Clinical Cyber Dispatch · Free Edition · Issue date: 11 June 2026
Healthcare cyber intelligence — decision brief
Critical-Now Items
6
Confirm local deployment; apply required actions
Vendor actions
6
One action table: required action, due date, sources per row
Exploit signal
5 CISA KEV
3 also corroborated by VulnCheck; No VulnCheck-only additions this window.
Last verified
11 June 2026
17:03 UTC
Retained unresolved risk remains critical; see Retained CVE Watch for closure tracking.
CISO Quick Read
Critical-Now: 6 items requiring local deployment confirmation and remediation by source due date.
CISA KEV: 5 items.
Policy / guidance updates: 2 material AI governance updates.
Retained watch: 1 item remains open.
Incident actions: 0 immediate breach-response actions from verified primary sources.
Decision: Validate deployment for all 6 Critical-Now products, apply the listed vendor action by the due date, and document exceptions. Escalate privacy only with local evidence of unauthorized PHI/ePHI access, use, acquisition, or disclosure. One item is past due.
HRS = Healthcare Relevance Score (1–100). It reflects healthcare operational relevance using clinical exposure, exploit/KEV signal, EPSS, and source-pack confidence. Full rubric: HRS rubric.
CISO Decision Brief
- Critical-Now remediationAll 6 Critical-Now items render in the Critical-Now Action Table with the required action, due date, and sources. Confirm local deployment and prioritize remediation by internet exposure, exploit evidence, business dependency, and HRS.
- Policy / guidance updates2 material policy/guidance updates verified from official sources this window — see the AI & Clinical Automation Watch. Route to AI governance, privacy/legal, procurement, and vendor risk for review.
- Healthcare Incident WatchNo incident in this issue requires immediate breach-response action based on verified primary sources. Three secondary-source awareness items are shown for vendor-risk, disclosure, litigation, or settlement monitoring. Review only if a named organization, vendor, geography, service line, or patient-data relationship is in scope.
What changed since last issue
CVE scope this issue: Decision Board shows all 8 tracked CVE rows — 6 Critical-Now (0 retained from prior issues, 6 newly elevated) and 2 additional monitored rows.
- New Critical-Now items: 6
- Retained Critical-Now items: 0
- Retained watch items still open: 1
- New policy / guidance updates: 2
- Incident actions: 0 immediate action items from verified primary sources
- 6 newly elevated Critical-Now items; 0 retained/open from the prior issue. Confirm local deployment for all 6; each card lists the required action, due date, and sources.
- Exploit-priority signal: 5 CISA KEV items; 3 also corroborated by VulnCheck; No VulnCheck-only additions this window.
- 10 healthcare incident/disclosure candidates reviewed; no verified-material action items. 3 secondary-source awareness cards are shown; 7 additional secondary-awareness items remain tracked but not displayed.
- 2 regulatory or privacy items changed this week.
How to use Critical-Now Items
Use this sequence before assigning escalation work:
- Confirm local deployment, then remediate each Critical-Now item by its due date.
- Investigate only if local telemetry indicates exploitation.
- Start HIPAA breach risk assessment only with evidence of unauthorized PHI/ePHI access, use, or disclosure.
Critical-Now Actions
6 Critical-Now items this week. Every item renders in the Critical-Now Action Table below with the required action, local validation, due date, owner routing, and sources.
Free content: priority, HRS, deadline, action, and source references. HRS uses the Healthcare Relevance Score rubric. HRS rubric.
All 6 Critical-Now items render in the action table below. Each row lists the required action, local validation, due date, owner route, and sources.
| CVE | Product / vendor | Due date | Required action | Local validation | Owner route | Source Pack |
|---|---|---|---|---|---|---|
| CVE-2026-45247 50 | Mirasvit Full Page Cache Warmer | Past due 5 days (deadline 2026-06-06) | Patch to Mirasvit Full Page Cache Warmer version 1.11.12 or later. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date. | confirm whether Mirasvit Full Page Cache Warmer before 1.11.12 is deployed, exposed, and owned locally. | Start with CMDB/service owner. Pull in platform owner, vulnerability management, and change owner. | Source Pack — View sources and technical details
Last verified: 2026-06-11 13:03 ET Source checked: 11 June 2026 12:13 ET (11 June 2026 16:13 UTC) Freshness: current Evidence note: Prioritized because CISA KEV, VulnCheck KEV, vendor source identified Mirasvit Full Page Cache Warmer as a deployed healthcare-relevant technology. Fixed releases
|
| CVE-2026-50751 56 | Check Point Security Gateway / Remote Access VPN / Mobile Access / Quantum Spark where applicable | Due today (deadline 2026-06-11) | Upgrade Check Point Security Gateway to fixed release(s): r81.20, r81.10.17, r82.00.10. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date. | confirm whether Check Point Security Gateway / Remote Access VPN / Mobile Access / Quantum Spark where applicable from r80.40 before r81.20, from r80.20.00 before r81.10.17, from r80.20.00 before r82.00.10 is deployed, exposed, and owned locally. | Start with CMDB/service owner. Pull in network security, remote-access/VPN owner, identity owner, SOC, vulnerability management, and change owner. | Source Pack — View sources and technical details
