Three zero-day style warnings in one morning: ServiceNow, Ivanti Sentry, and protobuf.js under siege—who’s next?
ServiceNow disclosed that unknown threat actors exploited a vulnerability to gain deeper unauthorized access to hosted customer instances, and it tied the incident to a security update applied on June 5, 2026. The advisory indicates that only “susceptible instances” were at risk, implying attackers likely selected targets based on exposure and patch status. In parallel, Ivanti announced patches for two critical flaws in its Sentry secure mobile gateway, including a maximum-severity issue that allows remote attackers to execute code as root. Separately, researchers reported six vulnerabilities in protobuf.js, a widely used JavaScript/TypeScript Protocol Buffers library, warning that successful exploitation could enable remote code execution and denial-of-service conditions in affected Node.js apps.

Taken together, the cluster points to a sustained pressure campaign against enterprise software supply chains and remote-access infrastructure rather than isolated bugs. ServiceNow and Ivanti both sit close to enterprise workflows and remote connectivity, so compromise can translate quickly into credential theft, lateral movement, and persistence across business systems. The protobuf.js findings matter because they can be weaponized at scale through common dependencies, turning routine application development into an attack surface. In this dynamic, defenders face a race between patch deployment and attacker dwell time, while threat actors benefit from fragmented visibility across customer environments and third-party integrations.

Market and economic implications are most visible in cybersecurity spending, incident-response demand, and risk premia for enterprise software and managed services. While these are not kinetic events, they can still move expectations for vendors’ security posture and increase near-term costs for patching, auditing, and monitoring—especially for firms running ServiceNow instances, Ivanti Sentry gateways, and Node.js stacks using protobuf.js. The most direct instrument-level effects are likely to show up in cybersecurity insurance pricing, MSSP/IR contract activity, and potentially in the valuation sensitivity of software vendors to security incidents. In the short term, the direction is risk-off for unpatched environments and a rotation toward companies with faster remediation cycles, stronger SBOM/dependency governance, and mature vulnerability management.

The next watch items are concrete: whether ServiceNow’s advisory expands with indicators of compromise, whether Ivanti reports active exploitation attempts, and how quickly protobuf.js maintainers and downstream frameworks push mitigations. Organizations should track patch availability and deployment timelines for the June 5 ServiceNow update, the Ivanti Sentry root-level execution fix, and the protobuf.js vulnerability releases or recommended upgrade paths. Trigger points include evidence of exploitation in the wild, new advisories referencing the same affected versions, and any observed increase in scanning or exploitation attempts targeting remote gateways and Node.js services. Over the coming days, escalation risk depends on attacker follow-on behavior—if multiple vectors are confirmed as actively exploited, incident-response capacity and security budgets could tighten rapidly across the enterprise sector.

Geopolitical Implications
- Compromise of widely used enterprise platforms can create strategic leverage for malicious actors across sectors.
- Dependency-level flaws increase systemic cyber risk and can trigger regulatory and procurement tightening.
- Active exploitation confirmation would likely accelerate government and critical-infrastructure cyber mandates.

Key Signals
- Follow-up ServiceNow advisories with IOCs and affected versions.
- Ivanti statements on whether the Sentry root RCE flaw is under active exploitation.
- protobuf.js fixed releases and downstream framework mitigation guidance.
- Traffic patterns showing increased scanning/exploitation attempts against remote gateways and Node.js services.