MAGNET S2 WEEKLY SNAPSHOT – 2606014-1200z

Download PDF version of this report

MAGNET S2 WEEKLY SNAPSHOT — 260614-1200Z

MAGNET S2

Weekly OSINT Intelligence Snapshot

DTG: 260614-1200Z | Reporting Period: 7–14 June 2026 | United States Focus

www.magnethf.com

MAGCON STATUS

MAGCON

LEVEL 3

ELEVATED

MAGCON holds at Level 3 – ELEVATED. The dominant development this week is the Iran–US MOU reaching its closest point to signing since the conflict began — but remaining unsigned as of DTG. Iranian FM Araghchi declared on 12 June the deal has “never been closer”; Pakistan PM Sharif claimed on 13 June a final text was agreed and signing was within 24 hours; Qatari mediators flew to Tehran on 13–14 June to finalize terms. However, Iranian FM spokesman Baqaei stated 13 June signing would NOT occur on 14 June due to “hesitancy of the other side.” Today (14 June), Israel struck Hezbollah’s Dahiyeh district in Beirut — killing 3, wounding 7 — and Trump posted on Truth Social condemning the strikes and urging all sides to “stand down” and “not blow it.” Iran’s Khatam al-Anbiya military command threatened retaliation. Brent crude fell to ~$87/bbl on 12 June (lowest since early March) on deal optimism; AAA national gas average $4.074/gal as of 14 June (third consecutive week of decline). New CISA KEV additions: CVE-2026-7473 (Arista EOS), CVE-2026-11645 (Chromium V8 RCE), CVE-2026-20245 (Cisco SD-WAN Manager) — all added 9 June. Microsoft Patch Tuesday (10 June): 198 vulnerabilities, 3 zero-days including “RoguePlanet” Windows Defender SYSTEM escalation (CVSS 9.6, actively exploited). Delaney Hall protests now 23+ days continuous — 80+ total arrests; now the longest sustained ICE facility protest in recent US history. FIFA World Cup 2026 underway (opened 11 June) — MAGNET S2 published dedicated threat assessment 260608-1600Z.

TREND VS LAST WEEK: WORSENING — MOU UNSIGNED / BEIRUT STRIKES THREATEN DEAL TODAY / LEBANON BLOCKING VARIABLE ACTIVE IN REAL TIME / DELANEY HALL ESCALATING / PATCH TUESDAY 198 VULNS / ENERGY PRICES DECLINING ON DEAL OPTIMISM

