Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs
TL;DR - Ivanti Sentry shipped fixes for two critical unauthenticated flaws, including root RCE. - Microsoft’s June Patch Tuesday fixed 200 flaws and three zero-days, while a new Defender exploit surfaced. - Prioritize internet-facing appliances, Chromium-based browsers, and emergency patch validation today.
Top Stories
Ivanti Sentry fixes max-severity root RCE and auth bypass
Ivanti patched two severe vulnerabilities in Sentry, its secure mobile gateway product. The most urgent is CVE-2026-10520, an unauthenticated OS command injection flaw that can lead to root-level remote code execution. The second, CVE-2026-10523, allows authentication bypass and creation of arbitrary administrative accounts. Affected versions are fixed in R10.5.2, R10.6.2, and R10.7.1 according to Ivanti’s advisory: Ivanti advisory. Reporting and operational context: BleepingComputer.
So what?
Sentry is commonly deployed at the edge and often exposed to untrusted networks. Unaudited internet-facing management or gateway components should be treated as high-risk until patched and reviewed.
What to do next - Patch to R10.5.2 / R10.6.2 / R10.7.1 or later immediately. - Restrict administrative access paths to trusted IPs/VPN. - Review local admin account creation events and config changes since last known-good state. - If exposed externally, prepare for incident review, not just patching.
Microsoft June 2026 Patch Tuesday breaks records
Microsoft released fixes for 200 vulnerabilities in June 2026 Patch Tuesday, including three publicly disclosed zero-days and nearly three dozen critical issues. Coverage: BleepingComputer and analysis: KrebsOnSecurity.
So what?
The scale alone means organizations should expect patching delays, regression concerns, and incomplete coverage across endpoint, server, and application stacks.
What to do next - Triage by internet exposure, privilege boundary impact, and public exploit availability. - Pull asset inventories for browsers, Windows endpoints, Exchange-adjacent systems, and management servers. - Validate deployment success, not just WSUS/Intune approval status.
Microsoft Defender “RoguePlanet” zero-day exploit published
A security researcher released a new exploit dubbed RoguePlanet that reportedly grants SYSTEM privileges via Microsoft Defender, shortly after Patch Tuesday fixes for previously disclosed Defender issues. Report: BleepingComputer.
So what?
Even if this issue is not yet broadly weaponized, public exploit release sharply changes defender priorities. Any local privilege escalation with reliable SYSTEM impact raises post-compromise risk on workstations and servers.
What to do next - Track Microsoft guidance and validate Defender engine/platform versions. - Hunt for suspicious local privilege escalation chains on systems with recent initial access signals. - Watch EDR tamper events, service manipulation, and unusual child processes spawned by security tooling contexts.
ServiceNow discloses customer data exposure incident
ServiceNow disclosed a security incident tied to exploitation of an unauthenticated access flaw through a vulnerable API endpoint, allowing data queries from customer instances. Report: BleepingComputer.
So what?
This is a reminder that SaaS platform exposure often happens through APIs, not just console logins. Even when the provider owns remediation, customers still need to determine what data may have been exposed and whether downstream trust assumptions changed.
What to do next - Review provider notifications and tenant-specific exposure details. - Audit API usage, integrations, and secrets stored or exchanged through affected workflows. - Reassess data minimization and token scope in connected apps.
SAP June security updates include critical NetWeaver and Commerce Cloud flaws
SAP released 15 fixes in its June 2026 package, including four critical vulnerabilities affecting SAP NetWeaver and SAP Commerce Cloud. Coverage: BleepingComputer.
So what?
SAP platforms frequently support core business processes and are difficult to patch quickly. That combination makes compensating controls and targeted exposure review essential.
What to do next - Identify internet-reachable SAP services and admin interfaces first. - Coordinate emergency patch windows with application owners. - Increase logging and WAF/proxy inspection where patching must wait.
CISA adds three known exploited vulnerabilities to KEV
CISA added three actively exploited vulnerabilities to the KEV catalog: - CVE-2026-7473 affecting Arista EOS - CVE-2026-11645 affecting Google Chromium V8 - CVE-2026-20245 affecting Cisco Catalyst SD-WAN Manager
Source: CISA KEV update.
So what?
KEV additions are one of the strongest signals to expedite remediation. Chromium exploitation matters broadly because Chrome and many Chromium-based enterprise browsers inherit the risk window.
