June 2026 CVEs: 57 Actively Exploited, Patch Exposed Assets First

June’s actionable signal is not merely 60 prioritized CVEs, but 57 listed by Recorded Future’s Insikt Group as actively exploited, 53 with public proof-of-concept exploits, and exploitation occurring in less than a day—so teams must prioritize exposed affected assets and compromise assessment over severity-only patch queues.
In June 2026, Recorded Future’s Insikt Group identified 60 high-impact vulnerabilities across 36 vendors for priority remediation. According to the group’s June 2026 CVE Landscape report, 30 received a Very Critical Recorded Future Risk Score, 23 overlapped with the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, and 53 had public proof-of-concept exploits.
The report’s quick-reference table excludes three honeypot-associated CVEs and lists the remaining 57 vulnerabilities as actively exploited during June. That distinction must remain explicit: the report prioritized 60 vulnerabilities in total, while its active-exploitation quick-reference table covered 57.
The more important story is not volume alone. Recorded Future reported that the fastest move from public disclosure to observed exploitation took less than one day. At that speed, a weekly review meeting cannot be the first point at which an organization determines whether an affected product is publicly reachable.

Cybersecurity analysts monitor a vulnerability surge dashboard in a dark operations center.What Windows and Infrastructure Teams Should Do This Week​

The following is WindowsForum’s recommended response sequence for the June findings:
  1. Inventory internet-facing systems first. Identify every externally reachable deployment of Microsoft Exchange, Microsoft SharePoint, Fortinet FortiClient EMS, Check Point gateways and Spark firewalls, Fortinet products, F5 BIG-IP, Cisco infrastructure, DD-WRT firmware, and relevant application servers or frameworks. Include cloud-hosted instances, branch-office equipment, inherited environments, disaster-recovery systems, and interfaces exposed through reverse proxies or port-forwarding rules.
  2. Identify affected versions. Match installed versions and configurations against the applicable vendor advisories. Do not rely only on endpoint-management records; verify appliances, application servers, firmware, virtual-machine templates, and systems managed outside the primary Windows administration stack.
  3. Patch or apply vendor mitigations. Prioritize systems that are both affected and externally reachable, followed by affected internal systems that occupy privileged, identity-adjacent, management, backup, or security-control roles.
  4. Remove public exposure where patching is delayed. Disable unnecessary services, restrict administrative interfaces to approved management networks, require access through a controlled VPN or equivalent access layer, apply vendor-provided mitigations, and use allowlists where practical. An accepted patch exception should not automatically mean accepted internet exposure.
  5. Hunt for post-exploitation indicators. For systems that were reachable while vulnerable, investigate for suspicious child processes, newly created accounts, unexpected scheduled tasks or services, altered startup mechanisms, web shells, unusual outbound connections, credential access, configuration changes, and lateral movement. Use the malware and campaign associations reported by Insikt Group as investigative context rather than assuming that installing an update ends the incident.
  6. Verify remediation. Use authenticated scanning or direct configuration checks to confirm the installed version and mitigation state. Require the named asset owner to sign off that the system was patched, isolated, removed, or otherwise remediated. A closed ticket without authenticated verification and ownership confirmation is not sufficient evidence that exposure ended.
This sequence is an operational recommendation from WindowsForum, not a finding attributed to Recorded Future. Its purpose is to convert the report’s threat signals into a response that infrastructure, Windows, network, application, and security teams can execute immediately.

