Daily Threat Intelligence Brief - June 28, 2026

The Operator's Take

The story this week is not any single CVE, it is the seam where edge appliances, ransomware crews, and state crews now share the same front door. Check Point's VPN auth bypass (CVE-2026-50751) and Cisco's SD-WAN root flaw (CVE-2026-20245) both look modest in isolation, and that is exactly the trap: the Cisco bug is rated a 7.8 authenticated-local on paper, but it sits next to two auth-bypass companions in the same product, so the real-world chain is an unauthenticated path to a UID-0 backdoor account. If you triage edge vulnerabilities by standalone CVSS, you will keep underweighting the ones that actually get you owned. The defender move this week is to stop scoring perimeter CVEs as standalone numbers and start scoring them as chains: any auth-bypass on an internet-facing appliance promotes every "requires privileges" bug behind it to critical. Second, the Oracle PeopleSoft zero-day (CVE-2026-35273) was live for two weeks before the advisory, which means your patch SLA is irrelevant for the window that matters most, so compensating controls and exposure reduction beat patch speed for internet-facing ERP. Third, the same Qilin infrastructure hitting Check Point is reusing tooling against Palo Alto, Fortinet, and F5: treat one exploited VPN vendor as a signal to audit all of them, not just the one in the headline.

Executive Summary

Oracle PeopleSoft CVE-2026-35273 (CVSS 9.8) was exploited as an unauthenticated RCE zero-day between May 27 and June 9, 2026, roughly two weeks before Oracle's June 10 advisory, per Mandiant. Rapid7
CISA added Cisco Catalyst SD-WAN Manager CVE-2026-20245 and Arista EOS CVE-2026-7473 to the KEV catalog alongside a Chrome V8 zero-day (CVE-2026-11645), all under active exploitation. CISA
Check Point VPN CVE-2026-50751 (CVSS 9.3), an IKEv1 authentication bypass, has been exploited since May 7 and is linked with medium confidence to a Qilin ransomware affiliate. Check Point
Microsoft's June Patch Tuesday set a record at 206 CVEs, 32 critical, including three zero-days and two 9.8 RCEs in the DHCP Client (CVE-2026-44815) and HTTP.sys (CVE-2026-47291). The Hacker News
CISA added three Ubiquiti UniFi OS flaws (CVE-2026-34908/34909/34910) and a Cisco Unified Communications Manager SSRF (CVE-2026-20230) to KEV based on active exploitation. CISA
OWASP keeps prompt injection the #1 LLM risk for 2026, with reported attack volume up 340% year over year and MCP tool poisoning emerging as a primary agent attack vector. Kunal Ganglani
Qilin and Akira ransomware continue to weaponize VPN flaws, with Akira claiming JMS Southeast (25GB) and Qilin hitting Greek pharma firm ISOPLUS, both surfacing around June 25. DeXpose
Chinese state-sponsored APT activity against edge devices drew a renewed joint advisory, with median breakout time compressed to 72 minutes in 2026. Security Affairs

Critical Vulnerabilities

CVE-2026-35273 - Oracle PeopleSoft Enterprise PeopleTools (CVSS 9.8)

A critical flaw in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools is remotely exploitable without authentication and can result in remote code execution. Oracle published its advisory on June 10, 2026, but Mandiant reported active in-the-wild exploitation as a zero-day from May 27 through June 9, predating the advisory by about two weeks. Internet-facing PeopleSoft deployments should be treated as compromised-until-proven-clean for that exposure window. Rapid7

CVE-2026-20245 - Cisco Catalyst SD-WAN Manager, Controller, Validator (CVSS 7.8)

An improper-input-validation flaw (CWE-116) in the CLI lets an attacker with netadmin privileges upload a crafted file that backend scripts process without sanitization, yielding command execution as root. The standalone CVSS understates the risk: paired with auth-bypass flaws CVE-2026-20182 or CVE-2026-20127 in the same product, the full chain is unauthenticated. Cisco PSIRT confirmed exploitation at least a week before the June 5 disclosure, and observed attacks appended a UID-0 account named troot to /etc/passwd and /etc/shadow via a malicious evil_tenant.csv. Fixed releases include 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1, and 26.1.1.2. The Hacker News, Google Cloud

CVE-2026-50751 - Check Point Remote Access / Mobile Access VPN (CVSS 9.3)

