Happy Friday! Since the last release notes, two previous IAI deliverables have preceded new known exploitation in our canary network: CVE-2026-25939 and CVE-2026-27760. Stay safe out there! The following are the release notes for the vulnerabilities the Initial Access team worked on this week:
The team developed an exploit for CVE-2026-50751, a critical authentication bypass in Check Point VPN gateways. This vulnerability was added to VulnCheck KEV on June 8, 2026, and has reportedly been used by threat actors deploying Qilin ransomware. Unfortunately, the software is widely deployed: our Censys query finds over 90,000 exposed gateways online.
Included with our exploit are Suricata and Snort rules, PCAPs, and integration with a VulnCheck-patched fork of an open-source Check Point VPN client for full tunnel establishment. To our knowledge, this is the first working "full path" implementation of its kind to be made available.
This week, the team added coverage for CVE-2026-53435, an authenticated deserialization vulnerability impacting Jenkins versions below 2.568 and LTS versions below 2.555.3. The vulnerability was disclosed on June 10, 2026, and exploitation soon followed on June 15, according to evidence shared by DefusedCyber. CVE-2026-53435 was then added to the VulnCheck KEV list, but it has yet to be added to the CISA KEV. Our Target Intelligence query identifies over 6,300 publicly exposed instances vulnerable to this issue. More broadly, our Censys query identifies over 50,000 Jenkins instances online.
Coverage includes an exploit, PCAPs, a Suricata rule, ASM queries, and a Docker target.
The team developed an exploit for CVE-2024-10915, an unauthenticated OS command injection affecting the D-Link ShareCenter NAS line (DNS-320, DNS-320LW, DNS-325, and DNS-340L). This vulnerability is well known to attackers: it was first added to VulnCheck KEV in November 2025 and first observed in our canary network in April 2026. The vulnerability has previously been associated with Mirai variants and ShadowV2.
Our exploit ships with a version scanner, a PCAP, Suricata and Snort detection rules, and ASM queries.
The team developed an exploit for CVE-2026-32985, an unauthenticated file upload vulnerability in Xerte Online Toolkits (XOT) that leads to remote code execution. VulnCheck CNA assigned this CVE to cover a Metasploit module published in August 2025. No evidence of exploitation exists, but the vulnerability has an especially high EPSS percentile of 0.98488. While not widely deployed across the internet, the product advertises its use across many higher education institutions.
With the exploit, our team delivered Snort and Suricata rules, a PCAP, and ASM queries.