June’s Numbers Describe a Queue That Has Already Failed​

Insikt Group’s June 2026 report is selective. It is not a count of every vulnerability disclosed during the month, but a list of 60 high-impact issues that Recorded Future believes defenders should prioritize based on exploitation evidence, risk scoring, public exploit availability, campaign activity, or other threat signals.
That distinction matters because vulnerability totals are easy to sensationalize and difficult to operationalize. A security team does not need another enormous feed of nominally important CVEs; it needs a defensible way to decide which exposed system should be patched, isolated, investigated, or retired first. Insikt Group’s report attempts to create such a queue, although even the filtered June set is substantial.
Recorded Future attributed a Very Critical risk score to 30 of the 60 vulnerabilities. It also identified 23 that overlapped with CISA’s Known Exploited Vulnerabilities catalog, 34 associated with vendor reporting, and three surfaced primarily through honeypot data.
The quick-reference table excludes those three honeypot-associated CVEs and lists the other 57 as actively exploited in June. The supported formulation is therefore precise: 57 vulnerabilities are listed as actively exploited in the quick-reference table; three honeypot-associated vulnerabilities are part of the 60-item priority set but excluded from that table. The 60 and 57 figures are related, but they are not interchangeable.
Risk or evidence signalCountScopeOperational meaning
High-impact vulnerabilities6036 vendorsRecorded Future’s complete June priority set
Very Critical risk score30Half of the priority setHighest-scored remediation candidates
CISA KEV overlap23Within the 60-item setAdditional evidence that exploitation has been documented
Vendor-reported vulnerabilities34Multiple product classesVersion and mitigation checks should begin with vendor advisories
Public proof-of-concept identified53Within the 60-item setPublic technical material may reduce the work required to develop exploits
Remote-code-execution vulnerabilities2518 vendorsSuccessful exploitation may permit attacker-controlled code execution
Listed as actively exploited57Quick-reference tableThe table’s active-exploitation set
Honeypot-associated vulnerabilities3Excluded from the quick-reference tableEvidence was surfaced primarily through observed probing or attacks
Recorded Future reported that the June total was 49 percent higher than May’s. That increase should not be treated as proof that software became 49 percent less secure in one month. The report’s selected total can be affected by disclosure timing, exploitation activity, vendor reporting, and the vulnerabilities that met Insikt Group’s prioritization criteria.
For defenders, the operational consequence is straightforward: the filtered queue grew, most of it was listed as actively exploited, and public proof-of-concept material existed for nearly the entire set.

Exploitation, Not Severity, Is the Center of Gravity​

The most consequential figure in the report is 57: the number of vulnerabilities in the quick-reference table that Recorded Future listed as actively exploited during June. These should not be treated as 57 independent observations from 57 separate investigations. They are 57 entries attributed by Recorded Future to active exploitation in its quick-reference table, while the three honeypot-associated CVEs were handled separately.
That changes the correct order of questions. Instead of beginning with “How severe is this vulnerability in the abstract?”, defenders should begin with “Do we run the affected product, is the affected deployment reachable, and was it exposed during the relevant period?” Severity still matters, but it should not be the only sorting mechanism for the patch queue.
The 23-vulnerability overlap with CISA’s KEV catalog adds another prioritization signal. It does not cover the whole June set, however. A workflow limited to KEV entries would omit vulnerabilities that Recorded Future prioritized through other evidence, including vendor reporting, campaign intelligence, and honeypot activity.
WindowsForum recommends an additive prioritization model:
  • Confirmed or reported exploitation raises urgency.
  • Internet reachability raises opportunity.
  • Public proof-of-concept availability may reduce attacker development time.
  • Remote code execution raises the potential impact.
  • Privileged placement increases the possible blast radius.
  • High-value data, identity access, or management authority increases business risk.
  • Exposure during a known vulnerable period creates a need for compromise assessment.
No single severity score captures that chain. The value of the June report is therefore not that it replaces scanner results, but that it gives defenders threat context with which to reorder them.

Externally Reachable Enterprise Systems Connect the Campaign Activity​

Recorded Future’s StrikeShark reporting provides a concrete example of attackers exploiting vulnerabilities across multiple externally reachable enterprise applications and appliances. According to an Insikt Group TTP Instance, StrikeShark exploited vulnerabilities affecting React Server Components, Microsoft Exchange, Hikvision firmware, Fortinet FortiOS, Cisco IOS XE Web UI, Apache Shiro, Microsoft SharePoint, Zimbra, Openfire, F5 BIG-IP, and GeoServer. Recorded Future associated successful exploitation with the deployment of SharkLoader, which then delivered Cobalt Strike.
The product list does not describe one software ecosystem. It spans email, collaboration, remote administration, web applications, network control planes, firmware, communications platforms, geospatial software, and security infrastructure.
The StrikeShark CVE set reported by Insikt Group includes CVE-2016-4437 in Apache Shiro; CVE-2021-26855 and CVE-2022-41082 in Microsoft Exchange; CVE-2021-36260 in Hikvision firmware; CVE-2021-27076 in Microsoft SharePoint; CVE-2022-40684 and CVE-2024-21762 in Fortinet FortiOS; CVE-2022-27925 in Zimbra; CVE-2023-20198 in Cisco IOS XE Web UI; CVE-2023-32315 in Openfire; CVE-2023-46747 in F5 BIG-IP; CVE-2024-36401 in GeoServer; and CVE-2025-55182 in React Server Components.
WindowsForum’s operational inference is that reachability can matter more than vendor alignment. An attacker does not need the entire environment to use one operating system. A Linux-hosted application, network appliance, management console, firmware-based device, or public web service can provide the initial path into an organization whose endpoints and identity infrastructure are predominantly Windows-based.
This is why a Microsoft-only remediation meeting is inadequate. Exchange and SharePoint may be the systems most familiar to Windows administrators, but the June campaign activity reported by Insikt Group crosses administrative ownership boundaries. Inventory, escalation, and verification must therefore cross those boundaries as well.

