Arista EOS CVE-2025-5088 - EU Advisory Burst Widens the Owner Assignment Queue
Finding 1: Arista EOS CVE-2025-5088 and CVE-2024-27889 clusters need network-owner assignment
Confidence: Low
Two Arista EOS advisory clusters entered today's intelligence from BSI/CERT-Bund. WID-SEC-2025-2639 covers CVE-2025-5088, CVE-2025-5089, CVE-2025-5090, and CVE-2025-8873. A separate advisory, WID-SEC-2024-0489, covers CVE-2024-27889 and CVE-2024-27892, and the current brief describes code-execution impact for that second cluster.
Keep the two queues separate. They point to the same product family, but the advisory IDs and CVE sets differ. Network teams should map EOS exposure, confirm versions, and record vendor-supported update or mitigation status before any severity language is raised.
Action: Ask network owners for EOS inventory, exposed management or routing-plane paths, affected version status, and planned update or mitigation evidence.
Sources: BSI/CERT-Bund advisories WID-SEC-2025-2639 and WID-SEC-2024-0489.
Finding 2: Keycloak, BigBlueButton, FRRouting, HTTP/2, and MISP expand the EU patch-routing queue
Confidence: Low
The BSI/CERT-Bund feed also added Keycloak CVE-2026-7500, BigBlueButton CVE-2026-46355, FRRouting CVE-2026-37460, HTTP/2 CVE-2026-49975, and MISP CVE-2026-10854. The common action is not a generic patch blast. Each item belongs to a different operational owner: IAM, collaboration, network availability, edge services, and security operations.
Keycloak deserves an IAM-first route, especially for internet-facing or administrator realms. BigBlueButton should go to collaboration and education-platform owners. FRRouting belongs with network availability teams. HTTP/2 needs edge-service mapping across reverse proxies and application platforms. MISP should not lag just because it is defensive infrastructure.
Action: Split the queue by owner and ask each team for asset match, affected version, patch availability, and exposure status.
Sources: BSI/CERT-Bund advisories WID-SEC-2026-1330, WID-SEC-2026-1804, WID-SEC-2026-1795, WID-SEC-2026-1791, and WID-SEC-2026-1800.
Finding 3: DbGate, Twig, TinyMCE, and Bugsink create a developer-platform patch queue
Confidence: Low
GitHub Security Advisories added several application and dependency items. DbGate includes CVE-2026-47668, CVE-2026-47669, CVE-2026-47670, and CVE-2026-48017. Twig includes CVE-2026-47732, CVE-2026-24425, and CVE-2026-47730. TinyMCE includes CVE-2026-47759, CVE-2026-47760, CVE-2026-47761, and CVE-2026-47762. Bugsink includes CVE-2026-47715, CVE-2026-47716, and CVE-2026-47728.
The useful cut is by exposure path. DbGate matters most where self-hosted database-admin tooling is reachable or where JSON Script Runner and archive paths are enabled. Twig should be checked where tenant-controlled templates, CMS plugins, or admin/developer consoles use Symfony or Twig. TinyMCE belongs in rich-text editor workflows that process customer or tenant content. Bugsink needs attention where self-hosted error tracking is used by multiple teams or projects.
Action: Match each advisory cluster against SBOMs, repos, containers, and self-hosted admin tools. Disable risky DbGate script or archive paths until fixed where exposure is confirmed.
Sources: GitHub Security Advisories GHSA-8v3q-9vmx-36vc, GHSA-h535-j5hr-mv56, GHSA-pr2w-4gpj-cpq4, GHSA-2q52-x2ff-qgfr, GHSA-q742-qvgc-gc2f, GHSA-mh5m-5hw4-5c69, GHSA-vx2f-6m6h-9frf, and GHSA-g5vc-q7qc-v939.
Finding 4: Cisco SD-WAN, Everest Forms Pro, and SolarWinds Serv-U are exposure-review triggers, not confirmed escalation items
Confidence: Low
Three exploitation-oriented reports are visible but remain low-confidence in this intelligence. The Register reports a Cisco SD-WAN zero-day under attack, with no CVE assigned and no patch in the current report. The Hacker News reports active exploitation of Everest Forms Pro CVE-2026-3300. BleepingComputer reports a CISA warning that attackers are exploiting a recently patched SolarWinds Serv-U flaw to crash servers.
All three should be handled carefully. Cisco SD-WAN should trigger a management and control-plane exposure review whilst teams wait for Cisco or CISA advisory mapping. Everest Forms Pro should trigger a WordPress estate check, but P0 escalation should wait for stronger vendor, CISA, or Wordfence corroboration. SolarWinds Serv-U should trigger an exposure and patch-status review for internet-facing file-transfer services, without broadening the claim beyond reported crash exploitation.
Action: Identify internet-facing Cisco SD-WAN management or control-plane assets, check WordPress estates for Everest Forms Pro, and confirm whether SolarWinds Serv-U instances are exposed and patched. Keep all three in watch status until higher-authority corroboration appears.
Sources: The Register Cisco SD-WAN report, The Hacker News Everest Forms Pro CVE-2026-3300 report, and BleepingComputer SolarWinds Serv-U/CISA warning report.
Finding 5: Mandiant law-firm campaign and Hola Browser compromise need targeted monitoring and endpoint hygiene
Confidence: Low
Mandiant reports a targeted campaign against US law firms, tracked in the current intelligence under the names UNC3753, Luna Moth, Chatty Spider, or Silent Ransom Group. The brief keeps this LOW / UNVERIFIED for this corpus, so the immediate value is to extract indicators and TTPs into a legal-sector watch pack before proposing detection engineering.
BleepingComputer also reports Hola Browser for Windows was compromised to deliver a cryptominer. That is an endpoint-hygiene item. Teams should inventory managed endpoints for Hola Browser for Windows, remove unapproved installs, and validate hashes or install source where an exception exists.
Action: Build a legal-sector watch pack from the Mandiant report and run an endpoint inventory query for Hola Browser for Windows.
Sources: Google Cloud Mandiant law-firm campaign report and BleepingComputer Hola Browser for Windows compromise report.
Finding 6: UPDATE: IronWorm/Miasma npm cluster expands to 50+ poisoned packages
Confidence: Medium
Previously covered 05 June 2026; today's delta: the scope expanded from the prior 36-package IronWorm item to a broader 50+ package IronWorm/Miasma npm cluster.
This is the one material update in today's intelligence. BleepingComputer and The Hacker News reporting now put the cluster above 50 poisoned npm packages and add the Miasma variant to the same supply-chain queue.
Treat this as package exposure work, not a blanket compromise claim. Search lockfiles, npm caches, developer endpoints, and CI build logs as package lists become available. Rotate tokens where malicious package installation is confirmed. Avoid unnecessary token churn where there is no install evidence.
Action: Send the updated IronWorm/Miasma package list to application security, developer platform, and CI owners. Ask for evidence of matching installs, cache hits, and token exposure before declaring incident scope.
Sources: BleepingComputer IronWorm npm report and The Hacker News IronWorm/Miasma report.
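The lockfile search described in this finding, as an added example that is not part of the original brief or of any vendor tooling. It matches a parsed package-lock.json against an indicator list and reports where each hit is installed; the package names, versions, and the indicator-list shape are constructed placeholders, not real IronWorm/Miasma indicators.

```javascript
// Constructed indicator list (placeholder names, not real IronWorm/Miasma packages):
// name -> list of bad versions, or '*' when every version is poisoned.
const SAMPLE_INDICATORS = {
  'example-poisoned-pkg': ['1.4.2'],
  '@example-scope/poisoned-util': '*',
};

// Constructed package-lock.json (lockfileVersion 3): one clean entry, two matches.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-poisoned-pkg': { version: '1.4.1' },
    'node_modules/left/node_modules/example-poisoned-pkg': { version: '1.4.2' },
    'node_modules/@example-scope/poisoned-util': { version: '0.3.0' },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"; null for root or workspace keys.
function nameFromPath(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? null : key.slice(i + 'node_modules/'.length);
}

function isBad(indicators, name, version) {
  if (!Object.prototype.hasOwnProperty.call(indicators, name)) return false;
  const bad = indicators[name];
  return bad === '*' || bad.includes(version);
}

// Returns [{ name, version, location }] for every locked entry on the indicator list.
function findPoisoned(lock, indicators) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(key); // an explicit name field wins over the folder name
    if (name && isBad(indicators, name, meta.version)) hits.push({ name, version: meta.version, location: key });
  }
  // lockfileVersion 1: nested "dependencies" tree (v2 repeats it, so skip when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const location = trail ? `${trail} > ${name}` : name;
      if (isBad(indicators, name, meta.version)) hits.push({ name, version: meta.version, location });
      walk(meta.dependencies, location);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}
```

A hit shows the package was resolved into the lockfile; install evidence from npm caches, developer endpoints, or CI logs is still needed before rotating tokens.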
Why This Matters
Today's brief is a routing problem. The signal is spread across network infrastructure, IAM, collaboration platforms, developer dependencies, edge services, legal-sector monitoring, and endpoint hygiene. Most items are single-source or feed-level, so accuracy depends on exposure proof.
The safest order is simple: send Arista EOS and the wider BSI/CERT-Bund queue to the correct owners, run SBOM and dependency checks for the GitHub advisory clusters, keep low-corroboration exploitation reports in watch status, and treat IronWorm/Miasma as a scope expansion that needs package-level evidence.
Recommended Actions
- P1: Route Arista EOS WID-SEC-2025-2639 and WID-SEC-2024-0489 to network owners for asset, version, exposure, and patch-status checks.
- P1: Assign Keycloak, BigBlueButton, FRRouting, HTTP/2, and MISP advisories to IAM, collaboration, network, edge-service, and security-ops owners.
- P1: Search lockfiles, npm caches, developer endpoints, and CI logs for IronWorm/Miasma package indicators as validated lists become available.
- P2: Match DbGate, Twig, TinyMCE, and Bugsink advisories against SBOMs, repositories, containers, and self-hosted services.
- P2: Treat Cisco SD-WAN and Everest Forms Pro as exposure-review items until stronger vendor or government corroboration appears.
- P2: Build a law-firm campaign watch pack and remove unapproved Hola Browser for Windows installs from managed endpoints.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 06 June 2026.