June 9, 2026 by sig9

Hacker Wars - June 09, 2026

Your daily dose of infosec chaos


Happy Tuesday. If you were hoping for a quiet start to the week, sorry to disappoint - today’s lineup features VPN zero-days, Chrome getting pwned for the fifth time this year, and AI tools being weaponized for unauthenticated RCE. Grab your coffee, it’s going to be a long one.

Check Point VPN Zero-Day Gets CISA’s Emergency Treatment

A critical authentication bypass in Check Point’s Remote Access VPN lets attackers connect without a valid password - and Qilin ransomware affiliates are already exploiting it in the wild. CISA has given federal agencies just 3 days to patch, which is basically the cybersecurity equivalent of “drop everything and fix this NOW.”

What to do: Patch your Check Point VPN and Mobile Access deployments immediately. If you can’t patch yet, disable remote access until you can.


Chrome Catches Its Fifth Zero-Day of 2026

Google pushed emergency updates for CVE-2026-11645, a vulnerability actively exploited in the wild - making it the fifth Chrome zero-day patched this year. We’re not even halfway through 2026 and Chrome is speedrunning the zero-day leaderboard.

What to do: Update Chrome to the latest version now. If you’re managing enterprise browsers, push the update through your MDM before lunch.


LiteLLM AI Tool Chains Bugs Into Unauthenticated RCE

CVE-2026-42271 (CVSS 8.7) in BerriAI’s LiteLLM - a popular AI model routing tool - has been added to CISA’s KEV catalog after active exploitation was confirmed. The flaw chains command injection with other weaknesses to achieve unauthenticated remote code execution. Your AI infrastructure is now an attack surface. Surprise.

What to do: Audit your LiteLLM deployments and patch immediately. If you’re running AI tools in production, treat them with the same security rigor as any other internet-facing service.


Silent Ransom Group Gets Physical With Law Firms

The Silent Ransom Group is hitting US law firms with a creative combo of vishing, IT helpdesk impersonation, and - wait for it - actually showing up in person at offices to steal data. When your threat model includes someone walking into your building pretending to be IT support, you know things have escalated.

What to do: Implement strict visitor verification procedures and train staff to verify IT support identities through out-of-band channels. No, the guy with a clipboard and a confident smile is not from your MSP.


NFCShare Malware Sneaks Onto Android via GitHub

New variants of the NFCShare Android malware are being distributed as fake banking app updates hosted on GitHub. Attackers are banking on users trusting “official-looking” update links, and honestly, it’s working. Supply chain attacks via trusted platforms are the gift that keeps on giving.

What to do: Only update banking apps through official app stores. If your bank sends you an update link via SMS or email, verify it independently before tapping.


Catch you tomorrow. In the meantime, go check your attack surface.


Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown

This bulletin is provided for informational purposes. Contact us for tailored security analysis.