Three FortiSandbox flaws actively exploited including two patched since April  ·  Cisco patches eighth actively exploited SD-WAN zero-day this year  ·  Second LiteSpeed cPanel root privilege escalation flaw hits shared hosting  ·  CYBERSIP.NET  ·  ISSUE 65
CYBERSIPTM
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 65June 16, 2026cybersip.net
Issue No. 65  ·  June 16, 2026  ·  3 active items  ·  Under 5 min read
Today’s picture
Threat intelligence firm Defused reported active exploitation of three FortiSandbox vulnerabilities within the past 24 hours, including two flaws Fortinet patched back in April and a third patched only last week. The exploit attempts against the most recent flaw appear to have been generated with AI assistance and are reportedly buggy, though that has not stopped attackers from trying. Cisco patched CVE-2026-20262, an arbitrary file write vulnerability in Catalyst SD-WAN Manager exploited to escalate to root, marking the eighth Cisco SD-WAN flaw flagged as actively exploited this year. CISA added CVE-2026-54420, a second LiteSpeed cPanel plugin privilege escalation flaw, to its Known Exploited Vulnerabilities catalog, giving federal agencies until June 18 to patch shared hosting environments running CloudLinux or CageFS.
Threat snapshot
3 active items · 2 monitoring
FortiSandbox / 3 CVEs exploited / two patched since April Cisco SD-WAN / eighth exploited zero-day 2026 / patched LiteSpeed cPanel / second flaw / CISA June 18 3 items this issue
Last 24 HoursFortiSandbox3 CVEs Exploited
Attackers are exploiting three FortiSandbox vulnerabilities, two patched since April and one patched last week. CVE-2026-39813 had no prior recorded exploitation before this wave.
CVE-2026-39813 and CVE-2026-39808 carry CVSS 9.1 and 9.8 respectively and were patched in April. CVE-2026-25089, covered in Issue 60, was patched last week. Defused noted the exploit attempt for CVE-2026-25089 appears AI-generated and likely faulty, but attackers are still throwing it at unpatched systems and finding traction.
June 15Cisco SD-WANPatched
Cisco patches CVE-2026-20262, an arbitrary file write in Catalyst SD-WAN Manager exploited to escalate to root. Eighth Cisco SD-WAN flaw flagged as actively exploited in 2026.
Exploitation requires valid low-privilege credentials with write access. Cisco discovered the flaw internally and confirmed limited, targeted exploitation. CISA added it to KEV with a June 29 federal deadline. This closes the loop on CVE-2026-20245, the unpatched seventh zero-day tracked since Issue 56.
June 16LiteSpeed cPanelCISA June 18
CISA adds CVE-2026-54420, a second LiteSpeed cPanel privilege escalation flaw, to KEV. Affects shared hosting servers running CloudLinux or CageFS. Federal deadline June 18.
A user with FTP or web shell access can escalate to root via a symlink mishandling flaw. This is the second LiteSpeed cPanel plugin flaw exploited in the wild within three weeks, following CVE-2026-48172 in late May. Upgrade to LiteSpeed WHM Plugin v5.3.2.1 or higher.
Detailed intelligence
Full analysis
01 FortiSandbox 3 CVEs Exploited
Three FortiSandbox vulnerabilities under active exploitation. Two were patched in April. The third, covered in Issue 60, was patched last week. Attackers are still finding unpatched targets.
CVE-2026-39813 · CVE-2026-39808 · CVE-2026-25089
Threat intelligence firm Defused reported exploitation of all three vulnerabilities within the past 24 hours via honeypot detections. CVE-2026-39813, a path traversal authentication bypass, had no prior recorded exploitation before this wave despite being patched in April.
Executive Impact
If your organisation runs FortiSandbox in any deployment mode, on-premises, cloud, or PaaS, confirm you are on the latest patched version: 4.4.9 or later for the 4.4 branch, 5.0.6 or later for the 5.0 branch. FortiSandbox sits inside the security stack, providing threat verdicts that other Fortinet products rely on to make blocking decisions. A compromised sandbox can be manipulated to return false clean verdicts, effectively blinding the rest of the security fabric to active threats.
Don’t Miss
Two of the three exploited flaws have had patches available since April, two months before this exploitation wave began. The gap between patch availability and active exploitation is not unusual for less prominent flaws, but it confirms a pattern this brief has tracked repeatedly: published patches do not equal applied patches, and attackers continue scanning for the gap between the two for months after a fix ships. CVE-2026-25089 was covered in Issue 60 on June 11 as a newly patched flaw. Five days later it is under active exploitation, which is a considerably faster turnaround than the two flaws from April, suggesting either a more accessible exploitation path or simply more attacker attention following recent FortiSandbox coverage.
CyberSip Take
If you patched FortiSandbox when this brief covered CVE-2026-25089 in Issue 60, you are protected against today’s exploitation wave. If you have not yet confirmed patch status on FortiSandbox across all three of these CVEs, today is the day. The AI-generated exploit attempt against CVE-2026-25089 being buggy is not a reason for comfort. Attackers iterate, and a faulty exploit today does not mean a faulty exploit next week.
What happened

