Our Blog

Hackerstorm monthly KEV vulnerability report

HackerStorm Vulnerability Priority Report – June 2026

 

Audience: Vulnerability Managers, Security Operations, CISOs, DevSecOps Teams
Reading Time: Approximately 10 minutes

 

23 KEV additions. 9+ critical CVEs. What security teams must prioritise in June.

 

CISA added 23 vulnerabilities to the catalog, spanning remote-access tooling, enterprise applications, network hardware, and CMS plugins. The month's defining pattern isn't raw RCE — it's authentication and access-control failures, which account for nearly a third of all additions and gave attackers a way in without needing a code-execution bug at all. Vulnerability managers, detection engineers, and CISOs need this report to separate the handful of entries carrying real operational urgency — confirmed ransomware links, MSP-scale blast radius, zero-day exploitation — from the rest of the list.

 

 

The Month in Numbers

 

Metric Value
Total new KEV additions this month 23
CVSS Critical entries (9.0–10.0) 9 confirmed (SimpleHelp, PTC Windchill/FlexPLM, Oracle PeopleSoft, Check Point Security Gateway, Splunk Enterprise, Mirasvit Full Page Cache Warmer, and all three Ubiquiti UniFi OS entries) — remaining entries pending individual NVD verification
CVSS High entries (7.0–8.9) 2 confirmed (Cisco Unified CM, LiteSpeed cPanel Plugin) — remaining entries pending individual NVD verification
Entries with confirmed active exploitation 23 (all — active exploitation is the KEV entry criterion)
Entries with public PoC or exploit code At least 1 confirmed public working exploit (Splunk Enterprise, published by watchTowr Labs); most other entries show confirmed in-the-wild exploitation without a published PoC — attackers are working from private tooling
Most affected vendor Tied: Cisco (3 entries — Unified CM + two Catalyst SD-WAN Manager CVEs) and Ubiquiti (3 entries — UniFi OS)
Most common exploitation type Authentication/access-control bypass (7 of 23 entries) — edges out injection/RCE-class bugs (6 of 23) as the dominant category this month
Sectors most targeted No single vertical dominant — exposure spans MSP/remote-access tooling, manufacturing/aerospace PLM, telecom, and security operations (SIEM) infrastructure

 

Figures above reflect independent verification against vendor advisories and CISA KEV alerts conducted for this report. The 14 lower-priority entries not individually cited below should still be checked against live NVD records before publishing final CVSS figures.

 

 

Priority Vulnerabilities This Month

Ranked by operational risk, not CVSS alone.

 

CVE Vendor / Product CVSS Type Why It's Priority
CVE-2026-48558 SimpleHelp (RMM) 10.0 OIDC Auth Bypass → Technician RCE A single compromised SimpleHelp instance cascades across every endpoint an MSP manages. Attackers are already using this to deploy two new malware families (TaskWeaver, Djinn Stealer) — this isn't theoretical exposure, it's an active supply-chain-style intrusion in progress.
CVE-2026-50751 Check Point Security Gateway 9.3 IKEv1 Auth Bypass (Zero-Day) Exploited in the wild for a full month before a patch existed, with a confirmed Qilin ransomware affiliate link. The zero-day window plus ransomware attribution outranks several higher-CVSS entries this month.
CVE-2026-35273 Oracle PeopleSoft Enterprise PeopleTools 9.8 Missing Authentication → Full Takeover Actively exploited by ShinyHunters with confirmed ransomware-campaign use. PeopleSoft's role in HR/financial data makes this a high-value target independent of its CVSS score.
CVE-2026-12569 PTC Windchill / FlexPLM 9.8 Deserialization → RCE Attackers are dropping JSP web shells on unpatched instances now. Windchill and FlexPLM sit inside manufacturing, aerospace, and defense engineering workflows — compromise risks IP theft, not just system access.
CVE-2026-20253 Splunk Enterprise 9.8 Missing Auth (PostgreSQL sidecar) → Pre-Auth RCE This one is different in kind: it targets the SIEM itself. A compromised Splunk instance can blind the exact detection capability an organisation would rely on to catch the other 22 entries in this report. A public working exploit is already circulating.
CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910 Ubiquiti UniFi OS 10.0 (each) Access Control Bypass / Path Traversal / Command Injection Three CVSS-10.0 bugs in the same advisory, under active botnet exploitation for automated Initial Access at scale. Any UniFi-managed network — common in SMB and MSP environments — is a target regardless of size.
CVE-2026-20230 Cisco Unified Communications Manager 8.6 SSRF → Arbitrary File Write → Root RCE Lower CVSS than the entries above, but Unified CM is often treated as "voice team" infrastructure rather than a security-monitored asset — under-defended systems with root-level compromise paths deserve priority disproportionate to their score.

