This brief covers the trailing ~48 hours (June 22–24, 2026). Every item below was checked against its primary advisory, vendor statement, or original research before inclusion; CVE IDs are traced to their canonical source. A quiet patch window means the verified, in-window list is short, followed by several active campaigns that are still developing.

Cisco Unified CM WebDialer SSRF (CVE-2026-20230) now exploited in the wild

Cisco / Defused · June 23, 2026

Threat intelligence firm Defused reported active exploitation of CVE-2026-20230, an unauthenticated server-side request forgery flaw in the WebDialer service of Cisco Unified Communications Manager (Unified CM) and Unified CM Session Management Edition. The bug carries a CVSS base score of 8.6 but Cisco assigns it a Security Impact Rating of Critical because successful exploitation can write arbitrary files and escalate to root. Cisco shipped fixes on June 3; proof-of-concept code from SSD Secure is now public, and the observed activity to date appears to be reconnaissance-style scanning from a single IP. It is not yet listed in CISA KEV.

“Over the weekend we observed exploitation of CVE-2026-20230 — Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6). No previously recorded exploitation, and not yet listed in CISA KEV.” — Defused

Source: Cisco advisory (cisco-sa-cucm-ssrf-cXPnHcW) · SSD Secure write-up · BleepingComputer

LastPass confirms data theft in Klue / “Icarus” Salesforce supply-chain breach

LastPass / Klue · June 23, 2026

LastPass confirmed that customer support-case and CRM records were stolen from its Salesforce environment through the breach at market-intelligence vendor Klue, whose integration infrastructure was compromised on June 12 via a legacy credential, allowing attackers to abuse OAuth tokens connecting Klue to customers’ Salesforce instances. The extortion group “Icarus” has publicly claimed the campaign, and the disclosed victim roster has grown to include Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. LastPass says its password vaults, product infrastructure, and payment data were not affected; exposed data was limited to Salesforce CRM records such as names, contact details, and support cases.

“On June 12, we identified unauthorized activity affecting a portion of Klue’s integration infrastructure… The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments.” — Jason Smith, CEO, Klue

Source: Klue security incident update · TechCrunch · BleepingComputer

Still developing

F5 ships out-of-band patches for critical NGINX RCE flaws (CVE-2026-42530, CVE-2026-42055)

F5 · June 17, 2026 (updated June 22)

F5 issued out-of-band fixes for two critical NGINX Open Source vulnerabilities, each rated CVSS v4 9.2. CVE-2026-42530 is a use-after-free in the HTTP/3 QUIC module (ngx_http_v3_module); CVE-2026-42055 is a heap-based buffer overflow in the HTTP/2 proxy/gRPC path (ngx_http_proxy_v2_module and ngx_http_grpc_module). Both are remotely triggerable by unauthenticated attackers on non-default configurations and can lead to denial of service or code execution. Fixes are in NGINX Open Source 1.31.2, NGINX Plus 37.0.2.1, and NGINX Gateway Fabric 2.6.4. No confirmed in-the-wild exploitation has been reported.

Source: F5 advisory (K000161616) · The Hacker News · BleepingComputer

“FortiBleed” leak exposes credentials for ~73,000 Fortinet FortiGate devices

Security researcher Bob Diachenko · June 17, 2026

Researcher Bob Diachenko disclosed an exposed dataset, dubbed FortiBleed, containing valid VPN credentials and configuration data for roughly 73,932 internet-facing FortiGate firewalls across 194 countries — estimated at about half of all internet-reachable FortiGate devices. The underlying weakness stems from FortiOS storing administrator passwords as weak SHA-256 hashes after upgrades until an admin re-authenticates, which attackers cracked offline at scale. Affected organizations span banking, telecom, healthcare, and critical infrastructure. This is a credential-exposure campaign rather than a single CVE.

