TL;DR
WordPress core flaw enables unauthenticated code execution on versions 6.9 and 7.0; patches (6.9.5 and 7.0.2) shipped Friday with forced updates. OpenSSL “HollowByte” flaw allows 11-byte DoS on unpatched servers. Fortinet FortiSandbox command-injection vulnerabilities now in CISA KEV catalog and actively exploited.
Executive Summary
- WordPress patched a core deserialization flaw affecting 6.9 and 7.0 instances; patches deployed via forced updates on Friday.
- OpenSSL “HollowByte” DoS flaw allows attackers to consume server memory with minimal payloads; patch shipped in June without prior disclosure.
- Two Fortinet FortiSandbox command-injection vulnerabilities (CVE-2026-25089, CVE-2026-39808) added to CISA’s Known Exploited Vulnerabilities catalog with federal remediation deadline of July 19.
- NadMesh botnet actively harvesting exposed AI services for AWS keys and Kubernetes tokens; operator dashboard shows 3,811 unique keys claimed.
- DigiCert breach attributed to GoldenEyeDog subgroup (CylindricalCanine); stolen code-signing certificates pose supply-chain risk.
Top Threats Today
1. WordPress wp2shell RCE – Unauthenticated Code Execution Patched
Severity: HIGH Affected: Technology
A vulnerability in WordPress core (dubbed wp2shell) allows unauthenticated attackers to execute arbitrary code on any site running version 6.9 or 7.0 [1]. The flaw is present in a bare WordPress installation with zero plugins, making scope extremely broad [1]. WordPress shipped patches 6.9.5 and 7.0.2 on Friday and enabled forced auto-updates to mitigate exposure [1].
Sources:[1] The Hacker News
Recommended Action
- Verify all WordPress instances are running 6.9.5 or 7.0.2 or newer; forced updates should have applied automatically.
- For air-gapped or manually-managed installations, apply the patch immediately if still on 6.9.x or 7.0.x.
- Monitor access logs for suspicious HTTP requests to vulnerable endpoints during the window before Friday’s patch.
- Enable core update notifications and automatic updates where feasible to catch future critical patches.
2. OpenSSL HollowByte DoS – Memory Exhaustion via Minimal Payload
Severity: HIGH Affected: Technology
An OpenSSL vulnerability termed “HollowByte” allows unauthenticated attackers to trigger denial-of-service on unpatched servers by sending just 11 bytes in a malformed TLS request [1][2]. On systems using glibc (which includes many Linux distributions), the allocated memory persists until the OpenSSL process restarts, potentially consuming up to 131 KB per request [1]. OpenSSL released the fix in June 2026 without a CVE assignment, advisory, or changelog entry, limiting visibility ⚠[1].
Sources:[1] The Hacker News[2] BleepingComputer
Recommended Action
- Audit OpenSSL versions across all TLS endpoints (web servers, API gateways, load balancers) and update to the latest patched release.
- Consult the OpenSSL project’s release notes (June 2026+) to confirm the HollowByte fix is included in your target version.
- Monitor for sustained connection attempts that could indicate reconnaissance or DoS probing.
- Implement connection limits and rate-limiting on TLS handshake endpoints to reduce impact if exploited.
3. Fortinet FortiSandbox Command Injection – CISA KEV Additions, Active Exploitation
Severity: HIGH Affected: Technology
Two OS command-injection vulnerabilities in Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS (CVE-2026-25089 and CVE-2026-39808) now appear in CISA’s Known Exploited Vulnerabilities catalog [1][2]. Both flaws allow unauthenticated attackers to execute arbitrary commands via crafted HTTP requests [1][2]. Federal agencies must remediate by July 19, 2026 [1][2].
Sources:[1] CISA KEV[2] CISA KEV
Recommended Action
- Immediately identify and inventory all FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS instances in your environment.
- Apply the latest Fortinet security patches; consult Fortinet’s advisory for specific build versions.
- Restrict HTTP access to FortiSandbox management interfaces; enforce network segmentation and WAF rules if externally exposed.
- Review audit logs for suspicious HTTP requests (especially those with shell metacharacters) to detect prior exploitation.
4. NadMesh Botnet – Targeting Exposed AI Services for Cloud Credentials
Severity: HIGH Affected: Technology
A Go-based botnet called NadMesh emerged in early July 2026 systematically scanning and compromising exposed AI service instances to harvest AWS keys and Kubernetes tokens [1]. The operator’s dashboard shows 3,811 unique AWS keys claimed [1]. The botnet uses a Shodan harvester to maintain its scan queue, targeting ComfyUI, Ollama, n8n, Open WebUI, Langflow, and Gradio [1].
Sources:[1] The Hacker News
Recommended Action
- Audit all AI development and inference instances (ComfyUI, Ollama, LLM runners, etc.) for unnecessary external exposure; move to private networks where feasible.
- Rotate all AWS access keys and Kubernetes service account tokens if your environment has been exposed on Shodan or similar public indexes.
- Enable AWS GuardDuty and Kubernetes audit logging to detect anomalous credential usage and API calls.
- Implement network policies restricting outbound traffic from development containers to prevent credential exfiltration.
5. DigiCert Breach Linked to GoldenEyeDog Subgroup – Code-Signing Certificates Stolen
Severity: HIGH Affected: Technology
The April 2026 DigiCert security incident has been attributed to a threat activity cluster dubbed CylindricalCanine, identified as a subgroup of GoldenEyeDog (also known as APT-Q-27, Dragon Breath, and Miuuti Group), according to researchers at Expel [1]. The breach resulted in theft of code-signing certificates, creating supply-chain risk for any software signed with the compromised credentials [1].
Sources:[1] The Hacker News
Recommended Action
- If your organization uses DigiCert code-signing certificates, treat those certificates as compromised; revoke and reissue immediately.
- Audit all software signed with affected DigiCert certificates for signs of tampering or unauthorized deployment in your environment.
- Review logs for unexpected code-signing certificate imports or use in your CI/CD pipeline.
- Monitor threat intelligence feeds for indicators of compromise (IOCs) tied to CylindricalCanine/GoldenEyeDog and implement detection rules.
Today’s Action Checklist
- ☐ URGENT: Confirm WordPress instances running 6.9.x or 7.0.x have received patches 6.9.5 or 7.0.2 (check “About WordPress” or query database); if forced updates failed, apply manually.
- ☐ URGENT: Identify and patch all Fortinet FortiSandbox instances; fedal remediation deadline is July 19, 2026.
- ☐ Update OpenSSL on all TLS endpoints; verify the June 2026+ HollowByte fix is included in your target version.
- ☐ Audit AI development services (Ollama, ComfyUI, etc.) for external exposure and rotate AWS/Kubernetes credentials if exposed on public indexes.
- ☐ If using DigiCert code-signing certificates, review certificate status and revocation timelines with DigiCert support.