June 2026 was a brutal month for anyone who runs internet-facing infrastructure. A run of critical, actively-exploited vulnerabilities landed one after another, and the pattern was the same each time: a vendor publishes a patch, a technical writeup drops, and attackers are exploiting it in the wild within hours to days. Not weeks. Hours. This is a practical, no-fluff briefing on the June bugs that got hit, how they work, how to check if you are exposed, and exactly what to patch – with the commands and links you need to act.
If you only do one thing: check whether you run SimpleHelp, Citrix NetScaler, or Adobe ColdFusion on anything reachable from the internet, and patch those first. Detection and version checks are under each entry below.

The short version (TL;DR)
- SimpleHelp – CVE-2026-48558 (CVSS 10.0): unauthenticated auth bypass in the RMM tool. Forge a token, become a technician, own every managed endpoint. Added to CISA KEV June 29, exploited with the TaskWeaver loader.
- Citrix NetScaler – CVE-2026-8451 (“CitrixBleed 3”): unauthenticated memory leak that spills session tokens. Public PoC, exploited within days of the late-June disclosure. Patch and rotate sessions.
- Adobe ColdFusion – CVE-2026-48282: path traversal leading to unauthenticated RCE. Exploited minutes after a public writeup. On the CISA KEV list.
- Windows Defender – CVE-2026-50656 (“RoguePlanet”): local privilege escalation to SYSTEM, public PoC, and the patch itself has a nasty side effect. Auto-updated via the malware engine.
- The theme of 2026: time-to-exploit has collapsed. Treat any internet-facing CVE with a public PoC as “patch today,” not “patch this sprint.”

1. SimpleHelp – CVE-2026-48558 (CVSS 10.0)
What it is: SimpleHelp is a remote monitoring and management (RMM) tool that managed service providers use to control thousands of client endpoints from one console. The flaw is an authentication bypass in its OIDC login flow: when OIDC is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. A remote, unauthenticated attacker can mint a forged token with arbitrary identity claims, land a fully authenticated technician session, and in some configurations bypass MFA entirely.
Why it is urgent: this is a perfect CVSS 10.0 and a one-to-many disaster. A technician session on the RMM server means administrative control over every endpoint it manages – a classic supply-chain-style foothold. CISA added it to the Known Exploited Vulnerabilities catalog on June 29, 2026 with a 3-day deadline under BOD 26-04, and attackers were already deploying the TaskWeaver loader malware through compromised SimpleHelp instances (Threat-Modeling.com).
Are you exposed and were you hit?
# Shodan: internet-exposed SimpleHelp servers
http.title:"SimpleHelp" OR http.favicon.hash:<SimpleHelp favicon>
# In the admin console: review Technicians / Administrators for accounts
# you did not create, and check auth logs for OIDC logins with no
# matching event on your identity provider (IdP) side.What to do:
- Update SimpleHelp to the fixed release per the vendor security advisory immediately.
- Assume technician sessions may be forged: rotate technician credentials and API tokens, and remove any unrecognized accounts.
- Hunt managed endpoints for the TaskWeaver loader and other post-exploitation activity, and restrict the SimpleHelp server to a dedicated admin network – it should not be broadly internet-exposed.
Reference: NVD – CVE-2026-48558 · Vulnerability intelligence report (June 30, 2026)
2. Citrix NetScaler – CVE-2026-8451 (“CitrixBleed 3”)
What it is: a memory overread in Citrix NetScaler ADC and NetScaler Gateway when configured for SAML. An unauthenticated attacker sends a crafted request and the appliance leaks chunks of its own memory back in the response – including the NSC_TASS cookie and other session material. If that sounds familiar, it should: this is the same class of bug as the original CitrixBleed, which fed directly into major intrusions.
Why it is urgent: disclosed at the end of June 2026, with in-the-wild exploitation following within days – a window measured in hours, not weeks. A working proof of concept is public (CVSS 8.8), and threat intel saw dozens of distinct attacking IPs almost immediately (see the CrowdSec tracking report). The most common goal in the telemetry is infrastructure takeover.
