Q2 2026 Vulnerability Trends Report
AhnLab's Q2 2026 vulnerability trends report identifies 20,701 new CVEs, with Critical-severity vulnerabilities rising 62.5% from Q1 to 2,317. CISA's KEV catalog added 75 new entries, 87% of which were Critical or High severity. Attackers concentrated on externally exposed infrastructure (firewalls, VPNs, management panels) and supply chain compromises. The report highlights ten major CVEs across Ivanti, Fortinet, Palo Alto, Splunk, Google Chrome, Microsoft Exchange, cPanel, Ubiquiti, and DAEMON Tools, with RCE and privilege escalation being the dominant impact categories.
Detection / Hunteropenrouter
What Happened
A security research team published a quarterly report showing that over 20,000 new software security flaws were discovered between April and June of 2026, with more than 2,300 of them rated as the most dangerous category. The number of highly critical flaws jumped by more than 60% compared to the previous quarter. Attackers are primarily targeting systems that are directly reachable from the internet, such as corporate firewalls, remote access tools, and administrator control panels. They are also increasingly tampering with legitimate software downloads and open-source code libraries to sneak malware into organizations. The report lists ten specific software products with serious security holes, including products from Ivanti, Fortinet, Palo Alto Networks, Google, and Microsoft. Organizations should prioritize patching any systems that appear on government exploit watchlists, restrict access to administrative panels, and verify the integrity of software downloaded from third parties.
Key Takeaways
- 20,701 new CVEs reported in Q2 2026, with 2,317 rated Critical (CVSS 9.0+), a 62.5% increase from Q1's 1,426 Critical CVEs
- 75 vulnerabilities added to CISA KEV in Q2 2026; 39 were Critical and 65 were Critical or High combined, with CWE-20 and CWE-306 being the most frequently exploited categories
- Attacks concentrated on externally exposed devices: firewalls, VPNs, enterprise management panels, and authentication portals
- Supply chain attacks via compromised official installation packages and npm packages were a notable trend
- Time between vulnerability disclosure and active exploitation has shortened significantly, partly due to AI-assisted exploit development
Affected Systems
- Ivanti Sentry
- LiteSpeed User-End cPanel Plugin
- Ubiquiti UniFi OS
- Fortinet FortiClientEMS
- Splunk Enterprise (PostgreSQL sidecar endpoint)
- DAEMON Tools Lite
- cPanel & WHM
- Palo Alto Networks PAN-OS (User-ID authentication portal / Captive Portal)
- Google Chrome (Dawn / WebGPU component)
- Microsoft Exchange Server
Vulnerabilities (CVEs)
| CVE | Product | Severity | Description |
|---|---|---|---|
| CVE-2026-10520 | Ivanti Sentry | Critical | Command injection vulnerability allowing an unauthenticated threat actor to achieve remote code execution at root privilege level. |
| CVE-2026-48172 | LiteSpeed User-End cPanel Plugin | Privilege escalation vulnerability with confirmed real-world exploitation. | |
| CVE-2026-34908 | Ubiquiti UniFi OS | Lack of access control allows settings to be changed without administrator authentication. | |
| CVE-2026-35616 | Fortinet FortiClientEMS | Insufficient access control allows an unauthenticated threat actor to carry out a remote attack. | |
| CVE-2026-20253 | Splunk Enterprise (PostgreSQL sidecar endpoint) | Unauthenticated users can invoke file operations on the PostgreSQL sidecar endpoint, potentially leading to remote code execution. | |
| CVE-2026-8398 | DAEMON Tools Lite | A Trojan horse was inserted into the official installation package, representing a supply chain compromise. | |
| CVE-2026-41940 | cPanel & WHM | Authentication bypass vulnerability allowing an unauthenticated remote threat actor to access the control panel. | |
| CVE-2026-0300 | Palo Alto Networks PAN-OS (User-ID authentication portal / Captive Portal) | Buffer overflow vulnerability allowing code execution with root privileges through the User-ID authentication portal. | |
| CVE-2026-5281 | Google Chrome (Dawn / WebGPU) | Use After Free vulnerability in the Dawn WebGPU component that could lead to renderer takeover and sandbox bypass. | |
| CVE-2026-42897 | Microsoft Exchange Server | XSS vulnerability exploited to achieve initial breach via malicious emails or links and to steal administrator privileges. |
Attack Chain
- Initial Access: Attackers exploit externally exposed vulnerabilities in firewalls, VPNs, management panels, or authentication portals (e.g., CVE-2026-0300, CVE-2026-41940, CVE-2026-10520)
- Initial Access (Alternate): Supply chain compromise via trojanized official installation packages or malicious npm packages (e.g., CVE-2026-8398)
- Initial Access (Alternate): XSS in Microsoft Exchange Server exploited via malicious emails or links to steal administrator credentials (CVE-2026-42897)
- Execution & Privilege Escalation: Command injection or buffer overflow enables root-level remote code execution on target systems
- Persistence & Lateral Movement: Authentication bypass and insufficient access control allow attackers to change settings and maintain access without valid credentials
- Impact: Compromised systems can be leveraged for ransomware distribution, botnet deployment, or further network intrusion
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article is a trends report and does not include any detection rules, queries, or signatures. It provides CVE references and high-level attack trend analysis only.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Low | The article describes vulnerabilities in network appliances, management panels, and web applications where EDR agents are typically not installed. Endpoint-based detection for CVE-2026-8398 (trojanized installer) would depend on whether the specific installer package hash is known. |
| Network Visibility | Medium | Exploitation of externally facing services (firewalls, VPNs, captive portals) would generate anomalous network traffic patterns, but the article does not provide specific network indicators. NIDS coverage would require vendor-specific threat signatures for each CVE. |
| Detection Difficulty | Hard | Many affected systems are network appliances and infrastructure components where traditional endpoint telemetry is unavailable. Detection requires vendor-specific patches, IDS signatures, and careful monitoring of externally exposed services. The shortened time-to-exploit further complicates proactive detection. |
Required Log Sources
- Web application firewall (WAF) logs for management panels and authentication portals
- Network appliance system logs (firewall, VPN appliance logs)
