Vulnerability Intelligence Report — June 14, 2026

Coverage: June 1–14, 2026 | New CISA KEV additions (period): 12 | New KEV since yesterday: 0 | KEV deadline TODAY: Ivanti Sentry | KEV deadline TOMORROW: Oracle PeopleSoft | Overdue KEVs: 5
Previous reports: June 13, 2026 | June 12, 2026

Today — Saturday, June 14, 2026 — marks the CISA KEV remediation deadline for Ivanti Sentry CVE-2026-10520, and Oracle PeopleSoft CVE-2026-35273 follows tomorrow (Sunday, June 15) for a rare weekend double-deadline. Both carry BOD 26-04’s 3-day patch mandate. No new CISA KEV entries were added. The weekend news cycle is quieter on the vulnerability front, though several notable advisories merit attention: a CRITICAL path traversal and privilege escalation in the Grafana Operator, a HIGH-severity symlink mishandling in LiteSpeed cPanel affecting shared hosting environments, four TOCTOU/race condition vulnerabilities in ABRT/libreport on RHEL/Fedora systems, and a DNS rebinding weakness in the Model Context Protocol (MCP) — relevant to organisations deploying AI agent infrastructure. On the threat intelligence side, a report details Chinese state-sponsored actors maintaining persistent access to an isolated network for over a decade by hijacking authentication flows.


Quick Reference — Most Important Items Today

Ivanti Sentry: CVE-2026-10520 (CISA KEV DEADLINE TODAY, actively exploited, patch by end of day or disconnect)

Oracle PeopleSoft: CVE-2026-35273 (CISA KEV deadline TOMORROW Sunday June 15, ransomware, ShinyHunters, patch this weekend)

Grafana Operator: NEW CRITICAL path traversal / privilege escalation — upgrade to 5.24.0 immediately

LiteSpeed cPanel: CVE-2026-54420 (CVSS 8.5) — symlink mishandling on shared hosting, upgrade WHM Plugin to 5.3.2.0+

ABRT/libreport: 4 new HIGH-severity CVEs (CVE-2026-54228 through 54231) — TOCTOU, race conditions, symlink following on RHEL/Fedora crash reporting

Model Context Protocol: DNS rebinding vulnerability — patch MCP servers to v0.25+, relevant for AI agent infrastructure

Overdue KEV: Check Point +3 | Nx Console +4 | Mirasvit +8 | Android Framework +9 | PAN-OS +13


Ivanti Sentry — CVE-2026-10520 (KEV DEADLINE TODAY)

Software affected: Ivanti Sentry (formerly MobileIron Sentry) — all versions prior to patched release.

CVE: CVE-2026-10520 | CISA KEV deadline today — June 14, 2026 | OS command injection enabling unauthenticated root-level RCE | Actively exploited | BOD 26-04 3-day mandate applies. CISA explicitly ordered FCEB agencies to patch by today.

Status: Today is the remediation deadline. The vulnerability is exploited in the wild on internet-exposed Sentry appliances, and the BOD 26-04 requirement to patch critical exploited vulnerabilities within 3 days makes this the first major test of the new directive's accelerated timeline. If your Sentry appliance is internet-facing: patch today, or disconnect it from the internet immediately. Full coverage in the June 13 report.

Recommended action: Patch today — this is the deadline. Disconnect internet-facing Sentry appliances immediately if patching cannot be completed. Ensure mTLS with EPMM or restricted HTTPS through Neurons for MDM as compensating controls.

Official source: Ivanti Security Advisory | CISA KEV Catalog


Oracle PeopleSoft — CVE-2026-35273 (KEV Deadline Tomorrow)

Software affected: Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62.

CVE: CVE-2026-35273 | CISA KEV deadline tomorrow — Sunday, June 15, 2026 | CVSS 9.8 | Missing authentication enables complete PeopleSoft takeover via HTTP | Known ransomware campaign use | Actively exploited by ShinyHunters.

Status: Tomorrow's deadline falls on a Sunday, a patching window that many organisations do not staff. Together with today's Ivanti Sentry deadline it forms the first weekend KEV deadline of the current cycle, and a practical test of whether the accelerated BOD 26-04 timeline is achievable for organisations with weekend change freezes. Organisations with internet-facing PeopleSoft should already have patched or disconnected; those that have not must act today. Full coverage in the dedicated CVE-2026-35273 advisory and the June 13 report.

Recommended action: Patch PeopleSoft this weekend — deadline is Sunday. If patching is not possible, restrict all network access to PeopleSoft until Monday. Review access logs for ShinyHunters IOCs.

Official source: Oracle Security Alert CVE-2026-35273 | CISA KEV Catalog


Grafana Operator — CRITICAL Path Traversal / Privilege Escalation

Software affected: Grafana Operator versions prior to 5.24.0 — used in Kubernetes environments to manage Grafana instances.

CVE: CVE-2026-11769 | CRITICAL severity per vendor advisory | Path traversal combined with privilege escalation enables attackers to access sensitive cluster resources and escalate within Kubernetes namespaces. The Grafana Operator runs with elevated cluster privileges to manage Grafana deployments, making successful exploitation particularly impactful.

Status: Grafana has released version 5.24.0 with a fix. The Grafana Operator is widely deployed in Kubernetes observability stacks — every cluster running Grafana through the operator is potentially affected. While no active exploitation has been confirmed, the combination of path traversal and privilege escalation in a Kubernetes operator merits urgent attention.

Recommended action: Upgrade Grafana Operator to 5.24.0 immediately. Audit Kubernetes RBAC for Grafana Operator service accounts. Review operator audit logs for suspicious activity. Consider restricting the operator’s RBAC permissions as a defence-in-depth measure.
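The RBAC audit recommended above can be scripted. The following is an added example, not code from Grafana or the operator project: it takes a ClusterRole or Role object in the JSON shape that `kubectl get clusterrole <name> -o json` returns and flags the grants that turn a compromised operator into a cluster compromise (wildcards, escalation verbs, write access to RBAC objects, exec/token minting, cluster-wide secret reads). The sample manifest is constructed for the example; only the CRD API group name `grafana.integreatly.org` is taken from the operator's CRDs, the rules themselves are not the project's real ClusterRole.

```python
import json

# Verbs that let a subject grant itself more RBAC than it already holds.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# Writing these objects is privilege escalation by another route.
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
# Creating these yields code execution on nodes/pods or fresh SA tokens.
EXEC_RESOURCES = {"pods/exec", "pods/attach", "nodes/proxy", "serviceaccounts/token"}
READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch"}


def audit_rules(kind: str, rules: list) -> list:
    """Return findings (strings) for the rules of one Role or ClusterRole.
    A namespaced Role reading secrets in its own namespace is normal for an
    operator that must read Grafana credentials; a ClusterRole doing the same
    reads every secret in the cluster, so only the ClusterRole case is flagged."""
    findings = []
    for i, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        where = f"{kind} rule {i}"
        if "*" in verbs or "*" in resources or "*" in groups:
            findings.append(f"{where}: wildcard grant apiGroups={sorted(groups)} "
                            f"resources={sorted(resources)} verbs={sorted(verbs)}")
            continue  # everything below is subsumed by a wildcard
        if verbs & ESCALATION_VERBS:
            findings.append(f"{where}: escalation verbs {sorted(verbs & ESCALATION_VERBS)} "
                            f"on {sorted(resources)}")
        if resources & RBAC_RESOURCES and verbs & WRITE_VERBS:
            findings.append(f"{where}: can write RBAC objects {sorted(resources & RBAC_RESOURCES)}")
        if resources & EXEC_RESOURCES and "create" in verbs:
            findings.append(f"{where}: can create {sorted(resources & EXEC_RESOURCES)} "
                            f"(code execution / token minting)")
        if "secrets" in resources and kind == "ClusterRole" and verbs & READ_VERBS:
            findings.append(f"{where}: cluster-wide read of secrets")
    return findings


def audit_manifest(manifest: dict) -> list:
    """Audit one object as printed by `kubectl get clusterrole <name> -o json`
    (or `kubectl get role <name> -n <ns> -o json`)."""
    return audit_rules(manifest["kind"], manifest.get("rules", []))


# Constructed sample: a plausible operator ClusterRole with some grants
# that should not be there. Not the real grafana-operator manifest.
SAMPLE_CLUSTERROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "grafana-operator-example"},
  "rules": [
    {"apiGroups": ["grafana.integreatly.org"],
     "resources": ["grafanas", "grafanadashboards", "grafanadatasources"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["secrets", "configmaps"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["*"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterrolebindings"], "verbs": ["create", "bind"]}
  ]
}
""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_CLUSTERROLE):
        print(finding)
```

Run it against the output of `kubectl get clusterrole -o json` for every ClusterRole bound to the operator's service account (the binding chain comes from `kubectl get clusterrolebinding,rolebinding -A -o json`, filtering subjects on the service account name). The first rule in the sample, full control of the operator's own CRDs, is what the operator exists to do and produces no finding; the other three are the kind of grant that makes a path traversal in the operator a cluster-wide problem.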

Official source: Grafana Operator Release 5.24.0 | Grafana Security Advisory


LiteSpeed cPanel, ABRT/libreport, MCP, and WP Ticket — Notable New Advisories

LiteSpeed cPanel CVE-2026-54420 (CVSS 8.5): Symlink mishandling in the LiteSpeed cPanel plugin prior to 2.4.8 (distributed in LiteSpeed WHM Plugin before 5.3.2.0). A user with FTP or web shell access on a shared hosting server can exploit symlinks to access files outside their document root, potentially reading other customers’ data. Affects shared hosting environments. Upgrade WHM Plugin to 5.3.2.0 or later. High priority for hosting providers.

ABRT/libreport — 4 CVEs (CVE-2026-54228 through 54231): Multiple TOCTOU race conditions, symlink following, and content injection vulnerabilities in the ABRT (Automatic Bug Reporting Tool) post-create event handlers and D-Bus service. Affects RHEL, Fedora, and derivatives. Local privilege escalation on systems with ABRT enabled — particularly relevant for shared multi-user systems, development workstations, and CI runners. Apply distribution updates when available.
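Both the LiteSpeed cPanel item and the ABRT/libreport items above are instances of one bug class: a privileged component opens a path that a less-privileged user controls, and either follows a symlink out of the intended tree or checks the path first and opens it later (TOCTOU). The following is an added example, not code from LiteSpeed, cPanel or ABRT: it contrasts the naive join-and-open pattern with an opener that walks each path component with `O_NOFOLLOW` relative to a directory fd (openat semantics, which Python exposes as `dir_fd`), so the check and the open are the same syscall. The shared-hosting layout it builds in a temporary directory is constructed for the demo; it assumes a Linux or other POSIX system where `os.open` supports `dir_fd`.

```python
import errno
import os
import tempfile


def naive_read(root: str, rel_path: str) -> bytes:
    """The vulnerable pattern: join the tenant's docroot and the requested
    name, then open(). open() follows symlinks, so a link the tenant planted
    inside their own docroot is resolved to wherever it points."""
    with open(os.path.join(root, rel_path), "rb") as f:
        return f.read()


def open_within_root(root: str, rel_path: str) -> int:
    """Return a read-only fd for rel_path beneath root without following a
    symlink at any component. Every component is opened relative to the
    previous directory fd with O_NOFOLLOW, so there is no window between a
    lstat() that says 'regular file' and an open() that finds a symlink.
    root itself is trusted and may be a symlink (docroots often are)."""
    if os.path.isabs(rel_path):
        raise ValueError("absolute path rejected")
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("empty path or parent traversal rejected")
    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        # Final component: a symlink here fails with ELOOP instead of being
        # followed; O_DIRECTORY is dropped so a regular file can be opened.
        return os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def safe_read(root: str, rel_path: str) -> bytes:
    with os.fdopen(open_within_root(root, rel_path), "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed shared-hosting layout: tenant A's docroot holds a
    legitimate index.html plus a symlink named 'loot' pointing at another
    tenant's config file outside the docroot. Returns what each reader sees."""
    base = tempfile.mkdtemp(prefix="symlink-demo-")
    other = os.path.join(base, "tenant_b")
    docroot = os.path.join(base, "tenant_a", "public_html")
    os.makedirs(other)
    os.makedirs(docroot)
    with open(os.path.join(other, "wp-config.php"), "w") as f:
        f.write("DB_PASSWORD=hunter2")   # constructed secret
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("hello")
    os.symlink(os.path.join(other, "wp-config.php"), os.path.join(docroot, "loot"))

    result = {
        "naive": naive_read(docroot, "loot").decode(),    # leaks tenant B's file
        "legit": safe_read(docroot, "index.html").decode(),
    }
    try:
        safe_read(docroot, "loot")
        result["safe"] = "READ"
    except OSError as e:
        result["safe"] = errno.errorcode.get(e.errno, str(e.errno))  # ELOOP on Linux
    return result


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner should keep in mind. `O_NOFOLLOW` does nothing against hard links, so on a shared host tenants also need `fs.protected_hardlinks=1` (or separate filesystems) to stop a tenant hard-linking another tenant's file into their docroot. And if the privileged component later passes the path, rather than the fd, to something else (a helper process, a second open in an event handler, as in the ABRT post-create events), the race reappears; keep working on the fd you validated.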

Model Context Protocol CVE-2026-11624: The MCP specification carries a security warning advising servers to validate Origin headers to prevent DNS rebinding attacks. Prior to v0.25, MCP servers did not enforce this validation, making them vulnerable to DNS rebinding — an attacker could cause a user’s browser to connect to a local MCP server and execute arbitrary tool calls. Relevant for organisations running MCP-based AI agent infrastructure internally. Upgrade MCP implementations to v0.25 or later and validate Origin headers on all connections.
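What "validate Origin headers" looks like in practice, as an added example that is not code from the MCP specification or any MCP SDK: a request filter for a local HTTP-transport MCP server. It goes slightly beyond the advisory text, because Origin alone is not the whole defence against DNS rebinding: the rebinding attack has the browser connect to 127.0.0.1 while still sending the attacker's hostname in `Host`, so the `Host` header is checked first and the `Origin` allowlist second. The port, hostnames, allowed client origin and sample requests are all assumptions constructed for the example.

```python
from urllib.parse import urlsplit

LISTEN_PORT = 8000                                    # assumed bind port
LOCAL_HOSTNAMES = {"localhost", "127.0.0.1", "::1"}   # names this server answers as
# Hypothetical local client origin; a real deployment lists its own clients.
ALLOWED_ORIGINS = {"http://localhost:6274", "http://127.0.0.1:6274"}


def request_allowed(headers: dict) -> tuple:
    """Return (allowed, reason) for one HTTP request to the local MCP endpoint.

    Check 1, Host: under DNS rebinding the browser resolves attacker.example to
    127.0.0.1 and connects to us, but still sends Host: attacker.example.
    Rejecting any Host that is not our own name defeats the rebinding itself.
    Check 2, Origin: a browser sends Origin on every cross-site request and
    on every POST; an Origin outside the allowlist means a web page is driving
    the server. A request with no Origin comes from a non-browser client
    (CLI, IDE process) and is left to the transport's own authentication."""
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host")
    if not host:
        return False, "missing Host"
    parsed = urlsplit("//" + host)          # handles '[::1]:8000' and 'name:port'
    try:
        port = parsed.port if parsed.port is not None else 80
    except ValueError:
        return False, f"malformed Host {host!r}"
    if parsed.hostname not in LOCAL_HOSTNAMES or port != LISTEN_PORT:
        return False, f"Host {host!r} does not name this server"
    origin = h.get("origin")
    if origin is None:
        return True, "no Origin (non-browser client)"
    if origin.lower() == "null":
        return False, "opaque 'null' Origin"
    if origin.lower() not in ALLOWED_ORIGINS:
        return False, f"Origin {origin!r} not allowlisted"
    return True, "ok"


# Constructed request headers, not captured traffic.
SAMPLE_REQUESTS = {
    "ide_client":      {"Host": "127.0.0.1:8000", "Origin": "http://localhost:6274"},
    "cli_no_origin":   {"Host": "localhost:8000"},
    "ipv6_loopback":   {"Host": "[::1]:8000"},
    # Rebinding: attacker.example now resolves to 127.0.0.1, page fetches same-origin.
    "dns_rebinding":   {"Host": "attacker.example:8000", "Origin": "http://attacker.example:8000"},
    # Plain cross-site request from a page the user visited.
    "cross_site_page": {"Host": "127.0.0.1:8000", "Origin": "https://evil.example"},
    "wrong_port":      {"Host": "127.0.0.1:9000"},
}


def run_samples() -> dict:
    """Map each sample request name to the allow/deny decision."""
    return {name: request_allowed(hdrs)[0] for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        print(f"{name:16s} {request_allowed(hdrs)}")
```

Pair this with binding the server to 127.0.0.1 rather than 0.0.0.0 and with an authenticated transport; the header checks stop a browser from being used as the attacker's proxy, they do not authenticate anything.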

WP Ticket CVE-2026-9848 (CVSS 7.5): SQL injection via the WordPress search query parameter in WP Ticket plugin versions up to 6.0.4. The plugin hooks into WordPress's native search and passes unsanitised input to SQL queries. Update to a WP Ticket release later than 6.0.4.

Nefteprodukttekhnika BUK TS-G CVE-2026-12183 (CVSS 9.8): Critical authentication bypass in gas station automation systems. ICS/OT — patch if deployed, though limited enterprise exposure.


Threat Intelligence: Chinese APT Decade-Long Persistence via Auth Flow Hijacking

BleepingComputer reports that Chinese state-sponsored actors maintained persistent access to an isolated network for over a decade by hijacking authentication flows rather than deploying traditional malware. The technique involved intercepting and manipulating authentication tokens at network boundaries, allowing the attackers to impersonate legitimate users without triggering conventional detection mechanisms. This is not a CVE — it is a TTP (tactic, technique, and procedure) alert. Organisations operating air-gapped or isolated networks should review authentication architectures for single points of trust that could be similarly subverted. Network segmentation alone does not protect against auth-flow manipulation if the authentication service itself is reachable from both sides of the boundary.


KEV Deadline Watch

TODAY (June 14): Ivanti Sentry CVE-2026-10520. BOD 26-04 3-day mandate. DEADLINE.

TOMORROW (June 15): Oracle PeopleSoft CVE-2026-35273. Known ransomware. BOD 26-04 3-day mandate. Dedicated advisory.

OVERDUE — June 11: Check Point Security Gateway CVE-2026-50751 (+3 days, ransomware). Disable IKEv1 now.

OVERDUE — June 10: Nx Console CVE-2026-48027 (+4 days, ransomware). Dedicated advisory.

OVERDUE — June 6: Mirasvit Cache Warmer CVE-2026-45247 (+8 days). Unauthenticated RCE on e-commerce.

OVERDUE — June 5: Android Framework CVE-2025-48595 (+9 days).

OVERDUE — June 1: Palo Alto PAN-OS CVE-2026-0257 (+13 days). Dedicated advisory.

June 19: SolarWinds Serv-U CVE-2026-28318 (5 days).

June 22: BerriAI LiteLLM CVE-2026-42271 (8 days).

June 23: Google Chromium V8 CVE-2026-11645 / Arista EOS CVE-2026-7473 / Cisco SD-WAN CVE-2026-20245 (9 days).
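The Deadline Watch above is the kind of table worth generating rather than maintaining by hand. The following is an added example, not a tool from CISA or this report's author: it reads the CISA KEV JSON feed (the published file `known_exploited_vulnerabilities.json` has a top-level `vulnerabilities` list whose entries carry `cveID`, `vendorProject`, `product`, `dueDate` and `knownRansomwareCampaignUse`, among other fields) and buckets entries into overdue, due today, due tomorrow and upcoming for a given date. The embedded excerpt is constructed from this report's own entries in that shape; vendor name strings and the ransomware flags for entries the report does not describe as ransomware-linked are assumptions, not feed data.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the CISA KEV feed, built from the
# deadlines listed in this report. Not a copy of the real feed.
KEV_EXCERPT = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-2026-10520", "vendorProject": "Ivanti", "product": "Sentry",
  "dueDate": "2026-06-14", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2026-35273", "vendorProject": "Oracle", "product": "PeopleSoft",
  "dueDate": "2026-06-15", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2026-50751", "vendorProject": "Check Point", "product": "Security Gateway",
  "dueDate": "2026-06-11", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2026-0257", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
  "dueDate": "2026-06-01", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2026-28318", "vendorProject": "SolarWinds", "product": "Serv-U",
  "dueDate": "2026-06-19", "knownRansomwareCampaignUse": "Unknown"}
]}
""")


def deadline_watch(feed: dict, today: date, horizon_days: int = 14) -> dict:
    """Bucket KEV entries relative to `today`. Each entry becomes a tuple
    (days_over, cveID, 'vendor product', ransomware_known) where days_over
    is positive once the due date has passed. Entries further out than
    horizon_days are dropped."""
    buckets = {"overdue": [], "due_today": [], "due_tomorrow": [], "upcoming": []}
    for v in feed["vulnerabilities"]:
        due = date.fromisoformat(v["dueDate"])
        days_over = (today - due).days
        entry = (days_over, v["cveID"], f'{v["vendorProject"]} {v["product"]}',
                 v.get("knownRansomwareCampaignUse") == "Known")
        if days_over > 0:
            buckets["overdue"].append(entry)
        elif days_over == 0:
            buckets["due_today"].append(entry)
        elif days_over == -1:
            buckets["due_tomorrow"].append(entry)
        elif -days_over <= horizon_days:
            buckets["upcoming"].append(entry)
    buckets["overdue"].sort(key=lambda e: -e[0])    # most overdue first
    buckets["upcoming"].sort(key=lambda e: -e[0])   # soonest first
    return buckets


def render(buckets: dict) -> list:
    """Render buckets as report lines like 'OVERDUE: <product> <cve> (+N days, ransomware)'."""
    lines = []
    for key, label in (("overdue", "OVERDUE"), ("due_today", "TODAY"),
                       ("due_tomorrow", "TOMORROW"), ("upcoming", "UPCOMING")):
        for days_over, cve, product, ransomware in buckets[key]:
            if days_over > 0:
                detail = f"+{days_over} days"
            elif days_over == 0:
                detail = "DEADLINE"
            else:
                detail = f"{-days_over} days"
            flag = ", ransomware" if ransomware else ""
            lines.append(f"{label}: {product} {cve} ({detail}{flag})")
    return lines


if __name__ == "__main__":
    # With the live feed, replace KEV_EXCERPT by json.load() of the downloaded file.
    for line in render(deadline_watch(KEV_EXCERPT, date(2026, 6, 14))):
        print(line)
```

Against the full feed this produces the complete overdue list for your own tracked products rather than the five picked out here; filter `vendorProject`/`product` against your asset inventory before rendering, or the overdue bucket will be dominated by products you do not run.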


Updates on Items from Previous Reports

Ivanti Sentry CVE-2026-10520: Deadline is today. Patch now or disconnect from internet. This is the first BOD 26-04 deadline to fall on a weekend.

Oracle PeopleSoft CVE-2026-35273: Deadline tomorrow (Sunday). Dedicated advisory now published at CVE-2026-35273 Advisory.

UpdraftPlus CVE-2026-10795: Dedicated advisory published. Auth bypass → RCE on millions of WordPress installs. CVE-2026-10795 Advisory.

Check Point CVE-2026-50751: Now 3 days past KEV deadline. IKEv1 should be disabled on all internet-facing gateways by now.

Arch Linux AUR: Supply chain compromise now has a dedicated advisory. Over 400 packages affected. Audit all Arch-based systems. Arch Linux AUR Advisory.

Spring ecosystem + GitLab: Dedicated grouped advisories published covering all new CVEs. Spring Advisory | GitLab Advisory.

Mirasvit CVE-2026-45247, PAN-OS CVE-2026-0257, Nx Console CVE-2026-48027: All significantly past KEV deadline. Remediate or disconnect immediately.

Chinese APT auth-flow hijacking: Not a CVE — TTP alert. Review authentication boundary architectures in isolated/air-gapped networks. BleepingComputer Report.


This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
