CISA Flags Five Actively Exploited Vulnerabilities; Patch Now
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 18, 2026
cybr.cx Daily Digest — June 18, 2026
Critical Vulnerabilities
No new CVEs meeting the CVSS ≥ 7.0 threshold were published to NVD in the last 24 hours — but the CISA KEV queue is anything but quiet. Five actively exploited vulnerabilities demand immediate attention.
⚠️ Actively exploited — CVE-2026-10520 | Ivanti Sentry (formerly MobileIron Sentry)
An unauthenticated OS command injection flaw in Ivanti Sentry allows a remote attacker to achieve root-level RCE without any credentials. The attack surface is widened when the appliance is in an unmanaged state — a condition that isn't uncommon in large deployments. CISA's remediation deadline has already passed (June 14). If you haven't patched or isolated these appliances, treat this as an active incident response situation.
⚠️ Actively exploited — CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools
A missing authentication vulnerability allows an unauthenticated remote attacker to fully take over PeopleSoft PeopleTools instances. PeopleSoft underpins HR, finance, and student information systems at universities, hospitals, and government agencies worldwide — the blast radius here is significant. CISA's remediation deadline was June 15, meaning any unpatched internet-facing instance is already overdue. Prioritise isolation or emergency patching immediately.
⚠️ Actively exploited — CVE-2026-20262 | Cisco Catalyst SD-WAN Manager
An authenticated path traversal vulnerability in Cisco's Catalyst SD-WAN Manager lets a remote attacker create or overwrite arbitrary files on the underlying filesystem. While authentication is required, the exploitability of post-auth file write primitives in network management platforms is well-documented — attackers with any foothold can pivot hard. Remediation deadline is June 29, but given active exploitation, don't wait.
⚠️ Actively exploited — CVE-2026-54420 | LiteSpeed cPanel Plugin
A symlink-following vulnerability in LiteSpeed's cPanel plugin enables a user with FTP or web shell access on a shared hosting server (running CloudLinux/CageFS) to break out of their cage and traverse to other users' files. This is a shared hosting escape — exactly the kind of issue that gets quietly mass-exploited against hosting providers before anyone notices. Today is CISA's remediation deadline.
⚠️ Actively exploited — CVE-2026-48907 | Widget Factory Joomla Content Editor
An improper access control flaw in the Widget Factory Joomla Content Editor plugin allows unauthenticated users to create new editor profiles and abuse them to upload and execute arbitrary PHP code. That's unauthenticated remote code execution on any Joomla site running this plugin. CISA's deadline is tomorrow (June 19). Disable or remove the plugin now if you can't patch immediately.
Headline News
Rokarolla Android Trojan Targets 217 Banking and Crypto Apps
A newly documented Android banking trojan dubbed Rokarolla has emerged with an unusually broad target list — 217 banking and cryptocurrency applications — and an extensive command set of 137 distinct instructions. The malware gives operators a granular, scriptable capability against victims: intercepting SMS-based OTPs, overlaying login screens, exfiltrating credentials, and interacting with crypto wallet interfaces. What makes Rokarolla noteworthy beyond its target breadth is the operational sophistication implied by that command architecture — this isn't a commodity builder kit. Security teams supporting BYOD programmes or mobile banking deployments should push detection signatures and consider whether their mobile threat defence tooling can identify the C2 patterns. Users with unofficial APKs installed remain the highest-risk population.
Hackers Repurposing Legitimate Remote Access Tools as Stealthy Backdoors
HP's latest threat intelligence report flags a growing trend that should concern every blue team: attackers are no longer dropping obvious malware — they're subverting tools like AnyDesk, TeamViewer, and similar RMM software into persistent, hard-to-detect backdoors. Because these applications are whitelisted, generate expected network traffic, and appear in process lists as legitimate software, traditional signature-based detection largely misses them. Initial access is being achieved through trojanised downloads and fake update lures, after which the legitimate tool is reconfigured to phone home to attacker-controlled infrastructure. The practical implication is that alert fatigue around remote access tool telemetry is actively being weaponised — defenders need behavioural baselines for these tools, not just presence checks, and should audit which RMM binaries in their environment have outbound connections to non-corporate endpoints.
US Holds Off on Blacklisting DeepSeek Amid Broader AI Security Review
The US government has opted not to formally blacklist Chinese AI firm DeepSeek for now, even as more than 100 other companies have been designated as security risks in the same review process. The decision reflects the complexity of regulating AI models that are already widely deployed, open-weight, and mirrored globally — a blacklisting may have limited practical effect compared to the signal it sends. From a security practitioner standpoint, the more relevant concern is that DeepSeek's models have been self-hosted inside enterprise environments and government-adjacent organisations without consistent vetting of the model weights or inference infrastructure. The broader list of 100+ newly designated firms is worth monitoring as it will likely inform future procurement restrictions and supply chain guidance.
Schrödinger's Feed
IonQ has announced the Clavis XG Multiplex, a new addition to its Quantum Key Distribution portfolio designed to make QKD more practical for metropolitan network deployment — essentially, quantum-secured key exchange at infrastructure scale. QKD is one of the few quantum security technologies with near-term deployability, and multiplex configurations address a longstanding bottleneck around channel capacity and cost-per-link. Separately, PsiQuantum has broken ground on a $940M AUD utility-scale photonic quantum computing facility in Queensland, Australia, signalling that the "when will quantum be real" question is increasingly being answered in concrete and steel. Practitioners working on cryptographic roadmaps should note that the gap between quantum hardware announcements and cryptographically-relevant capability is narrowing faster than many migration timelines assume — if your PQC transition plan is still in draft, the clock is genuinely ticking.
/dev/random
The US government has formally reviewed DeepSeek and more than 100 other firms for national security risks — and then decided not to blacklist DeepSeek specifically, which is itself a kind of bureaucratic Schrödinger's cat. The firm is simultaneously "a security concern significant enough to review" and "not quite a security concern significant enough to act on," a distinction that will no doubt bring great comfort to every sysadmin who already has it running on-premises. The other 100+ firms on the list presumably lack DeepSeek's talent for existing in a policy superposition. We await the government's forthcoming review of whether the review of the review constitutes a security risk.