• Request consultation
  • Newsletter
  • Deutsch Deutsch German de
  • English English English en
  • Italiano Italiano Italian it
  • Nederlands Nederlands Dutch nl
Greenbone
  • Products
    • OPENVAS BASIC
      • OPENVAS BASIC: Order
    • OPENVAS SCAN
    • Upcoming Solutions
      • OPENVAS SECURITY INTELLIGENCE
      • OPENVAS AI
    • Solutions for Your Sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
        • OPENVAS vs. Nessus
      • Roadmap & Lifecycle
  • Service & Support
    • Technical Support
    • Self-Learning Courses
    • Documents
  • Events
    • Cybersec Europe 2026
    • Webinars
  • Partners
    • MSSP
  • About Greenbone
    • Careers
    • Contact
  • Blog
    • Know-how
      • Attack Vector Timeline
      • Cyberattacks and Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • Digital Operational Resilience Act
      • Exposure Management
      • IT and Information Security
      • NIS2 Directive
      • Open Source Vulnerability Management
      • The Vulnerability Timeline
  • Click to open the search input field Click to open the search input field Search
  • Menu Menu
  • Products
    • OPENVAS BASIC
      • OPENVAS BASIC: Order
    • OPENVAS SCAN
    • Upcoming Solutions
      • OPENVAS SECURITY INTELLIGENCE
      • OPENVAS AI
    • Solutions for your sector
      • Educational Sector
      • Healthcare Sector
      • Public Sector
    • Technology
      • Feed Comparison
      • Product Comparison
        • OPENVAS vs. Nessus
      • Roadmap and Lifecycle
    • Request IT Security
  • Service & Support
    • Technical Support
    • Self-Learning Courses
    • Documents
  • Events
    • Cybersec Europe 2026
    • Webinars
  • Partners
    • MSSP
  • About Greenbone
    • Careers
    • Contact
    • Newsletter
  • Our Blog
    • Know-how
      • Attack Vector Timeline
      • Cyberattacks and Defense
      • Cyber Defense Security
      • Cyber Resilience Act
      • Data Security
      • Digital Operational Resilience Act
      • Exposure Management
      • IT and Information Security
      • NIS2 Directive
      • Open Source Vulnerability Management
      • The Vulnerability Timeline
  • German
  • English
  • Italian
  • Dutch
Joseph Lee

June 2026 Threat Report: Technical Debt Demands Visibility

Blog

June 2026 Threat Report: technical debt demands visibility

The true impact that cyber security aware AI will have on the global threat landscape remains to be seen. By some reports, the CVE output for software made by major vendors is on the rise. This June 2026 threat report only scratches the surface of the major cyber security threats from this month. The month brought a concentrated wave of actively exploited enterprise vulnerabilities, with CISA logging multiple new additions to its Known Exploited Vulnerabilities (KEV) catalog throughout the month. At least one new critical perimeter network exploit was tied to an active ransomware affiliate.

Greenbone’s vulnerability coverage extends far beyond major, headline-grabbing IT security events, such as the ones in this monthly threat report, and keeps pace with the onslaught of AI driven disclosures. Grabbing a copy of OPENVAS SCAN with a free two-week trial of the OPENVAS ENTERPRISE FEED is a surefire way to gain the deepest insight into where software vulnerabilities exist in your organization’s IT infrastructure.

Here are some of the top emerging threats to enterprise IT security from June 2026.

CVE-2026-20253: Unauthenticated RCE in Splunk Enterprise Actively Exploited

CVSS 9.8 · CriticalActively exploitedIn CISA KEVPublic PoC

CVE-2026-20253 (CVSS 9.8, EPSS ≥ 95th pctl) allows an unauthenticated remote attacker to create or truncate arbitrary files in Splunk Enterprise 10.2 before 10.2.4 and 10.0 before 10.0.7. The flaw is due to missing authentication [CWE-306] on a PostgreSQL sidecar service endpoint. Splunk confirmed limited in-the-wild exploitation, and CISA has added the flaw to KEV. A full technical description with PoC exploit code has been published by WatchTowr demonstrating unauthenticated RCE. Shadowserver tracked more than 1,400 internet-exposed Splunk instances.

