
Top CVEs of June 2026: 5 Critical Flaws to Patch Now

Shubham Jha · July 1, 2026 · 12 min read

Table of Contents

  • What did June 2026 actually look like?
  • CVE-2026-50751, the Check Point VPN bypass ransomware crews jumped on
    • What to do right now
  • CVE-2026-20253, Splunk shipped a database port with no lock on it
    • What to do right now
  • CVE-2026-47291, one oversized request to own the Windows kernel
    • What to do right now
  • CVE-2026-42271, your AI gateway is now an unauthenticated shell
    • What to do right now
  • CVE-2026-33825, the Defender flaw that came back as a ransomware tool
    • What to do right now
  • At a glance
  • How should you prioritize these five?
  • Frequently asked questions
  • Related reading
  • Sources


TL;DR
  • CVE-2026-47291 (Windows HTTP.sys, 9.8) is an unauthenticated, kernel-mode RCE reachable through IIS, WinRM, and WCF. One crafted oversized HTTP request hands an attacker SYSTEM. EPSS sits at 22% and a PoC is already public.
  • CVE-2026-50751 (Check Point Remote Access VPN) lets an unauthenticated attacker bypass login over the deprecated IKEv1 path. Exploitation runs back to May 7 and Check Point ties at least one case to a Qilin ransomware affiliate.
  • CVE-2026-20253 (Splunk Enterprise) exposes an unauthenticated PostgreSQL sidecar endpoint that writes arbitrary files. watchTowr turned it into pre-auth RCE within days. EPSS is 88%, the highest on this list.
  • CVE-2026-42271 (LiteLLM) lets any low-privilege API key run host commands through MCP test endpoints that skipped the admin role check. The AI gateway becomes the foothold. EPSS 75%.
  • CVE-2026-33825 (Microsoft Defender “BlueHammer”, 7.8) escalates a local user to SYSTEM through a TOCTOU race in Defender’s remediation engine. CISA updated the KEV entry on June 30 to confirm ransomware crews are now using it.
  • The pattern: CVSS told you the ceiling. EPSS, KEV status, and real exposure told you which five actually mattered. Four had a fix available before the attacks scaled.

What did June 2026 actually look like?

June set a record nobody wanted. Microsoft shipped fixes for 208 CVEs in a single Patch Tuesday, the largest release since anyone started counting, and the wider month added a Check Point VPN bypass, a Splunk pre-auth file write, an AI-gateway RCE, and a Defender privilege-escalation bug that quietly graduated into ransomware tooling. Volume like that is its own kind of noise. A CVSS list of 208 entries does not tell you where to start.

So we did not rank by CVSS. We ranked by what was being exploited, what had a public proof-of-concept, and what sits on assets you actually expose. Five flaws clear that bar for June. Each one is live on the Strobes Vulnerability Intelligence platform with EPSS, KEV status, and exploit availability tracked in real time. Start with the VPN, because it is the cleanest example of the gap between a score and a breach.

CVE-2026-50751, the Check Point VPN bypass ransomware crews jumped on

CVE-2026-50751 lets an unauthenticated attacker reach a Check Point Remote Access VPN and log in without a password. That is the whole story, and it is enough. The flaw is a certificate-validation logic error in the deprecated IKEv1 key exchange used by Remote Access and Mobile Access. An attacker who can reach the gateway establishes a VPN session as a real user, no credentials required.

Look at the score Strobes VI carries: CVSS 0.0 from NVD at the time of writing, EPSS 71%. If you triaged on CVSS alone, this one never reaches your queue. The trend is marked rising, and the reason is the company you keep on the other end. Check Point observed exploitation going back to May 7, with a spike in early June, across several dozen organizations. At least one incident is linked to a Qilin ransomware affiliate, and Rapid7 attributed two cases with high confidence. CISA added it to the Known Exploited Vulnerabilities catalog on June 9.

VPN gateways are the classic ransomware front door, and an authentication bypass turns one internet-reachable box into access across everything behind the identity layer. Four of the nine affected version branches (R80.20.x, R80.40, R81, R81.10) are already end of support, so plenty of exposed gateways have no clean upgrade path.

What to do right now

  • Apply the Check Point hotfix on an emergency basis, not the next maintenance window.
  • Disable IKEv1 where you can; the flaw lives in that deprecated path.
  • Assume compromise for any gateway exposed before the fix. Hunt back to May 7: audit VPN logs for sessions with no matching authentication event and review configuration changes.
  • Migrate the end-of-support branches. There is no patch coming for R80.40 or R81. See our take on why adversarial exposure validation beats waiting for the next scan to tell you a VPN is reachable.
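One way to run the May 7 hunt from the list above, as an added example that is not part of the original post. The pipe-delimited export, the field names and the 5-minute window are this example's own assumptions, not Check Point's log format; map them to what your gateway actually emits.

```python
"""Hunt for Remote Access VPN sessions with no matching authentication event,
the post-compromise check recommended for CVE-2026-50751.
The pipe-delimited export below is constructed for this example; it is not
Check Point's native log format, so map the fields to what your gateway emits."""
from datetime import datetime, timedelta

HUNT_START = datetime(2026, 5, 7)      # earliest observed exploitation
AUTH_WINDOW = timedelta(minutes=5)     # an auth older than this does not explain a session

# Constructed sample: time|event|user|src_ip|session_id
SAMPLE_LOG = """\
2026-05-06 09:00:01|auth_success|alice|203.0.113.5|s100
2026-05-06 09:00:02|session_established|alice|203.0.113.5|s100
2026-05-09 22:14:11|session_established|bob|198.51.100.7|s231
2026-06-02 03:40:00|auth_success|carol|192.0.2.9|s300
2026-06-02 03:40:01|session_established|carol|192.0.2.9|s300
2026-06-03 01:02:03|auth_success|dave|198.51.100.8|s310
2026-06-03 01:30:03|session_established|dave|198.51.100.8|s311
"""


def parse(log_text):
    """Turn the export into dicts with a real datetime for ordering."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src, session = line.split("|")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "event": event, "user": user, "src": src, "session": session})
    return events


def sessions_without_auth(events, start=HUNT_START, window=AUTH_WINDOW):
    """Session ids established at or after `start` for which no auth_success
    from the same user and source IP landed within `window` beforehand.
    In the sample, bob never authenticated and dave's auth is too old for s311."""
    auths = [e for e in events if e["event"] == "auth_success"]
    flagged = []
    for s in events:
        if s["event"] != "session_established" or s["ts"] < start:
            continue
        explained = any(
            a["user"] == s["user"] and a["src"] == s["src"]
            and timedelta(0) <= s["ts"] - a["ts"] <= window
            for a in auths)
        if not explained:
            flagged.append(s["session"])
    return flagged
```

Sessions before May 7 are skipped by design; widen `start` if your first exposure predates the observed campaign.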

CVE-2026-20253, Splunk shipped a database port with no lock on it

CVE-2026-20253 is an unauthenticated file write in Splunk Enterprise that becomes remote code execution. The PostgreSQL sidecar service endpoint that ships with Splunk has no authentication on it, so any network-reachable user can create or truncate arbitrary files on the host. From there, writing to the right path is a short hop to code execution.

This is the highest EPSS on the list at 88%, and Strobes VI flags it critical priority on the combination that matters: high EPSS, exploit exists, active exploitation. Splunk PSIRT confirmed limited exploitation in June. watchTowr published a write-up and PoC on June 12 showing the file write chains into RCE, and CISA followed with a KEV listing and a patch-by-Sunday deadline. Shadowserver was tracking more than 1,400 internet-exposed Splunk instances when the advisory dropped.

Splunk is the system your SOC trusts. An unauthenticated write into that box does not just compromise a server, it compromises the telemetry you would use to detect the compromise. That is why a “low severity 0.0” label is so misleading here, and why prioritization that ignores CVSS in favor of real signals is the only sane way to read a month like this.

What to do right now

  • Upgrade to Splunk Enterprise 10.2.4 or 10.0.7, or the fixed Splunk Cloud builds.
  • Until you patch, block network access to the PostgreSQL sidecar endpoint and keep Splunk off the public internet.
  • Hunt for unexpected file creation or truncation on Splunk hosts and review the Emerging Threats Suricata signature for this CVE.

CVE-2026-47291, one oversized request to own the Windows kernel

CVE-2026-47291 is an unauthenticated, network RCE in Windows HTTP.sys that runs in kernel mode. HTTP.sys is the kernel driver under IIS, WinRM, WCF, and a long list of Windows HTTP services. An integer overflow in its request-parsing logic, triggered by a crafted request crossing 65,535 bytes, wraps the allocation size and overflows the heap in kernel memory. Success means code execution as SYSTEM with no privilege boundary above it.

[Figure] CVE-2026-47291 on Strobes VI: CVSS 9.8, EPSS 22%, exploit available, no patch flag, critical priority.

This was the headline bug in a 208-CVE Patch Tuesday, and Microsoft put it on the “exploitation more likely” list. Strobes VI tracks it at CVSS 9.8 with EPSS 22% and a public PoC already on GitHub. There is one nuance that decides whether you are exposed: servers running the default MaxRequestBytes value of 16,384 bytes are not affected. Only hosts where that value was explicitly raised above 65,535 are in range. That single registry setting is the difference between “patch on the normal cycle” and “patch tonight,” and you cannot know which servers are affected without checking.

It is the same unauthenticated-plus-kernel-mode-plus-integer-overflow class that produced PrintNightmare and the 2021 HTTP.sys scare. Each time, that combination proved devastating. Microsoft has not called this one wormable, but the raw capability is there.

What to do right now

  • Apply the June Patch Tuesday update for HTTP.sys.
  • Before you patch, audit MaxRequestBytes across your Windows web fleet. If it sits above 65,535, set it back below that and restart the HTTP service. Microsoft’s bulletin ships a PowerShell script for the change.
  • Inventory everything fronting HTTP.sys, including non-obvious services like WinRM and WCF, not just public IIS sites.

CVE-2026-42271, your AI gateway is now an unauthenticated shell

CVE-2026-42271 lets any authenticated LiteLLM user, including a low-privilege internal key, run arbitrary commands on the proxy host. LiteLLM is a popular gateway that sits in front of model providers. Two endpoints used to preview an MCP server before saving it, POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, accepted a full stdio server config and spawned the supplied command as a subprocess with the proxy’s privileges. The endpoints checked for a valid API key but skipped the role check the save endpoint enforced.

Strobes VI tracks it at EPSS 75%, with public PoCs and a Nuclei template already published. This is the June flaw most worth your attention if you are building anything agentic. The AI gateway holds the keys to every model provider and tool it brokers, and a missing role check on a debug endpoint turns that gateway into a command-execution primitive. As MCP servers and AI tooling spread across engineering orgs, this class of bug, an over-permissioned internal endpoint, is going to define the next wave of exposure. It is exactly the kind of chained, reasoned flaw agentic pentesting is built to surface before an attacker does.

What to do right now

  • Upgrade to LiteLLM 1.83.7, which puts both test endpoints behind the PROXY_ADMIN role.
  • If you cannot upgrade immediately, block the two /mcp-rest/test/ endpoints at your reverse proxy or API gateway.
  • Rotate every provider key reachable from the proxy and audit which internal keys could call those endpoints.

CVE-2026-33825, the Defender flaw that came back as a ransomware tool

CVE-2026-33825, the “BlueHammer” bug, escalates a local unprivileged user to SYSTEM by abusing Microsoft Defender’s own remediation engine. It is a time-of-check to time-of-use race condition. Defender performs privileged file operations during malware cleanup without re-validating the target path at write time. The exploit uses an opportunistic lock to pause Defender mid-operation, drops an NTFS junction to redirect the write into C:\Windows\System32, and lets Defender finish the job with SYSTEM privileges. The endpoint security tool becomes the escalation path.

[Figure] CVE-2026-33825 on Strobes VI: CVSS 7.8, zero-day, exploit and patch available.

This one earns its place for a June-specific reason. BlueHammer was disclosed and patched back in April, exploited in the wild as a zero-day before the fix shipped. On June 30, CISA updated the KEV entry to confirm the flaw is now being used in ransomware campaigns. A 7.8 that you may have deprioritized in April is, two months later, part of an active ransomware playbook. That is the entire argument for re-prioritizing on a rolling basis instead of treating a patch cycle as done. Strobes VI flags it zero-day with exploit and patch both available, and the trend is one to watch.

What to do right now

  • Confirm the April 2026 Defender platform update (Antimalware Platform 4.18.26050.3011 or later) actually reached every endpoint, especially isolated or update-restricted machines.
  • Watch for privilege-escalation tells: NTFS junction creation near Defender temp paths, oplock abuse, and recon sequences like whoami /priv and cmdkey /list from user-writable folders.
  • Restrict execution from Pictures and Downloads subfolders and enable Attack Surface Reduction rules where you can.
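The tells in the list above as detection logic over process-creation events, added here as an example and not code from the original post. The event shape (image, cmd, cwd, user), the sample events and the "two distinct tells per user" threshold are this example's assumptions; oplock abuse is not visible in process events and needs file-system telemetry.

```python
"""Flag the BlueHammer (CVE-2026-33825) privilege-escalation tells over
process-creation events. The event shape (image, cmd, cwd, user) is
constructed for this example; map it to your EDR or Sysmon Event ID 1
fields. Oplock abuse is not visible here and needs file-system telemetry."""
import re
from collections import defaultdict

# Folders an unprivileged user can write to: Pictures, Downloads, local temp.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(pictures|downloads|appdata\\local\\temp)(\\|$)", re.I)
RECON = {
    "whoami /priv": re.compile(r"\bwhoami(\.exe)?\s+/priv\b", re.I),
    "cmdkey /list": re.compile(r"\bcmdkey(\.exe)?\s+/list\b", re.I),
}
JUNCTION = re.compile(r"\bmklink(\.exe)?\b.*\s/j\b", re.I)  # NTFS junction via cmd.exe

SAMPLE_EVENTS = [  # constructed
    {"image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami /priv",
     "cwd": r"C:\Users\ann\Pictures\ext", "user": "ann"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd /c mklink /J "C:\Users\ann\Pictures\ext\link" "C:\Users\ann\Pictures\ext\real"',
     "cwd": r"C:\Users\ann\Pictures\ext", "user": "ann"},
    {"image": r"C:\Windows\System32\cmdkey.exe", "cmd": "cmdkey /list",
     "cwd": r"C:\Users\ann\Downloads", "user": "ann"},
    {"image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami /priv",
     "cwd": r"C:\Users\bob\Downloads", "user": "bob"},        # single tell, too noisy alone
    {"image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami /priv",
     "cwd": r"C:\Windows\System32", "user": "svc-admin"},    # not from a user-writable folder
]


def tells(event):
    """Tells present in one event; they only count from a user-writable folder."""
    found = []
    if USER_WRITABLE.match(event["cwd"]):
        for name, pat in RECON.items():
            if pat.search(event["cmd"]):
                found.append("recon:" + name)
        if JUNCTION.search(event["cmd"]):
            found.append("junction")
    return found


def hunt(events):
    """Users with two or more distinct tells: the recon-plus-junction sequence
    described above, rather than any single whoami."""
    per_user = defaultdict(set)
    for e in events:
        per_user[e["user"]].update(tells(e))
    return {u: sorted(t) for u, t in per_user.items() if len(t) >= 2}
```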

At a glance

Five products with nothing in common except that the score on the label told you almost nothing about the risk in the wild.

| CVE | Product | CVSS | Type | Exploited | Fix |
|---|---|---|---|---|---|
| CVE-2026-47291 | Windows HTTP.sys | 9.8 | Unauth network RCE (kernel) | PoC public, EPSS 22% | June Patch Tuesday |
| CVE-2026-50751 | Check Point VPN | Crit | Unauth VPN auth bypass | In KEV, Qilin ransomware | Check Point hotfix |
| CVE-2026-20253 | Splunk Enterprise | Crit | Unauth file write to RCE | In KEV, EPSS 88% | Splunk 10.2.4 / 10.0.7 |
| CVE-2026-42271 | LiteLLM (MCP proxy) | Crit | Authd command injection RCE | PoC public, EPSS 75% | LiteLLM 1.83.7 |
| CVE-2026-33825 | Microsoft Defender | 7.8 | Local priv-esc to SYSTEM | In KEV, now ransomware | April Patch Tuesday |

CVSS values reflect NVD data as carried on Strobes VI at time of writing; several were still 0.0 or unscored while EPSS and KEV already flagged active risk.

How should you prioritize these five?

Patch by exposure and exploitation, not by severity score alone. In a month with 208 Microsoft CVEs, a raw severity list buries the bugs attackers actually reach for. The order that holds up puts CISA KEV entries with confirmed exploitation first (Check Point, Splunk, Defender), then high-EPSS flaws with public exploit code on assets you expose (LiteLLM, and the HTTP.sys hosts where MaxRequestBytes is raised), then everything else. That is the logic behind risk-based vulnerability management and the prioritization stage of a CTEM program.
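The ordering just described, applied to the five findings with the figures this post gives, as an added example that is not Strobes' code or the platform's scoring. The MaxRequestBytes input for the HTTP.sys host, the unscored LiteLLM CVSS and EPSS as the tiebreak inside a tier are this example's assumptions.

```python
"""Rank the June 2026 CVEs by exploitation and exposure instead of CVSS.

Tiers follow the article: (1) CISA KEV entries with confirmed exploitation,
(2) public exploit code on an asset you actually expose, (3) everything else.
Using EPSS as the tiebreak inside a tier is this example's own choice.
"""
from dataclasses import dataclass
from typing import Optional

HTTP_SYS_DEFAULT_MAX_REQUEST_BYTES = 16_384   # Windows default, not affected
HTTP_SYS_TRIGGER_BYTES = 65_535               # raised above this => in range


def http_sys_host_exposed(max_request_bytes: Optional[int]) -> bool:
    """CVE-2026-47291 only reaches hosts where MaxRequestBytes was explicitly
    raised above 65,535. None means the value is absent, so the default applies."""
    value = HTTP_SYS_DEFAULT_MAX_REQUEST_BYTES if max_request_bytes is None else max_request_bytes
    return value > HTTP_SYS_TRIGGER_BYTES


@dataclass
class Finding:
    cve: str
    product: str
    nvd_cvss: Optional[float]   # None = unscored at NVD
    epss: Optional[float]       # None = not carried in the article
    in_kev: bool
    exploited: bool             # confirmed in-the-wild exploitation
    poc_public: bool
    exposed: bool               # is the vulnerable path reachable on your asset?


def tier(f: Finding) -> int:
    if f.in_kev and f.exploited:
        return 1
    if f.poc_public and f.exposed:
        return 2
    return 3


def prioritize(findings):
    return sorted(findings, key=lambda f: (tier(f), -(f.epss or 0.0)))


def by_cvss(findings):
    """The raw severity sort the article argues against, for comparison."""
    return sorted(findings, key=lambda f: -(f.nvd_cvss or 0.0))


def june_2026_findings(http_sys_max_request_bytes: Optional[int]):
    """Figures as given in the article; the HTTP.sys host's MaxRequestBytes is
    the one per-asset input (constructed, check it on every host)."""
    return [
        Finding("CVE-2026-47291", "Windows HTTP.sys", 9.8, 0.22, False, False, True,
                http_sys_host_exposed(http_sys_max_request_bytes)),
        Finding("CVE-2026-50751", "Check Point VPN", 0.0, 0.71, True, True, False, True),
        Finding("CVE-2026-20253", "Splunk Enterprise", 0.0, 0.88, True, True, True, True),
        Finding("CVE-2026-42271", "LiteLLM", None, 0.75, False, False, True, True),
        Finding("CVE-2026-33825", "Microsoft Defender", 7.8, None, True, True, True, True),
    ]
```

With the default MaxRequestBytes the HTTP.sys bug drops to the last tier; with the value raised it joins LiteLLM in tier 2, while a plain CVSS sort would put it first either way.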

The Strobes Vulnerability Intelligence platform tracks that live context for every CVE here: exploit availability, EPSS movement, KEV status, and real exposure. Start at strobes.co/vi.

Frequently asked questions

Which June 2026 CVE should I patch first?

If you run Check Point Remote Access VPN, CVE-2026-50751 comes first: it is an unauthenticated bypass, it is in CISA KEV, and it is already tied to Qilin ransomware. After that, prioritize Splunk (CVE-2026-20253, EPSS 88%) and confirm your April Defender update closed BlueHammer (CVE-2026-33825), which is now in ransomware campaigns.

Is my Windows server affected by the HTTP.sys bug CVE-2026-47291?

Only if the MaxRequestBytes registry value was raised above 65,535. Servers on the default 16,384-byte value are not exploitable. Check that value across every host running IIS, WinRM, or WCF before assuming you are safe, then apply the June Patch Tuesday update.

Why does an AI gateway flaw like CVE-2026-42271 matter for security teams?

LiteLLM brokers credentials and tools for every model provider behind it. A missing role check on a debug endpoint let any authenticated key run host commands, turning the gateway into an unauthenticated-adjacent shell. As MCP servers and agentic tooling spread, over-permissioned internal endpoints like this are becoming a primary attack surface.

How does Strobes help with CVEs like these?

Strobes Vulnerability Intelligence tracks exploit availability, EPSS, and KEV status for every CVE in real time, and the platform validates which findings are actually reachable in your environment. That replaces raw CVSS sorting with risk-based prioritization, so a 208-CVE month becomes a short, ordered queue. See Adversarial Exposure Validation and RBVM.

Related reading

  • What is vulnerability prioritization? A Strobes guide
  • Vulnerability validation: why most of your scanner backlog is noise
  • Top CVEs of May 2026: 5 critical flaws to patch now
  • NIST NVD CVE prioritization update 2026

Sources

  1. Strobes Vulnerability Intelligence
  2. CISA Known Exploited Vulnerabilities Catalog
  3. FIRST EPSS Model
  4. NIST National Vulnerability Database