CISA Known Exploited Vulnerability Catalog June 2026

Vulnerability
Download Now
CISA KEV Catalog — June 2026 Update | HiveForce Labs

Threat Digest • CISA KEV Catalog

CISA Known Exploited Vulnerabilities (KEV) Catalog — June 2026 Update

In June 2026, 23 vulnerabilities were added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog — the authoritative record of vulnerabilities confirmed to be exploited in the wild. Of the 23 KEV additions, 6 are zero-day vulnerabilities and 2 have been exploited by named threat actors in active attacks, spanning products from SimpleHelp, PTC Windchill and FlexPLM, Cisco, Ubiquiti UniFi OS, Splunk Enterprise, Oracle, Ivanti, Google Chrome, Check Point, SolarWinds, and the Linux Kernel.

23 KEV ADDITIONS 6 ZERO-DAYS 2 THREAT-ACTOR EXPLOITED CVSS UP TO 10.0 BOD 26-04 APPLIES
Report Type
CISA KEV Catalog Digest
Published
July 02, 2026
Period Covered
June 2026
Total KEV Additions
23
Zero-Day Vulnerabilities
6
Threat-Actor Exploited
2
CVSS Score Range
5.8 – 10.0
Earliest Due Date
June 04, 2026
Latest Due Date
July 02, 2026

Summary

The CISA Known Exploited Vulnerabilities (KEV) catalog is the authoritative source of vulnerabilities confirmed to have been exploited in the wild. In June 2026, 23 vulnerabilities met the criteria for inclusion in CISA's KEV catalog. Of these, 6 are zero-day vulnerabilities and 2 have been exploited by named threat actors and employed in active attacks. CVSS 3.x severity scores across the June 2026 KEV additions range from 5.8 to a maximum of 10.0, with the majority of entries scoring above 7.5, underscoring the critical nature of this month's additions.

Affected products span network and remote-access infrastructure (SimpleHelp, Ivanti Sentry, Check Point Security Gateway, Cisco Unified Communications Manager, Cisco Catalyst SD-WAN Manager), enterprise application platforms (PTC Windchill and FlexPLM, Oracle PeopleSoft Enterprise PeopleTools, Oracle WebLogic Server, Splunk Enterprise), networking and IoT hardware (Lantronix EDS5000, Ubiquiti UniFi OS, Arista Extensible Operating System), web and CMS components (Widget Factory Joomla Content Editor, LiteSpeed cPanel Plugin, Mirasvit Full Page Cache Warmer), the BerriAI LiteLLM AI infrastructure project, SolarWinds Serv-U, Google Chrome, the Linux Kernel, and the Android Framework. Because it is now July 02, 2026, several June KEV due dates listed below have already elapsed and remain overdue for remediation, while the most recent addition, CVE-2026-48558 affecting SimpleHelp, carries a due date of July 02, 2026.


Vulnerability Details

CISA KEV Catalog Additions — June 2026
CVE IDVulnerability NameAffected ProductCVSS 3.xCWE IDPatch Due Date
CVE-2026-48558SimpleHelp Authentication Bypass VulnerabilitySimpleHelp10.0CWE-347July 02, 2026
CVE-2026-12569PTC Windchill and FlexPLM Improper Input Validation VulnerabilityPTC Windchill and FlexPLM9.8CWE-20June 28, 2026
CVE-2026-20230Cisco Unified Communications Manager Server-Side Request Forgery (SSRF) VulnerabilityCisco Unified Communications Manager8.6CWE-918June 28, 2026
CVE-2026-20262Cisco Catalyst SD-WAN Manager Directory or Path Traversal VulnerabilityCisco Catalyst SD-WAN Manager6.5CWE-22June 29, 2026
CVE-2025-67038Lantronix EDS5000 Code Injection VulnerabilityLantronix EDS50009.8CWE-94June 26, 2026
CVE-2026-34910Ubiquiti UniFi OS Improper Input Validation VulnerabilityUbiquiti UniFi OS10.0CWE-20June 26, 2026
CVE-2026-34909Ubiquiti UniFi OS Path Traversal VulnerabilityUbiquiti UniFi OS10.0CWE-22June 26, 2026
CVE-2026-34908Ubiquiti UniFi OS Improper Access Control VulnerabilityUbiquiti UniFi OS10.0CWE-284June 26, 2026
CVE-2026-20253Splunk Enterprise Missing Authentication for Critical Function VulnerabilitySplunk Enterprise9.8CWE-306June 21, 2026
CVE-2026-48907Widget Factory Joomla Content Editor Improper Access Control VulnerabilityWidget Factory Joomla Content Editor9.8CWE-284June 19, 2026
CVE-2026-54420LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following VulnerabilityLiteSpeed cPanel Plugin8.5CWE-61June 18, 2026
CVE-2026-35273Oracle PeopleSoft Enterprise PeopleTools Missing Authentication for Critical Function VulnerabilityOracle PeopleSoft Enterprise PeopleTools9.8CWE-306June 15, 2026
CVE-2026-10520Ivanti Sentry OS Command Injection VulnerabilityIvanti Sentry10.0CWE-78June 14, 2026
CVE-2026-11645Google Chromium V8 Out-of-Bounds Read and Write VulnerabilityGoogle Chrome8.8CWE-125June 23, 2026
CVE-2026-7473Arista Extensible Operating System Incomplete Comparison with Missing Factors VulnerabilityArista Extensible Operating System5.8CWE-1023June 23, 2026
CVE-2026-20245Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output VulnerabilityCisco Catalyst SD-WAN Manager7.8CWE-116June 23, 2026
CVE-2026-42271BerriAI LiteLLM Command Injection VulnerabilityBerriAI LiteLLM8.8CWE-77June 22, 2026
CVE-2026-50751Check Point Security Gateway Improper Authentication VulnerabilityCheck Point Security Gateway9.3CWE-287June 11, 2026
CVE-2026-28318SolarWinds Serv-U Uncontrolled Resource Consumption VulnerabilitySolarWinds Serv-U7.5CWE-400June 19, 2026
CVE-2026-45247Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data VulnerabilityMirasvit Full Page Cache Warmer9.8CWE-502June 06, 2026
CVE-2022-0492Linux Kernel Improper Authentication VulnerabilityLinux Kernel7.8CWE-862June 05, 2026
CVE-2025-48595Android Framework Integer Overflow VulnerabilityAndroid Framework8.4CWE-190June 05, 2026
CVE-2024-21182Oracle WebLogic Server Unspecified VulnerabilityOracle WebLogic Server7.5CWE-200June 04, 2026
Threat Actor, Malware & Ransomware Associations
CVE IDAssociated EntityType
CVE-2026-48558TaskWeaver, Djinn StealerMalware
CVE-2026-35273ShinyHunters (aka UNC6240)Threat Actor
CVE-2026-20245UAT-8616Threat Actor
CVE-2026-50751Qilin RansomwareRansomware

