
Daily technology news recap for Friday, June 5, 2026. Today’s technology news is heavier on security than convenience, but there are useful lessons for normal users and small businesses. CISA added a SolarWinds Serv-U flaw to its Known Exploited Vulnerabilities catalog, Cisco warned that a Catalyst SD-WAN Manager zero-day is already being used in attacks, federal agencies and Shadowserver are warning about exposed fuel-tank monitoring systems, researchers detailed long-running Microsoft 365 access by a China-linked group, and npm supply-chain malware continued to spread through developer packages. On the better-news side, some vendors are responding to browser bloat and security-tool fatigue with simpler options, and several of today’s stories have clear, practical fixes.
This recap is written for home users, freelancers, and small offices that want the practical version of tech news: what happened, why it matters, who should care, and what to do next. Not every headline applies to every reader, but the patterns do. Internet-exposed management tools keep getting found and abused. Cloud accounts remain valuable targets after a network breach. Developer tools are now part of the security perimeter. And “small” infrastructure, such as a phone system, file-transfer server, browser profile, or tank gauge, can become a business problem when it is forgotten.
In This Article
- SolarWinds Serv-U is now on CISA’s exploited-vulnerability list
- Cisco warned about an unpatched SD-WAN Manager zero-day
- More than 900 U.S. automatic tank gauge systems were found exposed
- A China-linked group used long-term access to reach Microsoft 365 environments
- IronWorm and Miasma show why developer package security matters
- A critical WordPress form-plugin flaw is being exploited
- Brave Origin is a useful browser-choice story, with a buying caution
- Today’s practical checklist
1. SolarWinds Serv-U Is Now On CISA’s Exploited-Vulnerability List
The most urgent patch-management item today is CVE-2026-28318, a SolarWinds Serv-U vulnerability that CISA added to the Known Exploited Vulnerabilities catalog on June 5, 2026. The catalog entry identifies it as an uncontrolled resource-consumption issue in SolarWinds Serv-U, with a federal due date of June 19, 2026. NVD and SolarWinds describe the bug as an unauthenticated denial-of-service problem where specially crafted POST requests using Content-Encoding: deflate can crash the Serv-U service.
Serv-U is used for managed file transfer, FTP, SFTP, and related business file-sharing workflows. That means it often sits close to sensitive data: accounting files, client uploads, medical or legal documents, vendor files, backups, logistics data, or internal reports. This particular vulnerability is primarily an availability issue, not a confirmed data-theft flaw. That still matters. A file-transfer service going down during payroll, billing, onboarding, shipping, tax work, legal discovery, or medical-document exchange can cause real operational pain.
The good news is that this is a patchable and containable problem. SolarWinds has release guidance for Serv-U 15.5.4 Hotfix 1, and CISA’s KEV listing gives defenders a clear priority signal. The bad news is that exploited file-transfer products have been a repeat target across the industry, and many small organizations do not realize when a vendor, bookkeeper, accountant, warehouse, or branch office is still exposing an old transfer server to the internet.
Local-business takeaway: if you use SolarWinds Serv-U, verify the exact version, apply the current hotfix, and confirm whether the service is exposed directly to the internet. If it must be reachable remotely, restrict access by VPN, firewall rules, IP allow-listing, or a managed secure-access service. Also review logs around the date CISA added the issue, because repeated crashes may be the visible symptom of probing or exploitation.
Home-user angle: most home users do not run Serv-U. But the same principle applies to home NAS devices, self-hosted file servers, remote desktop tools, and “temporary” file-sharing ports left open on a router. If a service does not need to be public, do not leave it public.
Sources: CISA Known Exploited Vulnerabilities Catalog, NVD entry for CVE-2026-28318, SolarWinds advisory for CVE-2026-28318, and Canadian Centre for Cyber Security advisory AV26-549.
2. Cisco Warned About An Unpatched SD-WAN Manager Zero-Day
Cisco Catalyst SD-WAN Manager is back in the spotlight. BleepingComputer reported today that Cisco warned about CVE-2026-20245, a high-severity, unpatched zero-day in Cisco Catalyst SD-WAN Manager that has been exploited in limited attacks. Cisco says exploitation requires netadmin privileges, valid credentials, or prior exploitation of related SD-WAN vulnerabilities such as CVE-2026-20182 or CVE-2026-20127. A successful attack can allow command injection and privilege escalation to root.
This is not a normal home Wi-Fi router issue. It matters to organizations that use Cisco SD-WAN to manage branch offices, remote sites, retail locations, warehouses, medical offices, schools, municipal facilities, or distributed networks. The uncomfortable part is that SD-WAN systems are meant to control connectivity. When the management layer is compromised, attackers may be able to change network behavior, push configuration changes, or use trusted infrastructure to move deeper.
The bad news is that Cisco had not released patches for CVE-2026-20245 at the time of the report. The better news is that Cisco published indicators and guidance for customers, and the attack path appears to require an existing privileged foothold or another exploited SD-WAN vulnerability. That means credential hygiene, older patch levels, and management-plane exposure matter even more than usual.
Local-business takeaway: if a telecom provider, MSP, or network vendor manages your SD-WAN, ask three questions today: do we use Cisco Catalyst SD-WAN Manager, were our controllers patched for CVE-2026-20182 and CVE-2026-20127, and has anyone reviewed Cisco’s indicators for CVE-2026-20245? Also make sure administrative access is limited to trusted networks and that dormant admin accounts are disabled.
What to avoid: do not assume “cloud-managed” means “not our problem.” Cloud-managed network gear still needs patch tracking, access review, MFA, and a named responsible vendor. Small businesses often outsource network management, which is fine, but outsourced does not mean unowned.
Sources: BleepingComputer: Cisco warns of unpatched SD-WAN zero-day exploited in attacks and Cisco Catalyst SD-WAN remediation guidance.
3. More Than 900 U.S. Automatic Tank Gauge Systems Were Found Exposed
One of today’s most practical critical-infrastructure stories involves automatic tank gauge systems, or ATGs. These are devices used to monitor fuel or liquid levels, temperature, leak status, and related tank data. They are common at gas stations, but they can also appear in industrial, agricultural, transportation, and chemical environments. On June 3, CISA, the FBI, NSA, Department of Energy, EPA, TSA, DOT, and USDA released guidance urging owners and operators to harden ATG systems after malicious activity targeting U.S.-based systems.
BleepingComputer reported today that Shadowserver observed 1,061 accessible ATG IPs on June 5 after filtering out likely honeypots, with 909 in the United States. The risk is not just someone seeing a fuel level. Federal guidance warns that attackers may compromise exposed systems and modify them through command execution, potentially changing settings, labels, alarm thresholds, or other data that operators rely on for safety and compliance.
The bad news is that these are operational-technology systems, and many were never meant to be placed directly on the open internet. The good news is that the basic mitigations are clear: remove direct internet exposure, use firewall or VPN controls, change default passwords, patch supported systems, monitor logs, and verify that alarms and thresholds have not been changed.
Local-business takeaway: if your business has fuel tanks, generators, fleet equipment, agricultural tanks, chemical storage, or any other monitored tank system, do not treat it as “not IT.” Put it on the asset list. Ask who installed it, whether remote access is required, how it is protected, and whether vendor access is restricted. If a vendor says they need remote access, require a safer method than exposing the device directly to the internet.
Broader lesson: small connected devices can become big business risks. The same review should happen for security cameras, gate controllers, HVAC panels, alarm systems, payment terminals, badge systems, and building automation gear.
Sources: NSA release on hardening automatic tank gauge systems, BleepingComputer: Over 900 U.S. gas station tank gauge systems exposed to attacks, and CISA incident reporting.
4. A China-Linked Group Used Long-Term Access To Reach Microsoft 365 Environments
BleepingComputer also reported today on activity tied to UNC5221, also tracked as VerdantBamboo, using the Brickstorm backdoor and newly described malware named Plenet and AgentPSD. The important small-business lesson is not the malware names. It is the path: the attackers reportedly maintained long-term access, used stolen credentials, accessed Microsoft 365 environments, and may have pivoted through a managed services provider.
That matters because many businesses now think of Microsoft 365 as “the cloud,” separate from the local network. Attackers do not see it that way. A foothold in a firewall, NAS, synchronization appliance, old server, or MSP environment can become a path into email, SharePoint, OneDrive, Teams, or administrative portals. If Conditional Access rules are weak or if traffic appears to come from a trusted location, stolen credentials may go farther than expected.
The bad news is that long dwell time changes the cleanup job. If an attacker has been present for months, replacing one password and rebooting one device is not enough. The better news is that this story reinforces specific defenses: MFA that resists phishing, Conditional Access policies that check device health and risk, admin-account separation, audit logging, mailbox-rule review, OAuth app review, and MSP access controls.
Local-business takeaway: ask your IT provider how their access to your tenant is controlled. Do they use named accounts, MFA, device controls, audit logs, and least privilege? Are emergency admin accounts documented and protected? Are old vendor accounts removed? Do you have a way to review sign-ins from your tenant, not just from your computers?
Home-user angle: for families and individuals, the same idea applies to email and cloud storage. If a device is compromised, check cloud account sessions, connected apps, forwarding rules, recovery options, and recent sign-ins. Cloud cleanup is part of device cleanup.
Source: BleepingComputer: Chinese APT deploys new malware to keep access to hacked networks.
5. IronWorm And Miasma Show Why Developer Package Security Matters
Developer security stayed in the news today. The Hacker News reported on June 5 that multiple npm supply-chain attacks have hit the ecosystem, including IronWorm and a new Miasma worm variant. The report describes malicious and poisoned versions of more than 50 legitimate packages being used to distribute a Rust-based information stealer and a self-spreading worm. BleepingComputer also reported June 4 that IronWorm had infected 36 npm packages.
npm is the package ecosystem behind a large amount of JavaScript and Node.js work. For non-developers, the key point is simple: modern apps are assembled from many reusable components. If attackers poison one component, the damage can spread through developer machines, build servers, internal tools, and production workflows. Stolen developer secrets can include API tokens, GitHub tokens, package-manager credentials, cloud keys, SSH keys, and environment files.
The bad news is that supply-chain attacks can reach businesses indirectly. Your business may never install npm packages by hand, but your website developer, software vendor, automation contractor, or ecommerce maintainer might. The good news is that mature controls are not mysterious: lock dependencies, review package changes, use package scanning, avoid running random install commands, keep production secrets out of developer laptops, and rotate keys when exposure is suspected.
Local-business takeaway: if you have a custom website or app, ask your developer or vendor how they handle dependency updates. You do not need to know every technical detail, but someone should be able to answer whether packages are pinned, scanned, reviewed, and built in a controlled environment. Also ask whether production credentials are separate from development credentials. They should be.
For developers: treat “npm install this quick tool” like installing a program with access to your working directory. Use isolated test environments when possible, review package reputation, check maintainer changes, and avoid long-lived secrets in plain-text .env files.
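An added example (not code from this article or from npm) of the "pinned, scanned, reviewed" questions above: it checks a package.json and package-lock.json pair for version ranges, missing integrity hashes, packages fetched from outside the registry, and install scripts. The package names, the hashes, and the choice of the public npm registry as the only approved source are constructed assumptions.

```javascript
// Added example: checks a package.json / package-lock.json pair for
// unpinned ranges, missing integrity hashes, non-registry sources and
// install scripts. All package names and values are constructed samples.
const EXACT_VERSION = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
const REGISTRY = "https://registry.npmjs.org/"; // assumption: public registry only

function auditManifest(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      // Ranges (^, ~, *), tags ("latest") and git URLs can all resolve to
      // a different artifact on the next install.
      if (!EXACT_VERSION.test(spec)) findings.push({ name, issue: "unpinned", detail: spec });
    }
  }
  return findings;
}

function auditLockfile(lock, registry = REGISTRY) {
  const findings = [];
  // lockfileVersion 2 and 3 list each installed package under "packages",
  // keyed by its node_modules path; the "" key is the project itself.
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root, workspace links and bundled deps (nothing downloaded).
    if (path === "" || entry.link || entry.inBundle) continue;
    const name = path.split("node_modules/").pop();
    const resolved = entry.resolved || "";
    if (!entry.integrity) findings.push({ name, issue: "no-integrity", detail: resolved });
    if (resolved && !resolved.startsWith(registry)) findings.push({ name, issue: "non-registry-source", detail: resolved });
    // Install scripts run code on the developer or build machine at install time.
    if (entry.hasInstallScript) findings.push({ name, issue: "install-script", detail: entry.version });
  }
  return findings;
}

function auditProject(pkg, lock) {
  return [...auditManifest(pkg), ...auditLockfile(lock)];
}

// Constructed sample input (not real packages).
const samplePkg = {
  dependencies: { "left-example": "1.4.2", "fast-widget": "^2.1.0" },
  devDependencies: { "build-helper": "latest" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-site", version: "1.0.0" },
    "node_modules/left-example": { version: "1.4.2", resolved: REGISTRY + "left-example/-/left-example-1.4.2.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/fast-widget": { version: "2.1.3", resolved: REGISTRY + "fast-widget/-/fast-widget-2.1.3.tgz", integrity: "sha512-CONSTRUCTED", hasInstallScript: true },
    "node_modules/build-helper": { version: "0.9.0", resolved: "git+ssh://git@example.invalid/build-helper.git" },
  },
};

for (const f of auditProject(samplePkg, sampleLock)) {
  console.log(`${f.issue.padEnd(20)} ${f.name}  ${f.detail}`);
}
```

A finding is a prompt for review rather than proof of compromise: many legitimate packages ship install scripts, so the useful signal is a new one appearing in a lockfile diff.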
Sources: The Hacker News June 5 npm supply-chain coverage and BleepingComputer: New IronWorm malware hits 36 packages in npm supply-chain attack.
6. A Critical WordPress Form-Plugin Flaw Is Being Exploited
Website owners also have a WordPress-specific item today. The Hacker News reported June 5 that attackers are actively exploiting CVE-2026-3300, a critical remote-code-execution flaw in Everest Forms Pro. The report says the issue affects versions up to and including 1.9.12, with a patch released in version 1.9.13 on March 18, 2026. The plugin has about 4,000 active installations, so this is not a “whole internet” problem, but for an affected site it is serious.
The practical risk is complete site compromise. A vulnerable form plugin can become an entry point even if the rest of the site looks normal to visitors. Attackers often use plugin flaws to create admin accounts, drop web shells, inject spam, redirect visitors, skim payment pages, or use the site as infrastructure for other attacks.
Local-business takeaway: do not only update WordPress core. Review plugins, themes, abandoned add-ons, form builders, page builders, ecommerce extensions, backup plugins, and security plugins. Remove anything unused. For business sites, keep a list of who is responsible for plugin updates and how often they are checked. If a critical plugin is patched months before active exploitation becomes public, your update process should catch that before attackers do.
Small site checklist: confirm plugin versions, remove inactive plugins, check for unknown admin users, review recently modified files, verify backups, and ask your host whether web application firewall rules are in place for known exploited plugin flaws.
Source: The Hacker News June 5 WordPress plugin exploitation coverage.
7. Brave Origin Is A Useful Browser-Choice Story, With A Buying Caution
Not every story today is a breach or zero-day. Brave released Brave Origin, a paid minimalist version of its browser that removes cryptocurrency, AI, rewards, VPN, and other monetization-focused extras. BleepingComputer described it as a paid, bloat-free browsing experience, while other coverage noted the one-time $59.99 price and the criticism that many of the same features can be hidden or disabled in the free browser.
This is good news in one narrow way: users are asking for simpler software. A browser is now the work surface for email, banking, accounting, school portals, customer records, Microsoft 365, Google Workspace, cloud storage, password managers, AI tools, and remote support. Fewer distractions and fewer bundled services can be a real advantage, especially for work computers.
The buying caution is just as important. Do not buy a browser because it sounds “secure” without checking the basics. A safer browser setup still needs automatic updates, a good password manager, MFA on important accounts, limited extensions, safe DNS if appropriate, and a clear policy for work versus personal profiles. Paying for a stripped-down browser does not replace those fundamentals.
Local-business takeaway: browser standardization is worth discussing. Small businesses should decide which browsers are supported, which extensions are allowed, how password saving is handled, and how personal browsing is separated from work accounts. Browser clutter is not just annoyance; it can become an account-security and support problem.
Sources: BleepingComputer: Brave Software releases Origin, Digital Trends: Brave Origin pricing and feature discussion, and Thurrott: Brave releases paid Origin version.
Today’s Practical Checklist
- If you use SolarWinds Serv-U: verify whether CVE-2026-28318 applies, install the current hotfix, and check whether the service is directly exposed to the internet.
- If you use Cisco SD-WAN: ask your provider about CVE-2026-20245, CVE-2026-20182, and CVE-2026-20127, then review admin accounts and management-plane exposure.
- If you own fuel, chemical, generator, or fleet tank systems: confirm whether any automatic tank gauge is internet-accessible, and move remote access behind safer controls.
- If you use Microsoft 365: review sign-ins, MFA, admin accounts, Conditional Access, connected apps, mailbox rules, and MSP/vendor access.
- If you develop or pay someone to develop software: ask about dependency scanning, package pinning, build-system secrets, and key rotation after suspicious package events.
- If you run WordPress: patch or remove vulnerable form plugins, check for unknown admin users, and make plugin updates part of routine maintenance.
- If browser clutter is hurting productivity or security: standardize browsers, limit extensions, separate work profiles, and decide whether paid minimalist options are worth the cost.
Quick FAQ
Do home users need to worry about SolarWinds Serv-U or Cisco SD-WAN?
Usually no. Those are business and infrastructure products. The home-user lesson is to avoid exposing remote-access tools, file-sharing services, NAS devices, and admin panels directly to the internet unless there is a strong reason and proper protection.
Why should a small business care about npm malware?
Because small businesses often depend on custom websites, ecommerce add-ons, dashboards, and automation scripts maintained by developers or vendors. A poisoned developer package can expose credentials or source code even if attackers never touch the live website directly.
What is the fastest win from today’s news?
Make a short list of internet-facing systems: firewall, VPN, remote desktop, file transfer, phone system, camera system, building controls, tank gauges, websites, and cloud admin portals. Then assign an owner to each one. Unknown ownership is where patching and access review usually fail.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- NVD: CVE-2026-28318
- SolarWinds: CVE-2026-28318 advisory
- Canadian Centre for Cyber Security: SolarWinds advisory AV26-549
- BleepingComputer: Cisco SD-WAN zero-day exploited in attacks
- Cisco Catalyst SD-WAN remediation guidance
- NSA: Guidance on hardening automatic tank gauge systems
- BleepingComputer: Over 900 U.S. gas station tank gauge systems exposed
- BleepingComputer: Chinese APT deploys new malware to keep access
- The Hacker News June 5 security coverage
- BleepingComputer: IronWorm npm supply-chain attack
- BleepingComputer: Brave Origin release