U.S. CISA adds BerriAI LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities catalog

AndyC 10 June 2026

U.S. CISA adds BerriAI LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities catalog

U.S. CISA adds BerriAI LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities catalog

U.S. CISA adds BerriAI LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities catalog

U.S. CISA adds BerriAI LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini
June 09, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds BerriAI LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added BerriAI LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities (KEV) catalog.

The two flaws added to the catalog are:

  • CVE-2026-42271 (CVSS score ver.4.0 of 8.7) BerriAI LiteLLM Command Injection Vulnerability
  • CVE-2026-50751 (CVSS score of 9.3) Check Point Security Gateway Improper Authentication Vulnerability

The CVE-2026-42271 flaw is a privilege escalation and remote code execution vulnerability in LiteLLM affecting versions 1.74.2 through 1.83.6. The issue stems from two MCP server testing endpoints that allowed authenticated users to supply custom server configurations, including commands and environment variables. Because the application executed these commands as subprocesses on the host system without enforcing role-based access controls, even low-privileged users with a valid API key could run arbitrary commands on the server. The vulnerability was fixed in LiteLLM version 1.83.7.

The second flaw added to the catalog, tracked as CVE-2026-50751, is a critical authentication bypass flaw in Check Point VPN, Mobile Access, and Spark Firewalls. The vulnerability affects the deprecated IKEv1 key exchange process and allows unauthenticated attackers to establish remote VPN connections without needing valid credentials.

Check Point warns that CVE-2026-50751 is being actively exploited. Attacks have been observed since May 2026, with activity increasing in early June. The campaign appears limited, affecting several dozen organizations, and at least one incident has been linked, with medium confidence, to a Qilin ransomware affiliate.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the Check Point Security Gateway vulnerability by June 11, 2026, and the BerriAI LiteLLM flaw by June 22, 2026.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , , ,

What do you feel about this?

More Stories

Google fixes the fifth actively exploited Chrome zero-day of 2026

Google fixes the fifth actively exploited Chrome zero-day of 2026

AndyC 10 June 2026
CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits

CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits

AndyC 10 June 2026
Meta Accuses NSO of Violating WhatsApp Court Injunction

Meta Accuses NSO of Violating WhatsApp Court Injunction

AndyC 9 June 2026
Everest Forms Pro WordPress Flaw is Handing Attackers Admin Access

Everest Forms Pro WordPress Flaw is Handing Attackers Admin Access

AndyC 9 June 2026
UNC3753 Escalates: From Vishing Calls to Physical Office Intrusions at US Legal and Financial Firms

UNC3753 Escalates: From Vishing Calls to Physical Office Intrusions at US Legal and Financial Firms

AndyC 9 June 2026
EU’s cloud sovereignty push leaves room for US hyperscalers

Meta AI Recovery Tool Flaw Exposed 20,000+ Instagram Accounts

AndyC 9 June 2026

You may have missed

Google fixes the fifth actively exploited Chrome zero-day of 2026

Google fixes the fifth actively exploited Chrome zero-day of 2026

AndyC 10 June 2026
U.S. CISA adds BerriAI LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities catalog

U.S. CISA adds BerriAI LiteLLM and Check Point Security Gateway flaws to its Known Exploited Vulnerabilities catalog

AndyC 10 June 2026
CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits

CVE-2026-23111: Linux nf_tables Flaw Enables Root Exploits

AndyC 10 June 2026
WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine

WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine

AndyC 10 June 2026
Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models

Researchers Build Self-Replicating AI Worm That Operates Entirely on Local, Open-Weight Models

AndyC 10 June 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.