This brief covers the trailing ~48 hours (June 24–26, 2026). Every item below was verified against its primary source — CISA KEV alerts, vendor advisories, and original vendor research — with disclosure or exploitation activity confirmed inside the window.

Ubiquiti UniFi OS unauthenticated RCE chain exploited as zero-days, added to CISA KEV

CISA / Ubiquiti · June 23, 2026

CISA added three maximum-severity Ubiquiti UniFi OS flaws to its Known Exploited Vulnerabilities catalog: CVE-2026-34908 (improper access control, CVSS 10.0), CVE-2026-34909 (path traversal), and CVE-2026-34910 (improper input validation/command injection, CVSS 10.0). Chained together, they give a remote, unauthenticated, network-adjacent attacker code execution on UniFi OS devices. Ubiquiti shipped fixes in UniFi OS Server 5.0.8 on May 21 without acknowledging in-the-wild abuse, but users reported attacks that created rogue administrator accounts under the username “John Sim,” and BishopFox published an analysis of the unauthenticated RCE chain. CISA ordered federal agencies to patch by June 26 under BOD 26-04.

“We confirmed the bypass against a live [UniFi OS version] 5.0.6 virtual machine. Requests built this way reached internal backends that are supposed to require authentication.” — BishopFox

Source: CISA KEV alert; Ubiquiti Security Advisory Bulletin 064; BishopFox analysis; SecurityWeek

Lantronix EDS5000 command injection added to CISA KEV alongside the Ubiquiti flaws

CISA / Lantronix · June 23, 2026

CISA added CVE-2025-67038 (CVSS 9.8), an unauthenticated OS command-injection flaw in the Lantronix EDS5000 serial-to-IP converter, to the KEV catalog in the same update. The HTTP RPC module fails to sanitize the username parameter before concatenating it into a shell command used to log failed authentication attempts, allowing arbitrary OS commands to run with root privileges. The bug was originally disclosed in April as part of the BRIDGE:BREAK set of Lantronix and Silex vulnerabilities affecting OT and healthcare environments; it now carries the same June 26 federal patch deadline.

Source: CISA KEV alert; CVE.org record; SecurityWeek

Cisco Unified CM WebDialer SSRF (CVE-2026-20230) seen exploited in the wild

Cisco / Defused Cyber · June 24, 2026

Researchers reported active exploitation of CVE-2026-20230 (CVSS 8.6), an unauthenticated server-side request forgery flaw in Cisco Unified Communications Manager that can be used to write files and ultimately escalate to root. Cisco previously rated the issue Critical and confirmed public proof-of-concept code; exploitation is only possible where the WebDialer service is enabled, which is off by default. Cisco PSIRT had not confirmed in-the-wild abuse, and the flaw was not yet listed in CISA KEV at the time of reporting. Cisco recommends disabling WebDialer until patches (14SU6, 15SU5/COP1) are applied.

“Over the weekend we observed exploitation of CVE-2026-20230 – Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6)… This is currently being exploited from a single source using an unvetted PoC, with genuinely-formatted file:// file-write payloads landing on our decoys.” — Defused (@DefusedCyber)

Source: Cisco advisory; Security Affairs

Mandiant: Cisco Catalyst SD-WAN zero-day (CVE-2026-20245) exploited months before disclosure

Google Mandiant / Cisco · June 25, 2026

Mandiant disclosed that an unknown threat actor exploited CVE-2026-20245 (CVSS 7.8) in Cisco Catalyst SD-WAN Manager as a zero-day at least two months before it was publicly disclosed. The flaw lets an authenticated attacker with netadmin privileges run arbitrary commands as root via a crafted file upload; attackers chained it with earlier authentication-bypass bugs (CVE-2026-20127, CVE-2026-20182) to reach netadmin in the first place. Mandiant observed intrusions against a communications service provider between late 2025 and March 2026, including creation of a rogue “troot” root account and extensive anti-forensic cleanup. Cisco has confirmed active exploitation and released fixes.

“In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider. After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access.” — Mandiant

Source: Mandiant report; Cisco advisory; Security Affairs

This brief covers the trailing ~48 hours (June 24–26, 2026).

