Microsoft Kerberos KDC CVE-2026-47288 - Patch Tuesday Identity Queue Leads 10 June Triage
Finding 1: Microsoft Kerberos KDC RCE / Windows identity cluster - CVE-2026-47288
Confidence: Medium
MSRC and NCSC-NL place this item in the identity maintenance queue. Prioritise domain controllers and authentication infrastructure, then capture owner, maintenance window, and patch evidence.
Sources: Microsoft Security Response Center CVE-2026-47288 and NCSC-NL NCSC-2026-0181.
Finding 2: Microsoft Windows patch batch - CVE-2026-42904 / NCSC-2026-0181
Confidence: Medium
NCSC-NL and MSRC coverage make this a broad Windows evidence task, not a generic Patch Tuesday note. Server, endpoint, and domain-controller owners should show patch status rather than relying on calendar-based assumptions.
Sources: NCSC-NL NCSC-2026-0181 and Microsoft Security Response Center CVE-2026-42904.
Finding 3: Microsoft SharePoint Server RCE - CVE-2026-47298
Confidence: Medium
On-prem SharePoint farms need a named patch owner. Confirm externally reachable sites first, then internal collaboration farms where delayed maintenance is common.
Sources: Microsoft Security Response Center CVE-2026-47298.
Finding 4: Microsoft Office patch batch - CVE-2026-45467 / NCSC-2026-0182
Confidence: Medium
Office updates should be checked for higher-risk user groups such as finance, legal, executives, and heavy document-exchange roles. The useful control is rollout evidence, not broad user messaging.
Sources: NCSC-NL NCSC-2026-0182 and Microsoft Security Response Center CVE-2026-45467.
Finding 5: Microsoft Developer Tools patch batch - CVE-2026-47287 / NCSC-2026-0184
Confidence: Medium
Developer tooling sits outside many endpoint patch dashboards. Engineering workstations, build images, and shared toolchain hosts should be checked separately.
Sources: NCSC-NL NCSC-2026-0184 and Microsoft Security Response Center CVE-2026-47287.
Finding 6: strongSwan CVE-2026-47895 code execution
Confidence: Medium
BSI and CERT-FR both surfaced this VPN/IPsec advisory. Route it to VPN owners for fixed-version validation and prioritise gateways with wider network reach.
Sources: BSI CERT-Bund WID-SEC-2026-1832 and CERT-FR CERTFR-2026-AVI-0709.
Finding 7: Apache HTTP Server WID-SEC-2026-1824 / CVE-2026-29167 cluster
Confidence: Medium
Internet-facing Apache servers need patch-state validation and change-window planning. Use the BSI and CERT-FR references to map the issue to platform teams rather than opening one undifferentiated web ticket.
Sources: BSI CERT-Bund WID-SEC-2026-1824 and CERT-FR CERTFR-2026-AVI-0710.
Finding 8: Fortinet FG-IR-26-141 command-injection advisory
Confidence: Medium
Fortinet PSIRT published FG-IR-26-141 for command injection via start VNC JSON input. Check Fortinet asset ownership, management-plane exposure, and fixed-version guidance.
Sources: Fortinet PSIRT FG-IR-26-141.
Finding 9: Siemens KACO Blueplanet / Siemens products cluster - CVE-2025-40946
Confidence: Medium
NCSC-NL and CISA ICS coverage make this an OT product matching task. Ask plant, facilities, or energy-system owners whether Siemens KACO Blueplanet assets are deployed and remotely managed.
Sources: NCSC-NL NCSC-2026-0187 and CISA ICSA-26-160-02.
Finding 10: SAP NetWeaver and Commerce Cloud June critical fixes
Confidence: Low / Unverified
BleepingComputer reports critical SAP June fixes affecting NetWeaver and Commerce Cloud. Route this to ERP and e-commerce owners for patch confirmation, but avoid exploitation language unless SAP or another primary source confirms it.
Sources: BleepingComputer.
Finding 11: Progress Kemp LoadMaster RCE - CVE-2026-8037
Confidence: Low / Unverified
ZDI published a LoadMaster advisory for CVE-2026-8037. Edge-appliance teams should check inventory, management-plane exposure, and vendor fix status.
Sources: Zero Day Initiative ZDI-26-342.
Finding 12: Keycloak CVE-2026-11577 / WID-SEC-2026-1821 administrator-rights advisory
Confidence: Low / Unverified
BSI marked the Keycloak advisory as unpatched in today's intelligence. Inventory Keycloak instances now, especially admin-facing deployments, and watch vendor remediation before wider escalation.
Sources: BSI CERT-Bund WID-SEC-2026-1821.
Finding 13: Checkmk CVE-2026-7186 / WID-SEC-2026-1817 XSS advisory
Confidence: Low / Unverified
Monitoring platforms can hold privileged operational views. Assign the item to the monitoring-platform owner and validate fixed version and administrator exposure.
Sources: BSI CERT-Bund WID-SEC-2026-1817.
Finding 14: shell-quote CVE-2026-9277 newline escaping issue
Confidence: Low
The useful test is whether shell-quote output reaches shell command construction. Escalate those paths first and leave non-executable display-only uses for normal dependency hygiene.
Sources: GitHub Security Advisory GHSA-w7jw-789q-3m8p and Ubuntu USN-8410-1.
Finding 15: FortiOS CVE-2025-57740 heap-based buffer overflow
Confidence: Low / Unverified
NVD has the FortiOS 7.6.2 record, but today's evidence is single-source. Confirm applicability with Fortinet owners before treating it as a broad edge emergency.
Sources: NVD CVE-2025-57740.
Finding 16: File Browser CVE-2026-32759/CVE-2026-35585 exposure
Confidence: Low / Unverified
Find exposed File Browser deployments before escalating severity. File-management tools are risky when internet-facing or admin-facing, but this item needs product and exposure confirmation first.
Sources: NVD CVE-2026-32759 and CVE-2026-35585.
Finding 17: Schneider Electric EcoStruxure Panel Server - CVE-2026-6866 / ICSA-26-160-03
Confidence: Low / Unverified
CISA ICS published the advisory, so OT teams should check product and version match. Prioritise management-plane exposure over generic OT concern.
Sources: CISA ICSA-26-160-03.
Finding 18: Schneider Electric Modicon managed switches - CVE-2024-3596 / ICSA-26-160-01
Confidence: Low / Unverified
Network diagrams and OT switch inventories should be checked for affected Modicon managed switches. Keep the request narrow: product, version, and management access.
Sources: CISA ICSA-26-160-01.
Finding 19: UK-facing Microsoft Patch Tuesday owner-mapping context
Confidence: Low / Unverified
UK coverage adds useful context, but the action is to join that coverage to MSRC product records. Do that before sending customer-specific statements.
Sources: The Register.
Finding 20: Microsoft Defender RoguePlanet zero-day grants SYSTEM privileges
Confidence: Medium
A Microsoft Defender zero-day tracked as RoguePlanet is reported as actively exploited and grants SYSTEM privileges on affected hosts. Treat this as a priority endpoint-security item: confirm Defender platform and engine versions, prioritise unmanaged and high-value hosts, and capture update evidence rather than assuming managed rollout reached every device.
Sources: BleepingComputer.
Finding 21: Adobe Acrobat Reader DC information-disclosure advisories - CVE-2026-47924 / CVE-2026-47923
Confidence: Low / Unverified
ZDI published two Adobe Acrobat Reader DC information-disclosure advisories, ZDI-26-346 (CVE-2026-47924) and ZDI-26-344 (CVE-2026-47923), both rated CVSS 3.3. Each needs a user to open a malicious file or visit a malicious page, and no exploitation is reported. Fold these into normal Acrobat patch hygiene for document-handling user groups.
Sources: Zero Day Initiative ZDI-26-346 and ZDI-26-344.
Finding 22: X.Org Server CheckSetGeom information disclosure - CVE-2026-34000
Confidence: Low / Unverified
ZDI published an X.Org Server information-disclosure advisory, ZDI-26-334 (CVE-2026-34000), rated CVSS 6.1, requiring local low-privileged code execution first. Route it to Linux and workstation owners running X.Org: confirm affected versions on shared and multi-user hosts and fold it into normal patching.
Sources: Zero Day Initiative ZDI-26-334.
Update: Google Chrome zero-day CVE-2026-11645 exploited in the wild
Confidence: Medium
Today's delta: CVE-2026-11645 is Known Exploited, added to the CISA KEV catalogue on 9 June 2026 as a Chromium V8 out-of-bounds read and write flaw. CVE-2026-11628 is the companion fix in the same Chrome update and is not in KEV. Validate browser update compliance and prioritise unmanaged endpoints.
Sources: CISA KEV catalogue, BSI CERT-Bund WID-SEC-2026-1819, SecurityWeek, and BleepingComputer.
Update: Cisco Catalyst SD-WAN zero-day CVE-2026-20245 under attack
Confidence: Medium
Today's delta: CVE-2026-20245 is Known Exploited, added to the CISA KEV catalogue on 9 June 2026 with a 23 June federal remediation deadline. It is a Cisco Catalyst SD-WAN Manager output-encoding flaw and the seventh actively exploited SD-WAN zero-day this year, with no vendor patch yet. Route to network and edge owners: confirm SD-WAN Manager exposure, restrict management-plane access, and apply Cisco mitigations as they ship.
Sources: CISA KEV catalogue and CyberScoop.
Update: Veeam Backup & Replication CVE-2026-44963 RCE
Confidence: Medium
Today's delta: patch-released status moves backup servers into fixed-version validation; check management exposure and backup-administrator access.
Sources: BSI CERT-Bund WID-SEC-2026-1834, CERT-FR CERTFR-2026-AVI-0712, and BleepingComputer.
Update: Check Point Security Gateway VPN CVE-2026-50751 / Qilin reporting
Confidence: Medium
Today's delta: CVE-2026-50751 is Known Exploited, added to the CISA KEV catalogue on 8 June 2026 with a three-day federal remediation deadline. It is an IKEv1 improper-authentication flaw that lets an unauthenticated remote attacker establish a VPN connection without valid credentials. Patch-released status and ransomware-linked reporting justify a separate VPN edge ticket; keep it separate from other Check Point CVE queues.
Sources: CISA KEV catalogue, SecurityWeek, and BleepingComputer.
Update: WinRAR CVE-2025-8088 exploitation by Russia-aligned groups
Confidence: Medium
Today's delta: CVE-2025-8088 is Known Exploited, in the CISA KEV catalogue since 12 August 2025, a WinRAR path-traversal flaw now tied to Russia-aligned exploitation. Endpoint teams should look for stale installs and archive-handling exposure.
Sources: CISA KEV catalogue, The Hacker News, and NVD CVE-2025-8088.
Update: Shai-Hulud PyPI package trojanisation
Confidence: Low / Unverified
Today's delta: reported reach widened to 19 science-focused packages; research, science, and ML teams should compare package locks and CI installs with the published list.
Sources: BleepingComputer.
Update: Hades PyPI campaign
Confidence: Low / Unverified
Today's delta: 19 poisoned packages were reported; check package locks, developer endpoints, and CI logs where those package names appear.
Sources: The Hacker News.
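Added example (not from the cited reports): one way to compare a pip-style lock file with a reported package list, as the Shai-Hulud and Hades items above ask. Names are matched after PEP 503 normalisation so case and separator variants are not missed; the package names and lock content are constructed placeholders, since the published lists are not reproduced here.

```python
import re

# Placeholder names only: the published Shai-Hulud / Hades package lists are
# not reproduced on this page, so fill this set from the vendor reports.
REPORTED = {"example-sci-pkg", "example_ml.toolkit"}

# Constructed sample lock content (pip requirements / pip freeze style).
SAMPLE_LOCK = """\
# constructed sample, not real telemetry
numpy==2.1.0
Example_Sci.Pkg==0.4.2 \\
    --hash=sha256:0000
example-ml-toolkit[cuda]>=1.0 ; python_version >= "3.10"
-r base.txt
requests @ https://example.invalid/requests.whl
"""


def normalise(name):
    """PEP 503 normalisation: case-insensitive, runs of -, _ and . are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def locked_packages(text):
    """Yield (line_number, normalised_name, raw_line) for requirement lines."""
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        # Skip blanks, comments and pip options (-r, --hash continuation lines).
        if not stripped or stripped.startswith(("#", "-")):
            continue
        match = _NAME.match(stripped)
        if match:
            yield number, normalise(match.group(1)), stripped


def find_reported(text, reported):
    """Return lock entries whose normalised name is on the reported list."""
    wanted = {normalise(name) for name in reported}
    return [(n, name, raw) for n, name, raw in locked_packages(text)
            if name in wanted]


if __name__ == "__main__":
    for number, name, raw in find_reported(SAMPLE_LOCK, REPORTED):
        print(f"line {number}: {name}  <- {raw}")
```

A plain string comparison would miss both sample hits, because the lock spells the names with different case and separators than the list does.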
Update: TeamPCP supply-chain campaign
Confidence: Low / Unverified
Today's delta: activity remains relevant through 07 June 2026; keep it in developer and package telemetry review.
Sources: SANS ISC.
Update: Proofpoint UNKDeadDrop developer phishing campaign
Confidence: Low / Unverified
Today's delta: developer-focused phishing detail adds repository-lure and cryptocurrency-theft relevance; extract Proofpoint indicators for email and developer telemetry.
Sources: Proofpoint.
Update: Linux kernel CVE-2026-23111 local-root item
Confidence: Low / Unverified
Today's delta: public exploit and patch-routing pressure make shared Linux hosts, CI runners, developer workstations, and bastions the first review targets.
Sources: NVD CVE-2026-23111.
Update: PHPSpreadsheet CVE-2026-45034 patch bypass
Confidence: Low / Unverified
Today's delta: applications parsing untrusted spreadsheets should confirm package remediation and prioritise file-ingestion paths.
Sources: GitHub Security Advisory GHSA-5pgg-2g8v-p4x9.
Update: SymfonyRuntime CVE-2026-47767 patch bypass
Confidence: Low / Unverified
Today's delta: SymfonyRuntime users should validate patched versions where web requests can influence runtime environment handling.
Sources: GitHub Security Advisory GHSA-fqc7-9xjw-jrh3.
Why This Matters
This is a routing day, not a single-vendor panic. Microsoft identity and Windows patch evidence sit at the front, but the same 24-hour window also creates work for ERP, backup, VPN/browser, Apache, strongSwan, Fortinet, Kemp, OT, and developer dependency owners.
The practical risk is missed ownership. A single patch calendar will not cover domain controllers, on-prem SharePoint, SAP, Veeam, OT panels, edge appliances, Python and PHP packages, and developer phishing telemetry. Each needs a named owner and a narrow exposure question.
Recommended Actions
- Treat the actively exploited zero-days as immediate: Cisco Catalyst SD-WAN CVE-2026-20245 (KEV), Microsoft Defender RoguePlanet, Google Chrome CVE-2026-11645 (KEV), Check Point CVE-2026-50751 (KEV), and WinRAR CVE-2025-8088 (KEV).
- Treat Microsoft Kerberos KDC CVE-2026-47288, Windows, SharePoint, Office, and developer-tool updates as a coordinated Patch Tuesday evidence request.
- Confirm SAP, Veeam, Chrome, Check Point VPN, and WinRAR patch state before broadening incident language.
- Route strongSwan, Apache, Fortinet, Kemp, Siemens, and Schneider Electric items to asset owners for product, version, and exposure checks.
- Keep LOW / UNVERIFIED findings in validation language. Do not turn single-source advisories into exploitation claims.
- Review developer and package surfaces for Shai-Hulud, Hades, TeamPCP, UNKDeadDrop, PHPSpreadsheet, SymfonyRuntime, shell-quote, and Linux CVE-2026-23111 indicators.
All findings grounded in a13e intelligence sweeps through 05:15 UTC 10 June 2026.