Cybersecurity Daily Briefing: April 29, 2026

Coverage: Last 24 hours

Today’s Highlights

Active exploitation across Windows, ConnectWise, LiteLLM, and cPanel platforms defines today’s threat landscape. Attackers are moving with unprecedented speed to capitalize on newly disclosed vulnerabilities, leaving minimal time for defenders to react. Several incidents shed light on the risks inherent in SaaS and supply chain integrations: data breaches are impacting organizations indirectly through third parties. Meanwhile, threat actor tradecraft improves as OPSEC playbooks become more sophisticated, highlighting the critical need for rapid response, continuous monitoring, and regular review of both internal and external risk postures.

Table of Contents

  1. Microsoft says backend change broke Teams Free chat and calls
  2. Broken VECT 2.0 ransomware acts as a data wiper for large files
  3. Video service Vimeo confirms Anodot breach exposed user data
  4. US reportedly charges Scattered Spider hacker arrested in Finland
  5. Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data
  6. Microsoft to deprecate legacy TLS in Exchange Online starting July
  7. CISA orders feds to patch Windows flaw exploited as zero-day
  8. Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw
  9. CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV
  10. LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure
  11. Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately

Top Stories


Microsoft says backend change broke Teams Free chat and calls

Source: BleepingComputer | Risk: Medium | Impacted: Microsoft Teams Free users

Microsoft is working to resolve a known issue that prevents some Microsoft Teams Free users from chatting and calling others.

Why it matters: The disruption to Teams Free services can interrupt organizational workflows, forcing users to adopt unsupported alternatives or exposing internal operations to shadow IT risks.

Practitioner Perspective

IT teams using Microsoft Teams Free versions must anticipate degradation risks when major vendors make backend changes. Fallback communication plans and user guidance can minimize productivity loss and control information sprawl if outages persist. Maintaining a robust mechanism for service outage alerts is essential.

Recommended Actions

  • Update all Teams Free client installations to mitigate compatibility risks
  • Monitor Microsoft’s official service status channels for updates on Teams downtime

Broken VECT 2.0 ransomware acts as a data wiper for large files

Source: BleepingComputer | Risk: High | Impacted: Organizations with Windows endpoints, File servers, Incident response teams

Researchers are warning that the VECT 2.0 ransomware has a flaw in the way it handles encryption nonces that permanently destroys larger files rather than encrypting them.

Why it matters: Ransomware variants behaving as data wipers eliminate the prospect of data recovery, disrupting both incident response planning and business continuity for organizations relying on ransom payment as leverage.

Practitioner Perspective

Defenders should treat VECT 2.0 as a potentially destructive actor rather than a pure extortion play, especially given the broken implementation leading to irreversible data loss on large files. Traditional recovery tactics—such as paying for decryption—may be completely ineffective. This underscores the importance of uncompromised, offline, and regularly tested backups, and establishes a new precedent for attacker error resulting in unintentional wiper activity. Scrutinize your incident response runbooks to reflect this operational reality.

Recommended Actions

  • Hunt for VECT 2.0-specific ransomware IOCs in recent EDR telemetry
  • Verify the integrity and recoverability of offline and immutable backup solutions

Video service Vimeo confirms Anodot breach exposed user data

Source: BleepingComputer | Risk: Medium | Impacted: Vimeo business customers, SaaS admin teams, Privacy and compliance officers

Vimeo has disclosed that data belonging to some of its customers and users has been accessed without authorization following the recent breach at the Anodot data anomaly detection company.

Why it matters: A third-party SaaS analytics breach at Anodot cascades to client platforms like Vimeo, highlighting how data held by service providers can be compromised without direct attack on the client organization.

Practitioner Perspective

If your organization leverages SaaS or analytics vendors such as Anodot, you inherit their incident response shortcomings as part of your risk profile. This breach illustrates the need for real due diligence and continuous risk assessment of supply chain and service integrations. Without granular visibility and strong contract requirements around third-party data handling, your users’ privacy and business data are at stake through no direct failure of your controls. Review vendor risk management processes and monitor for follow-on phishing or downstream abuse using data leaked in such incidents.

