|
CVEasy Weekly
This Week in Exposure
Week 27 · June 23 to June 29, 2026
|
|
There was a theme this week, and it was not subtle. The network gear at your edge, the sandbox that vets your traffic, and the AI assistant writing your code all turned into the way in. Three separate stories, one uncomfortable lesson: the systems we trust to inspect, protect, or accelerate us are attack surface too.
Here is what mattered, ranked by real risk, not just CVSS.
|
|
Top Exposures This Week
|
1. UniFi OS: a triple CVSS 10.0 chain, already in a botnet
CVE-2026-34908 · CVE-2026-34909 · CVE-2026-34910 · Ubiquiti UniFi OS
An nginx auth bypass, a path traversal, and a package-name command injection chain into a single unauthenticated request that drops a root shell on exposed UniFi gear.
Risk read: This is the worst quadrant. Unauthenticated, network-reachable, root, and no longer theoretical. A Mirai variant has been recruiting exposed devices since June 9, and CISA added all three to the KEV catalog on June 23. The blast radius is every UniFi appliance with a management interface facing the internet. Exploitation is live, so the window already closed.
Read the full TRIS walk →
|
|
2. FortiSandbox: the appliance that vets your traffic is handing out shells
CVE-2026-39813 · CVE-2026-39808 · CVE-2026-25089 · Fortinet FortiSandbox
A pipe character in the jid parameter on the job-detail tracer endpoint hands an unauthenticated attacker root on the box that issues verdicts to FortiGate, FortiMail, FortiClient, and FortiEDR.
Risk read: Under active exploitation since June 15. The danger is not just the box, it is the trust the rest of your Fortinet stack places in its verdicts. Own the sandbox and you can quietly bless malware across the whole fabric. That propagation path is exactly what CVSS misses and TRIS scores.
Read the full breakdown →
|
|
3. TrapDoor: 34 packages that weaponize your AI coding assistant
Supply chain · npm, PyPI, Crates.io
The TrapDoor campaign planted 34 malicious packages across 384 versions, poisoning .cursorrules and CLAUDE.md files so AI coding assistants quietly exfiltrate wallet keys, SSH keys, and cloud credentials.
Risk read: No single CVSS number captures this, which is the point. The payload does not target your machine, it targets the assistant you have already told to trust your repo. The exposure scales with how much you have automated, and it lands inside your most privileged context.
Read the TRIS scoring →
|
|
Threat Actor Spotlight
The Mirai operators behind the UniFi recruitment (scanning from 176.65.148.183 since June 9) are running the oldest play in the IoT botnet book: find internet-exposed edge devices the day a root bug drops, and absorb them before defenders patch. They do not need a novel technique, just your management interface on a public IP. Hardening takeaway: get device and appliance admin interfaces off the open internet entirely. VPN or a bastion in front of management planes turns a same-day mass-exploitation event into a non-event for you.
|
Patch This First
Ubiquiti UniFi OS. Three CVSS 10.0 flaws, on the CISA KEV list, already in a live botnet. If you run UniFi, update to a fixed UniFi OS build today and confirm no management interface is reachable from the internet. Everything else on this list can wait until after that is done.
|
|
The pattern this week is the whole reason we built CVEasy. A raw CVSS feed tells you three appliances scored 10.0 and shrugs. It does not tell you which one is in a botnet, which one poisons the rest of your stack, or which one is hiding inside your AI assistant. That is the gap TRIS exists to close, and it is the gap I want this letter to close for you every Monday.
Patch well, Chris Boker Founder, CVEasy AI
|
You are receiving CVEasy Weekly because you subscribed at cveasyai.com.
CVEasy AI · Unsubscribe
|
|