MAGNET S2 WEEKLY SNAPSHOT – 260607-1200z

Download the PDF version of this report

MAGNET S2 WEEKLY SNAPSHOT — 260607-1200Z

MAGNET S2

Weekly OSINT Intelligence Snapshot

DTG: 260607-1200Z | Reporting Period: 31 May – 7 June 2026 | United States Focus

www.magnethf.com

MAGCON STATUS

MAGCON

LEVEL 3

ELEVATED

MAGCON holds at Level 3 – ELEVATED. The dominant development this week is the full fracture and partial restoration of US–Iran MOU negotiations, driven by Iran’s suspension of talks on 1 June over Israel’s Lebanon operations. Talks were reported back on track by afternoon 1 June, but the MOU remains unsigned as of DTG. Fresh US–Iran mutual strikes (5–6 June) struck Iranian coastal radar sites and Gulf airspace — Iran called them ceasefire violations. Kuwait International Airport was struck by Iranian drones on 3 June: 1 killed (Indian national), 63 wounded, civilian terminal heavily damaged. Bahrain also sustained Iranian missile/drone attacks. Lebanon–Israel ceasefire agreed 4 June, but Hezbollah rejected it immediately. Brent crude has climbed back to ~$97/bbl (5 June), reversing May deal-optimism gains. AAA national gas average: $4.174/gal (7 June). New CISA KEV additions: CVE-2022-0492 (Linux cgroups LPE), CVE-2025-48595 (Android zero-day), and CVE-2024-21182 (Oracle WebLogic) — all added 1–2 June with deadlines now passed. Delaney Hall protests in Newark continue (16+ days): curfew lifted 2 June but new clashes 4–6 June; four federal arrests on 6 June.

TREND VS LAST WEEK: WORSENING — MOU UNSIGNED / TALKS FRACTURED & PARTIALLY RESTORED / NEW CIVILIAN CASUALTY (KUWAIT AIRPORT) / ESCALATORY MUTUAL STRIKES / ENERGY PRICES REBOUNDING / HEZBOLLAH COMPLICATES IRAN DEAL

PRIMARY RISK DRIVERS

Iran–US MOU negotiations — talks suspended by Iran (1 June) citing Israel’s Lebanon operations, restored by afternoon. MOU still unsigned as of DTG. Pakistan FM Naqvi visited Tehran 6 June; mediation channel active. Trump told NBC Iran retains ~21–22% of prewar missile stock. Polymarket permanent deal by June 15 at ~7%.
US–Iran mutual strikes (5–6 June) — CENTCOM struck Iranian coastal surveillance radar sites at Goruk and Qeshm Island (5 June) after shooting down 4 Iranian drones threatening Hormuz maritime traffic. 6 June: US downed 2 more Iranian drones; Iran launched additional missile-drone wave toward Gulf — intercepted. Iran FM called strikes a “clear violation” of the April 8 ceasefire. Iran fired warning shots near Hormuz linked to US vessel repositioning.
NEW — Kuwait International Airport struck by Iranian drones (3 June): 1 killed (Indian national), 63 wounded; passenger terminal heavily damaged. Airport briefly closed; Kuwait Airways resumed at alternate terminal. Kuwait FM condemned attack and reserved right to respond. Bahrain: IRGC launched missiles/drones toward US 5th Fleet HQ at NSA Bahrain 3–4 June; intercepted. Qatar condemned attacks as “flagrant violations of international law.”
NEW — Lebanon / Hezbollah complicates Iran MOU (4 June): Israel and Lebanon agreed to a US-brokered conditional ceasefire; Hezbollah immediately rejected it, demanding full Israeli withdrawal first. Iran explicitly linked Hormuz MOU progress to Lebanon: “No dialogue until Israel withdraws.” UNIFIL peacekeeper killed by mortar fire (4 June). Next round of Lebanon talks scheduled week of 22 June.
Oil / energy — Brent crude ~$97.44/bbl (5 June), up from $91.12/bbl low (29 May). AAA national gas average $4.174/gal (7 June). EIA STEO (May 12) projects ~$106/bbl Q2 2026 average. UAE departed OPEC effective 1 May — reduces future spare capacity estimates. SPR ~58M barrels released (14% of reserve); Atlantic hurricane season began 1 June with reserve reduced.
NEW CISA KEV (1–3 June) — CVE-2024-21182 Oracle WebLogic (KEV 1 June; federal deadline 4 June — PASSED). CVE-2022-0492 Linux kernel cgroups privilege escalation (KEV 2 June; deadline 5 June — PASSED). CVE-2025-48595 Android Framework integer overflow zero-day CVSS 8.4, actively exploited per Google (KEV 2 June; deadline 5 June — PASSED). Google June 2026 Android bulletin patched 124 CVEs including this zero-day.
KEV deadlines that expired this week — MS Defender CVE-2026-41091/45498 (3 June), Oracle WebLogic CVE-2024-21182 (4 June), Trend Micro Apex One CVE-2026-34926 (4 June), Langflow CVE-2025-34291 (4 June), Linux cgroups CVE-2022-0492 and Android CVE-2025-48595 (5 June). All require immediate remediation. Supply chain deadlines still approaching: TanStack CVE-2026-45321 (10 June — IMMINENT); DAEMON Tools CVE-2026-8398 and Nx Console CVE-2026-48027 (17 June).
Delaney Hall protests — ongoing, escalating again (1–7 June): Curfew lifted 2 June after zero arrests. New clashes 4–5 June after police drawdown — two out-of-state individuals arrested for assault on officer. 6 June: Four federal arrests (assault, obstruction, threats). 7 June: Police reimposed mask/backpack ban in surrounding streets. Protests now 16+ days continuous; status: ELEVATED, PERSISTENT.
Previously reported — ongoing, no material change: GKN Aerospace Garden Grove (criminal investigation, environmental remediation, civil suits active — no new arrest or contamination results). Converse Reservoir IED Mobile AL (no suspect or motive). Canvas LMS breach (phishing risk through mid-August). Iranian APT ICS/OT targeting. CIRCIA finalization pending.

