top of page

U.S. CISA Adds Critical Enterprise Software Vulnerabilities to Known Exploited Vulnerabilities Catalog

  • Jun 13
  • 3 min read

Key Findings


  • CISA added Oracle PeopleSoft Enterprise PeopleTools vulnerability CVE-2026-35273 (CVSS 9.8) to its Known Exploited Vulnerabilities catalog following active exploitation by ShinyHunters

  • CISA added Ivanti Sentry vulnerability CVE-2026-10520 (CVSS 10.0) to its Known Exploited Vulnerabilities catalog with a mandatory federal agency patching deadline of June 14, 2026

  • The Oracle flaw was exploited as a zero-day for nearly two weeks before vendor disclosure, affecting over 100 organizations including 68 percent universities and colleges

  • Ivanti Sentry instances are particularly attractive targets because they sit at the trusted network boundary between mobile devices and internal corporate systems

  • Federal agencies and private organizations are required to address both vulnerabilities immediately


Background


Oracle PeopleSoft Enterprise PeopleTools is the underlying platform used to build, run, administer, and customize Oracle PeopleSoft applications. Ivanti Sentry is a secure gateway appliance that protects mobile access to corporate resources by managing communications between internal systems and mobile devices. Both products are critical infrastructure components widely deployed in enterprise environments, making vulnerabilities in them particularly high-impact.


Oracle PeopleSoft Remote Code Execution Vulnerability


CVE-2026-35273 is a critical remote code execution flaw in the Environment Management component that requires no authentication and no user interaction to exploit. An attacker needs only network access to the Environment Management Hub endpoint to take over the server. PeopleTools versions 8.61 and 8.62 are confirmed affected, with earlier unsupported versions likely vulnerable as well.


The vulnerability was actively exploited between May 27 and June 9, 2026, while it remained a zero-day with no available patch or official vendor warning. Oracle did not issue an advisory until June 10, creating a critical exposure window for all targeted organizations.


ShinyHunters Campaign Details


Mandiant and Google Threat Intelligence Group attributed the active compromise and extortion campaign to UNC6240, operating under the ShinyHunters name. The attackers targeted Oracle PeopleSoft application infrastructure at more than 100 organizations, with 68 percent being universities and colleges, predominantly in the United States.


The campaign gained visibility when the attackers left their staging infrastructure exposed with insufficient access controls. Researcher nahamike01 publicly identified open directories on five sequential IP addresses running Python's built-in HTTP server on port 8888. Mandiant accessed these systems and discovered shared bash history files that laid out the entire operation with timestamps.


Attack Methodology


The attackers staged pre-configured Windows MeshCentral agent binaries disguised as Microsoft Azure services, using names like meshagent32-azure-ops.exe and meshagent64-azure-ops.exe. MeshCentral is legitimate open-source remote management software, allowing the malicious traffic to blend into normal administrative activity and evade detection.


The operational timeline shows deliberate planning. On May 27 at 22:14 UTC, attackers installed MeshCentral version 1.1.59 and installed acme-client eleven minutes later to automate Let's Encrypt SSL certificate provisioning for the command and control domain azurenetfiles.net, which mimicked Microsoft Azure NetApp Files naming conventions.


Attackers used MeshCentral's CLI tool to run commands on compromised endpoints, mapping Oracle PeopleSoft configurations, reading process scheduler config files, and inspecting WebLogic XML configs to identify additional targets. Lateral movement occurred through a script named [victim_abbreviation]_fanout.sh that parsed internal host tables and sprayed hardcoded username and password combinations against internal PeopleSoft nodes over SSH.


The attackers left evidence of compromise by copying a file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into WebLogic and Process Scheduler directories as both an extortion marker and propagation confirmation. Data exfiltration was compressed with zstd and sent via SSH to 176.120.22.24, the IP hosting the public ShinyHunters data leak site.


Ivanti Sentry Command Injection Vulnerability


CVE-2026-10520 is a maximum-severity OS command injection flaw in Ivanti Sentry that allows remote unauthenticated users to achieve root-level remote code execution. The vulnerability affects Ivanti Sentry versions before R10.5.2, R10.6.2, and R10.7.1.


Although Ivanti initially reported no evidence of active attacks, the Shadowserver Foundation documented that many internet-exposed Sentry gateways were already backdoored shortly after security updates were released. Shadowserver's own scans identified 19 vulnerable instances with at least 2 confirmed backdoored, with researchers assessing that remaining compromised instances were likely affected as well.


Why Ivanti Sentry Is a High-Value Target


Threat actors frequently target Ivanti flaws because they provide direct access into enterprise networks and enable data theft. Sentry instances are particularly valuable targets because they sit at a critical juncture in network architecture, positioned between mobile devices and internal corporate systems. A compromised Sentry instance means an attacker is no longer outside the network perimeter but effectively inside the trusted boundary, with immediate access to sensitive corporate infrastructure.


Federal Mandates and Recommendations


Under Binding Operational Directive 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies must address identified vulnerabilities by specified due dates. CISA has ordered federal agencies to patch the Ivanti Sentry vulnerability by June 14, 2026. Private organizations are encouraged to review the Known Exploited Vulnerabilities catalog and address these flaws in their infrastructure immediately to prevent similar compromises.


Sources


  • https://securityaffairs.com/193574/security/u-s-cisa-adds-oracle-peoplesoft-enterprise-peopletools-flaw-to-its-known-exploited-vulnerabilities-catalog.html

  • https://securityaffairs.com/193557/security/u-s-cisa-adds-ivanti-sentry-flaw-to-its-known-exploited-vulnerabilities-catalog-and-urges-patching-by-june-14.html

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page