Vulnerability Intelligence Report — June 5, 2026
Coverage: June 4–5, 2026 | New items: 8 | CISA KEV deadlines today: 2 | CISA KEV deadlines tomorrow: 1 | Zero-days: 1
Previous reports: June 4, 2026 | June 3, 2026 | June 2, 2026
Today — June 5, 2026 — brings two CISA KEV deadlines (Linux cgroups and Android Framework). A newly disclosed Windows zero-day dubbed “MiniPlasma” (CVE-2026-33825) achieves SYSTEM access on fully patched systems, with PoC publicly released. Cisco confirmed active exploitation of an SD-WAN Manager vulnerability enabling root command execution. Microsoft disclosed an Azure HorizonDB authentication bypass (CVSS 10.0) and an Exchange Online information disclosure (CVSS 9.1). Google patched a record 429 vulnerabilities in Chrome. A supply chain attack via the binding.gyp npm package compromised dozens of packages.
Quick Reference — Most Important Vulnerabilities Today
Windows MiniPlasma: CVE-2026-33825 (zero-day, PoC released, SYSTEM access on fully patched Windows)
Cisco SD-WAN Manager: CVE-2026-20245 (actively exploited, root command execution)
Azure HorizonDB: CVE-2026-48567 (CVSS 10.0, authentication bypass)
Microsoft Exchange Online: CVE-2026-48579 (CVSS 9.1, unauthorized information disclosure)
Google Chrome: 429 vulnerabilities patched (record number, update to latest)
Seagull BarTender: CVE-2026-25550 (CVSS 9.8, unauthenticated RCE, .NET Remoting)
binding.gyp npm Supply Chain: dozens of packages compromised across maintainer accounts
KEV DEADLINE TODAY: Linux Kernel cgroups CVE-2022-0492 / Android Framework CVE-2025-48595
KEV DEADLINE TOMORROW: Mirasvit Full Page Cache Warmer CVE-2026-45247
Windows MiniPlasma — CVE-2026-33825 (Zero-Day, PoC Released, SYSTEM Access)
Software affected: Fully patched Windows systems. The vulnerability exists in the cldflt.sys Cloud Filter driver’s HsmOsBlockPlaceholderAccess routine — originally reported to Microsoft by Google Project Zero researcher James Forshaw in September 2020 as CVE-2020-17103 and reportedly fixed in December 2020.
CVE: CVE-2026-33825 | CVSS 7.8 High | Local Privilege Escalation to SYSTEM | PoC exploit publicly released on GitHub with source code and compiled executable
Fixable: No official patch from Microsoft yet. The researcher, known as Chaotic Eclipse (Nightmare Eclipse), released the PoC after claiming Microsoft failed to properly patch the original 2020 vulnerability.
Business impact: A privilege escalation vulnerability in a core Windows kernel driver (cldflt.sys) allows any local user or application to escalate from low-privilege access to SYSTEM — the highest privilege level on Windows. The researcher released both source code and a compiled executable on GitHub, meaning exploitation requires no development skill — simply run the provided binary. The Cloud Filter driver is present on all modern Windows versions as part of the Windows cloud file storage infrastructure (OneDrive, SharePoint sync). Because the original vulnerability (CVE-2020-17103) was “fixed” in 2020, even fully patched Windows 10, Windows 11, and Windows Server systems are affected. A publicly available, compiled PoC for SYSTEM privilege escalation on patched Windows is a significant security event — it can be immediately weaponised by ransomware operators, red teams, and malicious insiders.
How to fix: No patch is available. Until Microsoft releases a fix, implement these mitigations: (1) enforce strict local access controls — this is a local privilege escalation, so restrict who can log in interactively or run code on Windows systems; (2) monitor for unexpected privilege escalation events — use Windows Event ID 4672 (special privileges assigned to new logon) and 4688 (process creation) to detect processes unexpectedly running as SYSTEM; (3) consider application control policies (WDAC/AppLocker) to block execution of unknown binaries; (4) monitor Microsoft’s security update guide for a patch. The original CVE-2020-17103 was patched through Windows Update — monitor for a revised patch under CVE-2026-33825.