 

Note on scope: the remaining 14 June KEV additions (Lantronix EDS5000, Widget Factory Joomla Content Editor, LiteSpeed cPanel Plugin, two additional Cisco Catalyst SD-WAN Manager CVEs, Ivanti Sentry, Google Chromium V8, Arista EOS, BerriAI LiteLLM, SolarWinds Serv-U, Mirasvit Full Page Cache Warmer, Linux Kernel, Android Framework, and Oracle WebLogic Server) are all confirmed KEV entries but did not carry the same combination of ransomware attribution, supply-chain blast radius, or zero-day timing that drove the ranking above. Full CVE-by-CVE detail for these is in the weekly reports linked below.

 

 

This Month's Weekly KEV Reports — Full Index

 

Week Article Title KEV Additions Link
29–30 Jun Weekly CISA KEV Updates: 29 June 2026 – Six New Known Exploited Vulnerabilities Added 1 (SimpleHelp; the six-addition count in that article's title reflects the prior week's PTC/Cisco/Ubiquiti/Lantronix cluster) Week 4

 

Only the 29 June weekly article was confirmed via search for this report. Confirm and insert the remaining four weekly article links directly from the CMS before publishing — this dataset doesn't include your internal weekly-post archive, so I can't verify their exact titles or slugs from here.

 

 

Threat Landscape Context

 

The defining shift this month is the balance between access-control failures and code-execution bugs: seven of 23 entries are authentication or access-control bypasses, edging out the injection/RCE category (six entries) as the largest single class. That matters operationally — organisations that tune detection primarily around RCE indicators (webshells, unusual process spawning) may be under-instrumented for the "walk in the front door with a forged token" pattern that defined SimpleHelp, Check Point, Oracle PeopleSoft, and Splunk this month. Two vendors tied for most entries — Cisco and Ubiquiti, both with three — but for different reasons: Cisco's spread across Unified CM and two separate SD-WAN Manager CVEs suggests broad platform scrutiny rather than a single flawed component, while Ubiquiti's three bugs shipped in one advisory, meaning any exposed UniFi deployment is carrying compounding risk from a single patch cycle. Notably absent from this month's list: no major cloud-identity provider entries, despite that category dominating recent months — a gap worth tracking rather than assuming resolved. The cumulative picture: June's KEV additions read less like isolated CVEs and more like a coordinated reminder that credential and session validation, not just code execution, is where 2026's attackers are finding the cheapest path in.

 

 

Sector Exposure Summary

 

Sector Exposure Level Key CVEs This Month Recommended Focus
Government / FCEB High CVE-2026-35273 (Oracle PeopleSoft), CVE-2026-12569 (PTC Windchill) All FCEB deadlines under BOD 26-04 apply; confirm asset inventories against the full 23-CVE list, not just the headline entries.
Healthcare Medium CVE-2026-20253 (Splunk) Audit whether SIEM infrastructure itself is exposed — a compromised Splunk instance undermines breach detection across the entire environment.
Financial Services High CVE-2026-50751 (Check Point), CVE-2026-35273 (Oracle PeopleSoft) Both carry confirmed ransomware attribution (Qilin, ShinyHunters) — treat as active-threat, not theoretical-risk, patching.
Critical Infrastructure Medium CVE-2025-67038 (Lantronix EDS5000) Lantronix bridges OT/ICS serial equipment to IP networks — verify exposure even though this CVE didn't rank in the top priority table.
Technology / SaaS / MSP High CVE-2026-48558 (SimpleHelp), CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910 (Ubiquiti UniFi OS) MSP-managed tooling and network-edge devices carry blast radius beyond the immediately compromised organisation — notify downstream clients if you're an MSP running either product.

