MAGNET S2 WEEKLY SNAPSHOT – 260628-1200z

Download a PDF version of this report

MAGNET S2 WEEKLY SNAPSHOT — 260628-1200Z

MAGNET S2

Weekly OSINT Intelligence Snapshot

DTG: 260628-1200Z │ Reporting Period: 21–28 June 2026 │ United States Focus

www.magnethf.com

MAGCON STATUS

MAGCON

LEVEL 3

ELEVATED

MAGCON HOLDS AT LEVEL 3 – ELEVATED. TRENDING WORSENING. The MOU signed 18 June 2026 is under severe operational stress. This week saw the most significant post-MOU escalation: Iranian one-way attack drones struck Singapore-flagged M/V Ever Lovely (June 25) and Panama-flagged M/T Kiku (June 27) in the Strait of Hormuz. US CENTCOM launched retaliatory strikes on Iranian military infrastructure on June 26 and June 27 — the first US strikes on Iran since the MOU was signed. Iran then launched drone and missile attacks on Bahrain and Kuwait (June 27–28). Trump threatened Iran’s non-existence on Truth Social. Iran’s IRGC threatened a “complete halt to all diplomatic processes.” Despite this, CENTCOM reports commercial vessel transits through Hormuz continue under US escort, and JMIC widened a transit lane near Oman on June 27. A new US–Israel–Lebanon framework agreement was signed by Rubio on June 26 in Washington — but Hezbollah called it “null and void,” rejected it, and protests erupted in Beirut. NEW KEV CRITICAL DEADLINES TODAY: Cisco UCM CVE-2026-20230 (CVSS 8.6, SSRF-to-root) and PTC Windchill/FlexPLM CVE-2026-12569 (deserialization RCE) — both BOD 26-04 deadlines June 28. PASSED: Ubiquiti UniFi OS (3 × CVSS 10.0) and Lantronix EDS5000 (deadline June 26). Delaney Hall 37+ day hunger/labor strike; Father’s Day vigil disrupted by vehicle strike June 22. FIFA World Cup enters Week 3; July 4th convergence window approaching.

TREND VS LAST WEEK: WORSENING — MOU UNDER FIRE / US–IRAN EXCHANGE OF STRIKES / BAHRAIN & KUWAIT TARGETED / DUAL KEV DEADLINE TODAY / HORMUZ TRANSIT CONTESTED / LEBANON FRAMEWORK DISPUTED

PRIMARY RISK DRIVERS

NEW — CRITICAL ESCALATION — US–Iran Exchange of Strikes in Hormuz (June 25–27): Iranian drones struck M/V Ever Lovely (June 25) and M/T Kiku (June 27). CENTCOM struck Iran June 26 and June 27 (10 targets). Iran struck Bahrain (June 27) and Kuwait (June 27–28). Trump threatened Iran’s non-existence. IRGC threatened halt to all diplomatic processes. Commercial transits continue under CENTCOM escort.
Israel–Lebanon Framework Agreement SIGNED (June 26, Washington): Rubio signed trilateral framework with Israeli and Lebanese ambassadors. Ceasefire contingent on Hezbollah complete cessation and disarmament. Does NOT mandate Israeli withdrawal from occupied southern Lebanon. Hezbollah: “null and void.” Fighting continued June 27–28.
US–Iran Hormuz Communications Line Established (June 26): Iran and US established direct communications line to prevent further incidents — hours after Iran struck Ever Lovely. Switzerland roadmap and Lebanon de-confliction cell agreed (June 21–23); now under stress from June 25–27 exchanges.
JMIC Widened Hormuz Transit Route (June 27): US Navy JMIC announced widened route near Oman — direct challenge to Iran’s sole routing authority claim. Iran insists only its designated coastal route is authorized. Oman’s IMO-coordinated lanes also rejected by Iran.
NEW KEV — Cisco UCM CVE-2026-20230 — DEADLINE TODAY (June 28): CISA added June 25. SSRF via WebDialer → unauthenticated file write → root escalation. CVSS 8.6, Cisco-rated CRITICAL. Active exploitation confirmed by Defused (June 21 week). Apply cisco-sa-cucm-ssrf-cXPnHcW. Disable WebDialer if patch unavailable.
NEW KEV — PTC Windchill/FlexPLM CVE-2026-12569 — DEADLINE TODAY (June 28): CISA added June 25. Deserialization RCE in industrial PLM. Manufacturing, aerospace, automotive, defense sectors. All versions through 11.0 and 11.1–13.0 branches. Apply PTC advisory CS473270 immediately.
PASSED — Ubiquiti UniFi OS × 3 CVSS 10.0 + Lantronix EDS5000 (Deadline June 26): Four BOD 26-04 deadlines passed. Three Ubiquiti CVEs confirmed exploited by CISA and NCSC Netherlands. Treat unpatched as compromised; rotate credentials immediately.
GCC Statement — Iran Deal Must Address Missile Capability (June 26): GCC foreign ministers declared any final Iran deal must limit ballistic missile capability — not addressed in current MOU. External pressure on 60-day window.
US Senate War Powers Resolution Passed: First successful Senate passage of war powers resolution rebuking Trump during the Iran conflict. Growing congressional scrutiny as exchange of strikes resumes.
FIFA World Cup Week 3 / July 4th Window Approaching: Flashpoint (June 22) updated threat landscape: “dynamic.” Iran-themed protests at host cities. Round of 16 complete; Quarterfinals July 3–5 — maximum threat convergence with US 250th anniversary remains highest-risk window.
Delaney Hall — 37+ Days / Father’s Day Vigil Disrupted (June 22): Protester struck by vehicle (reportedly GEO Group employee); ICE deployed pepper spray. 50th ICE custody death under Trump (Georgian national, Winn Correctional LA). GAO Camp East Montana report: “significant, pervasive issues.”
Section 702 — STILL LAPSED: No emergency session, no executive order. SIGINT gap persists through active military exchange of strikes with Iran.

