PatchDayAlert
Analysis · 7 min read · 1,407 words · By Colten Anderson · Field Notes

Five edge and gateway bugs went under active attack in one week. Here is the patch order.

Ivanti Sentry, Splunk, FortiSandbox, Ubiquiti, and Cisco SD-WAN Manager all hit active exploitation in one week. What to patch first, with sources.


This was a quiet week for new advisories and a loud one for exploitation. June’s big rollups were already behind us: Microsoft’s Patch Tuesday, Chrome’s 33-CVE drop, Oracle’s monthly bundle, Atlassian, and SAP all shipped the week before. What landed this week instead was a cluster of edge and management-plane devices going under active attack at the same time, and a CISA KEV update on June 23 that put five of them on the federal clock.

The common thread is not a shared bug class. It is a shared position in the network. Every item below sits at an edge: a VPN gateway, a SIEM ingest path, a sandbox appliance, a router console, a network-management plane. Internet-reachable, often unauthenticated, and rarely on the same tidy patch cadence as your Windows fleet. Attackers know that, which is why the same seven days produced five separate KEV additions across five vendors.

Here is the breakdown, ordered by what to do first.

1. Ivanti Standalone Sentry, the worst of the week

CVE-2026-10520 is a CVSS 10.0 unauthenticated remote code execution flaw in Ivanti Standalone Sentry, the mobility gateway that fronts EPMM deployments. An attacker sends crafted XML to a single API endpoint and runs commands as root. No login, no user interaction, on a box that is by design exposed to the internet.

It is being exploited at scale. Rapid7 documented the flaw alongside a sibling bug; a public proof-of-concept circulated within a day of disclosure, and exploitation has continued through this week. The EPSS score sits near the top of the scale, which matches what the telemetry shows.

If you run Sentry, this is the first thing you touch. Upgrade to 10.5.2, 10.6.2, or 10.7.1. If you cannot patch in the next few hours, take the management interface off the public internet until you can. A gateway whose whole job is to be reachable is not a candidate for a “next maintenance window” decision when the exploit is already public.

2. Splunk Enterprise, because your SIEM is a target

CVE-2026-20253 is a CVSS 9.8 flaw that lets an unauthenticated attacker write to arbitrary files through a PostgreSQL sidecar endpoint that should never have been reachable without authentication. On its own that is a file-write primitive. Chained, researchers turned it into pre-auth code execution under the Splunk service account.

Splunk’s PSIRT confirmed limited exploitation, and CISA added it to KEV on June 18 with a June 21 federal deadline, which is one of the tightest windows you will see. The affected versions are Splunk Enterprise 10.2 before 10.2.4 and 10.0 before 10.0.7; the fixes are 10.2.4 and 10.0.7.

The reason this ranks second despite a lower base score than Ivanti is what a SIEM is. It holds your logs, your detections, and frequently credentials to half your estate. An attacker who lands code execution there does not just own a server; they own your visibility into everything else. Patch it like the crown-jewel system it is.
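As an added example (not the article's or either vendor's code), here is a branch-aware "is this install patched?" check that applies the fixed builds quoted above for Ivanti Sentry and Splunk Enterprise to a constructed inventory. It assumes each listed Sentry build is the fix for its own 10.x branch, treats any branch without a listed fix as unverified rather than safe, and compares numerically so that 10.0.10 is not mistaken for older than 10.0.7.

```python
# Branch-aware "is this install patched?" check for the Ivanti Sentry and
# Splunk Enterprise fixed builds quoted in this note.  Added example, not
# vendor code; the fixed-version tables are taken from the article and the
# sample inventory is constructed.
from __future__ import annotations

# Fixed build per release branch, as stated in the article.  A branch that is
# absent has no fix listed, so the check refuses to call it safe.
FIXED_VERSIONS = {
    "ivanti-sentry": {"10.5": "10.5.2", "10.6": "10.6.2", "10.7": "10.7.1"},
    "splunk-enterprise": {"10.0": "10.0.7", "10.2": "10.2.4"},
}

def parse_version(v: str) -> tuple[int, ...]:
    """Numeric tuple so 10.0.10 > 10.0.7 (plain string compare gets this wrong)."""
    return tuple(int(p) for p in v.strip().split("."))

def branch_of(v: str, depth: int = 2) -> str:
    """Release branch is the first two components, e.g. 10.6.1 -> 10.6."""
    return ".".join(v.strip().split(".")[:depth])

def patch_status(product: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-branch' for one install."""
    fixed = FIXED_VERSIONS[product].get(branch_of(installed))
    if fixed is None:
        # Not in the advisory table: verify against the vendor, never assume safe.
        return "unknown-branch"
    return "patched" if parse_version(installed) >= parse_version(fixed) else "vulnerable"

# Constructed inventory: (hostname, product, installed version).
INVENTORY = [
    ("sentry-dmz-01", "ivanti-sentry", "10.6.1"),
    ("sentry-dmz-02", "ivanti-sentry", "10.7.1"),
    ("sentry-lab", "ivanti-sentry", "10.4.3"),
    ("splunk-idx-01", "splunk-enterprise", "10.2.4"),
    ("splunk-sh-01", "splunk-enterprise", "10.0.10"),
    ("splunk-old", "splunk-enterprise", "10.0.6"),
]

def triage(inventory=INVENTORY) -> dict[str, list[str]]:
    """Bucket hosts by status; the 'vulnerable' list is the work queue."""
    out: dict[str, list[str]] = {"vulnerable": [], "unknown-branch": [], "patched": []}
    for host, product, version in inventory:
        out[patch_status(product, version)].append(host)
    return out

if __name__ == "__main__":
    for status, hosts in triage().items():
        print(f"{status:15} {', '.join(hosts) or '-'}")
```

Feed it your real inventory export in place of INVENTORY; anything in the unknown-branch bucket needs a manual check against the vendor advisory before it is closed.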

3. Fortinet FortiSandbox, two unauthenticated bugs in one appliance

Fortinet’s FortiSandbox carries two flaws now seeing active exploitation. CVE-2026-39808 (CVSS 9.8) is an unauthenticated OS command injection that runs as root through a single GET parameter. CVE-2026-39813 (CVSS 9.8) is an unauthenticated path traversal that escalates privilege. BleepingComputer reported live exploitation matching the public proof-of-concept in mid-June.

The patches predate this window; the exploitation does not, which is the reason it belongs in this issue. One upgrade clears both bugs. Pull the fixed FortiSandbox build from Fortinet’s PSIRT advisory and verify your appliance is past the affected 4.4.x line before you close the ticket. Fortinet did not list the exact fixed build in the press coverage, so confirm against the advisory rather than a secondhand number.

4. Ubiquiti UniFi OS, a three-bug chain to root

Ubiquiti shipped fixes for three UniFi OS flaws, all rated 10.0 and all added to KEV on June 23 with a June 26 deadline. CVE-2026-34908 is an improper access control bug, CVE-2026-34909 is a path traversal, and CVE-2026-34910 is the command injection. Individually they are bad. Chained, a network-adjacent attacker reaches unauthenticated root on UniFi gateways and consoles.

This one cuts across the line between home-lab and enterprise. UniFi gear shows up in branch offices, small sites, and plenty of SMB networks, frequently with the console exposed for remote management. The fix is a single UniFi OS update; Ubiquiti’s Security Advisory Bulletin 064 lists the fixed builds, so check your console version against it. If any of these devices are internet-facing, treat the deadline as a formality and patch now.

5. Cisco Catalyst SD-WAN Manager, exploited but auth-gated

CVE-2026-20262 is a path traversal and arbitrary file write in Cisco Catalyst SD-WAN Manager (formerly vManage). The base score is a comparatively mild 6.5 because it requires authentication, but Cisco confirmed it was exploited as a zero-day, and CISA added it to KEV on June 23 with a June 29 deadline. A second SD-WAN Manager flaw, CVE-2026-20245 (CVSS 7.8, authenticated privilege escalation to root), carried a federal deadline of June 23.

The CVSS undersells the risk here. SD-WAN Manager is the control plane for your entire WAN fabric. An attacker who already has a foothold, or a stolen netadmin credential, can use these to write files and escalate to root on the box that pushes config to every site. Lower score, very high blast radius. Patch it this week, sooner if the management plane is reachable beyond your trusted network or you cannot vouch for every privileged account.

The KEV clock that ran out this week

Two more items were already patched but hit their federal deadline inside this window, which means anyone who deferred them is now late. CVE-2026-11645, an exploited V8 zero-day in Chrome, had a June 23 KEV deadline; the fix shipped in Chrome 149.0.7827.102/.103 earlier in the month, so this is a “confirm the fleet actually updated” task, not a new push. A Linux kernel privilege-escalation flaw known as “Copy Fail” (CVE-2026-31431) is in the same boat, with current distributions already covered.

Patched this week, not yet exploited, still worth your attention

A few high-severity fixes shipped this week without known exploitation. They did not make the urgent list, but they are real:

  • F5 NGINX released advisory K000161614 on June 17 covering two unauthenticated bugs, CVE-2026-42530 (HTTP/3 QUIC use-after-free) and CVE-2026-42055 (HTTP/2 heap overflow), both 8.1 on CVSS v3.1 and 9.2 on v4.0. This is NGINX, not BIG-IP. Fixed in NGINX OSS 1.31.2 / 1.30.3 and NGINX Plus R37 P2 / R36 P6.
  • Red Hat shipped a critical fix for Ansible Automation Platform, CVE-2026-11807 (CVSS 9.6), a missing-authorization bug in Event-Driven Ansible that can lead to credential theft. It matters only if you run EDA, but if you do, it is a credential exposure.
  • Veeam Backup & Replication carries CVE-2026-44963 (CVSS 9.4 on v4.0; NVD has not assigned a v3.1 score), a .NET deserialization RCE that any authenticated domain user can trigger. It was disclosed June 10 with a public proof-of-concept the same day. No confirmed in-the-wild use yet, but Veeam’s history of fast ransomware weaponization makes the fix (12.3.2.4854) worth scheduling. Losing your backups is the worst version of a bad week.

The actual patch order

If you are triaging across all of this with limited hands, here is the sequence:

  1. Ivanti Sentry (CVE-2026-10520) if exposed. Unauthenticated root, public exploit, ongoing attacks.
  2. Splunk Enterprise (CVE-2026-20253). Unauthenticated RCE, exploited, and it is your visibility layer.
  3. FortiSandbox (CVE-2026-39808 / 39813). Unauthenticated root, exploited, one upgrade clears both.
  4. Ubiquiti UniFi OS (the three-bug chain), internet-facing units first.
  5. Cisco SD-WAN Manager (CVE-2026-20262 / 20245). Auth-gated but it owns your WAN.
  6. Confirm Chrome and Linux kernel are actually current; their KEV deadlines already passed.
  7. Schedule NGINX, Ansible, and Veeam where they apply.

None of this is exotic. It is the same lesson the edge keeps teaching: the devices most exposed to the internet are the ones least likely to be on a patch cadence you trust, and attackers have learned to cluster their attention there. The fix is boring and it works. Know which of these you run, and close the internet-facing ones first.

PatchDayAlert tracks KEV additions like these in the daily digest the day they land, and rounds up the week every Wednesday. That is the job: the signal that has to move before the change board meets, not after.