A logic-flow weakness in certificate validation for deployments using the deprecated IKEv1 protocol allows a remote, unauthenticated attacker to bypass authentication and establish a VPN connection with no valid password. Attacks began May 7, surged in early June, and have hit a few dozen organizations. Check Point assesses with medium confidence the operator is financially motivated and uses Qilin ransomware, the Tox protocol for comms, and Rclone for exfiltration. CISA added it to KEV with a June 11 federal deadline. The same infrastructure is believed to be probing Palo Alto, Fortinet, and F5 VPN flaws. Check Point, BleepingComputer

CVE-2026-7473 - Arista EOS Incomplete Comparison (KEV)

CISA added this incomplete-comparison-with-missing-factors flaw in Arista's Extensible Operating System to the KEV catalog on June 9, 2026 based on evidence of active exploitation. Operators running EOS on network infrastructure should prioritize the vendor fix within KEV deadlines. CISA

CVE-2026-11645 - Google Chromium V8 Zero-Day (CVSS 8.8)

An out-of-bounds read and write in V8, Chrome's JavaScript and WebAssembly engine, allows a remote attacker to execute arbitrary code inside the sandbox via a crafted HTML page. Exploited in the wild and added to KEV. Browser-based RCE remains a reliable initial-access primitive for both crimeware and espionage. The Hacker News

Microsoft June 2026 Patch Tuesday - Record 206 CVEs

Microsoft patched a record 206 vulnerabilities, 32 rated critical, including three zero-days. Two carry CVSS 9.8: CVE-2026-44815 (Windows DHCP Client Service RCE) and CVE-2026-47291 (HTTP.sys RCE). CVE-2026-41091 is an actively exploited Microsoft Defender privilege escalation. The 200-plus-CVE month is now characterized as a "new normal." The Hacker News, Tenable

CVE-2026-34908 / 34909 / 34910 - Ubiquiti UniFi OS (KEV)

CISA added three UniFi OS flaws to KEV on June 23: improper access control (CVE-2026-34908), path traversal (CVE-2026-34909), and improper input validation (CVE-2026-34910), all under active exploitation. UniFi gateways and controllers are common in SMB and prosumer networks, widening the exposed footprint. CISA, Cybersecurity News

CVE-2026-20230 - Cisco Unified Communications Manager SSRF (KEV)

CISA added this server-side request forgery flaw in Cisco Unified Communications Manager to KEV on June 25 based on active exploitation. SSRF on a UC platform can pivot into internal services and metadata endpoints. CISA

AI Security Threats

The AI attack surface continued to consolidate around a single architectural truth: large language models process instructions and data on the same channel, with no built-in separation between a trusted system prompt and untrusted input. That is why prompt injection remains OWASP's number-one LLM risk for 2026, with reported attack volume up 340% year over year, the fastest-growing attack category in the OWASP 2026 LLM Security Report. The industry framing has shifted: prompt injection is increasingly described not as a patchable bug but as a structural property of how current models work, which moves the burden from "fix the model" to "contain the blast radius." Kunal Ganglani, TechTimes

The most operationally relevant escalation is in the agent tooling layer. The rise of the Model Context Protocol and tool-using agents has turned prompt injection from a chatbot annoyance into a path to data exfiltration and unauthorized action. In tool poisoning, a malicious MCP server embeds injection payloads directly inside tool descriptions: the descriptions are read by the agent to learn how to call the tool, but are invisible to the human operator, so the user approves a tool they never actually see the instructions for. Kunal Ganglani

Two real-world supply-chain incidents show the pattern is past theory:

postmark-mcp: the first malicious MCP server caught in the wild shipped fifteen clean versions to build trust before adding malicious code, a classic slow-burn supply-chain play adapted to the agent ecosystem.
LiteLLM PyPI backdoor: in February 2026, an autonomous bot exploited a misconfigured GitHub Actions workflow and pushed backdoored LiteLLM builds to the Python Package Index, an attack notable for being machine-driven end to end.

Kunal Ganglani

For anyone running agentic red teaming or deploying agents in production, the defensive priorities this quarter are: pin and review MCP server versions rather than trusting a name, render tool descriptions to the human before granting tool access, enforce least-privilege scoping on every tool an agent can call, and treat any agent with both untrusted-input exposure and a powerful tool (filesystem, shell, outbound HTTP, credential store) as a single combined trust boundary, not two separate features. The combination of "reads attacker-controlled content" plus "can take a consequential action" is the actual vulnerable surface, the same lethal-trifecta logic that governs classic injection. arXiv: Formalizing LLM Agent Security

