Cyber Threat Brief — July 14 2026

⚠️ This report is AI-generated. Always validate findings.

1. Oracle PeopleSoft Second Pre-Auth RCE — CVE-2026-35278

TL;DR: Oracle’s July 15 CPU patches CVE-2026-35278 (CVSS 9.8), a second pre-auth RCE in PeopleSoft PeopleTools chained with already-exploited CVE-2026-35273. ShinyHunters have compromised 300+ instances across 100+ orgs, predominantly higher education.

What’s New:

  • CVE-2026-35278 patches in July 2026 CPU alongside 5 CRITICAL Oracle CVEs (WebLogic CVE-2026-35263 CVSS 9.9, Identity Manager CVE-2026-35268 CVSS 9.9, WebCenter CVE-2026-35270/35280/35281 CVSS 9.1-9.9)
  • ShinyHunters chaining CVE-2026-35273 + CVE-2026-35278 for full unauthenticated RCE to data exfil pipeline
  • Post-exploitation: MeshCentral C2 via azurenetfiles[.]net, SSH spray fanout script, HR/payroll/PII theft
  • Mandiant/GTIG confirmed exploitation May 27–June 9 (zero-day window before June 10 advisory)
  • Victim marker file README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT dropped in PeopleSoft directories

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
142.11.200[.]186-190Attacker IPsT1190Firewall/WAFBlock
108.174.202[.]99Attacker IPT1190Firewall/WAFBlock
176.120.22[.]24Attacker IPT1190Firewall/WAFBlock
azurenetfiles[.]netC2 domainT1071.001DNS/ProxyBlock
wss://azurenetfiles.net:443/agent.ashxMeshCentral C2T1219Proxy/NDRBlock+Hunt
/PSIGW/HttpListeningConnectorExploit URIT1190WAF/IIS logsHunt
[victim]_fanout.shLateral movement scriptT1021.004EDR/SysmonHunt
README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXTCompromise markerT1036File integrityHunt
Port 445 outbound from PeopleSoft hostsNetNTLM coercionT1187FirewallAlert

Detection

SourceRuleGap
Splunk ESCUWeb or Application Server Spawning a Shell (generic)No PeopleSoft-specific PSIGW exploit rule
ElasticWeb Shell Detection: Script Process Child of Common Web ProcessesNo PeopleSoft-specific coverage
Sigmawebshell_detection_file_creation.yml (generic)No MeshCentral C2 detection

Sources: Oracle July 2026 CPU Advisory · GTIG/Mandiant ShinyHunters Blog · Arctic Wolf Advisory · Threat-Modeling.com Analysis

2. Microsoft Patch Tuesday July 14 — 127 CVEs, Wormable NEGOEX RCE, Kerberos RC4 Enforcement

TL;DR: Today’s Patch Tuesday drops 127 CVEs. Priority-one is CVE-2025-47981 (CVSS 9.8), a wormable heap overflow in SPNEGO NEGOEX reachable via SMB/RDP/HTTP without auth. Kerberos RC4 Phase 2 enforcement also activates today — systems still using RC4 will fail to authenticate.

What’s New:

  • CVE-2025-47981 (NEGOEX): wormable, no auth, no interaction, targets SMB 445/RDP 3389/HTTP 80,443 — 2 public PoCs on GitHub
  • 127 CVEs total (normalization from June’s 200, still above pre-2026 monthly average)
  • Kerberos RC4 hardening Phase 2 enforced today — RC4-only clients/apps will break
  • Nightmare Eclipse threatened “bone-shattering” exploit dump on July 14 (not formally canceled)
  • GodDamn ransomware (covered July 10) and DragonForce actively exploiting prior month’s CVEs

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
CVE-2025-47981 (NEGOEX)Wormable RCET1210Windows Update/WSUSPatch immediately
SMB 445, RDP 3389, HTTP 80/443Attack surfaceT1190FirewallRestrict internet-facing
Event ID 4771/4772Kerberos auth failureT1558Security event logMonitor for RC4 breakage
Event ID 4649RC4 usage indicatorT1558Security event logIdentify non-compliant systems

Detection

SourceRuleGap
Splunk ESCUNone for NEGOEX-specific exploitationNeed NEGOEX malformed packet / SPNEGO anomaly rule
ElasticNone specificNeed worm propagation detection via SMB 445 + NEGOEX
SigmaNone specificNo coverage for CVE-2025-47981 exploitation indicators

Sources: Microsoft MSRC July 2026 · byteiota Analysis · Zecurit Patch Tuesday Breakdown · Help Net Security Forecast

3. GhostCommit — Prompt Injection via PNG Targets AI Coding Agents

TL;DR: UMKC researchers disclosed GhostCommit (July 11-12), a technique hiding prompt injection inside PNG images referenced from README/AGENTS.md files. Cursor and Antigravity agents exfiltrated .env secrets as integer tuples in code commits. Claude Code refused the injection under all tested models.

What’s New:

  • Malicious instructions rendered as text inside PNG, invisible to human reviewers and conventional scanners
  • AGENTS.md convention file instructs coding agent to “derive a build constant” from the image
  • Exfiltrated secrets encoded as 311-integer tuple embedded in routine-looking code review commits
  • Tested successfully against Sonnet, Gemini, GPT-5.5 running in Cursor and Antigravity
  • No CVE assigned; technique is model/tool-agnostic

Actionable Intel

ArtifactTypeATT&CKLog SourceAction
AGENTS.md referencing PNG filesTrigger fileT1059.006Git repo auditHunt in repos
Large integer tuples in commitsExfil payloadT1048.003Code review / CIFlag anomalous code patterns
.env file reads by AI agentsCredential accessT1552.001EDR / process monitorAlert on unexpected .env access
PNG files with embedded text instructionsPayload carrierT1027.006File inspectionScan repo images for text content

Detection

SourceRuleGap
Splunk ESCUNoneNo AI agent activity monitoring rules
ElasticNoneNo coverage for AI agent credential exfiltration
SigmaNoneNo rules for AGENTS.md-triggered exfiltration patterns

Sources: BleepingComputer · CybersecurityNews


Status Updates

  • CVE-2026-35273 (PeopleSoft): Second RCE CVE-2026-35278 now patched in Oracle July CPU; ShinyHunters exploitation expanded to 300+ instances. Original brief.
  • CVE-2026-50656 (RoguePlanet/Defender): PATCHED July 9 in Malware Protection Engine 1.1.26060.3008. Auto-updates. Original brief.
  • CVE-2026-48939 (iCagenda) / CVE-2026-56291 (Balbooa Forms): Federal CISA KEV deadline passed July 13. Active exploitation ongoing. Original brief.
  • jscrambler npm supply chain: No new IOCs since July 13 initial coverage. Clean version 8.22.0 available. Original brief.