Welcome to Threat Thursday, Galactic's weekly threat intelligence roundup.

Every Thursday we cover the cybersecurity stories that matter most, breaking each one down into what happened and what it means for your organization.

This week's stories cover two problems that usually get treated separately: flaws exploited within days of going public, and slower risks that never get a CVE number. Three of this week's flaws fall in the first group, one of them attacked before its patch even shipped. Two more incidents trace back to a forgotten credential and a trusted security agent that an ordinary user account could switch off.

Let’s dive in.

This Cycle's Stories

1. Critical Ubiquiti UniFi Flaws Exploited as Zero-Days (CVE-2026-34908, -34909, -34910)

Ubiquiti, a widely used maker of business and home network gear (its UniFi line covers Wi-Fi, switching, and security cameras), patched three critical flaws in the software that manages UniFi networks, each scoring the maximum 10 out of 10. Chained together, they let an attacker take over the management console, the web interface used to control and monitor the entire network, without any credentials. Ubiquiti released a fix on May 21 but said nothing about active attacks. Users on Ubiquiti's own forums and Reddit reported that the flaws were being exploited before the patch shipped, with intruders creating hidden administrator accounts under the name "John Sim." On June 23, CISA, the U.S. cybersecurity agency, added all three to its Known Exploited Vulnerabilities catalog and gave federal agencies three days to patch.

Potential impact: The management console sits in the middle of everything and is trusted by every device it controls. From there an attacker can watch traffic, reach the systems behind the network, and move deeper into the business. The vendor's advisory was quiet on exploitation while users were already reporting rogue admin accounts; CISA's catalog, not the vendor, is what confirmed real-world attacks.

What to do: Update UniFi OS Server to 5.0.8 right away. Where the management console is reachable from the internet, put it behind a VPN or restrict it to trusted networks. Patching does not remove accounts an intruder already created, so check for administrator accounts nobody on your team created, with "John Sim" as one reported indicator (its absence proves nothing, since the name is trivially changed), and review the console's logs for unexpected changes. If the console was internet-exposed before the patch, treat it as compromised until that review is done.

Source: SecurityWeek

2. A Breach at a Sales Vendor Exposes Data From Major Security Firms

A breach at Klue, a competitive-intelligence platform that companies connect to their sales systems, exposed business data belonging to roughly 15 organizations, most of them well-known security vendors including LastPass, BeyondTrust, Huntress, Jamf, and Tanium. An attacker called Icarus got in using an old, leftover login credential, then generated access tokens (digital keys that let one app act inside another) to reach the Salesforce accounts those companies had connected to Klue, copying names, email addresses, phone numbers, and sales records in bulk. No internal systems were broken into, and customer password vaults at LastPass were untouched. Huntress expects more victims to surface.

Potential impact: Contact and sales information is easy to wave off, but it's the raw material for convincing, targeted phishing when it carries the implied trust of a known vendor relationship. The attacker never broke Salesforce or these companies' own defenses. It abused a trusted connection between two software tools and a forgotten credential nobody was watching. Every business runs dozens of these connections, and each one is a door that stays unlocked long after anyone remembers it's there.

What to do: Inventory third-party services connected to your core platforms and revoke access for any connection no longer in use. Retire old credentials and service accounts rather than leaving them active. When a vendor in that inventory reports a breach, revoke and reissue the tokens it held rather than waiting for confirmation they were used. Review connected-app activity for unusual bulk data access, and brief staff that contact details from breaches like this routinely show up in later phishing campaigns.
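The two audits suggested above, rogue admin accounts in the Ubiquiti story and forgotten integrations in this one, come down to the same exercise: normalise an export of accounts and connected apps, then compare it against what the team knowingly created and who still works here. The Python below is an added example, not code from Galactic, Ubiquiti, Klue or any affected vendor. The inventory, the approved-admin baseline and the staff list are all constructed; in practice the inventory would be assembled from the management console's admin list and the SaaS platform's connected-app report (for Salesforce, the OauthToken object's AppName, LastUsedDate and UserId fields are the usual source; the example does not query it).

```python
"""Audit an exported account-and-integration inventory for three problems:
admins nobody approved, credentials whose owner has left, and credentials
that are never or no longer used.

Added example; the records, baselines and timestamps are constructed.
"""
from datetime import datetime, timezone

# Constructed sample records, already normalised to one shape.
INVENTORY = [
    {"kind": "admin", "name": "ops-alice", "created_by": "ops-alice",
     "last_used": "2026-06-20T08:00:00Z"},
    {"kind": "admin", "name": "John Sim", "created_by": "system",
     "last_used": "2026-06-19T03:14:00Z"},
    {"kind": "integration", "name": "klue-salesforce-sync",
     "created_by": "sales-bob", "last_used": "2025-11-02T12:00:00Z"},
    {"kind": "integration", "name": "legacy-crm-export",
     "created_by": "contractor-2023", "last_used": None},
    {"kind": "integration", "name": "billing-webhook",
     "created_by": "fin-carol", "last_used": "2026-06-21T00:00:00Z"},
]

# Constructed baselines: admins the team knowingly created, and the
# accounts of people who are still employed.
APPROVED_ADMINS = {"ops-alice"}
CURRENT_STAFF = {"ops-alice", "sales-bob", "fin-carol"}
NOW = datetime(2026, 6, 25, 12, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _finding(rec, reason):
    return {"name": rec["name"], "kind": rec["kind"], "reason": reason}


def audit(inventory, approved_admins, current_staff, now, max_idle_days=90):
    """Return one finding per problem found; a record can trigger several.

    Checks, each independent of the others:
    - an admin account that is not in the approved baseline (rogue admin),
    - an owner who is no longer in the staff list (orphaned credential),
    - a credential never used, or idle for longer than max_idle_days.
    """
    findings = []
    for rec in inventory:
        if rec["kind"] == "admin" and rec["name"] not in approved_admins:
            findings.append(_finding(rec, "admin account not in approved baseline"))
        if rec["created_by"] not in current_staff:
            findings.append(_finding(rec, f"owner {rec['created_by']!r} is not current staff"))
        last = parse_ts(rec["last_used"])
        if last is None:
            findings.append(_finding(rec, "never used since creation"))
        else:
            idle = (now - last).days
            if idle > max_idle_days:
                findings.append(_finding(rec, f"idle for {idle} days"))
    return findings


def flagged_names(findings):
    """Distinct names with at least one finding, sorted for stable output."""
    return sorted({f["name"] for f in findings})


if __name__ == "__main__":
    for f in audit(INVENTORY, APPROVED_ADMINS, CURRENT_STAFF, NOW):
        print(f"{f['kind']:<12} {f['name']:<22} {f['reason']}")
```

Run against the constructed data it flags "John Sim" (not in the baseline and created by an owner who is not staff), the Klue sync (idle for 235 days) and the contractor's export (never used, owner gone), and leaves the two live credentials alone. The idle threshold and the staff list are the two inputs worth keeping current, since a credential whose owner has left is exactly the one nobody is watching.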

Source: Cyber Security News

3. Researchers Show How to Silently Switch Off Mac Security Tools

Researchers at XM Cyber demonstrated a way to silently disable security software on Mac computers from an ordinary user account with no administrator rights. Two kinds of products were affected: EDR (endpoint detection and response, the software that watches a device for malicious activity) and MDM (mobile device management, the software that lets IT control company devices). Rather than exploiting a single bug, the technique strings together normal macOS behaviors to impersonate a trusted part of an app and issue commands that would normally require administrator-level access. In testing, the researchers fully disabled CrowdStrike's security agent and permanently switched off Kandji's MDM. CrowdStrike has added detection, Kandji has released a fix (CVE-2026-39118), and a third unnamed vendor is still working on one. There is no sign of real-world use yet, but the researchers plan to release a free testing tool and the full details at Black Hat in August.

Potential impact: An attacker who can quietly disable endpoint security before doing anything else effectively blinds the defenders, and the rest of the attack happens in the dark. This technique needed no administrator access and set off no alerts, exactly the combination that makes something attractive to real attackers once it's public. The time to verify your Mac defenses hold is now, before the tooling goes public in August.

What to do: Confirm EDR and MDM agents on Macs are updated to versions with the new detections and fixes, and track the remaining vendor's patch. Add monitoring that does not depend on the agent itself, alerting when an agent is unloaded or stops checking in, since this research shows the agent's own tamper protection can be bypassed from a standard account. Watch for the researchers' tool so you can test your own fleet before someone else does.
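Monitoring that does not rely on the agent means correlating its check-ins with a signal the endpoint cannot silence from a user account, such as VPN, DHCP or switch-authentication logs: a Mac that is on the network but not reporting to the EDR console is a very different case from one that is simply switched off. The Python below is an added example, not code from XM Cyber, CrowdStrike or Kandji. Both data sets are constructed; in practice EDR_LAST_SEEN comes from the EDR console's last-check-in export and NETWORK_LAST_SEEN from whichever network source you trust.

```python
"""Flag hosts whose endpoint agent has gone quiet, ranked by whether the
host is still active on the network.

Added example; hostnames and timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 24, 10, 30, tzinfo=timezone.utc)

# Constructed: hostname -> last time the EDR agent checked in.
EDR_LAST_SEEN = {
    "mac-001": "2026-06-24T10:28:00Z",   # healthy
    "mac-002": "2026-06-24T08:10:00Z",   # quiet for 2h20m
    "mac-004": "2026-06-20T09:05:00Z",   # quiet for days
}

# Constructed: hostname -> last time the host was seen on the network
# (VPN, DHCP or 802.1X logs; a source the agent cannot suppress).
NETWORK_LAST_SEEN = {
    "mac-001": "2026-06-24T10:29:00Z",
    "mac-002": "2026-06-24T10:25:00Z",   # online right now
    "mac-003": "2026-06-24T10:20:00Z",   # online, no agent record at all
    "mac-004": "2026-06-20T09:00:00Z",   # offline since last week
}


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def silent_agents(edr, network, now, max_agent_gap=timedelta(minutes=30),
                  active_window=timedelta(minutes=60)):
    """Return {host: {'severity', 'reason'}} for hosts whose agent check-in
    is missing or older than max_agent_gap.

    Severity comes from the network correlation: a host seen on the network
    within active_window but not reporting is 'high' (agent stopped, blocked
    or unloaded); a host that is also absent from the network is 'info'
    (most likely powered off).
    """
    findings = {}
    for host in sorted(set(edr) | set(network)):
        agent_seen = parse_ts(edr.get(host))
        net_seen = parse_ts(network.get(host))
        if agent_seen is not None and now - agent_seen <= max_agent_gap:
            continue  # checked in recently; nothing to do
        on_network = net_seen is not None and now - net_seen <= active_window
        if agent_seen is None:
            reason = "no agent check-in on record"
        else:
            minutes = int((now - agent_seen).total_seconds() // 60)
            reason = f"agent silent for {minutes} min"
        reason += ", host active on the network" if on_network else ", host offline"
        findings[host] = {"severity": "high" if on_network else "info",
                          "reason": reason}
    return findings


def high_severity(findings):
    """Hosts that need a human to look now, sorted for stable output."""
    return sorted(h for h, f in findings.items() if f["severity"] == "high")


if __name__ == "__main__":
    for host, f in silent_agents(EDR_LAST_SEEN, NETWORK_LAST_SEEN, NOW).items():
        print(f"{f['severity']:<5} {host:<8} {f['reason']}")
```

On the constructed data, mac-002 (online, silent for 140 minutes) and mac-003 (online, never reported) come out as high, while mac-004 is only informational because nothing has seen it since last week. The gap thresholds depend on the agent's real check-in interval; set max_agent_gap to a few multiples of it, or every laptop that sleeps will page someone.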

Source: SecurityWeek

4. A Splunk Flaw Was Attacked Within Days of Disclosure (CVE-2026-20253)

A critical flaw in Splunk Enterprise, software many organizations use to collect and analyze security logs, went from public disclosure to real-world attacks in days. The flaw comes from a database service left without any login check, so an attacker who can reach it on the network can create or overwrite files on the server without credentials. Splunk released patches on June 10. Two days after disclosure, researchers published a working demonstration of the attack and showed it could be used to run their own commands on the server. Splunk confirmed limited exploitation on June 18, the same day CISA added it to its Known Exploited Vulnerabilities catalog with a three-day federal deadline. It's the first Splunk flaw ever to land on that list.

Potential impact: The Splunk server often holds a central, privileged view of an organization's systems and stores the very logs defenders would use to investigate an incident. An attacker who takes it over gets both a deep foothold and the chance to tamper with the evidence. A working demonstration arrived within two days of disclosure, and attacks followed days after that.

What to do: Upgrade to fixed Splunk Enterprise versions (10.2.4 or 10.0.7) immediately. If patching has to wait, restrict network access to the affected service so only trusted systems can reach it. Review the server for unexpected new or altered files and check it against the technical indicators researchers have published. Because the same server holds the logs you would investigate with, verify its audit trail against copies forwarded elsewhere before trusting what it tells you.

Source: The Hacker News

5. Attackers Exploit a Cisco Phone-System Flaw (CVE-2026-20230)

Attackers have started exploiting a flaw in Cisco Unified Communications Manager, the system many organizations use to run their business phone and calling services. The flaw lets an attacker send a specially crafted request that the server mishandles, allowing them to write files onto it and work toward full administrator control. There's an important catch: the attack only works if an optional feature called WebDialer is switched on, and it's off by default. Cisco released patches earlier this month. A researcher reported seeing the flaw exploited on internet decoy systems, servers set up specifically to attract and observe attacks, using a publicly shared attack script, and a second firm published technical details shortly after.

Potential impact: Phone and communications servers rarely get the same security attention as laptops and email, yet they sit inside the network and are trusted by it, which makes them a useful stepping stone toward more valuable systems. A patch came out, a rough attack script followed, and opportunistic attackers began firing it at anything reachable. The saving grace is the default-off feature requirement: organizations that never enabled WebDialer aren't exposed, a useful reminder that turning off features you don't use is one of the cheapest defenses available.

What to do: Patch Unified CM to 14SU6 or 15SU5. If a patch can't be applied immediately, check whether WebDialer is enabled and turn it off if it's not needed, which closes this particular attack path but does not replace the patch. Limit access to the system's web interface to trusted networks and review the server for unexpected files.
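Both the Splunk and the Cisco advice above end with "review the server for unexpected files," which is only practical if you have something to compare against. The Python below is an added example, not Splunk's or Cisco's tooling: it snapshots a directory tree as SHA-256 hashes and diffs two snapshots into added, modified and removed paths. The server tree in demo() is constructed to stand in for a real server's config, binaries and logs, and the "intrusion" it simulates is likewise made up.

```python
"""Baseline a directory tree and diff two baselines, so that new, altered or
removed files on a server can be listed after an incident.

Added example; the tree built in demo() is constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baselines(before, after):
    """Return sorted lists of paths that were added, modified or removed."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "modified": sorted(p for p in common if before[p] != after[p]),
        "removed": sorted(set(before) - set(after)),
    }


def demo():
    """Build a constructed server tree, snapshot it, simulate an intrusion, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        files = {
            "etc/app.conf": "listen=127.0.0.1\n",
            "bin/server": "binary-placeholder\n",
            "var/log/audit.log": "2026-06-18 admin login ok\n",
        }
        for rel, content in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(content)
        before = build_baseline(root)  # the known-good snapshot

        # Simulated, constructed intrusion: a config opened to all interfaces,
        # a dropped file next to the server binary, and a deleted audit log.
        (root / "etc/app.conf").write_text("listen=0.0.0.0\n")
        (root / "bin/helper").write_text("dropped\n")
        (root / "var/log/audit.log").unlink()

        after = build_baseline(root)
        return diff_baselines(before, after)


if __name__ == "__main__":
    for change, paths in demo().items():
        print(f"{change:<9} {paths}")
```

The diff is only as good as the "before" snapshot: take it from a freshly patched, known-good state and store it off the server, because a baseline taken after the compromise simply enshrines the attacker's files as normal. For the cases in these two stories, the interesting entries are anything new under the web or application directories and anything modified or missing under the logs.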

Source: The Hacker News

6. Worth Watching: A New Executive Order Puts Post-Quantum Encryption on a 2030 Clock

On June 22, President Trump signed an executive order setting firm deadlines for federal agencies to move their most sensitive systems to post-quantum cryptography, a new generation of encryption designed to resist future quantum computers. Agencies must update the way they exchange encryption keys by the end of 2030 and their digital signatures by 2031, pulling the previous 2035 target forward by four to five years. The urgency comes from a threat that doesn't require a working quantum computer yet: adversaries can copy encrypted data today and store it until a powerful enough machine can crack it later, a tactic known as "harvest now, decrypt later." The order also directs regulators to draft rules giving federal contractors their own 2030 deadline and requiring a "cryptographic bill of materials," a machine-readable list of the encryption inside a product, from software vendors.

Why it matters: Nothing changes this week for most organizations, and the deadlines are years out. But the direction points at everyone eventually. The practical groundwork worth starting now is knowing where your systems and your vendors' products use encryption, because you can't replace what you can't find. Companies that sell to the government should expect a compliance requirement once the rules are written.
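The inventory work is worth starting with a triage rule in mind, because the order gives different deadlines to different uses: classical key exchange is the "harvest now, decrypt later" exposure and has the end-of-2030 date, while classical signatures get 2031 and cannot expose data already captured. The Python below is an added example, not code from the executive order or any CBOM tool, and applies a simple classifier to a constructed inventory of the kind a first pass over configs, certificates and vendor bills of materials might produce. The "use" field is an assumption of the example's record format: recording what an algorithm protects, not just its name, is what makes the deadline computable.

```python
"""Triage a cryptographic inventory against the order's deadlines:
classical key exchange by the end of 2030, classical signatures by 2031.

Added example; the inventory and its record shape are constructed.
"""
import re

# Constructed inventory: where encryption is used, which algorithm, and for what.
INVENTORY = [
    {"asset": "vpn-gateway TLS key exchange", "algorithm": "ECDHE-P256", "use": "key-exchange"},
    {"asset": "vpn-gateway server certificate", "algorithm": "RSA-2048", "use": "signature"},
    {"asset": "code-signing certificate", "algorithm": "ECDSA-P384", "use": "signature"},
    {"asset": "backup encryption", "algorithm": "AES-128-GCM", "use": "symmetric"},
    {"asset": "log archive integrity", "algorithm": "SHA-256", "use": "hash"},
    {"asset": "pilot TLS endpoint", "algorithm": "X25519MLKEM768", "use": "key-exchange"},
    {"asset": "vendor appliance firmware signing", "algorithm": "ML-DSA-65", "use": "signature"},
    {"asset": "legacy SSH host key", "algorithm": "ssh-dss", "use": "signature"},
    {"asset": "database at rest", "algorithm": "AES-256-GCM", "use": "symmetric"},
]

# Name fragments that identify a family. Post-quantum tokens are checked
# first because "ML-DSA" also contains the classical token "DSA".
PQ_TOKENS = ("ML-KEM", "MLKEM", "ML-DSA", "MLDSA", "SLH-DSA", "SLHDSA")
CLASSICAL_PK_TOKENS = ("RSA", "ECDSA", "ECDH", "DSA", "DSS", "X25519", "X448",
                       "ED25519", "ED448", "DH")


def family(algorithm):
    """Classify an algorithm name; hybrids containing a PQ component count as PQ."""
    name = algorithm.upper().replace("_", "-")
    if any(t in name for t in PQ_TOKENS):
        return "post-quantum"
    if any(t in name for t in CLASSICAL_PK_TOKENS):
        return "classical-public-key"
    if name.startswith("AES") or "CHACHA" in name:
        return "symmetric"
    if name.startswith("SHA"):
        return "hash"
    return "unknown"


def symmetric_bits(algorithm):
    """Key size from names like AES-128-GCM; ChaCha20 is fixed at 256 bits."""
    if "CHACHA" in algorithm.upper():
        return 256
    m = re.search(r"(?<!\d)(\d{3})(?!\d)", algorithm)
    return int(m.group(1)) if m else None


def triage(inventory):
    """Attach family, status (migrate / review / ok), deadline and a note."""
    out = []
    for item in inventory:
        fam, use = family(item["algorithm"]), item["use"]
        status, deadline = "review", None
        note = "unrecognised algorithm; inspect manually"
        if fam == "post-quantum":
            status, note = "ok", "post-quantum or hybrid; no migration needed"
        elif fam == "classical-public-key" and use == "key-exchange":
            status, deadline = "migrate", "end of 2030"
            note = "harvest-now-decrypt-later: sessions captured today become readable later"
        elif fam == "classical-public-key" and use == "signature":
            status, deadline = "migrate", "2031"
            note = "forgeable once a quantum computer exists; no retroactive exposure of past data"
        elif fam == "classical-public-key":
            note = "public-key algorithm with unrecorded use; record whether it exchanges keys or signs"
        elif fam == "symmetric":
            bits = symmetric_bits(item["algorithm"])
            if bits is not None and bits >= 256:
                status, note = "ok", "symmetric; Grover's algorithm only halves effective strength"
            else:
                note = "symmetric below 256 bits; plan a move to 256-bit keys"
        elif fam == "hash":
            status, note = "ok", "hash; no known quantum break"
        out.append({**item, "family": fam, "status": status,
                    "deadline": deadline, "note": note})
    return out


def summary(triaged):
    """Count assets per status, for the one-line report management asks for."""
    counts = {}
    for t in triaged:
        counts[t["status"]] = counts.get(t["status"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = triage(INVENTORY)
    for r in rows:
        print(f"{r['status']:<8} {r['deadline'] or '-':<12} {r['asset']:<36} {r['note']}")
    print(summary(rows))
```

On the constructed inventory, four assets need migrating (the VPN's key exchange carries the earlier deadline and the HNDL note; the three classical signatures get 2031), the pilot hybrid endpoint and the vendor's ML-DSA signing already pass, and AES-128 is flagged for review rather than migration because the quantum risk to symmetric keys is a halving of strength, not a break. The substring matching is deliberately loose so that vendor-specific names still land in a family; anything it cannot place is left as "review" rather than silently marked safe.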

Source: The White House

The Big Picture

Three of this week's flaws were under active attack within days of their patches, and in Ubiquiti's case before the patch existed, faster than most organizations' maintenance windows move. When CISA started giving federal agencies three days to remediate rather than weeks, it was keeping pace with a timeline that already exists, not setting a new one.

The Klue breach and the macOS research tell a different but related story. A forgotten credential became the way in at Klue, and a trusted security agent turned out to be something an ordinary user could switch off; neither problem arrives as a single patchable bug or gets resolved on Patch Tuesday. They surface when someone decides to look at what the organization stopped watching, which is a different kind of discipline than patching fast. The post-quantum order is that same lesson stretched across a decade: a clock running quietly in the background, on encryption that needs replacing before anyone is forced to replace it in a hurry. Speed matters this week. So does the slower work of auditing the things you've been trusting without checking.

Make sure to check back here next week for another Threat Thursday update. See you then!