In June 2026, Insikt Group® identified 60 high-impact vulnerabilities that should be prioritized for remediation, 30 of which had a Very Critical Recorded Future Risk Score. This represents a 49% increase from last month. 23 of the 60 vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, 34 were reported by vendors, and three were primarily surfaced through honeypot data.
The 60 vulnerabilities in this report affected products from 36 vendors, with Microsoft accounting for approximately 18% of the vulnerabilities. The remaining exposure was concentrated across a range of enterprise software, security products, network infrastructure, developer tooling, and cloud platform vendors.
Insikt Group created Nuclei templates to detect two of the vulnerabilities featured in this month’s report: CVE-2026-35616 affecting Fortinet FortiClient EMS and CVE-2026-25939 affecting Frangoteam FUXA. These are available to Recorded Future customers via the Recorded Future Intelligence Operations Platform.
Quick reference: June 2026 Vulnerability Table
All 57 vulnerabilities below were actively exploited in June 2026. This table does not include the three CVEs associated with honeypot activity, which are available to Recorded Future customers via the CVE Monthly report, in the platform. The table below also provides examples of public PoCs identified by Insikt Group. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.
#
Vulnerability
Risk
Score
Vendor/Product
KEV
Malware Analysis
RCE
PoC
1
CVE-2020-17103
99
Microsoft Windows 10/11 and Windows Server 2019
✓
2
CVE-2022-0492
99
Linux Kernel
✓
3
CVE-2025-55182
99
Meta React Server Components packages
✓
✓
4
CVE-2025-67038
99
Lantronix EDS5000
✓
5
CVE-2025-8088
99
WinRAR
✓
✓
6
CVE-2026-10520
99
Ivanti Sentry
✓
✓
7
CVE-2026-11645
99
Google Chromium V8 and Chrome
✓
✓
8
CVE-2026-12569
99
PTC Windchill, Windchill PDMLink, and FlexPLM
✓
✓
9
CVE-2026-20230
99
Cisco Unified Communications Manager
✓
10
CVE-2026-20245
99
Cisco Catalyst SD-WAN Manager and Controller
✓
✓
11
CVE-2026-20253
99
Splunk Enterprise
✓
12
CVE-2026-20262
99
Cisco Catalyst SD-WAN Manager
✓
13
CVE-2026-21509
99
Microsoft 365 Apps for Enterprise and Office 2016
✓
(available to Recorded Future Customers)
14
CVE-2026-28318
99
SolarWinds Serv-U
✓
15
CVE-2026-33825
99
Microsoft Defender Antimalware Platform
✓
(available to Recorded Future Customers)
16
CVE-2026-34908
99
Ubiquiti UniFi OS, UniFi OS Server, UDM, and UDM-Pro
✓
17
CVE-2026-34909
99
Ubiquiti UniFi OS, UniFi OS Server, Express 7, and UDM
✓
18
CVE-2026-34910
99
Ubiquiti UniFi OS, UniFi OS Server, UDM, and UDM-Pro
✓
✓
19
CVE-2026-35273
99
Oracle PeopleSoft Enterprise PeopleTools
✓
20
CVE-2026-39808
99
FortiSandbox PaaS
✓
(available to Recorded Future Customers)
✓
21
CVE-2026-41089
99
Microsoft Windows Server 2012
✓
(available to Recorded Future Customers)
✓
22
CVE-2026-42271
99
BerriAI LiteLLM
✓
✓
23
CVE-2026-48558
99
SimpleHelp
✓
24
CVE-2026-48907
99
Joomla Content Editor (JCE) extension for Joomla
✓
25
CVE-2026-50751
99
Check Point Security Gateway, Quantum Security Gateway, and Spark Firewalls
✓
26
CVE-2026-54420
99
LiteSpeed cPanel Plugin
✓
27
CVE-2026-7473
99
Arista EOS
✓
28
CVE-2021-26855
89
Microsoft Exchange Server 2016 and 2019
✓
✓
29
CVE-2021-36260
89
Hikvision Firmware
✓
✓
30
CVE-2022-40684
89
Fortinet FortiOS, FortiProxy, and FortiSwitchManager
✓
31
CVE-2023-20198
89
Cisco IOS XE Software
✓
32
CVE-2024-21182
89
Oracle WebLogic Server
✓
33
CVE-2024-21762
89
Fortinet FortiProxy and FortiOS
✓
✓
34
CVE-2025-48595
89
Android Framework
✓
✓
35
CVE-2025-6218
89
WinRAR
✓
✓
36
CVE-2026-21513
89
Microsoft Windows 10 and Windows Server 2012
✓
37
CVE-2026-3300
89
WPEverest Everest Forms Pro
✓
✓
38
CVE-2026-35616
89
Fortinet FortiClientEMS
✓
✓
39
CVE-2026-41091
89
Microsoft Malware Protection Engine
✓
40
CVE-2026-44963
89
Veeam Backup and Replication
✓
✓
41
CVE-2026-45247
89
Mirasvit Full Page Cache Warmer for Magento 2
✓
✓
42
CVE-2016-4437
79
Apache Shiro
✓
✓
43
CVE-2021-27076
79
Microsoft SharePoint and Business Productivity Servers
✓
✓
44
CVE-2021-27137
79
DD-WRT Firmware
✓
45
CVE-2022-27925
79
Zimbra
✓
46
CVE-2022-41082
79
Microsoft Exchange Server 2013
✓
✓
47
CVE-2023-32315
79
Openfire
✓
48
CVE-2023-46747
79
F5 BIG-IP
✓
✓
49
CVE-2024-36401
79
Geoserver
✓
✓
50
CVE-2026-25089
79
Fortinet FortiSandbox PaaS and Cloud
✓
✓
51
CVE-2026-39813
79
Fortinet FortiSandbox and Cloud
✓
52
CVE-2026-4020
79
Gravity SMTP
✓
53
CVE-2026-45586
79
Microsoft Windows 10 and Windows Server 2012
✓
54
CVE-2026-46817
79
Oracle Payments
✓
55
CVE-2026-5027
79
Langflow
✓
56
CVE-2026-8206
79
Kirki – Freeform Page Builder, Website Builder & Customizer
✓
57
CVE-2026-25939
72
Frangoteam FUXA
✓
Table 1: List of vulnerabilities that were actively exploited in June, 2026 based on Recorded Future data (excluding honeypot-sourced CVEs).