DELTA SUMMARY – CHANGES FROM LAST REPORT (260621-1200Z)

TOPIC	DELTA FROM 260621-1200Z	STATUS
Hormuz — US/Iran Exchange of Strikes (June 25–27)	CRITICAL NEW ESCALATION. Ever Lovely struck June 25. CENTCOM struck Iran June 26. Kiku struck June 27. CENTCOM struck Iran June 27 (10 targets). Iran struck Bahrain/Kuwait June 27–28. Trump threatened Iran’s non-existence. IRGC threatened halt to diplomacy. Transits continue under CENTCOM escort.	WORSENING / CRITICAL
JMIC Widened Hormuz Route (June 27)	NEW. US Navy JMIC widened Omani route — direct challenge to Iran’s sole routing authority. Iran contested immediately. Oman’s IMO lanes also rejected.	NEW / ONGOING
Israel–Lebanon Framework (June 26)	NEW. Rubio signed trilateral framework Washington. Hezbollah: “null and void.” Protests in Beirut. IDF retains full freedom of action. Fighting continued June 27–28.	NEW / CONTESTED
Switzerland / Islamabad Talks — Roadmap Agreed	IMPROVING then WORSENING. Roadmap agreed; de-confliction cell established; comms line June 26. Exchange of strikes puts framework under severe stress as of DTG.	IMPROVING THEN WORSENING
GCC Missile Demand / Senate War Powers	NEW. GCC: deal must limit missile capability. Senate passed war powers resolution — first success during conflict.	NEW
IAEA Nuclear Inspection Dispute	ONGOING. US and Iran dispute whether Iran agreed to IAEA inspectors at bombed nuclear sites. No confirmed access.	ONGOING / UNRESOLVED
CVE-2026-20230 Cisco UCM (KEV — TODAY)	NEW — CISA added June 25. SSRF-to-root via WebDialer. Active exploitation confirmed. BOD 26-04 deadline TODAY June 28.	NEW / CRITICAL
CVE-2026-12569 PTC Windchill/FlexPLM (KEV — TODAY)	NEW — CISA added June 25. Deserialization RCE in industrial PLM. Manufacturing/defense/aerospace. Deadline TODAY June 28.	NEW / CRITICAL
Ubiquiti UniFi OS ×3 + Lantronix EDS5000 (Deadline PASSED June 26)	PASSED. Four BOD 26-04 deadlines expired June 26. Three CVSS 10.0 Ubiquiti vulns confirmed exploited. Treat unpatched as compromised.	PASSED / CRITICAL
Splunk CVE-2026-20253 (Deadline PASSED June 21)	ONGOING. Deadline passed June 21. Unpatched orgs: assume exploitation. Rotate credentials, preserve logs.	PASSED / ONGOING
Fortinet “FortiBleed” — 70,000+ Compromised	NEW INTELLIGENCE. 70,000+ Fortinet firewalls confirmed compromised (June 26). Not formal CISA KEV. Patch; run IOC check; rotate VPN credentials.	NEW / HIGH
Delaney Hall — Father’s Day Vigil Disrupted	ESCALATING. June 22: protester struck by vehicle; ICE deployed pepper spray. 50th ICE custody death. GAO Camp East Montana: “significant, pervasive issues.” Strike 37+ days.	ONGOING / ESCALATING
FIFA World Cup — Week 3 / July 4 Approaching	ONGOING / ELEVATED. Flashpoint June 22: “dynamic” threat environment. Iran-themed protests at host cities. Round of 16 complete. July 4 window approaching.	ONGOING
Section 702 Lapse	ONGOING — NO CHANGE. Still lapsed. No session, no EO. SIGINT gap continues.	ONGOING / NO CHANGE
Check Point CVE-2026-50751 Qilin	ONGOING — NO CHANGE. Qilin ransomware exploitation continues. Run SmartConsole log search from 2026-05-07.	ONGOING
Microsoft Patch Tuesday CVEs	ONGOING — NO CHANGE. June 10 patches still required for unpatched systems.	ONGOING
GKN Garden Grove / Converse Reservoir	NO CHANGE. No arrest, no contamination results, no suspect or motive.	NO CHANGE
Canvas LMS Breach	STABLE — NO CHANGE. Phishing risk through mid-August.	NO CHANGE

