Stay Ahead of Threats with the Latest Vulnerability Updates for June
Stay up to date on critical cyber risks, Microsoft’s June Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats.
Quick Highlights
- Microsoft Patch Tuesday:
– 206 vulnerabilities disclosed
– 33 rated Critical, 3 are Zero-Day (publicly disclosed).
– Microsoft has patched a larger than average number of critical vulnerabilities this month, including flaws previously disclosed by security researcher Nightmare Eclipse.
- Advisories from Major Vendors:
– Adobe: 123 vulnerabilities patched across 11 products
– Cisco: 1 critical-severity flaw with a proof-of-concept exploit available, 1 high-severity flaw which is being actively exploited
– Fortinet: 1 critical-severity flaw in FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS
– Ivanti: 2 critical-severity flaws in Ivanti Sentry and 2 high-severity flaws in Ivanti Endpoint Manager Mobile
– SAP: 4 critical vulnerabilities in SAP NetWeaver AS ABAP/ABAP Platform, SAP Commerce Cloud and SAP Data Hub
– Veeam: 1 critical-severity flaw patched in Veeam Backup & Replication 12.3.2.4465
- Top Threats to Watch:
– AI-powered attacks accelerating – Adversaries are increasingly using AI to discover vulnerabilities, build exploits (including zero-days), and automate intrusion workflows, making attacks faster and more scalable.
– Trusted platform abuse for delivery and evasion – Attackers are leveraging legitimate services (ChatGPT, Claude, Dropbox, GitHub, Salesforce) to host malware, evade detection, and bypass traditional security controls.
– Credential and session hijacking evolving beyond passwords – New phishing kits and exploits target OAuth tokens, GitHub tokens, and MFA bypass techniques, enabling persistent access without needing credentials.
– Social engineering + vishing as primary initial access vectors – Highly targeted campaigns use phone calls, staged conversations, and impersonation (IT support, customers) to bypass technical defenses and gain access quickly.
– Critical infrastructure & edge systems under active exploitation – Severe vulnerabilities (VPN auth bypass, RCE chains, endpoint security flaws) are being actively exploited, often leading to full system compromise or root access.
Windows 10 Reaches End of Support
As of October 14, 2025, Microsoft has officially ended support for Windows 10. October 2025’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program.
- What This Means for Your Organization:
– No more security patches or bug fixes for Windows 10 devices
– Increased exposure to vulnerabilities and compliance risks
– Continued support requires either: 1.) Enrolling in Microsoft’s paid ESU program, or 2.) Upgrading to Windows 11
- Upgrading to Windows 11
Unlike traditional feature upgrades, Windows 11 25H2 is built on the same servicing branch and code base as Windows 11 24H2, making the transition simpler and lower risk.
Fortress has thoroughly tested Windows 11 25H2 and recommends upgrading all supported devices. To begin the upgrade process, contact our 24/7/365 Security Operations Team or reach out to your client experience manager.
Windows 11 End of Support
As of November 2025, Microsoft has officially ended support for earlier versions of Windows 11 (listed below).
- Windows 11 version 21H2 (All Editions)
- Windows 11 version 22H2 (All Editions)
- Windows 11 version 23H2 (Home & Pro)
We would also like to highlight several upcoming End of Support dates for the following Windows releases:
- Windows 11 version 23H2 (Enterprise & Education) – Support ends November 10, 2026. After this date, these editions will no longer receive security updates or fixes.
- Windows 11 version 24H2 (Home & Pro) – Support ends October 13, 2026. Devices running these editions should be upgraded before this date to remain supported and secure.
Fortress recommends reviewing device inventories ahead of these deadlines to ensure systems are upgraded in advance and remain within a supported lifecycle.
* Some specialized editions of Windows 11 24H2 (e.g. Long Term Support Cycle) will continue to receive extended support through 2029. However, for all other editions we recommend upgrading to Windows 11 25H2.
Windows Server 2016 End of Support
Support for Windows Server 2016 is scheduled to end on January 12, 2027, which is now less than a year away. After this date, Microsoft will no longer provide security updates, bug fixes, or technical support for the platform.
Organizations still running Windows Server 2016 should begin planning upgrade or migration strategies to avoid increased security risk and compliance concerns once support ends.
Fortress recommends reviewing affected systems early to allow sufficient time for testing, upgrades, or workload migration before the end-of-support deadline.
Need help planning your transition?
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.
