Top 5 Cybersecurity News Stories June 05, 2026
This week’s Cybersecurity News Stories June 05, 2026 are not about novel techniques or sophisticated zero-days. They are about something more uncomfortable: infrastructure that organisations have been managing — or believed they were managing — for years, and that is now actively compromised. A two-year-old Oracle WebLogic patch that enterprises still haven’t applied. A Russian state-sponsored FSB group using WinRAR and USB drives as effective attack vectors in 2026. An Android framework zero-day under active exploitation before most corporate device policies will notice. Half a million WordPress sites carrying a CVSS 9.8 authentication bypass because plugin governance doesn’t exist at the organisational level. And a ransomware operation growing faster than any group on record because it outcompetes rivals on revenue share. The common thread is not technical sophistication. It is the gap between the security posture organisations believe they have and the one that actually exists.
1) Oracle WebLogic’s Two-Year-Old Patch Is Now Actively Exploited — and Your Enterprise Middleware Is Exposed
On June 1, 2026, CISA added CVE-2024-21182 to its Known Exploited Vulnerabilities catalog with a federal remediation deadline of June 4 — nearly two years after Oracle issued a patch in its July 2024 Critical Patch Update. The vulnerability allows unauthenticated attackers with network access via WebLogic’s T3 or IIOP protocols to compromise the server and access critical data on versions 12.2.1.4.0 and 14.1.1.0.0. Security researchers observed a measurable uptick in scanning and exploitation attempts beginning in mid-May 2026. The CISA listing confirms that exploitation has crossed from targeted to reliable and repeatable.
Oracle WebLogic Server is not fringe software. It is the Java EE application server underpinning enterprise workloads across banking, insurance, healthcare, logistics, and government procurement systems globally. Organisations running WebLogic typically do so not by preference but by inherited obligation — it arrived alongside an ERP, a banking platform, or a compliance system that has not been decommissioned. That same obligation routinely extends to patching timelines: WebLogic environments are frequently excluded from standard patch cycles because the applications running on them are too business-critical to risk a routine update without full regression testing. The result is a large population of WebLogic instances where patches from 2024 remain outstanding in 2026, and where T3 and IIOP remain exposed to the network because disabling them breaks functionality. Two years between patch availability and active exploitation appearing in the CISA KEV catalog is not evidence of a quiet vulnerability. It is evidence of a vulnerability circulating in private while the unpatched population remained stable — and now it is reliable enough to exploit at scale.

Read more on: The Hacker News
2) Gamaredon Uses WinRAR and USB Drives to Spread a Worm Across Ukrainian Networks — and It Works
On June 2, 2026, researchers disclosed a new campaign by Gamaredon, the Russian state-sponsored threat group officially attributed to the Federal Security Service (FSB). The group exploited CVE-2025-8088, a path traversal flaw in WinRAR, to deliver two new malware families against Ukrainian government, military, and critical infrastructure targets. GammaWorm is a VBScript worm that establishes persistence via scheduled tasks and propagates by hiding legitimate directories on network shares and USB drives and replacing them with malicious Windows executables disguised as the original folder contents. GammaSteel is a modular infostealer that harvests files matching target extensions and exfiltrates them to an attacker-controlled AWS S3 bucket, with an attacker-operated server as a fallback.
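The propagation pattern described above (a legitimate directory made hidden, with an executable of the same name sitting beside it) is something a defender can hunt for on shares and removable media. The following is an added example written for this post, not code from the researchers or from the malware analysis; it assumes the executable takes the base name of the folder it masquerades as, treats a small set of Windows executable extensions as suspicious, and uses a constructed drive listing as sample input. The `hidden` flag is read from the Windows file attribute when scanning a real path, so `scan_directory` only reports hidden entries on Windows.

```python
"""Hunt for folder-masquerading executables on a share or USB drive.

Added example; assumes the 'hidden dir + same-named executable' naming
pattern. Not the researchers' tooling.
"""
import os
import stat
from dataclasses import dataclass

# Extensions Windows will run when a user double-clicks (assumption: the
# set a defender would treat as suspicious next to a hidden folder).
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


@dataclass(frozen=True)
class Entry:
    """One directory entry: name, whether it is a folder, hidden attribute."""
    name: str
    is_dir: bool
    hidden: bool


def find_folder_masquerades(entries):
    """Return executables whose base name matches a hidden sibling directory.

    Only hidden directories count: a visible folder next to a same-named
    executable is common in legitimate installers, so it is not flagged.
    """
    hidden_dirs = {e.name.lower() for e in entries if e.is_dir and e.hidden}
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        stem, ext = os.path.splitext(e.name)
        if ext.lower() in EXECUTABLE_SUFFIXES and stem.lower() in hidden_dirs:
            hits.append(e.name)
    return sorted(hits)


def scan_directory(path):
    """Build Entry objects from a real directory.

    The hidden bit comes from st_file_attributes, which os.stat only provides
    on Windows; elsewhere every entry is reported as not hidden.
    """
    entries = []
    with os.scandir(path) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            entries.append(Entry(
                name=d.name,
                is_dir=d.is_dir(follow_symlinks=False),
                hidden=bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN),
            ))
    return entries


# Constructed sample listing of a USB drive root (not captured from a real case).
SAMPLE_USB_ROOT = [
    Entry("Reports", is_dir=True, hidden=True),
    Entry("Reports.exe", is_dir=False, hidden=False),   # masquerade
    Entry("Photos", is_dir=True, hidden=True),
    Entry("Photos.scr", is_dir=False, hidden=False),    # masquerade
    Entry("Budget.xlsx", is_dir=False, hidden=False),   # ordinary document
    Entry("Tools", is_dir=True, hidden=False),
    Entry("Tools.exe", is_dir=False, hidden=False),     # visible folder: not flagged
]

if __name__ == "__main__":
    for name in find_folder_masquerades(SAMPLE_USB_ROOT):
        print("suspicious folder-masquerade executable:", name)
```

Run against a mounted drive with `find_folder_masquerades(scan_directory(r"E:\"))`. The heuristic deliberately requires the hidden attribute on the directory; dropping that requirement raises recall on the pattern but produces noise from legitimate software that ships `Name\` beside `Name.exe`.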
GammaWorm’s propagation method exploits two governance assumptions simultaneously. The first is that WinRAR is patched — most organisations have not treated a file archiver as a critical patching priority, and CVE-2025-8088 has been exploitable since January 2026. The second is that removable media governance is a solved problem — USB drives and network share traversal remain viable propagation vectors in 2026 because AutoRun controls and network share isolation policies are inconsistently enforced even in environments that have formal policies on paper. GammaSteel’s choice of AWS S3 as the primary exfiltration channel is operationally significant: outbound HTTPS traffic to Amazon’s infrastructure blends with the legitimate cloud service usage present in virtually every corporate environment, and is rarely flagged by network monitoring tools calibrated to block known-malicious destinations. The technical sophistication required to achieve this is not high. The discipline required to not have patched WinRAR or enforced USB controls is, apparently, common.

Read more on: The Hacker News
3) An Android Framework Zero-Day Is Under Active Exploitation — and Your BYOD Program Isn’t Patching It
Google’s June 2026 Android security update, released June 2, addressed 124 vulnerabilities including CVE-2025-48595 (CVSS 8.4), an integer overflow in multiple Android Framework code locations that enables local privilege escalation without any user interaction. CISA added CVE-2025-48595 to its Known Exploited Vulnerabilities catalog on June 2 with a federal remediation deadline of June 5, noting the flaw is under limited, targeted exploitation. The vulnerability affects Android versions 14, 15, 16, and 16 QPR2. The attack path requires an attacker to first achieve code execution through a malicious or trojanized application, after which the Framework flaw enables privilege escalation without any additional user prompts.
The Android Framework is the foundational OS layer through which every application on the device executes. A privilege escalation vulnerability at that layer means that any malicious application that achieves initial code execution — through any method — can elevate to higher system privileges silently. The enterprise exposure is compounded by BYOD realities that most security architectures have not fully resolved: employees accessing corporate email, VPN credentials, file storage, and authentication applications on personal Android devices that are not subject to centralised patch enforcement. MDM platforms can mandate minimum OS versions on fully enrolled corporate devices, but BYOD enrolment in most organisations is partial, and the population of personal devices with access to corporate resources is rarely accurately inventoried, let alone actively patched. An Android zero-day added to CISA’s KEV under active exploitation is not a consumer concern. It maps directly to the credential theft and session hijacking scenarios that have driven a significant share of enterprise breaches in 2026.

Read more on: Help Net Security
4) Half a Million WordPress Sites Had a CVSS 9.8 Admin Takeover Flaw. The Patch Was Available for Two Weeks Before Anyone Used It.
CVE-2026-8206 (CVSS 9.8), a critical vulnerability in the Kirki — Freeform Page Builder plugin for WordPress, was confirmed under active exploitation on June 2, 2026. The flaw allows any unauthenticated attacker who knows a username to take over any registered account on the site — including administrator accounts — by supplying an attacker-controlled email address in the plugin’s password reset request, without any cross-validation that the email belongs to the identified user. Kirki is installed on more than 500,000 active WordPress sites globally; approximately 150,000 were running a vulnerable version (6.0.0 through 6.0.6) when active exploitation was confirmed. A patch (version 6.0.7) had been available since May 18, 2026 — fifteen days before exploitation began.
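The defect described above is a general one: a password-reset endpoint that delivers the reset link to an address taken from the request rather than the address on record. The following is an added example written for this post, not the Kirki plugin's code, showing that flawed pattern next to a hardened handler. It assumes an in-memory user store and a fake outbox so it runs offline; user names and addresses are constructed sample data.

```python
"""Password reset: attacker-supplied destination vs. address on record.

Added example, not the plugin's code. Both handlers use the same in-memory
store and a list standing in for the mail server.
"""
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    username: str
    email: str


@dataclass
class SentMail:
    to: str
    token: str


# Constructed sample store.
USERS = {"admin": User("admin", "admin@example.org")}


@dataclass
class VulnerableReset:
    """Flawed pattern: sends the reset link wherever the request says."""
    outbox: list = field(default_factory=list)
    tokens: dict = field(default_factory=dict)

    def request_reset(self, username, email):
        user = USERS.get(username)
        if user is None:
            return "no such user"          # also leaks which accounts exist
        token = secrets.token_urlsafe(32)
        self.tokens[token] = user.username
        # BUG: 'email' is attacker-controlled and never compared to user.email,
        # so whoever knows a username receives that account's reset link.
        self.outbox.append(SentMail(to=email, token=token))
        return "reset sent"


NEUTRAL_REPLY = "If the account exists, a reset link has been sent."


@dataclass
class HardenedReset:
    """Reset link goes only to the address on record; uniform response."""
    outbox: list = field(default_factory=list)
    token_hashes: dict = field(default_factory=dict)

    def request_reset(self, identifier):
        # The requester names an account (username or registered email) but
        # never chooses the destination: that is always user.email.
        user = USERS.get(identifier)
        if user is None:
            user = next((u for u in USERS.values()
                         if u.email.lower() == identifier.lower()), None)
        if user is not None:
            token = secrets.token_urlsafe(32)
            # Store only a hash so a leaked table cannot be replayed.
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.token_hashes[digest] = user.username
            self.outbox.append(SentMail(to=user.email, token=token))
        # Same reply whether or not the account exists (no enumeration).
        return NEUTRAL_REPLY

    def consume_token(self, token):
        """Return the username for a valid single-use token, else None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        return self.token_hashes.pop(digest, None)


if __name__ == "__main__":
    v = VulnerableReset()
    v.request_reset("admin", "attacker@example.net")
    print("vulnerable handler mailed:", v.outbox[0].to)
    h = HardenedReset()
    h.request_reset("admin")
    print("hardened handler mailed:", h.outbox[0].to)
```

The hardened handler removes the parameter entirely rather than validating it: once the server never reads a destination address from the request, there is no cross-check to forget. The uniform reply and the hashed, single-use token are standard companions to that change.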
The fifteen-day gap between patch release and active exploitation is not a coincidence. It is a structural feature of the public vulnerability disclosure lifecycle: security researchers routinely analyse patch diffs to reconstruct the vulnerability, build proof-of-concept exploits, and begin active scanning before the majority of affected sites have updated. The governance failure this reveals is not that WordPress sites were running a vulnerable plugin version — that is an output of a deeper problem. Most SMEs and mid-market organisations do not manage their own WordPress infrastructure. They outsource web presence to an agency or a freelance developer under a maintenance agreement that may or may not include prompt security patching as an explicit deliverable. The organisation’s public digital presence — the primary point of contact for customers and prospects — operates under the patch governance of a third party whose response timelines are invisible to the organisation’s security program. A CVSS 9.8 unauthenticated admin takeover flaw in a plugin installed on 500,000 sites demonstrates, at scale, what that governance gap produces.

Read more on: BleepingComputer
5) The Gentlemen Ransomware Group Offers Affiliates 90% Revenue Share — and Is Growing Faster Than Any RaaS on Record
The Gentlemen ransomware-as-a-service operation, first observed in mid-2025, has become the fastest-growing RaaS group on record. Check Point Research and Microsoft Security published analyses confirming 182 attacks in Q1 2026 alone — a 420% quarter-on-quarter increase — with at least 320 confirmed victims and over 1,570 victim entries visible in a backend database that was compromised and leaked in May 2026. The group’s locker is a self-propagating Go binary targeting Windows, Linux, NAS devices, BSD, and ESXi hypervisors. Its defining structural feature is an affiliate revenue split of 90% to affiliates and 10% to core operators — the highest mainstream affiliate share ever offered in the RaaS market, exceeding the 70-80% typical of competing programs. The Gentlemen impose no sector restrictions: healthcare, critical infrastructure, and manufacturing are all active target categories.
The 90% affiliate share is not a marketing tactic. It is a market intervention that pulls experienced affiliate operators away from competing RaaS programs. RaaS affiliate talent — individuals with established network access, working EDR bypass techniques, and ransomware negotiation experience — is a finite resource in the criminal ecosystem. An operation offering 90% outcompetes every rival offering 70-80%, and that competitive advantage translates directly into faster recruitment and higher attack volume. The absence of sector restrictions on healthcare removes the informal deterrent that several previous groups exercised, increasing the exposure for hospitals and healthcare operators that had become accustomed to being treated as lower-priority targets by some criminal organisations. The May 2026 compromise and public leak of The Gentlemen’s own backend database — 1,570 victim entries, internal affiliate account credentials, operational documentation — did not slow the group. The operation continued without interruption. That operational resilience under active compromise of their own infrastructure demonstrates a maturity level that most law enforcement strategies targeting smaller groups cannot reach.

Read more on: Check Point Research
If this week tells us anything, it’s this:
The five stories in this week’s Cybersecurity News Stories June 05, 2026 do not share a technical class of attack. They share a governance assumption that is failing. The Oracle WebLogic flaw was patched in 2024. The WinRAR vulnerability exploited by Gamaredon has been patchable since January 2026. The Android zero-day requires a monthly security update that many corporate BYOD devices are not receiving. The Kirki flaw had a patch available for two weeks before exploitation began. And The Gentlemen ransomware is not innovating technically — it is innovating economically, and outcompeting rivals on a metric that organisations have no visibility into. In each case, the exposure is not a product of novel attacker capability. It is a product of governance assumptions that have not kept pace with the actual attack surface.
The pattern that emerges from this week is that defenders consistently underestimate the categories of infrastructure they do not directly control: enterprise middleware acquired with a legacy application, a file archiver installed by an employee, personal mobile devices accessing corporate systems, third-party plugin ecosystems governing the organisation’s public web presence, and a criminal marketplace optimising its talent acquisition model faster than any enterprise can adjust its security posture. The attack surface in 2026 includes all of these layers simultaneously — not as edge cases, but as standard operating conditions. Organisations that have accurate inventories, consistent patch governance across all of these categories, and explicit contractual accountability for third-party web and software management are the minority. For the majority, this week’s five stories describe active conditions, not hypothetical risks.