Welcome to the June 2026 edition of the MEDITECH Customer Security Newsletter. This month, we provide critical updates on vulnerabilities added to federal catalogs and strategic intelligence on threat actors targeting essential infrastructure. Our goal is to provide you with actionable information and resources to strengthen your organization's security posture. This data has been gleaned from the review of public records on file with CISA, H-ISAC and Health Sector Cybersecurity Coordination Center (HC3) alerts. Please note the Talk To Us section, as we would like to tailor future editions of the newsletter to address specific concerns.
Known Exploited Vulnerabilities
Between May 13 and June 10, 2026, CISA added 27 vulnerabilities to its "Known Exploited Vulnerabilities" catalog. These additions are based on evidence of active exploitation in the wild. Because these vulnerabilities are frequent attack vectors for malicious actors, they pose a significant risk to organizational security.
| CVE (Severity) | Affected Product | Weakness / Impact |
|---|---|---|
| CVE-2026-20245 (High) | Cisco Catalyst SD-WAN Manager | Improper Encoding or Escaping (Root RCE via File Upload) |
| CVE-2026-7473 (High) | Arista Extensible Operating System (EOS) | Incomplete Comparison (Tunnel Decapsulation Bypass) |
| CVE-2026-11645 (Critical) | Google Chromium V8 Engine | Out-of-Bounds Read and Write (Sandbox Escape / RCE) |
| CVE-2026-50751 (Critical) | Check Point Security Gateway | Improper Authentication (IKEv1 VPN Key Exchange Bypass) |
| CVE-2026-42271 (Critical) | BerriAI LiteLLM AI Gateway | Command Injection (Privileged Host Command Execution) |
| CVE-2026-28318 (Medium) | SolarWinds Serv-U | Uncontrolled Resource Consumption (DoS via Deflate Compression) |
| CVE-2026-45247 (Critical) | Mirasvit Full Page Cache Warmer for Magento | Insecure Deserialization (Remote Code Execution) |
| CVE-2022-0492 (High) | Linux Kernel | Improper Authentication (cgroups v1 Privilege Escalation) |
| CVE-2025-48595 (High) | Android Framework | Integer Overflow (Local Privilege Escalation) |
| CVE-2024-21182 (Critical) | Oracle WebLogic Server | Unspecified Vulnerability (T3/IIOP Remote Code Execution) |
| CVE-2026-0257 (Critical) | Palo Alto Networks PAN-OS GlobalProtect | Authentication Bypass (VPN Cookie Forgery) |
| CVE-2026-8398 (High) | Daemon Tools Lite | Embedded Malicious Code (Software Supply Chain Compromise) |
| CVE-2026-45321 (Medium) | TanStack Router | Unspecified Flaw (Malicious npm Credential Harvesting) |
| CVE-2026-48027 (High) | Nx Console Developer Extension | Embedded Malicious Code (Developer Secret Exfiltration) |
| CVE-2026-48172 (High) | LiteSpeed cPanel Plugin | Privilege Escalation (Local Root Shell Execution) |
| CVE-2026-9082 (Critical) | Drupal Core | SQL Injection (Database Abstraction API RCE) |
| CVE-2025-34291 (Medium) | Langflow AI Framework | Origin Validation Error (Permissive CORS & SameSite Bypass) |
| CVE-2026-34926 (High) | Trend Micro Apex One (On-Premise) | Directory Traversal (Endpoint Agent Tampering) |
| CVE-2008-4250 (Critical) | Microsoft Windows Server Service | Buffer Overflow Vulnerability (Remote Code Execution / MS08-067) |
| CVE-2009-1537 (High) | Microsoft DirectX | NULL Byte Overwrite Vulnerability |
| CVE-2009-3459 (Critical) | Adobe Acrobat and Reader | Heap-Based Buffer Overflow Vulnerability |
| CVE-2010-0249 (High) | Microsoft Internet Explorer | Use-After-Free Vulnerability (Aurora Campaign Vector) |
| CVE-2010-0806 (Critical) | Microsoft Internet Explorer | Use-After-Free Vulnerability |
| CVE-2026-41091 (High) | Microsoft Defender | Elevation of Privilege Vulnerability |
| CVE-2026-45498 (Medium) | Microsoft Defender | Denial of Service Vulnerability |
| CVE-2026-42897 (High) | Microsoft Exchange Server | Cross-Site Scripting (OWA Spoofing / Session Abuse) |
| CVE-2026-20182 (Critical) | Cisco Catalyst SD-WAN Controller | Improper Authentication (Administrative vHub Peer Bypass) |
Threat Actor Spotlight: Silent Ransom Group (SRG)
A sophisticated and highly aggressive corporate data-theft campaign orchestrated by the Silent Ransom Group (also tracked as Luna Moth, Chatty Spider, or UNC3753) has rapidly expanded its footprint across multiple industries. While historically focused almost exclusively on U.S. law firms, the financially motivated threat group has aggressively scaled its operations into the healthcare, insurance, and financial services sectors, utilizing an alarming mix of cyber and physical tactics.
Operating entirely as an extortion-only outfit, the group completely bypasses the traditional deployment of file-encrypting ransomware. Instead, their playbook relies on an extraordinarily aggressive dual-track social engineering framework to exfiltrate critical corporate and patient data:
- Vishing and Remote Management Abuse: Attackers launch targeted voice-phishing (vishing) calls and deceptive email campaigns while impersonating internal IT help desk personnel. They pressure employees into initiating remote screen-sharing sessions to "address urgent security compliance or system updates," utilizing legitimate, unmonitored remote monitoring and management (RMM) utilities like AnyDesk, Zoho Assist, Atera, or Splashtop to quietly harvest and stage internal files.
- Onsite Physical Intrusions: In a highly unusual tactical departure from conventional cybercrime ecosystems, the group deploys physical, in-person operatives directly to corporate workspaces if initial remote access attempts fail or raise suspicion. Disguised as local IT contractors or technicians sent to perform manual system backups, these threat actors walk straight into physical offices and insert external hard drives or USB media into endpoints to drain data directly from localized workstations.
Once the group successfully aggregates sensitive data, they move files off-network using hidden or altered versions of standard data-transfer tools like WinSCP or Rclone to private cloud repositories. Within hours, the group issues a strict 72-hour extortion demand, threatening to publicly leak the stolen files or contact external clients, partners, and patients directly to maximize psychological leverage if a payout is not negotiated.
Defending against this multifaceted hybrid threat requires a tight integration of technical and physical safeguards. Corporate network environments must enforce mandatory, out-of-band identity verification loops for any internal IT service request and block unauthorized RMM software execution. On the physical security front, organizations must strictly log all visitors, mandate multi-factor identification before allowing access to terminal hardware, and implement group policies that entirely disable removable USB and external storage media execution on corporate endpoints.
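The RMM abuse and staged file transfers described above are the points where endpoint telemetry gives defenders a chance to catch this activity before the 72-hour demand arrives. The following Python script is an added example, not part of the newsletter or any MEDITECH tooling: it scans constructed Windows 4688-style process-creation records for the RMM and transfer tools named above, treats one Atera install path as the only sanctioned RMM (an assumption), and flags rclone-style copy syntax launched from user-writable paths, which also covers the renamed-binary case the group relies on.

```python
import re

# Tool names taken from the spotlight above, matched case-insensitively
# against the executable path and command line.
RMM_TOOLS = ("anydesk", "zoho", "atera", "splashtop")
EXFIL_TOOLS = ("winscp", "rclone")
# Assumption: the only sanctioned RMM install in this environment.
APPROVED_RMM_PATHS = ("c:\\program files\\atera networks\\",)
# rclone-style "copy <src> <remote>:<path>" invocations, whatever the binary is called.
RCLONE_SYNTAX = re.compile(r"\b(copy|sync|move)\s+\S+\s+\w+:", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp)\\", re.IGNORECASE)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Parse one key=value record into a dict (quoted values may contain spaces)."""
    return {k: q if q else v for k, q, v in KV_RE.findall(line)}

def classify(event):
    """Return the list of rule names that fire for one process-creation event."""
    path = event.get("NewProcessName", "").lower()
    cmd = event.get("CommandLine", "")
    findings = []
    if any(t in path for t in RMM_TOOLS) and not path.startswith(APPROVED_RMM_PATHS):
        findings.append("unapproved RMM tool")
    if any(t in path or t in cmd.lower() for t in EXFIL_TOOLS):
        findings.append("known transfer tool")
    if RCLONE_SYNTAX.search(cmd) and USER_WRITABLE.search(path):
        findings.append("rclone-style transfer from user-writable path")
    return findings

def scan(log_text):
    """Return (user, process, findings) for every 4688 event that triggers a rule."""
    hits = []
    for line in log_text.splitlines():
        if "EventID=4688" not in line:
            continue
        ev = parse_event(line)
        findings = classify(ev)
        if findings:
            hits.append((ev.get("User"), ev.get("NewProcessName"), findings))
    return hits

# Constructed sample events in a 4688-like key=value export (not real telemetry).
SAMPLE_LOG = r"""
EventID=4688 User=CORP\jdoe NewProcessName="C:\Users\jdoe\Downloads\AnyDesk.exe" ParentProcessName="C:\Windows\explorer.exe"
EventID=4688 User=CORP\svc NewProcessName="C:\Program Files\Atera Networks\AteraAgent\AteraAgent.exe" ParentProcessName="C:\Windows\System32\services.exe"
EventID=4688 User=CORP\jdoe NewProcessName="C:\Users\jdoe\AppData\Local\Temp\svchost.exe" CommandLine="svchost.exe copy C:\Share\patients remote:backup" ParentProcessName="C:\Windows\System32\cmd.exe"
EventID=4688 User=CORP\asmith NewProcessName="C:\Windows\System32\notepad.exe" ParentProcessName="C:\Windows\explorer.exe"
"""

if __name__ == "__main__":
    for user, proc, findings in scan(SAMPLE_LOG):
        print(f"{user}: {proc} -> {', '.join(findings)}")
```

The sanctioned Atera agent is skipped while the user-downloaded AnyDesk and the renamed rclone-style copy in Temp are both reported; in production the same rules would run over an EDR or SIEM process-creation feed rather than the embedded sample.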
News
New CISA Submission Portal Streamlines Community Reporting of Actively Exploited Vulnerabilities
CISA has upgraded its Known Exploited Vulnerabilities (KEV) ecosystem by introducing a standardized web nomination form that allows public and private sector researchers to directly submit evidence of active, real-world vulnerability exploitation.
Navigating HIPAA Changes: Why Device Inventory and PHI Mapping are the Next Big Hurdles for Health IT
Health-ISAC’s Phil Englert warns that comprehensive device inventory tracking and end-to-end PHI mapping will be the two most challenging operational hurdles for healthcare CISOs when the upcoming HIPAA Security Rule updates take effect.
Additional Resources
- HHS 405(d) Aligning Health Care Industry Security Approaches - The 405(d) Program and Task Group is a collaborative effort between industry and the federal government, which aims to raise awareness, provide vetted cybersecurity practices, and move healthcare organizations towards consistency in mitigating the current most pertinent cybersecurity threats to the sector. Their website provides the latest resources and information as well as an opportunity for involvement.
- Helpful resources CISA has provided can be found on the following pages:
Talk to us!
We at MEDITECH would love to hear your feedback about this newsletter and we’d like to know what is on your mind. Is there something you would like us to address?
We also have a question for you that is important to us. What are your largest concerns or security hopes for 2026?
Please let us know by contacting us!
Until next time, stay alert out there!