CVE-2026-20253 is patched in Splunk Enterprise 10.2.4 and 10.0.7, and customers should upgrade immediately. If patching is not possible, exploitation can be prevented by disabling the PostgreSQL sidecar service. However, disabling the service may disrupt Edge Processor, OpAmp, or SPL2 data pipelines. The OPENVAS ENTERPRISE FEED includes a remote analysis check and a separate remote banner check to identify affected instances.

CVE-2026-28318: SolarWinds Serv-U Exploited in DoS Attacks

CVSS 7.5 · HighActively exploitedIn CISA KEVPublic PoC

CVE-2026-28318 (CVSS 7.5, EPSS ≥ 60th pctl) allows an unauthenticated remote attacker to cause a denial of service (DoS) in SolarWinds Serv-U Managed File Transfer and FTP Server. CISA added the flaw to its KEV catalog; however, no campaign attribution has been made. A technical description has been published. Exploitation is achieved by simply including the Content-Encoding: deflate request header and can crash the Serv-U service. The flaw is caused by uncontrolled resource consumption [CWE-400] in crafted HTTP POST request handling.

There is significant risk of operational disruption to exposed file transfer servers used in regulated sectors such as healthcare, finance, and government. Exposed Serv-U instances were originally reported to be more than 12,000 by Shodan and roughly 3,000 by Shadowserver. However, Shodan detection had since fallen to less than 10,000 by the end of June.

SolarWinds advises customers to install Serv-U 15.5.4 Hotfix 1 immediately. If patching cannot be done right away, users can block POST requests containing the Content-Encoding: deflate header without losing any functionality. The OPENVAS ENTERPRISE FEED includes a remote banner check to detect vulnerable instances.

Living on the Edge: Emerging Threats to Perimeter Security

Vulnerabilities in network perimeter devices are particularly high risk because they are exposed to attack by arbitrary remote attackers. According to the latest Verizon DBIR 2026 report, exploiting publicly exposed software vulnerabilities is now the most common vector for initial access globally. Here are some of the most critical emerging threats to perimeter devices in June 2026.

CVE-2026-50751: Check Point Security Gateway Exploited in Ransomware Attacks

CVSS 9.3 · CriticalActively exploitedIn CISA KEVPublic PoCRansomware-linked

CVE-2026-50751 (CVSS 9.3, EPSS ≥ 98th pctl) and CVE-2026-50752 (CVSS 7.4, EPSS ≥ 90th pctl) affect Check Point VPN Remote Access, Mobile Access, Security Gateways, and Spark Firewalls. CVE-2026-50751 is being actively exploited with at least one post-compromise case linked to a Qilin ransomware affiliate. CISA has added CVE-2026-50751 to its KEV catalog. The first attacks were observed on May 7, 2026. A few dozen organizations have been targeted globally. PoC exploit code and a full technical description are publicly available for CVE-2026-50751. CVE-2026-50752 is not reported as actively exploited.

The CVEs are described below:

  • CVE-2026-50751 (CVSS 9.3, EPSS ≥ 98th pctl): Unauthenticated remote attackers can establish VPN access through a logic-flow and certificate-validation weakness in IKEv1 deployments.
  • CVE-2026-50752 (CVSS 7.4, EPSS ≥ 90th pctl): Could allow unauthenticated attackers to conduct adversary-in-the-middle attacks against VPN site-to-site connections.

Check Point has published recommendations for removing support for legacy protocols, upgrading affected instances to fixed versions, and provides additional security hardening advice [1][2]. The OPENVAS ENTERPRISE FEED includes remote banner detection for Gaia, Check Point’s unified security OS for Security Gateways, Security Management products, Software Blades, Check Point appliances, and Open Servers. Check Point Gaia version R80.20, R80.40, R81, R81.10, R81.20, R82, and R82.10 are affected.

