Weekly Threat Landscape Digest – Week 24

1. Microsoft June 2026 Patch Tuesday Addresses 206 Vulnerabilities

Technical Details / Key Points:

• Microsoft released its June 2026 Patch Tuesday updates fixing 206 vulnerabilities across Windows, Office, Outlook, Hyper-V, Remote Desktop Client, BitLocker, HTTP.sys, Microsoft Defender, and Azure components.
  • The update includes 37 Critical vulnerabilities, 3 publicly disclosed zero-days, and multiple RCE, EoP, DoS, Information Disclosure, and Security Feature Bypass flaws.
  • Publicly disclosed zero-days include:

• CVE-2026-50507 – BitLocker Security Feature Bypass.
• CVE-2026-49160 – HTTP.sys Denial of Service.
• CVE-2026-45586 – Windows CTFMON Elevation of Privilege.
  • CVE-2026-41091 – Microsoft Defender Elevation of Privilege vulnerability is reported as actively exploited in the wild.
  • Several critical vulnerabilities affect Microsoft Office, Outlook/Word, Hyper-V, Remote Desktop Client, Active Directory Domain Services, Kerberos KDC, DHCP Client, Windows Graphics, and HTTP.sys.

Impact:

• Successful exploitation may allow attackers to perform remote code execution, privilege escalation, security bypass, service disruption, or sensitive information disclosure.
  • The actively exploited Microsoft Defender vulnerability increases risk of endpoint compromise.
  • RDP, Office, and internet-facing Windows services may be targeted for initial access or lateral movement.

Recommendations:

• Apply the Microsoft June 2026 security updates immediately.
  • Prioritize internet-facing systems, remote access infrastructure, domain-joined endpoints, privileged workstations, and systems using RDP.
  • Monitor for suspicious Defender activity, privilege escalation attempts, abnormal RDP usage, and exploitation of Windows services.
  • Enforce MFA, restrict RDP access, and ensure EDR/vulnerability scanners are updated.

Reference:

• https://msrc.microsoft.com/update-guide/releaseNote/2026-Jun

2. Critical Vulnerabilities in Ivanti Sentry

Technical Details / Key Points:

• Ivanti released security updates addressing two critical vulnerabilities in Ivanti Sentry.
  • CVE-2026-10520 – OS Command Injection Remote Code Execution vulnerability with CVSS 10.0.
  • CVE-2026-10523 – Authentication Bypass vulnerability with CVSS 9.9.
  • Successful exploitation may allow remote, unauthenticated attackers to execute commands, bypass authentication, and gain root-level access.
  • Affected versions include Ivanti Sentry 10.5.1 and earlier, 10.6.1 and earlier, and 10.7.0 and earlier.
  • Fixed versions are 10.5.2, 10.6.2, and 10.7.1.

Impact:

• Attackers may achieve root-level remote code execution on affected appliances.
  • Exploitation could allow creation of unauthorized admin accounts and full appliance compromise.
  • Compromised Ivanti Sentry appliances may be used for persistence, credential access, and further network intrusion.

Recommendations:

• Immediately upgrade affected Ivanti Sentry appliances to the fixed versions.
  • Restrict administrative access to trusted networks only.
  • Review appliance logs for suspicious login attempts, newly created admin accounts, and abnormal command execution.
  • Assess exposed Ivanti Sentry appliances for possible compromise.

Reference:

• https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-Sentry-CVE-2026-10520-CVE2026-10523?language=en_US

3. Critical Vulnerability in FortiSandbox

Technical Details / Key Points:

• A critical vulnerability, CVE-2026-25089, has been identified in Fortinet FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS.
  • The vulnerability is a Second-Order OS Command Injection flaw affecting the Web User Interface (Web UI).
  • Severity: Critical
  • CVSS Score: 9.1
  • Attack Vector: Remote
  • Authentication Required: No
  • User Interaction Required: None
  • Exploitation may be possible through specially crafted HTTP requests sent to the Web UI.
  • Fortinet has stated that the vulnerability is not known to be exploited in the wild at the time of publication.
  • Affected versions include FortiSandbox 5.0.x / 4.4.x, FortiSandbox Cloud 5.0.x, and FortiSandbox PaaS 5.0.x.
  • Fixed versions include FortiSandbox 5.0.6 or later, 4.4.9 or later, FortiSandbox Cloud 5.0.6 or later, and FortiSandbox PaaS 5.0.6 or later.

