<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Privilege-Escalation on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/privilege-escalation/</link><description>Recent content in Privilege-Escalation on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Thu, 04 Jun 2026 16:55:51 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/privilege-escalation/index.xml" rel="self" type="application/rss+xml"/><item><title>Cisco Unified CM CVE-2026-20230: SSRF to Root PoC</title><link>https://zxcloudsecurity.co.uk/posts/cisco-unified-cm-ssrf-privilege-escalation-cve-2026-20230/</link><pubDate>Thu, 04 Jun 2026 16:55:51 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cisco-unified-cm-ssrf-privilege-escalation-cve-2026-20230/</guid><description>Cisco patches CVE-2026-20230 in Unified CM — an SSRF flaw allowing unauthenticated attackers to write files and escalate to root. Public PoC now available.</description><content:encoded><![CDATA[<p>🔴 <strong>Critical</strong>  |  <strong>Source:</strong> <a href="https://thehackernews.com/2026/06/cisco-patches-cve-2026-20230-in-unified.html">The Hacker News</a></p>
<hr>
<p>Cisco has patched a server-side request forgery (SSRF) vulnerability in Unified Communications Manager (Unified CM) that allows an unauthenticated network attacker to write arbitrary files to the system and escalate privileges to root. The flaw is tracked as CVE-2026-20230 and public proof-of-concept exploit code is already available, significantly lowering the barrier to exploitation. Cisco&rsquo;s PSIRT has not confirmed active exploitation in the wild, but the availability of working PoC code makes patching urgent.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Apply Cisco&rsquo;s patch immediately and treat any internet- or untrusted-network-exposed Unified CM instances as highest priority. As an interim control, restrict network access to Unified CM admin interfaces to trusted management VLANs only, and review ingress firewall rules to limit the blast radius while patching is under way.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://thehackernews.com/2026/06/cisco-patches-cve-2026-20230-in-unified.html">Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public</a></p>
]]></content:encoded></item><item><title>Claude Code GitHub Action Flaw Enabled Repo Hijack</title><link>https://zxcloudsecurity.co.uk/posts/claude-code-github-action-flaw-repository-hijack-supply-chain/</link><pubDate>Thu, 04 Jun 2026 15:15:26 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/claude-code-github-action-flaw-repository-hijack-supply-chain/</guid><description>A flaw in Anthropic&amp;#39;s Claude Code GitHub Action let attackers hijack public repos via a single issue, risking supply chain compromise across downstream pro</description><content:encoded><![CDATA[<p>🔴 <strong>Critical</strong>  |  <strong>Source:</strong> <a href="https://thehackernews.com/2026/06/claude-code-github-action-flaw-let-one.html">The Hacker News</a></p>
<hr>
<p>A flaw in Anthropic&rsquo;s Claude Code GitHub Action allowed an attacker to hijack public repositories simply by opening a malicious GitHub issue, requiring no authentication or special access. Because Anthropic&rsquo;s own repository used the same vulnerable workflow, a successful attack could have injected malicious code into the action itself, poisoning every downstream project that consumes it. Researcher RyotaK of GMO discovered and reported the issue.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Audit any GitHub Actions workflows that trigger on untrusted events such as &lsquo;issues&rsquo;, &lsquo;issue_comment&rsquo; or &lsquo;pull_request_target&rsquo; and ensure they do not carry write permissions or secrets without an explicit trust gate (for example, a check that the actor is a repository collaborator). Pass event fields such as issue titles and bodies to scripts through &lsquo;env:&rsquo; variables rather than interpolating them straight into &lsquo;run:&rsquo; steps, where they become shell injection. If you use the Claude Code GitHub Action, pin it to the full commit SHA of a patched release rather than a mutable tag, and declare &lsquo;permissions:&rsquo; at workflow or job level following the principle of least privilege.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://thehackernews.com/2026/06/claude-code-github-action-flaw-let-one.html">Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories</a></p>
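<p>As an added example (not code from the original post, and not Anthropic&rsquo;s action or workflow), the following Python script performs the audit described above over workflow files: it reads the triggers under &lsquo;on:&rsquo;, flags those whose payload an outsider can author, flags write permissions and secrets, and flags event fields interpolated directly into &lsquo;run:&rsquo; scripts. The two workflows it scans are constructed samples, and it is a line-based heuristic rather than a full YAML parser, so treat its output as a worklist for manual review.</p>

```python
import re

# Triggers whose payload an outsider can author: issues, comments, discussions,
# and pull_request_target / workflow_run, which run in the base repository's
# context with its token and secrets even for pull requests from forks.
UNTRUSTED_TRIGGERS = {
    "issues", "issue_comment", "discussion", "discussion_comment",
    "pull_request_target", "pull_request_review", "pull_request_review_comment",
    "workflow_run",
}

# Event fields an outsider controls. Interpolating them into a run: script is a
# shell-injection sink; the safe pattern is to pass them through env: instead.
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{[^}]*github\.(?:event\.(?:issue|comment|pull_request|discussion|review)\.|head_ref)"
)
SECRET_EXPR = re.compile(r"\$\{\{[^}]*secrets\.(?!GITHUB_TOKEN\b)(\w+)")
WRITE_PERM = re.compile(r"^\s*(?:permissions:\s*write-all|[\w-]+:\s*write)\s*$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def triggers_of(text):
    """Return the set of event names under the top-level on: key (inline or block form)."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^on:\s*(.*)$", line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:                                   # on: push  /  on: [issues, push]
            return {t.strip() for t in inline.strip("[]").split(",") if t.strip()}
        block = []
        for nxt in lines[i + 1:]:
            if nxt.strip() and _indent(nxt) == 0:    # next top-level key ends the block
                break
            if nxt.strip() and not nxt.strip().startswith("#"):
                block.append(nxt)
        if not block:
            return set()
        base = min(_indent(b) for b in block)        # keys at the shallowest depth are the triggers
        return {b.strip().lstrip("- ").rstrip(":") for b in block if _indent(b) == base}
    return set()


def audit_workflow(text):
    """Return a list of findings for one workflow file; an empty list means nothing was flagged."""
    findings = []
    untrusted = sorted(triggers_of(text) & UNTRUSTED_TRIGGERS)
    if untrusted:
        findings.append("untrusted trigger(s): " + ", ".join(untrusted))
    if not re.search(r"^\s*permissions:", text, re.M):
        findings.append("no permissions: block; GITHUB_TOKEN falls back to the repository default, which may be write")
    in_run, run_indent = False, 0
    for n, line in enumerate(text.splitlines(), 1):
        if WRITE_PERM.match(line):
            findings.append(f"line {n}: write permission granted ({line.strip()})")
        for m in SECRET_EXPR.finditer(line):
            findings.append(f"line {n}: secret {m.group(1)} exposed to this workflow")
        if re.match(r"^(?:-\s*)?run:", line.lstrip(" ")):
            in_run = True
            run_indent = len(line) - len(line.lstrip(" -"))   # column of the run key itself
        elif in_run and line.strip() and _indent(line) <= run_indent:
            in_run = False                                   # sibling key (env:, with:) or next step
        if in_run and UNTRUSTED_EXPR.search(line):
            findings.append(f"line {n}: untrusted event data interpolated into a run: script (injection)")
    return findings


# Constructed samples (assumed, not from any real repository).
VULNERABLE = """\
name: triage
on:
  issues:
    types: [opened]
permissions:
  contents: write
  issues: write
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: |
          echo "Triaging: ${{ github.event.issue.title }}"
          ./scripts/triage.sh
        env:
          API_KEY: ${{ secrets.API_KEY }}
"""

HARDENED = """\
name: triage
on:
  pull_request:
    types: [opened]
permissions:
  contents: read
  pull-requests: read
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./scripts/triage.sh "$PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
"""

if __name__ == "__main__":
    import sys
    targets = [(p, open(p).read()) for p in sys.argv[1:]] or [("vulnerable", VULNERABLE), ("hardened", HARDENED)]
    for label, text in targets:
        print(label, "->", audit_workflow(text) or ["no findings"])
```

<p>Run it as <code>python3 audit_workflows.py .github/workflows/*.yml</code>; with no arguments it scans the two embedded samples. The hardened sample shows the shape to aim for: a trigger whose token is read-only for forks, an explicit read-only permissions block, and the event field reaching the script only through an environment variable.</p>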
]]></content:encoded></item><item><title>Passwords in Active Directory Description Fields Risk</title><link>https://zxcloudsecurity.co.uk/posts/passwords-stored-active-directory-description-fields-credential-exposure/</link><pubDate>Thu, 04 Jun 2026 05:00:00 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/passwords-stored-active-directory-description-fields-credential-exposure/</guid><description>Plaintext passwords stored in Active Directory description fields are readable by any domain user — learn how to audit and remediate this credential exposu</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://www.theregister.com/security/2026/06/04/all-the-passwords-were-stored-in-active-directory-description-fields/5250820">The Register — Security</a></p>
<hr>
<p>Passwords were found stored in plaintext within Active Directory user and computer description fields, making them trivially accessible to any authenticated account on the network. The default AD ACLs grant Authenticated Users read access to the description attribute, so a low-privilege user or a single compromised account can harvest these credentials at scale with one LDAP query, no elevated rights required. This is a significant credential exposure in any hybrid or cloud-connected environment where AD is the identity backbone, because the harvested passwords frequently belong to service accounts that also hold privileged access.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Audit your Active Directory environment immediately for plaintext credentials in description fields, using BloodHound (SharpHound collects the attribute), a targeted LDAP query, or a PowerShell one-liner such as &lsquo;Get-ADUser -Filter * -Properties Description | Where-Object Description&rsquo; and its Get-ADComputer equivalent. Cover computer objects and the info (Notes) field as well as user descriptions, rotate every credential you find (anything readable by Authenticated Users must be treated as already compromised), and enforce a policy prohibiting sensitive data in AD attributes. In Entra ID hybrid environments, also check which attributes Entra Connect is configured to sync, since description is part of the default set and any plaintext secret may already have been replicated to the cloud directory.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://www.theregister.com/security/2026/06/04/all-the-passwords-were-stored-in-active-directory-description-fields/5250820">All the passwords were stored in Active Directory description fields</a></p>
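<p>As an added example (not code from the original article), the Python script below does the offline half of that audit: it parses an LDIF export of the free-text attributes, as produced by &lsquo;ldifde -f out.ldf -l description,info&rsquo; on a domain-joined host or by &lsquo;ldapsearch ... description info&rsquo; from anywhere with a domain account, handling the folded lines and base64 (&lsquo;::&rsquo;) values both tools emit, and then flags values that look like they carry a credential. The LDIF it scans is a constructed sample, and the keyword patterns are a heuristic that will also match harmless text such as &lsquo;password reset 2024-01&rsquo;, so every hit needs a human look.</p>

```python
import base64
import re

# Keywords that usually precede a credential pasted into a free-text attribute.
# Deliberately broad: false positives are cheap, a missed service-account password is not.
CRED_PATTERN = re.compile(
    r"\b(?:pass(?:word|wd|phrase)?|pwd|pw|secret|pin|creds?)\b\s*[:=-]?\s*\S+", re.I
)
FREE_TEXT_ATTRS = ("description", "info", "comment")   # info is the "Notes" field in ADUC


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]; handles folded lines and base64 (::) values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:        # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs, dn = [], {}, None
    for line in lines + [""]:                    # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>", used for non-ASCII or leading spaces
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def find_credentials(entries, attr_names=FREE_TEXT_ATTRS):
    """Return (dn, attribute, value) for every free-text value that looks like it holds a credential."""
    hits = []
    for dn, attrs in entries:
        for attr in attr_names:
            for value in attrs.get(attr, []):
                if CRED_PATTERN.search(value):
                    hits.append((dn, attr, value))
    return hits


# Constructed sample resembling an ldifde export (assumed data, not a real directory).
_B64_DESC = base64.b64encode("Temp password Printer123 (change me)".encode()).decode()
SAMPLE_LDIF = f"""\
dn: CN=svc-backup,OU=Service Accounts,DC=corp,DC=example
objectClass: user
sAMAccountName: svc-backup
description: Backup service account. pw: B@ckup2024!

dn: CN=Jane Doe,OU=Users,DC=corp,DC=example
objectClass: user
sAMAccountName: jdoe
description: Finance team, desk 4B

dn: CN=PRINTER-01,OU=Computers,DC=corp,DC=example
objectClass: computer
description:: {_B64_DESC}
info: Ricoh MFP, 2nd floor
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, attr, value in find_credentials(parse_ldif(text)):
        print(f"{dn}\n    {attr}: {value}")
```

<p>Run it as <code>python3 ad_desc_audit.py out.ldf</code>; with no argument it scans the embedded sample and reports the service account and the printer object, not the ordinary user. Note that ldifde writes UTF-16 by default on some Windows versions, so convert the file to UTF-8 first if the parser sees garbage.</p>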
]]></content:encoded></item><item><title>Reducing IAM Attack Surface with IVIP Platforms</title><link>https://zxcloudsecurity.co.uk/posts/iam-attack-surface-identity-visibility-intelligence-platform-ivip/</link><pubDate>Wed, 03 Jun 2026 11:58:00 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/iam-attack-surface-identity-visibility-intelligence-platform-ivip/</guid><description>Identity Dark Matter is exposing enterprise cloud environments to risk. Learn how Identity Visibility and Intelligence Platforms help close IAM gaps.</description><content:encoded><![CDATA[<p>🟡 <strong>Medium</strong>  |  <strong>Source:</strong> <a href="https://thehackernews.com/2026/06/shrinking-iam-attack-surface-through.html">The Hacker News</a></p>
<hr>
<p>Modern enterprise identity and access management (IAM) is increasingly fragmented across applications, machine identities, and decentralised teams, creating blind spots known as &lsquo;Identity Dark Matter&rsquo; — activity that falls outside centralised IAM controls. Identity Visibility and Intelligence Platforms (IVIP) are emerging as a way to consolidate this visibility and reduce the exploitable attack surface. This matters because unmanaged identities are a primary vector for privilege abuse and lateral movement in cloud environments.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Audit your current IAM coverage gaps by mapping all human, machine, and federated identities across your cloud estate — then evaluate IVIP tooling to surface shadow identities and unmanaged service accounts that your existing IAM tooling cannot see.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://thehackernews.com/2026/06/shrinking-iam-attack-surface-through.html">Shrinking the IAM Attack Surface through Identity Visibility and Intelligence Platforms (IVIP)</a></p>
]]></content:encoded></item><item><title>CVE-2020-8561: Kubernetes Webhook Redirect Flaw in AKS</title><link>https://zxcloudsecurity.co.uk/posts/cve-2020-8561-kubernetes-kube-apiserver-webhook-redirect-ssrf-azure/</link><pubDate>Wed, 03 Jun 2026 08:02:13 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/cve-2020-8561-kubernetes-kube-apiserver-webhook-redirect-ssrf-azure/</guid><description>CVE-2020-8561 allows webhook redirect abuse in kube-apiserver, enabling SSRF via Kubernetes admission webhooks. Affects AKS and self-managed clusters.</description><content:encoded><![CDATA[<p>🟡 <strong>Medium</strong>  |  <strong>Source:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8561">Microsoft Security Response Center</a></p>
<hr>
<p>CVE-2020-8561 is a vulnerability in the Kubernetes API server (kube-apiserver) in which the API server follows HTTP redirects returned by an admission webhook endpoint. An actor who controls the response of a MutatingWebhookConfiguration or ValidatingWebhookConfiguration target can therefore redirect the API server&rsquo;s request to private network addresses reachable only from the control plane, a server-side request forgery (SSRF) that bypasses network controls; if the API server is logging at verbosity level 10, the redirected responses and headers are also written to its logs. This affects Azure Kubernetes Service (AKS) and any Kubernetes environment where untrusted users can create or modify webhook configurations or control the endpoints they point at.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Review and restrict who has permission to create or modify ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects in your Kubernetes clusters, limiting this to highly trusted administrators only. Audit existing webhook configurations for unexpected or suspicious target URLs (external &lsquo;url&rsquo; endpoints and Services in namespaces you did not deploy deserve the closest look), do not run kube-apiserver at log verbosity 10 outside a short debugging window, and consider network policies that restrict where the kube-apiserver can make outbound connections.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-8561">CVE-2020-8561 Webhook redirect in kube-apiserver</a></p>
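<p>As an added example (not code from the MSRC advisory or from the Kubernetes project), the Python script below performs the configuration audit described above over the JSON that &lsquo;kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json&rsquo; returns: it flags webhooks that call an external URL at all, URLs that are not HTTPS, Services in namespaces you did not deploy, and empty caBundles. The trusted-namespace list and the sample List object are assumptions constructed for the example.</p>

```python
import json
from urllib.parse import urlparse

# Namespaces whose webhook-backing Services you actually deployed (assumption for the example).
TRUSTED_NAMESPACES = {"kube-system", "cert-manager", "gatekeeper-system"}
# External hosts a webhook may legitimately call; normally empty in a self-contained cluster.
ALLOWED_EXTERNAL_HOSTS = set()


def audit_webhooks(config_list, trusted_ns=TRUSTED_NAMESPACES, allowed_hosts=ALLOWED_EXTERNAL_HOSTS):
    """Walk a kubectl -o json List of webhook configurations and return a list of findings."""
    findings = []
    for cfg in config_list["items"]:
        kind, name = cfg["kind"], cfg["metadata"]["name"]
        for wh in cfg.get("webhooks", []):
            where = f"{kind}/{name} webhook {wh['name']}"
            cc = wh.get("clientConfig", {})
            if "url" in cc:
                # A url-based webhook sends admission requests wherever this host says; the
                # endpoint's operator controls the response, including any redirect.
                u = urlparse(cc["url"])
                if u.scheme != "https":
                    findings.append(f"{where}: non-https url {cc['url']}")
                if u.hostname not in allowed_hosts:
                    findings.append(f"{where}: url target {u.hostname} is not on the allow-list")
            elif "service" in cc:
                ns = cc["service"].get("namespace")
                if ns not in trusted_ns:
                    findings.append(f"{where}: backed by Service {ns}/{cc['service']['name']} outside trusted namespaces")
            else:
                findings.append(f"{where}: clientConfig has neither url nor service")
            if not cc.get("caBundle"):
                # Empty caBundle means the endpoint certificate is checked only against the
                # API server's system trust roots, not a CA you control.
                findings.append(f"{where}: empty caBundle")
    return findings


# Constructed sample in the shape kubectl returns for multiple resource types (assumed, not a real cluster).
SAMPLE = json.loads("""
{"apiVersion": "v1", "kind": "List", "items": [
  {"kind": "MutatingWebhookConfiguration", "metadata": {"name": "cert-manager-webhook"},
   "webhooks": [{"name": "webhook.cert-manager.io",
                 "clientConfig": {"service": {"name": "cert-manager-webhook", "namespace": "cert-manager", "path": "/mutate"},
                                  "caBundle": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t"}}]},
  {"kind": "ValidatingWebhookConfiguration", "metadata": {"name": "policy-check"},
   "webhooks": [{"name": "validate.example.internal",
                 "clientConfig": {"url": "http://10.0.0.5:8443/validate"}}]},
  {"kind": "ValidatingWebhookConfiguration", "metadata": {"name": "team-hook"},
   "webhooks": [{"name": "hook.dev-team-x.svc",
                 "clientConfig": {"service": {"name": "hook", "namespace": "dev-team-x"},
                                  "caBundle": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t"}}]}
]}
""")

if __name__ == "__main__":
    import sys
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for finding in audit_webhooks(data) or ["no findings"]:
        print(finding)
```

<p>Pipe the live output in with <code>kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json | python3 webhook_audit.py</code>; run without a pipe it audits the embedded sample and flags the plain-HTTP external endpoint and the dev-team Service while passing cert-manager. For the RBAC side of the review, <code>kubectl auth can-i create validatingwebhookconfigurations --as=system:serviceaccount:dev-team-x:default</code> answers whether a given principal could plant a webhook in the first place.</p>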
]]></content:encoded></item><item><title>Android CVE-2025-48595: June 2026 Patch Alert</title><link>https://zxcloudsecurity.co.uk/posts/android-june-2026-patch-cve-2025-48595-privilege-escalation/</link><pubDate>Tue, 02 Jun 2026 18:46:00 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/android-june-2026-patch-cve-2025-48595-privilege-escalation/</guid><description>Google&amp;#39;s June 2026 Android update patches 124 flaws including CVE-2025-48595, an actively exploited privilege escalation bug requiring no user interaction.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://thehackernews.com/2026/06/google-june-2026-android-update-patches.html">The Hacker News</a></p>
<hr>
<p>Google&rsquo;s June 2026 Android security update addresses 124 vulnerabilities, including a high-severity privilege escalation flaw (CVE-2025-48595) in the Android Framework component that is actively being exploited in the wild. The flaw requires no user interaction, making it particularly dangerous as attackers can escalate privileges silently. Organisations with Android devices in their mobile fleet or BYOD programmes should treat this update as urgent.</p>
<blockquote>
<p><strong>Architect&rsquo;s Take:</strong> Prioritise enforcement of this patch across managed Android devices via your MDM solution (e.g. Intune, Workspace ONE or Google Endpoint Management), focusing first on devices that access corporate cloud resources or sensitive SaaS applications. Key compliance on the device&rsquo;s Android security patch level, which MDM reports and which must reach the June 2026 level once the OEM ships the update; devices whose vendor has not yet released it should be treated as unpatched rather than assumed fixed. Review your mobile threat defence policies to detect exploitation attempts against unpatched devices in the interim.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://thehackernews.com/2026/06/google-june-2026-android-update-patches.html">Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited</a></p>
]]></content:encoded></item></channel></rss>