July 2026 Pulse


Executive Summary

  • May’s reporting period included 118 vulnerabilities across 86 advisories from seven infrastructure vendors, with network security, SD-WAN, firewall, and management platforms accounting for the highest operational risk.
  • Several vulnerabilities affecting Palo Alto and Cisco platforms are listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog and have public proof-of-concept activity, making them immediate priorities.
  • F5 published the largest volume of disclosures, including command injection, deserialization, path traversal, privilege management, and buffer overflow vulnerabilities affecting BIG-IP and BIG-IQ deployments.
  • Aruba networking and SD-WAN products accounted for a large concentration of HPE disclosures, including command injection, SQL injection, access control, and buffer overflow weaknesses.
  • Security teams should not assume patch deployment records accurately reflect device state. Verification of software versions, firmware posture, and configuration state remains necessary, particularly for internet-facing infrastructure and management platforms.

Overview

The past month was dominated by vulnerabilities affecting network infrastructure, security appliances, SD-WAN platforms, centralized management systems, and access control technologies. The reporting period included 118 vulnerabilities across 86 advisories from F5, HPE, Palo Alto Networks, Cisco, Fortinet, Check Point, and Ivanti. Common vulnerability classes included command injection, authentication bypass, missing authorization, deserialization flaws, path traversal, buffer overflows, SSRF, and signature validation weaknesses.

The concentration of vulnerabilities in management planes and network-edge infrastructure reinforces a recurring challenge: many of the highest-risk assets fall outside the visibility provided by endpoint and OS-focused security tools. As organizations prioritize remediation, they should also verify the integrity and posture of the infrastructure that supports critical business operations.

Advisories to Prioritize

The highest-priority activity this month centers on internet-facing security infrastructure and SD-WAN management platforms. Palo Alto Networks disclosed two critical vulnerabilities affecting PAN-OS and Prisma Access, both of which appear in CISA’s Known Exploited Vulnerabilities catalog and have multiple public proof-of-concept references (CVE-2026-0300, CVE-2026-0257). Cisco Catalyst SD-WAN Manager also warrants immediate attention due to a KEV-listed authentication bypass vulnerability with public exploit activity (CVE-2026-20182). These products frequently occupy privileged positions within enterprise networks, making successful exploitation disproportionately impactful.

Management and orchestration platforms represented a second major area of concern. F5 released 45 advisories covering BIG-IP, BIG-IQ, BIG-IP Next, APM, WAF, DNS, and related technologies. While none of the disclosed F5 vulnerabilities were listed in KEV during the reporting period, the volume and concentration of command injection, deserialization, privilege-management, and path traversal weaknesses increase the likelihood of exposure, particularly where management interfaces are broadly accessible. Cisco Secure Workload (CVE-2026-20223), FortiAuthenticator (CVE-2026-44277), FortiSandbox (CVE-2026-26083), and Ivanti Xtraction (CVE-2026-8043) also introduced critical vulnerabilities affecting privileged administrative functions and management workflows.

A third theme involves networking and SD-WAN ecosystems. HPE ArubaOS and Aruba SD-WAN advisories accounted for 32 vulnerabilities across two advisories, including command injection, SQL injection, access control, buffer overflow, certificate validation, and resource consumption weaknesses. Several affected-product entries relied on CPE, NVD descriptions, or inferred product mapping rather than authoritative product metadata. Security teams should validate affected asset inventories carefully rather than relying solely on vulnerability scanner identification.

Across all vendors, prioritization should be driven by exposure, privilege level, exploit availability, and the ability to verify remediation on affected infrastructure. KEV-listed vulnerabilities with public exploit references deserve immediate action, followed by vulnerabilities affecting management planes, identity infrastructure, firewalls, VPN services, SD-WAN controllers, and centralized orchestration systems.

What Security Teams Should Prioritize

  • Immediately identify and remediate KEV-listed vulnerabilities affecting PAN-OS, Prisma Access, and Cisco Catalyst SD-WAN Manager.
  • Prioritize internet-facing firewalls, VPN gateways, SD-WAN controllers, authentication systems, and centralized management platforms.
  • Review exposure of F5 BIG-IP and BIG-IQ deployments, particularly systems supporting WAF, APM, DNS, and application delivery functions.
  • Validate ArubaOS and Aruba SD-WAN deployments against the latest advisories and verify affected software versions directly.
  • Investigate devices that rely on inferred or incomplete affected-product metadata and confirm exposure manually when necessary.
  • Correlate patching activity with device inventory, configuration state, firmware versions, and integrity validation data to verify remediation.
  • Establish a known-good baseline for critical infrastructure devices and monitor for unauthorized modifications or configuration drift.

Recommended Validation Workflow

  1. Identify affected assets.
    Correlate vulnerability data with firewalls, VPN platforms, SD-WAN controllers, management systems, authentication services, and networking infrastructure.
  2. Validate the affected layer.
    Determine whether exposure exists in firmware, operating systems, management interfaces, control planes, or supporting software components.
  3. Prioritize by exposure and privilege.
    Address internet-facing systems, administrative interfaces, and infrastructure with broad network authority first.
  4. Confirm remediation directly.
    Verify software versions, firmware versions, configuration state, and applied mitigations rather than relying solely on patch deployment records.
  5. Establish or update a known-good baseline.
    Attest firmware integrity and document approved device and firmware posture across critical infrastructure.
  6. Monitor for unauthorized modifications.
    Detect drift, unexpected configuration changes, and indicators of compromise below the OS where traditional security tools may have limited visibility.

Closing Notes

JuneMay’s disclosures reinforce a familiar pattern: the most operationally significant vulnerabilities continue to concentrate around network-edge infrastructure, security appliances, SD-WAN platforms, and centralized management systems. These systems often sit in privileged positions within enterprise environments, making exploitation more consequential than vulnerabilities affecting individual endpoints.

Security teams should treat remediation as a validation exercise rather than a patching exercise. Establishing infrastructure trust requires direct verification of device and firmware posture, confirmation of applied fixes, and ongoing monitoring for unauthorized modifications.

Hardware-level visibility, firmware integrity validation, and continuous assessment of critical infrastructure help organizations verify that remediation efforts have reduced risk rather than simply recorded change activity.