Threats
Attackers are exploiting CVE-2026-10520, a max-severity OS command injection flaw in Ivanti Sentry, to run code as root on internet-exposed gateways. Shadowserver reports most exposed instances already backdoored. Patched Tuesday in R10.5.2, R10.6.2, R10.7.1 — patch now.
Threats
Attackers are actively exploiting CVE-2026-5027 in Langflow, writing arbitrary files to exposed servers. Default unauthenticated auto-login means a single request reaches the vulnerable endpoint with no credentials. Roughly 7,000 instances were exposed; patch in 1.10.0.
Breaches
ServiceNow has quietly warned customers that attackers exploited an unauthenticated API endpoint to query data from customer instances. A June 5 update locked the endpoint to authenticated users only. Admins point to /api/now/related_list_edit set to requires_authentication=false.
Alerts
Nightmare Eclipse has released "RoguePlanet," a Microsoft Defender race-condition zero-day that spawns a SYSTEM shell on fully patched Windows 10 and 11 — including systems with this week's June updates. ThreatLocker independently reproduced it against patched Windows 11. No fix exists yet.
Alerts
SAP's June 2026 Security Patch Day addresses 15 vulnerabilities, four of them critical — led by a CVSS 9.9 XML Signature Wrapping flaw enabling SAML authentication bypass in NetWeaver and an unauthenticated CVSS 9.8 memory corruption bug exploitable via crafted RFC requests.
Alerts
"Ghost-Sender" lets attackers send email as any address — internal or external — to orgs running Exchange Online or hybrid Exchange behind a third-party MX record. SPF, DKIM, and DMARC are all bypassed, fewer than half of exposed orgs have mitigations, and Microsoft says no patch is coming.
Alerts
Veeam has patched CVE-2026-44963, a CVSS 9.4 flaw in Backup & Replication that lets any authenticated domain user execute remote code on the backup server. All version 12 builds are affected — version 13 is immune due to architectural changes. Ransomware groups routinely target Veeam first.
Alerts
Microsoft's June 2026 Patch Tuesday addresses 200 vulnerabilities, including three publicly disclosed zero-days covering a CTFMON privilege escalation, the "HTTP/2 Bomb" denial-of-service technique, and the YellowKey BitLocker bypass released by Nightmare Eclipse.
Threats
Google Mandiant attributes a sustained data theft and extortion campaign to UNC3753, combining voice phishing, IT impersonation, and in-person office break-ins to compromise US law and financial firms — progressing from initial contact to ransom demand in under an hour.
Alerts
Google has released emergency Chrome 149 updates to patch CVE-2026-11645, a high-severity V8 out-of-bounds read/write zero-day exploited in the wild — the fifth Chrome zero-day patched this year.
Alerts
Three chained vulnerabilities in Ubiquiti UniFi OS Server allow attackers to bypass authentication, execute commands, and escalate to root with no credentials or user interaction — granting full control over network infrastructure, surveillance cameras, and door access systems.
Alerts
Check Point has disclosed active exploitation of a critical authentication bypass vulnerability in its Remote Access VPN and Mobile Access products, tracked as CVE-2026-50751 with a CVSS score of 9.3. The flaw allows an unauthenticated remote attacker to establish a VPN session without a valid password by