██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

CISA Deadline: Check Point VPN Auth Bypass Under Active Attack

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 11, 2026

Share

cybr.cx — Daily Digest | June 11, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-50751 | Check Point Security Gateway | CVSS: N/A
Today is the CISA remediation deadline for this one. Check Point Security Gateway contains an authentication bypass in IKEv1 key exchange — an unauthenticated remote attacker can establish a VPN connection without valid credentials. If you haven't patched or mitigated this yet, you're already past due. Disable IKEv1 where possible and apply vendor guidance immediately.

⚠️ Actively exploited — CVE-2026-11645 | Google Chromium V8 | CVSS: N/A
An out-of-bounds read/write in Chrome's V8 engine allows remote code execution inside the sandbox via a crafted HTML page. This affects every Chromium-based browser — Chrome, Edge, Brave, and others. Drive-by exploitation is entirely viable, and CISA confirmed active exploitation on June 9. Force-update browsers enterprise-wide now.

⚠️ Actively exploited — CVE-2026-42271 | BerriAI LiteLLM | CVSS: N/A
Any authenticated user — including low-privilege internal API key holders — can execute arbitrary commands on the host running LiteLLM. This is a command injection flaw in what is increasingly a central piece of AI infrastructure. If you're running LiteLLM in an agentic pipeline or as an LLM proxy, treat this as critical regardless of CVSS.

⚠️ Actively exploited — CVE-2026-7473 | Arista EOS | CVSS: N/A
Arista switches running EOS will incorrectly decapsulate and forward unexpected tunnelled packets whose destination IP matches the device's configured decapsulation address. Active exploitation in the wild suggests threat actors are already probing network infrastructure. Patch or apply Arista's mitigation guidance without delay.

⚠️ Actively exploited — CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | CVSS: N/A
An authenticated local attacker can execute arbitrary commands as root by supplying a crafted file. The local requirement lowers the bar less than it sounds in SD-WAN environments where management access is frequently shared. Actively exploited per CISA, due date June 23.

⚠️ Actively exploited — CVE-2026-28318 | SolarWinds Serv-U | CVSS: N/A
Unauthenticated attackers can crash the Serv-U service by sending a specially crafted POST with a Content-Encoding: deflate header. This is a denial-of-service with no authentication required — straightforward to weaponise, and it's already happening in the wild.

⚠️ Actively exploited — CVE-2026-45247 | Mirasvit Full Page Cache Warmer (Magento) | CVSS: N/A
Unauthenticated RCE via a crafted serialised PHP object in the CacheWarmer cookie. Magento-based e-commerce stores running this extension are directly exposed. The remediation due date has already passed (June 6) — treat any unpatched instance as compromised.

CVE-2026-52751 | NSA Ghidra (before 12.1) | CVSS: 8.8
Unauthenticated RCE via unsafe deserialisation in Ghidra's Shared Project RMI client. A malicious ghidra:// URL triggers deserialisation of untrusted objects using a Jython 2.7.4 gadget chain when a victim opens the project via the UI. Reverse engineers working with shared project repositories — often in team or contractor environments — are the direct target surface. Upgrade to 12.1.

CVE-2026-52754 | NSA Ghidra (before 12.1) | CVSS: 8.8
Authentication bypass in PKIAuthenticationModule allows anyone with a valid CA-signed certificate to impersonate other users by presenting their public cert with a null signature. In shared reverse engineering environments, this means full repository takeover, access control modification, and exfiltration of proprietary analysis databases. Pair remediation with CVE-2026-52751 above.

CVE-2026-20251 | Splunk Enterprise / Cloud / Secure Gateway | CVSS: 8.8
Low-privileged Splunk users — those without admin or power roles — can achieve RCE via the Secure Gateway app. Affected versions span Splunk Enterprise below 10.2.4/10.0.7/9.4.12/9.3.13 and multiple Splunk Cloud Platform releases. The low privilege bar makes this particularly dangerous in environments with broad Splunk access.

CVE-2026-47932 / CVE-2026-47929 / CVE-2026-47931 | Adobe ColdFusion (≤2023.19, ≤2025.8) | CVSS: 8.8 / 8.4 / 8.4
Three distinct vulnerabilities hit ColdFusion simultaneously: a path traversal enabling security feature bypass (8.8), an incorrect authorisation flaw allowing RCE without user interaction (8.4), and an improper input validation bug also leading to RCE (8.4). ColdFusion has historically been a high-value target for ransomware operators. Apply Adobe's patches across all three CVEs as a batch.

CVE-2026-6893 | dracut (Linux initramfs tooling) | CVSS: 8.8
An adjacent-network attacker can inject commands by serving malicious DHCP options — such as a crafted hostname — to systems using dracut's legacy DHCP path. The options are written into temporary shell scripts without sanitisation, enabling command injection at boot time. Systems using network boot or DHCP-configured initramfs in untrusted network segments should prioritise this.


Headline News

Spyware Found on US Military Personnel's Phones in Israel
A significant counterintelligence incident has emerged involving US military personnel stationed in Israel who discovered commercial spyware installed on their personal and possibly work devices. The US has reportedly elevated its espionage threat assessment for the region in response. The discovery follows a broader pattern of state-grade mobile surveillance tools — historically associated with products like Pegasus and its contemporaries — being deployed against high-value targets with access to sensitive military or diplomatic information. For practitioners, this underscores a hard truth: endpoint security policy that doesn't account for physical proximity and device handling in high-risk environments is incomplete. Mobile threat defence tooling, device hygiene protocols, and strict separation of personal and government devices need to be treated as operational security requirements, not IT hygiene.

Single Errant Character Causes High-Severity Linux Privilege Escalation
Researchers have disclosed a high-severity Linux kernel vulnerability rooted in a single incorrect character in the kernel source — an exceptionally rare and instructive failure mode. The bug allows unprivileged local users to escalate to root, making it highly relevant to any multi-user Linux system, shared hosting infrastructure, or container environment where kernel namespaces are the isolation boundary. The specifics highlight how source-level correctness auditing and fuzzing remain insufficient defences when a single-character logic error can survive code review across multiple kernel versions. Practitioners running affected kernel versions should apply available patches promptly; the simplicity of the root cause will likely accelerate exploit development once PoC code circulates.


Schrödinger's Feed

The race to migrate enterprise cryptography before quantum computers break it is moving from theoretical urgency to infrastructure product. Keyfactor's newly launched Trust Control Plane aims to give organisations a unified plane for managing machine identities, certificates, and cryptographic keys — with post-quantum migration as a core design goal rather than a retrofit. The challenge it's addressing is real: most large enterprises have no centralised inventory of where classical cryptography is deployed, which makes NIST PQC algorithm migration a largely unmapped problem. Practitioners should note that the window between "start cataloguing your cryptographic assets" and "you needed to have started this two years ago" is narrowing faster than most patching cycles.


/dev/random

L'Affaire Siloxane turns out to be a forensic deep-dive into how silicone — specifically polydimethylsiloxane, the stuff in everything from shampoo to baking parchment — has been quietly contaminating mass spectrometry samples and confounding analytical chemistry results for decades. Researchers found that PDMS outgasses and deposits onto lab equipment, showing up as ghost peaks in chromatograms that have reportedly led to false positives and retracted papers. The security parallel writes itself: trace contamination from a ubiquitous, unexamined substrate quietly corrupting your signal is basically the hardware supply chain problem in a fume hood. At least with PDMS you can eventually smell the problem — your firmware can't.