VendorResearch

June 2026 CVE Landscape


In June 2026, Insikt Group® identified 60 high-impact vulnerabilities that should be prioritized for remediation, 30 of which had a Very Critical Recorded Future Risk Score. This represents a 49% increase from last month. 23 of the 60 vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, 34 were reported by vendors, and three were primarily surfaced through honeypot data.

The 60 vulnerabilities in this report affected products from 36 vendors, with Microsoft accounting for approximately 18% of the vulnerabilities. The remaining exposure was concentrated across a range of enterprise software, security products, network infrastructure, developer tooling, and cloud platform vendors.

Insikt Group created Nuclei templates to detect two of the vulnerabilities featured in this month’s report: CVE-2026-35616 affecting Fortinet FortiClient EMS and CVE-2026-25939 affecting Frangoteam FUXA. These are available to Recorded Future customers via the Recorded Future Intelligence Operations Platform.

Quick reference: June 2026 Vulnerability Table

All 57 vulnerabilities below were actively exploited in June 2026. This table does not include the three CVEs associated with honeypot activity, which are available to Recorded Future customers via the CVE Monthly report, in the platform. The table below also provides examples of public PoCs identified by Insikt Group. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.

#

Vulnerability

Risk
Score

Vendor/Product

KEV

Malware Analysis

RCE

PoC

1

CVE-2020-17103

99

Microsoft Windows 10/11 and Windows Server 2019

2

CVE-2022-0492

99

Linux Kernel

3

CVE-2025-55182

99

Meta React Server Components packages

4

CVE-2025-67038

99

Lantronix EDS5000

5

CVE-2025-8088

99

WinRAR

6

CVE-2026-10520

99

Ivanti Sentry

7

CVE-2026-11645

99

Google Chromium V8 and Chrome

8

CVE-2026-12569

99

PTC Windchill, Windchill PDMLink, and FlexPLM

9

CVE-2026-20230

99

Cisco Unified Communications Manager

10

CVE-2026-20245

99

Cisco Catalyst SD-WAN Manager and Controller

11

CVE-2026-20253

99

Splunk Enterprise

12

CVE-2026-20262

99

Cisco Catalyst SD-WAN Manager

13

CVE-2026-21509

99

Microsoft 365 Apps for Enterprise and Office 2016

(available to Recorded Future Customers)

14

CVE-2026-28318

99

SolarWinds Serv-U

15

CVE-2026-33825

99

Microsoft Defender Antimalware Platform

(available to Recorded Future Customers)

16

CVE-2026-34908

99

Ubiquiti UniFi OS, UniFi OS Server, UDM, and UDM-Pro

17

CVE-2026-34909

99

Ubiquiti UniFi OS, UniFi OS Server, Express 7, and UDM

18

CVE-2026-34910

99

Ubiquiti UniFi OS, UniFi OS Server, UDM, and UDM-Pro

19

CVE-2026-35273

99

Oracle PeopleSoft Enterprise PeopleTools

20

CVE-2026-39808

99

FortiSandbox PaaS

(available to Recorded Future Customers)

21

CVE-2026-41089

99

Microsoft Windows Server 2012

(available to Recorded Future Customers)

22

CVE-2026-42271

99

BerriAI LiteLLM

23

CVE-2026-48558

99

SimpleHelp

24

CVE-2026-48907

99

Joomla Content Editor (JCE) extension for Joomla

25

CVE-2026-50751

99

Check Point Security Gateway, Quantum Security Gateway, and Spark Firewalls

26

CVE-2026-54420

99

LiteSpeed cPanel Plugin

27

CVE-2026-7473

99

Arista EOS

28

CVE-2021-26855

89

Microsoft Exchange Server 2016 and 2019

29

CVE-2021-36260

89

Hikvision Firmware

30

CVE-2022-40684

89

Fortinet FortiOS, FortiProxy, and FortiSwitchManager

31

CVE-2023-20198

89

Cisco IOS XE Software

32

CVE-2024-21182

89

Oracle WebLogic Server

33

CVE-2024-21762

89

Fortinet FortiProxy and FortiOS

34

CVE-2025-48595

89

Android Framework

35

CVE-2025-6218

89

WinRAR

36

CVE-2026-21513

89

Microsoft Windows 10 and Windows Server 2012

37

CVE-2026-3300

89

WPEverest Everest Forms Pro

38

CVE-2026-35616

89

Fortinet FortiClientEMS

39

CVE-2026-41091

89

Microsoft Malware Protection Engine

40

CVE-2026-44963

89

Veeam Backup and Replication

41

CVE-2026-45247

89

Mirasvit Full Page Cache Warmer for Magento 2

42

CVE-2016-4437

79

Apache Shiro

43

CVE-2021-27076

79

Microsoft SharePoint and Business Productivity Servers

44

CVE-2021-27137

79

DD-WRT Firmware

45

CVE-2022-27925

79

Zimbra

46

CVE-2022-41082

79

Microsoft Exchange Server 2013

47

CVE-2023-32315

79

Openfire

48

CVE-2023-46747

79

F5 BIG-IP

49

CVE-2024-36401

79

Geoserver

50

CVE-2026-25089

79

Fortinet FortiSandbox PaaS and Cloud

51

CVE-2026-39813

79

Fortinet FortiSandbox and Cloud

52

CVE-2026-4020

79

Gravity SMTP

53

CVE-2026-45586

79

Microsoft Windows 10 and Windows Server 2012

54

CVE-2026-46817

79

Oracle Payments

55

CVE-2026-5027

79

Langflow

56

CVE-2026-8206

79

Kirki – Freeform Page Builder, Website Builder & Customizer

57

CVE-2026-25939

72

Frangoteam FUXA

Table 1: List of vulnerabilities that were actively exploited in June, 2026 based on Recorded Future data (excluding honeypot-sourced CVEs).