PRIMARY RISK DRIVERS

Iran–US MOU — closest to signing in conflict history, still unsigned as of DTG (14 June): Iranian FM Araghchi (12 June): deal “never been closer.” Pakistan PM Sharif (13 June): final text agreed, signing within 24 hours. Qatari mediators flew to Tehran 13–14 June. Iranian FM Baqaei (13 June): NOT signing 14 June due to US “hesitancy.” Trump (14 June Truth Social): “we are very close to a Deal” — urged all sides to stand down. MOU draft terms (per Reuters, senior Iranian official): Iran opens Hormuz immediately; US lifts naval blockade in parallel; $25B in frozen Iranian assets released; oil sanctions waived; Iran agrees no new uranium enrichment and to dilute HEU stockpile inside country. Mechanism for HEU dilution still unresolved. Iran disputes US characterization of draft terms.
NEW — Israel strikes Beirut’s Dahiyeh district (14 June) — DIRECT THREAT TO MOU SIGNING: IDF struck a Hezbollah command center in Dahiyeh in response to Hezbollah launching 3 projectiles toward northern Israel. Lebanon Civil Defense: 3 killed, 7 wounded. First Beirut suburb strike since ceasefire renewal (12 June). Trump condemned strikes: “should not have happened, particularly on a special day when we are so close to a Peace Deal with Iran.” Iran’s Khatam al-Anbiya HQ threatened retaliation. Israel also issued forced displacement orders for 29 towns in southern Lebanon. Iran has explicitly conditioned Hormuz negotiations on Israeli restraint in Lebanon — today’s strikes place MOU signing in immediate jeopardy.
Energy — oil prices falling sharply on deal optimism: Brent crude ~$87/bbl (12 June) vs. $97.44/bbl (5 June) — lowest since early March, driven by MOU optimism. AAA national gas average $4.074/gal (14 June), down from $4.174/gal (7 June); three consecutive weeks of decline from $4.56 peak on 21 May. EIA June STEO: $105/bbl June–July average forecast assuming Hormuz stays closed near term. Today’s Beirut escalation may reverse oil price gains. Iran stated intent to charge a “service fee” (not toll) for Hormuz passage — ambiguity on post-MOU terms.
NEW — Microsoft June 2026 Patch Tuesday (10 June) — one of largest on record: 198 vulnerabilities patched. Three zero-days: CVE-2026-47281 “RoguePlanet” (Windows Defender/VSCode, CVSS 9.6, actively exploited, SYSTEM access); CVE-2026-45657 (Windows Kernel RCE, use-after-free, CVSS 9.8, actively exploited); CVE-2026-36891 (BitLocker security feature bypass). Apply immediately.
NEW — CISA KEV additions (9 June): CVE-2026-7473 Arista Extensible Operating System; CVE-2026-11645 Google Chromium V8 out-of-bounds RCE (sandbox escape, affects Chrome, Edge, Opera); CVE-2026-20245 Cisco Catalyst SD-WAN Manager. Federal deadlines apply. Additionally: CVE-2026-45247 Mirasvit Full Page Cache Warmer (Magento deserialization) added 3 June — deadline now passed.
NEW — Check Point VPN CVE-2026-50751 — large-scale exploitation imminent: IKEv1 authentication bypass confirmed actively exploited. Dutch NCSC warned of imminent large-scale abuse. Apply Check Point patches immediately; review VPN gateway logs for unauthorized remote access. KEV listing expected imminently.
KEV deadlines this week: TanStack CVE-2026-45321 federal deadline 10 June — NOW PASSED. DAEMON Tools CVE-2026-8398 and Nx Console CVE-2026-48027 federal deadline 17 June — IMMINENT. Organizations that have not audited package lock files and rotated credentials are at immediate risk.
Delaney Hall protests now 23+ days continuous — 80+ total arrests: Weekend of 7–8 June: 6 arrested including 2 repeat offenders (property damage, blocked entrance, vehicle climbers); 7th arrested for smashing vehicle windshields (Seattle man). Newark Police took control from state police at Doremus/Wilson Ave. Phoenix woman (Mariano Anthony Perez, 31) federally charged for assaulting HSI special agent on 5 June — announced 11 June by US Attorney. DHS Secretary Mullin condemned “rioters,” vowed ICE operations undeterred. Status: PERSISTENT — ESCALATING. Now longest sustained ICE facility protest in recent US history.
NEW — FIFA World Cup 2026 (opened 11 June): Tournament underway across 11 US host cities through 19 July. MAGNET S2 published dedicated threat assessment (260608-1600Z). Key threats: confirmed IED found near Kansas City fan zone (March 2026); Iran withdrew from tournament post-war; 400+ law enforcement agencies committed (creates emergency services degradation in all host cities); WHO PHEIC Ebola (Sudan strain) active concurrent with mass international travel. Host-city MAGNET operators: MAGCON recommend escalation to L2 HIGH on Quarterfinal, Semifinal, and Final match days.
Domestic — Section 702 lapsed (12 June): House rejected extension; Congress adjourned. FISA Section 702 authority expired. Significant domestic SIGINT/surveillance capability gap now active during active conflict and sensitive MOU negotiations. Watch for emergency legislative session or executive action.
Trump named Jay Clayton as DNI (12 June). Former SEC chair; intelligence community leadership change during active conflict and deal negotiations.
Previously reported — ongoing, no material change: GKN Aerospace Garden Grove (criminal investigation, environmental testing, civil suits — no new arrest or contamination results). Converse Reservoir IED (FBI investigation, no suspect or motive). Canvas LMS breach (phishing risk through mid-August). Iranian APT ICS/OT targeting remains active. CIRCIA finalization pending.

DELTA SUMMARY – CHANGES FROM LAST REPORT (260607-1200Z)