- Authentication and access logs for cPanel, UniFi OS, and Exchange Server
- Software installation and package manager audit logs for supply chain detection
- CISA KEV catalog monitoring feed
- Vulnerability scanner output for asset inventory cross-referencing
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for anomalous authentication events against externally exposed management panels and captive portals, particularly attempts that succeed without proper credentials, which may indicate exploitation of authentication bypass vulnerabilities such as CVE-2026-41940 or CVE-2026-34908. | Authentication logs, WAF logs, reverse proxy access logs for cPanel, UniFi OS, and PAN-OS Captive Portal endpoints | Initial Access | Medium — legitimate administrative access and load balancer health checks may generate similar patterns |
| Consider hunting for command injection patterns in HTTP requests targeting Ivanti Sentry or PAN-OS authentication portal endpoints, which may indicate exploitation of CVE-2026-10520 or CVE-2026-0300. | WAF logs, network IDS alerts, HTTP request logs for affected appliance management interfaces | Execution | Low — command injection payloads in HTTP requests to appliance management interfaces are rarely benign |
| Consider hunting for newly installed software packages whose signatures or hashes differ from vendor-published originals, which may indicate supply chain compromise such as CVE-2026-8398. | Software inventory logs, package manager audit logs, endpoint installation telemetry | Initial Access | Medium — legitimate software updates and custom builds may trigger alerts if baseline hashes are not maintained |
| Consider hunting for XSS-related activity in Microsoft Exchange Server logs, particularly anomalous emails containing script payloads or unexpected access patterns following email interaction, which may indicate exploitation of CVE-2026-42897. | Exchange Server transport logs, IIS logs, mailbox audit logs, email security gateway logs | Initial Access | Medium — legitimate email campaigns and webmail usage may produce similar traffic patterns |
| Consider hunting for unauthenticated file operations against Splunk Enterprise PostgreSQL sidecar endpoints, which may indicate exploitation of CVE-2026-20253. | Splunk internal logs, web server access logs for Splunk management interfaces, network flow data to Splunk server | Execution | Low — unauthenticated file operations on database sidecar endpoints are highly suspicious |
Control Gaps
- Network appliances (firewalls, VPN concentrators) typically lack EDR coverage, limiting post-exploitation detection on these devices
- WAF and IDS may not have signatures for newly disclosed CVEs given the shortened time-to-exploit window
- Supply chain compromises via trojanized installers may bypass application whitelisting if the installer is digitally signed by the vendor
- Authentication bypass vulnerabilities may not trigger alerts if the access appears to come through legitimate authentication channels
- XSS-based initial access via email may bypass email security gateways if payloads are obfuscated or hosted on legitimate infrastructure
Key Behavioral Indicators
- Unauthenticated access to administrative control panels or settings modification endpoints
- Unexpected root-level process execution originating from web-facing services on network appliances
- HTTP requests containing command injection payloads targeting appliance management interfaces
- Software installation events where the package hash does not match the vendor's published checksum
- Anomalous email content containing script tags or JavaScript payloads targeting Exchange Server users
- Unauthenticated file read/write operations against Splunk PostgreSQL sidecar endpoints
False Positive Assessment
Low — the article describes specific CVEs with confirmed or likely exploitation; detection efforts focused on these vulnerabilities would have low false positive rates when properly scoped to affected products and versions
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Cross-reference all deployed assets against the ten CVEs listed in this report and prioritize patching for any externally exposed instances of Ivanti Sentry, PAN-OS Captive Portal, cPanel & WHM, Splunk Enterprise, and Microsoft Exchange Server.
- Consider checking all internet-facing management panels, authentication portals, and VPN concentrators against the CISA KEV catalog and applying patches for any listed vulnerabilities as a top priority.
- If applicable, consider temporarily restricting internet exposure of management interfaces (cPanel, UniFi OS, FortiClientEMS) to internal IP ranges or VPN-only access until patches can be applied.
- Consider verifying the integrity of any recently downloaded DAEMON Tools Lite installer packages against the vendor's official checksums, and quarantine any packages that do not match.
Infrastructure Hardening
- Evaluate whether all administrative control panels and internal authentication portals can be moved behind a VPN or restricted to internal IP ranges rather than being exposed to the public internet
- Consider implementing multi-factor authentication for all externally accessible management interfaces, especially for cPanel, UniFi OS, and Exchange Server administrator accounts
- If supported by your tooling, consider deploying attack surface management (ASM) solutions to continuously monitor for newly exposed services and ports on your perimeter
- Evaluate whether network segmentation can isolate network appliance management interfaces from general corporate network traffic
- Consider implementing a formal supply chain verification process for all third-party software downloads, including checksum validation and sandboxed installation testing
User Protection
- Consider deploying email security controls that can detect and block XSS payloads in email content targeting Exchange Server users
- If applicable, consider browser security policies that restrict WebGPU API access in Google Chrome to trusted origins only, as a mitigation for CVE-2026-5281
- Evaluate whether endpoint protection can detect trojanized installer packages through behavioral analysis of post-installation activity
Security Awareness
- Consider incorporating supply chain attack awareness into existing security training programs, emphasizing the risk of downloading software from unofficial sources
- Consider briefing administrative staff on the elevated risk of phishing emails containing links that may exploit XSS vulnerabilities in Exchange Server
- If your organization uses npm or other package managers, consider educating development teams on the risk of compromised packages and the importance of dependency verification