This Month in Security: June 2026, Record 208-CVE Patch Tuesday, FortiBleed Exposes 86K Firewalls, Ubiquiti Zero-Days Hit CVSS 10.0, and Operation Endgame Returns

June 30, 2026
-
Jordan Darrah

June 2026 was the busiest month of the year for defenders. Microsoft shipped its largest Patch Tuesday to date, with more than 200 CVEs, including three zero-days and a wormable Windows Kernel TCP/IP remote code execution flaw that researchers are already racing to exploit. The FortiBleed campaign was one of the most serious credential exposure events in Fortinet's history. Verified administrator credentials from over 86,000 internet-facing FortiGate firewalls circulated on criminal forums across 194 countries before CISA and the UK NCSC issued emergency warnings. CISA added three Ubiquiti UniFi OS vulnerabilities rated CVSS 10.0 to its Known Exploited Vulnerabilities catalog. The trio can be chained into unauthenticated root code execution, and automated mass exploitation created rogue administrator accounts on exposed devices within days of disclosure. Cisco disclosed its seventh Catalyst SD-WAN zero-day of 2026, a flaw Mandiant confirmed attackers had used for months before public disclosure while covering their tracks with careful anti-forensic cleanup. On the law enforcement side, Europol, Microsoft, and more than a dozen private partners dismantled infrastructure for the SocGholish, Amadey, and StealC malware families in another phase of Operation Endgame. Nintendo of America confirmed that employee data was stolen through a third-party HR SaaS provider in a breach claimed by the extortion group Shadowbyt3$.


Critical Zero-Day Exploits


The flaws exploited this month hit perimeter networking gear, browser engines, and enterprise management systems. Both state-sponsored actors and ordinary criminals were active.

  • Ubiquiti UniFi OS Triple Zero-Day (CVE-2026-34908 / 34909 / 34910, CVSS 10.0): CISA added three critical Ubiquiti UniFi OS vulnerabilities to its KEV catalog on June 23, with a federal remediation deadline of June 26. All three carry perfect CVSS 10.0 scores. CVE-2026-34908 is an improper access control flaw allowing any network-adjacent attacker to make unauthorized system changes; CVE-2026-34909 is a path traversal vulnerability exposing credentials and configuration files; CVE-2026-34910 is a command injection flaw enabling arbitrary code execution as root. Researchers at Bishop Fox confirmed the trio can be chained into a fully unauthenticated remote code execution attack sequence. Active exploitation came fast. Threat researchers observed automated attacks creating rogue administrator accounts named "John Sim" within days of the advisory, with exploit traffic originating from a Mirai loader and botnet deployment already underway. Patches are available in UniFi OS Server version 5.0.8, released May 21, 2026. (CISA, BleepingComputer, Cybersecurity News, Cybernews)
  • Cisco Catalyst SD-WAN Manager Zero-Day (CVE-2026-20245, CVSS 7.8): Disclosed June 5, this command injection flaw in the Cisco Catalyst SD-WAN Manager CLI is the seventh Cisco SD-WAN vulnerability exploited in 2026. An authenticated attacker with netadmin privileges can upload a specially crafted file (in confirmed attacks, named evil_tenant.csv) to execute arbitrary commands as root. Mandiant reported that an unknown threat actor exploited the flaw at a service provider at least two months before public disclosure, establishing a rogue root-level account ("troot") and covering their tracks by restoring configuration files and deleting forensic evidence after each action. The attacker chain began with unauthorized SD-WAN peering connections likely exploiting two prior undisclosed flaws (CVE-2026-20127 and CVE-2026-20182), then escalated to root via CVE-2026-20245. Patches became available June 12. CISA added it to the KEV catalog on June 9. (The Hacker News, Google Cloud / Mandiant, Help Net Security, Security Affairs, SecurityWeek)
  • Google Chrome V8 Zero-Day (CVE-2026-11645, CVSS 8.8): Google's June 8 Stable Channel release patched 74 security issues, calling out CVE-2026-11645 as a high-severity out-of-bounds read and write vulnerability in Chrome's V8 JavaScript engine, exploited in the wild before the patch. A remote attacker can execute arbitrary code inside Chrome's sandbox via a crafted HTML page. No user interaction beyond visiting a malicious page is required. CISA added it to the KEV catalog with a remediation date of June 23. The vulnerability affects not only Chrome itself but any Chromium-derived browser and embedded runtime, including Electron applications and headless browser deployments. (CISA, Penligent / CVE Analysis)
  • Microsoft Defender "RoguePlanet" Zero-Day (CVE-2026-41091): The one actively exploited flaw in June's Patch Tuesday, this elevation of privilege vulnerability in Microsoft Defender was credited to multiple independent researchers, which usually signals active exploitation in the wild. The flaw grants SYSTEM-level privileges on compromised endpoints. Most environments are protected automatically via Defender's self-update mechanism, but isolated or air-gapped environments with update delays should treat this as a priority. (Zero Day Initiative, Security Affairs)
  • PTC Windchill and FlexPLM RCE (CVE-2026-12569): An improper input validation vulnerability in PTC's Windchill PLM and FlexPLM platforms allows unauthenticated remote attackers to execute arbitrary code via a malicious network request. CISA added it to the KEV catalog on June 25. Windchill and FlexPLM are widely deployed in the manufacturing, aerospace, defense, and automotive sectors for product lifecycle management, so compromise of these platforms can expose engineering designs, supply chain data, and regulated technical documentation. (CISA)
  • Cisco Unified Communications Manager SSRF (CVE-2026-20230): A server-side request forgery vulnerability in Cisco Unified CM and Unified CM SME, also added to the KEV catalog on June 25, allows an unauthenticated remote attacker to write files to the underlying operating system, which can subsequently be used to escalate to root. A public proof-of-concept exploit has been available since shortly after disclosure. (CISA, The Hacker News)

