Cyber Threat Brief — June 10 2026
1. Check Point VPN Auth Bypass Zero-Day — CVE-2026-50751
TL;DR: Critical (CVSS 9.3) auth bypass in Check Point Remote Access VPN IKEv1 exploited since May 7 by Qilin ransomware affiliate. CISA KEV added June 9 — apply hotfix immediately.
What’s New:
- Check Point advisory June 8; CISA KEV June 9
- IKEv1 certificate validation logic flaw lets unauthenticated attacker establish VPN session without valid password
- Qilin ransomware affiliate attributed (medium confidence); post-exploitation ELF payload retrieval observed
- Affects R80.20.X through R82.10 (four branches already End of Support)
- Companion CVE-2026-50752 (CVSS 7.4) MitM in site-to-site IKEv1 — no exploitation observed
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| 45.77.149[.]152 | IP | T1133 | Firewall/VPN | Block |
| 209.182.225[.]136 | IP | T1133 | Firewall/VPN | Block |
| 38.60.157[.]139 | IP | T1133 | Firewall/VPN | Block |
| 162.33.177[.]101 | IP | T1133 | Firewall/VPN | Block |
| 45.76.26[.]42 | IP | T1133 | Firewall/VPN | Block |
| 144.208.127[.]155 | IP | T1133 | Firewall/VPN | Block |
| 38.54.88[.]201 | IP | T1133 | Firewall/VPN | Block |
| 38.54.107[.]167 | IP | T1133 | Firewall/VPN | Block |
| 66.42.99[.]200 | IP | T1133 | Firewall/VPN | Block |
| 52fda5c1b9704544f32ee98d9060e689 | MD5 | T1059 | EDR | Hunt |
| 51d39aa39478beeac94f2d12f682ecce | MD5 | T1059 | EDR | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Check Point IKEv1 auth bypass rule; need VPN auth success from VPS ASNs without prior MFA |
| Elastic | None | No specific rule |
| Sigma | None | Need rule for VPN session establishment from known VPS providers without machine certificate |
Sources: Rapid7 ETR, BleepingComputer, Check Point Blog
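The Detection table above records that no vendor rule exists for the IKEv1 auth bypass and that the needed logic is "VPN auth success from VPS ASNs without prior MFA" plus session establishment without a machine certificate. The following Python is an added example (not from Check Point, CISA or any of the cited sources) of that hunt run over constructed log lines: it refangs the brief's defanged IOC IPs, and flags successful VPN authentications that match an IOC, that come from a VPS ASN without MFA, or that were established without a machine certificate. The log line format, the ASN enrichment table (using reserved documentation ASNs) and the sample lines are all constructed assumptions; Check Point's native log schema differs and the regex must be adapted to it.

```python
import ipaddress
import re

# Defanged IPs copied from the brief's Actionable Intel table for CVE-2026-50751.
DEFANGED_IOCS = [
    "45.77.149[.]152", "209.182.225[.]136", "38.60.157[.]139",
    "162.33.177[.]101", "45.76.26[.]42", "144.208.127[.]155",
    "38.54.88[.]201", "38.54.107[.]167", "66.42.99[.]200",
]

def refang(ioc: str) -> str:
    """Turn '1.2.3[.]4' into '1.2.3.4' and validate it as an IP (ValueError otherwise)."""
    return str(ipaddress.ip_address(ioc.replace("[.]", ".")))

IOC_SET = {refang(i) for i in DEFANGED_IOCS}

# Constructed ASN enrichment table (assumption): ASN -> (label, is_vps_hosting).
# Reserved documentation ASNs are used so nothing here points at a real provider.
ASN_TABLE = {
    64496: ("HOSTING-PROVIDER-A", True),
    64500: ("CORP-OFFICE", False),
}

# Constructed, generic VPN auth line format; not Check Point's native log schema.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>success|failure) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) asn=(?P<asn>\d+) mfa=(?P<mfa>yes|no) machine_cert=(?P<cert>yes|no)$"
)

def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(line: str) -> list:
    """Findings for one log line; an empty list means nothing to act on."""
    ev = parse_line(line)
    if ev is None:
        return ["UNPARSED: line does not match the expected format"]
    findings = []
    if ev["src"] in IOC_SET:
        findings.append("BLOCK: source matches published IOC")
    if ev["result"] == "success":
        asn = ASN_TABLE.get(int(ev["asn"]))
        if asn and asn[1] and ev["mfa"] == "no":
            findings.append("HUNT: auth success from VPS ASN without MFA")
        if ev["cert"] == "no":
            findings.append("HUNT: session established without machine certificate")
    return findings

# Constructed sample lines (RFC 5737 documentation addresses plus one IOC from the brief).
SAMPLE_LOGS = [
    "2026-06-09T03:12:44Z vpn auth success user=jdoe src=45.77.149.152 asn=64496 mfa=no machine_cert=no",
    "2026-06-09T08:01:10Z vpn auth success user=asmith src=198.51.100.7 asn=64500 mfa=yes machine_cert=yes",
    "2026-06-09T08:05:31Z vpn auth failure user=bob src=203.0.113.9 asn=64496 mfa=no machine_cert=no",
]

def scan(lines=SAMPLE_LOGS) -> dict:
    """Map line index -> findings, keeping only lines with at least one finding."""
    return {i: f for i, f in ((i, triage(l)) for i, l in enumerate(lines)) if f}

if __name__ == "__main__":
    for i, findings in scan().items():
        print(i, findings)
```

Blocking on the IOC match is the cheap part; the two HUNT conditions are what would have caught the activity before the indicators were published, so they are worth keeping as standing rules after the hotfix is applied.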
2. LiteLLM Unauth RCE Chain — CVE-2026-42271 + CVE-2026-48710
TL;DR: Authenticated command injection in LiteLLM AI gateway (CVSS 8.7) chains with Starlette host header bypass for full unauth RCE. CISA KEV added June 8 — upgrade to 1.83.7+.
What’s New:
- CISA KEV addition June 8; Horizon3.ai published full chain analysis
- POST /mcp-rest/test/connection and /mcp-rest/test/tools/list pass command/args/env to subprocess with no validation
- CVE-2026-48710 (Starlette BadHost) bypasses auth entirely on Starlette <= 1.0.0 — converts to unauth RCE
- Affects LiteLLM 1.74.2 through 1.83.6; chained with prior CVE-2026-42208 SQLi for credential theft
- Distinct from CVE-2026-42208 (SQLi) covered June 5 — this is a separate command injection path
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| POST /mcp-rest/test/connection | URI | T1190 | WAF/Proxy | Block |
| POST /mcp-rest/test/tools/list | URI | T1190 | WAF/Proxy | Block |
| command/args/env in JSON body | Payload | T1059 | WAF | Alert |
| Unexpected child processes from LiteLLM (sh, bash, python, curl, wget, nc) | Process | T1059.004 | EDR | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No LiteLLM-specific detection; need WAF rule on /mcp-rest/test/* endpoints with command injection patterns |
| Elastic | None | No specific rule |
| Sigma | None | Need web application child process spawning rule tuned for LiteLLM/Python ASGI |
Sources: The Hacker News, Horizon3.ai, Help Net Security
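The Actionable Intel and Detection tables above call for a WAF rule on the two /mcp-rest/test/* endpoints (Block on POST, Alert on command/args/env in the JSON body) and for a version check against the 1.74.2 through 1.83.6 affected range. The Python below is an added example, not LiteLLM's, Starlette's or Horizon3.ai's code, that implements both: an inspection function returning the findings for one request, and an affected-version predicate. The Host allowlist is a constructed assumption and is a generic hardening check for an unexpected Host header, not a reproduction of the Starlette fix; the sample request bodies are constructed and carry placeholder values only.

```python
import json
from urllib.parse import urlsplit

# Endpoints the brief names as passing command/args/env to subprocess.
WATCHED_PATHS = {"/mcp-rest/test/connection", "/mcp-rest/test/tools/list"}
SUBPROCESS_KEYS = {"command", "args", "env"}
# Constructed Host allowlist (assumption): names under which the gateway is legitimately served.
ALLOWED_HOSTS = {"litellm.example.internal", "localhost"}

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def is_affected_litellm(version: str) -> bool:
    """Affected range per the brief: 1.74.2 through 1.83.6 inclusive; fixed in 1.83.7+."""
    return parse_version("1.74.2") <= parse_version(version) <= parse_version("1.83.6")

def find_keys(obj, wanted, path="") -> list:
    """Collect JSON paths whose key is in `wanted`, recursing so nested placement is caught."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else k
            if k in wanted:
                hits.append(p)
            hits.extend(find_keys(v, wanted, p))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(find_keys(v, wanted, f"{path}[{i}]"))
    return hits

def inspect_request(method: str, target: str, host: str, body: str) -> list:
    """Findings for one request reaching the LiteLLM proxy; an empty list means pass through."""
    path = urlsplit(target).path.rstrip("/")
    findings = []
    if path in WATCHED_PATHS and method.upper() == "POST":
        findings.append("BLOCK: POST to watched /mcp-rest/test endpoint")
    if host.split(":")[0].lower() not in ALLOWED_HOSTS:
        findings.append("ALERT: unexpected Host header")
    try:
        doc = json.loads(body) if body else None
    except ValueError:
        doc = None  # non-JSON body: nothing to key-match, other findings still apply
    keys = find_keys(doc, SUBPROCESS_KEYS)
    if keys and path.startswith("/mcp-rest/test"):
        findings.append("ALERT: subprocess keys in JSON body: " + ", ".join(keys))
    return findings

# Constructed sample requests with placeholder values.
SAMPLE_REQUESTS = [
    ("POST", "/mcp-rest/test/connection", "litellm.example.internal",
     '{"command": "placeholder", "args": ["a"], "env": {"K": "v"}}'),
    ("POST", "/chat/completions", "litellm.example.internal", '{"model": "x"}'),
    ("GET", "/mcp-rest/test/tools/list?x=1", "203.0.113.5", ""),
]

if __name__ == "__main__":
    for ver in ("1.74.1", "1.74.2", "1.83.6", "1.83.7"):
        print(ver, "affected" if is_affected_litellm(ver) else "not affected")
    for req in SAMPLE_REQUESTS:
        print(req[0], req[1], inspect_request(*req))
```

The body inspection recurses through nested objects and arrays so that the same keys wrapped one level deeper still raise the Alert; the Block on the URI applies regardless of body, matching the table.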
3. GreenPlasma Windows CTFMON LPE — CVE-2026-45586
TL;DR: Publicly disclosed zero-day privilege escalation in Windows CTFMON abuses Object Manager symlinks and CloudFiles registry links for SYSTEM. Patched in today’s record-breaking 208-CVE Patch Tuesday.
What’s New:
- Patched June 10 Patch Tuesday (record 208 CVEs); publicly disclosed before patch
- Nightmare Eclipse PoC (“GreenPlasma”) on GitHub; exploits CTF session Object Manager symlink + CloudFiles policy registry link
- Affects Windows 10/11/Server 2022/2026 with interactive CTFMON sessions
- Same researcher also disclosed “MiniPlasma” (similar CTF vector) and “YellowKey” (patched same day)
- Not yet confirmed exploited ITW but PoC is weaponization-ready
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| ctfmon.exe spawning unexpected children | Process | T1068 | Sysmon EID 1 | Hunt |
| ProcessAccess to ctfmon.exe from non-standard callers | Process | T1068 | Sysmon EID 10 | Hunt |
| Object creation in \Sessions\\BaseNamedObjects\CTF. | Object | T1068 | Sysmon EID 14 | Hunt |
| Registry writes to HKLM\..\CloudFiles\* policy keys | Registry | T1112 | Sysmon EID 13 | Hunt |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No CTFMON abuse detection; need ProcessAccess + symlink creation rule |
| Elastic | None | No specific rule |
| Sigma | None | No GreenPlasma-specific rule; need CTF session object monitoring |
Sources: BleepingComputer, Blackfort Analysis, GitHub PoC
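The Actionable Intel table above lists the Sysmon hunts (EID 1 children of ctfmon.exe, EID 10 ProcessAccess to ctfmon.exe from non-standard callers, EID 13 writes to CloudFiles policy keys) and the Detection table notes that no ready-made rule exists. The Python below is an added triage example, not the GreenPlasma PoC, Blackfort's analysis or a vendor rule, that applies those three rows to Sysmon events represented as dicts of Sysmon field names. The accessor allowlist is a constructed assumption to be baselined on a clean host, the CloudFiles match is deliberately loose because the brief elides the parent key path, and the sample events are constructed with a labelled placeholder in the registry path.

```python
import ntpath

CTFMON = "ctfmon.exe"
# Constructed allowlist of images that routinely open handles to ctfmon.exe
# (assumption; baseline it on a clean host before use).
EXPECTED_CTF_ACCESSORS = {"csrss.exe", "svchost.exe", "msmpeng.exe", "lsass.exe"}
# The brief elides the parent path of the CloudFiles policy keys, so match any
# HKLM value path containing a CloudFiles key (assumption; tighten once known).
CLOUDFILES_MARKER = "\\cloudfiles\\"

def basename(image) -> str:
    return ntpath.basename(image or "").lower()

def triage_event(ev: dict):
    """Return a finding for one Sysmon event (dict of Sysmon field names), or None."""
    eid = ev.get("EventID")
    if eid == 1 and basename(ev.get("ParentImage")) == CTFMON:
        # ctfmon.exe has no legitimate reason to create child processes.
        return f"HUNT T1068: ctfmon.exe spawned {basename(ev.get('Image'))} (pid {ev.get('ProcessId')})"
    if eid == 10 and basename(ev.get("TargetImage")) == CTFMON:
        src = basename(ev.get("SourceImage"))
        if src not in EXPECTED_CTF_ACCESSORS:
            return f"HUNT T1068: {src} opened ctfmon.exe with GrantedAccess {ev.get('GrantedAccess')}"
    if eid == 13:
        target = (ev.get("TargetObject") or "").lower()
        if target.startswith("hklm\\") and CLOUDFILES_MARKER in target:
            return f"HUNT T1112: {basename(ev.get('Image'))} set {ev.get('TargetObject')}"
    return None

def triage(events) -> list:
    """Findings for a sequence of events, in input order."""
    return [f for f in map(triage_event, events) if f]

# Constructed sample events; PLACEHOLDER stands in for the elided registry parent path.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\ctfmon.exe", "ProcessId": 4412},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\ctfmon.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\u\Downloads\tool.exe",
     "TargetImage": r"C:\Windows\System32\ctfmon.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 13, "Image": r"C:\Users\u\Downloads\tool.exe", "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Policies\PLACEHOLDER\CloudFiles\Example"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe", "EventType": "SetValue",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Foo\Start"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Sysmon only emits EID 10 for the process pairs its configuration selects, so the ProcessAccess row needs a config entry targeting ctfmon.exe before this logic sees any events.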
4. Veeam Backup & Replication Domain-User RCE — CVE-2026-44963
TL;DR: Any domain user can achieve RCE on domain-joined Veeam Backup servers (CVSS 9.4). PoC public, patch released June 9 — prioritize given Veeam’s ransomware target history.
What’s New:
- WatchTowr (Sina Kheirkhah) disclosure; patch 12.3.2.4854 released June 9
- Domain user authentication sufficient — no admin required
- Only affects domain-joined VBR 12.x installations; v13.x not affected (architectural changes)
- No ITW exploitation yet but Veeam warns exploit development expected immediately
- Public PoC on GitHub; Veeam is top ransomware target (Akira, LockBit, BlackCat history)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Veeam Backup Server process spawning unexpected children | Process | T1210 | EDR | Hunt |
| Domain user auth to VBR management port from non-admin workstations | Auth | T1078 | Windows Security | Hunt |
| VBR version < 12.3.2.4854 | Version | T1190 | Vuln Scanner | Patch |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Veeam domain-user RCE rule; need auth anomaly + process chain detection on VBR servers |
| Elastic | None | No specific rule |
| Sigma | None | Need rule for unexpected process execution under Veeam service account context |
Sources: BleepingComputer, The Hacker News, Veeam KB
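The tables above reduce to two checks: an inventory check (domain-joined VBR 12.x below 12.3.2.4854 needs the patch; v13.x and standalone installs are out of scope per the brief) and a hunt for unexpected processes spawned from the Veeam backup service or under its service account. The Python below is an added example, not Veeam's or watchTowr's code, implementing both. The inventory versions other than the fix build, the service account name, the expected-children list and the process events are constructed assumptions and must be tuned against a real VBR host's baseline.

```python
import ntpath

PATCHED_BUILD = (12, 3, 2, 4854)  # fix version named in the brief

def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def vbr_status(host: dict) -> tuple:
    """
    host = {"name": ..., "version": "12.x.y.z", "domain_joined": bool}
    Returns (verdict, reason) with verdict in {"patch", "up_to_date", "not_affected"}.
    """
    ver = parse_version(host["version"])
    if ver[0] != 12:
        return ("not_affected", "only VBR 12.x is affected; v13.x is not")
    if not host["domain_joined"]:
        return ("not_affected", "not domain-joined")
    if ver < PATCHED_BUILD:
        return ("patch", f"{host['version']} is below 12.3.2.4854")
    return ("up_to_date", "at or above 12.3.2.4854")

# Constructed inventory; versions other than the fix build are made up for the example.
INVENTORY = [
    {"name": "vbr-01", "version": "12.3.1.100", "domain_joined": True},
    {"name": "vbr-02", "version": "12.3.2.4854", "domain_joined": True},
    {"name": "vbr-03", "version": "13.0.0.1", "domain_joined": True},
    {"name": "vbr-lab", "version": "12.2.0.50", "domain_joined": False},
]

def patch_queue(inventory=INVENTORY) -> list:
    return [h["name"] for h in inventory if vbr_status(h)[0] == "patch"]

# Process-chain hunt. Parent images, service account and expected children are
# constructed assumptions for this example; baseline them on a real VBR server.
VEEAM_PARENTS = {"veeam.backup.service.exe", "veeam.backup.manager.exe"}
VEEAM_SERVICE_ACCOUNTS = {"corp\\svc_veeam"}
EXPECTED_CHILDREN = {"veeam.backup.manager.exe", "veeamagent.exe", "conhost.exe"}

def basename(p) -> str:
    return ntpath.basename(p or "").lower()

def flag_process(ev: dict):
    """Return a finding for a process-creation event dict, or None if it looks routine."""
    parent, child = basename(ev.get("ParentImage")), basename(ev.get("Image"))
    user = (ev.get("User") or "").lower()
    in_scope = parent in VEEAM_PARENTS or user in VEEAM_SERVICE_ACCOUNTS
    if in_scope and child not in EXPECTED_CHILDREN:
        return f"HUNT T1210: {parent} as {ev.get('User')} spawned {child}"
    return None

# Constructed sample events; install paths are illustrative.
SAMPLE_PROCS = [
    {"ParentImage": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "User": "CORP\\svc_veeam"},
    {"ParentImage": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe",
     "Image": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Manager.exe", "User": "CORP\\svc_veeam"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "User": "CORP\\alice"},
]

if __name__ == "__main__":
    print("patch queue:", patch_queue())
    for ev in SAMPLE_PROCS:
        print(flag_process(ev))
```

Because any domain user can reach the vulnerable path, the process hunt is the control that stays useful while patches roll out; the version check is what drives the roll-out order.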
Status Updates
- CVE-2026-42897 (Exchange OWA XSS): Permanent patch delivered in June 10 Patch Tuesday after 26 days with only EEMS mitigation. CISA KEV deadline July 1. Apply SU immediately. Original brief.
- CVE-2026-49975 / CVE-2026-49160 (HTTP/2 HPACK Bomb): Microsoft patched HTTP.sys (CVE-2026-49160, CVSS 7.5) in June PT, adding MaxHeadersCount registry setting. IIS/HTTP.sys exposure now mitigated. nginx/Apache patches from June 5 brief remain applicable for non-Microsoft stacks. Original brief.
- Miasma/Hades Supply Chain: Hades variant hit PyPI June 8 — 37 malicious wheels across 19 packages (ensmallen, gpsea, MCP-themed packages). Startup hook .pth execution, Bun runtime credential stealer targeting GitHub/npm/PyPI/AWS/GCP/Azure tokens. 471 total artifacts across npm+PyPI. Original brief.
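The Hades update above names startup hook .pth execution as the persistence mechanism. CPython's site module executes any line in a .pth file that begins with `import ` (or `import` followed by a tab) at interpreter start, which is what such hooks rely on. The Python below is an added example, not from the cited brief or any vendor, that scans site directories for .pth files carrying executable lines and reports those not on an allowlist. The allowlist entries and the sample .pth contents are constructed assumptions; the demo writes them to a temporary directory so the scanner runs offline.

```python
import os
import site
import tempfile

# .pth files that legitimately carry an import line in many environments (constructed
# allowlist for this example; setuptools' distutils-precedence.pth is one real case).
KNOWN_IMPORT_PTH = {"distutils-precedence.pth", "_virtualenv.pth"}

def executable_lines(text: str) -> list:
    """Lines site.py will exec at start-up: those beginning with 'import ' or 'import\\t'."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if line.startswith(("import ", "import\t"))]

def scan_dir(directory: str) -> list:
    """Report .pth files in `directory` with executable lines that are not allowlisted."""
    findings = []
    if not os.path.isdir(directory):
        return findings
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".pth"):
            continue
        path = os.path.join(directory, name)
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines = executable_lines(fh.read())
        except OSError:
            continue
        if lines and name not in KNOWN_IMPORT_PTH:
            findings.append({"file": path, "lines": lines})
    return findings

def scan_site_packages() -> list:
    """Scan every directory the running interpreter's site module consults."""
    dirs = list(getattr(site, "getsitepackages", lambda: [])())
    dirs.append(site.getusersitepackages())
    return [f for d in dirs for f in scan_dir(d)]

def demo() -> list:
    """Constructed sample site directory: a path-only .pth, an allowlisted one, and a hook."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "extra-paths.pth": "/opt/example/lib\n",
            "distutils-precedence.pth": "import os  # stand-in for the real setuptools line\n",
            "odd-package.pth": "import sys; sys.stderr.write('constructed sample hook')\n",
        }
        for name, text in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_dir(d)

if __name__ == "__main__":
    print("demo:", demo())
    print("this interpreter:", scan_site_packages())
```

Run `scan_site_packages()` from each interpreter you care about rather than once per host, since every virtual environment has its own site directories; a hit that is not a known packaging shim deserves a look at which wheel installed it.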