TL;DR
Iranian MOIS-linked group deploys new Cavern C2 framework against Israeli IT providers; Linux KVM hypervisor flaw (CVE-2026-53359) enables guest-to-host escape on Intel/AMD; Adobe ColdFusion max-severity RCE now actively exploited in the wild.
Executive Summary
- Iranian threat actors affiliated with MOIS are deploying a previously undocumented modular command-and-control framework (Cavern/Cav3rn) against Israeli IT providers, marking a new toolset in state-sponsored operations.
- A 16-year-old use-after-free vulnerability in Linux KVM (CVE-2026-53359) allows guest virtual machines to escape and corrupt the host kernel’s shadow-page state on both Intel and AMD x86 systems.
- Adobe ColdFusion maximum-severity remote code execution vulnerability (CVE-2026-48282) is now being actively exploited by threat actors.
- Threat actors are probing a critical Docker/Gitea authentication bypass (CVE-2026-20896, CVSS 9.8) within 13 days of patch release, indicating rapid weaponization cycles.
- Phishing campaigns impersonating 30+ major brands (Adobe, Netflix, OpenAI) target Google account credentials from marketing professionals.
Top Threats Today
1. Adobe ColdFusion Remote Code Execution Under Active Attack
Severity: CRITICAL Affected: Technology
A maximum-severity vulnerability in Adobe ColdFusion (CVE-2026-48282) is being actively exploited by attackers in the wild [1]. The source does not detail patch availability or targeted organizations at this time.
Sources:[1] BleepingComputer
Recommended Action
- Prioritize ColdFusion instances for immediate vulnerability scanning and patch deployment
- Monitor firewall and IDS alerts for ColdFusion exploitation attempts
- Apply Adobe’s latest security updates immediately upon release
- If patching is delayed, implement network segmentation to isolate ColdFusion servers from untrusted traffic
2. Iranian State-Sponsored C2 Framework Targets Israeli IT Infrastructure
Severity: HIGH Affected: Government, Technology
An Iranian hacking group affiliated with Iran’s Ministry of Intelligence and Security (MOIS) has been operating a previously undocumented modular command-and-control framework dubbed Cavern (aka Cav3rn) [1]. The campaign has primarily targeted Israeli IT providers, indicating a focus on supply chain and infrastructure access ⚠[1].
Sources:[1] The Hacker News
Recommended Action
- IT service providers serving Israeli government and critical sectors should implement enhanced endpoint detection and response (EDR)
- Review outbound network connections for indicators of C2 communication
- Conduct immediate threat hunt for Cavern indicators of compromise once published by threat intelligence sources
- Increase logging and alerting on lateral movement and credential access
3. Linux KVM Hypervisor Use-After-Free Enables VM Escape
Severity: HIGH Affected: Technology
A use-after-free bug in Linux’s KVM hypervisor, dubbed “Januscape” and tracked as CVE-2026-53359, resides in the shadow MMU code shared across both Intel and AMD x86 systems [1]. The flaw can be triggered from a guest virtual machine to corrupt the shadow-page state of the host kernel [1], potentially enabling full host compromise.
Sources:[1] The Hacker News
Recommended Action
- Audit all Linux KVM deployments for guest isolation levels and untrusted workload placement
- Monitor Linux kernel security mailing lists and vendor advisories for patch availability
- Apply kernel updates to hypervisor hosts immediately once released
- Consider enhanced hypervisor isolation policies if patching cannot be expedited
4. Gitea Docker Authentication Bypass Exploited Within Days of Disclosure
Severity: HIGH Affected: Technology
Threat actors have been observed attempting to exploit CVE-2026-20896, a critical vulnerability in Gitea Docker images (CVSS 9.8), within 13 days of the patch’s public disclosure [1]. The vulnerability stems from the DevOps platform trusting the “X-WEBAUTH-USER” header, allowing authentication bypass [1].
Sources:[1] The Hacker News
Recommended Action
- Update all Gitea Docker deployments to the latest patched version immediately
- Review and disable reliance on untrusted authentication headers in reverse proxy configurations
- Monitor Gitea access logs for suspicious “X-WEBAUTH-USER” header manipulation
- Implement rate limiting and IP allowlisting on Gitea administrative endpoints
5. Phishing Campaign Impersonates Premium Brands to Harvest Google Credentials
Severity: HIGH Affected: Technology
A phishing campaign is impersonating more than 30 well-known brands, including Adobe, Netflix, Coca-Cola, and OpenAI, in fake job interview scenarios to steal Google account credentials from marketing professionals [1]. The social engineering approach exploits hiring processes at recognized organizations.
Sources:[1] BleepingComputer
Recommended Action
- Brief marketing and HR teams on fake job interview phishing indicators and verification protocols
- Deploy email filtering rules to block malicious job interview domains and phishing URLs
- Enforce mandatory multi-factor authentication (MFA) on all corporate Google Workspace accounts
- Monitor user account sign-in logs for suspicious geographic login locations and device activity
Today’s Action Checklist
- ☐ URGENT: Patch Adobe ColdFusion instances to address CVE-2026-48282 and monitor for active exploitation attempts.
- ☐ URGENT: Update all Gitea Docker images to the latest version to remediate CVE-2026-20896 authentication bypass.
- ☐ HIGH: Audit Linux KVM hypervisor configurations and prepare for kernel patching of CVE-2026-53359 once released.
- ☐ HIGH: Review threat intelligence feeds for Cavern C2 indicators and implement detection signatures in network monitoring tools.
- ☐ MEDIUM: Conduct phishing awareness training targeting marketing teams on job interview impersonation tactics and enforce MFA on Google Workspace.