PatchDay Alert: 2026-06-10
PatchDay Alert PATCH TUESDAY · JUNE 2026

TODAY'S CALL

Three vulnerabilities are already being exploited in the wild this month, and the Microsoft release adds a stack of critical-rated bugs that deserve your attention tonight. The Chrome V8 bug, a Cisco Catalyst SD-WAN Manager root escalation, and an Arista EOS tunnel decapsulation issue are the ones under active attack. Behind those sit pre-auth RCEs in HTTP.sys, the Windows DHCP Client, Ivanti Sentry (CVSS 10.0), and Fortinet FortiSandbox (CVSS 9.8), so clear some time on the calendar.

DO FIRST

Update Chrome to 149.0.7827.103 or later right now  (CVE-2026-11645)
Apply the latest Cisco security patch for Catalyst SD-WAN Manager  (CVE-2026-20245)
Apply the latest Arista EOS patch  (CVE-2026-7473)
Apply the latest cumulative update for your Windows version via Windows Update or WSUS  (CVE-2025-10263)
Upgrade Ivanti Sentry to R10.5.2, R10.6.2, or R10.7.1 immediately  (CVE-2026-10520)
Apply the latest Nuance PowerScribe update  (CVE-2026-26142)

Clear the most in the fewest moves

3 updates close multiple CVEs at once. Each row is one maintenance decision.

ACTION | CVES | URGENCY | IMPACT
Update Chrome to 149.0.7827.103 or later right now | 121 (1 exploited, 7 critical) | Patch immediately, KEV exploited | Browser relaunch
Apply the latest cumulative update for your Windows version via Windows Update or WSUS | 78 (3 critical) | Patch this week | Endpoint reboot
Upgrade Ivanti Sentry to R10.5.2, R10.6.2, or R10.7.1 immediately | 3 (2 critical) | Patch immediately, internet-facing only | Service restart

MICROSOFT

1 CVE
CVE-2025-10263 CVSS 9.3 EPSS 0.03% CRITICAL

A local privilege escalation bug in the Windows kernel lets a low-privileged local attacker gain elevated access without any user interaction. CVSS 9.3 makes this one of the highest-severity local escalation bugs you'll see. It isn't exploited in the wild yet (EPSS 0.03%), but the low barrier (local access with an ordinary user account, no user interaction) means weaponization is likely once details spread.

Affects: Windows sysadmins running Windows 10 21H2/22H2 or Windows 11 23H2/24H2/25H2 on ARM64 systems

Patch this week. Apply the latest cumulative update for your Windows version via Windows Update or WSUS. Prioritize ARM64 devices.

Exposure: Estate exposure  ·  Op impact: Endpoint reboot

ONE UPDATE · 78 CVEs 3 CRITICAL


CHROMIUM

1 CVE
CVE-2026-11645 CVSS 8.8 EPSS 5.47% HIGH   EXPLOITED

An attacker can run code inside Chrome's renderer sandbox by getting a user to visit a malicious web page. This is an out-of-bounds read/write bug in V8, Chrome's JavaScript engine, and attackers are already exploiting it in the wild. Code execution in the renderer still needs a separate sandbox escape to reach the host, but in-the-wild chains routinely pair the two. EPSS puts this at the 90th percentile for exploit probability, which lines up with what we're seeing.

Affects: Anyone running Google Chrome on any platform. Chromium-based browsers such as Edge and Brave carry the same V8 bug but ship the fix on their own schedules and with their own build numbers, so check those vendors' advisories rather than comparing against the Chrome version.

Patch immediately given active exploitation. Update Chrome to 149.0.7827.103 or later right now. Force-restart browsers via policy if needed.

Exposure: Active exploitation (KEV)  ·  Op impact: Browser relaunch

ONE UPDATE · 121 CVEs 7 CRITICAL


ALSO THIS MONTH

4 CVEs
CVE-2026-20245 EPSS 0.33%   EXPLOITED

A local attacker with authenticated access to Cisco Catalyst SD-WAN Manager can escalate to root by feeding a crafted file to the system. This is being exploited in the wild. The attack requires local access and valid credentials, so this isn't a drive-by, but once an attacker has a foothold on your management plane, it's game over.

Affects: Network engineers and SD-WAN teams running Cisco Catalyst SD-WAN Manager (formerly vManage)


Patch within 24 hours given active exploitation. Apply the latest Cisco security patch for Catalyst SD-WAN Manager. Check Cisco's advisory for your specific version and upgrade path.

Exposure: Active exploitation (KEV)  ·  Op impact: Service restart


CVE-2026-7473 EPSS 22.47%   EXPLOITED

Arista EOS switches with tunnel decapsulation configured will decapsulate and forward tunneled packets they should not, whenever the outer destination IP matches the configured decapsulation IP. Attackers are exploiting this in the wild. EPSS is at the 96th percentile, reinforcing that this is getting real-world attention. The practical risk is traffic injection and bypass of network segmentation: anyone who can get a packet to the decap IP may be able to reach whatever the tunnel reaches.

Affects: Network engineers running Arista EOS switches with tunnel decapsulation enabled

Patch immediately given active exploitation. Apply the latest Arista EOS patch. While you schedule the update, review your tunnel decapsulation configuration, audit for unexpected forwarded traffic, and consider filtering traffic to the decapsulation IP so that only your expected tunnel peers can reach it.

Exposure: Active exploitation (KEV)

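The audit suggested above, as an added example in Python (not Arista's tooling and not from the original digest): parse the decap groups out of a saved running-config, then scan a set of packet records for traffic aimed at a decapsulation IP that either does not use the configured tunnel type or does not come from an expected tunnel peer. The `ip decap-group` / `tunnel type` / `tunnel decap-ip` config syntax and the operator-supplied expected-peer map are assumptions for illustration, and both the config fragment and the flow records are constructed; check the syntax against your own `show running-config` output before pointing this at real data.

```python
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Constructed EOS-style running-config fragment. The decap-group syntax is an
# assumption for illustration, not copied from a real device.
SAMPLE_CONFIG = """\
hostname spine1
!
ip decap-group DC1-GRE
   tunnel type gre
   tunnel decap-ip 203.0.113.10
!
ip decap-group DC2-IPIP
   tunnel type ipip
   tunnel decap-ip 203.0.113.20
!
interface Ethernet1
   no switchport
   ip address 198.51.100.1/31
"""

# IP protocol numbers for the tunnel types the parser understands.
PROTO_NUM = {"gre": 47, "ipip": 4}


@dataclass
class DecapGroup:
    name: str
    tunnel_type: str = ""
    decap_ips: set = field(default_factory=set)


def parse_decap_groups(config: str) -> dict:
    """Return decap groups keyed by name from an EOS-style config text."""
    groups = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # a top-level command starts a new block
            m = re.fullmatch(r"ip decap-group (\S+)", line)
            current = groups.setdefault(m.group(1), DecapGroup(m.group(1))) if m else None
            continue
        if current is None:
            continue  # indented line under some other block (interface, etc.)
        sub = line.strip()
        if m := re.fullmatch(r"tunnel type (\S+)", sub):
            current.tunnel_type = m.group(1).lower()
        elif m := re.fullmatch(r"tunnel decap-ip (\S+)", sub):
            current.decap_ips.add(IPv4Address(m.group(1)))
    return groups


@dataclass(frozen=True)
class Flow:
    """One encapsulated packet as seen at the switch: outer header plus inner header."""
    outer_src: str
    outer_dst: str
    proto: int  # IP protocol number of the outer packet
    inner_src: str
    inner_dst: str


# Constructed sample: two legitimate tunnel packets, three that should be flagged,
# and one that is not addressed to a decap IP at all.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "203.0.113.10", 47, "10.1.0.5", "10.2.0.7"),  # expected GRE peer
    Flow("198.51.100.20", "203.0.113.20", 4, "10.3.0.9", "10.4.0.1"),   # expected IPIP peer
    Flow("192.0.2.77", "203.0.113.10", 47, "10.1.0.5", "10.2.0.7"),     # GRE from unknown source
    Flow("198.51.100.10", "203.0.113.10", 4, "10.1.0.5", "10.2.0.7"),   # wrong tunnel type for group
    Flow("192.0.2.77", "203.0.113.20", 47, "10.9.9.9", "10.4.0.1"),     # wrong type and source
    Flow("192.0.2.77", "203.0.113.99", 47, "10.9.9.9", "10.4.0.1"),     # not a decap IP, ignored
]

# Operator-supplied: which outer sources are legitimate peers for each decap group.
# Assumption: this is not expressed in the decap-group config itself.
EXPECTED_PEERS = {
    "DC1-GRE": {IPv4Address("198.51.100.10")},
    "DC2-IPIP": {IPv4Address("198.51.100.20")},
}


def audit_flows(groups, flows, expected_peers):
    """Return (flow, group name, reasons) for packets that hit a decap IP but do not
    look like traffic from a configured tunnel."""
    decap_index = {ip: g for g in groups.values() for ip in g.decap_ips}
    findings = []
    for f in flows:
        group = decap_index.get(IPv4Address(f.outer_dst))
        if group is None:
            continue  # not addressed to a decap IP, so the decap path is not involved
        reasons = []
        if f.proto != PROTO_NUM.get(group.tunnel_type):
            reasons.append(f"outer protocol {f.proto} is not {group.tunnel_type}")
        if IPv4Address(f.outer_src) not in expected_peers.get(group.name, set()):
            reasons.append(f"outer source {f.outer_src} is not an expected peer")
        if reasons:
            findings.append((f, group.name, reasons))
    return findings


def run_sample():
    return audit_flows(parse_decap_groups(SAMPLE_CONFIG), SAMPLE_FLOWS, EXPECTED_PEERS)


if __name__ == "__main__":
    for flow, name, reasons in run_sample():
        print(f"[{name}] {flow.outer_src} -> {flow.outer_dst} proto {flow.proto}: {'; '.join(reasons)}")
```

The flow records stand in for whatever you can export from sFlow, a SPAN port, or a firewall in front of the decap IP; the point is that the filter key is the outer header, because that is what the switch matches on before it decapsulates.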

CVE-2026-10520 CVSS 10.0 EPSS 0.22% CRITICAL

An unauthenticated attacker can get root-level remote code execution on Ivanti Sentry by injecting OS commands. No credentials needed, no user interaction. CVSS 10.0, which is as bad as it gets. Not yet confirmed exploited in the wild, but Ivanti appliances are a favorite target and this will get picked up fast.

Affects: Anyone running Ivanti Sentry (formerly MobileIron Sentry) prior to R10.5.2, R10.6.2, or R10.7.1


Patch immediately for internet-facing systems. Upgrade Ivanti Sentry to R10.5.2, R10.6.2, or R10.7.1 immediately. If you can't patch tonight, restrict network access to the management interface.

Exposure: Internet-facing systems  ·  Op impact: Service restart

ONE UPDATE · 3 CVEs 2 CRITICAL

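Both the Chrome item above and this Ivanti Sentry item come down to comparing an installed version against a fix level, and each has a trap: comparing Chrome version strings as text puts 149.0.7827.98 after 149.0.7827.103, and Sentry's fix is per branch, so R10.6.1 is vulnerable even though 10.6.1 sorts above the R10.5.2 fix. The following Python triage script is an added example, not from the digest or either vendor. The inventory, hostnames and the Edge build number are constructed, and Edge/Brave entries are deliberately routed to "check the vendor advisory" rather than compared against the Chrome build.

```python
import re

# Fix levels taken from this digest.
CHROME_FIXED = "149.0.7827.103"
# Ivanti Sentry is patched per branch: a higher branch number does not imply the fix.
SENTRY_FIXED = {(10, 5): "R10.5.2", (10, 6): "R10.6.2", (10, 7): "R10.7.1"}

# Constructed inventory; hostnames and versions are made up for the example.
INVENTORY = [
    {"host": "ws-101", "product": "chrome", "version": "149.0.7827.103"},
    {"host": "ws-102", "product": "chrome", "version": "149.0.7827.98"},
    {"host": "ws-103", "product": "chrome", "version": "148.0.7790.150"},
    {"host": "ws-104", "product": "edge", "version": "149.0.3520.40"},
    {"host": "sentry-a", "product": "sentry", "version": "R10.6.1"},
    {"host": "sentry-b", "product": "sentry", "version": "R10.5.2"},
    {"host": "sentry-c", "product": "sentry", "version": "R10.4.3"},
]


def parse_version(s: str) -> tuple:
    """'149.0.7827.103' -> (149, 0, 7827, 103); 'R10.6.1' -> (10, 6, 1).
    Tuples compare numerically per component, unlike the raw strings."""
    parts = tuple(int(p) for p in re.findall(r"\d+", s))
    if not parts:
        raise ValueError(f"no numeric components in version {s!r}")
    return parts


def chrome_status(installed: str) -> str:
    """Single fix build: anything below it needs the update."""
    return "ok" if parse_version(installed) >= parse_version(CHROME_FIXED) else "patch"


def sentry_status(installed: str) -> str:
    """Branch-aware: compare only against the fix build for the installed branch."""
    v = parse_version(installed)
    branch = v[:2]
    fixed = SENTRY_FIXED.get(branch)
    if fixed is None:
        # Older than every listed branch: no fix exists there, so it must be upgraded.
        # Newer than every listed branch: the digest says nothing, so flag for review.
        return "patch" if branch < min(SENTRY_FIXED) else "unknown-branch"
    return "ok" if v >= parse_version(fixed) else "patch"


def triage(inventory) -> dict:
    """Map host -> status. Products with no fix level on this page go to the vendor advisory."""
    result = {}
    for item in inventory:
        product = item["product"]
        if product == "chrome":
            result[item["host"]] = chrome_status(item["version"])
        elif product == "sentry":
            result[item["host"]] = sentry_status(item["version"])
        else:
            # Edge, Brave and other Chromium builds carry the same V8 bug but have
            # their own build numbers; comparing them to the Chrome fix build is wrong.
            result[item["host"]] = "check-vendor-advisory"
    return result


def string_compare_is_wrong(a: str, b: str) -> bool:
    """True when plain string ordering disagrees with numeric ordering for two versions."""
    return (a < b) != (parse_version(a) < parse_version(b))


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:10} {status}")
```

Feed `triage` whatever your inventory tool exports (CMDB, EDR, a `Get-Package` dump); the only fields it needs are host, product and version string. Anything that comes back as `unknown-branch` or `check-vendor-advisory` is a manual lookup, not a pass.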

CVE-2026-26142 CVSS 9.8 EPSS 0.37% CRITICAL

An unauthenticated attacker can execute code over the network on Nuance PowerScribe by sending crafted serialized data that the application deserializes. PowerScribe is a radiology reporting platform, so if you run it in a healthcare environment, this puts patient-facing systems at direct risk. CVSS 9.8, no credentials required.

Affects: Healthcare IT teams and radiology departments running Nuance PowerScribe

Patch immediately if internet-facing or otherwise exposed. Apply the latest Nuance PowerScribe update. If a patch isn't available yet, isolate PowerScribe servers from untrusted network segments immediately.

Exposure: Network-reachable systems


Community Signal Check

Check Point VPN auth bypass CVE-2026-50751 exploited in the wild since May 7

Attackers are bypassing certificate validation on Check Point Remote Access VPN, Mobile Access, and Spark Firewalls to establish VPN sessions without credentials. Exploitation started May 7, and Rapid7 ties it to the Qilin ransomware operation. If you run IKEv1 on any of these products, patch now.

Rapid7 • active_exploitation

Cisco SD-WAN Manager CVE-2026-20245 exploited in the wild

Mandiant observed active exploitation of CVE-2026-20245, a command injection bug in Catalyst SD-WAN Manager CLI that gives authenticated netadmin users root access via crafted file uploads. This CVE is already in today's digest. If you run SD-WAN Manager, prioritize the Cisco update.

SOCPrime • active_exploitation

Windows 11 June 2026 cumulative updates failing on upgraded devices

Machines upgraded from Windows 10 22H2/21H2 or Windows 11 23H2 to 24H2/25H2 are failing June cumulative updates with errors 0x80073712 or 0x800f0993. The Patch Tuesday release fixes it going forward, but already-upgraded boxes need manual cleanup via DISM. Check your fleet before assuming this month's patches landed cleanly.

BleepingComputer • broken_patch

Veeam Backup & Replication RCE: domain users can run code on backup servers

Any authenticated domain user can execute remote commands on Veeam Backup & Replication servers running version 12 or earlier. Veeam shipped fixes across multiple builds. Your backup infrastructure is a prime ransomware target, so patch this before the weekend.

The Hacker News • vendor_advisory

SECURE BOOT · 14 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026). How to remediate →

Also patched this window

Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.

9.8  CVE-2026-25089 · appliance:fortinet
An OS command injection (improper neutralization of special elements used in an OS command) vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.

Plus 127 more this window. See NVD for the full list.

Recent from the blog

A crash got a federal patch deadline. Here's why that's the right call
CVE-2026-28318 is a 7.5 denial-of-service bug in SolarWinds Serv-U, the kind that usually waits. CISA listed it on KEV two days after the f…

Three June 30 Microsoft 365 retirements that fail silently
A printer stops scanning to email, a conference-room keyboard's mute key dies, a town hall won't schedule. None of these will announce them…

Your Azure CLI session has an MFA exemption you never asked for
Two Entra Conditional Access changes land in the same fortnight, and they're the lead evidence in a longer story: Microsoft is closing the…

That's your patch day digest.

patchdayalert.com
