Vulnerability Review – June 2026
This blog is a recap of the most critical vulnerabilities disclosed between 01 June to 30 June 2026 that most likely impact software utilized by managed service providers (MSPs).
While not all MSPs use the software discussed in this blog, the software has been labeled as a priority software by Blackpoint’s Adversary Pursuit Group (APG) due to the overall number of MSPs/organizations that use it.
Key Findings
- There were more than 8,000 vulnerabilities disclosed between 01 June to 30 June 2026, with more than 50% being scored with a high or critical Common Vulnerability Scoring System (CVSS) rating.
- Reported vulnerabilities increased 21.7% from May 2026 to June 2026; high and critical vulnerabilities increased 27.7% from May 2026 to June 2026.
- The U.S. CISA added 23 vulnerabilities to their Known Exploited Vulnerability (KEV) Catalog, indicating reliable reports of active exploitation.
- Blackpoint’s APG assesses with high confidence that threat actors will continue to leverage known and unknown vulnerabilities in ubiquitous software and services over the next 12 months.
Prioritized Software Categories – June 2026
The Blackpoint APG tracks prioritized software across six categories; in June 2026, we delivered notices spanning five of them. These categories are detailed in the Glossary.
Vulnerability Review – June 2026
Check Point – Multiple Vulnerabilities
- Prioritized Category: Network & Infrastructure
- Impacted Software: Check Point Security Gateway
- Type: Improper Authentication Vulnerability
- CVSS: 9.3 Critical
- CISA KEV Catalog: Yes – added June 08, 2026
Check Point Security Gateway vulnerabilities are attractive targets for threat actors because they target internet-facing perimeter devices that often provide direct access into networks. Successful exploitation of CVE-2026-50751 could allow an unauthenticated attacker to bypass authentication and gain unauthorized access to remote access VPN services, providing a foothold for credential theft, lateral movement, malware deployment, or data exfiltration. Additionally, Check Point reported this vulnerability as actively exploited as early as May 07, 2026, with at least one post-compromise incident attributed to a Qilin ransomware affiliate.[1]
- Prioritized Category: Network & Infrastructure
- Impacted Software: Check Point Security Gateway
- Type: Improper Certificate Validation Vulnerability
- CVSS: 7.4 High
- CISA KEV Catalog: No
CVE-2026-50752 requires a more specific attack scenario, a successful man-in-the-middle attack against vulnerability site-to-site VPN connections could allow an attacker to intercept, modify, or potentially impersonate trusted VPN communications, undermining the confidentiality and integrity of traffic flowing between connected networks.[2]
Cisco – Multiple Vulnerabilities
- Prioritized Category: Network & Infrastructure
- Impacted Software: Cisco Catalyst SD-WAN
- Type: Authenticated Privilege Escalation Vulnerability
- CVSS: 7.8 High
- CISA KEV Catalog: Yes – added June 09, 2026
Cisco Catalyst SD-WAN vulnerabilities are high-value targets because they support wide-area network management and control across distributed environments. CVE-2026-20245 allows a locally authenticated attacker to elevate privileges to root on the impacted device, potentially enabling full device takeover, configuration tampering, or using the device as a pivot point into connected networks.[3]
- Prioritized Category: Network & Infrastructure
- Impacted Software: Cisco Catalyst SD-WAN Controller
- Type: Arbitrary File Write Vulnerability
- CVSS: 6.5 Medium
- CISA KEV Catalog: Yes – added June 15, 2026
This vulnerability allows an authenticated attacker to write arbitrary files to the underlying operating system of a Cisco Catalyst SD-WAN Controller. While authentication is required, the vulnerability is dangerous in an environment where an attacker has already gained access via another method such as phishing or credential theft. Arbitrary file write vulnerabilities frequently lead to persistent backdoors, web shells, or code execution.[4]
Google – CVE-2026-11645
- Prioritized Category: Productivity, Communication, & User Applications
- Impacted Software: V8 in Google Chrome
- Type: Out-of-Bounds Memory Access Vulnerability
- CVSS: 8.8 High
- CISA KEV Catalog: Yes – added June 09, 2026
Browser vulnerabilities carry tremendous risk because the browser is nearly universal across organizations environments and serves as a primary attack surface for attacks, like drive-by download campaigns. CVE-2026-11645 is an out-of-bounds memory access issue in the V8 JavaScript engine that could allow a remote attacker to execute arbitrary code in the context of the browser process simply by directing a user to a malicious webpage. Given Chrome’s prevalence among end users, unpatched instances represent a significant and immediate risk. [5]