Threat Actor Activity

Actor	Type	Recent Activity	Source
Qilin (Agenda)	Ransomware (RaaS)	Linked with medium confidence to Check Point VPN zero-day exploitation (CVE-2026-50751); heavy healthcare focus; hit Greek pharma ISOPLUS around June 25	Help Net Security
Akira	Ransomware	Claimed JMS Southeast on June 25, threatening release of 25GB; continues VPN-flaw exploitation	DeXpose
Volt Typhoon	China state-sponsored	Critical-infrastructure pre-positioning via edge devices and compromised routers	Security Affairs
Salt Typhoon / APT40	China state-sponsored	Telecom and ISP espionage, pivoting through edge appliances	CISA AA25-239A
APT41	China state-sponsored	Dual espionage and financially motivated operations	Security Affairs
Sandworm	Russia state-sponsored	Cyber operations integrated into kinetic doctrine, operating on military timelines	Hive Security

A joint advisory from NSA, NCSC, FBI, CISA, and allied partners reinforced that Chinese state-sponsored actors are running a deliberate, sustained campaign for long-term access to critical infrastructure, prioritizing historically exploited CVEs on exposed edge devices including Fortinet, Juniper, Microsoft Exchange, Nokia, Sierra Wireless, and SonicWall. The median adversary breakout time compressed to 72 minutes in 2026, a fourfold reduction year over year, which shrinks the window between initial foothold and lateral movement to less than a coffee break. CISA

Ransomware and Data Breaches

Victim / Target	Actor	Impact	Date	Source
JMS Southeast (temperature measurement, US)	Akira	25GB data exfiltration threatened	June 25, 2026	DeXpose
ISOPLUS (pharmaceutical, Greece)	Qilin	Breach disclosed, healthcare-sector targeting	June 25, 2026	Ransomware.live
Multiple healthcare orgs	Qilin	9 new victims claimed in a 24-hour window, healthcare focus	Late June 2026	DeXpose

The throughline across the ransomware data is initial access via VPN and edge appliances. Qilin, Akira, and Play are all actively exploiting VPN vulnerabilities to breach networks in 2026, and ransomware volume is holding at an elevated "new normal" rather than declining. The convergence of a Qilin affiliate on the Check Point IKEv1 bypass is the clearest current example of a single perimeter CVE feeding a full extortion chain. BriteCity, Industrial Cyber

Recommended Actions

Immediate (0 to 72 hours)

Patch all CISA KEV additions against their federal deadlines: Cisco SD-WAN CVE-2026-20245, Arista EOS CVE-2026-7473, Chrome V8 CVE-2026-11645, Ubiquiti UniFi OS CVE-2026-34908/34909/34910, and Cisco UCM CVE-2026-20230. CISA KEV
Apply the Check Point hotfix for CVE-2026-50751 and disable the deprecated IKEv1 protocol where remote-access or mobile-access VPN is in use. Check Point
Hunt for compromise on internet-facing PeopleSoft (CVE-2026-35273) across the May 27 to June 9 window; patch is not sufficient given pre-disclosure exploitation. Rapid7
On Cisco SD-WAN, audit /etc/passwd and /etc/shadow for rogue UID-0 accounts (for example troot) as an indicator of CVE-2026-20245 exploitation. Google Cloud

Short-Term (1 to 4 weeks)

Deploy Microsoft June Patch Tuesday, prioritizing the 9.8 RCEs in DHCP Client (CVE-2026-44815) and HTTP.sys (CVE-2026-47291) and the actively exploited Defender privesc (CVE-2026-41091). Tenable
Re-triage all internet-facing VPN and edge appliances by chainability, not standalone CVSS, since auth-bypass companions promote "requires privileges" bugs to critical. Audit Palo Alto, Fortinet, and F5 VPN exposure given shared Qilin infrastructure. Check Point
Pin and review MCP server versions for any deployed AI agents; render tool descriptions to a human before granting tool access; scope every agent tool to least privilege. Kunal Ganglani

Strategic (1 quarter and beyond)

Adopt a chain-aware vulnerability management model for perimeter assets: any auth-bypass on an exposed appliance should automatically raise the priority of every authenticated flaw behind it.
Treat agent security as a trust-boundary problem, not a model problem. Architect agents so that untrusted-input exposure and high-consequence tools are never combined without isolation, approval gates, or output filtering. Run agentic red teaming against your own deployments. arXiv
Compress detection and response to beat a 72-minute breakout window. Invest in identity-anomaly detection and edge-device telemetry, since pre-positioning by Chinese APT actors targets exactly the devices that fall outside traditional endpoint coverage. CISA
Build a software and agent supply-chain review gate that accounts for slow-burn trust-building attacks (postmark-mcp) and automated CI/CD compromise (LiteLLM), not just one-shot malicious uploads.