 

Hackerstorm Analysis

 

The industry is under-weighting authentication-bypass vulnerabilities relative to RCE, and this month's data argues that's backwards. Seven of 23 entries didn't need a code-execution bug at all — a forged OIDC token, a certificate-validation logic flaw, or a missing-auth endpoint got attackers just as far, often faster, because these bypasses are frequently invisible to detection rules tuned for webshells and process anomalies. The Splunk entry deserves particular attention independent of its CVSS score: when the vulnerability sits in the SIEM itself, "detect and respond" stops being a reliable fallback, because the detection layer is the thing that's compromised. We'd also flag the Check Point timeline specifically — a full month of active, ransomware-linked exploitation before a patch existed is a pattern worth tracking across vendors, not treating as a one-off. Organisations scoring this month's KEV list purely on CVSS will patch Ubiquiti and Mirasvit (both 9.8–10.0) before Check Point (9.3) — and get the priority order wrong, because zero-day timing and confirmed ransomware attribution matter more than a 0.5–0.7 point CVSS gap.

 

Further Reading

 

🔗 CVSS vs EPSS: How to Prioritise Vulnerabilities by Real Exploitation Risk
Why read this: Directly extends this month's ranking logic — the priority table above uses the same exploitation-first, attribution-aware methodology over static CVSS ordering.

 

🔗 Vulnerability Backlog: Why CVSS Prioritisation Is Broken and How to Fix It
Why read this: Companion piece on why EPSS + KEV + asset reachability outperforms CVSS-only triage — relevant given the Check Point vs. Ubiquiti ranking discussed above.

 

🔗 Vulnerability Management: Operational Risk & Exposure-Based Prioritization
Why read this: Practical exposure/reachability framework for triaging a 23-entry month like this one without treating every CVSS-9+ entry as equally urgent.

 

 


About This Report

 

Attribution Note

This analysis is based on publicly available reporting and security research summaries. Some technical details may change as additional information becomes available. 

 

Author Information

Timur Mehmet | Founder & Lead Editor

Timur is a veteran Information Security professional with a career spanning over three decades. Since the 1990s, he has led security initiatives across high-stakes sectors, including Finance, Telecommunications, Media, and Energy. Professional qualifications over the years have included CISSP, ISO27000 Auditor, ITIL and technologies such as Networking, Operating Systems, PKI, Firewalls. For more information including independent citations and credentials, visit our About page.

Contact: This email address is being protected from spambots. You need JavaScript enabled to view it.

 

Editorial Standards

This article adheres to Hackerstorm.com's commitment to accuracy, independence, and transparency:

  • Fact-Checking: All statistics and claims are verified against primary sources and authoritative reports
  • Source Transparency: Original research sources and citations are provided in the References section below
  • No Conflicts of Interest: This analysis is independent and not sponsored by any vendor or organization
  • Corrections Policy: We correct errors promptly and transparently. Report inaccuracies to This email address is being protected from spambots. You need JavaScript enabled to view it.

Editorial Policy: Ethics, Non-Bias, Fact Checking and Corrections


Learn More: About Hackerstorm.com | FAQs

 

Source Transparency

 

 

By using this site, you agree to our Terms & Conditions.

COOKIE / PRIVACY POLICY: This website uses essential cookies required for basic site functionality. We also use analytics cookies to understand how the website is used. We do not use cookies for marketing or personalization, and we do not sell or share any personal data with third parties.

Terms & Privacy Policy