Bi-Weekly Threat Intel: CISA KEV Additions and Critical Zero-Days (June 2026)
A comprehensive round-up of the Known Exploited Vulnerabilities (KEV) added to CISA's catalog over the last two weeks, highlighting critical risks in VPN gateways, AI proxies, SD-WAN infrastructure, and kernel-level privilege escalations.
Introduction
In the threat landscape, CISA’s Known Exploited Vulnerabilities (KEV) catalog serves as one of the most reliable indicators of active attacker behavior. When a vulnerability is added to the KEV, it means defenders can no longer treat it as a hypothetical or theoretical risk—adversaries are actively scanning for, exploiting, and utilizing it in live environments.
Over the last two weeks (late May through June 11, 2026), CISA added over a dozen highly critical vulnerabilities to the KEV. This bi-weekly round-up reviews the technical details, exploitation context, and recommended remediation steps for the most impactful additions.
1. Gateway & Perimeter Security
VPNs and boundary firewalls continue to be the primary targets for initial access, especially for ransomware affiliates looking for entry points into corporate environments.
Check Point Security Gateway (CVE-2026-50751)
- Severity: Critical (CVSS 9.3)
- Vulnerability Class: Authentication Bypass (CWE-287)
- Exploitation Context: Disclosed and added to the KEV on June 8, 2026, Check Point and CISA confirmed active exploitation going back to May 7, 2026. The vulnerability resides in legacy, deprecated IKEv1 certificate validation. Unauthenticated remote attackers can establish a VPN tunnel without a valid user password. Check Point linked at least one post-compromise case to a Qilin ransomware affiliate.
- Remediation: Apply the exact hotfix listed in sk185033. If patching is delayed, disable legacy IKEv1 client authentication.
Cisco Catalyst SD-WAN Manager (CVE-2026-20245)
- Severity: High (CVSS 7.8)
- Vulnerability Class: Authenticated Command Injection / Local Privilege Escalation (CWE-116)
- Exploitation Context: Added to KEV on June 9, 2026. An authenticated attacker with netadmin privileges can upload a crafted file to trigger command injection and execute commands as root. Although authentication is required, attackers often chain this with initial access vulnerabilities like CVE-2026-20182 to achieve full compromise. Cisco observed limited cases where exploitation resulted in unauthorized configuration changes being pushed to edge SD-WAN devices.
- Remediation: Upgrade Catalyst SD-WAN Controllers, Managers, and Validators to 20.18.3.1, 26.1.1.2, or later.
2. Artificial Intelligence Infrastructure
As enterprises rush to adopt AI and LLM tooling, AI gateway proxies have become a new high-value target for adversaries.
BerriAI LiteLLM (CVE-2026-42271)
- Severity: Critical (CVSS 8.8)
- Vulnerability Class: Command Injection in MCP preview endpoints (CWE-78)
- Exploitation Context: LiteLLM is a popular open-source AI gateway. Active exploitation of this command injection vulnerability in its Model Context Protocol (MCP) preview endpoints led to its KEV addition on June 8, 2026. Crucially, while this flaw originally required administrative API keys, researchers confirmed it can be chained with CVE-2026-48710 (a Starlette Host header validation bypass) to achieve unauthenticated Remote Code Execution on the proxy server.
- Remediation: Upgrade to 1.83.7-stable or newer. Restrict internet access to proxy administration endpoints and rotate all API keys stored in the LiteLLM gateway if exposure is suspected.
3. Kernel-Level Privilege Escalation & Container Escapes
Post-intrusion, attackers focus heavily on local privilege escalation to take over host machines and escape containerized sandbox environments.
Linux Kernel “Copy Fail” (CVE-2026-31431)
- Severity: High (CVSS 7.8)
- Vulnerability Class: Incorrect Resource Transfer / Write Primitive (CWE-669)
- Exploitation Context: Added to KEV on June 1, 2026. Dubbed “Copy Fail” by researchers, this flaw in the Linux crypto subsystem (the AF_ALG AEAD in-place optimization) allows local attackers to write to read-only memory mappings. In multi-tenant environments—such as shared CI/CD runners, Kubernetes nodes, or shared development hosts—this unprivileged write primitive allows attackers to escalate privileges to root.
- Remediation: Patch the distribution kernel. In sandboxed environments, block AF_ALG socket creation using seccomp/AppArmor or disable the algif_aead module.
Linux Kernel cgroups v1 (CVE-2022-0492)
- Severity: High (CVSS 7.8)
- Vulnerability Class: Container Escape
- Exploitation Context: Although originally disclosed in 2022, CISA added this container escape to the KEV on June 6, 2026, due to a resurgence of active exploitation. The vulnerability allows attackers who already have root capabilities inside a container to escape the container boundary and run arbitrary code on the host kernel via cgroups v1 release agent execution.
- Remediation: Standardize on cgroups v2, run containers without CAP_SYS_ADMIN, or enforce seccomp policies that block access to release_agent files.
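The two remediation lists above (blocking AF_ALG socket creation for “Copy Fail”, and cgroups v2 / no CAP_SYS_ADMIN for the cgroups v1 release_agent escape) can be turned into a small audit-and-hardening script. The following is an added example, not code from the original post or from any vendor. It assumes the Linux constants AF_ALG = 38 and CAP_SYS_ADMIN = bit 21 (socket(2), capabilities(7)) and the Docker/OCI seccomp JSON layout (`defaultAction`, `syscalls[].names/action/args`); the `/proc` and `lsmod` samples at the bottom are constructed so it runs offline. One caveat it encodes: seccomp filters on syscall numbers and arguments, so it can deny `socket(AF_ALG, ...)`, but a file path such as release_agent is not expressible as a seccomp rule, which is why that check looks at the cgroup mount layout and the effective capability set instead.

```python
"""Container hardening checks for the two Linux kernel KEV entries above.

Added example, not code from the original post or from any vendor.
Assumptions: AF_ALG is socket family 38 and CAP_SYS_ADMIN is capability
bit 21 on Linux; the seccomp profile follows the Docker/OCI JSON layout.
The /proc and lsmod samples at the bottom are constructed; on a real host
pass the actual file contents instead.
"""
import copy
import json

AF_ALG = 38         # socket family of the kernel crypto API (algif_* modules)
CAP_SYS_ADMIN = 21  # capability bit index
EPERM = 1


def deny_af_alg_sockets(profile: dict) -> dict:
    """Copy a Docker/OCI seccomp profile so socket(AF_ALG, ...) fails with EPERM
    while every other socket family keeps its existing policy."""
    hardened = copy.deepcopy(profile)
    rules = hardened.setdefault("syscalls", [])
    narrowed = []
    for rule in rules:
        # An unconditional rule naming "socket" would shadow the AF_ALG deny,
        # so split socket out of it and restrict that rule to family != AF_ALG.
        if "socket" in rule.get("names", []) and not rule.get("args"):
            rule["names"] = [n for n in rule["names"] if n != "socket"]
            narrowed.append({
                "names": ["socket"],
                "action": rule["action"],
                "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_NE"}],
            })
    rules[:] = [r for r in rules if r.get("names")] + narrowed
    rules.append({
        "names": ["socket"],
        "action": "SCMP_ACT_ERRNO",
        "errnoRet": EPERM,
        "args": [{"index": 0, "value": AF_ALG, "op": "SCMP_CMP_EQ"}],
    })
    return hardened


def has_cap_sys_admin(proc_status: str) -> bool:
    """True if the CapEff mask in a /proc/<pid>/status dump includes
    CAP_SYS_ADMIN, which the cgroups v1 release_agent escape needs."""
    for line in proc_status.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            return bool((mask >> CAP_SYS_ADMIN) & 1)
    raise ValueError("CapEff line not found")


def cgroup_mode(proc_mounts: str) -> str:
    """Classify the cgroup layout from /proc/mounts: 'v2', 'v1', 'hybrid' or 'none'."""
    fstypes = set()
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] in ("cgroup", "cgroup2"):
            fstypes.add(parts[2])
    if fstypes == {"cgroup2"}:
        return "v2"
    if fstypes == {"cgroup"}:
        return "v1"
    return "hybrid" if fstypes else "none"


def algif_aead_loaded(lsmod_output: str) -> bool:
    """True if algif_aead appears in the first column of `lsmod` output."""
    return any(line.split()[:1] == ["algif_aead"] for line in lsmod_output.splitlines())


def audit(proc_status: str, proc_mounts: str, lsmod_output: str) -> dict:
    """Summarise the checks as findings keyed by the CVE each relates to."""
    return {
        "CVE-2026-31431": {"algif_aead_loaded": algif_aead_loaded(lsmod_output)},
        "CVE-2022-0492": {
            "cgroup_mode": cgroup_mode(proc_mounts),
            "cap_sys_admin": has_cap_sys_admin(proc_status),
        },
    }


# Constructed samples, not captured from a real host. The CapEff value is the
# default Docker capability set, which does not include CAP_SYS_ADMIN.
SAMPLE_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
SAMPLE_MOUNTS = (
    "overlay / overlay rw,relatime 0 0\n"
    "cgroup /sys/fs/cgroup/memory cgroup rw,memory 0 0\n"
    "cgroup /sys/fs/cgroup/devices cgroup rw,devices 0 0\n"
)
SAMPLE_LSMOD = ("Module                  Size  Used by\n"
                "algif_aead             16384  0\n"
                "af_alg                 32768  1 algif_aead\n")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_STATUS, SAMPLE_MOUNTS, SAMPLE_LSMOD), indent=2))
    base = {"defaultAction": "SCMP_ACT_ERRNO",
            "syscalls": [{"names": ["read", "write", "socket"], "action": "SCMP_ACT_ALLOW"}]}
    print(json.dumps(deny_af_alg_sockets(base), indent=2))
```

On a live host, feed `audit()` the contents of `/proc/self/status`, `/proc/mounts` and the output of `lsmod`; a result of `cgroup_mode == "v1"` together with `cap_sys_admin == True` is the combination the cgroups v1 escape relies on, and `algif_aead_loaded == True` on an unpatched kernel means the AF_ALG path is reachable unless the seccomp rule is applied.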
Android Framework (CVE-2025-48595)
- Severity: High (CVSS 8.4)
- Vulnerability Class: Integer Overflow (CWE-190)
- Exploitation Context: Added to KEV on June 2, 2026. This integer overflow in the Android Framework allows local privilege escalation without user interaction or additional execution privileges. Google reported indications of limited, targeted exploitation in the wild.
- Remediation: Apply OEM updates containing the 2026-06-01 Android security patch level or later.
4. Endpoints & Clients
Google Chromium V8 (CVE-2026-11645)
- Severity: High (CVSS 8.8)
- Vulnerability Class: Out-of-Bounds Memory Access (CWE-125 / CWE-787)
- Exploitation Context: Added to KEV on June 9, 2026. An out-of-bounds read and write in the V8 JavaScript engine allows attackers to execute code inside the browser sandbox through crafted HTML. Google confirmed active exploitation in the wild.
- Remediation: Update Google Chrome to version 149.0.7827.102/.103 (Windows/macOS) or 149.0.7827.102 (Linux) immediately.
5. Other Enterprise Additions
Several other enterprise components were added to the KEV catalog due to active exploitation in targeted campaigns:
- Arista EOS (CVE-2026-7473): Unexpected tunnel-protocol decapsulation bypass. Allows packets addressed to a configured decapsulation IP to be decapsulated regardless of tunnel protocol. Mitigated using ACL rules (no software patch planned by vendor).
- cPanel & WHM (CVE-2026-41940): Authentication bypass in hosting control planes.
- Oracle WebLogic Server (CVE-2024-21182): Authentication bypass in T3/IIOP protocols.
- SolarWinds Serv-U (CVE-2026-28318): Denial of service vulnerability in managed file transfer.
- Mirasvit Cache Warmer (CVE-2026-45247): Added to KEV on June 5, 2026.
Defensive Action Items
To defend against the latest exploited CVEs, security teams should prioritize:
- External Attack Surface Review: Audit internet-facing portals for VPN/gateway devices (Check Point, Cisco SD-WAN) and LLM proxies (LiteLLM). Patch immediately or apply configuration workarounds.
- Local Privilege Escalation Defenses: Ensure all Linux servers and shared build agents run patched kernels to block “Copy Fail” (CVE-2026-31431). Enforce seccomp filters on container runtimes to restrict container escapes.
- Endpoint Patching: Force immediate updates for Chromium-based browsers to mitigate V8 out-of-bounds code execution.
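The round-up above is, in effect, a two-week window over the KEV catalog matched against what an organisation runs. The following script is an added example, not tooling from the original post: it reads the KEV catalog's published JSON layout (a top-level `vulnerabilities` list whose items carry `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate` and `knownRansomwareCampaignUse`), keeps the entries added in the last fourteen days, matches them against an asset inventory and ranks the hits with ransomware-linked entries first, then by due date. The feed excerpt is constructed from the CVEs and dateAdded values in this post; the vendor/product strings, due dates and ransomware flags are sample values rather than text quoted from CISA, and the inventory is a made-up asset list.

```python
"""Triage of newly added CISA KEV entries against an asset inventory.

Added example, not tooling from the original post. Parses the KEV feed's
JSON layout and runs offline on a constructed excerpt: the CVE ids and
dateAdded values come from the round-up, while vendor/product strings,
due dates and ransomware flags are sample values, not quoted from CISA.
"""
import json
from datetime import date, timedelta

SAMPLE_KEV_JSON = json.dumps({  # constructed excerpt in the real feed's shape
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-50751", "vendorProject": "Check Point", "product": "Security Gateway",
         "dateAdded": "2026-06-08", "dueDate": "2026-06-29", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-20245", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
         "dateAdded": "2026-06-09", "dueDate": "2026-06-30", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-42271", "vendorProject": "BerriAI", "product": "LiteLLM",
         "dateAdded": "2026-06-08", "dueDate": "2026-06-29", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-31431", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2026-06-01", "dueDate": "2026-06-22", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-0492", "vendorProject": "Linux", "product": "Kernel",
         "dateAdded": "2026-06-06", "dueDate": "2026-06-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-11645", "vendorProject": "Google", "product": "Chromium V8",
         "dateAdded": "2026-06-09", "dueDate": "2026-06-30", "knownRansomwareCampaignUse": "Unknown"},
        # An older catalog entry (sample dates) that the date window must discard.
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known"},
    ],
})

INVENTORY = [  # constructed asset list: (vendorProject, product, owning team)
    ("Check Point", "Security Gateway", "netops"),
    ("Linux", "Kernel", "platform"),
    ("Google", "Chromium V8", "endpoint"),
    ("Oracle", "WebLogic Server", "appdev"),
]


def load_kev(text: str) -> list:
    """Return the vulnerabilities list from a KEV feed document."""
    return json.loads(text)["vulnerabilities"]


def added_between(entries: list, start: str, end: str) -> list:
    """Keep entries whose dateAdded lies in [start, end]; ISO date strings
    compare correctly as plain strings, so no parsing is needed here."""
    return [e for e in entries if start <= e["dateAdded"] <= end]


def match_inventory(entries: list, inventory: list) -> list:
    """Attach an owner to every entry whose vendor/product is in the inventory."""
    owners = {(v.lower(), p.lower()): team for v, p, team in inventory}
    hits = []
    for e in entries:
        key = (e["vendorProject"].lower(), e["product"].lower())
        if key in owners:
            hits.append({**e, "owner": owners[key]})
    return hits


def prioritise(hits: list) -> list:
    """Ransomware-linked entries first, then by earliest CISA due date."""
    return sorted(hits, key=lambda e: (e["knownRansomwareCampaignUse"] != "Known", e["dueDate"]))


def triage(kev_text: str, inventory: list, end: str, days: int = 14) -> list:
    """Full pipeline: parse, keep the last `days` days up to `end` (ISO date),
    match against the inventory, rank."""
    start = (date.fromisoformat(end) - timedelta(days=days)).isoformat()
    return prioritise(match_inventory(added_between(load_kev(kev_text), start, end), inventory))


if __name__ == "__main__":
    for hit in triage(SAMPLE_KEV_JSON, INVENTORY, "2026-06-11"):
        print(f'{hit["cveID"]:<15} {hit["vendorProject"]} {hit["product"]:<22} '
              f'due {hit["dueDate"]} owner={hit["owner"]} '
              f'ransomware={hit["knownRansomwareCampaignUse"]}')
```

For real use, replace `SAMPLE_KEV_JSON` with the downloaded catalog file and `INVENTORY` with an export from the asset database; matching on exact vendor/product strings is deliberately strict, so normalise inventory names to CISA's spelling once rather than loosening the match.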