This month: 1 KEV detected

CISA stopped reliably sending KEV alerts.
We didn't.

CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.

  • CVE-2026-45659 · Microsoft · SharePoint Server · Microsoft SharePoint Server Deserialization of Untrusted Data Vulnerability · Detected Jul 1 · 3-day patch deadline
  • CVE-2026-48558 · SimpleHelp · SimpleHelp · SimpleHelp Authentication Bypass Vulnerability · Detected Jun 29 · 3-day patch deadline
  • CVE-2026-12569 · PTC · Windchill and FlexPLM · PTC Windchill and FlexPLM Improper Input Validation Vulnerability · Detected Jun 25 · 3-day patch deadline

KEV Intelligence Brief — July 1, 2026

Issued: Wednesday, July 1, 2026
Audience: Federal Contractors · DevOps & Platform Teams · Security Operations Leaders
Scope: 8 CVEs added to CISA's KEV Catalog between June 23 and July 1, 2026

Critical Notice: Multiple Deadlines Already Overdue

Before any thematic analysis: four patch deadlines in this batch have already passed, and one expires tomorrow, July 2. Teams operating under BOD 26-04 obligations are not in a grace period — they are in violation. CISA's BOD 26-04 "Forensics Triage Requirements" attach to these entries, meaning affected organizations must be prepared to demonstrate not only that patches were applied, but that affected systems were evaluated for prior compromise before remediation.

The following deadlines have already lapsed:

  • CVE-2025-67038 (Lantronix EDS5000) — deadline June 26
  • CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 (Ubiquiti UniFi OS) — deadline June 26
  • CVE-2026-12569 (PTC Windchill/FlexPLM) — deadline June 28
  • CVE-2026-20230 (Cisco Unified CM) — deadline June 28

CVE-2026-48558 (SimpleHelp) expires July 2. CVE-2026-45659 (Microsoft SharePoint) expires July 4 — an unusually tight three-day window for an enterprise platform, likely reflecting active, high-tempo exploitation in the wild.
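The deadline bookkeeping this notice describes can be automated against the catalog's published JSON feed. The block below is an added example written for this brief, not CyberComply's code: it loads a constructed snapshot in the feed's schema (the cveID, vendorProject, product, dateAdded and dueDate fields the public feed carries), reports entries that are new since a previous poll, and buckets each entry by its deadline relative to a reference date. Only entries whose added and due dates the brief states are included, and the reference date is the brief's July 1 issue date; nothing here is live catalog data.

```python
import json
from datetime import date

# Constructed snapshot in the shape of CISA's KEV JSON feed ("vulnerabilities" array;
# field names follow the published feed). Dates are those stated in the brief, so the
# entries whose dateAdded the brief does not give (Lantronix, Cisco UCM) are omitted.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "UniFi OS",
         "dateAdded": "2026-06-23", "dueDate": "2026-06-26"},
        {"cveID": "CVE-2026-34909", "vendorProject": "Ubiquiti", "product": "UniFi OS",
         "dateAdded": "2026-06-23", "dueDate": "2026-06-26"},
        {"cveID": "CVE-2026-34910", "vendorProject": "Ubiquiti", "product": "UniFi OS",
         "dateAdded": "2026-06-23", "dueDate": "2026-06-26"},
        {"cveID": "CVE-2026-12569", "vendorProject": "PTC", "product": "Windchill and FlexPLM",
         "dateAdded": "2026-06-25", "dueDate": "2026-06-28"},
        {"cveID": "CVE-2026-48558", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
         "dateAdded": "2026-06-29", "dueDate": "2026-07-02"},
        {"cveID": "CVE-2026-45659", "vendorProject": "Microsoft", "product": "SharePoint Server",
         "dateAdded": "2026-07-01", "dueDate": "2026-07-04"},
    ],
})


def as_date(value):
    """Accept either a date or an ISO-8601 string (the feed stores strings)."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def load_entries(raw_json):
    """Return the vulnerabilities array from a KEV feed document."""
    return json.loads(raw_json)["vulnerabilities"]


def new_entries(raw_json, seen_ids):
    """Entries whose cveID was absent from the previous poll: the 'new KEV dropped' signal."""
    return [e for e in load_entries(raw_json) if e["cveID"] not in seen_ids]


def remediation_window_days(entry):
    """Days between catalog addition and the remediation deadline."""
    return (as_date(entry["dueDate"]) - as_date(entry["dateAdded"])).days


def classify(entry, today):
    """overdue: deadline passed; imminent: due today or tomorrow; open: more time remains."""
    days_left = (as_date(entry["dueDate"]) - as_date(today)).days
    if days_left < 0:
        return "overdue"
    if days_left <= 1:
        return "imminent"
    return "open"


def triage(raw_json, today):
    """Bucket every catalog entry by deadline status, earliest deadline first."""
    buckets = {"overdue": [], "imminent": [], "open": []}
    for entry in sorted(load_entries(raw_json), key=lambda e: e["dueDate"]):
        buckets[classify(entry, today)].append(entry["cveID"])
    return buckets


def report(raw_json, today):
    """Human-readable line per entry, suitable for an alert body."""
    lines = []
    for entry in sorted(load_entries(raw_json), key=lambda e: e["dueDate"]):
        lines.append(f"{classify(entry, today):8}  {entry['cveID']}  "
                     f"{entry['vendorProject']} {entry['product']}  "
                     f"added {entry['dateAdded']}  due {entry['dueDate']}  "
                     f"({remediation_window_days(entry)}-day window)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_KEV_JSON, "2026-07-01"))
```

In use, `seen_ids` is the set of cveIDs persisted from the last poll; anything `new_entries` returns is what triggers an alert, and `triage` run daily is what turns the deadline into a countdown rather than a surprise.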

Network Infrastructure and Operational Technology Under Active Attack

Three Ubiquiti UniFi OS entries (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) appearing simultaneously on June 23 signal coordinated discovery or a single threat actor chain-exploiting the same platform. The trio is worth treating as a composite attack surface rather than three isolated bugs. CVE-2026-34908 is an improper access control flaw enabling unauthorized system changes; CVE-2026-34909 is a path traversal that exposes underlying filesystem objects, likely enabling credential harvesting; and CVE-2026-34910 is a command injection via improper input validation. In combination, a network-adjacent attacker could traverse from access to persistence to full command execution in a single engagement.

UniFi OS underpins network switching, routing, and wireless infrastructure across enterprise and government deployments. Compromise here is infrastructure-layer compromise — not an application breach. Teams should treat any UniFi OS device as laterally pivotable and audit for unauthorized configuration changes and unexpected account creation going back at least 30 days. Network segmentation enforcement and out-of-band management access should be validated immediately.

Equally urgent for OT-adjacent environments: CVE-2025-67038 in the Lantronix EDS5000 serial device server allows unauthenticated OS command injection through the username parameter, with injected commands executing at root. EDS5000 devices commonly bridge legacy serial-connected industrial equipment to IP networks — precisely the kind of asset that sits at the OT/IT boundary, is rarely patched, and often exposes a management interface to broader network segments. Root-level code injection on a device with physical serial access to downstream equipment represents a direct path toward industrial process interference. Organizations using EDS5000 in any SCADA-adjacent role should isolate these devices immediately if the patch cannot be applied and audit all connected downstream serial endpoints.

Enterprise Platforms and Authentication Failures: The High-Consequence Cluster

The remaining four entries target enterprise-scale platforms where exploitation yields immediate, high-value access — and in two cases, requires no authentication at all.

CVE-2026-45659, added today with a July 4 deadline, affects Microsoft SharePoint Server and enables authenticated remote code execution via deserialization of untrusted data. "Authenticated" does not mean low-risk here — SharePoint environments routinely have broad internal user populations, and any compromised account becomes a code execution vehicle. Deserialization vulnerabilities in SharePoint have historically been weaponized by both ransomware operators and nation-state actors; the three-day deadline reflects CISA's assessment of active exploitation urgency. Patch immediately, audit SharePoint application logs for anomalous deserialization events, and enforce least-privilege across service accounts. For internet-facing SharePoint instances, consider temporarily restricting external access until patching is confirmed.

CVE-2026-48558 in SimpleHelp — with a deadline of tomorrow, July 2 — is arguably the most tactically dangerous entry in this batch. The vulnerability allows a completely unauthenticated attacker to forge OIDC identity tokens and obtain a fully authenticated technician session, potentially bypassing MFA entirely. SimpleHelp is a remote access and support tool; a compromised technician session grants the same access level used for legitimate remote administration. This is textbook initial access infrastructure. Organizations using SimpleHelp with OIDC authentication enabled should treat all existing technician sessions as potentially compromised, rotate credentials, revoke active sessions, and review connection logs for unauthorized remote access activity dating back to the vulnerability's disclosure window.
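The bypass described for this entry is an identity-token forgery; the defender's counterpart is a relying-party verifier that never acts on a token it has not fully validated. The block below is an added, generic example of such a verifier, not SimpleHelp's code and not a description of its flaw: it pins the expected signing algorithm instead of trusting the token's own alg header, checks the signature in constant time, and only then checks issuer, audience, subject and expiry. It uses HS256 with a shared client secret so it runs stand-alone on the standard library; provider-issued OIDC ID tokens are more commonly RS256 and would be checked against the provider's published JWKS instead. The secret, issuer, client identifier, subject and timestamps are constructed.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed values for the demonstration; none belong to a real deployment.
SECRET = b"constructed-demo-client-secret"
ISSUER = "https://idp.example.test"      # hypothetical identity provider
CLIENT_ID = "remote-support-console"     # hypothetical relying party (client_id)
NOW = 1_800_000_000                      # fixed epoch seconds so results are reproducible


class TokenRejected(Exception):
    """Raised with the reason a token failed validation."""


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    # JWT segments drop padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj):
    """Compact JSON, base64url-encoded, as a JWT header or payload segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256_token(claims, secret):
    """Issue a signed token the way the identity provider would (test fixture only)."""
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def good_claims(now=NOW):
    """Claims a legitimate technician login would carry (constructed)."""
    return {"iss": ISSUER, "aud": CLIENT_ID, "sub": "tech-4711",
            "iat": now - 10, "exp": now + 300}


def verify_id_token(token, secret, expected_issuer, client_id, now=None):
    """Return the claims only if every check passes; raise TokenRejected otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        raise TokenRejected("undecodable header or signature")
    # Pin the algorithm: the token's own "alg" is untrusted input and must never be
    # allowed to select "none" or a scheme other than the one the relying party configured.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenRejected("signature mismatch")
    # Only after the signature is proven do the claims mean anything.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, binascii.Error):
        raise TokenRejected("undecodable payload")
    if claims.get("iss") != expected_issuer:
        raise TokenRejected("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else (aud or [])
    if client_id not in audiences:
        raise TokenRejected("audience mismatch")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise TokenRejected("missing subject")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise TokenRejected("expired or missing exp")
    return claims


def is_valid(token, now=NOW):
    """Boolean wrapper for the configured relying party."""
    try:
        verify_id_token(token, SECRET, ISSUER, CLIENT_ID, now=now)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    print("legitimate token accepted:", is_valid(mint_hs256_token(good_claims(), SECRET)))
```

A verifier built this way is one half of the response; the other half is the session revocation and credential rotation the brief calls for, because a token that was accepted before the fix still maps to a live technician session until that session is invalidated server-side.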

CVE-2026-12569 affects PTC Windchill and FlexPLM — product lifecycle management platforms widely used in defense manufacturing and regulated industries. Unauthenticated remote code execution via improper input validation on a system storing engineering design data and supply chain metadata carries significant counterintelligence implications beyond the immediate operational risk. The June 28 deadline has passed; if your organization has not yet patched, assume potential compromise and initiate forensic triage per BOD 26-04 requirements before patching, to preserve evidence integrity.

CVE-2026-20230 in Cisco Unified Communications Manager rounds out the enterprise cluster. An unauthenticated SSRF allows arbitrary file writes to the underlying OS, which can be staged for subsequent root escalation. Cisco UCM handles call routing, conferencing, and voicemail across large enterprise deployments — compromise here affects both operational continuity and potentially recorded communications depending on deployment configuration. The June 28 deadline has passed. Apply Cisco's advisory guidance, audit for unexpected files in OS-writable paths, and evaluate whether UCM management interfaces are network-segmented from general user traffic.

Sources: CISA KEV Catalog · CISA BOD 26-04 · Microsoft Security Response Center · Cisco Security Advisories · PTC Security Advisories · SimpleHelp Security Updates · Ubiquiti Security Advisories · Lantronix Product Security

Free KEV Alerts

  • Real-time notification the moment a KEV drops
  • Vendor and product details
  • BOD 26-04 remediation deadline included

Pro Alerts Coming Soon

  • Real-time notification the moment a KEV drops
  • Filtered to your specific vendor watchlist
  • Urgency scoring (Critical / Urgent / Standard)
  • Direct patch links included

Stay ahead of CISA.

No spam. Unsubscribe anytime. We don't sell your data.


Upcoming Patch Due Dates

via Binding Operational Directive 26-04

BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.



Cyber Security News

You may have missed...


https://betanews.com · Mar 5

Inside a cyberattack: How hackers steal data

The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...

https://thehackernews.com · Jul 1

282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study

Embed it in the app, and it is exposed with every request the app makes. Cybersecurity. All 282 fell into one of three groups: Plaintext keys (54 apps...

https://www.helpnetsecurity.com · Jun 5

Cisco Catalyst SD-WAN Manager Zero-Day Privilege Escalation Being Exploited (CVE-2026-20245)

An unpatched zero-day privilege escalation vulnerability in Cisco Catalyst SD-WAN Manager is being actively exploited by attackers in the wild.

https://thehackernews.com · Jun 29

Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw

It never enforced an upper bound. Cybersecurity. The size calculation adds packet_length to a couple of small values using 32-bit arithmetic, so a ...

https://www.justice.gov · Jun 27

Former U.S. National Security Advisor John R. Bolton, II Pleads Guilty to Violating the Espionage Act

... hacked by a cyber actor allegedly linked to the Islamic Republic of Iran. ... Bolton reported that hack to law enforcement but did not tell the .....

https://thehill.com · Jun 27

Secret Service didn't secure mobile devices, putting leaders at risk, report says - The Hill

Secret Service agents' reliance on personal devices for official business exposes them to hacking risks, says government watchdog report.

https://www.bankinfosecurity.com · Jun 27

A Hack Too Far? Report Ties Russia to Jaguar Land Rover Hit - BankInfoSecurity

Suggestions that the Kremlin orchestrated the disruptive hack attack against British automotive giant Jaguar Land Rover raise the question of how ...

https://www.nytimes.com · Jun 26

A $2.5 Billion Whodunit: The Hack That Dented the U.K. Economy - The New York Times

Last year, hackers burrowed into the computer systems of Jaguar Land Rover, a crown jewel of British manufacturing. It was a devastating attack ...

https://abcnews.com · Jun 26

Iranian national sought by US on hacking charges arrested in Montenegro - ABC News

Montenegrin police say they have arrested an Iranian national who is wanted by the United States for mass hacking attacks that caused damage of ...
