Cybersecurity Weekly Report: June 8–14, 2026. Some weeks test defenders with volume. Others test them with velocity. This one managed both.
Microsoft’s June Patch Tuesday landed as the largest in the program’s 23-year history: 206 vulnerabilities in a single drop. While security teams were still triaging that workload, a criminal extortion group called ShinyHunters had already finished breaching more than 100 organizations using a zero-day that Oracle hadn’t patched yet.
Law enforcement pushed back hard, dismantling a €336 million cryptocurrency laundering network that had been quietly servicing the ransomware underground since 2021. And late on Saturday, reports emerged that four major Iranian banks had their shared network disrupted in a cyberattack, a development that, given the region’s current geopolitical state, carries more weight than a typical financial sector incident.
The through-line connecting most of this week’s activity is one that defenders need to internalize: attackers are consistently reaching enterprise systems that require no authentication to exploit. Oracle PeopleSoft, Check Point VPN, and multiple flaws added to CISA’s KEV catalog this week all share that characteristic. Network access is enough. No credentials, no phishing, no social engineering.
If your organization runs PeopleSoft, patch now; do not wait for your next change window. If Check Point VPN is in your stack and IKEv1 is still active, apply the hotfix today. And if Microsoft’s June cumulative update hasn’t been prioritized yet, it needs to move up the queue before the weekend.

Major Incidents
1. ShinyHunters Exploits Oracle PeopleSoft Zero-Day – 100+ Organizations Breached
This story didn’t start on Monday. It started on May 27.
That’s when ShinyHunters, tracked by Google’s Mandiant under the designation UNC6240, began systematically compromising Oracle PeopleSoft environments using CVE-2026-35273, a remote code execution vulnerability rated CVSS 9.8. The flaw sits in the Environment Management Hub (PSEMHUB) component and requires no authentication whatsoever. An attacker with HTTP network access to that endpoint has everything they need to take over the server.
Oracle didn’t publish its advisory until June 10. That means the group operated against a true zero-day for nearly two weeks, hitting organizations that had no vendor-issued patch to apply and, in many cases, no awareness that the flaw even existed. By the time the advisory dropped, ShinyHunters had already claimed breaches across more than 100 organizations spanning roughly 300 PeopleSoft instances. Mandiant confirmed those numbers, noting it had notified over 100 global organizations whose IP addresses matched vulnerable endpoints.
The University of Nottingham became the first confirmed victim to go public. ShinyHunters published roughly 40 GB of stolen data on its leak site: personal details and academic records belonging to approximately 454,600 current and former students. The group told The Register it had “only just started outreach to affected organizations,” which is their way of saying more ransom demands were coming.
Sixty-eight percent of compromised organizations were in higher education, most of them in the United States. Victims also appeared across Europe, Asia, and Australia.
Why This Matters
PeopleSoft isn’t a legacy system sitting quietly in a corner. It’s the operational backbone of HR, payroll, student records, and billing at some of the largest enterprises and universities in the world. What changed this week is the attacker profile: an industrialized extortion crew using automated scripts to scan and compromise at scale. ERP infrastructure is no longer considered too complex or too opaque to attack. The barrier has dropped, and the playbook now exists. Expect imitation.

2. Microsoft June 2026 Patch Tuesday – Largest in Program History
206 vulnerabilities. One Patch Tuesday. A record that stretches back to October 2003.
Microsoft’s June release includes 32 Critical flaws, 28 of which are Remote Code Execution vulnerabilities. Three were publicly disclosed and therefore known to potential attackers before patches were available. None of the three show confirmed active exploitation yet, but that distinction can change quickly once researcher write-ups and PoC code start circulating.
The vulnerability demanding the most urgent attention is CVE-2026-45657, a use-after-free flaw in the Windows Kernel’s TCP/IP handling, rated CVSS 9.8. Microsoft has flagged it as potentially wormable under certain network configurations, meaning a successful exploit could propagate across systems with no user interaction required. That’s the profile defenders least want to see ahead of a summer patch cycle.
Elsewhere in the release: the Remote Desktop Client collected 11 CVE patches, four of them Critical. Windows Hyper-V carries three Critical guest-escape RCE flaws that could allow code execution on the host from inside a virtual machine. Microsoft Office (Outlook and Word) received Critical patches for vulnerabilities exploitable via malicious document delivery; notably, some are triggerable through the Preview Pane before a file is even opened.
Why This Matters
A release of this size reflects compounding debt, not a single bad month. Security teams should resist the urge to work through the list alphabetically. Prioritize the wormable kernel flaw CVE-2026-45657 first. Then CVE-2026-50507 (BitLocker bypass, relevant for compliance-driven device protection programs) and CVE-2026-49160 (HTTP/2 denial-of-service for any organization running internet-facing IIS). Everything else should be risk-ranked against your exposure.
3. Europol Dismantles AudiA6 – €336M Crypto Laundering Pipeline Cut
On June 10, a coordinated international operation took down AudiA6, one of the more sophisticated cryptocurrency laundering services the ransomware ecosystem had quietly relied on for the past five years.
The numbers are significant. Since 2021, AudiA6 is estimated to have processed over €336 million (approximately $389 million) in illicit proceeds. It operated as a mixer-as-a-service: cybercriminals transferred stolen cryptocurrency in, and received cleaned funds back within roughly an hour. The mechanism behind that speed was industrial: more than 6,000 KYC-verified money mule accounts, opened using stolen or purchased identities, routed funds through fraudulent exchange accounts before returning them to clients. The platform charged commissions of 3% to 10%.
AudiA6 also ran Dark2Web, a dark web forum where criminal actors advertised services and connected with each other.
The June 10 operation, coordinated between Europol, the U.S. Department of Justice, the Secret Service, IRS Criminal Investigation, and Georgian authorities, resulted in the arrest of two alleged administrators in Batumi, Georgia: a 37-year-old Ukrainian national and a 25-year-old Russian national, both now facing extradition to the United States. Authorities seized 25 domains, more than 30 servers, froze €692,000 in cryptocurrency, and replaced both AudiA6 and Dark2Web’s web presence with law enforcement seizure banners.
Why This Matters
Attacking the financial plumbing of the ransomware ecosystem is proving to be among the most effective approaches law enforcement has. Ransomware groups don’t operate on ideology; they operate on profit. When the cash-out infrastructure gets disrupted, their operational tempo slows and their choices narrow. This takedown builds on a September 2025 Polish Police arrest of an AudiA6 affiliate, showing how persistent, multi-jurisdiction investigations can eventually reach the core of an organization. The service has been linked to more than 15 active ransomware investigations globally. Those investigations now have a lot more evidence to work with.
4. Check Point VPN CVE-2026-50751 – IKEv1 Authentication Bypass Under Active Exploitation
Check Point Research disclosed on June 9 that it had confirmed active exploitation of CVE-2026-50751, a CVSS 9.3 authentication bypass vulnerability in its Remote Access VPN and Mobile Access products when configured with the deprecated IKEv1 key exchange protocol.
The mechanics are straightforward and dangerous. A logic flaw in certificate validation allows an attacker to establish a full VPN session without possessing a valid user password. Post-authentication steps are still required to reach internal resources, but the network perimeter has already been crossed. Exploitation has been confirmed at dozens of organizations globally.
At least one incident involved confirmed post-compromise activity from a Qilin ransomware affiliate. The Dutch National Cyber Security Centre followed Check Point’s disclosure with a warning anticipating imminent large-scale automated scanning, the standard escalation pattern where targeted exploitation transitions to mass internet-wide scanning within days of public disclosure.
Check Point’s investigation also surfaced a companion vulnerability: CVE-2026-50752 (CVSS 7.4), which could enable man-in-the-middle attacks against site-to-site VPN connections. No active exploitation of CVE-2026-50752 has been observed yet, but the vendor recommends patching both.
Why This Matters
VPN edge devices are where ransomware intrusions most commonly begin right now. The Qilin connection here isn’t coincidental; it’s a case study in how quickly affiliates pivot from newly disclosed network vulnerabilities to active ransomware deployment. If IKEv1 is still active in your environment and the hotfix isn’t applied, the Dutch NCSC warning about imminent mass scanning should change your sense of urgency. Treat this as an emergency.
5. Cyberattack Disrupts Four Major Iranian Banks – June 14
Late in the reporting week, a cyberattack disrupted the shared communication network used by four major Iranian banks, causing service outages across multiple financial institutions. Iranian officials confirmed the incident publicly, though attribution and the technical specifics remain unconfirmed at time of writing.
The attack echoes the August 2024 IRLeaks campaign, which Iranian officials described as the worst cyberattack against the country’s banking sector in history. That incident saw attackers compromise roughly 20 credit institutions and subsequently demand millions in ransom.
Context matters here. Since the U.S.-Israeli joint military operations in February 2026 (Operation Epic Fury / Operation Roaring Lion), Iranian-linked groups including Seedworm (MuddyWater) and Handala have significantly escalated their activity against financial and government targets internationally. Whether Saturday’s attack is retaliation, an unrelated criminal operation, or something else entirely is still unclear.
Why This Matters
Financial sector attacks tied to geopolitical conflict rarely stay contained. Organizations in banking, insurance, critical infrastructure, and government, particularly those with exposure to Middle Eastern operations or counterparty relationships, should treat this as an active threat signal and increase monitoring accordingly. This story is developing.
ANALYST INSIGHT: Three of this week’s most serious incidents share an architectural failure mode: enterprise software reachable from the internet with no authentication required. Oracle PeopleSoft’s PSEMHUB, Check Point VPN’s IKEv1 endpoint, and the Arista/Chromium/Cisco flaws added to CISA KEV this week all follow the same pattern. Network access is sufficient. No credentials. No social engineering. The practical implication for security architecture is clear: any internet-facing enterprise application that doesn’t require authentication to reach critical functionality is a liability, not a convenience.
New Vulnerabilities & Patches
CVE-2026-35273 – Oracle PeopleSoft Environment Management RCE
Vendor: Oracle | Product: PeopleSoft Enterprise PeopleTools 8.61 / 8.62 | CVSS: 9.8 | Status: Actively exploited as zero-day (May 27–Jun 9); patch released Jun 10
Technical Impact
The flaw sits in PeopleSoft’s Environment Management Hub (PSEMHUB) component. Attackers exploited a gadget chain combining known and novel vulnerabilities to achieve unauthenticated remote code execution. Post-exploitation activity included lateral SSH movement using a hardcoded credential list, credential harvesting, data exfiltration compressed via zstd, and C2 communication routed through azurenetfiles[.]net, a domain chosen to pass cursory inspection as legitimate Azure NetApp Files traffic.
Business Impact
PeopleSoft is the system of record for HR, payroll, student administration, and supply chain operations at enterprises and universities globally. With over 100 organizations confirmed compromised and extortion campaigns already underway, this is an active incident for any organization still running unpatched PeopleTools 8.61 or 8.62.
CVE-2026-45657 – Windows Kernel Wormable RCE
Vendor: Microsoft | Product: Windows (multiple versions) | CVSS: 9.8 | Status: Patched June 10; no confirmed active exploitation
Technical Impact
A use-after-free vulnerability in the Windows Kernel’s TCP/IP stack. An unauthenticated remote attacker can execute arbitrary code at SYSTEM level without any user interaction. Microsoft’s classification of the flaw as potentially wormable under specific network configurations is the detail defenders need to act on immediately.
Business Impact
Wormable kernel vulnerabilities have historically led to some of the most damaging ransomware campaigns. This flaw is unpatched on every Windows system that hasn’t received the June cumulative update. The risk window is open right now.
CVE-2026-50751 – Check Point VPN IKEv1 Authentication Bypass
Vendor: Check Point | Product: Remote Access VPN / Mobile Access (IKEv1) | CVSS: 9.3 | Status: Actively exploited; Qilin ransomware affiliate confirmed
Technical Impact
A certificate validation logic flaw allows an attacker to establish a VPN session without a valid user password. The companion vulnerability CVE-2026-50752 (CVSS 7.4) introduces MitM risk on site-to-site connections. Dutch NCSC has warned of imminent large-scale automated exploitation following public disclosure.
Business Impact
VPN authentication bypass is a direct path to ransomware. The Qilin link isn’t theoretical; it’s a confirmed post-compromise case. Organizations running IKEv1-configured Check Point deployments should apply the hotfix and disable IKEv1 regardless of whether they believe they’ve been targeted.
CVE-2026-11645 – Google Chromium V8 Out-of-Bounds Read/Write (RCE)
Vendor: Google | Product: Chrome, Microsoft Edge, Opera, and all Chromium-based browsers | CVSS: High | Status: Actively exploited; CISA KEV addition June 9; federal deadline June 23
Technical Impact
An out-of-bounds read and write vulnerability in Chromium’s V8 JavaScript engine allows remote code execution inside the browser sandbox via a crafted HTML page. The exploit requires nothing from the user beyond visiting a malicious URL: no clicks, no downloads, no interaction beyond navigation.
Business Impact
Every employee with a browser is a potential victim. At the enterprise scale, browser-based RCE with no user interaction is one of the broadest attack surfaces that exists. Push Chrome and Edge updates now and validate that auto-update policies have reached all endpoints, including those not frequently docked to corporate networks.
CVE-2026-50507 – Windows BitLocker Security Feature Bypass (YellowKey)
Vendor: Microsoft | Product: Windows BitLocker | CVSS: Important | Status: Publicly disclosed before patch; patched June 10; no active exploitation confirmed
Technical Impact
An attacker with physical access to a device can bypass BitLocker’s full-disk encryption and access protected data without decryption credentials. Exploitation requires local physical access and an elevated privilege context.
Business Impact
BitLocker is widely deployed as a compliance control for data-at-rest protection on laptops and endpoints. This flaw undermines that control for lost or stolen devices, exactly the scenario BitLocker is meant to address. Organizations treating BitLocker as a regulatory checkbox for standards like ISO 27001 or HIPAA should apply the June update and verify patch status across their endpoint fleet.
PRIORITY ACTION: Two actions should happen today, not at the next change window. First: apply Oracle’s out-of-band patch for CVE-2026-35273 and block external access to PeopleSoft’s Environment Management Hub as an interim control while patching proceeds. Second: deploy Check Point’s hotfix for CVE-2026-50751 and disable IKEv1 if it isn’t operationally required. These are the two most actively exploited vulnerabilities of the week, with real victims already counted.

Ransomware Activity
Active Groups
Qilin (Agenda) is the group most directly in focus this week, with a confirmed affiliate implicated in post-compromise activity following a Check Point VPN intrusion. The group has been a consistent top-tier threat through 2026. Its Rust-based Qilin.B variant continues to be deployed for its speed and its ability to complicate static analysis, and the group operates across Windows, Linux ESXi, and Nutanix AHV environments, a cross-platform reach that makes it relevant to virtually any enterprise stack.
Two other groups posted new claims this week. Brain Cipher asserted an attack on regional Australian newspaper The Adviser, claiming 350 GB of stolen data with a ransom deadline that has since passed without public response from the target. SafePay listed Energy Action, an Australian energy management firm, with approximately 470 GB of alleged stolen data and screenshots published as proof of access. Neither victim has publicly confirmed or denied the claims.
Tactics & Trends
The headline number in ransomware right now is stability, not escalation. GuidePoint Research characterized Q1 2026 as “business as usual”: activity elevated well above pre-2024 baselines but not spiking. What’s shifting is the method, not the volume.
Ransomware operators are increasingly pursuing identity-first compromise. Instead of noisy exploitation, they’re going after credentials: harvesting browser session tokens, recruiting corporate insiders through native English-speaking intermediaries, and staging attacks through systems that don’t have E/XDR coverage. CrowdStrike documented cases where threat actors interacted with a single managed endpoint across a three-hour intrusion window and deliberately routed everything else through unmonitored infrastructure. The goal is to stay invisible as long as possible before detonating ransomware.
The AudiA6 takedown introduces genuine friction into that ecosystem. Groups relying on that service for cash-out now need alternatives, and finding reliable, fast, low-visibility alternatives takes time and creates exposure.
Law Enforcement
The pattern of multi-jurisdictional law enforcement action continues to produce results. Beyond AudiA6, Operation Ramz, running from October 2025 through February 2026 across 13 MENA-region countries, resulted in 201 arrests. Underground forums RAMP (January 2026) and LeakBase (March 2026) were both seized, reducing the infrastructure available to operators for advertising, coordination, and data publication. Each takedown individually is a setback. Cumulatively, they’re reshaping the operating environment for ransomware groups in meaningful ways.

Threat Intelligence
Active Campaigns
ShinyHunters (UNC6240) is the operationally dominant financially motivated threat actor this week by a significant margin. The PeopleSoft campaign is the visible surface, but the group’s underlying posture is broader. They maintain automated scanning capabilities across enterprise SaaS and ERP platforms, using SSH lateral movement scripts with hardcoded credential lists to propagate from initial access points to additional internal hosts.
C2 infrastructure confirmed this week: azurenetfiles[.]net, a domain constructed to resemble Azure NetApp Files and evade DNS blocklists relying on pattern matching. Mandiant’s advisory published June 11 includes specific IOCs defenders should load immediately.
Separately, China’s TA4922 was flagged this week by Dark Reading for expanding its cybercrime activity geographically. Technical details and confirmed victim information are still emerging from threat intelligence teams.
New Malware
OnyxC2 is a newly disclosed command-and-control framework that targets more than 200 applications and browser extensions. SecurityWeek reported on the framework June 11, noting that it evades detection through encrypted payloads, DLL sideloading, and fully in-memory execution, a combination designed to minimize on-disk artifacts that endpoint tools typically flag.
The scope of OnyxC2’s targeting is what elevates it beyond typical C2 frameworks. Browsers, credential managers, productivity tools: the goal appears to be deep credential harvesting across everything a compromised workstation touches. Attribution hasn’t been confirmed. Security teams should check threat intelligence feeds and update detection rules accordingly.
APT Activity
Iranian APT group Seedworm (also tracked as MuddyWater and Static Kitten) has maintained persistent access to the networks of multiple U.S. organizations since February 2026. Confirmed targets include a bank, an airport, a non-profit, and the Israeli operations of a U.S. software company. Activity has continued in recent weeks despite the disruption caused by regional military operations. The June 14 banking attack adds another data point to the escalation pattern and raises the realistic possibility of retaliatory campaigns against Western financial targets in the near term.
On the supply chain front, a developer-targeting campaign researchers have compared to the Shai-Hulud pattern continues to circulate. The approach is methodical: compromise developer credentials, then use those credentials to propagate infections upstream through software supply chains. Organizations with significant open-source dependencies or contractor developer populations should be running supply chain-aware threat hunting as a routine practice, not a periodic one.
CYBERINFOS TAKEAWAY: The Oracle PeopleSoft zero-day is the defining incident of this cybersecurity weekly report – not just for its scale, but for what it illustrates about how defenders and vendors are out of sync. ShinyHunters operated for 14 days against a vulnerability that Oracle hadn’t patched and hadn’t warned anyone about. The organizations that weathered that campaign were not the ones who waited for the advisory. They were the ones with network segmentation that made PSEMHUB unreachable from the internet, anomaly detection that flagged unusual outbound traffic, and threat hunting programs that weren’t calendar-driven. Vendor advisories confirm what happened. They do not prevent it.
Industry News
Regulations & Government
The 2026 FIFA World Cup is generating a steady stream of cybersecurity advisories from CISA, the NCSC, and allied agencies, and for good reason. High-profile sporting events create a concentration of targets: ticketing platforms, payment systems, broadcast infrastructure, hospitality networks, and the personal devices of hundreds of thousands of international visitors. The geopolitical backdrop (ongoing tensions involving multiple nations whose state-sponsored threat groups are currently active) makes this year’s tournament a more attractive target than most.
Organizations delivering technology services for World Cup operations, or those in adjacent sectors like travel and hospitality, should be actively threat hunting for reconnaissance activity, not waiting for an alert to fire.
CISA’s June 9 KEV additions – CVE-2026-7473 (Arista EOS), CVE-2026-11645 (Chrome V8), and CVE-2026-20245 (Cisco Catalyst SD-WAN Manager) – come with a June 23 remediation deadline for federal agencies. Non-federal organizations should treat these as the same priority: all three have confirmed in-the-wild exploitation.
Product Announcements & Research
A quiet but meaningful security change landed in the npm ecosystem this week. The npm install command will no longer execute scripts from package dependencies by default unless explicitly permitted. This directly addresses one of the most reliable techniques malicious package authors have used to run code on developer machines during routine package installation. Teams relying on postinstall scripts in their build pipelines need to audit and allowlist those packages explicitly; the change is live.
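One way to build the inventory that audit needs, as an added example (not npm's or this report's own code): walk an installed node_modules tree and list every package that runs code at install time, including the implicit node-gyp rebuild npm performs when a binding.gyp is present. The package names are constructed, and the `allowlist` argument is a local review list assumed for illustration, not an npm setting.

```python
"""Audit a node_modules tree for packages that run code at install time."""
import json
import os
import tempfile

INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def iter_packages(node_modules):
    """Yield (name, path) for every package, including scoped and nested ones."""
    for entry in sorted(os.listdir(node_modules)):
        path = os.path.join(node_modules, entry)
        if entry.startswith(".") or not os.path.isdir(path):
            continue  # skips .bin, .package-lock.json and stray files
        if entry.startswith("@"):  # scope directory: packages are one level down
            children = [(f"{entry}/{c}", os.path.join(path, c))
                        for c in sorted(os.listdir(path))]
        else:
            children = [(entry, path)]
        for name, pkg_path in children:
            if os.path.isfile(os.path.join(pkg_path, "package.json")):
                yield name, pkg_path
            nested = os.path.join(pkg_path, "node_modules")
            if os.path.isdir(nested):
                yield from iter_packages(nested)


def install_hooks(pkg_path):
    """Return the install-time scripts a package declares or implies."""
    try:
        with open(os.path.join(pkg_path, "package.json"), encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts") or {}
    except (OSError, ValueError, AttributeError):
        return {"manifest": "unreadable package.json, review by hand"}
    hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
    # npm defaults the install script to "node-gyp rebuild" when binding.gyp
    # exists and the package defines no install or preinstall script itself.
    has_gyp = os.path.exists(os.path.join(pkg_path, "binding.gyp"))
    if has_gyp and not {"install", "preinstall"} & hooks.keys():
        hooks["install"] = "node-gyp rebuild (implicit, binding.gyp present)"
    return hooks


def audit(node_modules, allowlist=frozenset()):
    """List packages with install-time code and whether each was reviewed."""
    report = []
    for name, path in iter_packages(node_modules):
        hooks = install_hooks(path)
        if hooks:
            report.append({"package": name, "hooks": hooks,
                           "allowlisted": name in allowlist})
    return report


def build_sample_tree(root):
    """Create a constructed node_modules tree (all package names hypothetical)."""
    nm = os.path.join(root, "node_modules")
    layout = {
        "left-padder": {"scripts": {"test": "node test.js"}},
        "@acme/telemetry": {"scripts": {"postinstall": "node collect.js"}},
        "native-thing": {},
        "native-thing/node_modules/inner-dep": {"scripts": {"preinstall": "sh setup.sh"}},
    }
    for rel, manifest in layout.items():
        pkg = os.path.join(nm, *rel.split("/"))
        os.makedirs(pkg, exist_ok=True)
        name = rel.rsplit("node_modules/", 1)[-1]
        with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, **manifest}, fh)
    open(os.path.join(nm, "native-thing", "binding.gyp"), "w").close()
    return nm


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit(build_sample_tree(tmp), allowlist={"native-thing"}):
            status = "reviewed" if row["allowlisted"] else "NEEDS REVIEW"
            print(f'{row["package"]:20} {status:13} {row["hooks"]}')
```

Run against a real project by passing its node_modules path to `audit()`; anything reported without a review entry is a package whose install step would otherwise change behaviour.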
The emerging research concern worth flagging: agentic AI systems handling enterprise email are being studied as a new class of phishing target. Autonomous agents with inbox access and the ability to take actions on behalf of users represent a high-value compromise target. A convincingly crafted message could cause an agent to exfiltrate credentials, forward sensitive data, or execute unintended workflows. This is early-stage research, but it’s the right time to think about access control boundaries for any AI agents deployed in production.
Upcoming Events
SecurityWeek’s Cloud Security Summit (July 15, virtual) and AI Risk Summit (August 11–12, in-person) are the major practitioner gatherings in the near term. Both are likely to surface significant product announcements in cloud detection engineering and AI security tooling, areas where vendor capabilities are moving faster than most security programs can evaluate.
Tool Updates
Open Source
Metasploit modules for both CVE-2026-35273 (Oracle PeopleSoft) and CVE-2026-50751 (Check Point VPN) are in active development within the security research community. That’s the expected trajectory after high-profile CVE disclosures, but the timeline between disclosure and weaponized PoC has been compressing. Red and purple team operators should watch those module releases; once they land, the gap between researcher access and attacker access narrows further.
The npm script execution policy change is already live and should be reflected in developer security documentation, CI/CD pipeline configurations, and secure coding guidelines this sprint.
Commercial Tools
Check Point’s BLAST platform, the vendor’s own agentic application security tooling, was deployed to investigate CVE-2026-50751 and, in doing so, uncovered the companion flaw CVE-2026-50752. That’s a useful data point for CISOs evaluating AI-assisted vulnerability analysis: in this case, the vendor’s own AI-powered review found a vulnerability the initial investigation hadn’t surfaced. It’s a credible use case for agentic security tooling, and a sign of where vendor-side vulnerability research is heading.
Google Chrome’s patch for CVE-2026-11645 was released the same day CISA added the flaw to the KEV catalog: June 9. That alignment is the ideal scenario. Still, browser auto-update policies are notoriously inconsistent in enterprise environments, particularly for endpoints that infrequently connect to corporate networks. Validate actual patch uptake, not just policy configuration.
Detection Content
For organizations hunting for signs of CVE-2026-35273 exploitation in Oracle PeopleSoft environments:
- Monitor for outbound SMB traffic on port 445 from PeopleSoft hosts to external IP addresses – this is a known step in the exploit chain’s NetNTLM hash capture mechanism
- Check for unexpected SSH connections from PSEMHUB endpoints to internal hosts not listed in normal operations
- Search PeopleSoft directories for the marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT, which the attack script drops post-compromise
- Review for zstd-compressed outbound data transfers from PeopleSoft hosts
Confirmed attacker-controlled IPs from the ShinyHunters campaign:
- 142.11.200[.]186–190
- 108.174.202[.]99
- 176.120.22[.]24
Block these at the perimeter and search historical logs for connections, particularly for the window May 27 to June 9.
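The hunts above, written out as an added example (not Mandiant's or this report's own tooling): it checks flow records for the listed IPs, outbound SMB and unexpected SSH from PeopleSoft hosts, flags whether each hit falls in the May 27 to June 9 window, matches the C2 domain in DNS names, and searches a directory tree for the marker file. The CSV log layout, host addresses, SSH allowlist and sample records are assumptions constructed for illustration.

```python
"""Hunt flow logs, DNS names and disk for the PeopleSoft campaign indicators."""
import csv
import io
import ipaddress
import os
from datetime import datetime, timezone

# Indicators listed in this report, refanged for matching. The report's
# "142.11.200[.]186–190" is read here as .186 through .190 inclusive.
ATTACKER_IPS = {ipaddress.ip_address(f"142.11.200.{n}") for n in range(186, 191)}
ATTACKER_IPS |= {ipaddress.ip_address(a) for a in ("108.174.202.99", "176.120.22.24")}
C2_DOMAIN = "azurenetfiles.net"
MARKER_FILE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)  # exclusive, so June 9 is covered

# Assumptions (hypothetical values; replace with your own inventory).
PEOPLESOFT_HOSTS = {ipaddress.ip_address("10.20.0.11")}
SSH_ALLOWLIST = {ipaddress.ip_address("10.20.0.5")}  # peers normally reached over SSH
# Explicit ranges: ipaddress.is_private also covers documentation networks,
# which would hide the 203.0.113.0/24 sample record below.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records in UTC (not real telemetry).
SAMPLE_FLOWS = """\
ts,src,dst,dst_port
2026-05-28T02:14:07Z,10.20.0.11,142.11.200.188,445
2026-05-28T02:15:40Z,10.20.0.11,10.20.0.5,22
2026-05-28T02:16:02Z,10.20.0.11,10.30.4.17,22
2026-06-03T11:00:00Z,10.20.0.11,108.174.202.99,443
2026-06-12T09:30:00Z,10.20.0.11,203.0.113.50,445
2026-06-12T09:31:00Z,10.20.0.44,10.30.4.17,22
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def hunt_flows(log_text):
    """Return one finding per (record, rule) match, in log order."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        port = int(row["dst_port"])
        rules = []
        if src in ATTACKER_IPS or dst in ATTACKER_IPS:
            rules.append("attacker-ip")
        if src in PEOPLESOFT_HOSTS:
            if port == 445 and not is_internal(dst):
                rules.append("outbound-smb")      # NetNTLM capture step
            if port == 22 and is_internal(dst) and dst not in SSH_ALLOWLIST:
                rules.append("unexpected-ssh")    # lateral movement
        for rule in rules:
            findings.append({"rule": rule, "ts": row["ts"], "src": str(src),
                             "dst": str(dst),
                             "in_window": WINDOW_START <= ts < WINDOW_END})
    return findings


def matches_c2(qname):
    """True for the C2 domain or any subdomain; rejects lookalike suffixes."""
    name = qname.rstrip(".").lower()
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def find_marker(root):
    """Return paths under root whose file name is the dropped marker file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files if f.upper() == MARKER_FILE]
    return sorted(hits)


if __name__ == "__main__":
    for f in hunt_flows(SAMPLE_FLOWS):
        when = "in window" if f["in_window"] else "outside window"
        print(f'{f["ts"]} {f["rule"]:15} {f["src"]} -> {f["dst"]} ({when})')
```

Hits outside the window are kept and labelled instead of dropped, since outbound SMB from a PeopleSoft host to an external address is worth a look whenever it occurs.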
Looking Ahead – Week of June 15, 2026
Immediate Priorities
The 72-hour window after this report publishes is critical. Dutch NCSC has warned that mass automated scanning for the Check Point VPN vulnerability is either underway or imminent. Any organization that hasn’t applied the hotfix for CVE-2026-50751 should treat this as an active incident response situation, not a scheduled patching task.
Organizations that did patch PeopleSoft or the Check Point VPN during the week of June 8–14 should also run post-patch log reviews. Patching stops future exploitation; it doesn’t tell you whether exploitation occurred before the patch landed. Assume the worst and verify.
Expected Developments
The Iranian banking attack is the story to monitor most closely. Attribution is unconfirmed, technical details are still emerging, and the geopolitical context makes it likely to generate follow-on activity. Financial sector SOC teams should increase their monitoring frequency for the next week and watch for indicators linked to Seedworm, Handala, and other Iranian-adjacent threat groups.
The AudiA6 dismantlement will have a tail. Ransomware groups that relied on that service need replacement infrastructure, and the dark web economy will respond to that demand. Threat intelligence teams should monitor underground forums for new mixer and layering service advertisements in the coming weeks; those will be early signals of where the ransomware cash-out ecosystem reassembles.
Patch Priorities for the Coming Week
- Oracle PeopleSoft CVE-2026-35273 – Emergency patch if not already applied; block PSEMHUB external access immediately
- Microsoft June cumulative update – Prioritize CVE-2026-45657 (wormable kernel RCE) and CVE-2026-44801 (critical RDP RCE)
- Check Point VPN CVE-2026-50751 – Apply hotfix now; disable IKEv1 if not operationally required
- Chrome/Edge – Verify CVE-2026-11645 patch has reached all endpoints, including remote workers
- CISA KEV deadline June 23 – Arista EOS, Chrome V8, Cisco SD-WAN Manager: federal agencies must act before deadline; others should treat it the same way
World Cup Cyber Risk Period
The 2026 FIFA World Cup is underway. For the duration of the tournament, organizations in hospitality, travel, payments, telecommunications, and broadcast should anticipate elevated phishing, credential theft, and infrastructure probing – both from financially motivated actors and hacktivists drawn to the event’s global profile. The threat isn’t speculative; past major sporting events have seen documented spikes. This year’s tournament runs against a more complex geopolitical backdrop than most.
PRIORITY ACTION: The WATCH item for the coming week is the Oracle PeopleSoft zero-day aftermath. Mandiant confirmed 100+ compromised organizations, but ShinyHunters has stated it is actively continuing outreach to victims, meaning the full breach count will grow. If your organization appeared on Mandiant’s notification list but hasn’t confirmed active compromise, that is not reassurance. It means the triage hasn’t finished. Conduct forensic review of PeopleSoft logs for May 27 through June 9, search for the IOCs listed in this report, and operate on the assumption of access until the investigation proves otherwise.
By The Numbers
All figures sourced from verified public reporting as of June 14, 2026.
| Metric | Data |
|---|---|
| Major CVEs Tracked This Week | 5 highlighted (incl. Microsoft Patch Tuesday 206-vulnerability release) |
| CISA KEV Additions (Jun 9) | 3 new entries: CVE-2026-7473 (Arista), CVE-2026-11645 (Chrome V8), CVE-2026-20245 (Cisco SD-WAN) |
| Microsoft June 2026 Patch Tuesday | 206 vulnerabilities patched — largest in Patch Tuesday history |
| Oracle PeopleSoft Breach (CVE-2026-35273) | 100+ organizations compromised; 300+ instances; 68% higher education |
| University of Nottingham Breach | ~454,600 current/former student records leaked |
| AudiA6 Crypto Laundering Takedown | €336M (~$389M) laundered since 2021; 2 arrested, 25 domains seized |
| Iranian Bank Cyberattack (Jun 14) | 4 major Iranian banks disrupted; developing story |
| Check Point VPN CVE-2026-50751 | CVSS 9.3; IKEv1 authentication bypass; Qilin ransomware linked |
| Ransomware Activity | Qilin, Brain Cipher, SafePay active; identity-first compromise tactics rising |
