What you need to know today.
CISA flags an Oracle PeopleSoft zero-day exploited by ShinyHunters, as Aqara and Naxclow IoT platforms disclose critical hardcoded-key flaws.

CISA adds Oracle PeopleSoft zero-day to KEV as ShinyHunters rampages through higher ed. CVE-2026-35273 is a critical, unauthenticated remote code execution flaw in PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62 that is being actively exploited in the wild by the ShinyHunters ransomware group. As The Register reported, the group claims to have compromised over 100 organizations — predominantly universities — by exploiting this vulnerability to steal sensitive data and extort victims. Mandiant confirmed the attacks and noted the group has been observed moving laterally from PeopleSoft into broader enterprise networks. Oracle issued an out-of-band security alert and mitigation guidance, though a full patch cycle is still pending. CISA's KEV designation means federal agencies must remediate by July 2, 2026, and all PeopleSoft administrators should treat this as an emergency — apply Oracle's mitigations immediately and audit for signs of compromise.
Aqara cloud infrastructure riddled with critical flaws — hardcoded keys, missing auth, and authorization bypasses. Five CVEs published today paint a grim picture of Aqara's smart-home cloud platform. CVE-2026-50086 (CVSS 10.0) exposes the IAM/SSO gateway's signing key to unauthenticated bidirectional AES round-trips. CVE-2026-50083 (CVSS 9.1) reveals hardcoded OAuth client credentials in the same gateway. CVE-2026-50084 (CVSS 9.6) allows any valid developer token to access any account via the Cloud Production API. CVE-2026-50090 (CVSS 9.3) is an OAuth redirect bypass on the authorization endpoint. And CVE-2026-50091 (CVSS 9.1) embeds hardcoded cryptographic keys in the Aqara Home Android app (com.lumiunited.aqarahome) and all white-label clients using the same SDK. Together, these flaws could allow an attacker to forge authentication tokens, access any user's smart-home devices, and pivot into the broader Aqara ecosystem. No patches have been announced; organizations using Aqara devices in any capacity should isolate them from sensitive networks and monitor for vendor updates.
Naxclow IoT platform has two critical flaws under CISA advisory — hardcoded signing salt and device hijacking. CISA published an ICS advisory today covering CVE-2026-28742 (CVSS 9.8) and CVE-2026-42947 (CVSS 8.8) in the Naxclow IoT device platform. The first is a platform-wide hardcoded salt embedded in every firmware image, meaning an attacker who recovers the salt from any single device can forge valid signatures for arbitrary device or cloud API requests. The second flaw allows an attacker to replay a confirm-then-bind sequence during device onboarding, silently reassigning a device to an arbitrary account. Because the affected endpoints validate request signatures (using that hardcoded salt) but don't enforce nonce or freshness checks, both flaws compound into a full device-takeover chain. Organizations using Naxclow devices should treat them as untrusted until firmware updates are available and ensure they are segmented from critical networks.
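As an added illustration (constructed here, not Naxclow's code and not taken from the advisory), the scheme below contrasts a verifier that checks only a hash over a platform-wide salt with one that also requires a per-device key, a single-use nonce and a freshness window: the same captured bind request that the weak verifier accepts twice is rejected on replay by the hardened one. The salt, device ids and secrets are placeholders.

```python
import hashlib
import hmac
import secrets
import time

# Constructed placeholder: one salt baked into every firmware image, as in the
# weak scheme described above. Anyone holding it can sign for any device.
HARDCODED_SALT = b"PLACEHOLDER-platform-wide-salt"

def canonical(params: dict) -> bytes:
    """Deterministic key=value encoding so signer and verifier hash the same bytes."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()

def sign_weak(params: dict) -> str:
    """Weak scheme: shared salt, no per-device secret, no nonce, no timestamp."""
    return hashlib.sha256(HARDCODED_SALT + canonical(params)).hexdigest()

def verify_weak(params: dict, sig: str) -> bool:
    # A captured request verifies again and again: nothing ties it to a moment in time.
    return hmac.compare_digest(sign_weak(params), sig)

class FreshnessVerifier:
    """Hardened scheme: per-device HMAC key, single-use nonce, bounded clock skew."""
    def __init__(self, device_keys: dict, window_s: int = 30):
        self.device_keys = device_keys   # device_id -> secret provisioned per device
        self.seen_nonces = set()         # production: a store with expiry, not a set
        self.window_s = window_s

    def sign(self, device_id: str, params: dict, now=None):
        p = dict(params, device_id=device_id,
                 ts=int(now if now is not None else time.time()),
                 nonce=secrets.token_hex(8))
        mac = hmac.new(self.device_keys[device_id], canonical(p), hashlib.sha256)
        return p, mac.hexdigest()

    def verify(self, params: dict, sig: str, now=None) -> bool:
        key = self.device_keys.get(params.get("device_id"))
        if key is None:
            return False                 # unknown device
        now = now if now is not None else time.time()
        if abs(now - int(params.get("ts", 0))) > self.window_s:
            return False                 # stale: outside the freshness window
        nonce = params.get("nonce")
        if not nonce or nonce in self.seen_nonces:
            return False                 # replay: nonce already consumed
        expected = hmac.new(key, canonical(params), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False                 # tampered or forged
        self.seen_nonces.add(nonce)      # consume only after every check passes
        return True
```

The nonce is recorded only after the signature check succeeds, so a forged or tampered request cannot burn a nonce that a legitimate device still needs.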
Microsoft June 2026 Patch Tuesday fixes 200+ flaws including a critical Windows DHCP Server tampering bug. CVE-2026-45602 (CVSS 9.1) is a critical tampering vulnerability in Windows DHCP Server that allows an unauthenticated attacker to corrupt DHCP operations over the network. As BleepingComputer reported, this month's Patch Tuesday addresses over 200 vulnerabilities including three zero-days, though Microsoft has not disclosed active exploitation for this particular DHCP flaw. The DHCP Server vulnerability is especially concerning for enterprise environments where DHCP is a core network service — an attacker who poisons DHCP responses could redirect traffic, conduct man-in-the-middle attacks, or destabilize network operations. Given the critical severity and network-based attack vector, prioritize testing and deploying this patch across Windows Server deployments.
Google Chrome 149 patches 25 bugs including critical sandbox escape. CVE-2026-12027 (CVSS 9.6) is a critical inappropriate implementation in Chrome's Headless mode that allows a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. As Vypr Intelligence noted, this month's release fixes over a dozen sandbox escape vulnerabilities total. The pre-condition — the attacker must first compromise the renderer — means this is typically chained with a separate renderer RCE in exploit kits. Chrome auto-updates should already be rolling out; ensure browser update policies are enforced and remind users to restart their browsers.
SimpleHelp, vm2, Nezha Monitoring, and ApostropheCMS disclose critical flaws across remote management and CMS tooling. SimpleHelp CVE-2026-48558 (CVSS 10.0) is an authentication bypass in the OIDC flow affecting versions 5.5.15 and prior, plus 6.0 pre-releases — anyone using SimpleHelp with OIDC should immediately restrict network access and check for vendor patches. The vm2 Node.js sandbox library disclosed nine sandbox escape CVEs including CVE-2026-47140 and CVE-2026-47131 (both CVSS 10.0), which bypass the denylist for dangerous builtins like process and inspector — upgrade to vm2 3.11.4 immediately. Nezha Monitoring CVE-2026-46716 (CVSS 9.9) allows a RoleMember user to create cron tasks with arbitrary command execution via the Cover=CronCoverAll parameter; upgrade to version 2.0.8. ApostropheCMS CVE-2026-53609 (CVSS 9.1) is a prototype pollution via apos.util.set() that lets authenticated editors achieve RCE, while CVE-2026-53608 (CVSS 8.7) is a server-side template injection in the SEO package — both require upgrading to the latest versions.