Three CVSS 10 Flaws in Ubiquiti UniFi OS Allow Unauthenticated RCE

CVSS 10 · CriticalExploited as zero-dayIn CISA KEV

Three new CVSS 10 flaws affecting UniFi OS systems have been published and added to CISA’s KEV list. The flaws collectively allow attackers to modify underlying operating-system files and accounts, and execute commands. User reports indicate the flaws were likely exploited as zero-days to create rogue administrator accounts. Risk is elevated because UniFi OS devices centrally manage network infrastructure, making successful compromise a potential path for lateral movement into enterprise environments.

The CVEs are described below:

  • CVE-2026-34908 (CVSS 10): An attacker with network access can exploit an improper access control vulnerability [CWE-284] in UniFi OS devices to make unauthorized changes to the system.
  • CVE-2026-34909 (CVSS 10): An attacker with network access can exploit a path traversal vulnerability [CWE-22] in UniFi OS devices to access and manipulate files on the underlying system and access underlying accounts.
  • CVE-2026-34910 (CVSS 10): An attacker with network access can exploit an improper input validation vulnerability [CWE-20] in UniFi OS devices to execute command injection attacks.

Bishop Fox published a full technical analysis showing that CVE-2026-34908 and CVE-2026-34909 form an authentication gateway bypass caused by crafted NGINX request handling. Exploitation exposes internal routes and enables command injection via CVE-2026-34910.

Exploitation of all aforementioned CVEs has been validated against UniFi OS version 5.0.6. Ubiquiti fixed the vulnerabilities in UniFi OS Server version 5.0.8, released on May 21, 2026. No workarounds are available. The OPENVAS ENTERPRISE FEED includes a remote vulnerability check and remote banner check for Ubiquiti UniFi OS on various devices and an additional remote vulnerability check and remote banner check for Ubiquiti UniFi OS Server version 5.0.6 and prior.

Squidbleed (CVE-2026-47729) Memory Leak Has Public PoC

CVSS 6.5 · MediumPublic PoCNo ITW exploitation

CVE-2026-47729 (CVSS 6.5), also known as Squidbleed, allows an authorized Squid proxy user to leak another user’s cleartext HTTP request data. The flaw is caused by a heap over-read in the FTP directory-listing parser. Leaked data may include credentials, session tokens, API keys, and Authorization headers. Public proof-of-concept exploit code and a full technical description are available. However, in-the-wild exploitation has not been reported. Surprisingly, despite having a GitHub Security Advisory referencing the CVE by ID, CVE-2026-47729 has not been published to MITRE’s CVE.org or NIST NVD as of July 1st, 2026.

The flaw affects shared proxy environments where Squid can inspect cleartext HTTP or terminate TLS altogether, and all Squid versions dating back to a 1997 FTP parser change. Exploitation requires the Squid instance to be able to reach an attacker-controlled FTP server on TCP port 21. The flaw is fixed in the Squid 7.6 June 2026 release but can also be mitigated by disabling FTP support if not required. The OPENVAS ENTERPRISE FEED includes package-level detection for Linux distributions that have issued security advisories and a remote banner detection for affected versions of Squid proxy.

CVE-2026-10520 and CVE-2026-10523 in Ivanti Sentry

CVSS 10 · CriticalActively exploitedIn CISA KEVPublic PoC

CVE-2026-10520 (CVSS 10) and CVE-2026-10523 (CVSS 9.8) allow a remote, unauthenticated attacker to achieve root-level RCE and create arbitrary administrative accounts in Ivanti Sentry. CVE-2026-10520 has been added to CISA’s KEV catalog after reported exploitation attempts against honeypots. watchTowr published a full technical analysis including a public PoC exploit. Shadowserver reported large-scale exploitation of CVE-2026-10520, identifying 19 vulnerable instances in its scans with at least two identified as compromised.

  • CVE-2026-10520 (CVSS 10): An OS command injection vulnerability [CWE-78] allows a remote, unauthenticated user to achieve root-level remote code execution.
  • CVE-2026-10523 (CVSS 9.8): An authentication bypass vulnerability [CWE-288] allows a remote, unauthenticated attacker to create arbitrary administrative accounts and obtain full administrative access.