Microsoft Represents a Significant Share, Not the Whole Attack Surface​

Recorded Future’s selected June data indicates that Microsoft accounted for approximately 18 percent of the 60 high-impact vulnerabilities. That share justifies urgent attention from Windows administrators, but the supplied figure does not establish that Microsoft represented the largest vendor concentration.
It also means that approximately 82 percent of the selected vulnerabilities affected other vendors. A well-managed Windows Update process is therefore only one component of the required response.
Microsoft-centric environments often have their best inventory and update data for domain-joined Windows clients and servers. Visibility may be weaker for third-party application servers, security appliances, network infrastructure, firmware, plugins, unsupported systems, cloud-hosted workloads, and products maintained directly by business units or service providers.
Recorded Future attributed exploitation of CVE-2026-21509, affecting Microsoft 365 Apps for Enterprise and Office 2016, and CVE-2026-21513, affecting Windows client and server versions, to APT36 activity targeting India. Insikt Group linked that activity to backdoor deployment and SHEETCREEP.
Those two vulnerabilities demonstrate that “Microsoft exposure” is not one remediation problem. A vulnerability affecting productivity applications may involve application versions, update channels, user interaction, file-handling controls, and email defenses. A vulnerability affecting Windows client and server versions may require different testing rings, maintenance windows, restart policies, and investigation procedures.
Administrators consequently need more than evidence that an update was approved for deployment. They need evidence that affected versions no longer remain on in-scope systems, including devices outside the primary endpoint-management platform, machines held back from standard deployment rings, servers awaiting maintenance, disconnected devices, virtual-machine templates, and recovery images.

Remote Code Execution Creates a Shared Blast Radius​

According to Insikt Group, 25 of the 60 high-impact vulnerabilities enabled remote code execution and affected products from 18 vendors: Meta, WinRAR, Ivanti, Google, PTC, Cisco, Ubiquiti, Fortinet, Microsoft, BerriAI, Android, WPEverest, Veeam, Mirasvit, Apache, Hikvision, F5, and GeoServer.
Remote code execution does not automatically mean unauthenticated compromise from the public internet. Preconditions, configuration, privileges, network location, and exploit reliability still matter. The classification does, however, raise the possible impact because successful exploitation may allow an attacker to execute code in the context of the vulnerable process.
Recorded Future’s StrikeShark reporting shows how that technical capability can become an intrusion chain: exploitation of public-facing applications was associated with SharkLoader deployment, followed by delivery of Cobalt Strike. The vulnerability provided entry; the subsequent tooling extended attacker control.
WindowsForum recommends treating remediation and compromise assessment as parallel activities whenever an affected RCE-capable system was reachable during its vulnerable period. Installing the patch can close the known entry point, but it does not by itself remove malicious files, revoke stolen credentials, identify persistence, or explain suspicious outbound traffic.
Security products require the same treatment as other exposed software. Recorded Future associated FortiClient EMS exploitation with EKZ information-stealing malware and linked CVE-2026-50751, affecting Check Point Security Gateway and Spark Firewalls, with Qilin ransomware. These systems may occupy trusted or privileged network positions, so suspected exploitation should be handled as an infrastructure incident rather than as a routine failed patch.

Public Exploits Have Compressed the Defender’s Calendar​

Insikt Group identified public proof-of-concept exploits for 53 of the 60 prioritized vulnerabilities. Recorded Future also reported that the shortest observed interval from public disclosure to exploitation was less than one day.
Those findings do not establish that every public proof of concept was reliable or that all affected systems could be compromised in the same way. They do establish that public technical material was available for most of the selected set and that defenders cannot assume a lengthy period between disclosure and exploitation.
Insikt Group also created Nuclei templates for CVE-2026-35616, affecting Fortinet FortiClient EMS, and CVE-2026-25939, affecting Frangoteam FUXA. Recorded Future made those templates available to its customers through the Recorded Future Intelligence Operations Platform.
The supported point is limited but useful: detection templates exist for those two vulnerabilities and can assist customers using that platform. Organizations should not infer from that fact alone what each template validates, how it behaves, or whether a result proves compromise.
The operational lesson is that visibility must be prepared before the next advisory arrives. Teams should already know who owns FortiClient EMS, where relevant FUXA deployments exist, which management interfaces are externally accessible, and how those systems will be isolated if an emergency update cannot be installed immediately.