TOPIC	DELTA FROM 260607-1200Z
Iran–US MOU — Imminent But Unsigned	WORSENING / IMPROVING SIMULTANEOUSLY. Deal closer than any point in conflict history (FM Araghchi: “never closer”; Pakistan PM: within 24 hrs) but still unsigned. Qatari mediators now in Tehran alongside Pakistan channel. Trump (14 June): “very close.” Iranian FM Baqaei (13 June): NOT signing 14 June. MOU draft terms now partially public: Hormuz opens immediately; US lifts blockade in parallel; $25B assets; oil sanctions waived; no new enrichment; HEU dilution inside Iran. Mechanism for HEU dilution still unresolved. Iran disputes some US characterizations.
Lebanon / Beirut Strikes (14 June) — BREAKING	NEW — CRITICAL ESCALATION. IDF struck Hezbollah command center in Dahiyeh, Beirut on 14 June in response to Hezbollah projectiles toward northern Israel. 3 killed, 7 wounded (Lebanon Civil Defense). First Beirut suburb strike since 12 June ceasefire renewal. Trump condemned strikes as happening “on a special day when we are so close to a Peace Deal.” Iran’s Khatam al-Anbiya HQ threatened retaliation. Iran has explicitly conditioned Hormuz MOU progress on Israeli restraint in Lebanon — this event places MOU signing in direct jeopardy as of DTG.
Oil / Energy Prices	IMPROVING (Conditionally). Brent crude ~$87/bbl (12 June) vs. $97.44/bbl (5 June) — driven by deal optimism, lowest since early March. AAA gas $4.074/gal (14 June) vs. $4.174/gal (7 June); three consecutive weeks of decline. EIA June STEO: $105/bbl June–July average forecast. Today’s Beirut escalation may reverse oil price gains. Iran’s “service fee” language introduces ambiguity into post-MOU Hormuz terms.
CISA KEV — New Additions (9 June)	NEW — THREE NEW KEV ENTRIES. CVE-2026-7473 Arista EOS (9 June). CVE-2026-11645 Google Chromium V8 Out-of-Bounds RCE — sandbox escape affecting Chrome, Edge, Opera (9 June). CVE-2026-20245 Cisco Catalyst SD-WAN Manager (9 June). Apply vendor patches per federal deadlines. Also: CVE-2026-45247 Mirasvit Full Page Cache Warmer (Magento deserialization) added 3 June — deadline PASSED.
Microsoft Patch Tuesday (10 June)	NEW — MAJOR PATCH RELEASE. 198 vulnerabilities, one of largest Patch Tuesday releases on record. Three zero-days: CVE-2026-47281 “RoguePlanet” (Windows Defender/VSCode, CVSS 9.6, SYSTEM access, actively exploited); CVE-2026-45657 (Windows Kernel RCE, use-after-free, CVSS 9.8, actively exploited); CVE-2026-36891 (BitLocker bypass). This is the second Windows Defender zero-day this year. Apply immediately.
Check Point VPN CVE-2026-50751	NEW — ACTIVE EXPLOITATION. IKEv1 authentication bypass confirmed exploited. Dutch NCSC warned of imminent large-scale abuse ahead of expected CISA KEV deadline. Apply Check Point patches immediately; review VPN logs for unauthorized remote access sessions.
KEV Deadlines This Week	PASSED / IMMINENT. TanStack CVE-2026-45321 federal deadline 10 June — PASSED. DAEMON Tools CVE-2026-8398 and Nx Console CVE-2026-48027 deadline 17 June — IMMINENT. Audit all Node.js projects; rotate credentials from affected TanStack environments; audit developer workstations for DAEMON Tools / Nx Console indicators.
Delaney Hall Protests — 23+ Days	ONGOING — ESCALATING. Now 23+ continuous days; 80+ total arrests. Weekend 7–8 June: 6 arrests (property damage, blocking entrance, vehicle climbers); 7th (Seattle) for windshield smashing. Newark Police took over from state. Phoenix woman federally charged 11 June for assaulting HSI agent. DHS Secretary Mullin vowed ICE operations undeterred. NJ political battle with Gov. Sherrill intensifying. Now longest sustained ICE facility protest in recent US history.
FIFA World Cup 2026 (Opens 11 June)	NEW — ACTIVE THREAT WINDOW. Tournament underway; 11 US host cities through 19 July. MAGNET S2 published 260608-1600Z threat assessment. Confirmed IED at KC fan zone (March); Iran withdrew; 400+ LE agencies committed; WHO Ebola PHEIC active. Host-city operators: recommend MAGCON L2 HIGH on QF/SF/Final days.
Section 702 Lapsed (12 June)	NEW — DOMESTIC SIGINT GAP. House rejected extension; Congress adjourned. FISA Section 702 authority lapsed. Significant foreign intelligence surveillance capability gap during active conflict and sensitive negotiations. Watch for emergency session or executive action.
GKN Aerospace Garden Grove	ONGOING — NO CHANGE. Criminal investigation active, environmental testing ongoing, civil suits proceeding. No new arrest, no contamination results released as of DTG.
Converse Reservoir IED	ONGOING — NO ARREST. FBI investigation continues. No suspect, no confirmed motive.
Canvas LMS Breach	STABLE — NO CHANGE. Phishing risk from 275M records continues through mid-August window.

NO CHANGE:

MAGCON level holds at 3 – ELEVATED
Iranian APT cyber targeting of U.S. ICS/OT remains active
Bab el-Mandeb / Red Sea threat stable at ELEVATED (Houthi posture unchanged)
CIRCIA mandatory cyber incident reporting rule finalization still pending
CISA CI Fortify initiative ongoing
Microsoft Exchange CVE-2026-42897 (XSS/OWA) — patch still required
US naval blockade of Iranian ports remains in effect

