Vulnerability Intelligence Report — June 10, 2026
Coverage: June 9–10, 2026 | Microsoft Patch Tuesday: 198 vulns, 3 zero-days | New CISA KEV: 3 | New items: 8 | KEV deadlines today: 2 | KEV deadlines tomorrow: 1
Previous reports: June 9, 2026 | June 8, 2026
Microsoft’s June 2026 Patch Tuesday addresses 198 vulnerabilities, including three zero-days: a Windows Defender privilege escalation (“RoguePlanet”) granting SYSTEM access, a Windows Kernel remote code execution, and a BitLocker security feature bypass. Check Point confirmed active exploitation of the IKEv1 VPN vulnerability (CVE-2026-50751) — the Dutch NCSC warns of imminent large-scale abuse ahead of tomorrow’s CISA KEV deadline. Critical vulnerabilities were also disclosed in Veeam Backup & Replication, Ivanti Sentry, Adobe ColdFusion, and Adobe Campaign Classic (CVSS 10.0). Nx Console and TanStack CISA KEV deadlines arrive today.
Quick Reference — Most Important Items Today
Microsoft Patch Tuesday: 198 vulns, 3 zero-days — apply June 2026 updates immediately
Windows Defender RoguePlanet: CVE-2026-47281 (zero-day, SYSTEM access, actively exploited)
Check Point VPN: CVE-2026-50751 (actively exploited, NCSC warns of large-scale abuse, KEV deadline tomorrow)
Veeam Backup & Replication: Critical RCE on backup servers — patch immediately
Ivanti Sentry: Critical vulnerabilities enabling remote takeover
Adobe ColdFusion: CVE-2026-47928 (CVSS 9.6, arbitrary code execution)
Adobe Campaign Classic: CVE-2026-48303 (CVSS 10.0, arbitrary code execution)
Perl DBI: CVE-2026-9698 (CVSS 9.8, buffer overflow)
KEV Deadlines: Nx Console + TanStack TODAY | Check Point TOMORROW
Microsoft Patch Tuesday — June 2026: 198 Vulnerabilities, 3 Zero-Days
Software affected: Windows, Windows Server, Microsoft Defender, Windows Kernel, BitLocker, Visual Studio Code, Azure Stack Edge, Windows TCP/IP, Windows DHCP, Windows HTTP.sys, and numerous other Microsoft products.
Summary: Microsoft’s June 2026 Patch Tuesday addresses 198 vulnerabilities — one of the largest Patch Tuesday releases on record. Three zero-days are included, two of which are actively exploited:
Windows Defender “RoguePlanet” — CVE-2026-47281 (CVSS 9.6, Zero-Day, SYSTEM Access): A privilege escalation vulnerability in Visual Studio Code / Defender that grants SYSTEM access to attackers. Actively exploited. This is the second Windows Defender zero-day this year following the Defender engine vulnerabilities (CVE-2026-41091, CVE-2026-45584, CVE-2026-45498) covered in previous reports. Apply the Defender update immediately.
Windows Kernel RCE — CVE-2026-45657 (CVSS 9.8, Zero-Day, Use-After-Free): A use-after-free vulnerability in the Windows Kernel allowing unauthorised remote code execution. This is a kernel-level vulnerability — successful exploitation gives an attacker the highest level of system access.
BitLocker Security Feature Bypass — CVE-2026-45585 Update: Microsoft has released the permanent fix for the YellowKey BitLocker bypass covered extensively in May 21–22 reports. Apply the Patch Tuesday update rather than relying on the PowerShell mitigation script.
Other critical Patch Tuesday CVEs:
- CVE-2026-42904 (CVSS 9.6): Windows TCP/IP heap-based buffer overflow — adjacent network attacker can elevate privileges
- CVE-2026-44815 (CVSS 9.8): Windows DHCP Client stack-based buffer overflow — unauthorised RCE
- CVE-2026-47291 (CVSS 9.8): Windows HTTP.sys integer overflow — unauthorised RCE
- CVE-2026-47643 (CVSS 9.8): Azure Stack Edge external file path control — unauthorised RCE
- CVE-2026-45602 (CVSS 9.1): Windows DHCP Server tampering vulnerability
- CVE-2026-26142 (CVSS 9.8): Nuance PowerScribe deserialization RCE
Fixable: Yes. Apply the June 2026 Patch Tuesday updates via Windows Update, WSUS, or Microsoft Update Catalog. Prioritise the three zero-days and the Windows Kernel, HTTP.sys, DHCP, and TCP/IP vulnerabilities — these are network-exploitable or grant SYSTEM/kernel access.
