The second week of June 2026 is marked by a high-velocity exploitation cycle targeting critical infrastructure and endpoints. Google Chrome faces its fifth zero-day of the year via an Out-of-Bounds (OOB) Read/Write in the V8 engine (CVE-2026-11645) and a Use-After-Free vulnerability (CVE-2026-11634). Simultaneously, Microsoft Exchange on-premises servers are targeted by an active zero-day (CVE-2026-42897). Infrastructure risks include a critical RCE in Unbound DNSSEC (CVE-2026-33278) and KEV-listed flaws in Arista and Cisco devices. A critical supply chain failure occurred when a CISA contractor exposed privileged AWS GovCloud credentials on GitHub, compromising high-security federal cloud environments. Immediate patching to Chrome v149.0.7827.102/.103 and remediation of KEV-listed assets are mandated.

Endpoint & Browser Vulnerabilities: Google Chrome
- CVE-2026-11645 involves a high-severity Out-of-Bounds (OOB) Read/Write within the Chromium V8 JavaScript engine.
- CVE-2026-11634 identifies a critical Use-After-Free (UAF) condition enabling potential arbitrary code execution.
- The occurrence of five exploited zero-days within a single year suggests an increasingly efficient exploitation cycle, potentially accelerated by AI-driven vulnerability discovery.

Enterprise Server & Infrastructure Risks
- Microsoft Exchange on-premises is under active exploitation via CVE-2026-42897, presenting a high risk to enterprise mail environments.
- Unbound DNSSEC Validator contains a critical RCE (CVE-2026-33278) that threatens global DNS security and validation integrity.
- Arista EOS (CVE-2026-7473) and Cisco Catalyst SD-WAN Manager (CVE-2026-20245) have been added to the CISA KEV catalog due to active exploitation.

Cloud Supply Chain & Credential Exposure
- Privileged AWS GovCloud credentials were leaked via a public GitHub repository by a CISA contractor.
- This event highlights a fundamental failure in credential hygiene and secret management within high-security federal ecosystems.
- The exposure creates a direct path for unauthorized access to sensitive government cloud workloads.
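What catching this class of exposure looks like in practice, as an added example that is not code from the original post: a small Python scanner of the kind a pre-commit hook or CI job would run over repository files before anything reaches a public remote. It matches the AWS access key ID format, anchors secret-key matches on the assignment keyword and filters them by Shannon entropy so template placeholders do not fire, and raises severity when a GovCloud region string appears in the same file. The sample `.env` text, the access key ID, the `should_block_commit` gate and the severity labels are constructed for this example; the secret value is the placeholder used in AWS's own documentation.

```python
import math
import re

# AWS access key IDs: a 4-character prefix (AKIA long-term, ASIA temporary, others for
# roles/users/groups) followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_RE = re.compile(
    r"\b((?:AKIA|ASIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA)[A-Z0-9]{16})\b"
)
# Secret access keys are 40 base64-style characters; anchoring on the assignment keyword
# keeps random 40-character tokens (hashes, blobs) out of the results.
AWS_SECRET_KEY_RE = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)
GOVCLOUD_RE = re.compile(r"us-gov-(?:east|west)-1")
# Real secrets land around 4.5+ bits/char; template placeholders such as 'AAAA...' sit near 0.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for empty or single-symbol input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep only the ends so a finding can be reported without re-leaking the value."""
    return f"{token[:4]}...{token[-4:]}"


def scan_text(text: str, path: str = "<memory>") -> list:
    """Return one finding per credential-looking token: path, line, kind, redacted value, severity."""
    findings = []
    # A GovCloud region next to the keys makes this a federal-cloud exposure: raise severity.
    severity = "critical" if GOVCLOUD_RE.search(text) else "high"
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_RE.finditer(line):
            findings.append({"path": path, "line": lineno, "kind": "aws_access_key_id",
                             "redacted": redact(m.group(1)), "severity": severity})
        for m in AWS_SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            if shannon_entropy(secret) < ENTROPY_THRESHOLD:
                continue  # low-entropy placeholder, not a live secret
            findings.append({"path": path, "line": lineno, "kind": "aws_secret_access_key",
                             "redacted": redact(secret), "severity": severity})
    return findings


def should_block_commit(findings: list) -> bool:
    """Hypothetical pre-commit / CI policy for this example: any finding blocks the push."""
    return len(findings) > 0


# Constructed sample of a committed .env file; the secret value is the placeholder used in
# AWS's own documentation, the access key ID is made up to fit the format.
SAMPLE_ENV = """\
# constructed sample, not a real configuration
AWS_DEFAULT_REGION=us-gov-west-1
AWS_ACCESS_KEY_ID=AKIAEXAMPLEFAKE00001
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# template placeholder left behind: low entropy, must not be reported
AWS_SECRET_ACCESS_KEY=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_ENV, "sample.env"):
        print(f"{f['severity'].upper():8} {f['path']}:{f['line']} {f['kind']} {f['redacted']}")
    print("block commit:", should_block_commit(scan_text(SAMPLE_ENV)))
```

The entropy filter is what keeps a scanner like this usable: the 40-character placeholder on the last line has the right shape but zero entropy, so it is dropped, while the documented example key scores well above the threshold and is reported. Findings carry only a redacted form of the value so the scanner's own output does not become a second leak.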

Regulatory Mandates & Defensive Remediation
- CISA BOD 22-01 mandates the immediate remediation of all vulnerabilities listed in the Known Exploited Vulnerabilities (KEV) catalog.
- Endpoint administrators must ensure Chrome is updated to version 149.0.7827.102 (Windows) or .103 (macOS/Linux).
- Organizations are advised to implement automated secret scanning for public repositories to prevent similar GovCloud credential leaks.
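The two patch-side mandates above (KEV remediation under BOD 22-01 and the Chrome build check) reduce to the same question for an asset owner: is this asset past its deadline? The following Python is an added example, not code from the original post or from CISA: it cross-references a constructed asset inventory against KEV-style catalog entries, computes days remaining against each entry's `dueDate`, and compares installed Chrome builds against the fixed versions named in this summary. The catalog entries reuse the CVE IDs from this page but their `dateAdded` and `dueDate` values are placeholders; the field names follow the schema of CISA's published `known_exploited_vulnerabilities.json`, and `load_kev` shows how the real file would be read. The inventory, asset names and `CVE-2026-99999` are constructed.

```python
import json
from datetime import date

# Constructed KEV-style entries for the CVEs named in this summary. The field names match the
# schema of CISA's published known_exploited_vulnerabilities.json; the dateAdded and dueDate
# values are placeholders for the example, not the catalog's real dates.
SAMPLE_KEV = [
    {"cveID": "CVE-2026-11645", "vendorProject": "Google", "product": "Chromium V8",
     "dateAdded": "2026-06-09", "dueDate": "2026-06-30"},
    {"cveID": "CVE-2026-7473", "vendorProject": "Arista", "product": "EOS",
     "dateAdded": "2026-06-10", "dueDate": "2026-07-01"},
    {"cveID": "CVE-2026-20245", "vendorProject": "Cisco", "product": "Catalyst SD-WAN Manager",
     "dateAdded": "2026-06-14", "dueDate": "2026-07-05"},
]

# Constructed asset inventory; CVE-2026-99999 is a placeholder for a finding that is not in KEV.
SAMPLE_INVENTORY = [
    {"asset": "edge-sw-01", "cves": ["CVE-2026-7473"]},
    {"asset": "sdwan-mgr", "cves": ["CVE-2026-20245", "CVE-2026-99999"]},
    {"asset": "wks-chrome", "cves": ["CVE-2026-11645"]},
]

# Fixed Chrome builds from the summary: .102 on Windows, .103 on macOS/Linux.
CHROME_FIXED = {"windows": "149.0.7827.102", "macos": "149.0.7827.103", "linux": "149.0.7827.103"}


def load_kev(path: str) -> list:
    """Load the real catalog file: its top-level object holds the entries under 'vulnerabilities'."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["vulnerabilities"]


def parse_version(v: str) -> tuple:
    """'149.0.7827.102' -> (149, 0, 7827, 102); tuples compare field by field, not as strings."""
    return tuple(int(part) for part in v.split("."))


def chrome_is_patched(installed: str, platform: str) -> bool:
    """True when the installed build is at or above the fixed build for that platform."""
    return parse_version(installed) >= parse_version(CHROME_FIXED[platform])


def kev_status(inventory: list, kev: list, today_iso: str) -> list:
    """Cross-reference each asset's CVEs with the KEV catalog and compute the BOD 22-01 clock.

    Returns one row per (asset, KEV CVE) with days until the due date, negative when overdue,
    sorted so the most overdue item comes first. CVEs absent from KEV are ignored here.
    """
    today = date.fromisoformat(today_iso)
    by_id = {entry["cveID"]: entry for entry in kev}
    rows = []
    for asset in inventory:
        for cve in asset["cves"]:
            entry = by_id.get(cve)
            if entry is None:
                continue  # not KEV-listed: tracked elsewhere, no federal deadline attached
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            rows.append({"asset": asset["asset"], "cve": cve,
                         "product": f"{entry['vendorProject']} {entry['product']}",
                         "due": entry["dueDate"], "days_left": days_left,
                         "overdue": days_left < 0})
    return sorted(rows, key=lambda r: r["days_left"])


if __name__ == "__main__":
    for row in kev_status(SAMPLE_INVENTORY, SAMPLE_KEV, "2026-07-02"):
        state = "OVERDUE" if row["overdue"] else f"{row['days_left']}d left"
        print(f"{row['asset']:12} {row['cve']:15} {row['product']:30} due {row['due']} {state}")
    for build, platform in (("149.0.7827.102", "windows"), ("149.0.7827.102", "macos")):
        print(platform, build, "patched" if chrome_is_patched(build, platform) else "UPDATE")
```

Two details matter in practice. Versions must be compared as integer tuples, not strings, or `148.0.7900.1` would sort above `149.0.7827.102`; and the same Chrome build string passes on Windows but fails on macOS, which is exactly the split the summary describes. Sorting by `days_left` puts the overdue KEV items at the top of the report, which is the order BOD 22-01 compliance work should follow.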

Related posts
- Krebs on Security — CISA Admin Leaked AWS GovCloud Keys on Github
- bleepingcomputer.com — Google patches new Chrome zero-day flaw exploited in the wild
- helpnetsecurity.com — Google patches Chrome zero-day exploited in the wild (CVE-2026-11645)
- CISA Cybersecurity Advisories — CISA Adds Three Known Exploited Vulnerabilities to Catalog
- SC Media — Google releases emergency update for fifth Chrome zero-day exploited in the wild this year
- cybersecuritydive.com — IT sector faces growing threats from IP-hungry China, AI-enabled cybercriminals
- socprime.com — CVE-2026-11645: Chrome Zero-Day Vulnerability Exploited in the Wild
- threat-modeling.com — Google Chromium V8 Out-of-Bounds Read/Write (CVE-2026-11645): Remote Code Execution via Crafted HTML, Added to CISA KEV
- eSecurity Planet — Zero-Days, AI Exploits, and Supply Chain Risks Define This Week in Cybersecurity in June 2026
- cybersecuritydive.com — Agentic AI surges in financial sector even as many firms fail to manage security risks
- techjacksolutions.com — Google Chromium V8 Out-of-Bounds Read/Write Zero-Day, Active Exploitation (CVE-2026-11645)
- The Register - Security — PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data
- Mandiant Blog — Public and Private Medical Community Targeted by China-Nexus Threat Actor Pursuing Artificial Intelligence, Cyber, Medical, and National Defense Research
- cybersecuritydive.com — China-nexus group linked to multiyear campaign targeting US, Canadian medical research
- cyberscoop.com — Google exposes China espionage group that’s been lurking in networks undetected since 2023
- Microsoft Tech Community — Microsoft Leads a New Era of Software Supply Chain Transparency
- techjacksolutions.com — UNC6508: PRC Espionage Campaign Weaponizes REDCap to Steal Defense and Medical Research Across North America
- techjacksolutions.com — Vanderbilt University Medical Center / REDCap (UNC6508 Campaign) — Vulnerability Rollup (2026-06-15)
- SC Media — China-linked group uses InfiniteRed malware to target medical research institutions
- arXiv (Computer Science - Cryptography and Security) — FuseChain: Runtime Evidence Reconstruction for Software Supply-Chain Attacks
- helpnetsecurity.com — EU Cybersecurity Act 2.0: When good regulation goes bad
- gbhackers.com — PRC-Nexus Hackers Abuse REDCap Servers to Monitor US Medical Research Organizations
- Security Affairs — China-linked actor spent two years inside medical research networks
- thecyberexpress.com — China Spent Over a Year Inside U.S. Medical Research Networks — And Used Google’s Own Email Rules to Steal Data
- fieldeffect.com — China-nexus actor abuses domain-level compliance rules
- techjacksolutions.com — UNC6508 Targets Medical Research with REDCap-Specific Malware, Exfiltrates Data via Email Compliance Rules
- techjacksolutions.com — UNC6508 Turned Google Workspace Against Its Users: Inside a 26-Month Espionage Campaign Targeting US and Canadian Research Networks
- Cyber Defense Magazine — AI is Not Solving Cybersecurity Burnout Yet, New ISSA and Omdia Research Warns
- datawater.com — UNC6508: How a Chinese State-Sponsored Group Spent 26 Months Inside US and Canadian Research Labs Using a Misspelled Gmail Rule
- bleepingcomputer.com — Malicious JetBrains Marketplace plugins steal AI API keys from developers
- Google Cloud Security Community — Custom Malware Named INFINITERED - YARA-L Rules to Detect UNC6508
- gbhackers.com — JetBrains Plugin Security Alert: 70,000+ Installs Linked to AI Key Theft
- feeds.feedburner.com — Malicious JetBrains Plugins Steal AI API Keys as Chrome Extensions Capture Chatbot Chats
- techjacksolutions.com — China and DPRK Drive 2025-2026 Technology Sector Targeting Wave: Supply Chains, AI Assets, and IT Worker Fraud at the Core
- techjacksolutions.com — Cisco ISE Carries a Two-Vector Risk: Unauthenticated Credential Exposure Feeds Authenticated RCE, No Full Patch Until August
- Security Affairs — Cisco fixed a critical ISE vulnerability that lets attackers to gain root access
- SecurityWeek — Critical Command Execution Vulnerability Patched in Cisco ISE