Critical Lantronix flaw actively exploited

Severity High

How to read this briefing

Verified facts — NVD & CISA KEV Partially verified — awaiting NVD enrichment AI analysis — synthesis, verify before acting ^[1]Inline citations — click any [N] to view the source

How our verification pipeline works →

Actionable · Partially verified

CVE in source articles · NVD enrichment pending

CVE	CVSS	Vendor · Product	Exploitation	Refs
⏳CVE-2026-20245	awaiting NVD	Cisco Catalyst SD-WAN	In the wild In CISA KEV	NVD →

Contextual · AI analysis Synthesized from 10 feeds · verify before acting

TL;DR

Lantronix EDS5000 critical flaw actively exploited; CISA mandates patching by June 26. Amadey and StealC malware networks dismantled in law enforcement operation recovering 27M credentials. Cordyceps CI/CD weakness exposes 300+ GitHub repositories to supply-chain compromise.

THREAT LEVEL: HIGH – Active exploitation of critical infrastructure device combined with major malware takedown and emerging supply-chain CI/CD risks require immediate patching and workflow review.

Executive Summary

CISA warns of active exploitation of Lantronix EDS5000 Series devices; federal agencies ordered to patch by June 26, 2026.
Microsoft and law enforcement partners disrupted Amadey and StealC malware infrastructure, recovering 27 million stolen credentials.
Cordyceps CI/CD vulnerability pattern discovered affecting 300+ GitHub repositories, enabling supply-chain workflow hijacking.
New malicious Microsoft Edge extension (Edgecution) abuses Native Messaging to escape sandbox and deploy Python backdoor in ransomware attacks.
Cisco SD-WAN zero-day (CVE-2026-20245) exploited to create rogue root accounts on targeted systems.

Top Threats Today

1. Lantronix EDS5000 Critical Flaw in Active Exploitation

Severity: CRITICAL Affected: Government Infrastructure

CISA has warned of active exploitation of a critical security flaw in Lantronix EDS5000 Series devices and is mandating that Federal Civilian Executive Branch agencies apply fixes by June 26, 2026 ^[1]. The vulnerability details remain limited in available reporting, but the active-exploitation status and federal remediation deadline indicate imminent risk to operational technology and critical infrastructure networks.
Sources:[1] The Hacker News

Recommended Action

Identify all Lantronix EDS5000 Series devices in your network inventory immediately.
Apply available security patches before June 26 deadline or isolate affected devices if patching is not feasible.
Monitor CISA advisories and Lantronix vendor bulletins for detailed patch guidance and technical indicators.
Review network segmentation around serial-to-ethernet and out-of-band management devices.

2. Amadey and StealC Malware Networks Dismantled; 27M Credentials Recovered

Severity: HIGH Affected: Technology

A coordinated law enforcement operation involving Microsoft, Bitdefender, Bitsight, and ESET has resulted in the takedown of criminal infrastructure powering Amadey ⚠ and StealC malware families ^[1]^[2]. The operation disrupted more than 300 servers and recovered 27 million stolen credentials ⚠^[1]^[2]. According to Microsoft, the operation targeted the full cybercrime “supply chain” of these malware operations ^[2]. This represents a significant disruption of widely-used credential-stealing malware families that have targeted enterprise and consumer systems globally.
Sources:[1] The Hacker News[2] The Record[3] SecurityWeek

Recommended Action

Check Microsoft and Bitdefender threat intelligence feeds for indicators of compromise linked to Amadey and StealC command-and-control infrastructure.
If your organization uses credentials that may have been in compromised lists, reset passwords and review account access logs for unauthorized activity.
Deploy or update antimalware signatures to detect Amadey and StealC variants and monitor for command-and-control callbacks.
Review your incident response logs to determine if your systems were infected by either malware family before the takedown.

3. Cordyceps CI/CD Pattern Exposes 300+ GitHub Repositories to Supply-Chain Hijacking

Severity: HIGH Affected: Technology

Cybersecurity researchers at Novee Security have identified a new class of CI/CD workflow weakness codenamed “Cordyceps” that enables attackers to hijack GitHub workflows and compromise open-source supply chains ^[1]. The critical exploitable pattern has been found affecting 300 or more GitHub repositories ^[1]. The flaw allows full attacker control of repositories, representing a supply-chain attack vector that can inject malicious code into widely-distributed software.
Sources:[1] The Hacker News

Recommended Action

Audit your GitHub Actions workflows for overly permissive permissions and external trigger conditions that could enable unauthorized code injection.
Implement branch protection rules requiring code review and limiting who can modify workflow definitions.
Monitor GitHub Actions execution logs for anomalous workflow runs or commits from unexpected sources.
Review dependencies on third-party GitHub Actions and consider pinning versions to specific commit SHAs rather than branch tags.

