Fact: Voice deepfake incidents in the United States rose 680% year over year in 2025, with more than 100,000 attacks recorded in a single year. (INTERPOL Global Financial Fraud Threat Assessment, March 2026)
The Signal

Microsoft broke its own Patch Tuesday record today with 200 vulnerabilities, three of them zero-days. By the time the patches dropped, a researcher had already published a working exploit for a fourth one. Some days the news writes itself.

This edition is about velocity: attackers moving faster, more audaciously, and with increasingly sophisticated tools. Whether it is a same-day zero-day release, a deepfake that clones your colleague's voice on a Teams call, or software that swaps a scammer's face in real time on live video, the margin for slow responses is disappearing.

In this edition
  📌 Big Cyber News
  🚨 Can't Miss
  🤖 AI in Cyber
  🏛 Privacy, Power & Policy
  🔨 Tools & Tactics
  🧪 Strange Cyber
📌 Big Cyber News

Patch Tuesday
🛡 Microsoft's Record Patch Tuesday: 200 Vulnerabilities, Three Zero-Days, and One Same-Day Exploit Nobody Planned For
Intro
Microsoft shipped 200 security fixes in what is now the largest Patch Tuesday in the program's history, and a researcher decided to celebrate by releasing a working exploit for an additional unpatched vulnerability before anyone finished applying the updates.
What Happened
The June 2026 update patches 200 vulnerabilities, 33 of them critical, across Windows, Office, Exchange, and Azure. Three are already publicly known zero-days: YellowKey (CVE-2026-50507), a BitLocker bypass that requires physical access to the device; GreenPlasma (CVE-2026-45586), a local privilege escalation via CTFMON; and an HTTP/2 memory exhaustion flaw (CVE-2026-49160) that can force disproportionate memory allocation on HTTP.sys servers. Within hours of the release, the researcher known as “Chaotic Eclipse” publicly dropped a proof-of-concept for RoguePlanet, a separate Defender race condition that grants SYSTEM access on fully patched Windows 10 and 11.
Why It Matters
The 200-flaw milestone is not just a number. It reflects both an accelerating threat surface and what appears to be a deliberate Microsoft effort to batch fixes more aggressively. The HTTP.sys flaw carries a CVSS score of 9.8 and is unauthenticated and remotely exploitable, meaning any unpatched internet-facing Windows server running HTTP/2 is a candidate target.
The Other Side
Most of these vulnerabilities require specific conditions: local access, authenticated sessions, or chained exploits. The YellowKey BitLocker bypass needs physical device access, which limits its realistic attacker population to targeted or insider scenarios.
 
👉 Takeaway
Prioritize HTTP.sys, BitLocker, and Remote Desktop patches this cycle. If your environment runs Defender on Windows endpoints, assume RoguePlanet exploitability until Microsoft patches it.
TL;DR: Microsoft fixed 200 vulnerabilities today, then a researcher immediately published a working exploit for a 201st one.
Further reading: BleepingComputer
🚨 Can't Miss

Network security
CVE-2026-20245 gives attackers with netadmin-level access the ability to execute arbitrary commands as root in Cisco Catalyst SD-WAN Manager, and Cisco has no patch ready. Mandiant reported the flaw; Cisco has confirmed “limited cases” of exploitation, including configuration changes being pushed to edge devices. The attack requires prior credential access or chaining with two related Cisco CVEs (CVE-2026-20182 and CVE-2026-20127), making this more of a lateral movement accelerant than an initial entry point. If you have SD-WAN Manager internet-exposed without strict access controls, that assessment deserves immediate review.
Collect diagnostic files now, and contact Cisco support if you see unexpected configuration pushes to edge devices.
 
Supply chain
The ongoing Shai-Hulud campaign published 37 malicious releases of 19 bioinformatics and scientific Python packages, including Dynamo, Spateo, and Napari-UFISH. The malware runs the moment the Python interpreter starts, by abusing a .pth startup file, then exfiltrates GitHub tokens, AWS credentials, SSH keys, Docker credentials, and Claude/MCP configuration files through automatically created GitHub Actions repositories. Security firm Socket identified the campaign and now tracks 453 malicious items attributed to this threat group. Bioinformatics teams and data science environments are the primary targets, but any developer who ran pip install in the wrong environment needs to investigate.
If you installed any affected packages, rotate all secrets immediately and restore environments from clean backups.
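The .pth startup hook described above is easy to audit, because site.py only executes lines that begin with "import". The script below is an added example (not code from the newsletter or from Socket): it lists every .pth line your interpreter would run at startup and flags lines that also reference exec/eval, encoding or network helpers. The sample .pth bodies are constructed, and the "bad.pth" payload is a placeholder string that is never executed.

```python
"""Audit .pth files: site.py runs every line that starts with 'import ' or
'import\\t' at interpreter startup, which is the hook Shai-Hulud abused."""
import os
import re
import site
from pathlib import Path
from typing import List

# Helpers that are rare in legitimate .pth hooks and deserve a human look.
SUSPICIOUS = re.compile(
    r"exec\(|eval\(|base64|subprocess|os\.system|urllib|socket|codecs\.decode")


def scan_pth_text(name: str, text: str) -> List[dict]:
    """Return one finding per line of a .pth body that would be executed."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blanks and comments never run
        if line.startswith(("import ", "import\t")):
            sev = "suspicious" if SUSPICIOUS.search(line) else "executable"
            findings.append({"file": name, "line": lineno,
                             "severity": sev, "text": line.strip()})
        # any other line is a path entry: it is added to sys.path, not executed
    return findings


def scan_site_packages() -> List[dict]:
    """Scan the .pth files in every site-packages dir of this interpreter."""
    dirs = [*getattr(site, "getsitepackages", lambda: [])(),
            site.getusersitepackages()]
    results = []
    for d in filter(os.path.isdir, dirs):
        for p in sorted(Path(d).glob("*.pth")):
            results.extend(scan_pth_text(str(p), p.read_text("utf-8", "replace")))
    return results


# Constructed samples: a benign editable install, a normal virtualenv hook,
# and a hook shaped like the Shai-Hulud loader (payload is a placeholder).
SAMPLE_PTH = {
    "benign.pth": "/home/dev/src/mylib\n# editable install\n",
    "venv.pth": "import _virtualenv\n",
    "bad.pth": "import sys;exec(__import__('base64').b64decode('PLACEHOLDER'))\n",
}

if __name__ == "__main__":
    found = [f for n, b in SAMPLE_PTH.items() for f in scan_pth_text(n, b)]
    for f in found + scan_site_packages():
        print(f"{f['severity']:10} {f['file']}:{f['line']}  {f['text']}")
```

Run it inside each virtualenv or conda environment you want to check, since every environment has its own site-packages and therefore its own set of .pth hooks.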
 
Browser security
CVE-2026-11645 is an out-of-bounds read and write flaw in V8, Chrome's JavaScript engine, that allows a remote attacker to execute arbitrary code inside Chrome's sandbox via a crafted HTML page. Google fixed 74 vulnerabilities total in this release and is withholding technical details until most users have updated. An anonymous researcher reported the flaw in April and earned a $55,000 bounty; exploitation in the wild was confirmed before the patch shipped. This is the fifth Chrome zero-day Google has patched in 2026.
Update Chrome now. Version 149.0.7827.102 or later is the safe target across Windows, macOS, and Linux.

🤖 AI in Cyber

Social engineering
Microsoft Teams allows cross-tenant collaboration by default, which means attackers can message employees from external accounts while impersonating IT staff. The new development: AI-generated voice clones of known colleagues are following up initial text contact, making the social engineering significantly harder to dismiss than a chat message alone. The attack chain escalates from a Teams message to malware deployment to lateral movement and exfiltration using standard Windows tooling, with the 2024 Arup incident (a $25 million deepfake transfer) as the established playbook. The gap between “this sounds suspicious” and “this sounds exactly like Dave from IT” is closing fast.
Audit cross-tenant Teams access, restrict Quick Assist permissions, and establish out-of-band verification before anyone gets remote access to any system.
 
AI defense
Google is rolling out “fake call detection” to Android 12 and later devices globally this month, using RCS encryption to verify whether an incoming call's number matches the actual originating device. If the verification signal is absent or mismatched, the recipient sees a warning before answering. The feature works when both parties use Phone by Google with RCS enabled, is on by default for Pixel phones, and is rolling out broadly over the coming weeks. Impersonation fraud losses reached $2.95 billion in the United States in 2024 alone.
Confirm RCS is enabled on Android devices in your organization and verify that the Phone by Google app is installed for the feature to work.
🏛 Privacy, Power & Policy

Surveillance
WIRED found that Meta had quietly embedded facial recognition technology called “NameTag” into the Meta AI companion app installed on more than 50 million phones, where it had been sitting dormant since at least January 2026. The code was designed to identify strangers captured by the smart glasses camera and surface personal information in real time. Meta removed it within 48 hours of the report publishing after more than 70 advocacy groups, including the ACLU, demanded it be scrapped. The EFF's Threat Lab independently verified the findings through static analysis. Internal documents from 2025 show Meta had timed the rollout to coincide with a “dynamic political environment” to reduce criticism.
Meta removing the code is not the same as Meta abandoning the capability. The technology works. Expect it to return in different packaging.
 
Privacy law
Oregon Senate Bill 1587, effective June 5, prohibits state and local government bodies from sharing personally identifiable information with data brokers unless those brokers first provide written attestation that the data will not be used for federal immigration enforcement. The law covers names, addresses, dates of birth, Social Security numbers, and biometric data. Public bodies can reject attestations they believe contain misrepresentations. This is a direct legislative counter to the documented practice of ICE and CBP purchasing location data from the commercial advertising ecosystem to track and arrest individuals.
This is a state-level counter-move to federal surveillance infrastructure, and it will face legal challenges. Seven other states are watching closely.
🔨 Tools & Tactics

Practical play
🔒 Patch or Block: The Three-Day Window on a Critical VPN Zero-Day
CISA gave federal civilian agencies until June 11 to patch CVE-2026-50751, an authentication bypass in Check Point Remote Access VPN being actively exploited by Qilin ransomware affiliates. The vulnerability allows an unauthenticated attacker to establish a VPN session on affected Mobile Access and SSL VPN deployments. Exploitation started May 7 and surged over the weekend, with at least one confirmed Qilin post-compromise case. The key condition is running the deprecated IKEv1 key exchange without mandatory machine certificate authentication.
If you are not a federal agency, the June 11 deadline does not apply legally, but attackers are not checking your compliance calendar. Patch now, or verify you are not running IKEv1 without machine certs, or both. Full details: BleepingComputer

🧪 Strange Cyber

Strange but real
😶 Meet Haotian AI: The Software That Lets Scammers Swap Their Face, Race, and Voice on Live Video Calls
Intro
Someone built software called Haotian AI, marketed it to fraudsters, and now scammers can show up to a live Zoom or WhatsApp call as an entirely different person. Beard, skin tone, voice, and all.
What Happened
404 Media obtained a copy of Haotian AI, a Chinese-developed real-time deepfake platform that runs on a gaming laptop and allows a fraudster to replace their face, race, facial hair, and voice during live video calls with no visible lag. A journalist tested it and found the impersonation convincing down to the level of five o'clock shadow detail. The platform is being used for “Hello Boss” wire transfer scams, romance fraud, and real-time identity verification bypass. It is sold openly as software with ongoing technical support.
Why It Matters
This eliminates “just hop on a video call to verify” as a meaningful security control. That defense became popular after text-based phishing exploded. Attackers adapted. They always do.
The Other Side
Running Haotian AI requires a gaming laptop and some technical setup, which limits access to more sophisticated actors for now. The gap between “available to sophisticated actors” and “commodity tool” in this space has historically been short.
 
👉 Takeaway
A live video call is no longer reliable identity verification. Any process that depends on visual or audio confirmation alone needs a secondary out-of-band verification step added immediately.
TL;DR: Chinese deepfake software lets scammers swap their face and voice on live calls, and it already works well enough to fool real people.
Further reading: 404 Media