NO CHANGE

MAGCON level holds at 3 – ELEVATED
Iranian APT cyber targeting of US ICS/OT remains active
Bab el-Mandeb / Red Sea threat stable at ELEVATED (Houthi posture unchanged; MOU does not address Houthi)
Panama Canal – ROUTINE, stable
CIRCIA mandatory cyber incident reporting rule finalization still pending
CISA CI Fortify initiative ongoing
Microsoft Exchange CVE-2026-42897 (XSS/OWA) — patch still required
Canvas LMS breach phishing risk ongoing through mid-August
GKN Aerospace Garden Grove criminal investigation — no new arrest or contamination results
Converse Reservoir IED (Mobile, AL) — FBI investigation ongoing, no suspect or motive

SECTOR THREAT LEVELS

SECTOR	LEVEL	NOTES
Terrorism / Extremism	ELEVATED	FIFA World Cup Week 3 active across 11 US host cities. Flashpoint (June 22): “dynamic” threat environment. ISIS propaganda targeting venues active. Iran-themed protests at host cities. July 4th convergence window (July 3–5) Quarterfinals — maximum threat window.
Cyber Activity	ELEVATED	DEADLINE TODAY: Cisco UCM CVE-2026-20230 (SSRF-root); PTC Windchill/FlexPLM CVE-2026-12569 (RCE). PASSED: Ubiquiti UniFi OS ×3 CVSS 10.0 + Lantronix (June 26). NEW: 70,000+ Fortinet firewalls compromised. Splunk CVE-2026-20253 deadline passed. Qilin/Check Point ongoing. cURL 18 vulns — update to 8.21.0.
Critical Infrastructure	ELEVATED	PTC Windchill/FlexPLM KEV directly targets manufacturing/defense PLM infrastructure. Ubiquiti CVSS 10.0 deadlines passed. Converse Reservoir IED ongoing. GKN Garden Grove active. Section 702 lapse creates surveillance gap during active strikes.
Energy / Fuel Sector	CRITICAL	Hormuz severely contested. M/V Ever Lovely (June 25) and M/T Kiku (June 27) struck by Iranian drones. US and Iran exchanged strikes June 26–27. IRGC threatened halt to diplomacy. JMIC widened Omani route — Iran contested. Commercial transits continue under CENTCOM escort. Brent price Monday open will signal market assessment. 54+ supertankers in Gulf backlog.
Education Sector	ELEVATED	Canvas breach phishing risk continues through mid-August. No new developments this cycle.
Civil Unrest	ELEVATED	ESCALATING. Delaney Hall 37+ day hunger/labor strike. Father’s Day vigil June 22: protester struck; ICE deployed pepper spray. 50th ICE custody death. GAO Camp East Montana: “significant, pervasive issues.” FIFA World Cup-related and Iran-themed protests at host cities.
Transportation Systems	CRITICAL	Hormuz under active drone attack threat. M/V Ever Lovely and M/T Kiku struck. JMIC widened route June 27 challenged by Iran. IMO sailor evacuation paused after Ever Lovely. FIFA World Cup travel surge stressing transit in 11 US host cities.
Supply Chain / Logistics	ELEVATED	Hormuz drone attacks threaten commercial supply chain routing. PTC Windchill RCE KEV targets manufacturing/defense supply chain management. Ubiquiti network device deadlines passed. Splunk SIEM compromise risk ongoing. 54+ supertanker backlog.
Food / Fertilizer Security	ELEVATED	Gulf shipping disruption persists. MOU at risk from exchange of strikes. WFP food insecurity warning active. Fertilizer/agricultural trade lane disruption ongoing.
Mass Gatherings / Public Safety	HIGH	FIFA World Cup Week 3 active. Flashpoint updated threat report June 22. Iran-themed protests at host cities. Round of 16 complete; Quarterfinals July 3–5 — maximum convergence with US 250th. Bahrain/Kuwait Iranian drone attacks may affect Iranian diaspora threat picture at US venues.

GLOBAL CHOKEPOINT WATCH

CHOKEPOINT	STATUS	ASSESSMENT
Strait of Hormuz	CRITICAL / CONTESTED	M/V Ever Lovely struck June 25; M/T Kiku struck June 27. CENTCOM struck Iran June 26 and June 27. Iran struck Bahrain/Kuwait June 27–28. JMIC widened Omani route June 27 — Iran rejected it. Commercial transits continue under CENTCOM escort. DO NOT route independently without TRANSCOM coordination. Mine clearance ongoing. Iran insists its coastal route is the only authorized lane.
Bab el-Mandeb / Red Sea	ELEVATED	Stable. Houthi threat posture unchanged. MOU does not address Houthi. No significant new incidents this cycle.
Panama Canal	ROUTINE	Stable. Normal operations.
Strait of Malacca	ELEVATED	SE Asia energy stress from Hormuz closure persists. Monitoring regional reactions to exchange of strikes. Stable but watching for escalation.
Bahrain — NSA Bahrain (US Base)	HIGH	NEW. Iran’s IRGC struck Bahrain on June 27 with multiple drones — first direct Iranian strike on a US base host nation since MOU signing. Bahrain condemned attack. US reported no assets hit. Monitor for follow-on incidents.
Kuwait — Air Bases	ELEVATED	NEW. Iran claimed attacks on US-linked targets in Kuwait June 27–28. Severity unconfirmed. Monitor for follow-on incidents.

