Vulnerability Intelligence Report — June 23, 2026

nick

Vulnerability Intelligence Report — June 23, 2026

by

Vulnerability Intelligence Report — June 23, 2026
Coverage: June 1–23, 2026 | Total CISA KEV additions (period): 16 | New KEVs: 0 | KEV deadlines TODAY: TRIPLE (Chromium V8, Arista EOS, Cisco SD-WAN) | LiteLLM deadline passed (June 22) | Next KEV: Cisco SD-WAN CVE-2026-20262 (June 29) | Total overdue KEVs: 12
Previous reports: June 22, 2026 | June 21, 2026

Today — Tuesday, June 23, 2026 — is the largest single-day CISA KEV deadline of this reporting period: three simultaneous deadlines for Google Chromium V8, Arista EOS, and Cisco SD-WAN Manager. After today, the KEV calendar clears significantly — the next deadline is not until June 29. The LiteLLM deadline passed yesterday, bringing the overdue KEV count to 12. On the vulnerability front, FFmpeg has patched a critical flaw dubbed “PixelSmash” in its widely used video decoder — FFmpeg underpins video processing in virtually every media application, browser, and streaming platform. Microsoft has fixed a code execution vulnerability in AutoGen Studio, the third AI framework compromise this period (following Mastra and LiteLLM). The FortiBleed campaign has been updated with details of a custom FortiGate sniffer used to steal credentials, and a sophisticated WhatsApp phishing attack is using fake business documents to compromise PCs.

Quick Reference — Most Important Items Today

TRIPLE KEV DEADLINE TODAY: Chromium V8 CVE-2026-11645 + Arista EOS CVE-2026-7473 + Cisco SD-WAN CVE-2026-20245

FFmpeg PixelSmash: Critical flaw in widely used video decoder — patch immediately, FFmpeg is ubiquitous in media/streaming

Microsoft AutoGen Studio: Code execution flaw patched — third AI framework compromise this period (after Mastra, LiteLLM)

FortiBleed Update: Custom FortiGate sniffer used — Fortinet threat cluster continues to expand

WhatsApp Phishing: Fake business documents used to deliver malware to PCs

LiteLLM: Deadline passed yesterday — now 1 day overdue

After today: KEV calendar clears until June 29 (Cisco SD-WAN actively exploited)

Overdue KEV: LiteLLM +1 | Splunk +2 | Joomla +4 | SolarWinds +4 | LiteSpeed +5 | Oracle PS +8 | Ivanti +9 | Check Point +12 | Nx Console +13 | Mirasvit +17 | Android +18 | PAN-OS +22

TRIPLE KEV Deadline Today — The Largest Single-Day Deadline of the Period

Today — Tuesday, June 23, 2026 — three CISA KEV deadlines fall simultaneously:

Google Chromium V8 CVE-2026-11645: Out-of-bounds read and write in the V8 JavaScript engine. Enables remote code execution inside the browser sandbox via a crafted HTML page. Affects Google Chrome, Microsoft Edge, Opera, and all Chromium-based browsers — effectively every browser in enterprise use. Verify fleet-wide browser auto-update compliance by end of day. Deploy updated browsers via endpoint management if auto-update is disabled. This is the broadest-affecting KEV of the period given Chromium’s near-universal browser market share.

Arista EOS CVE-2026-7473: Incomplete comparison with missing factors causing incorrect decapsulation and forwarding of unexpected tunneled packets. Network segmentation bypass — a switch-level vulnerability that can expose isolated network segments. Upgrade Arista EOS per advisory. Review network segmentation controls and tunnel endpoint configurations.

Cisco SD-WAN Manager CVE-2026-20245: Improper encoding/escaping of output enabling authenticated local attacker to execute arbitrary commands as root via crafted file. Apply per Cisco advisory. Restrict SD-WAN Manager access to trusted administrators only. Note: Cisco SD-WAN CVE-2026-20262 (due June 29, actively exploited) must also be patched — do not confuse these two separate Cisco SD-WAN CVEs.

Recommended action: All three deadlines are today. Chromium browsers should auto-update — verify compliance. Stage Arista EOS upgrades during your next maintenance window if not already scheduled. Complete Cisco SD-WAN Manager patching for both CVE-2026-20245 (today) and CVE-2026-20262 (June 29).

FFmpeg “PixelSmash” Flaw — Ubiquitous Video Decoder Vulnerability

Software affected: FFmpeg — the open-source multimedia framework used by virtually every media application, browser, streaming platform, and video processing pipeline.

Status: FFmpeg has patched a critical vulnerability dubbed “PixelSmash” in its video decoder. FFmpeg is one of the most widely integrated C libraries in the world — it handles video decoding for VLC, Chrome, Firefox, OBS Studio, HandBrake, YouTube’s backend processing, Netflix encoding pipelines, and countless other applications. A vulnerability in FFmpeg’s core decoding functions has an enormous blast radius. Specific CVE identifiers and technical details are pending. Given FFmpeg’s ubiquity, this should be treated as an ecosystem-level vulnerability.

