A week of maximum technical urgency: mass phishing exploiting the World Cup, an actively exploited GlobalProtect CVE in Palo Alto firewalls with two confirmed attack waves, an Android zero-day affecting the entire corporate mobile fleet, and a 19-year-old Linux kernel bug with a public exploit. The summary you need before the weekend.

The four stories of the week

🔴 2026 World Cup mass phishing: ESET detects fake FIFA websites draining bank accounts

With the World Cup kicking off on 11 June, cybercriminals have spent weeks deploying sites that replicate the official FIFA website with near-perfect precision (same colours, menus and payment forms) to steal banking and personal data from fans searching for tickets or merchandise. The FBI has issued specific alerts. Domains containing “FIFA” or “World Cup 2026” under the .shop, .store or .site extensions are a red flag; the only official ticket website is FIFA.com/tickets. If an employee takes the bait from a corporate device, any VPN, email or other company credentials entered on the fake site, or stored on a device that is subsequently compromised, may be exposed.

→ What you should do: Tell all employees that the only official ticket website is FIFA.com/tickets and that FIFA-themed .shop, .store or .site domains should be reported, not visited. Review the corporate device use policy for personal purchases. Full analysis →

🔴 Palo Alto CVE-2026-0257: two confirmed attack waves and internal network access at multiple organisations

Rapid7 MDR documented two waves of active exploitation of CVE-2026-0257 (CVSS 7.8) on 17 and 21 May, confirming that attackers were issued VPN IP addresses and reached internal networks. The bug allows an attacker with no prior credentials to bypass GlobalProtect authentication. CISA added it to the KEV with a federal remediation deadline of 1 June, which has already passed. PAN-OS versions 9.0, 9.1 and 10.0 are EOL and will not receive a patch: organisations running them must migrate to a supported release.

→ What you should do: Check whether Authentication Override (cookie-based authentication) is enabled in your GlobalProtect configuration. If patching today is not possible, disable Authentication Override or restrict GlobalProtect access to trusted source IPs. Review GlobalProtect, system and traffic logs from 17 May onwards, the date of the first confirmed wave, for unexpected VPN sessions and IP assignments. Full analysis →

🔴 Android zero-day CVE-2025-48595: active exploitation confirmed by Google on corporate and BYOD devices

Google confirmed active exploitation of CVE-2025-48595 (CVSS 8.4), an integer overflow in the Android Framework that enables privilege escalation without user interaction. It affects Android 14, 15 and 16. Pixel devices already have the patch; the problem is ecosystem fragmentation: most Samsung, Xiaomi, Realme or HONOR devices will take 4 to 10 weeks to receive it. The CISA deadline was yesterday, 5 June.

→ What you should do: Verify that every corporate device reports a security patch level of 2026-06-01 or later. Configure the MDM to block access to corporate resources when a device's patch level is below that. Push the update to Pixel devices today. Full analysis →
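The patch-level check above, as an added example that is not code from Google, any MDM vendor or the original article: it reads the security patch level that every Android device publishes in the `ro.build.version.security_patch` property (a YYYY-MM-DD string) over `adb` and compares it against a minimum. The minimum date is taken from the newsletter; the script name used in the run guard and the report format are assumptions. A malformed or empty value is treated as non-compliant so that a device that cannot prove its patch level does not pass.

```shell
#!/bin/sh
# Added example: report Android security patch levels against a minimum.
# Not from Google, an MDM vendor or the article; assumes adb is installed and
# the devices are authorised for USB debugging. Run as: sh android_spl_check.sh

MIN_PATCH_LEVEL="2026-06-01"   # minimum from the newsletter

# Exit 0 when $1 (a YYYY-MM-DD security patch level) is at least $2.
# Anything that is not a well-formed date fails closed: an empty or garbled
# property value must never count as patched.
patch_level_ok() {
    level="$1"; min="${2:-$MIN_PATCH_LEVEL}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Strip the dashes and compare as integers: 2026-06-01 -> 20260601.
    lvl=$(printf '%s' "$level" | tr -d '-')
    mn=$(printf '%s' "$min" | tr -d '-')
    [ "$lvl" -ge "$mn" ]
}

# Print "compliant" or "noncompliant" for patch level $1 against minimum $2.
device_status() {
    if patch_level_ok "$1" "$2"; then echo compliant; else echo noncompliant; fi
}

# Enumerate devices visible to adb and print one line per device.
# Returns the number of noncompliant devices so a job can gate on exit status.
fleet_report() {
    min="${1:-$MIN_PATCH_LEVEL}"
    bad=0
    # `adb devices` prints a header line, then "<serial>\tdevice" per device;
    # devices in "unauthorized" or "offline" state are skipped here.
    for serial in $(adb devices | awk 'NR > 1 && $2 == "device" { print $1 }'); do
        release=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
        spl=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        status=$(device_status "$spl" "$min")
        printf '%s\tAndroid %s\tSPL %s\t%s\n' "$serial" "$release" "${spl:-unknown}" "$status"
        [ "$status" = compliant ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Run the fleet report only when invoked as a script under this name, so the
# functions can also be sourced into another tool.
case "${0##*/}" in
    android_spl_check.sh) fleet_report "$@" ;;
esac
```

The property reports the patch level the vendor declares, which is also what MDM compliance policies evaluate; it says nothing about whether the OEM actually backported the specific fix, so it is a floor for the policy, not proof of remediation.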

🔴 CIFSwitch CVE-2026-46243: the 19-year-old Linux kernel bug that gives any local user root in a single command

Researcher Asim Manizada disclosed CIFSwitch on 28 May together with a working PoC on GitHub. Any unprivileged user can obtain root with a single command on Linux systems that have cifs-utils installed, user namespaces enabled and the CIFS kernel module loaded. It is the fifth Linux kernel local privilege escalation (LPE) of 2026. Patches have been available since 2 June for Red Hat, Ubuntu, Debian, SUSE and Amazon Linux.

→ What you should do: Verify exposure with rpm -q cifs-utils (or dpkg -s cifs-utils on Debian/Ubuntu) and lsmod | grep cifs, bearing in mind that lsmod only shows modules loaded right now: if cifs.ko is present on disk it can be loaded later. Update the kernel immediately. A rebootless mitigation is available via KernelCare. Full analysis →
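The exposure check described above, as an added example that is neither the researcher's PoC nor code from any distribution advisory: a read-only script that tests the three preconditions the summary names (cifs-utils installed, unprivileged user namespaces allowed, CIFS module loaded) and exits 0 only when all three hold. It reads package metadata and /proc only; the script name in the run guard and the report format are assumptions, and the module listings in the usage test are constructed.

```shell
#!/bin/sh
# Added example: read-only check for the three CIFSwitch preconditions.
# Not the public PoC and not from a vendor advisory. Run as: sh cifswitch_check.sh
# Exit status 0 means all three preconditions hold on this host.

# Exit 0 when the text of /proc/modules ($1) lists the cifs module.
# The text is passed in rather than read here so the logic can be tested on a
# host that does not have the module at all.
cifs_module_listed() {
    printf '%s\n' "$1" | awk '$1 == "cifs" { found = 1 } END { exit !found }'
}

# Exit 0 when unprivileged users may create user namespaces.
# $1: value of /proc/sys/user/max_user_namespaces (0 disables them).
# $2: value of /proc/sys/kernel/unprivileged_userns_clone, or empty when the
#     file does not exist (that knob is Debian/Ubuntu-specific; absent means
#     allowed). Note this is necessary, not sufficient: Ubuntu 23.10+ can also
#     restrict unprivileged user namespaces through AppArmor, so the live
#     probe below is the definitive answer.
userns_unprivileged_allowed() {
    max="${1:-0}"; clone="$2"
    [ "$max" -gt 0 ] 2>/dev/null || return 1
    [ -z "$clone" ] || [ "$clone" -eq 1 ] 2>/dev/null
}

# Exit 0 when this (unprivileged) user can actually create a user namespace.
userns_live_probe() {
    unshare -Ur true >/dev/null 2>&1
}

# Exit 0 when cifs-utils is installed on an rpm- or dpkg-based system,
# falling back to the mount helper the package ships.
cifs_utils_installed() {
    if command -v rpm >/dev/null 2>&1 && rpm -q cifs-utils >/dev/null 2>&1; then
        return 0
    fi
    if command -v dpkg-query >/dev/null 2>&1 &&
       dpkg-query -W -f='${Status}' cifs-utils 2>/dev/null | grep -q 'ok installed'; then
        return 0
    fi
    [ -x /sbin/mount.cifs ] || [ -x /usr/sbin/mount.cifs ]
}

# Print one line per precondition; return 0 only when all three are met.
cifswitch_exposure_report() {
    unmet=0
    if cifs_utils_installed; then echo "cifs-utils:       installed"
    else echo "cifs-utils:       not installed"; unmet=1; fi

    if cifs_module_listed "$(cat /proc/modules 2>/dev/null)"; then
        echo "cifs module:      loaded"
    else
        echo "cifs module:      not loaded"; unmet=1
    fi
    # An unloaded module is not a safe state if cifs.ko is still on disk,
    # because it can be loaded later; report that separately.
    if modinfo cifs >/dev/null 2>&1; then echo "cifs.ko on disk:  yes"
    else echo "cifs.ko on disk:  no"; fi

    max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null)
    if userns_unprivileged_allowed "$max" "$clone" && userns_live_probe; then
        echo "user namespaces:  unprivileged creation allowed"
    else
        echo "user namespaces:  restricted"; unmet=1
    fi
    return "$unmet"
}

case "${0##*/}" in
    cifswitch_check.sh) cifswitch_exposure_report ;;
esac
```

Run it as the ordinary user whose exposure you are assessing, not as root, since the user-namespace probe answers a different question when run with privileges. A host where all three lines come back positive should be patched or live-patched today; one where only the module is missing but cifs.ko is on disk should not be considered safe.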

Apolo Cybersecurity: your weekly cybersecurity partner

Every Friday we break down the news that really matters for your organisation’s security. If you want to know how exposed your business is to any of these threats, we’re one click away.
