Top Cyber Security Vulnerabilities – June 2026 Roundup

Top-CVEs-Roundup-June-2026

June 2026 was defined by a new enforcement regime colliding with an old credential problem: CISA’s Binding Operational Directive 26-04 replaced its flat six-month patching rule with a tiered, risk-based framework on June 11, and immediately put it to the test with 23 Known Exploited Vulnerabilities catalog additions in 30 days, several carrying three-day remediation windows for systems that grant total control post-exploitation. At the same time, the month’s most damaging story wasn’t a new CVE at all, it was FortiBleed, a credential-harvesting campaign that surfaced roughly 74,000 working Fortinet firewall logins built from years of unrotated administrator passwords surviving version upgrades rather than from any single new flaw. The disclosures that did carry CVE numbers hit remote support tooling, enterprise VoIP, industrial product lifecycle platforms, ERP payment processing, and network management infrastructure, each exploited within days or weeks of patches becoming available. June was not a month where new zero-days did the damage, it was a month where the gap between patching and actually closing exposure did.

What We'll Cover

SimpleHelp RMM Authentication Bypass (CVE-2026-48558)

Overview

SimpleHelp is a remote support and RMM platform that managed service providers and internal IT teams use to reach and control customer or employee endpoints, and when an administrator enables OpenID Connect login, typically to hand authentication off to Azure AD or another identity provider, the server accepts identity tokens submitted during login without verifying their cryptographic signature. That gap lets a remote, unauthenticated attacker forge a token containing arbitrary identity claims and obtain a fully authenticated technician session, and because technician access in SimpleHelp carries remote code execution, file transfer, and administrative control over every endpoint the server manages, a single forged login can hand an attacker reach across an entire MSP’s client base rather than just the RMM server itself, the kind of third-party risk that makes RMM platforms attractive targets in the first place.

Severity and Score

Critical | CVSS 10.0

Type

Improper Verification of a Cryptographic Signature (CWE-347)

Disclosure

June 12, 2026 Included in the CISA Known Exploited Vulnerabilities catalog (added June 29, 2026)

Exploitation Status

Horizon3.ai discovered and disclosed the flaw after finding roughly 14,000 internet-facing SimpleHelp servers, about 7.2 percent of them configured with the vulnerable OIDC setup, and Blackpoint Cyber’s Adversary Pursuit Group later documented real-world exploitation chaining the forged login into two previously undocumented malware families, a Node.js loader called TaskWeaver and a credential stealer named Djinn Stealer, targeting cloud and AI provider keys on compromised hosts. No public proof-of-concept has circulated, but the fix predates the CVE, SimpleHelp shipped 5.5.16 and 6.0 RC2 in late May, weeks before the vulnerability was formally published on June 12. CISA’s federal remediation deadline is July 2, 2026.

Mitigation Strategies

Update to SimpleHelp 5.5.16 or 6.0 RC2 or later without delay, and where immediate patching isn’t possible, disable OIDC under Administration > Login Security or restrict Technician login to trusted IP ranges as an interim measure. SimpleHelp application logs aren’t forwarded to external monitoring platforms by default, so administrators should check locally for unexpected Technician account creation under Administration > Technicians with “Show Group Authenticated Users” enabled, since that’s the clearest indicator this bypass was used.

Cisco Unified CM WebDialer SSRF to Root (CVE-2026-20230)

Overview

Cisco Unified Communications Manager runs call control for enterprise voice, video, and messaging deployments that Cisco puts in the tens of millions of users globally, and the vulnerability sits in WebDialer, a click-to-call feature disabled by default but commonly enabled wherever staff place calls from a browser or desktop client. Because Unified CM doesn’t properly validate HTTP requests processed by the WebDialer service, an unauthenticated remote attacker can send a crafted request that triggers server-side request forgery against an internal Apache Axis SOAP service, using that access to write a JSP file into the CUCM Tomcat web directory and ultimately escalate to root on the underlying operating system. Cisco assigned the advisory a Critical Security Impact Rating one tier above what its own 8.6 CVSS score would suggest, specifically because the file-write path leads to full root compromise of the platform managing an organization’s entire voice and video infrastructure.

Severity and Score

Critical | CVSS 8.6

Type

Server-Side Request Forgery (CWE-918)

Disclosure

June 3, 2026 Included in the CISA Known Exploited Vulnerabilities catalog (added June 25, 2026)

Exploitation Status

SSD Secure Disclosure published a technical write-up and working proof-of-concept exploit in early June, and honeypot operator Defused observed scanning for vulnerable WebDialer endpoints escalate into full exploitation on June 24, less than 24 hours after that PoC became public. Defused’s telemetry showed the attack chain deploying a rogue Axis service, writing a first-stage JSP file-writer, then dropping a password-protected command shell lifted directly from the published exploit code. CISA’s KEV addition on June 25 set a June 28 federal remediation deadline, meaning organizations that hadn’t patched by then were already three weeks behind a fix that had been publicly available since June 3.

