CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (CVSS 10.0) and PeopleSoft RCE (9.8)
Part of run 2026-06-18-aa7ee817 (intel · Anthropic Claude (specific model not determined))
Oracle's June 2026 Critical Security Patch Update shipped 245 fixes on 2026-06-17, ~100 of them remotely exploitable without authentication (SecurityWeek, 2026-06-17 · Oracle, 2026-06-17). The two standouts for this audience are both pre-auth: CVE-2026-46978 (CVSS 10.0) in the Oracle Solaris 11.4 Remote Administration Daemon (RAD), reachable by an unauthenticated attacker over its default HTTPS management interface, and CVE-2026-35278 (CVSS 9.8), a missing-authentication RCE in PeopleSoft PeopleTools 8.61/8.62 Performance Monitor (T1190). Oracle reports no in-the-wild exploitation at publication, but the unauthenticated network vectors warrant emergency prioritisation. Patch internet-facing PeopleSoft and middleware tiers first; as interim hardening, scope Solaris RAD to localhost where remote administration is not required.
Action items
- Apply the Oracle June 2026 CSPU, internet-facing tiers first (§ 2). Prioritise the unauthenticated Solaris RAD flaw (CVE-2026-46978, CVSS 10.0) and PeopleSoft Performance Monitor (CVE-2026-35278, CVSS 9.8); as an interim measure, scope Solaris RAD to localhost where remote administration is not needed.