Recommended action: Containment measures today. Restrict local access, enable enhanced auditing for privilege escalation, and deploy application control. This is a true zero-day with public PoC — the exploit is available to anyone. Assume it will be integrated into commodity malware and ransomware toolkits within days.
Official source: Microsoft MSRC — CVE-2026-33825 | NVD — Original CVE-2020-17103
Cisco SD-WAN Manager — CVE-2026-20245 (Actively Exploited, Root Command Execution)
Software affected: Cisco SD-WAN Manager (formerly Cisco SD-WAN vManage) — the centralised network management and orchestration platform for Cisco SD-WAN deployments.
CVE: CVE-2026-20245 | Actively exploited in the wild — allows attackers to execute arbitrary commands as root on affected SD-WAN Manager instances. Cisco has confirmed exploitation and issued a security advisory.
Fixable: Yes. Cisco has released software updates. Apply the patched SD-WAN Manager version immediately. The Cisco advisory provides specific fixed versions for each release train.
Business impact: Cisco SD-WAN Manager is the central control plane for software-defined wide area network deployments — it manages routing policies, VPN configurations, security policies, and connectivity for branch offices, retail locations, and remote sites across entire organisations. A root-compromised SD-WAN Manager gives an attacker the ability to: reconfigure routing to redirect or intercept traffic across all managed sites, disable security policies, manipulate VPN tunnels to gain access to branch networks, and deploy malicious configurations to all managed SD-WAN edge devices. Cisco SD-WAN is deployed across enterprise, retail, financial services, and government environments globally. Active exploitation has been confirmed — this is not a theoretical risk.
How to fix: Apply the Cisco SD-WAN Manager software update immediately. Verify the installed version against the fixed version in the Cisco advisory. After patching, audit SD-WAN Manager administrative logs for unauthorised configuration changes, unexpected administrative user creation, and unusual command execution. Review managed edge device configurations for unauthorised modifications.
Recommended action: Critical — patch today. Confirmed active exploitation plus root-level command execution on a central network management platform is an emergency-patch scenario. SD-WAN Manager should be isolated from the internet — verify this is the case regardless of patching status.
Official source: Cisco Security Advisory | NVD — CVE-2026-20245
Azure HorizonDB — CVE-2026-48567 (CVSS 10.0, Authentication Bypass)
Software affected: Azure HorizonDB — a Microsoft Azure database service. Specific version and deployment details are available in the Microsoft Security Response Center advisory.
CVE: CVE-2026-48567 | CVSS 10.0 Critical — the maximum possible severity | CWE-290 (Authentication Bypass by Spoofing) | Unauthorised attacker can elevate privileges over a network
Fixable: Yes. Microsoft has released a security update. Apply the patch through the Azure service update mechanism or via the Microsoft Security Response Center advisory. Azure HorizonDB is a cloud-managed service — Microsoft may have already applied the fix to managed instances. Verify with Azure support or your cloud security posture management tooling.
Business impact: A CVSS 10.0 — the maximum possible severity score — in an Azure database service. The vulnerability allows an unauthenticated attacker to bypass authentication and elevate privileges over the network, gaining unauthorised access to the database service. In Azure cloud environments, database services store critical business data, customer information, and application state. An authentication bypass at the Azure service level could potentially provide cross-tenant access depending on the service architecture — the exact scope depends on the Azure HorizonDB deployment model. Microsoft has assigned the maximum CVSS score, signalling that the impact is severe and the attack complexity is low.
How to fix: Apply the Microsoft security update. For Azure-managed HorizonDB instances, verify with Azure support that the service-side patch has been applied. Review Azure audit logs and database access logs for unauthorised authentication events or unexpected privilege escalations during the vulnerable window. Rotate database credentials after confirming the patch is applied.
