CyberSip™
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 72  ·  June 25, 2026  ·  cybersip.net  ·  3 active items  ·  Under 5 min read
Today’s picture
Novee Security published research today naming a systemic class of GitHub Actions CI/CD vulnerabilities Cordyceps, after the body-snatching parasitic fungus. The pattern allows any unauthenticated attacker with a free GitHub account to hijack privileged build workflows at major open-source repositories by exploiting how untrusted pull request content crosses into high-privilege automation contexts. Novee confirmed fully exploitable chains at Microsoft Azure Sentinel, Google’s AI Agent Development Kit, Apache Doris, Cloudflare’s Workers SDK, and the Python Software Foundation’s Black formatter, all of which have since been fixed, and scanned over 30,000 repositories to find more than 300 fully exploitable chains across the open-source ecosystem. Mandiant published details today on how CVE-2026-20245, a Cisco SD-WAN privilege escalation flaw from Issue 65, was exploited as a zero-day at least two months before Cisco disclosed it, with attackers creating a rogue root account named troot and pushing configuration changes to edge devices before carefully erasing their tracks. CISA added three Ubiquiti UniFi OS vulnerabilities to its Known Exploited Vulnerabilities catalog today with a federal remediation deadline of tomorrow, June 26.
Threat snapshot
3 active items · 2 monitoring
  • Cordyceps / GitHub Actions / unauthenticated / Microsoft, Google, Cloudflare
  • Cisco SD-WAN CVE-2026-20245 / 2-month zero-day / Mandiant detail
  • Ubiquiti UniFi OS / 3 CVEs / KEV deadline tomorrow
3 items this issue
Today  ·  Cordyceps  ·  GitHub Actions
Cordyceps: a free GitHub account is enough to hijack CI/CD pipelines at Microsoft, Google, Apache, and Cloudflare. No authentication, no org membership needed. Affects the foundational open-source plumbing the industry runs on. All named examples fixed. Millions of repositories still at risk.
Novee scanned 30,000 repositories, flagged 654, and confirmed over 300 fully exploitable chains. In Microsoft Azure Sentinel, a PR comment could steal a non-expiring GitHub App key with write access to customer Sentinel workspaces. In Google’s AI Agent Development Kit, a single PR could grant an attacker full owner-level Google Cloud permissions. AI coding agents are reproducing the insecure pattern exponentially across new repositories.
Today  ·  Cisco SD-WAN  ·  Mandiant
Mandiant reveals CVE-2026-20245 was exploited two months before Cisco disclosed it. Attackers chained prior SD-WAN auth bypass flaws, uploaded a malicious CSV to create a rogue root account named troot, pushed config changes to edge devices, and then erased their tracks.
Mandiant is credited with discovering the CVE. The attackers changed the default admin credentials during their access to avoid triggering alerts, then quietly restored them. Anti-forensic cleanup was consistent throughout the intrusion. The vmanage-admin and admin default accounts are the pivot used in this attack chain.
Today  ·  Ubiquiti UniFi OS  ·  CISA KEV  ·  Deadline Tomorrow
CISA adds three Ubiquiti UniFi OS flaws to KEV today: improper access control, path traversal, and improper input validation. All allow network-adjacent attackers to make unauthorized changes, access underlying accounts, or inject commands. Federal deadline is June 26.
The flaws affect UniFi OS on UniFi Dream Machine and Cloud Gateway hardware. Ubiquiti patched all three in Security Advisory Bulletin 064. Apply the latest UniFi OS firmware immediately. Network access is required for exploitation, so these flaws are most relevant in environments where network access is not strictly controlled.
Detailed intelligence
Full analysis
01  ·  Cordyceps  ·  GitHub Actions
Cordyceps: a systemic GitHub Actions vulnerability class lets any free account hijack privileged CI/CD workflows at the world’s largest open-source projects. Affects millions of repositories. Named examples fixed.
Cordyceps · Novee Security · June 25
Novee Security published the Cordyceps research today, naming a structural class of exploitable CI/CD misconfiguration that exists across GitHub Actions and equivalent workflow automation systems. The vulnerability lies not in any single bug but in how multiple workflows compose: untrusted external input from pull requests, comments, or branch names crosses into privileged workflow contexts that hold signing keys, cloud credentials, and publishing access.
Executive Impact
Any organization running GitHub Actions workflows that accept contributions from forks or external pull requests should audit those workflows for the Cordyceps pattern today. The specific risk is that low-privilege workflows triggered by external contributors can pass output, artifacts, or environment variables to high-privilege workflows that have cloud credentials, package signing keys, or release publishing rights. Organizations can use GitHub’s Security Settings at the repository level to restrict workflow permissions to read-only by default, require approval before running workflows from fork pull requests, and limit secrets to specific workflow jobs rather than the full workflow context.
Don’t Miss
Novee makes a specific observation about AI coding agents that directly connects to this brief’s ongoing coverage. AI coding tools and templates generate CI/CD configuration files rapidly, and they reproduce the same insecure workflow composition patterns across repositories at scale. The result is what Novee calls an agentic infection model: a small structural mistake gets propagated into thousands of new repositories through AI-generated YAML before any human audits the output. The NCSC warning from Issue 69 about AI-generated code introducing security vulnerabilities developers are not catching applies directly here. Developers who accept AI-generated GitHub Actions YAML without reviewing the workflow trust boundaries, specifically whether untrusted external inputs can reach privileged workflow steps, are propagating Cordyceps-style vulnerabilities faster than they can be found and fixed. Standard static analysis tools do not catch this class of vulnerability because they analyze individual workflow files in isolation and each individual step is technically valid. The attack only exists in how the steps compose across workflow boundaries.
CyberSip Take
The named examples at Microsoft, Google, Apache, and Cloudflare have been fixed. The underlying pattern has not been fixed and is actively being reproduced by AI coding tools across millions of repositories. Any team that uses GitHub Actions for CI/CD publishing, release signing, or cloud deployments and accepts external pull requests should audit workflow permission boundaries this week. The audit question is straightforward: can a pull request from an anonymous external contributor cause code to run in a workflow context that holds secrets or publishing credentials?
What happened

Novee Security published the Cordyceps research today, disclosing a systemic class of exploitable vulnerabilities across GitHub Actions workflows in major open-source repositories. The research is named after a parasitic fungus that takes control of its host, reflecting how the attack hijacks trusted build infrastructure to act on behalf of an attacker. The vulnerabilities are not a single CVE but a structural pattern: command injection into workflow shell steps, broken authentication logic in workflow triggers, artifact poisoning between workflow stages, and cross-workflow privilege escalation from low-trust triggers to high-trust credential contexts.

The core of Cordyceps is the treatment of GitHub Actions YAML as passive configuration rather than security-critical code. Workflows execute shell commands, authenticate to cloud providers, hold package signing keys, and publish releases to npm, PyPI, Docker Hub, and cloud marketplaces. When a workflow trigger such as pull_request_target or workflow_run processes untrusted external content without proper isolation, that content can traverse internal workflow trust boundaries and reach steps that operate with maintainer-level credentials.
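The trigger-and-branch-name composition described above, shown beside a hardened equivalent, as an added illustration that is not a workflow from Novee or from any of the named projects; the job layout, build.sh, deploy.sh and the DEPLOY_KEY secret name are assumptions, and the two workflow files are shown as one YAML stream separated by `---`.

```yaml
# BEFORE: untrusted pull request content reaches a privileged context.
# pull_request_target runs in the base repository, so secrets and a writable
# GITHUB_TOKEN are present even for pull requests from forks. The branch name
# (github.head_ref) is chosen by the contributor; expanding the expression
# inside `run:` pastes it into the script text before the shell parses it,
# and checking out the PR head then runs fork-controlled code next to secrets.
name: build (vulnerable)
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}  # fork's code, base-repo privileges
      - run: |
          echo "Building ${{ github.head_ref }}"           # contributor-controlled text in the script
          ./build.sh                                       # fork-controlled script (assumed name)
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}            # assumed secret, exposed to that script
---
# AFTER: the same pipeline with the trust boundary restored.
name: build (hardened)
on:
  pull_request:          # fork PRs run with no secrets and a read-only token
  push:
    branches: [main]
permissions:
  contents: read         # least-privilege default for every job below
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # PR merge commit, still unprivileged
      - run: |
          # Untrusted values enter via an environment variable; the shell
          # expands $BRANCH as data and never re-parses it as script text.
          echo "Building $BRANCH"
          ./build.sh
        env:
          BRANCH: ${{ github.head_ref }}
  deploy:
    # The only job that sees the publishing secret, and it never runs for a PR.
    if: github.event_name == 'push'
    needs: build
    runs-on: ubuntu-latest
    environment: release   # environment-scoped secret, optionally with required reviewers
    steps:
      - uses: actions/checkout@v4
      - run: ./deploy.sh   # assumed publishing script
        env:
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
# The repository-level controls the brief mentions (read-only default token,
# approval required before fork workflows run) live in the repository's
# Actions settings, not in the workflow file.
```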

Novee scanned approximately 30,000 high-impact repositories and confirmed more than 300 fully exploitable chains. Specific confirmed findings included Microsoft Azure Sentinel, where a PR comment could execute attacker code on Microsoft CI and steal a non-expiring GitHub App key with persistent write access to security content deployed to customer Sentinel workspaces; Google’s AI Agent Development Kit, where a crafted pull request granted full owner-level Google Cloud permissions; Apache Doris, with two zero-click attack paths through comments and forked PRs reaching credentials and write access; Cloudflare’s Workers SDK, where a crafted branch name triggered arbitrary command execution; and the Python Software Foundation’s Black code formatter, where a malicious PR could steal the project bot token and approve subsequent pull requests, creating a path to poisoning official Docker images. All named organizations confirmed and fixed the issues following Novee’s responsible disclosure.

Recommended actions
Derived from The Hacker News, SecurityWeek, and the Novee Security Cordyceps blog post, June 25, 2026.
02  ·  Cisco SD-WAN  ·  Mandiant
Mandiant reveals CVE-2026-20245 was exploited as a zero-day two months before Cisco disclosed it. Attackers chained SD-WAN auth bypass flaws, created a rogue root account named troot, and pushed malicious configuration to thousands of edge devices.
CVE-2026-20245 · CVSS 7.8 · Mandiant
Mandiant published detailed technical findings today on how CVE-2026-20245 was exploited at a service provider network before Cisco was aware the vulnerability existed. The intrusion chain began with rogue SD-WAN peering connections, escalated to root via an uploaded malicious CSV file, resulted in a persistent root account being created, and was followed by careful anti-forensic cleanup designed to minimize the chance of detection.
Executive Impact
Organizations running Cisco Catalyst SD-WAN should review Mandiant’s published indicators of compromise and apply them to SD-WAN Manager logs now. The attack targeted the vmanage-admin default account as an entry point. If that account is enabled and has not been renamed or had its credentials rotated since deployment, it should be treated as a risk regardless of patch status. The attack chain described by Mandiant does not begin with CVE-2026-20245. It begins with unauthorized rogue peering connections established through prior SD-WAN authentication bypass flaws. Any SD-WAN environment that has not been audited for rogue peering connections since the prior authentication bypass disclosures in this brief should conduct that audit.
Don’t Miss
The specific anti-forensic technique the attacker used is worth understanding. During the intrusion, the threat actor changed the default admin account password, conducted their operation, and then quietly changed the password back to its original value before terminating their session. The goal was to ensure that an administrator logging in during or after the attack window would see the credentials they expected and not notice anything unusual. This is a sophisticated operational security technique that is effective against organizations whose primary compromise detection mechanism is noticing unexpected access. Mandiant notes the attacker also deleted all created files, restored altered configuration, and ran a validation script to confirm no evidence remained. Standard log review may not surface this intrusion without specifically checking for the rogue troot account in /etc/passwd, unauthorized peering connection entries, and Mandiant’s published IP addresses in network telemetry.
CyberSip Take
This brief has tracked Cisco SD-WAN Manager through nine documented exploitation events in 2026. The Mandiant report confirms what has been a consistent pattern all year: network management platforms receive sophisticated attacker attention precisely because they combine privileged access with limited endpoint detection coverage. An attacker with root on SD-WAN Manager can push configuration changes to thousands of edge devices with no further exploitation required. Check for the troot account. Check for rogue peering connections. Rename or disable the vmanage-admin default account.
What Mandiant found

Mandiant published a detailed technical blog post today documenting the exploitation chain they observed at a service provider beginning in late 2025 and continuing into early 2026. Mandiant credited itself with discovering CVE-2026-20245, having identified the vulnerability during the active investigation. The flaw exists in the command-line interface of Cisco Catalyst SD-WAN Manager, Controller, and Validator components, and it allows an authenticated attacker with local access to execute arbitrary commands as root by uploading a crafted file.

In the observed attacks, the threat actor first established unauthorized SD-WAN peering connections to the service provider’s SD-WAN Manager devices. Mandiant assessed this was likely accomplished by exploiting previously disclosed authentication bypass vulnerabilities CVE-2026-20127 or CVE-2026-20182, though the precise method in some cases remained unclear. With peering established, the attacker authenticated to the SD-WAN Manager web interface using the default vmanage-admin account and extracted configuration data for the entire SD-WAN fabric, including edge device configurations, controller settings, and SD-WAN deployment templates.

The attacker then exploited CVE-2026-20245 by uploading a malicious CSV file named evil_tenant.csv through the tenant-upload feature in the SD-WAN CLI. The payload first created backups of /etc/passwd and /etc/shadow, then created a new account named troot with full root-level shell privileges. After switching to the troot account and verifying root access, the attackers pushed unauthorized configuration changes to downstream edge devices managed by the SD-WAN controller. Before exiting, the attacker deleted all files created during the attack, restored modified system configurations, and executed a validation script to confirm no evidence remained. In a specific operational security step, the attacker changed the default admin account password during the attack window and then restored it to the original value before disconnecting, specifically to avoid triggering an alert to an administrator who might notice an unexpected password change.

Recommended actions
Derived from BleepingComputer, The Hacker News, SecurityWeek, and the Mandiant blog post on the CVE-2026-20245 intrusion, June 25, 2026.
03  ·  Ubiquiti UniFi OS  ·  CISA KEV  ·  Deadline Tomorrow
CISA adds three Ubiquiti UniFi OS vulnerabilities to KEV with a federal deadline of tomorrow. Improper access control, path traversal, and command injection, all exploitable by network-adjacent attackers without authentication.
CVE-2026-34908 · CVE-2026-34909 · CVE-2026-34910
CISA added three UniFi OS vulnerabilities to its Known Exploited Vulnerabilities catalog today and set a June 26 remediation deadline under BOD 26-04. All three affect UniFi OS on UniFi Dream Machine and Cloud Gateway hardware. Ubiquiti patched all three in Security Advisory Bulletin 064. The flaws require network access but no authentication.
Executive Impact
Organizations running UniFi Dream Machine, Cloud Gateway, or similar UniFi OS hardware should apply the latest UniFi OS firmware update immediately. The federal deadline is tomorrow, which effectively means now for private sector organizations given confirmed active exploitation. For environments where UniFi hardware manages network routing and firewall policy, a compromise of the management interface could allow an attacker to modify firewall rules, intercept traffic, or pivot into managed networks.
Don’t Miss
The three Ubiquiti flaws span three distinct vulnerability classes: improper access control, path traversal, and improper input validation leading to command injection. That three different vulnerability classes were patched simultaneously in the same hardware family suggests either a focused security audit that found multiple issues, or an attacker research effort that identified a cluster of related weaknesses, at least some of which were already being used in attacks before Ubiquiti was aware of them, consistent with the CISA KEV listing. UniFi hardware is very widely deployed in small and medium businesses, remote work environments, and enterprise campus networks because of its relative ease of configuration and low cost. That broad deployment footprint and the consistent combination of network management capability with limited security team oversight make it a reliable target for attackers seeking footholds in distributed environments.
CyberSip Take
UniFi OS powers a large proportion of small business and distributed office networks. Three exploitable flaws with a deadline of tomorrow and confirmed active exploitation mean update tonight. Open the UniFi OS console, apply the latest firmware, and confirm the update completed. The deadline is not a recommendation; it is a binding directive for federal agencies and a strong signal for everyone else.
What happened

CISA added three Ubiquiti UniFi OS vulnerabilities to its Known Exploited Vulnerabilities catalog on June 25, 2026, with a remediation deadline of June 26 under Binding Operational Directive 26-04. The three vulnerabilities affect UniFi OS on UniFi Dream Machine and Cloud Gateway hardware.

CVE-2026-34908 is an improper access control vulnerability. A malicious actor with network access could make unauthorized changes to the system by exploiting insufficient access validation on UniFi OS management interfaces. CVE-2026-34909 is a path traversal vulnerability that allows a network-adjacent attacker to access files on the underlying system, which could in turn be used to gain access to an underlying account. CVE-2026-34910 is an improper input validation vulnerability that could allow a network-adjacent attacker to conduct command injection against the device. All three were addressed by Ubiquiti in Security Advisory Bulletin 064. None of the three requires authentication for exploitation, though all require network access to the management interface.

Recommended actions
Derived from the CISA KEV catalog and The Hacker News reporting on the Ubiquiti UniFi OS CVEs, June 25, 2026.
Still watching
Aging items · days 2–4
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
FortiBleed (Issues 68–71). Russian IAB, multi-vendor, 19,000 active sniffers confirmed June 24. Patch FortiGate, invalidate active sessions, rotate credentials, audit for rogue accounts. Operation continues. Day 2
Squidbleed CVE-2026-47729 (Issue 70). 29-year-old Squid Proxy heap overread. No patch yet. Disable FTP in squid.conf. Squid 7.7 will contain the fix. Not yet confirmed exploited in the wild. Day 4
Cross-source standouts
01  ·  Cordyceps is the supply chain risk that lives in the infrastructure used to build everything else
The Mastra npm attack in Issue 66 used a hijacked account to publish malicious packages. Cordyceps does not need a hijacked account. It uses the workflow automation system itself as the delivery mechanism, triggered by a pull request from a free anonymous account. Novee’s confirmed examples span security monitoring infrastructure at Microsoft Sentinel, AI development tooling at Google, database infrastructure at Apache, edge networking at Cloudflare, and code formatting tools used by over 130 million Python developers per month. One compromised workflow in any of those repositories would have been sufficient to push malicious packages to npm, PyPI, Docker Hub, or cloud marketplaces relied on by downstream organizations that have no direct relationship with the compromised project. The fix for the named examples is already applied. The pattern continues to be reproduced by AI coding agents across new repositories. CI/CD configuration is code, and it needs to be reviewed as code.
02  ·  Cisco SD-WAN has had nine documented exploitation events in 2026. Mandiant says this is the living-off-the-edge paradigm at scale.
CVE-2026-20245 today is the ninth Cisco SD-WAN vulnerability with confirmed exploitation documented in this brief since January. Mandiant concludes its report with a broader observation: threat actors are increasingly targeting network devices and management infrastructure specifically because those systems rarely run endpoint detection and response tools, they offer persistent access to the entire fabric of networks they manage, and their forensic record is limited. The Mandiant CTO specifically called out that advanced adversaries primarily target systems that do not natively support EDR solutions. SD-WAN Manager can control up to 6,000 edge routers from a single dashboard. A root account on that dashboard is not an endpoint compromise. It is a network-wide compromise that requires no further exploitation, only configuration commands. Organizations treating Cisco SD-WAN patches as ordinary scheduled maintenance rather than emergency response items have spent 2026 in a consistent pattern of exploitation windows that closed later than they should have.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.