Microsoft June 2026 Patch Tuesday Fixes 6 Zero-Days, 200 Flaws
Microsoft’s June 2026 Patch Tuesday addressed a staggering 200 vulnerabilities, including five publicly disclosed zero-days and one being actively exploited in the wild. Among the most severe is CVE-2026-45657, a wormable Windows Kernel RCE rated CVSS 9.8 that allows remote, unauthenticated attackers to execute code at SYSTEM level with no user interaction required. Also notable is CVE-2026-49160, dubbed “HTTP/2 Bomb,” a denial-of-service flaw that lets attackers send tiny payloads to force servers into allocating disproportionately large amounts of memory — affecting NGINX, Apache, IIS, Envoy, and Cloudflare infrastructure. With 33 critical vulnerabilities patched this cycle, security teams should prioritize deployment of this update immediately.
ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
The ShinyHunters extortion group exploited a critical, unauthenticated remote code execution flaw in Oracle PeopleSoft — CVE-2026-35273, rated CVSS 9.8 — as a zero-day before Oracle published its advisory on June 10. Google’s Mandiant tracked the campaign between May 27 and June 9, attributing it to a group designated UNC6240, with 68% of more than 100 compromised organizations falling in the higher education sector, predominantly in the US. The University of Nottingham has confirmed a breach resulting in roughly 455,000 unique email addresses being leaked, including names, addresses, passport numbers, and disability records. The attackers used MeshCentral remote-management agents disguised as Microsoft Azure binaries and spread laterally using SSH credential spraying; Oracle’s immediate mitigation guidance is to disable or restrict access to the PSEMHUB and PSIGW endpoints.
Hackers Exploit Langflow Vulnerability for Remote Code Execution
Threat actors have begun actively exploiting CVE-2026-5027 (CVSS 8.8), a path traversal vulnerability in Langflow — the popular open-source, low-code platform for building AI agents and RAG workflows — to achieve unauthenticated remote code execution on exposed servers. The flaw exists in the POST /api/v2/files endpoint, which fails to sanitize the filename parameter in multipart form data, allowing attackers to write files to arbitrary locations via path traversal sequences. Because Langflow enables unauthenticated auto-login by default, attackers need only a single request to obtain a valid session token before chaining into the exploit. Approximately 7,000 Langflow instances are publicly accessible on the internet; a fix was included in version 1.9.0 released April 15, and users should upgrade to at least version 1.10.0 immediately.
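The class of defect described above, shown from the defender's side as an added example (this is not Langflow's code or its actual patch): an upload handler that validates an untrusted multipart filename before writing. The function name, the allowlist policy and the sample filenames are assumptions made for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed policy: one path component, starts alphanumeric, no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")

class UnsafeFilename(ValueError):
    """The client-supplied filename is not allowed or escapes the upload root."""

def resolve_upload_path(upload_root, client_filename):
    """Return the on-disk path for an untrusted multipart filename, or raise."""
    # 1. Allowlist: rejects "../", "..\\", absolute paths, NUL bytes and dotfiles.
    if not SAFE_NAME.fullmatch(client_filename or ""):
        raise UnsafeFilename(f"rejected by allowlist: {client_filename!r}")
    # 2. Containment: after resolving symlinks, the file must sit directly in
    #    the upload root. Catches a pre-planted symlink with a benign name.
    root = Path(upload_root).resolve()
    candidate = (root / client_filename).resolve()
    if candidate.parent != root:
        raise UnsafeFilename(f"resolves outside upload root: {client_filename!r}")
    return candidate

# Constructed sample filenames, as they might arrive in a multipart part.
SAMPLES = ["report.pdf", "../../etc/cron.d/job", "..\\..\\app\\main.py",
           "/etc/passwd", "notes\x00.txt", "..", "link.txt"]

def demo():
    """Run every sample against a throwaway upload root; return name -> verdict."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as other:
        # "link.txt" is a symlink inside the root that points outside it.
        os.symlink(os.path.join(other, "target"), os.path.join(root, "link.txt"))
        verdicts = {}
        for name in SAMPLES:
            try:
                resolve_upload_path(root, name)
                verdicts[name] = "accepted"
            except UnsafeFilename:
                verdicts[name] = "rejected"
        return verdicts

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:9} {name!r}")
```

The containment check matters even with the allowlist in place, because a name that passes the pattern can still be a symlink that resolves outside the upload directory.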
Authorities Dismantle Crypto Laundering Service That Moved €336 Million for Cybercriminals
An 11-nation law enforcement operation coordinated by Europol dismantled AudiA6, a cryptocurrency mixing service that laundered more than €336 million (~$389 million) in illicit proceeds for ransomware gangs and cybercriminals since its launch in 2021. The service marketed itself as a fast, anonymous cryptocurrency mixer, guaranteeing cleaned funds within an hour and charging commissions of 3–10%, and was linked to at least 15 international investigations including the dark web cybercrime forum Dark2Web. On June 10, two alleged administrators of Ukrainian and Russian nationality were arrested in Georgia, with 30-plus servers seized, 25 domains taken down, over 80 vehicles confiscated, and approximately €692,000 in cryptocurrency frozen. The investigation — led by the US Secret Service, IRS Criminal Investigation, and Polish Police — was built in part on intelligence gathered from a Ukrainian suspect arrested in September 2025.
ServiceNow Tells Customers a Bug Left Some of Their Data Exposed to the Internet
ServiceNow patched a security bug on June 5 after discovering that an unauthenticated API endpoint — specifically /api/now/related_list_edit/create, configured with requires_authentication=false — had allowed anyone on the internet to query data from enterprise customer instances without credentials. The flaw was first reported via a bug bounty submission on April 22, and anomalous activity was detected in customer instances on June 2–3, with the company applying a fix three days later. While ServiceNow has characterized the activity as stemming from security researcher testing and says no data was retained or misused, affected customers beyond the initially scoped Australian platform instances have reported evidence of external access in their logs, with defenders sharing a suspected attacker IP of 51.159.98.241 as an indicator of compromise to investigate. The incident underscores the risk posed by misconfigured API endpoints in enterprise SaaS platforms that serve as connective tissue to sensitive HR, IT, and credential-containing systems.