Patch Tuesday Summary
Microsoft June 2026 Patch Tuesday
206 vulnerabilities disclosed, including 33 critical and 3 publicly-disclosed zero-days. By category:
- 65 Elevation of Privilege
- 55 Remote Code Execution
- 30 Information Disclosure
- 27 Spoofing
- 19 Security Feature Bypass
- 7 Denial of Service
Critical Common Vulnerabilities and Exposures (CVEs)
Windows Zero Days
| CVE-ID | Details | Severity | Exploited? |
| CVE-2026-45586 | Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability | Important | No, publicly disclosed |
| CVE-2026-49160 | HTTP.sys Denial of Service Vulnerability | Important | No, publicly disclosed |
| CVE-2026-50507 | Windows BitLocker Security Feature Bypass Vulnerability | Important | No, publicly disclosed |
Other Critical CVEs Worth Mentioning
| CVE-ID | Details | Severity | Exploited? |
| CVE-2026-45648 | remote code execution vulnerability in Windows Active Directory Domain Services | Critical | No |
| CVE-2026-45476 | elevation of privilege flaw in Microsoft Azure Network Adapter | Critical | No |
| CVE-2026-33828 | elevation of privilege flaw in Windows Device Health Attestation (DHA) | Critical | No |
| CVE-2026-32193 | remote code execution vulnerability in Azure Kubernetes Service (AKS) | Critical | No |
| CVE-2026-45463 CVE-2026-45474 CVE-2026-45472 CVE-2026-45461 | remote code execution vulnerability in Microsoft Office | Critical | No |
| CVE-2026-45460 | information disclosure bug in Microsoft Office | Critical | No |
| CVE-2026-45458 CVE-2026-47635 CVE-2026-45456 | remote code execution vulnerability in Microsoft Outlook and Word | Critical | No |
| CVE-2026-26142 | remote code execution vulnerability in Nuance PowerScribe | Critical | No |
| CVE-2026-42985 CVE-2026-47289 CVE-2026-47654 CVE-2026-42992 CVE-2026-44801 CVE-2026-44799 CVE-2026-48563 | remote code execution vulnerability in Remote Desktop Client | Critical | No |
| CVE-2026-45641 CVE-2026-47652 CVE-2026-45607 | remote code execution vulnerability in Windows Hyper-V | Critical | No |
| CVE-2026-44810 | elevation of privilege flaw in Microsoft Cryptographic Services | Critical | No |
| CVE-2026-42987 | remote code execution vulnerability in Windows Deployment Services (WDS) | Critical | No |
| CVE-2026-44815 | remote code execution vulnerability in DHCP Client Service | Critical | No |
| CVE-2026-47291 | remote code execution vulnerability in HTTP.sys | Critical | No |
| CVE-2026-47288 | remote code execution vulnerability in Windows Kerberos Key Distribution Centre (KDC) | Critical | No |
| CVE-2026-45657 | remote code execution vulnerability in Windows Kernel | Critical | No |
| CVE-2026-48574 | remote code execution vulnerability in Windows Media | Critical | No |
| CVE-2026-44812 CVE-2026-44803 | remote code execution vulnerability in Windows Graphics Component | Critical | No |
| CVE-2025-10263 | ARM: CVE-2025-10263 Completion of affected memory accesses might not be guaranteed by completion of a TLBI [kernel] | Critical | No |
Microsoft June 2026 Security Update Release
3rd Party Critical CVEs Worth Mentioning
Adobe Products *
| CVE-ID(s) | Affected Product | Issues | Key Risks |
| CVE-2026-47935 CVE-2026-47936 CVE-2026-47939 CVE-2026-47941 CVE-2026-47942 CVE-2026-47943 CVE-2026-47944 CVE-2026-47945 CVE-2026-47946 CVE-2026-47947 CVE-2026-47948 CVE-2026-47949 CVE-2026-47950 CVE-2026-47951 CVE-2026-47953 CVE-2026-47954 CVE-2026-47956 CVE-2026-47957 CVE-2026-47958 CVE-2026-47962 CVE-2026-47966 CVE-2026-47970 CVE-2026-47972 CVE-2026-47973 CVE-2026-47974 CVE-2026-47975 CVE-2026-47977 CVE-2026-47978 CVE-2026-47980 CVE-2026-47981 CVE-2026-47982 CVE-2026-47983 CVE-2026-47985 CVE-2026-47986 CVE-2026-47987 CVE-2026-47989 CVE-2026-47990 CVE-2026-47993 CVE-2026-34692 CVE-2026-48250 CVE-2026-48251 CVE-2026-48256 CVE-2026-48258 CVE-2026-48264 CVE-2026-48265 CVE-2026-48266 CVE-2026-48268 CVE-2026-48271 CVE-2026-48280 CVE-2026-48297 CVE-2026-48299 CVE-2026-48300 CVE-2026-48301 CVE-2026-48304 | Adobe Experience Manager | 54 Important, 3 Moderate | Arbitrary code execution Security feature bypass |
| CVE-2026-34691 CVE-2026-34693 CVE-2026-34694 | Adobe Experience Manager Forms | 2 Critical, 1 Important | Arbitrary code execution |