Recommended action: Patch FFmpeg across all systems that integrate it — media servers, streaming backends, desktop applications, browser video stacks. Linux distributions will push updated FFmpeg packages — apply these immediately. For containerised deployments, rebuild all images that include FFmpeg. Audit embedded/IoT devices that use FFmpeg for video processing.

Official source: BleepingComputer Report | FFmpeg Security Advisory (ffmpeg.org)

Microsoft AutoGen Studio RCE + FortiBleed Custom Sniffer + WhatsApp Phishing

Microsoft AutoGen Studio Code Execution: Microsoft has patched a vulnerability in AutoGen Studio that enabled code execution. AutoGen is Microsoft’s open-source framework for building multi-agent AI applications. This is the third AI framework compromise this period — following the North Korea-attributed Mastra AI supply chain attack and the LiteLLM command injection (CVE-2026-42271). Organisations using AutoGen Studio should upgrade immediately. Audit AI agent execution environments for unexpected code execution. The pattern of AI framework vulnerabilities this period is notable — three separate frameworks compromised in less than a week.

FortiBleed Update — Custom FortiGate Sniffer: New details reveal that the FortiBleed campaign used a custom-built sniffer tool designed to intercept credentials directly from FortiGate VPN appliances. This elevates the incident from a passive credential leak to an active credential interception operation. Organisations with Fortinet VPN appliances should re-audit their devices for signs of the custom sniffer, rotate all VPN credentials, and apply firmware updates immediately. The Fortinet threat cluster (FortiSandbox exploitation + FortiBleed leak + custom sniffer) is the largest vendor-specific threat campaign of this reporting period.

WhatsApp Phishing: A sophisticated phishing campaign is using fake business documents delivered via WhatsApp to compromise PCs. The attack uses social engineering to convince targets to open malicious documents that deploy malware. This is a significant evolution in phishing delivery — WhatsApp’s end-to-end encryption and personal nature make it harder for enterprise security tools to detect and block. Brief users on the threat and ensure endpoint protection can detect document-based malware delivery regardless of the communication channel.

KEV Deadline Watch

TODAY (June 23): TRIPLE — Chromium V8 CVE-2026-11645 + Arista EOS CVE-2026-7473 + Cisco SD-WAN CVE-2026-20245. DEADLINE.

June 29 (6 days): Cisco SD-WAN CVE-2026-20262. Actively exploited. Dedicated advisory.

OVERDUE — June 22: LiteLLM CVE-2026-42271 (+1).

OVERDUE — June 21: Splunk CVE-2026-20253 (+2, actively exploited).

OVERDUE — June 19: Joomla CE CVE-2026-48907 (+4) + SolarWinds CVE-2026-28318 (+4).

OVERDUE — June 18: LiteSpeed CVE-2026-54420 (+5).

OLDER OVERDUE: Oracle PS (+8), Ivanti (+9), Check Point (+12), Nx Console (+13), Mirasvit (+17), Android (+18), PAN-OS (+22).

After today: Only one remaining KEV deadline this period — Cisco SD-WAN June 29. The accelerated BOD 26-04 cadence has been the defining feature of this reporting period.

Updates on Items from Previous Reports

LiteLLM CVE-2026-42271: Deadline passed yesterday. Now 1 day overdue. 5 additional LiteLLM CVEs also disclosed. LiteLLM Advisory.

Splunk CVE-2026-20253: 2 days overdue. Actively exploited. Patch immediately. Dedicated advisory.

Triple Deadline Today: Chromium browsers should auto-update — verify. Stage Arista EOS upgrades. Complete Cisco SD-WAN patching.

AI Framework Compromises: Three this period — North Korea Mastra, LiteLLM, Microsoft AutoGen Studio. Audit all AI framework dependencies and execution environments.

Fortinet Threat Cluster: FortiSandbox exploitation → FortiBleed credential leak → custom FortiGate sniffer. Comprehensive Fortinet audit recommended.

43 dedicated advisories published this period.

This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Vendor Advisories.

Threat Modeling and Security by Design

Threat modeling and Security by Design methods, tools, and approaches to help secure your business and IT landscape.

Terms of Service | Privacy Policy

AI chatbot & help center by 99helpers.com

Threat Modeling
Threat Modeling Tool
Threat Modeling Tool Explainer
What is Threat Modeling?
STRIDE Threat Modeling
PASTA Threat Modeling
Automated Threat Modeling
Threat Modeling Framework
CISO Security Mind Map 2026
CIS Controls
OWASP Top 10

© Threat-Modeling.com

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!