Mid-year 2026 is shaping up like 2024 and 2025 before it: edge devices, identity gateways, and the supply chain keep getting wrecked. Here are the ten CVEs every blue team should already have triaged, patched, hunted, and written a detection for — with the “why it matters” and a quick defender action for each.
All ten are either in the CISA Known Exploited Vulnerabilities (KEV) catalog, confirmed exploited in the wild, or showing mass in-the-wild reconnaissance as of June 2026. Patch is step one — detection and hunt are non-negotiable.
1. CVE-2026-3055 — Citrix NetScaler ADC / Gateway “CitrixBleed 3”
CVSS: 9.3 (Critical) · Type: Unauthenticated memory overread
Third “bleed” in three years. Malformed requests to /saml/login (omitting AssertionConsumerServiceURL) or /wsfed/passive?wctx= leak kilobytes of process memory — including session tokens. Mass exploitation against unpatched, internet-facing SAML IdP appliances has been observed since late March.
Defender action: Patch immediately, then rotate every session, token, and credential handled by the appliance. Hunt for unexpected source IPs reusing valid session cookies. Companion bug CVE-2026-4368 chains for full session hijack.
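A starting point for the "valid cookie, unexpected source" hunt, added here as an example (not code from this post or from Citrix). It assumes you can export the gateway's HTTP access logs into a simple one-request-per-line form, that the AAA session cookie is NSC_AAAC, and the log lines are constructed; swap LINE_RE for your real syslog/ADC format.

```python
"""Hunt for NetScaler AAA session-cookie reuse across client IPs.

Added example; not code from the post or from Citrix. Assumptions: HTTP
access logs can be exported in a "ts client method path Cookie=..." form
(constructed below), and the AAA session cookie is named NSC_AAAC.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one legitimate user (10.1.1.5) and one external
# host that touches the SAML/WS-Fed endpoints, then presents that user's cookie.
SAMPLE_LOG = """\
2026-06-18T09:00:01Z 10.1.1.5 GET /logon/LogonPoint/tmindex.html Cookie=NSC_AAAC=abc123
2026-06-18T09:00:05Z 10.1.1.5 GET /cgi/GetAuthMethods Cookie=NSC_AAAC=abc123
2026-06-18T09:01:10Z 203.0.113.40 POST /saml/login Cookie=-
2026-06-18T09:01:12Z 203.0.113.40 GET /wsfed/passive?wctx=x Cookie=-
2026-06-18T09:02:30Z 203.0.113.40 GET /cgi/GetAuthMethods Cookie=NSC_AAAC=abc123
2026-06-18T09:03:00Z 10.1.1.9 GET /logon/LogonPoint/tmindex.html Cookie=NSC_AAAC=def456
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) Cookie=(?P<cookie>\S+)$"
)
COOKIE_NAME = "NSC_AAAC"                           # assumed session cookie name
PREAUTH_PATHS = ("/saml/login", "/wsfed/passive")  # endpoints named in the advisory


def parse_log(text):
    """Turn raw lines into event dicts; 'session' is the NSC_AAAC value or None."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["session"] = None
        for part in ev["cookie"].split(";"):
            name, _, value = part.partition("=")
            if name == COOKIE_NAME and value:
                ev["session"] = value
        events.append(ev)
    return events


def find_cookie_reuse(events):
    """Sessions presented by more than one client IP, with the IP that used them first."""
    first_ip, ips = {}, defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["session"] is None:
            continue
        first_ip.setdefault(ev["session"], ev["src"])
        ips[ev["session"]].add(ev["src"])
    return {
        s: {"first_ip": first_ip[s], "other_ips": sorted(ips[s] - {first_ip[s]})}
        for s in ips
        if len(ips[s]) > 1
    }


def preauth_probers(events):
    """Client IPs that touched the pre-auth SAML / WS-Fed endpoints."""
    return {
        ev["src"] for ev in events
        if ev["path"].split("?", 1)[0].startswith(PREAUTH_PATHS)
    }


def hunt(text):
    """One finding per (session, foreign IP); flags IPs that also hit pre-auth paths."""
    events = parse_log(text)
    probers = preauth_probers(events)
    findings = []
    for session, info in find_cookie_reuse(events).items():
        for ip in info["other_ips"]:
            findings.append({
                "session": session,
                "owner_ip": info["first_ip"],
                "reusing_ip": ip,
                "also_probed_preauth": ip in probers,
            })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

Run it over a day of logs and every finding with `also_probed_preauth` set is a hijack candidate worth escalating; the other findings are mostly roaming users and proxies, which is why the script reports the first-seen IP rather than blocking anything on its own.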
2. CVE-2026-25089 — Fortinet FortiSandbox unauthenticated RCE
CVSS: 9.8 · Type: OS command injection (pre-auth)
Patched in Fortinet’s June 2026 Patch Tuesday and weaponised within days. A remote, unauthenticated attacker executes arbitrary commands on the appliance — which by design sits next to your most sensitive detonation telemetry. Often chained with an auth-bypass for full root.
Defender action: Patch, restrict management plane to admin VLANs, and review submitted samples / API jobs for the last 90 days. If you ingested FortiBleed’s leaked credential dataset (see #10), assume keys are burnt.
3. CVE-2026-1281 & CVE-2026-1340 — Ivanti EPMM zero-days
CVSS: 9.8 · Type: Unauthenticated RCE chain
Two flaws in Ivanti Endpoint Manager Mobile, dropped together as zero-days in January and added to the KEV catalog soon after. Mass-exploited through Q1/Q2 2026, often as the foothold for ransomware affiliates pivoting into MDM-managed mobile fleets and the corporate AD behind them.
Defender action: Patch to the fixed branch, audit EPMM mifs.log for unexpected groovy/Java payloads, and treat any enrolled device with anomalous certificate issuance as compromised.
4. CVE-2026-0234 — Ivanti Connect Secure pre-auth command injection
CVSS: 9.8 · Type: Pre-authentication command injection
Yet another Connect Secure (née Pulse Secure) chain — exploited as a zero-day before disclosure, then combined with a second bug for persistent root. State-aligned actors used it for VPN-pivoting espionage; criminal crews followed within weeks.
Defender action: Patch, run Ivanti’s Integrity Checker Tool (ICT) after reboot, and rebuild appliances that show ICT mismatches rather than trusting in-place remediation. Hunt for outbound beacons from VPN concentrators — they shouldn’t have any.
5. CVE-2026-32201 — Microsoft SharePoint Server zero-day
CVSS: 9.1 · Type: Improper input validation / network spoofing, no auth, no UI
Addressed in the April 2026 Patch Tuesday, but more than 1,300 servers were still publicly exposed and unpatched at last count. Pre-auth, no user interaction, no special conditions — the textbook drive-by zero-day. Frequently paired with the SharePoint RCE CVE-2026-20963 (insecure deserialization) for full code execution.
Defender action: Patch on-prem SharePoint this week if you haven’t. Hunt for anomalous w3wp.exe child processes, spinstall-style web shells, and outbound traffic from SharePoint to non-Microsoft IP space.
6. F5 BIG-IP source-code leak — BRICKSTORM backdoor campaign
Why it’s on the list: Not a single CVE — a campaign enabled by leaked source code
State-linked operators have been seen using internal F5 BIG-IP source artefacts to develop the BRICKSTORM backdoor and chain undisclosed bugs against enterprise load balancers. Even fully patched BIG-IP devices need active hunting until F5 finishes its triage cycle.
Defender action: Subscribe to F5’s emergency advisory feed, restrict TMUI/management to a jumphost, and hunt for the IoCs published by Mandiant/Resecurity for BRICKSTORM (long-lived TCP beacons from BIG-IP to cloud VPS providers).
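The "long-lived TCP beacons from BIG-IP" hunt, written out as an added example (not F5's, Mandiant's or Resecurity's code). It assumes you can export connection records (source, destination, port, start, end) from NetFlow or the BIG-IP connection table; the self-IPs, the allow-listed vendor range and the flow records below are all constructed.

```python
"""Flag long-lived outbound TCP connections from BIG-IP self-IPs.

Added example; not F5's, Mandiant's or Resecurity's code. Assumes exported
connection records as (src, dst, dport, start, end); everything below is
constructed.
"""
import ipaddress
from datetime import datetime

BIGIP_SELF_IPS = {"10.0.0.10", "10.0.0.11"}                 # assumed: your BIG-IP addresses
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_DST = [ipaddress.ip_network("198.51.100.0/24")]      # assumed: vendor update range
MIN_SECONDS = 3600                                          # anything open over an hour is suspect

SAMPLE_FLOWS = [  # constructed: (src, dst, dport, start, end)
    ("10.0.0.10", "198.51.100.7", 443,  "2026-06-18T01:00:00", "2026-06-18T01:00:04"),
    ("10.0.0.10", "192.0.2.55",   443,  "2026-06-18T01:10:00", "2026-06-18T09:45:00"),
    ("10.0.0.11", "10.20.0.5",    8080, "2026-06-18T02:00:00", "2026-06-18T08:00:00"),
    ("10.5.5.5",  "192.0.2.55",   443,  "2026-06-18T03:00:00", "2026-06-18T03:00:01"),
]


def is_external(ip):
    """True for destinations outside internal space and not on the allow-list."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS + ALLOWED_DST)


def duration_seconds(start, end):
    """Connection lifetime from ISO-8601 start/end timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds()


def long_lived_beacons(flows, min_seconds=MIN_SECONDS):
    """Outbound flows from a BIG-IP to an external host that stayed open >= min_seconds."""
    hits = []
    for src, dst, dport, start, end in flows:
        if src not in BIGIP_SELF_IPS or not is_external(dst):
            continue
        secs = duration_seconds(start, end)
        if secs >= min_seconds:
            hits.append({"src": src, "dst": dst, "dport": dport, "seconds": int(secs)})
    return hits


if __name__ == "__main__":
    for hit in long_lived_beacons(SAMPLE_FLOWS):
        print(hit)
```

A load balancer has no business holding an eight-hour TCP session to a cloud VPS, so the single hit here is exactly the shape the published IoCs describe; the internal-network and allow-list filters are what keep health checks and vendor update traffic out of the queue.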
7. Mastra npm supply-chain compromise (Sapphire Sleet)
Why it’s on the list: Post-install payload in a widely-used AI-agent package
Microsoft’s Threat Intelligence team disclosed in June that the Mastra npm package was compromised by Sapphire Sleet, with the malicious payload delivered via the package postinstall script. Build agents and developer workstations are the blast radius.
Defender action: Pin and audit lockfiles, block postinstall network egress from CI runners, and search npm/CI logs for the compromised versions. Rotate any credentials that touched a build host between the compromised release and the takedown.
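A lockfile audit that covers the "pin, audit, and search for the compromised versions" steps, added as an example (not code from this post, from Microsoft or from the Mastra project). It reads the `lockfileVersion` 3 layout npm 7+ writes, flags watch-listed versions, packages that declare install hooks, and tarballs resolved outside the registry; the lockfile and the version in the watchlist are constructed placeholders, so take the real affected versions from Microsoft's advisory.

```python
"""Scan a package-lock.json for watch-listed packages, install hooks and
off-registry tarballs.

Added example; not code from the post, Microsoft or the Mastra project.
The lockfile below is constructed and the watchlist version is a placeholder.
"""
import json

# Placeholder watchlist: package name -> set of affected versions (NOT real data)
WATCHLIST = {"mastra": {"0.0.0-PLACEHOLDER"}}
REGISTRY_HOST = "https://registry.npmjs.org/"

# Constructed lockfileVersion 3 document ("packages" keyed by install path)
SAMPLE_LOCK = json.loads("""
{
  "name": "agent-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "agent-app", "dependencies": {"mastra": "0.0.0-PLACEHOLDER", "left-pad": "1.3.0"}},
    "node_modules/mastra": {
      "version": "0.0.0-PLACEHOLDER",
      "resolved": "https://registry.npmjs.org/mastra/-/mastra-0.0.0-PLACEHOLDER.tgz",
      "integrity": "sha512-PLACEHOLDER",
      "hasInstallScript": true
    },
    "node_modules/left-pad": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER"
    },
    "node_modules/mirror-dep": {
      "version": "2.0.0",
      "resolved": "https://mirror.example.test/mirror-dep-2.0.0.tgz",
      "integrity": "sha512-PLACEHOLDER"
    }
  }
}
""")


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (text after the last node_modules/)."""
    return path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock, watchlist=WATCHLIST):
    """Return (path, reason) findings; an empty list means nothing was flagged."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name, version = package_name(path), meta.get("version")
        if version in watchlist.get(name, set()):
            findings.append((path, f"watch-listed version {name}@{version}"))
        if meta.get("hasInstallScript"):
            findings.append((path, "declares an install/postinstall script"))
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY_HOST):
            findings.append((path, f"resolved outside the registry: {resolved}"))
        if not meta.get("integrity"):
            findings.append((path, "missing integrity hash"))
    return findings


if __name__ == "__main__":
    with open("package-lock.json") as fh:
        for path, reason in scan_lockfile(json.load(fh)):
            print(f"{path}: {reason}")
```

Pair this with `npm ci --ignore-scripts` on CI runners: the lockfile scan tells you which packages want to run install hooks, and the flag stops them from running at all on build hosts that have no reason to execute them.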
8. FortiClient EMS — CVE-2026-35616 patch-cycle weaponisation (EKZ infostealer)
Type: Trojanised “patch”, malware delivery
An interesting twist: attackers piggy-backed on the May 2026 Fortinet patch cycle to deliver the EKZ infostealer disguised as a legitimate FortiClient EMS update. Admins racing to remediate became the initial access vector.
Defender action: Only pull Fortinet updates from authenticated vendor channels — never mirrors. Verify GPG/PE signatures. Alert on EMS console processes spawning curl / powershell / unsigned binaries.
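The two process-tree hunts above (#5, w3wp.exe children on SharePoint; #8, the EMS console spawning curl / powershell / unsigned binaries) are the same rule with different parents, so here is one added example covering both (not code from this post, Microsoft or Fortinet). Records are constructed in a Sysmon Event ID 1-like shape; the EMS console image name and path are assumptions, so substitute the real binary name from your EMS host.

```python
"""Hunt process-creation telemetry for risky children of web-server and
management-console processes.

Added example; not code from the post, Microsoft or Fortinet. Records are
constructed (Sysmon Event ID 1-like fields). The EMS console image name and
its path are ASSUMED.
"""
import ntpath

SHELLS_AND_DOWNLOADERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe",
    "certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe",
}
WATCHED_PARENTS = {
    "w3wp.exe": "SharePoint IIS worker (w3wp.exe)",   # on-prem SharePoint app pool
    "fcems.exe": "FortiClient EMS console (fcems.exe)",  # ASSUMED image name
}

SAMPLE_EVENTS = [  # constructed
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami", "Signed": True},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",   # ASP.NET dynamic compile: benign
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig", "Signed": True},
    {"ParentImage": r"C:\ASSUMED_EMS_PATH\fcems.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File update.ps1", "Signed": True},
    {"ParentImage": r"C:\ASSUMED_EMS_PATH\fcems.exe",
     "Image": r"C:\ProgramData\updt.exe", "CommandLine": "updt.exe", "Signed": False},
    {"ParentImage": r"C:\Windows\explorer.exe",                  # parent not watched: ignored
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe", "Signed": True},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Reason string if the event matches a rule, else None."""
    parent = basename(event["ParentImage"])
    if parent not in WATCHED_PARENTS:
        return None
    child = basename(event["Image"])
    if child in SHELLS_AND_DOWNLOADERS:
        return f"{WATCHED_PARENTS[parent]} spawned shell/downloader {child}"
    if not event.get("Signed", False):
        return f"{WATCHED_PARENTS[parent]} spawned unsigned binary {child}"
    return None


def hunt(events):
    """(child name, reason) for every event that trips a rule."""
    results = []
    for event in events:
        reason = classify(event)
        if reason is not None:
            results.append((basename(event["Image"]), reason))
    return results


if __name__ == "__main__":
    for child, reason in hunt(SAMPLE_EVENTS):
        print(f"{child}: {reason}")
```

The csc.exe record is the edge case to keep in mind: SharePoint's worker process legitimately compiles ASP.NET pages, so a rule that fires on every w3wp.exe child will drown you in noise; keying on a shell/downloader list plus signature status keeps that out while still catching the web-shell and trojanised-update cases.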
9. Node.js June 2026 security release — the LTS triple-patch
Severity: High · Type: Multiple memory and HTTP parser bugs
Node.js shipped emergency security releases on 17 and 18 June 2026. Several of the patched bugs affect the HTTP/2 stack and the permission model — meaning containers and serverless runtimes that allow arbitrary user code are squarely in scope.
Defender action: Roll forward on every Node LTS line in production (20.x / 22.x / 24.x as applicable). Treat unpatched Node images in your registry as a risk asset and rebuild downstream containers, not just base images.
10. FortiBleed credential dump — 73,932 firewalls exposed
Type: Aggregated credential leak from prior Fortinet bug chain
The 17 June 2026 “FortiBleed” dataset is the cumulative payoff of every Fortinet credential-leaking bug from the last 18 months. Roughly 74,000 firewalls’ admin credentials are now circulating, and credential-spraying activity is already documented in Security Affairs coverage and CISA advisories.
Defender action: Treat any Fortinet appliance whose admin password has not been rotated since 17 June 2026 as compromised. Enforce MFA on the management plane, lock admin access to a bastion, and review configuration backups for unauthorised admin accounts or VPN tunnels.
The defender’s checklist — do these today
- Cross-check your asset inventory against the CISA KEV catalog — not your CVSS-sorted scanner queue.
- Patch the edge first: NetScaler, FortiSandbox, FortiClient EMS, Ivanti EPMM & ICS, on-prem SharePoint.
- Assume credentials handled by any vulnerable appliance are burnt. Rotate, don’t reuse.
- Hunt — don’t just patch. CitrixBleed 3 and the Ivanti chains all leave durable post-exploitation artefacts.
- Lock down the supply chain: pin npm lockfiles, block postinstall network egress in CI, verify vendor update signatures.
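The first checklist item in code, as an added example (not CISA's tooling): re-rank a scanner export so KEV-listed CVEs come first regardless of CVSS. Field names follow the KEV JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the feed excerpt (CVE IDs from this post, placeholder dates), asset names and the non-KEV finding CVE-2026-0000 are constructed, so in practice load the downloaded feed with `json.load()` in place of `KEV_SAMPLE`.

```python
"""Re-rank scanner findings by CISA KEV membership, not CVSS.

Added example; not CISA's code. Field names follow the KEV JSON feed; the
excerpt, asset names and CVE-2026-0000 below are constructed placeholders.
"""
import json

# Constructed KEV excerpt: CVE IDs are from this post, dueDate values are placeholders.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-3055",  "vendorProject": "Citrix",    "product": "NetScaler ADC and Gateway",      "dueDate": "PLACEHOLDER"},
  {"cveID": "CVE-2026-1281",  "vendorProject": "Ivanti",    "product": "Endpoint Manager Mobile (EPMM)", "dueDate": "PLACEHOLDER"},
  {"cveID": "CVE-2026-0234",  "vendorProject": "Ivanti",    "product": "Connect Secure",                 "dueDate": "PLACEHOLDER"},
  {"cveID": "CVE-2026-32201", "vendorProject": "Microsoft", "product": "SharePoint Server",              "dueDate": "PLACEHOLDER"}
]}
""")

# Constructed scanner export; CVE-2026-0000 stands in for a high-CVSS finding that is NOT in KEV.
SCANNER_FINDINGS = [
    {"asset": "app-03",    "cve": "CVE-2026-0000",  "cvss": 10.0},
    {"asset": "sp-web-02", "cve": "CVE-2026-32201", "cvss": 9.1},
    {"asset": "vpn-gw-01", "cve": "CVE-2026-0234",  "cvss": 9.8},
    {"asset": "ns-gw-01",  "cve": "CVE-2026-3055",  "cvss": 9.3},
]


def kev_index(feed):
    """cveID -> KEV entry, for cheap membership and product lookups."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def triage_queue(findings, feed):
    """KEV-listed findings first, CVSS descending inside each group."""
    index = kev_index(feed)
    rows = []
    for f in findings:
        entry = index.get(f["cve"])
        rows.append(dict(f, in_kev=entry is not None,
                         kev_product=entry["product"] if entry else None))
    return sorted(rows, key=lambda r: (not r["in_kev"], -r["cvss"]))


def kev_coverage(findings, feed):
    """Share of distinct CVEs in the scan that are KEV-listed (0.0 .. 1.0)."""
    index = kev_index(feed)
    cves = {f["cve"] for f in findings}
    return len(cves & set(index)) / len(cves) if cves else 0.0


if __name__ == "__main__":
    for row in triage_queue(SCANNER_FINDINGS, KEV_SAMPLE):
        flag = "KEV" if row["in_kev"] else "   "
        print(f"{flag} {row['cvss']:>4} {row['cve']:<15} {row['asset']}")
    print(f"KEV coverage of this scan: {kev_coverage(SCANNER_FINDINGS, KEV_SAMPLE):.0%}")
```

The point of the sort key is that the CVSS 10.0 placeholder drops to the bottom of the queue: a score tells you how bad a bug could be, while KEV membership tells you someone is already using it.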
References: CISA KEV catalog, MSRC April/June 2026 advisories, Fortinet PSIRT advisories, Ivanti security bulletins, Citrix Cloud Software Group security advisories, Microsoft Threat Intelligence blog (Sapphire Sleet / Mastra), Node.js security releases June 2026, Security Affairs FortiBleed coverage.
— elvis.hk, 20 June 2026