Last verified: 2026-06-11 13:03 ET Source checked: 11 June 2026 12:13 ET (11 June 2026 16:13 UTC) Freshness: current Evidence note: Prioritized because CISA KEV, VulnCheck KEV, vendor source identified Check Point Security Gateway / Remote Access VPN / Mobile Access / Quantum Spark where applicable as a deployed healthcare-relevant technology. Fixed releases
|
| CVE-2026-7654 62 | Admin Columns (WordPress) | Due 2026-06-18 | Validate whether Admin Columns (WordPress) is installed in the affected version range identified by the source. If present, confirm the vendor-supported fixed release before closure; apply compensating controls or disable affected functionality until remediation is verified Vendor-recommended fixed release(s): 7.0.18. | confirm whether Admin Columns (WordPress) ['before 7.0.18'] is installed. | Start with CMDB/service owner. Pull in web platform owner, marketing/digital team, application owner, vulnerability management, and change owner. | Source Pack — View sources and technical detailsLast verified: 2026-06-11 13:03 ET Source checked: 11 June 2026 12:13 ET (11 June 2026 16:13 UTC) Freshness: current Evidence note: Prioritized because NVD/vendor review identified Admin Columns (WordPress) as a deployed healthcare-relevant technology. Fixed releases
|
| CVE-2026-42271 72 | LiteLLM | Due 2026-06-22 | Upgrade LiteLLM to fixed release(s): 1.83.7. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date. | confirm whether LiteLLM is deployed in AI gateway or model-routing workflows, verify version and key scope, and review Postgres query logs, database query history, LiteLLM application logs, and provider API key usage logs before closure. | Start with CMDB/service owner. Pull in AI platform owner, application owner, security engineering, vulnerability management, and privacy if PHI-adjacent. | Source Pack — View sources and technical details
Last verified: 2026-06-11 13:03 ET Source checked: 11 June 2026 12:13 ET (11 June 2026 16:13 UTC) Freshness: current Evidence note: Prioritized because CISA KEV, VulnCheck KEV, vendor source identified LiteLLM as a deployed healthcare-relevant technology. Fixed releases
|
| CVE-2026-11645 80 | Google Chrome / Chromium V8 | Due 2026-06-23 | Upgrade Google Chrome to fixed release(s): 149.0.7827.103. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date. | confirm whether Google Chrome / Chromium V8 before 149.0.7827.103 is deployed, exposed, and owned locally. | Start with CMDB/service owner. Pull in platform owner, vulnerability management, and change owner. | Source Pack — View sources and technical detailsLast verified: 2026-06-11 13:03 ET Source checked: 11 June 2026 12:13 ET (11 June 2026 16:13 UTC) Freshness: current Evidence note: Prioritized because CISA KEV, vendor source identified Google Chrome / Chromium V8 as a deployed healthcare-relevant technology. Fixed releases
|
| CVE-2026-20245 64 | Cisco catalyst SD-WAN manager; Cisco SD-WAN vsmart controller | Due 2026-06-23 | Upgrade all Cisco Catalyst SD-WAN control components to the Cisco fixed release for their current train: 20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.15.506, 20.18.2.2. Collect admin-tech files before upgrading; after upgrade, open a Cisco TAC case referencing this CVE for indicator-of-compromise scanning. If immediate patching is not possible, document exception, compensating controls, owner, and target remediation date. | confirm whether Cisco catalyst SD-WAN manager; Cisco SD-WAN vsmart controller before 20.9.9.1, from 20.10 before 20.12.5.4, from 20.12.6 before 20.12.6.2, from 20.13 before 20.15.4.4, from 20.15.5 before 20.15.5.2, from 20.16 before 20.18.2.2, from 26.1 before 26.1.1.1 is deployed, exposed, and owned locally. | Start with CMDB/service owner. Pull in platform owner, vulnerability management, and change owner. | Source Pack — View sources and technical detailsLast verified: 2026-06-11 13:03 ET Source checked: 11 June 2026 12:13 ET (11 June 2026 16:13 UTC) Freshness: current Evidence note: Prioritized because CISA KEV, vendor source identified Cisco catalyst SD-WAN manager; Cisco SD-WAN vsmart controller as a deployed healthcare-relevant technology. Fixed releases
|
Retained CVE Watch — 1 prior open item (1 critical/KEV) retained from prior issues and outside this week's Critical-Now Items.
Retention policy: CISA KEV, VulnCheck KEV, active-exploitation, and operational CRITICAL-priority items remain for 30 days unless resolved; HIGH items retain for 14 days; MEDIUM watch items retain for 7 days.
CVE-2026-20182 — Cisco Catalyst SD-WAN
Prior status: previously tracked. Current status: retained-watch.
Why retained: CISA KEV / critical-exploitation retention window (30 days)
Material change: none.
Current action: Review CISA Emergency Directive 26-03 and Cisco SD-WAN guidance, verify affected controllers/managers, apply the Cisco fixed release for the deployed train (20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.15.506, 20.18.2.2), and document mitigation or exception status
Patch status: Fixed-release or mitigation guidance is documented in the CISA/Cisco source; verify the affected train and apply the Cisco fixed release for the deployed train (20.9.9.1, 20.12.5.4, 20.12.6.2, 20.12.7.1, 20.15.4.4, 20.15.5.2, 20.15.506, 20.18.2.2) or the required mitigation.
Source deadline: 2026-05-17. Age-out date: 2026-06-13 (2 days remaining).
KEV status: CISA KEV — federal mandate, patch by 2026-05-17.
Landscape Watch
Sector read
10 healthcare incident/disclosure candidates reviewed; no verified-material action items. 3 secondary-source awareness cards are shown; 7 additional secondary-awareness items remain tracked but not displayed. Vendor advisory watch: no reader action this week.
