Here are today’s top cybersecurity stories for Friday, June 12, 2026.
Oracle PeopleSoft CVE-2026-35273 Added to CISA KEV as ShinyHunters Breach 100+ Organizations
CISA added CVE-2026-35273 to the Known Exploited Vulnerabilities Catalog on June 12, confirming active exploitation of a critical authentication bypass in Oracle PeopleSoft Enterprise PeopleTools. The flaw, rated CVSS 9.8, requires no authentication and no user interaction — network access over HTTP is sufficient to take over a PeopleSoft server. Mandiant and Google Threat Intelligence confirmed the ShinyHunters group (UNC6240) exploited this flaw between May 27 and June 9 against more than 100 organizations, predominantly universities, leaking nearly 455,000 student records including passport numbers and disability details. Federal agencies must apply Oracle’s fix by July 3, 2026. Source: The Hacker News, BleepingComputer, Help Net Security
France Tchap Government Messaging Platform Breached via Account Hijack
France’s national cybersecurity agency ANSSI detected a breach of the Tchap encrypted messaging platform on June 7 after a threat actor hijacked a valid public servant account through social engineering. The attacker exfiltrated over 13.5 GB of documents and media from public chat rooms, which are not end-to-end encrypted, and also accessed hardcoded LDAP credentials leaked via a PowerShell script. The hacker claims access to 73,000 user accounts, 643,000 messages, and nearly 60,000 media files, though DINUM has not confirmed those figures. Tchap has been mandatory for all French public officials since September 2025 and serves over 825,000 registered civil servants. Source: BleepingComputer
OnyxC2 Malware-as-a-Service Targets Over 210 Applications for $250 Per Month
Security researchers published analysis of OnyxC2, a new Malware-as-a-Service infostealer that targets credentials, session cookies, and sensitive data from more than 210 applications and browser extensions, including two-factor authentication tools, cryptocurrency wallets, FTP clients, VPNs, and password managers. The stealer’s C++ core uses direct syscalls and unique per-build mutation for a claimed 99% signature evasion rate, and it is deployed via DLL sideloading paired with legitimately signed binaries. Subscription access starts at $250 per month, and one observed infection yielded 55 saved passwords, 4,717 cookies, and two payment cards from a single host. Source: SecurityWeek
OpenSSL Patches AI-Discovered High-Severity Heap Use-After-Free Flaw CVE-2026-45447
OpenSSL released updates patching 18 vulnerabilities, including a high-severity heap use-after-free bug in PKCS#7 signature verification tracked as CVE-2026-45447. Discovered by a researcher working with Claude AI and Anthropic Research, the flaw can be triggered by a specially crafted S/MIME signed message, potentially leading to heap corruption, process crashes, or remote code execution in affected mail clients and mail transfer agents. This is the second high-severity OpenSSL flaw of 2026. Source: SecurityWeek
Fortinet Patches Critical CVSS 9.1 Unauthenticated Command Injection in FortiSandbox
Fortinet published an advisory for CVE-2026-25089, a critical OS command injection vulnerability in the FortiSandbox Web UI affecting versions 5.0.0 through 5.0.5 and 4.4.0 through 4.4.8, as well as FortiSandbox Cloud and PaaS deployments. An unauthenticated remote attacker can execute arbitrary commands on the underlying system by sending a specially crafted HTTP request. No active exploitation has been reported, but the unauthenticated attack vector and low complexity make this a high-priority patch — fixed in FortiSandbox 5.0.6 and 4.4.9. Source: The Hacker News
Secure Boot Certificate Enforcement Arrives in 14 Days — Are Your Devices Ready?
Organizations have two weeks before Microsoft’s June 26, 2026 Secure Boot enforcement deadline. The legacy Microsoft Corporation KEK CA 2011 certificate expires June 24, and devices without updated 2023-dated certificates will fail to boot with a “Secure Boot violation” error after enforcement flips on. Microsoft recommends organizations use the Intune Autopatch Secure Boot report to identify unready devices. The update process requires approximately 48 hours and at least one restart. Source: Malwarebytes
Ransomware Groups DragonForce, Qilin, TheGentlemen, and Direwolf Post New Victims
Multiple ransomware and extortion groups posted new victims on June 12, 2026. DragonForce listed Areco Steel of Sweden, while Qilin claimed Astec Valves and Fittings in India. TheGentlemen claimed Bitek System Inc. in South Korea and Brian Cox Real Estate in the UK, and Direwolf posted victims in the food and beverage and automotive sectors. The disclosures span manufacturing, real estate, IT services, and food production across five countries. Source: Ransomware.live
Cloudflare 2026 Threat Report: DDoS Doubles, 94% of Login Attempts Are Bots, AI Weaponized
Cloudflare’s 2026 Threat Intelligence Report, based on tracking 230 billion daily threats, found that DDoS attacks more than doubled in 2025 to 47.1 million, with the largest peaking at 31.4 Tbps. Of all login attempts observed on Cloudflare’s network, 94% originate from bots, and 46% of human login attempts involve already-compromised credentials. Threat actors increasingly use AI to map networks in real time and generate deepfakes, while abusing legitimate cloud services including Google Drive, Microsoft Teams, and Amazon S3 to disguise command-and-control traffic. Source: Cloudflare