PatchDay Alert: 2026-06-02
TODAY'S CALL
Nothing's on fire, but two of today's five deserve your attention before lunch. A SharePoint deserialization bug (CVE-2026-47294, CVSS 8.0) lets any authenticated user run code on your server, and an OpenShift Route validation failure (CVE-2026-1784, CVSS 8.8) lets attackers inject arbitrary HAProxy config into your ingress router. Neither is exploited in the wild yet, so you've got a window to patch cleanly.
DO FIRST
• Apply the latest SharePoint security update from Microsoft's Patch Tuesday release via Windows Update or manual CU installation (CVE-2026-47294)
• Remove or deactivate the WP AutoSuggest plugin immediately; there is no fixed version (CVE-2018-25434)
• Upgrade FlexRIC beyond v2.0.0 when a fix ships; until then restrict ports 36421 and 36422 to trusted E2 nodes and xApps (CVE-2026-37227, CVE-2026-37222)
• Apply the latest OpenShift Container Platform update from Red Hat, then review existing Route spec.path values (CVE-2026-1784)

Clear the most in the fewest moves
Two updates close multiple CVEs at once. Each row is one maintenance decision.

ACTION                                                      CVES              URGENCY                                   IMPACT
Remove or deactivate the WP AutoSuggest plugin immediately  24 (1 critical)   Patch immediately, internet-facing only   —
Upgrade FlexRIC beyond v2.0.0 when a fix is available       12                Patch this week, internet-facing only     —

TOP THREAT TODAY

CVE-2026-47294 · CVSS 8.0 · HIGH
An authenticated attacker can exploit a deserialization bug in SharePoint to run arbitrary code over the network. The attacker needs valid credentials, but once authenticated, no special privileges or user interaction are required. If you host on-prem SharePoint, this is a remote code execution risk from any authorized user, which in most estates means every employee with a mailbox. Not exploited in the wild at time of writing.
Who's affected: SharePoint on-prem admins running any currently supported version of Microsoft Office SharePoint
Urgency: Patch within 24 hours if internet-facing or otherwise exposed.
Action: Apply the latest SharePoint security update from Microsoft's Patch Tuesday release via Windows Update or manual CU installation.
Exposure: Network-reachable systems · Op impact: Endpoint reboot
Refs: NVD · Ref 1

CVE-2018-25434 · CVSS 8.2 · HIGH
WP AutoSuggest 0.24 has an unauthenticated SQL injection bug in its autosuggest.php file. An attacker can send a crafted GET request with a malicious wpas_keys parameter and pull data straight out of your WordPress database, including posts, the user table with its password hashes, and anything else stored there. No login required.
Affects: WordPress site owners or developers running the WP AutoSuggest plugin version 0.24
Urgency: Patch immediately for internet-facing systems.
Action: Remove or deactivate the WP AutoSuggest plugin immediately. The plugin appears abandoned, so there is no fixed version to upgrade to; switch to a maintained search suggestion plugin. Then check your web server access logs for requests to autosuggest.php with SQL syntax in wpas_keys. If you find any, treat the database contents as exposed: rotate WordPress user passwords, and any secrets stored in wp_options.
Exposure: Internet-facing systems
One update · 24 CVEs · 1 critical
Refs: NVD · Ref 1 · Ref 2

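To make that log review concrete, here is an added example, not code from the plugin, the advisory or PatchDay Alert, that scans Combined Log Format access lines for requests to autosuggest.php whose wpas_keys parameter carries SQL syntax. The plugin path under wp-content/plugins and the four log lines are constructed for the demo (adjust the path to wherever your install serves the plugin), and the SQL-marker regex is a heuristic: an apostrophe in a genuine search will trip it, so treat hits as leads to review rather than proof of compromise.

```python
"""Flag WP AutoSuggest SQL injection attempts (CVE-2018-25434) in web server access logs.

Added example for this digest, not code from the plugin or the advisory. Assumptions:
the plugin is served under /wp-content/plugins/wp-autosuggest/autosuggest.php (adjust to
your install), logs are in Combined Log Format, and SAMPLE_LOG below is constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: host ident authuser [date] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# SQL syntax that has no business in a search-suggestion keyword. Heuristic: expect some
# false positives on apostrophes in genuine searches, so treat a hit as a lead to review.
SQLI_RE = re.compile(
    r"'|--|/\*|;|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\bor\b\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)


def suspicious_keys(target: str) -> Optional[str]:
    """Return the decoded wpas_keys value when the request hits autosuggest.php with SQL
    syntax in it; None for any other request."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/autosuggest.php"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("wpas_keys", []):
        decoded = unquote(value)  # parse_qs decoded once already; this catches double-encoding
        if SQLI_RE.search(decoded):
            return decoded
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str, str]]:
    """(client ip, timestamp, decoded payload, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format: skip rather than guess
        payload = suspicious_keys(m["target"])
        if payload is not None:
            hits.append((m["ip"], m["ts"], payload, m["status"]))
    return hits


# Constructed sample: one benign lookup, two injection attempts (one double-encoded),
# and an unrelated search that contains SQL keywords but never touches the plugin.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2026:09:14:02 +0000] "GET /wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_keys=wordpress&wpas_action=suggest HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/Jun/2026:09:14:05 +0000] "GET /wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_keys=x%27%20UNION%20SELECT%20user_login%2Cuser_pass%20FROM%20wp_users--%20- HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
    '198.51.100.4 - - [02/Jun/2026:09:15:11 +0000] "GET /?s=union+select HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Jun/2026:09:16:40 +0000] "GET /wp-content/plugins/wp-autosuggest/autosuggest.php?wpas_keys=%2527%2520OR%25201%253D1-- HTTP/1.1" 500 0 "-" "python-requests/2.32"',
]

if __name__ == "__main__":
    for ip, ts, payload, status in scan(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} wpas_keys={payload!r}")
```

A 200 with an unusually large response body on a hit (the second sample line) is the one to worry about: it suggests the query ran and returned rows. A 500 (the fourth line) more often means the injected syntax broke the statement, but a determined attacker will iterate, so check for repeated requests from the same client.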
CVE-2026-37227 · CVSS 7.5 · HIGH
FlexRIC v2.0.0's near-RT RIC process crashes when it receives certain valid but unimplemented E2AP message types. The message passes the whitelist check, but the handler calls assert(0) unconditionally, killing the process with SIGABRT. A remote unauthenticated attacker can take down the RIC, and with it every E2 connection it holds, by sending a single crafted E2AP PDU to port 36421 (SCTP, the E2 interface).
Affects: Telecom engineers and researchers running FlexRIC v2.0.0 near-RT RIC in lab or production O-RAN environments
Urgency: Patch this week.
Action: Upgrade FlexRIC beyond v2.0.0 when a fix is available. In the meantime, restrict network access to port 36421 so only trusted E2 nodes can reach the RIC, and run the RIC under a supervisor that restarts it, since one PDU is enough to stop it.
Exposure: Internet-facing systems
One update · 12 CVEs
Refs: NVD · Ref 1 · Ref 2

CVE-2026-37222 · CVSS 7.5 · HIGH
FlexRIC v2.0.0 crashes when it receives an E2AP message with more Information Elements than it expects. The code uses hardcoded assertions on exact IE counts instead of checking valid ranges, so a legitimate-looking PDU with extra optional fields triggers SIGABRT. Both the near-RT RIC (port 36421, E2 interface) and the iApp (port 36422, the xApp-facing interface) are affected, and no authentication is required.
Affects: Telecom engineers and researchers running FlexRIC v2.0.0 near-RT RIC or iApp components in O-RAN deployments
Urgency: Patch this week.
Action: Upgrade FlexRIC when a patched version ships. Until then, restrict access to ports 36421 and 36422 to trusted E2 nodes and xApps only; the same network restriction covers CVE-2026-37227.
Exposure: Internet-facing systems
Refs: NVD · Ref 1 · Ref 2

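The two FlexRIC bugs share a root cause: input that is valid per the E2AP spec reaches a handler that asserts instead of rejecting. The added Python example below is not FlexRIC code (FlexRIC is C) and models both patterns side by side for CVE-2026-37227 and CVE-2026-37222: an assert(0)-style handler for a spec-valid but unimplemented procedure, and an exact IE-count assertion that a PDU with one extra optional IE trips, next to a dispatcher that returns an error and keeps running. The procedure codes, IE ids and min/max IE ranges are constructed for illustration and do not reproduce the E2AP ASN.1; a Python AssertionError stands in for SIGABRT.

```python
"""Vulnerable vs hardened E2AP-style PDU dispatch, modelling the two FlexRIC v2.0.0 bugs:
CVE-2026-37227 (assert(0) in the handler of a spec-valid but unimplemented procedure) and
CVE-2026-37222 (exact IE-count assertions instead of range checks).

Added example for this digest in Python; FlexRIC itself is C and this is not its code. The
procedure codes, IE ids and min/max IE ranges below are constructed for illustration and do
not reproduce the E2AP ASN.1. An AssertionError stands in for SIGABRT.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Hypothetical procedure codes (the real ones live in the O-RAN E2AP specification).
E2_SETUP, RIC_SUBSCRIPTION, E2_CONNECTION_UPDATE = 1, 8, 10
IMPLEMENTED = {E2_SETUP, RIC_SUBSCRIPTION}
ACCEPTED = IMPLEMENTED | {E2_CONNECTION_UPDATE}  # whitelist: every procedure the spec defines


@dataclass
class Pdu:
    procedure: int
    ies: List[Tuple[int, bytes]]  # (ie id, value); optional IEs make the count variable


# --- vulnerable: the pattern the two advisories describe ----------------------------
def vulnerable_dispatch(pdu: Pdu) -> str:
    if pdu.procedure not in ACCEPTED:
        return "dropped: unknown procedure"  # the whitelist itself is fine...
    if pdu.procedure == E2_SETUP:
        assert len(pdu.ies) == 3  # CVE-2026-37222 pattern: exact count, one optional IE -> abort
        return "E2_SETUP handled"
    if pdu.procedure == RIC_SUBSCRIPTION:
        assert len(pdu.ies) == 2
        return "RIC_SUBSCRIPTION handled"
    assert 0, "not implemented"  # CVE-2026-37227 pattern: ...but this kills the whole RIC


# --- hardened: reject the PDU, never abort the process --------------------------------
IE_RANGE: Dict[int, Tuple[int, int]] = {E2_SETUP: (3, 6), RIC_SUBSCRIPTION: (2, 4)}


@dataclass
class Result:
    ok: bool
    detail: str


def hardened_dispatch(pdu: Pdu) -> Result:
    if pdu.procedure not in ACCEPTED:
        return Result(False, f"rejected: unknown procedure {pdu.procedure}")
    if pdu.procedure not in IMPLEMENTED:
        # Spec-valid but unimplemented: answer with an error and keep serving other E2 nodes.
        return Result(False, f"error indication: procedure {pdu.procedure} not supported")
    lo, hi = IE_RANGE[pdu.procedure]
    if not lo <= len(pdu.ies) <= hi:
        return Result(False, f"rejected: {len(pdu.ies)} IEs outside [{lo}, {hi}]")
    return Result(True, f"procedure {pdu.procedure} handled with {len(pdu.ies)} IEs")


def run(dispatch: Callable[[Pdu], object], pdus: List[Pdu]) -> Tuple[int, int]:
    """Feed PDUs through a dispatcher and count (processed, crashed).
    A crash in the real process is SIGABRT: the RIC is gone for every connected E2 node."""
    processed = crashed = 0
    for pdu in pdus:
        try:
            dispatch(pdu)
            processed += 1
        except AssertionError:
            crashed += 1
    return processed, crashed


# Constructed traffic: a well-formed setup, a setup with one extra optional IE,
# a spec-valid but unimplemented procedure, and a procedure the spec does not define.
SAMPLE_PDUS = [
    Pdu(E2_SETUP, [(1, b"tx-1"), (3, b"gnb-001"), (10, b"ran-functions")]),
    Pdu(E2_SETUP, [(1, b"tx-2"), (3, b"gnb-002"), (10, b"ran-functions"), (50, b"optional")]),
    Pdu(E2_CONNECTION_UPDATE, [(1, b"tx-3")]),
    Pdu(99, []),
]

if __name__ == "__main__":
    print("vulnerable (processed, crashed):", run(vulnerable_dispatch, SAMPLE_PDUS))
    print("hardened   (processed, crashed):", run(hardened_dispatch, SAMPLE_PDUS))
    for pdu in SAMPLE_PDUS:
        print(" ", hardened_dispatch(pdu).detail)
```

The design point is that assert() is for invariants the code controls, never for properties of bytes that arrived from the network; the hardened path turns both "unexpected but valid" cases into a rejection the sender sees and the process survives.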
CVE-2026-1784 · CVSS 8.8 · HIGH
OpenShift's Route resource doesn't properly validate the spec.path field, letting an attacker inject arbitrary HAProxy configuration into the ingress router. Anyone who can create or modify Route objects in the cluster can tamper with the router's behavior, potentially intercepting or redirecting traffic for other routes. The impact is high because the router is shared: a Route in one namespace can affect every route the same router serves.
Affects: OpenShift cluster admins running affected versions of OpenShift Container Platform with HAProxy-based ingress routers
Urgency: Patch within 24 hours if internet-facing or otherwise exposed.
Action: Apply the latest OpenShift Container Platform update from Red Hat. Review existing Route objects for spec.path values that are anything other than a plain URL path (whitespace, line breaks, quotes or '#' are red flags), and restrict who can create or edit Route resources with RBAC. Note that the default namespace-level edit and admin roles include Route create and update, so the population that can trigger this is every namespace editor, not just cluster admins.
Exposure: Estate exposure
Refs: NVD · Ref 1 · Ref 2

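For the Route review, here is an added example, not Red Hat code, that audits the JSON that `oc get routes -A -o json` prints and flags spec.path values that are not a plain URL path. The sample RouteList is constructed, and the allowlist grammar is an assumption: the advisory does not publish the exact characters the router fails to reject, so this flags anything outside a conservative path character set, which may include legitimate but unusual paths you will want to eyeball rather than delete.

```python
"""Audit OpenShift Route objects for spec.path values that could carry HAProxy config
injection (CVE-2026-1784).

Added example for this digest, not Red Hat code. Input is the RouteList JSON that
`oc get routes -A -o json` prints; SAMPLE_ROUTES below is constructed. The allowlist
grammar is an assumption: the advisory does not publish the injection characters, so
anything outside a plain URL path is reported for a human to look at.
"""
import json
import re
from typing import Dict, List

# A benign Route path: leading slash, then unreserved/sub-delim characters or %XX escapes.
# Deliberately excludes whitespace, quotes, '#', backslash and control characters: those are
# what a value would need to break out of a path token in a generated HAProxy config line.
SAFE_PATH = re.compile(r"^/(?:[A-Za-z0-9\-._~!$&*+,;=:@/]|%[0-9A-Fa-f]{2})*$")


def path_problem(path: str) -> str:
    """Return '' for a benign path, otherwise a short reason to review it."""
    if not path.startswith("/"):
        return "does not start with '/'"
    if "\n" in path or "\r" in path:
        return "contains a line break (would start a new HAProxy directive)"
    if any(ch.isspace() for ch in path):
        return "contains whitespace (would start a new HAProxy token)"
    if "#" in path:
        return "contains '#' (HAProxy comment marker)"
    if not SAFE_PATH.match(path):
        return "contains characters outside the conservative path allowlist"
    return ""


def audit_routes(route_list_json: str) -> List[Dict[str, str]]:
    """Findings for every Route whose spec.path fails path_problem()."""
    findings = []
    for item in json.loads(route_list_json).get("items", []):
        path = item.get("spec", {}).get("path")
        if path is None:
            continue  # host-only route: no path to inject through
        reason = path_problem(path)
        if reason:
            meta = item.get("metadata", {})
            findings.append({
                "namespace": meta.get("namespace", ""),
                "name": meta.get("name", ""),
                "path": path,
                "reason": reason,
            })
    return findings


# Constructed RouteList: two ordinary routes, one with a line break in spec.path followed
# by a placeholder token, and one with a bare space.
SAMPLE_ROUTES = json.dumps({
    "kind": "RouteList", "apiVersion": "route.openshift.io/v1",
    "items": [
        {"metadata": {"namespace": "shop", "name": "api"},
         "spec": {"host": "api.example.com", "path": "/v1/orders", "to": {"kind": "Service", "name": "api"}}},
        {"metadata": {"namespace": "shop", "name": "web"},
         "spec": {"host": "www.example.com", "to": {"kind": "Service", "name": "web"}}},
        {"metadata": {"namespace": "dev", "name": "odd"},
         "spec": {"host": "dev.example.com", "path": "/app\n  injected-directive", "to": {"kind": "Service", "name": "app"}}},
        {"metadata": {"namespace": "dev", "name": "spacey"},
         "spec": {"host": "dev.example.com", "path": "/a b", "to": {"kind": "Service", "name": "app"}}},
    ],
})

if __name__ == "__main__":
    import sys
    data = SAMPLE_ROUTES if sys.stdin.isatty() else sys.stdin.read()
    for f in audit_routes(data):
        print(f"{f['namespace']}/{f['name']}: {f['reason']}: {f['path']!r}")
```

Pipe live data in with `oc get routes -A -o json | python3 audit_routes.py`; the script reads the sample when run without a pipe. A finding in a namespace whose editors you do not fully trust is the one to chase, and the Route's managedFields or your audit log will tell you who last set spec.path.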
Community Signal Check

PAN-OS GlobalProtect auth bypass (CVE-2026-0257) now exploited in the wild
Palo Alto bumped CVE-2026-0257 from medium to high after attackers started exploiting it across multiple customer environments. The bug lets an unauthenticated attacker bypass GlobalProtect authentication cookies and open unauthorized VPN sessions into your network. If you run GlobalProtect, patch PAN-OS now, then review GlobalProtect session logs for logins you cannot tie to a known user and device.
Source: Palo Alto Networks PSIRT · active exploitation

Windows Netlogon RCE (CVE-2026-41089) actively exploited, hits domain controllers
Belgium's CCB confirmed attackers are exploiting CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon, to run code as SYSTEM on domain controllers with no authentication required. This is about as bad as it sounds. Patch every DC you own tonight.
Source: Help Net Security · active exploitation

Microsoft Defender privilege escalation and DoS bugs exploited in the wild
Three Defender bugs are exploited in the wild: CVE-2026-41091 (CVSS 7.8, local privilege escalation to SYSTEM), CVE-2026-45498 (CVSS 4.0, Defender DoS), and CVE-2026-33825 (BlueHammer). Huntress confirmed all three in targeted intrusions where attackers staged files in user directories and escalated manually. CISA added them to KEV with a June 3 deadline, so don't wait.
Source: The Hacker News · active exploitation

SECURE BOOT · 22 days until Microsoft Secure Boot certificates begin expiring (June 24, 2026).

Also patched this window
Lower-priority items that cleared the enterprise filter. Scan for anything in your estate.

8.8  CVE-2026-9614 · appliance:ivanti · An Improper Access Control vulnerability in Ivanti Neurons for ITSM (cloud and on-premises) allows a remote…
7.8  CVE-2026-46243 · In the Linux kernel, the following vulnerability has been resolved: smb: client: reject userspace cifs.spnego…
7.8  CVE-2026-10118 · A flaw was found in Poppler's Splash backend.
7.8  CVE-2026-43958 · A flaw was found in rrdcached, a component of rrdtool.
9.8  CVE-2025-53209 · Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation.
9.8  CVE-2026-25879 · Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection.
9.3  CVE-2026-42684 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ahmad WP Job Portal allows Blind SQL Injection.
9.3  CVE-2026-42672 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wp Directory Kit…
8.2  CVE-2026-43624 · F5-TTS through version 1.1.20 contains a path traversal vulnerability in the finetune Gradio handlers that allows…
8.1  CVE-2026-39551 · Deserialization of Untrusted Data vulnerability in Elated-Themes Töbel allows Object Injection.
Plus 20 more this window. See NVD for the full list.

Recent from the blog
Enforcing and proving BitLocker TPM+PIN across an Intune fleet
Requiring a startup PIN is one toggle. Landing it on already-encrypted devices and proving it took across the whole fleet is the actual wor…
Gogs has a critical RCE and no one is coming to fix it
Rapid7 found a push-button remote code execution flaw in Gogs, shipped a Metasploit module with it, and ran 72 days from report to publicat…
Palo Alto's third edge zero-day in two years rhymes with the first two
CISA's federal deadline for CVE-2026-0300 landed four days before a patch existed. The deadline is not the story. The third PAN-OS portal z…
That's your patch day digest.
patchdayalert.com