Coverage: Last 24 hours

Today’s Highlights

The cyber landscape is marked by critical vulnerabilities demanding immediate attention, including risks introduced by flaws in Ivanti Sentry, SAP enterprise platforms, Microsoft Defender zero-days, and an exposed ServiceNow API endpoint. Organizations face a record-breaking Microsoft Patch Tuesday, highlighting supply chain fragility and the need for rapid, coordinated updates. AI security persists as a concern: both model experimentation and agent deployment continue to expose enterprises to data leakage and exploitation. Safeguarding sensitive workflows and tightening controls across APIs and emerging AI deployments remain essential in defending against evolving threats.

Table of Contents

1. Ivanti: Max severity Sentry flaw allows code execution as root
2. ServiceNow discloses security incident exposing customer data
3. SAP fixes critical flaws in NetWeaver and Commerce Cloud
4. Microsoft releases Windows 10 KB5094127 extended security update
5. Windows 11 KB5094126 & KB5093998 cumulative updates released
6. Microsoft Defender ‘RoguePlanet’ zero-day grants SYSTEM privileges
7. Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws
8. A Record-Breaking Patch Tuesday for June 2026

Top Stories

Ivanti: Max severity Sentry flaw allows code execution as root

Source: BleepingComputer | Risk: Critical | Impacted: Ivanti Sentry administrators, Enterprises using mobile device management, Perimeter security teams

Summary: Ivanti has patched two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity flaw that enables remote attackers to execute code with root privileges.

Why it matters: Remote attackers can seize control of the host operating system in Ivanti Sentry deployments, enabling lateral movement, persistence, or destruction at the infrastructure layer.

Practitioner Perspective

Organizations relying on Ivanti Sentry for secure mobile access are directly exposed to unauthenticated code execution risk if not yet patched. Attackers routinely scan for gateway appliances lagging on security fixes due to their perimeter placement and privilege. A successful exploit provides root-level access, bypassing access controls and granting operators wide latitude for further compromise or extortion. This ups the ante for prioritizing appliance patching and ensuring monitoring is not assumed to be trustworthy on compromised infrastructure. Treat this as a Tier 0 emergency requiring rapid and verifiable remediation.

Recommended Actions

• Apply the latest Ivanti Sentry patches addressing this code execution flaw without delay and verify firmware/software levels on all instances.
• Monitor Ivanti Sentry network traffic and logs for anomalous access patterns post-patch, especially spikes or suspicious authentication attempts.

ServiceNow discloses security incident exposing customer data

Source: BleepingComputer | Risk: High | Impacted: ServiceNow tenants, SaaS security managers, Enterprises processing sensitive data in ServiceNow

Summary: ServiceNow is warning about a security incident after attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances.

Why it matters: Attackers able to query customer data through exposed ServiceNow API endpoints elevate risk of targeted phishing, fraud, and data loss for affected organizations.

Practitioner Perspective

Any enterprise using ServiceNow must treat exposed API endpoints as high-risk vectors for sensitive business information leakage. Given that attackers exploited an unauthenticated endpoint, there is a high probability of data access patterns that bypass conventional detection. This is a strong reminder that SaaS APIs require the same scrutiny and controls as on-prem infrastructure. It is critical to audit for unrecognized or excessive permissions and review logs for unusual query activity. Focus on post-incident forensics and notification obligations as customer trust is at stake.

Recommended Actions

• Review ServiceNow customer instance logs for unauthorized data access and anomalous API activity linked to the compromised endpoint.
• Audit ServiceNow API permissions and disable any anonymous or broad-scope API endpoints immediately.

SAP fixes critical flaws in NetWeaver and Commerce Cloud

Source: BleepingComputer | Risk: Critical | Impacted: SAP NetWeaver administrators, SAP Commerce Cloud operators, Corporate finance and accounting systems

Summary: SAP has released fixes for 15 vulnerabilities as part of its June 2026 Security Patch package, including four critical-severity flaws affecting SAP NetWeaver and SAP Commerce Cloud.

Why it matters: Critical vulnerabilities in core SAP business platforms create direct pathways to fraud, service outages, or attacker persistence within the enterprise ERP environment.

Practitioner Perspective

SAP NetWeaver and Commerce Cloud customers face a heightened threat landscape whenever critical advisories land, as organized attackers quickly reverse patches to weaponize proofs-of-concept. These platforms are often tightly integrated with sensitive workflows, amplifying the impact of compromise. Delayed patching or lack of compensating controls will leave vital ERP data exposed to theft or manipulation. Executives and SAP admins should view these updates as business risks, not just technical debt.