Named actor and tooling watch
Actor/tooling items are shown here as bounded Landscape Watch context. They become current healthcare alerts only when this window includes an HPH-sector source, healthcare victim, or healthcare-specific campaign evidence.
Background SOC context
These items are retained as low-prominence SOC context. They are not current healthcare alerts unless this window includes healthcare victim, HPH-sector, or campaign-specific evidence.
- Cobalt Strike — background SOC context. Generic IOC activity observed; no current healthcare-specific campaign verified. Evidence sources: AlienVault OTX threat pulses, ThreatFox IOC feed (Abuse.ch).
Medical device / OT watch: No material healthcare OT/ICS or medical-device signal crossed the action threshold this week.
Healthcare Incident Watch — no verified material action items
10 healthcare incident/disclosure candidates reviewed; no verified-material action items. 3 secondary-source awareness cards are shown; 7 additional secondary-awareness items remain tracked but not displayed.
Source quality: official/regulator notices outrank secondary reporting. Methodology. Monitored incident feeds checked: 7 sources; 20 candidate items reviewed.
New lawsuit
10 Jun 2026 · DataBreaches.net
LA: St. George fire district sues IT company over cyberattack
Editorial summary: settlement or litigation pattern relevant to privacy/compliance monitoring and notification-file completeness; local action depends on organizational, vendor, patient-data, or contractual scope.
Currentness: source 10 Jun 2026; new lawsuit.
Source quality: Secondary-source awareness; official notice not verified.
Why selected: Current healthcare-sector cyber awareness reported for LA: privacy, vendor-risk, settlement, disclosure, or social-engineering relevance.
Reader relevance: Useful for litigation, privacy/compliance trend monitoring, and vendor-contract awareness; not evidence of a new breach wave.
Recent incident/disclosure window
10 Jun 2026 · DataBreaches.net
67 million Thais exposed in massive data leak, parliament launches probe
Editorial summary: secondary-source awareness item selected for disclosure-pattern monitoring; do not treat it as a verified material action item without local scope or primary-source confirmation.
Currentness: source 10 Jun 2026; recent incident/disclosure window.
Source quality: Secondary-source awareness; official notice not verified.
Why selected: Current healthcare-sector cyber awareness reported for 67 million Thais exposed in massive data leak, parliament launches pro: privacy, vendor-risk, settlement, disclosure, or social-engineering relevance.
Reader relevance: Awareness item only. Review if your organization, vendor, region, service line, or patient-data relationship is in scope; do not initiate breach response from secondary reporting alone.
Recent incident/disclosure window
11 Jun 2026 · HIPAA Journal
Florida Law Firm Data Breach Affects 65,000 Individuals
Editorial summary: secondary-source awareness item selected for disclosure-pattern monitoring; do not treat it as a verified material action item without local scope or primary-source confirmation.
Currentness: source 11 Jun 2026; recent incident/disclosure window.
Source quality: Secondary-source awareness; official notice not verified.
Why selected: Current healthcare-sector cyber awareness reported for Florida Law Firm Data Breach Affects 65,000 Individuals: privacy, vendor-risk, settlement, disclosure, or social-engineering relevance.
Reader relevance: Awareness item only. Review if your organization, vendor, region, service line, or patient-data relationship is in scope; do not initiate breach response from secondary reporting alone.
7 additional secondary-awareness items remain tracked but not displayed unless local scope is confirmed.
Sector Readiness / Industry Guidance Watch
Non-binding healthcare-sector guidance and readiness events are shown here when current or future-dated source material changes planning, participation, or sector-awareness decisions.
Operation Vital Signs
Organizer: HSCC
Event date(s): July 21-22, 2026
Status: Consider participation / readiness planning
Reader action: Route to security, incident response, emergency management, privacy/legal, and clinical operations leaders if tabletop participation or lessons learned apply.
Regulatory & Privacy
What we are watching
2 regulatory/privacy items crossed the material-change threshold this window.
Standing watch: CIRCIA final rule timing, HIPAA Security Rule modernization, Health Care Cybersecurity and Resiliency Act movement, OCR settlement patterns, FDA medical-device cybersecurity, HHS HC3 sector alerts, CISA KEV healthcare exposure, and federal AI policy that changes healthcare vendor diligence.
This week: Review the table below and assign a policy owner for each changed item. Last checked: 11 June 2026 16:13 UTC.
Regulatory action this week: None. No material movement this window; standing watch items remain available below for reference.
Standing watchlist (no changes) · 11 items
No standing item changed a deadline, owner, privacy posture, or security action this week.
Collapsed groups: 8 federal actions; 3 state or international items.
Standing-watch methodology and canonical source list: /methodology/.
