Audience: Vulnerability Managers, Security Operations, CISOs, DevSecOps Teams
Reading Time: Approximately 10 minutes
CISA added 23 vulnerabilities to the catalog, spanning remote-access tooling, enterprise applications, network hardware, and CMS plugins. The month's defining pattern isn't raw RCE — it's authentication and access-control failures, which account for nearly a third of all additions and gave attackers a way in without needing a code-execution bug at all. Vulnerability managers, detection engineers, and CISOs need this report to separate the handful of entries carrying real operational urgency — confirmed ransomware links, MSP-scale blast radius, zero-day exploitation — from the rest of the list.
| Metric | Value |
|---|---|
| Total new KEV additions this month | 23 |
| CVSS Critical entries (9.0–10.0) | 9 confirmed (SimpleHelp, PTC Windchill/FlexPLM, Oracle PeopleSoft, Check Point Security Gateway, Splunk Enterprise, Mirasvit Full Page Cache Warmer, and all three Ubiquiti UniFi OS entries) — remaining entries pending individual NVD verification |
| CVSS High entries (7.0–8.9) | 2 confirmed (Cisco Unified CM, LiteSpeed cPanel Plugin) — remaining entries pending individual NVD verification |
| Entries with confirmed active exploitation | 23 (all — active exploitation is the KEV entry criterion) |
| Entries with public PoC or exploit code | At least 1 confirmed public working exploit (Splunk Enterprise, published by watchTowr Labs); most other entries show confirmed in-the-wild exploitation without a published PoC — attackers are working from private tooling |
| Most affected vendor | Tied: Cisco (3 entries — Unified CM + two Catalyst SD-WAN Manager CVEs) and Ubiquiti (3 entries — UniFi OS) |
| Most common exploitation type | Authentication/access-control bypass (7 of 23 entries) — edges out injection/RCE-class bugs (6 of 23) as the dominant category this month |
| Sectors most targeted | No single vertical dominant — exposure spans MSP/remote-access tooling, manufacturing/aerospace PLM, telecom, and security operations (SIEM) infrastructure |
Figures above reflect independent verification against vendor advisories and CISA KEV alerts conducted for this report. The 14 lower-priority entries not individually cited below should still be checked against live NVD records before publishing final CVSS figures.
Ranked by operational risk, not CVSS alone.
| CVE | Vendor / Product | CVSS | Type | Why It's Priority |
|---|---|---|---|---|
| CVE-2026-48558 | SimpleHelp (RMM) | 10.0 | OIDC Auth Bypass → Technician RCE | A single compromised SimpleHelp instance cascades across every endpoint an MSP manages. Attackers are already using this to deploy two new malware families (TaskWeaver, Djinn Stealer) — this isn't theoretical exposure, it's an active supply-chain-style intrusion in progress. |
| CVE-2026-50751 | Check Point Security Gateway | 9.3 | IKEv1 Auth Bypass (Zero-Day) | Exploited in the wild for a full month before a patch existed, with a confirmed Qilin ransomware affiliate link. The zero-day window plus ransomware attribution outranks several higher-CVSS entries this month. |
| CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools | 9.8 | Missing Authentication → Full Takeover | Actively exploited by ShinyHunters with confirmed ransomware-campaign use. PeopleSoft's role in HR/financial data makes this a high-value target independent of its CVSS score. |
| CVE-2026-12569 | PTC Windchill / FlexPLM | 9.8 | Deserialization → RCE | Attackers are dropping JSP web shells on unpatched instances now. Windchill and FlexPLM sit inside manufacturing, aerospace, and defense engineering workflows — compromise risks IP theft, not just system access. |
| CVE-2026-20253 | Splunk Enterprise | 9.8 | Missing Auth (PostgreSQL sidecar) → Pre-Auth RCE | This one is different in kind: it targets the SIEM itself. A compromised Splunk instance can blind the exact detection capability an organisation would rely on to catch the other 22 entries in this report. A public working exploit is already circulating. |
| CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910 | Ubiquiti UniFi OS | 10.0 (each) | Access Control Bypass / Path Traversal / Command Injection | Three CVSS-10.0 bugs in the same advisory, under active botnet exploitation for automated Initial Access at scale. Any UniFi-managed network — common in SMB and MSP environments — is a target regardless of size. |
| CVE-2026-20230 | Cisco Unified Communications Manager | 8.6 | SSRF → Arbitrary File Write → Root RCE | Lower CVSS than the entries above, but Unified CM is often treated as "voice team" infrastructure rather than a security-monitored asset — under-defended systems with root-level compromise paths deserve priority disproportionate to their score. |
Note on scope: the remaining 14 June KEV additions (Lantronix EDS5000, Widget Factory Joomla Content Editor, LiteSpeed cPanel Plugin, two additional Cisco Catalyst SD-WAN Manager CVEs, Ivanti Sentry, Google Chromium V8, Arista EOS, BerriAI LiteLLM, SolarWinds Serv-U, Mirasvit Full Page Cache Warmer, Linux Kernel, Android Framework, and Oracle WebLogic Server) are all confirmed KEV entries but did not carry the same combination of ransomware attribution, supply-chain blast radius, or zero-day timing that drove the ranking above. Full CVE-by-CVE detail for these is in the weekly reports linked below.
| Week | Article Title | KEV Additions | Link |
|---|---|---|---|
| 29–30 Jun | Weekly CISA KEV Updates: 29 June 2026 – Six New Known Exploited Vulnerabilities Added | 1 (SimpleHelp; the six-addition count in that article's title reflects the prior week's PTC/Cisco/Ubiquiti/Lantronix cluster) | Week 4 |
Only the 29 June weekly article was confirmed via search for this report. Confirm and insert the remaining four weekly article links directly from the CMS before publishing — this dataset doesn't include your internal weekly-post archive, so I can't verify their exact titles or slugs from here.
