CISA stopped reliably sending KEV alerts.
We didn't.
CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.
KEV Intelligence Brief — July 6, 2026
Issued: Monday, July 6, 2026 | Audience: Federal Contractors, DevOps, Security Operations Coverage: 8 CVEs added to the CISA KEV Catalog between June 23 and July 1, 2026
All eight entries carry BOD 26-04 remediation obligations and CISA Forensics Triage Requirements. As of today, six of the eight patch deadlines have already passed. Organizations that have not yet acted are not simply behind on patching — they are operating outside federal compliance thresholds and almost certainly within active threat actor targeting windows. The two entries still within remediation scope have narrow margins.
Deadline Watch: Network Infrastructure at Systemic Risk
The most operationally concentrated risk this cycle sits on network infrastructure and unified communications platforms, where three separate patch deadlines have lapsed and exploitation is confirmed in the wild.
Ubiquiti UniFi OS carries three simultaneous KEV entries — CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 — all added June 23 with a deadline of June 26. The cluster is significant. CVE-2026-34908 is an improper access control flaw enabling unauthorized system changes by any network-adjacent actor. CVE-2026-34909 is a path traversal vulnerability that allows file access and manipulation sufficient to compromise underlying accounts. CVE-2026-34910 enables command injection through improper input validation. Used in sequence, these three vulnerabilities form a credible lateral movement chain: an attacker with initial network access can traverse the filesystem, obtain credential material, escalate access, and inject commands — all without requiring elevated privileges at entry. UniFi OS deployments are pervasive in enterprise, campus, and government network environments. Organizations should immediately audit internet exposure of UniFi controllers, apply vendor patches, and treat any UniFi OS instance that has been internet-accessible since June 23 as potentially compromised pending forensic triage.
Cisco Unified Communications Manager (CVE-2026-20230, deadline June 28) represents a different but equally serious threat profile. This SSRF vulnerability requires no authentication and allows a remote attacker to write arbitrary files to the underlying OS — a reliable precursor to root-level privilege escalation. Unified CM and Unified CM SME are deeply embedded in federal and enterprise telephony infrastructure, often sitting on trusted internal network segments with relaxed egress controls that SSRF exploits are specifically designed to abuse. Network-level egress filtering on Unified CM hosts is a meaningful interim control while patching is completed, but given the deadline has passed, patching should be treated as an emergency change, not a scheduled maintenance window.
Unauthenticated RCE Across the Enterprise Stack
Two entries this cycle represent the highest-severity class in the catalog: unauthenticated remote code execution against widely deployed enterprise products. Both deadlines are overdue.
PTC Windchill and FlexPLM (CVE-2026-12569, deadline June 28) affects product lifecycle management platforms used heavily in defense industrial base and manufacturing supply chains. The improper input validation flaw allows an unauthenticated remote attacker to execute arbitrary code via a malicious network request — no credentials, no prior access, no social engineering required. For federal contractors with Windchill instances that process controlled unclassified information (CUI) or export-controlled technical data, exploitation of this vulnerability could constitute a reportable incident under federal acquisition regulations. Organizations should immediately restrict network access to Windchill and FlexPLM interfaces, apply vendor patches, and review access logs from June 25 onward for anomalous unauthenticated requests. If patching is not immediately feasible, consider taking internet-facing instances offline until remediation is complete.
Lantronix EDS5000 (CVE-2025-67038, deadline June 26) introduces risk at the operational technology boundary. This code injection vulnerability allows OS command injection through the username parameter, with injected commands executing at root. EDS5000 devices serve as serial-to-Ethernet device servers, commonly bridging legacy OT equipment to IP networks. Root-level command injection on a device in this position enables persistence, pivoting into adjacent OT or IT network segments, and potential disruption of connected serial devices. If patches are unavailable or the device is end-of-life, network isolation and discontinuation of internet exposure are the required response under BOD 26-04.
Authentication Failure and Collaboration Platform RCE: Act Now
Two entries carry the most recent addition dates and together represent active threat surfaces across collaboration and remote support tooling.
SimpleHelp (CVE-2026-48558, deadline July 2) presents a critical authentication bypass in its OIDC flow. Because submitted identity tokens are accepted without signature verification, a remote unauthenticated attacker can forge arbitrary identity claims and obtain a fully authenticated technician session — and in some configurations, bypass MFA entirely. SimpleHelp is a managed service provider staple, meaning a single compromised instance can cascade into downstream customer environments. This is an MSP supply-chain risk, not just a point vulnerability. Organizations should immediately verify their SimpleHelp version, apply the patch, rotate all technician credentials and API tokens, review session logs for anomalous logins since June 29, and treat any authenticated session established against an unpatched instance as suspect.