Exploitation requires access to the management port 8443. Affected versions include Ivanti Sentry 10.5.1, 10.6.1, 10.7.0, and prior versions, with fixes available in 10.5.2, 10.6.2, and 10.7.1. Greenbone’s OPENVAS ENTERPRISE FEED includes an active check and a remote banner check that cover both CVEs.

The HTTP/2 Bomb: DoS against All Major Web Servers

CVSS 7.5 · HighPublic PoCMulti-vendor DoS

HTTP/2 Bomb is a remote, unauthenticated denial-of-service (DoS) technique against HTTP/2 server implementations. The flaw affects the default HTTP/2 configurations in Apache HTTP Server, NGINX, Microsoft IIS, Envoy Proxy, and Cloudflare Pingora, among other digital products that package them. A detailed technical write-up is available, and Calif’s HTTP/2 Bomb companion repository lists self-contained per-server PoCs and Docker labs for major affected web servers, increasing the risk. HTTP/3 is not reported as directly vulnerable to the current HTTP/2 Bomb technique.

The exploit uses legitimate HTTP/2 features in a way the HPACK header compression spec did not constrain. Affected web servers failed to enforce the extra limits needed to make those features safe. Exploitation has a reported memory amplification of between 70:1 and 5.7K:1 and allows consuming 32 GB to 64 GB of server memory within seconds. The root cause is flawed HTTP/2 request handling, where HPACK-driven cookie expansion triggers excessive memory allocation and data amplification. Calif.io also states that the deeper root cause is a protocol specification issue. The major products related to HTTP/2 Bomb are described below:

  • CVE-2026-49975 (CVSS 7.5) — Apache HTTP Server mod_http2: Apache HTTP Server versions 2.4.17 through 2.4.67 are affected and the issue is fixed in Apache HTTP Server version 2.4.68.
  • CVE-2026-47774 (CVSS 7.5) — Envoy Proxy: Envoy versions before 1.35.11, 1.36.7, 1.37.3, and 1.38.1 are affected.
  • CVE-2026-49160 (CVSS 7.5) — Microsoft HTTP.sys / IIS: Affects Microsoft HTTP.sys, the Windows HTTP stack used by IIS and other Windows HTTP services. Microsoft addressed the issue in its June 9th, 2026 security updates.
  • No CVE assigned — nginx: All nginx versions before 1.29.8 are affected and the issue is fixed in nginx 1.29.8. Red Hat states that upstream nginx did not assign a CVE for HTTP/2 Bomb.

Quang Luong of Calif.IO attributes the discovery of HTTP/2 Bomb to OpenAI Codex. Many additional CVEs are expected to emerge as hardware and software vendors patch their products. Greenbone includes numerous vulnerability tests to detect HTTP/2 Bomb across a wide range of Linux distributions and other affected products. This includes detection for affected Apache HTTP Server products (CVE-2026-49975), Envoy Proxy (CVE-2026-47774), Microsoft IIS (CVE-2026-49160), and nginx despite the lack of CVE coverage.

Multiple Critical Flaws in SAP SE and SAP NetWeaver AS ABAP, and ABAP Platform

CVSS 9.9 · CriticalNo known exploitationPatch available

Three new critical flaws affecting SAP products have been published. Collectively, the flaws impact NetWeaver AS ABAP and ABAP Platform, SAP NetWeaver Application Server Java Web Container, SAP Commerce Cloud, and SAP Data Hub. Risk is elevated because the flaws can allow unauthorized access, sensitive data exposure, file modification, application crashes, memory corruption, arbitrary code execution, and connection hijacking without user interaction in several cases. No active exploitation has been observed in the wild. Public PoC exploits or a full public exploit chain are not available. Mitigate by applying SAP’s June 2026 Security Patch Day updates immediately.

