Ubiquiti RCE, Zcash bug, French ID breach
Ubiquiti patched three CVSS 10.0 vulnerabilities (CVE‑2026‑34908, CVE‑2026‑34909 and CVE‑2026‑34910) in UniFi OS that let attackers bypass the Nginx authentication layer and execute commands, gaining root access without credentials. Bishop Fox demonstrated a full exploit chain against version 5.0.6, highlighting the risk to the network, camera and access control systems UniFi OS manages.
Security researcher Taylor Hornby used Anthropic’s Claude Opus 4.8 to uncover a critical flaw in Zcash’s Orchard privacy pool that allowed the creation of counterfeit ZEC. The bug, present since May 2022, was patched with an emergency fix on June 1 2026, though it is impossible to confirm whether it was ever exploited.
FortiGuard Labs uncovered C0XMO, a Gafgyt‑derived botnet that exploits the unauthenticated UPnP buffer overflow (CVE‑2021‑27137) in outdated DD‑WRT router firmware to spread across IoT devices. It copies itself to hidden locations, creates cron jobs for persistence, and kills competing botnets and red‑team tools, extending its reach to multiple Linux architectures.
Meta said it detected and blocked spear‑phishing campaigns on WhatsApp tied to Israeli spyware firm NSO Group, and is asking a federal court to hold NSO in contempt for violating an injunction that bans it from targeting the app. The company also removed the test accounts involved and published the malicious domains used in the attacks.
France’s National Agency for Secure Documents (ANTS) confirmed a breach of its ants.gouv.fr portal, affecting roughly 11.7 million accounts. A hacker claims to have stolen personal data—including names, addresses, and birth details—and is offering it for sale, prompting alerts from CNIL, ANSSI and the public prosecutor.
A recent analysis highlights that Wispr Flow lacks an offline mode and continuously captures active‑window screenshots, sending them along with voice recordings to its cloud servers. This behavior can expose sensitive on‑screen content and keystrokes, posing significant privacy risks for users handling confidential data.
Researchers demonstrate FROST, a browser‑only side‑channel that leverages the Origin Private File System API to measure SSD access latency. By analyzing timing spikes, a malicious site can infer visited websites with ~89% accuracy and running applications with ~96% accuracy, all without native code or user permissions.
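The two halves of the FROST technique as described above, as an added example that is not the researchers' code and not part of the original page: a probe that times storage accesses through the Origin Private File System, and the spike detection that turns the resulting latency trace into a feature vector a classifier could consume. Assumptions: the probe runs in a dedicated Web Worker (createSyncAccessHandle is worker‑only), each sample times a 4 KiB write followed by flush() so that it reflects the storage path rather than the page cache, and the file name "probe.bin", sample count, and the median‑plus‑MAD threshold are illustrative choices rather than the paper's parameters. The latency trace used at the end is constructed, not a real measurement.

```javascript
// Added example (not from the FROST paper or the newsletter). The probe only works
// in a browser worker where OPFS is available; the analysis functions are pure and
// run anywhere, including the constructed demo at the bottom.

// Collect sampleCount latency samples from a file in the origin's private file system.
// Assumption: a write + flush per sample forces the data through the storage path,
// so contention from other tabs or processes shows up as timing spikes.
async function measureOpfsLatencies(sampleCount = 2000, fileName = "probe.bin") {
  if (typeof navigator === "undefined" || !navigator.storage || !navigator.storage.getDirectory) {
    throw new Error("OPFS not available in this environment (needs a browser worker)");
  }
  const root = await navigator.storage.getDirectory();
  const handle = await root.getFileHandle(fileName, { create: true });
  const access = await handle.createSyncAccessHandle(); // worker-only API
  try {
    const block = new Uint8Array(4096); // 4 KiB of zeros, written at offset 0 each time
    const samples = new Array(sampleCount);
    for (let i = 0; i < sampleCount; i++) {
      const t0 = performance.now();
      access.write(block, { at: 0 });
      access.flush();
      samples[i] = performance.now() - t0; // milliseconds
    }
    return samples;
  } finally {
    access.close();
  }
}

// Flag samples far above the trace's typical latency: median plus k times the median
// absolute deviation (MAD). The robust statistics keep a handful of huge spikes from
// dragging the threshold up. A 0.01 ms floor (an assumption) handles a flat trace.
function detectSpikes(samples, k = 6) {
  if (samples.length === 0) return { threshold: NaN, spikes: [] };
  const sorted = [...samples].sort((a, b) => a - b);
  const median = sorted[Math.floor(sorted.length / 2)];
  const deviations = samples.map((s) => Math.abs(s - median)).sort((a, b) => a - b);
  const mad = deviations[Math.floor(deviations.length / 2)];
  const threshold = median + k * Math.max(mad, 0.01);
  const spikes = [];
  samples.forEach((s, i) => {
    if (s > threshold) spikes.push(i);
  });
  return { threshold, spikes };
}

// Bucket spike positions into fixed time windows. The resulting histogram is the kind
// of feature vector a website or application classifier would be trained on.
function spikeDensity(spikes, sampleCount, bins) {
  const counts = new Array(bins).fill(0);
  const width = sampleCount / bins;
  for (const idx of spikes) {
    counts[Math.min(bins - 1, Math.floor(idx / width))] += 1;
  }
  return counts;
}

// Constructed trace (not a measurement): ~0.05 ms baseline with deterministic jitter
// and four injected spikes of 2 ms at indices 100, 101, 500 and 900.
function buildConstructedTrace() {
  const trace = [];
  for (let i = 0; i < 1000; i++) trace.push(0.05 + (i % 3) * 0.002);
  for (const idx of [100, 101, 500, 900]) trace[idx] = 2.0;
  return trace;
}

// Stand-alone demo on the constructed trace; the OPFS probe is only meaningful in a worker.
const demo = detectSpikes(buildConstructedTrace());
console.log(`threshold ${demo.threshold.toFixed(3)} ms, spikes at ${demo.spikes.join(", ")}`);
console.log(`spike density: ${spikeDensity(demo.spikes, 1000, 10).join(" ")}`);
```

In a real run the spike timestamps, not just their counts, carry the signal: a site's load sequence or an application's write pattern produces a characteristic burst shape, which is why the inference step needs a classifier trained on labelled traces rather than the fixed threshold alone. Nothing here needs a permission prompt; OPFS is available to any origin by default, which is the property the paragraph above calls out.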
The U.S. and Iran extended a kinetic ceasefire, but Iranian‑backed hacking groups continued targeting U.S. critical infrastructure, exposing a loophole in international law that doesn’t regulate cyber operations. Experts argue the Geneva Conventions need a cyber extension to bind state‑aligned hackers to ceasefire rules.
UK Prime Minister Keir Starmer announced a three‑month deadline for Apple, Google and other tech firms to activate built‑in features or software updates that stop children from taking, sending or viewing nude images on smartphones and tablets. The government warns non‑compliance will trigger legislation, fines or possible criminal liability.
New regulations from Russia's Ministry of Digital Development broaden the technical standards of the SORM system, adding searchable data like full names, passports, device IDs, and location coordinates. The changes aim to create comprehensive digital profiles for rapid linking of individuals, devices, and online activity, sharpening state monitoring of citizens.
Apple announced the integration of post‑quantum ML‑KEM and ML‑DSA algorithms into its corecrypto library and released the C and ARM64 implementations along with full formal verification proofs against FIPS 203/204. The company also open‑sourced the verification libraries and tools used to certify the correctness of the widely‑deployed cryptographic code.