By security practitioners, for security practitioners

Top 10 Cybersecurity News (June 15, 2026): Check Point VPN Authentication Bypass Exploited In The Wild, Splunk Enterprise Pre-Auth Remote Code Execution, and More

WEEKLY TOP TEN: June 15, 2026, 16:00 GMT

  1. Check Point VPN Authentication Bypass Exploited In The Wild

    Check Point disclosed CVE-2026-50751, a critical authentication bypass affecting its Remote Access VPN, Mobile Access, and Spark Firewall products configured for the deprecated IKEv1 protocol. By exploiting a logic flaw in certificate validation, an attacker can establish a VPN session without possession of a valid password, effectively bypassing authentication requirements. Check Point has indicated that CVE-2026-50751 is being actively exploited in the wild, with observed activity dating back to May 7, 2026. One case involved confirmed post-compromise activity associated with a Qilin ransomware affiliate. A related man-in-the-middle issue, CVE-2026-50752, was also identified. Administrators running IKEv1 configurations should apply the vendor hotfix immediately.
  2. Microsoft Ships Record-Breaking Patch Tuesday

    Microsoft addressed an unusually large batch of flaws in its June security release, an event security teams flagged as the largest monthly total on record. Microsoft has addressed 206 vulnerabilities in its June 2026 security update release. This month’s patches include fixes for three publicly disclosed zero-day vulnerabilities and 37 Critical vulnerabilities, along with 166 additional vulnerabilities of varying severity levels. CVE-2026-44815 is a Critical RCE vulnerability affecting the Windows DHCP Client Service and has a CVSS score of 9.8. Windows received the most fixes, followed by Extended Security Updates and Microsoft Office. The volume, partly attributed to AI-assisted bug discovery, makes prioritized testing and rapid deployment essential for enterprises.
  3. Splunk Enterprise Pre-Auth Remote Code Execution

    Splunk, now part of Cisco, warned of a critical flaw allowing unauthenticated code execution on its flagship platform. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system. In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. Because the main web application proxies requests to this internal service, internet-facing deployments are especially exposed, with AWS-hosted instances enabling the component by default. Splunk Cloud is not impacted, as Postgres sidecars are not used in the product. Researchers demonstrated escalation from file write to full remote code execution, making prompt patching urgent.
  4. Veeam Backup Servers Exposed To Low-Privilege Takeover

    Veeam patched a critical flaw threatening the backup infrastructure many organizations rely on for ransomware recovery. Veeam has patched a critical remote code execution vulnerability, tracked as CVE-2026-44963 (CVSS v4 Score of 9.4), affecting Backup & Replication version 12.x. The flaw could allow a low-privileged domain user to execute code on backup servers connected to an Active Directory domain, potentially leading to full system compromise. The issue was fixed in version 12.3.2.4854 and does not affect Veeam Backup & Replication 13.x, which uses a different architecture. Only domain-joined deployments are affected. While no active exploitation was confirmed, the vendor warned attackers routinely reverse-engineer such patches to target unpatched systems.
  5. Oracle PeopleSoft Zero-Day Drives Extortion Campaign

    Oracle issued an out-of-band fix for a PeopleSoft flaw that attackers had already been abusing for weeks. Oracle has released an out-of-band advisory and security alert for CVE-2026-35273, a critical unauthenticated remote code execution vulnerability impacting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, as well as PeopleSoft Enterprise Applications. Google’s Mandiant attributed the campaign to ShinyHunters, dating activity from late May before any advisory existed. The higher-education sector was hit hardest, with stolen data posted to the group’s leak site. The software giant has released mitigations, but patches do not appear to be available. Affected organizations should apply mitigations and hunt for compromise indicators around exposed PeopleSoft endpoints.
  6. CISA Flags Cisco And Arista Flaws For Federal Action

    The U.S. cyber agency added actively exploited networking-gear flaws to its mandatory remediation list. CVE-2026-20245 (CVSS score: 7.8) is an improper encoding or escaping of output vulnerability in Cisco Catalyst SD-WAN Manager that could allow an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the affected system. CVE-2026-7473 (CVSS score: 6.9) is an incomplete comparison with missing factors vulnerability in Arista Extensible Operating System (EOS) that could be exploited to process non-configured tunnel traffic. Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply the necessary fixes or mitigations by June 23, 2026. The additions underscore how attackers increasingly target the management plane of enterprise network infrastructure.
  7. Novo Nordisk Discloses Clinical Trial Data Breach

    Danish pharmaceutical giant Novo Nordisk reported attackers stole sensitive trial information from its internal systems. Novo Nordisk disclosed a data breach affecting patient information from some clinical trials. Attackers gained access to its internal IT systems and data related to patients participating in some clinical trials, including their patient IDs, information on trial participation, sex, year of birth, biomarkers, health/immunogenicity data, and lifestyle factors. The company said the data was pseudonymized, so victims cannot be directly identified by name. The data breach also affects an undisclosed number of healthcare professionals, whose names, registration numbers, e-mail addresses, phone numbers, WhatsApp details, and office locations have been exposed. Affected staff were warned of impersonation-based phishing risks.
  8. Bug Bounty Research Triggers ServiceNow Alert

    ServiceNow disclosed a security incident affecting customer data that it later linked to research activity rather than malicious actors. ServiceNow has published an advisory stating it believes the observed activity was likely tied to security researchers or customer-led research associated with bug bounty submissions rather than malicious threat actors. The company also disclosed that it received a confidential bug bounty submission describing a similar issue on April 22, 2026, but did not apply a security update until June 5, after activity targeting customer instances reportedly began days earlier. The gap between disclosure and remediation drew scrutiny over patch timelines for cloud platforms holding large volumes of enterprise customer records.
  9. Kyushu Electric Loses Drive With 10.9 Million Records

    Japanese utility Kyushu Electric Power suffered a physical security incident exposing a vast trove of customer data. Kyushu Electric Power Co., Inc. has disclosed a physical security incident that affects private data of more than 10 million customers. Due to capacity constraints, on April 27 an external storage device was used for backup, then stored in a server room cabinet; on May 26, IT staff found the cabinet unlocked and the drive missing. The incident impacts up to 10.9 million accounts. Exposed fields included names, service addresses, electricity usage, and phone numbers, though no financial data. The unencrypted drive remains unrecovered, and authorities have demanded a full incident report.
  10. Authorities Seize AudiA6 Crypto Laundering Service

    Law enforcement dismantled a money-laundering platform heavily used by ransomware operators. Feds seized AudiA6 and Dark2Web in a major crypto laundering case, arresting two suspects linked to over $389M in alleged illicit transactions. The two individuals arrested have been identified as 37-year-old Ukrainian national Ruslan Igorevich Tkachuk and 25-year-old Russian Alexander Vladimirovich Ledenev. AudiA6 promised to conceal the origin of traceable cryptocurrency for a fee of up to five percent. Approximately 10,333 Bitcoin were received in AudiA6 wallets since its launch in 2021, with 393.39 BTC coming directly from ransomware organizations, dark web markets, and similar cybercrime platforms. Both suspects await extradition.

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The preceding 10 stories were determined to be the most significant over the course of the week, ranked by highest risk and drawing on multiple sources when available.
