██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Oracle PeopleSoft Zero-Day Exploited by ShinyHunters in Mass Attack

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 13, 2026

Share

cybr.cx — Daily Digest | June 13, 2026


Critical Vulnerabilities

⚠️ Actively exploited — CVE-2026-35273 | Oracle PeopleSoft Enterprise PeopleTools | CVSS: N/A
A missing authentication vulnerability in Oracle PeopleSoft PeopleTools allows unauthenticated attackers to fully take over affected instances. This is being actively weaponised right now by ShinyHunters in a mass-exploitation campaign — see Headline News below. CISA's remediation deadline was June 15. If you run PeopleSoft and haven't patched, treat this as a fire drill.

⚠️ Actively exploited — CVE-2026-10520 | Ivanti Sentry | CVSS: N/A
An OS command injection flaw in Ivanti Sentry (formerly MobileIron Sentry) lets a remote, unauthenticated attacker achieve root-level RCE — particularly dangerous when the appliance is in an unmanaged state. CISA's remediation deadline was June 14, meaning federal agencies should already be patched. Everyone else: this is Ivanti, treat it as critical regardless of formal scoring.

⚠️ Actively exploited — CVE-2026-11645 | Google Chromium V8 | CVSS: N/A
An out-of-bounds read/write in the V8 JavaScript engine enables arbitrary code execution inside the browser sandbox via a crafted HTML page. Affects Chrome, Edge, and any Chromium-based browser. Drive-by exploitation is viable. Push browser updates across your fleet now — deadline June 23 for federal, sooner for everyone else.

⚠️ Actively exploited — CVE-2026-50751 | Check Point Security Gateway | CVSS: N/A
An improper authentication flaw in IKEv1 key exchange allows unauthenticated remote attackers to bypass user authentication and establish a VPN session without valid credentials. Remote access infrastructure being compromised without passwords is about as bad as it gets. CISA's deadline has already passed (June 11) — if you haven't acted, assume risk.

⚠️ Actively exploited — CVE-2026-42271 | BerriAI LiteLLM | CVSS: N/A
A command injection vulnerability in LiteLLM allows any authenticated user — including low-privilege internal-user keys — to execute arbitrary commands on the host. Given how widely LiteLLM is deployed in AI/ML pipelines, the blast radius here is significant. Patch or isolate immediately.

⚠️ Actively exploited — CVE-2026-20245 | Cisco Catalyst SD-WAN Manager | CVSS: N/A
An improper output encoding flaw allows an authenticated local attacker to escalate to root by supplying a crafted file. Network infrastructure compromise via SD-WAN is a high-value target for lateral movement. Deadline June 23; don't wait.

⚠️ Actively exploited — CVE-2026-7473 | Arista Extensible Operating System (EOS) | CVSS: N/A
Arista EOS incorrectly decapsulates and forwards unexpected tunnelled packets when the destination IP matches a configured decapsulation IP, enabling traffic bypass and potential network manipulation. Actively exploited in enterprise switching environments. Deadline June 23.

⚠️ Actively exploited — CVE-2026-28318 | SolarWinds Serv-U | CVSS: N/A
Unauthenticated attackers can crash Serv-U by sending a specially crafted POST request with a Content-Encoding: deflate header — no login required. A reliable DoS primitive against file-transfer infrastructure that is already a perennial attacker target.

CVE-2026-53817 | OpenClaw (before 2026.5.22) | CVSS: 8.8 — HIGH
Insufficient locality validation in Control UI pairing allows network-adjacent attackers to spoof locality and obtain persistent, admin-capable device tokens that survive rotation. This converts temporary shared access into a durable backdoor.

CVE-2026-53806 / CVE-2026-53807 / CVE-2026-53810 / CVE-2026-53811 / CVE-2026-53819 | OpenClaw (multiple versions) | CVSS: 8.8 — HIGH
A cluster of six high-severity flaws across OpenClaw covers shell option bypass for exec revalidation, Telegram callback authorisation bypass, malicious marketplace extension metadata loading, Matrix display-name spoofing for privilege escalation, and .env-based Homebrew executable hijacking during skill installs. The breadth of the attack surface here is notable — update to 2026.5.27 or later across the board.

CVE-2026-12059 | Cellopoint CelloOS SSH Service | CVSS: 8.8 — HIGH
Authenticated remote attackers can escape enforced SSH command restrictions and execute arbitrary OS commands. Any device with SSH exposed to untrusted users is at risk. Restrict SSH access and apply vendor patches.