Recommended action: Critical. CVSS 10.0 on an Azure database service is an emergency-patch scenario. Verify patch status with Azure support and audit access logs.
Official source: Microsoft MSRC — CVE-2026-48567
Microsoft Exchange Online — CVE-2026-48579 (CVSS 9.1, Unauthorized Information Disclosure)
Software affected: Microsoft Exchange Online — Microsoft’s cloud-hosted email and collaboration service.
CVE: CVE-2026-48579 | CVSS 9.1 Critical | CWE-285 (Improper Authorization) | Unauthorised attacker can disclose information over a network
Fixable: Yes. As a cloud service, Microsoft has applied the fix to Exchange Online. On-premises Exchange deployments should check the Microsoft advisory for applicability and apply any available security updates. Additionally, Dutch security media reports critical vulnerabilities in Exchange Online and Copilot that enabled data theft — organisations should audit Copilot access permissions and review Exchange Online audit logs.
Business impact: An improper authorization vulnerability in Exchange Online — the email platform used by millions of organisations worldwide — allows an unauthorised attacker to disclose information. Combined with the Copilot-related data theft vulnerabilities reported by Dutch security media, there is a pattern of Microsoft 365 authorization flaws enabling unauthorised access to email and collaboration data. Exchange Online processes sensitive corporate communications, attachments, calendar data, and contact information — unauthorised information disclosure at this layer can expose confidential business communications.
Recommended action: Verify that Exchange Online is updated (Microsoft applies cloud-side patches automatically). Review Exchange Online audit logs and Copilot access permissions for unauthorised data access patterns.
Official source: Microsoft MSRC — CVE-2026-48579
Google Chrome — Record 429 Vulnerabilities Patched
Software affected: Google Chrome for Windows, Mac, and Linux. All versions prior to the latest release.
Fixable: Yes. Update Chrome to the latest version immediately. Restart the browser for the update to take effect. The sheer volume — 429 vulnerabilities in a single release — far exceeds the previous record of 151 set just last week. This represents an unprecedented single-release patch volume for Chrome. Among the 429 fixes are multiple critical and high-severity vulnerabilities that enable remote code execution via crafted web content. Enterprise-managed Chrome deployments should push this update through browser management policies and enforce restart.
Recommended action: Update Chrome immediately across all endpoints. The record volume of patches signals that attackers have a rich target surface. Verify Chrome auto-update is functioning and enforce browser restart policies for enterprise deployments.
Official source: Google Chrome Releases Blog
Seagull BarTender — CVE-2026-25550 (CVSS 9.8, Unauthenticated RCE via .NET Remoting)
Software affected: Seagull Scientific BarTender 2010, 2016 (through R9), and 2019 (through R10). BarTender is an enterprise label design and printing automation platform used in manufacturing, logistics, healthcare, and retail environments.
CVE: CVE-2026-25550 | CVSS 9.8 Critical | CWE-306 (Missing Authentication) | Unauthenticated RCE via TCP port 7375
Fixable: Yes. Update BarTender to the latest version. The BtSystem.Service.exe .NET Remoting service exposes unauthenticated singleton endpoints that accept arbitrary remote commands. BarTender 2016 R10 and 2019 R11 and later contain the fix, or upgrade to the current BarTender release. After updating, verify that TCP port 7375 is not exposed to untrusted networks.
Recommended action: High priority for manufacturing, logistics, and healthcare environments where BarTender is deployed. The .NET Remoting endpoint has been a known attack surface for years — any internet-facing or untrusted-network-accessible BarTender installation should be patched immediately.
Official source: Seagull Scientific — BarTender Downloads | NVD — CVE-2026-25550
binding.gyp npm Supply Chain Attack — Dozens of Packages Compromised
Software affected: Dozens of npm packages across multiple maintainer accounts. The attack used the binding.gyp package — a build configuration file format used by native Node.js addons — as the initial compromise vector, spreading to packages maintained by the affected accounts.
