Daily Threat Intelligence Brief - June 18, 2026

The Operator's Take

The story today is not any single CVE. It is the collapse of the gap that defenders rely on. Oracle PeopleSoft (CVE-2026-35273) was exploited in the wild between May 27 and June 9, roughly two weeks before Oracle published an advisory, which means the patch SLA for this one was negative: you were owned before you knew there was a bug. The crew running it, UNC6240 / ShinyHunters, is the same financially motivated group behind the Council of Europe and DentaQuest extortions, and it is operating a critical unauthenticated zero-day at the speed and discipline that used to belong only to nation-states. The 2026 breakout benchmark is 72 minutes from foothold to exfiltration. Treat criminal and APT as one tier now, because the tooling no longer distinguishes them.

The non-obvious connection runs into the AI layer. The same week ShinyHunters was harvesting PeopleSoft identity stores, OWASP published evidence that prompt injection is not a bug anyone is patching, and an autonomous bot named hackerbot-claw demonstrated the endgame: it stole a publishing token and pushed backdoored LiteLLM packages to 47,000 downstream pulls with no human at the keyboard. Identity-system zero-days and agent supply-chain attacks are the same play aimed at the two places you store the most trust.

What a defender should do differently this week: stop measuring yourself against patch cadence and start measuring against detection on the exploitation path. Hunt PeopleSoft EMHub and Cisco SD-WAN Manager for post-exploitation now, not after the next maintenance window. Then inventory every AI agent you run and ask which ones satisfy the lethal trifecta of private data, untrusted input, and network egress. Any that do are already a breach waiting for a prompt.

Executive Summary

Oracle PeopleSoft CVE-2026-35273 (CVSS 9.8, SSRF leading to RCE) was exploited as a zero-day before disclosure. UNC6240 / ShinyHunters hit 100+ organizations, 68% of them in US higher education. Now in CISA KEV. Rapid7
Cisco Catalyst SD-WAN Manager CVE-2026-20245 is the 7th Cisco SD-WAN zero-day of 2026, granting root via crafted file upload, with no patch at initial disclosure. Added to CISA KEV. SecurityWeek
Microsoft June Patch Tuesday fixed a record 206 flaws including 37 Critical and an actively exploited Exchange Server bug (CVE-2026-42897). BleepingComputer
Android CVE-2025-48595, an Android Framework integer overflow enabling privilege escalation, is under limited targeted exploitation and has been added to CISA KEV. CyberInsider
OWASP published State of Agentic AI Security and Governance v2.01 on June 11, shifting from cataloging plausible threats to cataloging real CVEs, advisories, and breaches across agentic risk categories. Help Net Security
Prompt injection remains OWASP's number one LLM vulnerability, present in 73% of production AI deployments, with attacks up 340% year over year. Kunal Ganglani
ShinyHunters dominated the extortion landscape, claiming the Council of Europe and leaking DentaQuest data affecting an assessed 2.6 million accounts. SharkStriker
Novo Nordisk disclosed unauthorized access to internal IT systems on June 11, including patient personal data. SharkStriker
CISA added multiple entries to KEV this month, including Arista EOS (CVE-2026-7473), Chromium V8 (CVE-2026-11645), and the Cisco SD-WAN flaw, under directive BOD 26-04. CISA

Critical Vulnerabilities

CVE-2026-35273: Oracle PeopleSoft PeopleTools EMHub (CVSS 9.8)

A server-side request forgery flaw (CWE-918) in the Updates Environment Management component of PeopleSoft Enterprise PeopleTools, remotely exploitable without authentication, chained to remote code execution. Oracle published an out-of-band security alert on June 10. According to Mandiant, this was exploited in the wild as a zero-day between May 27 and June 9, predating the advisory by roughly two weeks. The threat group UNC6240 (ShinyHunters) ran the campaign against 100+ organizations, with 68% in US higher education, and the University of Nottingham was among those named. Now listed in CISA KEV.

Status: Actively exploited, patch available via Oracle out-of-band alert.
Action: Apply the Oracle alert immediately, then hunt EMHub access logs for SSRF callbacks and unexpected outbound requests dating back to late May.
Source: Oracle Security Alert, Help Net Security, SOCRadar

CVE-2026-20245: Cisco Catalyst SD-WAN Manager (CVSS 7.8)

An improper encoding flaw in Cisco Catalyst SD-WAN Manager, Controller, and Validator that allows arbitrary command execution as root through a crafted file upload. This is the 7th Cisco SD-WAN product zero-day exploited in the wild in 2026, affecting all deployment types including FedRAMP environments. Cisco PSIRT learned of exploitation in June and rushed disclosure ahead of a full patch. Added to CISA KEV.

Status: Actively exploited, no patch at initial disclosure. Check Cisco advisory for fixed releases.
Action: Restrict management-plane access, monitor for unexpected file uploads to SD-WAN Manager, and review for root-level command execution.
Source: Cisco Security Advisory, Help Net Security

CVE-2026-42897: Microsoft Exchange Server Spoofing (Actively Exploited)

An actively exploited Exchange Server spoofing flaw that lets an attacker execute arbitrary JavaScript in a target's browser via a specially crafted email, in cross-site scripting attacks against Outlook Web Access users. Microsoft revised the earlier May entry to point at the June security update with a recommendation to install as soon as possible.

