Cisco confirmed a zero-day in Catalyst SD-WAN Manager being actively exploited right now — with no fix available and no workaround. Apple unveiled a Gemini-powered Siri at WWDC and nobody asked about the attack surface. A hacker sold 340 million "stolen" OnlyFans records — and admitted he never actually hacked OnlyFans. WordPress site owners are one unpatched plugin away from losing everything. And your smart TV may already be someone else's scraping infrastructure.
☕ ~5 minute read · 5 stories today

On Thursday, Cisco confirmed that CVE-2026-20245, a high-severity vulnerability in Catalyst SD-WAN Manager, is being actively exploited in the wild. CVSS score: 7.8. No patch available. No workaround. The seventh Cisco SD-WAN flaw to be actively exploited this year alone.
The flaw sits in the command-line interface and stems from insufficient validation of user-supplied input. An authenticated attacker with netadmin privileges can upload a crafted file and execute arbitrary commands as root — full control of the underlying system. Mandiant reported the vulnerability to Cisco after observing limited real-world exploitation, including cases where attackers pushed unauthorised configuration changes to SD-WAN edge devices.
The attack chain is the real concern. CVE-2026-20245 requires netadmin credentials — but those can be obtained by chaining it with two other already-exploited authentication bypass flaws: CVE-2026-20182 and CVE-2026-20127. An attacker with no initial access can chain all three to go from the internet to root on an SD-WAN device managing up to 6,000 network endpoints.
What to do: run request admin-tech on all SD-WAN control components to preserve indicators of compromise before touching anything. Then upgrade to the fixed software documented in the CVE-2026-20182 advisory — it's the closest available mitigation. Verify the configuration of all edge devices afterward.
A threat actor using the alias Euphoric_Reply_5727 listed a dataset of 340 million alleged OnlyFans user records on a cybercrime forum, asking 0.313 BTC — roughly $76,000. The listing triggered widespread panic among creators and subscribers. The actual story is more interesting than the headline.
When Hackread researchers contacted the seller directly, he admitted that he never breached OnlyFans. The dataset was assembled by correlating data from previous breaches of Twitter, Instagram, Spotify and other platforms with publicly visible OnlyFans profiles. Old credentials matched to known usernames. Not a hack — a very large, very methodical compilation.
OnlyFans denied any breach of its own systems. Security researcher Tat Thang identified structural evidence suggesting the record count is inflated. But even a fraction of 340 million real, cross-referenced profiles is a significant threat to people who use the platform under any expectation of anonymity.
Tim Cook delivered his final WWDC keynote today. The headline: Siri has been entirely rebuilt on a custom Gemini model licensed from Google at roughly $1 billion per year — eight times larger than anything Apple built internally. iOS 27, macOS 27, and a multi-model Extensions system letting users choose between Gemini, ChatGPT, or Claude were all announced. The coverage is overwhelmingly positive.
The question nobody is asking: what does an AI-native operating system look like as an attack surface? Siri now has deeper access to contacts, messages, calendar, files, and third-party apps than any previous version. The model processes on-device where possible but routes complex requests through external inference infrastructure. Every prompt is a potential data exfiltration vector. Every app integration is a permission boundary to be tested.
The multi-model Extensions system compounds this. Three different AI providers, each with their own data retention policies, each processing user queries — potentially the same query routed differently depending on the task. The security and privacy implications of this architecture will take months to properly surface. Expect the first researcher disclosures by autumn.
Threat actors are actively exploiting CVE-2026-3300, a critical remote code execution vulnerability in Everest Forms Pro — a WordPress plugin with approximately 4,000 active installations. CVSS score: 9.8. Unauthenticated. No user interaction required.
The flaw lives in the plugin's process_filter() function, which concatenates user-submitted form field values into a PHP string and passes it directly to eval() without proper escaping. Any text input field on any form — text, email, URL, select, radio — can be used to inject and execute arbitrary PHP code on the server. A patch was released on 18 March 2026 in version 1.9.13.
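To make the bug class concrete, here is an added illustration of the pattern described above; it is constructed for this newsletter and is not Everest Forms code, and the function names, template syntax and sample values are all assumptions. The first function shows the dangerous shape (user data spliced into PHP source that is then eval()'d); the second resolves the same {field} placeholders as plain text, restricts them to an allow-list, and escapes the output, so no submitted value can ever become code.

```php
<?php
// Constructed example, not the plugin's own code. A form "filter" feature that
// expands {field} placeholders in an admin-defined template with submitted values.

// Vulnerable shape: the template and the submitted values are assembled into
// PHP source text and executed. Data and code share one string, so a value
// is only ever one character away from being interpreted as code.
function process_filter_unsafe(string $template, array $fields): string
{
    $code = '$out = "' . $template . '";';
    foreach ($fields as $name => $value) {
        // Untrusted $value is spliced straight into the PHP source string.
        $code = str_replace('{' . $name . '}', (string) $value, $code);
    }
    eval($code);   // executes attacker-influenced source; this is the bug class
    return $out;
}

// Hardened shape: never turn data into code. Placeholders are resolved by a
// regex callback over an allow-listed set of field names, values are treated
// strictly as text, and the result is escaped for the HTML context it lands in.
function process_filter_safe(string $template, array $fields, array $allowedFields): string
{
    return preg_replace_callback(
        '/\{([a-z0-9_]+)\}/i',
        static function (array $m) use ($fields, $allowedFields): string {
            $name = $m[1];
            if (!in_array($name, $allowedFields, true) || !array_key_exists($name, $fields)) {
                return '';   // unknown or disallowed placeholder: emit nothing
            }
            return htmlspecialchars((string) $fields[$name], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        },
        $template
    );
}

// Constructed sample input: the template is trusted admin configuration,
// $fields is whatever the visitor typed into the form.
$template = 'Thanks {name}, we will reply to {email}. {secret}';
$fields   = [
    'name'   => 'Ada <b>Lovelace</b>',
    'email'  => 'ada@example.invalid',
    'secret' => 'not an allowed field',
];

echo process_filter_safe($template, $fields, ['name', 'email']), PHP_EOL;
// Thanks Ada &lt;b&gt;Lovelace&lt;/b&gt;, we will reply to ada@example.invalid.
```

The fix is structural rather than a matter of "escaping better": once user input is never fed to eval() at all, there is no escaping rule left to get wrong. A code review or static-analysis rule that flags any eval(), create_function() or preg_replace() with the /e modifier reachable from request data would have caught this shape before it shipped.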
Research published 5 June by Include Security and independent researcher Buchodi revealed that a software development kit shipped inside free apps on Samsung, LG, and Roku devices is quietly enrolling home televisions into a residential proxy network of more than 150 million IP addresses.
The SDK is presented to users behind an opt-in consent screen, described as allowing "bandwidth sharing." In practice, the user's home IP address and internet connection are used to route third-party web scraping traffic — making it appear to originate from a residential address rather than a data centre. The company behind it, Bright Data, argues this is consensual and disclosed. The researchers argue the disclosure is buried deeply enough to be functionally invisible to most users.
This is the soft edge of the threat landscape — not a breach, not malware in the traditional sense, but a steady erosion of the boundary between "your device" and "their infrastructure." The pattern will intensify as more devices ship with SDK monetisation baked in as a default.