SECTOR THREAT LEVELS

SECTOR	LEVEL	NOTES
Terrorism / Extremism	ELEVATED	FIFA World Cup 2026 now underway — 11 US host cities through 19 July. Confirmed IED near KC fan zone (March 2026) unresolved. 400+ LE agencies committed. Iran withdrew from tournament post-war. Lone-actor threat remains analytically significant for mass-gathering events.
Cyber Activity	ELEVATED	NEW: Microsoft Patch Tuesday 198 vulns / 3 zero-days (10 June). NEW: CISA KEV — Arista EOS, Chromium V8 RCE, Cisco SD-WAN Manager (9 June). Check Point VPN CVE-2026-50751 large-scale exploitation imminent. TanStack deadline PASSED 10 June. DAEMON Tools / Nx Console deadline 17 June IMMINENT.
Critical Infrastructure	ELEVATED	Converse Reservoir IED (Mobile, AL) investigation ongoing — no arrest. GKN Garden Grove long-tail active. SD-WAN overdue patches expose CI networks. Section 702 lapse creates domestic surveillance gap. Kuwait airport still recovering from 3 June drone strike.
Energy / Fuel Sector	HIGH	IMPROVING (conditionally). Brent ~$87/bbl (12 June) vs. $97.44 (5 June) on deal optimism. AAA gas $4.074/gal (14 June) — 3rd consecutive week of decline. EIA June STEO: $105/bbl June–July. Beirut strikes today may reverse gains. MOU unsigned; Hormuz effectively closed. Iran “service fee” ambiguity on Hormuz post-MOU terms.
Education Sector	ELEVATED	Canvas breach phishing risk continues through mid-August. No new developments.
Civil Unrest	ELEVATED	PERSISTENT / ESCALATING. Delaney Hall 23+ days; 80+ arrests. Newark Police assumed control from state. Federal charges active. DHS Secretary Mullin engaged. NJ political battle intensifying. Watch for spread to other ICE facilities.
Transportation Systems	ELEVATED	Hormuz effectively closed pending MOU signing AND mine clearance. Kuwait International Airport still in limited operations. FIFA World Cup travel surge creating airport/transit stress in 11 host cities. Iran “service fee” concept adds post-MOU uncertainty to maritime routing.
Supply Chain / Logistics	ELEVATED	Hormuz closure continues. Developer supply chain attacks (TanStack/DAEMON Tools/Nx Console) deadlines approaching/passed. UAE OPEC departure affects regional production estimates. Mine clearance required even after MOU signing.
Food / Fertilizer Security	ELEVATED	Gulf shipping disruption continues impacting fertilizer/agricultural trade lanes. Oil price decline on deal optimism provides conditional relief. WFP food insecurity warning still in effect if prices return to $100+/bbl.
Mass Gatherings / Public Safety	HIGH	NEW — FIFA World Cup 2026 creates unprecedented mass gathering threat window through 19 July. 11 US host cities; up to 4M+ international visitors. 400+ LE agencies committed creating EMS degradation. Ebola WHO PHEIC concurrent with mass international travel. See MAGNET S2 report 260608-1600Z.

GLOBAL CHOKEPOINT WATCH

CHOKEPOINT	STATUS	ASSESSMENT
Strait of Hormuz	CRITICAL	WORSENING THEN IMPROVING THEN UNCERTAIN. MOU closer than ever but TODAY’s Beirut strikes threaten signing. Draft terms: Iran opens immediately; US lifts blockade; 30-day mine clearance. Iran “service fee” concept introduces post-MOU ambiguity. DO NOT route commercial traffic until MOU signed AND mines cleared AND confirmed open.
Kuwait International Airport	ELEVATED	RECOVERING. Iranian drone strike 3 June: 1 killed, 63 wounded. Terminal 1 heavily damaged; partial operations resumed at alternate terminal. Monitor for follow-on incidents; Gulf region Iranian attack risk persists.
Bab el-Mandeb / Red Sea	ELEVATED	Stable. Houthi threat posture unchanged. No significant new incidents this week.
Panama Canal	ROUTINE	Stable. Normal operations.
Strait of Malacca	ELEVATED	SE Asia energy stress from Hormuz closure persists. Stable but watching. India summoned US deputy mission chief over casualties to Indian mariners in Gulf of Oman (12 June) — indicator of broader Gulf maritime tension.
Oman — Mina Al Fahal Terminal	ELEVATED	Previously disrupted by explosion (5 June); operations resumed. Monitor for follow-on incidents. Oman warned by US Treasury (Bessent) against levying Hormuz tolls.

KEY INCIDENTS

IRAN–US MOU NEGOTIATIONS — CLOSEST TO SIGNING IN CONFLICT HISTORY, UNSIGNED AS OF DTG (8–14 JUNE)

The week of 8–14 June 2026 saw Iran–US MOU negotiations advance to their most critical juncture since the conflict began. Iranian FM Abbas Araghchi stated on 12 June that a deal has “never been closer.” Pakistan PM Shehbaz Sharif announced on 13 June that the final text had been agreed and signing could occur within 24 hours. Qatari mediators flew to Tehran on 13–14 June in a parallel push — the first dual-track mediation effort of the conflict alongside the Pakistan channel.