CVE-2026-6211 | Global IT WEOLL (2.0.9 – < 3.2.45.33) | CVSS: 8.7 — HIGH
Unrestricted file upload allows attackers to bypass ACL controls and upload files of dangerous types, potentially leading to remote code execution. Upgrade to 3.2.45.33 or later.


Headline News

ShinyHunters Weaponises Oracle PeopleSoft Zero-Day in Mass-Breach Campaign

The ShinyHunters extortion group has exploited CVE-2026-35273 — a missing authentication vulnerability in Oracle PeopleSoft PeopleTools — to breach more than 100 organisations, with universities emerging as primary victims. Google's Mandiant team formally attributed the campaign to ShinyHunters and directly notified over a hundred organisations running potentially vulnerable instances. The University of Nottingham has been confirmed among the victims, with the group leaking approximately 40GB of data reportedly containing personal and financial records for up to 450,000 students and staff. The attack pattern is consistent with ShinyHunters' established playbook: mass exploitation of a critical unauthenticated flaw, rapid data exfiltration, and extortion demands before public disclosure. For defenders, the lesson is familiar but painful — internet-facing enterprise HR and ERP platforms are high-value targets, and the window between public CVE disclosure and active mass exploitation continues to compress toward zero.

AUR Package Repository Hit by Infostealer and Rootkit Supply-Chain Attack

Approximately 400 packages in the Arch User Repository (AUR) were found to have been compromised with an infostealer and rootkit payload, representing a significant supply-chain incident for the Linux community. AUR packages are community-maintained and lack the automated security review of official Arch repositories, making them an attractive vector for attackers willing to invest in upstream poisoning. The infostealer component targets credentials and sensitive files, while the rootkit provides persistence and concealment — a combination designed for long-term, stealthy access rather than smash-and-grab operations. Security teams supporting developer workstations running Arch or Arch-based distributions (Manjaro, EndeavourOS, etc.) should audit recently installed AUR packages against the confirmed compromise list and treat affected systems as potentially owned. This incident reinforces the broader risk of developer toolchain compromise as an initial access vector into enterprise environments.

Malware Authors Embed Weapons of Mass Destruction Text in Spyware Code

Researchers flagged a striking and deliberate tactic: malware developers have embedded text referencing nuclear and biological weapons directly inside their spyware code. While the embedded content does not grant any actual capability related to such weapons, the technique appears designed to weaponise legal and export-control frameworks — code containing such references can trigger heightened scrutiny, complicate forensic analysis, and potentially expose researchers or victims to regulatory complications simply for possessing or analysing the sample. The discovery underscores how threat actors are increasingly thinking beyond technical evasion toward legal and procedural harassment of defenders. Malware analysts handling samples from this family should be aware of the content before sharing or submitting to external sandboxes and consult their organisation's legal counsel on handling requirements.


Schrödinger's Feed

Microsoft and Quantinuum have published peer-reviewed data in Nature detailing real-world physical implementations of quantum error correction (QEC), demonstrating measurable improvements in logical error rates on trapped-ion hardware. QEC is the foundational problem standing between today's noisy intermediate-scale quantum (NISQ) devices and the fault-tolerant machines that would threaten current public-key cryptography — so peer-reviewed progress here is a meaningful signal, not just a press release. The paper's title — "Improved quantum processor logical error rates via correction and detection" — is deliberately understated for something that moves the needle on one of the hardest engineering problems in physics. Practitioners planning cryptographic infrastructure lifetimes should watch QEC milestone publications closely: the gap between "interesting research result" and "RSA is a problem" is shrinking, and the timeline for PQC migration is not getting longer.


/dev/random

A developer published a detailed post titled "I Am Not a Reverse Centaur" — which turns out not to be an identity crisis but a technical argument about the increasingly common software architecture where AI makes the high-level decisions and a human executes the physical actions, the inversion of the old "human thinks, machine does" model. The post coins "reverse centaur" for this pattern (human body, machine brain) and argues that many modern AI-assisted workflows have quietly arrived at exactly this structure without anyone formally noticing. It's a useful mental model for security teams thinking about how AI-driven SOC tooling actually distributes decision-making authority — and whether "human in the loop" still means what they think it means. Worth a coffee-break read, if only to check whether your own workflows have accidentally made you the legs.