KEY INCIDENTS

US–IRAN EXCHANGE OF STRIKES IN STRAIT OF HORMUZ (JUNE 25–27, 2026)

The most significant post-MOU military escalation occurred June 25–27 when Iran launched one-way attack drones at commercial vessels in the Strait of Hormuz, triggering US retaliatory strikes on Iranian military infrastructure for the first time since the MOU was signed on June 18.

June 25: A suspected Iranian drone struck the Singapore-flagged M/V Ever Lovely while the vessel was exiting the Strait along the Omani coast. The ship sustained damage but was able to continue. Trump posted to Truth Social: “Obviously, this is a foolish violation of our Ceasefire Agreement.”

June 26: CENTCOM launched strikes on Iranian missile and drone storage locations and coastal radar sites in response to the Ever Lovely attack. CENTCOM stated Iran was then “given a chance to honor the ceasefire agreement but elected not to.”

June 27: Iran launched a one-way attack drone that struck the Panama-flagged oil tanker M/T Kiku (carrying crude oil for QatarEnergy) at 4:30 a.m. ET. Bridge damaged; all crew safe. CENTCOM then struck 10 Iranian military targets. UKMTO raised its Hormuz threat level from Moderate to Substantial.

June 27–28: Iran’s IRGC struck Bahrain with multiple drones (hosts NSA Bahrain US Navy facility) and claimed attacks on US-linked targets in Kuwait. Bahrain condemned the attacks as “blatant violation of sovereignty.” US reported no assets hit. Iran’s IRGC warned attacks would result in “complete halt of all diplomatic processes.”

Assessment: CENTCOM states commercial vessel transits continue; US forces “vigilant, lethal, ready.” Iran FM Araghchi warned any routing outside Iran-designated lanes “will only lead to more complications and delays.” The MOU remains nominally in effect but is under severe strain. Monitor for any Iranian formal announcement of MOU suspension.

ISRAEL–LEBANON FRAMEWORK AGREEMENT SIGNED — HEZBOLLAH REJECTS (JUNE 26, 2026)

US Secretary of State Rubio announced on June 26 that Israel and Lebanon had reached a new framework agreement, signed in Washington by Israeli Ambassador Leiter and Lebanese Ambassador Hamadeh. Secretary Rubio called it a step toward “lasting peace and security.”

The framework calls for: a ceasefire contingent on complete cessation of Hezbollah operations; withdrawal of Hezbollah operatives from southern Lebanon; assumption of sovereign control by the Lebanese Armed Forces. Critically, the deal does NOT mandate Israeli military withdrawal from the approximately 20% of Lebanese territory currently occupied by the IDF — withdrawal is instead tied to Hezbollah disarmament, a condition Hezbollah has repeatedly rejected.

Hezbollah leader Naim Qassem called the deal “null and void” on June 26. Supporters blocked the Beirut airport road with burning tires. Israeli Defense Minister Katz confirmed IDF retains “full freedom of action” in Lebanon. Fighting continued: An Israeli drone struck Nabatieh al-Fawqa on June 27 — the day after signing.

Assessment: The Lebanon variable that has repeatedly blocked the broader US–Iran MOU implementation remains active. The MOU Clause 1 linkage (full termination of operations on all fronts including Lebanon) is not resolved by this framework.

DELANEY HALL — FATHER’S DAY VIGIL DISRUPTED / 50TH ICE CUSTODY DEATH (JUNE 22, 2026)

The hunger and labor strike inside Delaney Hall ICE detention facility in Newark, NJ has exceeded 37 continuous days. On June 22, a Father’s Day vigil outside Delaney Hall was disrupted when a vehicle reportedly operated by a GEO Group employee struck a female protester. ICE agents then deployed pepper spray and mace on the crowd.

Georgian national Mamuka Artmeladze, 43, died at Winn Correctional Center in Louisiana — marking the 50th death in ICE custody since Trump took office. The GAO released a report on Camp East Montana (Fort Bliss, El Paso), the largest ICE detention facility in the US, finding “significant, pervasive issues” with treatment including medical neglect, violent abuse, and failure to perform health assessments.

Operator guidance: Avoid Doremus Ave vicinity Newark during protest windows. Monitor for spread to other ICE facilities in NJ, NY, and adjacent states. Track court proceedings vs. GEO Group.