Microsoft SharePoint Server (CVE-2026-45659, deadline July 4) carries a deserialization of untrusted data vulnerability enabling network-based code execution by an authorized attacker. While authentication is required, the barrier is low in environments where broad internal access to SharePoint is standard practice. The July 4 deadline — a U.S. federal holiday — created a de facto remediation gap for many organizations. As of today, that deadline is two days past. Apply Microsoft's patch immediately, review SharePoint access logs for unusual deserialization activity, and consider restricting SharePoint to known-good network segments while remediation is confirmed.
Summary Remediation Priorities
| Priority | CVE(s) | Deadline Status | |---|---|---| | Critical — Patch + Forensics Now | CVE-2026-12569, CVE-2025-67038, CVE-2026-48558 | Overdue | | High — Emergency Change | CVE-2026-20230, CVE-2026-34908/09/10 | Overdue | | High — Immediate Patch | CVE-2026-45659 | Overdue (July 4) |
All organizations subject to BOD 26-04 should document remediation actions and retain forensic triage evidence per CISA guidance.
Sources: CISA KEV Catalog · CISA BOD 26-04 · Microsoft Security Update Guide · Cisco Security Advisory: Unified CM SSRF · PTC Security Advisory: Windchill · SimpleHelp Security Releases · Ubiquiti Security Advisory: UniFi OS · Lantronix Product Security
Free KEV Alerts
- Real-time notification the moment a KEV drops
- Vendor and product details
- BOD 26-04 remediation deadline included
Pro Alerts Coming Soon
- Real-time notification the moment a KEV drops
- Filtered to your specific vendor watchlist
- Urgency scoring (Critical / Urgent / Standard)
- Direct patch links included
Stay ahead of CISA.
Common Vulnerability and Exposure
CVEs form a database of known security vulnerabilities that are actively tracked and managed by a group of organizations, such as the U.S. National Cyber Security Alliance. CVEs are an important tool for network security management because they not only provide an inventory of existing vulnerabilities, but also provide information about how the vulnerability can be exploited and instructions on how to protect against it.
Search the KEV Catalog by Vendor or Product
Search for CVEs by vendor or product to identify known exploited vulnerabilities in your environment
Upcoming Patch Due Dates
via Binding Operational Directive 26-04
BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.
Loading...
Cyber Security News
You may have missed...
*
Inside a cyberattack: How hackers steal data
The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...
Bad Epoll Linux Kernel Vulnerability Allows Unprivileged Users to Gain Root Access
A new critical Linux kernel flaw called Bad Epoll (CVE-2026-46242) enables unprivileged users to escalate privileges to root on Linux and Android syst...
How ethical hackers with just a $3000 server found a flaw that could've put $70 billion in crypto at risk
Hacker facing screens with lines of code (Boitumelo/Unsplash) (Boitumelo/Unsplash). Summary. Show. Ethical hackers from security firm Hexens ...
North Korean Hackers Publish 108 Malicious Packages and Extensions in PolinRider Campaign
#1 Trusted Cybersecurity News Platform. Followed by 5.70+ million · The Hacker News Logo... Get the Latest News. Home; Newsletter ...
Greek Politician Investigating Spyware Had Mobile Phone Hacked - Yahoo Finance
(Bloomberg) -- The mobile phone of a Greek politician was repeatedly hacked by spyware while he was working on a European Parliament investigation ...
New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android
Chung's exploit widens that window and retries without crashing, reaching root about 99% of the time on tested systems. Cybersecurity. Two things make...
New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android
Chung's exploit widens that window and retries without crashing, reaching root about 99% of the time on tested systems. Cybersecurity. Two things make...
Nightmare-Eclipse: Individual Threat Actor Releasing Windows Zero-Day Exploits in Retaliatory Campaign Against Microsoft
A malicious actor has released six Windows zero-day exploits since early April 2026 in an escalating retaliatory campaign against Microsoft, with the ...
Researcher Drops Giant Cache of Zero-Day Exploits for 15 Major Open-Source Projects
An anonymous researcher using the pseudonym Bikini published proof-of-concept exploits for more than a dozen zero-day vulnerabilities affecting popula...
Updated daily
