ENKVA #010 — CISA's BOD 26-04 rewrites the KEV patch clock
CISA published Binding Operational Directive 26-04, "Prioritizing Security Updates Based on Risk," on June 10. If you use the KEV catalog as a patch SLA, this changes the clock. BOD 22-01 gave every KEV entry the same flat deadline. BOD 26-04 replaces that with a deadline that depends on how exploitable and how exposed the bug actually is.
The directive ranks each vulnerability on four questions. Asset Exposure: is the vulnerable asset publicly exposed? KEV Status: is the CVE on CISA's Known Exploited Vulnerabilities Catalog? Exploit Automation: "Is an adversary able to automate all the steps necessary to exploit the vulnerability?" Technical Impact: "Does an adversary gain partial control or total control of the vulnerable asset after exploitation?" The worse the answers, the shorter the window. A bug that hits all four — internet-facing, on KEV, fully automatable, and granting total control — gets three days, and the agency must also run a forensic triage of the asset to check whether it was already compromised. The directive notes "Days are calendar days," and the clock starts when CISA adds the CVE to KEV or the agency finds it on an asset, whichever comes first.
You can see the tiering in this week's KEV additions. CISA added five CVEs to the catalog between June 11 and June 16. The four unauthenticated, internet-reachable ones drew short, three-day windows: Ivanti Sentry (added June 11, due June 14), Oracle PeopleSoft (June 12, due June 15), the LiteSpeed cPanel plugin (June 15, due June 18), and a Joomla content-editor bug (June 16, due June 19). The one that needs an authenticated session — a Cisco Catalyst SD-WAN Manager file-write flaw — got two weeks, due June 29. Same catalog, different clocks, and the difference tracks exposure and automatability, not raw CVSS.
BOD 26-04 is binding only on federal civilian agencies, not on your clients. But it is the clearest public statement CISA has made about how it ranks exploitation risk, and the model is a better triage rubric than "patch the whole KEV list by one date." It also gives you language for client conversations: the bugs that earn a three-day response are the ones an attacker can reach from the internet and automate to take control. That is a sharper filter than severity alone — a CVSS 9.8 on an internal-only service can wait behind a 7.5 on an exposed gateway.
The directive's own milestones are worth noting if you support federal or FCEB-adjacent clients. Phase I is effective immediately: review and update vulnerability-management policies. Phase II lands within 60 days: update the procedures. Phase III is within 180 days of issuance: remediate on the new timelines and report status through the CDM dashboard. None of that binds a commercial MSP, but the prioritization logic in Phase I is the part worth copying now.
What to do this week:
- Re-rank your KEV-driven patch queue by the four signals, not by CVSS alone. Pull your KEV-mapped findings and sort: internet-exposed + on KEV + automatable + grants control goes to the top as your three-day tier. Anything that needs an authenticated session, or is reachable only from inside the network, drops a tier; CVSS only breaks ties within a tier.
- Clear this week's three-day tier first. Ivanti Sentry and Oracle PeopleSoft are the two that combine all four signals — both are covered below, both are exploited or have public exploit code, and both due dates have already passed.
- Write the rubric down. Put the four questions into your patch-triage runbook so the next KEV add gets tiered the same way without a debate. The point of BOD 26-04 is a repeatable rule, not a one-time sort.
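The three steps above, as an added worked example rather than CISA's or this newsletter's own tooling: a small Python triage routine that scores each finding on the four BOD 26-04 questions, starts the clock at KEV addition or discovery on the asset (whichever is earlier), and ranks the queue so that a lower-CVSS bug on an exposed box outranks a higher-CVSS bug on an internal one. Assumptions not taken from the directive text: only the two windows seen this week are modelled (3 calendar days when all four signals are true, 14 days otherwise); the two real CVEs are given the signals this issue attributes to them, and the "CVE-EXAMPLE-*" entries are constructed placeholders, not real identifiers.

```python
"""Four-signal KEV triage in the style of BOD 26-04. Added example, not CISA's code.

Assumptions: 3-day window when all four signals are true, 14 days otherwise
(the only two windows seen on the page); sample findings are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

TOP_TIER_DAYS = 3      # internet-facing + on KEV + automatable + total control
LOWER_TIER_DAYS = 14   # assumption: everything else gets this week's two-week window


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    internet_exposed: bool                 # Asset Exposure
    on_kev: bool                           # KEV Status
    automatable: bool                      # Exploit Automation
    total_control: bool                    # Technical Impact
    cvss: float
    kev_added: Optional[date]              # None if the CVE is not on KEV
    found_on_asset: Optional[date] = None  # when your own scanner first saw it


@dataclass(frozen=True)
class Decision:
    cve: str
    asset: str
    tier: int
    clock_start: date
    due: date
    forensic_triage: bool
    cvss: float


def signals(f: Finding) -> int:
    """Count of the four questions answered 'yes'."""
    return sum((f.internet_exposed, f.on_kev, f.automatable, f.total_control))


def clock_start(f: Finding) -> date:
    """Directive rule: KEV addition or discovery on an asset, whichever comes first."""
    candidates = [d for d in (f.kev_added, f.found_on_asset) if d is not None]
    if not candidates:
        raise ValueError(f"{f.cve}: no KEV date and no discovery date")
    return min(candidates)


def triage(f: Finding) -> Decision:
    start = clock_start(f)
    if signals(f) == 4:
        # Top tier also requires a forensic check that the asset is not already owned.
        return Decision(f.cve, f.asset, 1, start, start + timedelta(days=TOP_TIER_DAYS), True, f.cvss)
    return Decision(f.cve, f.asset, 2, start, start + timedelta(days=LOWER_TIER_DAYS), False, f.cvss)


def rank_queue(findings: List[Finding]) -> List[Decision]:
    """Work order: tier first, then earliest due date; CVSS only breaks ties."""
    return sorted((triage(f) for f in findings), key=lambda d: (d.tier, d.due, -d.cvss))


# Constructed sample. The two real CVEs carry the signals this issue attributes to
# them; the Cisco exposure/impact answers are assumptions for the sample only.
SAMPLE_FINDINGS = [
    Finding("CVE-2026-10520", "sentry-edge-01", True, True, True, True, 10.0, date(2026, 6, 11)),
    Finding("CVE-2026-20262", "sdwan-mgr-01", False, True, False, False, 6.5, date(2026, 6, 15)),
    # Placeholders (not real CVE IDs): CVSS 7.5 on an exposed gateway vs 9.8 internal-only.
    Finding("CVE-EXAMPLE-GATEWAY", "vpn-gw-02", True, True, True, True, 7.5, date(2026, 6, 11)),
    # Found by our scanner two days before the KEV add, so the clock starts on June 9.
    Finding("CVE-EXAMPLE-INTERNAL", "erp-app-03", False, True, True, True, 9.8,
            date(2026, 6, 11), date(2026, 6, 9)),
]

if __name__ == "__main__":
    for d in rank_queue(SAMPLE_FINDINGS):
        flag = " +forensic-triage" if d.forensic_triage else ""
        print(f"tier {d.tier}  due {d.due}  {d.cve:22} {d.asset:15} cvss {d.cvss}{flag}")
```

Running it puts the 7.5 gateway bug in tier 1 with a June 14 due date and the 9.8 internal bug in tier 2, which is the ordering the directive produces and a CVSS sort would not. Put the real `Finding` rows in a CSV export from your scanner and the rubric becomes the same sort every week.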
Advisories
Ivanti Sentry: a CVSS 10.0 unauthenticated root RCE and a 9.9 auth bypass, one on KEV
If you run Ivanti Sentry (formerly MobileIron Sentry) for any client, patch it now. Ivanti's advisory pairs two unauthenticated criticals. CVE-2026-10520 is an OS command injection that lets "a remote unauthenticated user achieve root-level remote code execution" — NVD rates it CVSS 10.0, the maximum. CVE-2026-10523 is an authentication bypass (CWE-288) at CVSS 9.9 that lets an unauthenticated attacker "create arbitrary administrative accounts and obtain full administrative access." CISA added the RCE to the KEV catalog on June 11 with a June 14 due date, and proof-of-concept exploit code is publicly available.
Action: update Sentry to R10.5.2, R10.6.2, or R10.7.1 to match your branch. The exposure is worst when, per CISA, "the Sentry appliance is in an unmanaged state with its endpoints externally reachable" — so confirm the management interface is not internet-facing, since "the use of mTLS with EPMM or restricted HTTPS access through Neurons for MDM makes interfaces inaccessible to external actors." With public exploit code and a maxed-out RCE, treat any externally reachable Sentry as patch-tonight, then hunt for unexpected admin accounts created before you patched.
Oracle PeopleSoft PeopleTools zero-day exploited before the patch shipped
If you or a client run Oracle PeopleSoft, this is the week's other three-day bug. CVE-2026-35273 is a missing-authentication flaw (CWE-306) in the PeopleTools "Updates Environment Management" component that is, per Oracle's Security Alert, "remotely exploitable without authentication" and "may result in remote code execution." NVD scores it CVSS 9.8 and notes "successful attacks of this vulnerability can result in takeover of PeopleSoft." Oracle shipped the fix as an out-of-band Security Alert on June 10 — outside its quarterly cycle — and CISA added the CVE to KEV on June 12 with the knownRansomwareCampaignUse flag set to Known and a June 15 due date.
Action: apply Oracle's June 10 Security Alert patch to PeopleTools 8.61 and 8.62. An out-of-band Oracle release plus a KEV ransomware flag is about as clear a "move now" signal as the catalog gives. PeopleSoft front ends are often internet-reachable for remote staff, so check exposure and review application and web-server logs for unauthenticated requests to PeopleTools endpoints around and before the patch date.
LiteSpeed cPanel plugin symlink bug is exploited on shared hosting
For anyone running cPanel/WHM on CloudLinux — common in MSP and reseller web hosting — CVE-2026-54420 is on KEV and being used in attacks. LiteSpeed's advisory describes a symlink-following flaw that "enables a user with FTP or web shell access to escalate privileges to root on shared hosting servers running CloudLinux/CageFS," and states plainly: "This vulnerability is being actively exploited." NVD rates it CVSS 8.5 and notes exploitation in the wild in May 2026; CISA added it on June 15 with a June 18 due date.
Action: update to the LiteSpeed cPanel plugin v2.4.8 (LiteSpeed WHM Plugin v5.3.2.1). The attacker needs an existing foothold — an FTP account or a web shell — so this is a privilege-escalation lever on a multi-tenant box: one compromised account becomes root over every site on the server. After patching, audit the shared host for web shells and unexpected FTP accounts rather than assuming the update alone closes the incident.
KEV also added Cisco Catalyst SD-WAN Manager and a Joomla editor RCE
Two more KEV entries round out the week. CVE-2026-20262 in Cisco Catalyst SD-WAN Manager (formerly vManage) lets "an authenticated, remote attacker create a file or overwrite any file on the filesystem" through a file-upload endpoint that does not validate input. NVD rates it CVSS 6.5; because it needs an authenticated session, it drew the two-week KEV window (added June 15, due June 29) rather than three days. CVE-2026-48907 in the JCE editor for Joomla is the opposite profile — unauthenticated — and "allows the creation of new editor profiles for unauthenticated users, ultimately resulting in PHP code upload and execution," scored CVSS v4.0 10.0 (added June 16, due June 19).
Action: patch SD-WAN Manager into your next network-gear window and keep its web UI off the public internet — this is the second SD-WAN Manager bug on KEV in two weeks, so treat the controller as a recurring target. For Joomla, update the JCE extension now and scan for newly created editor profiles and recently uploaded PHP files; an unauthenticated code-execution path on a public CMS is a fast route to a web shell.
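Both the shared-host audit after the LiteSpeed fix and the Joomla check for recently uploaded PHP belong to the same post-patch sweep, so here is one added example for both; it is not LiteSpeed's, cPanel's or Joomla's own tooling. It walks a web root for .php files that either call functions web shells usually depend on or were modified inside a recent window, and it deliberately does not follow symlinks, since on a CageFS host a planted symlink is part of the attack surface. The function list, the 7-day window, and the fixture files are assumptions.

```sh
# Post-patch web-shell sweep for a cPanel or Joomla web root. Added example,
# not vendor tooling. Pattern list and window are assumptions; tune to the host.

WEBSHELL_FUNCS='eval\(|base64_decode\(|gzinflate\(|str_rot13\(|system\(|shell_exec\(|passthru\(|popen\(|proc_open\(|assert\('

# Print "suspicious-call<TAB>path" for each .php under ROOT that calls one of
# WEBSHELL_FUNCS. find without -L: symlinks are reported nowhere, followed never.
scan_suspicious_calls() {
    root=$1
    find "$root" -type f -name '*.php' -print 2>/dev/null |
    while IFS= read -r f; do
        grep -Eq "$WEBSHELL_FUNCS" "$f" 2>/dev/null && printf 'suspicious-call\t%s\n' "$f"
    done
}

# Print "recent<TAB>path" for each .php under ROOT modified within DAYS days
# (default 7). Noisy right after an update; bound the window at the patch time.
scan_recent_php() {
    root=$1
    days=${2:-7}
    find "$root" -type f -name '*.php' -mtime "-$days" -print 2>/dev/null |
    while IFS= read -r f; do printf 'recent\t%s\n' "$f"; done
}

# Constructed fixture: one benign, backdated template and one planted shell
# hidden as a dotfile in an uploads directory, the usual CMS-upload landing spot.
make_fixture() {
    dir=$1
    mkdir -p "$dir/site/templates" "$dir/site/images/uploads"
    printf '<?php echo htmlspecialchars($title); ?>\n' > "$dir/site/templates/header.php"
    printf '<?php @eval(base64_decode($_POST["c"])); ?>\n' > "$dir/site/images/uploads/.cache.php"
    touch -d '30 days ago' "$dir/site/templates/header.php" 2>/dev/null ||
        touch -t 202601010000 "$dir/site/templates/header.php"
}

# Build the fixture, run both passes over it, clean up. Prints the combined hits.
demo_sweep() {
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    scan_suspicious_calls "$tmp"
    scan_recent_php "$tmp" 7
    rm -rf "$tmp"
}

# Real use: scan_suspicious_calls /home/<account>/public_html; scan_recent_php /home 3
```

Expect the planted .cache.php to show up under both passes and the template under neither. This covers files only; the unexpected-FTP-account check from the LiteSpeed item and the new-editor-profile check for JCE are data-level reviews in WHM and the Joomla admin that a filesystem sweep cannot substitute for.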
Chrome ships 33 fixes, seven of them Critical
Google shipped Chrome Stable 149.0.7827.155/.156 for Windows and Mac (149.0.7827.155 for Linux) on June 16. Per the release post, "this update includes 33 security fixes," and seven carry a Critical rating — a run of use-after-free bugs in WebShare, WebView, Digital Credentials, File Input, Passwords, and Web Authentication. Microsoft Edge shares the Chromium base and inherits these on its own cadence.
Action: confirm managed Chrome fleets are pulling 149.0.7827.155 or newer and push a relaunch rather than waiting for users to restart. Seven Critical use-after-frees in one release is a heavier-than-usual browser update; watch for the matching Edge Stable build and enforce it on the same schedule.
Product changes
Defender XDR adds a human-identities view and takes three cloud-hunting tables to GA
The June 2026 Defender XDR What's new entries add a Human identities card to the Identity Security dashboard (preview), giving one view of human identities by source — Entra ID, SaaS, and on-premises. Separately, three advanced-hunting tables reached general availability: CloudAuditEvents, CloudDnsEvents, and CloudProcessEvents, the last covering "process events in multicloud hosted environments."
Action: if you run cross-tenant hunting, the CloudProcessEvents GA is the useful one — process-level telemetry across multicloud hosts is now a stable table you can build detections against rather than a preview that might change schema. Migrate any preview queries to the GA tables and add CloudProcessEvents to your saved cloud-investigation hunts.
Intune previews a redesigned single device page
The week of June 15, the Intune What's new page added a public preview of a redesigned single device page — the Devices > All Devices > [device] view that admins land on for day-to-day device troubleshooting. The same June service release (2605) also adds a preview capability to "detect and block Shadow AI" — local AI agents — on Windows devices enrolled in Intune, using the properties catalog, device query, and a security baseline.
Action: pilot the new device page on an internal tenant before it reaches your client admin centers, so your techs are not relearning the layout under a live ticket. If clients are wrestling with unsanctioned local AI tools, the shadow-AI detection preview is worth a look on a test device group.
Field notes
Microsoft reports post-delivery email remediation is catching the bulk of what slips through
Microsoft published email-security benchmarking on June 15 covering a year of Defender for Office 365 data. The figure worth noting for operators: post-delivery remediation — the automatic pull-back of mail that was clean at delivery and later found malicious — now averages 96% of malicious messages, up from 70.8% the prior quarter.
Action: the practical takeaway is to leave zero-hour auto purge (ZAP) and post-delivery remediation enabled, especially if you front Defender with a third-party email gateway. Some MSPs disable Defender's post-delivery actions to avoid overlap with an ICES product; this data is the argument for keeping it on as the backstop that catches what the gateway passed.