Cyber Threat Brief — June 12 2026

⚠️ This report is AI-generated. Always validate findings.

1. ShinyHunters Oracle PeopleSoft Zero-Day RCE — CVE-2026-35273

TL;DR: CVSS 9.8 unauth RCE in PeopleSoft Environment Management Hub exploited as zero-day by ShinyHunters (UNC6240) from May 27–June 9; 100+ orgs notified, 68% higher education. Mandiant/GTIG published full IOC set June 11.

What’s New:

  • Mandiant blog June 11 details complete campaign: exploitation of /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints for RCE
  • MeshCentral agents (meshagent64-azure-ops.exe) hardcoded to C2 wss://azurenetfiles[.]net:443/agent.ashx
  • Lateral movement via [victim]_fanout.sh — SSH credential spray from /etc/hosts, drops README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT
  • Data exfil compressed with zstd, SSH’d to ShinyHunters DLS at 176.120.22[.]24
  • Oracle advisory released June 10 — this was a zero-day the entire exploitation window

Actionable Intel

Artifact | Type | ATT&CK | Log Source | Action
142.11.200.186–190 | IP (staging) | T1583.003 | Firewall/proxy | Block
azurenetfiles[.]net | Domain (C2) | T1071.001 | DNS/proxy | Block
176.120.22[.]24 | IP (exfil/DLS) | T1041 | Firewall/NetFlow | Block
POST /PSEMHUB/hub from external IP | HTTP request | T1190 | WAF/WebLogic access log | Alert
POST /PSIGW/HttpListeningConnector from external IP | HTTP request | T1190 | WAF/WebLogic access log | Alert
meshagent64-azure-ops.exe f02a924c9ff9... | SHA-256 | T1219 | EDR | Block
meshagent32-azure-ops.exe c7e9332731b0... | SHA-256 | T1219 | EDR | Block
.bash_history 2ab684d93c15... | SHA-256 | T1059.004 | Forensic | Hunt
.jsp files under PSEMHUB.war/ not shipped | Webshell | T1505.003 | FIM | Alert
Outbound SMB (TCP 445) from PeopleSoft hosts | Network | T1187 | Firewall/NetFlow | Alert
README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | Filename | T1491.001 | FIM | Alert

Detection

Source | Rule | Gap
Splunk ESCU | Web or Application Server Spawning a Shell (generic) | Need PeopleSoft-specific /PSEMHUB/hub POST detection rule
Elastic | Web Shell Detection: Script Process Child (generic) | No PeopleSoft PSEMHUB-specific rule
Sigma | webshell_detection_file_creation.yml (generic) | Need .jsp creation under PSEMHUB.war/ path filter

Sources: Mandiant/GTIG blog, Oracle advisory, The Hacker News


2. Ivanti Sentry Pre-Auth Root RCE — CVE-2026-10520

TL;DR: CVSS 10.0 unauth OS command injection in Ivanti Sentry’s /mics/api/v2/sentry/mics-config/handleMessage endpoint gives root RCE. CISA KEV added June 11, federal deadline June 14. WatchTowr PoC and detection script public; Shadowserver confirms exploitation post-patch.

What’s New:

  • WatchTowr published full technical analysis and PoC June 10 — XML commandexec payload to unauthenticated API endpoint
  • Companion CVE-2026-10523 (auth bypass to create admin accounts) patched same release
  • Shadowserver found many internet-exposed Sentry gateways already backdoored
  • Compromising Sentry exposes credentials, session tokens, and allows impersonation of legitimate users accessing internal apps/email
  • Affects versions 10.5.1, 10.6.1, 10.7.0 and prior; fixed in 10.5.2, 10.6.2, 10.7.1

Actionable Intel

Artifact | Type | ATT&CK | Log Source | Action
POST /mics/api/v2/sentry/mics-config/handleMessage from external | HTTP request | T1190 | WAF/reverse proxy | Block external access
XML commandexec payload in request body | Request body | T1059 | WAF deep inspection | Alert
Unexpected shell processes spawned by Sentry Java process | Process chain | T1059.004 | EDR/Sysmon | Alert
WatchTowr detection script: GitHub | Scanner | - | Manual | Scan

Detection

Source | Rule | Gap
Splunk ESCU | None | No Ivanti Sentry-specific detection; need handleMessage endpoint monitoring
Elastic | Web Shell Detection: Script Process Child (generic) | No Sentry-specific rule
Sigma | None | Need Sentry API command injection detection rule

Sources: WatchTowr analysis, CISA KEV, Help Net Security, Rapid7


3. Windows HTTP.sys RCE — CVE-2026-47291

TL;DR: CVSS 9.8 integer overflow in HTTP.sys kernel driver enables unauth RCE against IIS, WinRM, and any HTTP Server API consumer. Patched June 10. Systems using default MaxRequestBytes are NOT affected — verify with Microsoft’s PowerShell script.

What’s New:

  • Patched in June 10 Patch Tuesday (record 208 CVEs)
  • Integer overflow + heap buffer overflow in kernel-mode HTTP protocol stack — no user interaction required
  • Microsoft rates Exploitation More Likely
  • Default MaxRequestBytes registry value mitigates; non-default configurations are vulnerable
  • No PoC or ITW exploitation yet, but HTTP.sys has strong exploitation history (CVE-2015-1635, CVE-2021-31166, CVE-2022-21907)
  • Also noteworthy: CVE-2026-44815 (CVSS 9.8 DHCP Client RCE stack overflow) patched same day — rogue DHCP server triggers code execution

Actionable Intel

Artifact | Type | ATT&CK | Log Source | Action
Non-default MaxRequestBytes registry value | Config | T1190 | Registry audit | Verify/remediate
HTTP.sys crash events (HTTP EID 1/15) | Service crash | T1499 | Windows Event Log | Hunt
Unusual svchost children after HTTP.sys processing | Process chain | T1190 | Sysmon EID 1 | Alert

Detection

Source | Rule | Gap
Splunk ESCU | None | No HTTP.sys integer overflow detection; need registry baseline for MaxRequestBytes
Elastic | None | No HTTP.sys-specific rule
Sigma | None | Need HTTP.sys crash/exploitation detection rule
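The registry baseline the Splunk gap asks for can be built from `reg query` output collected across the fleet. The following added example (not Microsoft's verification script) parses that output and classifies each host; it assumes the HTTP.sys tuning values live under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters, that the built-in default for MaxRequestBytes is 16384 when the value is absent, and that a value explicitly set to 16384 counts as default. Sample output is constructed.

```python
"""Classify hosts by their HTTP.sys MaxRequestBytes setting from `reg query` output.
Assumptions (not taken from the brief): key path below, built-in default 16384."""
import re

HTTP_PARAMS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters"
DEFAULT_MAX_REQUEST_BYTES = 16384  # assumed default when the value is absent

# `reg query` prints each value as: <4 spaces>Name<4 spaces>REG_TYPE<4 spaces>Data
VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>\S+)\s*$")

def parse_reg_query(output: str) -> dict:
    """Return {value_name: int} for DWORD/QWORD values found under the HTTP Parameters key."""
    values = {}
    in_key = False
    for line in output.splitlines():
        if line.strip().lower() == HTTP_PARAMS_KEY.lower():
            in_key = True
            continue
        if line and not line[0].isspace():  # another key header or trailer ends the block
            in_key = False
            continue
        m = VALUE_RE.match(line)
        if in_key and m and m["type"] in ("REG_DWORD", "REG_QWORD"):
            values[m["name"]] = int(m["data"], 16)  # reg query prints 0x-prefixed hex
    return values

def classify(values: dict) -> str:
    """Apply the brief's rule: default value is not affected, anything else is vulnerable."""
    v = values.get("MaxRequestBytes")
    if v is None or v == DEFAULT_MAX_REQUEST_BYTES:
        return "default: not affected per advisory, confirm June 10 patch level anyway"
    return f"non-default MaxRequestBytes={v}: treat as vulnerable, patch immediately"

def assess_fleet(samples: dict) -> dict:
    """Map host name to verdict for a dict of {host: reg query output}."""
    return {host: classify(parse_reg_query(out)) for host, out in samples.items()}

# Constructed `reg query` output for three hypothetical hosts.
SAMPLES = {
    "web01": HTTP_PARAMS_KEY + "\n",  # key present, value never set
    "web02": HTTP_PARAMS_KEY + "\n    MaxRequestBytes    REG_DWORD    0x4000\n",
    "web03": HTTP_PARAMS_KEY + "\n    MaxFieldLength    REG_DWORD    0xfffe\n"
             "    MaxRequestBytes    REG_DWORD    0x1000000\n",
}

if __name__ == "__main__":
    for host, verdict in assess_fleet(SAMPLES).items():
        print(host, verdict)
```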

Sources: ZDI June 2026 review, threat-modeling.com, CrowdStrike Patch Tuesday, Talos


Status Updates

  • CVE-2026-42897 (Exchange OWA XSS): Permanent patch delivered June 10 Patch Tuesday. CISA KEV deadline July 1. Apply SU immediately. Original brief.
  • CVE-2026-47281 (RoguePlanet Defender LPE): Still UNPATCHED zero-day. Defender definition 1.453.20.0 detects compiled PoC but recompilation bypasses. CVE-2026-41091 (RedSun) patched June 10. Original brief.
  • CVE-2026-10520 (Ivanti Sentry): See full section above — escalated from advisory to CISA KEV with confirmed exploitation.
  • CVE-2026-35616 (FortiClient EMS): Arctic Wolf EKZ Infostealer campaign ongoing. No new IOCs since May 31. Original brief.