Vulnerability Intelligence Report — June 30, 2026
Coverage: June 1–30, 2026 | Total CISA KEV additions (period): 23 | New KEVs: 1 (SimpleHelp RMM, CVSS 10.0) | KEV deadline: July 2 (SimpleHelp, BOD 26-04 3-day mandate, 2 days from today) | Previous KEV cycle: CLEARED June 29 | Total overdue KEVs: 28
Previous reports: June 29, 2026 | June 28, 2026
Tuesday, June 30, 2026, the last day of the month, closes with a dramatic final act: a new CISA KEV entry that may be the most dangerous of the entire period. SimpleHelp CVE-2026-48558 (CVSS 10.0) is an authentication bypass in the RMM (Remote Monitoring and Management) platform used by managed service providers to control thousands of client endpoints. The flaw is simple: when OIDC authentication is configured, identity tokens are accepted without signature verification, so an unauthenticated attacker can mint a token asserting any identity, create a Technician account, and gain administrative control over every endpoint the RMM server manages. Attackers are already deploying the TaskWeaver loader malware through compromised SimpleHelp instances. CISA added the CVE to the KEV catalog yesterday with a July 2 deadline under BOD 26-04, just 2 days from today. The day also brought three further major reports: Oracle E-Business Suite CVE-2026-46817 is being actively exploited (Defused observed attacks on honeypots over the weekend); Microsoft Defender CVE-2026-33825 “BlueHammer”, a privilege escalation in Windows’ built-in antivirus, is now confirmed in ransomware attacks; and WolfSSL disclosed multiple vulnerabilities affecting billions of servers and IoT devices. Separately, Microsoft disclosed a critical Microsoft 365 Apps RCE exploitable via malicious Excel files, a PoC for an NTLM reflection bypass giving SYSTEM access on Windows Server was released, and GitHub reported that its Advisory Database hit a record 1,560 advisories in May 2026, more than its review capacity. Apple announced it will accelerate its patching cadence specifically because of AI-enabled threat acceleration.
Quick Reference — Most Important Items Today
SimpleHelp CVE-2026-48558: NEW CISA KEV — CVSS 10.0 authentication bypass in RMM — unsigned OIDC tokens accepted — MSP supply chain vector — TaskWeaver loader deployed — deadline July 2
Oracle E-Business Suite CVE-2026-46817: Critical unauthenticated takeover — actively exploited on honeypots over weekend — patch available since May 28
Microsoft Defender CVE-2026-33825 “BlueHammer”: SYSTEM privilege escalation — confirmed ransomware use — built into every Windows system
WolfSSL: Multiple vulnerabilities — certificate forgery, RCE, DoS — billions of servers and IoT devices
Microsoft 365 Apps: Critical RCE via malicious Excel file — Office ecosystem exploitation vector
NTLM Reflection Bypass: PoC released for SYSTEM access on Windows Server
GitHub Advisory Database: Record 1,560 advisories in May 2026 — surpassing review capacity
Apple: Accelerating patching cadence specifically due to AI-enabled threats
Previous KEV cycle: CLEARED June 29 — the window lasted exactly one day before a new entry arrived
SimpleHelp CVE-2026-48558 — CVSS 10.0 RMM Authentication Bypass, MSP Supply Chain Attack Vector, TaskWeaver Malware Deployed
Software affected: SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions — a widely deployed Remote Monitoring and Management (RMM) platform used by managed service providers (MSPs) and IT departments to manage thousands of endpoints.
CVE: CVE-2026-48558 | CVSS 10.0 (CRITICAL) | CWE-347 Improper Verification of Cryptographic Signature | CISA KEV added June 29, deadline July 2, 2026 under BOD 26-04 | When OIDC (OpenID Connect) authentication is configured, the ID token submitted during login is accepted without verifying its cryptographic signature. The signature is the only thing that ties an ID token to the identity provider, so an unauthenticated attacker can craft a token asserting any identity, log in, create a Technician account on the RMM server, and gain administrative control over every endpoint managed by that server.
Status: This is the most dangerous MSP supply chain vulnerability disclosed this period. SimpleHelp RMM servers sit at the apex of the managed services hierarchy: a single compromised RMM server gives the attacker every client endpoint managed through it, including the ability to deploy software, execute scripts, and access data across every managed organisation. The bug is stunningly simple: the OIDC token signature validation step was omitted. Exploitation is already under way; security firm Horizon3.ai has published IoCs confirming that the TaskWeaver loader is being deployed through compromised SimpleHelp instances. The patch was released June 5, disclosure was delayed until June 12, and active exploitation has now been confirmed. SimpleHelp is used by thousands of MSPs globally, so the blast radius of one compromised RMM server extends to every client of that MSP.
Recommended action: Upgrade SimpleHelp to the patched version immediately. If OIDC is not required, disable it as a compensating control until the upgrade is done. Audit SimpleHelp Technician accounts for unauthorised additions; an account the attacker created survives the upgrade, so patching alone does not evict them. Review the server's authentication logs for OIDC logins from identities you do not recognise, and check managed endpoints for unexpected software deployments, particularly the TaskWeaver loader, using the Horizon3.ai IoCs. If you are an MSP customer, contact your MSP to verify their SimpleHelp instance has been patched. Rotate all RMM credentials after patching. Deadline: July 2, 2 days away.
Official source: Horizon3.ai Advisory with IoCs | CISA KEV Catalog | Security.nl Report
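The CWE-347 pattern described above, as an added example (this is illustrative code written for this report, not SimpleHelp's code, and nothing here reflects how SimpleHelp's login is implemented): a validator that base64-decodes an OIDC ID token and trusts its claims, beside one that verifies it properly. It uses HS256 with a shared secret so it runs offline; real providers sign with RS256/ES256 and publish keys via JWKS, but the checks (pinned algorithm, signature, iss, aud, nonce, exp) are the same. The key, issuer, audience and the 2026-06-30 clock value are constructed.

```python
"""Added example, not SimpleHelp's code: an OIDC ID-token check that omits
signature verification (the CWE-347 pattern) beside one that verifies it.
HS256 with a shared secret is used so the example runs offline; real
providers sign with RS256/ES256 and publish keys via JWKS, but the checks
(pinned alg, signature, iss, aud, nonce, exp) are the same."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values. In production the key comes from the provider's JWKS
# endpoint and issuer/audience from the OIDC client configuration.
PROVIDER_KEY = b"constructed-idp-signing-key"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "rmm-client-id"  # hypothetical client_id


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a JWT. With the provider's key this models the IdP; with any
    other key, or alg='none', it models the attacker forging a token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(mac)}"


def decode_unverified(token: str) -> dict:
    """The vulnerable pattern: decode the claims and trust them. Any token
    whose payload names a user is accepted, whoever produced it."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_id_token(token: str, key: bytes, issuer: str, audience: str,
                    expected_nonce: str, now: Optional[float] = None) -> dict:
    """The hardened pattern. Raises ValueError on any failure so a caller can
    never fall through to 'create Technician account' with unchecked claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. Pin the algorithm. Letting the token choose allows 'none' (no
    #    signature) or alg confusion between asymmetric and HMAC keys.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # 2. Recompute the signature and compare in constant time.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. Bind the token to this provider, this client, this login attempt and
    #    this moment; each check closes a different replay or confusion path.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("token expired")
    return claims


def demo() -> dict:
    """Run both validators over a genuine token, a token signed with the wrong
    key, and an alg=none token; return which validator accepted which."""
    now = 1_782_777_600  # constructed clock: 2026-06-30T00:00:00Z
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
            "nonce": "n1", "exp": now + 300}
    tokens = {
        "genuine": sign_token({**base, "sub": "tech-alice"}, PROVIDER_KEY),
        "wrong_key": sign_token({**base, "sub": "tech-attacker"}, b"guess"),
        "alg_none": sign_token({**base, "sub": "tech-attacker"}, b"", "none"),
    }
    results = {}
    for name, tok in tokens.items():
        results[f"unverified accepts {name}"] = decode_unverified(tok)["sub"]
        try:
            verify_id_token(tok, PROVIDER_KEY, EXPECTED_ISSUER,
                            EXPECTED_AUDIENCE, "n1", now)
            results[f"verified accepts {name}"] = True
        except ValueError:
            results[f"verified accepts {name}"] = False
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unverified decoder hands back "tech-attacker" for both forged tokens; the verifying one accepts only the genuine token. When auditing a login implementation, look for the same three things in this order: is the algorithm pinned server-side, is the signature checked against the provider's published key, and are iss, aud, nonce and exp all enforced.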
Oracle E-Business Suite CVE-2026-46817 — Unauthenticated Takeover, Actively Exploited
Software affected: Oracle E-Business Suite (EBS) — Oracle Payments component. Enterprise Resource Planning (ERP) software holding sensitive organisational and customer data including financials, HR, supply chain, and procurement.
CVE: CVE-2026-46817 | Unauthenticated remote takeover | Oracle describes it as “easily exploitable” | A flaw in the Oracle Payments component lets an unauthenticated attacker with network access gain complete control of the EBS instance. Patch available since May 28, 2026.
Status: Security firm Defused reports active exploitation on its honeypot infrastructure over the weekend of June 27–28. Oracle released patches on May 28 — over a month ago. EBS vulnerabilities have a history of being exploited for data extortion; late 2025 saw a wave of attacks where stolen EBS data was used to extort organisations. EBS holds the crown jewels of enterprise data — compromise exposes financial records, HR data, customer information, and supply chain details. Despite the patch being available for over a month, active exploitation indicates many organisations have not applied it. CISA has not yet added this to KEV but the Defused report — if confirmed — would likely trigger a listing.
Recommended action: Apply Oracle’s May 28 patch immediately if not already done. Audit EBS access logs for unauthorised activity, particularly in the Oracle Payments component, and review EBS user accounts for unexpected administrative additions. If the instance was reachable from the internet at any point since May 28, treat it as potentially compromised and hunt rather than only patch. Network-segment EBS instances; they should never be directly internet-facing.
Official source: CybersecurityNews Report | Security.nl Report | Oracle Critical Patch Update (May 2026)
Microsoft Defender “BlueHammer” CVE-2026-33825 — Antivirus Privilege Escalation Used in Ransomware
Software affected: Microsoft Defender — the antivirus software built into every Windows installation. All Windows systems with Defender enabled (the default).
CVE: CVE-2026-33825 | Dubbed “BlueHammer” | Local privilege escalation to SYSTEM | An attacker who already has access to a system can exploit Defender to escalate to SYSTEM — the highest privilege level on Windows — gaining full control. PoC exploit was publicly released in early April. Microsoft patched April 14. CISA added to KEV on April 22.
Status: CISA has now confirmed that this vulnerability is being actively used in ransomware attacks. This is a deeply ironic vulnerability — the very software designed to protect Windows systems is being used as the escalation vector. Defender runs with high privileges by design, making it an attractive target for privilege escalation. Ransomware operators typically follow a pattern: gain initial access → escalate to SYSTEM via an LPE vulnerability → deploy ransomware. BlueHammer fills a critical step in that chain. Every unpatched Windows system is a potential ransomware target through its own antivirus. The patch has been available since April 14 — over 10 weeks ago. Organisations that have not applied April 2026 Windows updates are exposed.
Recommended action: Apply Microsoft’s April 14, 2026 security updates immediately if not already done. Verify Defender is updated across the Windows fleet. This is a KEV with confirmed ransomware use — treat as highest priority for any unpatched systems.
Official source: CISA KEV Catalog | Security.nl Report
WolfSSL, Microsoft 365 RCE, NTLM Bypass, GitHub Record — A Flood of New Disclosures
WolfSSL — Multiple Vulnerabilities, Billions of Devices: WolfSSL disclosed multiple vulnerabilities in its widely embedded TLS library, including certificate forgery, remote code execution, and denial-of-service flaws. WolfSSL is the TLS stack of choice for embedded systems, IoT devices, and resource-constrained environments, deployed in billions of servers, industrial controllers, medical devices, automotive systems, and consumer IoT products. Certificate forgery in a TLS library means an attacker can present a certificate the library wrongly accepts and impersonate a trusted server, defeating TLS for every connection that device makes. Because WolfSSL is usually statically linked into firmware, OS package inventories will not show it; ask device vendors directly and check your own builds for vendored copies. Patching will be slow, since many devices lack update mechanisms. Apply WolfSSL updates immediately for systems you control; for embedded devices, contact manufacturers for firmware updates.
Microsoft 365 Apps RCE — Malicious Excel File Vector: Microsoft disclosed a critical remote code execution vulnerability in the Office ecosystem exploitable through a malicious Excel file. This is the classic malicious-document vector: a user opens the file and attacker code runs in the Office process with whatever access that user has. The vulnerability affects Microsoft 365 Apps (the subscription version of Office). Apply Microsoft’s security updates immediately. Brief users on the risk of opening Excel files from untrusted sources; this is a perennial recommendation, but the steady stream of exploited Office RCEs makes it a live concern.
NTLM Reflection Bypass — SYSTEM Access PoC: A proof-of-concept exploit demonstrating an NTLM reflection bypass on Windows Server has been released, enabling SYSTEM-level access. NTLM reflection (coercing a host to authenticate and relaying that authentication back to the same host) has been a known attack category for years, and Microsoft has implemented multiple mitigations. This PoC demonstrates a bypass of those mitigations, re-opening a path to SYSTEM that was believed closed. Apply the latest Windows security updates. Disable NTLM authentication in favour of Kerberos where possible; where it cannot yet be disabled, enforce SMB and LDAP signing and Extended Protection for Authentication to limit relay targets, and use NTLM auditing to find remaining dependencies before turning it off.
GitHub Advisory Database — Record Volume Surpasses Review Capacity: GitHub published a record 1,560 security advisories in May 2026 — the highest monthly volume in the database’s history — yet still lagged behind incoming vulnerability reports. This data point confirms what this reporting period has demonstrated empirically: the volume of vulnerability disclosures is accelerating beyond the capacity of centralised review processes. The implications are significant — advisories may be published later, with less review, or not at all. Organisations cannot rely solely on centralised advisory databases for vulnerability awareness; direct vendor monitoring and proactive scanning are essential.
Apple Accelerates Patching — AI-Driven Threat Acceleration Now Policy-Level
Status: Apple has announced it will accelerate its security patching cadence specifically because of AI-enabled threat acceleration. This is a significant policy shift from a vendor that has traditionally operated on a more measured release cycle. Apple’s announcement follows the Five Eyes joint advisory from earlier this period that called for 3-day patching as the new operational baseline. The pattern is now clear across the industry: AI-assisted vulnerability discovery, AI-generated exploits, and AI-accelerated attack chains are compressing the window between disclosure and exploitation. Vendors are responding — Apple joining the accelerated patching movement is a milestone. Organisations should expect patch volumes and frequencies to continue increasing across all major vendors.
KEV Deadline Watch
July 2 (2 days): SimpleHelp CVE-2026-48558 (CVSS 10.0, actively exploited, TaskWeaver loader). BOD 26-04 3-day mandate. ONLY ACTIVE KEV DEADLINE.
Previous cycle cleared June 29. The KEV calendar was empty for exactly one day before SimpleHelp arrived.
Overdue — June 29 (+1): Cisco SD-WAN CVE-2026-20262.
Overdue — June 28 (+2): DOUBLE — PTC Windchill + Cisco UCM.
Overdue — June 26 (+4): QUADRUPLE — Ubiquiti UniFi OS x3 + Lantronix EDS5000.
Overdue — June 23 (+7): TRIPLE — Chromium V8 + Arista EOS + Cisco SD-WAN CVE-2026-20245.
OLDER OVERDUE: LiteLLM +8, Splunk +9, Joomla CE +11, SolarWinds +11, LiteSpeed +12, Oracle PS +15, Ivanti +16, Check Point +19, Nx Console +20, Mirasvit +24, Android +25, PAN-OS +29.
Total overdue after today: 28. With 23 KEV additions in 30 days, the June 2026 reporting period closes as the most aggressive KEV cycle on record.
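The Deadline Watch above is a hand-maintained list. As an added example (not CISA tooling and not part of the original report), the same bookkeeping over the KEV catalog's JSON schema: the field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are those of the public known_exploited_vulnerabilities.json feed, while the entries below are constructed from this report rather than fetched, so the script runs offline. The dateAdded values for the two Cisco entries and the Defender dueDate are back-computed from the 3-day mandate, not taken from the page, and the set of already-remediated CVEs is a hypothetical input from your own records.

```python
"""Added example, not CISA tooling: a deadline tracker over the KEV catalog's
JSON schema. Entries are constructed from the June 30, 2026 report; the
Cisco dateAdded values and the Defender dueDate are back-computed from the
3-day mandate. Remediated CVEs are a hypothetical input from your own
records, not a catalog field."""
import json
from datetime import date

CONSTRUCTED_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-48558", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dateAdded": "2026-06-29", "dueDate": "2026-07-02",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20262", "vendorProject": "Cisco", "product": "SD-WAN",
     "dateAdded": "2026-06-26", "dueDate": "2026-06-29",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20245", "vendorProject": "Cisco", "product": "SD-WAN",
     "dateAdded": "2026-06-20", "dueDate": "2026-06-23",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-33825", "vendorProject": "Microsoft", "product": "Defender",
     "dateAdded": "2026-04-22", "dueDate": "2026-04-25",   # dueDate constructed
     "knownRansomwareCampaignUse": "Known"},
]})


def load_catalog(text: str) -> list:
    """Parse the feed and keep only the fields the tracker needs."""
    keep = ("cveID", "vendorProject", "product", "dateAdded", "dueDate",
            "knownRansomwareCampaignUse")
    return [{k: e.get(k) for k in keep}
            for e in json.loads(text)["vulnerabilities"]]


def deadline_status(entries: list, today: str, remediated=()) -> list:
    """One row per open KEV: days past due (negative while still inside the
    deadline), the mandate window CISA applied, and the ransomware flag.
    Sorted most-overdue first, then soonest due, ransomware-linked on ties."""
    today_d = date.fromisoformat(today)
    rows = []
    for e in entries:
        if e["cveID"] in remediated:
            continue
        added = date.fromisoformat(e["dateAdded"])
        due = date.fromisoformat(e["dueDate"])
        vendor, product = e["vendorProject"], e["product"]
        rows.append({
            "cveID": e["cveID"],
            "product": product if product == vendor else f"{vendor} {product}",
            "dueDate": e["dueDate"],
            "window_days": (due - added).days,
            "days_overdue": (today_d - due).days,
            "ransomware": e["knownRansomwareCampaignUse"] == "Known",
        })
    rows.sort(key=lambda r: (-r["days_overdue"], not r["ransomware"]))
    return rows


def summarize(rows: list) -> dict:
    overdue = sum(1 for r in rows if r["days_overdue"] > 0)
    due_soon = sum(1 for r in rows if -3 <= r["days_overdue"] <= 0)
    return {"open": len(rows), "overdue": overdue, "due_within_3_days": due_soon}


def render(rows: list) -> list:
    """Lines in the style of the Deadline Watch."""
    out = []
    for r in rows:
        d = r["days_overdue"]
        state = f"Overdue (+{d})" if d > 0 else f"Due in {-d} day(s)"
        flag = " [ransomware]" if r["ransomware"] else ""
        out.append(f"{state}: {r['product']} {r['cveID']} "
                   f"(due {r['dueDate']}, {r['window_days']}-day window){flag}")
    return out


if __name__ == "__main__":
    rows = deadline_status(load_catalog(CONSTRUCTED_KEV), "2026-06-30",
                           remediated={"CVE-2026-33825"})
    print("\n".join(render(rows)))
    print(summarize(rows))
```

Run against the real feed, the only change is reading the JSON from disk instead of CONSTRUCTED_KEV; the window_days column is a quick way to see which entries fall under a short mandate and the ransomware flag is the tie-breaker when two deadlines land on the same day.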
Updates on Items from Previous Reports
SimpleHelp CVE-2026-48558 (NEW): CVSS 10.0, CISA KEV, MSP supply chain. TaskWeaver loader deployed. Deadline July 2.
Gitea act_runner CVE-2026-58053: CVSS 9.9 container escape, public PoC. Advisory.
Windows Secure Boot: Certificate expiry impact unfolding. Advisory.
Node.js CVE-2026-48930: CVSS 9.8. Advisory.
Cisco SD-WAN CVE-2026-20262: Deadline passed yesterday. Now overdue. Advisory.
FortiBleed: 70,000+ Fortinet firewalls. Advisory.
61 dedicated advisories published this period. June 2026 closes with 23 CISA KEV additions, 28 overdue, and a new KEV cycle already beginning with SimpleHelp.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds. June 30, 2026: final report of the month, covering 30 days.