Recommended Actions

  • Review data exfiltration logs from Anodot or similar platforms integrated with your environment
  • Initiate a risk review of all analytics and data anomaly detection SaaS providers

US reportedly charges Scattered Spider hacker arrested in Finland

Source: BleepingComputer | Risk: Medium | Impacted: Enterprises with distributed networks, SOC teams

A 19-year-old dual United States and Estonian citizen arrested in Finland earlier this month faces federal charges in the U.S. alleging he was a prolific member of the notorious Scattered Spider hacking collective.

Why it matters: Legal actions against high-profile cybercrime actors place additional attention on law enforcement’s cross-border reach, impacting threat group activity and shaping defensive posture.

Practitioner Perspective

High-profile takedowns do little to slow the broader ecosystem of cybercrime, but they can disrupt operations and shift group tactics. Organizations should treat coverage of these events as intelligence triggers: be on the lookout for copycats, splinters, or counter-offensive attacks by affiliated groups. Align detection priorities accordingly.

Recommended Actions

  • Monitor for changes in TTPs among affiliates of Scattered Spider in threat intelligence feeds
  • Update incident response playbooks to address group fragmentation or copycat activity

Checkmarx confirms LAPSUS$ hackers leaked its stolen GitHub data

Source: BleepingComputer | Risk: Medium | Impacted: Checkmarx customers, DevSecOps teams, Security operations centers

Application security company Checkmarx has confirmed that the LAPSUS$ threat group leaked data stolen from its private GitHub repository.

Why it matters: Exposure of source code and internal data from major security vendors like Checkmarx can fuel new attacker exploit development and erode trust in vendor update channels.

Practitioner Perspective

Checkmarx’s leak at the hands of LAPSUS$ shows that threat actors continue to target application security tool providers as stepping stones into wider supply chains. Open access to private GitHub repositories could enable attackers to discover undocumented vulnerabilities or poison the software distribution pipeline. Prioritize monitoring for repackaged or trojanized versions of affected vendor tools, and maintain vigilance around dependency updates from breached codebases. Communicate proactively with affected vendors to verify update integrity.

Recommended Actions

  • Validate the code provenance of any Checkmarx artifacts and plugins pulled since the timeframe of the breach
  • Monitor security channels for indicators of tampered or malicious updates referencing Checkmarx

Microsoft to deprecate legacy TLS in Exchange Online starting July

Source: BleepingComputer | Risk: Medium | Impacted: Mail admins using Exchange Online, Teams with legacy POP/IMAP integrations, Internal IT supporting old MUA programs

Microsoft says it will start blocking legacy TLS connections for POP and IMAP email clients in Exchange Online starting in July 2026.

Why it matters: Deprecation of legacy TLS in Exchange Online will disrupt connectivity for unsupported POP/IMAP email clients, potentially breaking automated workflows and creating visibility gaps if not proactively addressed.

Practitioner Perspective

Organizations relying on Exchange Online must inventory all inbound and outbound mail dependencies, since legacy clients and scripts will stop working once older TLS versions are blocked. This move is long overdue for reducing cryptographic downgrade risks but creates potential for sudden outages among overlooked systems or third-party integrations. The right play is to migrate or update clients now, before Microsoft’s enforcement causes operational impact. Visibility into authentication failures and transport logs will be critical after the cutover.

Recommended Actions

  • Audit all Exchange Online client connections for legacy TLS usage
  • Update or replace unsupported email clients before July enforcement

Emerging Signals


Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately

Source: The Hacker News | Risk: High | Impacted: cPanel web hosts, Web hosting providers, SMBs with hosted domains

cPanel has released security updates to address an issue impacting various authentication paths that could allow an attacker to obtain access to the control panel software. The problem affects all currently supported versions, according to an alert released by cPanel on Tuesday. The issue has been addressed in the following versions: 11.110.0.97, 11.118.0.63, 11.126.0.54 and 11.132.0.29.

