Cybersecurity: Threats and Defences
14 June, 11:51 UTC

VPN zero-day, no-patch KEV, late Exchange

Check Point's Remote Access VPN carried a critical authentication-bypass flaw for roughly a month before its 8 June hotfix, and a Qilin ransomware affiliate is already inside one victim. CISA set a three-day federal deadline. The same fortnight, Arista declined to patch an exploited flaw at all and Microsoft shipped its overdue Exchange fix 16 days late.

Key takeaway

Perimeter zero-days are ransomware's front door, and the patch machine designed to close them is failing in three different ways in a single fortnight.


Check Point disclosed a CVSS 9.3 authentication bypass in its Remote Access VPN on 8 June, roughly a month after attackers had begun exploiting it, with a Qilin ransomware affiliate already inside one victim.


Check Point disclosed on 8 June 2026 that a critical-rated VPN (virtual private network) authentication bypass had been exploited for roughly 30 days before a hotfix shipped. Attackers used a logic flaw in the deprecated IKEv1 protocol to self-certify their own credentials as valid.

The Cybersecurity and Infrastructure Security Agency gave US federal agencies a three-day deadline to apply the fix. A Qilin ransomware affiliate had already reached at least one victim before the hotfix appeared. 

Arista Networks told customers it has no plans to fix CVE-2026-7473, an exploited tunnel-verification flaw on CISA's mandatory-remediation list, leaving federal agencies legally bound to fix something the vendor will not.


Arista Networks confirmed on 9 June 2026 it will never ship a fix for a tunnel verification flaw in its 7020R, 7280R, and 7500R switch series. The US Cybersecurity and Infrastructure Security Agency listed the flaw the same day with a 23 June deadline for federal agencies.

Federal agencies are limited to access-control list workarounds. This is the second mandatory patch deadline in 2026 set for a flaw with no vendor remedy, following the Exchange zero-day case.

Sources: SecurityWeek

Microsoft's June Patch Tuesday fixed roughly 200 vulnerabilities including six zero-days, and finally shipped the overdue Exchange patch 16 days after its federal deadline.


Microsoft's June 2026 Patch Tuesday on 9 June fixed roughly 200 security flaws, including six already being exploited. Two separate BitLocker disk-encryption bypasses and a top-rated Windows Defender escalation called RoguePlanet were among the most notable.

The same release patched an Exchange Server flaw that US agencies were required to fix by 29 May, arriving 16 days late.

UNC6780 released its Shai-Hulud repository-poisoning worm as open-source under an MIT licence, turning a bespoke operation into a kit anyone can run; a copycat used it to poison 5,561 repositories in six hours.


UNC6780 published its Shai-Hulud supply-chain attack kit as open-source on 12 May 2026 and offered a $1,000 Monero prize for the largest attack. A copycat poisoned 5,561 code repositories on GitHub in six hours.

A variant called Phantom Gyp appeared on 3 June. It hid malicious code in a native build file (binding.gyp) that npm, the standard JavaScript package installer, does not scan. Cryptographic provenance attestations from the SLSA (Supply-chain Levels for Software Artifacts) framework were confirmed to be present on the poisoned packages.

Sources: Protos Labs

The UK Cyber Security and Resilience Bill reached report stage and third reading in the Commons on 10 June, but the consulted ransomware-payment ban and economy-wide reporting duty are absent from the published text.


The UK Cyber Security and Resilience Bill passed its third reading in the House of Commons on 10 June 2026 and advances to the House of Lords. The bill adds ransomware and attacker pre-positioning to the list of incidents that organisations must report.

A proposed ransomware-payment disclosure requirement was not included in the published text. Maximum fines reach £17 million or 4 per cent of global turnover. Canada's parallel cyber infrastructure law cleared its Senate the same week. 

Sources: JURIST

Bitdefender's June debrief found affiliates now claiming victims already posted by rival crews, one group adding physical break-ins, and construction overtaking manufacturing as the most-targeted sector.


Bitdefender's June 2026 report found ransomware affiliates buying access to the same victim from the same underground broker and each claiming credit on their own leak sites. The Silent Ransomware Group added physical break-ins at law firms and financial companies alongside network intrusions.

Construction firms overtook manufacturers as the most-targeted sector. MedusaLocker rebranded as Bavacai and entered the top ten after Europol's Operation Saffron seized 25 gangs' infrastructure.

Sources: Bitdefender

CISA added a SolarWinds Serv-U denial-of-service flaw to its exploited-vulnerabilities catalogue on 5 June and flagged it as a ransomware risk; SolarWinds has shipped a hotfix.


On 5 June 2026, US federal cyber authorities listed a denial-of-service flaw in SolarWinds Serv-U file-transfer software. The federal deadline for agencies to patch was 19 June, with a ransomware-exploitation warning attached. An unauthenticated attacker can crash the Serv-U service with a malformed web request.

SolarWinds shipped a fix in Serv-U 15.5.4 Hotfix 1. The ransomware flag is unusual for a crash-only flaw; investigators believe criminals deliberately crash Serv-U to disable monitoring before stealing data. 

Sources: Bitdefender

The EU's NIS2 regime reached full force on 1 June, with personal fines for directors now at the statutory maximum and the Commission referring laggard member states to its top court.


From 1 June 2026, company directors in EU countries that have transposed NIS2 can be fined personally at the full statutory rate for serious cybersecurity failures. The European Commission also referred non-transposing member states to the EU Court of Justice.

The EU's cybersecurity agency placed water, rail, and waste water utilities in its highest-risk category. Their maturity gaps make them the most likely targets for early enforcement action. 

Sources: Bitdefender
Closing comments

Risk is escalating on the perimeter-device front: a working watchTowr proof-of-concept for the Check Point CVSS 9.3 bypass is public as of 8 June, and Qilin's confirmed post-compromise presence signals that the exploitation window has moved from targeted to opportunistic. The Arista case is unresolved at a permanent level: without a hardware refresh, the CVE-2026-7473 exposure outlives the 23 June federal deadline indefinitely. Supply-chain risk from Shai-Hulud's open-source release on 12 May is elevated and accelerating; the Phantom Gyp binding.gyp evasion had no npm fix published as of the 14 June briefing date. Regulatory pressure is increasing, with NIS2 full enforcement from 1 June and the UK bill advancing, but the omission of ransomware-payment reporting from the CS&R Bill reduces the UK's instrument set precisely when the ransomware market is fragmenting fastest.

Different Perspectives
US Federal CISO community
Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.
UK NCSC
The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.
European Commission and ENISA
NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.
Check Point
Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.
Enterprise security buyers
Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.
Beijing-aligned attribution sceptics
CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.