
Weekly CISO Digest — Week of 2026-06-10: Federal VPNs Under Siege
Headline Incident: CISA orders US federal agencies to patch VPN vulnerability exploited by Qilin ransomware gang
A critical vulnerability in remote access tools, firewalls, and VPNs used by U.S. federal agencies is under active exploitation by the Qilin ransomware group. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered all civilian federal agencies, including the Departments of Homeland Security, State, and Treasury, to remediate the flaw by June 11, 2026, after exploitation was confirmed to have been ongoing since May 7. The attack surface includes products from Check Point Software and other vendors, with the potential for widespread lateral movement and data exfiltration. This incident highlights the ongoing risk posed by unpatched perimeter devices and the speed with which ransomware actors exploit known vulnerabilities. Agencies are urged to prioritize patching and review remote access configurations immediately to prevent further compromise.
This Week's Incidents
LiteLLM CVE-2026-42271 Exploited, Chains to Unauthenticated RCE
What: BerriAI's LiteLLM Python SDK and gateway suffered active exploitation of CVE-2026-42271, enabling command injection and unauthenticated RCE via Starlette (CVE-2026-48710).
Who's at risk: Organizations using LiteLLM or Starlette in North America.
Action: Patch both LiteLLM and Starlette to the latest versions immediately.
Jaguar Land Rover Hit by Costly Ransomware Attack
What: Jaguar Land Rover experienced a ransomware attack in September 2025, forcing a company-wide password reset for 30,000 staff and disrupting production and sales for weeks.
Who's at risk: Automotive manufacturers and large supply chain partners in Europe.
Action: Review ransomware response plans and enforce strong credential hygiene.
New Veeam vulnerability exposes backup servers to RCE attacks
What: Veeam Backup & Replication (CVE-2026-44963) allows any authenticated domain user to execute code on backup servers; there is no exploitation yet, but the threat is imminent.
Who's at risk: Global Veeam customers with domain-joined backup servers.
Action: Apply the latest Veeam security patch and restrict server access.
Napoleon Perdis Data Breach: 339K Australian Customer Records Leaked
What: Over 339,000 Napoleon Perdis customer records, including names, emails, phone numbers, and addresses, were leaked in a database breach.
Who's at risk: Australian retail and e-commerce organizations.
Action: Notify affected customers and monitor for targeted phishing attempts.
Spratley’s of Mortimer Hit by PrinzEugen Ransomware Attack
What: PrinzEugen ransomware encrypted hundreds of gigabytes of company data at Spratley’s of Mortimer, with a decryption key offered upon request.
Who's at risk: Global SMBs with exposed file shares.
Action: Isolate affected systems and contact incident response teams.
Cyberattack Against Le Vieux Campeur
What: Le Vieux Campeur was hit by a significant cyberattack on June 2, 2026, but rapid containment limited impact and no customer data was compromised.
Who's at risk: European retailers and e-commerce platforms.
Action: Review incident response playbooks and test containment procedures.
PrinzEugen Ransomware Encrypts Spratleys Data
What: PrinzEugen group publicly claimed responsibility for encrypting Spratleys’ file shares, offering a decryption key.
Who's at risk: Organizations with unsegmented file shares and weak backups.
Action: Validate backup integrity and segment file storage.
Akira ransomware targets Spray Equipment & Service Center
What: Akira ransomware encrypted data at Spray Equipment & Service Center, threatening to leak 26GB of sensitive corporate and partner information.
Who's at risk: Industrial and service sector firms globally.
Action: Assess exposure of sensitive files and prepare for potential data leaks.
Ransomware Incident at Auburn Electrical Construction Company
What: Auburn Electrical Construction Company suffered a ransomware attack by the Embargo threat actor, disrupting U.S. operations.
Who's at risk: U.S. construction and critical infrastructure firms.
Action: Ensure offline backups and review endpoint protection.
Lloyds Bank reports rise in phishing scams via Meta platforms
What: Lloyds Bank reported 68% of customer fraud originates from Meta platforms, causing £66 million in annual losses, mainly via scam ads.
Who's at risk: UK financial sector and Meta platform users.
Action: Increase customer phishing awareness and monitor social media fraud trends.
French govt messaging service breached in account hijacking attack
What: Hackers breached Tchap, the French government’s encrypted platform, stealing 13.5GB of documents and 650,000 messages via social engineering.
Who's at risk: Government agencies using internal comms platforms in Europe.
Action: Enforce MFA and conduct social engineering training for staff.
ServiceNow Discloses Security Incident Exposing Customer Data
What: ServiceNow patched a REST API flaw allowing unauthenticated access to customer instance data, affecting users on the Australia release or specific configs.
Who's at risk: Global ServiceNow customers, especially on legacy releases.
Action: Update to the latest ServiceNow release and audit API access logs.
Active Exploitation of PAN-OS CVE-2026-0257 Authentication Bypass
What: PAN-OS CVE-2026-0257 is being exploited to bypass GlobalProtect VPN authentication, enabling unauthorized VPN sessions.
Who's at risk: Palo Alto Networks GlobalProtect customers worldwide.
Action: Patch PAN-OS immediately and review VPN access logs for anomalies.
WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine
What: Russia-aligned actors exploited WinRAR CVE-2025-8088 to deploy GIFTEDCROOK and GammaSteel stealers via malicious RAR archives against Ukrainian targets.
Who's at risk: Organizations in Ukraine and those using outdated WinRAR globally.
Action: Update WinRAR and educate users on archive-based phishing threats.
This Week's Pattern
- Ransomware remains the top threat, with coordinated attacks on automotive, supply chain, and SMB targets across multiple regions.
- Zero-day and recently patched vulnerabilities (LiteLLM, Veeam, PAN-OS, WinRAR) are being exploited rapidly, underscoring the need for accelerated patch cycles.
- Social engineering and third-party platform abuse (Meta, Tchap) are driving large-scale data breaches and fraud, highlighting persistent human factor risks.

