We talk in @VulnerabilityNw about CVEs, zero-days & what's exploited right now. Monero lovers · Builder of xmr.pw mining pool for $XMR $TARI

Joined August 2024
Pinned Tweet
I've just created the Telegram and Discord chats for xmr.pw. I'll leave the links below to join: Discord: discord.gg/kJXKrJqUjr; Telegram: t.me/xmrpw. If you have questions or issues, I'll try my best to help you 😅 Happy mining ⛏️
ServiceNow unauthenticated API breach ⭐ An API endpoint that forgot to check for a login. ServiceNow confirmed attackers queried customer instance tables through an endpoint that allowed unauthenticated access (a “requires_authentication=false” misconfiguration). No CVE assigned. Those tables routinely hold IT tickets, employee records, and the credentials and tokens people paste into ticket notes. Exploited around June 2–3, patched June 5. A bug-bounty report flagged a similar issue back on April 22. The catch: the advisory sat behind the customer support login for days, so many orgs never knew to go looking. An unauthenticated query path doesn’t bypass a login screen; it bypasses the whole permission model behind it. If your SaaS vendor quietly patches a breach and hides the notice behind a portal, were you ever really notified? Source: @BleepinComputer @TheHackersNews @VulnerabilityNw
“The Gentlemen” ransomware “The Gentlemen” is now the 2nd most active ransomware gang by victim count, recruiting affiliates with a 90% cut. Krebs digs into clues pointing to the admin’s real-world identity. Affiliate economics are fueling the current ransomware surge. Source: KrebsOnSecurity @VulnerabilityNw
Microsoft Exchange OWA zero-day Microsoft shipped the permanent fix for an exploited Exchange zero-day. CVE-2026-42897 (8.1), OWA XSS: a crafted email runs JavaScript in the victim’s session (token theft, mailbox impersonation). On-prem 2016/2019/SE; Exchange Online unaffected. The June SU replaces May’s emergency mitigation; install it. Source: @BleepinComputer @VulnerabilityNw
Ivanti Sentry max-severity RCE Ivanti Sentry max-severity flaw is being exploited. CVE-2026-10520, CVSS 10: unauthenticated OS command injection -> root RCE. Public PoC is out; Shadowserver says many exposed gateways are already backdoored. Patch to R10.5.2 / R10.6.2 / R10.7.1 now (also fixes auth-bypass CVE-2026-10523). Source: @BleepinComputer @VulnerabilityNw
Oracle PeopleSoft zero-day Oracle PeopleSoft zero-day under active attack: CVE-2026-35273 (CVSS 9.8), unauthenticated RCE over HTTP. ShinyHunters claims 100 orgs hit (mostly universities; Nottingham confirmed, 500K students’ data). Oracle pushed an out-of-band fix; patch now, and assume compromise if exposed. Affects PeopleTools 8.61/8.62. Source: @BleepinComputer @VulnerabilityNw
OpenClaw AI email agent falls for phishing A phishing test against an OpenClaw email AI agent found it falls for the same social-engineering tactics that work on humans, across multiple config profiles, and leaks user data. The lesson isn’t “AI is dumb.” It’s that autonomous agents with inbox access inherit the human attack surface without the human skepticism. Prompt-injection-as-phishing is now a real threat model. Deploying email agents? Scope their permissions like a junior hire who clicks everything. Source: @BleepinComputer @VulnerabilityNw
Anthropic Mythos / Fable 5 offensive-security angle Anthropic shipped Claude Fable 5 (public) and Claude Mythos 5 (restricted), and published research on what Mythos-class models do to the patch gap. The claim: Mythos Preview turns N-days into N-hours. In testing it wrote a working exploit in under an hour and built 16 across Firefox and Windows. Anthropic argues N-days can be worse than 0-days: the patch is a roadmap via patch-diffing. Fable 5 ships with safeguards that bounce cybersecurity/bio/chem queries to Claude Opus 4.8 (triggers in <5% of sessions). Mythos 5 (same model, safeguards lifted) goes only to Project Glasswing partners. Independent take: XBOW found it strong at finding bugs in source code, weaker at validating exploits. Takeaway: monthly patch cadences were built on “weaponizing a patch takes expert-weeks.” That assumption is eroding. Source: @BleepinComputer @SecurityWeek @VulnerabilityNw
OpenSSL high-severity bug OpenSSL patched 18 bugs, including a rare high-severity one: CVE-2026-45447, a heap use-after-free in PKCS#7 verification. A crafted PKCS#7/S/MIME signed message with an empty digestAlgorithms SET can make PKCS7_verify() free a caller-owned BIO → use-after-free, heap corruption, possible RCE. High-severity in OpenSSL is rare: only the 2nd of 2026. Notable: it was found by a Calif researcher working with Claude AI. AI-assisted code audit is quietly becoming standard practice. Update OpenSSL. Source: @SecurityWeek @VulnerabilityNews