Defused Cyber reported on June 15 that it observed exploitation attempts against three Fortinet FortiSandbox vulnerabilities within a 24 hour window via its honeypot network. CVE-2026-39813, a CVSS 9.1 path traversal vulnerability in the FortiSandbox JRPC API, allows an unauthenticated attacker to bypass authentication using crafted HTTP requests and access sensitive system data including configuration backups and version details. CVE-2026-39808, carrying a CVSS score as high as 9.8 depending on the scoring source, is an OS command injection flaw allowing unauthenticated remote code execution as root. Both were patched by Fortinet in April 2026 and credited to Fortinet’s own PSIRT team and a researcher at KPMG Spain respectively.

CVE-2026-25089, the third flaw, was covered in this brief in Issue 60 on June 11 as a newly disclosed and patched command injection vulnerability affecting FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS. Defused noted that the exploitation attempt against this flaw shows signs of being generated with AI assistance and appears unreliable, with no fully working public exploit yet disclosed. Despite the apparent quality issues in the exploit code, attackers continue attempting it against exposed systems.

Fortinet has not publicly responded to inquiries about the scope of this exploitation activity. FortiSandbox products are widely deployed in enterprise environments specifically to detect and analyse advanced malware threats, connecting to other Fortinet security products through the Security Fabric to enforce blocking decisions based on its verdicts.

Recommended actions
Derived from BleepingComputer, Help Net Security, and The Register reporting on FortiSandbox exploitation, June 15–16, 2026.
02 Cisco SD-WAN Patched
Cisco patches CVE-2026-20262, an arbitrary file write in Catalyst SD-WAN Manager exploited to gain root. The eighth Cisco SD-WAN flaw flagged as actively exploited this year.
CVE-2026-20262 · CVSS 6.5
Cisco discovered the vulnerability internally and confirmed limited, targeted exploitation in attacks during June. The flaw allows an authenticated attacker with valid write-access credentials to create or overwrite files on the underlying operating system, which can be used to escalate to root.
Executive Impact
Catalyst SD-WAN Manager centrally manages up to 6,000 edge routing devices from a single dashboard, making it a high-value target whose compromise gives an attacker visibility and control across an organisation’s entire SD-WAN fleet. Apply Cisco’s patch immediately across all deployment types, including on-premises, cloud, and government deployments. Review logs for upload attempts of unexpected files, particularly index.jsp or .war files, which Cisco specifically flagged as indicators of this exploitation technique.
Don’t Miss
This brief has tracked Cisco SD-WAN Manager zero-days since Issue 56, when CVE-2026-20245 appeared with no patch available and was carried in the monitoring strip for six days. CVE-2026-20262 is now the eighth Cisco SD-WAN flaw confirmed actively exploited in 2026 alone, following CVE-2026-20245, CVE-2026-20182, CVE-2026-20127, CVE-2026-20122, CVE-2026-20128, CVE-2026-20133, and CVE-2022-20775. Exploitation of several of these has been attributed to an advanced persistent threat actor tracked as UAT-8616. Eight actively exploited zero-days in a single product line within one calendar year is an unusually sustained level of attacker attention, suggesting either a deep well of undiscovered vulnerabilities in the SD-WAN Manager codebase or a threat actor with significant resources dedicated specifically to this platform.
CyberSip Take
CVE-2026-20245 from Issue 56, carried as unpatched for six days in the monitoring strip, has effectively been followed by a new zero-day in the same product. If your organisation runs Catalyst SD-WAN Manager, patching needs to be a standing monthly review item rather than a one-time task, given the frequency of new actively exploited flaws in this specific platform across 2026.
What happened