Key trends: June 2026
- In June 2026, StrikeShark exploited public-facing applications to deploy SharkLoader and deliver Cobalt Strike; Lazarus exploited CVE-2025-55182 to deploy COPPERHEDGE; APT36 exploited Microsoft vulnerabilities in operations targeting India; a C0XMO botnet propagated through DD-WRT routers; EKZ information-stealing malware was delivered through FortiClient EMS exploitation; and Qilin ransomware was associated with a vulnerability affecting Check Point gateways.
- 25 of the 60 vulnerabilities enabled remote code execution (RCE), affecting products from 18 vendors: Meta, WinRAR, Ivanti, Google, PTC, Cisco, Ubiquiti, Fortinet, Microsoft, BerriAI, Android, WPEverest, Veeam, Mirasvit, Apache, Hikvision, F5, and GeoServer.
- Insikt Group identified public proof-of-concept (PoC) exploits for 53 of the 60 vulnerabilities identified this month.
- The most commonly observed flaws this month were CWE-22 (Path Traversal), followed by CWE-502 (Deserialization of Untrusted Data), CWE-78 (OS Command Injection), CWE-306 (Missing Authentication for Critical Function), and CWE-287 (Improper Authentication).
- 4 of the 60 vulnerabilities in this month’s prominent vulnerability disclosures table are at least five years old, with the oldest approximately ten years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Additionally, the fastest observed time from a vulnerability’s public disclosure to exploitation was less than one day.
Trend analysis: Malware-linked exploitation and intrusion activity
June’s strongest campaign-linked theme was the exploitation of externally reachable enterprise applications and appliances. Insikt Group published a TTP Instance on the StrikeShark campaign which described activity spanning CVE-2025-55182 affecting React Server Components, CVE-2021-26855 and CVE-2022-41082 affecting Microsoft Exchange, CVE-2021-36260 affecting Hikvision firmware, CVE-2022-40684 and CVE-2024-21762 affecting Fortinet FortiOS, CVE-2023-20198 affecting Cisco IOS XE Web UI, CVE-2016-4437 affecting Apache Shiro, CVE-2021-27076 affecting Microsoft SharePoint, CVE-2022-27925 affecting Zimbra, CVE-2023-32315 affecting Openfire, CVE-2023-46747 affecting F5 BIG-IP, and CVE-2024-36401 affecting GeoServer. The exploitation of these vulnerabilities resulted in the deployment of SharkLoader, which then delivered Cobalt Strike.

React Server Components was also linked to targeted malware delivery outside the broader StrikeShark set: Lazarus Group exploited CVE-2025-55182 to deploy COPPERHEDGE against financial and blockchain-related organizations. Microsoft-related exploitation appeared in both endpoint and document-processing contexts: APT36 exploited CVE-2026-21509 (affecting Microsoft 365 Apps for Enterprise and Office 2016) and CVE-2026-21513 (affecting Windows client and server versions) in operations targeting India. This activity was linked to backdoor deployment and SHEETCREEP. CVE-2021-27137, affecting DD-WRT firmware, was linked to a C0XMO botnet campaign across Linux architectures, while Qilin Ransomware was associated with CVE-2026-50751 affecting Checkpoint Security Gateway and Spark Firewalls.
PoC exploit trends and analyses associated with this month’s high-impact vulnerabilities are available to Recorded Future customers.
Take action.
Timely and relevant information on vulnerabilities in your environment and that of your vendors and suppliers is critical for reducing risk. Find out how Recorded Future can support your team by increasing visibility, improving efficiency, and enabling confident decisions.
Vulnerability Prioritization – Prioritize vulnerabilities based on the likelihood of exploitation – not just the severity. Easily understand the risk of exploitation alongside severity, and real-time contextualized intelligence to help you quickly make confident decisions, patch what matters, and prevent attacks.
Attack Surface Intelligence – Identify internet-facing assets vulnerable to a specific CVE. Attack Surface Intelligence provides an outside-in view of your organization to help you actively discover, prioritize, and respond to unknown, vulnerable, or misconfigured assets.
Third-Party Risk – Gain an external view of the security posture of your vendors and partners. Eliminate time-consuming research and vendor communication cycles with the ability to promptly assess vulnerabilities in their internet-facing systems.
Insikt Group® – Receive access to exclusive reports on new vulnerabilities and trends from Recorded Future’s team of experts, the Insikt Group®. Download Nuclei templates created by Insikt Group® for select CVEs to test potentially vulnerable instances.
Recorded Future Professional Services – Work with our Professional Services team on a Vulnerability Analysis Engagement. Designed to equip your team with advanced strategies for identifying, prioritizing, and mitigating threats effectively, this program delves into technologies and operations essential for a successful vulnerability management program. (Learn more about how our Professional Services team can help your elevate your team by watching our recent Vulnerability Prioritization Workshop)
About Iniskt Group®
Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for customers, enables tangible outcomes, and prevents business disruption.