Are you exposed? Find internet-facing NetScaler with a Shodan/Censys sweep and check your build on the CLI:
# Shodan: exposed NetScaler / Citrix Gateway login pages
http.title:"Citrix Gateway" OR http.html:"NSC_TASS"
# On the appliance CLI - confirm your firmware build
show version
# Vulnerable if below 14.1-72.61 or 13.1-63.18 (apply your branch's fixed build)What to do:
- Upgrade to NetScaler 14.1-72.61 / 13.1-63.18 or later (apply the current fixed build for your branch).
- Patching is not enough on its own. Like CitrixBleed, leaked tokens keep working after the patch – after upgrading, run
kill aaa session -allandkill icaconnection -all, and rotate/invalidate tokens. - Hunt your logs for anomalous requests to the SAML endpoints and any authenticated sessions from unexpected geolocations before you patched.
Reference: NVD – CVE-2026-8451 · CrowdSec exploitation report
3. Adobe ColdFusion – CVE-2026-48282
What it is: a path traversal vulnerability that a remote, unauthenticated attacker can chain into arbitrary code execution by sending a crafted HTTP request to upload a malicious file to a web-accessible location. It was one of ten critical ColdFusion bugs Adobe patched in late June 2026.
Why it is urgent: exploitation was detected within days, mere minutes after researchers published a technical analysis – a textbook example of how fast a public writeup gets weaponized (Help Net Security). CISA added it to the Known Exploited Vulnerabilities catalog. One mitigating detail: the most dangerous path requires ColdFusion’s RDS to be enabled with authentication disabled (not the default), but do not bet your web root on that.
Are you exposed and were you hit? Find ColdFusion, confirm the update, and hunt for dropped files:
# Shodan: exposed ColdFusion admin
http.component:"Adobe ColdFusion" OR http.html:"/CFIDE/administrator"
# Hunt for attacker-dropped webshells in the web root and CFIDE
find /path/to/webroot /path/to/CFIDE -type f \( -name "*.cfm" -o -name "*.cfml" -o -name "*.jsp" \) -mtime -14 -ls
# Patch to: ColdFusion 2025 Update 10 OR ColdFusion 2023 Update 21What to do:
- Upgrade to ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21.
- Make sure RDS is disabled, or at minimum has authentication enabled.
- If your server was internet-facing recently, hunt for indicators of compromise: unexpected files in the web root and
/CFIDE/, and any unfamiliar scheduled tasks.
Reference: NVD – CVE-2026-48282 · Exploitation detected (Help Net Security)
4. Windows Defender – CVE-2026-50656 (“RoguePlanet”)
What it is: an elevation-of-privilege flaw in the Windows Defender engine (CVSS 7.8) that lets an attacker go from a basic user to SYSTEM – full control of the machine – and it works even when real-time protection is turned off. It surfaced in June 2026 with a public PoC from the pseudonymous researcher NightmareEclipse, who has been in a running, very public feud with Microsoft over disclosure (Dark Reading).
The twist: Microsoft’s fix, delivered through the Malware Protection Engine, reportedly introduced a new problem. According to the researcher, defense-in-depth changes in mpengine.dll can leak a few bytes when opening files, and combined with SpyNet behavior may let an attacker exhaust all free disk space by triggering massive file writes (Ars Technica). So this is a patch you want, but one worth monitoring after it lands.
Confirm the engine actually updated (PowerShell):
# Check the Malware Protection Engine version on each endpoint
Get-MpComputerStatus | Select AMEngineVersion, AMProductVersion, AntivirusSignatureVersion
# Force an engine/signature update if it is behind
Update-MpSignature- The fix ships as an automatic Malware Protection Engine update – confirm your endpoints actually pulled it rather than assuming.
