
AI, Ancient Bugs, Fresh Exploits, and an Overflowing Patch Queue

A trio of fresh flaws highlights the heightened vulnerability of the entire enterprise software stack, as the combination of automated scanning, the availability of exploit code, and patching delays is cited as a factor in the rise of vulnerability exploitation as a preferred entry point.

In early June, Google, Cisco, and SolarWinds released high-priority security updates to address high-impact flaws with either active exploitation or public exploit code that enable remote code execution (RCE) across enterprise endpoints, voice/collaboration infrastructure, and file transfer servers. This comes at a time when, for the first time in the 19-year history of Verizon’s Data Breach Investigations Report, exploited software vulnerabilities have surpassed stolen credentials as the top attack vector.

Andrew Storms, embedded security lead at Kilo Code, has a theory as to why all of this is happening now. “My bet is on either AI making more RCE-like bugs, or AI finding more of them that likely already existed and were not found,” he said. “AI is finding the vulnerabilities we shipped years ago and forgot. One of the FFmpeg flaws surfaced this month was written into the code in 2003 and sat there untouched for more than twenty years. And it is not a one-off.”

Storms detailed the example of an Anthropic researcher using Claude Code to find a heap overflow in the Linux kernel that had been there for 23 years, in NFS, code that has been audited and fuzzed for two decades. “The bugs are old. What is new is that something finally went looking,” Storms said.


The increasingly vulnerable enterprise tech stack

Theories aside, this current trio of RCE flaws highlights how vulnerable enterprises are across their technology stacks today. In its June 2026 Android security bulletin, Google released fixes for 124 vulnerabilities, including a high-severity elevation-of-privilege flaw in the Android Framework tracked as CVE-2025-48595. The company said the bug, which affects Android 14, 15, 16, and 16 QPR2, has already been exploited in limited, targeted attacks.

Security patch levels of 2026-06-05 or later include the fix, and Google urged users and enterprises to ensure devices are updated.

Cisco, meanwhile, addressed a vulnerability in its Unified Communications Manager (Unified CM) and Unified CM Session Management Edition, identified as CVE-2026-20230. The flaw is described as a server-side request forgery issue arising from improper validation of specific HTTP requests. According to Cisco and external analyses, a remote, unauthenticated attacker could send crafted requests that perform arbitrary file writes on the underlying operating system, paving the way to root-level access. Cisco has assigned a high-severity rating to the issue and released patches, while security researchers have reported publicly available proof-of-concept exploit code targeting the flaw.

SolarWinds issued an update for its Serv-U file transfer software to fix CVE-2026-28318, a high-severity vulnerability involving uncontrolled resource consumption. Documentation and vulnerability listings describe how unauthenticated attackers can send specially crafted HTTP POST requests, including those that use certain content encoding headers, to cause the Serv-U service to crash, resulting in a denial-of-service condition. The flaw has been corrected in Serv-U version 15.5.4 HF1.

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-28318 to its Known Exploited Vulnerabilities catalog, citing evidence that the issue is being used in the wild to crash exposed Serv-U instances, and has urged organizations to apply the vendor’s updates by specified deadlines.

The three June flaws sit at three distinct layers of enterprise environments, each commonly reachable from the internet or from semi-trusted networks: Android devices are widely used in both bring-your-own-device and corporate-owned environments; Cisco Unified CM underpins voice and collaboration infrastructure in many enterprises and public-sector organizations; and Serv-U is deployed to handle secure file transfers between internal systems and external partners and often sits at or near the network edge.

The trio’s disclosure comes as Verizon’s 2026 Data Breach Investigations Report reported a notable shift: for the first time in the report’s 19-year history, exploitation of software vulnerabilities has overtaken stolen credentials as the most common initial access vector in breaches. Verizon and commentators on the report highlight that exploited vulnerabilities now account for roughly 31% of initial access paths, surpassing the share attributed to credential theft and reuse.

The DBIR findings also point to a growing focus by attackers on externally exposed services and appliances, including VPNs, file transfer systems, unified communications platforms, and other Internet-facing infrastructure. The combination of automated scanning, the availability of exploit code, and delays in patching is cited as a factor in the rise of vulnerability exploitation as a preferred entry method.

Mitigation and defense

Security advisories related to the June flaws emphasize the importance of promptly applying vendor patches and updates. Google’s bulletin instructs users and administrators to move devices to the June 2026 patch level or later. Cisco’s guidance provides fixed software releases for Unified CM and Unified CM Session Management Edition and recommends that customers upgrade to remediated versions as soon as practical. SolarWinds has directed Serv-U customers to install the updated release and has documented the conditions under which the vulnerability can be triggered, while CISA’s listing of CVE-2026-28318 in the Known Exploited Vulnerabilities catalog makes remediation a time-bound requirement for many U.S. federal agencies.

In addition to software updates, some advisories and third-party commentary recommend interim mitigations where immediate patching is not possible. These include restricting network access to affected services, placing them behind reverse proxies or application firewalls, and tightening authentication and logging on related systems. Enterprises are also being advised to verify their inventories of Android devices, unified communications deployments, and file transfer servers to ensure that all relevant assets receive the necessary updates and that no legacy or shadow systems remain exposed.
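As an added example (not from the article or from any of the vendors), the inventory check below compares a constructed asset list against the two fixed levels the advisories state: Android security patch level 2026-06-05 and Serv-U 15.5.4 HF1. The Cisco fixed release is not given above, so Unified CM is deliberately left out rather than guessed; the Serv-U hotfix suffix is the edge case a naive version compare would miss.

```python
from datetime import date
import re

# Fixed levels stated in the advisories quoted above.
FIXED_ANDROID_PATCH_LEVEL = date(2026, 6, 5)   # security patch level
FIXED_SERVU = (15, 5, 4, 1)                     # 15.5.4 HF1 as (major, minor, patch, hotfix)

def parse_servu(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH[ HFn]' into a comparable tuple; hotfix is 0 if absent."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\s*HF(\d+))?", version.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised Serv-U version: {version!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch), int(hf or 0))

def android_patched(patch_level: str) -> bool:
    """True if a ro.build.version.security_patch value (YYYY-MM-DD) is at or past the fix."""
    return date.fromisoformat(patch_level) >= FIXED_ANDROID_PATCH_LEVEL

def servu_patched(version: str) -> bool:
    """True only at 15.5.4 HF1 or later; plain 15.5.4 still lacks the hotfix."""
    return parse_servu(version) >= FIXED_SERVU

def unpatched_assets(inventory: list) -> list:
    """Return the names of inventory entries still below the fixed level."""
    checks = {"android": android_patched, "serv-u": servu_patched}
    flagged = []
    for asset in inventory:
        check = checks.get(asset["product"])
        if check is None:
            raise ValueError(f"no fixed level known for {asset['product']!r}")
        if not check(asset["version"]):
            flagged.append(asset["name"])
    return flagged

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"name": "phone-01", "product": "android", "version": "2026-06-05"},
    {"name": "phone-02", "product": "android", "version": "2026-05-01"},
    {"name": "ftp-edge", "product": "serv-u", "version": "15.5.4"},
    {"name": "ftp-dmz", "product": "serv-u", "version": "15.5.4 HF1"},
]

if __name__ == "__main__":
    print(unpatched_assets(SAMPLE_INVENTORY))  # ['phone-02', 'ftp-edge']
```

On a real fleet the Android value comes from `adb shell getprop ro.build.version.security_patch` and the Serv-U value from the server's own version banner or management console.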

Vendors and security organizations continue to publish technical details, detection guidance, and indicators associated with these vulnerabilities and their exploits. As information evolves, enterprises will be forced to adjust their patching priorities and monitoring strategies.

“Get your testing and patching in order now, the tsunami is already here,” Storms said. “There is no clever new answer here. It is the oldest one in the book. Patch your stuff. We are back to 2004 again, except this time the bug pile refills itself. AI has made finding flaws cheap and nearly endless, so the queue that already broke us is about to get much bigger,” he concluded.