Details on the three CVEs are included below:

  • CVE-2026-44748 (CVSS 9.9): An authenticated attacker with normal privileges can obtain a valid signed message and send modified signed XML documents to the verifier. This can result in acceptance of tampered identity information, leading to unauthorized access to sensitive user data and disruption of normal system usage. SAP NetWeaver AS ABAP version 7.02, 7.31, 7.40, 7.50, 7.51, 7.52, 7.53, 7.54, 7.55, 7.56, 7.57, 7.58, 8.16, 9.18, and 9.19 are affected. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances.
  • CVE-2026-27671 (CVSS 9.8): Due to improper RFC protocol validation in the SAP Kernel, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. SAP NetWeaver AS ABAP version 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.18, and 9.19 are affected. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances.
  • CVE-2026-40128 (CVSS 9.0): An unauthenticated attacker can craft a malicious HTTP logon request that manipulates file inclusion parameters. Exploitation enables path traversal and processing of the included file and allows the attacker to view or modify sensitive information or render any part of the local system unavailable. SAP NetWeaver AS Java version 7.50 is affected. The OPENVAS ENTERPRISE FEED includes a remote banner check to identify affected instances.

Summary

June 2026 underscored accelerating enterprise risk from actively exploited flaws in Splunk, SolarWinds Serv-U, Check Point gateways, Ubiquiti UniFi OS, Ivanti Sentry, Squid, HTTP/2 implementations, and SAP platforms. Public PoCs, KEV listings, ransomware links, and exposed internet-facing assets reinforce the need for rapid patching, compensating controls, and continuous vulnerability detection across perimeter and core infrastructure.

Greenbone’s OPENVAS BASIC is available free of charge and includes a two-week trial of the OPENVAS ENTERPRISE FEED — giving your security team immediate access to automated vulnerability detection for the CVEs covered in this report and tens of thousands more. Start your free trial today.

 

Contact Test Now Buy Here Back to Overview
Joseph Lee
Joseph Lee

Joseph has had a varied and passionate background in IT and cyber security since the late 1980s. His early technical experience included working on an IBM PS/2, assembling PCs and programming in C++.

He also pursued academic studies in computer and systems engineering, anthropology and an MBA in technology forecasting.

Joseph has worked in data analytics, software development and, in particular, enterprise IT security. He specialises in vulnerability management, encryption and penetration testing.

LinkedIn

9. July 2026/by Joseph Lee
Share this entry
  • Share on LinkedIn
  • Share by Mail
https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png 0 0 Joseph Lee https://www.greenbone.net/wp-content/uploads/greenbone-logo-2025.png Joseph Lee2026-07-09 15:05:342026-07-09 15:24:53June 2026 Threat Report: Technical Debt Demands Visibility

Search

Search Search

Archive

  • 2026
  • 2025

Newsletter

Subscribe Now

OPENVAS BASIC

Our entry-level enterprise product

Test 14 Days Free of Charge

Products & Solutions

  • OPENVAS PRODUCTS
  • OPENVAS SECURITY INTELLIGENCE
  • OPENVAS SCAN
  • OPENVAS BASIC
  • OPENVAS FREE
  • OPENVAS AI
ISO9001-EN

Service & Support

  • Technical Support
  • FAQ
  • Documents
  • Warranty
  • Open Source Vulnerability Management
  • Cyber Resilience Act
ISO27001-EN

About us

  • About Greenbone
  • Partners
  • MSSP
  • License information
  • Privacy Statement
  • Terms & Conditions
ISO14001-EN

Contact with us

  • Contact
  • Newsletter
  • Media Contact
  • Careers
  • Security Response
  • Imprint
  • Grounding Page

Community

  • Community Portal
  • Community Forum
© Copyright - Greenbone AG 2020-2026
  • Link to LinkedIn
Link to: Sovereignty was a promise. Now it’s becoming a test criterion. Link to: Sovereignty was a promise. Now it’s becoming a test criterion. Sovereignty was a promise. Now it’s becoming a test criterion.
Scroll to top Scroll to top Scroll to top
Contact
Request IT Security Contact Us Subscribe to Newsletter Follow on LinkedIn