Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. Review affected assets, prioritize patch validation, and map remediation against managed client inventory.
Jun 10, 2026, 11:16 PM
Critical
Priority score blends severity, KEV, recency, source signal, and EPSS where available. 92.3% EPSS.
Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request that triggers an overflow during path canonicalization.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-06-03.
May 19, 2026, 7:00 PM
Critical
Priority score blends severity, KEV, recency, source signal, and EPSS where available. 98.8% EPSS.
Microsoft Internet Explorer Use-After-Free Vulnerability
critical
activeCISA KEVCVE-2010-0806
Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-06-03.
May 19, 2026, 7:00 PM
Critical
Priority score blends severity, KEV, recency, source signal, and EPSS where available. 82.2% EPSS.
Microsoft Internet Explorer Use-After-Free Vulnerability
critical
activeCISA KEVCVE-2010-0249
Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-06-03.
May 19, 2026, 7:00 PM
Critical
Priority score blends severity, KEV, recency, source signal, and EPSS where available. 91.9% EPSS.
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. Review affected assets, prioritize patch validation, and map remediation against managed client inventory.
Jun 10, 2026, 1:16 PM
Critical
Priority score blends severity, KEV, recency, source signal, and EPSS where available. 88.2% EPSS.
A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Review affected assets, prioritize patch validation, and map remediation against managed client inventory.
Jun 8, 2026, 7:16 AM
Critical
Priority score blends severity, KEV, recency, source signal, and EPSS where available. 71.1% EPSS.
Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Updates Environment Management). Supported versions that are affected are 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. Review affected assets, prioritize patch validation, and map remediation against managed client inventory.
CRITICALCVE-2026-35273
Critical
Priority score blends severity, KEV, recency, source signal, and EPSS where available. 92.3% EPSS.
Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request that triggers an overflow during path canonicalization.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-06-03.
criticalCVE-2008-4250
Critical
Priority score blends severity, KEV, recency, source signal, and EPSS where available. 98.8% EPSS.
Microsoft Internet Explorer Use-After-Free Vulnerability
Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code via vectors involving access to an invalid pointer after the deletion of an object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-06-03.
criticalCVE-2010-0806
Critical
Priority score blends severity, KEV, recency, source signal, and EPSS where available. 82.2% EPSS.
Microsoft Internet Explorer Use-After-Free Vulnerability
Microsoft Internet Explorer contains an use-after-free vulnerability that could allow remote attackers to execute arbitrary code by accessing a pointer associated with a deleted object. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Due date: 2026-06-03.
criticalCVE-2010-0249
Critical
Priority score blends severity, KEV, recency, source signal, and EPSS where available. 91.9% EPSS.
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. Review affected assets, prioritize patch validation, and map remediation against managed client inventory.
CRITICALCVE-2026-20253
Critical
Priority score blends severity, KEV, recency, source signal, and EPSS where available. 88.2% EPSS.
A logic flow weakness in Remote Access and Mobile Access certificate validation in deprecated IKEv1 key exchange allows an unauthenticated remote attacker to bypass user authentication and establish a remote access VPN connection without a valid user password.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Review affected assets, prioritize patch validation, and map remediation against managed client inventory.
CRITICALCVE-2026-50751
Critical
Priority score blends severity, KEV, recency, source signal, and EPSS where available. 71.1% EPSS.
Quick answers to the questions we hear most often about Threat Radar.
What is the ITECS MSP Threat Radar?
It is a self-updating resource hub that combines official threat feeds, vendor advisories, and live service incidents into one operational watch page for Dallas-area business teams.
Which sources does Threat Radar track?
The feed is built from official sources including CISA Known Exploited Vulnerabilities, the National Vulnerability Database, Microsoft Security Update Guide, Cisco advisories, Fortinet PSIRT, Cloudflare Status, Vercel Status for Next.js hosting operations, and Google Workspace Status.
How should businesses use Threat Radar?
Use it to spot active issues faster, validate whether they affect Microsoft 365, Cisco, Fortinet, or core SaaS dependencies, and then move into assessment, remediation, or managed support planning.
Can ITECS help after an item appears on Threat Radar?
Yes. ITECS can help translate the alert into patch prioritization, compensating controls, vendor-specific action plans, and broader managed cybersecurity or managed IT follow-through.