National Cyber Warfare Foundation (NCWF)

June 2026 CVE Landscape


0 user ratings
2026-07-10 13:58:08
milo
Blue Team (CND)
In June 2026, Insikt Group® identified 60 high-impact vulnerabilities that should be prioritized for remediation, 30 of which had a Very Critical Recorded Future Risk Score. This represents a 49% increase from last month.

In June 2026, Insikt Group® identified 60 high-impact vulnerabilities that should be prioritized for remediation, 30 of which had a Very Critical Recorded Future Risk Score. This represents a 49% increase from last month. 23 of the 60 vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, 34 were reported by vendors, and three were primarily surfaced through honeypot data.


The 60 vulnerabilities in this report affected products from 36 vendors, with Microsoft accounting for approximately 18% of the vulnerabilities. The remaining exposure was concentrated across a range of enterprise software, security products, network infrastructure, developer tooling, and cloud platform vendors.


Insikt Group created Nuclei templates to detect two of the vulnerabilities featured in this month’s report: CVE-2026-35616 affecting Fortinet FortiClient EMS and CVE-2026-25939 affecting Frangoteam FUXA. These are available to Recorded Future customers via the Recorded Future Intelligence Operations Platform.


Quick reference: June 2026 Vulnerability Table


All 57 vulnerabilities below were actively exploited in June 2026. This table does not include the three CVEs associated with honeypot activity, which are available to Recorded Future customers via the CVE Monthly report, in the platform. The table below also provides examples of public PoCs identified by Insikt Group. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.




#

Vulnerability

Risk
Score

Vendor/Product

KEV

Malware Analysis

RCE

PoC



1

CVE-2020-17103

99

Microsoft Windows 10/11 and Windows Server 2019


✓





2

CVE-2022-0492

99

Linux Kernel

✓






3

CVE-2025-55182

99

Meta React Server Components packages


✓

✓




4

CVE-2025-67038

99

Lantronix EDS5000

✓






5

CVE-2025-8088

99

WinRAR


✓

✓




6

CVE-2026-10520

99

Ivanti Sentry

✓


✓




7

CVE-2026-11645

99

Google Chromium V8 and Chrome

✓


✓




8

CVE-2026-12569

99

PTC Windchill, Windchill PDMLink, and FlexPLM

✓


✓




9

CVE-2026-20230

99

Cisco Unified Communications Manager

✓






10

CVE-2026-20245

99

Cisco Catalyst SD-WAN Manager and Controller

✓


✓




11

CVE-2026-20253

99

Splunk Enterprise

✓






12

CVE-2026-20262

99

Cisco Catalyst SD-WAN Manager

✓






13

CVE-2026-21509

99

Microsoft 365 Apps for Enterprise and Office 2016



✓


(available to Recorded Future Customers)







14

CVE-2026-28318

99

SolarWinds Serv-U

✓






15

CVE-2026-33825

99

Microsoft Defender Antimalware Platform



✓


(available to Recorded Future Customers)







16

CVE-2026-34908

99

Ubiquiti UniFi OS, UniFi OS Server, UDM, and UDM-Pro

✓






17

CVE-2026-34909

99

Ubiquiti UniFi OS, UniFi OS Server, Express 7, and UDM

✓






18

CVE-2026-34910

99

Ubiquiti UniFi OS, UniFi OS Server, UDM, and UDM-Pro

✓


✓




19

CVE-2026-35273

99

Oracle PeopleSoft Enterprise PeopleTools

✓






20

CVE-2026-39808

99

FortiSandbox PaaS



✓


(available to Recorded Future Customers)



✓




21

CVE-2026-41089

99

Microsoft Windows Server 2012



✓


(available to Recorded Future Customers)



