
Your Network Edge Took the Hits This Month

June 16, 2026

The last two weeks made one thing clear. The fastest way into an organization right now is through the gear sitting at its edge. VPN gateways, network controllers, and file-transfer servers all showed up on CISA's actively-exploited list, and at least one is already being used to deliver ransomware. Microsoft also shipped one of its largest Patch Tuesdays on record. Here is what actually deserves your attention, and what to do about it.

A Check Point VPN flaw is already feeding ransomware

The most urgent item is CVE-2026-50751, an authentication bypass in the IKEv1 VPN built into Check Point Security Gateways. An unauthenticated attacker can establish a remote-access VPN tunnel without a valid password, which puts them inside your perimeter. CISA added it to its Known Exploited Vulnerabilities catalog on June 8 with a June 11 deadline for federal agencies, and Check Point has tracked exploitation since early May across dozens of organizations. At least one incident has been tied to a Qilin ransomware affiliate.

If you run Check Point gateways with remote-access VPN, treat this as a same-day job. Apply Check Point's hotfix now. If you cannot patch immediately, check whether IKEv1 remote access is even enabled, since many environments run only IKEv2, and turn it off if you do not use it. Then review your VPN logs for tunnels you cannot account for.
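One way to carry out that log review, as an added example that is not from the newsletter or from Check Point: it flags tunnels that use an IKE version you do not expect, belong to an account not on your roster, or have no recorded successful authentication shortly beforehand. The CSV columns, the roster, the IKEv2-only policy, and the 60-second window are all assumptions; map your gateway's exported logs onto this shape before using it.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export, sorted by time. The column names are a
# hypothetical normalized schema, not Check Point's native log format.
SAMPLE_LOG = """\
time,event,ike,user,src_ip,session
2026-06-10T08:01:02,auth_success,IKEv2,alice,198.51.100.10,s1
2026-06-10T08:01:05,tunnel_up,IKEv2,alice,198.51.100.10,s1
2026-06-10T09:14:40,tunnel_up,IKEv1,bob,203.0.113.77,s2
2026-06-10T11:30:00,auth_success,IKEv2,carol,198.51.100.23,s3
2026-06-10T11:30:03,tunnel_up,IKEv2,carol,198.51.100.23,s3
2026-06-10T23:47:19,tunnel_up,IKEv2,svc-backup,192.0.2.200,s4
"""

KNOWN_USERS = {"alice", "bob", "carol"}  # assumption: your remote-access roster
ALLOWED_IKE = {"IKEv2"}                  # assumption: site runs IKEv2 only
AUTH_WINDOW = timedelta(seconds=60)      # assumption: auth closely precedes tunnel


def unaccounted_tunnels(log_text, known_users=KNOWN_USERS,
                        allowed_ike=ALLOWED_IKE, window=AUTH_WINDOW):
    """Return {session: [reasons]} for tunnels that fail any accounting check."""
    last_auth = {}  # (user, src_ip) -> time of most recent successful auth
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["time"])
        key = (row["user"], row["src_ip"])
        if row["event"] == "auth_success":
            last_auth[key] = when
            continue
        if row["event"] != "tunnel_up":
            continue
        reasons = []
        if row["ike"] not in allowed_ike:
            reasons.append("unexpected IKE version " + row["ike"])
        if row["user"] not in known_users:
            reasons.append("account not on roster")
        auth = last_auth.get(key)
        if auth is None or when - auth > window:
            reasons.append("no recent successful auth from this source")
        if reasons:
            findings[row["session"]] = reasons
    return findings


if __name__ == "__main__":
    for session, reasons in unaccounted_tunnels(SAMPLE_LOG).items():
        print(session, "->", "; ".join(reasons))
```

A flagged session is a lead to investigate against change records and user confirmation, not proof of compromise.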

Cisco's SD-WAN manager is being exploited with no patch yet

CVE-2026-20245 affects Cisco Catalyst SD-WAN Manager and lets an authenticated local attacker run commands as root. CISA added it to the exploited list on June 9. The catch is that there is no patch or mitigation available yet, so the work here is about reducing exposure. Make sure the SD-WAN management interface is not reachable from the internet, restrict which accounts and networks can reach it, and watch for Cisco's advisory. The management plane controls your entire network fabric, which is exactly why attackers want it.

A record Patch Tuesday, with one flaw already under attack

Microsoft's June update fixed 200 vulnerabilities, including six zero-days. Five were publicly disclosed before the patch shipped. One, CVE-2026-42897 in Exchange Server, is being actively exploited and lets an attacker run arbitrary JavaScript in a victim's browser through Outlook Web Access. If you still run on-premises Exchange, prioritize that fix and roll the rest through your normal cycle.

Two of the disclosed zero-days are BitLocker bypasses that let a local attacker get past full-disk encryption. If you depend on BitLocker to protect laptops that get lost or stolen, those belong on your list too, even though no one is exploiting them yet.

What to do this week

  1. Patch your internet-facing gear first, in this order: the Check Point VPN flaw (being used for ransomware), the SolarWinds Serv-U flaw below, then on-premises Exchange.
  2. Inventory what parts of your edge are reachable from the open internet. Management interfaces for firewalls, SD-WAN, and file transfer belong on an internal network, behind access controls.
  3. Push the latest Chrome and Chromium updates across your fleet and have people restart their browsers so the update takes effect.

Quick hits

  • SolarWinds Serv-U (CVE-2026-28318): a crafted request can crash the file-transfer server and knock it offline. SolarWinds shipped a fix in version 15.5.4 Hotfix 1, and CISA flagged active exploitation on June 5.
  • Chrome V8 (CVE-2026-11645): the fifth Chrome zero-day exploited this year. Updating and restarting the browser closes it.
  • Operation Saffron: a multinational law-enforcement effort seized a VPN service that ransomware crews used to stay anonymous, pulling more than 33 servers offline and exposing customer identities. A rare bit of good news.

The bottom line

The theme this stretch is consistent. The edge is where the fighting is happening. If you do one thing this week, make sure nothing that manages your network or moves your files is sitting on the open internet. If keeping track of which vendor appliances are exposed and which need patching is the hard part, that is the kind of visibility a vendor operations layer is built to give you.

Harborcoat Threat Watch delivers clear, practical cybersecurity guidance for business and IT leaders, about twice a month.