Cisco disclosed on June 15 that it had identified active exploitation of CVE-2026-20262, an arbitrary file write vulnerability in the web interface of Catalyst SD-WAN Manager, formerly known as SD-WAN vManage. The flaw stems from inadequate validation of user-supplied input during a file upload process. An authenticated attacker with valid write-access credentials can send crafted HTTP requests to an affected API endpoint to create or overwrite files on the underlying operating system, which can subsequently be used to escalate privileges to root.

Cisco stated it discovered the vulnerability internally and became aware of limited, targeted exploitation in June 2026. The company did not disclose extensive technical details about the observed attacks but advised administrators to review SD-WAN Manager logs for attempts to upload index.jsp or .war files, which is consistent with the exploitation technique. CISA added the flaw to its Known Exploited Vulnerabilities catalog, setting a remediation deadline of June 29, 2026 for federal civilian agencies. The vulnerability affects all Catalyst SD-WAN Manager deployment types, including on-premises, Cloud-Pro, Cisco Managed Cloud, and FedRAMP government deployments.

Recommended actions
Derived from The Hacker News, Security Affairs, and BleepingComputer reporting on CVE-2026-20262, June 15–16, 2026.
03 LiteSpeed cPanel CISA June 18
CISA adds a second LiteSpeed cPanel privilege escalation flaw to its Known Exploited Vulnerabilities catalog. Affects shared hosting servers running CloudLinux or CageFS. Federal deadline June 18.
CVE-2026-54420 · CVSS 8.5
CISA added CVE-2026-54420 to KEV today. The flaw allows a user with FTP or web shell access on a shared hosting server running CloudLinux or CageFS to escalate privileges to root by exploiting symlink mishandling in the LiteSpeed cPanel plugin. Namecheap reported the issue to LiteSpeed on May 31.
Executive Impact
Hosting providers and any organisation running shared hosting environments with the LiteSpeed cPanel plugin should upgrade to LiteSpeed WHM Plugin v5.3.2.1 or higher, which bundles cPanel plugin v2.4.8, immediately. The flaw is particularly relevant in multi-tenant shared hosting environments, where a single compromised or malicious customer account could be used to escalate to root and potentially affect every other tenant on the same physical or virtual host.
Don’t Miss
This is the second LiteSpeed cPanel plugin privilege escalation flaw confirmed exploited in the wild within roughly three weeks. CVE-2026-48172, added to KEV on May 26 with a CVSS score as high as 10.0 depending on the scoring version used, affected the LiteSpeed user-end cPanel plugin and was exploited as a zero-day before a patch existed. CVE-2026-54420 is a separate, independently discovered flaw in the same plugin family. Two distinct privilege escalation vulnerabilities surfacing in close succession in widely deployed shared hosting infrastructure software suggests either increased scrutiny on the LiteSpeed codebase following the first disclosure, or underlying structural weaknesses in how the plugin handles privilege boundaries between cPanel users and the underlying host.
CyberSip Take
If your organisation runs shared hosting infrastructure with LiteSpeed and cPanel, the deadline is June 18 for federal agencies and effectively now for everyone else given confirmed active exploitation. Two privilege escalation flaws in the same plugin family within three weeks is worth a broader review of the plugin’s privilege model, not just patching the two specific CVEs disclosed so far.
What happened

