cybersecurity

Cisco disclosed CVE-2026-20245 on June 5 — the 7th Cisco SD-WAN vulnerability confirmed exploited in 2026. A high-severity command injection in Cisco Catalyst SD-WAN Manager allows root privilege escalation via a crafted file upload. No patch exists. No timeline provided. Discovered by Mandiant during active exploitation investigation. The vulnerability chains directly after CVE-2026-20182 and CVE-2026-20127, both CVSS 10.0. Configuration changes were pushed to edge devices in confirmed exploitation cases. UAT-8616 confirmed involved.

CVE-2026-8732 is a CVSS 9.8 critical vulnerability in the WP Maps Pro WordPress plugin that lets unauthenticated attackers create administrator accounts with zero credentials — a single HTTP request creates the account, generates a passwordless login URL, and exfiltrates it to the attacker. Wordfence blocked 2,858 exploitation attempts in 24 hours. Over 15,800 commercial installs are in the target window. Patch to version 6.1.1 immediately and audit all admin accounts now.

CVE-2026-0257 is an actively exploited authentication bypass in Palo Alto PAN-OS GlobalProtect that lets unauthenticated attackers forge session cookies and establish unauthorized VPN connections — bypassing MFA in affected configurations. CISA added it to the KEV catalog on May 29 with a federal deadline of June 19. Rapid7 MDR confirmed successful exploitation across multiple customers in two distinct waves since May 17. CVSS raised from 7.8 to 9.1 after exploitation confirmed. Patch immediately.

CISA issued a formal advisory on May 28, 2026 warning all organizations to audit developer systems for the Nx Console / GitHub supply chain compromise. CVE-2026-48027 and CVE-2026-45321 are on the CISA KEV catalog — federal deadline June 10. CISA also formally documented the parallel Megalodon campaign targeting GitHub Actions workflows. Full CISA guidance, complete attack chain, expanded credential targeting list, and forensic audit checklist inside.