Vulnerability Intelligence Report — June 17, 2026
Coverage: June 1–17, 2026 | Total CISA KEV additions (period): 15 | New KEVs yesterday: 1 | KEV deadline TOMORROW: LiteSpeed cPanel (June 18) | Next: Joomla CE / SolarWinds (June 19) | Overdue KEVs: 7
Today — Wednesday, June 17, 2026 — brings a heavy news cycle. CISA added a new KEV for the Widget Factory Joomla Content Editor (CVE-2026-48907, due Friday June 19 — 2 days), which allows unauthenticated PHP upload and execution. The big story of the day: critical Fortinet FortiSandbox vulnerabilities are now actively exploited in attacks — FortiSandbox is a core security appliance used by enterprises to detonate and analyse suspicious files, making compromise particularly dangerous. ShinyHunters has claimed another victim: Kodak has confirmed a data breach attributed to the group, following the Council of Europe investigation disclosed yesterday. In emerging threats, malicious JetBrains Marketplace plugins are stealing AI API keys (OpenAI, Anthropic, Google) from developer environments, a ransomware gang has been observed abusing Microsoft Teams relays to hide C2 traffic, and Steam Workshop is being abused to distribute malware through the Wallpaper Engine app. On the vulnerability front, a critical remote code execution flaw via missing authorization was found in the Premmerce Dev Tools WordPress plugin.
Quick Reference — Most Important Items Today
Fortinet FortiSandbox: CRITICAL vulnerabilities actively exploited in attacks — enterprise security appliances compromised
Joomla Content Editor: CVE-2026-48907 (NEW CISA KEV, due June 19 — 2 days, unauthenticated PHP upload/execution)
LiteSpeed cPanel: CVE-2026-54420 (CISA KEV deadline TOMORROW June 18 — patch shared hosting today)
Kodak: Confirmed data breach by ShinyHunters extortion gang — follow-up to Oracle PeopleSoft exploitation
JetBrains Marketplace: Malicious plugins stealing AI API keys from developer environments
Microsoft Teams: Ransomware gangs abusing Teams relays to hide C2 traffic
RoguePlanet Defender: Microsoft confirms patch in development for Windows Defender zero-day
Steam Workshop: Malware distributed via Wallpaper Engine app on Steam
Rokarolla Android: New malware targeting 217 banking and crypto apps
Premmerce Dev Tools: CVE-2026-6933 (HIGH 8.8) — RCE via missing authorization in WordPress plugin
Overdue KEV: Oracle PS +2 | Ivanti +3 | Check Point +6 | Nx Console +7 | Mirasvit +11 | Android +12 | PAN-OS +16
Fortinet FortiSandbox — Critical Vulnerabilities Actively Exploited
Software affected: Fortinet FortiSandbox — enterprise security appliance for sandbox-based threat analysis.
Status: Fortinet has confirmed that critical vulnerabilities in FortiSandbox are now actively exploited in the wild. FortiSandbox is a core security infrastructure component that enterprises use to detonate suspicious files in isolated environments. Because the appliance itself is the target, attackers can compromise the very system designed to detect and analyse malware, creating a dangerous blind spot in the security stack. Specific CVE identifiers are pending. Details of the attack vector and affected versions are being updated via Fortinet’s PSIRT advisories.
Recommended action: Apply FortiSandbox patches immediately upon release. Until patches are applied: isolate FortiSandbox management interfaces from untrusted networks, review sandbox appliance logs for signs of compromise, and verify that sandbox detonation is still functioning correctly. Consider whether compromised sandbox appliances may have been used to suppress detection of other malicious activity. Monitor Fortinet’s PSIRT advisory page for updates.
Official source: BleepingComputer Report | Fortinet PSIRT Advisory (pending)
Joomla Content Editor — CVE-2026-48907 (New CISA KEV, Due June 19)
Software affected: Widget Factory Joomla Content Editor (JCE) — widely used WYSIWYG editor for Joomla CMS.
CVE: CVE-2026-48907 | NEW CISA KEV — added June 16, due Friday June 19, 2026 | Improper access control (CWE-284) allows unauthenticated users to upload and execute PHP code via creation of new editor profiles | BOD 26-04 applies.
Status: This is a critical vulnerability in one of the most widely deployed Joomla extensions. The improper access control means any unauthenticated visitor can create editor profiles that enable arbitrary PHP file uploads — effectively granting remote code execution on the Joomla server. The 3-day BOD 26-04 deadline means patching is required by Friday. Joomla sites using JCE should treat this as an emergency.
Recommended action: Update JCE to the patched version immediately — do not wait for Friday’s deadline. Free patches are available for older sites. Check for unexpected admin accounts, editor profiles, and PHP files on Joomla installations. Restrict /administrator access to trusted IPs as a compensating control.
Official source: JCE Security Update | CISA KEV Catalog
LiteSpeed cPanel — CVE-2026-54420 (KEV Deadline TOMORROW)
Software affected: LiteSpeed cPanel plugin before 2.4.8 / WHM Plugin before 5.3.2.0.
CVE: CVE-2026-54420 | CISA KEV deadline TOMORROW — June 18, 2026 | CVSS 8.5 | Symlink following enables cross-account data access on shared hosting | A dedicated advisory is available.
Status: Tomorrow is the deadline. CISA also warned yesterday of another actively exploited cPanel plugin flaw, indicating sustained attacker interest in hosting infrastructure vulnerabilities. Shared hosting providers running LiteSpeed with the cPanel plugin must upgrade WHM Plugin to 5.3.2.0+ by tomorrow. The short 3-day BOD 26-04 deadline makes this the tightest patching window of the current cycle.
Recommended action: Upgrade today before tomorrow’s deadline. Audit CageFS and symlink configurations. Review for cross-account access anomalies.
Official source: LiteSpeed Security Update | CISA KEV Catalog
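A starting point for the symlink audit recommended above, as an added example that is not part of the original report or any LiteSpeed/cPanel tooling: it lists symlinks inside each account's home that resolve outside that home and names the other account when the target lands in a sibling home. The one-directory-per-account layout under a common root (such as /home) and the sample tree with accounts alice and bob are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

def find_cross_account_symlinks(homes_root):
    """List symlinks inside each account home that resolve outside that home.

    Returns sorted tuples: (account, link path relative to homes_root,
    resolved target, name of the other account or None).
    """
    root = Path(homes_root).resolve()
    findings = []
    homes = [p for p in root.iterdir() if p.is_dir() and not p.is_symlink()]
    for home in homes:
        # followlinks=False: links are reported but never descended into.
        for dirpath, dirnames, filenames in os.walk(home, followlinks=False):
            for name in dirnames + filenames:
                link = Path(dirpath) / name
                if not link.is_symlink():
                    continue
                target = Path(os.path.realpath(link))
                if target == home or home in target.parents:
                    continue  # resolves inside the owner's own home
                # Name the sibling account when the target lands in another home.
                other = target.relative_to(root).parts[0] if root in target.parents else None
                findings.append((home.name, str(link.relative_to(root)), str(target), other))
    return sorted(findings, key=lambda f: f[:2])

def build_sample_tree(base):
    """Constructed sample: accounts alice and bob, one benign and two risky links."""
    base = Path(base)
    web = {a: base / a / "public_html" for a in ("alice", "bob")}
    for d in web.values():
        d.mkdir(parents=True)
    (web["alice"] / "index.html").write_text("ok\n")
    (web["bob"] / "wp-config.php").write_text("<?php // constructed\n")
    os.symlink(web["alice"] / "index.html", web["alice"] / "home.html")   # benign
    os.symlink(web["bob"] / "wp-config.php", web["alice"] / "cfg.txt")    # cross-account
    os.symlink("/", web["alice"] / "rootfs")                              # escapes homes
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in find_cross_account_symlinks(build_sample_tree(tmp)):
            print(finding)
```

Findings are leads for review rather than proof of compromise; some hosting setups create legitimate links out of a home directory, so compare results against a known-good baseline.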
Kodak ShinyHunters Breach, JetBrains AI Key Theft, MS Teams Relay Abuse, and More
Kodak ShinyHunters Breach: Kodak has confirmed a data breach attributed to the ShinyHunters extortion gang. This follows yesterday’s disclosure that the Council of Europe is investigating ShinyHunters breach claims. The ShinyHunters campaign — which began with exploitation of Oracle PeopleSoft CVE-2026-35273 — is now confirmed to have compromised multiple high-profile organisations. Organisations using PeopleSoft should assume they are being targeted and review breach notification obligations immediately.
JetBrains Marketplace AI Key Theft: Malicious plugins on the JetBrains Marketplace are stealing AI API keys (OpenAI, Anthropic, Google AI) from developer IDE environments. The plugins appear legitimate but exfiltrate stored API keys to attacker-controlled endpoints. Developers should immediately audit installed JetBrains plugins, rotate all AI API keys, and verify Marketplace plugin authenticity. This is particularly damaging for organisations where developers have access to production AI service keys.
Microsoft Teams Relay Abuse: A ransomware gang has been observed abusing Microsoft Teams relays to hide command-and-control traffic. By routing C2 communications through Teams infrastructure, attackers make their traffic appear as legitimate Microsoft 365 network activity, evading network detection. Organisations should review Teams relay configurations, monitor for anomalous Teams traffic patterns, and ensure EDR/XDR solutions can inspect Teams-related network flows.
RoguePlanet Defender Patch: Microsoft has confirmed a patch is in development for the Windows Defender RoguePlanet zero-day (CVE-2026-47281, CVSS 9.6) disclosed during June Patch Tuesday. The vulnerability enables SYSTEM-level privilege escalation. No timeline announced — continue using existing mitigations until the patch is released.
Steam Workshop Wallpaper Engine Malware: Steam Workshop is being abused to distribute malware through the Wallpaper Engine application. Malicious wallpaper packages contain hidden executable code. Steam users should verify Wallpaper Engine subscriptions and remove any from untrusted sources.
Rokarolla Android Malware: New Android banking trojan targeting 217 banking and cryptocurrency apps. Deployed via phishing and smishing campaigns. Android users should avoid sideloading apps and verify Play Protect is enabled.
Premmerce Dev Tools CVE-2026-6933 (CVSS 8.8): Remote code execution via missing authorization in the Premmerce Dev Tools WordPress plugin. This is a developer/admin tool — any site with this plugin installed and accessible should patch immediately.
KEV Deadline Watch
TOMORROW (June 18): LiteSpeed cPanel CVE-2026-54420. Dedicated advisory available. Patch today.
June 19 (2 days): Joomla Content Editor CVE-2026-48907 (NEW KEV) + SolarWinds Serv-U CVE-2026-28318. Double deadline.
June 22 (5 days): BerriAI LiteLLM CVE-2026-42271.
June 23 (6 days): Chromium V8 CVE-2026-11645 / Arista EOS CVE-2026-7473 / Cisco SD-WAN CVE-2026-20245.
June 29 (12 days): Cisco SD-WAN CVE-2026-20262. Actively exploited. Dedicated advisory available.
OVERDUE — June 15: Oracle PeopleSoft CVE-2026-35273 (+2 days, ransomware).
OVERDUE — June 14: Ivanti Sentry CVE-2026-10520 (+3 days).
OVERDUE — June 11: Check Point CVE-2026-50751 (+6 days, ransomware).
OVERDUE — June 10: Nx Console CVE-2026-48027 (+7 days, ransomware).
OVERDUE — June 6: Mirasvit CVE-2026-45247 (+11 days).
OVERDUE — June 5: Android CVE-2025-48595 (+12 days).
OVERDUE — June 1: PAN-OS CVE-2026-0257 (+16 days).
Updates on Items from Previous Reports
ShinyHunters: Now confirmed at Oracle PeopleSoft, Council of Europe, and Kodak. Campaign is widening. Assume targeting if running PeopleSoft.
LiteSpeed cPanel CVE-2026-54420: Deadline tomorrow. Upgrade WHM Plugin to 5.3.2.0+ today.
Cisco SD-WAN: CVE-2026-20245 (Jun 23) and CVE-2026-20262 (Jun 29). Both patching deadlines approaching. CVE-2026-20262 actively exploited.
Oracle PeopleSoft, Ivanti Sentry, Check Point, Nx Console: All past deadline. Overdue KEV count at 7.
OptinMonster CDN, SimpleHelp, WP MAPS PRO, Cisco SD-WAN KEV: Dedicated advisories all published in June 16 batch.
Fortinet FortiSandbox: Actively exploited — this is today’s top story. Monitor PSIRT for CVE assignments and patches.
All dedicated advisories (23 total): Arch AUR, Spring, GitLab, UpdraftPlus, Apinizer, Golem OEE, Grafana Operator, ABRT, MCP, WP Ticket, Linux-PAM, Perl, Comma AI, nanoMODBUS, MQTT-C, LiteSpeed, OptinMonster, SimpleHelp, Cisco KEV, WP MAPS PRO — all published on threat-modeling.com.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