Impact:

• Successful exploitation may allow unauthenticated attackers to execute unauthorized OS commands.
  • Attackers may gain control over affected FortiSandbox systems.
  • Compromised sandbox infrastructure could impact malware analysis, security monitoring, and internal network security.

Recommendations:

• Immediately upgrade affected FortiSandbox products to the fixed versions.
  • Restrict access to the FortiSandbox Web UI from trusted networks only.
  • Monitor Web UI access logs for suspicious HTTP requests or abnormal activity.
  • Review affected systems for signs of unauthorized command execution or compromise.

Reference:

• https://fortiguard.fortinet.com/psirt/FG-IR-26-141

4. Critical Remote Code Execution Vulnerability in Veeam Backup & Replication

Technical Details / Key Points:

• A critical vulnerability, CVE-2026-44963, has been identified in Veeam Backup & Replication.
  • The vulnerability allows an authenticated domain user to execute arbitrary code on affected backup servers.
  • Severity: Critical
  • CVSS Score: 9.4
  • The issue affects domain-joined backup servers.
  • Affected versions include Veeam Backup & Replication 12.3.2.4465 and all earlier version 12 builds.
  • Fixed version is Veeam Backup & Replication 12.3.2.4854 or later.

Impact:

• Successful exploitation may allow remote code execution on the backup server.
  • Attackers may gain control of the backup environment and access sensitive backup data.
  • Compromise may disrupt backup and recovery operations, increasing ransomware recovery risk.

Recommendations:

• Upgrade affected Veeam Backup & Replication servers to 12.3.2.4854 or later.
  • Prioritize patching domain-joined backup servers.
  • Restrict access to Veeam servers to authorized administrators only.
  • Monitor for suspicious domain user activity, unauthorized access, and abnormal processes on backup servers.

Reference:

• https://www.veeam.com/kb4869

5. Security Updates for Zoom Products Addressing Multiple Vulnerabilities

Technical Details / Key Points:

• Zoom released security updates addressing multiple vulnerabilities in Zoom Workplace, Zoom Meeting SDK, and Remote Control for Zoom Contact Center.
  • CVE-2026-53407 and CVE-2026-53408 are high-severity improper authorization vulnerabilities in the Custom URL Scheme Handler.
  • These vulnerabilities may allow an unauthenticated attacker to perform privilege escalation via network access on affected Android and iOS applications.
  • CVE-2026-53406 is a high-severity vulnerability in Remote Control for Zoom Contact Center for Windows.
  • It may allow an authenticated local user to elevate privileges due to insufficient verification of data authenticity.
  • Affected versions include Zoom Workplace for Android before 7.0.4, Zoom Workplace for iOS before 7.0.3, Zoom Meeting SDK for Android before 7.0.4, Zoom Meeting SDK for iOS before 7.0.3, and Remote Control for Zoom Contact Center for Windows before 7.0.0.

Impact:

• Successful exploitation may allow privilege escalation on affected systems.
  • Attackers may gain unauthorized access or higher privileges within affected Zoom applications.
  • Compromised systems could be used for further unauthorized activity or access to sensitive communications.

Recommendations:

• Update affected Zoom products to the latest fixed versions.
  • Upgrade Zoom Workplace for Android to 7.0.4 or later and iOS to 7.0.3 or later.
  • Upgrade Zoom Meeting SDK for Android to 7.0.4 or later and iOS to 7.0.3 or later.
  • Upgrade Remote Control for Zoom Contact Center for Windows to 7.0.0 or later.
  • Ensure mobile and endpoint application updates are enforced through MDM or endpoint management tools.

Reference:

• https://www.zoom.com/en/trust/security-bulletin/zsb-26009/
  • https://www.zoom.com/en/trust/security-bulletin/zsb-26010/

6. Critical Vulnerability in Splunk Enterprise

Technical Details / Key Points:

• Splunk released security updates addressing multiple vulnerabilities in Splunk Enterprise and the Splunk Secure Gateway application.
  • The most critical issue is CVE-2026-20253, with a CVSS score of 9.8.
  • CVE-2026-20253 allows unauthenticated attackers to perform arbitrary file creation and file truncation through a vulnerable PostgreSQL sidecar service endpoint.
  • Other addressed vulnerabilities include:

• CVE-2026-20251 – Remote Code Execution via unsafe deserialization.
• CVE-2026-20252 – Server-Side Request Forgery (SSRF).
• CVE-2026-20258 – Stored Cross-Site Scripting (XSS).
  • Fixed versions include Splunk Enterprise 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13.
  • Splunk Secure Gateway fixed versions include 3.10.6, 3.9.20, and 3.8.67.