Old Vulnerabilities Keep Winning When Old Systems Remain Reachable​

Recorded Future reported that four prominent June vulnerabilities were at least five years old and that the oldest was approximately ten years old. The StrikeShark set ranged from CVE-2016-4437 through vulnerabilities assigned in later years, showing that the reported campaign activity incorporated both older and more recently disclosed weaknesses.
WindowsForum’s operational conclusion is that vulnerability age should not be mistaken for irrelevance. An older vulnerability may persist because the affected application is abandoned, the operating environment is unsupported, an appliance lacks a clear owner, an upgrade project failed, or the system is absent from the organization’s external inventory.
This is the point at which repeated exceptions become an architecture decision. If an old affected system cannot be patched, the organization should remove its public exposure, restrict access, isolate it, place a supported control in front of it, monitor it as a high-risk asset, or retire it. Continuing to expose an unremediated system is not merely a delay in patch management; it is an acceptance of ongoing attack opportunity.

June’s Malware Map Shows What Happens After the CVE​

Recorded Future connected vulnerabilities in the June set with loaders, information stealers, backdoors, botnets, ransomware, and post-exploitation tooling. Those associations provide investigative context for systems that were exposed while vulnerable.
Insikt Group reported that Lazarus exploited CVE-2025-55182 to deploy COPPERHEDGE against financial and blockchain-related organizations. The same React Server Components vulnerability also appeared in the broader StrikeShark set reported by Recorded Future.
Recorded Future attributed exploitation of CVE-2026-21509 and CVE-2026-21513 to APT36 activity targeting India and associated the activity with backdoor deployment and SHEETCREEP.
Insikt Group also reported that the C0XMO botnet campaign exploited CVE-2021-27137 in DD-WRT firmware and propagated across Linux architectures. For Windows-focused organizations, the relevance is not the operating system alone. DD-WRT deployments can exist in branch offices, labs, remote sites, temporary facilities, and edge networks that connect back to Windows-based enterprise resources.
Recorded Future further associated FortiClient EMS exploitation with EKZ information-stealing malware and linked CVE-2026-50751 in Check Point Security Gateway and Spark Firewalls with Qilin ransomware.
The common sequence is vulnerability exploitation followed by payload delivery or another post-exploitation objective. WindowsForum therefore recommends that incident responders receive the vulnerability, asset, exposure, and campaign context at the same time as the patching team. Vulnerability management may close the entry point, but incident response must determine whether an attacker used it before closure.

The Weakness Rankings Point to Recurring Engineering Failures​

According to Insikt Group, the most commonly observed weakness in the June set was CWE-22, Path Traversal. It was followed by CWE-502, Deserialization of Untrusted Data; CWE-78, OS Command Injection; CWE-306, Missing Authentication for Critical Function; and CWE-287, Improper Authentication.
These categories describe failures at trust boundaries: accepting a path that should have been constrained, reconstructing attacker-controlled data as an object, passing untrusted input to operating-system commands, exposing critical functionality without authentication, or implementing authentication incorrectly.
Their persistence across modern enterprise products reinforces the need for defense in depth. Patch deployment remains necessary, but organizations should also reduce unnecessary public interfaces, place administrative functions behind restricted access paths, separate management networks, monitor application behavior, and avoid granting exposed services more privilege than they require.
For software and application-security teams, the rankings provide review priorities. Path normalization, archive extraction, object deserialization, shell invocation, authentication enforcement, and authorization checks deserve explicit testing. For infrastructure teams, the same rankings identify the product behaviors most likely to require compensating controls when patches cannot be applied immediately.