Details of the MOU draft text emerged publicly (per Reuters, citing a senior Iranian official): Iran would immediately open the Strait of Hormuz; the US would in parallel lift its naval blockade of Iranian ports; Washington would release $25 billion of Iran’s frozen assets including via direct cash transfers; the US would impose no new sanctions until a final deal is reached and would waive oil sanctions; Iran would agree to neither produce nor purchase nuclear weapons, enrich no new uranium until a final deal is concluded, and dilute its highly enriched uranium stockpile inside the country — though the exact mechanism for HEU dilution still needs to be worked out. Trump disputed the Iranian-published 14-point draft (via Mehr News Agency on 12 June), stating it has “NOTHING to do with the terms that were agreed to, in writing.”

Iranian FM spokesman Esmaeil Baqaei stated on 13 June that signing was unlikely on 14 June due to “the hesitancy of the other side.” On 14 June, Trump posted on Truth Social: “We are very close to a Deal that will bring peace to the region, including to Lebanon, and all sides should stand down.” The post came in direct response to Israeli strikes on Beirut’s Dahiyeh district that same day. Assessment: MOU probability remains higher than at any prior point in the conflict, but today’s Beirut strikes introduce the most acute signing risk since talks resumed.

ISRAEL STRIKES BEIRUT DAHIYEH — DIRECT THREAT TO MOU SIGNING (14 JUNE 2026) [CRITICAL — BREAKING]

On 14 June 2026, the Israeli Defense Forces struck a Hezbollah command center in the Dahiyeh neighborhood of Beirut’s southern suburbs, in response to Hezbollah launching three projectiles toward communities in northern Israel — which the IDF called “a blatant ceasefire violation.” Prime Minister Netanyahu and Defense Minister Katz issued a joint statement confirming the strike. Lebanon’s Civil Defense agency reported 3 killed and 7 wounded in the Dahiyeh area. This was the first Israeli strike on Beirut’s suburbs since the Lebanon–Israel ceasefire was renewed on 12 June, just two days prior.

The strike came on the same day Qatari mediators were in Tehran pushing to finalize the Iran–US MOU. Trump posted on Truth Social that the Beirut strikes “should not have happened, particularly on a special day when we are so close to a Peace Deal with Iran” and urged all parties: “This could be the beginning of a long and beautiful peace — Let’s not blow it!” Iran’s Khatam al-Anbiya Central Headquarters issued a threat of retaliation for the Israeli strikes on Lebanon. Israel additionally issued forced displacement orders for 29 towns in southern Lebanon on 14 June.

Assessment: Iran has explicitly and repeatedly conditioned Hormuz MOU progress on Israeli restraint in Lebanon. The 14 June Beirut strikes are the most direct Lebanon-driven threat to MOU signing since the 1 June suspension. Watch for Iranian formal suspension announcement in the next 12–24 hours. The Lebanon blocking variable is now active in real time on the day closest to signing. Any deal signed despite today’s strikes would represent a significant decoupling of Lebanon from the Hormuz framework — which Iran has so far refused to allow.

FIFA WORLD CUP 2026 — TOURNAMENT UNDERWAY; THREAT WINDOW ACTIVE THROUGH 19 JULY

The FIFA 2026 World Cup opened 11 June 2026 with 104 matches across 11 US host cities (Los Angeles, San Francisco Bay Area, Seattle, Kansas City, Dallas, Houston, Boston, New York/New Jersey, Philadelphia, Atlanta, Miami) through the Final at MetLife Stadium on 19 July. MAGNET S2 published a dedicated threat assessment at 260608-1600Z (available at magnethf.com/reports).

Key threat findings from 260608-1600Z: (1) A confirmed improvised explosive device was discovered near a World Cup fan zone in Kansas City in March 2026 — no arrest announced as of DTG. (2) Iran qualified for the tournament then withdrew following the outbreak of the 2026 Iran–US war, creating an adversarial threat environment with Iranian-linked actors potentially in-country. (3) More than 400 law enforcement agencies are committed to tournament security, creating simultaneous emergency services degradation across all 11 host cities through 19 July. (4) A WHO-declared public health emergency of international concern — Ebola Sudan strain in Congo and Uganda — is active concurrent with the arrival of millions of international visitors. (5) GHOST STADIUM fraud network: 300+ cloned FIFA-related websites targeting fans across multiple domains.

MAGNET operator guidance for host-city regions: Recommend escalation to MAGCON L2 HIGH on Quarterfinal, Semifinal, and Final match days. Avoid vehicle traffic and large crowds in venue perimeters during match windows. Maintain communications redundancy; primary EMS channels may be saturated.