CISA added CVE-2026-54420 to its Known Exploited Vulnerabilities catalog on June 16, 2026, confirming active exploitation. The vulnerability exists in LiteSpeed cPanel Plugin versions before 2.4.8, as distributed in LiteSpeed WHM Plugin before 5.3.2.0, and affects shared hosting servers running CloudLinux with CageFS. The plugin mishandles symlinks provided by a user who has FTP or web shell access, allowing that user to escalate privileges to root.

Namecheap brought the issue to LiteSpeed’s attention on May 31, 2026. LiteSpeed has urged users to upgrade to LiteSpeed WHM Plugin v5.3.2.1 or higher, which bundles the patched cPanel plugin v2.4.8. The specific technical details of how the vulnerability is being exploited in the wild, and whether any of those attacks have succeeded, have not been publicly disclosed as of today.

This follows CVE-2026-48172, a separate LiteSpeed cPanel plugin privilege escalation vulnerability that CISA added to KEV on May 26 after confirming it had been exploited as a zero-day. That earlier flaw affected the LiteSpeed user-end cPanel plugin specifically and was patched in version 2.4.5. LiteSpeed stated at the time that its WHM plugin was not affected by that particular flaw, though the user-end plugin is bundled with the WHM plugin in most deployments.

Recommended actions
Derived from The Hacker News reporting on CVE-2026-54420 and CISA KEV catalog update, June 16, 2026.
Still watching
Aging items · days 2–5
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
LiteLLM CVSS 9.9 vulnerability chain (Issue 64). Patch available since May 2 in v1.83.14-stable. A separate flaw, CVE-2026-42271, is in CISA KEV with a June 22 deadline. Upgrade and rotate all API keys. Day 2
Ivanti Sentry CVE-2026-10520 CVSS 10.0 (Issue 63). Backdoored instances confirmed. CISA deadline has passed. Patch to R10.5.2, R10.6.2, or R10.7.1. Verify port 8443 is not internet-exposed. Day 3
Cross-source standouts
01
A patched vulnerability is not a closed vulnerability until the patch is applied everywhere
CVE-2026-39813 and CVE-2026-39808 in FortiSandbox have been patchable since April. CVE-2026-20245 in Cisco SD-WAN Manager, the unpatched zero-day from Issue 56, has now effectively been superseded by a new exploited flaw in the same product. CVE-2026-48172 in LiteSpeed cPanel, exploited in May, has now been followed by a second distinct privilege escalation flaw in the same plugin family. Across three unrelated vendors today, the same structural pattern repeats: a published patch closes the vulnerability on paper, but the actual closure depends entirely on deployment, and attackers continue to find unpatched instances months after fixes ship. The CyberSip monitoring strip exists specifically to track this gap. A flaw dropping out of the strip after seven days does not mean it is resolved everywhere, only that it is no longer fresh news.
02
Network and security management platforms remain the most consistently targeted product category in 2026
Cisco SD-WAN Manager has now had eight actively exploited zero-days in a single year. FortiSandbox has had at least four critical vulnerabilities exploited or actively targeted since April. Ivanti Sentry, Ivanti EPMM, Veeam Backup, and FortiClient EMS have all appeared in this brief with critical exploited flaws since May. These products share a common trait: they sit inside the management and security layer of enterprise environments, with the kind of broad access and elevated trust that makes their compromise more consequential than a typical application server. Attacker research effort tends to follow the products that, once compromised, yield the broadest access. That has clearly been the management and security layer in 2026, not the application layer.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.