██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Check Point Gateway Flaw Lets Attackers Bypass Auth Remotely

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 09, 2026

Share

cybr.cx Daily Digest — June 09, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-50751 | Check Point Security Gateway | CVSS: N/A
The most urgent issue in today's feed. Check Point Security Gateway contains an improper authentication flaw in its IKEv1 key exchange that allows an unauthenticated remote attacker to bypass user authentication and establish a full remote access VPN session — no valid password required. CISA's remediation deadline is June 11, meaning you have two days. If you're running Check Point VPN infrastructure, treat this as an emergency patch or mitigate IKEv1 immediately.

⚠️ Actively exploited — CVE-2026-42271 | BerriAI LiteLLM | CVSS: N/A
A command injection vulnerability in LiteLLM allows any authenticated user — including low-privilege internal-user key holders — to execute arbitrary OS commands on the host. Given LiteLLM's widespread use as an AI gateway and proxy layer, exploitation could expose the underlying infrastructure of AI-heavy environments. CISA's patch deadline is June 22 — audit who holds internal-user keys now.

⚠️ Actively exploited — CVE-2026-28318 | SolarWinds Serv-U | CVSS: N/A
An unauthenticated denial-of-service vulnerability in SolarWinds Serv-U allows an attacker to crash the file transfer service using a specially crafted POST request with a Content-Encoding: deflate header. No credentials required. For organisations using Serv-U for managed file transfer, this is an availability risk with a low attack bar. Patch by June 19.

⚠️ Actively exploited — CVE-2026-45247 | Mirasvit Full Page Cache Warmer (Magento/Adobe Commerce) | CVSS: N/A
Unauthenticated remote code execution via PHP object deserialization — an attacker simply crafts a malicious serialized payload in the CacheWarmer cookie. E-commerce platforms running this Magento extension are at direct risk of full server compromise. The CISA remediation deadline has already passed (June 6); if you haven't patched or removed this extension, assume you're exposed.

⚠️ Actively exploited — CVE-2024-21182 | Oracle WebLogic Server | CVSS: N/A
A network-accessible vulnerability over T3/IIOP protocols allows unauthenticated attackers to potentially gain complete access to WebLogic data and configuration. Oracle WebLogic remains a persistent target; T3 and IIOP should be firewalled from untrusted networks as a baseline control regardless of patch status.

⚠️ Actively exploited — CVE-2025-48595 | Android Framework | CVSS: N/A
An integer overflow in the Android Framework enables local privilege escalation via code execution. Active exploitation in the wild makes this a meaningful risk for enterprise Android fleets and BYOD environments. Push the latest Android security update to managed devices immediately.

⚠️ Actively exploited — CVE-2022-0492 | Linux Kernel | CVSS: N/A
Yes, 2022 — and still being actively exploited. A privilege escalation flaw in the cgroups v1 release_agent feature allows local users to escalate to root. Container environments that haven't disabled cgroups v1 or properly sandboxed workloads are particularly at risk. If you're running older kernel versions in containerised infrastructure, this should be on your remediation list.

CVE-2026-25559 | OpenBullet2 ≤ 0.3.2 | CVSS: 8.8
A path traversal vulnerability in the wordlist endpoint allows authenticated attackers to read, write, and delete arbitrary files — and chain these primitives into full remote code execution by manipulating system files. OpenBullet2 is widely used in credential-stuffing toolkits; if you're monitoring for its presence in your environment (or running it legitimately for security testing), update immediately.

CVE-2026-11498 / 11503 / 11504 / 11522 / 11524 / 11528 | Tenda Routers (Multiple Models) | CVSS: 8.8 each
A cluster of stack-based buffer overflow vulnerabilities across Tenda HG7, HG9, HG10, CX12L, W20E, and AC18 routers, all remotely exploitable via their web management interfaces. Exploits are publicly disclosed for most of these. If these devices are internet-exposed — common in SMB and residential deployments — they're a straightforward target. Disable remote management or replace end-of-life hardware.

