Android, WinRAR, WordPress Kirki: Three critical zero-days under active exploitation

Severity● High

ThreatsZero-Day Vuln Exploit APT Malware Ransomware

How to read this briefing

Verified facts — NVD & CISA KEV Partially verified — awaiting NVD enrichment AI analysis — synthesis, verify before acting ^[1]Inline citations — click any [N] to view the source

Actionable · Verified facts

NVD-published · CISA KEV cross-checked

CVE	CVSS	Vendor · Product	Exploitation	Refs
🛡️CVE-2025-48595	8.4 NVD 3.1	Google Android	In CISA KEV	[1] [2]
🛡️CVE-2025-8088	8.8 NVD 3.1	Rarlab Winrar	In CISA KEV	[1] [2]
🛡️CVE-2024-21182	7.5 NVD 3.1	Oracle Weblogic Server	In CISA KEV	[1] [2]

Actionable · Partially verified

CVE in source articles · NVD enrichment pending

CVE	CVSS	Vendor · Product	Exploitation	Refs
⏳CVE-2026-8206	9.8 NVD 3.1	WordPress Kirki Plugin	no reports	[1] [2]

Contextual · AI analysis Synthesized from 10 feeds · verify before acting

TL;DR

Google patched 124 Android vulnerabilities including one actively exploited zero-day (CVE-2025-48595, CVSS 8.4). Russian group Gamaredon weaponized WinRAR CVE-2025-8088 against Ukrainian targets. WordPress Kirki plugin privilege escalation under active exploitation.

THREAT LEVEL: HIGH – Multiple vulnerabilities under active exploitation across Android, WinRAR, and WordPress require immediate patching

Executive Summary

Google released patches for 124 Android flaws in June 2026, including one high-severity Framework vulnerability (CVE-2025-48595, CVSS 8.4) confirmed under active exploitation.
Russian threat actor Gamaredon is actively exploiting WinRAR path traversal vulnerability CVE-2025-8088 to deliver GammaWorm and GammaSteel malware targeting Ukraine.
Critical privilege escalation flaw CVE-2026-8206 in WordPress Kirki plugin is being actively exploited to hijack administrator accounts.
Oracle WebLogic Server vulnerability CVE-2024-21182 (CVSS 7.5) added to CISA's Known Exploited Vulnerabilities catalog following evidence of active in-the-wild exploitation.
A new AI-powered ransomware toolkit is automating Active Directory discovery and EDR evasion techniques.

Top Threats Today

1. Google Android Zero-Day Under Active Exploitation

Severity: HIGH Affected: Technology

Google released patches for 124 security vulnerabilities impacting Android in June 2026, including CVE-2025-48595 (CVSS score 8.4), a high-severity flaw in the Framework component that has come under active exploitation ^[1]^[2]. The vulnerability affects billions of Android installations globally ⚠^[2].
Sources:[1] The Hacker News[2] SecurityWeek

Recommended Action

Deploy Android security patch immediately to all managed devices
Prioritize devices running the Framework component affected by CVE-2025-48595
Monitor for any indicators of compromise on unpatched systems

2. Gamaredon APT Weaponizing WinRAR Against Ukraine

Severity: HIGH Affected: Government

Russian hacking group Gamaredon has been attributed to active exploitation of WinRAR vulnerability CVE-2025-8088, a path traversal flaw, to deliver multiple malware families including GammaWorm and GammaSteel aimed at data theft and propagation ^[1]. The activity targets Ukrainian organizations ^[1].
Sources:[1] The Hacker News

Recommended Action

Update WinRAR to patched version immediately
Block WinRAR if not operationally required; restrict file extraction privileges
Monitor for suspicious archive extraction activity and network indicators associated with Gamaredon operations

3. WordPress Kirki Plugin Privilege Escalation Under Attack

Severity: HIGH Affected: Technology

Hackers are actively exploiting critical privilege escalation vulnerability CVE-2026-8206 in the Kirki plugin for WordPress to take over any user account, including administrator accounts ^[1]. The flaw is being weaponized in the wild.
Sources:[1] BleepingComputer