What to do next - Force browser updates across managed fleets. - Identify Arista and Cisco SD-WAN management plane exposure. - Use KEV status to justify out-of-band remediation.
OpenClaw AI agent falls for phishing in testing
Researchers found the OpenClaw email agent vulnerable to phishing-style manipulation that led to data leakage in testing scenarios. Coverage: BleepingComputer.
So what?
AI agents should be treated as new identity and workflow surfaces, not trusted automation by default. Prompt-driven or email-driven actions can become data exfiltration paths.
What to do next - Limit agent permissions to least privilege. - Require human approval for external message handling and sensitive actions. - Log prompt context, tool calls, and outbound data paths.
Critical Vulnerabilities
CVE-2026-10520 — Ivanti Sentry OS command injection
- Severity: CVSS 10.0
- Impact: Unauthenticated attacker can achieve root-level remote code execution
- Affected: Ivanti Sentry before R10.5.2, R10.6.2, R10.7.1
- Reference: Ivanti advisory
Defender priority: Highest. Treat internet-exposed Sentry appliances as emergency patch targets.
CVE-2026-10523 — Ivanti Sentry authentication bypass
- Severity: CVSS 9.9
- Impact: Unauthenticated attacker can create arbitrary admin accounts and gain full administrative access
- Affected: Ivanti Sentry before R10.5.2, R10.6.2, R10.7.1
- Reference: Ivanti advisory
Defender priority: Pair remediation with account review. Search for unauthorized admin creation and changes to authentication settings.
CVE-2026-25089 — Fortinet FortiSandbox OS command injection
- Severity: CVSS 9.8
- Impact: Unauthenticated attacker may execute unauthorized commands via crafted HTTP requests
- Affected: FortiSandbox 5.0.0-5.0.5, 4.4.0-4.4.8, all 4.2 versions, FortiSandbox Cloud 5.0.4-5.0.5, FortiSandbox PaaS 5.0.4-5.0.5
- Reference: Fortinet advisory
Defender priority: High for exposed appliances and cloud-hosted sandbox management interfaces.
CVE-2017-20251 — WordPress Insert PHP plugin code injection
- Severity: CVSS 9.8
- Impact: Unauthenticated attackers can execute arbitrary PHP through crafted shortcode injection via the REST API
- Affected: Insert PHP plugin before 3.3.1
- References: WordPress plugin page, Exploit DB, VulnCheck advisory
Defender priority: High for internet-facing WordPress sites with legacy plugins and writable content workflows.
CVE-2026-7486 — Netcad E-İmar SQL injection
- Severity: CVSS 9.8
- Impact: SQL injection in Netcad Software Inc. E-İmar
- Affected: 2.10.1.0 before 3.0.2
- Reference: Turkish Cyber Security notification
Defender priority: High where the application is internet-accessible or connected to sensitive municipal or planning data.
What Defenders Should Do Today
1) Patch the highest-risk internet-facing systems first
Today’s most urgent work is on edge appliances and externally reachable management platforms: - Ivanti Sentry - FortiSandbox - SAP internet-facing services - Cisco SD-WAN Manager and Arista EOS if present, based on CISA KEV status
Build the list from external attack surface management, reverse proxies, load balancers, and firewall NAT rules, not only CMDB records.
2) Force browser updates because Chromium exploitation is active
CISA’s addition of CVE-2026-11645 to KEV means active exploitation exists for a Chromium V8 flaw. Source: CISA.
Immediate actions - Push Chrome/Chromium-based browser updates via enterprise management. - Validate actual installed versions with EDR or inventory tooling. - Prioritize high-risk user groups: admins, finance, developers, execs, helpdesk.
3) Review June Patch Tuesday exceptions
A large patch volume creates operational blind spots. Expect: - endpoints that missed reboot windows, - devices off network, - failed cumulative update installs, - security tools with delayed content/platform updates.
Create an exception list and actively chase it down.
4) Hunt for abuse of newly created admin accounts and local privilege escalation
For Ivanti Sentry and Windows environments, look for: - unexpected administrator creation, - policy changes, - suspicious service creation, - unusual parent-child process relationships during local escalation attempts.
5) Reassess SaaS API exposure and AI workflow controls
The ServiceNow incident and OpenClaw findings both reinforce the same lesson: automation and API trust boundaries fail quietly.