CYBER / INFRASTRUCTURE BULLETIN

KEV Bulletin — Patch Immediately

CVE / SYSTEM	SEVERITY	ACTION REQUIRED
CVE-2026-47281 Windows Defender/VSCode “RoguePlanet”	CVSS 9.6	NEW Patch Tuesday 10 June. Zero-day, actively exploited. Privilege escalation to SYSTEM via Defender/VSCode. Second Windows Defender zero-day this year. Apply June 2026 Microsoft patches immediately.
CVE-2026-45657 Windows Kernel (RCE)	CVSS 9.8	NEW Patch Tuesday 10 June. Zero-day, actively exploited. Use-after-free enabling unauthorized remote code execution at kernel level. Apply June 2026 Microsoft patches immediately.
CVE-2026-36891 BitLocker Bypass	HIGH	NEW Patch Tuesday 10 June. Zero-day. BitLocker security feature bypass — disk encryption protection circumvented. Apply June 2026 Microsoft patches.
CVE-2026-11645 Google Chromium V8	HIGH	NEW KEV 9 June. Out-of-bounds read/write enabling RCE inside sandbox via crafted HTML. Affects Chrome, Edge, Opera. Apply browser updates immediately across all endpoints.
CVE-2026-50751 Check Point Security Gateway	CRITICAL	NEW IKEv1 auth bypass; unauthenticated remote attackers can establish VPN connection without valid password. Confirmed actively exploited. Dutch NCSC: imminent large-scale abuse. Apply Check Point patches NOW; review VPN gateway logs immediately.
CVE-2026-7473 Arista EOS	HIGH	NEW KEV 9 June. Incomplete comparison with missing factors in Arista Extensible Operating System. Apply Arista patches; federal deadline applies.
CVE-2026-20245 Cisco Catalyst SD-WAN Mgr	HIGH	NEW KEV 9 June. Improper encoding / escaping of output in SD-WAN Manager. Apply Cisco patches per federal deadline.
CVE-2026-8398 DAEMON Tools Lite	CVSS 9.3	ONGOING — KEV 27 May. Supply chain RCE via compromised official installers (Apr–May 2026). Update to v12.6.0.2445 or uninstall. Federal deadline: 17 June — IMMINENT.
CVE-2026-45321 TanStack (npm)	CVSS 9.5	ONGOING — KEV 27 May. 84 malicious npm versions via hijacked GitHub Actions. Federal deadline: 10 June — PASSED. Audit package lock files; rotate credentials NOW if not done.
CVE-2026-48027 Nx Console (VS extension)	CVSS 9.3	ONGOING — KEV 27 May. Malicious extension on VS Marketplace and OpenVSX. Federal deadline: 17 June — IMMINENT. Update immediately; scan developer workstations.
CVE-2026-31431 Linux Kernel “Copy Fail”	CVSS 7.8	ONGOING — Exploitation surge active. Federal deadline PASSED 15 May. Patch to kernel 6.18.22 / 6.19.12 / 7.0. Treat as active incident response priority in cloud/container environments.
CVE-2026-20182 Cisco Catalyst SD-WAN	CVSS 10.0	ONGOING — Federal deadline PASSED 17 May. If not patched, assume compromise. Apply ED-26-03 or discontinue immediately.
CVE-2026-42897 Microsoft Exchange Server	HIGH	ONGOING. XSS in Outlook Web Access. Apply MSRC mitigations. Confirmed active exploitation.

EMERGING INDICATORS

Watch: MOU signing or collapse within 24–72 hours — today’s Beirut strikes are the most acute risk factor. Iran must either formally suspend talks again or proceed despite Lebanese casualties. Watch for Iranian official MOU status statement in next 12 hours.
Watch: Iranian retaliation for Beirut strikes — Iran’s Khatam al-Anbiya HQ threatened retaliation 14 June. Any kinetic Iranian response to Dahiyeh strikes could collapse the ceasefire framework and MOU negotiations simultaneously.
Watch: Oil price reversal — Brent at $87/bbl reflects MOU optimism. Beirut strikes and potential Iranian retaliation may drive rapid reversal toward $95–100+/bbl. Monitor Monday opening for price signal.
Watch: DAEMON Tools / Nx Console KEV deadlines — 17 June (3 days). Rotate credentials from any April–May 2026 installations; run SCA scans on developer workstations before deadline.
Watch: Check Point VPN CVE-2026-50751 — Dutch NCSC warned of imminent large-scale abuse; KEV listing likely this week. Organizations with Check Point gateways using IKEv1 should apply patches before the week closes.
Watch: Windows Defender “RoguePlanet” CVE-2026-47281 — actively exploited zero-day. Monitor enterprise environments for SYSTEM-level anomalies; high-value post-access pivot for threat actors.
Watch: Section 702 lapse — FISA authority expired 12 June. Watch for emergency legislative session or executive order to restore authority during active conflict and sensitive MOU negotiations.
Watch: FIFA World Cup threat window through 19 July — monitor for threat actor activity targeting mass gathering events, especially in host cities. KC fan zone IED discovery (March) remains unresolved.
Watch: Delaney Hall — federal escalation vs. administrative resolution. 80+ arrests; NJ political battle intensifying. Watch for facility transfer or detainee condition administrative response.
Watch: GKN groundwater contamination results (Garden Grove) — expected any time; confirmed contamination elevates liability and sets national industrial compliance precedent.
Watch: Converse Reservoir IED (Mobile, AL) — any arrest or motive attribution changes national CI threat posture for water utility operators.
Watch: US Army Apache helicopter went down near Hormuz (9 June) — Trump stated pilots safe. Monitor for Iranian exploitation of incident or follow-on narrative.
Watch: India–US maritime friction — India summoned US deputy mission chief over casualties to Indian mariners in Gulf (12 June). Gulf commercial maritime routing remains contingent on MOU confirmation.