Source: BleepingComputer · SecurityWeek

Microsoft attributes Mastra AI npm supply-chain compromise to North Korea’s Sapphire Sleet

Microsoft · June 20, 2026

Microsoft attributed the compromise of more than 140 packages in the @mastra npm scope to the North Korean state actor Sapphire Sleet (BlueNoroff). Attackers hijacked the maintainer account “ehindero” and injected a malicious typosquat dependency, “easy-day-js,” whose post-install hook deployed a cross-platform information stealer targeting credentials, API keys, and 166 cryptocurrency wallet extensions on Windows, Linux, and macOS.

“Microsoft assesses with high confidence that this activity is attributable to Sapphire Sleet, a North Korean state actor that primarily targets the financial sector.” — Microsoft

Source: Microsoft Threat Intelligence · BleepingComputer

This brief covers the trailing ~48 hours (June 22–24, 2026).

Primary sources: Cisco PSIRT (CVE-2026-20230) · SSD Secure · Klue · F5 (CVE-2026-42530 / CVE-2026-42055) · Microsoft Threat Intelligence

This brief covers the trailing ~48 hours (June 18–20, 2026). No new vulnerabilities, advisories, or KEV entries surfaced from authoritative primary sources inside that window — a quiet stretch following last week’s heavy Patch Tuesday cycle. Rather than pad with unverified or stale items, the section below tracks the most significant campaigns from the preceding days that remain active, each presented with its true disclosure date and traced to its primary source.

Still developing

Oracle PeopleSoft zero-day exploited for unauthenticated RCE (CVE-2026-35273)

Oracle Security Alert · June 11, 2026

Oracle issued an out-of-cycle Security Alert for CVE-2026-35273, a critical flaw in PeopleSoft Enterprise PeopleTools (versions 8.61 and 8.62) carrying a CVSS base score of 9.8. The bug is remotely exploitable without authentication and can result in remote code execution. It was exploited as a zero-day in ShinyHunters data-theft attacks; Mandiant (Google Threat Intelligence) confirmed exploitation and notified more than 100 organizations, 68% of them in the higher-education sector. Oracle released emergency mitigations with a full patch to follow. Not yet listed in CISA KEV at the time of writing.

“This vulnerability is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution.” — Oracle Security Alert advisory

Source: Oracle Security Alert (CPU187) · Mandiant / Google Threat Intelligence · BleepingComputer

Microsoft June Patch Tuesday: Exchange Server zero-day exploited in the wild (CVE-2026-42897)

Microsoft (MSRC) · June 9, 2026

Microsoft’s June 2026 Patch Tuesday addressed 200 flaws, including six zero-days — five publicly disclosed and one exploited in attacks. The actively exploited issue is CVE-2026-42897, a Microsoft Exchange Server spoofing vulnerability affecting Exchange 2016, 2019, and Subscription Edition that lets an attacker execute JavaScript in a target’s browser via Outlook Web Access. The publicly disclosed zero-days include BitLocker bypasses (“YellowKey,” “bitskrieg”) and the “GreenPlasma” and “Mini-Plasma” elevation-of-privilege flaws. Administrators should prioritize the Exchange update.

“Today is Microsoft’s June 2026 Patch Tuesday, with security updates for 200 flaws, including five publicly disclosed zero-day vulnerabilities and one actively exploited in attacks.” — BleepingComputer

Source: Microsoft MSRC advisory (CVE-2026-42897) · BleepingComputer

Microsoft Defender “RoguePlanet” PoC grants SYSTEM on fully patched Windows (no patch)

BleepingComputer / Nightmare Eclipse · June 9, 2026

Hours after Patch Tuesday, the researcher known as Nightmare Eclipse released a proof-of-concept exploit dubbed “RoguePlanet” targeting a Microsoft Defender race-condition flaw. It spawns a command prompt with SYSTEM privileges on fully patched Windows 10 and Windows 11 systems. No CVE has been assigned and no patch was available at disclosure; Microsoft says it is investigating. Cybersecurity firm ThreatLocker independently reproduced the exploit against fully patched Windows 11 (build with KB5094126). Application allowlisting is cited as an effective mitigation.

“Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack.” — Danny Jenkins, CEO, ThreatLocker

Source: BleepingComputer

CISA adds Joomla Content Editor flaw to KEV (CVE-2026-48907)

CISA · June 16, 2026

CISA added CVE-2026-48907, an improper access control vulnerability in the Widget Factory Joomla Content Editor (JCE) extension, to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The addition sets a remediation deadline for federal civilian agencies under BOD 22-01 and is a strong signal for any organization running the affected Joomla extension to patch or mitigate. KEV status: listed.

Source: CISA alert · CISA KEV catalog

This brief covers the trailing ~48 hours (June 18–20, 2026).

Primary sources:

• Oracle Security Alert — CVE-2026-35273
• Microsoft MSRC — CVE-2026-42897
• Mandiant / Google Threat Intelligence
• CISA KEV addition — CVE-2026-48907
• CISA Known Exploited Vulnerabilities catalog

A roundup of notable cyber security developments from roughly the trailing 48 hours (June 15–17, 2026). Every item below was traced to a primary source — a vendor advisory, the CVE record, the CISA KEV catalog, or the original research writeup.

Microsoft confirms unpatched “RoguePlanet” zero-day in Defender (CVE-2026-50656)

Microsoft MSRC · June 17, 2026

Microsoft published an advisory acknowledging a publicly disclosed elevation-of-privilege flaw in the Microsoft Malware Protection Engine used by Microsoft Defender, tracked as CVE-2026-50656 (CVSS 7.8) and nicknamed “RoguePlanet.” A public proof-of-concept from researcher “Nightmare Eclipse” abuses a race condition to spawn a command prompt with SYSTEM privileges, and reportedly works whether or not Defender’s real-time protection is enabled. No patch is available yet; Microsoft says one is in progress.

“Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as ‘RoguePlanet’… We are working to provide a high-quality security update that addresses this vulnerability.” — Microsoft

Source: Microsoft MSRC advisory (CVE-2026-50656) · SecurityWeek

CISA adds a maximum-severity Joomla Content Editor flaw to its KEV catalog (CVE-2026-48907)

CISA · June 16, 2026

CISA added CVE-2026-48907 — a critical (CVSS 10.0) improper-access-control flaw in the Widget Factory Joomla Content Editor (JCE) extension — to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation. The flaw can let unauthenticated attackers upload and execute PHP code by creating new editor profiles, and the KEV listing sets a federal remediation deadline under the current directive.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” — CISA

Source: CISA alert (June 16, 2026) · KEV catalog

Supply-chain attack hijacks a contributor account to poison 140+ Mastra npm packages

Socket / The Hacker News · June 17, 2026

In a roughly 80-minute window early on June 17 (UTC), attackers used a hijacked legitimate former-contributor account (“ehindero”) to publish malicious versions of more than 140 packages in the @mastra/* npm scope — the popular open-source AI-agent framework. Per Socket’s analysis, the compromised packages themselves were unmodified; the malware was delivered through an injected typosquatted dependency (easy-day-js) carrying an obfuscated postinstall payload that runs automatically on npm install. Affected packages include @mastra/core, which sees hundreds of thousands of weekly downloads.

Source: Socket research · The Hacker News

Still developing: Oracle PeopleSoft zero-day fuels ShinyHunters extortion of universities (CVE-2026-35273)

Oracle / Mandiant · disclosed June 10, 2026 (ongoing)

The ShinyHunters group has been exploiting CVE-2026-35273, an unauthenticated remote-code-execution flaw in Oracle PeopleSoft PeopleTools, in attacks dating to at least late May. Google/Mandiant say 100+ organizations — about two-thirds in higher education — were notified, and the University of Nottingham confirmed student data was stolen. Oracle issued an out-of-band advisory with mitigations but, as of reporting, no full patch.

“This campaign is still active. We have observed ShinyHunters sending extortions as recently as today.” — Charles Carmakal, CTO, Mandiant Consulting

Source: Oracle security alert · Google Threat Intelligence · CyberScoop

This brief covers the trailing ~48 hours (June 15–17, 2026).

Primary sources: msrc.microsoft.com · cisa.gov · socket.dev · oracle.com