Recommended Action

Update Kirki plugin to the latest patched version immediately
Disable or remove Kirki plugin if not actively required
Audit WordPress user accounts for unauthorized modifications; reset all admin credentials
Review access logs for suspicious privilege escalation activity

4. Oracle WebLogic Server Vulnerability Added to CISA KEV Catalog

Severity: HIGH Affected: Technology

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-21182 to its Known Exploited Vulnerabilities (KEV) Catalog on Monday based on evidence of active exploitation ^[1]. The high-severity vulnerability in Oracle WebLogic Server carries a CVSS score of 7.5 ^[1].
Sources:[1] The Hacker News

Recommended Action

Apply Oracle security patches for WebLogic Server without delay
Prioritize systems running affected versions identified in Oracle advisories
Segment WebLogic systems from less-trusted networks; restrict administrative access

5. AI-Powered Ransomware Toolkit Automates AD Discovery and EDR Evasion

Severity: HIGH Affected: Technology

A threat actor is using an AI-built ransomware attack toolkit that automates Active Directory discovery and helps evade endpoint detection and response (EDR) solutions ^[1]. The toolkit represents a significant escalation in attack automation capabilities.
Sources:[1] BleepingComputer

Recommended Action

Review and harden Active Directory permissions; apply principle of least privilege
Enhance EDR detection rules for lateral movement and privilege escalation patterns
Implement network segmentation to limit AD exposure; monitor for enumeration activity
Deploy behavioral analytics to detect anomalous AD queries and privilege escalation attempts

Today’s Action Checklist

☐ URGENT: Deploy Android security patch (CVE-2025-48595) to all managed devices
☐ URGENT: Update or disable WordPress Kirki plugin (CVE-2026-8206) and reset admin credentials
☐ URGENT: Update WinRAR to patched version; restrict file extraction privileges
☐ URGENT: Apply Oracle WebLogic Server patches; review CISA KEV for affected versions
☐ Harden Active Directory; review EDR detection rules for AI-powered attack patterns
☐ Monitor threat intelligence feeds for Gamaredon IOCs and malware signatures (GammaWorm, GammaSteel)

Editorial integrity

Verified facts (green zone): 4 CVE ID(s) verified verbatim against source articles; 3 published in NVD with full canonical data (vendor, product, CVSS, references); 1 awaiting NVD enrichment (1 reserved); 3 confirmed exploited (CISA KEV); 1 corroborated across 2+ sources.

Partially verified (yellow zone): CVE IDs are real and present in source articles, but NVD has not yet finished enrichment (vendor / product / CVSS). This is normal for vulnerabilities disclosed within the last 1–3 days. We re-check NVD daily and the page auto-updates when canonical data arrives.

AI analysis (purple zone): the narrative was generated by an AI model from 10 source feeds. Each threat description shows the sources it draws from, and individual claims include inline [N] citations linking to the originating source article. Verify specifics before acting in production.

Find an error? contact@defend.network

🤖 This briefing was compiled by defend.network using AI-powered analysis of multiple cybersecurity sources including CISA advisories, vendor security bulletins, and threat intelligence feeds. Always verify critical intelligence through official vendor channels before taking action.

TL;DR

Executive Summary

Top Threats Today

1. Google Android Zero-Day Under Active Exploitation

Recommended Action

2. Gamaredon APT Weaponizing WinRAR Against Ukraine

Recommended Action

3. WordPress Kirki Plugin Privilege Escalation Under Attack

Recommended Action

4. Oracle WebLogic Server Vulnerability Added to CISA KEV Catalog

Recommended Action

5. AI-Powered Ransomware Toolkit Automates AD Discovery and EDR Evasion

Recommended Action

Today’s Action Checklist

Get Tomorrow’s Briefing in Your Inbox