Cybersecurity News Digest — July 12, 2026

This week's cybersecurity roundup: a DHS platform breach, a Dutch telecom hack traced to an insider, six new U-Boot bootloader flaws, a critical Zimbra XSS bug, and two fresh CISA KEV additions.

Since our last update, the headline theme has shifted from opportunistic exploitation to trusted-access abuse: a federal information-sharing platform breached without a clear entry point, a telecom hack traced back to a Dutch-speaking caller posing as IT support, and state-linked groups quietly working inside police infrastructure for months. Here’s what changed.

Breaches at trusted infrastructure

  • DHS Homeland Security Information Network (HSIN) — The Department of Homeland Security confirmed hackers breached HSIN, the platform federal, state, local, and private-sector partners use to coordinate security operations, along with an internal SharePoint collaboration system. The intrusion is believed to have started between late May and early June and wasn’t publicly confirmed until July 1–2. DHS says classified systems weren’t touched and hasn’t attributed the attack, but the timing — during U.S. coordination of World Cup security — raises the stakes on what may have been exposed about interagency planning. BleepingComputer, July 2026
  • Odido (Netherlands) — Dutch police now have “strong indications” that Dutch-based hackers, not a foreign group, were behind February’s breach of 6.2 million Odido telecom customers. Investigators traced the intrusion to a phone call: a Dutch-speaking caller posed as an Odido IT employee to social-engineer a support agent, then used that foothold to reach the customer contact system. Exposed data spans names, addresses, phone numbers, email addresses, IBANs, and national ID details. BleepingComputer · NL Times

Neither incident started with a software exploit — both hinge on someone getting an already-authorized person or system to act on their behalf. Vishing and helpdesk pretexting keep working because they route around patch management entirely.

Newly added to CISA’s Known Exploited Vulnerabilities catalog

  • iCagenda unrestricted file upload (CVE-2026-48939) — Lets an attacker abuse the file attachment feature to upload and execute arbitrary PHP.
  • Balbooa Forms unrestricted file upload (CVE-2026-56291) — Unauthenticated arbitrary file upload leading to full remote code execution.

Both were added to KEV on July 10 based on confirmed in-the-wild exploitation. CISA

Patch priorities: Zimbra and U-Boot

  • Zimbra Classic Web Client stored XSS — Zimbra shipped version 10.1.19 on July 7 to fix a stored cross-site scripting flaw that lets a specially crafted email run malicious script in a victim’s session — enough to steal session data, account settings, or mailbox contents just by having the message opened. The bug was reported by Google’s Threat Analysis Group, which typically flags issues already being used by state-backed actors, and hasn’t yet been assigned a CVE. Any org still on the Classic Web Client should treat this as a same-week patch. BleepingComputer · Security Affairs
  • Six new U-Boot bootloader flaws — Researchers at Binarly (BRLY-2026-037 through 042) found six flaws in U-Boot’s firmware image signature verification — two enable code execution, four can crash a device — all reachable before the bootloader ever checks a signature. Most of the vulnerable code has shipped since 2013 across 50+ stable releases and countless vendor firmwares built on top of it. Patches merged upstream in June, but v2026.07 had already code-frozen and shipped without them; the next release isn’t due until October, so affected vendors need to backport manually. The Hacker News · Security Affairs

Nation-state watch: dual espionage against Pakistani police

SentinelLabs published research showing suspected China- and India-nexus threat actors have been separately, and simultaneously, inside several Pakistani law enforcement networks since February 2024, with activity continuing into April 2026. The Balochistan Police took the brunt of it, alongside Khyber Pakhtunkhwa police, Islamabad police, and the Punjab Safe Cities Authority, which runs regional surveillance systems. The China-nexus cluster leans on PlugX, ShadowPad, and Cobalt Strike; the India-nexus activity centers on Remcos RAT. Compromised systems reportedly included servers hosting biometric records, national-ID-linked hotel and tenant registrations, criminal case files, and personnel data — both operators apparently going after the same target set for different reasons, without any apparent coordination between them. The Hacker News · SentinelOne

Final thought

Three of this week’s five stories didn’t need a CVE at all — a phone call, stolen credentials, and long-dwelling access accounted for a federal platform breach, a 6.2-million-record telecom hack, and a multi-year espionage campaign inside police infrastructure. Vulnerability management still matters (patch Zimbra and check your U-Boot-based firmware), but detection has to cover identity and access abuse just as seriously as it covers CVEs. If you want a second opinion on whether your current logging would actually catch a social-engineered helpdesk reset or an access pattern that shouldn’t be there, see our Zero Trust implementation guide or book a discovery call.