Canadian Cyber Security Journal
Filed under: News

Cybersecurity Daily Brief — Wednesday, June 24, 2026

Here are today’s top cybersecurity stories for Wednesday, June 24, 2026.

Operation Endgame Disrupts Amadey and StealC — 27 Million Stolen Credentials Recovered
International law enforcement, coordinated by Europol and including Canadian, US, German, and Dutch authorities, dismantled the infrastructure behind the Amadey botnet and StealC infostealer as the latest phase of Operation Endgame. Authorities seized 326 servers and 142 domains, recovered approximately 27 million stolen credentials from over 385,000 compromised systems, and identified more than €41 million in linked cryptocurrency. Canada was a named partner nation in the operation. BleepingComputer

CISA Adds Three CVSS 10.0 Ubiquiti UniFi OS Flaws and Lantronix RCE to KEV — Patch Deadline June 26
CISA added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-34908 (access control bypass), CVE-2026-34909 (path traversal), and CVE-2026-34910 (command injection) in Ubiquiti UniFi OS, each rated CVSS 10.0, plus CVE-2025-67038, a root RCE in the Lantronix EDS5000 device server rated CVSS 9.8. Federal agencies must patch by June 26, 2026. Ubiquiti fixes are available in UniFi OS 5.0.8 or later. BleepingComputer

Cisco Unified CM CVE-2026-20230: SSRF Flaw Now Exploited to Drop Webshells
Threat actors are actively exploiting CVE-2026-20230 (CVSS 8.6), an SSRF vulnerability in Cisco Unified Communications Manager and Unified CM SME, to deploy webshells on affected systems. The exploit chain abuses the WebDialer service to reach the vulnerable endpoint, deploys a rogue Apache Axis service, then drops a command-execution JSP shell. Defused observed automated scanning arriving through Tor, and public proof-of-concept code is now available. Organizations with WebDialer enabled should patch immediately and audit web roots for JSP files that were not part of the install. BleepingComputer
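The "audit web roots for JSP files" step above is the kind of check that is easy to do badly (listing every .jsp on a Java application server is noise). The script below is an added example, not Cisco's or Defused's tooling: it walks a web root, reports only JSP files that contain a process-spawning call, and can be narrowed to files modified inside the incident window. The web root, file names and JSP contents are constructed here so it runs offline; the signature list is an assumption covering plain drop-in shells and will not catch obfuscated ones without decoding first.

```python
"""Audit a web root for JSP files that look like dropped command shells.
Added example, not Cisco's or Defused's tooling. The web root, file names and
JSP contents below are constructed for the demo so it runs offline."""
import os
import re
import tempfile

# Constructs a JSP command shell needs: something that spawns a process, and a
# channel for the operator's command (assumption: typical drop-in shells, not
# an exhaustive list; obfuscated shells need decoding before this check).
EXEC_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\s*\.\s*exec\s*\("),
    re.compile(r"new\s+ProcessBuilder\s*\("),
]
INPUT_PATTERNS = [
    re.compile(r"request\.getParameter\s*\("),
    re.compile(r"request\.getHeader\s*\("),
    re.compile(r"request\.getInputStream\s*\("),
]


def scan_jsp(source):
    """Return the reasons one JSP source looks like a webshell (empty when clean)."""
    reasons = []
    if any(p.search(source) for p in EXEC_PATTERNS):
        reasons.append("spawns a process")
    if any(p.search(source) for p in INPUT_PATTERNS):
        reasons.append("reads request-controlled input")
    return reasons


def audit_webroot(root, modified_after=None):
    """Walk root and return {relative path: reasons} for every .jsp/.jspx file that
    spawns a process. With modified_after (epoch seconds) only files changed since
    that time are reported, which narrows a large web root to the incident window."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = os.path.join(dirpath, name)
            if modified_after is not None and os.path.getmtime(path) < modified_after:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = scan_jsp(fh.read())
            if "spawns a process" in reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


# Constructed sample files: one legitimate page and one minimal command shell.
BENIGN_JSP = """<html><body>Hello, <%= request.getParameter("name") %></body></html>"""
SHELL_JSP = """<%@ page import="java.io.*" %>
<% String c = request.getParameter("cmd");
   Process p = Runtime.getRuntime().exec(c);
   BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
   String l; while ((l = r.readLine()) != null) { out.println(l); } %>"""


def build_sample_webroot():
    """Create a throwaway web root holding the two constructed files; returns its path."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "webapps", "app"))
    with open(os.path.join(root, "index.jsp"), "w", encoding="utf-8") as fh:
        fh.write(BENIGN_JSP)
    with open(os.path.join(root, "webapps", "app", "cmd.jsp"), "w", encoding="utf-8") as fh:
        fh.write(SHELL_JSP)
    return root


if __name__ == "__main__":
    for path, why in audit_webroot(build_sample_webroot()).items():
        print(f"{path}: {', '.join(why)}")
```

Run it against the real web root with modified_after set to the earliest scan time you have, then diff the remaining hits against a known-good install or package manifest; a file that spawns a process and reads request input is the one to pull for forensics, not simply delete.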

Cordyceps: CI/CD Workflow Flaw Leaves 300+ Major GitHub Repositories Open to Supply Chain Compromise
Researchers at Novee Security disclosed a CI/CD misconfiguration class they named Cordyceps, where untrusted pull requests trigger privileged workflows that authenticate to cloud environments with full credentials. A scan of 30,000 high-impact repositories found more than 300 fully exploitable, including those owned by Microsoft, Google, Apache, and Cloudflare. Any GitHub user with a free account can exploit the flaw — no organizational membership required. GitHub updated its actions/checkout action on June 18 to block common pwn request patterns, but unpatched repositories remain at risk. The Hacker News
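The misconfiguration class described above is easiest to recognise in a concrete workflow. The script below is an added example, not Novee Security's scanner or GitHub's actions/checkout change: it embeds a constructed vulnerable workflow (privileged pull_request_target trigger, checkout of the fork's head commit, OIDC cloud credentials in the same job) beside a hardened one, and applies a few text rules to the raw YAML to flag the exploitable shape. The role ARN is a placeholder, the provider list is an assumption, and the rules cover the classic pwn request pattern rather than every variant the researchers may have counted.

```python
"""Flag GitHub Actions workflows with the 'pwn request' shape: a privileged trigger
that checks out and runs pull request code from a fork. Added example, not Novee
Security's scanner or GitHub's actions/checkout change. Both workflows are
constructed for the demo; the role ARN is a placeholder and the detection rules
are this example's own assumptions about the pattern, applied to the raw YAML
text so no YAML library is needed."""
import re

# pull_request_target (unlike pull_request) runs in the base repository context,
# so the job gets the repository's secrets and a write-capable GITHUB_TOKEN.
PRIVILEGED_TRIGGER = re.compile(r"^\s*pull_request_target\s*:", re.M)
# Checking out the PR head puts fork-controlled files on the runner; any later
# step that builds or tests that tree executes attacker code (install scripts,
# test files, Makefiles).
UNTRUSTED_REF = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(sha|ref)\s*\}\}"
)
# Ways the same job can reach a cloud account: OIDC token minting or a
# credentials action (assumed list; extend it for your providers).
CLOUD_AUTH = re.compile(
    r"id-token:\s*write|aws-actions/configure-aws-credentials|"
    r"google-github-actions/auth|azure/login"
)

# Constructed workflow with the vulnerable shape.
VULNERABLE = """\
name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  id-token: write
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/ci-deploy
          aws-region: us-east-1
      - run: npm ci && npm test
"""

# Same job on the plain pull_request trigger: fork PRs get no secrets and a
# read-only token, and the checkout is the merge ref GitHub computes, not a
# caller-chosen commit.
HARDENED = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
"""


def assess_workflow(text):
    """Return a list of findings for one workflow file's text (empty when clean)."""
    findings = []
    if not PRIVILEGED_TRIGGER.search(text):
        return findings  # pull_request from a fork has no secrets to steal
    findings.append("pull_request_target: job runs with the base repo's secrets")
    if UNTRUSTED_REF.search(text):
        findings.append("checks out the PR head: a fork controls the code that runs")
    if CLOUD_AUTH.search(text):
        findings.append("cloud credentials are reachable from the same job")
    return findings


def is_exploitable(text):
    """True when untrusted PR code executes under the privileged trigger; the cloud
    credentials only raise the impact, the first two conditions make it exploitable."""
    return bool(PRIVILEGED_TRIGGER.search(text) and UNTRUSTED_REF.search(text))


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, "exploitable" if is_exploitable(wf) else "ok", assess_workflow(wf))
```

The fix is structural rather than a patch to the checkout step: anything that builds or tests PR code belongs on pull_request, and a pull_request_target job that genuinely needs secrets (labelling, commenting) must never check out or execute the head commit. Where a privileged deploy has to follow a PR build, run it as a separate workflow_run job that reads only artifacts, not the fork's tree.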

Xsolis Healthcare Data Breach Exposes 1.4 Million Patients’ Records
AI-driven healthcare revenue cycle firm Xsolis disclosed a breach affecting 1,396,519 individuals, stemming from a phishing attack that began January 20, 2026, and was detected two days later. Stolen data includes names, dates of birth, addresses, Social Security numbers, health insurance information, and medical treatment details. Xsolis provides AI-powered utilization management tools to more than 600 hospitals and health insurers. The company says it is not aware of any confirmed misuse of the data as of its notification date. SecurityWeek

Mistic Backdoor Tied to KongTuke Ransomware Access Broker
Symantec researchers identified a new stealthy backdoor called Mistic, linked to KongTuke (also tracked as Woodgnat), an initial access broker that sells network footholds to ransomware groups including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. Mistic runs payloads entirely in memory, writes nothing to disk, and includes a self-delete kill switch. In at least one observed intrusion, Mistic was deployed alongside ModeloRAT following a Microsoft Teams social engineering attack targeting insurance, education, IT, and professional services organizations. BleepingComputer

Splunk CVE-2026-20253: CISA Orders Patch by Sunday as Active Exploitation Confirmed
CISA confirmed active exploitation of CVE-2026-20253 (CVSS 9.8) in Splunk Enterprise and directed federal agencies to patch by June 28 under Binding Operational Directive 26-04. The flaw allows unauthenticated attackers to create or truncate arbitrary files via a PostgreSQL sidecar endpoint, a path to remote code execution. WatchTowr published a technical write-up and proof-of-concept on June 12, eight days after Splunk released patches. Shadowserver tracks over 1,400 internet-exposed Splunk instances, the majority in North America. BleepingComputer

Samsung KNOX CVE-2026-20971: Eight-Year-Old Kernel UAF Exposed Millions of Galaxy Devices
LucidBit Labs disclosed full technical details of CVE-2026-20971 (CVSS 7.8), an eight-year-old use-after-free vulnerability in the interaction between Samsung’s KNOX PROCA and FIVE kernel subsystems. The flaw affects Galaxy devices from the S9 through S25 series running Android 13 through 16, provides multiple memory corruption primitives, and gives any untrusted application a path to full device takeover. Samsung addressed the vulnerability in its January 2026 security update. Organizations with unmanaged Samsung devices in their mobile fleet should verify patch status. SecurityWeek

Stay tuned for today’s in-depth analysis posts.