DELTA SUMMARY – CHANGES FROM LAST REPORT (260531-2015Z)

TOPIC	DELTA FROM 260531-2015Z
Iran–US MOU Talks — Suspension & Partial Restoration (1 June)	WORSENING THEN PARTIALLY RESTORING. Iran’s Tasnim suspended talks 1 June, citing Israel’s Lebanon operations as ceasefire violation; threatened to fully close Hormuz. Trump pushed back same day; regional sources confirmed talks resumed by afternoon. MOU unsigned as of DTG. Pakistan FM Naqvi met Iranian FM Araghchi 6 June — mediation active. Polymarket permanent deal by 15 June at 7%. Trump told NBC Iran retains ~21–22% prewar missile stock.
US–Iran Mutual Strikes at Hormuz (5–6 June)	NEW — WORSENING. CENTCOM struck radar sites at Goruk and Qeshm Island (5 June) after 4 Iranian attack drones threatened maritime traffic. 6 June: 2 more Iranian drones downed; additional Hormuz/Gulf missile-drone wave intercepted. Iranian FM called US strikes “clear ceasefire violation.” Iran fired warning shots near Hormuz 6 June linked to US vessel repositioning.
Kuwait International Airport — Iran Drone Strike (3 June)	NEW — CIVILIAN CASUALTY EVENT. Iranian drones struck Kuwait International Airport terminal: 1 killed, 63 wounded. Airport briefly closed; partial operations resumed at alternate terminal. Kuwait FM condemned and reserved right to respond. Bahrain: Iranian missiles/drones targeted US 5th Fleet (NSA Bahrain) 3–4 June; intercepted. Qatar formally condemned attacks as “flagrant international law violations.” Treasury Sec. Bessent directed assessment of using Iranian assets to fund Gulf ally reconstruction.
Lebanon / Hezbollah — New Complication for Iran MOU (4 June)	NEW — SIGNIFICANT COMPLICATION. Israel–Lebanon US-brokered ceasefire agreed 4 June; Hezbollah immediately rejected it, demanding full Israeli withdrawal first. Iran directly linked Hormuz MOU progress to Lebanon — “No dialogue until Israel withdraws from Lebanon and Gaza.” UNIFIL peacekeeper killed by mortar (4 June). Next talks week of 22 June. Lebanon linkage now confirmed as a structural blocking variable for any MOU signing.
Oil / Energy — Prices Rebounding	WORSENING AFTER IMPROVING. Brent crude $97.44/bbl (5 June) vs. $91.12/bbl (29 May). AAA gas $4.174/gal (7 June) vs. $4.356/gal (30 May) — slight retail decline but crude trend reversing upward. EIA STEO projects ~$106/bbl Q2 average. UAE left OPEC effective 1 May. SPR 14% depleted; Atlantic hurricane season began 1 June. Oman Mina Al Fahal terminal briefly disrupted by explosion (5 June); operations resumed.
CISA KEV — New Additions (1–3 June)	NEW — THREE NEW KEV ENTRIES. CVE-2024-21182 Oracle WebLogic (KEV 1 June; deadline 4 June — PASSED). CVE-2022-0492 Linux kernel cgroups LPE (KEV 2 June; deadline 5 June — PASSED). CVE-2025-48595 Android Framework zero-day CVSS 8.4, actively exploited (KEV 2 June; deadline 5 June — PASSED). All deadlines now expired — treat as immediate remediation priority.
KEV Deadlines Expiring This Week	PASSED — IMMEDIATE ACTION REQUIRED. MS Defender CVE-2026-41091/45498 (3 June). Oracle WebLogic CVE-2024-21182 (4 June). Trend Micro CVE-2026-34926 (4 June). Langflow CVE-2025-34291 (4 June). Linux cgroups CVE-2022-0492 (5 June). Android CVE-2025-48595 (5 June). Still approaching: TanStack CVE-2026-45321 (10 June — IMMINENT); DAEMON Tools CVE-2026-8398 and Nx Console CVE-2026-48027 (17 June).
Delaney Hall ICE Protests — Newark, NJ (1–7 June)	ONGOING — ELEVATED. Curfew lifted 2 June after calm night. New clashes 4–5 June post police drawdown — 2 out-of-state arrests (aggravated assault on officer). 6 June: 4 federal arrests (assault/obstruction/threats). 7 June: mask/backpack ban reimposed in surrounding streets. Protests now 16+ days continuous.
GKN Aerospace MMA — Garden Grove, CA	ONGOING — NO CHANGE. Criminal investigation active, environmental testing ongoing, civil suits proceeding. No new arrest, no contamination results released as of DTG.
Converse Reservoir IED — Mobile, AL	ONGOING — NO ARREST. FBI investigation continues. No suspect, no confirmed motive. Water utility underwater physical security gap remains a national-level open issue.
Canvas LMS Breach	STABLE — NO CHANGE. Phishing risk from 275M records continues through mid-August window. Canvas-themed spear-phishing campaigns expected through mid-August.

