Check Point and Ivanti Under Siege: Mitigating Actively Exploited Vulnerabilities - Safe Security
Check Point and Ivanti Under Siege: Mitigating Actively Exploited Vulnerabilities

Blog

Jun 16, 2026

By SAFE Threat Research Team

Recent threat intelligence highlights alarming exploitation trends involving Check Point Security Gateways and Ivanti Sentry platforms. Among the most pressing vulnerabilities, CVE-2026-50751 in Check Point's gateways has been targeted by cybercriminals seeking access to sensitive enterprise networks. It stands alongside CVE-2026-10520, a critical exposure in Ivanti Sentry that is also being aggressively targeted. The exploitation of these CVEs underscores the need for organizations to adopt a targeted patch management strategy.

Threat actors have demonstrated ongoing interest in established products such as Microsoft Exchange Server and Oracle PeopleSoft, while also pivoting to less obvious targets, such as Arista EOS.

Vulnerability Landscape

[Figure: trending CVEs]

This is where exposure management becomes useful. A severity-ranked CVE list shows potential impact, but not what should move first. Security teams need to know which vulnerabilities are actually exploitable, which affected assets are exposed, and which systems matter most to the business.

Trending Vulnerabilities

The real buzz is around CVEs with confirmed exploitation activity, not just newly disclosed ones. Last week, 19 CVEs showed real-world exploitation signals: 11 newly published vulnerabilities and 8 older issues that remain useful to attackers.

That split matters because older CVEs often stay active when they affect exposed systems, widely deployed platforms, or assets that are difficult to patch quickly.

Top CVEs to Watch

Ivanti Sentry: unauthenticated command injection under active exploitation (CVE-2026-10520)

Ivanti Sentry, previously known as MobileIron Sentry, contains a critical pre-authenticated OS command injection vulnerability tracked as CVE-2026-10520. Successful exploitation can allow a remote attacker to execute commands with root privileges on affected appliances, particularly where Sentry is unmanaged and vulnerable endpoints are externally reachable. Public technical details and the availability of a proof of concept increase the likelihood of exploitation against exposed deployments. Administrators should upgrade to the fixed versions R10.5.2, R10.6.2, or R10.7.1, and verify deployment-specific protections, including mTLS for EPMM-managed Sentry deployments and restricted internet exposure for Neurons for MDM management/API access. The high EPSS percentile and confirmed exploitation evidence make rapid remediation essential to reduce enterprise exposure.

Google Chromium V8 Under Active Exploitation (CVE-2026-11645)

CVE-2026-11645 is a critical vulnerability in the V8 JavaScript engine of Google Chrome: an out-of-bounds read and write that allows remote attackers to execute arbitrary code within the browser's sandbox. It affects multiple Chromium-based browsers, including Microsoft Edge and Opera. CISA's KEV catalog lists this flaw as under active exploitation, and Google identified it as the fifth Chrome zero-day of the year. Despite being initially discovered in late April, the zero-day was rapidly weaponized, leading to widespread attacks. Organizations using Chromium-based browsers must apply updates promptly, as per vendor instructions, to mitigate the risk.

BerriAI LiteLLM: command injection vulnerability under active exploitation (CVE-2026-42271)

A command injection vulnerability in BerriAI LiteLLM, affecting versions 1.74.2 through 1.83.7, is actively exploited in the wild. The issue lies in two endpoints used for server-side preview functions: POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list. Because these endpoints lack adequate role-based access control, any user with a valid API key can execute arbitrary commands on the host with the same privileges as the proxy process. BerriAI has addressed the issue in version 1.83.7 by implementing stricter access control. Users are advised to upgrade to this version or, as an interim mitigation, block the affected endpoints through network configuration.
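The control the LiteLLM fix adds is a role check in front of the preview routes, with a network-level block as the interim fallback. The example below is added here to illustrate both; it is not LiteLLM's code, and the principal model, role names ("admin"/"user"), policy table and edge filter are assumed for illustration. Only the two endpoint paths come from the advisory text.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed principal model: an API key id and a single role string.
@dataclass(frozen=True)
class Principal:
    key_id: str
    role: str  # assumed roles: "admin" or "user"

# The two endpoints named in the advisory text.
PREVIEW_ROUTES = ("/mcp-rest/test/connection", "/mcp-rest/test/tools/list")

# Weak policy: one catch-all rule lets any valid key reach any route, which is the
# condition the article describes (no role check on the preview endpoints).
WEAK_POLICY = [
    (re.compile(r"^/"), {"admin", "user"}),
]

# Hardened policy: rules are evaluated in order, so the admin-only rule for the
# server-side preview routes is decided before the catch-all is reached.
HARDENED_POLICY = [
    (re.compile(r"^/mcp-rest/test/"), {"admin"}),
    (re.compile(r"^/"), {"admin", "user"}),
]

# Interim mitigation from the text: block the affected paths in front of the app.
# Assumed to be enforced by a reverse proxy or network filter until the upgrade.
BLOCKED_PREFIXES = ("/mcp-rest/test/",)


def is_blocked_at_edge(path: str) -> bool:
    """True if the edge filter would drop the request before it reaches the proxy."""
    return path.startswith(BLOCKED_PREFIXES)


def is_authorized(policy, principal: Optional[Principal], path: str) -> bool:
    """First matching rule decides; unauthenticated callers are always denied."""
    if principal is None:
        return False
    for pattern, allowed_roles in policy:
        if pattern.match(path):
            return principal.role in allowed_roles
    return False  # default deny when no rule matches


def decide(policy, principal: Optional[Principal], path: str,
           edge_filter_enabled: bool = False) -> str:
    """Full decision: edge block first, then role policy.

    Returns 'blocked' (dropped at the edge), 'allow' or 'deny'.
    """
    if edge_filter_enabled and is_blocked_at_edge(path):
        return "blocked"
    return "allow" if is_authorized(policy, principal, path) else "deny"


if __name__ == "__main__":
    # Constructed callers: an ordinary key holder and an administrator.
    user = Principal("key-user-1", "user")
    admin = Principal("key-admin-1", "admin")
    for route in PREVIEW_ROUTES:
        print(f"{route}: weak/user={decide(WEAK_POLICY, user, route)} "
              f"hardened/user={decide(HARDENED_POLICY, user, route)} "
              f"hardened/admin={decide(HARDENED_POLICY, admin, route)}")
```

The ordering of the hardened policy is the point: a more specific deny must be evaluated before the permissive catch-all, and an unmatched path falls through to deny rather than allow.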

Check Point Security Gateway Improper Authentication Vulnerability (CVE-2026-50751)

CVE-2026-50751 is a critical vulnerability in Check Point Security Gateways that is exploited through deprecated IKEv1 key exchange configurations. It allows unauthenticated remote attackers to bypass standard user authentication and establish unauthorized remote-access VPN connections. Exploitation activity has been observed, with medium-confidence links to at least one post-compromise case involving a Qilin ransomware affiliate.

Organizations are strongly advised to disable IKEv1 settings and apply fixes as outlined in Check Point’s advisory. Securing the gateway with updated configurations protects against potential data exfiltration and lateral movement risks. The vulnerability’s inclusion in the CISA KEV underlines its threat to enterprise security.

Arista EOS: actively exploited tunnel decapsulation flaw (CVE-2026-7473)

CVE-2026-7473 affects Arista Extensible Operating System (EOS)-based platforms with a tunnel decapsulation configuration. This vulnerability allows switches to incorrectly process and forward unexpected tunneled packets due to an incomplete validation of tunnel protocol types. The flawed logic in tunnel decapsulation poses a significant risk, as it can lead to unauthorized packet forwarding, potentially exposing sensitive data or disrupting the network. The vulnerability is actively being exploited in the wild, as evidenced by its inclusion in the CISA Known Exploited Vulnerabilities (KEV) Catalog. Arista advises users to apply the prescribed mitigations specified in their advisory documents.

Oracle PeopleSoft Enterprise PeopleTools Authentication Flaw Under Active Exploitation (CVE-2026-35273)

CVE-2026-35273 is a critical flaw in Oracle's PeopleSoft Enterprise PeopleTools that omits a necessary authentication check. This missing authentication for a critical function allows unauthenticated attackers with HTTP network access to gain control over the affected system. The vulnerability carries a critical CVSS score of 9.8, and the risk is amplified by active exploitation in the wild. Notably, the threat actor group ShinyHunters is reported to be leveraging this flaw, particularly against the education sector.

Organizations should urgently implement Oracle’s prescribed mitigations and ensure compliance with CISA’s Binding Operational Directive (BOD) 26-04, which emphasizes the application of security updates based on risk assessment. Where feasible, exposure-reduction measures such as minimizing the internet-facing footprint of affected assets should be prioritized.

Cisco Catalyst SD-WAN Manager: improper encoding or escaping of output vulnerability actively exploited (CVE-2026-20245)

CVE-2026-20245 in Cisco Catalyst SD-WAN Manager allows authenticated local attackers with netadmin privileges to execute commands as root by exploiting a flaw in input validation. Cisco has observed limited exploitation, resulting in configuration changes propagating to edge devices. Given its presence in the CISA Known Exploited Vulnerabilities catalog, vendor-recommended mitigations should be applied immediately.

Langflow Path Traversal Vulnerability Under Active Exploitation (CVE-2026-5027)

CVE-2026-5027 is a critical path traversal vulnerability in the Langflow application, affecting the 'POST /api/v2/files' endpoint. The absence of sanitization for the 'filename' parameter allows attackers to write arbitrary files and potentially achieve remote code execution without authentication. Despite its disclosure in March 2026, a patch has yet to be released. Organizations relying on Langflow must implement stringent network segmentation and access controls to prevent potential intrusions.
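The root cause described above is a caller-controlled file name joined onto a storage directory without validation. The following example, added here and not taken from Langflow, shows how an upload handler can validate that parameter defensively; the storage root path, the allow-list pattern and the function names are assumptions for illustration.

```python
import os
import re

# Constructed storage root for this example; a real deployment would configure its own.
UPLOAD_ROOT = "/srv/app/uploads"

# Allow-list for the final file name: letters, digits, dot, underscore, hyphen, 1-128 chars.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def resolve_upload_path(filename: str, upload_root: str = UPLOAD_ROOT) -> str:
    """Return the absolute path an upload may be written to, or raise ValueError.

    Three independent checks are applied so that no single bypass (backslash
    separators, encoded dots, a symlinked root) defeats the control on its own.
    """
    if not filename or "\x00" in filename:
        raise ValueError("empty or NUL-containing filename")

    # 1. The value must be a bare file name, not a path. Treat backslashes as
    #    separators too, since some filesystems and clients use them.
    name = filename.replace("\\", "/")
    if "/" in name or name in (".", ".."):
        raise ValueError("filename must be a single path component")

    # 2. Allow-list characters instead of trying to strip dangerous ones; this also
    #    rejects percent-encoded sequences such as '%2e%2e' before any decoding.
    if not _SAFE_NAME.match(name):
        raise ValueError("filename contains disallowed characters")

    # 3. Resolve and confirm the final path is still under the root, which catches
    #    anything the lexical checks missed (for example, a symlinked component).
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("resolved path escapes the upload root")
    return target


def is_safe_filename(filename: str) -> bool:
    """Convenience wrapper: True if resolve_upload_path() would accept the name."""
    try:
        resolve_upload_path(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, as a request handler might receive them.
    for candidate in ("report.pdf", "../../etc/passwd", "..\\..\\win.ini", "a/b.txt"):
        verdict = "accept" if is_safe_filename(candidate) else "reject"
        print(f"{candidate!r:24} -> {verdict}")
```

The allow-list is deliberately stricter than "reject `..`": stripping known-bad substrings is the approach that traversal bypasses are built against, whereas a positive character set plus a post-resolution containment check leaves no decoding trick to exploit.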

What Security Teams Should Prioritize

  • Patch CVE-2026-50751 and CVE-2026-10520 first, where Check Point Security Gateway or Ivanti Sentry are exposed or business-critical.
  • Review internet-facing Exchange, PeopleSoft, SD-WAN, VPN, gateway, and management-plane assets for affected versions.
  • For older exploited CVEs, confirm whether the affected systems are still reachable from the internet or trusted internal zones.
  • Use segmentation and access restrictions to reduce blast radius where patching cannot happen immediately.
  • Prioritize CVEs where exploitation evidence, asset exposure, and business impact overlap.
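The five points above amount to a triage rule: rank by the overlap of exploitation evidence, asset exposure and business impact, and choose between patching and segmentation by whether a fix can be applied now. The example below, added here and not part of the article or of SAFE CTEM, encodes that rule over a constructed inventory. The CVE identifiers and product names are the ones discussed on this page; the exposure, criticality and patch-availability flags are assumed for a hypothetical environment, and the weights are illustrative.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    exploited: bool          # confirmed in-the-wild exploitation (KEV listing, vendor telemetry)
    exposed: bool            # at least one affected asset reachable from the internet
    business_critical: bool  # affected asset tagged critical in the asset inventory
    patch_available: bool    # a vendor fix exists for the deployed version


def triage_score(f: Finding) -> int:
    """Rank by overlap of the three factors.

    Illustrative weights: exploited 4, exposed 3, business-critical 2, plus a bonus
    of 5 when all three overlap, so a full overlap (14) always outranks any
    two-factor combination (at most 7).
    """
    score = 0
    if f.exploited:
        score += 4
    if f.exposed:
        score += 3
    if f.business_critical:
        score += 2
    if f.exploited and f.exposed and f.business_critical:
        score += 5
    return score


def recommended_action(f: Finding) -> str:
    """Map a finding to the article's guidance: patch first where exposed or critical,
    segment where patching cannot happen immediately, and confirm reachability for
    the rest."""
    if not f.exploited:
        return "schedule"  # no exploitation evidence: normal patch cycle
    if f.exposed or f.business_critical:
        return "patch now" if f.patch_available else "segment / restrict access"
    return "patch in next cycle; confirm reachability from trusted zones"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest score first; ties broken by CVE id for a stable, reviewable order."""
    return sorted(findings, key=lambda f: (-triage_score(f), f.cve))


def action_plan(findings: List[Finding]) -> List[Tuple[str, int, str]]:
    return [(f.cve, triage_score(f), recommended_action(f)) for f in prioritize(findings)]


# Constructed inventory. Identifiers and products are from the article; the flags are
# assumed for a hypothetical environment (Langflow's missing patch is as the article states).
INVENTORY = [
    Finding("CVE-2026-50751", "Check Point Security Gateway", True, True, True, True),
    Finding("CVE-2026-10520", "Ivanti Sentry", True, True, True, True),
    Finding("CVE-2026-5027", "Langflow", True, True, False, False),
    Finding("CVE-2026-35273", "Oracle PeopleSoft PeopleTools", True, True, False, True),
    Finding("CVE-2026-20245", "Cisco Catalyst SD-WAN Manager", True, False, True, True),
    Finding("CVE-2026-7473", "Arista EOS", True, False, False, True),
]


if __name__ == "__main__":
    for cve, score, action in action_plan(INVENTORY):
        print(f"{cve:16} score={score:2} -> {action}")
```

With these assumed flags, the two CVEs the article puts first (Check Point and Ivanti Sentry) land at the top with the full-overlap score, Langflow is routed to segmentation because no patch exists, and the internally reachable Cisco and Arista findings fall below the internet-exposed ones, which is the reachability check the third bullet asks for.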

Most organizations do not have a CVE awareness problem. They have a prioritization problem. SAFE CTEM helps teams cut through disclosure volume by identifying the vulnerabilities most likely to matter in their own environment, based on exposure, exploitability, and business context.

To learn how SAFE CTEM helps teams prioritize by business context, visit our platform today.