Ivanti Sentry Flaw Lets Attackers Seize Root Control Remotely
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 16, 2026
cybr.cx Daily Digest — June 16, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-10520 | Ivanti Sentry | CVSS: Not scored in feed
An OS command injection vulnerability in Ivanti Sentry (formerly MobileIron Sentry) allows unauthenticated remote attackers to achieve root-level code execution — particularly dangerous when the appliance is in an unmanaged state. CISA's remediation deadline has already passed (June 14), meaning any unpatched deployment should be treated as compromised. Patch or isolate immediately.
⚠️ Actively exploited — CVE-2026-50751 | Check Point Security Gateway | CVSS: Not scored in feed
An improper authentication flaw in IKEv1 key exchange lets unauthenticated remote attackers bypass user authentication entirely and establish VPN connections without valid credentials. Active exploitation means threat actors are almost certainly using this to pivot into enterprise networks through what's supposed to be the security perimeter. Disable IKEv1 where possible and apply vendor patches.
⚠️ Actively exploited — CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools | CVSS: Not scored in feed
A missing authentication vulnerability allows unauthenticated attackers to fully take over PeopleSoft Enterprise PeopleTools instances. CISA's remediation deadline was June 15 — yesterday. PeopleSoft environments commonly handle HR, finance, and payroll data, making this an extremely high-value target. If you haven't patched, assume exposure.
⚠️ Actively exploited — CVE-2026-20262 | Cisco Catalyst SD-WAN Manager | CVSS: Not scored in feed
A path traversal vulnerability allows authenticated remote attackers to create or overwrite arbitrary files on affected SD-WAN Manager systems. Combined with a companion KEV entry (CVE-2026-20245) that allows authenticated local attackers to execute commands as root, the two flaws together represent a credible escalation chain across Cisco's SD-WAN infrastructure. Remediation due June 29 — don't wait.
⚠️ Actively exploited — CVE-2026-11645 | Google Chromium V8 | CVSS: Not scored in feed
An out-of-bounds read/write in Chromium's V8 JavaScript engine enables sandbox escape via a crafted HTML page, affecting Chrome, Edge, and any Chromium-based browser. Drive-by exploitation via malicious web pages makes this a broad, low-friction attack surface. Ensure browsers across your fleet are updated.
⚠️ Actively exploited — CVE-2026-54420 | LiteSpeed cPanel Plugin | CVSS: Not scored in feed
A symlink-following vulnerability in the LiteSpeed cPanel plugin can be exploited by users with FTP or web shell access on shared hosting servers running CloudLinux/CageFS to escape their confinement. Particularly relevant for managed hosting providers and shared infrastructure operators. Remediation due June 18 — this is urgent for hosters.
⚠️ Actively exploited — CVE-2026-42271 | BerriAI LiteLLM | CVSS: Not scored in feed
A command injection flaw in LiteLLM allows any authenticated user — including low-privilege internal-user key holders — to execute arbitrary commands on the host. As LiteLLM is widely deployed as an AI gateway in enterprise and startup environments, this is an especially timely risk given the current AI infrastructure boom. Patch or restrict access immediately.
CVE-2026-12186 & CVE-2026-12187 | GL.iNet GL-MT3000 (≤4.4.5) | CVSS: 8.8
Two separate command injection vulnerabilities exist in the GL-MT3000 travel router: one in the Tor Proxy Service Configuration Handler (replace_country function), and one in the Online Firmware Upgrade Handler. Both are remotely exploitable and have public exploits available. Upgrade to firmware 4.7.
CVE-2026-52720 | GStreamer librfb (RFB/VNC client) | CVSS: 8.8
A heap buffer overflow in GStreamer's VNC client component allows a malicious VNC server to send a rectangle with dimensions that pass an area-based bounds check but still extend beyond the framebuffer, resulting in an out-of-bounds heap write and potential code execution. Users connecting to untrusted VNC servers are at risk. Patch GStreamer or block connections to unknown VNC endpoints.
CVE-2016-20075 | WordPress Ultimate Product Catalog (≤3.8.6) | CVSS: 8.8
Authenticated users with contributor-level access or above can upload arbitrary PHP files via custom product fields, then execute them directly from the upcp-product-file-uploads directory. The low authentication bar makes this particularly dangerous on multi-author WordPress sites. Update the plugin immediately.
Headline News
LinkedIn Job Offer Delivers Backdoor to Unsuspecting Developer
A detailed post-mortem is circulating describing how a threat actor used a convincing LinkedIn recruitment approach to deliver a backdoored code challenge to a developer. The attack followed a now-familiar pattern associated with North Korean-linked campaigns: a plausible recruiter persona, a realistic-looking technical assessment, and a malicious repository that executed code on clone or build. What's notable here is the operational polish — the repo appeared professionally maintained, with a legitimate-looking commit history designed to reduce suspicion. This is a live threat vector actively targeting software engineers and security researchers, particularly those working in cryptocurrency, fintech, and defence-adjacent roles. Practitioners should treat any unsolicited code execution request from a recruitment context — however credible — as a potential intrusion attempt, and run unknown repositories in isolated environments.
Arch Linux AUR Hit by Another Wave of More Sophisticated Malware
The Arch Linux User Repository (AUR) is seeing a renewed and increasingly sophisticated wave of malware-laced packages, with attackers apparently evolving their techniques following earlier detection and removal efforts. The AUR's community-maintained, trust-based model has always carried inherent risk — packages are not vetted before submission — but the escalating sophistication of this campaign suggests organised actors rather than opportunistic script kiddies. The malware has reportedly become better at evading automated scanning and behavioural detection, making community vigilance and manual review more critical than ever. For security teams managing developer workstations running Arch or derivatives, this is a concrete supply-chain risk: developers installing AUR packages without careful source review may be inadvertently introducing backdoors into build environments. Audit installed AUR packages, prefer well-established packages with active maintainers, and consider AUR helper configurations that prompt for PKGBUILD review before installation.
Schrödinger's Feed
Oxford physicists have engineered a new class of Schrödinger's cat-like quantum states using components that are themselves deeply quantum in nature — a step beyond prior cat-state experiments that relied on more classical control elements. The technique leverages one-way quantum synchronisation to create more resilient quantum superpositions, which could translate directly into reduced error rates in quantum computation. For cryptographers and security architects, error-resilient quantum hardware accelerates the timeline toward cryptographically relevant quantum computers. If your post-quantum migration plan is still in the "we'll get to it" phase, Oxford's lab is quietly shortening your runway.
/dev/random
TinyWind is a browser-based pixel sailing game with a genuinely unusual differentiator: it models real wind physics, sourcing actual meteorological data to drive in-game conditions. Players have collectively sailed over 380,000 kilometres across its procedural seas, which is — for a game that essentially runs in a browser tab — an impressive number. It's a reminder that "realistic physics" doesn't require a AAA budget or a GPU farm, just a good API call and some clever rendering. Somewhere out there, a threat analyst is stress-testing their incident response reflexes between tacking manoeuvres.