In this week’s report: Russian intelligence services have escalated their long-running campaign against Signal users, now stealing backup recovery keys that give them complete access to the victim’s entire message history, past and future.
A zero‑day vulnerability in Cisco Catalyst SD‑WAN Manager, exploited for at least two months before public disclosure, has been used to gain full root‑level control of network infrastructure at a communications provider, with limited forensic traces left behind.
A critical remote code execution flaw in PTC Windchill, widely used across manufacturing, medical device production, and life sciences supply chains, is being actively exploited, with attackers deploying persistent web shells to maintain hidden access even after patching.
NHS England's National CSOC has issued an alert for CVE-2026-8461, a high-severity vulnerability in FFmpeg nicknamed "Pixel Smash," which is embedded in hundreds of applications and can be triggered silently by a malicious media file with a published proof-of-concept and exploitation rated as likely.
Full report below...
Russian intelligence groups have been running a sustained campaign to break into Signal messaging accounts used by government officials, military personnel, politicians, journalists, and activists across Ukraine, Europe, and the United States. The FBI and CISA issued an updated formal warning on 26 June 2026, tracking the two main groups behind this activity as UNC5792 and UNC4221, both linked to Russian intelligence services, including the FSB.
The campaign has added a new step. Attackers are now sending messages that look like they come from Signal's support team, asking targets to open their Signal backup settings, view their Backup Recovery Key, and paste it into the chat. That single key is enough to restore a full backup of the account, including all private and group message history. Once the key is handed over, it keeps working. Even creating a new Signal account on the same phone number does not stop the attacker from using the old key against it, unless the user generates a new one. The March 2025 version of this campaign targeted verification codes and account PINs; this is a deliberate escalation. Dutch, German, and French intelligence agencies have all confirmed they have seen the same tactics.
Signal is widely used as a secure messaging tool by NHS leadership, digital health executives, policy teams, and organisations working in sensitive healthcare or defence-adjacent roles. It is also commonly used for internal communications at NHS suppliers and healthtechs who handle sensitive data. This campaign does not break Signal's encryption. The app itself is not compromised. The attack works by tricking the person holding the account into handing over the key. Anyone who uses Signal to discuss clinical decisions, contract negotiations, patient safety incidents, or commercially sensitive information should be aware that their account and everything in it can be read by a Russian intelligence group if they are successfully phished. The State Department has put a $10 million reward on information about UNC5792, which gives some indication of how seriously this is being taken.
Google-owned incident response firm Mandiant has confirmed that an unknown threat actor exploited a vulnerability in Cisco Catalyst SD-WAN Manager at least two months before Cisco publicly disclosed it. The vulnerability, tracked as CVE-2026-20245 with a CVSS severity score of 7.8, allowed an attacker who already had administrator-level access to the system to escalate their privileges all the way to root, giving them complete control of the device at the deepest level of the operating system.
The attack targeted a communications service provider. Mandiant found two separate waves of unauthorised activity: one between late 2025 and January 2026, and a second in March 2026. During the second wave, the attacker uploaded a malicious file to the system, which exploited the flaw to gain root access. They then created a hidden account called "troot" directly in the system's password files. Once done, they deleted every file they had touched, reversed their configuration changes, and ran a validation script to confirm they had left no detectable trace behind. By the time the attack was found, even a thorough forensic review could not fully reconstruct what the attacker had accessed.
Cisco Catalyst SD-WAN is used across enterprise networks, telecommunications providers, and managed service environments, including organisations that support NHS connectivity and digital health infrastructure. SD-WAN devices sit at the heart of how organisations connect their sites and manage network traffic. A compromised SD-WAN controller gives an attacker persistent visibility into internal traffic across the entire network it manages. The fact that this particular flaw was being exploited as a zero-day, meaning Cisco did not even know about it, means that no patch existed while the attack was happening. The attacker's careful clean-up also means that any organisation that was targeted may have no idea. Mandiant's wider finding is that advanced attackers are increasingly going after network edge devices specifically because these systems rarely have the same monitoring and forensic tools that endpoint devices do. If your organisation uses Cisco SD-WAN and relies on a managed IT provider to run it, this is a conversation worth having now.
The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability in PTC Windchill PDMlink and PTC FlexPLM to its Known Exploited Vulnerabilities catalogue on 26 June 2026, after confirming active exploitation in the wild. The flaw, CVE-2026-12569, has a CVSS severity score of 9.3. It allows an attacker with network access to send a specially crafted request to the Windchill system and execute arbitrary code on the server, with no need for valid login credentials. PTC confirmed on 25 June 2026 that it had received continued reports of heightened threat activity and that attackers are deploying web shells: small, hidden programmes that give them ongoing remote access to the server even after the initial point of entry is patched.
PTC Windchill is an enterprise Product Data Management (PDM) and Product Lifecycle Management (PLM) platform. It is used by manufacturing companies, engineering teams, and product development organisations to manage the design, documentation, and regulatory compliance records for physical products — including medical devices and pharmaceutical manufacturing equipment.
This vulnerability is directly relevant to the UK digital health and NHS supplier ecosystem. Medical device manufacturers, pharmaceutical companies, and NHS-connected engineering suppliers who use PTC Windchill to manage device documentation, design records, or regulatory submissions are exposed. A successful exploit gives an attacker the ability to read, modify, or delete product data, technical documentation, and compliance records. In a medical device context, this could include design history files, software bills of materials, clinical evaluation data, and post-market surveillance records, all of which are required under EU MDR and UK regulatory frameworks. The deployment of web shells by attackers means that even systems that have since been patched may still have a hidden back door in place. Organisations in the medical technology and life sciences supply chain should treat this as an urgent operational risk.
NHS England's National Cyber Security Operations Centre (CSOC) has issued alert CC-4802 for a high-severity vulnerability in FFmpeg, one of the most widely used media-processing libraries in the world. The flaw, tracked as CVE-2026-8461 and nicknamed "Pixel Smash," has a CVSSv3 score of 8.8. It sits inside the MagicYUV video decoder in FFmpeg's libavcodec library. An attacker can trigger remote code execution or crash a system simply by getting it to process a specially crafted video file in formats as common as AVI, MKV, and MOV. Because the MagicYUV decoder is enabled by default in every major FFmpeg build and in standard distribution packages for Ubuntu, Debian, Fedora, Arch, and Alpine, the flaw is present in almost every installation prior to version 8.1.2.
What makes this particularly dangerous is that exploitation can happen without any user clicking anything. Many applications process media files automatically, generating thumbnails, building previews, or ingesting video into a pipeline, meaning a malicious file sent to a system could trigger the attack silently. A proof-of-concept exploit has been published, and NHS CSOC rates exploitation as likely. Affected products include Jellyfin, Nextcloud, the desktop media players mpv and Kodi, OBS Studio, Emby, Immich, PhotoPrism, ffmpegthumbnailer (used in Linux desktop environments), and any cloud or AI pipeline that processes video via FFmpeg.
FFmpeg is embedded in a very large number of applications across the NHS and digital health environments. Any system that handles video files is likely to use FFmpeg or a library that depends on it: telehealth platforms, digital pathology tools, medical imaging viewers, collaboration platforms, and even file servers that auto-generate thumbnails. The fact that exploitation requires no user interaction is particularly serious: an attacker could send a malicious video file to a shared drive, a media upload endpoint, or a clinical image repository and trigger code execution without anyone opening it. NHS suppliers and digital health organisations should not assume that because they do not run FFmpeg directly, they are safe; the library is embedded in many third-party products, and those products may not patch immediately. NHS CSOC has assessed exploitation as likely due to the public proof-of-concept.
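The alert gives two facts that can be turned into a repeatable check: the fix shipped in FFmpeg 8.1.2, and the bug lives in the MagicYUV decoder. The script below is an added example, not code from the NHS CSOC alert or from Periculo; it classifies a build from the output of ffmpeg -version and ffmpeg -decoders, and the sample outputs it ships with are constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not from the NHS CSOC alert or the Periculo report: classify an FFmpeg build
# for CVE-2026-8461 using two facts from the alert: the fix shipped in 8.1.2, and the affected
# code is the MagicYUV decoder in libavcodec, so a build without that decoder lacks the bug.
FIXED_VERSION="8.1.2"

# version_lt A B: succeed if dotted version A is older than B, comparing numerically field by
# field. Distribution suffixes such as "7.1.1-1ubuntu1" are stripped; missing fields count as 0.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s.0.0' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        b=$(printf '%s.0.0' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        [ "${a:-0}" -lt "${b:-0}" ] && return 0
        [ "${a:-0}" -gt "${b:-0}" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# assess VERSION_TEXT DECODERS_TEXT: given the captured output of `ffmpeg -version` and
# `ffmpeg -decoders`, print version-unknown, decoder-disabled, vulnerable or patched.
assess() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^ffmpeg version \([^ ]*\).*/\1/p' | sed 's/^[^0-9]*//')
    if [ -z "$ver" ]; then
        echo "version-unknown"      # could not parse a version: do not assume safe
    elif ! printf '%s\n' "$2" | grep -Eq '[[:space:]]magicyuv([[:space:]]|$)'; then
        echo "decoder-disabled"     # MagicYUV not compiled in: the vulnerable code path is absent
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "vulnerable"           # decoder present and build predates the fix
    else
        echo "patched"
    fi
}

# Constructed sample outputs (not captured from a real host) so the check runs offline.
OLD_BUILD='ffmpeg version 7.1.1-1ubuntu1 Copyright (c) 2000-2025 the FFmpeg developers'
NEW_BUILD='ffmpeg version n8.1.2 Copyright (c) 2000-2026 the FFmpeg developers'
DECODERS_WITH='Decoders:
 VFS..D magicyuv             MagicYUV video'
DECODERS_WITHOUT='Decoders:
 V....D rawvideo             raw video'

# On a real host, feed the live command output instead of the samples.
if command -v ffmpeg >/dev/null 2>&1; then
    echo "this host: $(assess "$(ffmpeg -version 2>/dev/null)" "$(ffmpeg -decoders 2>/dev/null)")"
fi
```

A "patched" result only covers the ffmpeg binary on the PATH; applications that bundle their own copy of libavcodec need the same check run against that copy.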
To check whether a system has the affected decoder enabled, run:

ffmpeg -decoders 2>/dev/null | grep magicyuv

If the output includes a line such as VFS..D magicyuv on a build older than 8.1.2, the system is vulnerable.

Want help staying ahead of threats like these? Contact Periculo about our Threat Intelligence services and find out how we support UK digital health organisations, healthtechs, and NHS suppliers with practical, hands-on cybersecurity assurance.