Vulnerability Intelligence Report — June 27, 2026
Coverage: June 1–27, 2026 | Total CISA KEV additions (period): 22 | New KEVs: 0 | KEV deadline TOMORROW: DOUBLE (PTC Windchill + Cisco UCM, both actively exploited, BOD 26-04) | Next: Cisco SD-WAN (June 29) | Quadruple deadline (June 26): PASSED +1 overdue | Total overdue KEVs: 23
Previous reports: June 26, 2026 | June 25, 2026
Saturday, June 27, 2026 — the weekend brings two urgent KEV deadlines tomorrow: PTC Windchill/FlexPLM and Cisco Unified Communications Manager, both actively exploited and both due June 28 under BOD 26-04. CISA and PTC have now confirmed that attackers are deploying webshells on compromised Windchill servers, and PTC has published Indicators of Compromise for victim organisations. The biggest technical story of the day is Node.js: the June 2026 security releases patch a CVSS 9.8 TLS vulnerability (CVE-2026-48930) that enables silent certificate authority rebinding through embedded-nul hostname truncation — affecting all supported Node.js 22 and 24 release lines. Additional Node.js flaws include a TLS wildcard authentication bypass via Unicode dot separators (CVE-2026-48618, CVSS 7.7) and a bypass of a previously fixed vulnerability (CVE-2026-50741, CVSS 8.8). On the Linux front, a new local privilege escalation dubbed “DirtyClone” (CVE-2026-43503) enables unprivileged users to gain root via cloned network packets. Amazon’s Q Developer VS Code extension had a high-severity flaw enabling code execution and cloud environment access. And a critical authentication bypass in python.org’s release management API could have allowed attackers to redirect millions of Python users to malicious packages.
Quick Reference — Most Important Items Today
KEV DEADLINE TOMORROW (June 28): PTC Windchill CVE-2026-12569 (webshells deployed, IoCs published) + Cisco UCM CVE-2026-20230 — both actively exploited, BOD 26-04
Node.js June 2026 Security Releases: CVE-2026-48930 (CVSS 9.8, TLS embedded-nul hostname → authority rebinding) + CVE-2026-48618 (TLS wildcard bypass) + CVE-2026-50741 (CVSS 8.8, bypass of prior fix)
DirtyClone Linux: CVE-2026-43503 — local privilege escalation to root via cloned network packets
7-Zip 26.02: Multiple bugs and vulnerabilities patched — widely deployed compression tool, details undisclosed
python.org: Critical auth bypass in release management API — could redirect millions of package downloads
Amazon Q Developer: High-severity VS Code extension vulnerability — code execution + cloud access
KubeVirt CVE-2026-13325: Migration proxy binds plain TCP on all interfaces (CVSS 8.5)
WSO2 API Manager CVE-2026-2053: SSRF via WS-Addressing headers (CVSS 8.3)
Apache Airflow CVE-2026-49486: FTPSHook data channel transmitted in cleartext (CVSS 7.5)
Quadruple KEV deadline (June 26): Ubiquiti UniFi OS x3 + Lantronix — now +1 overdue, 23 total overdue
Node.js June 2026 Security Releases — CVSS 9.8 TLS Authority Rebinding
Software affected: Node.js 22.x and 24.x (all supported release lines).
CVE: CVE-2026-48930 (CVSS 9.8, CRITICAL) — Embedded-nul hostnames cause silent TLS certificate authority rebinding due to C-string truncation in resolver bindings | CVE-2026-48618 (CVSS 7.7) — Unicode dot separator handling leads to TLS wildcard-depth authentication bypass due to resolver/verifier hostname normalization mismatch | CVE-2026-50741 (CVSS 8.8) — Bypass of the fix for CVE-2026-34916 via disallowed plugin identifiers or ox.setChannelTargeting bypass | CVE-2026-48933 (CVSS 7.5) — WebCrypto subtle.encrypt() crash on large inputs | CVE-2026-48619 (CVSS 7.5) — HTTP/2 client allows unlimited ORIGIN frames leading to OOM | CVE-2026-48615 (CVSS 7.5) — Proxy credentials exposed in ERR_PROXY_TUNNEL error messages.
Status: The critical CVE-2026-48930 is the most significant Node.js vulnerability disclosed this period. Embedded-nul characters in TLS hostnames are handled differently by Node.js’s C-based resolver bindings (which truncate at the nul byte) and by the JavaScript TLS verifier (which processes the full string). This normalization mismatch allows an attacker to present a valid certificate for a benign hostname (the part before the nul) while the application believes it is connected to a different, potentially malicious host (the part after the nul). The result is silent certificate authority rebinding: TLS verification passes, but the connection goes to the wrong destination. Every Node.js application that makes TLS connections with a hostname an attacker can influence is affected, for example through attacker-controlled URLs, redirects, or proxy configurations. The fix addresses the normalization mismatch across the resolver and verifier layers.
Recommended action: Upgrade Node.js to the latest patched versions across all supported release lines immediately — the CVSS 9.8 TLS flaw demands urgent attention. Audit all Node.js applications that handle TLS connections. Apply updates to development, CI/CD, and production environments. For containerised deployments, rebuild all Node.js images.
Official source: Node.js June 2026 Security Releases
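The two Node.js TLS hostname bugs above (embedded-nul truncation, CVE-2026-48930, and Unicode dot separators, CVE-2026-48618) are both normalization mismatches: one layer reads the hostname differently from another. The following added example, written for this report and not taken from the Node.js project, models that mismatch in Python and shows the pre-validation guard an application can apply before handing a hostname to any TLS stack: it reproduces C-string truncation with `ctypes`, rejects names whose C view differs from the full string, rejects non-ASCII label separators, and implements a strict one-label wildcard match on the validated name. Function names, the `UNICODE_DOTS` list and the sample hostnames are this example's own.

```python
import ctypes

# Code points that IDNA / NFKC processing folds to an ASCII '.' label separator.
# A verifier that splits labels on these while the resolver splits only on '.'
# disagrees about how many labels the name has (the wildcard-depth mismatch).
UNICODE_DOTS = ("\u3002", "\uff0e", "\uff61")
LDH = frozenset("abcdefghijklmnopqrstuvwxyz0123456789-")


def c_string_view(host: str) -> str:
    """The hostname as a C API receives it: the bytes up to the first NUL.

    ctypes.c_char_p reproduces the truncation a C-string based resolver
    binding performs; everything after the NUL is silently dropped.
    """
    raw = host.encode("utf-8", "replace")
    return (ctypes.c_char_p(raw).value or b"").decode("utf-8", "replace")


def validate_tls_hostname(host: str) -> str:
    """Return the canonical lowercase hostname, or raise ValueError.

    Accepts only names that every layer (resolver, verifier, logging) will read
    identically: no embedded NUL, ASCII '.' separators only, LDH labels only.
    """
    c_view = c_string_view(host)
    if c_view != host:
        raise ValueError(
            f"embedded NUL: C layer would see {c_view!r}, verifier sees {host!r}"
        )
    for dot in UNICODE_DOTS:
        if dot in host:
            raise ValueError(f"non-ASCII label separator U+{ord(dot):04X} in {host!r}")
    if not host.isascii():
        raise ValueError("non-ASCII hostname: apply IDNA encoding before validation")
    lowered = host.lower()
    if not lowered or len(lowered) > 253:
        raise ValueError("hostname empty or longer than 253 octets")
    for label in lowered.split("."):
        if not label or len(label) > 63:
            raise ValueError(f"empty or over-long label in {host!r}")
        if label[0] == "-" or label[-1] == "-" or (set(label) - LDH):
            raise ValueError(f"label {label!r} is not a valid LDH label")
    return lowered


def is_safe_tls_hostname(host: str) -> bool:
    """Boolean convenience wrapper around validate_tls_hostname()."""
    try:
        validate_tls_hostname(host)
        return True
    except ValueError:
        return False


def wildcard_matches(pattern: str, host: str) -> bool:
    """Strict RFC 6125-style match: '*' is allowed only as the whole left-most
    label and covers exactly one label of an already-validated hostname."""
    host = validate_tls_hostname(host)
    pattern = pattern.lower()
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        raise ValueError(f"unsupported wildcard pattern {pattern!r}")
    suffix = pattern[1:]           # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]    # the part the '*' would have to cover
    return left != "" and "." not in left


if __name__ == "__main__":
    # Constructed sample inputs for illustration (not taken from the advisory).
    for candidate in ("api.example.com",
                      "example.com\x00evil.test",
                      "a\u3002b.example.com"):
        try:
            print(candidate.encode(), "->", validate_tls_hostname(candidate))
        except ValueError as err:
            print(candidate.encode(), "-> REJECTED:", err)
```

The guard is deliberately stricter than a TLS verifier needs to be: it refuses anything that two layers might read differently, rather than trying to pick the "right" reading. It is a mitigation for unpatched applications and a hardening measure afterwards, not a replacement for upgrading to the patched Node.js releases.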
PTC Windchill CVE-2026-12569 — Webshells Deployed, IoCs Published, KEV Deadline Tomorrow
Software affected: PTC Windchill PDMlink, PTC FlexPLM, and all CPS (Creo Parametric Server) versions.
CVE: CVE-2026-12569 | CISA KEV deadline tomorrow — June 28, 2026 | Remote code execution via deserialization of untrusted data | Actively exploited with webshell deployment | BOD 26-04 3-day mandate.
Status: Both CISA and PTC have now confirmed active exploitation. PTC disclosed on June 17 that attackers are infecting servers with webshells — persistent backdoors that allow attackers to maintain access and conduct further operations. PTC has published Indicators of Compromise (IoCs) enabling organisations to check whether their systems have been compromised. PTC stated it is aware of “increased threat activity” and urged immediate mitigation. The vulnerability is an unauthenticated remote code execution flaw caused by improper handling of user input during deserialization. Windchill and FlexPLM manage the entire product lifecycle — design, manufacturing, and distribution processes — for manufacturing, aerospace, automotive, and defence organisations. Compromise exposes intellectual property, product designs, and supply chain data.
Recommended action: Apply PTC’s mitigations per advisory CS473270 before tomorrow’s KEV deadline. Check systems for IoCs published by PTC. If webshells are detected, initiate incident response — webshell deployment indicates the attacker intends persistent access. Audit PLM access logs for unauthorised data access or exfiltration.
Official source: PTC Advisory CS473270 | Security.nl Report | CISA KEV Catalog
DirtyClone Linux, 7-Zip, python.org, Amazon Q — Critical Flaws Across the Stack
DirtyClone Linux CVE-2026-43503 — Local Privilege Escalation to Root: A new Linux kernel vulnerability dubbed “DirtyClone” enables unprivileged local users to gain full root access by manipulating cloned network packets. The name follows the tradition of “Dirty” Linux kernel exploits (Dirty COW, Dirty Pipe) that abuse copy-on-write or cloning mechanisms. Local privilege escalation vulnerabilities in the Linux kernel are particularly dangerous in multi-tenant environments — cloud VMs, shared hosting, container hosts — where an attacker with any level of local access can escalate to root and break out of isolation boundaries. Which kernel versions are affected, and the patch status, have not yet been published. Apply kernel updates as distributions release them. Monitor for the official CVE publication and vendor advisories.
7-Zip 26.02: The developer of 7-Zip — one of the most widely deployed compression tools on Windows and cross-platform — has released version 26.02 patching multiple bugs and vulnerabilities. Specific CVE identifiers have not been disclosed. 7-Zip vulnerabilities have been exploited in the past by threat actors to deliver malware via malicious archives. Update to 7-Zip 26.02 across all Windows endpoints, particularly those that handle archives from external sources. For enterprise environments, deploy via endpoint management.
python.org — Critical Auth Bypass in Release Management API: A critical authentication bypass vulnerability in python.org’s release management API could have allowed attackers to impersonate administrators and potentially redirect millions of users to malicious Python packages. The vulnerability has been patched. This is a significant software supply chain near-miss — python.org is the official distribution point for the Python language and its package infrastructure. The Python Software Foundation has not disclosed specific CVE identifiers or technical details. There is no evidence of exploitation before the patch. This incident underscores the criticality of securing software distribution infrastructure — a compromise of python.org could impact virtually the entire Python ecosystem.
Amazon Q Developer — VS Code Extension: A high-severity vulnerability in the Amazon Q Developer Extension for Visual Studio Code — Amazon’s AI-powered coding assistant — enabled code execution and access to sensitive cloud environments. The extension has deep integration with AWS services and access to cloud credentials. Specific CVE and technical details are pending. Update the Amazon Q VS Code extension to the latest version immediately. Rotate any AWS credentials that may have been accessible through the VS Code environment.
Recommended action: Apply Linux kernel updates for DirtyClone as distributions release patches — prioritise multi-tenant and container host environments. Update 7-Zip to 26.02 enterprise-wide. Verify python.org package integrity if you downloaded Python packages during the vulnerability window. Update Amazon Q VS Code extension and rotate AWS credentials.
KubeVirt, WSO2, Apache Airflow — Infrastructure and API Vulnerabilities
KubeVirt CVE-2026-13325 (CVSS 8.5): When TLS is disabled on the KubeVirt migration proxy (spec.configuration.migrations.disableTLS=true), the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication. This means that when TLS is intentionally disabled for migration performance, the migration data stream — which includes virtual machine memory contents — is exposed without encryption or authentication to any network-adjacent attacker. KubeVirt runs virtual machines on Kubernetes — compromise of the migration stream exposes VM memory, credentials, and application data. Apply the KubeVirt patch and do not disable TLS for migrations unless absolutely necessary, and only in isolated network environments.
WSO2 API Manager CVE-2026-2053 (CVSS 8.3): The message flow component does not sufficiently validate WS-Addressing headers, enabling SSRF attacks through user-controlled header values. WSO2 API Manager is widely deployed for API gateway and management functions — SSRF in an API gateway can expose internal services and cloud metadata endpoints. Apply WSO2 advisory WSO2-2026-5072.
Apache Airflow CVE-2026-49486 (CVSS 7.5): The FTPSHook.get_conn() method creates an ftplib.FTP_TLS connection but never calls prot_p(), meaning the data channel is transmitted in cleartext despite the “FTPS” name implying encryption. Any deployment using FTPSHook for file transfers is unknowingly exposing data in transit. Fixed in Apache Airflow per GitHub PR #67946.
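To make the Airflow FTPSHook defect concrete, the following added example (written for this report, not Airflow's own code, and not its FTPSHook API) shows a minimal hook with the missing step beside the corrected one. With `ftplib.FTP_TLS`, `login()` issues AUTH TLS and protects only the control channel; `prot_p()` must be called after login to move the data channel (file contents, directory listings) onto TLS as well. The `RecordingFTPS` class is an offline stand-in that logs the commands a hook would send instead of opening sockets, so the difference can be verified without a server; the hook class names, `negotiated_commands()` and the host/credential values are constructed for this example.

```python
import ftplib


class VulnerableFTPSHook:
    """Mirrors the defect described above: an FTP_TLS connection is created and
    logged in, but prot_p() is never called, so data transfers stay in cleartext."""

    def __init__(self, host, user, passwd, conn_cls=ftplib.FTP_TLS):
        self.host, self.user, self.passwd = host, user, passwd
        self.conn_cls = conn_cls    # injectable so the example can run offline

    def get_conn(self):
        conn = self.conn_cls()
        conn.connect(self.host, 21)
        conn.login(self.user, self.passwd)   # AUTH TLS: control channel only
        return conn


class HardenedFTPSHook(VulnerableFTPSHook):
    """The same hook with the missing step: negotiate PROT P before any transfer."""

    def get_conn(self):
        conn = super().get_conn()
        conn.prot_p()   # sends PBSZ 0 then PROT P: data channel now runs over TLS
        return conn


def data_channel_is_protected(conn) -> bool:
    """ftplib records a successful PROT P negotiation in the private _prot_p flag
    (a CPython implementation detail, used here only as a runtime self-check)."""
    return bool(getattr(conn, "_prot_p", False))


class RecordingFTPS(ftplib.FTP_TLS):
    """Offline stand-in for a server: no sockets, just a log of commands sent.
    Constructed for this example; a real deployment uses ftplib.FTP_TLS itself."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)   # no host given, so nothing connects
        self.sent = []

    def connect(self, host="", port=0, *args, **kwargs):
        self.host, self.port = host, port
        return "220 fake-ftps ready"

    def login(self, user="", passwd="", acct="", secure=True):
        self.sent += ["AUTH TLS", f"USER {user}", "PASS ***"]
        return "230 logged in"

    def voidcmd(self, cmd):
        # FTP_TLS.prot_p() calls voidcmd("PBSZ 0") and voidcmd("PROT P")
        self.sent.append(cmd)
        return "200 ok"


def negotiated_commands(hook_cls):
    """Run a hook class against the recorder; return (command log, protected?)."""
    hook = hook_cls("ftps.example.internal", "svc", "secret", conn_cls=RecordingFTPS)
    conn = hook.get_conn()
    return conn.sent, data_channel_is_protected(conn)


if __name__ == "__main__":
    for hook_cls in (VulnerableFTPSHook, HardenedFTPSHook):
        sent, protected = negotiated_commands(hook_cls)
        print(f"{hook_cls.__name__:20s} data channel protected={protected} sent={sent}")
```

When auditing your own code for the same pattern, the thing to look for is any `ftplib.FTP_TLS` (or equivalent) connection that is used for `retrbinary`/`storbinary`/`nlst` without a `prot_p()` call in between; the name "FTPS" in a class or connection type does not by itself mean the data channel is encrypted.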
KEV Deadline Watch
TOMORROW (June 28): DOUBLE — PTC Windchill/FlexPLM CVE-2026-12569 (webshells deployed, IoCs published) + Cisco UCM CVE-2026-20230 (actively exploited). Both BOD 26-04. FINAL 24 HOURS.
June 29 (2 days): Cisco SD-WAN CVE-2026-20262. Actively exploited. Dedicated advisory.
OVERDUE — June 26 (+1): QUADRUPLE — Ubiquiti UniFi OS CVE-2026-34908/34909/34910 + Lantronix EDS5000 CVE-2025-67038.
OVERDUE — June 23 (+4): TRIPLE — Chromium V8 + Arista EOS + Cisco SD-WAN CVE-2026-20245.
OVERDUE — June 22 (+5): LiteLLM CVE-2026-42271.
OVERDUE — June 21 (+6): Splunk CVE-2026-20253 (actively exploited).
OVERDUE — June 19 (+8): Joomla CE + SolarWinds.
OVERDUE — June 18 (+9): LiteSpeed CVE-2026-54420.
OLDER OVERDUE: Oracle PS (+12), Ivanti (+13), Check Point (+16), Nx Console (+17), Mirasvit (+21), Android (+22), PAN-OS (+26).
After June 29: The KEV calendar finally clears — no remaining active deadlines in this reporting period. 22 KEV additions in 27 days under BOD 26-04.
Updates on Items from Previous Reports
PTC Windchill CVE-2026-12569: Now confirmed: active exploitation with webshell deployment. PTC published IoCs. Deadline tomorrow. Dedicated advisory.
Cisco UCM CVE-2026-20230: KEV deadline tomorrow. Patch available since June 3. Dedicated advisory.
Quadruple KEV Deadline (June 26): Ubiquiti UniFi OS + Lantronix now 1 day overdue. Organisations past the BOD 26-04 deadline — patch immediately. Ubiquiti | Lantronix.
FortiBleed: 70,000+ Fortinet firewalls compromised. Updated advisory.
cURL 8.21.0: 18 vulnerabilities patched. Update rollout continues across Linux distributions and container ecosystems. Advisory.
Overdue KEVs: 23 total. Splunk and Cisco SD-WAN are actively exploited. PAN-OS is now 26 days past deadline — the oldest overdue KEV.
53 dedicated advisories published this period. Cumulative Spring ecosystem CVEs: 35+. Cumulative GitLab CVEs: 15.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