- Microsoft and CISA have not confirmed in-the-wild exploitation, but a public PoC exists, so treat it as high priority for privilege-escalation hardening.
- Watch disk-space metrics on endpoints after updating, given the reported side effect.
Reference: NVD – CVE-2026-50656 · Patch side-effect (Ars Technica)
Why everything is getting exploited so fast now
These bugs went from disclosure to active exploitation within days. That is not a coincidence, it is the new normal. Public PoCs drop alongside or right after the advisory, AI-assisted tooling turns a writeup into a working exploit quickly, and edge and management software is high-value because one unauthenticated bug equals a foothold into the whole network. If you want the bigger picture on how AI is accelerating this, we covered it in our piece on AI and the 2026 CVE flood.
The practical takeaway: stop treating “patch available” as the finish line and “exploited in the wild” as the starting gun. For internet-facing, unauthenticated, PoC-available bugs, those two events are now days apart at most.
Patch-now checklist
- Inventory internet-facing SimpleHelp, Citrix NetScaler, and ColdFusion instances today (Shodan/Censys queries above).
- Patch to the fixed versions listed, starting with anything unauthenticated and internet-reachable.
- For SimpleHelp, rotate technician credentials and API tokens and remove unrecognized accounts – a forged session survives a naive patch.
- After the Citrix patch, kill and rotate all sessions – the patch alone does not kill leaked tokens.
- Hunt ColdFusion web root and
/CFIDE/for dropped files if you were exposed. - Confirm Windows Defender engine updates deployed with
Get-MpComputerStatus, and watch endpoint disk space. - Cross-check the CISA KEV catalog and prioritize anything on it with a near-term deadline.
FAQ
Why is the SimpleHelp bug rated CVSS 10.0?
Because it is unauthenticated, trivial to exploit, and its blast radius is enormous. SimpleHelp is an RMM platform, so one forged technician session can mean administrative control over every endpoint the server manages. That combination of no auth, low complexity, and total impact is exactly what a perfect 10.0 describes.
Is CVE-2026-8451 really “CitrixBleed 3”?
It is the same class of bug – an unauthenticated memory disclosure in NetScaler that leaks session tokens – which is why responders reach for the CitrixBleed comparison. The critical lesson carries over too: patching does not retroactively kill tokens that already leaked, so you must rotate sessions after upgrading.
What is the CISA KEV catalog and why does it matter?
The Known Exploited Vulnerabilities catalog is CISA’s list of flaws confirmed to be exploited in the wild, each with a remediation deadline for US federal agencies. For everyone else it is a fantastic free priority feed: if a CVE is on KEV, it is being actively used, so it jumps to the front of your patch queue.
How do I know if I have already been hit?
Look for the product-specific indicators: unrecognized technician accounts and TaskWeaver activity for SimpleHelp, unexpected files in the ColdFusion web root and /CFIDE/, and unfamiliar authenticated sessions on NetScaler. For any device that was internet-facing and unpatched during the exploitation window, assume it may be compromised and investigate rather than hope.
Sources and further reading
- Threat-Modeling.com – Vulnerability intelligence report, June 30, 2026 (SimpleHelp CVE-2026-48558)
- HivePro – CISA KEV catalog additions, June 2026
- CrowdSec – CVE-2026-8451 Citrix NetScaler under active exploitation
- Help Net Security – Attackers exploit Adobe ColdFusion CVE-2026-48282
- Ars Technica – Windows Defender RoguePlanet patch side-effect
- CISA – Known Exploited Vulnerabilities catalog
Bottom line
SimpleHelp, Citrix, and ColdFusion were all hit within days of disclosure in June 2026, and RoguePlanet gives attackers an easy path to SYSTEM on Windows. None of these require a sophisticated adversary – public PoCs did the hard part. Inventory your edge and management software, patch in priority order, rotate what may have leaked, and get admin interfaces off the public internet. The gap between a patch dropping and a mass-exploitation wave is now measured in hours, so assume the clock started the moment the advisory went live.