Critical Security Alerts: Cisco SD-WAN, Palo Alto VPN & UniFi Vulnerabilities

Urgent security updates for Cisco SD-WAN vManage zero-day, Palo Alto GlobalProtect VPN flaw, and UniFi OS path traversal CVE-2026-47368. Plus: OpenVPN setup guide for UniFi gateways.

Patch Tuesday Came Early: Three Active Exploits Targeting Your Network Infrastructure

If you manage UniFi gear, Cisco SD-WAN, or Palo Alto GlobalProtect VPNs, today is a drop-everything-and-patch kind of day.

CVE-2026-47368: Your UniFi OS Is Leaking — Patch It Now

A path traversal vulnerability in UniFi OS — the management layer running on your Dream Machine, Cloud Gateway, and UniFi controllers — is now public and weaponizable. CVE-2026-47368 allows an attacker to walk outside the intended directory structure and read files they have no business touching: think configuration data, credentials, and system internals that could fuel a deeper compromise.

Path traversal bugs sound boring until you realize what UniFi OS sits on top of — your firewall rules, VPN configs, network topology, and user credentials. This isn't a theoretical risk. CyCognito flagged this as an emerging threat, which means exploitation tooling is either already circulating or imminent.

What to do: Log into your UniFi console right now and check your firmware version. Ubiquiti has released a patched build — update every UniFi OS device in your fleet. If you're running a self-hosted controller on top of UniFi OS hardware, that device still needs the OS-level patch regardless of controller version. Prioritize internet-exposed management interfaces first. If your UniFi console is reachable from the WAN for any reason, that's your highest-urgency target. Restrict management access to a dedicated VLAN or VPN tunnel while you work through the patch rollout.


CVE-2026-20262: Cisco SD-WAN Manager Zero-Day Is Being Actively Exploited in the Wild

This one has the worst possible status: confirmed in-the-wild exploitation before the patch dropped. CVE-2026-20262 in Cisco Catalyst SD-WAN Manager (formerly vManage) allows attackers to escalate privileges all the way to root. Federal agencies have a hard deadline of June 29 to remediate — but if you're running SD-WAN Manager in any environment, you shouldn't wait that long.

Root-level access on your SD-WAN orchestration platform means an attacker can push policy changes to every edge device under management, reroute traffic, or establish persistent backdoors across your entire WAN fabric. The blast radius here is enormous in enterprise environments.

Cisco has published patches — BleepingComputer has solid coverage of the specific affected versions and fix builds. The short version: if you're on Catalyst SD-WAN Manager and haven't applied the June 2026 security advisory, you're exposed to an actively exploited root escalation path.

What to do: Pull the Cisco advisory, identify your vManage version, and apply the patch immediately. Audit your vManage access logs for anomalous activity going back at least 30 days. Restrict management plane access to known administrative source IPs if you haven't already — this should have been done at deployment, but now is not the time for retrospection.


CVE-2026-0257: Palo Alto GlobalProtect Authentication Bypass — Unit 42 Confirms Active Exploitation

Palo Alto's own Unit 42 threat intelligence team confirmed active exploitation of CVE-2026-0257, an authentication bypass hitting the GlobalProtect portal and gateway components in PAN-OS. Authentication bypass in a VPN gateway is about as bad as it sounds — attackers can potentially gain access without valid credentials, bypassing the entire identity layer you've built your remote access security around.

GlobalProtect is deployed at scale across enterprise and mid-market organizations. If your remote workforce tunnels through it, or if it's your primary site-to-site VPN solution, this is a critical exposure. Unit 42 flagging active exploitation means this isn't a proof-of-concept situation — real attackers are using this right now.

What to do: Check your PAN-OS version against Palo Alto's security advisory and patch immediately. While you're scheduling the maintenance window, enable Threat Prevention signatures if you're licensed for them — Palo Alto has published signatures that can provide interim mitigation. Review GlobalProtect authentication logs for unusual successful authentications, unexpected source geographies, or access patterns that don't match your user baseline. Consider temporarily requiring certificate-based authentication as an additional layer while patching is underway.
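
The log review described above can be scripted. This is an added example, not code from the original article or from Palo Alto: it flags successful logins after a chosen cutover date that break each user's earlier baseline. The CSV layout, the `review_auth_log` name, the sample rows and the cutover date are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export with columns time,user,src_ip,country,result.
# The layout is an assumption for this example, not PAN-OS's native log format.
SAMPLE_LOG = """\
2026-05-04T08:12:00,alice,198.51.100.10,US,success
2026-05-12T17:40:00,bob,203.0.113.25,DE,success
2026-06-02T08:30:00,alice,198.51.100.10,US,success
2026-06-03T03:14:00,alice,192.0.2.77,BR,success
2026-06-03T03:20:00,svc-backup,192.0.2.77,BR,success
2026-06-04T02:05:00,bob,203.0.113.25,DE,success
2026-06-04T10:00:00,bob,203.0.113.99,DE,failure
"""


def review_auth_log(text, cutover, hour_slack=2):
    """Return (time, user, src_ip, reasons) for post-cutover successes that break baseline."""
    rows = sorted((r for r in csv.reader(io.StringIO(text)) if r), key=lambda r: r[0])
    countries = defaultdict(set)  # user -> countries seen before cutover
    hours = defaultdict(set)      # user -> login hours seen before cutover
    findings = []
    for ts, user, ip, country, result in rows:
        if result != "success":
            continue  # the concern here is logins that succeeded
        when = datetime.fromisoformat(ts)
        if when < cutover:
            countries[user].add(country)
            hours[user].add(when.hour)
            continue
        reasons = []
        if user not in countries:
            reasons.append("no-baseline")  # account never seen logging in before
        else:
            if country not in countries[user]:
                reasons.append("new-country")
            lo, hi = min(hours[user]) - hour_slack, max(hours[user]) + hour_slack
            if not lo <= when.hour <= hi:
                reasons.append("off-hours")
        if reasons:
            findings.append((ts, user, ip, reasons))
    return findings


if __name__ == "__main__":
    for finding in review_auth_log(SAMPLE_LOG, datetime(2026, 6, 1)):
        print(finding)
```

Timestamps are compared as logged, so normalize time zones before feeding in real exports.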


Set Up OpenVPN on Your UniFi Gateway the Right Way

Given the week's theme of VPN security, this community guide from Xeovo Hub is well-timed. If you're running a UniFi gateway and want to stand up an OpenVPN server — whether for remote access to your home lab, a small office, or a client site — this is one of the cleaner walkthroughs available right now.

UniFi's native OpenVPN implementation has historically been a bit buried in the UI, and the certificate management piece trips people up. The Xeovo guide walks through the full flow: generating the CA and client certs, configuring the server profile in UniFi, and getting a client connected. It's community-reviewed, which matters — the steps have been validated by people actually running this in production rather than just screenshotted from a lab VM that never saw real traffic.

What to do: If you've been meaning to lock down remote access to your UniFi environment with a proper VPN tunnel rather than exposing the management interface directly — and given CVE-2026-47368 above, you absolutely should be — this guide is your weekend project. Pair it with a firewall rule that blocks all WAN access to your UniFi console except through the VPN tunnel, and you've meaningfully reduced your attack surface.