The defining shift this month is the balance between access-control failures and code-execution bugs: seven of 23 entries are authentication or access-control bypasses, edging out the injection/RCE category (six entries) as the largest single class. That matters operationally — organisations that tune detection primarily around RCE indicators (webshells, unusual process spawning) may be under-instrumented for the "walk in the front door with a forged token" pattern that defined SimpleHelp, Check Point, Oracle PeopleSoft, and Splunk this month. Two vendors tied for most entries — Cisco and Ubiquiti, both with three — but for different reasons: Cisco's spread across Unified CM and two separate SD-WAN Manager CVEs suggests broad platform scrutiny rather than a single flawed component, while Ubiquiti's three bugs shipped in one advisory, meaning any exposed UniFi deployment is carrying compounding risk from a single patch cycle. Notably absent from this month's list: no major cloud-identity provider entries, despite that category dominating recent months — a gap worth tracking rather than assuming resolved. The cumulative picture: June's KEV additions read less like isolated CVEs and more like a coordinated reminder that credential and session validation, not just code execution, is where 2026's attackers are finding the cheapest path in.
| Sector | Exposure Level | Key CVEs This Month | Recommended Focus |
|---|---|---|---|
| Government / FCEB | High | CVE-2026-35273 (Oracle PeopleSoft), CVE-2026-12569 (PTC Windchill) | All FCEB deadlines under BOD 26-04 apply; confirm asset inventories against the full 23-CVE list, not just the headline entries. |
| Healthcare | Medium | CVE-2026-20253 (Splunk) | Audit whether SIEM infrastructure itself is exposed — a compromised Splunk instance undermines breach detection across the entire environment. |
| Financial Services | High | CVE-2026-50751 (Check Point), CVE-2026-35273 (Oracle PeopleSoft) | Both carry confirmed ransomware attribution (Qilin, ShinyHunters) — treat as active-threat, not theoretical-risk, patching. |
| Critical Infrastructure | Medium | CVE-2025-67038 (Lantronix EDS5000) | Lantronix bridges OT/ICS serial equipment to IP networks — verify exposure even though this CVE didn't rank in the top priority table. |
| Technology / SaaS / MSP | High | CVE-2026-48558 (SimpleHelp), CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910 (Ubiquiti UniFi OS) | MSP-managed tooling and network-edge devices carry blast radius beyond the immediately compromised organisation — notify downstream clients if you're an MSP running either product. |
The industry is under-weighting authentication-bypass vulnerabilities relative to RCE, and this month's data argues that's backwards. Seven of 23 entries didn't need a code-execution bug at all — a forged OIDC token, a certificate-validation logic flaw, or a missing-auth endpoint got attackers just as far, often faster, because these bypasses are frequently invisible to detection rules tuned for webshells and process anomalies. The Splunk entry deserves particular attention independent of its CVSS score: when the vulnerability sits in the SIEM itself, "detect and respond" stops being a reliable fallback, because the detection layer is the thing that's compromised. We'd also flag the Check Point timeline specifically — a full month of active, ransomware-linked exploitation before a patch existed is a pattern worth tracking across vendors, not treating as a one-off. Organisations scoring this month's KEV list purely on CVSS will patch Ubiquiti and Mirasvit (both 9.8–10.0) before Check Point (9.3) — and get the priority order wrong, because zero-day timing and confirmed ransomware attribution matter more than a 0.5–0.7 point CVSS gap.
🔗 CVSS vs EPSS: How to Prioritise Vulnerabilities by Real Exploitation Risk
Why read this: Directly extends this month's ranking logic — the priority table above uses the same exploitation-first, attribution-aware methodology over static CVSS ordering.
🔗 Vulnerability Backlog: Why CVSS Prioritisation Is Broken and How to Fix It
Why read this: Companion piece on why EPSS + KEV + asset reachability outperforms CVSS-only triage — relevant given the Check Point vs. Ubiquiti ranking discussed above.
🔗 Vulnerability Management: Operational Risk & Exposure-Based Prioritization
Why read this: Practical exposure/reachability framework for triaging a 23-entry month like this one without treating every CVSS-9+ entry as equally urgent.
This analysis is based on publicly available reporting and security research summaries. Some technical details may change as additional information becomes available.
Timur Mehmet | Founder & Lead Editor
Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. Professional qualifications over the years have included CISSP, ISO27000 Auditor, ITIL and technologies such as Networking, Operating Systems, PKI, Firewalls. For more information including independent citations and credentials, visit our About page.
Contact:
This article adheres to Hackerstorm.com's commitment to accuracy, independence, and transparency:
Editorial Policy: Ethics, Non-Bias, Fact Checking and Corrections
Learn More: About Hackerstorm.com | FAQs
COOKIE / PRIVACY POLICY: This website uses essential cookies required for basic site functionality. We also use analytics cookies to understand how the website is used. We do not use cookies for marketing or personalization, and we do not sell or share any personal data with third parties.