Vulnerability Intelligence Report — June 28, 2026
Coverage: June 1–28, 2026 | Total CISA KEV additions (period): 22 | New KEVs: 0 | KEV deadline TODAY: DOUBLE (PTC Windchill + Cisco UCM, both actively exploited) | KEV deadline TOMORROW: Cisco SD-WAN — LAST active deadline of the period | Total overdue KEVs: 25
Previous reports: June 27, 2026 | June 26, 2026
Sunday, June 28, 2026 — the double CISA KEV deadline arrives today for PTC Windchill (confirmed webshell deployment with published IoCs) and Cisco Unified Communications Manager, both actively exploited and both under BOD 26-04’s 3-day mandate. Tomorrow, the Cisco SD-WAN deadline closes out the active KEV calendar for this reporting period. The biggest new vulnerability of the day is Gitea act_runner CVE-2026-58053 (CVSS 9.9): the CI/CD runner’s Docker backend passes workflow-defined container.options straight into the Docker HostConfig, so a workflow can escape to the runner host even with privileged:false, because only the Privileged flag is forced off; attackers with workflow write access can inject --pid=host, --cap-add and --security-opt flags to break out. Separately, Microsoft’s original Secure Boot certificates have started to expire: the Microsoft Corporation KEK CA 2011 expired on June 24 and the Microsoft Corporation UEFI CA 2011 on June 27, affecting effectively every Secure Boot-capable PC shipped since 2012. Firmware does not enforce certificate validity dates when verifying a boot image, so already-installed systems keep booting; the exposure is that devices which have not received the 2023 replacement certificates cannot verify boot components or dbx updates signed with the new CAs, including new Microsoft-signed shims used by Linux distributions. FFmpeg disclosed its second vulnerability of the period, an out-of-bounds write in the RASC video decoder (CVE-2026-58049, CVSS 8.6), following last week’s PixelSmash. RustDesk’s remote desktop has a session permission bypass (CVE-2026-58056, CVSS 7.6) allowing keyboard/mouse injection through file transfer sessions, and libssh2 disclosed an integer overflow in its publickey subsystem (CVE-2026-58050).
Quick Reference — Most Important Items Today
KEV DEADLINE TODAY (June 28): PTC Windchill CVE-2026-12569 (webshells, IoCs published) + Cisco UCM CVE-2026-20230 — both actively exploited, BOD 26-04
KEV DEADLINE TOMORROW (June 29): Cisco SD-WAN CVE-2026-20262 — the LAST active KEV deadline of the period
Gitea act_runner CVE-2026-58053: CVSS 9.9 — container escape via workflow container.options, Docker backend, even with privileged:false
Windows Secure Boot Certificates Expired: Microsoft Corporation KEK CA 2011 (June 24) + Microsoft Corporation UEFI CA 2011 (June 27): effectively every Secure Boot PC since 2012; installed systems keep booting, but devices without the 2023 certificates cannot take newly signed boot components or dbx updates; Linux shim affected
FFmpeg CVE-2026-58049: CVSS 8.6 — RASC decoder out-of-bounds write, second FFmpeg flaw this period after PixelSmash
RustDesk CVE-2026-58056: CVSS 7.6 — file transfer session keyboard/mouse injection, remote desktop compromise
libssh2 CVE-2026-58050: CVSS 7.0 — integer overflow in publickey-subsystem on 32-bit platforms
After tomorrow: KEV calendar clears — 22 additions in 28 days under BOD 26-04
Double KEV Deadline TODAY — PTC Windchill (Webshells) + Cisco UCM
PTC Windchill/FlexPLM CVE-2026-12569: CISA and PTC have confirmed active exploitation with webshell deployment on compromised servers. PTC published Indicators of Compromise enabling victim organisations to check for compromise. PTC reports “increased threat activity.” The vulnerability is an unauthenticated deserialization RCE affecting Windchill PDMlink, FlexPLM, and CPS (Creo Parametric Server) — industrial PLM software managing product design, manufacturing, and distribution for aerospace, automotive, and defence. Today is the BOD 26-04 deadline. Apply PTC advisory CS473270 immediately. Check systems against published IoCs. Dedicated advisory.
Cisco UCM CVE-2026-20230: SSRF-to-RCE in Cisco’s enterprise VoIP platform. Patch has been available since June 3 — organisations that have not yet applied it are now 25 days behind on a confirmed KEV with active exploitation. WebDialer must be enabled (disabled by default). Deadline today. Dedicated advisory.
Recommended action: Patch both immediately — today is the BOD 26-04 deadline. For PTC: check IoCs and investigate any webshell detections. For Cisco UCM: disable WebDialer if not operationally required as a compensating control.
Gitea act_runner CVE-2026-58053 — Critical Container Escape via Workflow Options (CVSS 9.9)
Software affected: Gitea act_runner with the Docker backend — through act 0.262.0. Gitea is a popular self-hosted Git platform and act_runner is its CI/CD pipeline execution engine.
CVE: CVE-2026-58053 | CVSS 9.9 (CRITICAL) | CWE-269 Improper Privilege Management | The act_runner Docker backend passes a workflow’s container.options string directly to the Docker job container’s HostConfig. Even when the runner is configured with privileged: false, only the Privileged flag is explicitly forced off — all other options from the workflow definition are merged into the HostConfig without sanitization.
Status: This is a severe CI/CD vulnerability. An attacker who can submit or modify a workflow (the baseline capability on any CI/CD platform) can inject Docker HostConfig options through the container.options field. The attack surface includes --pid=host (host process namespace), --cap-add=SYS_ADMIN (near-root capabilities), --security-opt flags (dropping seccomp or AppArmor confinement), and any other HostConfig-backed option, which together enable escape to the underlying host. The runner’s privileged:false setting is bypassed because only that single flag is forced off; everything else passes through. Once on the host, the attacker has the runner’s credentials, build secrets, deployment keys, and potentially the entire build infrastructure. A proof-of-concept exploit has been published. This is particularly dangerous for public Gitea instances where anyone can submit a pull request carrying a malicious workflow.
Recommended action: Upgrade act_runner immediately. Review all CI/CD workflow definitions for suspicious container.options values, particularly --pid, --cap-add, --security-opt, --device and --volume (-v) flags, and treat --network=host, --ipc=host and --userns=host the same way. Audit CI/CD runner hosts for unexpected processes or containers. For public repositories: restrict workflow execution to trusted contributors only, or implement workflow approval gates. Rotate all CI/CD secrets and deployment credentials after patching; if a runner has been compromised, every secret accessible to it should be considered exposed.
Source: Exploitarium PoC repository (third-party proof of concept, not a vendor advisory)
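A way to check existing workflow files for the option classes described above, added here as an illustration; it is not code from the Gitea or act_runner projects. It tokenises the container.options string the way a docker run user would write it, flags options that map onto HostConfig fields which weaken isolation, and shows the allow-list filter a hardened runner would apply instead of forcing off only Privileged. It goes a little beyond the three flags named in the advisory text (--network=host, --userns=host, --ipc=host, --device, -v and --mount are treated the same way). The dangerous-flag and allowed-flag lists and the sample workflow are the editor’s constructions, not taken from the advisory or the act_runner source.

```python
"""Flag Gitea Actions container.options that reach the Docker HostConfig.

Added example for this report, not code from the Gitea or act_runner projects.
The flag lists below are the editor's reading of which Docker CLI options map
onto HostConfig fields that weaken isolation; they are illustrative, not a list
taken from the advisory or the act_runner source.
"""
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Options that reach HostConfig and weaken isolation whatever their value.
DANGEROUS_FLAGS = {
    "--privileged", "--cap-add", "--security-opt", "--device",
    "--volume", "-v", "--mount", "--cgroup-parent",
}
# Namespace selectors: a problem only when pointed at the host namespace.
HOST_NAMESPACE_FLAGS = {"--pid", "--ipc", "--userns", "--network", "--net", "--cgroupns", "--uts"}
# What a hardened runner might still allow (allow-list, rather than forcing off
# only Privileged as the vulnerable code did). Editor's assumption.
ALLOWED_FLAGS = {"--cpus", "--memory", "--env", "-e", "--label", "--dns"}


def parse_options(options: str) -> List[Tuple[str, Optional[str]]]:
    """Split a docker-run style option string into (flag, value) pairs.

    Accepts '--pid=host', '--pid host', '-v /:/host' and bare '--privileged'.
    """
    tokens = shlex.split(options)
    pairs: List[Tuple[str, Optional[str]]] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):        # stray positional token; skip it
            i += 1
            continue
        if "=" in tok:
            flag, value = tok.split("=", 1)
        elif i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            flag, value = tok, tokens[i + 1]
            i += 1
        else:
            flag, value = tok, None
        pairs.append((flag, value))
        i += 1
    return pairs


def dangerous_options(options: str) -> List[str]:
    """Return the options that would let the job container reach the host."""
    findings = []
    for flag, value in parse_options(options):
        if flag in HOST_NAMESPACE_FLAGS:
            if value == "host":
                findings.append(f"{flag}={value}")
        elif flag in DANGEROUS_FLAGS:
            findings.append(flag if value is None else f"{flag}={value}")
    return findings


def sanitize_options(options: str) -> str:
    """Allow-list filter: keep only known-harmless flags, drop everything else."""
    kept = []
    for flag, value in parse_options(options):
        if flag in ALLOWED_FLAGS:
            kept.append(flag if value is None else f"{flag} {shlex.quote(value)}")
    return " ".join(kept)


# Pull 'options:' lines out of workflow YAML with a regex so the example needs
# no PyYAML. The sample workflow below is constructed for this illustration.
OPTIONS_RE = re.compile(r"^\s*options:\s*(.+?)\s*$", re.MULTILINE)

SAMPLE_WORKFLOW = """\
name: build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: alpine:3.20
      options: --pid=host --cap-add SYS_ADMIN --security-opt apparmor=unconfined -v /:/host --memory 2g
    steps:
      - run: uname -a
"""


def scan_workflow(text: str) -> Dict[str, List[str]]:
    """Map every container.options string in a workflow to its dangerous flags."""
    return {m.group(1): dangerous_options(m.group(1)) for m in OPTIONS_RE.finditer(text)}


if __name__ == "__main__":
    for opts, bad in scan_workflow(SAMPLE_WORKFLOW).items():
        print("options  :", opts)
        print("dangerous:", ", ".join(bad) or "none")
        print("sanitized:", sanitize_options(opts) or "(nothing kept)")
```

Run it over every .gitea/workflows/*.yml in a repository export; any non-empty "dangerous" result on a public repository is a finding regardless of whether the runner has been upgraded, because the same options field is what the patched runner now has to filter. The allow-list in sanitize_options is the design point: a deny-list that only zeroes Privileged is exactly the shape of the bug.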
Windows Secure Boot Certificate Expired — Billions of PCs, Linux Distros Affected
Software affected: All PCs and devices relying on Microsoft’s 2011 Secure Boot certificates — effectively every x86 PC manufactured since Windows 8 (2012). Linux distributions using the Microsoft-signed shim bootloader are also affected.
Status: This is not a vulnerability; it is an operational certificate expiry event with global reach. Microsoft’s original Secure Boot certificates have reached end of life: the Microsoft Corporation KEK CA 2011 expired on June 24, 2026, and the Microsoft Corporation UEFI CA 2011 expired on June 27, 2026. These certificates anchor Secure Boot on billions of devices: the KEK authorises updates to the db and dbx signature databases, and the UEFI CA 2011 entry in db is what firmware trusts for third-party boot components, including the Microsoft-signed shim that Linux distributions use to boot with Secure Boot enabled. UEFI firmware does not check certificate validity periods when verifying a boot image (there is no trusted clock at that stage), so already-installed bootloaders continue to boot after the expiry dates. The consequence is forward-looking: Microsoft can no longer sign new boot managers, shims, option ROMs or dbx revocation lists with the 2011 CAs, so a device that has not received the 2023 replacements (Microsoft Corporation KEK 2K CA 2023 in KEK; Windows UEFI CA 2023, Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 in db) cannot verify newly signed components or apply future Secure Boot security updates, and a new Linux shim signed only under the 2023 CA will be refused by such firmware. Device manufacturers (Dell, HP, Lenovo, ASUS, etc.) and motherboard vendors distribute UEFI firmware updates carrying the new certificates, and Microsoft has also been delivering db and KEK updates through Windows Update to eligible devices. Organisations that have not been applying firmware updates regularly are the ones that will find their fleet stuck on the 2011 trust anchors.
Recommended action: Apply the latest UEFI firmware updates from your device or motherboard manufacturer and then confirm the 2023 certificates are actually present in KEK and db rather than assuming the update installed them (on Windows, Get-SecureBootUEFI -Name db; on Linux, mokutil --db or the efivars files). For enterprise environments: inventory firmware versions and Secure Boot database contents across the fleet; this is a rare case where firmware updates become operationally urgent. If a device refuses a newly signed bootloader or shim, get the 2023 certificates onto it from a still-working boot path (firmware update or Windows Update) before reaching for the Secure Boot off switch; if you must disable Secure Boot temporarily, expect BitLocker and other PCR 7-bound disk encryption to demand the recovery key, and re-enable it once the certificates are in place. For Linux systems using shim: keep the currently installed, 2011-signed shim bootable until the firmware trusts the 2023 CA, then move to a shim signed under the new chain. This is not a security patch; it is infrastructure maintenance at planetary scale.
Official source: CybersecurityNews Report | Microsoft UEFI CA certificate documentation
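To verify rather than assume that a fleet has picked up the 2023 certificates, the following added example (the editor’s, not Microsoft’s or any vendor’s tooling) parses the EFI_SIGNATURE_LIST structures that make up the db and KEK variables as exposed through Linux efivars and reports which of the 2011 and 2023 Microsoft CA names appear in the X.509 entries. Matching on the subject-name bytes mirrors Microsoft’s published PowerShell check ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023') rather than doing full certificate parsing. The sample payload is constructed test data with stand-in certificate bodies; the efivars paths use the standard db (EFI_IMAGE_SECURITY_DATABASE) and KEK (EFI_GLOBAL_VARIABLE) GUIDs.

```python
"""Report which Microsoft Secure Boot CAs are present in a db/KEK variable.

Added example for this report, not Microsoft's or any vendor's tooling. Parses
the EFI_SIGNATURE_LIST layout of the db and KEK variables and matches the
well-known CA subject names as ASCII bytes inside the X.509 entries (the same
substring test Microsoft's PowerShell guidance uses). Standard library only.
"""
import struct
import uuid
from typing import Dict, List

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFIVARS = "/sys/firmware/efi/efivars"
# Linux exposes each variable as <name>-<vendor GUID>; first 4 bytes are attributes.
DB_VAR = f"{EFIVARS}/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
KEK_VAR = f"{EFIVARS}/KEK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# Expiring 2011 CAs and their 2023 replacements, as named in Microsoft's
# Secure Boot certificate documentation.
CA_NAMES = {
    "db": {
        "old": ["Microsoft Corporation UEFI CA 2011"],
        "new": ["Microsoft UEFI CA 2023", "Windows UEFI CA 2023", "Microsoft Option ROM UEFI CA 2023"],
    },
    "KEK": {
        "old": ["Microsoft Corporation KEK CA 2011"],
        "new": ["Microsoft Corporation KEK 2K CA 2023"],
    },
}


def parse_signature_lists(blob: bytes) -> List[Dict]:
    """Walk the concatenated EFI_SIGNATURE_LIST structures in a db/KEK payload.

    Layout: SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4)
    | SignatureSize (4) | header | N x (SignatureOwner GUID (16) + SignatureData).
    """
    out, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size < 16:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        entries = []
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            entries.append({"owner": owner, "data": blob[pos + 16:pos + sig_size]})
            pos += sig_size
        out.append({"type": sig_type, "entries": entries})
        off = end
    return out


def find_ca_names(blob: bytes, var: str) -> Dict[str, List[str]]:
    """Which old/new Microsoft CA names occur in the X.509 entries of var ('db'/'KEK')."""
    x509_data = [e["data"] for lst in parse_signature_lists(blob)
                 if lst["type"] == EFI_CERT_X509_GUID for e in lst["entries"]]
    found: Dict[str, List[str]] = {"old": [], "new": []}
    for kind, candidates in CA_NAMES[var].items():
        for name in candidates:
            if any(name.encode("ascii") in d for d in x509_data):
                found[kind].append(name)
    return found


def build_sample_db(cert_names: List[str]) -> bytes:
    """Constructed test payload: one X.509 list per name. The 'certificate' bodies
    are stand-in bytes carrying only the subject name, not real DER; enough to
    exercise the list walker and the name match offline."""
    blob = b""
    for name in cert_names:
        data = b"\x30\x82" + name.encode("ascii")      # fake DER SEQUENCE prefix + name
        sig_size = 16 + len(data)                        # owner GUID + data
        blob += EFI_CERT_X509_GUID.bytes_le + struct.pack("<III", 28 + sig_size, 0, sig_size)
        blob += uuid.UUID(int=0).bytes_le + data
    return blob


def read_efivar(path: str) -> bytes:
    """Read a Linux efivars file, dropping the 4-byte attributes prefix."""
    with open(path, "rb") as f:
        return f.read()[4:]


if __name__ == "__main__":
    for var, path in (("db", DB_VAR), ("KEK", KEK_VAR)):
        try:
            found = find_ca_names(read_efivar(path), var)
        except OSError as e:
            print(f"{var}: cannot read {path}: {e}")
            continue
        status = "OK, 2023 CA present" if found["new"] else "MISSING 2023 CA"
        print(f"{var}: {status}; names seen: {found['old'] + found['new']}")
```

Run as root on a Linux host (or inside a live image booted on the machine under test). A db that lists only the 2011 names after the firmware update is the condition the advisory above warns about; on Windows the equivalent is the Get-SecureBootUEFI check quoted in the lead-in. Real db variables also carry SHA-256 hash lists (a different SignatureType GUID), which the parser walks but the name match ignores.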
FFmpeg RASC Decoder, RustDesk, libssh2 — New Vulnerabilities Across Media, Remote Desktop, and SSH
FFmpeg CVE-2026-58049 — RASC Video Decoder Out-of-Bounds Write (CVSS 8.6): The RASC video decoder (decode_dlta in libavcodec/rasc.c) performs 32-bit reads and writes at the row cursor before the NEXT_LINE row-boundary check, and validates the DLTA region in pixels rather than bytes. On a PAL8 frame, a crafted DLTA run can access several bytes past the row allocation, a heap out-of-bounds write that a malicious video file could potentially turn into code execution. This is the second FFmpeg vulnerability this period following last week’s PixelSmash flaw. FFmpeg’s near-universal deployment in media applications, browsers, streaming platforms, and video processing pipelines makes every decoder vulnerability a high-impact event. Upgrade FFmpeg to the patched version. Audit video processing pipelines that accept untrusted input, particularly user-uploaded video content.
RustDesk CVE-2026-58056 — File Transfer Session Keyboard/Mouse Injection (CVSS 7.6): RustDesk, an open-source remote desktop application, gates incoming control messages on per-capability flags but does not clear those flags when a session transitions. A peer holding only a valid FileTransfer authorization can inject keyboard and mouse input because the capability flags from the file transfer session persist into the control channel. This means someone authorized only to transfer files can silently take control of the remote desktop — a serious trust boundary violation. Upgrade RustDesk. Review remote desktop access policies — do not grant file transfer access to untrusted peers.
libssh2 CVE-2026-58050 — Publickey Subsystem Integer Overflow (CVSS 7.0): libssh2 through 1.11.1 reads an attacker-controlled 32-bit attribute count from a publickey-subsystem response and uses it in the allocation num_attrs * sizeof(libssh2_publickey_attribute) without bounds checking. On 32-bit platforms, the multiplication wraps to an undersized buffer, enabling a heap overflow from a malicious or compromised SSH server. This is a client-side vulnerability: any application using libssh2 to connect to an SSH server (git over SSH, SFTP clients, custom SSH tools) could be exploited by a malicious server. Upgrade libssh2. On 64-bit platforms the product of a 32-bit count and the structure size fits in size_t, so the wrap does not occur there (the oversized allocation simply fails); 32-bit builds, common on embedded systems and IoT devices, remain exposed.
KEV Deadline Watch
TODAY (June 28): DOUBLE — PTC Windchill/FlexPLM CVE-2026-12569 (webshells, IoCs published) + Cisco UCM CVE-2026-20230. Both BOD 26-04. DEADLINE.
TOMORROW (June 29): Cisco SD-WAN CVE-2026-20262. Actively exploited. LAST ACTIVE KEV DEADLINE OF THE PERIOD. Dedicated advisory.
OVERDUE — June 26 (+2): QUADRUPLE — Ubiquiti UniFi OS CVE-2026-34908/34909/34910 + Lantronix EDS5000 CVE-2025-67038.
OVERDUE — June 23 (+5): TRIPLE — Chromium V8 + Arista EOS + Cisco SD-WAN CVE-2026-20245.
OVERDUE — June 22 (+6): LiteLLM CVE-2026-42271.
OVERDUE — June 21 (+7): Splunk CVE-2026-20253 (actively exploited).
OVERDUE — June 19 (+9): Joomla CE + SolarWinds.
OLDER OVERDUE: LiteSpeed +10, Oracle PS +13, Ivanti +14, Check Point +17, Nx Console +18, Mirasvit +22, Android +23, PAN-OS +27.
After June 29: The active KEV calendar for this reporting period clears. 22 CISA KEV additions in 28 days under BOD 26-04’s accelerated 3-day mandate — the most aggressive KEV cadence since the directive was established. 25 overdue KEVs remain. Cisco SD-WAN tomorrow is the final entry.
Updates on Items from Previous Reports
PTC Windchill CVE-2026-12569: Deadline today. Webshells confirmed. IoCs published. Dedicated advisory.
Cisco UCM CVE-2026-20230: Deadline today. Patch available since June 3. Dedicated advisory.
Cisco SD-WAN CVE-2026-20262: Deadline tomorrow — the final active KEV. Actively exploited. Dedicated advisory.
Node.js June 2026 Security Releases: CVE-2026-48930 (CVSS 9.8 TLS rebinding). Upgrade Node.js 22.x and 24.x. Dedicated advisory.
DirtyClone Linux CVE-2026-43503: Local privesc to root. Apply kernel updates. Dedicated advisory.
FortiBleed: 70,000+ Fortinet firewalls compromised. Updated advisory.
cURL 8.21.0: 18 vulnerabilities patched, update rollout continues. Advisory.
FFmpeg: Now two vulnerabilities this period — PixelSmash (June 23) and RASC decoder (today). Update FFmpeg across all dependent applications.
Windows Secure Boot: Certificate expiry is an operational event, not a patch. Apply UEFI firmware updates and verify the 2023 certificates are present in KEK and db. Installed systems keep booting; the impact shows up when devices still on the 2011 trust anchors cannot take newly signed boot components or dbx updates.
57 dedicated advisories published this period. After tomorrow the KEV calendar clears — this reporting period is effectively complete.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
