>_ 0dayNews
Briefing · 2026-06-29-weekly

Week in Review: Five Zero-Days, One Pattern — Edge Devices Are the Front Line

This week's SITREP: Cisco IOS XE, Citrix Bleed, the Ivanti Connect Secure chain, PAN-OS GlobalProtect, and Outlook's MonikerLink bug — plus what's still active in the CISA KEV catalog and what to watch next.

tldr.txt
  • Five vulnerabilities this desk profiled this week share a common shape: perimeter and edge devices (firewalls, VPN gateways, network OS) remain the preferred initial-access vector for both nation-state and ransomware actors
  • Citrix Bleed (CVE-2023-4966) and the Ivanti Connect Secure chain (CVE-2023-46805 / CVE-2024-21887) both demonstrate that patching alone is not remediation — stolen sessions and deployed implants can survive a patch
  • Cisco IOS XE's CVE-2023-20198 and Palo Alto Networks' CVE-2024-3400 were both exploited as true zero-days, before any patch existed — underscoring that 'patch on release day' is necessary but not sufficient
  • Outlook's MonikerLink (CVE-2024-21413) shows the other major attack surface: a single click on a crafted link bypassing Protected View, no macro or attachment required
  • CISA's Known Exploited Vulnerabilities catalog remains the single best low-noise signal for prioritization — every CVE in this week's coverage is KEV-listed or has confirmed in-the-wild exploitation

This week’s desk coverage profiled five distinct vulnerabilities, but they share one structural theme worth naming up front: the devices and applications sitting at the network edge or handling the first click of a phishing chain remain the most consistently exploited targets, regardless of vendor.

Top stories this week

Cisco IOS XE Web UI Zero-Day — A maximum-severity privilege-escalation flaw in IOS XE’s web management interface, CVE-2023-20198, was exploited at mass scale before Cisco’s patch shipped. Independent scans found tens of thousands of compromised devices within days. The lesson administrators took away: disable internet-facing web management wherever it isn’t strictly required, and check for implants specifically — patching does not remove a backdoor already installed.

Citrix Bleed Explained: CVE-2023-4966 let attackers pull live session tokens directly from NetScaler ADC and Gateway memory, hijacking authenticated sessions without ever touching a password or MFA prompt. Ransomware-affiliated actors used it against multiple large enterprises. Critically, the patch alone didn’t help organizations that failed to also kill existing sessions — old tokens stayed valid.

The Ivanti Connect Secure Chain: CVE-2023-46805 and CVE-2024-21887, chained together, gave a suspected nation-state actor unauthenticated remote code execution on Ivanti’s VPN gateways for weeks before patches existed — severe enough that CISA issued an emergency directive ordering federal agencies to disconnect affected appliances outright.

PAN-OS GlobalProtect Zero-Day: CVE-2024-3400, a root-level command-injection flaw in Palo Alto Networks’ GlobalProtect feature, was exploited in the wild before disclosure by an actor deploying a custom backdoor dubbed UPSTYLE. When the firewall itself is the compromised device, the entire perimeter-security model is undermined.

Outlook’s MonikerLink Bug: CVE-2024-21413 is the odd one out on this list: not confirmed exploited pre-disclosure, but a near-zero-friction trigger (one click on a crafted link) that bypassed Outlook’s Protected View sandbox entirely. Patched in February 2024’s Patch Tuesday.

Also on the radar

A handful of additional CVEs from earlier in the year remain relevant context for this week’s coverage and are tracked on our KEV tracker:

  • CVE-2023-22515 — Atlassian Confluence’s broken-access-control flaw, which handed out admin accounts to unauthenticated attackers before Atlassian’s October 2023 fix.
  • CVE-2024-27198 — JetBrains TeamCity’s authentication-bypass bug, a reminder that CI/CD infrastructure compromise threatens the entire downstream software supply chain.
  • CVE-2023-28771 — A Zyxel firewall command-injection flaw that Mirai-variant botnets weaponized within weeks of disclosure, the kind of bug that thrives on unmanaged consumer and SMB edge hardware.
  • CVE-2023-34362 — The MOVEit Transfer SQL injection flaw behind one of 2023’s largest mass data-theft campaigns, exploited by the Clop ransomware group before a patch existed.

What to watch next week

  1. Whether any of this week’s five CVEs see new exploitation techniques or expanded KEV catalog deadlines as more telemetry comes in from affected vendors.
  2. Patch-adoption telemetry for PAN-OS and Ivanti customers — both vendors published mitigation options for organizations that can’t immediately apply the full patch.
  3. Any new CISA KEV catalog additions; we track new entries within 24 hours of publication.
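The KEV-driven prioritization and 24-hour tracking described in the bullets above, as an added example (not code from this desk): it indexes a feed in the shape of CISA's KEV JSON, ranks this week's CVEs by overdue status, due date and known ransomware use, and lists entries added in the last day. The feed content is a constructed sample with placeholder dates; the field names match the real catalog, but the dates and the omission of some CVEs are illustrative only.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match the real
# feed; dates are illustrative placeholders, and a few of the briefing's CVEs are left
# out on purpose to exercise the "not yet KEV-listed" path.
SAMPLE_KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2023-20198", "vendorProject": "Cisco", "product": "IOS XE",
  "dateAdded": "2024-01-02", "dueDate": "2024-01-09", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2023-4966", "vendorProject": "Citrix", "product": "NetScaler ADC/Gateway",
  "dateAdded": "2024-01-03", "dueDate": "2024-01-24", "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2024-3400", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
  "dateAdded": "2024-01-15", "dueDate": "2024-01-21", "knownRansomwareCampaignUse": "Unknown"},
 {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
  "dateAdded": "2023-12-01", "dueDate": "2023-12-22", "knownRansomwareCampaignUse": "Known"}
]}"""

# The CVEs profiled in this briefing.
TRACKED = ["CVE-2023-20198", "CVE-2023-4966", "CVE-2023-46805", "CVE-2024-21887",
           "CVE-2024-3400", "CVE-2024-21413"]

def load_kev(feed_text):
    """Index a KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}

def prioritize(kev, tracked, today_iso):
    """Rank tracked CVEs: overdue KEV entries first, then nearest due date, then
    ransomware-linked ones. CVEs absent from the catalog are returned separately."""
    today = date.fromisoformat(today_iso)
    listed, unlisted = [], []
    for cve in tracked:
        entry = kev.get(cve)
        if entry is None:
            unlisted.append(cve)
            continue
        due = date.fromisoformat(entry["dueDate"])
        listed.append({"cve": cve, "due": due.isoformat(), "overdue": due < today,
                       "ransomware": entry["knownRansomwareCampaignUse"] == "Known"})
    listed.sort(key=lambda r: (not r["overdue"], r["due"], not r["ransomware"]))
    return listed, unlisted

def new_entries_since(kev, today_iso, days=1):
    """CVE IDs added to the catalog within the last `days` days (the 24-hour window)."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=days)
    return sorted(c for c, v in kev.items() if date.fromisoformat(v["dateAdded"]) > cutoff)

if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    ranked, missing = prioritize(kev, TRACKED, "2024-01-15")
    for r in ranked:
        print(r["cve"], "due", r["due"], "OVERDUE" if r["overdue"] else "", "ransomware" if r["ransomware"] else "")
    print("not in KEV:", missing, "| added last 24h:", new_entries_since(kev, "2024-01-15"))
```

Against the live catalog, replace SAMPLE_KEV_JSON with the downloaded feed text and today's date; overdue entries with known ransomware use are the ones to act on first.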

Tip the desk

Source, document, or context on any vulnerability we’re tracking — or one we should be? Reach us at contact@0daynews.com or, for sensitive coordinated-disclosure matters, takedown@0daynews.com.

— The 0day News desk
