The Lyceum: Cyber Intelligence Daily — Jun 10, 2026
Past 3 Days — June 10, 2026
The Big Picture
This is the week patch fatigue met adversarial patience, and patience won. Microsoft shipped the largest Patch Tuesday in its history — over 200 fixes and three publicly disclosed zero-days from a single researcher waging a one-man protest war against the company — while ServiceNow quietly patched a live breach four days before telling anyone, ransomware crews ran a Check Point VPN zero-day for over a month before disclosure, and Russian APTs kept living inside a WinRAR flaw that's been patchable for nearly a year. The headline isn't the new vulnerabilities. It's that the gap between "patch exists" and "you're actually safe" has stretched into the territory where attackers simply live in it.
What Just Dropped
- CVE-2026-50751 — Check Point Security Gateway (IKEv1 key exchange): actively exploited, ransomware-linked, in CISA KEV (maturity 3/commoditized). Authentication bypass on the VPN handshake; federal patch deadline is Wednesday, June 11.
- CVE-2026-44963 — Veeam Backup & Replication v12 through build 12.3.2.4465: patched in 12.3.2.4854 (v13.x unaffected). CVSS 9.4; an authenticated domain user can run code on the backup server.
- CVE-2026-11645 — Google Chromium V8: actively exploited, in CISA KEV. Out-of-bounds read/write enabling remote code execution via a crafted page.
- CVE-2026-7473 — Arista EOS (tunnel endpoint config): actively exploited, in KEV, no patch planned — mitigation or device retirement only.
- CVE-2026-28318 — SolarWinds Serv-U: in KEV (maturity 2/operational). Uncontrolled resource consumption via crafted POST requests.
- IronWorm — a self-propagating npm supply-chain worm that compromised 36 packages in the last 24 hours; spreading through the JavaScript package registry. First reported in Russian-language press, no English coverage yet.
- Miasma worm — compromised 73 of Microsoft's own GitHub repos across Azure, microsoft, Azure-Samples, and MicrosoftDocs, planting an infostealer and disrupting CI/CD pipelines.
This Week's Stories
Microsoft's Record Patch Tuesday: 200 Fixes, Three Zero-Days, and a Researcher on a Rampage
Tuesday was the most important patch day of the year. Microsoft shipped fixes for roughly 200 CVEs — its largest release since the Patch Tuesday program began — with three publicly disclosed zero-days. Security Affairs and CyberScoop put the total slightly higher at 206–208 depending on how Azure and Office advisories are counted; the order of magnitude is what matters.
All three zero-days trace to one researcher operating as "Nightmare Eclipse" (also "Chaotic Eclipse"), who has been dropping Windows exploits like protest flyers over Microsoft's bug bounty practices. Two of them — GreenPlasma and MiniPlasma — are privilege escalation flaws in Windows' Collaborative Translation Framework and Cloud Files Mini Filter Driver. They hand a local attacker a SYSTEM shell on a fully patched machine: the highest privilege level on Windows, above administrator, able to disable antivirus and survive reboots. The third, YellowKey (CVE-2026-45585), lets an attacker with physical access bypass BitLocker on Windows 11 and Server 2022/2025 — the full-disk encryption organizations trust to protect lost laptops.
The GreenPlasma/MiniPlasma pair is exactly the kind of escalation tool that gets bolted onto phishing campaigns, requiring no physical access. Per Trend Micro's Zero Day Initiative, Nightmare Eclipse has promised a "bone shattering" drop on June 14. Watch whether Microsoft negotiates before then; if a fresh zero-day lands, the multi-day window before an out-of-band fix will show up in incident-response telemetry by month's end. Apply the June updates now.
ServiceNow Was Breached Before It Told You
ServiceNow is the platform your IT department uses to track every support ticket, security incident, and access request. When attackers exploit an unauthenticated API endpoint to query customer instance data, it's your data on the line.
The root cause was almost insultingly simple: a Scripted REST Resource shipped with requires_authentication set to false — a single flag that let the endpoint accept requests with no session, token, or credential. According to Triskele Labs, observed activity traces to June 2–3. ServiceNow patched hosted instances on June 5 and disclosed publicly on June 9 — a four-day gap during which enterprise customers had no way to assess exposure they weren't told about, as AI Weekly first flagged.
What changes if a CVE gets assigned: a high CVSS rating would trigger mandatory patching timelines under SOC 2, FedRAMP, and HIPAA, and could force retroactive breach-notification reviews. None has been assigned yet. The issue affects customers on the Australia platform release or those who made certain config changes on earlier releases. If you run ServiceNow, search transaction logs for requests to /api/now/related_list_edit/create from IP 51.159.98.241 — the attacker IP circulating in admin communities — and verify directly rather than assuming silence means safety.
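One way to turn that hunt into a repeatable check, as an added example that is not ServiceNow's tooling or part of the original post: it scans a CSV export of transaction logs for the two signals the story gives (the circulating attacker IP, and requests to the endpoint that carry no authenticated user). The column names in the sample export are an assumption about how you exported the log, and the sample rows are constructed.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Indicators quoted in the ServiceNow write-up above.
SUSPECT_PATH = "/api/now/related_list_edit/create"
SUSPECT_IP = ipaddress.ip_address("51.159.98.241")

# Constructed sample of a transaction-log CSV export. The columns
# (created, client_ip, user, url, status) are an assumed export layout,
# not ServiceNow's documented schema; map your own export onto them.
SAMPLE_EXPORT = """created,client_ip,user,url,status
2026-06-02T03:14:07Z,51.159.98.241,,/api/now/related_list_edit/create,200
2026-06-02T03:14:09Z,51.159.98.241,,/api/now/related_list_edit/create,200
2026-06-02T09:00:01Z,10.20.30.40,jdoe,/api/now/table/incident,200
2026-06-03T11:42:55Z,203.0.113.9,,/api/now/related_list_edit/create,200
2026-06-03T12:00:00Z,10.20.30.41,asmith,/api/now/related_list_edit/create,200
"""


@dataclass(frozen=True)
class Hit:
    created: str
    client_ip: str
    user: str
    url: str
    reasons: tuple


def hunt(export_text: str) -> list:
    """Return rows matching either indicator, tagged with why they matched.

    The second signal matters more than the IP: a request to the vulnerable
    resource with an empty user field is what requires_authentication=false
    looks like in the log, regardless of where the request came from.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = []
        try:
            if ipaddress.ip_address(row["client_ip"].strip()) == SUSPECT_IP:
                reasons.append("known attacker ip")
        except ValueError:
            pass  # malformed or empty client_ip column; skip the IP check
        if row["url"].startswith(SUSPECT_PATH) and not row["user"].strip():
            reasons.append("unauthenticated request to vulnerable endpoint")
        if reasons:
            hits.append(Hit(row["created"], row["client_ip"], row["user"],
                            row["url"], tuple(reasons)))
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EXPORT):
        print(h.created, h.client_ip, h.url, "; ".join(h.reasons))
```

The fourth sample row is the one worth noticing: a different source address, same unauthenticated call, which an IP-only search would miss.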
Check Point VPN Zero-Day Was Ransomware's Secret Weapon for 35+ Days
CVE-2026-50751 is the only ransomware-linked entry in this week's KEV batch, and it's already commoditized. The flaw lives in Check Point Security Gateway's IKEv1 key exchange — the handshake that establishes a VPN tunnel — and lets an attacker reaching the endpoint bypass authentication without valid credentials.
Per Xakep's Russian-language reporting, ransomware operators exploited this as a zero-day for over a month before a patch existed. JPCERT/CC issued its own advisory this week, and the CISA federal deadline is Wednesday, June 11 — meaning agencies are right at the wire as you read this.
If you haven't patched, this isn't a future risk — it's a possible active compromise. The 35-plus-day window means anyone still exposed should treat this as a hunt, not a maintenance task. Review VPN authentication logs back to early May for anomalous access. If federal agencies miss tomorrow's deadline at scale, expect a CISA emergency directive within days, and the operators who had a clean month inside government networks will have had a very productive spring.
Ivanti Sentry: CVSS 10.0, No Authentication Required, Root Access
Ivanti is back. Again. The company patched two critical flaws in Sentry, its secure mobile gateway, including CVE-2026-10520 — a maximum-severity OS command injection that lets an unauthenticated attacker execute code as root. The companion bug, CVE-2026-10523, is an authentication bypass that allows rogue admin account creation.
Sentry sits between a company's mobile fleet and internal systems like Microsoft Exchange, enforcing which devices can reach what. Compromising it hands attackers a direct path inward — and Sentry works alongside Ivanti EPMM, so the blast radius extends across the whole mobile-access architecture.
Ivanti says there's no evidence of exploitation yet and shipped fixes in versions R10.5.2, R10.6.2, and R10.7.1. "No evidence yet" against a CVSS 10 pre-auth bug is a countdown, not a reassurance. The observable signal will be GreyNoise scanning spikes against Sentry endpoints, which Ivanti's history suggests arrive within days. Patch before the weekend.
⚡ What Most People Missed
Gamaredon and UAC-0226 are still living inside WinRAR a year after the patch: Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord documented two Russia-aligned campaigns still exploiting CVE-2025-8088 against Ukraine. The detail worth hunting: both groups are migrating exfiltration off Telegram to dedicated HTTPS C2 servers — a shift that lines up with Russia throttling Telegram traffic since February 10, 2026, and one most Western detection rules haven't caught up to. Patch to WinRAR 7.13.
Veeam Backup & Replication joined the week's "protect the crown jewels" list: CVE-2026-44963 (CVSS 9.4) lets an authenticated domain user run code on backup servers. That condition sounds reassuring until you remember attackers usually get a low-level foothold first, then go hunting for the backup server — the closest thing an enterprise has to a disaster-recovery control panel. If your lifeboat falls, your recovery plan falls with it. Patched in 12.3.2.4854.
Arista EOS has an exploited KEV bug with no patch planned: CVE-2026-7473 is confirmed exploited in the wild against devices configured as tunnel endpoints, and Arista's guidance is to apply mitigations or discontinue the affected gear. This is the "no patch coming" scenario network teams dread; the KEV deadline is June 23.
OpenSSL dropped five new CVEs this week, including a double-free in TLS OCSP stapling (CVE-2026-35188) that could lead to code execution. OpenSSL is in nearly every TLS implementation on the internet, and this one is triggered by a malicious server response — meaning client-side apps connecting to attacker-controlled infrastructure are the primary risk surface.
A Chinese APT is making the cloud tenant the long-term beachhead: Mandiant reports UNC5221 using the Brickstorm backdoor in Microsoft 365 environments alongside two new families, Plenet and AgentPSD, specifically to maintain access in cloud and identity infrastructure after the initial break-in. Most coverage still treats M365 compromise as credential theft plus inbox rules; this is something far more durable.
From the Foreign Press
36 packages in npm attacked by a new worm, IronWorm
Russian security outlet Xakep reported this morning that a new self-propagating worm called IronWorm is moving through the npm JavaScript package registry, compromising packages and using them to spread further — 36 hit in the last 24 hours. This lands the same week as the Miasma worm against Microsoft's GitHub repos, making it the second registry-borne worm in a single news cycle. The package-registry-as-attack-surface model is no longer a one-off; it's a category. If you run Node.js applications, audit anything published or updated in the last 48 hours. Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
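The "audit anything published or updated in the last 48 hours" advice, as an added example that is not part of the original report or any npm tooling: it compares installed versions against each package's registry publish timestamps and flags both versions published inside the window and packages whose registry document was modified inside it. The package names, timestamps and the installed-version map are constructed; the registry "time" map shape is the one the public npm registry returns.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the audit is reproducible (assumed "now").
NOW = datetime(2026, 6, 10, 12, 0, tzinfo=timezone.utc)
WINDOW = timedelta(hours=48)

# Constructed stand-in for package-lock.json: name -> installed version.
INSTALLED = {"left-fixture": "2.4.1", "tiny-fixture": "1.0.3",
             "stable-fixture": "5.1.0"}

# Constructed stand-in for each package's registry document
# (https://registry.npmjs.org/<name>), reduced to its "time" map of
# version -> publish timestamp plus the "modified" entry. Names and
# timestamps are invented for the example.
REGISTRY_TIME = {
    "left-fixture": {"modified": "2026-06-09T22:17:03.000Z",
                     "2.4.0": "2026-01-15T10:00:00.000Z",
                     "2.4.1": "2026-06-09T22:17:03.000Z"},
    "tiny-fixture": {"modified": "2026-06-10T01:05:00.000Z",
                     "1.0.3": "2026-06-07T08:00:00.000Z",
                     "1.0.4": "2026-06-10T01:05:00.000Z"},
    "stable-fixture": {"modified": "2025-11-02T14:30:00.000Z",
                       "5.1.0": "2025-11-02T14:30:00.000Z"},
}


def parse_ts(s: str) -> datetime:
    """Registry timestamps are ISO 8601 with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def recent_activity(installed, registry_time, now=NOW, window=WINDOW):
    """Return {name: [reasons]} for packages touched inside the window.

    'installed version published' is the urgent case: the code you run was
    built recently. 'package modified' means a newer version appeared; you
    are not running it, but a floating range or a fresh install would be.
    """
    cutoff = now - window
    findings = {}
    for name, version in installed.items():
        times = registry_time.get(name, {})
        reasons = []
        if version in times and parse_ts(times[version]) >= cutoff:
            age_h = (now - parse_ts(times[version])).total_seconds() / 3600
            reasons.append(f"installed version {version} published {age_h:.1f}h ago")
        if "modified" in times and parse_ts(times["modified"]) >= cutoff:
            reasons.append("package modified within window")
        if reasons:
            findings[name] = reasons
    return findings
```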
Updated UAC-0057 toolkit: OYSTERFRESH, OYSTERSHUCK, OYSTERBLUES
CERT-UA published a fresh advisory cataloging three new malware families deployed by the cluster it tracks as UAC-0057, a group long associated with Belarus-aligned operations against Ukrainian and EU institutions. The continued OYSTER toolkit evolution matters because this cluster has a documented history of starting in Ukraine and pivoting to NATO supply chains within weeks — meaning Western defenders monitoring partner organizations should be ingesting these IOCs now, not after the Western trade press catches up. Source: CERT-UA — Ukrainian. No English-language coverage confirmed at time of publication.
Ransomware exploited a Check Point VPN 0-day for over a month
Xakep's Russian-language write-up on CVE-2026-50751 provides the operational color the English KEV listing doesn't: ransomware crews had a working exploit running against Check Point VPN endpoints for more than 35 days before a patch shipped. The reporting underscores why tomorrow's federal deadline is closing the barn door on a horse that's already toured the county — anyone still unpatched should assume active compromise, not pending risk. Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If Nightmare Eclipse delivers his promised "bone shattering" zero-day drop Sunday, June 14, it means Microsoft's monthly cadence is now operating inside an adversarial timeline it can't control — and unpatched Windows becomes perpetually exposed between Patch Tuesdays.
- If federal agencies miss tomorrow's Check Point KEV deadline at scale, a CISA emergency directive follows within days — and the ransomware crews with a 35-day head start will have had a clean run through government networks.
- If the IronWorm npm campaign produces a named victim at a major SaaS provider this week, the downstream Stripe, AWS, and CI/CD credential compromise wave will look indistinguishable from legitimate account activity.
- If ServiceNow assigns a CVE to the June 5 breach, the CVSS score determines whether HIPAA and FedRAMP customers face retroactive breach-notification reviews — a far bigger lift than a patch.
- If the Belgian agency's CVE-2026-41089 Netlogon exploitation claim gets independent telemetry while Microsoft still says it can't confirm, treat the patch-to-contested-exploitation window as short enough to warrant live-fire response regardless of vendor consensus.
The Closer
A lone researcher mailing Microsoft a zero-day a month like a ransom note that pays him nothing, France's bespoke "secure" chat app undone by one borrowed login, and a worm cheerfully strolling through npm packages while a different worm loots Microsoft's own GitHub next door. Somewhere a CISO is reading that backups are now an attack surface, the firewall is now an attack surface, and the antivirus is now an attack surface, and quietly wondering whether the only thing left to defend is the air gap they decommissioned in 2019. Patch what you can; assume the rest.
Forward this to the friend who still thinks their VPN is the safe part.