A Practical Triage Timeline​

WindowsForum recommends using the following timeline when a high-impact vulnerability affects a reachable enterprise system:
Time from alertRequired actionVerification criterion
0–4 hoursIdentify the product owner, enumerate potentially affected assets, and determine public reachabilityNamed owner and target list recorded
4–12 hoursConfirm affected versions and review vendor patches or mitigationsVersion evidence collected from the systems, not only from inventory records
Within 24 hoursPatch, mitigate, isolate, or remove exposure for the highest-risk reachable assetsAuthenticated verification confirms the changed state
Within 24 hoursBegin compromise assessment for systems exposed during the vulnerable periodInvestigation scope, telemetry sources, and responsible analyst documented
Within 48 hoursAddress affected internal management, security, identity-adjacent, backup, and high-value systemsRemaining exceptions have owners, deadlines, and compensating controls
Within 7 daysReconcile scanner, configuration, cloud, network, and owner inventoriesUnowned or unmatched assets escalated
At closureObtain asset-owner sign-off and security validationEvidence shows the vulnerability or exposure was actually removed
This timeline is a WindowsForum recommendation. It is intentionally based on exposure and potential impact rather than on severity labels alone.

Administrator Closure Checklist​

Before marking a June-related vulnerability ticket complete, administrators should be able to answer yes to the applicable questions:
  • Is the asset’s business and technical owner identified?
  • Was the installed version obtained directly through authenticated inspection or an equivalent trusted method?
  • Was internet exposure checked from an external perspective?
  • Was the vendor patch installed or the documented mitigation applied?
  • If patching was delayed, was public access removed or tightly restricted?
  • Were cloud instances, branch-office systems, standby nodes, disaster-recovery environments, templates, and recovery images included?
  • Was the system exposed while vulnerable?
  • If so, was a compromise assessment opened and completed?
  • Were unexpected accounts, services, scheduled tasks, child processes, files, configuration changes, and outbound connections reviewed?
  • Were relevant credentials or secrets evaluated for rotation?
  • Did authenticated rescanning confirm that the vulnerable condition no longer exists?
  • Did the asset owner sign off on the remediation status?
  • Were remaining exceptions assigned an expiration date and an accountable approver?
A scanner result alone cannot answer every question. Verification requires technical evidence, asset ownership, and a documented decision about any remaining exposure.

The Core Management Problem Is Ownership​

The June findings expose a coordination problem as much as a patching problem. Exchange may belong to messaging, SharePoint to collaboration, Cisco and F5 to network engineering, Fortinet and Check Point to security infrastructure, GeoServer to an application team, and DD-WRT devices to a branch office that central IT does not realize it supports.
WindowsForum recommends one shared emergency queue for exploited or urgently prioritized vulnerabilities, regardless of which department owns the affected product. Each entry should contain the asset, owner, affected version, exposure state, remediation method, investigation status, verification evidence, and deadline.
This avoids repeating the same conceptual debate in separate departmental meetings while attackers operate across the combined environment. The required unit of work is not “the Windows patch,” “the firewall patch,” or “the application patch.” It is the organization’s complete exposure to a vulnerability and the evidence that the exposure has ended.

The Next Disclosure Will Not Wait for the Next Maintenance Window​

Recorded Future’s June 2026 data presents a demanding but actionable picture: 60 prioritized vulnerabilities across 36 vendors; 57 listed as actively exploited in the quick-reference table after three honeypot-associated CVEs were excluded; 53 with public proof-of-concept exploits; 25 enabling remote code execution; 23 overlapping with CISA’s KEV catalog; and a fastest disclosure-to-exploitation interval of less than one day.
The appropriate response is not to abandon patch testing or treat every CVE as an emergency. It is to distinguish exposed and affected systems from theoretical inventory, give active exploitation and campaign context more weight than severity alone, and investigate systems that may have been compromised before remediation.
Windows and infrastructure teams should leave June with six durable capabilities: a reliable inventory of externally reachable assets, rapid affected-version identification, a path for emergency patching or isolation, cross-team ownership, post-exploitation hunting, and authenticated closure verification.
The next high-impact vulnerability may appear in Windows, Exchange, SharePoint, a security gateway, a network appliance, an application framework, or a system no central team currently knows it owns. The organization that can identify that asset, restrict it, remediate it, investigate it, and prove closure within hours will be in a fundamentally better position than one whose process begins and ends with adding another critical item to a severity-sorted queue.

References​

  1. Primary source: Recorded Future
    Published: 2026-07-10T16:40:18.653119
  2. Related coverage: vulnerability-lookup.org
  3. Related coverage: dataproof.co.za
  4. Related coverage: first.org
  5. Related coverage: cve.org
  6. Related coverage: hackerstorm.com
 

Back
Top