Beyond these four confirmed associations, the remaining KEV additions in this month's catalog — including CVE-2026-12569 (PTC Windchill and FlexPLM), CVE-2026-20230 (Cisco Unified Communications Manager), CVE-2025-67038 (Lantronix EDS5000), CVE-2026-34910, CVE-2026-34909, and CVE-2026-34908 (Ubiquiti UniFi OS), CVE-2026-20253 (Splunk Enterprise), CVE-2026-48907 (Widget Factory Joomla Content Editor), CVE-2026-54420 (LiteSpeed cPanel Plugin), CVE-2026-20262 (Cisco Catalyst SD-WAN Manager), CVE-2026-10520 (Ivanti Sentry), CVE-2026-11645 (Google Chrome), CVE-2026-7473 (Arista Extensible Operating System), CVE-2026-42271 (BerriAI LiteLLM), CVE-2026-28318 (SolarWinds Serv-U), CVE-2026-45247 (Mirasvit Full Page Cache Warmer), CVE-2022-0492 (Linux Kernel), CVE-2025-48595 (Android Framework), and CVE-2024-21182 (Oracle WebLogic Server) — have no named threat actor, malware, or ransomware association recorded in this catalog update.


Recommendations

01
Prioritize Patching Before Due Dates

Organizations should prioritize the 23 vulnerabilities listed above and promptly apply patches before the stated due date for each CVE, giving immediate attention to entries whose June 2026 due dates have already passed.

02
Comply with Binding Operational Directive 26-04

Federal agencies must comply with Binding Operational Directive 26-04 issued by the Cybersecurity and Infrastructure Security Agency (CISA), which outlines the minimum cybersecurity standards required to protect against threats posed by cataloged Known Exploited Vulnerabilities.

03
Inventory Affected Products for Priority Remediation

Use the affected-product list in this KEV catalog update to identify assets running SimpleHelp, PTC Windchill and FlexPLM, Cisco Unified Communications Manager, Cisco Catalyst SD-WAN Manager, Lantronix EDS5000, Ubiquiti UniFi OS, Splunk Enterprise, Oracle PeopleSoft Enterprise PeopleTools, Ivanti Sentry, Google Chrome, Check Point Security Gateway, SolarWinds Serv-U, or the Linux Kernel, even without conducting an active scan, and patch these assets with priority to reduce risk.


Potential MITRE ATT&CK TTPs

T1190
Initial Access
Exploit Public-Facing Application
T1189
Initial Access
Drive-by Compromise
T1133
Initial Access
External Remote Services
T1059
Execution
Command and Scripting Interpreter
T1059.004
Execution
Command and Scripting Interpreter: Unix Shell
T1203
Execution
Exploitation for Client Execution
T1136
Persistence
Create Account
T1505.003
Persistence
Server Software Component: Web Shell
T1068
Privilege Escalation
Exploitation for Privilege Escalation
T1548
Privilege Escalation
Abuse Elevation Control Mechanism
T1611
Privilege Escalation
Escape to Host
T1078
Defense Evasion
Valid Accounts
T1599
Defense Evasion
Network Boundary Bridging
T1070.004
Defense Evasion
Indicator Removal: File Deletion
T1606
Credential Access
Forge Web Credentials
T1552.001
Credential Access
Unsecured Credentials: Credentials In Files
T1056.003
Collection
Input Capture: Web Portal Capture
T1005
Collection
Data from Local System
T1083
Discovery
File and Directory Discovery
T1046
Discovery
Network Service Discovery
T1499.004
Impact
Endpoint Denial of Service: Application or System Exploitation
T1657
Impact
Financial Theft

References & Patch Links