| CVE-2026-34695 CVE-2026-34696 CVE-2026-34697 CVE-2026-34698 CVE-2026-34699 CVE-2026-34700 CVE-2026-34701 CVE-2026-34702 CVE-2026-48293 CVE-2026-34703 CVE-2026-34704 CVE-2026-34705 | Adobe InDesign | 9 Critical, 3 Important | Arbitrary code execution Application denial-of-service Memory exposure |
| CVE-2026-34706 CVE-2026-34707 CVE-2026-34708 | Adobe InCopy | 3 Critical | Arbitrary code execution |
| CVE-2026-48305 CVE-2026-48306 CVE-2026-34709 CVE-2026-34710 | Substance 3D Sampler | 2 Critical, 2 Important | Arbitrary code execution |
| CVE-2026-34711 CVE-2026-34712 CVE-2026-34713 CVE-2026-47902 CVE-2026-47903 CVE-2026-47904 CVE-2026-47905 CVE-2026-34657 | Content Credentials SDK | 3 Critical, 5 Important | Application denial-of-service Arbitrary file system write |
| CVE-2026-47906 CVE-2026-47907 CVE-2026-47908 CVE-2026-47909 CVE-2026-47910 | Adobe Dreamweaver | 3 Critical, 2 Important | Arbitrary code execution Arbitrary file system read |
| CVE-2026-47911 CVE-2026-47912 CVE-2026-47913 CVE-2026-47914 CVE-2026-47915 CVE-2026-47916 CVE-2026-47917 CVE-2026-47918 CVE-2026-47919 CVE-2026-47920 CVE-2026-47921 CVE-2026-47955 CVE-2026-47959 CVE-2026-47952 CVE-2026-47937 CVE-2026-47961 CVE-2026-47923 CVE-2026-47924 CVE-2026-47925 CVE-2026-47926 | Adobe Acrobat Reader | 15 Critical, 5 Important | Arbitrary code execution Application denial-of-service Memory exposure |
| CVE-2026-47928 CVE-2026-47932 CVE-2026-47929 CVE-2026-47931 CVE-2026-47930 CVE-2026-47960 CVE-2026-47933 | Adobe ColdFusion | 6 Critical, 1 Important | Security feature bypass Privilege escalation Arbitrary code execution Arbitrary file system read |
| CVE-2026-48291 CVE-2026-48292 | Adobe Format Plugins | 2 Critical | Arbitrary code execution |
| CVE-2026-48303 CVE-2026-47938 | Adobe Campaign Classic | 2 Critical | Arbitrary code execution |
Cisco *
| CVE-ID(s) | Affected Product | Description | Severity | Exploited? |
| CVE-2026-20230 | Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) | A vulnerability could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device. | Critical | Proof-of-concept exploit code available |
| CVE-2026-20245 | Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond | A vulnerability in the CLI could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. | High | Yes, actively exploited |
Fortinet *
| CVE-ID | Affected Product | Description | Severity | Exploited? |
| CVE-2026-25089 | FortiSandbox, FortiSandbox Cloud and FortiSandbox PaaS WEB UI | An improper neutralization of special elements used in an OS command vulnerability may allow an unauthenticated attacker to execute unauthorized commands via specifically crafted HTTP requests. | Critical | No |
| CVE-2025-67862 | FortiOS and FortiProxy | An Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability may allow an authenticated admin to execute lua scripts via crafted CLI commands. | Medium | No |
Ivanti *
| CVE-ID(s) | Affected Product | Description | Severity | Exploited? |
| CVE-2026-6973 CVE-2026-10727 | Ivanti Endpoint Manager Mobile | Multiple vulnerabilities allow a remote authenticated attacker to inject arbitrary code, leading to remote code execution. | High | No |
| CVE-2026-10520 CVE-2026-10523 | Ivanti Sentry | Multiple vulnerabilities allow a remote unauthenticated user to achieve root-level remote code execution or create arbitrary administrative accounts and obtain full administrative access. | Critical | No |
Ivanti June 2026 Security Update
SAP *
| CVE-ID | Affected Component | Description | Severity | Exploited? |
| CVE-2026-44748 | SAP NetWeaver AS ABAP and ABAP Platform | Allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. | Critical | No |
| CVE-2026-27671 | Application Server ABAP of SAP NetWeaver and ABAP Platform | Due to improper RFC protocol validation, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. | Critical | No |
| CVE-2026-22732 | SAP Commerce Cloud and SAP Data Hub | When applications specify HTTP response headers for servlet applications using Spring Security, there is the possibility that the HTTP Headers will not be written. | Critical | No |
| CVE-2026-40128 | SAP NetWeaver Application Server Java | Allows an unauthenticated attacker to craft a malicious HTTP logon request that manipulates file inclusion parameters, enabling path traversal and processing of the included file. | Critical | No |