NO CHANGE:

MAGCON level holds at 3 – ELEVATED
Iranian APT cyber targeting of U.S. ICS/OT remains active
Bab el-Mandeb / Red Sea threat stable at ELEVATED (Houthi posture unchanged)
CIRCIA mandatory cyber incident reporting rule finalization still pending
CISA CI Fortify initiative ongoing; Converse Reservoir IED directly validates CI Fortify threat model
Microsoft Exchange CVE-2026-42897 (XSS/OWA) — patch still required
US naval blockade of Iranian ports remains in effect

SECTOR THREAT LEVELS

SECTOR	LEVEL	NOTES
Terrorism / Extremism	ELEVATED	No new domestic incident. White House perimeter cluster (23 May) follow-up ongoing; 30-day lone-actor threat pattern remains analytically significant. Watch for copycat events.
Cyber Activity	ELEVATED	NEW: Android zero-day (CVE-2025-48595) actively exploited. Linux cgroups KEV (CVE-2022-0492) added. Six KEV remediation deadlines expired this week. Supply-chain attack campaign deadlines approaching (TanStack 10 June; DAEMON Tools/Nx Console 17 June). Citrix NetScaler CVE-2026-3055 and Windows Netlogon CVE-2026-41089 large-scale exploitation reported — not yet KEV.
Critical Infrastructure	ELEVATED	Converse Reservoir IED (Mobile, AL) investigation ongoing — no arrest. GKN Garden Grove long-tail active. SD-WAN overdue patches expose CI networks. Kuwait airport civilian aviation CI severely damaged by Iranian drone strike.
Energy / Fuel Sector	HIGH	WORSENING. Brent crude $97.44/bbl (5 June) after $91/bbl low (29 May). AAA gas $4.174/gal (7 June). MOU unsigned; active Hormuz strikes both sides. EIA projects $106/bbl Q2 avg. UAE left OPEC. SPR 14% depleted entering hurricane season.
Education Sector	ELEVATED	Canvas breach phishing risk continues through mid-August. No new developments.
Civil Unrest	ELEVATED	PERSISTENT. Delaney Hall Newark protests now 16+ days. Curfew lifted 2 June; new clashes 4–6 June; 4 federal arrests 6 June; mask/backpack ban 7 June. Watch for spread to other ICE facilities in NJ, NY, and adjacent states.
Transportation Systems	ELEVATED	Hormuz effectively closed pending MOU signing and mine clearance. Kuwait International Airport terminal damaged (3 June); partial operations. Active US–Iran strikes near Hormuz 5–6 June increase maritime risk.
Supply Chain / Logistics	ELEVATED	Hormuz closure continues. Oman Mina Al Fahal terminal briefly disrupted by explosion (5 June); operations resumed. UAE OPEC departure affects regional production estimates. Mine clearance and infrastructure repair required even after MOU signing.
Food / Fertilizer Security	ELEVATED	WFP warns up to 45M people could face acute food insecurity if oil stays near $100/bbl — now being realized. Gulf shipping disruption continues impacting fertilizer and agricultural trade lanes. No new developments.