  • In June 2026, StrikeShark exploited public-facing applications to deploy SharkLoader and deliver Cobalt Strike; Lazarus exploited CVE-2025-55182 to deploy COPPERHEDGE; APT36 exploited Microsoft vulnerabilities in operations targeting India; a C0XMO botnet propagated through DD-WRT routers; EKZ information-stealing malware was delivered through FortiClient EMS exploitation; and Qilin ransomware was associated with a vulnerability affecting Check Point gateways.
  • 25 of the 60 vulnerabilities enabled remote code execution (RCE), affecting products from 18 vendors: Meta, WinRAR, Ivanti, Google, PTC, Cisco, Ubiquiti, Fortinet, Microsoft, BerriAI, Android, WPEverest, Veeam, Mirasvit, Apache, Hikvision, F5, and GeoServer.
  • Insikt Group identified public proof-of-concept (PoC) exploits for 53 of the 60 vulnerabilities identified this month.
  • The most commonly observed flaws this month were CWE-22 (Path Traversal), followed by CWE-502 (Deserialization of Untrusted Data), CWE-78 (OS Command Injection), CWE-306 (Missing Authentication for Critical Function), and CWE-287 (Improper Authentication).
  • 4 of the 60 vulnerabilities in this month’s prominent vulnerability disclosures table are at least five years old, with the oldest approximately ten years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Additionally, the fastest observed time from a vulnerability’s public disclosure to exploitation was less than one day.

Trend analysis: Malware-linked exploitation and intrusion activity

June’s strongest campaign-linked theme was the exploitation of externally reachable enterprise applications and appliances. Insikt Group published a TTP Instance on the StrikeShark campaign which described activity spanning CVE-2025-55182 affecting React Server Components, CVE-2021-26855 and CVE-2022-41082 affecting Microsoft Exchange, CVE-2021-36260 affecting Hikvision firmware, CVE-2022-40684 and CVE-2024-21762 affecting Fortinet FortiOS, CVE-2023-20198 affecting Cisco IOS XE Web UI, CVE-2016-4437 affecting Apache Shiro, CVE-2021-27076 affecting Microsoft SharePoint, CVE-2022-27925 affecting Zimbra, CVE-2023-32315 affecting Openfire, CVE-2023-46747 affecting F5 BIG-IP, and CVE-2024-36401 affecting GeoServer. The exploitation of these vulnerabilities resulted in the deployment of SharkLoader, which then delivered Cobalt Strike.

Screenshot detailing risk assessment metrics and exploit status for the React2Shell vulnerability.

React Server Components was also linked to targeted malware delivery outside the broader StrikeShark set: Lazarus Group exploited CVE-2025-55182 to deploy COPPERHEDGE against financial and blockchain-related organizations. Microsoft-related exploitation appeared in both endpoint and document-processing contexts: APT36 exploited CVE-2026-21509 (affecting Microsoft 365 Apps for Enterprise and Office 2016) and CVE-2026-21513 (affecting Windows client and server versions) in operations targeting India. This activity was linked to backdoor deployment and SHEETCREEP. CVE-2021-27137, affecting DD-WRT firmware, was linked to a C0XMO botnet campaign across Linux architectures, while Qilin Ransomware was associated with CVE-2026-50751 affecting Checkpoint Security Gateway and Spark Firewalls.

PoC exploit trends and analyses associated with this month’s high-impact vulnerabilities are available to Recorded Future customers.

Take action.

Timely and relevant information on vulnerabilities in your environment and that of your vendors and suppliers is critical for reducing risk. Find out how Recorded Future can support your team by increasing visibility, improving efficiency, and enabling confident decisions.

Vulnerability Prioritization – Prioritize vulnerabilities based on the likelihood of exploitation – not just the severity. Easily understand the risk of exploitation alongside severity, and real-time contextualized intelligence to help you quickly make confident decisions, patch what matters, and prevent attacks.

Attack Surface Intelligence – Identify internet-facing assets vulnerable to a specific CVE. Attack Surface Intelligence provides an outside-in view of your organization to help you actively discover, prioritize, and respond to unknown, vulnerable, or misconfigured assets.

Third-Party Risk – Gain an external view of the security posture of your vendors and partners. Eliminate time-consuming research and vendor communication cycles with the ability to promptly assess vulnerabilities in their internet-facing systems.

Insikt Group® – Receive access to exclusive reports on new vulnerabilities and trends from Recorded Future’s team of experts, the Insikt Group®. Download Nuclei templates created by Insikt Group® for select CVEs to test potentially vulnerable instances.

Recorded Future Professional Services – Work with our Professional Services team on a Vulnerability Analysis Engagement. Designed to equip your team with advanced strategies for identifying, prioritizing, and mitigating threats effectively, this program delves into technologies and operations essential for a successful vulnerability management program. (Learn more about how our Professional Services team can help your elevate your team by watching our recent Vulnerability Prioritization Workshop)

About Iniskt Group®

Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for customers, enables tangible outcomes, and prevents business disruption.



Source link