Linux – CVE-2026-46331
- Prioritized Category: IT Management & Operations
- Impacted Software: Linux Kernel
- Type: Local Privilege Escalation Vulnerability
- CVSS: 7.8 High
- CISA KEV Catalog: No
Linux Kernel vulnerabilities are significant because Linux Kernel supports a wide range of server infrastructure, cloud workloads, and embedded systems used across environments. CVE-2026-46331 allows a local attacker with limited system access to escalate privileges to root, potentially enabling full system compromise, disabling security controls, or establishment of persistent access. While exploitation requires existing local access, this vulnerability could be used as a post-exploitation tool following initial access via phishing, exposed services, or other compromise. [6] [7] [8]
Microsoft – Multiple Vulnerabilities
- Prioritized Category: IT Management & Operations
- Impacted Software: Windows Collaborative Translation Framework (CTFMON)
- Type: Elevation of Privilege Vulnerability
- CVSS: 7.8 High
- CISA KEV Catalog: No
Windows Collaborative Translation Framework (CTFMON) is a component present on all Windows systems that manages text input and language services. Successful exploitation of this vulnerability allows an attacker who already has access on a system to elevate privileges to SYSTEM, granting complete control over the impacted machine. In the context of MSP-managed environments, where standard users often operate on shared infrastructure, CTFMON-based privilege escalation represents a meaningful post-exploitation risk that could enable malware deployment or lateral movement. [9]
- Prioritized Category: IT Management & Operations
- Impacted Software: HTTP.sys (dubbed HTTP/2 Bomb)
- Type: Denial of Service Vulnerability
- CVSS: 7.5 High
- CISA KEV Catalog: No
This vulnerability, dubbed HTTP/2 Bomb, impacts HTTP.sys, the Windows kernel mode HTTP request handler used by IIS and other Windows web services. An unauthenticated remote attacker can send a specially crafted HTTP/2 request that triggers resource exhaustion, crashing the impacted service. This vulnerability could be weaponized to disrupt web-hosted applications or create availability outages that mask simultaneous intrusion activity. [10]
- Prioritized Category: IT Management & Operations
- Impacted Software: Windows BitLocker
- Type: Security Feature Bypass Vulnerability
- CVSS: 6.8 Medium
- CISA KEV Catalog: No
Windows BitLocker is Microsoft’s full-disk encryption solution that is relied on to protect data at rest. Successful exploitation of this vulnerability could allow an attacker with physical or low-privileged access to circumvent BitLocker protections and access encrypted data without the proper key. This could leave endpoints that should be protected by BitLocker vulnerable to data exfiltration. [11]
SAP – Multiple Vulnerabilities
- Prioritized Category: IT Management & Operations
- Impacted Software: SAML Authentication in SAP NetWeaver AS ABAP and ABAP Platform
- Type: XML Signature Wrapping Vulnerability
- CVSS: 9.9 Critical
- CISA KEV Catalog: No
SAP NetWeaver is widely deployed in environments for business-critical operations, making it a high-value target for threat actors. Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to forge SAML assertions and authenticate as any user, including administrators, without valid credentials. This provides an opportunity for full application takeover, data theft, and lateral movement to connected business systems. [12]
- Prioritized Category: IT Management & Operations
- Impacted Software: NetWeaver and ABAP platform
- Type: Memory Corruption Vulnerability
- CVSS: 9.8 Critical
- CISA KEV Catalog: No
An unauthenticated threat actor could send crafted requests that target logic errors in memory management that could lead to memory corruption. This could result in the threat actor gaining unauthorized access to sensitive data, crash the application, or executing arbitrary code. [13]
SimpleHelp – CVE-2026-48558
- Prioritized Category: Remote Access & Identity
- Impacted Software: SimpleHelp
- Type: Authentication Bypass Vulnerability
- CVSS: 10.0 Critical
- CISA KEV Catalog: Yes – added June 29, 2026
This vulnerability allows threat actors to submit forged identity tokens without validating the cryptographic signature, which could allow them to fully compromise the server. [14] The Blackpoint Security Operations Center (SOC) responded to an incident that began with confirmed exploitation of this vulnerability, allowing the threat actor to bypass SimpleHelp OIDC authentication and obtain a technician session.
