
Vulnerability Watchlist: Week Ending 28 June 2026

June 29, 2026 Reading Time: 4 minutes

Every week we track what lands in the CISA Known Exploited Vulnerabilities (KEV) catalogue, the list of flaws that attackers are actively using in the wild. These aren’t theoretical risks sitting in a researcher’s notebook. They’re confirmed in-use, which is exactly why they deserve a place at the top of your patching queue.

The week ending 28 June 2026 added six new entries, right in line with the recent 13-week average of about 5.8, so an ordinary week by volume. The severity mix is anything but: five Critical and one High, all six rated actionable, and every one of them already past its CISA remediation deadline. There are no ransomware links this week, but three perfect-10.0 flaws in a single product and a clean sweep of overdue entries put the overall risk for the week at Critical.

The headline issues

The story this week is Ubiquiti UniFi OS, which picked up three separate CVSS 10.0 flaws in the same disclosure: all network-reachable, all requiring no authentication and no user interaction, and all now three days past their 26 June deadline.

CVE-2026-34910 — Ubiquiti UniFi OS (improper input validation) is the one to fix first. It’s a maximum-severity 10.0, and it carries the highest modelled exploitation likelihood of the entire week, sitting in the top 1% (around the 99.5th EPSS percentile). An attacker with network access can use the input-validation flaw to achieve command injection on the device.

CVE-2026-34908 — Ubiquiti UniFi OS (improper access control), also CVSS 10.0, lets a network-based attacker make unauthorized changes to the system with no credentials required.

CVE-2026-34909 — Ubiquiti UniFi OS (path traversal) rounds out the trio at CVSS 10.0. It lets a network-based attacker read files on the underlying system, and what is read can then be used to reach an account on that system.

Three maximum-severity flaws in one widely deployed network OS, all unauthenticated and all overdue, is not a combination to sit on. If you run UniFi, patch to the fixed release now.

The rest of the watchlist

Three more vulnerabilities rounded out the week; two Critical and one High, all of them already past deadline:

  • CVE-2025-67038 — Lantronix EDS5000. A code injection flaw, CVSS 9.8, that lets an attacker inject arbitrary OS commands through the username parameter — and those commands run with root privileges. Unauthenticated, network-based and low complexity. It’s three days past its 26 June deadline.

  • CVE-2026-12569 — PTC Windchill and FlexPLM. An improper input validation and unsafe-deserialization flaw, CVSS 9.8, that lets an unauthenticated remote attacker execute arbitrary code by sending a crafted request over the network. One day past its 28 June deadline.

  • CVE-2026-20230 — Cisco Unified Communications Manager. The week’s only High at CVSS 8.6, but its 99th-percentile exploitation likelihood is why it earns a place above the noise. The server-side request forgery (SSRF) flaw in Unified CM and Unified CM SME lets an unauthenticated remote attacker write files to the underlying OS — a foothold that can later be used to elevate to root. One day past its 28 June deadline.

What to do with this

The pattern this week is unusual: every single entry is already overdue. There’s no “schedule it for next sprint” tier; all six are past their CISA deadline, so the sequencing is about your exposure, not remaining runway. Start with the Ubiquiti UniFi OS trio, leading on CVE-2026-34910 for its top-1% exploitation likelihood, then the two remaining 10.0s. The Lantronix and PTC criticals follow — both unauthenticated remote code execution — and the Cisco Unified CM SSRF rounds things out, worth pulling forward given how likely it is to be exploited.

A quick caveat worth repeating: the KEV catalogue tells you what’s being exploited, not what’s present in your environment. Absence from this list is not evidence of safety, and the list itself is not a substitute for understanding your own asset inventory. The right move is always to map these CVEs against what you actually run, then patch in priority order.
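The mapping step above is where most teams lose time, so here is an added example of how to do it mechanically. This is example code written for this post, not a tool from the watchlist or from Secora Consulting. It uses the field names of CISA’s KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse), but the six entries are constructed to mirror the CVEs named above; CVSS scores are taken from the post, EPSS percentiles are filled in only where the post states one, and the asset inventory is a constructed placeholder for your own.

```python
"""Prioritise a week's KEV additions against an asset inventory.

Added example for the watchlist post; not the post's or Secora Consulting's
own tooling. KEV_WEEK is a constructed subset shaped like CISA's
known_exploited_vulnerabilities.json; ENRICHMENT holds CVSS from the post and
EPSS percentiles only where the post gives one; INVENTORY is a placeholder
for the reader's real asset list.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed KEV entries for the week ending 28 June 2026 (field names as in the real feed).
KEV_WEEK = [
    {"cveID": "CVE-2026-34910", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "dueDate": "2026-06-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "dueDate": "2026-06-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34909", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "dueDate": "2026-06-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-67038", "vendorProject": "Lantronix", "product": "EDS5000",
     "dueDate": "2026-06-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-12569", "vendorProject": "PTC", "product": "Windchill and FlexPLM",
     "dueDate": "2026-06-28", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-20230", "vendorProject": "Cisco", "product": "Unified Communications Manager",
     "dueDate": "2026-06-28", "knownRansomwareCampaignUse": "Unknown"},
]

# The KEV feed carries neither CVSS nor EPSS, so they are joined in from elsewhere.
# CVSS from the post; EPSS percentile only where the post states it (None = not given).
ENRICHMENT = {
    "CVE-2026-34910": (10.0, 99.5),
    "CVE-2026-34908": (10.0, None),
    "CVE-2026-34909": (10.0, None),
    "CVE-2025-67038": (9.8, None),
    "CVE-2026-12569": (9.8, None),
    "CVE-2026-20230": (8.6, 99.0),
}

# Constructed inventory: (vendor, product) pairs this organisation actually runs.
# Lantronix is deliberately absent so the filter has something to drop.
INVENTORY = {
    ("Ubiquiti", "UniFi OS"),
    ("PTC", "Windchill"),
    ("Cisco", "Unified Communications Manager"),
}


@dataclass
class PatchItem:
    cve: str
    vendor: str
    product: str
    cvss: float
    epss_pct: Optional[float]
    days_overdue: int  # negative means the CISA due date is still ahead


def in_inventory(entry: dict, inventory: set) -> bool:
    """Case-insensitive vendor match plus a substring match on product, so an
    inventory row 'Windchill' matches the feed's 'Windchill and FlexPLM'."""
    vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
    return any(vendor == iv.lower() and (ip.lower() in product or product in ip.lower())
               for iv, ip in inventory)


def prioritise(kev: list, enrichment: dict, inventory: set, today: date) -> list:
    """Return the KEV entries we actually run, ordered for patching:
    overdue first, then CVSS, then EPSS percentile (unknown sorts last), then CVE id."""
    items = []
    for entry in kev:
        if not in_inventory(entry, inventory):
            continue  # KEV says what is exploited; the inventory says what is ours
        cvss, epss = enrichment.get(entry["cveID"], (0.0, None))
        overdue = (today - date.fromisoformat(entry["dueDate"])).days
        items.append(PatchItem(entry["cveID"], entry["vendorProject"], entry["product"],
                               cvss, epss, overdue))
    items.sort(key=lambda i: (i.days_overdue <= 0,            # False (overdue) sorts first
                              -i.cvss,
                              -(i.epss_pct if i.epss_pct is not None else -1.0),
                              i.cve))
    return items


if __name__ == "__main__":
    for rank, item in enumerate(prioritise(KEV_WEEK, ENRICHMENT, INVENTORY, date(2026, 6, 29)), 1):
        epss = f"{item.epss_pct:.1f}th pct" if item.epss_pct is not None else "EPSS n/a"
        print(f"{rank}. {item.cve} {item.vendor} {item.product}: CVSS {item.cvss}, "
              f"{epss}, {item.days_overdue} day(s) past due")
```

Run against the post’s publication date the output reproduces the order argued for above: the UniFi OS trio led by CVE-2026-34910, then PTC, then the Cisco SSRF, with the Lantronix entry dropped because nothing in the constructed inventory runs it. Swap KEV_WEEK for the real feed and INVENTORY for your CMDB export and the same logic holds; the join to CVSS and EPSS is the only part you need to source separately.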

If you’d like the full per-vulnerability breakdown, download the complete report, available below.

Get the full report

A complete per-vulnerability breakdown: exploit mechanics, CVSS and EPSS scoring, remediation deadlines and direct links to every vendor advisory.

Download the PDF

No sign-up required

This summary is provided for information purposes and reflects the CISA KEV catalogue as it stood for the period 22–28 June 2026. The threat landscape changes continually, so scores and deadlines may have moved since publication. Always obtain patches and guidance directly from the vendor.

If you are concerned that you may be affected by any of the vulnerabilities in this report and would like independent assurance, you can get in touch with our testing team via the contact form below.

Let's Talk About Your Project

Leave us your details and one of our team will reach out to explore how we can assist with your cybersecurity requirements.

Postal address

The BASE Enterprise Centre

Railway Road

Stranorlar

Co. Donegal

Ireland

F93 VAK6

Phone number
IE: +353 74 970 7876 | UK: +44 20 4538 2818


You can reach us any time at info@secoraconsulting.com or by phone on +353 74 970 7876.