Recommended action: Deploy Patch Tuesday updates through your standard patch management process, but accelerate deployment for the three zero-days and network-facing vulnerabilities. Domain controllers, internet-facing servers, and systems running Windows Defender should be prioritised.
Official source: Microsoft Security Response Center — June 2026
Check Point Security Gateway — CVE-2026-50751 (Actively Exploited, NCSC Warns of Large-Scale Abuse)
Software affected: Check Point Security Gateway — Remote Access VPN with IKEv1 enabled.
CVE: CVE-2026-50751 | CISA KEV deadline June 11 (tomorrow) | Now confirmed actively exploited by Check Point | Dutch NCSC warns of imminent large-scale abuse
Update since yesterday: Check Point has confirmed active exploitation of the IKEv1 authentication bypass. The Dutch National Cyber Security Centre (NCSC) has issued a warning about expected large-scale abuse — the standard pattern where a VPN vulnerability transitions from targeted exploitation to mass scanning and automated attacks. With the CISA KEV deadline tomorrow, organisations have 24 hours to patch. If your Check Point gateway is internet-facing with IKEv1 enabled, patch today — do not wait for the deadline.
Recommended action: Emergency patch. The NCSC warning of large-scale abuse is the signal that automated mass exploitation is imminent. Patch today. Disable IKEv1 if not needed. Covered in full in the dedicated advisory.
Official source: Check Point Security Advisory | CISA KEV
Veeam Backup & Replication — Critical RCE on Backup Servers
Software affected: Veeam Backup & Replication — the enterprise backup and recovery platform deployed in organisations globally.
CVE: Critical severity | Remote code execution on backup servers
Fixable: Yes. Apply the Veeam security update immediately.
Business impact: A critical vulnerability allowing remote code execution on Veeam backup servers. In ransomware scenarios, backup servers are the last line of defence — attackers specifically target backup infrastructure to destroy or encrypt backups before deploying ransomware, ensuring the victim cannot recover without paying. A compromised backup server gives an attacker access to backups of every system in the organisation — effectively access to all organisational data. Veeam vulnerabilities have been consistently exploited in ransomware campaigns over the past several years. Patch immediately.
Recommended action: Critical — patch Veeam today. Backup servers should be treated as tier-0 assets. Ensure the Veeam server is not accessible from the internet or untrusted networks.
Official source: Veeam Security Advisory
Ivanti Sentry — Critical Vulnerabilities Enabling Remote Takeover
Software affected: Ivanti Sentry (formerly MobileIron Sentry) — gateway appliance for managing mobile device access to enterprise resources.
CVE: Critical severity | Remote takeover of Ivanti Sentry servers
Fixable: Yes. Apply Ivanti security updates immediately.
Business impact: Ivanti Sentry serves as the gateway between mobile devices and enterprise backend resources — it enforces access policies for email, documents, and internal applications accessed from mobile devices. A compromised Sentry server allows an attacker to intercept or manipulate mobile device traffic, bypass mobile security policies, and potentially gain access to internal enterprise resources through the mobile management channel. Ivanti vulnerabilities have been aggressively exploited in the wild in recent years — patch immediately.
Recommended action: Critical — patch Ivanti Sentry today. If the Sentry server is internet-facing (as is typical for mobile gateway appliances), treat this as an emergency patch.
Official source: Ivanti Security Advisory
Adobe ColdFusion and Campaign Classic — Critical RCE (CVSS 9.6 and 10.0)
Software affected: Adobe ColdFusion versions 2023.19 and 2025.8 and earlier. Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier.
CVEs: CVE-2026-47928 (ColdFusion, CVSS 9.6, CWE-20, arbitrary code execution, no user interaction, scope changed). CVE-2026-48303 (Campaign Classic, CVSS 10.0 — maximum severity, CWE-863, arbitrary code execution, scope changed).
