Graphic visualization of monthly vulnerability trends and high-impact security threats

June 2026 CVE Landscape

In June 2026, Insikt Group® identified 60 high-impact vulnerabilities that should be prioritized for remediation, 30 of which had a Very Critical Recorded Future Risk Score. This represents a 49% increase from last month. 23 of the 60 vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, 34 were reported by vendors, and three were primarily surfaced through honeypot data.

The 60 vulnerabilities in this report affected products from 36 vendors, with Microsoft accounting for approximately 18% of the vulnerabilities. The remaining exposure was concentrated across a range of enterprise software, security products, network infrastructure, developer tooling, and cloud platform vendors.

Insikt Group created Nuclei templates to detect two of the vulnerabilities featured in this month’s report: CVE-2026-35616 affecting Fortinet FortiClient EMS and CVE-2026-25939 affecting Frangoteam FUXA. These are available to Recorded Future customers via the Recorded Future Intelligence Operations Platform.

Quick reference: June 2026 Vulnerability Table

All 57 vulnerabilities below were actively exploited in June 2026. This table does not include the three CVEs associated with honeypot activity, which are available to Recorded Future customers via the CVE Monthly report, in the platform. The table below also provides examples of public PoCs identified by Insikt Group. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.

#
Vulnerability
Risk
Score
Vendor/Product
KEV
Malware Analysis
RCE
PoC
1
CVE-2020-17103
99
Microsoft Windows 10/11 and Windows Server 2019
✓ Link
2
CVE-2022-0492
99
Linux Kernel
✓ Link
3
CVE-2025-55182
99
Meta React Server Components packages
✓ Link
4
CVE-2025-67038
99
Lantronix EDS5000
5
CVE-2025-8088
99
WinRAR
✓ Link
6
CVE-2026-10520
99
Ivanti Sentry
✓ Link
7
CVE-2026-11645
99
Google Chromium V8 and Chrome
✓ Link
8
CVE-2026-12569
99
PTC Windchill, Windchill PDMLink, and FlexPLM
9
CVE-2026-20230
99
Cisco Unified Communications Manager
✓ Link
10
CVE-2026-20245
99
Cisco Catalyst SD-WAN Manager and Controller
✓ Link
11
CVE-2026-20253
99
Splunk Enterprise
✓ Link
12
CVE-2026-20262
99
Cisco Catalyst SD-WAN Manager
✓ Link
13
CVE-2026-21509
99
Microsoft 365 Apps for Enterprise and Office 2016

(available to Recorded Future Customers)

✓ Link
14
CVE-2026-28318
99
SolarWinds Serv-U
✓ Link
15
CVE-2026-33825
99
Microsoft Defender Antimalware Platform

(available to Recorded Future Customers)

✓ Link
16
CVE-2026-34908
99
Ubiquiti UniFi OS, UniFi OS Server, UDM, and UDM-Pro
✓ Link
17
CVE-2026-34909
99
Ubiquiti UniFi OS, UniFi OS Server, Express 7, and UDM
✓ Link
18
CVE-2026-34910
99
Ubiquiti UniFi OS, UniFi OS Server, UDM, and UDM-Pro
✓ Link
19
CVE-2026-35273
99
Oracle PeopleSoft Enterprise PeopleTools
✓ Link
20
CVE-2026-39808
99
FortiSandbox PaaS

(available to Recorded Future Customers)

✓ Link
21
CVE-2026-41089
99
Microsoft Windows Server 2012

(available to Recorded Future Customers)

✓ Link
22
CVE-2026-42271
99
BerriAI LiteLLM
✓ Link
23
CVE-2026-48558
99
SimpleHelp
✓ Link
24
CVE-2026-48907
99
Joomla Content Editor (JCE) extension for Joomla
✓ Link
25
CVE-2026-50751
99
Check Point Security Gateway, Quantum Security Gateway, and Spark Firewalls
✓ Link
26
CVE-2026-54420
99
LiteSpeed cPanel Plugin
✓ Link
27
CVE-2026-7473
99
Arista EOS
✓ Link
28
CVE-2021-26855
89
Microsoft Exchange Server 2016 and 2019
✓ Link
29
CVE-2021-36260
89
Hikvision Firmware
✓ Link
30
CVE-2022-40684
89
Fortinet FortiOS, FortiProxy, and FortiSwitchManager
✓ Link
31
CVE-2023-20198
89
Cisco IOS XE Software
✓ Link
32
CVE-2024-21182
89
Oracle WebLogic Server
✓ Link
33
CVE-2024-21762
89
Fortinet FortiProxy and FortiOS
✓ Link
34
CVE-2025-48595
89
Android Framework
✓ Link
35
CVE-2025-6218
89
WinRAR
✓ Link
36
CVE-2026-21513
89
Microsoft Windows 10 and Windows Server 2012
37
CVE-2026-3300
89
WPEverest Everest Forms Pro
✓ Link
38
CVE-2026-35616
89
Fortinet FortiClientEMS
✓ Link
39
CVE-2026-41091
89
Microsoft Malware Protection Engine
✓ Link
40
CVE-2026-44963
89
Veeam Backup and Replication
41
CVE-2026-45247
89
Mirasvit Full Page Cache Warmer for Magento 2
✓ Link
42
CVE-2016-4437
79
Apache Shiro
✓ Link
43
CVE-2021-27076
79
Microsoft SharePoint and Business Productivity Servers
44
CVE-2021-27137
79
DD-WRT Firmware
45
CVE-2022-27925
79
Zimbra
✓ Link
46
CVE-2022-41082
79
Microsoft Exchange Server 2013
✓ Link
47
CVE-2023-32315
79
Openfire
✓ Link
48
CVE-2023-46747
79
F5 BIG-IP
✓ Link
49
CVE-2024-36401
79
Geoserver
✓ Link
50
CVE-2026-25089
79
Fortinet FortiSandbox PaaS and Cloud
✓ Link
51
CVE-2026-39813
79
Fortinet FortiSandbox and Cloud
✓ Link
52
CVE-2026-4020
79
Gravity SMTP
✓ Link
53
CVE-2026-45586
79
Microsoft Windows 10 and Windows Server 2012
54
CVE-2026-46817
79
Oracle Payments
✓ Link
55
CVE-2026-5027
79
Langflow
✓ Link
56
CVE-2026-8206
79
Kirki – Freeform Page Builder, Website Builder & Customizer
✓ Link
57
CVE-2026-25939
72
Frangoteam FUXA
✓ Link