Federal watch items
- CIRCIA — Cyber Incident Reporting for Critical Infrastructure Act — Final rule pending; CISA NPRM published 2024-04; comment period closed 2024-07. Healthcare designated as covered critical infrastructure sector. Why we watch: Mandatory 72-hour cyber incident reporting and 24-hour ransomware payment reporting for covered healthcare entities once the final rule takes effect. Forecast: Expect a final-rule implementation runway; the operational burden will be evidence preservation, reporting clock ownership, and ransomware-payment governance. CISA CIRCIA overview: “report to CISA any covered cyber incidents no later than 72 hours.” (Monitor; no action this week.) Source
- HIPAA Security Rule update (NPRM 2024) — NPRM published Federal Register 2025-01-06. Final rule timeline not yet announced. Adds explicit MFA, encryption, and incident response controls. Why we watch: First substantive HIPAA Security Rule update in over a decade — closes longstanding gaps around MFA, vulnerability management, and incident-response evidence workflows. Forecast: If finalized substantially as proposed, expect heavier documentation, MFA, encryption, segmentation, testing, and incident-response evidence requirements. HHS OCR HIPAA Security Rule NPRM fact sheet: “Require the use of multi-factor authentication, with limited exceptions.” (Monitor; no action this week.) Source
- Health Care Cybersecurity and Resiliency Act of 2025 — Reported / not final. Senate companion under HELP Committee review. Provides authorities for HHS-CISA coordination and minimum cyber standards for healthcare entities. Why we watch: Would codify mandatory minimum cybersecurity standards for healthcare and authorize HHS-CISA cyber incident coordination — the closest thing to a sector-wide cyber baseline currently moving. Forecast: If the bill advances, anticipate procurement and governance pressure around baseline controls rather than an immediate compliance deadline. (Monitor; no action this week.) Source
- OCR HIPAA enforcement and incident-reporting activity — Routine OCR enforcement and reporting updates monitored. Watch for resolution agreements citing security-rule failures (risk analysis, MFA, log retention). Why we watch: OCR settlements reveal which control failures are actively being penalized — direct input into your control-prioritization roadmap. Forecast: Expect OCR enforcement patterns to keep rewarding demonstrable risk analysis, risk management, and evidence of security-rule follow-through. (Monitor; no action this week.) Source
- FDA medical-device cybersecurity guidance & safety communications — FDA pre-market cybersecurity guidance (2023) in effect. Watch for SaMD AI/ML cyber guidance and post-market vulnerability advisories. Why we watch: Vendor must demonstrate cybersecurity in pre-market submission. Post-market FDA safety communications can drive emergency clinical-engineering action. Forecast: Expect continued vendor-evidence pressure for device cybersecurity, especially patchability, post-market monitoring, and coordinated vulnerability disclosure. (Monitor; no action this week.) Source
- HHS HC3 / sector cyber alerts — Routine sector alerts and threat briefs monitored. Higher-frequency advisories during active campaign periods. Why we watch: HC3 issues healthcare-specific TTP intel (ransomware groups targeting clinics, telehealth-specific threats) often days ahead of industry coverage. Forecast: Expect this to remain a weekly threat-intel input, with higher action value when HC3 names a campaign, sector target, or mitigation. (Monitor; no action this week.) Source
- CISA KEV additions affecting healthcare-deployed software — Tracked daily. Healthcare-relevant additions surface in CVE Decision Board with operational priority Critical. Why we watch: CISA KEV addition = federal mandate (BOD 22-01 timelines) for FCEB agencies and a strong signal for healthcare. Immediate-action trigger. Forecast: Expect KEV additions to remain the strongest public signal for urgent patch governance and exception review in healthcare environments. (Monitor; no action this week.) Source
- White House / OMB / NIST / CAISI AI policy affecting healthcare — Active. Federal AI policy posture is shifting; watch for AI executive orders, NIST AI RMF updates, and CAISI evaluation guidance affecting healthcare AI deployments. Why we watch: Federal AI governance defines what evaluations, evidence, and assurances healthcare AI vendors must produce — direct procurement and validation impact. Forecast: Expect AI governance to translate into vendor-diligence questions before it becomes a single healthcare-specific compliance checklist. (Monitor; no action this week.) Source
State / international watch items
- Washington My Health My Data Act — State health-data privacy law in force. Watch for enforcement activity and vendor-contract implications involving non-HIPAA consumer health data. Why we watch: Healthcare-adjacent apps, digital front doors, marketing pixels, and wellness programs can create state-law privacy exposure even when HIPAA does not apply. Forecast: Expect continued state attention on consumer health data, especially web tracking, apps, and non-HIPAA wellness workflows. (Monitor; no action this week.) Source
- California CPPA / CCPA health-data privacy enforcement — State privacy enforcement monitored for health-data, tracking-technology, and vendor-processing implications. Why we watch: Large health systems with California patients or web properties need a view of privacy notices, tracking tech, and service-provider obligations outside HIPAA. Forecast: Expect California privacy enforcement to keep shaping tracking-technology reviews and service-provider contract evidence. (Monitor; no action this week.) Source
- EU AI Act / NIS2 healthcare supplier exposure — International regulatory posture monitored for multinational health systems and suppliers serving EU-regulated healthcare environments. Why we watch: EU AI and cyber-resilience obligations can affect vendor due diligence, clinical AI assurance, and supplier security evidence for global healthcare organizations. Forecast: Expect multinational suppliers to package EU AI and cyber evidence into healthcare procurement responses over the next planning cycle. (Monitor; no action this week.) Source
Official regulatory source update detected this window.
Last verified: 11 June 2026 16:13 UTC
AI & Clinical Automation Watch
Editorial read
1 AI-infrastructure item reached the action threshold this window: CVE-2026-42271 (LiteLLM). This is middleware risk, not a confirmed clinical AI failure.
This week: Patch the affected gateway, confirm whether prompts or provider keys touch patient-context workflows, and review logs before rotating keys.
AI Watch shows elevated decision-relevant items only. Additional AI policy, acquisition, and governance signals remain under internal monitoring unless they cross the public-action threshold.
Agentic-ai and healthcare ai-vendor watch areas stayed below the public-action threshold this week based on the official-source sweep.
1. AI Policy & Model Governance Material change
Health Industry AI Cybersecurity Governance Framework Implementation Guide
Material changeWhy healthcare cares: Sector-specific implementation guidance for AI cybersecurity governance in healthcare: it sets the benchmark vendors, assessors, and customer security questionnaires will reference for AI governance, inventory, vendor diligence, model monitoring, and incident response.