Impact:

• Successful exploitation may allow unauthenticated attackers to create or modify files on affected systems.
  • RCE and SSRF vulnerabilities may lead to system compromise, internal network access, or unauthorized data exposure.
  • Stored XSS may allow execution of malicious scripts within the Splunk interface.

Recommendations:

• Upgrade affected Splunk Enterprise and Splunk Secure Gateway instances to the fixed versions immediately.
  • Restrict access to Splunk management and service endpoints to trusted networks only.
  • Review Splunk logs for suspicious file operations, abnormal requests, SSRF attempts, and unauthorized access.
  • Validate Splunk deployments for exposure of vulnerable services.

Reference:

• https://advisory.splunk.com/

7. Critical Remote Code Execution Vulnerability in Oracle PeopleSoft PeopleTools

Technical Details / Key Points:

• A critical vulnerability, CVE-2026-35273, has been identified in Oracle PeopleSoft PeopleTools.
  • The vulnerability affects the Updates Environment Management component.
  • Severity: Critical
  • CVSS Score: 9.8
  • The flaw is remotely exploitable over HTTP without authentication or user interaction.
  • Affected versions include Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62.
  • Oracle PeopleSoft Enterprise applications using affected PeopleTools versions may also be impacted.

Impact:

• Successful exploitation may allow attackers to execute arbitrary code on affected systems.
  • Attackers could fully compromise the confidentiality, integrity, and availability of the system.
  • Compromised PeopleSoft environments may expose sensitive enterprise data and business-critical applications.

Recommendations:

• Apply the latest Oracle security patches and mitigation guidance immediately.
  • Prioritize patching internet-facing or externally accessible PeopleSoft systems.
  • Restrict HTTP access to trusted networks only where possible.
  • Monitor PeopleSoft and web server logs for suspicious requests, unauthorized access, and abnormal process activity.

Reference:

• https://www.oracle.com/security-alerts/alert-cve-2026-35273.html

8. Multiple Vulnerabilities in Jenkins Core

Technical Details / Key Points:

• Multiple vulnerabilities have been identified in Jenkins Core, affecting Jenkins weekly and LTS releases.
  • CVE-2026-53435 is a high-severity deserialization vulnerability that may allow authenticated attackers to execute arbitrary code, impersonate users, and access sensitive files on the Jenkins controller.
  • CVE-2026-53441 is a high-severity stored XSS vulnerability in node offline cause descriptions.
  • Other vulnerabilities include open redirect, missing permission checks, improper permission validation, and exposure of plaintext secrets.
  • Affected versions include Jenkins weekly up to 2.567 and Jenkins LTS up to 2.555.2.
  • Fixed versions are Jenkins Weekly 2.568 and Jenkins LTS 2.555.3.

Impact:

• Successful exploitation may allow remote code execution, user impersonation, sensitive file access, stored XSS, phishing attacks, and credential exposure.
  • Attackers may abuse Jenkins access to compromise CI/CD pipelines, source code, build jobs, and deployment environments.

Recommendations:

• Upgrade Jenkins to Weekly 2.568 or LTS 2.555.3 immediately.
  • Review Jenkins user permissions, especially Agent/Configure and elevated read permissions.
  • Monitor Jenkins logs for suspicious job activity, unauthorized configuration changes, and abnormal user actions.
  • Restrict Jenkins access to trusted networks and enforce MFA for administrative users.

Reference:

• https://www.jenkins.io/security/advisory/2026-06-10/

9. Security Updates for Google Chrome Addressing Multiple Vulnerabilities

Technical Details / Key Points:

• Google released a new Chrome Stable Channel update addressing 28 security vulnerabilities across Windows, macOS, and Linux.
  • The update fixes 5 Critical and 23 High severity vulnerabilities affecting multiple browser components.
  • Critical vulnerabilities include Use-After-Free, Heap Buffer Overflow, and Insufficient Validation of Untrusted Input issues.
  • Key affected components include Core, GPU, Network, Accessibility, WebMIDI, Media, Extensions, Safe Browsing, Video Processing, Password Management, and DevTools.
  • Fixed versions are 149.0.7827.114/.115 for Windows and macOS and 149.0.7827.114 for Linux.

