PatchDay Alert: 2026-06-04

TODAY'S CALL
Nothing burning in the wild today, but two high-severity items deserve your attention before lunch. A CVSS 9.6 privilege escalation in OpenShift Pipelines (CVE-2026-10840) lets any authenticated cluster user tamper with workload scheduling and overwrite TLS secrets, and a Cisco Unified Communications Manager SSRF (CVE-2026-20230, CVSS 8.6) chains to root if WebDialer is enabled. Five total patches, no active exploitation, but don't let the quiet fool you on that OpenShift one.
DO FIRST
• Apply the latest Cisco security patch for Unified CM, and confirm WebDialer is disabled on any systems where you don't need it (CVE-2026-20230)
• Update the OpenShift Pipelines operator to the patched version (CVE-2026-10840)
• Upgrade OP-TEE to version 4.11.0 or later (CVE-2026-40290)
• Update the Cloud Credential Operator to the patched version (CVE-2026-10843)
• Restrict or disable the base64 QR code endpoint immediately (CVE-2026-10771)
Clear the most in the fewest moves
1 update closes multiple CVEs at once. Each row is one maintenance decision.

ACTION                                     | CVES | URGENCY         | IMPACT
Upgrade OP-TEE to version 4.11.0 or later  | 37   | Patch this week | Endpoint reboot
TOP THREAT TODAY

CVE-2026-20230 · CVSS 8.6
An unauthenticated attacker can send a crafted HTTP request to Cisco Unified Communications Manager and use server-side request forgery to write files to the OS, then escalate to root. Cisco rates this Critical because of the root escalation path. The catch: the WebDialer service must be enabled for this to work, and it's off by default.
Who's affected: Anyone running Cisco Unified CM or Unified CM SME with the WebDialer service enabled
Patch within 24 hours for internet-facing systems.
Apply the latest Cisco security patch for Unified CM, and confirm WebDialer is disabled on any systems where you don't need it.
Exposure: Internet-facing systems · Op impact: Service restart
References: NVD · Ref 1
CVE-2026-10840 · CVSS 9.6 · CRITICAL
The OpenShift Pipelines operator binds a ClusterRole with write access to Kueue and cert-manager custom resources to the system:authenticated group. That means any authenticated cluster user can tamper with workload scheduling, delete other tenants' Workload objects, or trick cert-manager into overwriting TLS secrets, including the default ingress certificate. This is a CVSS 9.6 privilege escalation that requires only basic cluster authentication.
Affects: OpenShift cluster operators using the OpenShift Pipelines operator where Kueue or cert-manager CRDs are installed
Patch immediately if internet-facing or otherwise exposed.
Update the OpenShift Pipelines operator to the patched version. If you can't patch right away, manually edit or remove the tekton-scheduler-rolebinding ClusterRoleBinding to restrict access.
Exposure: Network-reachable systems
References: NVD · Ref 1 · Ref 2
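A quick way to confirm whether any ClusterRoleBinding on a cluster hands write verbs to system:authenticated (or system:unauthenticated), not just the one named above: the script below is an added example by this editor, not Red Hat's or the operator's code. It reads the kind=List document that `oc get clusterroles,clusterrolebindings -o json` prints and reports every binding-plus-rule pair where a broad group gets create/update/patch/delete. The embedded sample is constructed to resemble the described misconfiguration; the ClusterRole name, its rules and the second read-only binding are made up for illustration, only the binding name comes from the advisory text.

```python
import json
import sys

# Verbs that let a subject change cluster state; "*" covers everything.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# Groups that every authenticated principal (or any anonymous caller) belongs to.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}


def find_broad_write_bindings(clusterroles, clusterrolebindings):
    """One finding per (binding, rule) pair that grants a broad group write verbs."""
    roles_by_name = {r["metadata"]["name"]: r for r in clusterroles}
    findings = []
    for crb in clusterrolebindings:
        groups = {s.get("name") for s in crb.get("subjects") or [] if s.get("kind") == "Group"}
        broad = groups & BROAD_GROUPS
        ref = crb.get("roleRef") or {}
        if not broad or ref.get("kind") != "ClusterRole":
            continue
        role = roles_by_name.get(ref.get("name"))
        if role is None:
            continue  # a dangling roleRef grants nothing
        for rule in role.get("rules") or []:
            granted = set(rule.get("verbs") or []) & WRITE_VERBS
            if granted:
                findings.append({
                    "binding": crb["metadata"]["name"],
                    "role": role["metadata"]["name"],
                    "groups": sorted(broad),
                    "apiGroups": rule.get("apiGroups") or [],
                    "resources": rule.get("resources") or [],
                    "verbs": sorted(granted),
                })
    return findings


def audit_oc_list(list_json_text):
    """Accept the kind=List JSON that `oc get clusterroles,clusterrolebindings -o json` prints."""
    items = json.loads(list_json_text).get("items") or []
    roles = [i for i in items if i.get("kind") == "ClusterRole"]
    bindings = [i for i in items if i.get("kind") == "ClusterRoleBinding"]
    return find_broad_write_bindings(roles, bindings)


# Constructed sample: role name and rules are illustrative, not copied from the operator.
SAMPLE_OC_OUTPUT = json.dumps({
    "kind": "List", "apiVersion": "v1",
    "items": [
        {"kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "tekton-scheduler-role"},
         "rules": [
             {"apiGroups": ["kueue.x-k8s.io"], "resources": ["workloads"],
              "verbs": ["get", "list", "watch", "update", "patch", "delete"]},
             {"apiGroups": ["cert-manager.io"], "resources": ["certificates"],
              "verbs": ["create", "update", "patch"]}]},
        {"kind": "ClusterRole", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "readonly-discovery"},
         "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]}]},
        {"kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "tekton-scheduler-rolebinding"},
         "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                       "name": "system:authenticated"}],
         "roleRef": {"kind": "ClusterRole", "apiGroup": "rbac.authorization.k8s.io",
                     "name": "tekton-scheduler-role"}},
        {"kind": "ClusterRoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
         "metadata": {"name": "readonly-discovery-binding"},
         "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                       "name": "system:authenticated"}],
         "roleRef": {"kind": "ClusterRole", "apiGroup": "rbac.authorization.k8s.io",
                     "name": "readonly-discovery"}},
    ]})


if __name__ == "__main__":
    # Pipe real cluster output in, or run without stdin to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OC_OUTPUT
    for f in audit_oc_list(text):
        print(f"{f['binding']} -> {f['role']}: {f['groups']} may {f['verbs']} "
              f"{f['apiGroups']}/{f['resources']}")
```

Against the sample it reports the Kueue and cert-manager rules and stays silent on the read-only binding. On a live cluster, anything it reports for system:authenticated is worth a second look even after the operator is patched, since the same pattern can come from any operator or a hand-written manifest.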
CVE-2026-40290 · CVSS 7.8 · EPSS 0.01% · HIGH
A use-after-free race condition exists in OP-TEE's shared memory teardown logic for FF-A secure partitions. An attacker who can trigger concurrent shared memory operations could exploit this to corrupt memory in the secure world. This only applies if you've built OP-TEE as an SPMC for S-EL0 secure partitions (CFG_SECURE_PARTITION=y), which is not a default config.
Affects: Embedded and IoT teams running OP-TEE versions 3.16.0 through 4.10.x with CFG_SECURE_PARTITION=y on Arm TrustZone hardware
Patch this week.
Upgrade OP-TEE to version 4.11.0 or later.
Exposure: Estate exposure · Op impact: Endpoint reboot
ONE UPDATE · 37 CVEs
References: NVD · Ref 1
CVE-2026-10843 · CVSS 7.2 · HIGH
The OpenShift Cloud Credential Operator in Mint mode provisions AWS IAM credentials with account-wide destructive permissions instead of scoping them to cluster-owned resources. If an attacker compromises those credentials, they can delete or modify AWS resources outside the cluster, affecting other workloads in the same AWS account.
Affects: OpenShift operators running on AWS in Mint credential mode
Patch this week.
Update the Cloud Credential Operator to the patched version. Review your AWS IAM policies created by the operator and tighten resource scoping to cluster-owned tags or ARNs.
Exposure: Network-reachable systems
References: NVD · Ref 1 · Ref 2
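To act on the "review your IAM policies" line at scale, the script below is an added example by this editor, not Red Hat's or the operator's code. It parses an IAM policy document and flags Allow statements that combine destructive actions with a wildcard resource and no ResourceTag condition, then shows the same statement in a scoped form. The two policy documents, the destructive-action prefix list and the `kubernetes.io/cluster/<infra-id>: owned` tag condition are constructed for illustration (the cluster id is a placeholder), and the check is a heuristic: some actions cannot be tag-scoped at all, so treat each finding as a review item rather than an automatic failure.

```python
import json

# Action name prefixes (after the "service:" part) that change or destroy resources.
DESTRUCTIVE_PREFIXES = ("Delete", "Terminate", "Modify", "Update", "Put", "Detach",
                        "Disassociate", "Revoke", "Deregister", "Stop", "Reboot", "Release")


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_destructive(action):
    if action == "*" or action.endswith(":*"):
        return True
    _service, _, operation = action.partition(":")
    return operation.startswith(DESTRUCTIVE_PREFIXES)


def is_broad_resource(resource):
    """'*' or an ARN that ends in a wildcard covers every resource in the account/region."""
    return resource == "*" or resource.endswith(":*") or resource.endswith("/*")


def has_resource_tag_condition(stmt):
    """True if any condition key is aws:ResourceTag/... or <service>:ResourceTag/..."""
    for operator_map in (stmt.get("Condition") or {}).values():
        if any("ResourceTag/" in key for key in operator_map):
            return True
    return False


def unscoped_destructive_statements(policy):
    """Return the Allow statements that grant destructive actions account-wide."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            # Negated matching is broad by construction; always surface it.
            findings.append({"index": index, "sid": stmt.get("Sid"),
                             "actions": ["(NotAction/NotResource)"], "resources": ["*"]})
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if is_destructive(a)]
        broad = [r for r in _as_list(stmt.get("Resource")) if is_broad_resource(r)]
        if actions and broad and not has_resource_tag_condition(stmt):
            findings.append({"index": index, "sid": stmt.get("Sid"),
                             "actions": actions, "resources": broad})
    return findings


# Constructed "before": destructive EC2/ELB actions on every resource in the account.
UNSCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Describe", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"], "Resource": "*"},
        {"Sid": "Mutate", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances", "ec2:DeleteVolume",
                    "elasticloadbalancing:DeleteLoadBalancer"],
         "Resource": "*"},
    ],
}

# Constructed "after": same actions, but only on resources tagged as owned by this cluster.
# CLUSTER-INFRA-ID-PLACEHOLDER stands in for the real infrastructure id.
SCOPED_POLICY = json.loads(json.dumps(UNSCOPED_POLICY))
SCOPED_POLICY["Statement"][1]["Condition"] = {
    "StringEquals": {"aws:ResourceTag/kubernetes.io/cluster/CLUSTER-INFRA-ID-PLACEHOLDER": "owned"}
}


if __name__ == "__main__":
    for label, policy in (("unscoped", UNSCOPED_POLICY), ("scoped", SCOPED_POLICY)):
        for f in unscoped_destructive_statements(policy):
            print(f"{label}: statement {f['index']} ({f['sid']}) allows {f['actions']} on {f['resources']}")
```

Run it over each policy the operator attached to its minted users (for example the output of `aws iam get-policy-version`, which wraps the document under `PolicyVersion.Document`); the Describe-only statement is not reported because read calls on `*` are normal, while the unconditioned Terminate/Delete statement is.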
CVE-2026-10771 · CVSS 7.3 · EPSS 0.04% · HIGH
The CRMEB Java e-commerce platform (version 1.4) has an SSRF bug in its QR code endpoint. An attacker can manipulate the URL parameter to make the server send arbitrary HTTP requests on their behalf, potentially reaching internal services. A public exploit already exists.
Affects: Anyone running CRMEB Java (crmeb_java) version 1.4
Patch this week.
Restrict or disable the base64 QR code endpoint immediately. Monitor the CRMEB project for a patched release. The maintainers have not responded to the report yet, so consider adding input validation or a URL allowlist on the affected endpoint yourself.
Exposure: Network-reachable systems
References: NVD · Ref 1 · Ref 2
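The "add input validation or a URL allowlist yourself" advice is easy to get subtly wrong, so here is the shape such a check takes, as an added example by this editor, not CRMEB's code and not tied to its endpoint. It rejects non-HTTPS schemes, userinfo tricks (`allowed-host@internal-host`), IP literals, unexpected ports and any host not on a constructed allowlist, and it separately screens the addresses a host resolves to so that an allowlisted name pointing at loopback, RFC 1918 or the 169.254.169.254 metadata range is still refused. The allowlisted hostnames and the sample addresses are made up for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist: a real deployment lists only the hosts the feature actually needs.
ALLOWED_HOSTS = {"cdn.example.com", "img.example.com"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


class SsrfRejected(Exception):
    """Raised when a caller-supplied URL must not be fetched server-side."""


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def address_is_internal(ip_text):
    """Loopback, RFC 1918/ULA, link-local (covers the cloud metadata range), multicast,
    reserved and unspecified addresses are never legitimate fetch targets."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url):
    """Return the normalised target for an allowed URL or raise SsrfRejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SsrfRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SsrfRejected("userinfo in URL is not allowed")  # blocks host@real-host tricks
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased by urlsplit
    if not host:
        raise SsrfRejected("missing host")
    if is_ip_literal(host):
        raise SsrfRejected("IP literals are not allowed")
    if host not in ALLOWED_HOSTS:
        raise SsrfRejected(f"host not on allowlist: {host!r}")
    try:
        port = parts.port or 443
    except ValueError as exc:  # non-numeric or out-of-range port
        raise SsrfRejected("malformed port") from exc
    if port not in ALLOWED_PORTS:
        raise SsrfRejected(f"port not allowed: {port}")
    return {"scheme": "https", "host": host, "port": port, "path": parts.path or "/"}


def is_allowed(url):
    """Boolean wrapper for callers that just need accept/reject."""
    try:
        validate_outbound_url(url)
        return True
    except SsrfRejected:
        return False


def check_resolved_addresses(addresses):
    """Every address a host resolves to must be public; one internal answer fails the lot."""
    bad = [a for a in addresses if address_is_internal(a)]
    if bad:
        raise SsrfRejected(f"host resolves to internal address(es): {bad}")
    return True


def resolve_and_check(host, port=443):
    """Resolve an allowlisted host and screen the answers. Connect to the returned address,
    not to the name again, so a DNS change between check and fetch cannot redirect the request."""
    addrs = sorted({info[4][0] for info in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)})
    check_resolved_addresses(addrs)
    return addrs


if __name__ == "__main__":
    for candidate in ("https://cdn.example.com/qr.png", "https://cdn.example.com@169.254.169.254/",
                      "http://cdn.example.com/x", "https://[::1]/"):
        print(candidate, "->", "allowed" if is_allowed(candidate) else "rejected")
```

Two things the code cannot do for you: the HTTP client that performs the fetch must not follow redirects on its own (re-run the validation on every Location header instead), and the allowlist should stay short, since every entry is a host the server will happily proxy to on a user's behalf.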
Community Signal Check

Microsoft Defender zero-days exploited in the wild: privilege escalation and DoS
Attackers are exploiting two Defender zero-days right now. CVE-2026-41091 gives them SYSTEM privileges via a link-following bug, and CVE-2026-45498 kills Defender entirely so it can't protect the host. Huntress is seeing both used in active incidents, sometimes chained with a third flaw (CVE-2026-33825). Check your Defender version and push updates today.
Source: BleepingComputer · active_exploitation

Google patches Android zero-day exploited in targeted attacks
Google's June 2026 Android patch set fixes 124 bugs, including CVE-2025-48595, a privilege escalation in the Android Framework that needs no user interaction. Google says attackers are using it in limited, targeted attacks against high-profile individuals. If you manage a fleet of Android devices, push the June security update now.
Source: BleepingComputer · active_exploitation

KB5089549 fails on PCs with small EFI partitions, fix available
The May 2026 cumulative update KB5089549 for Windows 11 24H2 and 25H2 hangs at 35% reboot on machines with tight EFI System Partitions (error 0x800f0922). Microsoft shipped an optional fix, KB5089573, and a permanent fix is expected in the June 9 Patch Tuesday. If you're seeing failed installs across your fleet, check EFI partition free space or deploy the Known Issue Rollback.
Source: WindowsLatest · broken_patch

Ivanti Neurons for ITSM privilege escalation: on-prem customers need to patch now
CVE-2026-9614 lets any authenticated user with minimal privileges escalate to full admin on Ivanti Neurons for ITSM. Low complexity, network-accessible. Cloud tenants were auto-patched May 24-25. If you run on-prem, apply patches 2025.4 Patch 1, 2025.3 Patch 1, or 2025.2 Patch 1 immediately.
Source: Cyberpress · vendor_advisory
SECURE BOOT · 20 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026). How to remediate →
Also patched this window
Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.

7.5 · CVE-2026-41858 · Weak Randomness / Insecure Cryptographic Primitive (CWE-338) in Get-RandomPassword in BOSH-Ecosystem /…
9.8 · CVE-2026-36576 · An OS command injection vulnerability in the app.py component of openlabs docker-wkhtmltopdf-aas up to commit 9f50579…
7.6 · CVE-2026-49771 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in 10Web Photo…
7.5 · CVE-2026-10737 (cms:wordpress) · The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability…
7.8 · CVE-2026-41859 · A network man-in-the-middle between nats-sync and the BOSH director can steal the director credentials (Basic auth…
8.8 · CVE-2026-41860 · CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM.
7.8 · CVE-2022-49042 · An inclusion of functionality from untrusted control sphere vulnerability in MinGW DLL component in Synology Hyper…
7.8 · CVE-2022-49036 · An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active…
Recent from the blog

Everything is critical, so nothing is critical
A third of last year's CVEs were rated High or Critical, but only a few percent ever get exploited. The severity score was never a risk sco…

Three CVEs keep getting called the Nx attack, and only one of them is this one
An 18-minute window on the VS Code marketplace ended with 3,800 of GitHub's own repositories copied. The interesting part isn't the speed.…

The patch triage meeting that ends with owners, not opinions
The short-list is built before anyone sits down. The meeting exists to put a name and a clock on each item, then end. Here's how to run it…

That's your patch day digest.

patchdayalert.com