██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Ivanti Sentry Zero-Day Exploited: Patch Deadline Tomorrow

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 12, 2026

Share

cybr.cx | Daily Digest — June 12, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-10520 | Ivanti Sentry | No CVSS in NVD feed
An OS command injection vulnerability in Ivanti Sentry (formerly MobileIron Sentry) allows a remote, unauthenticated attacker to achieve root-level RCE. CISA added this on June 11 with a remediation deadline of June 14 — that's tomorrow. If your MDM stack includes Sentry appliances in an unmanaged state, this needs to be your first call of the day.

⚠️ Actively exploited — CVE-2026-11645 | Google Chromium V8
An out-of-bounds read/write in the V8 JavaScript engine can be triggered by a crafted HTML page, enabling arbitrary code execution inside the browser sandbox. This affects Chrome, Edge, and any Chromium-derived browser — which is most of them. Verify your enterprise browser fleet has received recent updates; auto-update silent failures are common in locked-down environments.

⚠️ Actively exploited — CVE-2026-50751 | Check Point Security Gateway
An improper authentication flaw in IKEv1 key exchange allows an unauthenticated remote attacker to bypass password validation and establish a Remote Access VPN session entirely without credentials. The CISA remediation deadline has already passed (June 11). If you haven't patched or disabled IKEv1 on your Check Point gateways, assume your VPN perimeter is not holding.

⚠️ Actively exploited — CVE-2026-20245 | Cisco Catalyst SD-WAN Manager
An authenticated local attacker can escalate to root by supplying a crafted file, exploiting improper output escaping. While local access is required, the active exploitation designation means threat actors are chaining this — likely following initial access via phishing or credential theft. Deadline: June 23.

⚠️ Actively exploited — CVE-2026-42271 | BerriAI LiteLLM
Any authenticated user — including those holding low-privilege internal-user API keys — can execute arbitrary OS commands on the LiteLLM host. If your organisation is running LiteLLM as an AI gateway (increasingly common in enterprise AI stacks), treat all API key holders as potential RCE vectors until patched.

⚠️ Actively exploited — CVE-2026-7473 | Arista EOS
A comparison logic flaw in Arista's Extensible Operating System causes switches to incorrectly decapsulate and forward unexpected tunnelled packets matching the configured decapsulation IP. This can be abused to redirect traffic through network infrastructure silently. Deadline: June 23.

⚠️ Actively exploited — CVE-2026-28318 | SolarWinds Serv-U
An unauthenticated attacker can crash the Serv-U service by sending a POST request with a Content-Encoding: deflate header, triggering uncontrolled resource consumption. No authentication required, no complexity — this is a trivially weaponisable DoS against file transfer infrastructure. Patch deadline: June 19.

CVE-2026-7870 | IBM i 7.3–7.6 | CVSS 8.8
An unqualified library call in IBM i allows a regular user to run attacker-controlled code with administrator privileges. High CVSS, broad version coverage across a platform widely used in financial and government environments — prioritise if IBM i is in scope.

CVE-2026-10795 | UpdraftPlus WordPress Plugin ≤1.26.4 | CVSS 8.1
Insufficient validation of the remote communications message format allows attackers to bypass signature verification entirely and achieve authentication bypass. UpdraftPlus is one of the most installed WordPress backup plugins — a large attack surface for automated exploitation campaigns.

CVE-2026-53738 | Copy & Delete Posts WordPress Plugin ≤1.5.4 | CVSS 8.1
Any non-admin WordPress user with the plugin role enabled can invoke all operations in the cdp_action_handling AJAX handler, including deleting posts and overwriting plugin settings. Straightforward privilege abuse; update or remove the plugin.

CVE-2026-11774 | 389 Directory Server (389-ds-base) | CVSS 7.6
An integer overflow in the SASL I/O layer causes unsigned wraparound to zero when processing a crafted SASL packet length prefix of 0xFFFFFFFC, bypassing the nsslapd-maxsasliosize limit and enabling a heap buffer overflow of up to ~2MB of attacker-controlled data. LDAP infrastructure running 389-ds should be patched promptly.