Why it matters: A broadly exploitable cPanel authentication bug jeopardizes control over web servers, potentially exposing hosted client data and enabling further attacks via compromised admin interfaces.

Practitioner Perspective

Web hosting environments using cPanel—especially with shared tenants and limited isolation—are highly exposed when authentication mechanisms fail. With the issue present across all supported versions, attackers have ample opportunity to hijack sites, redirect client traffic, or launch phishing campaigns. You should prioritize the patched releases (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29) not just for internet-facing systems but also for internal segment boundaries where privilege escalation is a concern. Monitor for brute-force attempts or authentication anomalies even after patching, as exploitation attempts may persist.

Recommended Actions

  • Upgrade cPanel installations to patched versions (11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29) immediately
  • Audit authentication logs for suspicious or failed login attempts across vulnerable timeframes

Exploits & CVEs


CISA orders feds to patch Windows flaw exploited as zero-day

Source: BleepingComputer | Risk: High | Impacted: Windows fleets, Public sector networks, Enterprises with remote workforces

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to secure their Windows systems against a vulnerability exploited in zero-day attacks.

Why it matters: A publicly exploited Windows flaw gives attackers a straightforward initial access vector that can lead to system compromise, privilege escalation, or lateral movement—especially in large, decentralized environments or those lagging on patch management.

Practitioner Perspective

Federal mandates to patch are a strong signal the exploitation is nontrivial, and defenders in any Windows-heavy environment should treat similar flaws as high priority, even absent formal directives. These incidents often serve as a harbinger for broader criminal adoption and copycat exploits outside of government. If your Windows patch cadence is not tightly managed or you allow significant lag between vulnerability disclosure and remediation, you are at elevated risk. Now is the time to scrutinize detection coverage for post-exploitation behaviors, not just signature-based protections.

Recommended Actions

  • Apply CISA-mandated Windows patches to all supported endpoints without deferral
  • Hunt for suspicious process injection, privilege escalation, and outbound C2 patterns post-patch

Hackers are exploiting a critical LiteLLM pre-auth SQLi flaw

Source: BleepingComputer | Risk: High | Impacted: LiteLLM server admins, AI product teams, DevOps and MLOps pipelines

Hackers are targeting sensitive information stored in the LiteLLM open-source large-language model (LLM) gateway by exploiting a critical vulnerability tracked as CVE-2026-42208.

Why it matters: Unpatched LiteLLM environments facing the internet allow unauthenticated attackers to extract or modify sensitive LLM data and configuration, potentially exposing proprietary algorithms or user interactions.

Practitioner Perspective

Organizations experimenting with or deploying public-facing LLM infrastructure are rapidly becoming high-value targets for opportunistic attackers. CVE-2026-42208 impacts LiteLLM instances and is notable for being exploited within days of disclosure, underscoring limitations of reactive patch workflows in dev-heavy teams. If your environment includes this or similar open-source AI gateways, treat them as high-risk assets and validate all compensating controls. This category of flaw is likely to become an attacker favorite due to low technical barriers and critical data proximity.

Recommended Actions

  • Patch all LiteLLM deployments for CVE-2026-42208 immediately—prioritize internet-exposed instances
  • Audit access logs for pre-patch exploitation attempts and unusual API calls

CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV

Source: The Hacker News | Risk: High | Impacted: ConnectWise ScreenConnect operators, MSP environments, Remote IT and helpdesk teams

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities are listed below:

  • CVE-2024-1708 (CVSS score: 8.4) – A path traversal vulnerability in ConnectWise ScreenConnect

Why it matters: The inclusion of ConnectWise ScreenConnect CVE-2024-1708 and a Windows flaw in the KEV catalog signals an elevated threat landscape for remote access and desktop management tools, which are commonly abused for initial access and persistence.