GLOBAL CHOKEPOINT WATCH

CHOKEPOINT	STATUS	ASSESSMENT
Strait of Hormuz	CRITICAL	WORSENING. MOU unsigned. US struck Iranian radar sites Goruk/Qeshm (5 June). Iran drones downed 5–6 June. Iranian warning shots 6 June. TREAT AS CLOSED — DO NOT route commercial traffic until MOU signed AND mines cleared AND confirmed open.
Kuwait International Airport	CRITICAL	NEW — DAMAGED. Iranian drone strike 3 June: 1 killed, 63 wounded. Terminal 1 heavily damaged; partial operations resumed at alternate terminal. Watch for follow-on strikes.
Bab el-Mandeb / Red Sea	ELEVATED	Stable. Houthi threat posture unchanged. No significant new incidents.
Panama Canal	ROUTINE	Stable. Normal operations.
Strait of Malacca	ELEVATED	SE Asia energy stress from Hormuz closure persists. Stable but watching.
Oman — Mina Al Fahal Terminal	ELEVATED	NEW. Briefly disrupted by explosion (5 June); operations resumed. Monitor for follow-on incidents.

KEY INCIDENTS

IRAN–US NEGOTIATIONS — SUSPENSION, PARTIAL RESTORATION, MOU UNSIGNED (1–7 June)

On 1 June 2026, Iranian state media outlet Tasnim reported that Iranian negotiators would cease exchanging messages with the US through intermediaries and would move to fully close the Strait of Hormuz, citing ongoing ceasefire violations — specifically Israel’s continued military operations in Lebanon against Hezbollah. Tehran’s position: “No dialogue will take place” until Israel fully withdraws from occupied areas in Lebanon and stops all attacks in Lebanon and Gaza.

President Trump responded the same day, stating he believed a deal was reachable “over the next week” and described the Lebanon complication as a “little glitch” he turned around by deterring Netanyahu from a major Beirut operation. Regional sources confirmed talks resumed by afternoon. Pakistan Interior Minister Mohsin Naqvi traveled to Tehran on 6 June for talks with Iranian FM Abbas Araghchi — the Pakistan mediation channel remains active. As of DTG, the MOU remains unsigned. Key outstanding disputes include uranium enrichment limits, sequencing of sanctions relief vs. mine clearance, US force withdrawal posture, and the Lebanon linkage. Polymarket places a permanent deal by 15 June at approximately 7%. Trump told NBC that Iran retains approximately 21–22% of its prewar missile stock.

Assessment: The fracture-and-restore cycle on 1 June demonstrates structural fragility of the MOU framework. Lebanon is now a confirmed blocking variable, not merely a complication. The probability of MOU signing within the next 7 days remains low absent Israeli restraint in Lebanon. Watch for further Iranian leverage moves tied to Hormuz operations.

US–IRAN MUTUAL STRIKES AT HORMUZ (5–6 JUNE) [ELEVATED — ONGOING]

On 5 June 2026, US CENTCOM struck Iranian coastal surveillance radar sites in Goruk and on Qeshm Island following the intercept of four Iranian one-way attack drones threatening maritime traffic near the Strait of Hormuz. CENTCOM stated the drones “posed an immediate threat to regional maritime traffic.” Iran’s Foreign Ministry called the strikes a “clear violation of the April 8 ceasefire and an act of military aggression against the sovereignty and territorial integrity of the Islamic Republic of Iran,” citing that the facilities struck were tasked with “safeguarding the country’s borders and ensuring the security of navigation.”

On 6 June, the US shot down two additional Iranian drones over the Strait area. Iran launched an additional wave of missiles and drones toward the Hormuz/Gulf region; air raid sirens activated in Kuwait and Bahrain; all intercepted. Iran separately fired “warning shots” near Hormuz, which Mehr news agency attributed to US vessel repositioning near the waterway.

Assessment: The 5–6 June exchange represents the most intense mutual kinetic activity since the 25–28 May incidents. The ceasefire framework is severely stressed. Iran’s targeting of surveillance infrastructure signals an attempt to establish that defensive maritime monitoring is protected under ceasefire terms — a definitional dispute that is unresolved and will generate further incidents.

