Ivanti Sentry CVE-2026-10520 - Security Appliance Patch Routing Leads 11 June Triage
Finding 1: Ivanti Sentry critical vulnerability cluster - CVE-2026-10520 / WID-SEC-2026-1841
Confidence: Medium
BSI, The Register, and SecurityWeek coverage put Ivanti Sentry at the front of the day. The action is narrow: identify Sentry owners, patch affected systems, and confirm whether any management plane is exposed to networks that should not reach it.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1841 ; https://www.theregister.com/patches/2026/06/10/ivanti-urges-sentry-users-to-patch-two-critical-bugs/5253428 ; https://www.securityweek.com/critical-vulnerabilities-patched-in-fortinet-ivanti-products/.
Finding 2: Fortinet FortiSandbox command execution - CVE-2026-25089 / WID-SEC-2026-1836
Confidence: Low / Unverified
The FortiSandbox item is single-source in this package, so keep the language restrained. Security-processing environments should still check inventory and fixed-version status because sandbox infrastructure often sits close to mail, file, and detonation workflows.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1836.
Finding 3: Adobe ColdFusion and Experience Manager updates - CVE-2026-47928 / CVE-2026-34691
Confidence: Low / Unverified
ColdFusion and Experience Manager should be routed to web-tier owners, especially where the applications are externally reachable. The evidence supports patch and exposure checks, not exploitation claims.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1858 ; https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1857.
Finding 4: Lenovo ThinkPad firmware/platform vulnerabilities - CVE-2026-20452 / WID-SEC-2026-1864
Confidence: Low / Unverified
This is an endpoint-platform compliance task. Map affected ThinkPad models, then confirm firmware and platform updates through the endpoint-management tool rather than relying on OS patch status.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1864.
Finding 5: Zoom Workplace privilege escalation - CVE-2026-53407 / WID-SEC-2026-1839
Confidence: Low / Unverified
Zoom Workplace updates belong with managed-client owners. Give priority to administrator endpoints and high-risk user groups where local privilege escalation would have a larger blast radius.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1839.
Finding 6: CERT-EU Windows Netlogon critical advisory - CERT-EU 2026-007
Confidence: Low / Unverified
CERT-EU places Windows Netlogon into the domain-controller queue. Reconcile it against existing Microsoft patch evidence and make sure domain-controller owners can show deployment status.
Sources: https://cert.europa.eu/publications/security-advisories/2026-007/.
Finding 7: FreeBSD WID-SEC-2026-1871 / CVE-2026-10846 cluster
Confidence: Medium
BSI and CERT-FR both surfaced the FreeBSD cluster, raising confidence above single-source items. Route it to appliance, storage, jail-host, and FreeBSD platform owners for version checks.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1871 ; https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0716/.
Finding 8: BSI Kernel WID-SEC-2026-1870 / CVE-2026-46316 cluster
Confidence: Low / Unverified
The kernel item should be handled as server and container-host hygiene. There is no exploitation proof in the daily intelligence, so focus on baseline routing and maintenance windows.
Sources: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1870.
Finding 9: NCSC-NL Veeam Backup & Replication NCSC-2026-0188
Confidence: Low / Unverified
Backup platforms are resilience-critical even when the evidence is still unverified. Confirm whether NCSC-2026-0188 maps to deployed Veeam Backup and Replication versions, then assign a patch window.
Sources: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0188.
Finding 10: Palo Alto Cortex XSOAR/XSIAM CVE-2026-0274 integration credential validation flaw
Confidence: Low / Unverified
The Palo Alto Cortex XSOAR/XSIAM item concerns CommvaultSecurityIQ integration credential validation. Review whether the integration is deployed, what credentials it holds, and whether scopes are wider than needed.
Sources: https://security.paloaltonetworks.com/CVE-2026-0274.
Finding 11: PAN-OS CVE-2026-0269 tunnel-traffic DoS
Confidence: Low / Unverified
PAN-OS CVE-2026-0269 is a tunnel-traffic denial-of-service item. Firewall owners should check authenticated tunnel exposure and maintenance-mode risk before broad escalation.
Sources: https://security.paloaltonetworks.com/CVE-2026-0269.
Finding 12: PAN-OS CVE-2026-0273 authenticated admin command injection
Confidence: Low / Unverified
PAN-OS CVE-2026-0273 sits on the authenticated administration path. Reduce shared admin-plane access and patch eligible firewalls, especially where administrator access is broad.
Sources: https://security.paloaltonetworks.com/CVE-2026-0273.
Finding 13: Go Restful API Boilerplate CVE-2026-48031 hardcoded JWT secret
Confidence: Low / Unverified
The hardcoded JWT secret risk is mainly a codebase discovery task. Search for deployed boilerplate use and rotate secrets where teams inherited defaults.
Sources: https://github.com/advisories/GHSA-mqq6-462x-jxmm.
Finding 14: @hulumi/policies CVE-2026-48032 IAM-role policy bypass
Confidence: Low / Unverified
This Pulumi policy-bypass item should go to IaC platform owners. Validate assumptions around IAM-role restrictions and do not assume policy packs catch every deployment route.
Sources: https://github.com/advisories/GHSA-g759-4pxw-6692.
Finding 15: @hulumi/policies CVE-2026-48033 forged Pulumi-URN policy bypass
Confidence: Low / Unverified
The forged Pulumi-URN bypass item needs a separate policy review. Checks that trust logical names or URNs should be tested against the advisory conditions.
Sources: https://github.com/advisories/GHSA-rhgj-6g2c-frmm.
Finding 16: Claude Code Action CVE-2026-47751 malicious MCP config RCE path
Confidence: Low / Unverified
CI and agent workflows need a configuration review. The concern is PR-controlled MCP server configuration, so restrict who can influence agent runtime settings and inspect affected pipelines.
Sources: https://github.com/advisories/GHSA-8q5r-mmjf-575q.
Finding 17: vLLM CVE-2026-47155 artifact-pinning weakness
Confidence: Low / Unverified
vLLM deployments should be checked for code, weight, and configuration artifact drift. Treat this as AI platform supply-chain hygiene unless stronger exploitation evidence appears.
Sources: https://github.com/advisories/GHSA-3ww4-5jv9-j5gm.
Finding 18: OpenTelemetry Operator CVE-2026-47701 bearerTokenFile arbitrary reads
Confidence: Low / Unverified
Kubernetes teams should inspect ServiceMonitor resources that use bearerTokenFile. The practical check is whether sensitive paths can be read through monitoring configuration.
Sources: https://github.com/advisories/GHSA-cxh2-4639-vmc5.
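One way to run the inspection described in Finding 18, as an added example that is not taken from the advisory or the OpenTelemetry Operator project. It lists every ServiceMonitor endpoint that sets bearerTokenFile and flags any path outside an allow-list; the allow-list and the sample resources are assumptions constructed for illustration.

```python
import json
import posixpath

# Assumption: only the pod's own service-account token is an expected target.
ALLOWED_TOKEN_PATHS = {
    "/var/run/secrets/kubernetes.io/serviceaccount/token",
    "/run/secrets/kubernetes.io/serviceaccount/token",
}

# Constructed sample shaped like `kubectl get servicemonitors -A -o json`.
SAMPLE_JSON = """
{"items": [
  {"metadata": {"namespace": "monitoring", "name": "api"},
   "spec": {"endpoints": [
     {"port": "metrics",
      "bearerTokenFile": "/var/run/secrets/kubernetes.io/serviceaccount/token"}]}},
  {"metadata": {"namespace": "team-a", "name": "batch"},
   "spec": {"endpoints": [
     {"port": "metrics"},
     {"port": "admin", "bearerTokenFile": "/etc/example/other-credential"}]}},
  {"metadata": {"namespace": "team-b", "name": "web"},
   "spec": {"endpoints": [{"port": "metrics"}]}}
]}
"""

def audit_bearer_token_files(servicemonitor_list):
    """List every endpoint that sets bearerTokenFile and flag unexpected paths."""
    findings = []
    for item in servicemonitor_list.get("items", []):
        meta = item.get("metadata", {})
        endpoints = (item.get("spec") or {}).get("endpoints") or []
        for index, endpoint in enumerate(endpoints):
            path = endpoint.get("bearerTokenFile")
            if not path:
                continue
            # Normalise first so "a/../b" style paths cannot pass the allow-list.
            normalized = posixpath.normpath(path)
            findings.append({
                "servicemonitor": f"{meta.get('namespace')}/{meta.get('name')}",
                "endpoint": index,
                "path": path,
                "needs_review": normalized not in ALLOWED_TOKEN_PATHS,
            })
    return findings

if __name__ == "__main__":
    for finding in audit_bearer_token_files(json.loads(SAMPLE_JSON)):
        print(finding)
```

Entries with needs_review set go to the owning team together with the advisory; whether a flagged path is actually affected depends on the conditions the advisory describes.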
Finding 19: Keycloak CVE-2026-9704 identity queue item
Confidence: Low / Unverified
Identity teams should track vendor remediation and assess low-privilege authenticated exposure. Keep the item in validation language until stronger confirmation is available.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-9704.
Finding 20: GitHub npm registry security-control changes
Confidence: Low / Unverified
GitHub npm registry control changes are not a vulnerability patch, but they affect maintainer 2FA, tokens, provenance, and CI publishing. Package owners should map the changes to their release process.
Sources: https://www.bleepingcomputer.com/news/security/github-announces-npm-security-changes-to-tackle-supply-chain-attacks/.
Finding 21: CVE-2026-27220 / ZDI-26-355 - Adobe Acrobat Reader DC Annotation use-after-free RCE
Confidence: Low / Unverified
Document-handling endpoints should be prioritised because the ZDI item concerns Acrobat Reader DC Annotation use-after-free RCE. Focus first on users who process untrusted PDFs.
Sources: http://www.zerodayinitiative.com/advisories/ZDI-26-355/.
Finding 22: CVE-2026-49396 / GHSA-8qhj-4f8c-j8qg - Nezha cross-site GET stored cron-command trigger
Confidence: Low / Unverified
Teams running Nezha or exposed monitoring panels should review cron and job controls. The item is unverified in this package, so start with product and exposure confirmation.
Sources: https://github.com/advisories/GHSA-8qhj-4f8c-j8qg.
Finding 23: CVE-2026-47768 / GHSA-9pg3-25fq-p6cc - nebula-mesh operator API key redirect exposure
Confidence: Low / Unverified
The operator API key redirect exposure calls for key rotation where exposure is confirmed. Review logs for Referer leakage before deciding whether incident handling is needed.
Sources: https://github.com/advisories/GHSA-9pg3-25fq-p6cc.
Update: Progress Kemp LoadMaster edge-appliance RCE - CVE-2026-8037
Confidence: Low / Unverified
Previously covered 10 June 2026; today's delta: ZDI visibility and severity-change materiality keep LoadMaster in the edge-appliance queue.
Progress Kemp LoadMaster remains an update, not a fresh lead. Edge teams should verify inventory, management-plane exposure, and vendor fix status before treating this as an incident claim.
Sources: Zero Day Initiative ZDI-26-342.
Why This Matters
This is an owner-assignment day. The risk is not only one critical edge appliance; it is the chance that security appliances, backup systems, identity services, developer agents, document handlers, and package controls all wait for someone else to route the work.
The evidence depth is uneven. Ivanti Sentry and FreeBSD have multi-source support, while many GHSA, NVD, ZDI, BSI, NCSC-NL, Palo Alto, and CERT-EU rows remain LOW / UNVERIFIED. That means the right response is disciplined triage: product match, exposure check, fixed-version evidence, then escalation only where the asset is present and reachable.
Recommended Actions
- Validate exposed edge and security platforms first: Ivanti Sentry, FortiSandbox, PAN-OS, Cortex integrations, and Progress Kemp LoadMaster.
- Reconcile identity and resilience items: CERT-EU Netlogon, Keycloak, Veeam, and OpenTelemetry bearerTokenFile exposure.
- Patch managed endpoint and document-handler surfaces: Adobe Acrobat, ColdFusion, Experience Manager, Lenovo firmware, and Zoom Workplace.
- Audit developer and AI supply-chain controls: Claude Code Action MCP configuration, vLLM artifact pinning, npm publishing changes, Go JWT boilerplate, and Pulumi policy bypasses.
- Keep LOW / UNVERIFIED items in validation language. Do not turn single-source advisories into exploitation claims.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 11 June 2026.
Update: Microsoft Defender RoguePlanet Zero-Day Grants SYSTEM Access on Updated Windows
Confidence: Medium
The anonymous security researcher going by the name Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) exploit for yet another Microsoft Defender zero-day named RoguePlanet. "The exploit is a race condition, so it's a hit or miss," the researcher, who published the exploit
Sources: https://thehackernews.com/2026/06/microsoft-defender-rogueplanet-zero-day.html
Update: Microsoft ships largest Patch Tuesday on record, with one bug under active attack
Confidence: Medium
The release comes after Microsoft’s security leadership acknowledged last month that AI tools are driving a surge in vulnerability discovery across the industry.
Sources: https://therecord.media/microsoft-ships-largest-patch-tuesday-on-record
Update: Microsoft patches Exchange Server zero-day exploited in attacks
Confidence: Medium
Microsoft has patched an actively exploited Exchange Server vulnerability that allows threat actors to execute arbitrary JavaScript code in cross-site scripting (XSS) attacks targeting Outlook Web Access users. [...]
Sources: https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-exchange-server-zero-day-exploited-in-attacks/
Update: Microsoft Defender 'RoguePlanet' zero-day grants SYSTEM privileges
Confidence: Medium
A security researcher has released a new Microsoft Defender zero-day exploit named "RoguePlanet" just hours after Microsoft fixed two previously disclosed flaws during June 2026 Patch Tuesday. [...]
Sources: https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/
Update: Microsoft patches YellowKey, GreenPlasma, MiniPlasma zero-days
Confidence: Medium
On Tuesday, Microsoft patched two zero-day vulnerabilities that let attackers gain SYSTEM privileges on fully patched Windows systems, and a third one that grants access to BitLocker-protected drives. [...]
Sources: https://www.bleepingcomputer.com/news/microsoft/microsoft-patches-yellowkey-greenplasma-miniplasma-zero-days/
Update: WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine CVE-2025-8088
Confidence: Medium
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released. The activity has been attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UA [...] Known Exploited (CISA KEV).
Sources: https://thehackernews.com/2026/06/winrar-flaw-exploited-by-russia-aligned.html
Update: ServiceNow Patches Vulnerability Exploited Against Some Customers
Confidence: Medium
The company updated hosted customer instances to patch a security issue it reportedly had known about since April 7.
Sources: https://www.securityweek.com/servicenow-patches-vulnerability-exploited-against-some-customers/
Update: June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days
Confidence: Medium
Route to the relevant asset owner for patch evidence.
Sources: https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-june-2026/
Update: Critical Vulnerabilities Patched in Fortinet, Ivanti Products
Confidence: Medium
Two OS command injection flaws can be exploited remotely, without authentication, for arbitrary code execution.
Sources: https://www.securityweek.com/critical-vulnerabilities-patched-in-fortinet-ivanti-products/
Update: ServiceNow Flaw Exploited to Gain Unauthorized Access to Customer Instances
Confidence: Medium
ServiceNow has warned about a security incident in which unknown threat actors exploited a flaw to obtain deeper unauthorized access to susceptible instances. "On June 5, 2026, ServiceNow applied a security update to hosted customer instances," the company revealed in an advisory that requires custo
Sources: https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html
Update: Cisco customers encounter another SD-WAN zero-day under attack
Confidence: Medium
The defect marks the seventh actively exploited zero-day in Cisco SD-WANs this year, and the vendor has yet to release a patch.
Sources: https://cyberscoop.com/cisco-sdwan-zero-day-vulnerability-exploited-cve202620245/