Cyber Toolkit Ltd, a UK Registered Company - 16938415
This is the Cyber Toolkit weekly roundup of key cyber security news, covering the most relevant vulnerabilities, breaches and incidents affecting organisations in the UK and beyond over the past week (2nd June - 9th June 2026).
Cisco was among the vendors issuing warnings this week after researchers disclosed a vulnerability affecting SD-WAN systems that has already been exploited in zero-day attacks. Technologies like SD-WAN have become increasingly common as organisations connect offices and remote workers, meaning vulnerabilities affecting them can have far-reaching consequences if left unaddressed. The fact that exploitation was observed before many organisations had an opportunity to patch reinforces how little time organisations now have to assess, prioritise and remediate newly disclosed vulnerabilities.
Acer warned customers about multiple maximum-severity vulnerabilities affecting its Wave 7 routers, while researchers separately reported on the continued spread of the c0xmo botnet through vulnerable DD-WRT devices. Network devices often receive less attention than servers or endpoints, yet they continue to feature regularly in both vulnerability disclosures and active attack campaigns. As organisations expand their digital ecosystem, maintaining visibility over these systems remains an important part of reducing overall exposure.
CISA also added vulnerabilities affecting both Magento and SolarWinds products to its Known Exploited Vulnerabilities catalogue this week. Inclusion on the list indicates there is evidence of active exploitation, making these announcements particularly important for organisations using the affected products. Once vulnerabilities begin appearing on exploited vulnerability lists, attackers often increase efforts to identify organisations that have yet to apply available updates.
Researchers reported that China-linked threat group TA4922 has expanded its phishing activity, targeting organisations across a range of sectors and countries, including the UK. Phishing remains one of the most effective methods for gaining initial access to corporate environments, and state-linked groups continue to invest heavily in increasingly convincing campaigns designed to bypass both technical controls and user awareness training.
The University of Oxford disclosed a data breach affecting its CareerConnect platform following unauthorised access to the system. While investigations remain ongoing, the incident serves as another reminder that third-party platforms can often become an unexpected source of risk, particularly where large volumes of personal information are involved.
One of the common threads running through this week's stories is the continued focus on access. Whether through exploiting vulnerable devices and systems or targeting users through phishing campaigns, attackers remain focused on identifying the easiest route into an organisation. For organisations, maintaining visibility of their systems and ensuring security updates are applied promptly continues to be one of the most effective ways of reducing exposure.
We'll see what next week brings.