Fixable: Yes. Apply the Adobe security updates immediately. ColdFusion advisory: APSB26-64. Campaign Classic advisory: APSB26-66.
Business impact: ColdFusion is a widely deployed web application server in government, education, and enterprise environments. A CVSS 9.6 RCE with no user interaction required and scope change makes unpatched ColdFusion servers trivially exploitable. Campaign Classic at CVSS 10.0 — the maximum possible severity — represents a complete system compromise vector. Adobe ColdFusion vulnerabilities have historically been exploited aggressively — patch today.
Recommended action: Critical — patch ColdFusion and Campaign Classic immediately. Internet-facing ColdFusion servers should be patched as an emergency.
Official source: Adobe APSB26-64 (ColdFusion) | APSB26-66 (Campaign)
Perl DBI Buffer Overflow — CVE-2026-9698 (CVSS 9.8)
Software affected: Perl DBI (Database Interface) module — the standard database access layer for Perl — all versions prior to 1.648.
CVE: CVE-2026-9698 | CVSS 9.8 Critical | CWE-787 (Out-of-Bounds Write) | Buffer overflow in error message handling
Fixable: Yes. Update Perl DBI to version 1.648 or later: cpanm DBI@1.648. Error messages exceeding 200 bytes when RaiseError, PrintError, or HandleError are enabled trigger a buffer overflow. Attackers who can influence error text in applications using DBI can exploit this for remote code execution. Update across all Perl applications and environments.
Official source: GitHub — DBI Fix Commit
Google Chromium V8 — CVE-2026-11645 (NEW CISA KEV, Due June 23)
Software affected: Google Chromium V8 JavaScript engine — affects Chrome, Edge, Brave, Opera, and all Chromium-based browsers.
CVE: CVE-2026-11645 | Added to CISA KEV June 9, 2026 — deadline June 23, 2026 | Out-of-bounds read and write in V8 engine allows RCE inside sandbox via crafted HTML page
Fixable: Yes. Google has released a Chrome update. Update Chrome and all Chromium-based browsers immediately. The vulnerability can be exploited simply by visiting a crafted web page — no user interaction beyond browsing.
Official source: CISA KEV
Spring Framework — CVE-2026-41851 (DoS via SpEL Expression Cache Growth)
Software affected: Spring Framework 5.3.0–5.3.48, 6.1.0–6.1.27, 6.2.0–6.2.18, 7.0.0–7.0.7. Spring is the most widely used Java application framework — deployed in millions of enterprise applications.
CVE: CVE-2026-41851 | CVSS 5.3 | CWE-770 (Uncontrolled Resource Consumption) | Fixed in 5.3.49 / 6.1.28 / 6.2.19 / 7.0.8
Recommended action: Update Spring Framework. Applications that accept user-supplied SpEL expressions are affected — audit your application for SpEL evaluation on user input.
Official source: Spring Security Advisory
KEV Deadline Watch
TODAY (June 10): Nx Console CVE-2026-48027 / TanStack CVE-2026-45321.
TOMORROW (June 11): Check Point Security Gateway CVE-2026-50751 — actively exploited, NCSC warns of large-scale abuse.
June 19: SolarWinds Serv-U CVE-2026-28318.
June 22: BerriAI LiteLLM CVE-2026-42271.
June 23: Google Chromium V8 CVE-2026-11645 / Arista EOS CVE-2026-7473 / Cisco SD-WAN CVE-2026-20245.
Updates on Items from Previous Reports
Everest Forms Pro CVE-2026-3300: Still the most urgent actively exploited WordPress threat. Dedicated advisory.
Windows MiniPlasma CVE-2026-33825: Patch Tuesday may include a fix — check the June update. Dedicated advisory.
Hugging Face Transformers, Cisco SD-WAN, X.Org, Ansible, Comodo, all WP plugin CVEs: Covered in dedicated advisories.
PAN-OS CVE-2026-0257: 9 days past KEV deadline. Still actively exploited.
Citrix NetScaler, Windows Netlogon, Acer routers, FortiClient, Ghost CMS, SonicWall, ChromaDB, Oracle, Cisco UC Manager, authentik, BIRD BGP, MLflow, React Router, LibreChat, MISP: Covered in previous reports.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources.
