Vulnerability Intelligence Report — June 16, 2026

Coverage: June 1–16, 2026 | Total CISA KEV additions (period): 14 | New KEVs yesterday: 2 | Oracle PeopleSoft deadline passed (June 15) | Next KEV deadline: LiteSpeed cPanel (June 18) | Overdue KEVs: 7
Previous reports: June 15, 2026 | June 14, 2026

Today — Tuesday, June 16, 2026 — marks the start of a new week and the first day after the Oracle PeopleSoft KEV deadline passed. The Oracle and Ivanti weekend deadlines are now both overdue, bringing the total overdue KEV count to 7. CISA added two new KEVs yesterday: LiteSpeed cPanel CVE-2026-54420 (due Thursday, June 18 — just 2 days) and Cisco SD-WAN Manager CVE-2026-20262 (due June 29), the latter confirmed as actively exploited in zero-day attacks. This is Cisco’s second SD-WAN KEV this month. In supply-chain news, the OptinMonster WordPress plugin was compromised in a CDN supply-chain attack — any site loading the plugin’s JavaScript from the CDN during the compromise window may have served malicious code to visitors. On the threat intelligence front, Chinese state-sponsored actors have been breaching REDCap servers at medical research institutions to steal clinical trial and patient data, and a Windows variant of the SprySOCKS Linux backdoor has been deployed against government organisations.


Quick Reference — Most Important Items Today

Oracle PeopleSoft: CVE-2026-35273 (KEV deadline passed June 15 — NOW OVERDUE, patch immediately if not done over the weekend)

LiteSpeed cPanel: CVE-2026-54420 (NEW CISA KEV, due June 18 — 2 days, shared hosting providers must patch urgently)

Cisco SD-WAN Manager: CVE-2026-20262 (NEW CISA KEV, due June 29, actively exploited zero-day, second Cisco SD-WAN KEV this month)

OptinMonster CDN: Supply-chain attack — WordPress plugin’s CDN-hosted JavaScript compromised, serving malicious code to visitor browsers

SimpleHelp: Bug allowing unauthorised creation of rogue remote support accounts — patch remote support infrastructure immediately

WP MAPS PRO: CVE-2026-8935 (CRITICAL 9.8) — unauthenticated AJAX action with exposed nonce, WordPress sites at risk

Chinese APT REDCap breaches: Medical research institutions targeted — clinical trial and patient data exfiltrated

SprySOCKS Windows variant: Government organisations targeted with Windows version of Linux backdoor

Overdue KEV: Oracle PS +1 | Ivanti +2 | Check Point +5 | Nx Console +6 | Mirasvit +10 | Android +11 | PAN-OS +15


Oracle PeopleSoft — CVE-2026-35273 (Deadline Passed — Now Overdue)

Software affected: Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62.

CVE: CVE-2026-35273 | CISA KEV deadline was Sunday, June 15, 2026 — NOW OVERDUE | CVSS 9.8 | Missing authentication enabling complete PeopleSoft takeover | Known ransomware campaign use | Actively exploited by ShinyHunters.

Status: The Sunday deadline has passed. The weekend double-deadline (Ivanti + Oracle) is now complete — both are overdue. ShinyHunters exploitation continues, and the Council of Europe confirmed yesterday that it is investigating ShinyHunters data breach claims, indicating the group is actively monetising compromised data. Organisations that did not patch over the weekend should treat this as priority-one remediation today. Full coverage in the dedicated CVE-2026-35273 advisory.

Recommended action: Patch immediately if not done over the weekend. One day overdue. Review PeopleSoft access logs for ShinyHunters IOCs. Rotate credentials after patching. Council of Europe investigation suggests ShinyHunters is actively exploiting stolen data — breach notification obligations may apply.

Official source: Oracle Security Alert | CISA KEV Catalog


LiteSpeed cPanel — CVE-2026-54420 (New CISA KEV, Due June 18)

Software affected: LiteSpeed cPanel plugin before 2.4.8 (distributed in LiteSpeed WHM Plugin before 5.3.2.0).

CVE: CVE-2026-54420 | NEW CISA KEV — added June 15, due Thursday June 18, 2026 | CVSS 8.5 | UNIX symlink following allows user with FTP/web shell on shared hosting to access other customers’ data | BOD 26-04 applies.

Status: This vulnerability was covered in our June 14 report and a dedicated advisory was published. It has now been formally added to the CISA KEV catalog with an accelerated 3-day deadline — only 2 days remaining. Shared hosting providers running LiteSpeed with the cPanel plugin are the primary affected population. The symlink following vulnerability is exploitable by any user with FTP or shell access on the shared server, enabling cross-account data access.

Recommended action: Upgrade LiteSpeed WHM Plugin to 5.3.2.0+ by Thursday, June 18. This is a short deadline — hosting providers should prioritise this above routine maintenance. Audit symlink configurations and CageFS enforcement on shared hosting servers.

Official source: LiteSpeed Security Update | CISA KEV Catalog
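
For the symlink audit recommended above, one possible check is sketched here as an added example; it is not LiteSpeed's, cPanel's or CageFS's own tooling. It assumes each customer account is a directory directly under a single root such as /home, and the function names and the demo tree are constructed for illustration. It reports every symlink in an account's tree that resolves outside that account's home.

```python
import os
import tempfile

def find_escaping_symlinks(home_root: str):
    """Return (account, link_path, resolved_target) for every symlink under
    home_root/<account>/ whose target resolves outside that account's home."""
    findings = []
    root = os.path.realpath(home_root)
    for account in sorted(os.listdir(root)):
        home = os.path.join(root, account)
        if os.path.islink(home) or not os.path.isdir(home):
            continue  # only real per-account directories are audited
        # followlinks=False: the audit itself never descends through a link
        for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                target = os.path.realpath(path)  # resolves chained links too
                if os.path.commonpath([home, target]) != home:
                    findings.append((account, path, target))
    return findings

def build_demo_tree(base: str) -> str:
    """Constructed layout: two accounts, one in-home link, one cross-account link."""
    for account in ("alice", "bob"):
        os.makedirs(os.path.join(base, account, "public_html"))
    other_file = os.path.join(base, "bob", "public_html", "config.php")
    open(other_file, "w").close()
    # Relative link that stays inside alice's home: not reported
    os.symlink("public_html", os.path.join(base, "alice", "www"))
    # Link from alice's tree into bob's tree: reported
    os.symlink(other_file, os.path.join(base, "alice", "public_html", "notes.txt"))
    return other_file

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        for finding in find_escaping_symlinks(demo):
            print(finding)
```

Links that resolve to shared system paths are also reported and need triage; links that land in another account's home are the ones to investigate first.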


Cisco SD-WAN Manager — CVE-2026-20262 (New CISA KEV, Actively Exploited)

Software affected: Cisco Catalyst SD-WAN Manager (formerly vManage).

CVE: CVE-2026-20262 | NEW CISA KEV — added June 15, due June 29, 2026 | Path traversal allowing authenticated remote attacker to create or overwrite any file on the filesystem | Actively exploited in zero-day attacks | Second Cisco SD-WAN KEV this month (after CVE-2026-20245 on June 9).

Status: Cisco confirmed yesterday that this vulnerability has been exploited in the wild as a zero-day. The path traversal allows an authenticated attacker to write arbitrary files, which can lead to remote code execution by overwriting system binaries, configuration files, or deploying webshells. This is the second Cisco SD-WAN Manager vulnerability to be added to the KEV catalog this month — CVE-2026-20245 (local privilege escalation to root, due June 23) was added June 9. BleepingComputer has confirmed the zero-day exploitation.

Recommended action: Apply Cisco’s fix immediately per Cisco Advisory. Do not wait for the June 29 deadline — this is actively exploited. Review SD-WAN Manager file integrity and audit logs for indicators of compromise. Apply CVE-2026-20245 patch simultaneously if not already done.

Official source: Cisco Advisory cisco-sa-sdwan-arbfw | CISA KEV Catalog


OptinMonster CDN Supply-Chain Attack — WordPress Plugin Compromised

Affected platforms: WordPress sites using the OptinMonster plugin that loaded JavaScript assets from the plugin’s CDN during the compromise window. Over 1.4 million active installations.

Status: The OptinMonster WordPress plugin was compromised in a CDN supply-chain attack. Attackers gained access to the plugin’s CDN hosting and replaced legitimate JavaScript files with malicious versions. Any site that loaded OptinMonster’s CDN-hosted scripts during the compromise window served attacker-controlled JavaScript to visitors — enabling credential harvesting, session hijacking, and drive-by malware delivery. This follows a pattern of CDN-based supply-chain attacks targeting WordPress plugins.

Recommended action: Immediately verify the integrity of all OptinMonster CDN-loaded scripts. Clear all caches. Check website visitors’ browsers for signs of compromise (unexpected redirects, credential prompts). Review WordPress admin accounts for unauthorised additions. Consider using Subresource Integrity (SRI) hashes for all third-party CDN scripts as a permanent mitigation. Update OptinMonster to the latest patched version.

Official source: BleepingComputer Report | OptinMonster Security Notice (expected)
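
For the Subresource Integrity recommendation above, this added example (not OptinMonster's or WordPress's code) generates an integrity value, verifies script bytes against it, and audits a page for third-party scripts that are not pinned. The hostnames, script bytes and page markup are constructed placeholders, not the plugin's real CDN URL.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Build the value of an integrity attribute for the given script bytes."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def matches_integrity(content: bytes, integrity: str) -> bool:
    """Check bytes the way a browser does: only the strongest listed algorithm counts."""
    tokens = [t.split("?")[0] for t in integrity.split()]
    tokens = [t for t in tokens if t.split("-")[0] in STRENGTH]
    if not tokens:
        return False  # nothing usable pinned: treat as unverified in an audit
    best = max(STRENGTH[t.split("-")[0]] for t in tokens)
    return any(sri_hash(content, t.split("-")[0]) == t
               for t in tokens if STRENGTH[t.split("-")[0]] == best)

class ScriptAudit(HTMLParser):
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host, self.findings = site_host, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        host = urlparse(a.get("src") or "").netloc
        if tag != "script" or host in ("", self.site_host):
            return  # not a script, inline, or same-origin
        status = "pinned"
        if not a.get("integrity"):
            status = "missing-integrity"
        elif "crossorigin" not in a:
            status = "missing-crossorigin"  # cross-origin SRI needs a CORS fetch
        self.findings.append((a["src"], status))

def audit_page(html: str, site_host: str):
    parser = ScriptAudit(site_host)
    parser.feed(html)
    return parser.findings

# Constructed sample data: stand-in script bytes and a page on www.example.org.
GOOD_JS = b"console.log('campaign loader');"
PAGE = f"""<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example.net/app/api.min.js"></script>
<script src="https://cdn.example.net/app/api.min.js"
        integrity="{sri_hash(GOOD_JS)}" crossorigin="anonymous"></script>"""
```

Pinning only works for script URLs whose content does not change in place; a vendor that updates the file at the same URL will break the pinned tag until the hash is regenerated from a reviewed copy.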


SimpleHelp, WP MAPS PRO, and Chinese APT Activity — Additional Items

SimpleHelp Rogue Account Creation: A vulnerability in the SimpleHelp remote support platform allows attackers to create rogue administrator accounts without authorisation. Remote support tools are high-value targets — they provide direct access to customer endpoints and internal systems with legitimate remote access credentials. Patch SimpleHelp immediately. Audit all accounts for unauthorised additions. Restrict admin interface to trusted IP ranges.

WP MAPS PRO CVE-2026-8935 (CVSS 9.8): Critical unauthenticated AJAX vulnerability in WP MAPS PRO before 6.1.1. The plugin registers an AJAX action without authentication and emits a valid nonce on any frontend page, making exploitation trivial. Update to 6.1.1+ immediately.

Chinese APT REDCap Breaches: Chinese state-sponsored actors are breaching REDCap (Research Electronic Data Capture) servers at medical research institutions, exfiltrating clinical trial data and patient records. REDCap is widely used in academic and healthcare research. Institutions running REDCap should review access logs, enforce MFA, segment research data from production networks, and apply latest REDCap security patches.

SprySOCKS Windows Variant: A Windows version of the SprySOCKS Linux backdoor malware has been identified in attacks against government organisations. Government security teams should update detection signatures and hunt for SprySOCKS indicators across Windows environments.


KEV Deadline Watch

June 18 (2 days): LiteSpeed cPanel CVE-2026-54420. NEW KEV. Dedicated advisory.

June 19 (3 days): SolarWinds Serv-U CVE-2026-28318.

June 22 (6 days): BerriAI LiteLLM CVE-2026-42271.

June 23 (7 days): Google Chromium V8 CVE-2026-11645 / Arista EOS CVE-2026-7473 / Cisco SD-WAN CVE-2026-20245.

June 29 (13 days): Cisco SD-WAN Manager CVE-2026-20262. NEW KEV. Actively exploited.

OVERDUE — June 15: Oracle PeopleSoft CVE-2026-35273 (+1 day, ransomware). Dedicated advisory.

OVERDUE — June 14: Ivanti Sentry CVE-2026-10520 (+2 days).

OVERDUE — June 11: Check Point CVE-2026-50751 (+5 days, ransomware).

OVERDUE — June 10: Nx Console CVE-2026-48027 (+6 days, ransomware).

OVERDUE — June 6: Mirasvit CVE-2026-45247 (+10 days).

OVERDUE — June 5: Android Framework CVE-2025-48595 (+11 days).

OVERDUE — June 1: Palo Alto PAN-OS CVE-2026-0257 (+15 days).


Updates on Items from Previous Reports

Oracle PeopleSoft CVE-2026-35273: Sunday deadline passed — now overdue. Council of Europe investigating ShinyHunters data breach claims. Dedicated advisory.

Ivanti Sentry CVE-2026-10520: Saturday deadline passed — now 2 days overdue. First BOD 26-04 weekend deadline.

LiteSpeed cPanel CVE-2026-54420: Now a CISA KEV — 2-day deadline. Dedicated advisory.

Cisco SD-WAN: Second KEV this month (CVE-2026-20262). Both require patching. CVE-2026-20262 actively exploited.

Check Point, Nx Console, Mirasvit, Android, PAN-OS: All significantly past deadline. Overdue KEV count now at 7.

Microsoft 365 Copilot: TTP alert from June 15. Microsoft investigating mitigations. Review Copilot document access scope.

Arch Linux AUR, Spring, GitLab, UpdraftPlus, Apinizer, Golem OEE, Grafana Operator, ABRT, MCP, WP Ticket, Linux-PAM, Perl, Comma AI, nanoMODBUS, MQTT-C: All have dedicated advisories published. Covered in previous reports.


This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