KUWAIT INTERNATIONAL AIRPORT — IRAN DRONE STRIKE (3 JUNE) [CRITICAL — CIVILIAN CASUALTY EVENT]

Iranian drones struck Kuwait International Airport’s passenger terminal on 3 June 2026, killing one person (identified as an Indian national by India’s embassy) and wounding 63 others, including passengers and airport workers; some injuries described as serious. Kuwait’s Defense Ministry stated it destroyed over a dozen missiles and a similar number of drones. Debris from intercepted weapons caused the terminal damage. Kuwait briefly suspended all flights; Kuwait Airways resumed operations at an alternate terminal after damage assessment.

Kuwait’s Ministry of Foreign Affairs condemned the attack as a “brutal and ongoing” assault on “civilian and vital facilities” and reserved its “full and inherent right to take appropriate measures.” Iran denied causing the damage; US Central Command called Iran’s denial false and described the attack as “deliberate, calculated and unjustified.” This incident coincided with Iranian missile and drone attacks on Bahrain’s Naval Support Activity (US 5th Fleet HQ) on 3–4 June; all intercepted. Qatar formally condemned the attacks on Kuwait and Bahrain as “flagrant violations of international law.” Treasury Secretary Bessent directed his team to assess whether Iranian assets could be used to fund Gulf ally reconstruction.

Assessment: The Kuwait airport strike is the most significant civilian casualty event in the Gulf states in the current reporting period — an escalatory step beyond military facility targeting. Watch for Kuwait and Bahrain to formalize retaliatory or defensive authority requests to US forces. The civilian death and airport damage create domestic political pressure that may accelerate Gulf state demands for US offensive action against Iran.

LEBANON / HEZBOLLAH — NEW CEASEFIRE AGREED, HEZBOLLAH REJECTS, IRAN LINKAGE CONFIRMED (4 JUNE)

On 4 June 2026, Israel and Lebanon agreed to a US-brokered conditional ceasefire following a fourth round of direct talks in Washington. The agreement called for a demilitarized zone in parts of southern Lebanon currently occupied by Israeli forces, to be administered by the Lebanese national army. Israeli Defense Minister Katz confirmed military presence and operations in southern Lebanon would continue despite the announcement.

Hezbollah, which was not party to the talks, immediately rejected the agreement. Hezbollah leader Naim Qassem stated the group is “concerned only with a comprehensive cessation of aggression, a ceasefire, and the withdrawal of Israel.” Hours after the agreement was announced, Hezbollah launched fresh attacks and air raid sirens were reported in northern Israel. UNIFIL reported one peacekeeper killed and others wounded in mortar fire in southeastern Lebanon on 4 June. Lebanese President Aoun called this the “last chance” for a comprehensive ceasefire. Further talks are scheduled for the week of 22 June.

Assessment: The Lebanon complication is now operationally embedded in the Iran–US MOU framework. Iran has stated explicitly it will not negotiate Hormuz while Israel is operating in Lebanon. Hezbollah’s non-party status means any Lebanon ceasefire is fragile by design. MAGNET operators should treat the Lebanon situation as a primary blocking variable for any Hormuz resolution in the near term.

