Cyware Daily Threat Intelligence - June 29, 2026

A single flaw in a device management platform can open the door to an entire organization. Cyware spotlights how attackers could seize control of fleets of endpoints by exploiting Dell Wyse Management Suite vulnerabilities, with one bug rated CVSS 9.8. A successful exploit could let an intruder push malicious payloads across every managed device, threatening network-wide compromise.
Real-time phishing is slashing the effectiveness of multi-factor authentication. Ghostwriter has rolled out a WebSocket relay that intercepts both passwords and one-time codes as victims type them, enabling immediate account takeover—even when SMS MFA is enabled. The campaign has already targeted high-profile political and government accounts in Ukraine and Belarus.
Ransomware-as-a-service is accelerating with new tooling. The Gentlemen group is pairing custom Go-based backdoors with rapid intrusions, hitting manufacturing, healthcare, and logistics firms across five countries. Their hybrid cryptography and fast lateral movement are driving a surge in downtime and disruption.
Top Vulnerabilities Reported in Last 24 hours
Remote Code Execution and Path Traversal in Dell Wyse Management Suite
CVE-2026-41120 is an Acceptance of Extraneous Untrusted Data With Trusted Data vulnerability in Dell Wyse Management Suite (CVSS 9.8), while CVE-2026-49506 is a path traversal flaw (CVSS 7.2). Successful exploitation of CVE-2026-41120 allows a remote, low-privileged attacker to push malicious changes or payloads through the management interface, potentially compromising entire device fleets. CVE-2026-49506 requires high privileges and remote access for exploitation. The report does not confirm in-the-wild exploitation for either vulnerability. Dell disclosed both issues and released a fix in WMS 5.5 HF1, which should be applied to all affected deployments.
CVE-2026-55200: Critical Heap Overflow in libssh2 SSH Client Library
CVE-2026-55200 is a critical heap overflow vulnerability in the libssh2 SSH client library (CVSS 9.2). Successful exploitation allows a malicious SSH server to corrupt memory on a connecting client and potentially execute arbitrary code. CVE-2026-55200 is tracked as CWE-680 (integer overflow to buffer overflow) and resides in the ssh2_transport_read() function. A public proof-of-concept exists, but it is incomplete and reliable exploitation depends on the target binary and allocator. No in-the-wild exploitation has been reported, and CISA rates exploitation likelihood as “none.” The issue is patched in commit 97acf3d.
CVE-2026-25874: Unauthenticated RCE in Hugging Face LeRobot
CVE-2026-25874 is an unauthenticated remote code execution vulnerability in the Hugging Face LeRobot framework. Successful exploitation allows attackers to run arbitrary commands on servers hosting the AsyncInference PolicyServer (no CVSS score provided). CVE-2026-25874 arises from deserializing untrusted data with pickle.loads() over an unauthenticated gRPC channel, enabling a single crafted request to compromise the inference service. No active exploitation has been reported. SecureLayer7 documented the issue and noted the vulnerability can be bidirectional, allowing a compromised server to send malicious pickle data to clients. The fix is available in PR #3048.
Top Threat Actors Reported in Last 24 hours
Ghostwriter (UNC1151): Real-Time Phishing Bypasses SMS MFA
Ghostwriter (also tracked as UNC1151) is a suspected Eastern European threat group focused on credential theft and account takeover. Ghostwriter has deployed a WebSocket-based relay to intercept both passwords and one-time passcodes in real time, bypassing SMS and OTP-based multi-factor authentication. Ghostwriter leverages CDN services to conceal and harden its phishing infrastructure. The group has targeted Belarusian politician Yury Hubarevich and multiple Ukrainian portals, aiming for direct account takeover rather than resale of credentials. The campaign enables immediate access to inboxes, admin panels, and publishing systems, even when MFA is enabled. Researchers highlighted Ghostwriter's use of resilient infrastructure and synchronous interception as key differentiators.
The Gentlemen: Ransomware-as-a-Service Surge with Go-Based Malware
The Gentlemen is a ransomware-as-a-service (RaaS) operation of suspected global origin, motivated by financial gain. The Gentlemen employs custom Go-based backdoors and ransomware, rapidly moving from initial access to encryption. The Gentlemen typically exploits exposed online services and weak or stolen credentials, using tools like SharpADWS, NetScan, Advanced IP Scanner, and netsh for reconnaissance and lateral movement. The group targets manufacturing, IT services, healthcare, financial services, construction, and logistics sectors, with activity concentrated in Brazil, China, Indonesia, Taiwan, and Thailand. Recent campaigns feature hybrid cryptography built around Curve25519 and XChaCha20, with attempts to weaken defenses before encryption. Securelist reported The Gentlemen's rapid expansion and impact across multiple industries.
Frequently Asked Questions
What is CVE-2026-41120? Attackers could take over organizations’ endpoint management infrastructure via critical flaws in Dell Wyse Management Suite, including CVE-2026-41120 (CVSS 9.8) and CVE-2026-49506 (CVSS 7.2). In practical terms, a successful exploit could let an intruder push malicious changes or payloads through the same centralized system administrators use to manage fleets of devices, opening the door to wider network compromise.
What is CVE-2026-55200? A critical bug in the libssh2 SSH client library (CVE-2026-55200, CVSS 9.2) means a malicious SSH server can corrupt memory on a connecting client and potentially achieve code execution. The issue sits in ssh2_transport_read(), where an unchecked packet_length can trigger an out-of-bounds heap write, tracked as CWE-680 (integer overflow to buffer overflow).
What is CVE-2026-25874? An unauthenticated remote code execution flaw in Hugging Face’s LeRobot framework (CVE-2026-25874) allows attackers to run arbitrary commands on servers hosting the AsyncInference PolicyServer. The risk comes from deserializing untrusted data with pickle.loads() over an unauthenticated gRPC channel, meaning a single crafted request can turn an exposed inference service into an entry point for full system compromise.
What is Ghostwriter? Ghostwriter (also tracked as UNC1151) has rolled out a phishing approach designed to defeat SMS and one-time-passcode multi-factor authentication by relaying victims’ logins in real time. They do this with a WebSocket-based relay that turns the usual “collect credentials and try later” workflow into synchronous interception, letting them capture both the password and second factor as the victim types it.
What is The Gentlemen? The Gentlemen are a ransomware-as-a-service (RaaS) operation that has quickly climbed into the top tier of 2026 activity by pairing fast break-ins with custom Go-based backdoors and ransomware. They typically gain access through exposed online services and weak or stolen credentials, then move quickly from reconnaissance to encryption.