CISA Flags Exploited Cisco CUCM SSRF and PTC Windchill RCE; JFrog Releases DirtyClone Linux Root Exploit

This brief covers cyber/InfoSec developments from the trailing ~48 hours (June 25–27, 2026). Every item below was confirmed against its primary advisory or the CISA KEV catalog, and only items with a primary-source disclosure inside the window are included.

CISA adds actively exploited Cisco Unified CM SSRF flaw (CVE-2026-20230) to KEV

Cisco · June 25, 2026

CISA added CVE-2026-20230 to its Known Exploited Vulnerabilities catalog on June 25, 2026, with a June 28 remediation deadline for federal agencies. The flaw is a server-side request forgery (CWE-918) vulnerability in Cisco Unified Communications Manager and Unified CM SME, carrying a CVSS 3.1 base score of 8.6 and a Cisco Security Impact Rating of Critical. An unauthenticated, remote attacker can send a crafted HTTP request to write files to the underlying OS and later escalate to root; exploitation requires the WebDialer service, which is disabled by default. Cisco first published the advisory on June 3 and has released fixed software (14SU6, 15SU5/COP1); public PoC code exists and outlets reported in-the-wild exploitation over the weekend prior to the KEV listing.

“A successful exploit could allow the attacker to write files to the underlying operating system that could be used later to elevate to root.” — Cisco Security Advisory cisco-sa-cucm-ssrf-cXPnHcW

Source: Cisco advisory · CISA KEV alert · BleepingComputer

PTC Windchill / FlexPLM RCE (CVE-2026-12569) added to KEV as web-shell attacks continue

PTC · June 25, 2026

CISA also added CVE-2026-12569 to the KEV catalog on June 25, 2026, with a June 28 deadline. The vulnerability is a critical remote code execution flaw (reported CVSS 9.3) in PTC’s Windchill PDMLink and FlexPLM product lifecycle management software, exploitable by an unauthenticated, remote attacker via deserialization/improper input validation. Attackers are dropping persistent JSP web shells (named with 16 hex characters under the Windchill login directory) for remote command execution and data exfiltration. PTC began releasing version-specific patches on June 17 and, in a June 25 update, published new indicators of compromise amid escalating activity. Given Windchill’s deployment across automotive, aerospace, defense, and manufacturing, the flaw poses a notable supply-chain risk.

“Over the last several hours, we’ve received continued reports of heightened threat activity. We urge you to apply all patches and remediations immediately.” — PTC Trust Center advisory, June 25, 2026 update

Source: PTC advisory · CISA KEV alert · The Hacker News
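The brief reports that the web shells dropped on Windchill hosts are JSP files named with exactly 16 hex characters under the login directory. The following is an added example, not PTC's or CISA's code, that scans a directory for that naming pattern (plus a secondary content check for Java exec primitives); the login directory path, the sample files and the content markers are all constructed assumptions.

```python
"""Added example: walk a directory and flag JSP files matching the web-shell
naming pattern reported for the Windchill/FlexPLM intrusions (16 hex chars).
The directory layout and sample files below are constructed, not PTC's."""
import os
import re
import tempfile
from pathlib import Path

# Exactly 16 hex characters plus a .jsp/.jspx extension (pattern from the brief).
SHELL_NAME_RE = re.compile(r"^[0-9a-fA-F]{16}\.jspx?$")
# Secondary content heuristic for Java web shells; a constructed list, not PTC's IoCs.
SUSPICIOUS_CONTENT = (b"Runtime.getRuntime().exec(", b"ProcessBuilder(")


def scan_login_dir(root: str) -> list[dict]:
    """Return one finding per JSP that matches the name pattern or contains an
    exec primitive; callers pass their own Windchill login directory path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            name_match = bool(SHELL_NAME_RE.match(name))
            content_hit = any(marker in data for marker in SUSPICIOUS_CONTENT)
            if name_match or content_hit:
                findings.append({
                    "path": os.path.relpath(path, root),
                    "name_match": name_match,
                    "content_hit": content_hit,
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Create a constructed directory that mimics a login folder: one
    16-hex-named JSP, one JSP containing an exec fragment, and benign files."""
    root = tempfile.mkdtemp(prefix="windchill_login_")
    samples = {
        "login.jsp": b"<%@ page language=\"java\" %><html>login form</html>",
        "3fa9c1d2e4b5a6f7.jsp": b"<html>content looks harmless, name matches</html>",
        "helper.jsp": b"<% /* fragment only */ Runtime.getRuntime().exec( ... ); %>",
        "images/logo.png": b"\x89PNG\r\n\x1a\n",
    }
    for rel, content in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root


if __name__ == "__main__":
    for finding in scan_login_dir(build_sample_tree()):
        print(finding)
```

A name match alone is worth investigating even when the content check is clean, since the shell body can be obfuscated; treat the content markers as a supplement, not the primary signal.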

JFrog publishes working “DirtyClone” Linux kernel root exploit (CVE-2026-43503)

JFrog Security Research · June 25, 2026

JFrog Security Research published a full exploit walkthrough on June 25, 2026 for CVE-2026-43503, a high-severity (CVSS 8.8) local privilege escalation in the Linux kernel they dubbed “DirtyClone,” the first public demonstration for this DirtyFrag-family variant. The bug lives in the XFRM/IPsec path: cloning via __pskb_copy_fclone() drops the SKBFL_SHARED_FRAG safety flag, letting in-place IPsec decryption overwrite file-backed page-cache memory (e.g., patching /usr/bin/su in RAM) to gain root. Any local user able to acquire CAP_NET_ADMIN—often via unprivileged user namespaces—can exploit it, making multi-tenant cloud, Kubernetes, and container hosts the highest-risk environments. The fix was merged to mainline on May 21 (v7.1-rc5); Debian, Ubuntu, and Fedora are confirmed affected absent the full patch chain. No in-the-wild exploitation has been reported.

“The severity of this issue is significant because it allows any unprivileged local user to gain root access (LPE) by manipulating the Linux page cache. The attack is silent, leaves no kernel logs or audit traces, and bypasses common on-disk integrity monitoring tools.” — JFrog Security Research

Source: JFrog Security Research · CVE.org



OpenAI Previews the GPT-5.6 Family (Sol, Terra, Luna) and Grok Integrates With Interactive Brokers

This brief covers the trailing ~72 hours (June 25–28, 2026). Every item below was confirmed on the originating organization’s own page, with a published date inside the window. It was a quieter stretch than last week, led by OpenAI’s next-generation model preview and a notable new finance integration from xAI.

OpenAI previews the GPT-5.6 family: Sol, Terra, and Luna

OpenAI · June 26, 2026

OpenAI began a limited preview of a new model generation: GPT-5.6 Sol (its flagship), Terra (a balanced everyday model OpenAI says matches GPT-5.5 at 2x lower cost), and Luna (its fastest, most affordable tier). The release pairs stronger coding, biology, and cybersecurity capabilities with what OpenAI calls its most robust safety stack to date, including a new max reasoning effort and an ultra mode that uses subagents. Notably, the rollout is gated: at the U.S. government’s request, the models are starting with a small group of trusted partners via the API and Codex before broader availability, and are not in ChatGPT during the preview. Pricing runs from Luna at $1/$6 per million input/output tokens up to Sol at $5/$30.

“We don’t believe this kind of government access process should become the long-term default. It keeps the best tools from users, developers, enterprises, cyber defenders, and global partners who need them.” — OpenAI

Source: Previewing GPT-5.6 Sol: a next-generation model

Grok integrates with Interactive Brokers

xAI · June 25, 2026

xAI announced that Interactive Brokers now integrates with Grok, letting clients link an existing IBKR account to Grok at no cost and without opening a new account. Once connected, users can ask Grok to analyze their portfolio, run scenario models for sector and regional exposure, research market trends, and build trading strategies that generate order instructions in real time. The integration is set up through a connector inside Grok that redirects to Interactive Brokers’ login for authorization.

“From portfolio analysis to order instructions, these tools unify data, insight, and action so you can move from idea to decision instantly.” — xAI

Source: Explore the markets with Interactive Brokers and Grok

Still developing

Mistral OCR 4 · Mistral AI · June 23, 2026 — Just ahead of this window, Mistral released OCR 4, its latest document-intelligence model, adding bounding boxes, block classification, and inline confidence scores alongside extracted text, with support for 170 languages and single-container self-hosting. Source: Introducing Mistral OCR 4.



Exploited Ubiquiti UniFi OS and Lantronix Flaws Hit CISA KEV; Cisco CUCM and SD-WAN Bugs Under Active Attack

This brief covers the trailing ~48 hours (June 24–26, 2026). Every item below was verified against its primary source — CISA KEV alerts, vendor advisories, and original vendor research — with disclosure or exploitation activity confirmed inside the window.

Ubiquiti UniFi OS unauthenticated RCE chain exploited as zero-days, added to CISA KEV

CISA / Ubiquiti · June 23, 2026

CISA added three maximum-severity Ubiquiti UniFi OS flaws to its Known Exploited Vulnerabilities catalog: CVE-2026-34908 (improper access control, CVSS 10.0), CVE-2026-34909 (path traversal), and CVE-2026-34910 (improper input validation/command injection, CVSS 10.0). Chained together, they give a remote, unauthenticated, network-adjacent attacker code execution on UniFi OS devices. Ubiquiti shipped fixes in UniFi OS Server 5.0.8 on May 21 without acknowledging in-the-wild abuse, but users reported attacks that created rogue administrator accounts under the username “John Sim,” and BishopFox published an analysis of the unauthenticated RCE chain. CISA ordered federal agencies to patch by June 26 under BOD 26-04.

“We confirmed the bypass against a live [UniFi OS version] 5.0.6 virtual machine. Requests built this way reached internal backends that are supposed to require authentication.” — BishopFox

Source: CISA KEV alert; Ubiquiti Security Advisory Bulletin 064; BishopFox analysis; SecurityWeek

Lantronix EDS5000 command injection added to CISA KEV alongside the Ubiquiti flaws

CISA / Lantronix · June 23, 2026

CISA added CVE-2025-67038 (CVSS 9.8), an unauthenticated OS command-injection flaw in the Lantronix EDS5000 serial-to-IP converter, to the KEV catalog in the same update. The HTTP RPC module fails to sanitize the username parameter before concatenating it into a shell command used to log failed authentication attempts, allowing arbitrary OS commands to run with root privileges. The bug was originally disclosed in April as part of the BRIDGE:BREAK set of Lantronix and Silex vulnerabilities affecting OT and healthcare environments; it now carries the same June 26 federal patch deadline.

Source: CISA KEV alert; CVE.org record; SecurityWeek

Cisco Unified CM WebDialer SSRF (CVE-2026-20230) seen exploited in the wild

Cisco / Defused Cyber · June 24, 2026

Researchers reported active exploitation of CVE-2026-20230 (CVSS 8.6), an unauthenticated server-side request forgery flaw in Cisco Unified Communications Manager that can be used to write files and ultimately escalate to root. Cisco previously rated the issue Critical and confirmed public proof-of-concept code; exploitation is only possible where the WebDialer service is enabled, which is off by default. Cisco PSIRT had not confirmed in-the-wild abuse, and the flaw was not yet listed in CISA KEV at the time of reporting. Cisco recommends disabling WebDialer until patches (14SU6, 15SU5/COP1) are applied.

“Over the weekend we observed exploitation of CVE-2026-20230 – Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6)… This is currently being exploited from a single source using an unvetted PoC, with genuinely-formatted file:// file-write payloads landing on our decoys.” — Defused (@DefusedCyber)

Source: Cisco advisory; Security Affairs

Mandiant: Cisco Catalyst SD-WAN zero-day (CVE-2026-20245) exploited months before disclosure

Google Mandiant / Cisco · June 25, 2026

Mandiant disclosed that an unknown threat actor exploited CVE-2026-20245 (CVSS 7.8) in Cisco Catalyst SD-WAN Manager as a zero-day at least two months before it was publicly disclosed. The flaw lets an authenticated attacker with netadmin privileges run arbitrary commands as root via a crafted file upload; attackers chained it with earlier authentication-bypass bugs (CVE-2026-20127, CVE-2026-20182) to reach netadmin in the first place. Mandiant observed intrusions against a communications service provider between late 2025 and March 2026, including creation of a rogue “troot” root account and extensive anti-forensic cleanup. Cisco has confirmed active exploitation and released fixes.

“In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider. After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access.” — Mandiant

Source: Mandiant report; Cisco advisory; Security Affairs



OpenAI and Broadcom Unveil the ‘Jalapeño’ Inference Chip, Anthropic Launches Claude Tag for Slack, and New Data on Codex Taking Over Knowledge Work

This brief covers the trailing ~72 hours (June 23–26, 2026). Every item below was confirmed on the originating organization’s own page, with a published date inside the window. It was a busy stretch led by OpenAI — a custom inference chip, a new economic-research paper, and a science case study — alongside Anthropic shipping a new way to work with Claude.

OpenAI and Broadcom unveil “Jalapeño,” a custom LLM inference chip

OpenAI · June 24, 2026

OpenAI and Broadcom unveiled Jalapeño, OpenAI’s first Intelligence Processor: an accelerator designed from scratch for LLM inference and the first chip in a multi-generation compute platform the two companies are building together. OpenAI says the program went from initial design to manufacturing tape-out in nine months — what it believes is the fastest ASIC development cycle ever for a high-performance advanced semiconductor — with parts of the design accelerated by OpenAI’s own models. Engineering samples are already running ML workloads in the lab, and the platform is targeted for initial deployment at gigawatt scale by the end of 2026.

“Jalapeño is part of our long-term full-stack infrastructure strategy to make compute more abundant, resulting in AI which is faster, more reliable, more affordable for people and businesses, and can be used to solve more important problems.” — Greg Brockman, President and Co-Founder, OpenAI

Source: OpenAI and Broadcom unveil LLM-optimized inference chip

Anthropic introduces Claude Tag, starting on Slack

Anthropic · June 23, 2026

Anthropic launched Claude Tag, a way for teams to delegate work to Claude as a member of a Slack channel. Anyone in a channel can tag @Claude to hand off a task, and the model builds context over time, takes initiative when “ambient” behavior is enabled, and can work asynchronously over hours or days with tightly scoped, admin-controlled access to tools and data. It runs on Opus 4.8, is available today in beta for Claude Enterprise and Team customers, and replaces the existing Claude in Slack app.

“Tagging @Claude is now one of the main ways we get things done at Anthropic. Today, 65% of our product team’s code is created by our internal version of Claude Tag.” — Anthropic

Source: Introducing Claude Tag

OpenAI publishes economic-research paper on Codex adoption

OpenAI · June 25, 2026

OpenAI released an Economic Research paper, “The shift to agentic AI: evidence from Codex,” documenting how agentic tools are changing knowledge work. The company reports that by May 2026, 80.6% of sampled individual Codex users made at least one request estimated to exceed 30 minutes of human work and 25.6% made one estimated to exceed eight hours. Internally, Codex has become the primary AI tool for every department — including Legal, Finance, and Recruiting — and non-developer adoption grew 137x among individual users since August 2025.

“As the tools improve, people use them for longer, more complex, and more cross-functional work. As time goes on, this is likely to be what the future of work looks like.” — OpenAI

Source: How agents are transforming work

OpenAI details how GPT-5 helped solve a 3-year-old immunology mystery

OpenAI · June 23, 2026

OpenAI published a case study on immunologist Derya Unutmaz of The Jackson Laboratory, who used GPT-5 Pro to revisit a shelved 2022 experiment on how glucose shapes T-cell development. The model proposed a mechanism — that deoxyglucose interferes with the protein IL-2, removing a barrier to T cells becoming inflammatory Th17 cells — and, in a separate test, correctly predicted the result of an unpublished experiment on lymphoma-killing CD8+ cells. OpenAI notes that subject-matter expertise remains essential to judge the significance of any AI-generated insight.

“GPT-5 came up with this really remarkable insight that retrospectively, makes perfect sense.” — Dr. Derya Unutmaz, The Jackson Laboratory and the University of Connecticut

Source: How GPT-5 helped immunologist Derya Unutmaz solve a 3-year-old mystery



Cisco Unified CM SSRF-to-Root Exploited, LastPass Caught in Klue Salesforce Breach, and Critical NGINX RCE Flaws

This brief covers the trailing ~48 hours (June 22–24, 2026). Every item below was checked against its primary advisory, vendor statement, or original research before inclusion; CVE IDs are traced to their canonical source. A quiet patch window means the verified, in-window list is short, followed by several active campaigns that are still developing.

Cisco Unified CM WebDialer SSRF (CVE-2026-20230) now exploited in the wild

Cisco / Defused · June 23, 2026

Threat intelligence firm Defused reported active exploitation of CVE-2026-20230, an unauthenticated server-side request forgery flaw in the WebDialer service of Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition. The bug carries a CVSS base score of 8.6 but Cisco assigns it a Security Impact Rating of Critical because successful exploitation can write arbitrary files and escalate to root. Cisco shipped fixes on June 3; proof-of-concept code from SSD Secure is now public, and the observed activity to date appears to be reconnaissance-style scanning from a single IP. It is not yet listed in CISA KEV.

“Over the weekend we observed exploitation of CVE-2026-20230 — Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6). No previously recorded exploitation, and not yet listed in CISA KEV.” — Defused

Source: Cisco advisory (cisco-sa-cucm-ssrf-cXPnHcW) · SSD Secure write-up · BleepingComputer

LastPass confirms data theft in Klue / “Icarus” Salesforce supply-chain breach

LastPass / Klue · June 23, 2026

LastPass confirmed that customer support-case and CRM records were stolen from its Salesforce environment through the breach at market-intelligence vendor Klue, whose integration infrastructure was compromised on June 12 via a legacy credential, allowing attackers to abuse OAuth tokens connecting Klue to customers’ Salesforce instances. The extortion group “Icarus” has publicly claimed the campaign, and the disclosed victim roster has grown to include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. LastPass says its password vaults, product infrastructure, and payment data were not affected; exposed data was limited to Salesforce CRM records such as names, contact details, and support cases.

“On June 12, we identified unauthorized activity affecting a portion of Klue’s integration infrastructure… The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments.” — Jason Smith, CEO, Klue

Source: Klue security incident update · TechCrunch · BleepingComputer

Still developing

F5 ships out-of-band patches for critical NGINX RCE flaws (CVE-2026-42530, CVE-2026-42055)

F5 · June 17, 2026 (updated June 22)

F5 issued out-of-band fixes for two critical NGINX Open Source vulnerabilities, each rated CVSS v4 9.2. CVE-2026-42530 is a use-after-free in the HTTP/3 QUIC module (ngx_http_v3_module); CVE-2026-42055 is a heap-based buffer overflow in the HTTP/2 proxy/gRPC path (ngx_http_proxy_v2_module and ngx_http_grpc_module). Both are remotely triggerable by unauthenticated attackers on non-default configurations and can lead to denial of service or code execution. Fixes are in NGINX Open Source 1.31.2, NGINX Plus 37.0.2.1, and NGINX Gateway Fabric 2.6.4. No confirmed in-the-wild exploitation has been reported.

Source: F5 advisory (K000161616) · The Hacker News · BleepingComputer

“FortiBleed” leak exposes credentials for ~73,000 Fortinet FortiGate devices

Security researcher Bob Diachenko · June 17, 2026

Researcher Bob Diachenko disclosed an exposed dataset, dubbed FortiBleed, containing valid VPN credentials and configuration data for roughly 73,932 internet-facing FortiGate firewalls across 194 countries — estimated at about half of all internet-reachable FortiGate devices. The underlying weakness stems from FortiOS storing administrator passwords as weak SHA-256 hashes after upgrades until an admin re-authenticates, which attackers cracked offline at scale. Affected organizations span banking, telecom, healthcare, and critical infrastructure. This is a credential-exposure campaign rather than a single CVE.

Source: BleepingComputer · SecurityWeek

Microsoft attributes Mastra AI npm supply-chain compromise to North Korea’s Sapphire Sleet

Microsoft · June 20, 2026

Microsoft attributed the compromise of more than 140 packages in the @mastra npm scope to the North Korean state actor Sapphire Sleet (BlueNoroff). Attackers hijacked the maintainer account “ehindero” and injected a malicious typosquat dependency, “easy-day-js,” whose post-install hook deployed a cross-platform information stealer targeting credentials, API keys, and 166 cryptocurrency wallet extensions on Windows, Linux, and macOS.

“Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector.” — Microsoft

Source: Microsoft Threat Intelligence · BleepingComputer
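The brief describes a compromised npm scope (@mastra), a typosquat dependency ("easy-day-js") and a malicious post-install hook. The following is an added example, not Microsoft's or Mastra's code, that audits a package-lock.json (lockfile v2/v3) for those three indicators; npm records install hooks in the lockfile as hasInstallScript. The lockfile and its versions are constructed placeholders.

```python
"""Added example: audit an npm package-lock.json (lockfile v2/v3) for the
indicators the brief names: packages in the @mastra scope, the "easy-day-js"
typosquat, and any dependency with an install hook (recorded by npm as
hasInstallScript). The lockfile below is constructed; versions are placeholders."""
import json

COMPROMISED_SCOPE = "@mastra/"
TYPOSQUAT = "easy-day-js"


def package_name(path: str, meta: dict) -> str:
    """Derive the package name from a lockfile 'packages' key such as
    'node_modules/@mastra/core/node_modules/easy-day-js'."""
    return meta.get("name") or path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict) -> dict:
    packages = lock.get("packages")
    if not packages:
        raise ValueError("expected lockfile v2/v3 with a 'packages' map (npm 7+)")
    report = {"mastra_packages": [], "typosquat": [], "install_scripts": []}
    for path, meta in packages.items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = package_name(path, meta)
        spec = f"{name}@{meta.get('version', '?')}"
        if name.startswith(COMPROMISED_SCOPE):
            report["mastra_packages"].append(spec)
        if name == TYPOSQUAT:
            report["typosquat"].append(path)
        if meta.get("hasInstallScript"):
            report["install_scripts"].append(spec)
        # Also catch the typosquat when it is only declared, not yet installed.
        if TYPOSQUAT in meta.get("dependencies", {}):
            report["typosquat"].append(f"{path} declares {TYPOSQUAT}")
    return report


def is_affected(report: dict) -> bool:
    """True when the lockfile references the compromised scope or the typosquat."""
    return bool(report["mastra_packages"] or report["typosquat"])


# Constructed lockfile; package versions are placeholders, not the compromised ones.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "dependencies": {"@mastra/core": "0.0.0-example"}},
    "node_modules/@mastra/core": {"version": "0.0.0-example",
      "dependencies": {"easy-day-js": "0.0.0-example"}},
    "node_modules/@mastra/core/node_modules/easy-day-js": {
      "version": "0.0.0-example", "hasInstallScript": true},
    "node_modules/lodash": {"version": "0.0.0-example"},
    "node_modules/native-addon-example": {"version": "0.0.0-example",
      "hasInstallScript": true}
  }
}""")


if __name__ == "__main__":
    print(json.dumps(audit_lockfile(SAMPLE_LOCK), indent=2))
```

The install_scripts list will also contain legitimate native-addon packages; it is a review queue, not a verdict, while any entry in mastra_packages or typosquat should be treated as a confirmed indicator from the brief.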



Primary sources: Cisco PSIRT (CVE-2026-20230) · SSD Secure · Klue · F5 (CVE-2026-42530 / CVE-2026-42055) · Microsoft Threat Intelligence

Quiet 48 Hours: Oracle PeopleSoft RCE, Microsoft Exchange Zero-Day, and Defender ‘RoguePlanet’ Still Active

This brief covers the trailing ~48 hours (June 18–20, 2026). No new vulnerabilities, advisories, or KEV entries surfaced from authoritative primary sources inside that window — a quiet stretch following last week’s heavy Patch Tuesday cycle. Rather than pad with unverified or stale items, the section below tracks the most significant campaigns from the preceding days that remain active, each presented with its true disclosure date and traced to its primary source.

Still developing

Oracle PeopleSoft zero-day exploited for unauthenticated RCE (CVE-2026-35273)

Oracle Security Alert · June 11, 2026

Oracle issued an out-of-cycle Security Alert for CVE-2026-35273, a critical flaw in PeopleSoft Enterprise PeopleTools (versions 8.61 and 8.62) carrying a CVSS base score of 9.8. The bug is remotely exploitable without authentication and can result in remote code execution. It was exploited as a zero-day in ShinyHunters data-theft attacks; Mandiant (Google Threat Intelligence) confirmed exploitation and notified more than 100 organizations, 68% of them in the higher-education sector. Oracle released emergency mitigations with a full patch to follow. Not yet listed in CISA KEV at the time of writing.

“This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.” — Oracle Security Alert advisory

Source: Oracle Security Alert (CPU187) · Mandiant / Google Threat Intelligence · BleepingComputer

Microsoft June Patch Tuesday: Exchange Server zero-day exploited in the wild (CVE-2026-42897)

Microsoft (MSRC) · June 9, 2026

Microsoft’s June 2026 Patch Tuesday addressed 200 flaws, including six zero-days — five publicly disclosed and one exploited in attacks. The actively exploited issue is CVE-2026-42897, a Microsoft Exchange Server spoofing vulnerability affecting Exchange 2016, 2019, and Subscription Edition that lets an attacker execute JavaScript in a target’s browser via Outlook Web Access. The publicly disclosed zero-days include BitLocker bypasses (“YellowKey,” “bitskrieg”) and the “GreenPlasma” and “Mini-Plasma” elevation-of-privilege flaws. Administrators should prioritize the Exchange update.

“Today is Microsoft’s June 2026 Patch Tuesday, with security updates for 200 flaws, including five publicly disclosed zero-day vulnerabilities and one actively exploited in attacks.” — BleepingComputer

Source: Microsoft MSRC advisory (CVE-2026-42897) · BleepingComputer

Microsoft Defender “RoguePlanet” PoC grants SYSTEM on fully patched Windows (no patch)

BleepingComputer / Nightmare Eclipse · June 9, 2026

Hours after Patch Tuesday, the researcher known as Nightmare Eclipse released a proof-of-concept exploit dubbed “RoguePlanet” targeting a Microsoft Defender race-condition flaw. It spawns a command prompt with SYSTEM privileges on fully patched Windows 10 and Windows 11 systems. No CVE has been assigned and no patch was available at disclosure; Microsoft says it is investigating. Cybersecurity firm ThreatLocker independently reproduced the exploit against fully patched Windows 11 (build with KB5094126). Application allowlisting is cited as an effective mitigation.

“Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack.” — Danny Jenkins, CEO, ThreatLocker

Source: BleepingComputer

CISA adds Joomla Content Editor flaw to KEV (CVE-2026-48907)

CISA · June 16, 2026

CISA added CVE-2026-48907, an improper access control vulnerability in the Widget Factory Joomla Content Editor (JCE) extension, to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The addition sets a remediation deadline for federal civilian agencies under BOD 22-01 and is a strong signal for any organization running the affected Joomla extension to patch or mitigate. KEV status: listed.

Source: CISA alert · CISA KEV catalog