CYBER / INFRASTRUCTURE BULLETIN

KEV Bulletin — Patch Immediately

CVE / SYSTEM	SEVERITY	ACTION REQUIRED
CVE-2025-48595 Android Framework	CVSS 8.4	NEW KEV 2 June. Actively exploited zero-day confirmed by Google. Integer overflow → Local Privilege Escalation on Android 14+. Affects ALL device manufacturers. Apply June 2026 Android security update (124 CVEs patched). Federal deadline: 5 June — PASSED.
CVE-2022-0492 Linux Kernel cgroups	HIGH	NEW KEV 2 June. Privilege escalation via cgroups v1 — distinct from CVE-2026-31431. Affects containerized and cloud environments. Apply kernel patches immediately. Federal deadline: 5 June — PASSED.
CVE-2024-21182 Oracle WebLogic Server	HIGH	NEW KEV 1 June. Unspecified remote exploitation vulnerability. Apply Oracle patches; review for indicators of compromise. Federal deadline: 4 June — PASSED.
CVE-2026-8398 DAEMON Tools Lite	CVSS 9.3	KEV 27 May. Supply chain RCE via compromised official installers (Apr–May 2026). Update to v12.6.0.2445 or uninstall. Audit Apr–May installs for indicators of compromise. Federal deadline: 17 June.
CVE-2026-45321 TanStack (npm)	CVSS 9.5	KEV 27 May. 84 malicious npm versions via hijacked GitHub Actions; credential theft. Audit package lock files; rotate all credentials. Federal deadline: 10 June — IMMINENT.
CVE-2026-48027 Nx Console (VS ext)	CVSS 9.3	KEV 27 May. Malicious extension on VS Marketplace and OpenVSX. Update immediately; scan developer workstations. Federal deadline: 17 June.
CVE-2026-31431 Linux Kernel ‘Copy Fail’	CVSS 7.8	EXPLOITATION SURGE CONFIRMED ACTIVE. Federal deadline PASSED 15 May. Patch to kernel 6.18.22 / 6.19.12 / 7.0 — treat as active incident response priority.
CVE-2026-20182 Cisco Catalyst SD-WAN	CVSS 10.0	Federal deadline PASSED 17 May. UAT-8616 and 10+ clusters active. If not patched, assume compromise. Apply ED-26-03 or discontinue immediately.
CVE-2026-41091 Microsoft Defender (EoP)	CVSS 7.8	Deadline PASSED 3 June. Elevation of privilege to SYSTEM via Defender abuse. Patch to Defender 4.18.26040.7 / MMP Engine 1.1.26040.8.
CVE-2026-3055 Citrix NetScaler	CVSS 9.8	WATCH Not yet KEV. Large-scale exploitation confirmed by Fortinet. Apply Citrix patches now — do not wait for KEV listing.
CVE-2026-41089 Windows Netlogon	CVSS 9.8	WATCH Not yet KEV. Belgian government exploitation warning. Apply Microsoft patches; review Netlogon logs for anomalies.
CVE-2026-42897 Microsoft Exchange Server	HIGH	ONGOING. XSS in Outlook Web Access. Apply MSRC mitigations. Confirmed active exploitation.

EMERGING INDICATORS

Watch: Iran MOU negotiations — next 72–96 hours critical. Lebanon linkage is confirmed blocking variable. Watch for any Israeli restraint signal in Lebanon or further Iranian suspension. Pakistan mediator activity is a positive indicator.
Watch: Hezbollah ceasefire trajectory — next talks week of 22 June. Any Hezbollah agreement to the Lebanon ceasefire framework removes the primary Iran diplomatic blocker.
Watch: Hormuz kinetic activity — mutual strike cycle (5–6 June) could escalate. Any Iranian targeting of commercial vessels or US naval assets would represent a threshold event.
Watch: Kuwait and Bahrain response to Iranian strikes — both states now have civilian casualties and infrastructure damage. Watch for formal requests for expanded US offensive authority or unilateral defensive escalation.
Watch: TanStack CVE-2026-45321 federal deadline — 10 June. Any organization using Node.js/TanStack that has not audited package lock files and rotated credentials is at immediate risk.
Watch: DAEMON Tools / Nx Console KEV deadlines — 17 June. Rotate credentials from any installations made April–May 2026; run SCA scans on developer workstations.
Watch: Android CVE-2025-48595 exploitation expansion — actively exploited zero-day targeting Android 14+; federal deadline passed; watch for criminal/APT exploitation campaigns against mobile endpoints.
Watch: Citrix NetScaler CVE-2026-3055 and Windows Netlogon CVE-2026-41089 KEV candidacy — large-scale exploitation confirmed; CISA likely to add both within days.
Watch: Oil price trajectory as Brent approaches $100/bbl — any Hormuz escalation or MOU collapse restores prior price spike; $100/bbl is a consumer stress threshold. Any MOU signing drives rapid decline.
Watch: GKN groundwater contamination results (Garden Grove) — expected any time; confirmed contamination elevates environmental liability and sets national industrial compliance precedent.
Watch: SPR levels entering hurricane season — 58M barrels released, reserve at ~86% heading into Atlantic hurricane season (started 1 June); any major hurricane affecting Gulf production adds directly to war-driven energy vulnerability.
Watch: Delaney Hall — watch for federal escalation (additional arrest authority, DOJ action) vs. de-escalation (facility transfer or administrative response to detainee conditions). Protests show no sign of ending.
Watch: Converse Reservoir FBI investigation update — any arrest or motive attribution will change national threat posture for water utility operators and CI security planners.