FIFA WORLD CUP 2026 — WEEK 3 / JULY 4 CONVERGENCE WINDOW APPROACHING

The 2026 FIFA World Cup enters Week 3 with Round of 16 concluded and Quarterfinals beginning July 3. Flashpoint published an updated threat landscape assessment on June 22 characterizing the environment as “dynamic,” spanning physical security, civil unrest, cyber threats, and geopolitical developments.

Protest activity in host cities has expanded to include Iran-themed geopolitical tensions, immigration enforcement, housing advocacy, and anti-FIFA sentiment. Iran’s IRGC strikes on Bahrain and Kuwait (June 27–28) add a new dimension to the threat picture for Iranian diaspora attending US host city venues.

CRITICAL UPCOMING WINDOW: July 3–5 — Quarterfinals in Dallas, Kansas City, Houston, Philadelphia, and New York City converge with US 250th Independence Day celebrations. MAGNET operator guidance: recommend MAGCON L2 HIGH for host-city operators on July 3–5 match days.

CYBER / INFRASTRUCTURE KEV BULLETIN

⚠ PATCH-IMMEDIATELY TABLE

CVE / SYSTEM	SEVERITY	ACTION REQUIRED
NEWCVE-2026-20230 Cisco Unified Communications Manager	CVSS 8.6 CRITICAL	KEV Deadline TODAY June 28. SSRF via WebDialer → unauthenticated file write → root escalation. Active exploitation confirmed by Defused (June 21 week). Patch since June 3 (cisco-sa-cucm-ssrf-cXPnHcW). Disable WebDialer if patch unavailable. Assume compromise if internet-exposed and unpatched.
NEWCVE-2026-12569 PTC Windchill PDMlink / FlexPLM	CRITICAL RCE	KEV Deadline TODAY June 28. Deserialization of untrusted data → unauthenticated RCE. Manufacturing, aerospace, automotive, defense PLM. All versions through 11.0; branches 11.1–13.0. Apply PTC advisory CS473270 immediately.
PASSEDCVE-2026-34908/34909/34910 Ubiquiti UniFi OS (×3)	CVSS 10.0 × 3	Federal deadline PASSED June 26. Command injection, improper access control, path traversal — all CVSS 10.0. Active exploitation confirmed (CISA, NCSC Netherlands). Apply Ubiquiti Security Advisory 064. Treat unpatched as compromised; rotate all credentials.
PASSEDCVE-2025-67038 Lantronix EDS5000	HIGH	Federal deadline PASSED June 26. Treat unpatched as compromised. Apply Lantronix advisory immediately.
PASSEDCVE-2026-20253 Splunk Enterprise PostgreSQL Sidecar	CVSS 9.8 CRITICAL	Deadline PASSED June 21. Pre-auth RCE. Public PoC on GitHub since June 13. Upgrade to 10.4.0, 10.2.4, or 10.0.7. Treat internet-exposed Splunk 10.0.x/10.2.x as compromised if unpatched.
CVE-2026-50751 Check Point Security Gateway	CVSS 9.3 CRITICAL	ONGOING / ESCALATED. Qilin ransomware affiliate confirmed. Run SmartConsole log search from 2026-05-07. Apply hotfix. Disable IKEv1 if hotfix cannot be applied immediately.
CVE-2026-47281 Windows Defender/VSCode “RoguePlanet”	CVSS 9.6	ONGOING — Patch Tuesday 10 June. Zero-day, actively exploited. Apply June 2026 Microsoft patches.
CVE-2026-45657 Windows Kernel (RCE)	CVSS 9.8 CRITICAL	ONGOING — Patch Tuesday 10 June. Zero-day, actively exploited. Use-after-free kernel RCE. Apply June 2026 Microsoft patches immediately.
PASSEDCVE-2026-8398 DAEMON Tools Lite	CVSS 9.3	Deadline PASSED June 17. Supply chain RCE. Update to v12.6.0.2445 or uninstall. Rotate all credentials. Treat unpatched as compromised.
PASSEDCVE-2026-48027 Nx Console (VS Extension)	CVSS 9.3	Deadline PASSED June 17. Malicious extension. Scan all developer workstations. Rotate credentials. Treat unpatched as compromised.
CVE-2026-42897 Microsoft Exchange Server	HIGH	ONGOING — XSS in OWA. Apply MSRC mitigations. Confirmed active exploitation.
NEW INTELFortinet “FortiBleed” (multiple CVEs)	HIGH–CRITICAL	NEW INTELLIGENCE — 70,000+ Fortinet firewalls confirmed compromised. Not a formal CISA KEV but intelligence-confirmed mass exploitation. Patch all Fortinet products; run IOC hunt; rotate all Fortinet VPN credentials immediately.
NEWcURL CVE-2026-8932 + 17 CVEs	HIGH	18 vulnerabilities in cURL patched, including a 25-year-old flaw. Update to cURL 8.21.0 across all systems. 20 billion device install base — enterprise-wide sweep required.