By exploiting this vulnerability, the threat actor was able to repurpose legitimate RMM capabilities to transfer files and remotely execute malware, TaskWeaver and Djinn Stealer, across managed systems. The Blackpoint SOC contained the incident; however, it highlights how the compromise of a single RMM server can have a widespread impact due to the trust these legitimate tools have within managed environments. [15]
Veeam – CVE-2026-44963
- Prioritized Category: Data Protection & Recovery
- Impacted Software: Veeam Backup & Replication (VBR)
- Type: Remote Code Execution (RCE) Vulnerability
- CVSS: 9.4 Critical
- CISA KEV Catalog: No
Veeam Backup & Replication (VBR) is an attractive target for threat actors because it is used to back up data and could be used to help recover that data in the event of an incident. VBR instances are very likely to store important data from multiple systems in one place. A threat actor with any standard, authenticated domain credential could exploit this vulnerability to achieve remote code execution on domain-joined VBR servers without needing to elevate privileges. This could allow an attacker to destroy backups, steal sensitive data, or take control of the backup server. [16]
Blackpoint’s APG Analysis
Blackpoint’s SOC consistently monitors and actions lateral movement and remote execution within our customer’s environments. Additionally, Blackpoint has detections in place to identify the behaviors associated with the vulnerabilities detailed within this blog.
Blackpoint’s APG assesses with high confidence that threat actors will continue to target, or begin targeting, these vulnerabilities over the next 12 months to deploy malware, steal sensitive information, and gain unauthorized access to organizations. It is likely that these vulnerabilities will be targeted by multiple types of threat actors, including both nation-state and financially motivated threat actors over the next 12 months.
Glossary
- Data Protection & Recovery: These tools are very likely to store important data from multiple systems in one place, making them an attractive target for threat actors. Attackers who gain access to these systems can delete company backups, encrypt them, or steal data.
- IT Management & Operations: IT teams use these tools to monitor systems, fix issues, and automate tasks. These tools typically have high-level access permissions and an attacker who gains access could change settings, run malicious code, or spread across many systems without detection. A single compromise of these tools could impact multiple customers as the result of a single intrusion.
- Network & Infrastructure: These systems control how data moves in and out of a network; they often sit between the internal systems and the internet. Due to their exposure and being highly trusted, they are attractive targets for threat actors and are frequently targeted. An attacker that successfully targets these systems could access internal systems, access network traffic, or bypass security controls.
- Productivity, Communication, & User Applications: These tools frequently contain sensitive data, instructions, and private conversations, making them attractive tools for threat actors. An attacker that gains access to these tools can read private messages, steal information, impersonate trusted users, and conduct additional attacks from a trusted platform.
- Remote Access & Identity: These tools are frequently used by administrators and are trusted across the environment, making them an attractive target for threat actors. An attacker that gains access to or abuses tools within this category can log in as legitimate users, bypass security checks, and more through systems without being detected.
- Security & Threat Defense: These tools collect security data and alert teams when something appears suspicious or malicious. Attackers that exploit these tools can hide their activity, turn off alerts, or delete evidence of their activity. This type of abuse can leave security teams blind to malicious activity and allow attackers to complete their objectives.
References
- https://me.sap.com/notes/3746332 (login required to access)
- https://me.sap.com/notes/3717897 (login required to access)
DATE PUBLISHEDJuly 13, 2026
AUTHORBlackpoint Cyber
SHARE ON
Blackpoint AI: A Decade in the Making
Webinar - July 22
Automated attacks need automated defense. Learn how Blackpoint AI protects your clients from identity threats by containing threats in as little as 21 seconds.*
*Under two minutes on average