Impact:

• Successful exploitation may allow attackers to execute malicious code, crash the browser, or compromise browser security.
  • Use-after-free and memory corruption flaws may be exploited through specially crafted web content.
  • Exploitation could lead to unauthorized access, data exposure, or further compromise of user systems.

Recommendations:

• Update Google Chrome to the latest stable version immediately.
  • Enable automatic browser updates across enterprise environments.
  • Ensure endpoint and vulnerability management tools verify Chrome version compliance.
  • Monitor for abnormal browser behavior and restrict use of outdated Chrome versions.

Reference:

• https://chromereleases.googleblog.com/2026/06/stable-channel-update-fordesktop_01962725236.html

10. Security Updates for GitLab CE and EE Addressing Multiple Vulnerabilities

Technical Details / Key Points:

• GitLab released security updates addressing multiple vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE).
  • The most severe issue is CVE-2026-6552, a high-severity improper access control vulnerability in the Group SAML Identity API that may allow a Group Owner to take over another group member’s GitLab account.
  • CVE-2026-10087 is a high-severity stored XSS vulnerability in the Analytics Dashboard, allowing authenticated users to execute malicious client-side code.
  • Other vulnerabilities include Denial of Service, HTML Injection, SSRF, Authorization Bypass, and improper access control issues.
  • Fixed versions are GitLab 19.0.2, 18.11.5, and 18.10.8.

Impact:

• Successful exploitation may lead to account takeover, unauthorized access, stored XSS, service disruption, and exposure of internal resources.
  • SSRF and access control flaws may allow attackers to access internal systems, modify restricted data, or bypass review controls.
  • Compromise of GitLab may impact source code, CI/CD pipelines, project security settings, and development workflows.

Recommendations:

• Upgrade affected GitLab CE/EE instances to 19.0.2, 18.11.5, 18.10.8, or later immediately.
  • Prioritize internet-facing and enterprise GitLab deployments using SAML, CI/CD, and repository import features.
  • Review GitLab logs for suspicious SAML activity, unauthorized account changes, API abuse, and abnormal repository import attempts.
  • Enforce strong access controls, review group owner permissions, and monitor CI/CD and merge request activity.

Reference:

• https://docs.gitlab.com/releases/patches/patch-release-gitlab-19-0-2-released/#cve-2026-6552—improper-access-control-issue-in-group-saml-identity-api-impacts-gitlab-ee

11. Actively Exploited Vulnerability in SolarWinds Serv-U

Technical Details / Key Points:

• An actively exploited vulnerability, CVE-2026-28318, has been identified in SolarWinds Serv-U.
  • The vulnerability is an unauthenticated Denial of Service (DoS) issue caused by uncontrolled resource consumption.
  • An attacker can exploit the flaw remotely by sending specially crafted HTTP POST requests with the Content-Encoding: deflate header.
  • CVSS Score: 7.5
  • Authentication Required: No
  • User Interaction Required: No
  • Affected versions include SolarWinds Serv-U 15.5.4 and earlier.
  • Fixed version is SolarWinds Serv-U 15.5.4 HF1.
  • Internet-facing Serv-U servers are at the highest risk.

Impact:

• Successful exploitation may cause the Serv-U service to crash or become unavailable.
  • Attackers may disrupt file transfer services and impact business operations.
  • Active exploitation increases the risk for exposed Serv-U deployments.

Recommendations:

• Upgrade SolarWinds Serv-U to 15.5.4 HF1 immediately.
  • Restrict Serv-U access to trusted IP addresses where possible.
  • Review exposure of internet-facing Serv-U instances.
  • Monitor logs for suspicious HTTP POST requests containing the Content-Encoding: deflate header.

