<p> <strong> Threat Assessment Level: ELEVATED </strong>
</p>
<p> Three CISA Known Exploited Vulnerability (KEV) additions in a single 72-hour window — targeting VPN gateways, mobile device management infrastructure, and endpoint browsers — have created an unprecedented compressed patching emergency for state government networks. Simultaneously, ransomware operators are actively refreshing campaigns against government targets, and a China-nexus espionage actor remains potentially embedded in state network infrastructure after a suspicious 22-day operational silence.
</p>
<p> This is not a theoretical risk briefing. These vulnerabilities are being exploited <em>right now</em>, with public exploit code available for the most severe.
</p>
<h2> <strong> What Changed </strong>
</h2>
<p> The period from June 9–11, 2026 saw a rapid escalation in confirmed threats to state government infrastructure:
</p>
<ul> <li> <strong> June 9: </strong> CISA added CVE-2026-50751 (Check Point Security Gateway authentication bypass, CVSS 9.3) and CVE-2026-11645 (Google Chrome V8 zero-day, CVSS 8.8) to the KEV catalog — both confirmed actively exploited </li> <li> <strong> June 9: </strong> CVE-2026-7473 (Arista EOS tunnel bypass) confirmed exploited, enabling attackers to inject traffic past network segmentation </li> <li> <strong> June 11: </strong> CISA added CVE-2026-10520 (Ivanti Sentry unauthenticated remote code execution, CVSS 10.0) to the KEV catalog — public proof-of-concept exploit available </li> <li> <strong> June 11–12: </strong> Gunra, Qilin, and PUNK SPIDER (Akira) ransomware groups refreshed targeting data confirming active campaigns against North American government entities </li> <li> <strong> June 10–11: </strong> FAMOUS CHOLLIMA (DPRK) activated new C2 infrastructure and updated the INVISIBLEFERRET malware family, indicating a preparation phase preceding new operations </li> <li> <strong> Ongoing: </strong> APT42/Charming Kitten (Iran — IRGC-IO) continues active credential harvesting operations via spearphishing and ClickFix social engineering against state government employees with access to law enforcement, regulatory, and infrastructure oversight systems </li> <li> <strong> Ongoing: </strong> China-nexus actor UNC5475 has been dormant for 22 days after confirmed exploitation of state government Cisco infrastructure — silence that likely indicates successful persistent access, not departure </li>
</ul>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Severity </strong> </p> </th> <th> <p> <strong> Actor/Source </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 21 May 2026 </p> </td> <td> <p> UNC5475 last observed exploiting Cisco ASA/FTD zero-days against government networks </p> </td> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> China-nexus (UNC5475) </p> </td> </tr> <tr> <td> <p> 9 Jun 2026 </p> </td> <td> <p> CVE-2026-7473 (Arista EOS tunnel bypass) added to CISA KEV </p> </td> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> Unknown actors </p> </td> </tr> <tr> <td> <p> 9 Jun 2026 </p> </td> <td> <p> CVE-2026-50751 (Check Point VPN auth bypass) added to CISA KEV </p> </td> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> Unknown actors </p> </td> </tr> <tr> <td> <p> 9 Jun 2026 </p> </td> <td> <p> CVE-2026-11645 (Chrome V8 RCE) added to CISA KEV </p> </td> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> Unknown actors </p> </td> </tr> <tr> <td> <p> 10 Jun 2026 </p> </td> <td> <p> FAMOUS CHOLLIMA (DPRK) activated new C2 infrastructure </p> </td> <td> <p> <strong> MODERATE </strong> </p> </td> <td> <p> DPRK (FAMOUS CHOLLIMA) </p> </td> </tr> <tr> <td> <p> 11 Jun 2026 </p> </td> <td> <p> CVE-2026-10520 (Ivanti Sentry RCE) added to CISA KEV; PoC published </p> </td> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> Unknown actors </p> </td> </tr> <tr> <td> <p> 11 Jun 2026 </p> </td> <td> <p> Qilin ransomware activity update — government targeting confirmed </p> </td> <td> <p> <strong> MODERATE </strong> </p> </td> <td> <p> Qilin/REVENANT SPIDER </p> </td> </tr> <tr> <td> <p> 12 Jun 2026 </p> </td> <td> <p> Gunra ransomware activity refresh — North America government targeting </p> </td> <td> <p> <strong> MODERATE </strong> </p> </td> <td> <p> Gunra </p> </td> </tr> </tbody>
</table>
<h2> <strong> Critical Vulnerability Analysis </strong>
</h2>
<h3> <strong> CVE-2026-10520: Ivanti Sentry — Unauthenticated Root RCE (CVSS 10.0) </strong>
</h3>
<p> This is the single highest-priority item for any state agency running Ivanti Sentry (formerly MobileIron Sentry). An OS command injection flaw allows a <em> remote, unauthenticated </em> attacker to achieve root-level code execution. No credentials required. No user interaction required. Public exploit code is available.
</p>
<p> <strong> Why this matters for state government: </strong> Ivanti Sentry is widely deployed across government environments as a gateway component for mobile device management. Compromise gives an attacker root access to a system that brokers trust between your MDM platform and managed devices — including phones and tablets used by agency leadership, law enforcement, and emergency management personnel.
</p>
<p> <strong> Affected versions: </strong> All versions prior to R10.5.2, R10.6.2, and R10.7.1.
</p>
<p> This is the third distinct Ivanti product vulnerability requiring emergency response in recent weeks, following CVE-2026-1281 and CVE-2026-1340 in Ivanti EPMM. The pattern indicates systemic code quality issues across the Ivanti product line — a vendor risk that demands strategic attention beyond individual patches.
</p>
<h3> <strong> CVE-2026-50751: Check Point Security Gateway — VPN Without a Password (CVSS 9.3) </strong>
</h3>
<p> A logic flaw in Check Point's Remote Access VPN implementation using the deprecated IKEv1 protocol allows an unauthenticated attacker to establish a full VPN connection <em>without providing valid credentials</em>. This effectively renders your VPN perimeter meaningless for any gateway still running IKEv1.
</p>
<p> <strong> Why this matters for state government: </strong> Many state agencies retain IKEv1 configurations for backward compatibility with legacy systems at smaller affiliated agencies or local government partners. This vulnerability turns that technical debt into an open door.
</p>
<h3> <strong> CVE-2026-11645: Chrome V8 — Drive-by Browser RCE (CVSS 8.8) </strong>
</h3>
<p> An out-of-bounds read/write vulnerability in Chrome's V8 JavaScript engine allows remote code execution via a crafted webpage. A state employee simply visiting a compromised or malicious website triggers exploitation — no clicks, no downloads, no warnings.
</p>
<p> <strong> Why this matters for state government: </strong> This is a watering-hole and spearphishing enabler. Combined with the VPN and gateway vulnerabilities above, an attacker could chain: credential-free VPN access (Check Point) → MDM gateway compromise (Ivanti Sentry) → browser-based lateral movement (Chrome V8). No evidence of active chaining has been observed yet, but the temporal clustering of these three KEVs within 72 hours is notable.
</p>
<h2> <strong> Ransomware Threat: Gunra, Qilin, and Akira Targeting Government </strong>
</h2>
<p> <strong>Gunra</strong>, <strong>Qilin</strong>, and <strong>PUNK SPIDER</strong> (Akira) ransomware operations all refreshed their activity profiles on June 11–12, with confirmed targeting of government, law enforcement, and critical infrastructure sectors in North America.
</p>
<p> <strong> Gunra </strong> (emerged April 2025) uses a combination of spearphishing and credentials purchased from Initial Access Brokers (IABs) to gain entry. Their ransom note (r3adm3.txt) and Tor-based data leak site indicate a mature double-extortion operation.
</p>
<p> <strong> Qilin </strong> continues to operate as one of the most prolific ransomware-as-a-service platforms targeting the public sector.
</p>
<p> <strong> PUNK SPIDER </strong> (Akira ransomware) — confirmed on June 11 to explicitly target US government entities via SonicWall VPN exploitation (CVE-2024-40766) — has augmented operations with AI-generated scripts that accelerate credential extraction and encryption timelines.
</p>
<p> The convergence of multiple ransomware groups simultaneously targeting state and local government reflects the sector's status as the #2 most-targeted vertical for ransomware, driven by limited budgets, legacy systems, and political pressure to restore services.
</p>
<h2> <strong> Nation-State Espionage: The Silence Is the Signal </strong>
</h2>
<h3> <strong> UNC5475 (China-Nexus) — 22 Days of Silence </strong>
</h3>
<p> UNC5475, a suspected Chinese espionage group, was last observed on May 21 exploiting zero-day vulnerabilities in Cisco ASA/FTD firewalls (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363) targeting government networks in the Americas. Their tradecraft includes deploying custom malware that hooks authentication functions, disables logging, and manipulates crash dumps to avoid forensic detection.
</p>
<p> Twenty-two days of silence from an actor with confirmed access to government network infrastructure is not reassuring — it is consistent with "low-and-slow" espionage tradecraft where the initial compromise phase gives way to quiet data collection. The absence of new indicators may mean they have achieved persistent access and no longer need to generate detectable activity.
</p>
<h3> <strong> APT42/Charming Kitten (Iran — IRGC-IO) </strong>
</h3>
<p> Iranian state-sponsored actors continue credential harvesting operations via spearphishing, with the ClickFix social engineering technique confirmed in use. State government employees with access to law enforcement, regulatory, or infrastructure oversight systems remain high-value targets for Iranian intelligence collection.
</p>
<h3> <strong> FAMOUS CHOLLIMA (DPRK) </strong>
</h3>
<p> New command-and-control infrastructure was activated on June 10. The INVISIBLEFERRET malware family — associated with DPRK operations — received updates on June 11. Malware refresh without corresponding campaign data often indicates a preparation phase preceding new operations.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional Ivanti product vulnerabilities disclosed </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> Systemic vendor code quality pattern; three CVEs across two products in recent weeks </p> </td> </tr> <tr> <td> <p> Opportunistic exploitation of CVE-2026-10520 by ransomware actors </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> Public PoC + CVSS 10.0 + government targeting preference </p> </td> </tr> <tr> <td> <p> Gunra or Qilin claims a US state/local government victim </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Activity tempo refresh + confirmed government targeting </p> </td> </tr> <tr> <td> <p> UNC5475 resurfaces with new zero-day or pivots to alternative infrastructure vendor </p> </td> <td> <p> <strong> 35% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> 22-day dormancy consistent with operational pivot </p> </td> </tr> <tr> <td> <p> Chained exploitation of Check Point + Ivanti + Chrome against a single target </p> </td> <td> <p> <strong> 25% </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Temporal clustering of KEVs; no confirmed chaining yet </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Immediate Detection Priorities </strong>
</h3>
<p> <strong> For CVE-2026-10520 (Ivanti Sentry): </strong>
</p>
<ul> <li> Monitor for unexpected outbound connections from Sentry appliances (T1041 — Exfiltration Over C2 Channel) </li> <li> Hunt for new processes spawned by the Sentry web service with root privileges (T1059.004 — Unix Shell) </li> <li> Alert on any OS command patterns in Sentry HTTP request logs (T1190 — Exploit Public-Facing Application) </li> <li> Baseline normal Sentry process trees and alert on deviations </li>
</ul>
<p> <strong> For CVE-2026-50751 (Check Point VPN): </strong>
</p>
<ul> <li> Audit all VPN session establishments for sessions lacking proper authentication events (T1133 — External Remote Services) </li> <li> Hunt for VPN connections using IKEv1 that bypass the normal authentication flow (T1078 — Valid Accounts) </li> <li> Correlate VPN session logs with identity provider authentication logs — any VPN session without a corresponding IdP event is suspicious </li> <li> Monitor for new VPN tunnel configurations or policy modifications (T1556 — Modify Authentication Process) </li>
</ul>
<p> <strong> For CVE-2026-11645 (Chrome V8): </strong>
</p>
<ul> <li> Monitor for unusual child processes spawned by Chrome renderer processes (T1203 — Exploitation for Client Execution) </li> <li> Alert on Chrome crashes followed by suspicious process execution </li> <li> Hunt for drive-by download indicators: unexpected file writes to temp directories following browser navigation (T1189 — Drive-by Compromise) </li>
</ul>
<p> <strong> For UNC5475 (Cisco ASA/FTD): </strong>
</p>
<ul> <li> Hunt for AAA function anomalies on Cisco ASA/FTD appliances (T1014 — Rootkit) </li> <li> Verify syslog forwarding is functioning — disabled logging is a primary UNC5475 indicator (T1070.004 — Indicator Removal) </li> <li> Inspect crash dump files for unexpected modifications </li> <li> Baseline ASA process behavior and alert on deviations from normal </li>
</ul>
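<p> The second bullet above treats a silent syslog source as an indicator in its own right. The following is an added example for this briefing (not Cisco or Anomali code) that turns that idea into a receiver-side check: it compares the appliances that are <em>expected</em> to forward syslog against what actually arrived, flags sources that never appear or have gone quiet, and also flags sources whose event volume collapsed, which catches selective suppression of message classes rather than a full stop. The inventory, timestamps, and thresholds are constructed. </p>

```python
"""Detect ASA/FTD syslog sources that have gone silent or whose volume collapsed.
Added example for this briefing; not Cisco or Anomali code. Inventory, feed
records and thresholds are constructed for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed inventory: every appliance that is expected to forward syslog.
EXPECTED_SOURCES = {"asa-edge-01", "asa-edge-02", "ftd-dc-01", "asa-branch-07"}

# Constructed "now" for the sample feed below.
NOW = datetime.fromisoformat("2026-06-12T08:00:00")


def build_sample_feed():
    """Constructed syslog receiver records: (received_at ISO timestamp, source host)."""
    recs = []
    base = datetime.fromisoformat("2026-06-12T06:00:00")
    # asa-edge-01: steady one event per minute for two hours (healthy)
    for i in range(120):
        recs.append(((base + timedelta(minutes=i)).isoformat(), "asa-edge-01"))
    # asa-edge-02: steady for the first hour, then a single event (volume collapse)
    for i in range(60):
        recs.append(((base + timedelta(minutes=i)).isoformat(), "asa-edge-02"))
    recs.append(((base + timedelta(minutes=115)).isoformat(), "asa-edge-02"))
    # ftd-dc-01: stops entirely at 06:09 (hard silence)
    for i in range(10):
        recs.append(((base + timedelta(minutes=i)).isoformat(), "ftd-dc-01"))
    # asa-branch-07 never appears at all
    return recs


def find_silent_sources(expected, received, now,
                        max_gap=timedelta(minutes=30),   # assumed: hard-silence threshold
                        window=timedelta(hours=1),       # assumed: volume comparison window
                        drop_ratio=0.1):                 # assumed: <10% of prior window = collapse
    """Return (host, reason) for expected sources that are missing, silent, or
    whose event count in the last window fell below drop_ratio of the window before."""
    last_seen, cur, prev = {}, Counter(), Counter()
    for ts, host in received:
        t = datetime.fromisoformat(ts)
        last_seen[host] = max(t, last_seen.get(host, t))
        if now - window <= t <= now:
            cur[host] += 1
        elif now - 2 * window <= t < now - window:
            prev[host] += 1

    findings = []
    for host in sorted(expected):
        if host not in last_seen:
            findings.append((host, "never seen"))
        elif now - last_seen[host] > max_gap:
            gap_min = int((now - last_seen[host]).total_seconds() // 60)
            findings.append((host, f"silent for {gap_min} min"))
        elif prev[host] and cur[host] < prev[host] * drop_ratio:
            findings.append((host, f"volume dropped {prev[host]} -> {cur[host]}"))
    return findings


if __name__ == "__main__":
    for host, reason in find_silent_sources(EXPECTED_SOURCES, build_sample_feed(), NOW):
        print(f"{host}: {reason}")
```

<p> The inventory is the important input: a receiver can only notice a device that it knows should be talking. Pair this with an out-of-band check of the appliance's logging configuration, since an actor who disables forwarding on the box can also make the receiver-side picture look normal by leaving a trickle of benign messages running. </p>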
<p> <strong> For Ransomware (Gunra/Qilin/Akira): </strong>
</p>
<ul> <li> Monitor for the ransom note filename r3adm3.txt appearing on file shares (T1486 — Data Encrypted for Impact) </li> <li> Hunt for volume shadow copy deletion (T1490 — Inhibit System Recovery) </li> <li> Alert on bulk file encryption patterns (high-entropy file writes at scale) </li> <li> Monitor for data staging and exfiltration to web services prior to encryption (T1567 — Exfiltration Over Web Service) </li>
</ul>
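<p> Three of the four bullets above (the r3adm3.txt note, bulk high-entropy writes, and shadow copy deletion) can be expressed as one pass over endpoint telemetry. The block below is an added example for this briefing, not vendor or Anomali code. It reads a constructed stream of file-write and process events, computes Shannon entropy of written content, and raises one alert per host when the count of encrypted-looking writes in a sliding window crosses a threshold; the thresholds are assumptions to tune against your own EDR data. </p>

```python
"""Ransomware indicator detection over constructed file-write and process events.
Added example for this briefing; not vendor or Anomali code. Thresholds are assumed.
"""
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_NOTE_NAMES = {"r3adm3.txt"}     # from the IOC table in this briefing
ENTROPY_THRESHOLD = 7.0                # assumed: bits/byte typical of encrypted content
BURST_COUNT = 20                       # assumed: high-entropy writes per host per window
BURST_WINDOW = timedelta(seconds=60)   # assumed

# Constructed payloads: uniform byte distribution (8.0 bits/byte) vs. ordinary text.
HIGH_ENTROPY_PAYLOAD = bytes(range(256)) * 4
TEXT_PAYLOAD = b"Quarterly budget memo for the revenue division. " * 40


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def analyze_events(events):
    """events: dicts with ts, host, kind ('file_write' with path/content, or
    'process' with cmdline). Returns (host, alert, detail) tuples in time order."""
    alerts = []
    recent = defaultdict(deque)   # host -> timestamps of recent high-entropy writes
    burst_fired = set()           # one burst alert per host
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        host = ev["host"]
        if ev["kind"] == "process":
            cmd = ev["cmdline"].lower()
            if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
                alerts.append((host, "T1490 shadow copy deletion", ev["cmdline"]))
            continue
        # Strip either path separator to get the bare filename.
        name = ev["path"].rsplit("/", 1)[-1].rsplit("\\", 1)[-1].lower()
        if name in RANSOM_NOTE_NAMES:
            alerts.append((host, "T1486 ransom note written", ev["path"]))
        if shannon_entropy(ev["content"]) >= ENTROPY_THRESHOLD:
            q = recent[host]
            q.append(ts)
            while q and ts - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) >= BURST_COUNT and host not in burst_fired:
                burst_fired.add(host)
                detail = f"{len(q)} writes in {int(BURST_WINDOW.total_seconds())}s"
                alerts.append((host, "T1486 bulk high-entropy writes", detail))
    return alerts


def build_sample_events():
    """Constructed telemetry: one host being encrypted, one host working normally."""
    ev = []
    for i in range(25):   # fs01: 25 encrypted-looking writes in 25 seconds
        ev.append({"ts": f"2026-06-11T14:00:{i:02d}", "host": "fs01", "kind": "file_write",
                   "path": f"\\\\fs01\\finance\\report_{i}.xlsx", "content": HIGH_ENTROPY_PAYLOAD})
    ev.append({"ts": "2026-06-11T14:00:30", "host": "fs01", "kind": "file_write",
               "path": "\\\\fs01\\finance\\r3adm3.txt", "content": TEXT_PAYLOAD})
    ev.append({"ts": "2026-06-11T14:00:31", "host": "fs01", "kind": "process",
               "cmdline": "vssadmin.exe delete shadows /all /quiet"})
    for i in range(5):    # ws07: ordinary document saves, no alert expected
        ev.append({"ts": f"2026-06-11T14:00:{5 + i:02d}", "host": "ws07", "kind": "file_write",
                   "path": f"C:\\Users\\asmith\\Documents\\draft{i}.docx", "content": TEXT_PAYLOAD})
    return ev


if __name__ == "__main__":
    for host, alert, detail in analyze_events(build_sample_events()):
        print(f"{host}: {alert} ({detail})")
```

<p> Entropy alone is a weak signal (compressed archives and media files are also high-entropy), which is why the burst rule keys on rate per host rather than on single writes, and why the ransom note and shadow copy rules are kept as independent, higher-confidence alerts. </p>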
<h3> <strong> Hunting Hypotheses </strong>
</h3>
<ol> <li> <strong> "An attacker has established VPN access to our network without valid credentials via Check Point IKEv1 bypass." </strong> — Search for VPN sessions with no corresponding MFA challenge or IdP authentication event in the past 30 days. </li> <li> <strong> "UNC5475 has persistent access to our Cisco infrastructure and is in a quiet collection phase." </strong> — Audit all ASA/FTD appliances for: disabled syslog, modified AAA configurations, unexpected scheduled tasks, or crash dump files with recent modification timestamps that don't correspond to actual crashes. </li> <li> <strong> "An Initial Access Broker has already sold credentials to our environment to a ransomware operator." </strong> — Search dark web monitoring feeds for any state agency domain credentials; audit all remote access sessions for anomalous geographic or temporal patterns. </li> <li> <strong> "Ivanti Sentry has been compromised and is being used as a pivot point into our MDM infrastructure." </strong> — Verify Sentry appliance integrity: check running processes against known-good baselines, audit outbound network connections, verify file system integrity. </li>
</ol>
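<p> The Check Point detection bullet "any VPN session without a corresponding IdP event is suspicious" and hunting hypothesis 1 above are the same join. The block below is an added example for this briefing, not Check Point's or Anomali's code, showing that correlation over two constructed log feeds: for each VPN session it looks for a successful identity-provider authentication by the same user shortly before the session started, tolerating a little clock skew, and reports sessions with no IdP event or with an IdP event that carried no MFA. Field names, the lookback window, and the skew tolerance are assumptions. </p>

```python
"""Correlate VPN session establishments with IdP authentication events.
Added example for this briefing; not Check Point or Anomali code. Both log
feeds below are constructed; map your real gateway and IdP fields onto them.
"""
from datetime import datetime, timedelta

# Constructed VPN session log: (session start, username, source IP, IKE version)
VPN_SESSIONS = [
    ("2026-06-10T08:01:10", "jdoe", "198.51.100.23", "IKEv2"),
    ("2026-06-10T08:05:44", "asmith", "203.0.113.9", "IKEv1"),
    ("2026-06-10T11:42:03", "svc-backup", "203.0.113.77", "IKEv1"),
    ("2026-06-11T02:17:30", "asmith", "203.0.113.9", "IKEv1"),
]

# Constructed IdP authentication log: (timestamp, username, result, MFA satisfied)
IDP_EVENTS = [
    ("2026-06-10T08:00:55", "jdoe", "success", True),
    ("2026-06-10T08:05:20", "asmith", "success", True),
    ("2026-06-10T11:40:00", "svc-backup", "success", False),
]


def find_orphan_vpn_sessions(vpn_sessions, idp_events,
                             window=timedelta(minutes=5),    # assumed lookback
                             skew=timedelta(seconds=30)):    # assumed clock tolerance
    """Return one finding per VPN session that lacks a successful IdP event for
    the same user in [start - window, start + skew], or whose only IdP events
    in that range had no MFA."""
    by_user = {}
    for ts, user, result, mfa in idp_events:
        if result == "success":
            by_user.setdefault(user, []).append((datetime.fromisoformat(ts), mfa))

    findings = []
    for ts, user, src_ip, ike in vpn_sessions:
        start = datetime.fromisoformat(ts)
        candidates = [(t, mfa) for t, mfa in by_user.get(user, [])
                      if start - window <= t <= start + skew]
        if not candidates:
            reason = "no IdP authentication event"
        elif not any(mfa for _, mfa in candidates):
            reason = "IdP event without MFA"
        else:
            continue
        findings.append({"user": user, "src_ip": src_ip, "ike": ike,
                         "session_start": ts, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_orphan_vpn_sessions(VPN_SESSIONS, IDP_EVENTS):
        print(f"{f['session_start']} {f['user']}@{f['src_ip']} [{f['ike']}]: {f['reason']}")
```

<p> Run over 30 days of gateway logs, every hit deserves a ticket, but an IKEv1 session with no IdP event at all is the one that most directly matches the CVE-2026-50751 exploitation pattern and should be triaged first. Service accounts that legitimately authenticate without MFA will show up under the second reason; that list is itself worth reviewing against the "no single-factor remote access" action in the recommendations below. </p>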
<h3> <strong> IOC Blocking Guidance </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Context </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Domain </p> </td> <td> <p> gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad[.]onion </p> </td> <td> <p> Gunra ransomware data leak site </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> wthelpdesk[.]com </p> </td> <td> <p> Malicious infrastructure </p> </td> </tr> <tr> <td> <p> URL </p> </td> <td> <p> hxxp://zebra.wthelpdesk[.]com/ </p> </td> <td> <p> Malicious infrastructure </p> </td> </tr> <tr> <td> <p> IP </p> </td> <td> <p> 209.99.40[.]222 </p> </td> <td> <p> Threat infrastructure </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> bb61bbf81a04af3e95195d290fe63b50c8689565391ab79128b29599d9d19e81 </p> </td> <td> <p> Malicious binary </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> 47015b415f0eaaf44583553e8da1aa56f93218ae </p> </td> <td> <p> Malicious binary </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 16a3445c7dc3622605b5532a7c3263ec </p> </td> <td> <p> Malicious binary </p> </td> </tr> <tr> <td> <p> Filename </p> </td> <td> <p> r3adm3.txt </p> </td> <td> <p> Gunra ransomware note </p> </td> </tr> </tbody>
</table>
<p> Additional IOCs available via Anomali ThreatStream Next-Gen and partner feeds.
</p>
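<p> The table above is defanged (<code>[.]</code>, <code>hxxp</code>) so that it cannot be clicked or auto-linked; before these values can be matched they have to be refanged and sanity-checked. The following is an added example for this briefing, not Anomali ThreatStream code: it loads the table's indicators, refangs them, validates hash lengths and IP syntax so a typo never silently becomes a non-matching rule, and scans constructed log lines, matching domains on subdomains too so <code>zebra.wthelpdesk.com</code> is caught by the <code>wthelpdesk.com</code> entry. The log lines are constructed. </p>

```python
"""Refang, validate and match the IOC table from this briefing against log lines.
Added example; not Anomali code. Indicator values are copied from the table,
the log lines are constructed.
"""
import re

DEFANGED_IOCS = [
    ("Domain", "gunrabxbig445sjqa535uaymzerj6fp4nwc6ngc2xughf2pedjdhk4ad[.]onion", "Gunra ransomware data leak site"),
    ("Domain", "wthelpdesk[.]com", "Malicious infrastructure"),
    ("URL", "hxxp://zebra.wthelpdesk[.]com/", "Malicious infrastructure"),
    ("IP", "209.99.40[.]222", "Threat infrastructure"),
    ("SHA-256", "bb61bbf81a04af3e95195d290fe63b50c8689565391ab79128b29599d9d19e81", "Malicious binary"),
    ("SHA-1", "47015b415f0eaaf44583553e8da1aa56f93218ae", "Malicious binary"),
    ("MD5", "16a3445c7dc3622605b5532a7c3263ec", "Malicious binary"),
    ("Filename", "r3adm3.txt", "Gunra ransomware note"),
]

HASH_LENGTHS = {"MD5": 32, "SHA-1": 40, "SHA-256": 64}

# Constructed log lines (proxy, firewall, EDR, and one benign request).
SAMPLE_LOGS = [
    "2026-06-11T09:12:01 proxy01 user=jdoe method=GET url=http://zebra.wthelpdesk.com/update.bin status=200",
    "2026-06-11T09:12:05 fw01 action=allow src=10.20.3.14 dst=209.99.40.222 dport=443",
    "2026-06-11T09:13:40 edr ws07 file_created path=C:\\Users\\jdoe\\Downloads\\svc.exe "
    "sha256=BB61BBF81A04AF3E95195D290FE63B50C8689565391AB79128B29599D9D19E81",
    "2026-06-11T09:20:00 proxy01 user=asmith method=GET url=https://www.example.gov/ status=200",
]


def refang(value: str) -> str:
    """Undo common defanging: [.] / (.) -> ., [:] -> :, leading hxxp -> http."""
    v = value.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(?=s?://)", "http", v, flags=re.I)


def validate(kind: str, value: str) -> bool:
    """Reject malformed hashes and IPs so a bad row cannot silently never match."""
    if kind in HASH_LENGTHS:
        return len(value) == HASH_LENGTHS[kind] and re.fullmatch(r"[0-9a-fA-F]+", value) is not None
    if kind == "IP":
        parts = value.split(".")
        return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)
    return bool(value)


def build_indicator_set(defanged):
    """Map lowercased, refanged value -> (kind, context); skips rows that fail validation."""
    indicators = {}
    for kind, raw, ctx in defanged:
        v = refang(raw)
        if validate(kind, v):
            indicators[v.lower()] = (kind, ctx)
    return indicators


def scan_logs(lines, indicators):
    """Return (kind, value, context, line) for every indicator hit.
    Domains match as a whole label sequence, including subdomains; everything
    else matches as a case-insensitive substring."""
    hits = []
    for line in lines:
        low = line.lower()
        for value, (kind, ctx) in indicators.items():
            if kind == "Domain":
                pattern = r"(?:^|[^a-z0-9.-])(?:[a-z0-9-]+\.)*" + re.escape(value) + r"(?![a-z0-9.-])"
                matched = re.search(pattern, low) is not None
            else:
                matched = value in low
            if matched:
                hits.append((kind, value, ctx, line))
    return hits


if __name__ == "__main__":
    for kind, value, ctx, line in scan_logs(SAMPLE_LOGS, build_indicator_set(DEFANGED_IOCS)):
        print(f"[{kind}] {value} ({ctx}) <- {line[:60]}")
```

<p> Substring matching is deliberately loose for hashes and IPs so that uppercase hashes and varied field names still match; for the IP it will also match a longer address that merely begins with the same digits, so treat firewall hits as a pointer to the session, not as proof on their own. </p>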
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services (State Treasury, Revenue, Tax Systems) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> CVE-2026-50751 (Check Point VPN bypass) — treasury and tax systems often use VPN for inter-agency financial data exchange. An unauthenticated VPN session could provide direct access to financial transaction systems. </li> <li> <strong> Action: </strong> Immediately audit all Check Point gateways protecting financial system enclaves. Verify that no IKEv1 tunnels exist to banking partners or payment processors. </li> <li> <strong> Ransomware concern: </strong> Tax filing season data and citizen financial PII make revenue agencies prime ransomware targets for double-extortion leverage. </li>
</ul>
<h3> <strong> Energy (State Energy Regulatory Oversight, Affiliated Utilities) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> CISA ICS advisories issued this cycle for Schneider Electric EcoStruxure Panel Server and Schneider Modicon Switches — both common in utility SCADA environments under state regulatory oversight. </li> <li> <strong> Action: </strong> Coordinate with regulated utilities to confirm ICS patch status. Verify network segmentation between IT and OT environments — CVE-2026-7473 (Arista EOS tunnel bypass) could enable traffic injection across segmentation boundaries. </li> <li> <strong> Nation-state concern: </strong> Volt Typhoon pre-positioning doctrine specifically targets energy infrastructure for potential disruption during geopolitical crisis. </li>
</ul>
<h3> <strong> Healthcare (State Health Agencies, Medicaid Systems, Public Hospitals) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> Ivanti Sentry (CVE-2026-10520) is widely deployed in healthcare for mobile device management of clinical tablets and provider devices. Compromise could expose patient health information and disrupt clinical workflows. </li> <li> <strong> Action: </strong> Healthcare-affiliated agencies should treat Ivanti Sentry patching as patient-safety-critical. Verify that MDM-managed devices used for e-prescribing and patient records are not accessible via compromised Sentry infrastructure. </li> <li> <strong> Ransomware concern: </strong> Healthcare remains the sector where ransomware most directly threatens life safety. Gunra and Qilin both list healthcare among target verticals. </li>
</ul>
<h3> <strong> Government (Executive Agencies, Legislature, Courts, Law Enforcement) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> All three KEV vulnerabilities directly impact standard state government infrastructure. The combination of credential-free VPN access (Check Point), unauthenticated gateway RCE (Ivanti), and drive-by browser exploitation (Chrome) creates a multi-vector threat to government operations. </li> <li> <strong> Action: </strong> Law enforcement and judicial systems should receive priority patching given the sensitivity of criminal justice data. Verify that court case management systems and law enforcement intelligence databases are not accessible from VPN segments using IKEv1. </li> <li> <strong> Espionage concern: </strong> UNC5475's confirmed targeting of government Cisco infrastructure means state law enforcement and regulatory agencies with Cisco ASA/FTD deployments should assume they are potential targets. </li>
</ul>
<h3> <strong> Aviation/Logistics (State DOT, Port Authorities, Transit Systems) </strong>
</h3>
<ul> <li> <strong> Priority: </strong> Transportation management systems often rely on network segmentation (Arista switches) to separate operational technology from administrative networks. CVE-2026-7473 undermines this segmentation model. </li> <li> <strong> Action: </strong> Audit Arista EOS switches in transportation management centers for patch currency. Verify that traffic signal control, transit dispatch, and port management systems maintain air-gapped or hardware-enforced segmentation that doesn't rely solely on VLAN/tunnel isolation. </li> <li> <strong> Supply chain concern: </strong> Transportation logistics systems are attractive targets for both ransomware (operational disruption leverage) and nation-state actors (pre-positioning for potential kinetic conflict scenarios). </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 🔴 CRITICAL </strong> </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Patch all Ivanti Sentry instances </strong> to R10.5.2, R10.6.2, or R10.7.1. If patching cannot be completed within 24 hours, immediately remove Sentry from internet-facing access via firewall rules. CVE-2026-10520 is CVSS 10.0 with public exploit code. </p> </td> </tr> <tr> <td> <p> <strong> 🔴 CRITICAL </strong> </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Apply Check Point hotfix </strong> (sk185033) to all Security Gateways. Disable IKEv1 on all gateways where operationally feasible. Any VPN connection using IKEv1 is currently exploitable without credentials. </p> </td> </tr> <tr> <td> <p> <strong> 🔴 CRITICAL </strong> </p> </td> <td> <p> IT Operations / SOC </p> </td> <td> <p> <strong> Force Chrome update </strong> to version 149.0.7827.103+ on all managed endpoints. Implement endpoint policy to block execution of Chrome versions below this threshold. </p> </td> </tr> <tr> <td> <p> <strong> 🟠 HIGH </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Audit VPN session logs </strong> for the past 30 days — identify any sessions that lack corresponding identity provider authentication events. These may indicate exploitation of CVE-2026-50751. </p> </td> </tr> <tr> <td> <p> <strong> 🟠 HIGH </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Validate MFA enforcement </strong> on all remote access pathways. Confirm that no remote access method allows single-factor authentication. Ransomware groups are actively purchasing IAB credentials. </p> </td> </tr> </tbody>
</table>
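<p> Checking the three CRITICAL rows above across a whole estate is an inventory question: which Sentry appliances are below the fixed release for their branch, and which endpoints still run a Chrome below 149.0.7827.103. The block below is an added example for this briefing, not Ivanti, Google or Anomali code. The fixed versions come from the text; reading "all versions prior to R10.5.2, R10.6.2, and R10.7.1" as one fixed release per branch (10.5.x needs 10.5.2, and so on) is this example's interpretation, and a Sentry branch newer than any named fix is reported as <code>unknown</code> rather than assumed safe. The inventory rows are constructed. </p>

```python
"""Flag assets still below the fixed versions named in this briefing.
Added example; not vendor or Anomali code. Inventory rows are constructed;
the per-branch reading of the Sentry fixed versions is an assumption.
"""
import re

# From the briefing: Ivanti Sentry fixed releases, keyed by (major, minor) branch.
SENTRY_FIXED = {(10, 5): (10, 5, 2), (10, 6): (10, 6, 2), (10, 7): (10, 7, 1)}
# From the briefing: minimum Chrome build.
CHROME_MIN = (149, 0, 7827, 103)

# Constructed inventory: (hostname, product, reported version)
INVENTORY = [
    ("mdm-gw-01", "ivanti_sentry", "R10.5.1"),
    ("mdm-gw-02", "ivanti_sentry", "R10.6.2"),
    ("mdm-gw-03", "ivanti_sentry", "R10.4.3"),
    ("mdm-gw-04", "ivanti_sentry", "R10.8.0"),
    ("ws-0417", "chrome", "149.0.7827.99"),
    ("ws-0418", "chrome", "149.0.7827.103"),
    ("ws-0419", "chrome", "150.0.7900.12"),
    ("print-srv-02", "other", "1.0"),
]


def parse_version(s: str) -> tuple:
    """'R10.5.1' -> (10, 5, 1). Tolerates a leading 'R' and trailing build tags."""
    m = re.match(r"^[Rr]?(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def sentry_status(version: str) -> str:
    v = parse_version(version)
    branch = v[:2]
    if branch in SENTRY_FIXED:
        # Tuple comparison handles short forms: (10, 5) < (10, 5, 2).
        return "patched" if v >= SENTRY_FIXED[branch] else "vulnerable"
    if v < min(SENTRY_FIXED.values()):
        return "vulnerable"   # older than every fixed release, e.g. 10.4.x
    return "unknown"          # newer branch the advisory text does not name


def chrome_status(version: str) -> str:
    return "patched" if parse_version(version) >= CHROME_MIN else "vulnerable"


def evaluate_inventory(rows):
    """rows: (host, product, version) -> list of (host, product, status)."""
    out = []
    for host, product, ver in rows:
        if product == "ivanti_sentry":
            status = sentry_status(ver)
        elif product == "chrome":
            status = chrome_status(ver)
        else:
            status = "not in scope"
        out.append((host, product, status))
    return out


if __name__ == "__main__":
    for host, product, status in evaluate_inventory(INVENTORY):
        print(f"{host:14} {product:14} {status}")
```

<p> The <code>unknown</code> outcome matters operationally: an appliance on a branch the advisory does not mention should be confirmed against the vendor notice rather than dropped from the patch list because a naive "greater than" comparison happened to pass. </p>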
<h3> <strong> 7-DAY Actions </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 🟠 HIGH </strong> </p> </td> <td> <p> SOC / Hunt Team </p> </td> <td> <p> <strong> Conduct proactive threat hunt </strong> on all Cisco ASA/FTD appliances for UNC5475 indicators: AAA configuration anomalies, disabled syslog forwarding, unexpected crash dump modifications, unrecognized scheduled tasks. </p> </td> </tr> <tr> <td> <p> <strong> 🟠 HIGH </strong> </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Audit all Ivanti products </strong> in the environment (Sentry, EPMM, Connect Secure, Neurons). Confirm patch currency across the entire Ivanti portfolio. Treat Ivanti as an elevated vendor risk requiring enhanced monitoring. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 MODERATE </strong> </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Audit Arista EOS switches </strong> for CVE-2026-7473 patch status. Verify that network segmentation between sensitive enclaves is not solely dependent on tunnel-based isolation. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 MODERATE </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Review ICS advisory applicability </strong> for Schneider Electric EcoStruxure Panel Server and Modicon Switches in any state-managed or state-regulated facility management systems. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY Actions </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 🟡 MODERATE </strong> </p> </td> <td> <p> CISO / Architecture </p> </td> <td> <p> <strong> Develop an IKEv1 deprecation plan </strong> with a migration timeline to IKEv2/IPsec or modern VPN alternatives (WireGuard, ZTNA). IKEv1 is a recurring attack surface that will continue generating critical vulnerabilities. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 MODERATE </strong> </p> </td> <td> <p> CISO / Procurement </p> </td> <td> <p> <strong> Evaluate Ivanti vendor risk </strong> — three critical vulnerabilities across two products in recent weeks indicate systemic issues. Assess alternative MDM/gateway solutions for long-term diversification. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 MODERATE </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Commission tabletop exercise </strong> simulating a ransomware attack leveraging IAB-purchased credentials + VPN bypass for initial access. Test incident response procedures, backup restoration timelines, and executive communication plans. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 MODERATE </strong> </p> </td> <td> <p> CISO / IR </p> </td> <td> <p> <strong> Update incident response playbooks </strong> to include scenarios for: (a) Ivanti appliance compromise as pivot point, (b) VPN authentication bypass with no credential indicators, (c) China-nexus persistent access discovery on network infrastructure. </p> </td> </tr> </tbody>
</table>
<h3> <strong> Executive / IR Preparedness </strong>
</h3>
<ul> <li> <strong> Brief the Governor's office / agency heads </strong> on the current threat posture. Three simultaneous critical vulnerabilities in perimeter infrastructure, combined with active ransomware targeting of government, warrant executive awareness. </li> <li> <strong> Verify cyber insurance policy </strong> covers the current threat scenarios — particularly ransomware with data exfiltration and nation-state espionage discovery. </li> <li> <strong> Confirm communication plans </strong> with CISA, MS-ISAC, and state law enforcement cyber units. If UNC5475 persistent access is discovered during hunting, federal coordination will be required. </li> <li> <strong> Pre-position incident response retainer </strong> — ensure your IR firm is on standby and familiar with your environment. Response time matters when a CVSS 10.0 exploit is public. </li>
</ul>
<h2> <strong> The Bottom Line </strong>
</h2>
<p> The 72-hour window of June 9–11 delivered three confirmed-exploited vulnerabilities targeting the exact infrastructure stack that state governments depend on: VPN gateways, mobile device management, and web browsers. This is not coincidence — it reflects the reality that state government perimeter infrastructure is under sustained, multi-vector assault from both criminal and nation-state actors simultaneously.
</p>
<p> The Ivanti Sentry vulnerability (CVE-2026-10520) demands the most urgent response. A CVSS 10.0 unauthenticated RCE with public exploit code on a system that manages trust relationships with every mobile device in your environment is as severe as vulnerabilities get. Every hour it remains unpatched is an hour an attacker can achieve root access without knowing a single credential.
</p>
<p> But patching alone is insufficient. UNC5475's 22-day silence after confirmed exploitation of government Cisco infrastructure is a reminder that the most dangerous threats are the ones you can't see. Proactive hunting — not just reactive patching — is what separates organizations that detect espionage from those that discover it in a congressional hearing.
</p>
<p> The ransomware groups aren't waiting either. Gunra, Qilin, and Akira are all actively targeting government this week, armed with IAB-purchased credentials and AI-accelerated tooling. Your MFA enforcement, your backup integrity, and your incident response readiness will determine whether a breach becomes a headline.
</p>
<p> <strong> Act today. Patch the critical vulnerabilities. Hunt for the quiet threats. Prepare for the ransomware attempt that is statistically likely within the next two weeks. </strong>
</p>
<p> <em> Published 12 June 2026 | Anomali CTI Desk </em>
</p>
<p> <em> For questions or additional context, contact your Anomali account team or the CTI Desk directly. </em>
</p>