Check Point VPN Flaw Exploited; CISA Deadline Already Missed
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 15, 2026
cybr.cx Daily Digest — June 15, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-50751 | Check Point Security Gateway
An improper authentication flaw in IKEv1 key exchange allows unauthenticated remote attackers to bypass credential checks entirely and establish VPN sessions without a valid password. CISA's remediation deadline has already passed (June 11), meaning any organisation still running unpatched Check Point Security Gateway appliances is likely already a target. Patch or disable IKEv1 immediately.
⚠️ Actively exploited — CVE-2026-10520 | Ivanti Sentry
An OS command injection vulnerability in Ivanti Sentry (formerly MobileIron Sentry) allows unauthenticated remote attackers to achieve root-level RCE — particularly dangerous when the appliance is in an unmanaged state. CISA's due date was June 14 — yesterday. Mobile device management infrastructure is high-value for threat actors seeking lateral movement into enterprise environments; treat this as a priority-zero patch.
⚠️ Actively exploited — CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools
A missing authentication for critical function vulnerability permits unauthenticated attackers to fully take over PeopleSoft PeopleTools instances. CISA's remediation deadline is today, June 15. PeopleSoft deployments frequently sit at the heart of HR and finance operations in large enterprises and universities — full takeover means exposure of sensitive personnel and financial data.
⚠️ Actively exploited — CVE-2026-11645 | Google Chromium V8
An out-of-bounds read/write in Chrome's V8 JavaScript engine can be triggered via a crafted HTML page, enabling arbitrary code execution inside the browser sandbox. This affects all Chromium-based browsers including Chrome, Edge, and Brave. Drive-by exploitation via malicious or compromised websites is the most likely delivery vector; ensure auto-updates are enabled and verify browser versions fleet-wide.
⚠️ Actively exploited — CVE-2026-42271 | BerriAI LiteLLM
A command injection flaw in LiteLLM allows any authenticated user — including low-privilege internal-user key holders — to run arbitrary OS commands on the host. As LiteLLM is widely used as an AI gateway in enterprise LLM deployments, this is a significant supply-chain risk for organisations that have granted broad internal API access. Audit who holds keys and apply the patch now.
⚠️ Actively exploited — CVE-2026-20245 | Cisco Catalyst SD-WAN Manager
An improper output escaping flaw in Cisco Catalyst SD-WAN Manager (formerly vManage) allows an authenticated local attacker to escalate to root by supplying a crafted file. While local access is required, SD-WAN management planes are frequent post-compromise targets; a foothold plus this bug equals full infrastructure control.
⚠️ Actively exploited — CVE-2026-7473 | Arista EOS
Arista's Extensible Operating System incorrectly decapsulates and forwards unexpected tunneled packets when the destination IP matches its configured decapsulation address. Active exploitation of network OS vulnerabilities in data centre switching fabric is particularly concerning for lateral movement and traffic interception scenarios. Check Arista's advisory for affected EOS versions and apply mitigations.
CVE-2026-12174 | D-Link DCS-935L (CVSS 8.8)
A format string vulnerability in the HTTP handler of D-Link DCS-935L firmware 1.10.01 can be triggered remotely by manipulating the data argument in /web/cgi-bin/greece/rhea. A public exploit exists. D-Link camera firmware rarely receives timely patches and these devices are frequently internet-exposed — if you have these on your network, segment or replace them.
Headline News
Silent Ransom Group Goes Physical — Law Firms Targeted with In-Person IT Impersonation
The FBI has issued a warning about the Silent Ransom Group escalating its tactics beyond phone-based vishing to include operatives physically showing up at law firm offices impersonating IT support personnel. The group's goal is direct access to workstations and sensitive client data — the kind of material that commands premium ransomware payouts or extortion leverage. What makes this particularly notable is the operational maturity it implies: physical reconnaissance, credible cover stories, and the social engineering sophistication to walk past reception. Law firms are attractive targets given attorney-client privileged communications and the volume of sensitive financial and litigation data they hold. Security teams should brief non-technical staff immediately — legitimate IT vendors should be verifiable through pre-established out-of-band channels, and unannounced physical visits should trigger an automatic escalation process.
Over 1,500 Arch Linux AUR Packages Compromised in Coordinated Malware Campaign
A large-scale supply chain attack against the Arch Linux User Repository resulted in malicious commits being injected into 1,579 community-maintained packages before the compromise was detected and the affected packages were pulled by Arch developers. The AUR, by design, is an unvetted community repository — its packages are maintained by individual contributors without the same oversight applied to official Arch repositories — making it a structurally attractive target for this kind of campaign. The scope of 1,500+ packages suggests either a coordinated group with access to multiple maintainer accounts, or a smaller number of accounts with unusually broad package ownership. Any system that installed or updated AUR packages during the window of compromise should be treated as potentially backdoored and rebuilt from a known-good state. This incident reinforces a standing practitioner concern: the convenience of community package repositories comes with inherent trust assumptions that don't always survive contact with motivated threat actors.
Anthropic Restricts AI Model Access Under US National Security Directive
Just days after launching its latest model suite, Anthropic received a government directive requiring it to cut off access for foreign nationals — a significant and largely unprecedented action in the commercial AI space. The directive underscores growing US government concern about frontier AI capabilities as a national security asset, and signals that access controls on advanced models may increasingly resemble export control regimes rather than standard terms-of-service decisions. For security practitioners, the implications are twofold: organisations with multinational teams using AI-assisted security tooling — code analysis, threat intelligence summarisation, vulnerability research — may face sudden access disruptions, and the incident highlights how AI providers can be compelled to act on opaque government orders with little notice. Teams relying on third-party AI services for any part of their security workflow should review their contingency plans for unexpected service interruption.
Schrödinger's Feed
Microsoft and Quantinuum have reported meaningful advances in quantum error correction — the long-standing practical barrier that prevents today's noisy quantum processors from running the deep circuits needed to threaten current cryptographic standards. Error correction is the discipline of detecting and fixing quantum computation errors without directly observing (and thereby collapsing) the quantum state, and progress here is what separates experimental curiosity from cryptographically relevant capability. The field is moving faster than many post-quantum migration timelines assumed when they were written. Practitioners should treat this as another data point confirming that PQC migration planning isn't a 2030 problem — NIST's finalised post-quantum standards are available now, and the window to complete orderly transitions is shrinking alongside each error-correction milestone.
/dev/random
A tool called Kage appeared this week, promising to shadow any website — full HTML, assets, the lot — into a single self-contained binary for offline viewing. The trick is compiling the entire crawled site into a portable executable that serves itself, no web server or extracted files required; you just run the binary and browse locally. It's a genuinely neat piece of engineering, and the security-adjacent thought it immediately raises is whether the same technique could be used to create convincing, distributable phishing replicas that run entirely offline and exfiltrate credentials on execution. We'll file that one under "dual-use tools that make you think for a moment" and quietly note that defenders already have enough to worry about without single-binary website clones entering the conversation.