Recommended Actions

• Deploy SAP June 2026 security patches addressing NetWeaver and Commerce Cloud immediately, prioritizing externally-facing or internet-connected instances.
• Coordinate SAP downtime for patching with business stakeholders to minimize disruption but do not defer beyond organizational SLA.

Microsoft releases Windows 10 KB5094127 extended security update

Source: BleepingComputer | Risk: High | Impacted: Windows 10 ESU customers, Enterprise IT asset managers, Environments with Secure Boot dependencies

Summary: Microsoft has released the Windows 10 KB5094127 extended security update, which fixes the June 2026 Patch Tuesday vulnerabilities and adds new functionality to monitor the rollout of updated Secure Boot certificates that replace those expiring this month.

Why it matters: Unsupported Windows 10 deployments patched only by ESU remain at heightened risk of exploit, but the update window is narrowing as Secure Boot certificate rotation deadlines loom.

Practitioner Perspective

Organizations reliant on Extended Security Updates (ESU) for Windows 10 are balancing end-of-life risk, operational continuity, and last-chance patch coverage. The inclusion of Secure Boot certificate monitoring means defenders must track which endpoints are protected and identify any systems lagging on this essential security posture update. Delays risk exposure to mass exploitation campaigns targeting unpatched legacy systems. Do not assume ESU is a license to deprioritize upgrade planning.

Recommended Actions

• Push KB5094127 to all Windows 10 endpoints enrolled in ESU, confirming post-update Secure Boot certificate status for each device.
• Use new certificate monitoring features to inventory and remediate assets using soon-to-expire Secure Boot chains.

Windows 11 KB5094126 & KB5093998 cumulative updates released

Source: BleepingComputer | Risk: Medium | Impacted: Windows 11 fleets (23H2/24H2/25H2), Patch management teams, Remote work and BYOD environments

Summary: Microsoft has released Windows 11 KB5094126 and KB5093998 cumulative updates for versions 25H2/24H2 and 23H2 to fix security vulnerabilities, bugs, and add new features.

Why it matters: Delaying cumulative Windows 11 updates with security fixes increases the attack surface for adversaries seeking to exploit freshly disclosed flaws.

Practitioner Perspective

Any Windows 11 estate not promptly patched with KB5094126 or KB5093998 remains vulnerable to both opportunistic and targeted attacks leveraging new exploit code. Enterprises slow to incorporate these updates, especially in remote or hybrid settings, may see disproportionate exposure due to uneven patch hygiene. Coordinated rollouts across all supported versions are crucial given the diversity of threat actors zeroing in on laggards. Patch baselines must be enforced across all device classes, not just servers.

Recommended Actions

• Prioritize deployment of KB5094126 and KB5093998 cumulative updates to all eligible Windows 11 endpoints.
• Validate update installation and enforce a compliance check across group policies or MDM for unsupported versions.

Emerging Signals

No entries today.

Exploits & CVEs

Microsoft Defender ‘RoguePlanet’ zero-day grants SYSTEM privileges

Source: BleepingComputer | Risk: High | Impacted: Organizations using Microsoft Defender, SOC monitoring Windows endpoints, Privileged access workstations

Summary: A security researcher has released a new Microsoft Defender zero-day exploit named “RoguePlanet” just hours after Microsoft fixed two previously disclosed flaws during June 2026 Patch Tuesday.

Why it matters: Active exploitation of unpatched Microsoft Defender zero-day flaws may allow attackers to escalate privileges and disable endpoint protections, undermining the security stack.

Practitioner Perspective

Any Windows system with Microsoft Defender enabled is susceptible to this newly disclosed zero-day, which can rapidly lead to SYSTEM-level compromise. Adversaries may capitalize on briefly available attack windows between disclosure and patch rollout, with a focus on environments lacking patch automation. Given Defender’s ubiquity, the risk is enterprise-wide, and exploitation could cascade to other parts of the estate via credential theft. Immediate patch uptake and hunting for known exploit indicators are essential.

Recommended Actions

• Patch Microsoft Defender on all Windows endpoints to mitigate the ‘RoguePlanet’ privilege escalation zero-day.
• Hunt for exploit artifacts associated with this Defender vulnerability in system and AV logs across high-value endpoints.

