Cyber Threat Intel

Critical CVEs: PAN-OS, cPanel, Cisco SD-WAN, Check Point VPN, Ivanti Sentry, ServiceNow, PeopleSoft, UpdraftPlus, GitLab, iPhone flaw, Vertiv UPS, FortiGate, LiteLLM, WebKit DoS, Chrome, Microsoft Teams Android, RoguePlanet, SimpleHelp, Flowise, SAP, STACKIT, FortiSandbox, Linux kernel, Cisco CVE-2026-20127, Bookly CVE-2026-42667, MongoDB CVEs, Chrome 33 flaws, Rockwell ICS, Tesla CAN injection, Jenkins CVE-2026-53435, cPanel CVE-2026-48172, Joomla Widget Factory RCE, Oracle Financials CVE-2026-46969, Joomla/LiteSpeed CVE-2026-54420, Joomla JCE RCE, JD Edwards CVE-2026-46880, Moxa NPort RCE, F5 NGINX patches

Critical CVEs: PAN-OS, cPanel, Cisco SD-WAN, Check Point VPN, Ivanti Sentry, ServiceNow, PeopleSoft, UpdraftPlus, GitLab, iPhone flaw, Vertiv UPS, FortiGate, LiteLLM, WebKit DoS, Chrome, Microsoft Teams Android, RoguePlanet, SimpleHelp, Flowise, SAP, STACKIT, FortiSandbox, Linux kernel, Cisco CVE-2026-20127, Bookly CVE-2026-42667, MongoDB CVEs, Chrome 33 flaws, Rockwell ICS, Tesla CAN injection, Jenkins CVE-2026-53435, cPanel CVE-2026-48172, Joomla Widget Factory RCE, Oracle Financials CVE-2026-46969, Joomla/LiteSpeed CVE-2026-54420, Joomla JCE RCE, JD Edwards CVE-2026-46880, Moxa NPort RCE, F5 NGINX patches

Key Questions

What is the RoguePlanet zero-day vulnerability?

RoguePlanet is a zero-day in Microsoft Defender (CVE-2026-50656) that Microsoft has acknowledged, with a patch currently in development. It was highlighted as actively exploited in the latest critical CVEs summary.

Which vulnerabilities are under active exploitation according to CISA?

CISA has added PAN-OS GlobalProtect, Cisco SD-WAN CVE-2026-20262, FortiSandbox CVE-2026-25089, Joomla JCE RCE, and cPanel CVE-2026-48172 to the KEV catalog due to confirmed exploitation. CISA BOD 26-04 now requires 3-day patching for these.

What is the status of the Check Point VPN vulnerability?

A proof-of-concept has been released for the Check Point VPN flaw, leading to expectations of increased exploitation attempts. It is listed among the critical vulnerabilities requiring immediate attention.

How severe is the new Chrome vulnerability?

Chrome CVE-2026-12013 is a high-severity use-after-free bug, and the latest update (Chrome 149) addresses 33 flaws including 7 critical ones such as CVE-2026-12437. Users are advised to update immediately.

What new patches were released for Fortinet products?

Fortinet released June 2026 patches covering multiple high-priority vulnerabilities including FortiGate and FortiSandbox issues. These are considered high priority due to active exploitation reports.

Which Joomla vulnerabilities are actively being exploited?

Joomla JCE RCE (added to CISA KEV), Joomla/LiteSpeed CVE-2026-54420 (root escalation), and the Widget Factory plugin unauthenticated RCE are under active attack with no patch yet for the latter. Shared hosting environments are particularly at risk.

What does the Tesla CAN injection vulnerability affect?

The flaw in Tesla Model 3 enables keyless theft through CAN injection and was discovered by PlaxidityX Threat Labs. It is one of several new ICS and automotive vulnerabilities disclosed recently.

Why are patch windows collapsing for these CVEs?

The exploit-to-patch gap has turned negative at 7 days, with AI-assisted discovery accelerating attacks on unpatched systems. CISA mandates rapid remediation for KEV-listed issues amid widespread active exploitation.

Active exploitation of multiple critical vulnerabilities. New: RoguePlanet zero-day (CVE-2026-50656) acknowledged by Microsoft, patch in progress. Cisco SD-WAN CVE-2026-20262 root escalation under attack – CISA KEV. Chrome CVE-2026-12013 use-after-free (high severity). Check Point VPN PoC released – exploitation expected to spike. Fortinet June 2026 patches released – high priority. PAN-OS GlobalProtect bug actively exploited, added to CISA KEV. SimpleHelp auth bypass, Flowise RCE, SAP NetWeaver tampering, STACKIT privilege escalation – all critical. FortiSandbox CVE-2026-25089 exploited via vibecoded exploit. Linux kernel root exploit CVE-2026-23111 patched in Linux 7.1. CVE-2026-20127 (CVSS 10.0) authentication bypass in Cisco product – no exploitation yet. Bookly WordPress plugin CVE-2026-42667 – high-severity unauthenticated data exposure. CISA BOD 26-04 mandates 3-day patching for KEVs. Patch windows collapsed; exploit-to-patch gap negative 7 days. PeopleSoft CVE-2026-35273: SSRF-to-RCE chain, 100+ orgs hit, 68% higher ed, Council of Europe deadline today. New: MongoDB CVE-2026-9740 and CVE-2026-11933 high-severity memory-safety bugs. New: Chrome 149 fixes 33 flaws, 7 critical (CVE-2026-12437 use-after-free). New: Rockwell Automation patches ICS vulnerabilities. New: Tesla Model 3 CAN injection vulnerability for keyless theft. New: Jenkins CVE-2026-53435 – authenticated deserialization to full controller takeover, actively exploited. Critical for CI/CD supply chain. New: cPanel CVE-2026-48172 in LiteSpeed plugin – root escalation, actively exploited, CISA deadline. New: Joomla Widget Factory plugin critical unauthenticated RCE – no patch yet. New: Oracle Financials CVE-2026-46969 (CVSS 7.2) – takeover potential, not yet exploited. New: Joomla/LiteSpeed CVE-2026-54420 root escalation actively exploited – shared hosting environments at risk. New: Joomla JCE RCE flaw added to CISA KEV – active exploitation confirmed. New: JD Edwards EnterpriseOne Tools CVE-2026-46880 (CVSS 9.8) – critical takeover vulnerability, no active exploitation yet. New: Moxa NPort serial server RCE (authenticated to root) – patch v1.5.1 available, OT devices at risk. New: F5 NGINX out-of-band patches for HTTP/3 and HTTP/2 CVEs – adds to patch pressure.

Sources (20)
Updated Jun 24, 2026