✓




22

CVE-2026-42271

99

BerriAI LiteLLM

✓


✓




23

CVE-2026-48558

99

SimpleHelp

✓






24

CVE-2026-48907

99

Joomla Content Editor (JCE) extension for Joomla

✓






25

CVE-2026-50751

99

Check Point Security Gateway, Quantum Security Gateway, and Spark Firewalls

✓






26

CVE-2026-54420

99

LiteSpeed cPanel Plugin

✓






27

CVE-2026-7473

99

Arista EOS

✓






28

CVE-2021-26855

89

Microsoft Exchange Server 2016 and 2019


✓

✓




29

CVE-2021-36260

89

Hikvision Firmware


✓

✓




30

CVE-2022-40684

89

Fortinet FortiOS, FortiProxy, and FortiSwitchManager


✓





31

CVE-2023-20198

89

Cisco IOS XE Software


✓





32

CVE-2024-21182

89

Oracle WebLogic Server

✓






33

CVE-2024-21762

89

Fortinet FortiProxy and FortiOS


✓

✓




34

CVE-2025-48595

89

Android Framework

✓


✓




35

CVE-2025-6218

89

WinRAR


✓

✓




36

CVE-2026-21513

89

Microsoft Windows 10 and Windows Server 2012


✓





37

CVE-2026-3300

89

WPEverest Everest Forms Pro


✓

✓




38

CVE-2026-35616

89

Fortinet FortiClientEMS


✓

✓




39

CVE-2026-41091

89

Microsoft Malware Protection Engine


✓





40

CVE-2026-44963

89

Veeam Backup and Replication


✓

✓




41

CVE-2026-45247

89

Mirasvit Full Page Cache Warmer for Magento 2

✓


✓




42

CVE-2016-4437

79

Apache Shiro


✓

✓




43

CVE-2021-27076

79

Microsoft SharePoint and Business Productivity Servers


✓

✓




44

CVE-2021-27137

79

DD-WRT Firmware


✓





45

CVE-2022-27925

79

Zimbra


✓





46

CVE-2022-41082

79

Microsoft Exchange Server 2013


✓

✓




47

CVE-2023-32315

79

Openfire


✓





48

CVE-2023-46747

79

F5 BIG-IP


✓

✓




49

CVE-2024-36401

79

Geoserver


✓

✓




50

CVE-2026-25089

79

Fortinet FortiSandbox PaaS and Cloud


✓

✓




51

CVE-2026-39813

79

Fortinet FortiSandbox and Cloud


✓





52

CVE-2026-4020

79

Gravity SMTP


✓





53

CVE-2026-45586

79

Microsoft Windows 10 and Windows Server 2012


✓





54

CVE-2026-46817

79

Oracle Payments


✓





55

CVE-2026-5027

79

Langflow


✓





56

CVE-2026-8206

79

Kirki – Freeform Page Builder, Website Builder & Customizer


✓





57

CVE-2026-25939

72

Frangoteam FUXA


✓





Table 1: List of vulnerabilities that were actively exploited in June, 2026 based on Recorded Future data (excluding honeypot-sourced CVEs).


Key trends: June 2026



  • In June 2026, StrikeShark exploited public-facing applications to deploy SharkLoader and deliver Cobalt Strike; Lazarus exploited CVE-2025-55182 to deploy COPPERHEDGE; APT36 exploited Microsoft vulnerabilities in operations targeting India; a C0XMO botnet propagated through DD-WRT routers; EKZ information-stealing malware was delivered through FortiClient EMS exploitation; and Qilin ransomware was associated with a vulnerability affecting Check Point gateways.

  • 25 of the 60 vulnerabilities enabled remote code execution (RCE), affecting products from 18 vendors: Meta, WinRAR, Ivanti, Google, PTC, Cisco, Ubiquiti, Fortinet, Microsoft, BerriAI, Android, WPEverest, Veeam, Mirasvit, Apache, Hikvision, F5, and GeoServer.

  • Insikt Group identified public proof-of-concept (PoC) exploits for 53 of the 60 vulnerabilities identified this month.

  • The most commonly observed flaws this month were CWE-22 (Path Traversal), followed by CWE-502 (Deserialization of Untrusted Data), CWE-78 (OS Command Injection), CWE-306 (Missing Authentication for Critical Function), and CWE-287 (Improper Authentication).

  • 4 of the 60 vulnerabilities in this month’s prominent vulnerability disclosures table are at least five years old, with the oldest approximately ten years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Additionally, the fastest observed time from a vulnerability’s public disclosure to exploitation was less than one day.


Trend analysis: Malware-linked exploitation and intrusion activity


June's strongest campaign-linked theme was the exploitation of externally reachable enterprise applications and appliances. Insikt Group published a TTP Instance on the StrikeShark campaign which described activity spanning CVE-2025-55182 affecting React Server Components, CVE-2021-26855 and CVE-2022-41082 affecting Microsoft Exchange, CVE-2021-36260 affecting Hikvision firmware, CVE-2022-40684 and CVE-2024-21762 affecting Fortinet FortiOS, CVE-2023-20198 affecting Cisco IOS XE Web UI, CVE-2016-4437 affecting Apache Shiro, CVE-2021-27076 affecting Microsoft SharePoint, CVE-2022-27925 affecting Zimbra, CVE-2023-32315 affecting Openfire, CVE-2023-46747 affecting F5 BIG-IP, and CVE-2024-36401 affecting GeoServer. The exploitation of these vulnerabilities resulted in the deployment of SharkLoader, which then delivered Cobalt Strike.





Screenshot detailing risk assessment metrics and exploit status for the React2Shell vulnerability.



Figure 1: Vulnerability Intelligence Card® for CVE-2025-55128 (React2Shell) in Recorded Future (Source: Recorded Future)



React Server Components was also linked to targeted malware delivery outside the broader StrikeShark set: Lazarus Group exploited CVE-2025-55182 to deploy COPPERHEDGE against financial and blockchain-related organizations. Microsoft-related exploitation appeared in both endpoint and document-processing contexts: APT36 exploited CVE-2026-21509 (affecting Microsoft 365 Apps for Enterprise and Office 2016) and CVE-2026-21513 (affecting Windows client and server versions) in operations targeting India. This activity was linked to backdoor deployment and SHEETCREEP. CVE-2021-27137, affecting DD-WRT firmware, was linked to a C0XMO botnet campaign across Linux architectures, while Qilin Ransomware was associated with CVE-2026-50751 affecting Checkpoint Security Gateway and Spark Firewalls.


PoC exploit trends and analyses associated with this month's high-impact vulnerabilities are available to Recorded Future customers.



Source: RecordedFuture
Source Link: https://www.recordedfuture.com/blog/june-2026-cve-landscape


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Blue Team (CND)



Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.