Reference:

• https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28318

12. Multiple Vulnerabilities in Progress Sitefinity CMS and Sitefinity Insight

Technical Details / Key Points:

• Progress disclosed multiple vulnerabilities affecting Progress Sitefinity CMS and Sitefinity Insight.
  • The vulnerabilities impact OData Web Services and ServiceStack Web Services.
  • CVE-2026-7312 is a critical insufficiently protected credentials vulnerability in OData Web Services with CVSS 10.0.
  • CVE-2026-7198 is a critical improper access control vulnerability in OData Web Services with CVSS 9.8.
  • Other high-severity issues include improper input validation, authorization bypass, and insufficiently protected credentials.
  • Affected versions include Sitefinity 8.0 through 15.4, depending on the vulnerability.
  • Fixed updates are available for affected Sitefinity versions, including 15.4.8630, 15.3.8531, 15.2.8441, 15.1.8335, 15.0.8234, 14.4.8152, and 13.3.7652.

Impact:

• Successful exploitation may allow unauthorized access, credential exposure, authorization bypass, and improper access to Sitefinity resources.
  • Attackers may exploit vulnerable internet-facing Sitefinity deployments to access sensitive data or abuse CMS functionality.
  • Compromise of CMS environments may impact website integrity, user data, and business applications.

Recommendations:

• Upgrade affected Sitefinity installations to the latest fixed security update immediately.
  • Prioritize remediation for internet-facing Sitefinity CMS and Sitefinity Insight environments.
  • Review access logs for suspicious OData or ServiceStack web service activity.
  • Enforce strong access controls and restrict administrative access to trusted users and networks.

Reference:

• https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-AddressingSecurity-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026

13. Critical Vulnerability in MariaDB Community Server

Technical Details / Key Points:

• Multiple security vulnerabilities have been identified in MariaDB Community Server, including one critical flaw.
  • The most severe vulnerability is CVE-2026-49261, with a CVSS score of 10.0.
  • Additional high-severity vulnerabilities include CVE-2026-48165 and CVE-2026-48163, both with CVSS 8.0.
  • The vulnerabilities affect multiple MariaDB versions used across on-premises and cloud database environments.
  • Fixed versions include MariaDB 11.8.8, 11.4.12, 10.11.18, and 10.6.27 or later.

Impact:

• Successful exploitation may lead to unauthorized access, sensitive data exposure, or database server compromise.
  • Affected database servers may be at risk of service disruption, data manipulation, or full takeover.
  • Internet-facing MariaDB instances are at higher risk.

Recommendations:

• Upgrade MariaDB Community Server to the latest patched version immediately.
  • Identify all MariaDB instances across on-premises and cloud environments.
  • Prioritize remediation of internet-facing database servers.
  • Restrict database access to trusted hosts and monitor logs for suspicious authentication or query activity.

Reference:

• https://mariadb.com/docs/release-notes/community-server/11.8/11.8.8
  • https://mariadb.com/docs/release-notes/community-server/11.4/11.4.12
  • https://mariadb.com/docs/release-notes/community-server/10.11/10.11.18
  • https://mariadb.com/docs/release-notes/community-server/10.6/10.6.27

14. Multiple Vulnerabilities in VMware Cloud Foundation Operations

Technical Details / Key Points:

• Multiple stored cross-site scripting vulnerabilities have been identified in VMware Cloud Foundation Operations and related products.
  • Tracked as CVE-2026-41722, CVE-2026-41723, and CVE-2026-41724.
  • Severity: High
  • CVSS Score: 8.0
  • An authenticated attacker with privileges to create policies, views, or text widgets may inject malicious scripts.
  • Affected products include VMware Cloud Foundation Operations, VMware Aria Operations, VMware vSphere Foundation, and VMware Telco Cloud Platform.
  • Fixed versions include VCF Operations 9.1.0.0, 9.0.2.0 EP2, VMware Aria Operations 8.18.6 / 8.18.7, and related Broadcom fixes.

Impact:

• Successful exploitation may allow malicious script execution within the application context.
  • Attackers may perform unauthorized administrative actions, compromise sessions, or manipulate application content.
  • Exploitation could impact monitoring, operational visibility, and administrative control in VMware environments.

Recommendations:

• Update affected VMware/Broadcom products to the fixed or latest supported versions.
  • Review users with permissions to create policies, views, or text widgets.
  • Restrict administrative access to trusted users and networks.
  • Monitor for suspicious widget, policy, or view changes and unusual administrative activity.