Notable Threats and Incidents


June's biggest incidents were a large-scale credential compromise, a third-party breach at Nintendo, and one of the largest law enforcement takedowns of cybercrime infrastructure to date.

  • FortiBleed: 86,644 Fortinet Firewall Credentials Exposed: Discovered June 13 by security researcher Volodymyr "Bob" Diachenko, who stumbled onto an open threat actor server, FortiBleed is the largest industrialized credential-harvesting campaign in Fortinet's history. A Russian-speaking threat group executed approximately 1.16 billion credential attempts against more than 320,000 internet-facing FortiGate targets, cracking administrator password hashes using a 45-GPU cluster running Hashtopolis, and producing a verified database of working credentials for 86,644 unique devices across 194 countries, roughly half of all internet-facing Fortinet firewalls globally. Researchers Kevin Beaumont and Hudson Rock confirmed the credentials are authentic and recent, with the dataset spanning organizations including Foxconn, Samsung, Comcast, Siemens, Oracle, PwC, Accenture, and multiple government agencies. The campaign exploited a weakness in FortiOS credential management: when administrators upgrade firmware, existing passwords remain stored as crackable SHA-256 hashes until the administrator manually logs in after the upgrade. CISA issued an emergency alert on June 18; the UK NCSC issued a global warning the same day. (CISA, SecurityWeek, Help Net Security, Arctic Wolf, Recorded Future, BitSight)
  • Operation Endgame Phase 2: Amadey, StealC, and SocGholish Infrastructure Dismantled: Between June 15 and 19, Europol coordinated a multi-nation law enforcement operation involving agencies from Canada, Denmark, Germany, the Netherlands, the UK, and the US, alongside private partners including Microsoft, Bitdefender, IBM X-Force, Proofpoint, Infoblox, Shadowserver, and Orange Cyberdefense. The operation targeted three malware families that form the opening stages of the ransomware attack chain: SocGholish (linked to Evil Corp, spread via compromised WordPress sites), Amadey (a paid dropper service operating since October 2018), and StealC (a credential and identity-harvesting tool). Microsoft had linked both Amadey and StealC to over 140,000 infected computers worldwide in just the first two weeks of May. By hitting the loader infrastructure rather than the ransomware payload, Operation Endgame attacked the economics of the entire "cybercrime-as-a-service" ecosystem. Europol described it as the largest international operation ever undertaken against ransomware enablers. (Security Affairs, CyberHub Podcast)
  • Nintendo of America Third-Party Breach (Shadowbyt3$): On June 12 and 13, extortion-as-a-service group Shadowbyt3$ claimed to have stolen 859 MB of data from TinyPulse, a WebMD Health Services employee engagement platform used by Nintendo of America. The group demanded a $2 million ransom and threatened to publish employee names, email addresses, W-9 tax forms, bank statement PDFs, internal survey analytics, and progress plans spanning 2016 to 2026. Nintendo of America confirmed a loss "limited to internal survey content comprising a small subset of our employees," stating that Nintendo's own systems were not compromised and no customer or financial data was accessed. Shadowbyt3$, which has operated since October 2025 as a financially motivated extortion group, previously claimed breaches of Starbucks AWS cloud storage. The incident shows attackers going after loosely secured SaaS integrations instead of hardened enterprise perimeters. (Nintendo Life, TechRadar, Cybernews, Hackread)
  • Oxford University CareerConnect Data Breach: On June 1, Oxford University identified a breach of its CareerConnect student career services platform. Attackers gained unauthorized access to personal information including first names, last names, and email addresses of CareerConnect users. The number of records exposed remains under investigation. (SharkStriker)
  • TVING User Data Leak: South Korean streaming platform TVING confirmed on June 3 that unauthorized external access had exposed user personal data including IDs, names, birth dates, phone numbers, email addresses, passwords, and refund account numbers. The scale of the breach remains under investigation. (SharkStriker)
  • Joomla Content Editor Improper Access Control (CVE-2026-48907): CISA added a Widget Factory Joomla Content Editor improper access control vulnerability to its KEV catalog on June 16, confirming active exploitation. The flaw allows attackers to bypass authorization controls in the widely used CMS plugin, giving them write access to content and potentially full site compromise on unpatched installations. (CISA)


