Weekly Threat Roundup: Ivanti & Chrome Zero-Days (June 8-14)

Cybersecurity roundup for 2026-06-08 to 2026-06-14. 4 CVE advisories, 3 breach reports, 5 threat news stories.

This Week at a Glance

This week saw critical, actively exploited vulnerabilities in Ivanti Sentry (CVSS 10.0) and Google Chrome V8, alongside a data breach at the University of Nottingham exposing 455K accounts. CISA added multiple flaws to its KEV catalog, and threat actors resumed targeting education and financial sectors on the dark web.

Top Vulnerabilities

  • CVE-2026-10520 (CVSS 10.0, Critical) [ACTIVELY EXPLOITED]: An OS command injection in Ivanti Sentry allows remote unauthenticated code execution. Patch immediately.
  • CVE-2026-35273 (CVSS 9.8, Critical) [ACTIVELY EXPLOITED]: Oracle PeopleSoft PeopleTools vulnerability enabling unauthenticated takeover.
  • CVE-2026-11645 (CVSS 8.8, High) [ACTIVELY EXPLOITED]: Chrome V8 out-of-bounds read/write used in the wild. Update Chrome to 149.0.7827.103+.
  • CVE-2026-25089 (CVSS 9.8, Critical): OS command injection in Fortinet FortiSandbox enabling unauthenticated RCE.

Data Breaches

  • University of Nottingham: 455K accounts exposed.
  • Berkadia: 305K accounts leaked by ShinyHunters.
  • Infinite Campus: 137K staff accounts exposed.

Threat Intelligence

Dark web actors claimed breaches at Global Schools Foundation (by FulcrumSec), HDFC Fund (by Morpheus), and a 40GB dump from the University of Nottingham (by ShinyHunters). CISA also added Cisco, Chrome, and Arista flaws to its KEV catalog, while a critical Check Point VPN flaw is being exploited to bypass IKEv1 passwords. The LiteLLM flaw (CVE-2026-42271) is being chained for unauthenticated RCE.

Key Takeaway

Attackers are increasingly chaining low-severity flaws (like LiteLLM) into full unauthenticated RCE. Security teams should prioritize patch management for edge devices (Ivanti, Fortinet) and browser updates (Chrome), while monitoring for post-exploitation lateral movement from initial access gained via these vectors.
