The Lyceum: Cyber Intelligence Daily — Jun 16, 2026
Past 3 Days — June 16, 2026
The Big Picture
The throughline of the last three days is enterprise software that someone else was supposed to be securing. ShinyHunters' Oracle PeopleSoft zero-day jumped from American universities to the Council of Europe — and its leak deadline expires this evening. Cisco's SD-WAN platform logged its eighth actively-exploited flaw of the year, an AI gateway joined VPNs and firewalls as a standard perimeter target, and a cardiac-monitor company got robbed of patient heart data without a single CVE involved — just a phone call. Attackers are moving faster than patch cycles, and the casualties are the products nobody thought to audit.
What Just Dropped
- CVE-2026-35273 — Oracle PeopleSoft Enterprise PeopleTools: actively exploited, KEV-listed, ransomware-linked, maturity commoditized. Missing authentication on a critical web component; ShinyHunters used it to breach 100+ organizations before a patch existed.
- CVE-2026-20262 — Cisco Catalyst SD-WAN Manager: actively exploited, KEV-listed (due June 29), maturity operational. Path traversal lets an authenticated attacker write files and escalate to root on the controller.
- CVE-2026-54420 — LiteSpeed cPanel Plugin: actively exploited, KEV-listed (due June 18), maturity operational. Symlink-follow flaw lets any FTP/web-shell user become root on CloudLinux/CageFS shared hosts.
- CVE-2026-10520 — Ivanti Sentry: actively exploited, KEV-listed (due June 14, now passed), maturity operational. OS command injection with no authentication required.
- CVE-2026-42271 — BerriAI LiteLLM: actively exploited, KEV-listed, maturity operational. Command-injection chain (CVSS 9.9 per researchers) hands a low-privilege user full admin of your AI gateway.
This Week's Stories
ShinyHunters' Oracle Zero-Day Just Hit the Council of Europe — Deadline Is This Evening
What happened: ShinyHunters claims to have breached the Council of Europe — the continent's oldest intergovernmental body — and stolen more than 297 GB of data by exploiting CVE-2026-35273, a missing-authentication flaw in Oracle PeopleSoft. The group says it took over 429,000 documents from multiple Council departments and set a "final warning" deadline of June 16 to leak them, a deadline that, as of this writing, expires this evening rather than yesterday. The alleged haul includes 409,000+ payslips for 10,000+ staff dating to 2011, in-house personnel files, CVs, and records carrying bank details, tax data, and medical information.
Mandiant and Google Threat Intelligence Group attribute the activity to UNC6240 (ShinyHunters), with exploitation observed between May 27 and June 9 — two weeks before Oracle's advisory. Most of the 100+ victims are US-based, and 68% sit in higher education, according to The Register.
What changes: The Council of Europe breach proves PeopleSoft has stopped being an education-sector story and become a general-purpose initial-access tool. If the group can monetize an intergovernmental body's HR database, every organization running internet-facing PeopleSoft is a target.
What to watch: Whether the dump publishes this evening tells you whether the Council quietly negotiated. If it does, European policy staff should brace for phishing that reads exactly like real HR correspondence. CVE-2026-35273 is in CISA's KEV catalog — check My Oracle Support for your PeopleTools version now.
Cisco SD-WAN's Eighth Exploited Flaw of 2026 — Patch by June 29
What happened: Cisco patched CVE-2026-20262 in Catalyst SD-WAN Manager (formerly vManage) — the dashboard that lets admins control up to 6,000 SD-WAN devices at once. The flaw stems from insufficient validation of uploaded files, letting a low-privilege remote attacker write arbitrary files and escalate to root via crafted HTTP requests. Cisco rated it 6.5 and reported "limited exploitation"; CISA added it to KEV with a June 29 federal deadline. It affects every deployment type — on-prem, Cloud-Pro, Cisco Managed, and FedRAMP.
What changes: "Attacker must already be authenticated" sounds reassuring until you remember that management-plane credentials are precisely what infostealers and earlier SD-WAN bugs harvest. This is a post-compromise escalation straight to root on the box that controls your entire WAN — from there an attacker pushes malicious configs, mirrors traffic, and plants persistent backdoors in branch routers.
What to watch: This is the eighth confirmed actively-exploited flaw in this codebase this year. The pattern — not any single CVE — is the story: someone is methodically working through Cisco SD-WAN. If exploitation surfaces in ransomware incident reports, treat SD-WAN controllers like VPNs in your hardening tier. Patch, rotate the controller's credentials, and check for unexpected users or jobs.
iRhythm: A Threat Actor Talked Its Way Into Patient Heart Data
What happened: iRhythm Holdings — maker of the Zio patch, the wearable cardiac monitor used to evaluate arrhythmias — disclosed in an SEC 8-K filing that on June 9 a threat actor contacted the company claiming to have stolen proprietary data, patient protected health information, and other personal data, demanding payment to stay quiet. iRhythm confirmed data was exfiltrated from third-party-hosted business applications. The access came through social engineering — no CVE, no zero-day, just a person manipulated into handing over credentials. Its medical devices and clinical systems were untouched, and it holds no payment-card data. On June 10 the company deemed the incident material given the data volume.
What changes: A confirmed, material PHI breach triggers HIPAA notification obligations. The lesson for defenders is uncomfortable: the most reliable initial-access vector this week required zero technical sophistication. Your patch program does nothing against a convincing phone call.
What to watch: iRhythm's formal patient notification, due in the coming days, will define scope. If the same social-engineering-into-a-third-party-SaaS pattern surfaces at another healthcare vendor, this becomes a category problem, not an iRhythm problem.
The WordPress Supply-Chain Attack That Hit 1.2 Million Sites
What happened: You didn't click anything. You didn't install anything new. Attackers compromised the content delivery network operated by Awesome Motive — the company behind OptinMonster, TrustPulse, and PushEngage — and tampered with the JavaScript those plugins serve. Any site loading those scripts delivered malicious code to visitors. If a logged-in administrator loaded the page, attackers could spin up a rogue admin account and install a hidden web shell — a backdoor that survives even after the poisoned script is pulled. Combined install base across the three plugins: over 1.2 million sites.
What changes: This is the supply-chain failure mode where the initial compromise is instant and the cleanup is slow. Removing the bad script doesn't remove the backdoor it planted. Expect downstream defacements and credential harvesting traced to this CDN breach for weeks.
What to watch: If you run any of these plugins, update now, audit your admin user list for accounts you don't recognize, and check for plugins installed in the last week. If a wave of "I never logged in but my site is backdoored" reports surfaces, the rogue-admin payload landed widely before anyone noticed.
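One way to run the audit described above, as an added example that is not part of the original newsletter: it takes the CSV that `wp user list --role=administrator --format=csv` produces plus plugin-directory modification times, and flags administrators missing from a staff roster or created in the last week, and plugins that are unknown or were changed in the last week. The roster, the plugin list, the timestamps and the pinned "now" are all constructed sample values.

```python
"""Audit WordPress admin accounts and plugin changes against a known roster."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of `wp user list --role=administrator
#   --fields=user_login,user_email,user_registered --format=csv`
ADMIN_CSV = """user_login,user_email,user_registered
alice,alice@example.org,2021-03-02 10:11:12
bob,bob@example.org,2022-08-19 08:00:00
wp_support,svc@mail.invalid,2026-06-12 03:14:07
"""

# Constructed sample: plugin slug -> directory mtime (what os.path.getmtime
# on wp-content/plugins/<slug> would give, formatted as a timestamp)
PLUGIN_MTIMES = {
    "optinmonster": "2026-06-13 02:10:00",
    "akismet": "2025-11-01 12:00:00",
    "wp-cache-helper": "2026-06-13 02:11:30",
}

KNOWN_ADMINS = {"alice", "bob"}            # assumed staff roster
KNOWN_PLUGINS = {"optinmonster", "akismet"}  # assumed approved plugin list
NOW = datetime(2026, 6, 16, 9, 0, 0)        # pinned so the run is reproducible


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def audit(admin_csv, plugin_mtimes, known_admins, known_plugins, now, window_days=7):
    """Return (finding_kind, name) pairs for anything a responder should look at."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for row in csv.DictReader(io.StringIO(admin_csv)):
        login = row["user_login"]
        if login not in known_admins:          # admin nobody on staff recognises
            findings.append(("unknown_admin", login))
        if parse_ts(row["user_registered"]) >= cutoff:  # created inside the window
            findings.append(("recent_admin", login))
    for slug, mtime in plugin_mtimes.items():
        if slug not in known_plugins:          # plugin not on the approved list
            findings.append(("unknown_plugin", slug))
        if parse_ts(mtime) >= cutoff:          # files touched inside the window
            findings.append(("recent_plugin_change", slug))
    return findings


if __name__ == "__main__":
    for kind, name in audit(ADMIN_CSV, PLUGIN_MTIMES, KNOWN_ADMINS, KNOWN_PLUGINS, NOW):
        print(f"{kind}: {name}")
```

A recently created admin that is also absent from the roster, or a plugin directory that is both unknown and freshly modified, is the pairing to treat as a likely rogue account or dropped web shell.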
⚡ What Most People Missed
The PeopleSoft campaign is chaining old Oracle bugs: In observed campaigns, attackers paired CVE-2026-35273 with previously patched flaws from Oracle's July 2025 Critical Patch Update to escalate privileges and slip past network segmentation. That chaining is the tell — this is a practiced playbook, not opportunistic scanning. Mandiant's full non-education victim list is still unpublished.
A second simultaneous zero-day got buried: Mandiant CTO Charles Carmakal flagged that CVE-2026-35273 is one of two zero-days being exploited in parallel — the other in Cisco Catalyst SD-WAN Manager. Everyone watching the university breach count missed that two enterprise platforms were burning at once.
A two-year-old Oracle WebLogic flaw is now an active weapon: CISA added CVE-2024-21182 to KEV on June 1 — a pre-auth, low-complexity flaw Oracle patched back in July 2024. Someone sat on a working exploit for two years and only recently deployed it at scale. No threat actor has been attributed yet, which is unusual at this severity; of 43 Oracle KEV entries over recent years, 12 ended up tied to ransomware.
An AI gateway just joined the perimeter-target club: A vulnerability chain in LiteLLM — the open-source proxy that fronts models like GPT-4 and Claude — scores CVSS 9.9 and lets a low-privileged user reach admin, run code, steal API keys, read prompts, and tamper with model responses. CISA added CVE-2026-42271 to KEV as actively exploited. Your AI risk register now needs patch SLAs and key-rotation playbooks, not just policy language.
SimpleHelp lets attackers mint their own technicians: If a SimpleHelp server uses OpenID Connect for login, an unauthenticated attacker can forge an OIDC response and create a privileged technician account — then start remote sessions, push scripts, and pivot, all looking like normal IT activity in your logs. Reconcile "who can remote in" against your actual staff roster.
From the Foreign Press
GreatXML: A Practical BitLocker Bypass Through Windows Recovery
Russian outlet Xakep detailed an exploit chain nicknamed GreatXML that abuses the Windows Recovery Environment (WinRE) and its XML configuration files to bypass BitLocker — effectively unlocking an encrypted disk without the user's password. WinRE can be booted and steered by crafted XML that controls recovery workflows; by tampering with those configs and how Windows trusts them, an attacker with physical or low-level access can coerce the system into mounting an encrypted volume in a context they control. Microsoft has published no English-language advisory specific to GreatXML, so this article is the only public technical depth right now. For Western defenders, the implication is blunt: your "lost laptop is just paperwork" assumption is only as strong as your WinRE hardening and recovery-key hygiene. Watch the Microsoft Security Response Center over the next 24–48 hours. Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
400+ Arch Linux AUR Packages Shipped a Rootkit and Infostealer
Xakep reports that more than 400 Arch User Repository packages were compromised to distribute a combined kernel-level rootkit and information-stealer, injected after maintainer credentials were hijacked. The attackers didn't publish obviously malicious new packages — they quietly slipped code into popular existing ones, so routine updates pulled in the payload. The stealer hunts browser data, SSH keys, crypto wallets, and cloud credentials, while the rootkit hides its processes and files from normal tools. The package count and sophistication described here exceed what English-language summaries of the earlier "Atomic Arch" theme have reported, which is the real signal: this looks less like a cleanup event and more like an early-stage trust collapse in community packaging. If Arch sits anywhere near your production path — or on developer laptops holding secrets — audit AUR usage and tighten policy on unofficial repos across all distros. Source: Xakep (Хакер) — Russian. No English-language coverage confirmed at time of publication.
📅 What to Watch
- If ShinyHunters publishes the Council of Europe dump this evening, the resulting phishing against European policy staff will be indistinguishable from real HR mail — and their willingness to follow through tells you whether the Council negotiated.
- If Microsoft issues a WinRE advisory referencing GreatXML, every organization relying on BitLocker for stolen-laptop protection needs to revisit recovery-key storage — disk encryption stops being a checkbox.
- If a third research team confirms the LiteLLM-style takeover against a different AI proxy, model gateways graduate from niche research to a standard pen-test target overnight.
- If the WebLogic KEV entry (CVE-2024-21182) gets a ransomware attribution this week, expect it to overlap with the same Oracle-focused infrastructure ShinyHunters is running against PeopleSoft — one campaign, multiple Oracle products.
- If major hosting providers start force-patching the LiteSpeed cPanel plugin or rebooting tenants, the long tail of "my small-business site got hacked but I never logged in" reports will trace back to this week.
The Closer
This week: a wearable that watches your heartbeat got robbed by a guy with a telephone, the Council of Europe's payroll department learned about zero-days the hard way, and somewhere a developer ran yay -S and quietly handed a kernel rootkit the keys to production. The AI gateway you bought to centralize and secure model access turned out to be the softest target in the building — which is the kind of irony that doesn't need a punchline, just a patch.
Stay paranoid. Patch the controller.
If you know someone still telling themselves "it's encrypted, so it's fine" — forward this. Gently.
⚡ EDGE Signals
The following signals appeared in the adversarial edge sweep but were not carried forward in the primary synthesis:
- Cisco quietly added a nasty detail on June 4 and updated it again through June 9: CVE-2026-20245, a local authenticated privilege-escalation flaw with a CVSS score of 7.8, is being exploited in June 2026, and Cisco says the attacker path can involve first abusing CVE-2026-20182 or CVE-2026-20127
- CISA's addition of Oracle WebLogic flaw CVE-2024-21182 to the Known Exploited Vulnerabilities catalog looked, at first glance, like routine hygiene around an old patch. It is not. The bug was fixed by Oracle in July 2024, carries a CVSS score of 7.5, and yet CISA moved in early June 2026 because it
- CERT-UA's Office zero-day warning still looks like the fastest public read on GRU tradecraft