A five-month OceanLotus supply chain attack hit Vietnamese stock investors, a Windows Defender zero-day is already being exploited in the wild, and Ivanti Sentry's CVSS 10 flaws were backdoored within 24 hours of PoC release. Today's briefing also covers a 206-CVE Patch Tuesday, CISA's new 3-day patching directive, and a disputed VRChat breach filing.
Audio is available on Spreaker — see link below.
A threat actor just spent five months poisoning a financial platform's update mechanism, and tens of thousands of stock investors may never know their machines were compromised. That's where we start today.
Separately, the same group maintained covert access to an unnamed Vietnamese infrastructure and transport firm from November twenty twenty-four through February twenty twenty-six. That's fifteen months of persistent access, likely achieved through SQL Server remote code execution, with SPECTRALVIPER variants deployed throughout.
Shifting to a different kind of urgency: a researcher who goes by Nightmare Eclipse released a working exploit on June tenth for a race condition vulnerability in Windows Defender. The flaw, tracked as RoguePlanet, targets a TOCTOU (time-of-check to time-of-use) condition, allowing an unprivileged user to redirect SYSTEM-level file operations and achieve full privilege escalation on Windows ten and eleven.
Moving to confirmed active compromise: two critical vulnerabilities in Ivanti Sentry, CVE-2026-10520 and CVE-2026-10523, both carrying a CVSS score of ten point zero, were confirmed exploited within twenty-four hours of a public proof-of-concept going live. Shadowserver detected at least two backdoored instances by June eleventh.
On June tenth, Microsoft released two hundred and six security updates for Patch Tuesday, including thirty-three critical CVEs and patches for three previously undisclosed zero-days across Windows, Office, and Exchange. Exchange Server also received separate updates for the twenty nineteen and twenty sixteen versions, though the latter only applies to customers enrolled in Extended Security Update programs.
One anomaly to flag before we close: a breach notice filed with the Maine Attorney General claimed two point four million VRChat users were compromised between May tenth and twelfth. VRChat denies filing the notice and denies any system compromise.
The thread running through today's briefing is timing. PoC publication to confirmed exploitation in twenty-four hours on Ivanti.
Chapter summary auto-generated from the verified script. Listen to the full episode for the complete content.