Adobe 123 vulnerabilities Adobe shipped fixes for 123 vulnerabilities this month, nearly half in Adobe Experience Manager (AEM), most allowing arbitrary code execution. AEM’s internet-facing footprint makes it a recurring target. If you run AEM, this is a priority-queue item, not a next-sprint task. Work through Adobe’s June bulletins and patch the code-execution flaws first. Source: @SecurityWeek @VulnerabilityNw
Microsoft June 2026 Patch Tuesday (record-breaker) Microsoft’s June 2026 Patch Tuesday is the largest on record: 200 CVEs (~33 critical), beating the prior high of 167. Three publicly disclosed zero-days, none reported exploited in the wild yet:
• CVE-2026-45586 — Windows CTFMON EoP to SYSTEM (“GreenPlasma”); flagged Exploitation More Likely
• CVE-2026-50507 — BitLocker security feature bypass
• CVE-2026-49160 — HTTP.sys (HTTP/2) DoS
Updates: Win11 KB5094126 / KB5093998, Win10 KB5094127 (ESU). The Win10 update also tracks the Secure Boot certificate rollover — certs start expiring this month. Test, then deploy. Prioritize the zero-days and critical RCEs. Source: BleepingComputer, KrebsOnSecurity, SecurityWeek @VulnerabilityNw
ServiceNow security incident ServiceNow confirms a security incident: an unauthenticated API endpoint let attackers query data from customer instances. Fix applied to hosted instances Jun 5; the endpoint now requires authentication. ServiceNow detected “anomalous activity” and, for a subset of customers, evidence of successful queries against instance tables. Affected orgs were notified directly via support case. No CVE published. Admins peg it to a REST endpoint left with requires_authentication=false (unconfirmed by ServiceNow). Run ServiceNow? Check for a case and review API/transaction logs for unauthenticated queries. Source: BleepingComputer @VulnerabilityNw
Veeam Backup & Replication RCE Critical RCE in Veeam Backup & Replication. CVE-2026-44963, CVSS 9.4: any authenticated domain user can run code on the Backup Server. Low privilege bar, high-value target: backup infra is what ransomware crews hit first. Affects domain-joined VBR v12 (≤ 12.3.2.4465); v13.x not affected. Fixed in 12.3.2.4854. No in-the-wild reports yet, but VBR has a long history of being weaponized (Akira, Fog, Frag). Found by Sina Kheirkhah, watchTowr. Patch now; consider a workgroup config per Veeam’s hardening guide. Source: BleepingComputer @VulnerabilityNw
Chrome 5th zero-day of 2026 Google patched the 5th actively exploited Chrome zero-day of 2026. CVE-2026-11645, an out-of-bounds read/write in the V8 engine, confirmed exploited in the wild. Fixed in 149.0.7827.102/.103 (Win/Mac/Linux). Google is withholding details until users update. Chromium browsers (Edge, Brave, Opera, Vivaldi) inherit the fix. Context: 8 exploited Chrome 0-days in all of 2025; already at 5 by June. Update and relaunch; don’t wait for the staged rollout. Source: BleepingComputer @VulnerabilityNw
Check Point VPN zero-day Check Point VPN auth bypass is being exploited in the wild. CVE-2026-50751, CVSS 9.3. Unauthenticated attackers can establish a Remote Access VPN session with no valid password. Affects only IKEv1-configured gateways (Mobile Access/SSL VPN, Remote Access VPN, Spark). Exploited since May 7; at least one case tied to a Qilin ransomware affiliate. Hotfix landed Jun 8. CISA added it to KEV; feds must patch by Jun 11. Can’t patch immediately? Drop IKEv1, require machine certs, kill legacy RA client support. Patch now, not patch soon. Source: BleepingComputer @VulnerabilityNw
Linux Kernel LPE CVE-2026-23111 1/4 CVE-2026-23111: Linux kernel nf_tables. Root from unprivileged user. Container breakout included. Working exploit has been public for 4 months. If your kernel hasn’t been updated since February 5, 2026, you’re exposed right now. @VulnerabilityNw
3/4 Timeline:
→ Feb 5, 2026: upstream patch released
→ Apr 16: FuzzingLabs publishes working exploit
→ Jun 8: Exodus Intelligence releases full technical teardown
No in-the-wild exploitation confirmed yet. That window is closing fast. Ubuntu rates it CVSS 7.8 (high). Distro-level patching is not yet universal. @VulnerabilityNw
4/4 Critical risk in multi-tenant cloud and container environments: any attacker with minimal local access can reach host root. Temporary mitigation if immediate patching isn’t possible: kernel.unprivileged_userns_clone=0
Source: The Hacker News / Exodus Intelligence / FuzzingLabs. Follow @VulnerabilityNw