Binding status: nonbinding sector guidance
Recommended action: Use the guide to update the AI governance charter, AI inventory, AI vendor diligence, procurement control language, model monitoring, incident response, and the AI risk acceptance process.
Owner route: CISO, CIO, CMIO, AI governance, privacy, compliance, clinical engineering, procurement, vendor risk
Confidence: High — official HSCC source
Source ↗ — 2026-06-11
Signed executive order — Promoting Advanced Artificial Intelligence Innovation and Security
Material changeWhy healthcare cares: This signed executive order is a material AI policy/governance update. It shapes AI vendor assurance, model-assurance expectations, critical-infrastructure cybersecurity tooling, and the federal evaluation programs healthcare AI vendors may rely on. It does not by itself create healthcare-specific compliance duties.
Binding status: official executive order
Recommended action: Update AI vendor diligence and model-assurance questions, track cybersecurity evaluation requirements, maintain critical-infrastructure cyber tooling awareness, and schedule an AI governance review.
Owner route: CIO, CISO, CMIO, AI governance, privacy/legal, procurement, vendor risk
Confidence: High — official White House source
Source ↗ — 2026-06-11
AI Infrastructure Watch Material change
CVE-2026-42271 — LiteLLM (CRITICAL-NOW priority)
VulnerabilityWhy healthcare cares: Relevant only where LiteLLM or similar AI gateway handles provider keys, prompts, or patient-context workflows. Exposure may affect provider keys, unauthorized model access, or prompt data; it is not evidence of clinical AI failure.
Recommended action: Patch immediately. Audit access logs if the affected version was reachable from an untrusted network. Suggested internal routing: AI Platform / IT Operations; customize locally.
Confidence: High — NVD/KEV verified
Source ↗ — 2026-06-11
Retained AI & Clinical Automation Watch No change
Advancing Artificial Intelligence Education for American Youth | 4/23/2025
Retained watchWhy healthcare cares: Retained from a prior issue pending source-confirmed change or age-out.
Recommended action: Re-check the source for changes affecting AI governance, vendor diligence, or security posture; close or carry forward with documented rationale.
Prior status: unknown. Current status: retained-ai-watch.
Material change: material change confirmed from official source.
Retention timing: Review due: 2026-06-11. Age-out: 2026-07-11. 30 days remaining.
Confidence: Medium — White House AI government source
Source ↗ — 2026-06-11
Accelerating Federal Permitting of Data Center Infrastructure | 7/23/2025
Retained watchWhy healthcare cares: Retained from a prior issue pending source-confirmed change or age-out.
Recommended action: Re-check the source for changes affecting AI governance, vendor diligence, or security posture; close or carry forward with documented rationale.
Prior status: unknown. Current status: retained-ai-watch.
Material change: material change confirmed from official source.
Retention timing: Review due: 2026-06-11. Age-out: 2026-07-11. 30 days remaining.
Confidence: Medium — White House AI government source
Source ↗ — 2026-06-11
Preventing Woke AI in the Federal Government | 7/23/2025
Retained watchWhy healthcare cares: Retained from a prior issue pending source-confirmed change or age-out.
Recommended action: Re-check the source for changes affecting AI governance, vendor diligence, or security posture; close or carry forward with documented rationale.
Prior status: unknown. Current status: retained-ai-watch.
Material change: material change confirmed from official source.
Retention timing: Review due: 2026-06-11. Age-out: 2026-07-11. 30 days remaining.
Confidence: Medium — White House AI government source
Source ↗ — 2026-06-11
Promoting the Export of the American AI Technology Stack | 7/23/2025
Retained watchWhy healthcare cares: Retained from a prior issue pending source-confirmed change or age-out.
Recommended action: Re-check the source for changes affecting AI governance, vendor diligence, or security posture; close or carry forward with documented rationale.
Prior status: unknown. Current status: retained-ai-watch.
Material change: material change confirmed from official source.
Retention timing: Review due: 2026-06-11. Age-out: 2026-07-11. 30 days remaining.
Confidence: Medium — White House AI government source
Source ↗ — 2026-06-11
Trending tactics: attackers continue to favor internet-reachable control planes, API gateways, and automation middleware because those systems often hold tokens, route requests, and bridge multiple clinical or administrative workflows. Treat AI gateways like identity-adjacent infrastructure: log access, narrow network reachability, and review prompt or key exposure before rotating credentials.
AI Action This Week
- Patch any AI gateway / inference component listed in AI Infrastructure Watch, using the CVE-specific remediation and source evidence shown there.
- Forward any items in AI Policy & Model Governance to CIO/CMIO and procurement; refresh AI vendor diligence questions accordingly.
- If AI gateways may handle PHI, confirm BAA review, PHI-redaction, audit logging, and human-in-the-loop controls.
