Attackers have begun exploiting a critical flaw in Oracle E-Business Suite, the financial and operations platform used by large enterprises, threat intelligence firm Defused reports. The bug (CVE-2026-46817), rated 9.8, sits in the File Transmission component of Oracle Payments and lets an unauthenticated attacker with HTTP access take over the system through a low-complexity attack. Oracle patched it in its May 2026 update, but exploitation began over the weekend despite no public proof-of-concept existing, meaning attackers built their own. Observed payloads attempt to read sensitive system files. Shadowserver tracks more than 450 EBS instances exposed online, many in North America and Asia, with unknown numbers still unpatched.
CISA has confirmed active exploitation of four critical flaws in Ubiquiti UniFi OS and Lantronix EDS5000 devices, adding them to its Known Exploited Vulnerabilities catalog with a June 26 deadline for federal agencies. Three UniFi OS bugs (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910), each rated 10.0, can be chained for unauthenticated remote code execution and root; attackers were seen creating rogue admin accounts. The Lantronix flaw (CVE-2025-67038) is an unauthenticated root command injection in the EDS5000 serial console server. Ubiquiti patched UniFi OS Server in version 5.0.8, and Lantronix in firmware 2.2.0.0R1. Compromised network appliances let attackers pivot deep into internal networks.
A flaw in Cisco Unified Communications Manager, the system that runs enterprise phone and call infrastructure, is now being exploited in attacks. The bug (CVE-2026-20230) is a server-side request forgery that lets an unauthenticated attacker send a crafted HTTP request to write files onto the underlying system, which can then be used to escalate to root and fully take over the server. Cisco patched it on June 3 and rates it critical; public exploit code has been available since, and security firms now see active exploitation attempts. The flaw is only exploitable when the WebDialer service is enabled, which is not the default.
Attackers are mass-exploiting a flaw in Gravity SMTP, a WordPress email plugin installed on about 100,000 sites, to harvest credentials without any login. The bug (CVE-2026-4020) leaves a REST API endpoint with a permission check that always passes, so a single unauthenticated request returns a 365 KB system report containing API keys, secrets, and OAuth tokens for connected email services like Amazon SES, Mailjet, and Zoho, plus detailed software-stack information. Wordfence has blocked more than 17 million attempts, with activity spiking around June 6 and 7. A patch shipped in version 2.1.5, but updating does not revoke keys attackers may have already grabbed.
A critical Splunk Enterprise flaw disclosed earlier this month is now being exploited in the wild, and CISA has added it to its known-exploited list with a June 21 federal patch deadline. The bug (CVE-2026-20253, rated 9.8) is a missing-authentication issue in a PostgreSQL sidecar service: an unauthenticated, network-reachable attacker can create or truncate arbitrary files on the Splunk host, which can cascade into log corruption, broken monitoring, and remote code execution. Both Splunk and Resecurity have confirmed active exploitation, and a public proof-of-concept and Nuclei template exist. Because Splunk underpins many SOC and SIEM operations, a compromise can blind defenders.
A critical flaw in the Joomla Content Editor (JCE), one of the most widely used editor extensions for the Joomla CMS, is being actively exploited to take over websites. The bug (CVE-2026-48907, rated a perfect 10) is an access-control failure that lets an unauthenticated attacker create editor profiles and then upload and run arbitrary PHP code, leading to full server compromise. CISA added it to its known-exploited list and ordered federal agencies to patch by June 19. Working exploit code is public and attacks are automated, so even sites with no public registration are at risk. Patching closes the hole but does not remove anything attackers already planted.
CISA has added a LiteSpeed cPanel plugin flaw to its known-exploited list and given federal agencies until June 18 to patch. The bug (CVE-2026-54420, rated 8.5) lets a user who already has FTP or web-shell access on a shared hosting server escalate to root by abusing how the plugin follows symbolic links, on servers running CloudLinux or CageFS. On multi-tenant hosting that turns one compromised account into full control of the whole server and every site on it. Namecheap reported it after spotting suspicious activity, and LiteSpeed flagged active exploitation in early June. The fix is LiteSpeed WHM Plugin 5.3.2.1 with cPanel plugin 2.4.8.
Threat-intelligence firm Defused reports that attackers are now exploiting three critical flaws in Fortinet's FortiSandbox, the appliance other Fortinet products rely on to judge whether files are malicious. Two (CVE-2026-39813, a JRPC API path traversal that bypasses authentication, and CVE-2026-39808, an unauthenticated command-injection that runs code as root) were patched in April; the third (CVE-2026-25089) only last week. All are unauthenticated and rated critical. Compromising a sandbox is especially dangerous because attackers can make it wave real malware through as clean. Notably, the exploit for one flaw appears to have been generated with AI and is likely faulty, yet attackers are trying it anyway.
Cisco has patched a flaw in Catalyst SD-WAN Manager (formerly vManage), the console used to manage thousands of SD-WAN devices, that attackers were already exploiting as a zero-day to gain root. The bug (CVE-2026-20262) stems from weak validation of file uploads in the web interface, letting an authenticated low-privilege remote attacker create or overwrite any file on the system by sending crafted HTTP requests, and from there run commands as root. It affects every deployment type, including on-premises, Cisco-managed cloud, and the FedRAMP government edition, regardless of configuration. It is the latest in a run of exploited Cisco SD-WAN Manager zero-days this year.
The critical Ivanti Sentry flaw covered yesterday is now under active attack, with researchers reporting compromised gateways within about 24 hours of the patch and public patch analysis. CVE-2026-10520, rated a perfect 10, is an OS command injection in an internal configuration API that accepts commands from anyone who can reach it over the internet, granting remote code execution as root with no login. A second flaw, CVE-2026-10523, lets attackers create their own admin accounts. With exploitation confirmed and detection tooling public, the time to patch has effectively run out for internet-exposed appliances. Ivanti released fixes earlier this week.