CVE-2026-10142 / CVE-2026-10143 | kafka-python <2.3.2 | CVSS 7.5
Two denial-of-service vulnerabilities in kafka-python: the first allows a malicious or MitM broker to exhaust client memory via an unbounded 4-byte frame length; the second freezes the client event loop by supplying an inflated SCRAM iteration count passed directly to pbkdf2_hmac() without validation. Both are exploitable by a rogue broker. Upgrade to 2.3.2.


Headline News

Miasma Worm Source Code Leaked on GitHub
The source code for the Miasma credential-stealing worm — a framework that has been actively targeting open-source software supply chains — was briefly published on GitHub before being taken down. Even a short availability window is significant: it's sufficient for threat actors to clone, fork, and adapt the code before takedowns complete. Miasma has been observed conducting supply-chain attacks against open-source ecosystems, meaning the leak could accelerate the emergence of derivative variants with modified signatures that existing detections won't catch. Defenders maintaining internal package registries or monitoring PyPI, npm, and similar repositories should refresh detection rules and review recent dependency ingestion logs.

FBI Seizes 13 Chinese Fake Job Recruitment Websites Targeting Cleared US Personnel
Federal authorities seized 13 fraudulent job recruiting websites allegedly operated by Chinese government agents as part of a campaign to identify and cultivate sources among American security clearance holders. The sites were designed to appear as legitimate recruiting platforms, gathering detailed employment histories and personal information from applicants — classic intelligence collection tradecraft adapted for the digital era. This is a timely reminder that spearphishing and social engineering against cleared personnel increasingly bypasses technical controls entirely, operating through seemingly mundane professional interactions. Security teams supporting defence contractors or government clients should reinforce user awareness around unsolicited recruiting outreach and verify that personnel reporting obligations cover online contact with foreign entities.

CISA Moves to Compress Federal Patch Windows, Citing AI-Accelerated Threats
CISA has issued updated guidance directing US federal agencies to patch certain critical vulnerabilities within as few as three days, a dramatic compression of previous timelines, driven explicitly by the agency's assessment that AI tooling is accelerating adversary exploit development. The directive reflects a broader strategic concern: the time between CVE publication and weaponised exploitation is collapsing, and the traditional 15–30 day federal patch cycle is no longer defensible. For practitioners outside the federal space, the directive signals a posture shift worth mirroring — particularly for internet-exposed infrastructure. Today's KEV list, with its June 14 deadline for the Ivanti Sentry RCE, is a concrete illustration of exactly the scenario CISA is responding to.


Schrödinger's Feed

Alice & Bob has unveiled the Helium Quantum System, a full-stack, on-premise quantum computing platform built around a noise-biased cat-qubit architecture — a design approach that exploits the physics of coherent states to suppress bit-flip errors at the hardware level, potentially requiring far fewer physical qubits per logical qubit than conventional approaches. The transition from selling chips to delivering integrated on-premise machines is a maturity signal: cat-qubit hardware is moving from lab curiosity toward deployable research infrastructure. For cryptography specifically, fault-tolerant architectures like this are the prerequisite for the kind of large-scale quantum computation that could eventually threaten RSA and ECC at meaningful key sizes. Practitioners who haven't started PQC migration planning should note that the hardware roadmap is no longer purely theoretical — treat it as a slow-burning deadline.


/dev/random

The Hacker News community spent part of this week enthusiastically upvoting a website that trains your ears to identify musical intervals and chords. It is, objectively, an excellent tool — and a gentle reminder that the same community that reverse-engineers firmware and audits cryptographic libraries also apparently harbours a surprising number of frustrated musicians. Tonedear.com presents interval recognition exercises in the browser with no account required, which, given this week's authentication bypass CVEs, is arguably the most secure login experience in today's digest. Perfect pitch not included; patch management skills assumed.