VERIFIED STATUS

✓ CONFIRMED Iran suspended US MOU talks 1 June via Tasnim; Trump stated deal reachable within week; talks reported back on track by afternoon. Pakistan FM Naqvi visited Tehran 6 June. (CNN, CNBC, The Hill — 1 June 2026)
✓ CONFIRMED US CENTCOM struck Iranian coastal radar sites Goruk and Qeshm Island 5 June after 4 Iranian drones threatened Hormuz traffic. 6 June: 2 more drones downed; additional missile-drone wave intercepted. (CENTCOM/X, CNN, CBS News — 5–6 June 2026)
✓ CONFIRMED Iranian drone strike on Kuwait International Airport 3 June: 1 killed (Indian national), 63 wounded; terminal heavily damaged; airport briefly closed. (NPR, CBS News, Reuters — 3 June 2026)
✓ CONFIRMED Iran launched missiles and drones at NSA Bahrain (US 5th Fleet) 3–4 June; intercepted. Bahrain and Qatar formally condemned attacks. (Fox News, CBS News — 3–4 June 2026)
✓ CONFIRMED Israel–Lebanon US-brokered ceasefire agreed 4 June; Hezbollah immediately rejected it, demanding full Israeli withdrawal. (Al Jazeera, NPR, Time — 4 June 2026)
✓ CONFIRMED UNIFIL peacekeeper killed by mortar fire in southeastern Lebanon 4 June. (NPR — 4 June 2026)
✓ CONFIRMED CISA KEV additions: CVE-2024-21182 Oracle WebLogic (1 June), CVE-2022-0492 Linux cgroups and CVE-2025-48595 Android zero-day (2 June). All federal deadlines passed. (CISA.gov — 1–2 June 2026)
✓ CONFIRMED AAA national gas average $4.174/gal as of 7 June 2026. Brent crude ~$97.44/bbl as of 5 June. (AAA gasprices.aaa.com, Fortune — 5–7 June 2026)
✓ CONFIRMED Delaney Hall protests: curfew lifted 2 June; new clashes 4–5 June; 4 federal arrests 6 June; mask/backpack ban 7 June. Protests continuing 16+ days. (CBS New York, ABC7 NY — 2–7 June 2026)
✗ NOT CONFIRMED Iran–US MOU formally signed. Unsigned as of DTG.
✗ NOT CONFIRMED Hezbollah agreement to Lebanon ceasefire. Group has publicly rejected current proposal.
✗ NOT CONFIRMED GKN Garden Grove groundwater contamination confirmed. Testing ongoing; no results publicly available as of DTG.
✗ NOT CONFIRMED Converse Reservoir IED — suspect identified or motive confirmed. FBI investigation ongoing with no public arrest.

OPERATOR GUIDANCE

PATCH ANDROID NOW — CVE-2025-48595 actively exploited zero-day; federal deadline PASSED 5 June; apply June 2026 Android security update on all organizational and personal devices used for sensitive communications.
PATCH LINUX KERNEL (cgroups) — CVE-2022-0492; federal deadline PASSED 5 June; review cgroups v1 configurations in containerized and cloud environments; audit privilege escalation logs.
PATCH ORACLE WEBLOGIC — CVE-2024-21182; federal deadline PASSED 4 June; apply Oracle patches immediately; review WebLogic logs for indicators of compromise.
TANSTACK DEADLINE 10 JUNE — IMMINENT — CVE-2026-45321; run software composition analysis NOW against all Node.js projects; rotate all credentials accessible from affected environments before 10 June.
DAEMON TOOLS / NX CONSOLE — DEADLINE 17 JUNE — audit all installations from Apr–May 2026; rotate credentials; scan developer workstations for indicators of compromise.
CITRIX NETSCALER — CVE-2026-3055 (CVSS 9.8) large-scale exploitation confirmed; not yet KEV but imminent; apply Citrix patches now — do not wait for KEV listing.
PATCH LINUX KERNEL (Copy Fail) — CVE-2026-31431 exploitation surge confirmed active; federal deadline PASSED 15 May; patch to kernel 6.18.22 / 6.19.12 / 7.0 immediately; audit all cloud and container environments for unauthorized privilege escalation.
CISCO SD-WAN — CVE-2026-20182 CVSS 10.0; federal deadline PASSED 17 May; if not patched, assume compromise and begin incident response procedures; apply ED-26-03 or discontinue immediately.
DO NOT ROUTE THROUGH HORMUZ — strait effectively closed until MOU signing is formally confirmed AND mine clearance is complete; active US–Iran strikes 5–6 June confirm continued kinetic risk; verify through TRANSCOM for any operational requirements.
AVIATION / LOGISTICS PLANNERS — Kuwait International Airport terminal damaged; partial operations resumed at alternate terminal; route planning for Gulf region should account for Kuwait airport limitations; Bahrain NSA vicinity under repeated Iranian strikes.
NJ / NORTHEAST OPERATORS — Delaney Hall protests persist (16+ days); curfew lifted but mask/backpack ban reimposed 7 June; avoid protest area Doremus Ave vicinity Newark; monitor for spread to other ICE facilities in NJ, NY, and adjacent states.
MONITOR BRENT CRUDE APPROACH TO $100/bbl — Hormuz escalation or MOU collapse could rapidly reverse energy improvements; prepare operational contingencies; $100/bbl is a consumer stress threshold.
HURRICANE SEASON ALERT — Atlantic season began 1 June with SPR at ~86% capacity; any Gulf Coast hurricane affecting production compounds war-driven energy vulnerability; monitor NOAA forecasts.
CANVAS INSTITUTIONS — maintain elevated phishing awareness through mid-August; verify any Canvas-branded communication through official channels; expect personalized spear-phishing using course names and private message context.
WATER / DAM OPERATORS — Converse Reservoir IED investigation ongoing with no arrest; maintain enhanced underwater physical security protocols; report anomalies to FBI and DHS.
MR09 / CALIFORNIA OPERATORS — Monitor GKN groundwater contamination results; check AQMD and EPA ECHO enforcement databases for industrial-chemical facilities near residential zones in your operating area.
Report cyber incidents to cisa.gov or IC3.gov; CI Fortify guidance at cisa.gov.

