Apple Patches High-Severity Eavesdropping Vulnerability in Beats Studio Buds

Apple has released Beats Firmware Update 1B211 to address CVE-2025-20701, a high-severity eavesdropping vulnerability (rated 8.8 out of 10) affecting its Beats Studio Buds wireless earbuds. The flaw, which stems from improper authentication in the firmware of Bluetooth chips manufactured by Airoha Systems, allowed attackers within Bluetooth range to impersonate previously paired devices and intercept audio from the earbuds' microphone. The patch is delivered automatically when the earbuds are paired with an iPhone, iPad, or Mac. The vulnerability was first disclosed 12 months earlier by Insinuator researchers Dennis Heinze and Frieder Steinmetz, and other manufacturers such as Jabra, Bose, and JBL have also issued updates for their affected devices. Beyond eavesdropping, the broader set of Airoha vulnerabilities could let attackers retrieve call history and contacts and initiate calls, depending on the specific device. The issue is part of a wider landscape of Bluetooth vulnerabilities, including WhisperPair, which affects Google Fast Pair-enabled devices from manufacturers such as Sony, JBL, and Google and allows eavesdropping and device geolocation. Because such attacks are complex and require the attacker to remain within range, users are advised to disable Bluetooth when not in use to mitigate the risk.

Severity: Critical

Threat Details and IOCs

Malware: FakeUpdates, SocGholish
CVEs: CVE-2025-20700, CVE-2025-20701, CVE-2025-20702, CVE-2025-36911
Technologies: Airoha Bluetooth audio SDK, Airoha Bluetooth SoC, Apple AirPods Pro, Apple Beats Studio Buds, Apple iOS, Apple macOS, Bose, Jabra, JBL
Victim Industries: Consumer Electronics, Government, Semiconductors, Technology Hardware
Victim Countries: China, Denmark, Germany, Japan, South Korea, Taiwan, United Kingdom, United States

Mitigation Advice

  • Direct all users with Apple Beats Studio Buds to immediately verify their firmware is updated to version 1B211 or later. Provide instructions on how to check this on their paired iPhone, iPad, or Mac by navigating to Settings > Bluetooth and tapping the info button next to their headphones.
  • Instruct users with Jabra, Bose, or JBL branded Bluetooth headsets to immediately check for and apply the latest firmware updates using the manufacturers' respective mobile applications or support websites.
  • Issue a company-wide security bulletin advising all employees to disable Bluetooth on their computers and mobile devices when it is not actively in use to reduce the risk of proximity-based attacks.

Compliance Best Practices

  • Establish and maintain a comprehensive asset inventory of all Bluetooth-enabled peripheral devices, such as headsets and keyboards, used for business purposes to enable rapid impact assessment and response for future vulnerabilities.
  • Develop and implement a secure procurement policy that requires a security review for any new models of wireless peripherals before they are approved for purchase and use within the company.
  • Update the annual security awareness training program to include a specific module on the risks of wireless peripherals, covering Bluetooth eavesdropping, data theft, and best practices for their secure use.
  • Investigate and configure Mobile Device Management (MDM) policies to restrict Bluetooth device pairing on company-managed mobile devices to only authorized and vetted peripherals, if the feature is supported.

Hackers Exploit Gravity SMTP WordPress Plugin Bug to Expose API Keys

A medium-severity information disclosure vulnerability, tracked as CVE-2026-4020 (CVSS score: 5.3), is being actively exploited in the Gravity SMTP WordPress plugin, which is installed on approximately 100,000 sites. The flaw allows unauthenticated attackers to extract sensitive data, including configuration details, API keys (for services such as Amazon SES, Google, Mailjet, Resend, and Zoho), secrets, and OAuth tokens. It stems from the REST API endpoint `/wp-json/gravitysmtp/v1/tests/mock-data`, whose `permission_callback` unconditionally returns true, so any unauthenticated visitor can call it. When the `?page=gravitysmtp-settings` query parameter is appended, the endpoint returns a 365 KB JSON system report containing the PHP version, web server details, database type and version, WordPress version, active plugins and themes, and all configured API keys. Attackers can use this exposure to send email on behalf of the site or to plan further attacks. A patch was released in version 2.1.5 of the plugin. Exploitation has been observed since early May 2026, with attempts spiking sharply around June 6, 2026; Wordfence reports blocking over 17 million attempts from IP addresses including 45.148.10.95 and 193.32.162.60. Site owners running vulnerable versions should update to 2.1.5 or later immediately, assume compromise, rotate all exposed credentials, and review server logs for suspicious requests from the identified attacker IP addresses.

Severity: Critical

Threat Details and IOCs

Malware: Bissa, Bissa scanner
CVEs: CVE-2026-4020, CVE-2026-8713
Technologies: Amazon Simple Email Service, Amazon Simple Email Service (SES), Amazon Web Services, Git, Google Cloud Platform, Gravity Forms Gravity SMTP, HashiCorp Terraform, Linux, PHP, Pivotal Spring Boot, Resend, Sinch Mailgun, Twilio SendGrid, WordPress, Zoho, Zoho Mail
Attacker IPs: 173[.]199[.]90[.]188, 176[.]65[.]148[.]139, 176[.]65[.]148[.]30, 185[.]8[.]106[.]145, 185[.]8[.]106[.]37, 185[.]8[.]106[.]92, 185[.]8[.]107[.]155, 193[.]32[.]162[.]60, 45[.]148[.]10[.]120, 45[.]148[.]10[.]95
Attacker URLs: /wp-json/gravitysmtp/v1/tests/mock-data, /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings
Victim Industries: E-commerce, Media and Entertainment, Retail

Mitigation Advice

  • Immediately update all instances of the Gravity SMTP WordPress plugin to version 2.1.5 or later.
  • Rotate all API keys and OAuth tokens for services configured within the Gravity SMTP plugin, such as Amazon SES, Google, Mailjet, Resend, and Zoho.
  • Add the following IP addresses to your firewall or WAF blocklist: 45.148.10.95, 193.32.162.60, 176.65.148.139, 173.199.90.188, 45.148.10.120, 185.8.107.155, 185.8.106.37, 185.8.106.92, 185.8.106.145, and 176.65.148.30.
  • Review web server and WAF logs for any HTTP GET requests to the URI path '/wp-json/gravitysmtp/v1/tests/mock-data' to identify potential or successful exploitation attempts.
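The log review in the last bullet, worked through as an added example (not code from the report, Wordfence or the Gravity SMTP project): it parses combined-format access log lines, separates mere probes of the endpoint from responses that actually served the settings report, and checks each source IP against the addresses listed above. The log lines are constructed samples, and the field layout assumes the Apache/nginx combined format.

```python
"""Triage web-server access logs for hits on the CVE-2026-4020 endpoint.
Assumes Apache/nginx "combined" log format; the log lines below are
constructed samples, not real captures."""
import re
from collections import Counter

# Endpoint and attacker IPs exactly as listed in the report.
VULN_PATH = "/wp-json/gravitysmtp/v1/tests/mock-data"
KNOWN_ATTACKER_IPS = {
    "45.148.10.95", "193.32.162.60", "176.65.148.139", "173.199.90.188",
    "45.148.10.120", "185.8.107.155", "185.8.106.37", "185.8.106.92",
    "185.8.106.145", "176.65.148.30",
}

# combined format: ip - user [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def classify(rec):
    """'exposed': a 200 response to the endpoint with the settings-page parameter,
    meaning the system report (and the API keys in it) was actually served.
    'probe': any other hit on the endpoint (blocked, 4xx, or without the parameter).
    None: unrelated request."""
    path, _, query = rec["path"].partition("?")
    if path != VULN_PATH:
        return None
    served = rec["status"] == 200 and "page=gravitysmtp-settings" in query
    return "exposed" if served else "probe"

def triage(lines):
    """Group hits on the vulnerable endpoint by level and count them per source IP."""
    findings = {"exposed": [], "probe": []}
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        level = classify(rec) if rec else None
        if level is None:
            continue
        per_ip[rec["ip"]] += 1
        findings[level].append({
            "ip": rec["ip"], "time": rec["ts"], "status": rec["status"],
            "bytes": rec["size"], "known_attacker": rec["ip"] in KNOWN_ATTACKER_IPS,
        })
    return findings, per_ip

SAMPLE_LOG = [  # constructed lines; 373760 bytes is roughly the 365 KB report size
    '45.148.10.95 - - [06/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "python-requests/2.31"',
    '203.0.113.7 - - [06/Jun/2026:03:15:22 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [06/Jun/2026:03:16:01 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '193.32.162.60 - - [06/Jun/2026:03:17:45 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 199 "-" "curl/8.5"',
]

if __name__ == "__main__":
    findings, per_ip = triage(SAMPLE_LOG)
    for f in findings["exposed"]:
        print("REPORT SERVED - assume compromise, rotate keys:", f)
    for f in findings["probe"]:
        print("probe:", f)
    print("hits per IP:", dict(per_ip))
```

A 200 with the settings parameter is the signal that matters: a blocked or 4xx hit shows scanning, but only a served report means the keys left the server.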

Compliance Best Practices

  • Implement a comprehensive vulnerability management program that includes maintaining an inventory of all WordPress plugins and establishing a process for promptly testing and deploying security patches.
  • Configure your Web Application Firewall (WAF) with a default-deny rule for unauthenticated access to non-public API endpoints, particularly those under paths like '/wp-json/'.
  • Establish a quarterly review process to audit the permissions of all API keys used in web applications, ensuring they are scoped to the minimum required functionality.
  • Configure automated alerting in your SIEM or log management platform to detect and notify security personnel of suspicious requests to sensitive API endpoints or patterns matching known information disclosure vulnerabilities.

Cisco Identity Services Engine RCE and Information Disclosure Vulnerabilities (CVE-2026-20181 CVE-2026-20190)

Cisco has released security updates addressing two vulnerabilities, CVE-2026-20181 and CVE-2026-20190, in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). CVE-2026-20181 is a critical (CVSS 9.1) remote code execution vulnerability caused by insufficient validation of user-supplied input; an authenticated attacker with administrative credentials could gain user-level access to the underlying operating system, elevate privileges to root, and, in single-node deployments, potentially cause a denial-of-service condition. CVE-2026-20190 is a high-severity (CVSS 7.5) information disclosure vulnerability caused by improper authorization checks that could allow an attacker to access sensitive information, including hashed credentials. Cisco is not currently aware of any public exploitation of either vulnerability. The fixes differ by release: for CVE-2026-20181, ISE 3.3 requires Patch 11, ISE 3.4 requires Patch 6, and ISE 3.5 requires Patch 4 (August 2026); for CVE-2026-20190, ISE 3.4 requires Patch 6 and ISE 3.5 requires Patch 3, while ISE 3.3 and earlier releases are not affected by this CVE. Releases earlier than 3.3 must be migrated to a fixed release.

Severity: Critical

Threat Details and IOCs

Malware: DragonForce, Water Tambanakua
CVEs: CVE-2026-20181, CVE-2026-20190
Technologies: Cisco Application Deployment Engine OS, Cisco Identity Services Engine, Cisco ISE Passive Identity Connector
Victim Industries: Construction, Education, Financial Services, Government, Healthcare, Manufacturing, Professional Services, Retail, Telecommunications
Victim Countries: France

Mitigation Advice

  • Use a vulnerability scanner with QIDs 317859 and 317860 to identify all vulnerable Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) instances on the network.
  • Apply patch 11 to all Cisco ISE and ISE-PIC instances running release 3.3 to remediate CVE-2026-20181.
  • Apply patch 6 to all Cisco ISE and ISE-PIC instances running release 3.4 to remediate both CVE-2026-20181 and CVE-2026-20190.
  • Apply patch 4 or higher to all Cisco ISE and ISE-PIC instances running release 3.5 to remediate both CVE-2026-20181 and CVE-2026-20190.
  • For Cisco ISE and ISE-PIC instances running releases earlier than 3.3, immediately begin planning the migration to a supported and patched release.
  • Restrict network access to the Cisco ISE and ISE-PIC administrative web interfaces to a dedicated management network or a limited set of authorized IP addresses.

Compliance Best Practices

  • Implement mandatory multi-factor authentication (MFA) for all administrative access to critical network infrastructure, including Cisco ISE.
  • Establish a recurring quarterly process to audit all administrative accounts on Cisco ISE, ensuring the principle of least privilege is enforced and removing any dormant or unnecessary accounts.
  • Evaluate and implement a high-availability (HA) configuration for the Cisco ISE deployment to ensure service continuity and prevent denial-of-service conditions resulting from node failure.
  • Ensure all Cisco ISE and ISE-PIC system and application logs are forwarded to a centralized SIEM and develop correlation rules to alert on anomalous administrative activity or suspicious HTTP requests targeting the devices.

The Gentlemen RaaS Uses GentleKiller EDR Framework Targeting 400 Security Processes

The Gentlemen ransomware-as-a-service (RaaS) operation, active since March 2025 and attributed to Alexander Andreevich Yapaev (aka hastalamuerte), employs a sophisticated suite of endpoint detection and response (EDR) killers for its affiliates, having claimed 504 victims primarily in Southeast Asia, South America, and Western Europe. This arsenal is built around the in-house GentleKiller framework, which features eight variants designed to mimic legitimate products and abuse vulnerable drivers via the bring your own vulnerable driver (BYOVD) technique, targeting over 400 processes across 48 distinct security programs. GentleKiller utilizes a shared defense-evasion layer, impersonating security vendors with fake version information, copied certificates, and icons, and protects its binaries with packers like Enigma or Themida. Specific drivers abused include "eb.sys" (Kaspersky), "nseckrnl.sys" (FACEIT Anti-Cheat), "GameDriverX64.sys" (Valorant), "stpm_old.sys" or "stpm_new.sys" (Javelin), "dmx.sys" (WatchDog), "360netmon_wfp.sys" (Network Blocker), "IMFForceDelete.sys" (Cleaner), and "PoisonX.sys" (G11), with "PoisonX.sys" also used to kill CrowdStrike Falcon EDR. The operation also integrates third-party tools like HexKiller ("googleApiUtil64.sys"), ThrottleBlood ("ThrottleBlood.sys"), and HavocKiller ("havoc.sys"), and rapidly operationalizes newly disclosed BYOVD proof-of-concept exploits. Additionally, The Gentlemen uses OxideHarvest (aka buildx641), a Rust-based credential stealer targeting numerous web browsers. This centralized EDR-killer suite lowers the entry barrier for affiliates, making The Gentlemen a technically agile RaaS group. A related CERT/CC advisory highlights a Secure Boot bypass vulnerability in UEFI applications from vendors like Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill, also leveraging BYOVD, which can be mitigated by updating the UEFI Forbidden Signature Database (DBX).

Severity: Critical

Threat Details and IOCs

Malware: ABCD ransomware, Agenda, AgendaCrypt, AK47 Ransomware, AKO Doxware, Babuk, BabyLockerKZ, BARADAI, Baxtoy, BEACON, Black Basta, buildx641, CatB, CatB99, Cobalt Strike, Conti, Coroxy, DragonForce, DroxiDat, GentleKiller, Gentlemen, Havoc, HavocKiller, HexKiller, HwAudKiller, Hyflock, LARVA-368, LockBit, LockBit 2.0, LockBit 3.0, LockBit Black, LockBit Red, LOCKBIT.WARLOCK, Lumma, LummaC2, Lumma Stealer, Medusa, MedusaLocker, Medusa Reborn, Mimikatz, Ninthbee, no_name_software, OxideHarvest, Phemedrone, Phemedrone Stealer, PoisonX, Prey, Qilin, RedLine, REvil, Rhysida, Sodinokibi, Storm-2697, SystemBC, The Gentlemen, ThrottleBlood, ThrottleStop.sys, TridentLocker, Vidar, Warlock, X2ANYLOCK
CVEs: CVE-2020-1472, CVE-2021-36942, CVE-2021-44228, CVE-2022-42045, CVE-2023-27532, CVE-2023-42789, CVE-2023-48788, CVE-2024-37085, CVE-2024-55591, CVE-2025-26125, CVE-2025-32433, CVE-2025-33073, CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771, CVE-2025-55182, CVE-2025-59718, CVE-2025-59719, CVE-2025-7771, CVE-2026-8863
Technologies: Acer, Acronis Cyber Protect, AMD Processors, ASUS, Baidu Antivirus, Bitdefender, BSD, Cisco, Cisco IOS, Cisco VPN, CrowdStrike, ECS, Erlang/OTP, ESET Endpoint Security, Fortinet FortiClientEMS, Fortinet FortiGate, Fortinet FortiOS, Fortinet FortiProxy, Getac, GIGABYTE, Gladinet CentreStack, Google Chrome, Hikvision IP Camera, Huawei, IObit Malware Fighter, Iperius Backup, Ivanti, Kaspersky, Kaspersky Endpoint Security, Linux, McAfee, Microsoft 365, Microsoft Defender Antivirus, Microsoft Entra ID, Microsoft Exchange Server, Microsoft Hyper-V, Microsoft Internet Information Services, Microsoft Outlook on the web, Microsoft SharePoint, Microsoft SQL Server, Microsoft Windows, Microsoft Windows Active Directory, Microsoft Windows Server, Mozilla Gecko, Okta, Oracle Database, Oracle MySQL, Palo Alto Networks, PostgreSQL, Qihoo 360, SAP ABAP, SentinelOne, SimpleHelp, SmarterTools SmarterMail, SolarWinds Web Help Desk, SonicWall, Sophos, Sophos Intercept X, TeamViewer, ThrottleStop, Trellix, Trend Micro, UEFI, Uniwill, Veeam Backup & Replication, Veritas Backup Exec, VMware, VMware ESXi
Threat Actors: Agenda, Akira, ArmCorp, Babuk, BlackBasta, CatB, Conti, Devman, DragonForce, Embargo, Gentlemen, GoldRebellion, GOLDSALEM, Hastalamuerte, LockBit, Medusa, MedusaRansomware, Ninthbee, PestilentMantis, PhantomMantis, PrimevalMantis, Qilin, RansomHub, RedLineCyber, REvil, Rhysida, STAC5143, Storm0506, Storm0826, Storm1567, Storm-2603, Storm-2697, Storm2697, Ta2101, TenaciousMantis, Thegentlemen, Unc3973, Unc4393, VenomousMantis, Warlock, WIZARDSPIDER, Zeta88
Attacker Countries: China, Malaysia, Russia
Attacker IPs: 176[.]120[.]22[.]127, 193[.]228[.]128[.]2, 209[.]15[.]71[.]121, 45[.]155[.]141[.]219, 77[.]246[.]103[.]110, 88[.]130[.]150[.]101, 91[.]92[.]242[.]30
Attacker Emails: bu4vs@mail[.]ru, hastalamuerte1488@protonmail[.]com
Attacker Domains: app-distribution[.]net, bestflowers247[.]online, exploit[.]in, mail[.]ru, protonmail[.]com, put[.]io, userstorage[.]mega[.]co[.]nz, velvet-parret[.]com
Attacker URLs: 0x0[.]st, temp[.]sh, vast[.]ai
Victim Industries: Aerospace, Agriculture, Business Services, Cloud Infrastructure, Construction, Consumer Services, Education, Energy, Financial, Financials, Financial Services, Government, Healthcare, Health Care Technology, Holding Companies & Conglomerates, Hospitality, Hospitals & Physicians Clinics, Information Security, Information Technology, Insurance, Legal Services, Manufacturing, Media & Publishing, Multimedia, Professional Services, Public Administration, Real Estate, Retail, Semiconductors, Software, Technology Hardware, Telecommunications, Transportation, Utilities
Victim Countries: Australia, Brazil, China, Colombia, Croatia, Czech Republic, Denmark, Egypt, France, Germany, India, Indonesia, Iraq, Ireland, Italy, Japan, Mauritius, Mexico, New Zealand, Norway, Palau, Peru, Philippines, Poland, Portugal, Romania, Russia, Saudi Arabia, Singapore, Spain, Taiwan, Thailand, Turkey, United Kingdom, United States, Vietnam

Mitigation Advice

  • Use your endpoint detection and response (EDR) or application control software to create block rules for the known malicious and vulnerable driver files mentioned in the report, including: eb.sys, nseckrnl.sys, GameDriverX64.sys, stpm_old.sys, stpm_new.sys, dmx.sys, 360netmon_wfp.sys, IMFForceDelete.sys, PoisonX.sys, googleApiUtil64.sys, ThrottleBlood.sys, and havoc.sys.
  • Prioritize applying the latest firmware and OS updates to systems from Acer, AMD, ASUS, ECS, Getac, GIGABYTE, Toshiba, and Uniwill to update the UEFI Forbidden Signature Database (DBX) and mitigate the Secure Boot bypass vulnerability.
  • Execute threat hunting queries in your security information and event management (SIEM) and EDR tools for file names, process names, or command-line arguments containing 'OxideHarvest' or 'buildx641' to detect the presence of the credential stealer.
  • Configure a detection rule in your SIEM to generate a high-priority alert if multiple security agent processes (e.g., EDR, antivirus) are terminated on a single endpoint within a short time frame, such as 60 seconds.
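The driver block list and the kill-burst rule above, implemented together as an added example (not the report's or any vendor's code): it flags loads of the listed driver files and alerts when three distinct security-agent processes are terminated on one host inside the 60-second window. The events are constructed, Sysmon-like records, and the agent process names are an illustrative assumption to replace with your own inventory.

```python
"""Two detections from the hunting guidance above: loads of the driver files
abused by GentleKiller and its companions, and bursts of security-agent
terminations on a single host. Events are constructed, Sysmon-like records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Driver file names listed in the report (compared case-insensitively).
ABUSED_DRIVERS = {
    "eb.sys", "nseckrnl.sys", "gamedriverx64.sys", "stpm_old.sys",
    "stpm_new.sys", "dmx.sys", "360netmon_wfp.sys", "imfforcedelete.sys",
    "poisonx.sys", "googleapiutil64.sys", "throttleblood.sys", "havoc.sys",
}
# ASSUMPTION: illustrative agent process names; use your own vendor inventory.
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe", "ekrn.exe"}
WINDOW = timedelta(seconds=60)   # time frame from the mitigation advice
THRESHOLD = 3                    # distinct agents killed within WINDOW

def detect_driver_loads(events):
    """Alert on every driver_loaded event whose file name is on the abused list."""
    alerts = []
    for e in events:
        if e["type"] != "driver_loaded":
            continue
        name = PureWindowsPath(e["image"]).name.lower()
        if name in ABUSED_DRIVERS:
            alerts.append({"host": e["host"], "time": e["time"], "driver": name})
    return alerts

def detect_agent_kill_bursts(events):
    """Alert once per burst when THRESHOLD distinct security processes are
    terminated on one host within WINDOW (sliding window over sorted events)."""
    by_host = defaultdict(list)
    for e in events:
        name = e["image"].lower()
        if e["type"] == "process_terminated" and name in SECURITY_PROCESSES:
            by_host[e["host"]].append((datetime.fromisoformat(e["time"]), name))
    alerts = []
    for host, kills in by_host.items():
        window = deque()
        for when, name in sorted(kills):
            window.append((when, name))
            while when - window[0][0] > WINDOW:   # expire kills older than 60 s
                window.popleft()
            killed = {n for _, n in window}
            if len(killed) >= THRESHOLD:
                alerts.append({"host": host, "time": when.isoformat(), "killed": sorted(killed)})
                window.clear()                    # do not re-alert on the same burst
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry
    {"host": "WS01", "time": "2026-06-10T09:00:00", "type": "driver_loaded",
     "image": r"C:\Windows\Temp\PoisonX.sys"},
    {"host": "WS01", "time": "2026-06-10T09:00:05", "type": "process_terminated", "image": "MsMpEng.exe"},
    {"host": "WS01", "time": "2026-06-10T09:00:20", "type": "process_terminated", "image": "CSFalconService.exe"},
    {"host": "WS01", "time": "2026-06-10T09:00:41", "type": "process_terminated", "image": "ekrn.exe"},
    {"host": "WS02", "time": "2026-06-10T09:05:00", "type": "process_terminated", "image": "MsMpEng.exe"},
    {"host": "WS02", "time": "2026-06-10T09:15:00", "type": "process_terminated", "image": "ekrn.exe"},
    {"host": "WS02", "time": "2026-06-10T09:20:00", "type": "driver_loaded",
     "image": r"C:\Windows\System32\drivers\ndis.sys"},
]

if __name__ == "__main__":
    for a in detect_driver_loads(SAMPLE_EVENTS):
        print("abused driver loaded:", a)
    for a in detect_agent_kill_bursts(SAMPLE_EVENTS):
        print("EDR kill burst:", a)
```

WS02 loses two agents ten minutes apart and stays silent, which is the point of the window: routine restarts should not page anyone, three agents dying in under a minute should.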

Compliance Best Practices

  • Develop and deploy an application control policy, such as Windows Defender Application Control (WDAC), to enforce a list of authorized drivers and block all others from loading on endpoints.
  • Plan and execute the phased deployment of Hypervisor-Protected Code Integrity (HVCI), also known as Memory Integrity, on all compatible endpoints to prevent unauthorized or vulnerable drivers from being loaded into the Windows kernel.
  • Establish a program to enforce the principle of least privilege by systematically removing local administrator rights from standard user accounts and implementing a just-in-time (JIT) access solution for administrative tasks.
  • Implement a quarterly security audit process to verify the integrity of installed security tools on endpoints. This process should include checking file hashes, digital signature validity, and version numbers against vendor-provided baselines.

Sources

https://buaq.net/go-423056.html

https://buaq.net/go-423075.html

https://cyberpress.org/fortinet-flaws-fuel-ransomware/

https://cyberpress.org/gentlemen-edr-killer-suite/

https://gbhackers.com/fortinet-flaws-ai-and-custom-c2-tools-exploited/

https://gbhackers.com/gentlemen-raas-scales-to-166-victims/

https://gbhackers.com/gentlemen-raas-unifies-evasion-suite/

https://gbhackers.com/ransomware-abuses-system-task/

https://industrialcyber.co/ransomware/the-gentlemen-ransomware-combines-advanced-encryption-with-self-propagation-targeting-critical-sectors/

https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen/

https://osintteam.blog/the-gentlemen-ransomware-threat-profile-b416da89a80d

https://securityonline.info/gentlemen-ransomware-threat-microsoft/

https://thehackernews.com/2026/06/the-gentlemen-raas-uses-gentlekiller.html

https://thehackernews.com/2026/06/the-gentlemen-ransomware-claims-478.html

https://www.bleepingcomputer.com/news/security/gentlemen-ransomware-uses-multiple-edr-killers-to-disable-defenses/

https://www.hendryadrian.com/who-runs-the-ransomware-group-the-gentlemen-krebs-on-security/

https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/

https://www.securitylab.ru/news/573964.php

https://www.securityweek.com/ransomware-attack-shuts-down-mills-of-australias-second-largest-sugar-producer/

https://www.welivesecurity.com/en/eset-research/killing-me-gently-inside-gentlemens-edr-killer-framework/

Klue OAuth Breach Linked to 'Icarus' Salesforce Data Theft Attacks

A breach of Klue's OAuth integration enabled the "Icarus" threat actors to steal Salesforce CRM data from multiple organizations, and an extortion campaign is ongoing. The attackers compromised Klue's backend systems to steal OAuth tokens, then used automated Python scripts to query Salesforce's REST API, first performing reconnaissance via the '/services/data/v59.0/sobjects' endpoint and then exfiltrating data through '/services/data/v59.0/query'. The stolen data includes CRM information such as business contacts, sales communications, price quotes, and competitive intelligence; cybersecurity firm Huntress has confirmed that its Salesforce data was exfiltrated. Salesforce has since disabled the Klue Battlecards integration, and Klue has disabled its integrations with HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. Organizations are advised to review Salesforce and related SaaS logs for activity from IP addresses 138.226.246.94, 212.86.125.24, 213.111.148.90, and 94.154.32.160, revoke and rotate OAuth tokens, terminate active sessions, and review Salesforce logs for unusual API activity.

Severity: Critical

Threat Details and IOCs

CVEs: CVE-2026-50656
Technologies: Google Drive, HubSpot, Klue, Microsoft SharePoint, Salesforce, Slack
Threat Actors: MrBean, ShinyHunters
Attacker IPs: 138[.]226[.]246[.]94, 212[.]86[.]125[.]24, 213[.]111[.]148[.]90, 94[.]154[.]32[.]160
Attacker Domains: baccarat[.]com[.]au, gofile[.]io, house[.]com[.]au, robinskitchen[.]com[.]au
Victim Industries: Information Security, Retail, Software, Technology Hardware
Victim Countries: Australia, Canada, United States

Mitigation Advice

  • Add the IP addresses 138.226.246.94, 212.86.125.24, 213.111.148.90, and 94.154.32.160 to the network firewall blocklist.
  • Query SIEM, firewall, and Salesforce logs for any connections or API activity from the IP addresses 138.226.246.94, 212.86.125.24, 213.111.148.90, and 94.154.32.160.
  • If your organization uses the Klue Battlecards integration with Salesforce, immediately revoke all associated OAuth tokens and terminate all active sessions for the integration within the Salesforce platform.
  • Review Salesforce API logs for anomalous activity, specifically looking for queries to the '/services/data/v59.0/sobjects' endpoint followed by a high volume of queries to the '/services/data/v59.0/query' endpoint from a single service account.
  • If using Klue, immediately review and consider revoking OAuth tokens for all other connected third-party platforms, such as HubSpot, SharePoint, and Google Drive, until Klue confirms the issue is fully remediated.
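The Salesforce log review described above, as an added example (not code from the report, Salesforce or Klue): it looks for the enumeration-then-query sequence per account and cross-checks source IPs against the four addresses listed. The records are constructed, and the field names (user, time, client_ip, uri) are an assumption about the log export format.

```python
"""Hunt Salesforce API logs for the Icarus pattern: a call to the sobjects
endpoint followed by a burst of query calls from the same account, with
source IPs checked against the addresses named in the report.
Records are constructed; field names are assumptions about the export."""
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_ATTACKER_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}
SOBJECTS = "/services/data/v59.0/sobjects"
QUERY = "/services/data/v59.0/query"
QUERY_BURST = 5              # ASSUMPTION: tune to the integration's normal baseline
WINDOW = timedelta(hours=1)  # ASSUMPTION: how long after recon to count queries

def _ts(s):
    return datetime.fromisoformat(s)

def find_recon_then_exfil(records):
    """One finding per account whose first sobjects call is followed by at least
    QUERY_BURST query calls within WINDOW. Order matters: query traffic with no
    preceding enumeration does not match, which keeps normal integrations quiet."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["time"])
        recon = next((r for r in recs if r["uri"].startswith(SOBJECTS)), None)
        if recon is None:
            continue
        t0 = _ts(recon["time"])
        follow = [r for r in recs
                  if r["uri"].startswith(QUERY) and t0 <= _ts(r["time"]) <= t0 + WINDOW]
        if len(follow) >= QUERY_BURST:
            ips = {r["client_ip"] for r in follow} | {recon["client_ip"]}
            findings.append({
                "user": user,
                "recon_at": recon["time"],
                "query_calls": len(follow),
                "source_ips": sorted(ips),
                "known_attacker_ip": bool(ips & KNOWN_ATTACKER_IPS),
            })
    return findings

def ip_hits(records):
    """Every record from an IP named in the report, regardless of request pattern."""
    return [r for r in records if r["client_ip"] in KNOWN_ATTACKER_IPS]

def _rec(user, time, ip, uri):
    return {"user": user, "time": time, "client_ip": ip, "uri": uri}

SAMPLE_RECORDS = [  # constructed: one integration account doing recon then 6 queries
    _rec("klue-integration@example.com", "2026-06-08T02:00:00", "138.226.246.94", SOBJECTS),
] + [
    _rec("klue-integration@example.com", f"2026-06-08T02:{5 + i:02d}:00", "138.226.246.94",
         QUERY + "?q=SELECT+Id,Name,Email+FROM+Contact")
    for i in range(6)
] + [  # a human user running many queries but never enumerating objects
    _rec("sales.user@example.com", f"2026-06-08T10:{i:02d}:00", "198.51.100.10",
         QUERY + "?q=SELECT+Id+FROM+Opportunity")
    for i in range(8)
]

if __name__ == "__main__":
    for f in find_recon_then_exfil(SAMPLE_RECORDS):
        print("recon-then-exfil:", f)
    print("requests from reported IPs:", len(ip_hits(SAMPLE_RECORDS)))
```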

Compliance Best Practices

  • Establish a recurring security review process to audit all third-party SaaS applications that use OAuth to connect to critical systems like Salesforce, ensuring they are actively maintained and necessary.
  • For all third-party Salesforce integrations, reconfigure their OAuth permissions to enforce the principle of least privilege, granting access only to the specific API endpoints and data objects required for their function.
  • Develop and implement SIEM detection rules to alert on anomalous SaaS API activity, such as a sudden high volume of queries from a single OAuth integration or access to an unusually broad range of data objects in a short time frame.
  • Implement and enforce a credential lifecycle management policy for all non-user accounts, including service accounts and API keys, that includes periodic review, rotation, and automated disabling of dormant accounts after a defined period of inactivity.
  • For critical SaaS platforms like Salesforce, configure API access controls to only allow connections from an explicit allowlist of trusted IP address ranges belonging to your approved third-party integrators.

Authors & Contributors

Brian Sayer (Author)

Threat Intelligence Analyst, F5