Policy and Framework Updates


Federal guidance in June focused on credential hygiene at perimeter scale, the growing attack surface of network edge devices, and the operational lessons of the Cisco SD-WAN disclosure pattern.

  • CISA Emergency Alert on FortiBleed: On June 18, CISA issued an emergency advisory directing organizations to immediately terminate all active SSL VPN and administrative sessions on Fortinet devices, reset all FortiGate VPN and administrative passwords, enforce MFA on all remote and administrative access, restrict management interfaces to trusted internal networks, and review logs for unauthorized access. The advisory was updated June 22 to incorporate Fortinet's own hardening guidance. This is the second Fortinet-related emergency alert of 2026, following the April advisory on FortiClient EMS exploitation. (CISA)
  • Cisco SD-WAN: An Architectural Problem: CVE-2026-20245 is the seventh actively exploited Cisco Catalyst SD-WAN zero-day of 2026. The concentration of vulnerabilities in overlapping components (the vdaemon service, the CLI layer, and the NETCONF channel) and the repeated use of anti-forensic cleanup by attackers point to an architectural problem rather than a patch management one. Security researchers and Mandiant have both pointed to the management plane design as a structural risk that patch cadence alone cannot resolve. Organizations relying on SD-WAN infrastructure should move beyond individual CVE remediation toward a full architectural review of SD-WAN trust models. (CyberAngel, Cloud Security Alliance)
  • KEV Catalog Expansions Throughout June: CISA added vulnerabilities across six separate KEV updates in June: Arista EOS, Chrome V8, and Cisco SD-WAN CVE-2026-20245 on June 9; Joomla Content Editor on June 16; Ubiquiti UniFi OS (three flaws) and Lantronix EDS5000 on June 23; and PTC Windchill/FlexPLM and Cisco Unified CM on June 25. The breadth spanned network operating systems, browsers, CMS plugins, industrial PLM platforms, industrial serial-to-Ethernet converters, and enterprise communications infrastructure. The exploited attack surface now spans nearly every category of software. (CISA KEV Catalog)


