June 2026 CVE Landscape
In June 2026, Insikt Group® identified 60 high-impact vulnerabilities that should be prioritized for remediation, 30 of which had a Very Critical Recorded Future Risk Score. This represents a 49% increase from last month. 23 of the 60 vulnerabilities were included in the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, 34 were reported by vendors, and three were primarily surfaced through honeypot data.
The 60 vulnerabilities in this report affected products from 36 vendors, with Microsoft accounting for approximately 18% of the vulnerabilities. The remaining exposure was concentrated across a range of enterprise software, security products, network infrastructure, developer tooling, and cloud platform vendors.
Insikt Group created Nuclei templates to detect two of the vulnerabilities featured in this month’s report: CVE-2026-35616 affecting Fortinet FortiClient EMS and CVE-2026-25939 affecting Frangoteam FUXA. These are available to Recorded Future customers via the Recorded Future Intelligence Operations Platform.
Quick reference: June 2026 Vulnerability Table
All 57 vulnerabilities below were actively exploited in June 2026. This table does not include the three CVEs associated with honeypot activity, which are available to Recorded Future customers via the CVE Monthly report, in the platform. The table below also provides examples of public PoCs identified by Insikt Group. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.
Score
✓
(available to Recorded Future Customers)
✓
(available to Recorded Future Customers)
✓
(available to Recorded Future Customers)
Table 1: List of vulnerabilities that were actively exploited in June, 2026 based on Recorded Future data (excluding honeypot-sourced CVEs).
Key trends: June 2026
- In June 2026, StrikeShark exploited public-facing applications to deploy SharkLoader and deliver Cobalt Strike; Lazarus exploited CVE-2025-55182 to deploy COPPERHEDGE; APT36 exploited Microsoft vulnerabilities in operations targeting India; a C0XMO botnet propagated through DD-WRT routers; EKZ information-stealing malware was delivered through FortiClient EMS exploitation; and Qilin ransomware was associated with a vulnerability affecting Check Point gateways.
- 25 of the 60 vulnerabilities enabled remote code execution (RCE), affecting products from 18 vendors: Meta, WinRAR, Ivanti, Google, PTC, Cisco, Ubiquiti, Fortinet, Microsoft, BerriAI, Android, WPEverest, Veeam, Mirasvit, Apache, Hikvision, F5, and GeoServer.
- Insikt Group identified public proof-of-concept (PoC) exploits for 53 of the 60 vulnerabilities identified this month.
- The most commonly observed flaws this month were CWE-22 (Path Traversal), followed by CWE-502 (Deserialization of Untrusted Data), CWE-78 (OS Command Injection), CWE-306 (Missing Authentication for Critical Function), and CWE-287 (Improper Authentication).
- 4 of the 60 vulnerabilities in this month’s prominent vulnerability disclosures table are at least five years old, with the oldest approximately ten years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Additionally, the fastest observed time from a vulnerability’s public disclosure to exploitation was less than one day.
Trend analysis: Malware-linked exploitation and intrusion activity
June's strongest campaign-linked theme was the exploitation of externally reachable enterprise applications and appliances. Insikt Group published a TTP Instance on the StrikeShark campaign which described activity spanning CVE-2025-55182 affecting React Server Components, CVE-2021-26855 and CVE-2022-41082 affecting Microsoft Exchange, CVE-2021-36260 affecting Hikvision firmware, CVE-2022-40684 and CVE-2024-21762 affecting Fortinet FortiOS, CVE-2023-20198 affecting Cisco IOS XE Web UI, CVE-2016-4437 affecting Apache Shiro, CVE-2021-27076 affecting Microsoft SharePoint, CVE-2022-27925 affecting Zimbra, CVE-2023-32315 affecting Openfire, CVE-2023-46747 affecting F5 BIG-IP, and CVE-2024-36401 affecting GeoServer. The exploitation of these vulnerabilities resulted in the deployment of SharkLoader, which then delivered Cobalt Strike.
React Server Components was also linked to targeted malware delivery outside the broader StrikeShark set: Lazarus Group exploited CVE-2025-55182 to deploy COPPERHEDGE against financial and blockchain-related organizations. Microsoft-related exploitation appeared in both endpoint and document-processing contexts: APT36 exploited CVE-2026-21509 (affecting Microsoft 365 Apps for Enterprise and Office 2016) and CVE-2026-21513 (affecting Windows client and server versions) in operations targeting India. This activity was linked to backdoor deployment and SHEETCREEP. CVE-2021-27137, affecting DD-WRT firmware, was linked to a C0XMO botnet campaign across Linux architectures, while Qilin Ransomware was associated with CVE-2026-50751 affecting Checkpoint Security Gateway and Spark Firewalls.
PoC exploit trends and analyses associated with this month's high-impact vulnerabilities are available to Recorded Future customers.
Take action.
Timely and relevant information on vulnerabilities in your environment and that of your vendors and suppliers is critical for reducing risk. Find out how Recorded Future can support your team by increasing visibility, improving efficiency, and enabling confident decisions.
Vulnerability Prioritization – Prioritize vulnerabilities based on the likelihood of exploitation – not just the severity. Easily understand the risk of exploitation alongside severity, and real-time contextualized intelligence to help you quickly make confident decisions, patch what matters, and prevent attacks.
Attack Surface Intelligence – Identify internet-facing assets vulnerable to a specific CVE. Attack Surface Intelligence provides an outside-in view of your organization to help you actively discover, prioritize, and respond to unknown, vulnerable, or misconfigured assets.
Third-Party Risk – Gain an external view of the security posture of your vendors and partners. Eliminate time-consuming research and vendor communication cycles with the ability to promptly assess vulnerabilities in their internet-facing systems.
Insikt Group® – Receive access to exclusive reports on new vulnerabilities and trends from Recorded Future’s team of experts, the Insikt Group®. Download Nuclei templates created by Insikt Group® for select CVEs to test potentially vulnerable instances.
Recorded Future Professional Services – Work with our Professional Services team on a Vulnerability Analysis Engagement. Designed to equip your team with advanced strategies for identifying, prioritizing, and mitigating threats effectively, this program delves into technologies and operations essential for a successful vulnerability management program. (Learn more about how our Professional Services team can help your elevate your team by watching our recent Vulnerability Prioritization Workshop)
About Iniskt Group®
Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for customers, enables tangible outcomes, and prevents business disruption.
Related Resources
Explore expert insights, reports, and tools to strengthen your cybersecurity strategy.