EMERGING INDICATORS

Watch: Hormuz — will Iran formally suspend the MOU? IRGC threatened “complete halt to all diplomatic processes” after June 27 CENTCOM strikes. Any formal MOU suspension announcement changes the strategic picture entirely.
Watch: Cisco UCM CVE-2026-20230 — Deadline TODAY. Unified CM deployments with WebDialer enabled: check web logs for unexpected HTTP requests, unusual file creation, and anomalous process execution post-exploitation.
Watch: PTC Windchill/FlexPLM CVE-2026-12569 — Deadline TODAY. Manufacturing and defense PLM: patch or mitigate immediately. Check for pre-patch compromise indicators in deserialization event logs.
Watch: Bahrain/Kuwait — follow-on Iranian strikes? First direct IRGC strikes on US-base host nations since MOU signing. Watch for escalation to direct US base targeting.
Watch: Lebanon ceasefire holding? Hezbollah rejected June 26 framework; fighting continued June 27–28. Major IDF operation or Hezbollah escalation could trigger Iran to formally suspend the MOU.
Watch: Oil markets Monday open. Exchange of strikes on Hormuz (Ever Lovely, Kiku) and Bahrain/Kuwait attacks will drive Brent price movement — market signal of MOU survivability assessment.
Watch: FIFA July 4th weekend (July 3–5). Quarterfinals in Dallas, KC, Houston, Philadelphia, NYC. Maximum threat convergence. Host-city MAGNET operators: recommend MAGCON L2 HIGH.
Watch: Ubiquiti UniFi OS — deadlines passed June 26 with confirmed active exploitation. Unpatched Ubiquiti infrastructure: assume compromise; begin incident response.
Watch: Fortinet “FortiBleed” — 70,000+ confirmed compromised. Fortinet firewall/VPN IOC check is urgent; credential rotation is now critical.
Watch: Iran IAEA inspection dispute. No confirmed IAEA access to bombed nuclear sites. Refusal signals unwillingness to fulfill MOU nuclear provisions.
Watch: Delaney Hall court proceedings. NJ AG and Newark Mayor suits active. Watch for any court order restricting facility operations or compelling independent health inspections.
Watch: Section 702 emergency session. SIGINT gap persists during active exchange of strikes. Watch for executive order or emergency Congress return.

VERIFIED STATUS

✓CONFIRMED Iranian one-way attack drone struck M/V Ever Lovely (Singapore-flagged) on June 25 in Strait of Hormuz per CENTCOM and Trump Truth Social. (CENTCOM, Fox News, NBC News — June 25–26, 2026)
✓CONFIRMED US CENTCOM launched retaliatory strikes on Iranian military targets June 26 and June 27 (10 targets June 27). (CENTCOM statement, CNN, RFE/RL — June 26–27, 2026)
✓CONFIRMED Iranian drone struck M/T Kiku (Panama-flagged, QatarEnergy oil) June 27; bridge damaged, crew safe. UKMTO confirmed. (CENTCOM, UKMTO, Times of Israel — June 27, 2026)
✓CONFIRMED Iran’s IRGC launched drone and missile attacks on Bahrain June 27. Bahrain’s Foreign Ministry condemned. US reported no assets hit. (RFE/RL, NPR, Bahrain FM — June 27–28, 2026)
✓CONFIRMED JMIC (US Navy) announced widened transit route near Oman June 27. (Wikipedia Hormuz crisis — June 27, 2026)
✓CONFIRMED US–Israel–Lebanon framework agreement signed June 26 by Rubio with Israeli and Lebanese ambassadors at State Department. (CNBC, Al Jazeera, Times of Israel — June 26, 2026)
✓CONFIRMED Hezbollah leader Qassem called framework “null and void” and rejected it June 26. Supporters protested in Beirut. (Al Jazeera — June 26–27, 2026)
✓CONFIRMED CVE-2026-20230 Cisco UCM SSRF added to CISA KEV June 25; BOD 26-04 deadline June 28. Active exploitation confirmed. (CISA, Bleeping Computer, The Hacker News — June 25, 2026)
✓CONFIRMED CVE-2026-12569 PTC Windchill/FlexPLM RCE added to CISA KEV June 25; BOD 26-04 deadline June 28. (CISA, Security Boulevard — June 25, 2026)
✓CONFIRMED Ubiquiti UniFi OS CVE-2026-34908/34909/34910 (3 × CVSS 10.0) and Lantronix EDS5000 — four BOD 26-04 deadlines passed June 26. Active exploitation confirmed. (CISA, threat-modeling.com — June 26, 2026)
✓CONFIRMED Father’s Day vigil outside Delaney Hall disrupted June 22: protester struck by vehicle; ICE deployed pepper spray. (Democracy Now! — June 22, 2026)
✓CONFIRMED Mamuka Artmeladze died at Winn Correctional Center LA — 50th ICE custody death under Trump. (Democracy Now! — June 9, 2026)
✓CONFIRMED GCC foreign ministers declared Iran deal must limit missile capability, June 26. US Senate passed war powers resolution — first success during conflict. (Wikipedia Iran-US negotiations, hormuzstraitmonitor.com — June 26, 2026)
✗NOT CONFIRMED Hormuz fully open under MOU terms. Commercial transits ongoing under CENTCOM escort but contested; Iran threatens to halt diplomacy as of DTG.
✗NOT CONFIRMED Lebanon/Hezbollah ceasefire holding. Hezbollah rejected June 26 framework; fighting continued June 27–28.
✗NOT CONFIRMED IAEA access to Iranian nuclear sites confirmed. US and Iran dispute whether Iran agreed to inspections.
✗NOT CONFIRMED Iran–US MOU still fully operational. IRGC threatened “complete halt to all diplomatic processes” as of DTG.
✗NOT CONFIRMED GKN Garden Grove groundwater contamination confirmed. Testing ongoing.
✗NOT CONFIRMED Converse Reservoir IED — suspect identified or motive confirmed. Investigation ongoing.