CVE-2026-11517 | UTT HiPER 2610G ≤ 3.0.0-171107 | CVSS: 8.8
A buffer overflow in the DNS filter configuration endpoint of UTT HiPER 2610G routers, exploitable remotely via a manipulated GroupName argument. Public exploit available. Network edge devices with publicly disclosed RCE bugs and no imminent patch are a bleak combination — segment or replace.


Headline News

ShinyHunters Dumps 234 GB of DentaQuest Data on 2.6 Million People

The ShinyHunters extortion group has published a 234 GB archive of data allegedly stolen from DentaQuest, a dental benefits administrator serving millions of Americans. The dump follows failed ransom negotiations — a now-familiar pattern from this group, which has previously executed high-profile extortion campaigns against Ticketmaster and others. Data reportedly includes personally identifiable and potentially protected health information for approximately 2.6 million individuals. For practitioners, the incident is a reminder that healthcare-adjacent benefits administrators frequently hold PHI at scale while operating with security maturity well below that of primary healthcare providers. Detection and response timelines in this sector remain a persistent weak point, and downstream notification obligations under HIPAA will now trigger a lengthy regulatory process.

Cisco SD-WAN Zero-Day Under Active Exploitation — No Patch Available

Cisco has disclosed CVE-2026-20245, a critical privilege escalation vulnerability in Catalyst SD-WAN Manager that is currently being actively exploited in the wild with no patch yet available. The flaw allows attackers to elevate privileges within the management plane, potentially enabling lateral movement across SD-WAN fabric. Cisco has confirmed limited observed exploitation, but in enterprise WAN environments, "limited" can mean significant blast radius depending on the deployment. With no fix in hand, defenders should focus on restricting management interface access, reviewing audit logs for anomalous privilege activity, and applying any available workarounds from Cisco's advisory. This continues a troubling pattern of SD-WAN management plane vulnerabilities being weaponised before vendors can ship fixes.

The Disclosure Lag Problem: 1,000 Breaches and Getting Worse

An analysis tracking a milestone of 1,000 catalogued data breaches finds that the time between a breach occurring and public or victim notification is not improving — it's getting worse. Despite regulatory frameworks in multiple jurisdictions mandating disclosure windows, the gap between initial compromise and disclosure continues to widen, leaving affected individuals exposed for extended periods without the ability to take protective action. The analysis highlights structural incentives that reward delayed disclosure — liability management, ongoing incident response, and negotiation with threat actors — over timely transparency. For security practitioners, the operational implication is stark: you cannot rely on vendor or partner breach notifications as a timely signal; proactive monitoring for credential exposure and third-party risk telemetry is the only realistic defence.


Schrödinger's Feed

The U.S. Department of Energy and Japan's science and trade ministries have announced a $1 billion joint strategic partnership focused on quantum and advanced computing research — marking Japan as the first international partner at this funding tier. The scale of the commitment signals that quantum is firmly in the national-security infrastructure conversation, not just the academic one. For the cryptography community, large state-level investment in quantum hardware acceleration compresses the timeline estimates for when cryptographically relevant quantum computers might emerge. Practitioners who haven't yet begun post-quantum cryptography migration planning should treat announcements like this as a calendar accelerant, not background noise.


/dev/random

Apple has apparently decided that the best AI architecture is someone else's: the company revealed it is rebuilding its on-device and cloud AI stack around Google Gemini models — a plot twist that would have sounded like satire two years ago. The integration raises genuinely interesting questions about trust boundaries, since Apple has long marketed device-side processing as a privacy feature, and Gemini inference presumably doesn't live exclusively in Cupertino's secure enclave. It also means that two of the largest platform vendors in the world now share a dependency on the same underlying model, which is the kind of single point of failure that gives supply chain security people stress dreams. On the bright side, at least we now know what it looks like when a trillion-dollar company decides its moat is distribution, not models.