KEV Intelligence Brief — June 11, 2026

Prepared for: Federal Contractors · DevOps & Platform Teams · Security Operations Leaders Reporting Period: June 3–11, 2026 | CVEs Covered: 8

Deadline Watch: Three Overdue or Expiring Today — Act Now

The most urgent cluster in this cycle demands immediate attention, with two patch deadlines already passed and one expiring today.

CVE-2026-50751 (Check Point Security Gateway) carries a deadline of June 11 — today. This is not a theoretical risk: the vulnerability resides in IKEv1 key exchange handling, allowing an unauthenticated remote attacker to bypass authentication entirely and establish a VPN tunnel without valid credentials. For organizations relying on Check Point gateways as their network perimeter, this is a complete perimeter bypass. If you have not patched, your VPN is functionally open to anyone aware of this flaw. Beyond patching, rotate all VPN user credentials and service account tokens post-remediation, audit IKEv1 session logs for anomalous tunnel establishments going back at least 72 hours, and consider temporarily disabling IKEv1 in favor of IKEv2 if your environment supports it.

CVE-2026-28318 (SolarWinds Serv-U) had a June 19 deadline but was added June 5 — federal contractors operating Serv-U file-transfer infrastructure have had two weeks and should be remediated. The vulnerability allows unauthenticated denial-of-service via a crafted Content-Encoding: deflate POST request. While not RCE, crashing a managed file-transfer service is a meaningful operational disruption and can mask concurrent intrusion activity. Teams that depended on Serv-U for compliance data transfer pipelines should verify service integrity and confirm no exploitation window was leveraged.

CVE-2010-0249 (Microsoft Internet Explorer) was added to the KEV catalog June 3 with a same-day deadline. This 16-year-old use-after-free vulnerability enabling remote code execution serves as a stark operational signal: if any asset in your environment is still running Internet Explorer, it is almost certainly end-of-life, unmanaged, or part of a legacy OT/ICS support chain. CISA's guidance is unambiguous — discontinue use. Conduct an asset inventory sweep; IE instances in federal contractor environments may represent BOD 22-01 compliance failures that predate the current administration.

Network Infrastructure and Perimeter Devices Under Active Exploitation

The mid-cycle additions reveal sustained adversary focus on network control plane and SD-WAN infrastructure — exactly the layer threat actors target to achieve persistent, lateral movement-enabling footholds.

CVE-2026-10520 (Ivanti Sentry) is the most severe entry in this brief. Added today with a three-day patch deadline of June 14 under BOD 26-04, this OS command injection vulnerability allows unauthenticated remote attackers to achieve root-level RCE on Sentry appliances. Ivanti Sentry acts as a gateway for mobile device management traffic — compromise here exposes device configurations, credentials, and mobile policy enforcement infrastructure. The three-day federal deadline reflects CISA's assessment of active exploitation and high organizational impact. BOD 26-04's Forensics Triage Requirements apply: before patching, preserve logs and volatile memory artifacts if operationally feasible. Internet-exposed Sentry instances should be isolated from internal management planes immediately. This product has a well-documented exploitation history; treat any Sentry appliance that has been internet-facing as potentially compromised until forensic triage clears it.

CVE-2026-20245 (Cisco Catalyst SD-WAN Manager) introduces an authenticated local privilege escalation path to root via crafted file injection. While the authenticated requirement raises the bar slightly, in SD-WAN environments the attack surface is broader than it appears — any operator-level account, including those provisioned for managed service providers or third-party vendors, becomes a viable escalation vector. Remediate and audit all non-essential local accounts on vManage/SD-WAN Manager nodes. Pair patching with a review of role-based access assignments.

CVE-2026-7473 (Arista EOS) represents a more nuanced but equally serious concern for data center and campus switching fabrics. The incomplete comparison logic causes EOS switches to incorrectly decapsulate and forward tunneled packets destined for configured decapsulation IPs. In practice, this can be weaponized for traffic interception or unauthorized network path injection in environments using VXLAN or GRE encapsulation. Operators should audit tunnel interface configurations and apply vendor-recommended ACLs as an interim control while patch deployment proceeds ahead of the June 23 deadline.

AI Infrastructure and Browser Attack Surface: Emerging and Persistent Risk

Two entries in this cycle highlight expanding attack surfaces that security programs have not uniformly matured to address.

CVE-2026-42271 (BerriAI LiteLLM) is a command injection flaw that grants any authenticated user — including low-privilege internal-user key holders — the ability to execute arbitrary OS commands on the LiteLLM host. As organizations rapidly deploy LLM proxy infrastructure to manage multi-model AI workloads, LiteLLM has become a common internal service, often standing up quickly without the same security scrutiny applied to production APIs. The June 22 deadline should be treated as an organizational forcing function: inventory all LiteLLM deployments, restrict API key issuance to least-privilege roles, and evaluate whether host-level isolation (containers with restricted syscall profiles) is in place. This class of vulnerability in AI middleware is a preview of a broader problem as the sector matures.

CVE-2026-11645 (Google Chromium V8) is an out-of-bounds read/write vulnerability enabling sandbox-escaping arbitrary code execution via a crafted HTML page, affecting Chrome, Edge, Opera, and any other Chromium-derived browser. The June 23 deadline is a ceiling, not a target — browser updates should be pushed immediately given the trivial delivery mechanism. Enforce browser auto-update policies via MDM/GPO, and prioritize patch verification for privileged workstations, developer endpoints, and CI/CD pipeline machines where browser-based tooling is common.

Aggregate Posture Note: Four of these eight vulnerabilities allow unauthenticated exploitation. Three involve root or arbitrary code execution. Federal contractors operating under BOD 22-01 and BOD 26-04 must treat all applicable deadlines as hard compliance requirements, not guidelines.

Sources: CISA KEV Catalog · CISA BOD 22-01 · CISA BOD 26-04 · Ivanti Security Advisory — Sentry · Cisco Security Advisory — SD-WAN Manager · Check Point Security Advisory · Google Chrome Releases · Arista EOS Security Advisory · SolarWinds Security Advisory — Serv-U