OPERATOR GUIDANCE

HORMUZ ACTIVE THREAT — COORDINATE WITH TRANSCOM (June 28): Iranian drones struck two commercial vessels June 25–27. CENTCOM conducted retaliatory strikes. Iran struck Bahrain/Kuwait June 27–28. DO NOT route commercial maritime through Hormuz without TRANSCOM coordination and current JMIC advisory. Use the widened Omani route per JMIC June 27 guidance — but verify Iran enforcement posture before transit.
CISCO UCM PATCH TODAY (CVE-2026-20230): KEV deadline TODAY June 28. Exploitation confirmed. Any Unified CM with WebDialer enabled is at immediate risk. Apply cisco-sa-cucm-ssrf-cXPnHcW NOW. If unavailable, disable WebDialer. Review logs for unexpected HTTP requests and unusual file creation since June 21. Assume compromise if internet-exposed and unpatched.
PTC WINDCHILL / FLEXPLM PATCH TODAY (CVE-2026-12569): KEV deadline TODAY June 28. Deserialization RCE in PLM software. Apply PTC advisory CS473270 immediately. Restrict PLM network access pending patch. Check deserialization event logs for pre-patch exploitation indicators.
UBIQUITI UNIFI OS — TREAT AS COMPROMISED (Deadlines PASSED June 26): Three CVSS 10.0 vulnerabilities with confirmed active exploitation. Deadlines passed. Assume compromise. Apply Security Advisory 064. Rotate all administrative credentials. Audit access logs from June 23 forward.
FORTINET — URGENT IOC CHECK: 70,000+ Fortinet firewalls confirmed compromised. Patch all Fortinet products; run IOC hunt on firewall/VPN logs; rotate all Fortinet VPN credentials and administrative accounts immediately.
FIFA WORLD CUP — HOST CITY OPERATORS (July 4 approaching): Quarterfinals begin July 3. Recommend MAGCON L2 HIGH on July 4th weekend match days (July 3–5) in Dallas, KC, Houston, Philadelphia, NYC. Maintain EMS and comms redundancy. Avoid vehicle traffic in venue perimeters during match windows. Iran-themed geopolitical tensions may heighten Iranian diaspora threat at US venues.
BAHRAIN / KUWAIT — REGIONAL OPERATORS: First direct IRGC strikes on US base host nations since MOU signing. Personnel in Bahrain and Kuwait: heighten force protection posture, review emergency procedures, monitor CENTCOM threat notifications closely.
DELANEY HALL / ICE FACILITIES — NJ/NORTHEAST OPERATORS: 37+ day strike ongoing. Vehicle strike on protester June 22 escalated tensions. Legal proceedings active. Avoid Doremus Ave vicinity Newark. Monitor for spread to other ICE facilities.
CHECK POINT VPN — FINAL CALL (CVE-2026-50751): Qilin ransomware actor confirmed. Run SmartConsole log search from 2026-05-07. Apply emergency hotfix. Disable IKEv1 if hotfix cannot be applied immediately.
GENERAL: Report cyber incidents to cisa.gov or IC3.gov; CI Fortify guidance at cisa.gov. Check magnethf.com/reports for any MAGNET S2 flash reports published since this snapshot.

SOURCE LIST

All sources open-source. Admiralty rating: letter = reliability, number = confidence (e.g. A1 = fully reliable, confirmed).