Table 1: List of vulnerabilities that were actively exploited in June, 2026 based on Recorded Future data (excluding honeypot-sourced CVEs).

Trend analysis: Malware-linked exploitation and intrusion activity

June's strongest campaign-linked theme was the exploitation of externally reachable enterprise applications and appliances. Insikt Group published a TTP Instance on the StrikeShark campaign which described activity spanning CVE-2025-55182 affecting React Server Components, CVE-2021-26855 and CVE-2022-41082 affecting Microsoft Exchange, CVE-2021-36260 affecting Hikvision firmware, CVE-2022-40684 and CVE-2024-21762 affecting Fortinet FortiOS, CVE-2023-20198 affecting Cisco IOS XE Web UI, CVE-2016-4437 affecting Apache Shiro, CVE-2021-27076 affecting Microsoft SharePoint, CVE-2022-27925 affecting Zimbra, CVE-2023-32315 affecting Openfire, CVE-2023-46747 affecting F5 BIG-IP, and CVE-2024-36401 affecting GeoServer. The exploitation of these vulnerabilities resulted in the deployment of SharkLoader, which then delivered Cobalt Strike.

Screenshot detailing risk assessment metrics and exploit status for the React2Shell vulnerability.
Figure 1: Vulnerability Intelligence Card® for CVE-2025-55128 (React2Shell) in Recorded Future (Source: Recorded Future)

React Server Components was also linked to targeted malware delivery outside the broader StrikeShark set: Lazarus Group exploited CVE-2025-55182 to deploy COPPERHEDGE against financial and blockchain-related organizations. Microsoft-related exploitation appeared in both endpoint and document-processing contexts: APT36 exploited CVE-2026-21509 (affecting Microsoft 365 Apps for Enterprise and Office 2016) and CVE-2026-21513 (affecting Windows client and server versions) in operations targeting India. This activity was linked to backdoor deployment and SHEETCREEP. CVE-2021-27137, affecting DD-WRT firmware, was linked to a C0XMO botnet campaign across Linux architectures, while Qilin Ransomware was associated with CVE-2026-50751 affecting Checkpoint Security Gateway and Spark Firewalls.

PoC exploit trends and analyses associated with this month's high-impact vulnerabilities are available to Recorded Future customers.

Take action.

Timely and relevant information on vulnerabilities in your environment and that of your vendors and suppliers is critical for reducing risk. Find out how Recorded Future can support your team by increasing visibility, improving efficiency, and enabling confident decisions.

Vulnerability Prioritization – Prioritize vulnerabilities based on the likelihood of exploitation – not just the severity. Easily understand the risk of exploitation alongside severity, and real-time contextualized intelligence to help you quickly make confident decisions, patch what matters, and prevent attacks.

Attack Surface Intelligence – Identify internet-facing assets vulnerable to a specific CVE. Attack Surface Intelligence provides an outside-in view of your organization to help you actively discover, prioritize, and respond to unknown, vulnerable, or misconfigured assets.

Third-Party Risk – Gain an external view of the security posture of your vendors and partners. Eliminate time-consuming research and vendor communication cycles with the ability to promptly assess vulnerabilities in their internet-facing systems.

Insikt Group® – Receive access to exclusive reports on new vulnerabilities and trends from Recorded Future’s team of experts, the Insikt Group®. Download Nuclei templates created by Insikt Group® for select CVEs to test potentially vulnerable instances.

Recorded Future Professional Services – Work with our Professional Services team on a Vulnerability Analysis Engagement. Designed to equip your team with advanced strategies for identifying, prioritizing, and mitigating threats effectively, this program delves into technologies and operations essential for a successful vulnerability management program. (Learn more about how our Professional Services team can help your elevate your team by watching our recent Vulnerability Prioritization Workshop)

About Iniskt Group®

Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for customers, enables tangible outcomes, and prevents business disruption.

Explore expert insights, reports, and tools to strengthen your cybersecurity strategy.