Vulnerability Intelligence Report — June 4, 2026
Coverage: June 3–4, 2026 | New CISA KEV additions: 1 | New items: 5 | KEV deadlines today: 3 | KEV deadlines tomorrow: 2 | KEV deadlines June 6: 1
Today — June 4, 2026 — three CISA KEV remediation deadlines arrive for Oracle WebLogic, Trend Micro Apex One, and Langflow. CISA added a new entry: Mirasvit Full Page Cache Warmer (CVE-2026-45247, Magento/Adobe Commerce), due June 6, with active exploitation reported against Magento web shops. Acer confirmed two maximum-severity zero-days in Wave 7 routers — no patch available yet. Cisco disclosed exploit code availability for a critical Unified Communications Manager vulnerability. OpenSSL pre-announced a security update for June 9.
Quick Reference — Most Important Vulnerabilities Today
Mirasvit Full Page Cache Warmer (Magento): CVE-2026-45247 (NEW CISA KEV, actively exploited, due June 6)
Acer Wave 7 Routers: CVE-2026-49200 + CVE-2026-49201 (max severity zero-days, no patch yet)
Cisco Unified Communications Manager: CVE-2026-20230 (exploit code publicly available)
OpenSSL: Security update pre-announced for June 9
KEV DEADLINE TODAY: Oracle WebLogic / Trend Micro Apex One / Langflow
KEV DEADLINE TOMORROW: Linux Kernel cgroups CVE-2022-0492 / Android Framework CVE-2025-48595
Mirasvit Full Page Cache Warmer (Magento/Adobe Commerce) — CVE-2026-45247 (NEW CISA KEV, Actively Exploited)
Software affected: Mirasvit Full Page Cache Warmer — a Magento 2 / Adobe Commerce extension used to pre-warm page caches for improved store performance. The extension is deployed on Magento e-commerce platforms globally.
CVE: CVE-2026-45247 | Deserialization of Untrusted Data | Actively exploited against Magento web shops | Added to CISA KEV June 3, 2026 — federal agency deadline June 6, 2026
Fixable: Yes. Update the Mirasvit Full Page Cache Warmer extension to the latest patched version. If a patch is not immediately available, disable or remove the extension until it can be updated.
Business impact: An unauthenticated deserialization vulnerability allows remote attackers to achieve code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie. PHP deserialization vulnerabilities are consistently among the most dangerous web application vulnerability classes — they routinely lead to full server compromise. Magento/Adobe Commerce platforms process payment information, customer data, and order management — a compromised Magento store can expose customer PII, payment card data, and order history. Dutch security media reports that Magento web shops are currently under active attack via this vulnerability. The CISA KEV deadline of June 6 gives organisations two days to patch.
How to fix: Update the Mirasvit Full Page Cache Warmer extension to the latest version. If your Magento store uses this extension, check the Mirasvit website or Magento Marketplace for the patched version. After updating, clear all customer session cookies and the Magento cache. Review Magento access logs for requests containing unusually large or malformed CacheWarmer cookie values. If exploitation is suspected, treat the Magento instance as compromised: rotate all admin credentials, audit for unauthorised admin user creation, and review order and customer data for signs of exfiltration.
Recommended action: Urgent — actively exploited with a tight KEV deadline. Every Magento/Adobe Commerce store running the Mirasvit Full Page Cache Warmer extension must patch by June 6. If the extension cannot be patched immediately, disable it.
Official source: CISA KEV Catalog | NVD — CVE-2026-45247
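One way to run the access-log check described above, as an added example that is not part of this report and not Mirasvit's code: it assumes the web server appends the request Cookie header as a final quoted field to the combined log format (the default combined format does not record cookies), and the sample log lines and the length threshold are constructed.

```python
"""Flag suspicious CacheWarmer cookie values in Magento access logs (added example, not Mirasvit code).
Assumes the web server appends the request Cookie header as a final quoted field to the
combined log format (nginx: '... "$http_user_agent" "$http_cookie"'); plain combined logs lack it."""
import re
from typing import Iterator, List, NamedTuple, Optional
from urllib.parse import unquote

# Combined format plus one trailing quoted field holding the request's Cookie header.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'\S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
# A serialized PHP object begins O:<len>:"<class>":<n>:{ ; a cache-warmer marker cookie
# should never look like that, so any hit is treated as a deserialization attempt.
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
MAX_COOKIE_LEN = 256  # constructed threshold: tune to the extension's normal value length

class Finding(NamedTuple):
    ip: str
    ts: str
    reason: str
    value: str  # first 80 chars of the decoded cookie, for the analyst

def cache_warmer_value(cookie_header: str) -> Optional[str]:
    """Return the URL-decoded CacheWarmer value from a raw Cookie header, or None."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "CacheWarmer":
            return unquote(value)
    return None

def scan_log(lines: List[str]) -> Iterator[Finding]:
    """Yield a Finding for each request whose CacheWarmer cookie is object-shaped or oversized."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unexpected format: skip rather than guess
        value = cache_warmer_value(m["cookie"])
        if value is None:
            continue
        if PHP_OBJECT_RE.search(value):
            yield Finding(m["ip"], m["ts"], "serialized PHP object in CacheWarmer cookie", value[:80])
        elif len(value) > MAX_COOKIE_LEN:
            yield Finding(m["ip"], m["ts"], f"oversized CacheWarmer cookie ({len(value)} chars)", value[:80])

SAMPLE_LOG = [  # constructed lines using RFC 5737 documentation addresses
    '203.0.113.7 - - [04/Jun/2026:08:15:02 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "CacheWarmer=warm-1; PHPSESSID=abc123"',
    '198.51.100.9 - - [04/Jun/2026:08:15:09 +0000] "GET / HTTP/1.1" 200 8192 "-" "curl/8.4.0" "CacheWarmer=O%3A7%3A%22Example%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D"',
    '192.0.2.5 - - [04/Jun/2026:08:15:11 +0000] "GET / HTTP/1.1" 200 8192 "-" "Mozilla/5.0" "CacheWarmer=' + "A" * 300 + '"',
]
```

Run it as `for f in scan_log(open("access.log")): print(f)`; any finding is a reason to start the compromise triage the report lists, not just to block the source address.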
Acer Wave 7 Routers — CVE-2026-49200 and CVE-2026-49201 (Max Severity Zero-Days, No Patch Yet)
Software affected: Acer Wave 7 mesh routers running firmware version T7c_GBL_1.01.000055 or earlier. The Wave 7 is a consumer and small-business mesh Wi-Fi system.
CVEs: CVE-2026-49200 — Broken Access Control. The acer_cgi.log file is accessible without authentication via the web interface and contains cleartext login credentials for both web administration and Telnet access, leading to unauthorised system access. CVE-2026-49201 — Hardcoded Cryptographic Key. The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key that allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection. Both rated maximum severity. Discovered by security researcher Gergo Pap.
Fixable: Not yet. Acer has confirmed the vulnerabilities and stated it is working on patches, but no firmware update is currently available.
Business impact: Two maximum-severity vulnerabilities combine to create a complete device compromise chain: CVE-2026-49200 provides unauthenticated access to plaintext credentials including web admin and Telnet passwords — instant administrative access to the router. CVE-2026-49201 allows an attacker who has gained access to inject a persistent backdoor by decrypting and modifying device backups with the hardcoded AES key, surviving firmware updates and factory resets. A compromised router gives an attacker a persistent foothold on the network: they can intercept, modify, and redirect traffic, perform man-in-the-middle attacks, access connected devices, and use the router as a pivot point for lateral movement. While the Wave 7 is positioned as a consumer/SMB product, mesh routers are commonly deployed in small offices, retail locations, and remote branch environments where they serve as the primary network gateway.
How to fix: No patch is available yet. Until Acer releases updated firmware, implement these mitigations: (1) restrict access to the router’s web management interface to trusted internal IP addresses only — do not expose it to the internet or guest networks; (2) disable remote administration and Telnet access entirely; (3) change all router passwords immediately — the cleartext log file means current passwords may already be exposed; (4) monitor for unusual administrative logins or configuration changes; (5) if the router is internet-facing or serves a business-critical function, consider replacing it with a patched alternative until Acer releases firmware updates. Monitor Acer’s support site for the firmware release.
Recommended action: Containment measures today — no patch exists. Restrict management access, rotate passwords, disable remote admin. For business-critical deployments, plan for replacement if a patch is delayed. The vulnerability details are public, and exploitation requires no authentication, making automated scanning likely.
Official source: Acer Security Advisory | NVD — CVE-2026-49200 | NVD — CVE-2026-49201
Cisco Unified Communications Manager — CVE-2026-20230 (Exploit Code Publicly Available)
Software affected: Cisco Unified Communications Manager (Unified CM) — Cisco’s enterprise IP telephony and video calling platform deployed in organisations globally for voice, video, messaging, and collaboration services.
CVE: CVE-2026-20230 | Cisco has confirmed that exploit code for this critical vulnerability is publicly available. Unified CM is the call control component of Cisco’s collaboration portfolio and is typically deployed as a core infrastructure service with high availability requirements.
Fixable: Yes. Cisco has released a patch. Apply the Cisco Unified CM update immediately. The official Cisco advisory provides specific fixed software versions.
Business impact: A critical vulnerability in Cisco Unified Communications Manager — the backbone of enterprise voice and video communications — with publicly available exploit code. Unified CM controls IP phone registration, call routing, voicemail, and video conferencing for entire organisations. A compromised Unified CM instance can disrupt all organisational voice communications, intercept or record calls, redirect phone numbers, and serve as a pivot point into the broader enterprise network. Public exploit code availability dramatically lowers the barrier to exploitation and typically triggers a surge in scanning and attack activity. The impact extends beyond IT: voice communications are a safety-critical service in many organisations, and extended downtime of the phone system during an incident can have operational and regulatory consequences.
How to fix: Apply the Cisco Unified CM security update immediately. Verify the installed version against the fixed version in the Cisco advisory. After patching, review Unified CM administrative audit logs for unauthorised configuration changes, unexpected administrator account creation, or unusual call routing modifications. If your Unified CM is accessible from untrusted networks, review access control lists and restrict management access.
Recommended action: Critical — patch today. The combination of a core infrastructure platform plus publicly available exploit code makes this an emergency-patch scenario. Unified CM should already be isolated from the internet — verify this is the case. If exploit code is public, automated scanning is imminent.
Official source: Cisco Security Advisory | NVD — CVE-2026-20230
OpenSSL — Security Update Pre-Announced for June 9, 2026
OpenSSL has pre-announced a security update scheduled for release on June 9, 2026. The OpenSSL project uses pre-announcements to give organisations advance notice to prepare for patching cycles — a practice established after the Heartbleed (2014) crisis. The severity and scope of the update have not been disclosed, but pre-announcements are typically reserved for updates rated HIGH or CRITICAL. Organisations should prepare to apply the OpenSSL update on June 9 — ensure your OpenSSL inventory is documented, identify all applications and services that link against OpenSSL (including statically linked and containerised deployments), and schedule a maintenance window for June 9 or shortly thereafter. The update will be distributed through operating system package managers and the OpenSSL website. Monitor openssl.org/news/ for the advisory on June 9.
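To act on the inventory advice above, an added example that is not from this report or the OpenSSL project: it lists Linux processes with libssl/libcrypto mapped, flags those still running a copy that was replaced on disk (the restart list you need after the June 9 update lands), and, for processes with no shared mapping, greps the executable for an embedded OpenSSL banner as a static-linking hint. It assumes a Linux host with procfs and root to inspect other users' processes; the maps excerpt is constructed.

```python
"""Inventory Linux processes using OpenSSL and spot ones still mapping a replaced library after
the update (added example, not from the report or the OpenSSL project; needs procfs, root for all pids)."""
import os
import re
from typing import Dict, Optional, Set

# libssl.so.3, libcrypto.so.1.1, ...; a trailing "(deleted)" means the file was replaced on disk
# (patched) but this process still runs the old copy and must be restarted.
LIB_RE = re.compile(r"/(?:libssl|libcrypto)\.so(?:\.[0-9]+)*( \(deleted\))?$")
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)")  # banner embedded by OpenSSL builds

def openssl_libs_from_maps(maps_text: str) -> Set[str]:
    """Distinct libssl/libcrypto paths from the text of a /proc/<pid>/maps file."""
    libs = set()
    for line in maps_text.splitlines():
        fields = line.split(maxsplit=5)  # addr perms offset dev inode [path]
        if len(fields) == 6 and LIB_RE.search(fields[5]):
            libs.add(fields[5])
    return libs

def embedded_openssl_version(data: bytes) -> Optional[str]:
    """First 'OpenSSL x.y.z' banner in raw bytes; inside an executable it suggests static linking."""
    m = VERSION_RE.search(data)
    return m.group(1).decode() if m else None

def inventory(proc_root: str = "/proc") -> Dict[int, dict]:
    """pid -> {'exe', 'libs', 'stale', 'static_version'} for every process that uses OpenSSL."""
    result = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(f"{proc_root}/{entry}/maps") as f:
                libs = openssl_libs_from_maps(f.read())
            exe = os.readlink(f"{proc_root}/{entry}/exe")
            static = None
            if not libs:  # no shared OpenSSL: scan the binary itself (magic link works across mount namespaces)
                with open(f"{proc_root}/{entry}/exe", "rb") as f:
                    static = embedded_openssl_version(f.read())
        except OSError:
            continue  # process exited, or we are not permitted to inspect it
        if libs or static:
            result[int(entry)] = {"exe": exe, "libs": sorted(libs), "static_version": static, "stale": sorted(l for l in libs if l.endswith("(deleted)"))}
    return result

SAMPLE_MAPS = (  # constructed /proc/<pid>/maps excerpt; libssl3.so is NSS, not OpenSSL, and must not match
    "7f8c1a000000-7f8c1a200000 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.3\n"
    "7f8c1b000000-7f8c1b400000 r--p 00000000 08:01 1235 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (deleted)\n"
    "7f8c1c000000-7f8c1c010000 r-xp 00000000 08:01 777 /usr/lib/x86_64-linux-gnu/libssl3.so\n"
)
```

Containers and statically linked vendor binaries will not be fixed by the host package update alone; the `static_version` field and any mapping under a container's root are the entries to chase with the respective image or vendor.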
KEV Deadline Watch — Three Today, Two Tomorrow, One June 6
Today — June 4, 2026 (3 deadlines)
Oracle WebLogic — CVE-2024-21182. T3/IIOP unauth access. Apply July 2024 CPU. Covered in the dedicated advisory.
Trend Micro Apex One — CVE-2026-34926. Pre-auth LPE. SP1 CP Build 18012 (on-premise), agent build 14.0.20731 (SaaS). Covered in the May 22 report.
Langflow — CVE-2025-34291. CORS + token theft (MuddyWater APT). Upgrade to 1.7.0. Covered in the May 22 report.
Tomorrow — June 5, 2026 (2 deadlines)
Android Framework — CVE-2025-48595. Actively exploited zero-day. Apply June 2026 Android update. Covered in the dedicated advisory.
Linux Kernel cgroups — CVE-2022-0492. Container-escape LPE. Update host kernel. Covered in the dedicated advisory.
June 6, 2026 (1 deadline)
Mirasvit Full Page Cache Warmer — CVE-2026-45247 (NEW). Covered as the lead item in this report. Magento/Adobe Commerce deserialization RCE. Actively exploited.
June 10, 2026 (2 deadlines)
Nx Console — CVE-2026-48027 / TanStack — CVE-2026-45321. Supply chain compromises. Audit npm dependencies.
Updates on Items from Previous Reports
Windows Netlogon — CVE-2026-41089 (CVSS 9.8, Belgian exploitation warning): Covered in the dedicated advisory. Patch domain controllers.
Citrix NetScaler — CVE-2026-3055 (CVSS 9.8, large-scale exploitation): Covered in the dedicated advisory. Fortinet confirms ongoing exploitation.
Palo Alto PAN-OS — CVE-2026-0257 (KEV deadline passed June 1): Three days past deadline. Covered in the dedicated advisory.
Apache Solr — CVE-2026-44825 / IBM WebSphere — CVE-2026-8644/9311/9319 / Kirki WP — CVE-2026-8206: Covered in the dedicated advisories linked from the June 2 report.
ARMember Premium WP — CVE-2026-5076/5073: Covered in the dedicated advisory.
Drupal, Ghost CMS, SonicWall, FortiClient/FortiAuth/FortiSandbox, Exim, ChromaDB, Oracle ORDS, CIFSwitch, 7-Zip, Starlette, Spectra, Simple History, GEO my WP, WP Maps Pro: All covered in dedicated advisories and previous reports. Refer to linked reports for full details.
This report is compiled from official vendor advisories, the CISA Known Exploited Vulnerabilities catalog, the National Vulnerability Database, and primary security research sources. Verify all remediation steps against official vendor documentation before applying changes in production environments.