Veeam
| CVE-ID(s) | Affected Product | Description | Severity | Exploited? |
| CVE-2026-44963 | Veeam Backup & Replication 12.3.2.4465 | A vulnerability allowing remote code execution (RCE) on the Backup Server by an authenticated domain user. | Critical | Yes |
Google Chrome
- Version: 149.0.7827.102/.103 (Windows and Mac), 149.0.7827.102 (Linux)
- Release Date: Monday, June 8, 2026
- Key Fixes: 74 security fixes including 17 critical, 55 high severity vulnerabilities
* Not handled by Fortress SRM.
Threat Intelligence Trends – June 2026
The following resources are grouped by threat type / category.
AI-Enabled / Emerging Threats
Charter Communications Data Breach Affects 4.9 Million Accounts
A ShinyHunters-linked attack exposed millions of Charter customer records via a compromised employee account and Salesforce data theft, though the company disputes that highly sensitive data was taken. The breach highlights ongoing vishing risks and targeted attacks on SaaS platforms.
Webworm: New Burrowing Techniques
ESET researchers reveal how the Webworm APT group is evolving its toolkit with stealthier proxy-based infrastructure and new backdoors using Discord and Microsoft Graph API for command-and-control, expanding operations into Europe. The campaign highlights increased use of cloud services and living-off-the-land tactics to evade detection.
ReliaQuest Uncovers China-Linked Espionage Cluster “OP-512”
ReliaQuest researchers identified a new China-linked threat cluster using advanced, stealthy web shell techniques on IIS servers, designed to evade detection through encryption, unique builds, and covert DNS signaling. The operation reflects long-term espionage goals and increasing sophistication in persistence and defense evasion.
Adversaries Leverage AI for Vulnerability Exploitation and Initial Access
Google researchers highlight how threat actors are increasingly using AI to discover vulnerabilities, develop exploits (including zero-days), and automate attack workflows, while also targeting AI systems themselves for initial access. The report underscores AI’s growing role in enabling scalable, adaptive, and stealthier cyber operations.
FBI Warns of Spoofed FIFA Websites Ahead of 2026 World Cup
The FBI issued a warning about attackers creating fake FIFA-themed websites to steal personal data and sell fraudulent tickets, using typo-squatting domains and deceptive ads to lure victims. Users are advised to verify URLs carefully and avoid clicking sponsored or suspicious links.
Social Engineering & Phishing
Targeted Campaign Against US Law Firms (UNC3753 / Luna Moth)
A financially motivated threat group is targeting U.S. law firms using vishing and social engineering to trick employees into granting remote access, followed by rapid data theft and extortion. The campaign highlights the growing effectiveness of human-focused intrusion methods and even includes rare instances of physical office infiltration.
LLMShare Malvertising Campaign Uses AI Chat Platforms for Malware Delivery
Attackers are abusing shared ChatGPT and Claude pages hosted on trusted domains to distribute malware via malvertising, including fake service notices that redirect users to malicious downloads. This technique bypasses traditional security checks by leveraging legitimate AI platforms and highly convincing social engineering.
Massive Smishing Campaign Targets Governments, Postal Services, and Telecoms
A large-scale smishing operation spanning 19 countries leveraged thousands of phishing domains and shared infrastructure to impersonate government portals, delivery services, and telecom providers to steal payment card data. The campaign used highly convincing multi-stage phishing flows and reusable templates to scale globally.
Vibe Hacking: AI-Augmented Campaigns Target Latin America
Trend Micro details two emerging campaigns using agentic AI to automate full attack lifecycles—from initial access to data exfiltration—against government and financial organizations in Latin America, highlighting a shift toward AI-driven, dynamically generated tools and stealthier intrusion techniques.