No CVE assigned. This is an active supply chain compromise.
Business impact: Attackers compromised maintainer accounts and published malicious versions of dozens of npm packages through the binding.gyp supply chain. The binding.gyp file format is used in thousands of native Node.js modules for build configuration — it is a trusted component of the Node.js development ecosystem. Compromised packages may include credential stealers, backdoors, or cryptocurrency miners embedded in the package code that execute during npm install or at application runtime. This follows the pattern of the TanStack, Nx Console, and Laravel-Lang supply chain attacks covered in previous reports — indicating a sustained campaign targeting the software supply chain through compromised maintainer credentials.
How to fix: (1) Audit your package-lock.json / yarn.lock for any packages that depend on binding.gyp or were updated in the last 48 hours from maintainer accounts flagged in the advisory. (2) Pin all npm dependencies to known-good versions. (3) Review npm audit output for flagged packages. (4) If any compromised package was installed, rotate all credentials accessible from the build environment (CI/CD tokens, npm tokens, cloud API keys) and audit for signs of compromise.
Recommended action: Audit npm dependencies today. The sustained pattern of npm supply chain attacks makes routine dependency auditing a mandatory security practice. Consider deploying package allowlisting and automated integrity verification in CI/CD pipelines.
Official source: CybersecurityNews research | npm advisory
KEV Deadline Watch — Two Today, One Tomorrow
Today — June 5, 2026 (2 deadlines): Linux Kernel cgroups CVE-2022-0492 (container-escape LPE, patch from 2022, covered in the dedicated advisory). Android Framework CVE-2025-48595 (actively exploited zero-day, apply June 2026 Android update, covered in the dedicated advisory).
Tomorrow — June 6, 2026 (1 deadline): Mirasvit Full Page Cache Warmer CVE-2026-45247 (Magento/Adobe Commerce deserialization RCE, actively exploited, covered in the dedicated advisory).
June 10, 2026 (2 deadlines): Nx Console CVE-2026-48027 / TanStack CVE-2026-45321 (supply chain compromises, audit npm dependencies).
Updates on Items from Previous Reports
Microsoft Defender KEV deadlines (passed June 3): Now two days past deadline. Verify Malware Protection Engine 1.1.26040.8. May 22 report.
Oracle WebLogic / Trend Micro / Langflow KEV deadlines (passed June 4): Now one day past deadline. June 4 report.
Windows Netlogon CVE-2026-41089: Dedicated advisory.
Citrix NetScaler CVE-2026-3055: Dedicated advisory.
Palo Alto PAN-OS CVE-2026-0257: Deadline passed June 1. Dedicated advisory.
Acer Wave 7 zero-days: Still no patch. Dedicated advisory.
Cisco UC Manager CVE-2026-20230: Dedicated advisory.
OpenSSL pre-announcement: Update scheduled for June 9. Prepare inventory of OpenSSL-linked applications.
OpenStack oslo.messaging, Tautulli, Python tarfile, authentik, BIRD BGP, MLflow, morgan, LibreChat, MISP, elixir-mint, AIOHTTP, Go x509, React Router, Perl JSON::XS, FOSSBilling, SolarWinds: All covered in dedicated advisories published June 4. Refer to the June 4 report for links.
Drupal, Ghost CMS, SonicWall, FortiClient/FortiAuth/FortiSandbox, Exim, ChromaDB, Oracle ORDS, CIFSwitch, 7-Zip, Starlette, Spectra, Simple History, GEO my WP, WP Maps Pro, Kirki, ARMember: All covered in dedicated advisories and previous reports.
This report is compiled from official vendor advisories, the CISA Known Exploited Vulnerabilities catalog, the National Vulnerability Database, and primary security research sources. Verify all remediation steps against official vendor documentation before applying changes in production environments.
