RoguePlanet, Check Point VPN, Cisco SD-WAN: Three Critical June 2026 Vulnerabilities Under Active Exploitation

Imagine your company's VPN gateway accepting connections from anyone without a password or certificate, simply because they know how to ask correctly. Or an attacker who sends a single UDP datagram to port 12346 and instantly becomes an authenticated peer in your entire SD-WAN control plane. Or Microsoft Defender, the software installed on virtually every Windows machine, being turned into a tool for gaining SYSTEM privileges with no warning, no administrative rights, and no visible trace.

These are not hypothetical scenarios. They are real vulnerabilities being actively exploited in June 2026.


Three Layers, Three Attack Vectors

June 2026 brought three vulnerabilities with one thing in common: each targets a different layer of enterprise infrastructure. RoguePlanet strikes at the endpoint level, specifically Microsoft Defender, the software administrators rely on as a protective shield. CVE-2026-50751 opens the gate at the network perimeter: the Check Point VPN gateway through which remote workers connect to the corporate network. And CVE-2026-20182 strikes at the very backbone of network architecture: the Cisco SD-WAN control plane, on which the connectivity of the entire network depends.

Attackers don't target these layers randomly. They operate methodically: first the perimeter, then the backbone, then the endpoint. Or all at once, given sufficient network access. Together, these three vulnerabilities give an attacker a path from initial access to full control.


RoguePlanet — Defender as the Attacker's Entry Point

What This Is

RoguePlanet is a zero-day in Microsoft Defender published by the researcher known as Nightmare Eclipse, the same person behind YellowKey, GreenPlasma, and RedSun. The disclosure came on June 10, 2026, the same day as June's Patch Tuesday. The timing was deliberate: the researcher was responding to the way Microsoft communicates, or rather fails to communicate, with the security community.

RoguePlanet exploits a race condition in the way Defender processes files. An attacker with ordinary user rights can use this to obtain a SYSTEM shell, the highest privilege level in the operating system. The exploit works on fully patched Windows 10 and Windows 11, including the June 2026 Patch Tuesday updates.

No patch exists for RoguePlanet. Microsoft is "investigating."

Technical Card

| Parameter | Value |
|---|---|
| Name | RoguePlanet |
| Vulnerability type | Privilege escalation (Local Privilege Escalation) — TOCTOU race condition in Microsoft Defender |
| CVE | CVE-2026-47281 |
| CVSS score | 9.6 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| Requires physical access | No |
| Requires login | Yes — attacker must be logged in as any user without administrative rights |
| Public exploit (PoC) | Yes — published by researcher Nightmare Eclipse on June 10, 2026 |
| Actively exploited | Confirmed — active exploitation in real attacks following PoC publication |
| Patch | Does not exist — Microsoft "investigating" |
| Microsoft MSRC | CVE-2026-47281 |

How the Attack Works

Defender has a function that processes files flagged as threats and, in certain conditions, runs this remediation operation from a privileged context. RoguePlanet exploits the timing window (TOCTOU, time of check vs. time of use) between the moment Defender verifies a file path and the moment it acts on it.

The attacker prepares a specially crafted file that triggers a Defender detection during processing. Defender verifies the path, but before it acts, the attacker redirects it using an NTFS junction and an opportunistic lock into a system directory. Defender completes the operation with SYSTEM privileges, and the result is executable code placed in a privileged context.

The exploit was originally designed as remote code execution via a specially crafted VHD file or shared SMB folder, with no prior access to the system required. Microsoft quietly patched part of this attack surface in the May Defender update. The researcher rewrote the exploit as a local privilege escalation and published this path publicly, citing frustration with Microsoft's communication.

What makes RoguePlanet stand out is its reliability: ThreatLocker labs verified the exploit on fully patched systems with a success rate estimated near one hundred percent.

Which Systems Are Affected

Virtually every Windows machine with active Microsoft Defender: Windows 10 in all editions, Windows 11 in all editions, Windows Server 2016, 2019, 2022 and 2025. Defender is present as primary or backup protection on the vast majority of Windows devices.


Check Point VPN — Security That Depended on Whom You Asked

What This Is

CVE-2026-50751 is a critical vulnerability in Check Point's Remote Access VPN and Mobile Access products. It allows an attacker to connect to the VPN without valid credentials or a certificate. All it takes is a specially crafted IKEv1 handshake packet.

The vulnerability was actively exploited from early May 2026, several weeks before disclosure and patching. The exploit was linked to the Qilin ransomware group, which used it as an initial access vector into corporate networks. A patch was released on June 8, 2026.

Technical Card

| Parameter | Value |
|---|---|
| Name | — (internally tracked as CPE-Auth-Bypass) |
| Vulnerability type | Authentication bypass (CWE-287 Improper Authentication) — IKEv1 Remote Access VPN |
| CVE | CVE-2026-50751 |
| CVSS score | 9.3 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| Requires physical access | No — attack occurs remotely over UDP 500/4500 or TCP 443 |
| Requires login | No — authentication is bypassed entirely |
| Public exploit (PoC) | Yes — published after patch; exploit was circulating in the community since May |
| Actively exploited | Confirmed — Qilin ransomware affiliate from early May 2026 |
| Patch | Released June 8, 2026 — see Check Point Security Advisory sk182671 |
| Reference | Check Point Security Advisory sk182671 |
| Companion CVE | CVE-2026-50752 (CVSS 7.4) — MitM certificate bypass in weakened configurations |

How the Attack Worked

IKEv1 (Internet Key Exchange version 1) is the protocol VPNs use to establish an encrypted tunnel and verify the identity of a remote client. During this process, both sides exchange Vendor ID payloads, extensions that can carry information about a client's capabilities.

Check Point implemented a proprietary Vendor ID payload called VPNExtFeatures in its IKEv1 implementation. This payload includes 4 bytes that determine which authentication features are active. The flaw: the Check Point server read these bytes directly from the client-supplied payload and wrote them into the internal authentication flag register at offset 0x4bc4.

This gave an attacker direct control over how the server approached verifying their identity. Setting bit 0x4 disabled signature verification. Setting bit 0x2 skipped certificate processing entirely. The server then opened a VPN session without the client proving its identity in any way.

The result was full VPN access without a password, a certificate, or any authentication material. The server had simply asked the client whether to verify it, and the client said no.
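The following is an added illustration of the bug class described above, written for this page; it is not Check Point's code. The generic ISAKMP payload header (next payload, reserved, length) follows RFC 2408, and the two bit values 0x2 and 0x4 are the ones named above. The `VPNExtFeatures` marker string, the position of the 4 feature bytes after it, the `NEGOTIABLE_FEATURE_MASK` and the server policy value are assumptions made so the example runs offline. The vulnerable path copies the client's bytes into the authentication flags; the hardened path takes the authentication flags from server policy and treats client bits as capability hints only.

```python
"""
Added illustration (not Check Point's code) of the bug class behind CVE-2026-50751:
authentication flags taken from a client-supplied IKEv1 Vendor ID payload.
Generic payload header per RFC 2408; the marker string, flag layout beyond the two
named bits, and the negotiable mask are assumptions made for the example.
"""
import struct

PAYLOAD_VENDOR_ID = 13            # ISAKMP payload type for Vendor ID (RFC 2408, 3.16)
FLAG_SKIP_CERT_PROCESSING = 0x2   # bit named in the writeup
FLAG_DISABLE_SIG_VERIFY = 0x4     # bit named in the writeup
VPNEXT_MARKER = b"VPNExtFeatures"  # stand-in for the real Vendor ID bytes (assumption)

# Hardened server: its own policy decides which checks run; nothing in the
# client's payload may switch authentication off. Mask value is an assumed example.
SERVER_POLICY_AUTH_FLAGS = 0x0
NEGOTIABLE_FEATURE_MASK = 0xFFFFFFF0


def parse_payloads(first_payload, body):
    """Walk an ISAKMP payload chain. Generic header: next(1) reserved(1) length(2)."""
    payloads = []
    ptype, offset = first_payload, 0
    while ptype != 0:
        if offset + 4 > len(body):
            raise ValueError("truncated payload header")
        nxt, _reserved, length = struct.unpack("!BBH", body[offset:offset + 4])
        if length < 4 or offset + length > len(body):
            raise ValueError("bad payload length")
        payloads.append((ptype, body[offset + 4:offset + length]))
        offset += length
        ptype = nxt
    return payloads


def extract_ext_features(payloads):
    """Return the 4 feature bytes following the marker in a VPNExtFeatures-style Vendor ID."""
    for ptype, data in payloads:
        if ptype == PAYLOAD_VENDOR_ID and data.startswith(VPNEXT_MARKER):
            start = len(VPNEXT_MARKER)
            if len(data) >= start + 4:
                return struct.unpack("!I", data[start:start + 4])[0]
    return None


def authenticate(first_payload, body, cert_valid, signature_valid, hardened):
    """Model of the server's decision. cert_valid / signature_valid are the results
    the real certificate and signature checks would produce if they were run."""
    client_bits = extract_ext_features(parse_payloads(first_payload, body)) or 0
    if hardened:
        auth_flags = SERVER_POLICY_AUTH_FLAGS
        _negotiated = client_bits & NEGOTIABLE_FEATURE_MASK  # capability bits only
    else:
        auth_flags = client_bits  # the vulnerable pattern: attacker-controlled flags
    cert_ok = True if auth_flags & FLAG_SKIP_CERT_PROCESSING else cert_valid
    sig_ok = True if auth_flags & FLAG_DISABLE_SIG_VERIFY else signature_valid
    return cert_ok and sig_ok


def build_vendor_id_chain(feature_bits):
    """Constructed test input: a single Vendor ID payload carrying the feature bits."""
    data = VPNEXT_MARKER + struct.pack("!I", feature_bits)
    header = struct.pack("!BBH", 0, 0, 4 + len(data))  # next=0 ends the chain
    return PAYLOAD_VENDOR_ID, header + data


if __name__ == "__main__":
    first, body = build_vendor_id_chain(FLAG_SKIP_CERT_PROCESSING | FLAG_DISABLE_SIG_VERIFY)
    print("vulnerable server, no credentials:", authenticate(first, body, False, False, False))
    print("hardened server, no credentials:  ", authenticate(first, body, False, False, True))
```

The design point is the direction of trust: a capability payload may narrow what the server offers, but it must never widen what the server skips. Any bit that changes whether an identity check runs belongs to server policy, and a handshake that tries to set such a bit is itself worth logging.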

Which Systems Are Affected

The vulnerability affected Check Point security products with Remote Access VPN or Mobile Access enabled: specifically CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark. The patch is included in the Hotfix released June 8, 2026. A full list of affected versions is in Security Advisory sk182671.


Cisco SD-WAN — One Packet as the Key to the Entire Network's Control Plane

What This Is

CVE-2026-20182 carries a CVSS score of 10.0, the maximum, in the Cisco Catalyst SD-WAN Controller (formerly vSmart Controller). It allows a remote, unauthenticated attacker to take full control of an SD-WAN network's control plane.

The vulnerability was discovered by security researchers Stephen Fewer and Jonah Burgess of Rapid7 Labs and disclosed on May 14, 2026. A patch from Cisco is available. Despite this, the vulnerability was actively exploited by threat actor UAT-8616 before the disclosure.

Technical Card

| Parameter | Value |
|---|---|
| Name | |
| Vulnerability type | Authentication bypass (CWE-306 Missing Authentication for Critical Function) — vHub bypass in Cisco SD-WAN Controller |
| CVE | CVE-2026-20182 |
| CVSS score | 10.0 Critical (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) |
| Requires physical access | No — attack occurs remotely over UDP port 12346 (DTLS) |
| Requires login | No — authentication is completely bypassed |
| Public exploit (PoC) | Yes — Metasploit module published by Rapid7 at disclosure |
| Actively exploited | Confirmed — UAT-8616 before disclosure; escalation after Metasploit module release |
| Patch | Available — see Cisco Security Advisory; update to fixed versions required |
| Reference | Rapid7 Blog · Cisco Security Advisory |

How the Attack Worked

The Cisco SD-WAN Controller (vSmart) communicates with other nodes over the DTLS protocol on UDP port 12346. Part of this process is a challenge-response (CHALLENGE_ACK) in which a remote node must prove itself with a valid certificate.

Cisco internally distinguishes several device types. Type 2 designates the vHub device category, an auxiliary hub node used as a transit point in SD-WAN topologies. The flaw was simple: the code inside function vbond_proc_challenge_ack() contained no verification logic for the vHub type. An attacker who identified themselves as device type 2 in the DTLS handshake passed immediately: no certificate, no key, no verification of any kind. The server marked them as an authenticated peer (peer->authenticated = 1).

After authentication, one step remained: via a message type 14 (MSG_VMANAGE_TO_PEER), the attacker injected their own SSH public key directly into /home/vmanage-admin/.ssh/authorized_keys on the vSmart controller. The fputs() function wrote the key without any validation. The attacker then SSH'd to TCP port 830 (NETCONF) as vmanage-admin with full administrative rights and could issue arbitrary commands to the entire SD-WAN fabric: alter routing policies, add nodes, intercept traffic, or shut the network down entirely.

The complete attack required a single DTLS handshake packet, followed by a key injection and an SSH connection. Rapid7 documented the full chain and released a working Metasploit module alongside disclosure.
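To make the two defects concrete, here is an added model written for this page, not Cisco's code: a challenge-ack handler that fails open for the vHub device class beside a deny-by-default version, and a type-14 message handler that appends to the admin authorized_keys list beside one that also checks the sender's role and the shape of the key line. Device type 2, message type 14 and the `authenticated` flag come from the description above; the `Peer` class, the certificate-serial trust store, the role names and the validation rules are assumptions.

```python
"""
Added model (not Cisco's code) of the two defects the writeup describes in the
vSmart control plane: a challenge-ack path that never verified the vHub (type 2)
device class, and a peer message that wrote an SSH key with no validation.
Device types and message type 14 are from the writeup; the handler structure,
certificate stand-in and role model are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

DEVICE_VHUB = 2
MSG_VMANAGE_TO_PEER = 14

# Assumed PKI stand-in: certificate serials the trust store accepts and the role each carries.
TRUSTED_CERTS = {"SER-VMANAGE-01": "vmanage", "SER-VEDGE-07": "vedge"}


@dataclass
class Peer:
    device_type: int                  # self-declared in the DTLS handshake
    cert_serial: Optional[str]        # stand-in for the presented certificate
    authenticated: bool = False
    role: str = "unknown"


def verify_certificate(cert_serial):
    """Return the role bound to a trusted certificate, or None if untrusted/absent."""
    return TRUSTED_CERTS.get(cert_serial)


def proc_challenge_ack_vulnerable(peer):
    """Fail-open: the vHub branch marks the peer authenticated without any check."""
    if peer.device_type == DEVICE_VHUB:
        peer.authenticated = True     # the defect: no certificate verification for type 2
        peer.role = "vhub"
        return True
    role = verify_certificate(peer.cert_serial)
    if role is None:
        return False
    peer.authenticated, peer.role = True, role
    return True


def proc_challenge_ack_hardened(peer):
    """Deny-by-default: every device type must present a trusted certificate, and the
    role comes from the certificate, never from the self-declared device type."""
    role = verify_certificate(peer.cert_serial)
    if role is None:
        return False
    peer.authenticated, peer.role = True, role
    return True


def handle_peer_message(peer, msg_type, payload, authorized_keys, hardened):
    """Type-14 handler that appends a key line to the admin authorized_keys list.
    The hardened path also requires the vManage role and a well-formed key line."""
    if not peer.authenticated or msg_type != MSG_VMANAGE_TO_PEER:
        return False
    if hardened:
        if peer.role != "vmanage":
            return False
        fields = payload.split()
        if len(fields) < 2 or not fields[0].startswith(("ssh-", "ecdsa-")):
            return False
    authorized_keys.append(payload.strip())
    return True


if __name__ == "__main__":
    attacker = Peer(device_type=DEVICE_VHUB, cert_serial=None)
    keys = []
    print("vulnerable:", proc_challenge_ack_vulnerable(attacker),
          handle_peer_message(attacker, MSG_VMANAGE_TO_PEER, "ssh-ed25519 AAAA x", keys, False))
    attacker = Peer(device_type=DEVICE_VHUB, cert_serial=None)
    print("hardened:  ", proc_challenge_ack_hardened(attacker))
```

Two checks are independent here: authentication (does this peer hold a trusted certificate at all) and authorization (is this authenticated peer allowed to push an SSH key). Fixing only the first still leaves any authenticated edge able to write to the controller's admin account, so the hardened message handler binds the privileged operation to the vManage role.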

Which Systems Are Affected

Cisco Catalyst SD-WAN Controller (vSmart Controller) in versions with the vulnerable vbond_proc_challenge_ack() implementation. A detailed table of affected and patched versions is included in the Cisco Security Advisory.


What to Do Now

For RoguePlanet

No patch exists and the timeline is unknown. If your infrastructure relies primarily on Microsoft Defender, consider deploying a supplemental EDR solution: CrowdStrike, SentinelOne, or Sophos. This flaw is specific to how Defender implements file remediation; other solutions don't share it.

The most impactful mitigation available is application allowlisting via Windows Defender Application Control (WDAC) or AppLocker: if unauthorised code cannot execute, the exploit cannot function. Enforcing Least Privilege by minimising unnecessary local administrative rights significantly reduces the value of escalation even when it occurs.

Monitor MSRC records for CVE-2026-47281 and keep automatic updates enabled. When a patch arrives, it will come through a Defender engine update outside the standard Patch Tuesday cycle.

For Check Point VPN

Patch immediately. The patch has been available since June 8, 2026 as the Hotfix described in Security Advisory sk182671. Update all Check Point gateways with Remote Access VPN or Mobile Access enabled.

If patching cannot happen immediately, temporarily disabling IKEv1 is a mitigation option depending on your environment. Review logs from May and early June 2026: the vulnerability was actively exploited for weeks before the patch existed. Look for unexpected VPN connections, particularly from IP addresses or locations outside the normal access pattern.

Companion CVE-2026-50752 (MitM bypass) applies to weakened configurations and is covered by the same sk182671 update.

For Cisco SD-WAN

Patch immediately and verify the versions of all SD-WAN Controller (vSmart) nodes in your infrastructure. The detailed table of fixed versions is in the Cisco Security Advisory.

As a temporary mitigation, restrict access to UDP port 12346 via firewall rules to legitimate SD-WAN nodes only. If this port is reachable from the internet or from untrusted network segments, exposure is critical.

Check the file /home/vmanage-admin/.ssh/authorized_keys on all vSmart controllers: if an attacker injected an SSH key, it will persist after patching the system. Patching closes the entry vector but does not remove existing backdoors.
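One way to perform that check is to fingerprint every entry in the file and compare it to a baseline of approved keys, so that a key nobody provisioned stands out. The script below is an added example written for this page, not Cisco's tooling: the OpenSSH SHA256 fingerprint (base64 of the SHA-256 of the decoded key blob) is real, but the sample file, the baseline and the constructed key blobs exist only so it runs offline. On a real controller you would read /home/vmanage-admin/.ssh/authorized_keys and supply your own baseline.

```python
"""
Added example (not Cisco's tooling): audit an authorized_keys file against a
baseline of approved SHA256 fingerprints. The sample file, baseline and key
blobs are constructed here so the script runs without a real controller.
"""
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack("!I", len(b)) + b


def fingerprint(blob_b64):
    """OpenSSH-style SHA256 fingerprint of a base64 public key blob."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def embedded_key_type(blob_b64):
    """Key type stored inside the blob (first SSH string of the wire format)."""
    raw = base64.b64decode(blob_b64)
    (length,) = struct.unpack("!I", raw[:4])
    return raw[4:4 + length].decode("ascii", "replace")


def parse_authorized_keys(text):
    """Split each key line into options, declared type, blob and comment.
    Simplification: option values containing whitespace are not handled."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            entries.append({"line": lineno, "error": "unparseable", "raw": line})
            continue
        entries.append({"line": lineno, "options": fields[:idx], "type": fields[idx],
                        "blob": fields[idx + 1], "comment": " ".join(fields[idx + 2:])})
    return entries


def audit_authorized_keys(text, approved_fingerprints):
    """One finding per line that is unparseable, has a declared/embedded type
    mismatch, or carries a key whose fingerprint is not in the approved baseline."""
    findings = []
    for e in parse_authorized_keys(text):
        if "error" in e:
            findings.append({"line": e["line"], "reason": e["error"]})
            continue
        try:
            fp = fingerprint(e["blob"])
            inner = embedded_key_type(e["blob"])
        except (ValueError, struct.error):
            findings.append({"line": e["line"], "reason": "invalid base64 or wire format"})
            continue
        if inner != e["type"]:
            findings.append({"line": e["line"], "fingerprint": fp,
                             "reason": f"declared {e['type']} but blob is {inner}"})
        if fp not in approved_fingerprints:
            findings.append({"line": e["line"], "fingerprint": fp,
                             "reason": "key not in approved baseline", "comment": e["comment"]})
    return findings


def make_constructed_key(seed):
    """Constructed ed25519-shaped public key line (not a real key pair) for the sample."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([seed]) * 32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


# Constructed sample: one provisioned key, one unknown key with no comment.
APPROVED_LINE = make_constructed_key(1) + " vmanage-admin@ops-bastion"
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file, not from a real controller",
    APPROVED_LINE,
    make_constructed_key(2),
])
BASELINE = {fingerprint(APPROVED_LINE.split()[1])}

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(finding)
```

Comparing fingerprints rather than raw lines means a key that was re-added with different options or a new comment still matches the baseline, while any blob the baseline has never seen is reported regardless of how it is labelled. The same audit belongs in a scheduled job, since the page's point is that the key survives patching.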

Review DTLS handshake logs from early 2026. UAT-8616 was active before disclosure and compromise may have occurred significantly earlier than the vulnerability became publicly known.


What to Monitor

For RoguePlanet: Defender remediation operations directing writes to system directories (C:\Windows\System32). NTFS junction creation in user context immediately before a Defender detection event. SYSTEM shell launched from the MsMpEng.exe process. Suspicious COM activation from unexpected contexts.

For Check Point VPN: IKEv1 handshake packets with non-standard VPNExtFeatures Vendor ID payloads. Successful VPN authentication with no record of certificate validation or credential verification. VPN sessions from IP addresses or locations outside the historical access pattern. Any VPN activity from April and May 2026 not confirmed as legitimate.

For Cisco SD-WAN: DTLS handshakes on UDP 12346 from sources outside authorised SD-WAN nodes. Writes to authorized_keys on vSmart controllers. SSH logins to the NETCONF port (TCP 830) from unexpected sources. Changes to routing policies or SD-WAN topology without a corresponding change ticket.
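The two Cisco SD-WAN network indicators above (DTLS to UDP 12346 and NETCONF/SSH to TCP 830 from sources that are not SD-WAN nodes) are easy to check against flow records, and correlating them per source catches the handshake-then-SSH sequence the writeup describes. The following detector is an added example written for this page, not part of the original advisory or any Cisco product; the flow-record format, the fabric address range, the timestamps and the 15-minute correlation window are constructed for the example.

```python
"""
Added detection example (not from the advisory or Cisco): scan flow records for
the two SD-WAN network indicators and correlate them per source address.
Record format, fabric range, timestamps and window are constructed/assumed.
"""
import ipaddress
from datetime import datetime, timedelta

# Assumed: address range of legitimate SD-WAN nodes (constructed for the example).
SDWAN_NODES = [ipaddress.ip_network("10.50.0.0/24")]

WATCHED_PORTS = {
    ("udp", 12346): "DTLS control-plane handshake to vSmart",
    ("tcp", 830): "NETCONF/SSH login on vSmart",
}
CHAIN_WINDOW = timedelta(minutes=15)  # assumed window: handshake followed by SSH

# Constructed flow records in a simple key=value form (not a real export format).
SAMPLE_FLOWS = """\
2026-06-12T08:01:02Z src=10.50.0.12 dst=10.50.0.2 proto=udp dport=12346
2026-06-12T08:03:11Z src=203.0.113.77 dst=10.50.0.2 proto=udp dport=12346
2026-06-12T08:03:19Z src=203.0.113.77 dst=10.50.0.2 proto=tcp dport=830
2026-06-12T08:04:00Z src=10.50.0.13 dst=10.50.0.2 proto=tcp dport=443
"""


def parse_flow(line):
    """Parse one record: ISO timestamp followed by key=value fields."""
    ts, *kv = line.split()
    rec = dict(item.split("=", 1) for item in kv)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    rec["dport"] = int(rec["dport"])
    return rec


def is_fabric_node(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SDWAN_NODES)


def detect(flow_text):
    """Alert on watched ports from non-fabric sources; escalate a NETCONF login that
    follows a DTLS handshake from the same source within CHAIN_WINDOW."""
    alerts = []
    first_handshake = {}  # src -> time of its first non-fabric DTLS handshake
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        rec = parse_flow(line)
        key = (rec["proto"], rec["dport"])
        if key not in WATCHED_PORTS or is_fabric_node(rec["src"]):
            continue
        alert = {"ts": rec["ts"].isoformat(), "src": rec["src"], "dst": rec["dst"],
                 "what": WATCHED_PORTS[key], "severity": "medium"}
        if key == ("udp", 12346):
            first_handshake.setdefault(rec["src"], rec["ts"])
        elif key == ("tcp", 830):
            seen = first_handshake.get(rec["src"])
            if seen is not None and rec["ts"] - seen <= CHAIN_WINDOW:
                alert["severity"] = "high"
                alert["what"] += " shortly after a DTLS handshake from the same source"
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print(a["severity"], a["ts"], a["src"], "->", a["dst"], a["what"])
```

The allowlist is the whole control here: a DTLS handshake to 12346 from a fabric node is normal, so the detector only looks at sources that should never be talking to the controller at all, and treats the handshake-then-NETCONF sequence from one such source as the higher-confidence signal.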


Patch Now — and Check What Already Happened

Check Point (CVE-2026-50751): Security Advisory sk182671, available at support.checkpoint.com. Patch immediately. The exploit was in circulation weeks before the patch existed, and Qilin affiliates are actively using it.

Cisco SD-WAN (CVE-2026-20182): Cisco Security Advisory cisco-sa-sdwan-auth-bypass-2026. A Metasploit module is publicly available, making patch latency critical: every unpatched vSmart controller reachable on a network segment is an immediate target.

RoguePlanet (CVE-2026-47281): No patch exists. Monitor MSRC records and keep automatic Defender definition updates enabled. When a patch arrives, it will come through an engine update outside the standard Patch Tuesday cycle.


The Bigger Picture: June 2026 Attacks Across the Full Depth

Three June 2026 vulnerabilities together cover the full depth of enterprise infrastructure: endpoint, perimeter, backbone. This is not coincidence. It reflects the attack priorities of 2026. Attackers no longer rely on a single vulnerability: they look for a way through the perimeter, then through the network backbone, then escalate privileges on the endpoint.

Check Point and Cisco patches are available; deploying them is priority one. RoguePlanet, with no patch, requires compensating controls and monitoring. Logs from April and May 2026 are worth reviewing: in both cases, exploitation was underway weeks before a patch existed, and any compromise that occurred during that window won't be cleaned up by patching the system.



CypherOn monitors the development of these vulnerabilities and updates this advisory as new information becomes available. Last updated: June 16, 2026.

Sources: Rapid7 Blog — Cisco SD-WAN CVE-2026-20182 · Cisco Security Advisory · Check Point Security Advisory sk182671 · BleepingComputer — Check Point VPN · Microsoft MSRC CVE-2026-47281 · ThreatLocker Blog — RoguePlanet Analysis · BleepingComputer — RoguePlanet · The Hacker News — Cisco SD-WAN