CVE Decision Board — compare action items and monitored CVEs
Operational priority, CVE, product, severity, likelihood, and deadline are shown.
| Priority: CRITICAL-NOW | CVE: CVE-2026-45247 | Product: Mirasvit Full Page Cache Warmer | CVSS: 9.8 Critical | EPSS: 0% Low | HRS: 50 Moderate | Exploit Intel: CISA KEV Confidence: High | Deadline: Past due 5 days (deadline 2026-06-06) |
Retention: Critical-Now / action listed. New this issue. First elevated: 2026-06-08. First seen: 2026-06-08. Age-out: 2026-07-08 (27 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-06-06. Material change: none. Why healthcare-relevantCategory: Patient-facing digital risk Basis: Mirasvit Full Page Cache Warmer is retained because confirmed exploitation changes remediation priority even when healthcare-specific targeting is not proven. Where it shows up: wherever Mirasvit Full Page Cache Warmer is deployed locally — that may be ordinary IT, patient-facing web, vendor-managed, identity, or care-supporting paths. What could happen: Confirmed exploitation drives urgency, but healthcare impact depends on whether Mirasvit Full Page Cache Warmer is exposed, privileged, or connected to patient-access or clinical workflows. Local check: validate Mirasvit Full Page Cache Warmer presence, affected version, internet reachability, privilege level, and business owner before escalating to privacy or clinical operations. Healthcare concern: The healthcare question is where Mirasvit Full Page Cache Warmer sits: identity path, patient-facing web path, vendor-managed service, clinical support system, or ordinary back-office asset. The answer changes urgency and escalation. Local validation: confirm whether Mirasvit Full Page Cache Warmer before 1.11.12 is deployed, exposed, and owned locally. Validate internet reachability, the business owner for Mirasvit Full Page Cache Warmer, compensating controls, and whether local evidence shows it supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows. Remediation: Upgrade affected Mirasvit Full Page Cache Warmer to the source-listed fixed release for the matching branch: 1.11.12. Document exception and compensating controls if remediation is delayed. | |||||||
| Priority: CRITICAL-NOW | CVE: CVE-2026-50751 | Product: Check Point Security Gateway / Remote Access VPN / Mobile Access / Quantum Spark where applicable | CVSS: 9.3 Critical | EPSS: 0% Low | HRS: 56 Moderate | Exploit Intel: CISA KEV Confidence: High | Deadline: Due today (deadline 2026-06-11) |
Retention: Critical-Now / action listed. New this issue. First elevated: 2026-06-08. First seen: 2026-06-08. Age-out: 2026-07-08 (27 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-06-11. Material change: none. Why healthcare-relevantCategory: Identity / access risk Basis: This is network, identity, or remote-access infrastructure that can affect multiple healthcare workflows. Where it shows up: remote clinics, VPN, vendor support tunnels, privileged administration, site-to-site connectivity, and cloud or datacenter ingress. What could happen: A flaw can bypass access controls, expose sessions or credentials, or create a foothold toward care-supporting and revenue-cycle systems behind the edge. Local check: check internet exposure, authentication paths, privileged access, segmentation, vendor-managed devices, and change windows. Healthcare concern: These systems can concentrate remote access, vendor connectivity, privileged sessions, and site-to-site traffic, so a flaw can turn into access-control bypass or operational outage across many care-supporting services. Local validation: confirm whether Check Point Security Gateway / Remote Access VPN / Mobile Access / Quantum Spark where applicable from r80.40 before r81.20, from r80.20.00 before r81.10.17, from r80.20.00 before r82.00.10 is deployed, exposed, and owned locally. Validate internet reachability, the business owner for Check Point Security Gateway / Remote Access VPN / Mobile Access / Quantum Spark where applicable, compensating controls, and whether local evidence shows it supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows. Remediation: Upgrade affected Check Point Security Gateway / Remote Access VPN / Mobile Access / Quantum Spark where applicable to the source-listed fixed release for the matching branch: r81.20; r81.10.17; r82.00.10. Document exception and compensating controls if remediation is delayed. | |||||||
| Priority: CRITICAL-NOW | CVE: CVE-2026-42271 | Product: LiteLLM | CVSS: 8.8 High | EPSS: 0% Low | HRS: 72 High | Exploit Intel: CISA KEV Confidence: High | Deadline: Due 2026-06-22 |
Retention: Critical-Now / action listed. New this issue. First elevated: 2026-06-08. First seen: 2026-06-08. Age-out: 2026-07-08 (27 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-06-22. Material change: none. Why healthcare-relevantCategory: AI gateway/key exposure Basis: This is an AI gateway or model-infrastructure component that may broker requests, logs, prompts, or API keys. Where it shows up: AI gateway, model-routing, summarization, audit, claims, coding, or automation services that broker prompts, logs, API keys, or model access. What could happen: Exposure can leak keys, alter model routing, expose prompt/log data, or weaken audit evidence when the gateway is used near PHI-adjacent workflows. Local check: confirm owner, PHI-adjacent use, API-key scope, prompt/log retention, BAA/vendor posture, and fixed version before treating it as compliance impact. Healthcare concern: Healthcare risk is concentrated in prompt/log handling, API-key scope, model-routing integrity, audit evidence, and whether the gateway is used near PHI-adjacent workflows. Local validation: confirm whether LiteLLM is deployed in AI gateway or model-routing workflows, verify version and key scope, and review Postgres query logs, database query history, LiteLLM application logs, and provider API key usage logs before closure. Remediation: Upgrade affected LiteLLM to the source-listed fixed release for the matching branch: 1.83.7. Document exception and compensating controls if remediation is delayed. | |||||||