Status: Actively exploited, patch available in June update.
Action: Patch on-premises Exchange now. Review OWA for unexpected script execution and audit mailbox rules.
Source: BleepingComputer, CrowdStrike

CVE-2026-48579: Microsoft Exchange Online Information Disclosure (CVSS 9.1)

A critical improper authorization flaw in Microsoft Exchange Online that allows unauthenticated remote attackers to disclose sensitive information over the network with no user interaction and low attack complexity. Microsoft remediated this within its cloud infrastructure without requiring customer action.

Status: Remediated by Microsoft in the cloud, no customer action required.
Action: No patch step. Note the pattern: cloud identity surfaces are now critical-severity targets.
Source: Cybersecurity News

CVE-2025-48595: Android Framework Privilege Escalation

An integer overflow vulnerability in the Android Framework that allows a local attacker to escalate privileges without user interaction. Google reported indications of limited, targeted exploitation. It affects Android 14, 15, 16, and 16 QPR2 and was fixed in the 2026-06-05 patch level. Added to CISA KEV. Google did not attribute the activity, leaving spyware-vendor involvement an open question.

Status: Actively exploited in targeted attacks, patch available.
Action: Push the 2026-06-05 patch level to managed fleets, prioritize high-risk and executive devices, and keep Play Protect enabled.
Source: BleepingComputer, The Cyber Express

CVE-2026-35568: MCP Java SDK Prompt Injection via Tool Poisoning (ContextCrush)

A vulnerability in the Model Context Protocol Java SDK, published April 7 as GHSA-8jxr-pr72-r468, originally discovered by Noma Labs as ContextCrush and disclosed March 5. Research showed an MCP server can act as a delivery lane for attacker-controlled instructions even when the server exposes only narrow, read-only tools. This sits at the center of MCP security concerns and is detailed in the AI section below.

Status: Patched by Upstash. SDK consumers should update.
Action: Pin and update MCP SDK versions, treat all tool metadata as untrusted input, and validate server-supplied tool descriptions.
Source: arXiv 2603.22489, authzed MCP breach timeline

Additional KEV Additions This Month

CISA added several more actively exploited flaws under directive BOD 26-04, including CVE-2026-7473 (Arista Extensible Operating System), CVE-2026-11645 (Google Chromium V8), and CVE-2026-45586 (Windows Collaborative Translation Framework elevation of privilege, suspected to address the GreenPlasma exploit released by Chaotic Eclipse).

Source: CISA KEV additions June 9, Help Net Security RoguePlanet

AI Security Threats

The AI security story this month moved from theory to incident accounting. OWASP's State of Agentic AI Security and Governance v2.01, released June 11, marks the change directly: where the 2025 edition cataloged plausible threats, the 2026 edition catalogs real CVEs, vendor advisories, and breach reports tied to nearly every category of agentic risk. The threats are no longer hypothetical, and the metrics back that up.

Prompt injection is now industrialized, not patched

Prompt injection remains OWASP's number one LLM vulnerability for 2026. Recent audits place it in 73% of production AI deployments, and OWASP's 2026 LLM Security Report records a 340% year-over-year surge in prompt injection attacks. The framing from researchers this month is that prompt injection may be a permanent property of how language models read instructions, not a defect that ships a fix. With agentic systems, a single manipulated output can hijack an agent's planning loop, trigger privileged tool calls, persist malicious instructions in memory, and propagate across connected systems. This is why agentic red teaming has to test the full tool and memory chain, not just the prompt boundary.

Source: TechTimes, Christian Schneider

The lethal trifecta is the default deployment state

The lethal trifecta, articulated by Simon Willison and formalized by Palo Alto Networks in 2026, describes an agent skill that simultaneously holds three properties: access to private data such as SSH keys, API credentials, and wallet or browser data; exposure to untrusted content such as skill instructions, memory files, and emails; and the ability to communicate externally through network egress, webhook calls, or shell commands. The hard part is the finding that most production agent deployments today satisfy all three at once. Any agent in that state should be treated as one well-placed instruction away from exfiltration.

Source: Cloud Security Alliance, Airia

hackerbot-claw: an autonomous attack bot in the supply chain

The clearest demonstration of where this leads is the LiteLLM incident. A backdoor sat on PyPI for roughly three hours in March 2026 and pulled nearly 47,000 downloads. LiteLLM serves as the language-model gateway for CrewAI, DSPy, Microsoft GraphRAG, and dozens of other agent frameworks, so the blast radius was the agent ecosystem itself. An autonomous bot named hackerbot-claw, self-described as powered by a frontier model, harvested LiteLLM's PyPI publishing token through a compromised Trivy GitHub Actions setup at Aqua Security, then pushed two backdoored versions of LiteLLM directly to PyPI with no human direction after launch. This is the supply-chain attack and the autonomous-agent threat collapsing into a single event.