Mitigation Strategies

Apply Cisco’s fixed release per advisory cisco-sa-cucm-ssrf-cXPnHcW for your Unified CM or Unified CM SME train; Cisco lists no workaround beyond disabling WebDialer entirely through Cisco Unified Serviceability under Service Activation if the feature isn’t operationally required. Organizations that keep WebDialer enabled should restrict access to trusted network ranges and audit Unified CM’s filesystem for unexpected files written under directories the web service account can reach.

PTC Windchill and FlexPLM Deserialization RCE (CVE-2026-12569)

Overview

Windchill and FlexPLM are PTC’s product lifecycle management platforms, used across manufacturing, aerospace, automotive, and retail to manage CAD files, bills of materials, and engineering data from design through retirement, with Windchill alone claiming more than 1.5 million users at customers including Boeing, Lockheed Martin, and BMW. The flaw allows an unauthenticated attacker to submit a specially crafted serialized Java object to an exposed Windchill or FlexPLM endpoint, and because the application server deserializes that object without validating its type against an allowlist, a gadget chain already present in the classpath triggers arbitrary code execution with no credentials or user interaction required. For a platform that holds a company’s engineering intellectual property and manufacturing workflows rather than data that can simply be reissued, compromise doesn’t just mean a breached server, it means exposure of the product itself.

Severity and Score

Critical | CVSS 9.3

Type

Deserialization of Untrusted Data (CWE-502)

Disclosure

June 18, 2026 Included in the CISA Known Exploited Vulnerabilities catalog (added June 25, 2026)

Exploitation Status

PTC confirmed continued reports of heightened threat activity as of June 25, with unidentified attackers deploying JSP web shells into Windchill and FlexPLM environments for persistent access rather than one-off exploitation. Given how concentrated Windchill’s customer base is in defense, aerospace, and automotive supply chains, CISA and sector ISACs are treating the exploitation as an ongoing, targeted concern rather than opportunistic scanning, and organizations in those sectors should assume active targeting rather than wait for direct evidence.

Mitigation Strategies

Apply the patched release referenced in PTC advisory CS473270, fixed in Windchill and FlexPLM 11.0 M030 and later across all CPS versions, and where patching can’t happen immediately, isolate PLM systems from the general network entirely, since PTC’s own guidance is that these platforms should never be internet-reachable without VPN and MFA. A reverse proxy or WAF rule blocking the Java serialization magic bytes in request bodies buys additional time, and administrators should review Windchill and FlexPLM process logs for unexpected child processes spawned under the service account, ideally correlated through a next-gen SIEM rather than checked in isolation.

Oracle E-Business Suite Payments Unauthenticated Takeover (CVE-2026-46817)

Overview

Oracle Payments is the payment-processing module inside E-Business Suite, Oracle’s ERP platform for financial, HR, procurement, and supply chain operations, and the vulnerability lives in the File Transmission component’s ibytransmit endpoint, which fails to authenticate incoming requests before calling an internal Oracle Java function. An unauthenticated attacker with plain HTTP access can redirect that function to compromise Oracle Payments outright, requiring no valid account, no user interaction, and low attack complexity, which is why Oracle itself classifies the flaw as easily exploitable and why its CVSS vector reflects complete loss of confidentiality, integrity, and availability. This CVE belongs in June’s roundup not because of when it was disclosed but because of when it started being used: the patch had been sitting untouched on unpatched systems for a month before anyone weaponized it.

Severity and Score

Critical | CVSS 9.8

Type

Missing Authentication for a Critical Function (CWE-306)

Disclosure

May 28, 2026, patched in Oracle’s May Critical Security Patch Update; first observed exploitation recorded June 27-28, 2026

Exploitation Status

Honeypot operator Defused reported the first confirmed in-the-wild exploitation over the weekend of June 27-28, roughly six weeks after Oracle’s patch shipped and with no public proof-of-concept in circulation, pointing to privately developed exploit tooling rather than a copied script. The activity targeted the ibytransmit endpoint with unauthenticated file-read requests from a single source IP, and Shadowserver’s scanning counts more than 450 internet-exposed EBS instances still reachable. Oracle EBS has a recent history here: the Clop group exploited a separate EBS zero-day, CVE-2025-61882, against multiple US universities and enterprises in 2025, and stolen EBS data has repeatedly been used for extortion rather than ransomware deployment.