Primary sources:

• CISA – Adds Four Known Exploited Vulnerabilities to Catalog (June 23, 2026)
• Ubiquiti – Security Advisory Bulletin 064
• BishopFox – UniFi OS Server unauthenticated RCE chain
• CVE.org – CVE-2025-67038 (Lantronix EDS5000)
• Cisco – Unified CM SSRF advisory (CVE-2026-20230)
• Cisco – Catalyst SD-WAN privilege escalation advisory (CVE-2026-20245)
• Google Mandiant – Zero-day exploitation of Cisco Catalyst SD-WAN Manager

This brief covers the trailing ~48 hours (June 22–24, 2026). Every item below was checked against its primary advisory, vendor statement, or original research before inclusion; CVE IDs are traced to their canonical source. A quiet patch window means the verified, in-window list is short, followed by several active campaigns that are still developing.

Cisco Unified CM WebDialer SSRF (CVE-2026-20230) now exploited in the wild

Cisco / Defused · June 23, 2026

Threat intelligence firm Defused reported active exploitation of CVE-2026-20230, an unauthenticated server-side request forgery flaw in the WebDialer service of Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition. The bug carries a CVSS base score of 8.6 but Cisco assigns it a Security Impact Rating of Critical because successful exploitation can write arbitrary files and escalate to root. Cisco shipped fixes on June 3; proof-of-concept code from SSD Secure is now public, and the observed activity to date appears to be reconnaissance-style scanning from a single IP. It is not yet listed in CISA KEV.

“Over the weekend we observed exploitation of CVE-2026-20230 — Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6). No previously recorded exploitation, and not yet listed in CISA KEV.” — Defused

Source: Cisco advisory (cisco-sa-cucm-ssrf-cXPnHcW) · SSD Secure write-up · BleepingComputer

LastPass confirms data theft in Klue / “Icarus” Salesforce supply-chain breach

LastPass / Klue · June 23, 2026

LastPass confirmed that customer support-case and CRM records were stolen from its Salesforce environment through the breach at market-intelligence vendor Klue, whose integration infrastructure was compromised on June 12 via a legacy credential, allowing attackers to abuse OAuth tokens connecting Klue to customers’ Salesforce instances. The extortion group “Icarus” has publicly claimed the campaign, and the disclosed victim roster has grown to include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. LastPass says its password vaults, product infrastructure, and payment data were not affected; exposed data was limited to Salesforce CRM records such as names, contact details, and support cases.

“On June 12, we identified unauthorized activity affecting a portion of Klue’s integration infrastructure… The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments.” — Jason Smith, CEO, Klue

Source: Klue security incident update · TechCrunch · BleepingComputer

Still developing

F5 ships out-of-band patches for critical NGINX RCE flaws (CVE-2026-42530, CVE-2026-42055)

F5 · June 17, 2026 (updated June 22)

F5 issued out-of-band fixes for two critical NGINX Open Source vulnerabilities, each rated CVSS v4 9.2. CVE-2026-42530 is a use-after-free in the HTTP/3 QUIC module (ngx_http_v3_module); CVE-2026-42055 is a heap-based buffer overflow in the HTTP/2 proxy/gRPC path (ngx_http_proxy_v2_module and ngx_http_grpc_module). Both are remotely triggerable by unauthenticated attackers on non-default configurations and can lead to denial of service or code execution. Fixes are in NGINX Open Source 1.31.2, NGINX Plus 37.0.2.1, and NGINX Gateway Fabric 2.6.4. No confirmed in-the-wild exploitation has been reported.

Source: F5 advisory (K000161616) · The Hacker News · BleepingComputer

“FortiBleed” leak exposes credentials for ~73,000 Fortinet FortiGate devices

Security researcher Bob Diachenko · June 17, 2026

Researcher Bob Diachenko disclosed an exposed dataset, dubbed FortiBleed, containing valid VPN credentials and configuration data for roughly 73,932 internet-facing FortiGate firewalls across 194 countries — estimated at about half of all internet-reachable FortiGate devices. The underlying weakness stems from FortiOS storing administrator passwords as weak SHA-256 hashes after upgrades until an admin re-authenticates, which attackers cracked offline at scale. Affected organizations span banking, telecom, healthcare, and critical infrastructure. This is a credential-exposure campaign rather than a single CVE.

Source: BleepingComputer · SecurityWeek

Microsoft attributes Mastra AI npm supply-chain compromise to North Korea’s Sapphire Sleet

Microsoft · June 20, 2026

Microsoft attributed the compromise of more than 140 packages in the @mastra npm scope to the North Korean state actor Sapphire Sleet (BlueNoroff). Attackers hijacked the maintainer account “ehindero” and injected a malicious typosquat dependency, “easy-day-js,” whose post-install hook deployed a cross-platform information stealer targeting credentials, API keys, and 166 cryptocurrency wallet extensions on Windows, Linux, and macOS.

“Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector.” — Microsoft

Source: Microsoft Threat Intelligence · BleepingComputer

This brief covers the trailing ~48 hours (June 22–24, 2026).

Primary sources: Cisco PSIRT (CVE-2026-20230) · SSD Secure · Klue · F5 (CVE-2026-42530 / CVE-2026-42055) · Microsoft Threat Intelligence

This brief covers the trailing ~48 hours (June 18–20, 2026). No new vulnerabilities, advisories, or KEV entries surfaced from authoritative primary sources inside that window — a quiet stretch following last week’s heavy Patch Tuesday cycle. Rather than pad with unverified or stale items, the section below tracks the most significant campaigns from the preceding days that remain active, each presented with its true disclosure date and traced to its primary source.

Still developing

Oracle PeopleSoft zero-day exploited for unauthenticated RCE (CVE-2026-35273)

Oracle Security Alert · June 11, 2026

Oracle issued an out-of-cycle Security Alert for CVE-2026-35273, a critical flaw in PeopleSoft Enterprise PeopleTools (versions 8.61 and 8.62) carrying a CVSS base score of 9.8. The bug is remotely exploitable without authentication and can result in remote code execution. It was exploited as a zero-day in ShinyHunters data-theft attacks; Mandiant (Google Threat Intelligence) confirmed exploitation and notified more than 100 organizations, 68% of them in the higher-education sector. Oracle released emergency mitigations with a full patch to follow. Not yet listed in CISA KEV at the time of writing.

“This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.” — Oracle Security Alert advisory

Source: Oracle Security Alert (CPU187) · Mandiant / Google Threat Intelligence · BleepingComputer

Microsoft June Patch Tuesday: Exchange Server zero-day exploited in the wild (CVE-2026-42897)

Microsoft (MSRC) · June 9, 2026

Microsoft’s June 2026 Patch Tuesday addressed 200 flaws, including six zero-days — five publicly disclosed and one exploited in attacks. The actively exploited issue is CVE-2026-42897, a Microsoft Exchange Server spoofing vulnerability affecting Exchange 2016, 2019, and Subscription Edition that lets an attacker execute JavaScript in a target’s browser via Outlook Web Access. The publicly disclosed zero-days include BitLocker bypasses (“YellowKey,” “bitskrieg”) and the “GreenPlasma” and “Mini-Plasma” elevation-of-privilege flaws. Administrators should prioritize the Exchange update.

“Today is Microsoft’s June 2026 Patch Tuesday, with security updates for 200 flaws, including five publicly disclosed zero-day vulnerabilities and one actively exploited in attacks.” — BleepingComputer

Source: Microsoft MSRC advisory (CVE-2026-42897) · BleepingComputer

Microsoft Defender “RoguePlanet” PoC grants SYSTEM on fully patched Windows (no patch)

BleepingComputer / Nightmare Eclipse · June 9, 2026

Hours after Patch Tuesday, the researcher known as Nightmare Eclipse released a proof-of-concept exploit dubbed “RoguePlanet” targeting a Microsoft Defender race-condition flaw. It spawns a command prompt with SYSTEM privileges on fully patched Windows 10 and Windows 11 systems. No CVE has been assigned and no patch was available at disclosure; Microsoft says it is investigating. Cybersecurity firm ThreatLocker independently reproduced the exploit against fully patched Windows 11 (build with KB5094126). Application allowlisting is cited as an effective mitigation.

“Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack.” — Danny Jenkins, CEO, ThreatLocker

Source: BleepingComputer

CISA adds Joomla Content Editor flaw to KEV (CVE-2026-48907)

CISA · June 16, 2026

CISA added CVE-2026-48907, an improper access control vulnerability in the Widget Factory Joomla Content Editor (JCE) extension, to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The addition sets a remediation deadline for federal civilian agencies under BOD 22-01 and is a strong signal for any organization running the affected Joomla extension to patch or mitigate. KEV status: listed.

Source: CISA alert · CISA KEV catalog

This brief covers the trailing ~48 hours (June 18–20, 2026).

Primary sources:

• Oracle Security Alert — CVE-2026-35273
• Microsoft MSRC — CVE-2026-42897
• Mandiant / Google Threat Intelligence
• CISA KEV addition — CVE-2026-48907
• CISA Known Exploited Vulnerabilities catalog