Short-term controls - reduce token scope, - rotate exposed or over-privileged API credentials, - require approval for sensitive AI-driven actions, - log and review API calls with unusual response sizes or query patterns.
Technical Deep Dive
Technical Notes: Asset validation and patch triage
Start by identifying exposed assets and versions before you patch blindly.
# Example: enumerate externally exposed HTTPS services from a known subnet
nmap -Pn -p 443,8443,9443 203.0.113.0/24 -sV -oA june10-external-scan
# Search CMDB/export for likely products
grep -Ei 'ivanti|sentry|fortisandbox|sap|cisco|arista' assets.csv
# Example: pull Chrome version inventory from endpoints via osquery
SELECT hostname, version FROM programs WHERE name LIKE '%Chrome%';
If your environment uses EDR or vulnerability scanners, export all assets matching: - vendor names in today’s advisories, - externally accessible systems, - administrative consoles, - appliances with delayed maintenance cycles.
Technical Notes: Log patterns worth checking
For appliance and web application compromises, review: - spikes in unauthenticated requests to admin or API endpoints, - unexpected POST requests from unfamiliar IPs, - new administrative users, - config export/download activity, - shell or command execution traces where available.
Example web/proxy review approach:
# Look for suspicious POSTs to admin/API paths in reverse proxy logs
zgrep -E 'POST .*(/api/|/admin|/rest|/wp-json/)' /var/log/nginx/*access*.gz
# Find unusual status codes or large responses
zgrep -E ' 200 | 500 | 403 ' /var/log/nginx/*access*.gz | awk '{print $7, $9, $10}' | sort | uniq -c | sort -nr | head
For WordPress environments potentially impacted by plugin abuse:
# Search for REST API post creation and shortcode indicators
grep -R "wp-json/wp/v2/posts" /var/log/apache2/ /var/log/nginx/
grep -R "insert_php\|<\?php\|base64_decode" /var/www/html/wp-content/
Technical Notes: Windows endpoint checks after Patch Tuesday
Given the public Defender exploit reporting, verify that Windows systems actually received June updates and rebooted where required.
# Check recent installed hotfixes
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 20
# Defender status snapshot
Get-MpComputerStatus | Select-Object AMProductVersion, AMEngineVersion, AntispywareEnabled, RealTimeProtectionEnabled
# Review local admin group membership
Get-LocalGroupMember -Group "Administrators"
Useful telemetry pivots: - Event ID 4688 for suspicious process creation - Event ID 4720 for user creation - Event ID 4732 for group membership changes - Service installation or modification events - Defender tamper or service health alerts in your EDR/SIEM
Technical Notes: Compensating controls when patching must wait
If a maintenance window is delayed, apply exposure reduction immediately.
# Example firewall pseudo-rules
allow from mgmt-vpn-subnet to ivanti-sentry-admin ports 443
deny from any to ivanti-sentry-admin ports 443
allow from trusted-admins to fortisandbox-mgmt ports 443
deny from any to fortisandbox-mgmt ports 443
Also consider: - temporary geo/IP restrictions, - reverse proxy access control, - MFA enforcement on admin access, - disabling unused APIs or integrations, - snapshot/backups before emergency changes.
Why this matters for SMBs and lean security teams
Smaller teams cannot patch everything today, so the right sequence matters more than completeness in the first 24 hours.
Best order of operations
1. Internet-facing appliances and management consoles
2. Browsers and user-facing endpoints
3. High-value SaaS integrations and API keys
4. Core business apps such as SAP
5. Long-tail internal systems and lower-risk assets
That order reduces exploitable exposure fastest.
Bottom Line
The most important developments for cybersecurity threats June 2026 today are straightforward:
- Ivanti Sentry demands emergency attention because unauthenticated attackers can reach root RCE or create admin accounts.
- Microsoft June Patch Tuesday is unusually large, and public exploit activity raises the cost of delay.
- CISA KEV additions for Chromium, Arista, and Cisco SD-WAN Manager should move those assets to the top of remediation queues.
- ServiceNow and AI agent incidents show that API and automation trust boundaries remain weak points.
If you only do three things today, patch exposed edge systems, force Chromium updates, and review logs for unauthorized admin creation and suspicious API activity.
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.