Mitigation Strategies

Apply Oracle’s May 2026 Critical Security Patch Update immediately if it hasn’t been applied already, since this isn’t a patch-availability problem but a patch-application one at this point. Restrict EBS web interfaces, particularly the /OA_HTML/ path, to internal networks rather than the public internet, and audit logs for POST requests to /OA_HTML/ibytransmit carrying unusual XML payloads. Any instance that was internet-facing and unpatched past May 28 should be treated as a candidate for incident response rather than routine remediation.

Ubiquiti UniFi OS Unauthenticated Root Compromise Chain (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910)

Overview

UniFi OS runs the management layer behind Ubiquiti’s Cloud Gateways, Network Controllers, Protect NVRs, and related appliances deployed widely across small business and enterprise networks, and three independently rated CVSS 10.0 flaws in the platform chain into a single unauthenticated root compromise. An authentication gateway bug lets a raw HTTP request bypass nginx’s front-door authorization check because the proxy compares an un-normalized URI against a normalized one, routing the attacker to an internal package-update function that runs unsanitized input through a shell wrapper and achieves arbitrary command execution as root, a chain that Bishop Fox independently validated against a live UniFi OS 5.0.6 instance. Because root access exposes the device’s secret store, including signing keys, TLS keys, cloud tokens, and the login database, Ubiquiti’s own remediation guidance treats a compromised device as unrecoverable through patching alone and calls for a clean rebuild from a known-good backup.

Severity and Score

Critical | CVSS 10.0 (all three CVEs)

Type

Improper Access Control (CWE-284), Path Traversal (CWE-22), and Improper Input Validation leading to Command Injection (CWE-20)

Disclosure

May 21, 2026 Included in the CISA Known Exploited Vulnerabilities catalog (added June 23, 2026)

Exploitation Status

Defused’s honeypot telemetry showed attackers chaining the three flaws into remote code execution to distribute malware, and Bishop Fox separately published working proof-of-concept code demonstrating the full chain achieving device takeover. CISA’s KEV addition confirmed active exploitation and imposed a three-day federal remediation deadline under BOD 26-04, one of the tightest windows the new directive produced in its first month of use.

Mitigation Strategies

Update to UniFi OS Server 5.0.8 or later without delay, but given what root access exposes, treat any instance that was running a vulnerable build as compromised rather than simply patched: restore from a known-good backup instead of trusting an in-place update, rotate the unifi-core signing key manually since restoring an update does not rotate it automatically, force-logout all active sessions, and reset database credentials. The UniFi Management console should never be exposed directly to the internet as part of a broader Zero Trust architecture; Ubiquiti’s Remote Site Management service is the supported alternative.

Cisco Catalyst SD-WAN Manager Arbitrary File Write (CVE-2026-20262)

Overview

Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, is the management plane for an organization’s entire SD-WAN fabric, capable of pushing configuration to thousands of edge devices from a single console, and the vulnerability sits in the web UI’s file upload process, which fails to properly validate user-supplied input. An authenticated remote attacker with at least low-privilege write access can send a crafted HTTP request to an affected API endpoint that creates or overwrites arbitrary files on the underlying filesystem, and Cisco’s own advisory notes that the written file can later be used to elevate privileges to root, turning what looks like a routine file-write bug into a path to full management-plane compromise. Because this is the eighth Cisco SD-WAN vulnerability flagged as actively exploited in 2026 alone, some tied to the same APT cluster, an environment already running an older unpatched SD-WAN component may hand an attacker the credentials this flaw still requires.

Severity and Score

Medium | CVSS 6.5

Type

Improper Limitation of a Pathname to a Restricted Directory / Path Traversal (CWE-22)

Disclosure

June 15, 2026 Included in the CISA Known Exploited Vulnerabilities catalog (added June 15, 2026)

Exploitation Status

Cisco discovered the flaw during internal security testing and separately confirmed limited exploitation in the wild, without disclosing further attack detail, which points to a targeted rather than opportunistic operation. Cisco’s advisory lists indicators including suspicious WAR file uploads to the WildFly deployment directory, though the company cautions these may not consistently appear in every incident log. CISA’s KEV addition on June 15 set a June 29 federal remediation deadline, one of several Cisco SD-WAN flaws exploited this year and attributed in part to a threat cluster tracked as UAT-8616.

Mitigation Strategies

Apply Cisco’s fixed release for your Catalyst SD-WAN Manager branch immediately; Cisco states there is no workaround, so upgrading is the only remediation path. Because exploitation requires valid low-privileged credentials, review authentication logs for unexpected login activity and rotate credentials on any account with write access, and audit the WildFly deployment directory and other web-writable paths for unexpected files.