Kimsuky Spear-Phishing Campaign Masquerades as Data Breach Inquiry
Researchers uncovered a targeted spear-phishing campaign linked to the North Korea–aligned Kimsuky group, using staged email conversations and fake “data breach” inquiries to trick security staff into opening malicious LNK attachments. The malware employs multi-stage infection chains, cloud-based C2 (Dropbox), and evasion techniques to steal system data and maintain persistence.
FBI Warns of Kali365 Phishing-as-a-Service Targeting Microsoft 365
The FBI alerted organizations to Kali365, a phishing-as-a-service toolkit that steals Microsoft 365 OAuth tokens via legitimate login pages, effectively bypassing MFA and granting persistent account access. The platform lowers the barrier for attackers with ready-made phishing kits and automation tools.
Vulnerabilities & Exploits
1-Click GitHub Token Stealing via a VSCode Bug
A VSCode/web (github.dev) vulnerability allowed attackers to steal GitHub OAuth tokens with a single malicious link by abusing webview keybinding events to install a rogue extension. This could grant access to private repositories, though Microsoft quickly issued fixes after disclosure.
Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis
Researchers detail a critical chain of vulnerabilities in UniFi OS that allows unauthenticated attackers to achieve full root access via authentication bypass and command injection, exposing network control and sensitive secrets. The blog also provides detection techniques and emphasizes urgent patching and secret rotation.
Redis CVE-2026-23479 Deep Dive
This analysis explores a critical Redis vulnerability that can be exploited for unauthorized access or code execution, breaking down root cause, exploitation techniques, and potential impact. It also highlights mitigation strategies and emphasizes proper configuration and patching.
Check Point Releases Hotfix for IKEv1 VPN Vulnerabilities
Check Point issued an urgent patch for critical flaws in the deprecated IKEv1 VPN protocol, including an actively exploited authentication bypass that allows attackers to gain VPN access without valid credentials. Organizations are urged to update immediately and migrate away from IKEv1 due to ongoing exploitation risks.
Microsoft Warns of New Defender Zero-Days Exploited in Attacks
Microsoft patched two actively exploited zero-day vulnerabilities in Defender that enable privilege escalation and denial-of-service, prompting urgent mitigation guidance and a federal mandate to patch affected systems.
Dashlane Users Locked Out After Brute-Force Attacks
Dashlane confirmed that attackers launched brute-force login attempts against user accounts, triggering automated security lockouts to prevent unauthorized access, though no systems were compromised. The incident highlights how protective account defenses can disrupt users while blocking credential-stuffing activity.
Recommended Actions
Mitigations
- Patch and upgrade critical systems immediately (VPNs, UniFi OS, endpoint security tools) and deprecate insecure protocols like IKEv1.
- Restrict exposure of management interfaces and enforce network segmentation for internet-facing systems.
- Disable or limit risky authentication flows (e.g., device code flow) and enforce strong MFA and token protections.
- Block or strictly control use of remote access tools (RMM, screen sharing) and enforce application allowlisting.
- Educate users on phishing, smishing, and malvertising risks, especially involving “trusted” platforms and urgent scenarios.
Monitoring
- Monitor authentication logs for anomalous behavior (impossible travel, new devices, excessive login attempts, token anomalies).
- Track unusual outbound traffic to cloud storage, SaaS platforms, or AI service domains used as C2 channels.
- Alert on suspicious DNS queries, long encoded domains, or abnormal web server activity indicative of web shells.
- Watch for installation or execution of unauthorized tools (RMM agents, tunneling utilities, scripting engines).
- Monitor user behavior within SaaS/enterprise apps for large data exports or abnormal access patterns.
Detection Tips
- Detect phishing patterns involving device codes, shared chatbot links, or staged conversations/social engineering chains.
- Identify command injection, RCE attempts, and exploitation chains targeting exposed services and APIs.
- Hunt for suspicious endpoint behavior such as PowerShell execution, LNK file launches, or encoded/obfuscated scripts.
- Flag abnormal process behaviors (e.g., web servers spawning shells, privilege escalation activity, reflective loading).
- Detect AI-assisted or polymorphic malware through behavior-based analytics rather than signatures alone.
About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering
Why Patching Matters
Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities.
Vigilant Managed Cyber Hygiene
Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management.
- Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications
- Critical patches, OS upgrades, and configuration updates for all devices, on/off network
- 24/7/365 U.S.-based monitoring and real-time reporting for full visibility
Stay Protected. Stay Proactive.
Learn how Fortress SRM can enhance your cybersecurity strategy

