# CTI Daily Brief — 2026-06-11

> **AI-generated content — no human review.** This brief was produced autonomously by an LLM (Anthropic Claude, specific model not determined) with parallel research and verification by sub-agents (Claude Sonnet 4.6) executing the prompt at `prompts/daily-cti-brief.md` as a Claude Code routine on Anthropic-managed cloud infrastructure. **Nothing here is reviewed or edited by a human before publication.** All facts are linked inline to public sources the agent fetched in this run. Verify any operationally critical claim against the linked primary source before acting.

**Generated by:** Anthropic Claude (specific model not determined) · **Sub-agents:** S1: Claude Sonnet 4.6 · S2: Claude Sonnet 4.6 · S3: Claude Sonnet 4.6 · S4: Claude Sonnet 4.6 · verify: Anthropic Claude Opus 4.8, Claude Sonnet 4.6 · **Classification:** TLP:CLEAR · **Language:** English · **Prompt:** v2.60 · **Recency window:** 36 h (gap to prior brief: 24 h)

## 0. TL;DR

- **ServiceNow shipped a Scripted REST endpoint (`/api/now/related_list_edit/create`) with `requires_authentication=false`, and attackers queried customer instance tables unauthenticated** between 2 and 4 June before a silent server-side patch on 5 June ([BleepingComputer, 2026-06-09](https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data/)). NCSC-CH GovCERT flags it "Actively Exploited"; ServiceNow's own read is that the activity was "likely tied to security researchers" — either way, instance tables holding tickets, tokens and PII were reachable without credentials. No CVE.
- **ShinyHunters claims Oracle PeopleSoft data theft at 100+ organisations across ~300 instances, mostly in higher education**; the University of Nottingham confirmed student and alumni data was accessed ([BleepingComputer, 2026-06-10](https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/)). Post-access lateral movement abuses default PeopleSoft/Oracle SSH service accounts — see the deep dive.
- **Windows Netlogon RCE CVE-2026-41089 (CVSS 9.8, pre-auth SYSTEM on any unpatched DC) is now confirmed exploited in the wild in the EU** by Belgium's CCB; CERT-EU issued advisory 2026-007 ([CERT-EU, 2026-06-10](https://cert.europa.eu/publications/security-advisories/2026-007/)). The fix shipped in May 2026 Patch Tuesday — unpatched domain controllers are a forest-compromise path.
- **Langflow CVE-2026-5027 (CVSS 8.8 path traversal → arbitrary file write) is being exploited in the wild**, made effectively pre-auth by Langflow's default auto-login; ~7,000 instances are internet-exposed and a patch is now available ([BleepingComputer, 2026-06-10](https://www.bleepingcomputer.com/news/security/path-traversal-flaw-in-ai-dev-platform-langflow-exploited-in-attacks/)).
- **A new Microsoft Defender SYSTEM-LPE zero-day, "RoguePlanet," dropped as a public PoC hours after June Patch Tuesday** — a TOCTOU race in the Defender scan engine, no CVE and no patch ([BleepingComputer, 2026-06-09](https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/)). No in-the-wild use reported yet; monitoring is the only mitigation.

## 1. Active Threats, Trending Actors, Notable Incidents & Disclosures

### ServiceNow unauthenticated REST endpoint queried customer instance tables before a silent 5 June patch

ServiceNow disclosed on 9 June 2026 that a Scripted REST Resource at `/api/now/related_list_edit/create` was shipped with `requires_authentication=false`, so the endpoint accepted unauthenticated requests and could be used to query arbitrary customer instance tables ([BleepingComputer, 2026-06-09](https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data/)). Anomalous activity was observed from 2–4 June from a single source IP, and ServiceNow applied a server-side fix to hosted instances on 5 June, reconfiguring the endpoint to require authentication ([The Hacker News, 2026-06-10](https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html)). Instances on the "Australia" platform release, or older releases with specific configuration changes, were affected; no CVE has been assigned. ServiceNow's own assessment is that the observed activity was "likely tied to security researchers or customer-led research associated with bug bounty submissions rather than malicious threat actors," while NCSC-CH GovCERT recorded the issue as "Actively Exploited" — the company confirms it saw evidence of successful table queries against a subset of customers regardless of attribution ([TechCrunch, 2026-06-10](https://techcrunch.com/2026/06/10/servicenow-tells-customers-a-bug-left-some-of-their-data-exposed-to-the-internet/)). Technique class: `T1190` Exploit Public-Facing Application → `T1213` Data from Information Repositories, with downstream `T1078` Valid Accounts if tokens stored in tickets were harvested. The advisory (KB3067321) was initially gated behind the customer support portal, so organisations that do not actively monitor it may not know a case was opened on their tenant.

**Why it matters to us:** ServiceNow is a reference ITSM/CMDB/HR platform across the Swiss Confederation, cantonal administrations and EU institutions, and its instances routinely hold support-ticket credentials, embedded API tokens, asset inventories and security-incident records. Audit all Scripted REST Resources for `requires_authentication=false` (filter `sys_ws_operation` on `acl.requires_authentication=false`), review `access_log_transaction` for requests to `/api/now/related_list_edit` in the 2–5 June window, and rotate any secrets exposed in support workflows.
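The `access_log_transaction` review described above, as an added example for this brief (not ServiceNow tooling): it reads a list export, keeps requests to the affected endpoint inside the 2–5 June window, and counts credential-less 2xx responses per source IP. The CSV column names and the sample rows are constructed assumptions; map them to your own export.

```python
"""Hunt a ServiceNow access_log_transaction export for hits on the
/api/now/related_list_edit endpoint in the 2-5 June 2026 window.
Added example for this brief, not ServiceNow tooling."""
import csv
import io
from collections import Counter
from datetime import datetime, timezone

TARGET_PREFIX = "/api/now/related_list_edit"
WINDOW_START = datetime(2026, 6, 2, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 5, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample export. The column names are an assumption about the list
# export layout; map them to the columns your own instance produces.
SAMPLE_EXPORT = """sys_created_on,url,remote_ip,user,response_status
2026-06-01 09:12:04,/api/now/table/incident,203.0.113.9,itil.user,200
2026-06-03 02:41:17,/api/now/related_list_edit/create,198.51.100.77,,200
2026-06-03 02:41:19,/api/now/related_list_edit/create,198.51.100.77,,200
2026-06-04 11:05:00,/api/now/related_list_edit/create,10.20.30.40,admin,200
2026-06-06 08:00:00,/api/now/related_list_edit/create,198.51.100.77,,401
"""


def parse_created_on(value: str) -> datetime:
    """Parse the instance's 'YYYY-MM-DD HH:MM:SS' timestamp as UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def hunt_related_list_edit(csv_text: str, start=WINDOW_START, end=WINDOW_END):
    """Return (in_window_hits, unauthenticated_success_by_ip).

    A hit is any request whose URL starts with TARGET_PREFIX inside the window.
    A hit with no authenticated user and a 2xx response is the signature of the
    misconfigured endpoint answering a credential-less query; those are counted
    per source IP so a single scanning source stands out.
    """
    hits = []
    unauth_by_ip = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["url"].startswith(TARGET_PREFIX):
            continue
        when = parse_created_on(row["sys_created_on"])
        if not start <= when <= end:
            continue
        hits.append(row)
        if not row["user"].strip() and row["response_status"].startswith("2"):
            unauth_by_ip[row["remote_ip"]] += 1
    return hits, unauth_by_ip


if __name__ == "__main__":
    hits, by_ip = hunt_related_list_edit(SAMPLE_EXPORT)
    print(f"{len(hits)} request(s) to {TARGET_PREFIX} in window")
    for ip, n in by_ip.most_common():
        print(f"  {ip}: {n} unauthenticated 2xx response(s) -> review and rotate exposed secrets")
```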

— *Source: [NCSC-CH GovCERT](https://security-hub.ncsc.admin.ch/#/posts/12621) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data/) · Additional source: [The Hacker News](https://thehackernews.com/2026/06/servicenow-flaw-exploited-to-gain.html) · Additional source: [TechCrunch](https://techcrunch.com/2026/06/10/servicenow-tells-customers-a-bug-left-some-of-their-data-exposed-to-the-internet/) · Tags: cloud, data-breach, identity, auth-bypass, actively-exploited · Region: global · Sector: public-sector, finance, technology*

### "RoguePlanet" Microsoft Defender zero-day: TOCTOU race in the scan engine yields a SYSTEM shell, no CVE, no patch

A researcher operating as "Nightmare Eclipse" (also tracked as Chaotic Eclipse) published a working proof-of-concept named RoguePlanet on 9 June 2026 — hours after Microsoft patched two of the researcher's earlier disclosures (YellowKey/CVE-2026-45585 and GreenPlasma/CVE-2026-50507) in June Patch Tuesday ([BleepingComputer, 2026-06-09](https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/)). RoguePlanet abuses a time-of-check/time-of-use race condition in the Microsoft Defender real-time scan engine (`MsMpEng.exe`, running as SYSTEM): an attacker times a file-system operation to coincide with Defender's scan pass and redirects it, achieving local privilege escalation to SYSTEM on fully patched Windows 10 and 11 ([SecurityWeek, 2026-06-10](https://www.securityweek.com/new-windows-zero-day-exploit-rogueplanet-released/)). NCSC-CH GovCERT consolidated this disclosure alongside the researcher's prior 2026 Defender drops — BlueHammer, RedSun, UnDefend, YellowKey and GreenPlasma ([NCSC-CH GovCERT, 2026-06-10](https://security-hub.ncsc.admin.ch/#/posts/12622)). The primitive requires local code execution first (a standard-user foothold is sufficient) and is reliability-limited by the race; no in-the-wild exploitation has been reported and Microsoft has not assigned a CVE or issued an advisory. Technique class: `T1068` Exploitation for Privilege Escalation.

**Why it matters to us:** Microsoft Defender is the default endpoint protection on Windows fleets across Swiss federal and EU public-sector environments, so the affected component is universal. With no patch, detection is the control: alert on `MsMpEng.exe` spawning `cmd.exe`/`powershell.exe` child processes (Sysmon EID 1 / Windows 4688 with parent image in the Defender path) and on SYSTEM-context shells not tied to a service restart.
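The process-tree rule above as an added example (not Microsoft or Sysmon tooling): it normalises Sysmon EID 1 and Security 4688 field names and flags a shell whose parent is `MsMpEng.exe` located in a genuine Defender install directory, so a same-named binary dropped elsewhere does not match this rule. The event dicts and the Platform version folder are constructed samples.

```python
"""Flag Defender-engine parents spawning shells in Sysmon EID 1 or Security 4688
events. Added example for the RoguePlanet detection described above, not
Microsoft tooling; the event dicts below are constructed samples."""
import ntpath

SHELLS = {"cmd.exe", "powershell.exe"}
# Install locations of the Defender engine binary on Windows 10/11: the
# versioned Platform folder on current builds, the legacy Program Files path
# on older ones. Compared lower-cased because NTFS paths are case-insensitive.
PLATFORM_ROOT = r"c:\programdata\microsoft\windows defender\platform"
LEGACY_DIR = r"c:\program files\windows defender"

# Parent/child field names differ between the two event sources.
FIELD_MAP = {
    "sysmon_1": ("ParentImage", "Image"),
    "security_4688": ("ParentProcessName", "NewProcessName"),
}


def _parent_and_child(event: dict):
    parent_field, child_field = FIELD_MAP[event["source"]]
    return event.get(parent_field, "").lower(), event.get(child_field, "").lower()


def _in_defender_dir(path: str) -> bool:
    parent_dir = ntpath.dirname(path)
    return parent_dir == LEGACY_DIR or parent_dir.startswith(PLATFORM_ROOT + "\\")


def is_defender_spawned_shell(event: dict) -> bool:
    """True when MsMpEng.exe, running from a Defender directory, starts a shell.

    The directory check matters: a binary merely named MsMpEng.exe in a user
    directory is a different (still interesting) finding and not this rule.
    """
    parent, child = _parent_and_child(event)
    if ntpath.basename(parent) != "msmpeng.exe" or not _in_defender_dir(parent):
        return False
    return ntpath.basename(child) in SHELLS


def triage(events):
    """Return the subset of events matching the rule, in input order."""
    return [e for e in events if is_defender_spawned_shell(e)]


# Constructed events; the Platform version folder is a placeholder, not a real release.
SAMPLE_EVENTS = [
    {"source": "sysmon_1",
     "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\0.0.0.0-0\MsMpEng.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"source": "security_4688",
     "ParentProcessName": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"source": "sysmon_1",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"source": "sysmon_1",
     "ParentImage": r"C:\Users\Public\MsMpEng.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        parent, child = _parent_and_child(hit)
        print(f"[{hit['source']}] ALERT: {parent} -> {child}")
```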

— *Source: [BleepingComputer](https://www.bleepingcomputer.com/news/microsoft/microsoft-defender-rogueplanet-zero-day-grants-system-privileges/) · Additional source: [SecurityWeek](https://www.securityweek.com/new-windows-zero-day-exploit-rogueplanet-released/) · Additional source: [NCSC-CH GovCERT](https://security-hub.ncsc.admin.ch/#/posts/12622) · Tags: vulnerabilities, zero-day, lpe, priv-esc, poc-public, no-patch · Region: global · Sector: public-sector*

### EDPB adopts a harmonised GDPR Article 33 breach-notification template; consultation open to 5 August

The European Data Protection Board adopted a common EU/EEA template for personal-data-breach notifications under GDPR Article 33 at its 10 June 2026 plenary, opening it for public consultation until 5 August 2026 ([EDPB, 2026-06-10](https://www.edpb.europa.eu/news/news/2026/edpb-meets-eu-commissioner-mcgrath-and-adopts-common-data-breach-notification_en)). The template provides predefined fields aligned to Article 33 content requirements — categories of data and data subjects, approximate number of individuals affected, likely consequences, and measures taken — and is intended to replace the current patchwork of national DPA forms, reducing notification friction for cross-border incidents and for smaller organisations without dedicated DPOs ([EDPB template, 2026-06-10](https://www.edpb.europa.eu/our-work-tools/our-documents/other/template-personal-data-breach-notification_en)). After the consultation closes the EDPB will set an adoption timeline for national authorities.

**Defender takeaway:** Incident-response runbooks built around individual national-DPA notification forms should be reviewed against the harmonised schema once the post-consultation version lands (expected Q4 2026). Swiss organisations subject to nDSG Article 24 breach-notification duties will want to track convergence with the EU template for cross-border cases.

— *Source: [EDPB](https://www.edpb.europa.eu/news/news/2026/edpb-meets-eu-commissioner-mcgrath-and-adopts-common-data-breach-notification_en) · Additional source: [EDPB template](https://www.edpb.europa.eu/our-work-tools/our-documents/other/template-personal-data-breach-notification_en) · Additional source: [CNIL](https://www.cnil.fr/en/edpb-meets-eu-commissioner-mcgrath-and-adopts-common-data-breach-notification-template) · Tags: data-breach, law-enforcement, eu-nexus · Region: europe · Sector: public-sector*

## 2. Trending Vulnerabilities

### CVE-2026-5027 — Langflow: unauthenticated path traversal to arbitrary file write, exploited in the wild

CVE-2026-5027 (CVSS 8.8, CWE-22) is a path-traversal flaw in Langflow — the widely deployed open-source low-code platform for building LLM pipelines, RAG systems and agentic workflows. The `POST /api/v2/files` endpoint fails to sanitise the `filename` parameter in multipart form data, allowing `../` sequences to write files to arbitrary filesystem locations ([BleepingComputer, 2026-06-10](https://www.bleepingcomputer.com/news/security/path-traversal-flaw-in-ai-dev-platform-langflow-exploited-in-attacks/)). It is effectively pre-authentication: Langflow ships with `LANGFLOW_AUTO_LOGIN` enabled by default, so a single unauthenticated request obtains a valid session token before reaching the file-write primitive, which chains to code execution via webshell placement or `.pth` injection. Tenable discovered and disclosed the flaw on 27 March 2026 after two months of unsuccessful vendor contact ([Tenable TRA-2026-26, 2026-03-27](https://www.tenable.com/security/research/tra-2026-26)); VulnCheck subsequently observed active exploitation in honeypots, with attackers staging test files on victim systems, and Censys data shows roughly 7,000 publicly exposed instances. A patch is now available (Langflow 1.9.0 / langflow-base 0.8.3, with 1.10.0 released 10 June). Technique: `T1190` Exploit Public-Facing Application → `T1505.003` Web Shell.
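The bug class above, shown as the weak join beside a hardened filename check, as an added example for this brief and not Langflow's own code: the hardened path decodes once (so `%2e%2e%2f` is judged on its decoded form), refuses anything that is not a bare filename, and confirms the resolved target is still under the resolved upload root. Function names and the `/srv/uploads` root are constructed.

```python
"""Path-containment check for a multipart upload handler, modelled on the
Langflow POST /api/v2/files filename flaw. Added example for this brief, not
Langflow's own code; the names and inputs below are constructed."""
from pathlib import Path
from urllib.parse import unquote


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename would escape the upload root."""


def unsafe_upload_path(upload_root: str, filename: str) -> Path:
    """The weak pattern: the client's filename is joined verbatim, so a name
    carrying '../' segments resolves to a location outside upload_root."""
    return Path(upload_root) / filename


def safe_upload_path(upload_root: str, filename: str) -> Path:
    """Return the write path for filename, strictly inside upload_root.

    Validation order matters: decode once so an encoded '%2e%2e%2f' is judged
    on its decoded form, refuse anything that is not a bare filename, then
    confirm the resolved target is still under the resolved root (this also
    catches a pre-planted symlink inside the upload directory).
    """
    root = Path(upload_root).resolve()
    decoded = unquote(filename)
    if "\x00" in decoded or "/" in decoded or "\\" in decoded:
        raise UnsafeFilename(f"directory separator or NUL in filename: {filename!r}")
    if decoded in ("", ".", ".."):
        raise UnsafeFilename(f"empty or dot-only filename: {filename!r}")
    target = (root / decoded).resolve()
    if not target.is_relative_to(root):
        raise UnsafeFilename(f"filename resolves outside upload root: {filename!r}")
    return target


def is_safe_filename(upload_root: str, filename: str) -> bool:
    """Boolean wrapper for use in request validation and tests."""
    try:
        safe_upload_path(upload_root, filename)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    # Constructed inputs: one benign upload name and the two traversal forms the
    # brief mentions (raw '../' and URL-encoded '%2e%2e%2f').
    for name in ("report.pdf", "../../outside.txt", "%2e%2e%2f%2e%2e%2foutside.txt"):
        verdict = "accepted" if is_safe_filename("/srv/uploads", name) else "rejected"
        print(f"{name!r:36} weak join -> {unsafe_upload_path('/srv/uploads', name).resolve()}"
              f" | hardened: {verdict}")
```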

— *Source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/path-traversal-flaw-in-ai-dev-platform-langflow-exploited-in-attacks/) · Additional source: [Tenable TRA-2026-26](https://www.tenable.com/security/research/tra-2026-26) · Tags: vulnerabilities, actively-exploited, pre-auth, path-traversal, rce, patch-available · Region: global · Sector: technology · CVE: CVE-2026-5027 · CVSS: 8.8 · Vector: zero-click · Auth: pre-auth · Status: exploited, patch-available*

#### CVE Summary Table

| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-5027 | Langflow (`POST /api/v2/files`) | 8.8 | n/a | No | Yes (VulnCheck) | 1.9.0 / 1.10.0 | [BleepingComputer](https://www.bleepingcomputer.com/news/security/path-traversal-flaw-in-ai-dev-platform-langflow-exploited-in-attacks/) |
| CVE-2026-41089 | Windows Netlogon (Server 2012–2025) | 9.8 | n/a | No | Yes (CCB Belgium) | May 2026 Patch Tuesday | [CERT-EU 2026-007](https://cert.europa.eu/publications/security-advisories/2026-007/) |

*CVE-2026-41089 is carried as a § 4 update — see below; it is listed here for the consolidated vulnerability view.*

## 3. Research & Investigative Reporting

### Black Lotus Labs: the Volt Typhoon-linked JDY botnet doubles to 1,500+ devices and weaponises CVE disclosures within hours

Lumen's Black Lotus Labs reports that the JDY botnet — the reconnaissance cluster that survived the 2024 KV-botnet takedown and is assessed with high confidence to support multiple China-nexus actors including Volt Typhoon — has more than doubled from roughly 650 bots in January 2024 to over 1,500 compromised SOHO and IoT devices ([Lumen Black Lotus Labs, 2026-06-10](https://www.lumen.com/blog/en-us/expanded-jdy-iot-and-soho-botnet-enables-rapid-vulnerability-exploitation)). The botnet now spans Cisco, Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision and Linksys devices, performs multiprotocol service fingerprinting, banner-grabbing and TLS-certificate collection at scale, and routes C2 through hidden Tor services while managing victims with the open-source Platypus reverse-shell server. The operationally significant finding: scanning of Fortinet devices spiked within hours of the public disclosure of CVE-2026-35616, demonstrating sub-24-hour integration of new vulnerability intelligence into the recon-to-exploitation pipeline ([The Hacker News, 2026-06-10](https://thehackernews.com/2026/06/china-linked-jdy-botnet-expands-to-1500.html)). Targeting centres on US military and associated entities, with distributed European nodes. Technique mapping: `T1595.002` Active Scanning: Vulnerability Scanning, `T1590` Gather Victim Network Information, `T1584.005` Compromise Infrastructure: Botnet.

**Why it matters to us:** JDY scanning should be treated as a precursor to targeted exploitation, not background noise — the sub-24-hour weaponisation window means CH/EU public-sector and critical-infrastructure operators must compress patch cycles for internet-facing edge appliances to hours, not weeks, after a disclosure. Hunt for outbound connections from edge/SOHO devices to the Platypus default service, unusual high-rate outbound SYN scanning, and unexpected TLS-certificate harvesting.

— *Source: [Lumen Black Lotus Labs](https://www.lumen.com/blog/en-us/expanded-jdy-iot-and-soho-botnet-enables-rapid-vulnerability-exploitation) · Additional source: [The Hacker News](https://thehackernews.com/2026/06/china-linked-jdy-botnet-expands-to-1500.html) · Tags: nation-state, espionage, botnet, china-nexus · Region: global · Sector: defense, telco, public-sector · CVE: CVE-2026-35616*

### ANNUAL REPORT [SINGLE-SOURCE] — CrowdStrike 2026 Technology Threat Landscape Report: technology is now the most-targeted sector

CrowdStrike published its 2026 Technology Threat Landscape Report on 9 June 2026 ([CrowdStrike, 2026-06-09](https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-technology-threat-landscape-report/)). The findings most relevant to a Swiss/EU public-sector SOC running AI and cloud DevOps infrastructure: China-nexus adversaries (named clusters include MURKY PANDA, MUSTANG PANDA and WARP PANDA) drove more than 58% of state-sponsored intrusions against the technology sector, focused on AI capabilities, training data, ML infrastructure and semiconductor IP; and DPRK-nexus FAMOUS CHOLLIMA accounted for 47% of state-sponsored hands-on-keyboard activity through IT-worker infiltration using AI-enhanced personas and front companies across North America, Europe and Asia. The report frames AI/ML development pipelines and model weights as espionage targets warranting the same protection as source code and credentials. CrowdStrike also names a compromise of the `axios` npm package as part of a DPRK-linked supply-chain operation — a notable claim, but in this run only CrowdStrike asserts it, so treat the `axios` element as single-source pending independent corroboration.

— *Source: [CrowdStrike](https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-technology-threat-landscape-report/) · Tags: nation-state, espionage, supply-chain, ai-abuse, china-nexus, north-korea-nexus · Region: global · Sector: technology*

## 4. Updates to Prior Coverage

### UPDATE: Windows Netlogon RCE CVE-2026-41089 now confirmed exploited in the wild in the EU; CERT-EU issues advisory 2026-007

> **UPDATE (originally covered 2026-W23 weekly):** CERT-EU published advisory 2026-007 on 10 June 2026 confirming that CVE-2026-41089 — a CVSS 9.8 stack-based buffer overflow (CWE-121) in the Windows Netlogon service — is being actively exploited in the wild, citing Belgium's Centre for Cybersecurity (CCB) ([CERT-EU, 2026-06-10](https://cert.europa.eu/publications/security-advisories/2026-007/)). This is the material delta since the weekly's disclosure-only coverage: an EU national authority has now attributed in-the-wild exploitation, roughly 20 days after the May 2026 Patch Tuesday fix.
>
> An unauthenticated remote attacker sends a crafted Netlogon RPC packet to obtain SYSTEM-level code execution on an unpatched domain controller — functionally a full Active Directory forest compromise, in the ZeroLogon lineage of Netlogon-channel attacks ([BleepingComputer, 2026-06-01](https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/)). CERT-EU's advisory carries the per-version patched-build table: Server 2016 before 10.0.14393.9140, Server 2019 before 10.0.17763.8755, Server 2022 before 10.0.20348.5074, Server 2022 23H2 before 10.0.25398.2330, and Server 2025 before 10.0.26100.32772, with Server 2012/2012 R2 also affected.
>
> — *Source: [CERT-EU 2026-007](https://cert.europa.eu/publications/security-advisories/2026-007/) · Additional source: [BleepingComputer](https://www.bleepingcomputer.com/news/microsoft/critical-windows-netlogon-remote-code-execution-flaw-now-exploited-in-attacks/) · Tags: vulnerabilities, actively-exploited, pre-auth, rce, identity · Region: europe, global · Sector: public-sector · CVE: CVE-2026-41089 · CVSS: 9.8 · Vector: zero-click · Auth: pre-auth · Status: exploited, patch-available*
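A build-floor check against the per-version table quoted above, as an added example for this brief (not CERT-EU or Microsoft tooling): the point it makes is that the fourth component (UBR) is the patch level, so the whole 4-tuple must be compared, and that Server 2012/2012 R2 (builds 9200/9600) have no floor on this page and are reported as "consult the advisory". Reading the local build from the registry is Windows-only; pass a version string on other hosts.

```python
"""Compare a Windows Server build against the CVE-2026-41089 patched-build floors
quoted in CERT-EU 2026-007. Added example for this brief, not CERT-EU or
Microsoft tooling."""
import sys

# Patched floors exactly as the advisory lists them, keyed by the build number
# that identifies each Server release. Server 2012 (build 9200) and 2012 R2
# (build 9600) are listed as affected but without a build floor on the page,
# so they are reported as "affected, consult the advisory" rather than patched.
PATCHED_FLOORS = {
    14393: ("Server 2016", (10, 0, 14393, 9140)),
    17763: ("Server 2019", (10, 0, 17763, 8755)),
    20348: ("Server 2022", (10, 0, 20348, 5074)),
    25398: ("Server 2022 23H2", (10, 0, 25398, 2330)),
    26100: ("Server 2025", (10, 0, 26100, 32772)),
}
NO_FLOOR_ON_PAGE = {9200: "Server 2012", 9600: "Server 2012 R2"}


def parse_build(version: str) -> tuple:
    """Turn '10.0.17763.8755' into a comparable 4-tuple (major, minor, build, UBR)."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected major.minor.build.UBR, got {version!r}")
    return parts


def netlogon_patched(version: str):
    """Return (release_name, status): True patched, False unpatched, None undetermined.

    The fourth component (UBR) is the monthly patch level, so the whole tuple is
    compared; matching only the build number (17763, 20348, ...) says nothing
    about whether the May 2026 update is installed.
    """
    build = parse_build(version)
    if build[2] in PATCHED_FLOORS:
        name, floor = PATCHED_FLOORS[build[2]]
        return name, build >= floor
    if build[2] in NO_FLOOR_ON_PAGE:
        return NO_FLOOR_ON_PAGE[build[2]], None
    return None, None


def local_build() -> str:
    """Read CurrentBuildNumber and UBR from the registry (Windows only)."""
    import winreg  # imported here so the module still loads on non-Windows hosts
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion")
    build, _ = winreg.QueryValueEx(key, "CurrentBuildNumber")
    ubr, _ = winreg.QueryValueEx(key, "UBR")
    return f"10.0.{build}.{ubr}"


if __name__ == "__main__":
    version = sys.argv[1] if len(sys.argv) > 1 else local_build()
    name, status = netlogon_patched(version)
    verdict = {
        True: "patched",
        False: "UNPATCHED - apply the May 2026 update",
        None: "no build floor in the table, consult CERT-EU 2026-007",
    }[status]
    print(f"{version}: {name or 'unrecognised build'} -> {verdict}")
```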

## 5. Deep Dive — ShinyHunters Oracle PeopleSoft campaign: gadget-chain access, SSH default-credential lateral movement, mass exfiltration

ShinyHunters confirmed to BleepingComputer on 10 June 2026 that it had compromised Oracle PeopleSoft servers across approximately 300 instances at more than 100 organisations, with a heavy concentration in higher education ([BleepingComputer, 2026-06-10](https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/)). The University of Nottingham confirmed the same day that student and alumni data had been accessed in a security incident affecting its student-record system, opened a dedicated support line, and notified Action Fraud and the ICO ([University of Nottingham, 2026-06-10](https://www.nottingham.ac.uk/currentstudents/news/student-and-alumni-data-has-been-compromised-in-a-data-security-incident)). TechCrunch independently corroborated the scale of the campaign and the education-sector skew ([TechCrunch, 2026-06-10](https://techcrunch.com/2026/06/10/cybercriminals-claim-breach-of-oracle-peoplesoft-servers-at-100-plus-organizations/)).

**Access and exploitation.** ShinyHunters describes initial access as a "gadget chain" combining legacy PeopleSoft vulnerabilities with claimed zero-days; the actor stresses that exploitation is configuration-dependent and not universal across all internet-reachable instances. Oracle has not published a CVE for the specific flaws in this campaign and did not respond to press inquiries, so the precise initial-access vector remains attacker-asserted rather than vendor-confirmed — treat the "zero-day" framing with appropriate caution. The relevant entry surface is the externally reachable PeopleSoft web and application tier (PIA, Integration Broker, and REST/SAML/OAuth endpoints), mapped to `T1190` Exploit Public-Facing Application.

**Post-access lateral movement.** The better-evidenced — and more directly defender-actionable — phase is what follows initial access. The actor's tooling attempts SSH connections against common PeopleSoft/Oracle operating-system service accounts (`psoft`, `oracle`, `linuxadm`) using password and key-based fallback, then runs a shell script that performs bulk data retrieval and drops ransom notes into PeopleSoft web/application server directories ([BleepingComputer, 2026-06-10](https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/)). This maps to `T1078.004` Valid Accounts: Cloud/default service accounts, `T1021.004` Remote Services: SSH, and `T1213` Data from Information Repositories, culminating in `T1567` Exfiltration Over Web Service. Exfiltrated data categories stated by the actor include student and applicant records, financial-aid data, immigration status, health records, and contact details — the full sensitive payload of a campus-management deployment.

**Detection and hunting concepts (no IOCs).** Watch for SSH authentication attempts to PeopleSoft hosts using the `psoft`/`oracle`/`linuxadm` account names from external or unexpected source ranges; correlate against successful logons followed by interactive shell activity. On the application tier, alert on anomalous bulk-query volumes or out-of-hours mass record retrieval in PeopleTools security-audit logs, and on egress anomalies consistent with bulk data transfer to non-standard destinations (`T1071`). Treat the appearance of unexpected ransom-note text files in web/app server document roots as a high-confidence lateral-movement indicator and review `authorized_keys` and `/etc/hosts` for unauthorised additions.
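The SSH hunt described above over sshd auth log lines, as an added example for this brief (not Oracle or PeopleSoft tooling): it keeps password and public-key attempts for the `psoft`/`oracle`/`linuxadm` accounts from outside an admin range, aggregates them per account and source, and rates an accepted logon higher than a run of failures. The log lines and the `10.50.0.0/16` jump-host range are constructed; substitute your own management networks.

```python
"""Hunt sshd logs on PeopleSoft hosts for authentication attempts against the
default OS service accounts from outside the admin network. Added example for
this brief, not Oracle or PeopleSoft tooling; log lines and ranges are constructed."""
import ipaddress
import re
from collections import defaultdict

SERVICE_ACCOUNTS = {"psoft", "oracle", "linuxadm"}
# Assumed jump-host / admin range; substitute your own management networks.
TRUSTED_NETS = [ipaddress.ip_network("10.50.0.0/16")]

# Standard OpenSSH auth log shape for password and public-key attempts.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample lines, not from a real host.
SAMPLE_LOG = """\
Jun 10 02:14:07 psapp01 sshd[4412]: Failed password for psoft from 198.51.100.23 port 51822 ssh2
Jun 10 02:14:09 psapp01 sshd[4412]: Failed publickey for psoft from 198.51.100.23 port 51822 ssh2: RSA SHA256:constructed
Jun 10 02:14:12 psapp01 sshd[4415]: Accepted password for oracle from 198.51.100.23 port 51830 ssh2
Jun 10 02:14:13 psapp01 sshd[4415]: pam_unix(sshd:session): session opened for user oracle(uid=1001) by (uid=0)
Jun 10 08:30:01 psapp01 sshd[5100]: Accepted publickey for linuxadm from 10.50.0.12 port 40000 ssh2
Jun 10 09:00:00 psapp01 sshd[5200]: Failed password for invalid user admin from 192.0.2.7 port 33000 ssh2
"""


def is_trusted(src: str, trusted_nets=TRUSTED_NETS) -> bool:
    """True when src parses as an address inside one of the admin ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def hunt_service_account_ssh(lines, trusted_nets=TRUSTED_NETS):
    """Aggregate service-account auth events from untrusted sources.

    Returns findings sorted high-severity first, each with account, source,
    outcome, count and severity. An accepted logon from outside the admin
    range is 'high' (the lateral-movement step succeeded); failures are
    'medium' (password or key spraying against the default accounts).
    """
    counts = defaultdict(int)
    for line in lines:
        m = AUTH_RE.search(line)
        if not m or m["user"] not in SERVICE_ACCOUNTS or is_trusted(m["src"], trusted_nets):
            continue
        counts[(m["user"], m["src"], m["outcome"].lower())] += 1
    findings = [
        {"account": acct, "source": src, "outcome": outcome, "count": n,
         "severity": "high" if outcome == "accepted" else "medium"}
        for (acct, src, outcome), n in counts.items()
    ]
    findings.sort(key=lambda f: (f["severity"] != "high", f["account"], f["source"]))
    return findings


if __name__ == "__main__":
    for f in hunt_service_account_ssh(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity'].upper()}] {f['account']} {f['outcome']} x{f['count']} from {f['source']}")
```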

**Hardening / mitigation.** Rename or disable the default `psoft`/`oracle`/`linuxadm` OS service accounts and enforce SSH key-only authentication; restrict PeopleSoft administrative interfaces to jump-host access and remove direct internet exposure of the management tier; enable PeopleTools security-audit logging if not already on; and apply any outstanding Oracle Critical Patch Update advisories for PeopleSoft, recognising that the campaign's specific CVEs are undisclosed so defence-in-depth around authentication and exposure is the dependable control. Public-sector and university SOCs running PeopleSoft Campus Solutions or HCM should audit external reachability of the web/app tier as the first action.

— *Source: [BleepingComputer](https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/) · Additional source: [University of Nottingham](https://www.nottingham.ac.uk/currentstudents/news/student-and-alumni-data-has-been-compromised-in-a-data-security-incident) · Additional source: [TechCrunch](https://techcrunch.com/2026/06/10/cybercriminals-claim-breach-of-oracle-peoplesoft-servers-at-100-plus-organizations/) · Tags: data-breach, organized-crime, supply-chain · Region: uk, europe, global · Sector: education, public-sector*

## 6. Action Items

- **Confirm all domain controllers carry the May 2026 Patch Tuesday update (CVE-2026-41089).** Pre-auth Netlogon RCE giving SYSTEM on any unpatched DC is now confirmed exploited in the wild in the EU by Belgium's CCB. Where a DC cannot be patched immediately (legacy Server 2012/2012 R2 past ESU), isolate it behind a management VLAN with firewall rules blocking Netlogon from untrusted subnets. See § 4.
- **Audit ServiceNow Scripted REST Resources for `requires_authentication=false` and rotate exposed secrets.** Check `sys_ws_operation` for unauthenticated endpoints, review `access_log_transaction` for requests to `/api/now/related_list_edit` in the 2–5 June window, and rotate any credentials or API tokens stored in support-ticket workflows. Confirm via the support portal whether a case was opened on your tenant. See § 1.
- **Patch Langflow (1.9.0 / 1.10.0) and disable auto-login (CVE-2026-5027).** This pre-auth path-traversal-to-RCE is exploited in the wild with ~7,000 instances exposed. If patching is delayed, set `LANGFLOW_AUTO_LOGIN=false`, remove the instance from internet exposure, and hunt web logs for `POST /api/v2/files` requests containing `../` or `%2e%2e%2f`. See § 2.
- **For PeopleSoft operators: rotate default SSH service accounts and hunt for ransom-note artefacts.** Rename/disable `psoft`, `oracle`, `linuxadm`; enforce SSH key-only auth; restrict the admin tier to jump-host access; review `authorized_keys`; and treat unexpected ransom-note text files in web/app document roots as a lateral-movement indicator. See § 5.
- **With no patch for "RoguePlanet," instrument Defender process-tree monitoring.** Alert on `MsMpEng.exe` spawning `cmd.exe`/`powershell.exe` (Sysmon EID 1 / Windows 4688) and on SYSTEM-context shells not tied to a service restart. See § 1.

— *Source: [CERT-EU 2026-007](https://cert.europa.eu/publications/security-advisories/2026-007/) · Additional source: [BleepingComputer — ServiceNow](https://www.bleepingcomputer.com/news/security/servicenow-discloses-security-incident-exposing-customer-data/) · Tags: vulnerabilities, actively-exploited, identity, cloud · Region: europe, global · Sector: public-sector*

## 7. Verification Notes

- **Items dropped:**
  - **CVE-2026-25089 (FortiSandbox unauthenticated OS command injection, CVSS 9.8, patched 9 June)** — dropped from § 2 because it cleared no inclusion gate: not in CISA KEV, no confirmed ENISA EUVD listing, no in-the-wild exploitation reported, and no public PoC. The Fortinet PSIRT page (FG-IR-26-141) returned "Unavailable" on fetch, so no primary advisory URL could be cited. Will reassess if exploitation or a working PoC emerges.
  - **EVERTEC / Banco Popular de Puerto Rico SEC 8-K (third-party support-platform breach, payment-card data)** — dropped: no Switzerland/EU and no public-sector nexus (Puerto Rico banking). Logged as a third-party-vendor-risk pattern only; not within audience scope this run.
  - **BACS/NCSC-CH G7 Évian pre-event threat bulletin** — dropped: the campaign is already covered (`campaign:g7-evian-2026`) and the primary advisory is dated 1 June 2026, outside the 36 h recency window, with no fresh in-window delta.
- **Single-source items:** CrowdStrike's claim of an `axios` npm-package compromise (§ 3) is asserted only by CrowdStrike in this run — flagged single-source-vendor pending independent corroboration. The rest of the CrowdStrike report is treated under the PD-9 one-treatment rule for periodic reports.
- **Contradiction resolved:** Langflow CVE-2026-5027 patch status — one research stream reported "no patch available," another reported a fix in Langflow 1.9.0 / langflow-base 0.8.3 with 1.10.0 on 10 June. Brief reports patch-available on the basis of the more recent, BleepingComputer-sourced read; defenders should confirm the fixed version against the vendor release notes.
- **Attribution caveat:** ServiceNow (§ 1) — exploitation was observed against a subset of customers, but ServiceNow attributes the activity to "likely security researchers / bug-bounty," while NCSC-CH GovCERT records it as "Actively Exploited." The brief presents both framings rather than asserting malicious exploitation. The ShinyHunters PeopleSoft "gadget chain of zero-days" (§ 5) is attacker-asserted and not vendor-confirmed.
- **Cross-source discrepancy (GreenPlasma CVE):** the RoguePlanet item's cited primary, NCSC-CH GovCERT post 12622, maps the GreenPlasma zero-day to CVE-2026-50507, and SecurityWeek lists CVE-2026-45586 as a separate Windows CTFMON elevation-of-privilege flaw; a separate (non-cited) June Patch Tuesday round-up instead associates CVE-2026-45586 with GreenPlasma. The brief follows its cited primary (NCSC-CH 12622) and reports GreenPlasma as CVE-2026-50507. The GreenPlasma/YellowKey CVEs are background context for the RoguePlanet disclosure, not the operative item.
- **Coverage gaps:** databreaches-net (Cloudflare challenge / no usable Wayback snapshot — bridge blocked); sec-disclosures-edgar (EDGAR full-text bridge returned 0 results across all tested windows, direct fetch 403 "Undeclared Automated Tool"; EVERTEC 8-K found via WebSearch fallback); inside-it-ch (Cloudflare Managed Challenge on all attempts); sophos-xops (known 503 pattern, not attempted); greynoise (no in-window posts); fortiguard-psirt (FG-IR-26-141 returned "Unavailable"); cert-fr-actu (feed capped at 2025 entries); ncsc-ch-kw24 (Week-24 review not yet published as of run time).
