Palo Alto Exploited, Chrome Zero-Day Patched, and Three Critical CVEs
TL;DR - Ransomware actors are exploiting the Windows BlueHammer flaw, and attackers are abusing Oracle and SimpleHelp weaknesses in the wild. - AWS, Gorse, Coolify, and a WordPress plugin also have critical issues requiring review. - Prioritize exposed internet-facing apps, patch now, and hunt for signs of credential and data theft.
Top Stories
BlueHammer exploitation has moved into ransomware playbooks
CISA says the Windows “BlueHammer” flaw is now being exploited by ransomware gangs, raising the urgency for defenders who may have treated this as a narrower privilege escalation issue. According to BleepingComputer, the bug affects Microsoft Defender and had already seen zero-day abuse before being tied to ransomware operations (source).
Why this matters:
Privilege escalation bugs become much more dangerous once they are folded into commodity ransomware tradecraft. Even if initial access comes from phishing, RMM abuse, or exposed services, local elevation can help operators disable defenses, dump credentials, and move laterally.
What to do now: - Validate patch status for all affected Windows endpoints and servers. - Review EDR alerts for Defender tampering, suspicious service changes, and privilege escalation events. - Hunt for ransomware precursors on hosts missing recent updates.
Oracle-linked PeopleSoft breaches continue to spread
Nissan disclosed an employee data breach tied to attacks exploiting an Oracle PeopleSoft vulnerability, with current and former employee data reportedly affected (source). In a separate case, NAIC said attackers linked to ShinyHunters accessed only public data, outdated logs, and configuration files after exploiting a PeopleSoft zero-day (source).
Why this matters:
Even when an organization reports limited impact, repeated exploitation across multiple victims is a sign that internet-facing ERP and HR platforms are being actively targeted for extortion and data theft.
What to do now: - Identify all exposed PeopleSoft instances and restrict access where possible. - Rotate credentials stored in configuration files or historical logs. - Review web access logs, reverse proxy logs, and database activity for anomalous exports. - Prepare employee and regulator notification workflows if HR or payroll systems are involved.
Apple says it is accelerating updates amid AI-related security concerns
Reuters reports Apple is releasing updates earlier in response to AI cybersecurity concerns (source).
Why this matters:
Faster vendor release cycles compress defender testing windows. Organizations managing Apple fleets should expect less lead time between disclosure and deployment expectations.
What to do now: - Tighten mobile device management update SLAs. - Separate emergency patch workflows from standard monthly maintenance. - Track exceptions for unmanaged BYOD Apple devices.
WhatsApp privacy and threat activity both made news
WhatsApp is rolling out usernames so users can avoid exposing phone numbers to non-contacts (source). Separately, the U.S. State Department is offering up to $10 million for information on actors targeting WhatsApp and Signal users, including UNC5792 and UNC4221 (source).
Why this matters:
Secure messaging remains a prime target for surveillance and credential theft. Privacy features help, but they do not replace device hardening and phishing resistance.
What to do now: - Encourage staff in sensitive roles to enable all app privacy protections. - Enforce strong mobile device security baselines. - Educate users about registration hijacking, OTP theft, and malicious support scams.
SimpleHelp exploitation is leading to cross-platform infostealer deployment
Attackers are exploiting SimpleHelp flaw CVE-2026-48558 to deploy Djinn Stealer, targeting Windows, macOS, and Linux systems (source).
Why this matters:
Remote support tools are high-value targets because they often bridge MSP environments and customer networks. A compromise can yield credentials, session tokens, and direct remote control.
What to do now: - Patch or take vulnerable SimpleHelp servers offline. - Review remote support sessions and admin logins for unusual source IPs. - Reset credentials and revoke tokens if compromise is suspected.
Oracle E-Business Suite flaw is now under active exploitation
Attackers are exploiting CVE-2026-46817 in Oracle E-Business Suite, according to reporting from BleepingComputer citing threat intelligence research (source).
Why this matters:
EBS often sits close to financial processes and sensitive enterprise data. Active exploitation means patching delays directly increase business risk.
What to do now: - Prioritize external-facing EBS systems. - Limit access through VPN, allowlists, or reverse proxy protections where practical. - Inspect for unusual application requests, admin changes, and outbound data movement.
Critical Vulnerabilities
CVE-2026-57331: Paid Videochat Turnkey Site arbitrary file deletion
- CVSS: 9.9
- Affected: Paid Videochat Turnkey Site plugin versions up to 7.4.8
- Risk: Arbitrary file deletion could lead to denial of service or follow-on compromise depending on deployment and file permissions.
- Reference: Patchstack advisory (source)
Defender takeaway:
If this plugin is present on any internet-facing WordPress instance, treat it as urgent. SMBs and agencies running many WordPress properties should inventory immediately.
CVE-2026-56782: Gorse unauthenticated dump and restore
- CVSS: 9.8
- Affected: Gorse before 0.5.10
- Risk: If
admin_api_keyis empty, unauthenticated attackers can dump or overwrite the entire database via/api/dumpand/api/restore. - References: GitHub commit (source), issue (source), PR (source), VulnCheck advisory (source)
Defender takeaway:
Default or empty administrative secrets remain a recurring failure mode. Any recommender or analytics service exposing APIs should be reviewed for internet exposure and weak defaults.
CVE-2026-13762: AWS CloudFront with AWS WAF HTTP/2 body inspection bypass
- CVSS: 9.8
- Affected: Amazon CloudFront with AWS WAF enabled
- Risk: Crafted HTTP/2 requests may fragment request bodies in a way that causes only partial inspection.