Reference:

• https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37513

15. Critical Vulnerabilities in IBM WebSphere Application Server

Technical Details / Key Points:

• Multiple critical vulnerabilities have been identified in IBM WebSphere Application Server.
  • The vulnerabilities may allow authentication bypass, unauthorized access, remote code execution, and security control bypass.
  • Key vulnerabilities include:

• CVE-2026-8644 – Critical authentication bypass vulnerability with CVSS 9.1.
• CVE-2026-9319 – Critical deserialization vulnerability in JAX-WS endpoints with WS-Security, allowing remote code execution.
• CVE-2026-9311 – Critical remote code execution vulnerability due to security control bypass.
• CVE-2026-9330 – High-severity SAML SSO validation issue that may lead to remote code execution.
  • Affected versions include IBM WebSphere Application Server 9.0.0.0 through 9.0.5.28 and 8.5.0.0 through 8.5.5.29.
  • IBM has released interim fixes for APARs PH71422, PH71453, and PH71454.

Impact:

• Successful exploitation may allow attackers to bypass authentication, spoof identities, and gain unauthorized access.
  • Remote code execution could lead to full application server compromise.
  • Compromised WebSphere servers may expose sensitive enterprise applications, disrupt services, and support lateral movement.

Recommendations:

• Apply the IBM interim fixes for PH71422, PH71453, and PH71454 without delay.
  • Upgrade to Fix Pack 9.0.5.29 or later / 8.5.5.30 or later when available.
  • Prioritize remediation of internet-facing and business-critical WebSphere deployments.
  • Review WebSphere security configurations and restrict unnecessary service exposure.
  • Monitor application and server logs for suspicious access, crafted requests, and abnormal execution activity.

Reference:

• https://www.ibm.com/support/pages/node/7274733
  • https://www.ibm.com/support/pages/node/7274738
  • https://www.ibm.com/support/pages/node/7274740

16. Actively Exploited Zero-Day Vulnerability in Google Chrome

Technical Details / Key Points:

• Google released Chrome Stable Channel updates addressing 74 security fixes, including 17 Critical and multiple High/Medium severity vulnerabilities.
  • The update includes an actively exploited zero-day, CVE-2026-11645, affecting the V8 JavaScript engine.
  • CVE-2026-11645 is a high-severity out-of-bounds memory access vulnerability that may allow remote attackers to execute arbitrary code through a crafted HTML page.
  • Critical vulnerabilities include multiple Use-After-Free flaws affecting components such as Ozone, File Input, Aura, TabStrip, Bluetooth, Gamepad, Autofill, Views, Printing, Compositing, Web Apps, and Proxy.
  • Other notable high-severity issues affect V8, WebRTC, GPU, Media, Bluetooth, Bindings, and libyuv.
  • Fixed versions are 149.0.7827.102/.103 for Windows and macOS and 149.0.7827.102 for Linux.

Impact:

• Successful exploitation may allow arbitrary code execution, browser compromise, memory corruption, or application crashes.
  • The actively exploited V8 vulnerability increases risk for users visiting malicious or compromised websites.
  • Exploitation may lead to unauthorized access, data exposure, or further compromise of endpoint systems.

Recommendations:

• Update Google Chrome to the latest stable version immediately.
  • Enable automatic browser updates across enterprise environments.
  • Prioritize patch validation for all endpoints, especially user workstations and privileged systems.
  • Monitor for abnormal browser behavior, suspicious web activity, and outdated Chrome versions.

Reference:

• https://chromereleases.googleblog.com/2026/06/stable-channel-update-fordesktop_0153744567.html

17. Actively Exploited Vulnerability in Check Point Remote Access VPN and Mobile Access

Technical Details / Key Points:

• An actively exploited vulnerability, CVE-2026-50751, has been identified in Check Point Remote Access VPN and Mobile Access VPN.
  • The vulnerability is a high-severity authentication bypass issue affecting deployments using the deprecated IKEv1 protocol.
  • Successful exploitation may allow an unauthenticated attacker to establish a VPN connection without a valid user password.
  • Affected platforms include Gaia and Gaia Embedded security gateways.
  • Vulnerable configurations include environments where Remote Access VPN/Mobile Access is enabled, IKEv1 is enabled, legacy VPN clients are allowed, and machine certificate authentication is not mandatory.
  • Affected versions include R82.10, R82, R81.20, R81.10, R81, R80.40, and supported/unsupported Spark Firewall releases, depending on hotfix level.
  • Known exploitation activity has been observed from IPs including 45.77.149.152, 209.182.225.136, 38.60.157.139, 162.33.177.101, 45.76.26.42, 144.208.127.155, 38.54.88.201, 38.54.107.167, and 66.42.99.200.