VERIFIED STATUS

✓ CONFIRMED Iranian FM Araghchi (12 June): deal “never been closer.” Pakistan PM Sharif (13 June): final text agreed, signing within 24 hrs. Iranian FM Baqaei (13 June): NOT signing 14 June. Qatari mediators flew to Tehran 13–14 June. (NBC News, RFERL, Polymarket — 12–14 June 2026)
✓ CONFIRMED IDF struck Hezbollah command center in Dahiyeh, Beirut on 14 June 2026. Lebanon Civil Defense: 3 killed, 7 wounded. First Beirut suburb strike since 12 June ceasefire renewal. Trump condemned via Truth Social 14 June. Iran’s Khatam al-Anbiya threatened retaliation. (NBC News, Al Jazeera, Jerusalem Post — 14 June 2026)
✓ CONFIRMED Brent crude ~$87/bbl (12 June), lowest since early March; fell 4%+ on deal optimism. AAA national gas average $4.074/gal as of 14 June. Three consecutive weeks of decline from $4.56 peak 21 May. (Trading Economics, AAA gasprices.aaa.com — 12–14 June 2026)
✓ CONFIRMED CISA added 3 new KEVs on 9 June: CVE-2026-7473 (Arista EOS), CVE-2026-11645 (Chromium V8 RCE), CVE-2026-20245 (Cisco Catalyst SD-WAN Manager). (CISA.gov — 9 June 2026)
✓ CONFIRMED Microsoft June 2026 Patch Tuesday (10 June): 198 vulnerabilities; three zero-days including CVE-2026-47281 “RoguePlanet” (CVSS 9.6, actively exploited), CVE-2026-45657 Windows Kernel RCE (CVSS 9.8, actively exploited), CVE-2026-36891 BitLocker bypass. (Threat-Modeling.com — 10 June 2026)
✓ CONFIRMED Delaney Hall protests 23+ continuous days; 80+ total arrests. Weekend 7–8 June: 6 arrested (property damage, blocking). Phoenix woman federally charged 11 June for assaulting HSI agent. DHS Secretary Mullin condemned “rioters.” (NJ1015, PBS NewsHour, Fox5NY — 8–11 June 2026)
✓ CONFIRMED FIFA World Cup 2026 opened 11 June. MAGNET S2 published threat assessment 260608-1600Z on 9 June. Confirmed IED near Kansas City fan zone (March 2026); Iran withdrew; 400+ LE agencies committed. (magnethf.com/260608-1600z — 8–11 June 2026)
✓ CONFIRMED Section 702 FISA authority lapsed 12 June after House rejected extension and Congress adjourned. Trump named Jay Clayton as DNI on 12 June. (The Cipher Brief — 12 June 2026)
✗ NOT CONFIRMED Iran–US MOU formally signed. Unsigned as of DTG 14 June 2026.
✗ NOT CONFIRMED Hezbollah agreement to Lebanon ceasefire. Group has publicly rejected current proposals.
✗ NOT CONFIRMED GKN Garden Grove groundwater contamination confirmed. Testing ongoing.
✗ NOT CONFIRMED Converse Reservoir IED — suspect identified or motive confirmed. Investigation ongoing.

