- Cisco Unified CM critical vulnerability
ThreatNoir Afternoon Brief — June 24
Afternoon Review in IT Security — June 24, 2026
The security landscape continues to face mounting pressure from multiple fronts as critical vulnerabilities in widely-deployed systems are actively exploited, while new malware families establish footholds across enterprise networks. Today's threat intelligence reveals urgent risks spanning supply chain integrity, telecommunications infrastructure, endpoint security, and ransomware operations.
Exploitable CI/CD Vulnerabilities Expose Millions of Repositories to Hijacking
Critical security defects in continuous integration and continuous deployment systems have emerged that permit unauthenticated users to seize control of the open source software supply chain. These vulnerabilities represent a significant threat to the integrity of millions of code repositories globally, as threat actors can leverage the flaws to inject malicious code at scale without requiring valid credentials. The exposure underscores the systemic risks inherent in modern development workflows where security controls may be insufficient to prevent unauthorized access to sensitive build and deployment processes. Source: Exploitable CI/CD Vulnerabilities Expose Millions of Repositories to Hijacking
Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root
Threat actors have begun active exploitation of CVE-2026-20230, a critical vulnerability affecting Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition with a CVSS severity score of 8.6. The flaw stems from improper input validation in specific HTTP requests, allowing unauthenticated remote attackers to write files and escalate privileges to root level access. The public release of proof-of-concept code has accelerated the threat timeline, enabling malicious actors to rapidly weaponize the vulnerability against unpatched systems in production environments. Source: Cisco Unified CM Flaw Exploited After PoC Reveals File-Write Path to Root
Apple's MacOS Gap Lets Users Disable Security Tools
A security gap in Apple's macOS operating system allows attackers to disable integrated security and browser tools without requiring administrator privileges or executing kernel-level exploits. This vulnerability significantly lowers the barrier to entry for threat actors seeking to circumvent endpoint protections on compromised systems. The ability to disable security mechanisms without elevated permissions represents a critical gap in macOS's defense-in-depth architecture and poses particular risk to organizations relying on macOS as their primary endpoint platform. Source: Apple's MacOS Gap Lets Users Disable Security Tools
New 'Mistic' RAT Opens Door to Several Ransomware Families
A newly identified remote access trojan designated Mistic has become a preferred tool for Woodgnat, an initial access broker that maintains operational relationships with multiple ransomware-as-a-service gangs including Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta. The malware serves as an entry point into target networks, enabling downstream deployment of ransomware payloads and facilitating extortion campaigns. This collaborative ecosystem demonstrates the maturation of the ransomware threat landscape, where specialized actors coordinate across the attack chain to maximize operational effectiveness and revenue generation. Source: New 'Mistic' RAT Opens Door to Several Ransomware Families
Organizations must prioritize immediate patching of disclosed vulnerabilities, implement strict controls over CI/CD pipeline access, and strengthen detection capabilities for initial access broker activities to mitigate the converging risks evident in today's threat landscape.
Sources & IOCs
Source articles and extracted indicators (defanged where appropriate).
- MisticRemote Access Trojan (RAT) used by Woodgnat.
- MLTBackdoorAlias for the Mistic RAT.
- ModeloRATPreviously used by Woodgnat.