Vulnerability Intelligence Report — June 2, 2026

Coverage: June 1–2, 2026 | New CISA KEV additions: 1 | New items this report: 7 | KEV deadlines tomorrow: 5 | KEV deadlines June 4: 3
Previous reports: June 1, 2026 | May 31, 2026 | May 30, 2026

This report covers the threat landscape as of June 2, 2026. CISA added Oracle WebLogic (CVE-2024-21182) to the Known Exploited Vulnerabilities catalog yesterday with a tight June 4 deadline. The Belgian government has issued an urgent warning about active exploitation of a critical Windows Netlogon vulnerability (CVE-2026-41089, CVSS 9.8). Fortinet reports large-scale exploitation of a Citrix NetScaler vulnerability (CVE-2026-3055, CVSS 9.8). An Apache Solr hardcoded-credential issue, three critical IBM WebSphere vulnerabilities and a WordPress plugin account takeover round out the new items. Tomorrow, June 3, brings five simultaneous CISA KEV deadlines.


Quick Reference — Most Important Vulnerabilities Today

Windows Netlogon: CVE-2026-41089 (CVSS 9.8, Belgian government exploitation warning, stack buffer overflow)

Citrix NetScaler: CVE-2026-3055 (CVSS 9.8, large-scale exploitation per Fortinet, SAML IDP)

Oracle WebLogic: CVE-2024-21182 (NEW CISA KEV, due June 4, T3/IIOP unauth access)

Apache Solr: CVE-2026-44825 (CVSS 8.1, hardcoded default admin credentials silently installed)

IBM WebSphere: CVE-2026-8644 / CVE-2026-9311 / CVE-2026-9319 (CVSS 9.0-9.1, spoofing + 2x RCE)

Kirki WP Plugin: CVE-2026-8206 (CVSS 9.8, unauthenticated account takeover via password reset)

Palo Alto PAN-OS: CVE-2026-0257 (KEV deadline passed June 1, still actively exploited)

WP Maps Pro: CVE-2026-8732 (actively exploited, rogue admin creation on WordPress sites)


Windows Netlogon — CVE-2026-41089 (CVSS 9.8, Belgian Government Exploitation Warning)

Software affected: Microsoft Windows Server 2012 through Windows Server 2025, including Windows Server 2012 R2, 2016, 2019, 2022, 2022 23H2, and 2025. Affects the Netlogon service — a core domain authentication component present on all Windows domain-joined servers.

CVE: CVE-2026-41089 | CVSS 9.8 Critical | CWE-121 (Stack-Based Buffer Overflow) | Network-exploitable without authentication

Fixable: Yes. Microsoft has released patches per the fixed build numbers: Windows Server 2016 (10.0.14393.9140), 2019 (10.0.17763.8755), 2022 (10.0.20348.5074), 2022 23H2 (10.0.25398.2330), and 2025 (10.0.26100.32772). Apply the latest cumulative update via Windows Update immediately. Windows Server 2012 and 2012 R2 are listed as affected but no fixed build is given for them here; both are past mainstream support, so confirm the correct update (ESU where applicable) against the MSRC advisory rather than assuming they are covered by a routine cumulative update.

Business impact: A stack-based buffer overflow in the Windows Netlogon service allows an unauthenticated attacker to execute arbitrary code over the network. Netlogon is the protocol that handles domain authentication between domain controllers and member servers — it runs on every Windows domain-joined machine and is a critical component of Active Directory infrastructure. The Belgian government’s Centre for Cybersecurity (CCB) has issued an urgent warning about active exploitation of this vulnerability, indicating that attacks are already underway. A successful exploit against a domain controller gives the attacker control over the entire Active Directory domain. The vulnerability’s characteristics — network-exploitable, no authentication required, CVSS 9.8, and exploitation confirmed by a national cybersecurity authority — place it in the highest priority category.

How to fix: Apply the latest Windows cumulative update on all Windows Server instances, prioritising domain controllers first, then member servers. Verify the installed build number matches or exceeds the fixed versions listed above; the CurrentBuild and UBR values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion give the exact build (17763 and 8755, for example, on a patched Server 2019), and a fleet-wide export of those two values is the fastest way to find stragglers. After patching, monitor the Netlogon service logs and Windows Security event logs for unusual authentication patterns, service crashes or unexpected restarts. Review network traffic for unexpected RPC requests to the Netlogon interface: it is reachable both over the \PIPE\NETLOGON named pipe on SMB (TCP 445) and over dynamic TCP ports located through the RPC endpoint mapper (TCP 135), so detection needs to cover both paths.
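The build verification step above, as an added example (not part of the report or Microsoft's tooling): it takes an exported inventory of hostnames and full version strings, maps each kernel build number to its Server SKU, and compares the UBR against the fixed builds quoted in this report. The inventory lines are constructed sample data, and the build-to-SKU mapping assumes the hosts are servers (build 26100, for instance, is shared with Windows 11 24H2).

```python
"""Classify Windows Server hosts against the fixed builds published for
CVE-2026-41089. Added example, not from the report or from Microsoft. The
inventory lines below are constructed sample data in the form
'hostname<TAB>major.minor.build.ubr', as you would export from the
CurrentBuild and UBR registry values or an endpoint-management tool."""

from dataclasses import dataclass

# Fixed builds quoted in the report, keyed by the kernel build number that
# identifies each Server SKU (assumption: inventory contains servers only).
FIXED_UBR = {
    14393: ("Windows Server 2016", 9140),
    17763: ("Windows Server 2019", 8755),
    20348: ("Windows Server 2022", 5074),
    25398: ("Windows Server 2022 23H2", 2330),
    26100: ("Windows Server 2025", 32772),
}
# Listed as affected in the report, but with no fixed build given.
AFFECTED_NO_FIX_LISTED = {
    9200: "Windows Server 2012",
    9600: "Windows Server 2012 R2",
}

@dataclass
class Verdict:
    host: str
    sku: str
    status: str   # 'patched', 'unpatched' or 'unknown'
    detail: str

def parse_build(version: str) -> tuple[int, int]:
    """'10.0.17763.8755' -> (17763, 8755). Server 2012/2012 R2 report a 6.x
    major version; the build number is still the third field."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(parts[2]), int(parts[3])

def classify(host: str, version: str) -> Verdict:
    try:
        build, ubr = parse_build(version)
    except ValueError as exc:
        return Verdict(host, "?", "unknown", str(exc))
    if build in FIXED_UBR:
        sku, fixed = FIXED_UBR[build]
        if ubr >= fixed:
            return Verdict(host, sku, "patched", f"UBR {ubr} >= {fixed}")
        return Verdict(host, sku, "unpatched", f"UBR {ubr} < {fixed}")
    if build in AFFECTED_NO_FIX_LISTED:
        return Verdict(host, AFFECTED_NO_FIX_LISTED[build], "unknown",
                       "affected SKU with no fixed build in report; check MSRC/ESU")
    return Verdict(host, "?", "unknown", f"build {build} not in affected list")

def triage(inventory: str) -> dict[str, list[str]]:
    """Group hostnames by status. Input: one 'host<TAB>version' per line."""
    groups: dict[str, list[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split("\t", 1)
        groups[classify(host, version).status].append(host)
    return groups

# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = """\
dc01\t10.0.17763.8755
dc02\t10.0.17763.8200
app01\t10.0.20348.5100
app02\t10.0.26100.32000
legacy01\t6.3.9600.22000
files01\t10.0.22631.4000
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown bucket need a human look rather than being treated as safe: the 2012-era entries have no fixed build to compare against, and a build number outside the affected list usually means a client OS or a mis-exported string.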

Recommended action: Critical — patch domain controllers today. The Belgian government warning and CVSS 9.8 score demand immediate attention. Any Windows Server that is domain-joined should be patched in this cycle. Prioritise internet-facing servers and domain controllers.

Official source: Microsoft MSRC — CVE-2026-41089 | NVD — CVE-2026-41089


Citrix NetScaler — CVE-2026-3055 (CVSS 9.8, Large-Scale Exploitation)

Software affected: Citrix NetScaler ADC and NetScaler Gateway, all versions prior to 13.1-62.23 (standard), 13.1-37.262 (FIPS/NDcPP), and 14.1-60.58 (standard). Affected when configured as a SAML Identity Provider (IDP).

CVE: CVE-2026-3055 | CVSS 9.8 Critical | CWE-125 (Out-of-Bounds Read) | Large-scale active exploitation confirmed by Fortinet

Fixable: Yes. Update NetScaler ADC and NetScaler Gateway to versions 13.1-62.23 or 14.1-60.58 (standard builds) or 13.1-37.262 (FIPS/NDcPP).

Business impact: An insufficient input validation vulnerability in NetScaler ADC and NetScaler Gateway, when configured as a SAML IDP, leads to a memory overread that can be exploited for remote code execution. Fortinet’s threat intelligence team has confirmed large-scale active exploitation of this vulnerability. NetScaler appliances serve as the primary remote access and application delivery gateway for thousands of organisations — they sit at the network perimeter handling VPN termination, load balancing, and SAML-based single sign-on. A compromised NetScaler gives an attacker a privileged position at the network edge from which they can intercept authentication traffic, manipulate SAML assertions, establish persistent VPN access, and pivot into the internal network. This follows the well-established pattern of NetScaler vulnerabilities being among the most aggressively exploited in the wild — CVE-2023-4966 (CitrixBleed) and CVE-2023-3519 remain cautionary examples of how quickly NetScaler flaws are weaponised at scale.

How to fix: Update NetScaler ADC and NetScaler Gateway to the appropriate patched version immediately. After updating, verify the installed version via the management interface or the CLI (show ns version). Whether the appliance actually acts as a SAML IDP is visible from the CLI as well: show authentication samlIdPProfile lists the configured IDP profiles and show authentication samlIdPPolicy shows the policies that bind them. Appliances with no SAML IDP profile are outside the vulnerable configuration as the bulletin describes it, but should still be patched. If SAML IDP functionality is not required, unbind and remove it to reduce the attack surface even after patching. Review NetScaler access logs and authentication logs for unusual SAML assertion activity, unexpected IDP-initiated logins, or connections from unrecognised IP ranges. Fortinet has published indicators of compromise for the ongoing exploitation campaign.

Recommended action: Critical for any organisation running NetScaler ADC or Gateway configured as a SAML IDP. Large-scale exploitation is confirmed and ongoing. Patch immediately. If your NetScaler is internet-facing — as most are — treat this as an emergency-patch item. Even if SAML IDP is not configured, verify your appliance’s configuration to confirm this, as the feature may be inadvertently enabled.

Official source: Citrix Security Bulletin — CTX696300 | NVD — CVE-2026-3055


Oracle WebLogic — CVE-2024-21182 (NEW CISA KEV, Deadline June 4)

Software affected: Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0. WebLogic is Oracle’s flagship Java EE application server and is widely deployed in enterprise and government environments for hosting business-critical Java applications.

CVE: CVE-2024-21182 | CVSS 7.5 High | Added to CISA KEV June 1, 2026 — federal agency deadline June 4, 2026

Fixable: Yes. Oracle released the patch in the July 2024 Critical Patch Update. Apply the July 2024 CPU or a subsequent Oracle patch release that includes the fix for CVE-2024-21182. The July 2024 CPU is available at: https://www.oracle.com/security-alerts/cpujul2024.html

Business impact: An unspecified vulnerability in the Core component of Oracle WebLogic Server allows an unauthenticated attacker with network access via the T3 and IIOP protocols to compromise the server. Successful exploitation results in unauthorised access to critical data — and depending on the environment, potential full server compromise. The T3 and IIOP protocols are proprietary Oracle protocols used for communication between WebLogic components and are commonly exposed on enterprise networks. The fact that this is a 2024-vintage CVE being added to KEV in June 2026 — nearly two years after the patch was released — indicates sustained exploitation interest and a significant population of unpatched WebLogic instances still in production. WebLogic’s presence in government, financial services, and large enterprise environments makes it a high-value target for both espionage and ransomware actors. CISA has set a tight June 4 deadline — just three days from the KEV addition — signalling urgency.

How to fix: Apply the Oracle July 2024 Critical Patch Update or a subsequent CPU that includes the fix for CVE-2024-21182. Verify the patch level via the WebLogic admin console or with OPatch (opatch lspatches in the Oracle home), since the product version string alone does not tell you which CPU is installed. After patching, review WebLogic access logs for unexpected T3/IIOP connections from unrecognised IP addresses. Restrict T3 and IIOP access to trusted application servers and administrative hosts; these protocols are often unnecessarily exposed to broader network segments. One caveat for anyone reaching for a firewall rule: WebLogic multiplexes T3, IIOP and HTTP on the same default listen port (7001), so blocking that port cuts off the web application along with the protocols you want to remove. Either define separate network channels so T3/IIOP listen on ports you can filter, or use WebLogic's built-in connection filter (weblogic.security.net.ConnectionFilterImpl, set in the admin console under Domain > Security > Filter) with rules that allow t3, t3s, iiop and iiops only from trusted addresses and deny them from everywhere else. For internet-facing deployments a reverse proxy that forwards only HTTP achieves the same result.
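A quick way to confirm whether T3 is reachable from a given network segment, as an added example (not Oracle tooling and not from the report): send the public T3 greeting that tools such as nmap's weblogic-t3-info script use and parse the HELO banner the server returns. The banner carries the product version (12.2.1.4.0 and 14.1.1.0.0 are the lines named in the report) but not the CPU patch level, so a hit means "T3 exposed on an affected line", not "unpatched"; the sample banner below is constructed.

```python
"""Probe a WebLogic listen port for T3 and parse the HELO banner.
Added example, not Oracle's tooling. It speaks the public T3 greeting
('t3 <version>\\nAS:255\\nHL:19\\n...') and reads the 'HELO:<version>.<secure>'
reply. CONSTRUCTED_BANNER is a made-up sample reply for offline use."""

import re
import socket
from typing import Optional

T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"
HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)+)\.(true|false)", re.MULTILINE)
AFFECTED_LINES = {"12.2.1.4.0", "14.1.1.0.0"}   # versions named in the report

def parse_helo(banner: bytes) -> Optional[dict]:
    """Return {'version': '12.2.1.4.0', 'secure': False}, or None when the
    reply is not a T3 HELO (HTTP-only listener, filtered, or closed)."""
    m = HELO_RE.search(banner)
    if not m:
        return None
    return {"version": m.group(1).decode(), "secure": m.group(2) == b"true"}

def assess(banner: bytes) -> str:
    """'no-t3', 't3-exposed' or 't3-exposed-affected-line'. The version in
    the banner does not reflect the CPU level, so 'affected-line' still
    needs the patch check (admin console or opatch lspatches)."""
    info = parse_helo(banner)
    if info is None:
        return "no-t3"
    if info["version"] in AFFECTED_LINES:
        return "t3-exposed-affected-line"
    return "t3-exposed"

def probe(host: str, port: int = 7001, timeout: float = 3.0) -> bytes:
    """Send the T3 greeting and return the raw reply. A connection filter
    that denies t3 typically closes the socket, giving an empty reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_HELLO)
        try:
            return s.recv(512)
        except socket.timeout:
            return b""

# Constructed sample reply, shaped like a real HELO but not captured from a server.
CONSTRUCTED_BANNER = b"HELO:12.2.1.4.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
        banner = probe(sys.argv[1], port)
    else:
        banner = CONSTRUCTED_BANNER
    print(assess(banner), parse_helo(banner))
```

Run it from the segments that should not be able to reach T3 (user VLANs, DMZ, the internet) after putting the connection filter or channel separation in place; a "no-t3" result from those vantage points is the evidence that the restriction works.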

Recommended action: High priority with a tight deadline. Federal agencies and BOD 22-01-compliant organisations must patch by June 4. Even for non-federal organisations, the KEV addition and the sustained exploitation interest over nearly two years make this a patch-now item. Audit your WebLogic inventory to identify any instances still running unpatched versions.

Official source: Oracle July 2024 Critical Patch Update | CISA KEV Catalog


Apache Solr — CVE-2026-44825 (CVSS 8.1, Hardcoded Admin Credentials)

Software affected: Apache Solr versions 9.4.0 through 9.10.1 and version 10.0.0. Apache Solr is a widely deployed open-source enterprise search platform built on Apache Lucene.

CVE: CVE-2026-44825 | CVSS 8.1 High | CWE-798 (Hardcoded Credentials) | Published June 1, 2026

Fixable: Yes. Update Apache Solr to the fixed release named in the Solr advisory (newer than 9.10.1 on the 9.x line, newer than 10.0.0 on the 10.x line), or apply the workaround: delete the template users (superadmin, admin, solr, and readonly) created by the Basic Authentication setup tool. These template users are installed silently alongside user-specified accounts and carry publicly known default credentials.

Business impact: The bin/solr auth enable Basic Authentication setup tool silently installs additional template user accounts with hardcoded, publicly known default credentials alongside the user-specified administrative account. A remote attacker who discovers these template accounts can authenticate with full administrative access to the Solr cluster — gaining the ability to read, modify, and delete indexed data, reconfigure the cluster, and potentially execute arbitrary code through Solr’s configuration and plugin mechanisms. Solr is commonly used as the search backend for e-commerce platforms, content management systems, enterprise data lakes, and log analytics pipelines — a compromised Solr instance can expose sensitive business data and serve as a pivot point into connected systems.

How to fix: Apply the Apache Solr update or immediately delete the template users. To check for their presence, inspect the credentials map in security.json (held in ZooKeeper at /security.json for SolrCloud, or in the Solr home directory for standalone installs), or authenticate to Solr and review the user list. Delete any template accounts found (superadmin, admin, solr, and readonly) through the Authentication API's delete-user command, and clear their roles through the Authorization API so no orphaned user-role entries remain. Take care not to delete an account you created yourself under one of those names: bin/solr auth enable creates the user you specify plus the templates, so an operator who chose "admin" has a legitimate account with the same name as a template. After remediation, audit Solr access logs for administrative actions performed under these template account names from unrecognised IP addresses. If exploitation is suspected, rotate all Solr credentials and review indexed data for unauthorised modifications or exfiltration.
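The audit-and-remove step above, as an added example (not Solr project code): it reads a security.json, lists which of the four template names are present in the credentials map, skips any of those names the operator declares as their own, and builds the bodies to POST to /solr/admin/authorization (set-user-role) and /solr/admin/authentication (delete-user). The security.json below is a constructed sample, and the hash strings in it are placeholders rather than the real default values.

```python
"""Audit a Solr security.json for the template accounts the report names and
build the Authentication/Authorization API payloads that remove them.
Added example, not Solr's own code. CONSTRUCTED_SECURITY_JSON is a made-up
sample; its credential values are placeholders, not real hashes."""

import json

TEMPLATE_USERS = {"superadmin", "admin", "solr", "readonly"}

def find_template_users(security: dict, keep: set[str]) -> list[str]:
    """Template names present in the credentials map, minus any name in
    `keep` (accounts the operator deliberately created under those names)."""
    creds = security.get("authentication", {}).get("credentials", {})
    return sorted((set(creds) & TEMPLATE_USERS) - keep)

def removal_payloads(users: list[str]) -> dict[str, dict]:
    """Request bodies for the Authorization API (roles cleared first, so no
    stale user-role entry survives) and the Authentication API."""
    if not users:
        return {}
    return {
        "authorization": {"set-user-role": {u: None for u in users}},
        "authentication": {"delete-user": users},
    }

def audit(security_json_text: str, keep: set[str]) -> dict:
    security = json.loads(security_json_text)
    users = find_template_users(security, keep)
    return {"template_users": users, "payloads": removal_payloads(users)}

# Constructed sample: operator account 'ops-admin' plus the four templates.
CONSTRUCTED_SECURITY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "ops-admin": "placeholder-hash placeholder-salt",
            "superadmin": "placeholder-hash placeholder-salt",
            "admin": "placeholder-hash placeholder-salt",
            "solr": "placeholder-hash placeholder-salt",
            "readonly": "placeholder-hash placeholder-salt",
        },
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "all", "role": "admin"}],
        "user-role": {"ops-admin": "admin", "superadmin": "admin",
                      "admin": "admin", "solr": "admin", "readonly": "readonly"},
    },
})

if __name__ == "__main__":
    result = audit(CONSTRUCTED_SECURITY_JSON, keep=set())
    print(json.dumps(result, indent=2))
    # Apply the two payloads with your own admin account, e.g.
    #   curl -u ops-admin:<pw> -H 'Content-type:application/json' \
    #     http://solr:8983/solr/admin/authorization -d '<payloads.authorization>'
    #   curl -u ops-admin:<pw> -H 'Content-type:application/json' \
    #     http://solr:8983/solr/admin/authentication -d '<payloads.authentication>'
```

Pass the name of your own account in `keep` if it happens to be one of the template names; the script then leaves it in place and you rotate its password instead of deleting it.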

Recommended action: High priority for any organisation running Apache Solr in production environments where the Basic Authentication setup tool has been used. The hardcoded credentials are publicly known and require no exploitation sophistication — simple credential testing against exposed Solr instances is sufficient. Check your Solr deployments today.

Official source: Apache Solr Security Advisory | NVD — CVE-2026-44825


IBM WebSphere Application Server — CVE-2026-8644, CVE-2026-9311, CVE-2026-9319

Software affected: IBM WebSphere Application Server versions 8.5 and 9.0. WebSphere is a core Java EE application server deployed across enterprise, financial services, and government environments globally.

CVEs: CVE-2026-8644 | CVSS 9.1 Critical | CWE-290 (Authentication Bypass by Spoofing) — identity spoofing vulnerability. CVE-2026-9311 | CVSS 9.0 Critical | CWE-94 (Code Injection) — RCE via security control bypass. CVE-2026-9319 | CVSS 9.0 Critical | CWE-502 (Deserialization of Untrusted Data) — RCE via JAX-WS endpoints with WS-Security. All three published June 1, 2026.

Fixable: Yes. IBM has released fixes for all three vulnerabilities. Apply the appropriate IBM WebSphere fix pack or interim fix for your version. IBM support pages: CVE-2026-8644 (node/7274740), CVE-2026-9311 (node/7274733), CVE-2026-9319 (node/7274738).

Business impact: Three critical vulnerabilities in IBM WebSphere Application Server were disclosed simultaneously. The identity spoofing vulnerability (CVE-2026-8644) allows attackers to bypass authentication and impersonate legitimate users. CVE-2026-9311 enables remote code execution by bypassing security controls. CVE-2026-9319 is a deserialization vulnerability in JAX-WS endpoints with WS-Security; deserialization flaws in Java application servers have historically been among the most dangerous and widely exploited vulnerability classes (the 2017 Equifax breach exploited CVE-2017-5638, an OGNL expression injection in Apache Struts rather than a deserialization bug, but the Struts REST plugin suffered a comparable XStream deserialization RCE, CVE-2017-9805, the same year). Organisations running WebSphere should treat these as a coordinated patch bundle and apply all three fixes in a single maintenance window. WebSphere is deeply embedded in critical business infrastructure including banking systems, insurance platforms, government services, and enterprise resource planning; a compromised WebSphere instance can provide access to backend databases, message queues, and integrated enterprise systems.

How to fix: Apply the IBM fix pack or interim fix addressing all three CVEs. Verify the installed patch level via the WebSphere admin console. After patching, review WebSphere access logs and security audit logs for authentication anomalies, unexpected JAX-WS endpoint access, and unusual deserialization activity. If your WebSphere instances are exposed to untrusted networks, review whether this exposure is necessary and consider restricting access to trusted application tiers.

Recommended action: High priority for all WebSphere deployments. Three critical CVEs — identity spoofing plus two RCE vectors — disclosed simultaneously represent a significant risk surface. Patch all three in your next available maintenance window at the latest.

Official source: IBM Support — CVE-2026-8644 | CVE-2026-9311 | CVE-2026-9319


Kirki WordPress Plugin — CVE-2026-8206 (CVSS 9.8, Unauthenticated Account Takeover)

Software affected: Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress, versions 6.0.0 to 6.0.6.

CVE: CVE-2026-8206 | CVSS 9.8 Critical | CWE-269 (Improper Privilege Management) | Published June 2, 2026

Fixable: Yes. Update the Kirki plugin to a version beyond 6.0.6. The fix addresses improper validation in the password reset flow where an arbitrary email address is accepted when a valid username is supplied.

Business impact: The Kirki plugin accepts an arbitrary attacker-controlled email address in password reset requests when a valid username is provided. An unauthenticated attacker can trigger a password reset for any registered WordPress user — including administrators — and have the reset link delivered to an email address they control. This enables complete account takeover with no prior authentication or user interaction. Kirki is a page builder and customizer plugin that provides site-building functionality — it is not a niche plugin with a small user base. The simplicity of the attack — a single password reset request with a known admin username and attacker’s email address — makes this trivially exploitable at scale.

How to fix: Update the Kirki plugin via the WordPress admin dashboard immediately. After updating, look for reset requests the account owners did not make: WordPress stores a pending reset token in the user_activation_key column of wp_users, so a populated value on an administrator who never asked for a reset is a red flag, and any recent change to an administrator's email address deserves the same scrutiny. WordPress core does not log outbound mail, so check the logs of your SMTP or mail-logging plugin, or of the mail server itself, for password reset emails sent to unexpected external domains. If a rogue password reset is suspected, invalidate all sessions site-wide by rotating the authentication keys and salts in wp-config.php (the Log Out Everywhere button on a user's profile page does the same for a single account), rotate all administrative passwords, and review the site for unauthorised content changes or backdoor installations.

Recommended action: Urgent for any WordPress site running Kirki versions 6.0.0–6.0.6. The attack is trivially executable with no authentication — a single HTTP request with a known username and attacker email address enables full account takeover. Update immediately. If you cannot update, disable the plugin until the patch can be applied.

Official source: Kirki Plugin Trac — Vulnerability Source | NVD — CVE-2026-8206


KEV Deadline Watch — Five Deadlines Tomorrow (June 3), Three on June 4

The next 48 hours bring eight CISA KEV remediation deadlines. Organisations subject to BOD 22-01 must ensure all of these are addressed.

Tomorrow — June 3, 2026 (5 deadlines)

Microsoft Defender — CVE-2026-41091 and CVE-2026-45498. Covered in the May 22 report. Verify Malware Protection Engine version 1.1.26040.8 across all Windows endpoints. Local privilege escalation and denial of service.

Microsoft Windows Server Service — CVE-2008-4250. Conficker-era RPC buffer overflow. Ensure MS08-067 is applied on any legacy Windows Server installations.

Microsoft Internet Explorer — CVE-2010-0249 and CVE-2010-0806. Use-after-free vulnerabilities in legacy IE. Internet Explorer has been retired; on any system where it remains installed, confirm it is disabled and that the operating system is fully patched.

June 4, 2026 (3 deadlines)

Oracle WebLogic — CVE-2024-21182. Covered in full in this report. July 2024 CPU patch.

Trend Micro Apex One — CVE-2026-34926. Covered in the May 22 report. Apply SP1 CP Build 18012 (on-premise) or agent build 14.0.20731 (SaaS).

Langflow — CVE-2025-34291. Covered in the May 22 report. CORS + SameSite=None token theft exploited by MuddyWater APT. Upgrade to Langflow 1.7.0.
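A deadline watch like the one above is easy to automate against the KEV feed. This is an added example, not CISA tooling and not from the report: it reads the feed's cveID, vendorProject, product and dueDate fields, optionally narrows to products in your inventory, and buckets entries into overdue, due within the next two days, and later. The entries below are a constructed excerpt built from the CVEs and due dates quoted in this report and carry only the fields the script reads, so they are not a copy of the catalog.

```python
"""Deadline watch over the CISA KEV JSON feed. Added example, not CISA
tooling. Field names (cveID, vendorProject, product, dueDate) are the feed's
own; CONSTRUCTED_KEV is a made-up excerpt using dates from this report.
For live use, fetch
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
and pass its text to load_kev()."""

import json
from datetime import date, timedelta

def load_kev(feed_text: str) -> list[dict]:
    return json.loads(feed_text)["vulnerabilities"]

def filter_in_scope(entries: list[dict], inventory: set[str]) -> list[dict]:
    """Keep entries whose vendor or product mentions an inventory term
    (case-insensitive substring match). Empty inventory keeps everything."""
    if not inventory:
        return list(entries)
    terms = {t.lower() for t in inventory}
    return [e for e in entries
            if any(t in f"{e['vendorProject']} {e['product']}".lower() for t in terms)]

def bucket_deadlines(entries: list[dict], today: date,
                     horizon_days: int = 2) -> dict[str, list[dict]]:
    """'overdue' (dueDate before today), 'due' (today through
    today+horizon_days), 'later'. Buckets sorted by due date, then CVE ID."""
    buckets: dict[str, list[dict]] = {"overdue": [], "due": [], "later": []}
    horizon = today + timedelta(days=horizon_days)
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        key = "overdue" if due < today else ("due" if due <= horizon else "later")
        buckets[key].append(e)
    for bucket in buckets.values():
        bucket.sort(key=lambda e: (e["dueDate"], e["cveID"]))
    return buckets

def report(feed_text: str, today: date, inventory=None) -> list[str]:
    """One line per in-scope entry: bucket, due date, CVE, vendor, product."""
    entries = filter_in_scope(load_kev(feed_text), set(inventory or ()))
    lines = []
    for name, bucket in bucket_deadlines(entries, today).items():
        for e in bucket:
            lines.append(f"{name:7s} {e['dueDate']} {e['cveID']} "
                         f"{e['vendorProject']} {e['product']}")
    return lines

# Constructed excerpt: CVEs and due dates quoted in this report, nothing else.
CONSTRUCTED_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2024-21182", "vendorProject": "Oracle", "product": "WebLogic Server",
     "dateAdded": "2026-06-01", "dueDate": "2026-06-04"},
    {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft",
     "product": "Windows Server Service", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2026-34926", "vendorProject": "Trend Micro", "product": "Apex One",
     "dueDate": "2026-06-04"},
    {"cveID": "CVE-2025-34291", "vendorProject": "Langflow", "product": "Langflow",
     "dueDate": "2026-06-04"},
    {"cveID": "CVE-2026-0257", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dueDate": "2026-06-01"},
    {"cveID": "CVE-2026-9082", "vendorProject": "Drupal", "product": "Drupal Core",
     "dueDate": "2026-05-27"},
    {"cveID": "CVE-2026-48027", "vendorProject": "Nx", "product": "Nx Console",
     "dueDate": "2026-06-10"},
]})

if __name__ == "__main__":
    for line in report(CONSTRUCTED_KEV, date(2026, 6, 2)):
        print(line)
```

The inventory match is deliberately loose (substring on vendor plus product) because KEV product names are not normalised; tighten it against your own CMDB naming once you have seen what the feed calls the products you run.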


Updates on Items from Previous Reports

Palo Alto PAN-OS — CVE-2026-0257 (KEV deadline passed June 1, actively exploited): Covered in the June 1 report and dedicated advisory. Deadline was yesterday. If you have not patched, you are past the federal deadline with confirmed active exploitation ongoing.

WP Maps Pro — CVE-2026-8732 (actively exploited): Covered in the June 1 report and dedicated advisory. Attackers creating rogue admin accounts via unauthenticated AJAX endpoint. Update immediately.

Drupal Core — CVE-2026-9082 (KEV deadline passed May 27): Covered in the dedicated advisory. Now six days past the federal deadline.

CIFSwitch Linux LPE: Covered in the dedicated advisory. Apply mitigations while waiting for distribution kernel updates.

FortiClient EMS — CVE-2026-35616 (EKZ infostealer): Covered in the May 29 report. Patch FortiClient EMS 7.4.5/7.4.6.

Ghost CMS — CVE-2026-26980 (actively exploited, 700+ domains): Covered in the May 29 report. Update to Ghost 6.19.1.

SonicWall SSL-VPN — CVE-2024-12802 (actively exploited): Covered in the May 29 report. Gen6 devices: firmware update + manual LDAP reconfiguration.

ChromaDB — CVE-2026-45829 (CVSS 10.0, fix unconfirmed): Covered in the May 29 report. Do not expose the API server to the internet.

Exim — CVE-2026-45185 (CVSS 9.8): Covered in the May 29 report. Update to 4.99.3.

FortiAuthenticator — CVE-2026-44277 / FortiSandbox — CVE-2026-26083: Both CVSS 9.8. Covered in the May 29 report.

Oracle REST Data Services — CVE-2026-46840 (CVSS 10.0): Covered in the May 30 report. Apply May 2026 CSPU.

7-Zip — CVE-2026-48095: Covered in the May 30 report. Update to 26.01.

Starlette / FastAPI — CVE-2026-48710 (BadHost): Covered in the May 30 report. Update Starlette to 1.0.1.

Spectra — CVE-2026-7465 / Simple History — CVE-2026-7459 / GEO my WP — CVE-2026-9757: Three WordPress plugin vulnerabilities. Covered in the May 31 report with dedicated advisories for each.

Nx Console — CVE-2026-48027 / TanStack — CVE-2026-45321: Both CISA KEV, both due June 10. Covered in the May 28 report.


This report is compiled from official vendor advisories, the CISA Known Exploited Vulnerabilities catalog, the National Vulnerability Database, and primary security research sources. Verify all remediation steps against official vendor documentation before applying changes in production environments.
