June 5, 2026. The flaw allows improper privilege escalation and is being actively exploited in unpatched legacy and embedded Linux systems as well as container hosts where the original 2022 fix was never applied. (Source: CISA)

Sophos Exposes AI-Built Ransomware Toolkit Using Cursor and Claude Opus for EDR Evasion
Sophos researchers uncovered a Git repository containing an AI-assisted ransomware development environment built with Cursor and Claude Opus agents. The toolkit automates Active Directory discovery, generates malware tested against Sophos, CrowdStrike, and Microsoft Defender EDR tools in virtual environments, and deploys Cobalt Strike beacons disguised as legitimate web traffic. A Telegram-based command-and-control mechanism and a Cloudflare Worker backend complete the infrastructure. Sophos linked the activity to an active threat actor impacting organizations globally but declined to name the group pending investigation. (Source: BleepingComputer)

Ransomware Activity June 3, 2026: DragonForce, INC_RANSOM, Qilin, and Play Hit Multiple Sectors
Ransomware groups continued active campaigns on June 3. DragonForce claimed Synex Group. INC_RANSOM listed the Champaign-Urbana Public Health District. Qilin claimed Clínica Maitenes. Play ransomware targeted Digitall Graphics and Hightower Communications. Healthcare, telecommunications, and services sectors account for the majority of observed victims today. (Source: BleepingComputer)

Microsoft Pre-Publishes CVEs for Outlook, Word, OpenSSL, and Node.js Ahead of June 9 Patch Tuesday
Microsoft pre-published vulnerability advisories for CVE-2026-40361 affecting Outlook and Word ahead of the June 9, 2026 Patch Tuesday. New CVEs were also published for OpenSSL TLS 1.3 (CVE-2026-2673) and Node.js (CVE-2026-21711). No active exploitation was confirmed at the time of disclosure, but security teams should prioritize patching once updates release on June 9. (Source: BleepingComputer)

Stay tuned for today’s in-depth analysis posts.