Microsoft June 2026 Patch Tuesday fixes 3 zero-day, 200 flaws

Source: BleepingComputer | Risk: High | Impacted: Windows IT asset and vulnerability managers, Hybrid-cloud estates, Enterprises with unmanaged or legacy systems

Summary: Today is Microsoft’s June 2026 Patch Tuesday, with security updates for 200 flaws and three publicly disclosed zero-day vulnerabilities.

Why it matters: A surge in critical Microsoft vulnerabilities means attackers have a statistically higher chance of finding an unpatched entry point across diverse enterprise environments.

Practitioner Perspective

A Patch Tuesday fix volume of over 200, including three zero-days, signals stretched patch cycles and defender fatigue. Threat groups will rapidly weaponize vulnerabilities with public exploit code, particularly in environments with heterogenous device fleets or lapses in update compliance. Prioritize zero-day and critical fixes, but don’t ignore the compounding risk from multiple ‘important’ vulnerabilities chained together. Integrate threat intelligence feeds to help triage and focus your patching prioritization.

Recommended Actions

• Prioritize immediate patching for all Microsoft products addressed in the June 2026 Patch Tuesday (especially zero-days).
• Correlate asset inventories to published CVEs and flag assets lagging behind in update compliance.

A Record-Breaking Patch Tuesday for June 2026

Source: Krebs on Security | Risk: High | Impacted: Windows-focused IT operations, Organizations using legacy Microsoft platforms, Asset owners with slow patch cycles

Summary: Microsoft today released software updates to plug nearly 200 security holes across its Windows operating systems and supported software, a record number of fixes for the company’s monthly Patch Tuesday cycle. Nearly three dozen of those bugs earned Microsoft’s most dire “critical” rating, and exploit code for at least three of the weaknesses is now publicly available.

Why it matters: The volume and criticality of Microsoft’s June 2026 patches amplify organizational risk if patch approvals or staged rollouts lag behind available exploit code.

Practitioner Perspective

Defenders are under heavy time pressure following a record-setting Patch Tuesday, with nearly three dozen critical bugs and active exploit code in circulation. Adversaries will focus their automation on slow-responding organizations, and even small configuration laggards or sideloaded legacy apps can create high-impact exposures. Leverage this event to rationalize exceptions and expedite urgent changes, especially on internet-facing assets. Crisis communications and executive buy-in will be necessary for any deviation from standard patching cadence.

Recommended Actions

• Fast-track critical fixes from the June 2026 Microsoft patch bundle to all platforms, explicitly including high-risk legacy software.
• Leverage SIEM and vulnerability scanners to surface unpatched endpoints and track remediation against vulnerability ID lists.

Defensive Actions

• Apply the latest Ivanti Sentry patches addressing this code execution flaw without delay and verify firmware/software levels on all instances.
• Review ServiceNow customer instance logs for unauthorized data access and anomalous API activity linked to the compromised endpoint.
• Deploy SAP June 2026 security patches addressing NetWeaver and Commerce Cloud immediately, prioritizing externally-facing or internet-connected instances.
• Push KB5094127 to all Windows 10 endpoints enrolled in ESU, confirming post-update Secure Boot certificate status for each device.
• Prioritize deployment of KB5094126 and KB5093998 cumulative updates to all eligible Windows 11 endpoints.
• Patch Microsoft Defender on all Windows endpoints to mitigate the ‘RoguePlanet’ privilege escalation zero-day.
• Prioritize immediate patching for all Microsoft products addressed in the June 2026 Patch Tuesday (especially zero-days).
• Fast-track critical fixes from the June 2026 Microsoft patch bundle to all platforms, explicitly including high-risk legacy software.
• Monitor Ivanti Sentry network traffic and logs for anomalous access patterns post-patch, especially spikes or suspicious authentication attempts.
• Hunt for exploit artifacts associated with this Defender vulnerability in system and AV logs across high-value endpoints.

What We’re Watching

• Uptake and possible exploitation of recently disclosed Ivanti Sentry, SAP, and Microsoft vulnerabilities
• Post-incident response and regulatory review for organizations impacted by ServiceNow API exposure
• Patch cycle acceleration and vulnerability management effectiveness following June 2026 Patch Tuesday
• Evolving tactics in targeting and bypassing AI-powered agents and email automation within enterprise environments
• Impact of limited-time AI releases, such as Anthropic Fable 5, on enterprise security evaluation and adoption policies

Categories: Cybersecurity Blog, Cybersecurity News

Tags: AI Security, cve, defensive actions, Ivanti, Microsoft, Patch Tuesday, Phishing, SAP, ServiceNow