June Patches and Vulnerabilities


  • Microsoft Patch Tuesday: Record 208 CVEs: Microsoft released its largest-ever single monthly security update on June 9, addressing between 198 and 208 CVEs depending on counting methodology, with 37 to 38 rated Critical. This is the second record-breaking release in four months, following April's then-record 167 CVEs. Zero Day Initiative's Dustin Childs noted the total CVE count shipped by Microsoft in 2026 through June already exceeds the total shipped in all of 2018. One vulnerability was confirmed as actively exploited at release; three others were publicly disclosed before patches were available. AI-assisted code analysis is widely credited as the structural driver behind the sustained volume increase. (CrowdStrike, Zero Day Initiative, Security Affairs, BleepingComputer, Cybersecurity News)
  • Windows Kernel TCP/IP RCE (CVE-2026-45657, CVSS 9.8): A use-after-free and heap-based buffer overflow in the way the Windows Kernel handles TCP/IP allows remote, unauthenticated attackers to execute arbitrary code at SYSTEM level with no user interaction. Microsoft classifies it as "Exploitation Less Likely," but Zero Day Initiative has flagged it as wormable and noted that every researcher with a disassembler is working to reproduce the attack. Patch it before a working exploit appears. (Zero Day Initiative, The Cyber Express)
  • HTTP.sys RCE (CVE-2026-47291, CVSS 9.8): An integer overflow and heap-based buffer overflow in the Windows HTTP Protocol Stack allows unauthenticated remote attackers to execute code on any Windows server exposing web services, with no user interaction. Systems using the default MaxRequestBytes registry value of 16,384 bytes are not affected, a rare case where a default configuration actually helps. Microsoft has introduced a MaxHeadersCount registry setting as an additional mitigating control. (CrowdStrike, GBHackers)
  • Windows BitLocker Bypass "YellowKey" / "Bitskrieg" (CVE-2026-45585 / CVE-2026-50507): Three BitLocker bypass vulnerabilities were patched this month, two of which, "YellowKey" (CVE-2026-45585) and "Bitskrieg" (CVE-2026-50507), were publicly disclosed by researcher Nightmare Eclipse before patches were available. Both require physical or local access to bypass full-disk encryption protections, reducing remote risk, but they are significant for organizations relying on BitLocker as the last line of defense for lost or stolen hardware. The researcher has publicly threatened follow-on exploit drops. Enabling TPM+PIN authentication (rather than TPM-only) mitigates both. (Arctic Wolf, Security Affairs)
  • Secure Boot: Ten "Scope Change" Patches: Ten Secure Boot patches in June's release carry CVSS "scope change" ratings, meaning exploitation breaks out of the vulnerable component into boot integrity, Virtual Secure Mode, and pre-OS execution. The bulk are credited to researcher Alon Leviev, whose prior BootKitty and BlackLotus-adjacent research has shaped understanding of boot-path attacks. These patches, combined with the now-passed June 26 Secure Boot certificate expiration deadline, make boot integrity the highest-priority operational item for any environment that delayed certificate renewal. (Arctic Wolf)
  • Remote Desktop Client Cluster (11 CVEs, 4 Critical): Remote Desktop Client received the largest single-component cluster in the June release, with eleven RCE CVEs including Critical-rated CVE-2026-44801, CVE-2026-44799, CVE-2026-42992, and CVE-2026-42985. Successful exploitation can achieve code execution when a user connects to a malicious RDP server or opens a crafted .rdp file. Phishing campaigns delivering pre-configured RDP files directly to users represent the most likely delivery vector. (Cybersecurity News, Arctic Wolf)
  • Windows Hyper-V Guest Escape (CVE-2026-47652 / 45641 / 45607): Three Critical RCE vulnerabilities in Windows Hyper-V allow VM guest escape and code execution on the hypervisor host. In virtualized environments, host compromise from a guest is the highest-severity outcome possible. It breaks the isolation boundary that cloud and on-premises virtualization depend on. (Cybersecurity News)
  • Adobe June Patch Day: Adobe patched 123 unique CVEs across 11 products including Acrobat Reader, ColdFusion, Experience Manager and Experience Manager Forms, InDesign, InCopy, Substance 3D Sampler, Content Credentials SDK, Dreamweaver, Format Plugins, and Adobe Campaign Classic. ColdFusion and Campaign Classic represent the highest deployment risk for organizations running server-side Adobe infrastructure and should be prioritized. (Zero Day Initiative)