| Priority: CRITICAL-NOW | CVE: CVE-2026-11645 | Product: Google Chrome / Chromium V8 | CVSS: 8.8 High | EPSS: 0% Low | HRS: 80 High | Exploit Intel: CISA KEV Confidence: High | Deadline: Due 2026-06-23 |
Retention: Critical-Now / action listed. New this issue. First elevated: 2026-06-10. First seen: 2026-06-10. Age-out: 2026-07-10 (29 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-06-23. Material change: none. Why healthcare-relevantCategory: Exploited enterprise platform Basis: Google Chrome / Chromium V8 is retained because confirmed exploitation changes remediation priority even when healthcare-specific targeting is not proven. Where it shows up: wherever Google Chrome / Chromium V8 is deployed locally — that may be ordinary IT, patient-facing web, vendor-managed, identity, or care-supporting paths. What could happen: Confirmed exploitation drives urgency, but healthcare impact depends on whether Google Chrome / Chromium V8 is exposed, privileged, or connected to patient-access or clinical workflows. Local check: validate Google Chrome / Chromium V8 presence, affected version, internet reachability, privilege level, and business owner before escalating to privacy or clinical operations. Healthcare concern: The healthcare question is where Google Chrome / Chromium V8 sits: identity path, patient-facing web path, vendor-managed service, clinical support system, or ordinary back-office asset. The answer changes urgency and escalation. Local validation: confirm whether Google Chrome / Chromium V8 before 149.0.7827.103 is deployed, exposed, and owned locally. Validate internet reachability, the business owner for Google Chrome / Chromium V8, compensating controls, and whether local evidence shows it supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows. Remediation: Upgrade affected Google Chrome / Chromium V8 to the source-listed fixed release for the matching branch: 149.0.7827.103. Document exception and compensating controls if remediation is delayed. | |||||||
| Priority: CRITICAL-NOW | CVE: CVE-2026-20245 | Product: Cisco catalyst SD-WAN manager; Cisco SD-WAN vsmart controller | CVSS: 7.8 High | EPSS: 0% Low | HRS: 64 Moderate | Exploit Intel: CISA KEV Confidence: High | Deadline: Due 2026-06-23 |
Retention: Critical-Now / action listed. New this issue. First elevated: 2026-06-10. First seen: 2026-06-10. Age-out: 2026-07-10 (29 days remaining) unless resolved or source status changes. Retention reason: CISA KEV source status retained for 30 days or until resolved. Source deadline: 2026-06-23. Material change: none. Why healthcare-relevantCategory: Network operations risk Basis: This is network, identity, or remote-access infrastructure that can affect multiple healthcare workflows. Where it shows up: remote clinics, VPN, vendor support tunnels, privileged administration, site-to-site connectivity, and cloud or datacenter ingress. What could happen: A flaw can bypass access controls, expose sessions or credentials, or create a foothold toward care-supporting and revenue-cycle systems behind the edge. Local check: check internet exposure, authentication paths, privileged access, segmentation, vendor-managed devices, and change windows. Healthcare concern: These systems can concentrate remote access, vendor connectivity, privileged sessions, and site-to-site traffic, so a flaw can turn into access-control bypass or operational outage across many care-supporting services. Local validation: confirm whether Cisco catalyst SD-WAN manager; Cisco SD-WAN vsmart controller before 20.9.9.1, from 20.10 before 20.12.5.4, from 20.12.6 before 20.12.6.2, from 20.13 before 20.15.4.4, from 20.15.5 before 20.15.5.2, from 20.16 before 20.18.2.2, from 26.1 before 26.1.1.1 is deployed, exposed, and owned locally. Validate internet reachability, the business owner for Cisco catalyst SD-WAN manager; Cisco SD-WAN vsmart controller, compensating controls, and whether local evidence shows it supports patient-facing, operational, administrative, or PHI/ePHI-bearing workflows. Remediation: Upgrade affected Cisco catalyst SD-WAN manager; Cisco SD-WAN vsmart controller to the source-listed fixed release for the matching branch: 20.9.9.1; 20.12.5.4; 20.12.6.2; plus 4 more affected branches — see the full fixed-release table in the Source Pack and the remediation source. If you cannot patch immediately, apply the source-listed mitigation: no workarounds available Cisco Bug IDs: CSCwt50498 CVE-2026-20182 CWE-287 CVSS Score: Base 10.0 Click Icon to Copy Verbose Score CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:X/RL:X/RC:X CVE-2026-20182 CWE-287 Download CSAF Email Summary May 2026: This security advisory provides the details, fix information for a vulnerability that was discovered, Cisco states all SD-WAN control components require upgrade, or do not rely on partial upgrades. Collect admin-tech files from all control components before upgrade, then open a Cisco TAC case referencing this CVE for indicator-of-compromise scanning. Document exception and compensating controls if remediation is delayed. | |||||||
More monitored CVEs (3)
| Priority: CRITICAL-NOW | CVE: CVE-2026-7654 | Product: Admin Columns (WordPress) | CVSS: 8.8 High | EPSS: 67% High | HRS: 62 Moderate | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-06-18 |