[1] [A2] NBC News — US–Iran exchange of strikes, Strait of Hormuz, June 25–27, 2026 — nbcnews.com
[2] [A1] CENTCOM — Strikes on Iranian military targets June 26–27, 2026 — centcom.mil
[3] [A1] Fox News Live — US Iran strikes, Bahrain/Kuwait attacks, June 26–27, 2026 — foxnews.com
[4] [A1] CBS News Live Updates — US–Iran war, Hormuz, peace deal, June 26–28, 2026 — cbsnews.com
[5] [A1] NPR — US and Iran exchange strikes, Bahrain/Kuwait attacks, June 28, 2026 — npr.org
[6] [A1] CNN — US launches additional Iran strikes, June 27, 2026 — cnn.com
[7] [B2] Wikipedia — 2026 Strait of Hormuz Crisis (updated June 28, 2026) — en.wikipedia.org
[8] [B2] Wikipedia — 2025–2026 Iran–United States Negotiations (updated June 28, 2026) — en.wikipedia.org
[9] [A1] RFE/RL — Iran launches drone/missile attacks on Bahrain, Kuwait, June 27–28, 2026 — rferl.org
[10] [A1] Times of Israel — June 27 live blog: Netanyahu, Lebanon, Kiku, Hormuz — timesofisrael.com
[11] [A2] CNBC — Israel and Lebanon reach framework agreement, June 26, 2026 — cnbc.com
[12] [A2] Al Jazeera — Israel–Lebanon deal: ceasefire tied to Hezbollah disarmament, June 27, 2026 — aljazeera.com
[13] [B2] Wikipedia — 2026 Israel–Lebanon ceasefire (updated June 28, 2026) — en.wikipedia.org
[14] [A1] CISA — Adds CVE-2026-20230 and CVE-2026-12569 to KEV Catalog, June 25, 2026 — cisa.gov
[15] [A1] Bleeping Computer — CISA urgent deadline to fix Cisco UCM flaw exploited in attacks, June 28, 2026 — bleepingcomputer.com
[16] [A1] The Hacker News — Cisco Unified CM Flaw Exploited, June 2026 — thehackernews.com
[17] [A2] Security Boulevard — CISA urgent deadline Cisco flaw, June 28, 2026 — securityboulevard.com
[18] [B2] Threat-Modeling.com — Vulnerability Intelligence Report June 26, 2026 — threat-modeling.com
[19] [A1] CISA.gov — Known Exploited Vulnerabilities Catalog — cisa.gov
[20] [B1] Democracy Now! — Delaney Hall vigil disrupted June 22, 2026 — democracynow.org
[21] [A2] ACLU — Delaney Hall hunger strike, ICE facilities nationwide, June 2026 — aclu.org
[22] [A2] Flashpoint — 2026 FIFA World Cup Threat Landscape (updated June 22, 2026) — flashpoint.io
[23] [A2] Dark Reading — 2026 FIFA World Cup Faces Surge in Cyber Threats, June 2026 — darkreading.com
[24] [B2] Hormuz Strait Monitor — Crisis Timeline (updated June 28, 2026) — hormuzstraitmonitor.com
[25] [A1] MAGNET S2 Report 260608-1600Z — FIFA World Cup 2026 Threat Assessment — magnethf.com

FLMSG / TERMINAL BULLETIN

BEG FLMSG
DE MAGNET S2 / DTG 260628-1200Z
SUBJ: WEEKLY OSINT SNAPSHOT // UNCLASSIFIED // OSINT
PERIOD: 21-28 JUN 2026 // MAGCON: L3 ELEVATED (WORSENING)

PRIORITY ITEMS:
1. US-IRAN EXCHANGE OF STRIKES 25-27 JUN. EVER LOVELY + KIKU STRUCK.
   CENTCOM STRUCK IRAN X2 (26+27 JUN). IRAN STRUCK BAHRAIN/KUWAIT 27-28 JUN.
   IRGC THREATENS HALT TO DIPLOMACY. TRANSITS CONTINUE UNDER CENTCOM ESCORT.
2. JMIC WIDENED HORMUZ ROUTE 27 JUN. IRAN CONTESTED. COORDINATING WITH
   TRANSCOM REQUIRED FOR ALL COMMERCIAL MARITIME ROUTING.
3. ISRAEL-LEBANON FRAMEWORK SIGNED 26 JUN (RUBIO). HEZBOLLAH: NULL AND VOID.
   FIGHTING CONTINUED 27-28 JUN. LEBANON VARIABLE REMAINS UNRESOLVED.
4. KEV DEADLINES TODAY 28 JUN:
   - CISCO UCM CVE-2026-20230 (SSRF-ROOT, ACTIVE EXPLOITATION). PATCH NOW.
   - PTC WINDCHILL/FLEXPLM CVE-2026-12569 (RCE, MANUFACTURING/DEFENSE). PATCH NOW.
5. UBIQUITI UNIFI OS x3 CVSS 10.0 + LANTRONIX EDS5000: DEADLINES PASSED
   26 JUN. TREAT UNPATCHED AS COMPROMISED.
6. FORTINET FORTIBLEED: 70K+ FIREWALLS CONFIRMED COMPROMISED.
   ROTATE CREDS. AUDIT NOW.
7. DELANEY HALL: 37+ DAYS. PROTESTER STRUCK BY VEHICLE 22 JUN.
   50TH ICE CUSTODY DEATH UNDER TRUMP.
8. FIFA WC WEEK 3. JULY 4 CONVERGENCE WINDOW (3-5 JUL) APPROACHING.
   RECOMMEND L2 HIGH HOST-CITY OPERATORS.
9. SECTION 702 STILL LAPSED.

REF: MAGNETHF.COM/REPORTS // NEXT DTG: 260705-1200Z
END FLMSG