Vulnerability Intelligence Report — June 25, 2026

Coverage: June 1–25, 2026 | Total CISA KEV additions (period): 20 | New KEVs: 0 | KEV deadline TOMORROW: QUADRUPLE (3x Ubiquiti UniFi OS + Lantronix EDS5000, all BOD 26-04) | Next KEV: Cisco SD-WAN CVE-2026-20262 (June 29) | Total overdue KEVs: 15 | FortiBleed: 70,000+ firewalls compromised
Previous reports: June 24, 2026 | June 23, 2026

Thursday, June 25, 2026 — the calm before the deadline. No new CISA KEV entries were added in the past 24 hours, but tomorrow — June 26 — carries the quadruple KEV deadline for three Ubiquiti UniFi OS vulnerabilities (all CVSS 10.0) and the Lantronix EDS5000 code injection flaw, all under BOD 26-04’s 3-day accelerated mandate. Meanwhile, multiple new active-exploitation reports have emerged: Cisco Unified Communications Manager CVE-2026-20230 (CVSS 8.6, SSRF→RCE) is now being exploited in the wild according to Defused, despite Cisco not yet confirming. Google released Chrome 149 with patches for 10 vulnerabilities including a critical WebGL use-after-free (CVE-2026-13028, CVSS 9.6) and two additional use-after-free flaws (CVSS 8.8). The FortiBleed campaign has been dramatically re-scoped: over 70,000 Fortinet firewalls have been confirmed compromised — making this the largest single-vendor compromise event of the reporting period. The Five Eyes intelligence alliance has issued a joint advisory warning that AI-enabled threats demand dramatically faster patching cycles. Unpatched SharePoint servers are being actively exploited for ransomware deployment, and a critical vulnerability in the widely-used libssh2 library enables remote code execution via malicious SSH packets.


Quick Reference — Most Important Items Today

KEV DEADLINE TOMORROW (June 26): Ubiquiti UniFi OS CVE-2026-34908/34909/34910 (all CVSS 10.0) + Lantronix EDS5000 CVE-2025-67038 — BOD 26-04 3-day mandate

Cisco Unified Communications Manager: CVE-2026-20230 (CVSS 8.6, SSRF→file write→root) — actively exploited since weekend per Defused, patch available

FortiBleed: 70,000+ Fortinet firewalls confirmed compromised — largest single-vendor compromise event of the period

Chrome 149: 10 CVEs patched — CVE-2026-13028 (CVSS 9.6, WebGL use-after-free on Android) + 2x CVSS 8.8 use-after-free flaws

libssh2: Critical RCE vulnerability via malicious SSH packets — widely used in SSH clients, servers, and embedded systems

SharePoint: Unpatched servers actively exploited for ransomware and custom backdoor deployment

Five Eyes Joint Advisory: AI-enabled threats require dramatically faster enterprise patching — BOD 26-04’s 3-day model cited as new baseline

Overdue KEV: Triple deadline (June 23) now +2 | LiteLLM +3 | Splunk +4 (actively exploited) | 15 total overdue

Next KEV after tomorrow: Cisco SD-WAN CVE-2026-20262 (June 29, actively exploited)


KEV Deadline TOMORROW — Ubiquiti UniFi OS (Triple CVSS 10.0) + Lantronix EDS5000

Software affected: All Ubiquiti UniFi OS devices (Cloud Gateways, Network Controllers, Protect NVRs, Access Hubs, Talk) and Lantronix EDS5000 device servers.

CVE: CVE-2026-34910 (Command Injection, CVSS 10.0) | CVE-2026-34909 (Path Traversal, CVSS 10.0) | CVE-2026-34908 (Access Control Bypass, CVSS 10.0) | CVE-2025-67038 (Lantronix Code Injection) | All four: CISA KEV deadline June 26, 2026 — TOMORROW | BOD 26-04 3-day mandate applies.

Status: Tomorrow is the remediation deadline for the four most recently added KEV entries. The Ubiquiti vulnerabilities collectively enable complete device takeover by any network-adjacent attacker — no authentication required. The Lantronix EDS5000 bridges serial-based industrial equipment to IP networks, sitting in the critical path between OT/ICS and enterprise environments. Organisations that have not yet patched these four CVEs are now operating within the final 24-hour window. CISA has confirmed active exploitation of the Ubiquiti vulnerabilities. The Dutch security authority (NCSC) has also issued separate warnings about active Ubiquiti UniFi OS exploitation.

Recommended action: Patch all Ubiquiti UniFi OS devices per Security Advisory Bulletin 064 today. Update Lantronix EDS5000 firmware. If patching is not possible, network-segment or disconnect affected devices until patched. BOD 26-04 deadline is tomorrow.

Official source: Ubiquiti Security Advisory Bulletin 064 | CISA KEV Catalog


Cisco Unified Communications Manager — CVE-2026-20230 (CVSS 8.6, SSRF→RCE, Actively Exploited)

Software affected: Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME).

CVE: CVE-2026-20230 | CVSS 8.6 (HIGH) | CWE-918 Server-Side Request Forgery | Published June 3, 2026 | An unauthenticated remote attacker can send a specially crafted HTTP request to achieve SSRF → arbitrary file write to the underlying operating system → root-level code execution. Prerequisite: WebDialer must be enabled (disabled by default).

Status: Cisco patched this vulnerability in early June and noted public proof-of-concept exploit code was available, but stated they were not aware of active exploitation. Security firm Defused now reports active exploitation since this weekend (June 21–22). Cisco has not yet confirmed the active exploitation. This is a critical enterprise VoIP platform — Unified CM processes phone calls for organisations globally. The WebDialer prerequisite limits the attack surface, but any organisation that has enabled this feature for click-to-call functionality is exposed. CISA has not yet added this to the KEV catalog, but the active exploitation report from Defused, if confirmed, would likely trigger a KEV listing under BOD 26-04.

Recommended action: Apply Cisco’s patch immediately — the advisory was published June 3. If WebDialer is not required, disable it as a compensating control. Audit Unified CM access logs for unexpected HTTP requests targeting WebDialer endpoints. Monitor for CISA KEV addition — if confirmed, this would carry a 3-day BOD 26-04 deadline from the date of addition.
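One way to carry out the access-log audit recommended above, as an added example that is not from the report or from Cisco: it parses constructed NCSA-format log lines, flags WebDialer requests arriving from outside an assumed internal client range, and flags parameter values that carry a URI scheme, the classic SSRF indicator. The `/webdialer/` path prefix, the 10.1.0.0/16 client range and all sample addresses are assumptions.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl, urlsplit

# Constructed sample lines in NCSA combined format; not real Unified CM logs.
SAMPLE_LOG = """\
10.1.20.15 - - [21/Jun/2026:09:14:02 +0000] "GET /webdialer/Webdialer?cmd=doMakeCallProxy&dest=2001 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Jun/2026:23:41:55 +0000] "POST /webdialer/Webdialer?target=http://127.0.0.1:8443/ HTTP/1.1" 200 88 "-" "python-requests/2.31"
10.1.20.16 - - [22/Jun/2026:08:02:10 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.1.20.17 - - [22/Jun/2026:02:12:31 +0000] "GET /webdialer/Webdialer?target=http%3A%2F%2F10.1.20.17%3A8080%2F HTTP/1.1" 500 0 "-" "curl/8.5.0"
198.51.100.9 - - [22/Jun/2026:03:05:44 +0000] "GET /webdialer/Webdialer?cmd=doMakeCallProxy HTTP/1.1" 403 0 "-" "curl/8.5.0"
"""

# Assumed: WebDialer is served under this prefix and all legitimate
# click-to-call clients sit in this internal range; adjust to your deployment.
WEBDIALER_PREFIX = "/webdialer/"
ALLOWED_CLIENT_NETS = [ip_network("10.1.0.0/16")]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')
# A parameter value that starts with a URI scheme is the classic SSRF indicator.
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def analyze_request(ip, target, allowed_nets):
    """Return the reasons a WebDialer request looks suspicious ([] if none)."""
    parts = urlsplit(target)
    if not parts.path.lower().startswith(WEBDIALER_PREFIX):
        return []  # not a WebDialer endpoint; out of scope for this check
    reasons = []
    if not any(ip_address(ip) in net for net in allowed_nets):
        reasons.append("source outside expected client range")
    # parse_qsl percent-decodes values, so encoded schemes are caught as well.
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if SCHEME_RE.match(value):
            reasons.append(f"URL scheme in parameter value: {value}")
            break
    return reasons


def find_suspicious(log_text, allowed_nets):
    """Scan access-log text and return the flagged WebDialer requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production scanner should count these
        reasons = analyze_request(m["ip"], m["target"], allowed_nets)
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "reasons": reasons})
    return hits
```

Run `find_suspicious(SAMPLE_LOG, ALLOWED_CLIENT_NETS)` against the sample: the two external sources and the internal request carrying an encoded URL are flagged, while the ordinary click-to-call and the non-WebDialer request are not.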

Official source: Cisco Security Advisory cisco-sa-cucm-ssrf-cXPnHcW | Security.nl Report


FortiBleed — 70,000+ Fortinet Firewalls Confirmed Compromised

Software affected: Fortinet FortiGate firewall appliances — the investigation now covers a significantly expanded scope.

Status: The FortiBleed campaign has been dramatically re-scoped. What was initially reported as a credential leak affecting an unspecified number of devices has now been confirmed as over 70,000 compromised Fortinet firewalls. This makes FortiBleed the largest single-vendor compromise event of the reporting period. The campaign combines multiple Fortinet vulnerabilities — FortiSandbox exploitation, the FortiBleed credential leak, and a custom-built FortiGate sniffer deployed to intercept VPN credentials in real time. The scale of compromise — 70,000+ devices — means that virtually every organisation running Fortinet VPN appliances should assume their device was in the scope of this campaign. The attack surface spans enterprise VPN concentrators, branch office firewalls, and managed service provider customer-premises equipment.

Recommended action: Every organisation with Fortinet FortiGate appliances should immediately: (1) apply all available firmware updates, (2) rotate all VPN credentials and pre-shared keys, (3) audit device configurations for unauthorised changes, (4) inspect logs for the custom sniffer indicator, and (5) review all VPN user accounts created or modified during the compromise window. This is no longer a targeted threat — the scale demands a comprehensive response.

Official source: CybersecurityNews Report | FortiBleed Advisory (June 23)


Chrome 149, libssh2, SharePoint — Critical Patches and Active Exploitation

Google Chrome 149 (10 CVEs): Google has released Chrome 149.0.7827.197 with patches for 10 vulnerabilities. The most severe: CVE-2026-13028 (CVSS 9.6, WebGL use-after-free on Android enabling remote code execution), CVE-2026-13026 (CVSS 8.8, Digital Credentials use-after-free on Mac), CVE-2026-13027 (CVSS 8.8, FileSystem use-after-free), and CVE-2026-13025 (CVSS 8.3, DevTools race condition). Chrome typically auto-updates — verify fleet-wide deployment. Chromium-based browsers (Edge, Opera, Brave) will follow with their own updates. Given that Chrome’s V8 KEV (CVE-2026-11645) is now 2 days overdue, browser update compliance should be a priority for endpoint management teams.

libssh2 Critical RCE: A critical vulnerability in the libssh2 library — a widely-used C library implementing the SSH2 protocol — enables remote code execution via malicious SSH packets. libssh2 is embedded in numerous SSH clients, servers, file transfer tools, and IoT/embedded systems. The library’s ubiquity means the blast radius is substantial — any application that links against libssh2 for SSH connectivity is potentially affected. Specific CVE identifiers and CVSS scores are pending NVD publication. Patch libssh2 across all dependent applications immediately. Inventory all software that bundles or links against libssh2 — this includes curl (with SSH support), custom SSH tools, embedded device firmware, and CI/CD pipeline components.

SharePoint Ransomware Exploitation: Unpatched Microsoft SharePoint servers are being actively exploited to deploy ransomware and custom backdoors. Attackers are targeting known vulnerabilities in SharePoint that have available patches but remain unpatched in production environments. This follows the well-established pattern of SharePoint being a high-value target for ransomware operators due to its role in document management and enterprise collaboration. Apply all outstanding SharePoint security updates immediately. Audit SharePoint farms for indicators of compromise — unexpected file modifications, new administrative accounts, or unusual data access patterns.

Recommended action: Verify Chrome fleet-wide auto-update compliance. Inventory all libssh2-dependent applications and patch. Apply all outstanding SharePoint security updates. The Five Eyes joint advisory released this week specifically warns that AI-enabled threats are accelerating exploitation timelines — the era of month-long patch cycles is over.


Five Eyes Joint Advisory — AI-Enabled Threats Demand Faster Patching

Status: The Five Eyes intelligence alliance (US, UK, Canada, Australia, New Zealand) has issued a joint advisory warning that AI-enabled cyber threats are dramatically reducing the window between vulnerability disclosure and active exploitation. The advisory explicitly references the need for enterprise patching cycles to accelerate — citing 3-day and even 24-hour remediation targets as the new operational baseline. This aligns directly with CISA’s BOD 26-04 which mandates a 3-day patch window for critical exploited vulnerabilities in federal agencies. The advisory also notes that AI-assisted vulnerability discovery and exploit generation is compressing the traditional vulnerability lifecycle, and that organisations relying on monthly or quarterly patch cycles are operating at unacceptable risk levels.

Recommended action: Review enterprise patch management SLAs. Move toward continuous patch deployment for critical and high-severity vulnerabilities. Implement automated vulnerability scanning with same-day alerting. The Five Eyes advisory is not theoretical — this reporting period has demonstrated the acceleration firsthand: 20 CISA KEV additions in 25 days, with BOD 26-04’s 3-day deadlines.


KEV Deadline Watch

TOMORROW (June 26): QUADRUPLE — Ubiquiti UniFi OS CVE-2026-34908/34909/34910 + Lantronix EDS5000 CVE-2025-67038. All four: BOD 26-04 3-day mandate. FINAL 24 HOURS.

June 29 (4 days): Cisco SD-WAN CVE-2026-20262. Actively exploited. Dedicated advisory.

OVERDUE — June 23 (+2): TRIPLE — Chromium V8 CVE-2026-11645 + Arista EOS CVE-2026-7473 + Cisco SD-WAN CVE-2026-20245.

OVERDUE — June 22 (+3): LiteLLM CVE-2026-42271.

OVERDUE — June 21 (+4): Splunk CVE-2026-20253 (actively exploited).

OVERDUE — June 19 (+6): Joomla CE CVE-2026-48907 + SolarWinds CVE-2026-28318.

OVERDUE — June 18 (+7): LiteSpeed CVE-2026-54420.

OLDER OVERDUE: Oracle PS (+10), Ivanti (+11), Check Point (+14), Nx Console (+15), Mirasvit (+19), Android (+20), PAN-OS (+24).

After June 26: Only one remaining active KEV deadline this period — Cisco SD-WAN June 29. With 20 KEV additions in 25 days, the accelerated BOD 26-04 cadence has defined this reporting period.


Updates on Items from Previous Reports

Ubiquiti UniFi OS + Lantronix EDS5000 (KEV deadline tomorrow): Final 24 hours. CISA and NCSC (Netherlands) have both confirmed active exploitation of the Ubiquiti vulnerabilities. Ubiquiti advisory | Lantronix advisory.

FortiBleed: Scale re-estimated at 70,000+ compromised Fortinet firewalls — the largest single-vendor compromise event of the period. Comprehensive Fortinet audit mandatory. FortiBleed advisory.

Cisco UCM CVE-2026-20230: Now actively exploited per Defused (not yet confirmed by Cisco or CISA). Monitor for potential KEV addition — if confirmed, would trigger a 3-day BOD 26-04 deadline.

Chrome 149: 10 new CVEs patched. Chrome V8 KEV (CVE-2026-11645) now 2 days overdue — verify auto-update compliance across fleet.

AI Framework Vulnerabilities: Four this period (Mastra, LiteLLM, AutoGen Studio, Flowise). The Five Eyes joint advisory on AI-accelerated threats provides policy-level context for this pattern.

Overdue KEVs: 15 total. Splunk CVE-2026-20253 and Cisco SD-WAN CVE-2026-20262 are actively exploited — highest priority among overdue items. PAN-OS is now 24 days past deadline.

47 dedicated advisories published this period. Cumulative Spring ecosystem CVEs: 35+. Cumulative GitLab CVEs: 12.


This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
