Daily briefing · June 24, 2026
Ten KEV Vulnerabilities in Active Exploitation Demand Immediate Attention Across Enterprise and Consumer Stacks
June 24, 2026 recorded no new CVE publications, but the active threat landscape remains severe: all ten vulnerabilities highlighted today carry confirmed exploitation in the wild (KEV status), spanning CMS extensions, enterprise SIEM, ERP platforms, VPN gateways, e-commerce infrastructure, developer tooling, browsers, web hosting panels, Android, and SD-WAN controllers. The combination of high EPSS scores, public proof-of-concept code, and unauthenticated attack vectors across multiple entries makes this a high-priority patching cycle for defenders.
Today’s brief
- All 10 featured vulnerabilities are confirmed under active exploitation — no theoretical risks here, only live threats.
- Four entries allow full remote code execution or system takeover with zero authentication required (Joomla JCE, Splunk, PeopleSoft, Magento).
- A supply-chain incident via a malicious Nx Console VS Marketplace release and a symlink abuse in a cPanel plugin highlight non-traditional attack surfaces defenders often overlook.
- Android, Chrome, and Cisco SD-WAN round out the list — patching must extend to endpoints, browsers, and network infrastructure simultaneously.
Critical highlights
1. An unauthenticated attacker can create editor profiles in the JCE extension for Joomla and upload arbitrary PHP files, resulting in full remote code execution on the web server. Any internet-facing Joomla site running JCE is at critical risk of complete compromise without any credentials.
2. Splunk Enterprise exposes an unauthenticated PostgreSQL sidecar endpoint that allows any network-reachable user to create or truncate arbitrary files, threatening data integrity, service availability, and potentially code execution. Versions below 10.2.4 and 10.0.7 are affected and should be treated as actively targeted.
3. Oracle PeopleSoft PeopleTools versions 8.61 and 8.62 contain an easily exploitable unauthenticated HTTP attack path that leads to full system takeover. Given PeopleSoft's typical deployment in HR and finance environments, a successful compromise carries severe data and regulatory consequences.
4. A logic flaw in deprecated IKEv1 certificate validation on Quantum Security Gateway allows an unauthenticated remote attacker to bypass authentication entirely and establish a VPN tunnel without valid credentials. This effectively nullifies perimeter access controls for affected deployments.
5. The Mirasvit Full Page Cache Warmer for Magento 2 deserializes attacker-controlled data from the CacheWarmer cookie without restriction, enabling unauthenticated remote code execution via PHP object injection and available gadget chains. Any Magento 2 store running versions before 1.11.12 should be considered fully exposed.
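The defensive pattern for the flaw class in item 5 is to never hand a client-supplied cookie to a native deserializer. The example below is added here and is not the Mirasvit module's code; it shows the same control in Python rather than PHP (the page's case is PHP unserialize()), with an assumed cookie layout: the server signs the cookie with an HMAC so it only accepts state it issued, encodes it as plain JSON, and checks every field against an allow-list of names and types before use. The secret key and field names are constructed placeholders.

```python
"""Reading a client-supplied cache-state cookie without native deserialization.

Added illustration of the mitigation for untrusted-deserialization flaws; not the
Mirasvit module's code. Cookie layout, field names and key are assumptions.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Server-side secret: in a deployment this comes from configuration, never from
# the request. The value here is a constructed placeholder.
SECRET_KEY = b"constructed-demo-key-replace-me"

# The only fields a warmer cookie may carry, and the only type each may have.
ALLOWED_FIELDS = {"warmer_id": str, "last_url": str, "hits": int}
MAX_COOKIE_BYTES = 1024
TAG_LEN = hashlib.sha256().digest_size  # 32


def sign_payload(payload: bytes) -> str:
    """Append an HMAC-SHA256 tag to payload and base64url-encode the result."""
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def issue_cookie(state: dict) -> str:
    """Serialize state as JSON (no object graph, no class names) and sign it."""
    for key, value in state.items():
        # type() rather than isinstance(): bool must not pass as int.
        if key not in ALLOWED_FIELDS or type(value) is not ALLOWED_FIELDS[key]:
            raise ValueError(f"refusing to issue cookie with field {key!r}")
    payload = json.dumps(state, separators=(",", ":"), sort_keys=True).encode()
    return sign_payload(payload)


def read_cookie(cookie: Optional[str]) -> Optional[dict]:
    """Return the validated state, or None for absent, tampered or malformed cookies."""
    if not cookie or len(cookie) > MAX_COOKIE_BYTES:
        return None
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # not issued by this server: attacker-controlled bytes stop here
    try:
        state = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(state, dict):
        return None
    for key, value in state.items():
        if key not in ALLOWED_FIELDS or type(value) is not ALLOWED_FIELDS[key]:
            return None
    return state


if __name__ == "__main__":
    issued = issue_cookie({"warmer_id": "w1", "last_url": "/catalog", "hits": 3})
    print("valid cookie  ->", read_cookie(issued))
    print("tampered      ->", read_cookie("A" + issued[1:]))
```

The three layers are independent: the HMAC check stops anything the server did not issue, JSON removes the object-instantiation primitive that gadget chains rely on, and the allow-list rejects even a correctly signed payload whose shape the application does not expect.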
6. A malicious version of Nx Console (18.95.0) was published to Visual Studio Marketplace and OpenVSX for a window of 18 to 36 minutes, representing a supply-chain compromise targeting developer workstations. Any developer who installed or auto-updated Nx Console during that window on May 19, 2026 should treat their environment as potentially backdoored.
7. An out-of-bounds read and write in Chrome's V8 JavaScript engine allows a remote attacker to execute arbitrary code inside the browser sandbox via a crafted HTML page, exploitable simply by visiting a malicious site. With a public PoC and KEV status, unpatched Chrome installations below 149.0.7827.103 are actively targeted.
8. The LiteSpeed cPanel plugin mishandles symlinks provided by users with FTP or web shell access on shared hosting servers running CloudLinux/CageFS, enabling privilege escalation within the hosting environment. Shared hosting providers are particularly exposed, as a single compromised tenant could leverage this to affect co-hosted sites.
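The general defense against the flaw class in item 8 (a privileged component following a symlink that a tenant planted) is to canonicalize the tenant-supplied path and confirm it still lies under the tenant's root before touching it. The example below is an added illustration in Python, not the LiteSpeed plugin's code; the directory layout, tenant name and file names are constructed for the demo.

```python
"""Resolving a tenant-supplied path so symlinks cannot escape the tenant's root.

Added illustration of the defense for symlink-escape flaws; not the LiteSpeed
plugin's code. The layout built in demo() is constructed for this example.
"""
import os
import tempfile
from pathlib import Path


def resolve_inside(root: Path, user_path: str) -> Path:
    """Return the canonical path of user_path if it stays inside root, else raise.

    root is resolved once with symlinks followed, so both sides of the comparison
    are canonical absolute paths. Any symlink or '..' component in user_path that
    leads outside root makes the resolved path fall outside and is rejected.
    """
    root_real = root.resolve(strict=True)
    candidate = (root_real / user_path).resolve(strict=False)
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PermissionError(f"{user_path!r} resolves outside {root_real}")
    return candidate


def open_inside(root: Path, user_path: str) -> int:
    """Check, then open the final component with O_NOFOLLOW.

    The check above is a separate step from the open, so a tenant could swap the
    file for a symlink in between; refusing to follow a link at open time closes
    that window for the last path component.
    """
    target = resolve_inside(root, user_path)
    return os.open(target, os.O_RDONLY | os.O_NOFOLLOW)


def demo() -> dict:
    """Build a throwaway layout with honest files and one escaping symlink."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        tenant = base / "home" / "tenant1" / "public_html"
        tenant.mkdir(parents=True)
        (tenant / "index.html").write_text("hello")
        secret = base / "etc" / "shadow-like"          # outside every tenant root
        secret.parent.mkdir()
        secret.write_text("not for tenants")
        os.symlink(secret, tenant / "innocent.css")      # escaping symlink
        os.symlink("index.html", tenant / "alias.html")  # in-tree symlink, fine
        for name in ("index.html", "alias.html", "innocent.css",
                     "../../../etc/shadow-like"):
            try:
                fd = open_inside(tenant, name)
                os.close(fd)
                results[name] = "allowed"
            except PermissionError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:8s} {name}")
```

For a component that runs with more privilege than the tenant, the path check is a second line of defense: the first is to perform the file operation as the tenant's own uid (or inside the tenant's CageFS view), so that a symlink the tenant can create only ever points at what the tenant could already read.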
9. An integer overflow in Android allows local privilege escalation to a higher-privileged context with no additional permissions and no user interaction required. The no-interaction requirement lowers the exploitation bar significantly for malware or apps already present on a device.
10. An authenticated local attacker on Cisco Catalyst SD-WAN Controller, Manager, or Validator can escalate to root by supplying a crafted file to a CLI command that fails to validate user-supplied input. While local access is required, SD-WAN control-plane components are high-value targets where even post-authentication escalation represents a critical network-wide risk.
Today’s recommendation: Prioritize immediate patching of the unauthenticated RCE vulnerabilities in Joomla JCE, Splunk Enterprise, PeopleSoft PeopleTools, and Magento 2, then address the VPN authentication bypass in Quantum Security Gateway — all five are remotely exploitable with no credentials and carry public PoC code under active exploitation. Concurrently, push Chrome and Android updates to all endpoints and audit developer environments for any Nx Console installations from May 19, 2026.
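Turning the version thresholds quoted in this briefing into an inventory check is the first concrete step of that recommendation. The script below is an added example, not tooling from the briefing; it takes the fixed versions stated above (Splunk 10.2.4 and 10.0.7, Chrome 149.0.7827.103, Mirasvit Cache Warmer 1.11.12, and the single bad Nx Console release 18.95.0) and compares them branch-aware, so a Splunk build on a branch the text does not mention is reported as unknown rather than guessed either way. The product keys, hostnames and versions in the sample inventory are constructed.

```python
"""Branch-aware version triage against the fixed versions named in this briefing.

Added illustration, not the briefing's own tooling. The thresholds come from the
text above; the inventory rows below are constructed sample data.
"""
from typing import List, Tuple

# Fixed versions as stated in the briefing. Where a product ships several
# maintenance branches (Splunk), a version is affected only when it sits on a
# listed branch and is lower than that branch's fixed release.
FIXED_VERSIONS = {
    "splunk-enterprise": ["10.2.4", "10.0.7"],
    "chrome": ["149.0.7827.103"],
    "mirasvit-cache-warmer": ["1.11.12"],
}
# Supply-chain case: one specific published release is the bad artifact.
MALICIOUS_RELEASES = {
    "nx-console": ["18.95.0"],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into integers; a trailing tag such as '-rc1' is dropped."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(parts)


def branch(version: Tuple[int, ...]) -> Tuple[int, ...]:
    """major.minor identifies the maintenance branch."""
    return version[:2]


def assess(product: str, version: str) -> str:
    """Return one of: affected, fixed, malicious, clean, unknown-branch, unknown-product."""
    if product in MALICIOUS_RELEASES:
        return "malicious" if version.strip() in MALICIOUS_RELEASES[product] else "clean"
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return "unknown-product"
    v = parse_version(version)
    fixed_parsed = [parse_version(f) for f in fixed]
    if len(fixed_parsed) == 1:
        # Single threshold: plain "below the fixed version" comparison.
        return "affected" if v < fixed_parsed[0] else "fixed"
    for f in fixed_parsed:
        if branch(v) == branch(f):
            return "affected" if v < f else "fixed"
    # A branch the advisory text does not mention: do not guess either way.
    return "unknown-branch"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Append a verdict to each (host, product, version) inventory row."""
    return [(host, product, ver, assess(product, ver)) for host, product, ver in inventory]


# Constructed sample inventory; hostnames and versions are invented for the demo.
SAMPLE_INVENTORY = [
    ("siem-01.example", "splunk-enterprise", "10.2.3"),
    ("siem-02.example", "splunk-enterprise", "10.0.7"),
    ("siem-03.example", "splunk-enterprise", "10.1.2"),
    ("ws-17.example", "chrome", "149.0.7827.100"),
    ("shop.example", "mirasvit-cache-warmer", "1.11.12"),
    ("dev-03.example", "nx-console", "18.95.0"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("  ".join(row))
```

The unknown-branch verdict is deliberate: an advisory that names fixed releases on two branches says nothing about a third, and a triage script that silently marks such hosts as fixed is how an exposed system drops off the patch list.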
With ten actively exploited vulnerabilities spanning web applications, enterprise platforms, network infrastructure, and developer toolchains, now is the moment to validate your actual attack surface rather than relying on assumed coverage. Before an attacker finds it, find it first: run a free initial exposure assessment and see whether your infrastructure is vulnerable to flaws like these.