Practitioner Perspective

ScreenConnect’s path traversal vulnerability enables unauthenticated attackers to bypass key security controls, making exposed instances a magnet for both targeted and mass exploitation campaigns. Bugs like these are continually weaponized by ransomware operators and initial access brokers. If ConnectWise ScreenConnect is anywhere in your stack—especially internet-facing—you must act with the highest urgency. The same goes for the Windows vulnerability, where a slow response invites broad exploitation. Monitor for active exploit activity and disable or restrict access if patching is not immediately possible.

Recommended Actions

  • Patch ConnectWise ScreenConnect for CVE-2024-1708 on all deployments—remove public exposure if delay is unavoidable
  • Review usage logs for unusual connection activity or privilege escalation events post-disclosure

LiteLLM CVE-2026-42208 SQL Injection Exploited within 36 Hours of Disclosure

Source: The Hacker News | Risk: High | Impacted: BerriAI LiteLLM deployments, API gateway admins, Organizations exposing LLM endpoints

In yet another instance of threat actors quickly jumping on the exploitation bandwagon, a newly disclosed critical security flaw in BerriAI’s LiteLLM Python package has come under active exploitation in the wild within 36 hours of the bug becoming public knowledge. The vulnerability, tracked as CVE-2026-42208 (CVSS score: 9.3), is an SQL injection that could be exploited to modify the

Why it matters: Attackers moving within 36 hours of disclosure illustrate that any lag in mitigation exposes organizations to real-world risk, particularly where AI-related middleware bridges sensitive data and critical processes.

Practitioner Perspective

If you manage BerriAI’s LiteLLM Python package, operational response time is your only meaningful control against supply chain attack risks here. The pace of exploitation sets a new bar for how quickly AI infrastructure vulnerabilities are targeted. Built-in protections and classic web threat mitigations (like WAF or strict firewalling) are insufficient if instances are left unpatched and externally reachable. Validate your team’s ability to react at the speed of proof-of-concept code, not just vendor patch announcements.

Recommended Actions

  • Deploy the patched version of LiteLLM for CVE-2026-42208 across all environments
  • Search for exploitation IOCs in logs dating back to initial disclosure

Defensive Actions

  • Shift threat hunting to look for infrastructure and credential reuse despite separation attempts (reference: OPSEC Playbook trends)
  • Enhance behavioral analytics to flag persistent but low-and-slow attacker activity (reference: OPSEC Playbook trends)
  • Pair intelligence analysis with advanced UEBA to identify weak OPSEC missteps across different layers (reference: OPSEC Playbook trends)
  • Apply CISA-mandated Windows patches to all supported endpoints without deferral
  • Hunt for suspicious process injection, privilege escalation, and outbound C2 patterns post-patch on Windows systems
  • Patch all LiteLLM deployments for CVE-2026-42208 immediately—prioritize internet-exposed instances
  • Deploy patched versions of BerriAI LiteLLM for CVE-2026-42208 across all environments
  • Patch ConnectWise ScreenConnect for CVE-2024-1708 on all deployments and remove public exposure if delay is unavoidable
  • Upgrade cPanel installations to patched versions immediately
  • Review data exfiltration logs from all integrated SaaS platforms, especially those used for analytics or anomaly detection

What We’re Watching

Security teams should continue to monitor for rapid exploitation following disclosure, especially where vulnerabilities intersect with AI, remote management, or supply chain integration. OPSEC sophistication among attackers is likely to increase the use of low-and-slow tactics and complicate detection based on traditional IOCs or known bad infrastructure. Maintain a close watch on vendor patch releases, service outages with potential security impact, and emerging campaign indicators in telemetry aligned to the latest KEV and supply chain exposures.



Categories: Cybersecurity Blog, Cybersecurity News