- Reference: AWS bulletin (source)
Defender takeaway:
AWS says this issue was remediated server-side and no customer action is required. Still, defenders should validate logging, review blocked-versus-allowed request patterns, and confirm assumptions around WAF coverage.
CVE-2026-13763: AWS ALB with AWS WAF HTTP/2 body inspection bypass
- CVSS: 9.8
- Affected: AWS Application Load Balancer with AWS WAF enabled, specifically HTTP/2 target groups
- Risk: Crafted HTTP/2 requests may bypass managed rule body inspection.
- References: AWS bulletin (source), AWS remediation guidance (source)
Defender takeaway:
This one does require customer action. If you use ALB plus AWS WAF, verify target group settings immediately.
CVE-2026-57498: Coolify cross-team resource deployment
- CVSS: 9.6
- Affected: Coolify before 4.0.0-beta.474
- Risk: Insufficient ownership validation in Livewire UI components can allow cross-team resource deployment.
- Reference: GitHub advisory (source)
Defender takeaway:
Multi-tenant admin panels deserve the same scrutiny as public apps. Even internal platform tooling can become a boundary-break risk.
What Defenders Should Do Today
1. Patch based on exploit status, not just CVSS
The highest operational priorities today are: 1. BlueHammer systems under active ransomware exploitation. 2. Oracle PeopleSoft and Oracle EBS systems with active attack reporting. 3. SimpleHelp deployments vulnerable to CVE-2026-48558. 4. Internet-facing Gorse, WordPress, and Coolify instances. 5. AWS ALB deployments affected by CVE-2026-13763.
A practical prioritization model: - Priority 1: Internet-facing and actively exploited - Priority 2: Internet-facing and critical severity - Priority 3: Internal-only but high privilege or sensitive data exposure - Priority 4: Lab, dev, or low-value systems with compensating controls
2. Restrict exposure for enterprise apps and remote access tools
If patching cannot happen immediately: - Put administrative interfaces behind VPN or identity-aware proxy. - Apply IP allowlists to support tools and ERP portals. - Disable unused modules and public access paths. - Increase log retention on web gateways and reverse proxies.
3. Hunt for post-exploitation activity
Focus on: - New privileged accounts - Unexpected archive creation - Database export activity - Suspicious support tool sessions - Webshell-like request patterns - Credential dumping or token theft activity
Technical Notes
Example: find publicly exposed WordPress, SimpleHelp, or custom app endpoints
# Replace with your asset list or DNS scope
cat assets.txt | while read host; do
for path in /wp-login.php /wp-admin/ /api/dump /api/restore /; do
curl -sk --max-time 5 "https://$host$path" -o /dev/null -w "$host $path %{http_code}\n"
done
done
Example: search reverse proxy logs for suspicious dump/restore access
grep -E '"/api/(dump|restore)' /var/log/nginx/access.log*
Example log patterns worth reviewing
POST /api/dump
POST /api/restore
HTTP/2.0
/wp-admin/admin-ajax.php
/simplehelp/
peopleSoft
E-Business
4. Validate AWS ALB mitigation for HTTP/2 inspection
For CVE-2026-13763, AWS advises enabling the Inspect after sufficient data target group configuration for ALB deployments using AWS WAF and HTTP/2 target groups (source).
Operational check: - Identify ALBs fronting sensitive apps. - Confirm which target groups handle HTTP/2 traffic. - Validate the target group attribute has been updated. - Re-test WAF detections against request body rules after the change.
Technical Notes
AWS CLI inventory example
aws elbv2 describe-load-balancers \
--query 'LoadBalancers[].{Name:LoadBalancerName,DNS:DNSName,Arn:LoadBalancerArn}' \
--output table
aws elbv2 describe-target-groups \
--query 'TargetGroups[].{Name:TargetGroupName,Arn:TargetGroupArn,Protocol:Protocol,Port:Port}' \
--output table
WAF verification approach
# Review WAF web ACL associations
aws wafv2 list-web-acls --scope REGIONAL
aws wafv2 list-web-acls --scope CLOUDFRONT
5. Treat HR, finance, and collaboration data as breach-sensitive
The Nissan and NAIC cases reinforce that back-office platforms remain valuable targets. Even when attackers claim limited access, defenders should assume: - configuration files may reveal secrets, - logs may expose usernames, tokens, or internal paths, - old exports may still contain regulated data.
Immediate steps: - Rotate secrets found in app config directories. - Invalidate stale API keys. - Review service account use from the affected timeframe. - Notify legal, HR, and privacy teams early.
So What for SMBs and Lean IT Teams
If you do not have a dedicated SOC, keep today’s response simple:
- Patch anything internet-facing that matches the affected technologies.
- Take remote support tools and admin panels off the public internet if possible.
- Ask your MSP or hosting provider whether any client portals, WordPress plugins, or ERP apps match the reported issues.
- Enable MFA everywhere it is available.
- Save logs now before attackers rotate or delete them.
Closing Assessment
Today’s cybersecurity threats in June 2026 show a familiar pattern: attackers are focusing on systems that deliver leverage quickly, such as endpoint security products, remote support tools, ERP applications, and edge services. The practical response is not complicated: patch exposed systems, reduce public access, validate cloud security controls, and hunt for signs of data staging and privilege escalation.
If you need one priority list for the day, make it this: 1. BlueHammer-exposed Windows systems 2. Oracle PeopleSoft and Oracle EBS 3. SimpleHelp 4. AWS ALB plus WAF HTTP/2 configurations 5. Gorse, Coolify, and affected WordPress plugin deployments
This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.