Gitea act_runner Docker Backend Container Escape (CVE-2026-58053)

Overview

Gitea is a popular self-hosted Git platform, and act_runner is its CI/CD pipeline execution engine; when act_runner is configured with a Docker backend, it passes a workflow’s container.options string directly into the Docker job container’s HostConfig without sanitizing it. Even when an administrator sets privileged: false, that setting only forces the Docker Privileged flag off, while other options defined in the workflow, such as –pid=host, –cap-add, and –security-opt, are merged into the container configuration unchanged, so any user who can submit or modify a workflow can request host process namespace access and near-root capabilities and escape the job container to the underlying host as root. Because submitting a workflow is the baseline capability on any CI/CD platform, and public Gitea instances often accept pull requests from untrusted contributors, this flaw turns a routine build job into a host takeover.

Severity and Score

Critical | CVSS 9.9

Type

Improper Privilege Management (CWE-269)

Disclosure

June 28, 2026 (not yet added to the CISA Known Exploited Vulnerabilities catalog at time of writing)

Exploitation Status

The vulnerability was published June 28 with a proof-of-concept exploit already available, and while no confirmed in-the-wild exploitation has been reported yet, the combination of a public PoC, a CVSS 9.9 score, and the low bar for triggering it, mere workflow submission rights, makes opportunistic exploitation likely once attackers start scanning for exposed act_runner Docker backends. A successful escape exposes the CI/CD runner’s credentials, build secrets, and deployment keys, giving an attacker a foothold into whatever infrastructure that pipeline deploys to.

Mitigation Strategies

Upgrade act_runner past the vulnerable act 0.262.0 dependency as soon as a fixed release is available, and in the meantime restrict workflow execution to trusted contributors only or add a manual approval gate before any workflow from an external pull request runs on a Docker-backed runner. Review existing workflow definitions for suspicious container.options values, particularly –pid, –cap-add, –security-opt, –device, and –volume flags, and audit CI/CD runner hosts for unexpected processes or containers that don’t correspond to a known build.

Seven flaws, seven different product categories, and the same underlying pattern: SimpleHelp, Cisco Unified CM, Oracle EBS, Ubiquiti UniFi, and Cisco Catalyst SD-WAN Manager are all default choices in their respective categories, remote support tooling, enterprise VoIP, ERP, network management, and SD-WAN, and attackers keep returning to exactly this kind of infrastructure because it’s treated as plumbing rather than as the front line it actually is, with authentication itself, not just the software wrapped around it, increasingly where these identity-based attacks start. CVE-2026-12569 and CVE-2026-58053 break that pattern in a different direction: PTC Windchill isn’t consumer-adjacent software at all, it’s industrial PLM holding something even harder to replace than a database, a company’s actual engineering intellectual property, while the Gitea act_runner flaw is a reminder that the CI/CD pipeline itself, the thing that builds and deploys everything else, is now squarely a target rather than trusted plumbing.

The CVSS-versus-reality gap this month ran in an unusual direction compared to last month’s roundup. Cisco’s own advisory for CVE-2026-20230 overrode its 8.6 CVSS score with a Critical impact rating, a vendor openly admitting the scoring formula undersold a bug whose real endpoint is root-level compromise. Oracle’s CVE-2026-46817 shows the mismatch running the other way: a maximum 9.8 score sat patched and untouched for a month before anyone exploited it, proof that a high score doesn’t guarantee immediate targeting and that “patch available” is not the same operational state as “patch applied,” a gap that only continuous security testing rather than a one-time scan actually catches.

None of that changes what June’s actual headline story was, and it wasn’t a CVE at all. FortiBleed exposed roughly 74,000 working Fortinet firewall credentials through a known design quirk rather than a fresh zero-day: administrator passwords staying on weak SHA-256 hashes after a FortiOS upgrade until someone manually logs back in and forces a rehash. It’s the same lesson as CVE-2026-46817 in different clothes, that a patch existing isn’t the finish line. Security teams that spent June only tracking KEV deadlines caught half the picture; the other half was sitting in unrotated credentials that a managed SOC watching for authentication and configuration drift would have caught months earlier.

Ready to secure your systems against these risks? Our managed security services can help identify exposure across your patched-but-not-verified infrastructure, close credential and configuration gaps, and strengthen your defenses before attackers exploit them.

Contact us

Partner with Us for Cutting-Edge IT Solutions

We’re happy to answer any questions you may have and help you determine which of our services best fit your needs.

Our Value Proposition
What happens next?
1

We’ll arrange a call at your convenience.

2

We do a discovery and consulting meeting 

3

We’ll prepare a detailed proposal tailored to your requirements.

Schedule a Free Consultation