Vulnerability Intelligence Report — June 1, 2026

Coverage: May 31 – June 1, 2026 | New exploitation confirmations: 1 | CISA KEV deadlines today: 1 | Deadlines this week: 6
Previous reports: May 31, 2026 | May 30, 2026 | May 29, 2026

This report covers the threat landscape as of June 1, 2026. Today marks the CISA KEV remediation deadline for Palo Alto PAN-OS CVE-2026-0257 — now confirmed actively exploited by multiple threat actors. WP Maps Pro (CVE-2026-8732) has now been confirmed under active exploitation with attackers creating rogue admin accounts on WordPress sites. Google Chrome’s Device Bound Session Credentials (DBSC) has reached general availability, providing hardware-bound session cookie protection to all users. The week ahead brings six additional CISA KEV deadlines across Microsoft Defender, Trend Micro Apex One, and Langflow.


Quick Reference — Most Important Vulnerabilities Today

Palo Alto PAN-OS GlobalProtect: CVE-2026-0257 (CISA KEV DEADLINE TODAY, actively exploited, CVSS 9.1)

WP Maps Pro (WordPress): CVE-2026-8732 (NOW ACTIVELY EXPLOITED, CVSS 9.8, rogue admin creation)

Microsoft Defender: CVE-2026-41091, CVE-2026-45498 (KEV deadline June 3, 2 days)

Trend Micro Apex One: CVE-2026-34926 (KEV deadline June 4, 3 days)

Langflow: CVE-2025-34291 (KEV deadline June 4, 3 days, MuddyWater exploitation)

Drupal Core: CVE-2026-9082 (KEV deadline passed May 27, still actively exploited)

FortiClient EMS: CVE-2026-35616 (actively exploited, EKZ infostealer)

Ghost CMS: CVE-2026-26980 (actively exploited, 700+ domains, ClickFix)

SonicWall SSL-VPN: CVE-2024-12802 (actively exploited, incomplete patch on Gen6)


Palo Alto PAN-OS GlobalProtect — CVE-2026-0257 (DEADLINE TODAY, Actively Exploited)

Software affected: PAN-OS devices running GlobalProtect portal and gateway with authentication override cookies enabled. Full affected version ranges were detailed in the May 30 and May 31 reports and the dedicated advisory.

CVE: CVE-2026-0257 | CVSS 9.1 Critical | CWE-287 | CISA KEV — deadline today, June 1, 2026 | Actively exploited since May 17

Status update: Today is the CISA KEV remediation deadline. Rapid7 has confirmed exploitation across numerous customer environments via two distinct attack waves — from Vultr infrastructure (May 18) and Dromatics Systems (May 21) — using forged authentication override cookies targeting the local administrator account. Palo Alto Networks has raised the severity from Medium to High in response to exploitation activity. Organisations that have not yet patched are now past the federal deadline and operating at direct, confirmed risk of unauthorised VPN access. The patch was released earlier in May — there is no excuse for remaining unpatched on deadline day. A full technical breakdown is available in the dedicated CVE-2026-0257 advisory published May 31.

Fixable: Yes. Apply the PAN-OS patch immediately.

Recommended action: Patch today. If remediation is not yet complete, this is your highest-priority action. Audit GlobalProtect gateway logs for sessions authenticated with override cookies targeting the local admin account. Hunt for connections from Vultr and Dromatics Systems IP ranges. For organisations that have already patched: verify the patch was applied correctly by confirming the running PAN-OS version and reviewing the advisory for any post-patch configuration steps.

Official source: Palo Alto Networks Advisory — CVE-2026-0257 | CISA KEV Catalog


WP Maps Pro (WordPress Plugin) — CVE-2026-8732 (NOW ACTIVELY EXPLOITED)

Software affected: WP Maps Pro — a commercial WordPress mapping and store locator plugin sold through Envato Market — all versions up to and including 6.1.0. The plugin has over 15,800 sales.

CVE: CVE-2026-8732 | CVSS 9.8 Critical | CWE-306 (Missing Authentication for Critical Function) | NOW CONFIRMED ACTIVELY EXPLOITED

Update since May 30 report: Active exploitation is now confirmed. Attackers are targeting WordPress sites running vulnerable versions to create rogue administrator accounts without any authentication. The attack exploits the plugin’s “temporary access” feature — originally designed for vendor support — via an AJAX endpoint accessible to unauthenticated users and protected only by a publicly exposed nonce embedded in frontend JavaScript (a nonce is a CSRF token, not an authentication check, hence CWE-306). A single crafted request triggers code that: (1) creates a new WordPress user with the administrator role, (2) generates a passwordless login URL for that account, and (3) sends the URL to a remote attacker-controlled system. When the attacker visits the URL, they are automatically authenticated as the new administrator with no password required — achieving full site takeover in a single HTTP request. Security researcher David Brown discovered and reported the vulnerability.

Fixable: Yes. A patched version of WP Maps Pro has been released. Update immediately through your Envato Market / CodeCanyon account or the developer’s distribution channel.

How to fix: Update WP Maps Pro to the latest patched version. After updating, immediately audit your WordPress user list for unrecognised administrator accounts — particularly recently created accounts with unusual usernames or email addresses. Check the WordPress activity logs for user creation events from external IP addresses. If a rogue admin account is found, treat the site as compromised: delete the account, rotate all credentials, review all installed themes and plugins for backdoors, and check for unauthorised content modifications.

Recommended action: Urgent for any WordPress site running WP Maps Pro. The vulnerability is trivial to exploit — a single unauthenticated HTTP request creates a full admin account with a passwordless login URL exfiltrated to the attacker. With confirmed active exploitation and 15,800+ sites in the install base, automated scanning is highly likely. If you cannot update immediately, disable the plugin until the patch can be applied. A dedicated advisory for CVE-2026-8732 will be published shortly on threat-modeling.com.
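To support the post-update audit above, an added example (not code from this report, the plugin or WordPress): it reads a constructed `wp user list --format=json` export and constructed web-server access-log lines, flags administrator accounts registered after a baseline date, and lists POSTs to admin-ajax.php within five minutes of each account's creation as candidate triggering requests. The user fields and combined log format are assumptions about typical WP-CLI and web-server output; the access log cannot show whether a request carried a session cookie, so the pairing is a lead to review, not proof.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `wp user list --format=json` output (not real site data).
# WordPress stores user_registered in UTC; roles is a comma-separated string.
WP_USERS_JSON = """[
 {"ID": 1, "user_login": "siteowner", "user_registered": "2024-03-02 10:15:00", "roles": "administrator"},
 {"ID": 2, "user_login": "editor_jane", "user_registered": "2025-11-20 09:00:00", "roles": "editor"},
 {"ID": 57, "user_login": "support_tmp_9f3a", "user_registered": "2026-05-31 03:12:44", "roles": "administrator"}
]"""

# Constructed access-log lines in combined log format (not from a real server).
ACCESS_LOG = """\
203.0.113.7 - - [31/May/2026:03:12:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.5 - - [31/May/2026:08:40:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
WP_TS = "%Y-%m-%d %H:%M:%S"

def recent_admins(users_json, since):
    """Administrator accounts registered on or after `since` (naive UTC datetime)."""
    return [u for u in json.loads(users_json)
            if "administrator" in u["roles"].split(",")
            and datetime.strptime(u["user_registered"], WP_TS) >= since]

def ajax_posts_near(log_text, when, minutes=5):
    """(ip, timestamp) of POSTs to admin-ajax.php within `minutes` of `when`."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-admin/admin-ajax.php"):
            continue
        # Normalise the log's zone offset to naive UTC so it compares with user_registered.
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc).replace(tzinfo=None)
        if abs(ts - when) <= timedelta(minutes=minutes):
            hits.append((m["ip"], ts))
    return hits

def triage(users_json, log_text, since):
    """Map each recently created admin login to nearby admin-ajax.php POSTs."""
    return {u["user_login"]: ajax_posts_near(log_text, datetime.strptime(u["user_registered"], WP_TS))
            for u in recent_admins(users_json, since)}

if __name__ == "__main__":
    for login, hits in triage(WP_USERS_JSON, ACCESS_LOG, datetime(2026, 5, 1)).items():
        print(f"review admin '{login}': candidate requests -> {hits or 'none in window'}")
```

Any account the script surfaces should be checked against the site's change-control records before it is deleted, so the evidence is preserved for the compromise assessment described above.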

Official source: NVD — CVE-2026-8732


This Week’s CISA KEV Deadlines — Six Deadlines in Three Days

The week of June 1–4, 2026 brings a dense cluster of CISA KEV remediation deadlines. Organisations subject to BOD 22-01 should ensure these are addressed before their respective dates.

June 3, 2026 (Tuesday — 2 days)

Microsoft Defender — CVE-2026-41091 and CVE-2026-45498. Covered in the May 22 report. Verify that the Malware Protection Engine is updated to version 1.1.26040.8 across all Windows endpoints. The two CVEs allow local privilege escalation and denial of service, respectively. The engine update is distributed through Windows Update and should be applied automatically on managed endpoints — verify deployment coverage.

Microsoft Windows Server Service — CVE-2008-4250. A buffer overflow in the Windows Server Service (Conficker-era vulnerability) added to KEV on May 20. While this is a 2008-era CVE, its KEV addition signals sustained exploitation interest. Ensure MS08-067 is applied on any legacy Windows Server installations.

Microsoft DirectX — CVE-2009-1537. QuickTime Movie Parser filter vulnerability in DirectShow. Added to KEV May 20.

Adobe Acrobat and Reader — CVE-2009-3459. Heap buffer overflow via crafted PDF. Added to KEV May 20.

June 4, 2026 (Wednesday — 3 days)

Trend Micro Apex One — CVE-2026-34926. Covered in the May 22 report. Directory traversal allowing a pre-authenticated local attacker to modify a key table and inject malicious code. Apply SP1 CP Build 18012 for on-premise deployments and agent build 14.0.20731 for SaaS. Actively exploited.

Langflow — CVE-2025-34291. Covered in the May 22 report. Overly permissive CORS configuration combined with SameSite=None refresh token cookie allows cross-origin token theft. Exploited by MuddyWater APT group. Upgrade to Langflow 1.7.0 or later immediately.
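A check for the CORS-plus-cookie combination described in the Langflow item, as an added example that is not Langflow's code or the reporter's own: it inspects a response's headers for an echoed untrusted Origin with credentials allowed and for an auth cookie marked SameSite=None, and reports when both are present. The header values, cookie name and trusted-origin list are constructed placeholders.

```python
from http.cookies import SimpleCookie

# Constructed response headers for an authenticated API endpoint, as a browser would see
# them; not captured from a real Langflow instance, and the cookie name is a placeholder.
WEAK_HEADERS = {
    "Access-Control-Allow-Origin": "https://attacker.example",  # request Origin echoed back
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "refresh_token=abc123; Path=/; Secure; SameSite=None",
}
HARDENED_HEADERS = {
    "Access-Control-Allow-Origin": "https://app.example.com",   # fixed allow-list entry
    "Access-Control-Allow-Credentials": "true",
    "Set-Cookie": "refresh_token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

def cors_cookie_findings(headers, request_origin, trusted_origins):
    """Report the conditions that together let a cross-origin page obtain the token.

    1. The server echoes an Origin outside its allow-list while allowing credentials.
    2. The auth cookie is SameSite=None, so the browser attaches it to that request.
    Either alone is a weakness; both together match the pattern described for Langflow.
    """
    findings = []
    acao = headers.get("Access-Control-Allow-Origin", "")
    creds = headers.get("Access-Control-Allow-Credentials", "").strip().lower() == "true"
    reflects = creds and acao == request_origin and request_origin not in trusted_origins
    if reflects:
        findings.append(f"CORS reflects untrusted origin {request_origin} with credentials allowed")
    jar = SimpleCookie()
    jar.load(headers.get("Set-Cookie", ""))  # parses attributes such as SameSite per cookie
    none_cookies = [n for n, m in jar.items() if m["samesite"].lower() == "none"]
    for name in none_cookies:
        findings.append(f"cookie {name} is SameSite=None and will be sent on cross-site requests")
    if reflects and none_cookies:
        findings.append("cross-origin token theft possible: restrict CORS origins and set SameSite=Lax/Strict")
    return findings

if __name__ == "__main__":
    trusted = {"https://app.example.com"}
    print("weak:", cors_cookie_findings(WEAK_HEADERS, "https://attacker.example", trusted))
    print("hardened:", cors_cookie_findings(HARDENED_HEADERS, "https://attacker.example", trusted))
```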


Google Chrome — Device Bound Session Credentials (DBSC) Now Generally Available

Google has announced that Chrome’s Device Bound Session Credentials (DBSC) security feature has reached general availability and is now rolling out to all users. DBSC cryptographically binds session cookies to a device’s hardware security chip — the Trusted Platform Module (TPM) on Windows or the Secure Enclave on macOS — using unique public/private key pairs generated by the chip itself. Because the private key never leaves the hardware, stolen session cookies become useless on any other device, effectively neutralising the session-cookie-theft-and-MFA-bypass attack pattern that has been a primary vector for account takeovers. The feature has been in beta since April 2026 and was first announced in 2024. This is a significant architectural defence against credential-stealing malware — including the EKZ infostealer currently being distributed through compromised FortiClient EMS servers — and represents a meaningful reduction in the blast radius of infostealer campaigns. Organisations should ensure Chrome is updated to the latest version to receive DBSC protection as it rolls out.


Updates on Items from Previous Reports

The following items were covered in full in earlier reports. Brief updates are noted where new information is available. For full technical details and remediation steps, refer to the linked original entries.

Palo Alto PAN-OS — CVE-2026-0257 (KEV deadline today, actively exploited): Covered as the lead item in both this report and the dedicated advisory. Deadline is today. Patch now if you have not already.

Drupal Core — CVE-2026-9082 (KEV deadline passed May 27, actively exploited): Covered in the May 28 report and dedicated advisory. Now five days past the federal deadline. Organisations still running unpatched Drupal instances on PostgreSQL are at direct risk of exploitation.

LiteSpeed cPanel Plugin — CVE-2026-48172 (KEV deadline passed May 29): Covered in the May 28 report. cPanel has been proactively removing the vulnerable user-end plugin.

Daemon Tools Lite — CVE-2026-8398 (KEV deadline passed May 30): Covered in the May 28 report. Deadline passed yesterday. Patch if you have not already.

FortiClient EMS — CVE-2026-35616 (EKZ infostealer, actively exploited): Covered in the May 29 report. Arctic Wolf has published additional IOCs. Patch FortiClient EMS 7.4.5/7.4.6 immediately. EKZ stealer targets session cookies — Chrome’s new DBSC feature (covered above) provides a hardware-level defence against this class of malware.

Ghost CMS — CVE-2026-26980 (actively exploited, 700+ domains): Covered in the May 29 report. ClickFix campaign continues at scale. Update to Ghost 6.19.1 and rotate admin API keys.

SonicWall SSL-VPN — CVE-2024-12802 (actively exploited, incomplete patch): Covered in the May 29 report. Gen6 devices: firmware update plus manual LDAP reconfiguration required. Treat unverified Gen6 devices as potentially compromised — ransomware precursor activity has been documented.

CIFSwitch Linux Kernel LPE: Covered in the May 31 report and dedicated advisory. Mitigations are available while waiting for distribution kernel updates: blacklist the CIFS module, remove cifs-utils, and disable unprivileged user namespaces.

Spectra WP Plugin — CVE-2026-7465 (Contributor to RCE): Covered in the May 31 report and dedicated advisory. Update to 2.19.26.

Simple History WP Plugin — CVE-2026-7459 (Subscriber to account takeover): Covered in the May 31 report and dedicated advisory. Update to 5.26.1.

GEO my WP Plugin — CVE-2026-9757 (unauth SQL injection): Covered in the May 31 report and dedicated advisory. Update to 4.5.6.

Oracle REST Data Services — CVE-2026-46840 (CVSS 10.0, first CSPU): Covered in the May 30 report. Apply the May 2026 Oracle CSPU.

ChromaDB — CVE-2026-45829 (CVSS 10.0, fix unconfirmed): Covered in the May 29 report. Do not expose the API server to the internet. Monitor for patch confirmation.

Exim — CVE-2026-45185 (CVSS 9.8): Covered in the May 29 report. Update to 4.99.3.

FortiAuthenticator — CVE-2026-44277 / FortiSandbox — CVE-2026-26083: Covered in the May 29 report. Both CVSS 9.8. Patch immediately.

7-Zip — CVE-2026-48095: Covered in the May 30 report. Update to 26.01.

Starlette / FastAPI — CVE-2026-48710 (BadHost): Covered in the May 30 report. Update Starlette to 1.0.1.

Nx Console — CVE-2026-48027 / TanStack — CVE-2026-45321: Covered in the May 28 report. Both CISA KEV, both due June 10. Audit npm dependencies.


This report is compiled from official vendor advisories, the CISA Known Exploited Vulnerabilities catalog, the National Vulnerability Database, and primary security research sources. Verify all remediation steps against official vendor documentation before applying changes in production environments.