Impact:

• Successful exploitation may allow unauthorized VPN access to internal corporate networks.
  • Attackers may use the access for lateral movement, data theft, privilege escalation, and further compromise of critical systems.
  • Active exploitation increases risk for organizations using vulnerable legacy VPN configurations.

Recommendations:

• Apply the latest Check Point Jumbo Hotfix Accumulator or vendor-provided hotfix immediately.
  • Search VPN and SmartConsole logs for listed IOC IPs, IKE events, Key Install actions, Quick Mode negotiations, and unusual VPN sessions.
  • Disable legacy client support and IKEv1 for remote access where possible.
  • Upgrade unsupported End-of-Support versions immediately.
  • Enforce MFA and machine certificate authentication for remote access users.
  • Rotate VPN user credentials if suspicious activity is detected.

Reference:

• https://support.checkpoint.com/results/sk/sk185033

18. Multiple Vulnerabilities in Apache MINA

Technical Details / Key Points:

• Multiple vulnerabilities have been identified in Apache MINA, impacting application security and availability.
  • CVE-2026-47065 is a critical deserialization vulnerability that may allow attackers to bypass configured class allow-lists through Java Proxy class handling.
  • Successful exploitation could bypass deserialization security controls and trigger unintended code paths in affected applications.
  • CVE-2026-47321 affects the CompressionFilter component and may allow specially crafted compressed data to cause excessive memory consumption.
  • Fixed versions are Apache MINA 2.0.29, 2.1.13, and 2.2.8.

Impact:

• Successful exploitation may allow deserialization security bypass and unintended code execution paths.
  • CompressionFilter abuse may lead to memory exhaustion and denial of service.
  • Affected applications using Apache MINA may experience instability, service disruption, or increased attack exposure.

Recommendations:

• Upgrade Apache MINA to 2.0.29, 2.1.13, 2.2.8, or later immediately.
  • Review applications using Apache MINA deserialization features and restrict unsafe object handling.
  • For environments using CompressionFilter, configure decompression limits such as maxDecompressedSize, maxDecompressRatio, and decompressRatioMinSize.
  • Monitor application logs for abnormal deserialization errors, memory exhaustion, and DoS-related activity.

Reference:

• https://lists.apache.org/thread/y7xj1bl8qo47p9bktb11hg5v6k1d4dyj

19. Security Updates for SAP Products Addressing Multiple Vulnerabilities

Technical Details / Key Points:

• SAP released its June 2026 Security Updates addressing multiple vulnerabilities across several SAP products.
  • Affected products include SAP NetWeaver, SAP Commerce Cloud, SAP S/4HANA, SAP Business Objects, SAP Fiori, SAP Data Hub, and SAP Wily Introscope Enterprise Manager.
  • Critical vulnerabilities include:

• CVE-2026-44748 – XML Signature Wrapping issue in SAML authentication affecting SAP NetWeaver AS ABAP and ABAP Platform.
• CVE-2026-27671 – Memory corruption vulnerability in SAP NetWeaver Application Server ABAP.
• CVE-2026-22732 – Potential Spring Security vulnerability in SAP Commerce Cloud and SAP Data Hub.
• CVE-2026-40128 – Directory traversal vulnerability in SAP NetWeaver Application Server Java.
  • Other vulnerabilities include missing authorization checks, SQL injection, reflected XSS, path traversal, email spoofing, and security misconfiguration issues.

Impact:

• Successful exploitation may allow authentication bypass, remote code execution, privilege escalation, and unauthorized access.
  • Attackers may access sensitive SAP data, manipulate database queries, access restricted files, or compromise affected SAP systems.
  • Exploitation may impact the confidentiality, integrity, and availability of business-critical SAP environments.

Recommendations:

• Apply the latest SAP June 2026 security updates immediately.
  • Prioritize internet-facing and business-critical SAP systems such as NetWeaver, S/4HANA, Commerce Cloud, and Business Objects.
  • Review SAP authorization settings and restrict unnecessary access.
  • Monitor SAP logs for suspicious authentication, authorization failures, SQL injection attempts, XSS activity, and abnormal file access.

Reference:

• https://support.sap.com/en/my-support/knowledge-base/security-notes-news/june2026.html