4. Malicious Microsoft Edge Extension Deploys Python Backdoor via Native Messaging

Severity: HIGH Affected: Technology

A malicious Microsoft Edge extension dubbed “Edgecution” has been used in ransomware attacks to escape the browser sandbox and deploy a Python-based backdoor ^[1]. The attack abuses Native Messaging functionality to bridge from the browser into the broader system, enabling installation of persistent malware on compromised systems.
Sources:[1] BleepingComputer

Recommended Action

Audit installed Microsoft Edge extensions across your organization and remove any unfamiliar or suspicious extensions.
Implement policies to restrict Edge extension installation to an approved organizational list.
Monitor for suspicious Native Messaging activity between browser processes and system executables.
If ransomware recovery is needed, isolate affected systems and engage incident response before restoring from backups.

5. Cisco SD-WAN Zero-Day Used to Create Rogue Root Accounts

Severity: HIGH Affected: Technology

Mandiant has revealed details on exploitation of a Cisco Catalyst SD-WAN vulnerability tracked as CVE-2026-20245 in zero-day attacks to create rogue root accounts on targeted devices ^[1]. The flaw provides attackers with persistent administrative access to SD-WAN appliances, which control critical network traffic across enterprise networks.
Sources:[1] BleepingComputer

Recommended Action

Contact Cisco immediately for availability of patches for Catalyst SD-WAN appliances in your environment.
Review Cisco SD-WAN device logs for suspicious user account creation or administrative access from unfamiliar sources.
Implement out-of-band monitoring and segmentation of SD-WAN management interfaces to limit attack surface.
If compromise is suspected, plan for device reimaging and credential rotation across affected network segments.

Today’s Action Checklist

☐ URGENT: Identify and patch all Lantronix EDS5000 Series devices before June 26 deadline or implement compensating controls.
☐ URGENT: Audit Cisco Catalyst SD-WAN appliances for unauthorized root accounts and check Mandiant/Cisco threat feeds for CVE-2026-20245 IOCs.
☐ HIGH: Review GitHub Actions workflows and branch protection settings; audit Edge extensions across organization.
☐ HIGH: Check if organization credentials appear in 27M-record set recovered from Amadey/StealC takedown; reset passwords if exposed.
☐ STANDARD: Update antimalware signatures for Amadey and StealC variants and block known C&C infrastructure.

Editorial integrity

Verified facts (green zone): 1 CVE ID(s) verified verbatim against source articles; 1 awaiting NVD enrichment (1 pending); 1 confirmed exploited (CISA KEV).

Partially verified (yellow zone): CVE IDs are real and present in source articles, but NVD has not yet finished enrichment (vendor / product / CVSS). This is normal for vulnerabilities disclosed within the last 1–3 days. We re-check NVD daily and the page auto-updates when canonical data arrives.

AI analysis (purple zone): the narrative was generated by an AI model from 10 source feeds. Each threat description shows the sources it draws from, and individual claims include inline [N] citations linking to the originating source article. Verify specifics before acting in production.

Find an error? contact@defend.network

🤖 This briefing was compiled by defend.network using AI-powered analysis of multiple cybersecurity sources including CISA advisories, vendor security bulletins, and threat intelligence feeds. Always verify critical intelligence through official vendor channels before taking action.

Critical Lantronix flaw actively exploited; Cisco SD-WAN zero-day; 27M credentials recovered

TL;DR

Executive Summary

Top Threats Today

1. Lantronix EDS5000 Critical Flaw in Active Exploitation

Recommended Action

2. Amadey and StealC Malware Networks Dismantled; 27M Credentials Recovered

Recommended Action

3. Cordyceps CI/CD Pattern Exposes 300+ GitHub Repositories to Supply-Chain Hijacking

Recommended Action

4. Malicious Microsoft Edge Extension Deploys Python Backdoor via Native Messaging

Recommended Action

5. Cisco SD-WAN Zero-Day Used to Create Rogue Root Accounts

Recommended Action

Today’s Action Checklist

Get Tomorrow’s Briefing in Your Inbox

TL;DR

Executive Summary

Top Threats Today

1. Lantronix EDS5000 Critical Flaw in Active Exploitation

Recommended Action

2. Amadey and StealC Malware Networks Dismantled; 27M Credentials Recovered

Recommended Action

3. Cordyceps CI/CD Pattern Exposes 300+ GitHub Repositories to Supply-Chain Hijacking

Recommended Action

4. Malicious Microsoft Edge Extension Deploys Python Backdoor via Native Messaging

Recommended Action

5. Cisco SD-WAN Zero-Day Used to Create Rogue Root Accounts

Recommended Action

Today’s Action Checklist

Get Tomorrow’s Briefing in Your Inbox

Related briefings