Key Takeaways for Staying Secure

  • Treat FortiBleed as an Active Incident, Not a Future Risk: With 86,644 verified working credentials in criminal hands covering roughly half of all internet-facing FortiGate devices, this is not a theoretical exposure. Immediately terminate all active SSL VPN and administrative sessions, rotate all FortiGate administrator and VPN credentials, enable MFA on every remote access and administrative path, and restrict management interfaces to trusted internal IPs. After upgrading FortiOS, require every administrator to log in at least once to force re-encryption of password hashes to PBKDF2. If logs show indicators of compromise, engage Fortinet TAC. Credential rotation alone will not secure a device that is already compromised.
  • Patch Ubiquiti UniFi OS Immediately and Hunt for "John Sim": CVE-2026-34908/34909/34910 are being mass-exploited by botnet operators chaining them into unauthenticated root access. Upgrade to UniFi OS Server 5.0.8, review all administrator accounts for unauthorized entries, particularly any account named "John Sim," and audit recent configuration changes. Isolate UniFi controllers from direct internet exposure; their management interfaces should be reachable only from trusted VLANs or VPN.
  • Respond to Cisco SD-WAN as an Incident, Not a Patch: CVE-2026-20245 was exploited months before disclosure, and the attacker's anti-forensic cleanup means a clean log review does not confirm you were unaffected. If your SD-WAN infrastructure was internet-accessible between late 2025 and June 2026, run the request admin-tech command on all control plane components before upgrading, preserve the output, engage Cisco TAC, and audit for the "troot" account and unexpected authorized peers. Then upgrade to the fixed releases. Do both, in that order.
  • Fast-Track June's Microsoft Patches: Two Wormable CVEs Demand Urgency: CVE-2026-45657 (Windows Kernel TCP/IP, CVSS 9.8, wormable) and CVE-2026-47291 (HTTP.sys, CVSS 9.8) are the highest-priority items in the record-breaking June release. Verify that the MaxRequestBytes registry value is at or below 65,534 bytes as an interim control for HTTP.sys while you deploy the patch, and prioritize Netlogon, Hyper-V, Remote Desktop, and BitLocker components alongside the two wormable flaws.
  • Audit Third-Party SaaS and HR Platform Integrations: Nintendo's breach was not a compromise of Nintendo's own systems. It was a compromise of TinyPulse, a third-party HR platform, which had access to sensitive employee data including W-9 forms, bank details, and internal survey data spanning a decade. Inventory every third-party SaaS integration that holds aggregated employee or customer data, review their security posture and incident history, enforce data minimization, and ensure contractual breach notification obligations are in place.
  • Enforce Browser Update Automation Across All Chromium Runtimes: CVE-2026-11645 enables sandbox-level code execution via a single crafted HTML page with no user interaction beyond navigation. The hard part is not patching Chrome itself. It is making sure every Chromium-derived runtime in your environment has actually restarted into the patched version. Audit Electron applications, headless browser deployments, Chromium-based kiosk systems, and CEF-based embedded browsers alongside desktop Chrome.
  • Prioritize Boot Integrity Now: The June 26 Deadline Has Passed: The Secure Boot certificate expiration deadline of June 26, 2026 is no longer upcoming. It has now passed. Organizations that have not completed certificate validation and renewal face an immediate risk of boot-chain blocking and, with ten new Secure Boot scope-change patches in June's release plus Alon Leviev's ongoing research, an expanding set of pre-OS attack vectors. If your environment missed the deadline, treat this as an emergency change request.
  • Review Your Security Posture: When needed, reach out to a trusted provider to review your security posture, like Cloud Security Partners.


About the Author

Jordan Darrah is a Security Consultant at Cloud Security Partners. Jordan's interest in IT started when she was working as a menswear fashion designer and bridal seamstress. Since then, she has built a diverse technical background spanning hardware repair, systems administration, regulatory compliance, and penetration testing.

Currently, Jordan specializes in application and cloud security assessments, where she evaluates system vulnerabilities and conducts penetration tests. Jordan holds multiple industry certifications, including CISSP, eJPT, and CompTIA PenTest+. She also runs an OSCP study group and maintains a blog where she breaks down concepts and tools for new security professionals.
