What you need to know today.
CISA flags a Check Point VPN zero-day exploited by Qilin ransomware, as Ivanti, Microsoft, and Fortinet ship critical patches.

Check Point VPN auth bypass is under active exploitation by the Qilin ransomware gang, with CISA ordering federal agencies to patch within three days. The vulnerability (CVE-2026-50751, CVSS 9.3) is a logic-flow weakness in the deprecated IKEv1 certificate-validation path of the Remote Access and Mobile Access components: an unauthenticated attacker can bypass user authentication and establish a VPN tunnel, which is exactly the initial-access foothold a ransomware crew wants. As SecurityWeek reported, Qilin operators have been observed leveraging this flaw for initial access in active campaigns. BleepingComputer noted that CISA added the bug to the KEV catalog on June 9, giving federal civilian agencies until June 12 to remediate. Affected organizations should apply the vendor-supplied hotfix immediately and, where the hotfix cannot be applied yet or IKEv1 is not actually required, restrict or disable IKEv1 on their Check Point gateways as a compensating control. This is the highest-priority item on today's board given the ransomware nexus and the emergency CISA deadline.
Ivanti disclosed two critical pre-auth flaws in Sentry — one rated CVSS 10.0 for unauthenticated root RCE — with patches now available. CVE-2026-10520 (CVSS 10.0) is an OS command injection that allows a remote unauthenticated attacker to execute arbitrary commands as root; CVE-2026-10523 (CVSS 9.9) is an authentication-bypass bug that lets an unauthenticated attacker create arbitrary administrative accounts. As The Register reported, both are fixed in Sentry versions R10.5.2, R10.6.2, and R10.7.1. watchTowr Labs published a technical analysis demonstrating that CVE-2026-10520 can be trivially weaponized. Neither CVE is yet listed on the CISA KEV, but given the max-severity CVSS scores and the availability of public exploit analysis, defenders should treat these as emergency-patch items.
CISA added two more actively exploited flaws to the KEV: a Chrome V8 zero-day (CVE-2026-11645) and a Cisco SD-WAN privilege-escalation bug (CVE-2026-20245). CVE-2026-11645 (CVSS 8.8) is an out-of-bounds read/write in Chrome's V8 JavaScript engine that Google patched in version 149.0.7827.103; it is the fifth Chrome zero-day exploited in the wild this year, as The Register noted. CVE-2026-20245 (CVSS 7.8) affects Cisco Catalyst SD-WAN Controller, Manager, and Validator, and allows an authenticated local attacker to escalate privileges. CyberScoop reported that Cisco has indicated no patch will be issued for the SD-WAN flaws, putting the onus on administrators to follow the vendor's mitigation guidance. Both CVEs fall under the KEV binding operational directive (BOD 22-01) and should be addressed immediately: update Chrome (and Chromium-based browsers as their vendors ship the fix), and for the Cisco bug apply the vendor mitigation, since no fixed release is available.
Microsoft's June 2026 Patch Tuesday fixed a record 206 vulnerabilities, including three zero-days and multiple critical RCE bugs. Among the most severe are CVE-2026-44815 (CVSS 9.8), a stack-based buffer overflow in the Windows DHCP Client that allows unauthenticated remote code execution; CVE-2026-42904 (CVSS 9.6), a heap-based buffer overflow in Windows TCP/IP enabling privilege escalation over an adjacent network; and CVE-2026-47643 (CVSS 9.8), an external-control-of-filename bug in Azure Stack Edge permitting remote code execution. As BleepingComputer reported, the three zero-day flaws include CVE-2026-26142 (CVSS 9.8, deserialization in Nuance PowerScribe) and CVE-2026-47281 (CVSS 9.6, input validation in Visual Studio Code). The Cisco Talos blog provides Snort rules for several of these CVEs. Given the sheer volume and the presence of network-reachable RCEs like the DHCP Client bug, this Patch Tuesday demands immediate attention across the Windows estate.
Fortinet shipped fixes for a critical OS command injection in FortiSandbox (CVE-2026-25089, CVSS 9.8) and a newly KEV-listed auth bypass in FortiAnalyzer (CVE-2026-24858, CVSS 9.8). CVE-2026-25089 affects FortiSandbox versions 5.0.0 through 5.0.5, 4.4.0 through 4.4.8, and all 4.2.x builds, allowing an unauthenticated remote attacker to execute arbitrary OS commands. Cyber Security News reported that attackers are actively probing for vulnerable instances. CVE-2026-24858, added to the CISA KEV alongside the Check Point and Chrome bugs, is an authentication bypass via alternate path in FortiAnalyzer affecting every release line from 7.0.x up through 7.6.0. Both product lines should be updated to the latest patched releases immediately; because the FortiAnalyzer bug is confirmed exploited, affected instances should also be reviewed for unexpected administrative logins and configuration changes, not just patched.
Two more critical pre-authentication bugs surfaced in enterprise and infrastructure software, though neither is yet on the KEV. CVE-2026-11429 (Altium Enterprise Server and Altium 365, no CVSS assigned) involves two endpoints in the Vault Service ScriptsController that accept file uploads with unsanitized user-supplied filename components, enabling arbitrary file writes that can be chained to remote code execution. CVE-2026-36721 (Bookcars v8.3, CVSS 9.8) is a JWT authentication bypass caused by missing cryptographic signature verification in the validateAccessToken function: because the signature is never checked, a client can mint a token carrying arbitrary claims, including an administrator identity, and have it accepted as valid. While neither has evidence of active exploitation today, the Altium bug in particular should be prioritized by any organization using Altium 365 or on-prem Enterprise Server for PCB design workflows, as file-upload-to-RCE chains in engineering tools carry outsized supply-chain risk.