SOURCE LIST

[1] CNN — Iran suspends talks, Trump insists deal coming within week, 1 June 2026 — cnn.com
[2] CNBC — Iran halts ceasefire talks, vows to keep Hormuz closed, 1 June 2026 — cnbc.com
[3] The Hill — Iran accuses Trump of ceasefire violations, 1 June 2026 — thehill.com
[4] NPR — Kuwait says Iranian drones hit airport, killed 1, 3 June 2026 — npr.org
[5] CBS News — Kuwait airport hit; Iran drone strikes; Bahrain targeted, 3 June 2026 — cbsnews.com
[6] Reuters — Kuwait FM condemns Iranian attacks on Kuwait airport, 3 June 2026
[7] CNN — US–Iran mutual strikes, ceasefire under strain, 5 June 2026 — cnn.com
[8] CNN — Ceasefire faces further strain, US–Iran launch strikes, 6 June 2026 — cnn.com
[9] Fox News — Iran war news: US strikes Iran radar sites, 6 June 2026 — foxnews.com
[10] RFERL — US forces hit Iranian coastal sites after Tehran launches drones, 6 June 2026 — rferl.org
[11] CBS News — Iran accused of ceasefire violation; US shot down 6 drones, 6 June 2026 — cbsnews.com
[12] Al Jazeera — Israel and Lebanon agree to conditional ceasefire, 4 June 2026 — aljazeera.com
[13] NPR — Hezbollah rejects ceasefire deal agreed by Israel and Lebanon, 4 June 2026 — npr.org
[14] Time — Hezbollah rejects Israel–Lebanon ceasefire agreement, 4 June 2026 — time.com
[15] AAA Gas Prices — National average $4.1740/gal, 7 June 2026 — gasprices.aaa.com
[16] NBC News — Gas prices tracker, updated 7 June 2026 — nbcnews.com
[17] Fortune — Brent crude price $97.44/bbl, 5 June 2026 — fortune.com
[18] EIA Short-Term Energy Outlook — Brent $106/bbl Q2 forecast, May 2026 — eia.gov
[19] CISA — Adds CVE-2024-21182 Oracle WebLogic to KEV, 1 June 2026 — cisa.gov
[20] CISA — Adds CVE-2022-0492 and CVE-2025-48595 to KEV, 2 June 2026 — cisa.gov
[21] Threat-Modeling.com — Vulnerability Intelligence Report 3 June 2026 — threat-modeling.com
[22] CBS New York — Delaney Hall curfew lifted, 2 June 2026 — cbsnews.com
[23] ABC7 New York — Clashes at Delaney Hall after police scale back, 5 June 2026 — abc7ny.com
[24] Britannica — 2026 Iran war, updated 7 June 2026 — britannica.com
[25] Polymarket — US–Iran permanent peace deal probability, June 2026 — polymarket.com
[26] MAGNET S2 Report 260527-1306Z — GKN MMA Delta Update — magnethf.com
[27] MAGNET S2 Report 260526-1200Z — GKN MMA Original Report — magnethf.com

Submit reports through established MAGNET situational awareness channels.
To Learn More About MAGNET, Visit www.MAGNETHF.COM