OPERATOR GUIDANCE

MONITOR MOU STATUS IN NEXT 24 HOURS — Beirut strikes on 14 June place signing in direct jeopardy. Watch for Iranian official MOU suspension statement. If MOU collapses, energy prices will reverse sharply and military resumption risk escalates. Prepare contingencies for both outcomes.
PATCH WINDOWS IMMEDIATELY (Patch Tuesday, 10 June) — Apply June 2026 Microsoft security updates. CVE-2026-47281 “RoguePlanet” (CVSS 9.6, SYSTEM escalation, actively exploited) and CVE-2026-45657 Windows Kernel RCE (CVSS 9.8, actively exploited) are zero-days requiring immediate patching. Do not defer.
PATCH CHECK POINT VPN NOW — CVE-2026-50751 IKEv1 auth bypass confirmed exploited; Dutch NCSC warned of imminent large-scale abuse. Apply Check Point patches before this week closes; review VPN gateway logs for unauthorized access sessions.
UPDATE CHROME / EDGE / OPERA IMMEDIATELY — CVE-2026-11645 Chromium V8 RCE on KEV (9 June); out-of-bounds read/write enables sandbox escape via crafted HTML. Apply browser vendor updates across all endpoints.
DAEMON TOOLS / NX CONSOLE — DEADLINE 17 JUNE (3 DAYS) — Audit all DAEMON Tools installations from Apr–May 2026; rotate credentials; update to v12.6.0.2445 or uninstall. Audit Nx Console VS extension; run SCA scans on developer workstations.
TANSTACK CVE-2026-45321 DEADLINE PASSED 10 JUNE — If credentials have not been rotated from affected Node.js/TanStack environments, treat as compromised. Run SCA against all package lock files; rotate all CI/CD and cloud credentials accessible from affected builds.
DO NOT USE HORMUZ TRANSIT — Strait remains effectively closed. MOU unsigned as of DTG. Beirut strikes 14 June may collapse negotiations. Verify through TRANSCOM for any operational requirements. Do not plan commercial maritime routing through Hormuz until MOU signed AND mines cleared AND formally confirmed open.
FIFA WORLD CUP — HOST CITY OPERATORS — See MAGNET S2 report 260608-1600Z for full threat assessment. Avoid vehicle traffic and large crowds in venue perimeters during match windows. Maintain communications redundancy. Recommend MAGCON L2 HIGH on Quarterfinal, Semifinal, and Final match days.
NJ / NORTHEAST OPERATORS — DELANEY HALL — Protests 23+ days continuous; 80+ arrests. Avoid Doremus Ave vicinity Newark during protest windows. Monitor for spread to other ICE facilities in NJ, NY, and adjacent states. Federal charges now active.
WATER / DAM OPERATORS — Converse Reservoir IED investigation ongoing; maintain enhanced underwater physical security; report anomalies to FBI and DHS.
CANVAS INSTITUTIONS — Maintain elevated phishing awareness through mid-August; verify any Canvas-branded communication through official channels.
Report cyber incidents to cisa.gov or IC3.gov; CI Fortify guidance at cisa.gov.

SOURCE LIST

[1] NBC News — Qatari negotiators fly to Tehran to finalize US-Iran deal, 13–14 June 2026 — nbcnews.com
[2] RFERL — Qatari negotiators travel to Tehran; MOU draft terms emerge, 14 June 2026 — rferl.org
[3] Polymarket — US x Iran permanent peace deal odds, updated 14 June 2026 — polymarket.com
[4] ABC News — What the US says is in the potential Iran war agreement, 13 June 2026 — abcnews.com
[5] CNBC — Trump disputes Iran’s account of deal terms; decries drone attack, 12 June 2026 — cnbc.com
[6] NBC News — Israel continues strikes in Beirut’s southern suburbs, 14 June 2026 — nbcnews.com
[7] Al Jazeera — At least 3 killed as Israel attacks southern Beirut, 14 June 2026 — aljazeera.com
[8] Jerusalem Post — IDF strikes Hezbollah targets in Dahiyeh, 14 June 2026 — jpost.com
[9] CBC News — Trump warns Israel and Iran not to “blow it” after new strikes, 14 June 2026 — cbc.ca
[10] Trading Economics — Brent crude oil price, 12 June 2026 — tradingeconomics.com
[11] AAA Gas Prices — National average $4.074/gal, 14 June 2026 — gasprices.aaa.com
[12] Fortune — Price of oil, 9 June 2026 — fortune.com
[13] EIA — June 2026 Short-Term Energy Outlook — eia.gov
[14] CISA.gov — Adds three known exploited vulnerabilities, 9 June 2026 — cisa.gov
[15] Threat-Modeling.com — Vulnerability Intelligence Report June 10, 2026 — threat-modeling.com
[16] Investing.com — Brent Crude Oil Futures Price, 12 June 2026 — investing.com
[17] NJ1015 — Another out-of-state arrest raises questions, 11 June 2026 — nj1015.com
[18] NJ1015 — Arrests and violence continue outside Delaney Hall, 8 June 2026 — nj1015.com
[19] PBS NewsHour — What to know about the protests outside Delaney Hall, 8 June 2026 — pbs.org
[20] Fox5NY — 6 arrested during Delaney Hall protests, 8 June 2026 — fox5ny.com
[21] MAGNET S2 Report 260608-1600Z — FIFA World Cup 2026 Threat Assessment — magnethf.com
[22] The Cipher Brief — Global Intelligence Report, 12 June 2026 — thecipherbrief.com
[23] AAA Gas Prices News — Three straight weeks of decline, 11 June 2026 — gasprices.aaa.com
[24] Threat-Modeling.com — Vulnerability Intelligence Report June 8, 2026 — threat-modeling.com
[25] CVEFeed.io — CISA KEV Catalog, updated June 2026 — cvefeed.io

Submit reports through established MAGNET situational awareness channels.
To Learn More About MAGNET, Visit www.MAGNETHF.COM