Retention: Critical-Now / action listed. New this issue. First elevated: 2026-06-11. First seen: 2026-06-08. Age-out: 2026-07-11 (30 days remaining) unless resolved or source status changes. Retention reason: exploit-priority signal present; confirm local deployment before emergency change. Source deadline: 2026-06-18. Material change: none. Why healthcare-relevantCategory: Patient-facing digital risk Basis: Admin Columns (WordPress) has code-execution risk on WordPress sites where the vulnerable plugin or theme is active. Where it shows up: public, patient-facing, marketing, physician-practice, intranet, or vendor-managed WordPress properties. What could happen: A plugin or theme flaw can affect site integrity, redirects, credentials, or patient-facing trust depending on how the component is deployed. Local check: confirm deployment, affected version, WAF coverage, admin changes, fixed release, and whether patient-facing workflows are in scope. Healthcare concern: Healthcare relevance depends on patient services, referrals, billing, marketing pixels, or portal handoff; otherwise treat as web-platform remediation. Local validation: confirm whether Admin Columns (WordPress) ['before 7.0.18'] is installed. Prioritize public-facing, patient-facing, marketing, appointment, location-directory, portal-handoff, or form-bearing sites that could run Admin Columns (WordPress). Review administrator accounts, temporary-access activity, recent plugin/theme changes, unexpected files, and web logs before closure. Remediation: Upgrade affected Admin Columns (WordPress) deployment(s) to vendor-supported fixed release(s): 7.0.18. Use the vendor advisory to match the correct branch; isolate affected deployments and document exception ownership if remediation is delayed. | |||||||
| Priority: HIGH | CVE: CVE-2026-10580 | Product: Hippoo Mobile App for WooCommerce (WordPress) | CVSS: 9.8 Critical | EPSS: 55% High | HRS: 62 Moderate | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-06-25 |
Retention: retained. New this issue. First elevated: 2026-06-11. First seen: 2026-06-08. Age-out: 2026-06-22 (11 days remaining) unless resolved or source status changes. Retention reason: HIGH-priority watch for Hippoo Mobile App for WooCommerce (WordPress) retained while exploit, healthcare, or source signal remains relevant. Source deadline: 2026-06-25. Material change: none. Why healthcare-relevantCategory: Patient-facing digital risk Basis: Hippoo Mobile App for WooCommerce (WordPress) has code-execution risk on WordPress sites where the vulnerable plugin or theme is active. Where it shows up: public, patient-facing, marketing, physician-practice, intranet, or vendor-managed WordPress properties. What could happen: A plugin or theme flaw can affect site integrity, redirects, credentials, or patient-facing trust depending on how the component is deployed. Local check: confirm deployment, affected version, WAF coverage, admin changes, fixed release, and whether patient-facing workflows are in scope. Healthcare concern: Healthcare relevance depends on patient services, referrals, billing, marketing pixels, or portal handoff; otherwise treat as web-platform remediation. Local validation: confirm whether Hippoo Mobile App for WooCommerce (WordPress) before 1.9.4 is installed. Prioritize public-facing, patient-facing, marketing, appointment, location-directory, portal-handoff, or form-bearing sites that could run Hippoo Mobile App for WooCommerce (WordPress). Review administrator accounts, temporary-access activity, recent plugin/theme changes, unexpected files, and web logs before closure. Remediation: Upgrade affected Hippoo Mobile App for WooCommerce (WordPress) deployment(s) to vendor-supported fixed release(s): 1.9.4. Use the vendor advisory to match the correct branch; isolate affected deployments and document exception ownership if remediation is delayed. | |||||||
| Priority: HIGH | CVE: CVE-2024-58348 | Product: WordPress Background Image Cropper | CVSS: 9.8 Critical | EPSS: 40% Moderate | HRS: 62 Moderate | Exploit Intel: Public PoC Confidence: Medium | Deadline: Due 2026-06-25 |
Retention: retained. New this issue. First elevated: 2026-06-11. First seen: 2026-06-08. Age-out: 2026-06-22 (11 days remaining) unless resolved or source status changes. Retention reason: HIGH-priority watch for WordPress Background Image Cropper retained while exploit, healthcare, or source signal remains relevant. Source deadline: 2026-06-25. Material change: none. Why healthcare-relevantCategory: Patient-facing digital risk Basis: WordPress Background Image Cropper has a file-upload validation exposure on WordPress sites where the vulnerable component is active. Where it shows up: WordPress sites with upload features tied to contact, referral, appointment, billing, or portal-support workflows. What could happen: File-upload flaws can lead to web-shell placement, malicious file hosting, form tampering, or redirects on a trusted healthcare domain. Local check: confirm whether uploads are enabled, whether files are executable or public, and whether the site connects to patient-facing workflows. Healthcare concern: File-upload flaws can lead to web-shell placement or malicious content hosting if the site supports patient, referral, billing, or portal-handoff workflows. Local validation: confirm whether WordPress Background Image Cropper before 5.4.19 is installed. Prioritize public-facing, patient-facing, marketing, appointment, location-directory, portal-handoff, or form-bearing sites that could run WordPress Background Image Cropper. Review administrator accounts, temporary-access activity, recent plugin/theme changes, unexpected files, and web logs before closure. Remediation: Upgrade affected WordPress Background Image Cropper deployment(s) to vendor-supported fixed release(s): 5.4.19. Use the vendor advisory to match the correct branch; isolate affected deployments and document exception ownership if remediation is delayed. | |||||||
Sort order prioritizes exploitation signals and deadlines.
Why low-EPSS items can still be Critical-Now
Low EPSS does not mean low operational risk.
EPSS estimates short-term exploit probability; operational priority also weighs confirmed exploitation and source deadlines.
Examples this week: 5 low-EPSS items remain prioritized because exploitation/source signals override low EPSS.
Methodology
8 CVEs analyzed · 5 CISA KEV items; 3 also corroborated by VulnCheck; No VulnCheck-only additions this window. Methodology and limitations are collapsed; standing methodology is available at /methodology/.
Public issue methodology is summary-only to preserve the decision-brief reading path.
Sources used this window include NVD, CISA KEV, VulnCheck KEV, EPSS, healthcare incident sources, and regulatory watch data.
Breach Notification Trigger Framework: CVE presence alone is not a breach assessment; escalate only with local evidence of exploitation, unauthorized access, or PHI/ePHI exposure.
Full standing methodology: /methodology/.