Source: Help Net Security OWASP

MCP tool poisoning as a delivery lane

Tool poisoning attacks manipulate the metadata, descriptions, and registered preferences of tools served by MCP servers. Because clients receive tool definitions from servers and pass them straight to the model for decision-making, poisoned metadata becomes a path to manipulate the agent. The ContextCrush research (CVE-2026-35568) showed an MCP server delivering attacker-controlled instructions even while exposing only narrow read-only tools. The NSA has published guidance on MCP security, and the defensive direction is layered: static metadata analysis, model decision-path tracking, behavioral anomaly detection, and user-facing transparency on what tools are doing.

Source: Practical DevSecOps, NSA MCP Security CSI

Threat Actor Activity

UNC6240 / ShinyHunters is the standout actor this period. Beyond the PeopleSoft zero-day campaign against 100+ organizations, the group claimed a ransomware-style attack on the Council of Europe and leaked DentaQuest data affecting an assessed 2.6 million accounts. The operating model is financially motivated extortion executed with zero-day access, the kind of capability that used to mark a state program.

Chinese APT activity continued at scale. Reporting indicates Chinese groups breached 50+ telecoms across 42 countries in early 2026, and a previously undocumented Chinese nation-state actor has been targeting government agencies, embassies, and military operations across Africa, the Middle East, and Asia. The objective profile is long-dwell espionage and pre-positioning in critical infrastructure.

Iranian APT Screening Serpens remained active, with a MiniJunk V2 sample surfacing against a Middle East entity in February and a follow-on campaign in March that may have targeted a US entity, per Unit 42 tracking.

The throughline is speed and convergence. The 2026 benchmark for adversary breakout time is 72 minutes from initial foothold to active exfiltration, a fourfold reduction from prior-year averages. Nation-state proxies now mix with financially motivated crews, and the line between espionage, sabotage, and profit is no longer a useful triage signal.

Source: SecurityWeek nation-state, Unit 42 Screening Serpens, Industrial Cyber Intel 471, abhs.in PeopleSoft

Ransomware and Data Breaches

Organization	Actor / Vector	Impact	Date
Council of Europe	ShinyHunters	Ransomware attack on an intergovernmental body	June
DentaQuest	ShinyHunters (leak)	Assessed 2.6 million accounts exposed (US dental benefits)	June
Novo Nordisk A/S	Unauthorized IT access	Patient data: year of birth, biomarkers, lifestyle factors	June 11
Nintendo	ShadowByt3$	Claimed 859 MB: employee personal info and company analytics	June
Oxford University	Career-services breach	Student first names, last names, email addresses	June 1
ServiceNow	Privilege-escalation flaw	Hosted customer instances; unauthenticated access risk	June 5
US higher education	UNC6240 (PeopleSoft 0day)	100+ organizations, 68% US higher ed, identity data exposure	May-Jun

Cross-cutting note: ShinyHunters appears in three separate rows above. A single financially motivated crew running a critical zero-day and multiple high-profile extortions in the same window is the defining pattern of this period.

Source: SharkStriker June 2026 breaches, BleepingComputer ServiceNow, TechCrunch worst breaches 2026

Recommended Actions

Immediate (0 to 72 hours)

Apply the Oracle out-of-band alert for CVE-2026-35273 and hunt PeopleSoft EMHub logs for SSRF callbacks and anomalous outbound requests going back to May 27. Assume pre-patch compromise if you run internet-facing PeopleSoft.
Restrict management access to Cisco Catalyst SD-WAN Manager and monitor for crafted file uploads and root-level command execution per CVE-2026-20245. Apply fixed releases as Cisco publishes them.
Patch on-premises Exchange for CVE-2026-42897 and review OWA for unexpected JavaScript execution and altered mailbox rules.
Push the 2026-06-05 Android patch level to managed devices, prioritizing executive and high-risk handsets, for CVE-2025-48595.
Cross-check your asset inventory against this month's CISA KEV additions and confirm BOD 26-04 due dates for federal and federal-adjacent environments.

Short-Term (1 to 4 weeks)

Complete the full Microsoft June rollout, prioritizing the 37 Critical fixes among the 206 total.
Rotate publishing tokens, CI/CD secrets, and package-registry credentials. The hackerbot-claw incident started with a stolen publishing token in a GitHub Actions setup.
Pin and update MCP SDK versions and treat all server-supplied tool metadata as untrusted input.
Build detection for the 72-minute breakout reality: validate that identity-system and edge-device telemetry reaches your SIEM with alerting, not just logging.

Strategic

Inventory every AI agent in production and flag each one that satisfies the lethal trifecta of private data, untrusted input, and external egress. Break at least one leg of the trifecta for every flagged agent.
Adopt agentic red teaming that exercises the full tool-call and memory chain, not just prompt-level filtering, and align it to the OWASP Top 10 for Agentic Applications 2026.
Shift the operating assumption from patch cadence to exploitation-path detection. When zero-days are exploited before advisories ship, the disclosure-to-patch window is no longer your control surface.
Treat financially motivated and nation-state actors as one capability tier for planning. The tooling, speed, and zero-day access no longer separate them.