June 19, 2026

Hidden in Plain Sight: Zero-Day Exploitation Meets Ransomware's New Cover

Executive Summary

This week's threat landscape was defined by aggressive zero-day exploitation and increasingly sophisticated ransomware tradecraft. CISA added five entries to its Known Exploited Vulnerabilities (KEV) catalog, covering Ivanti Sentry, Oracle PeopleSoft, the LiteSpeed cPanel plugin, Widget Factory's JCE extension for Joomla and Cisco Catalyst SD-WAN Manager, while active exploitation was also confirmed in the Gravity SMTP plugin for WordPress and in Jenkins core. Together they underscore how attackers continue to target both enterprise edge infrastructure and widely deployed web components.

The week's most significant development was the exploitation of Oracle PeopleSoft zero-day CVE-2026-35273, which Mandiant and GTIG say ShinyHunters (UNC6240) weaponized between May 27 and June 9, ahead of Oracle's June 10 security alert. The campaign primarily hit the education sector and led to the exposure of roughly 455,000 unique email addresses and associated personal data from the University of Nottingham; Cl0p has also been reported to be exploiting the same flaw. In parallel, Symantec detailed an evolution in DragonForce's ransomware operations: a custom backdoor that tunnels C2 traffic through Microsoft Teams TURN infrastructure, the first observed abuse of that service, alongside multiple BYOVD techniques and DLL sideloading used to evade defenses and enable credential theft and lateral movement after compromise.

Key points:

  • 5 vulnerabilities added to the CISA KEV catalog
  • Active exploitation detected in Jenkins core and the Gravity SMTP plugin for WordPress
  • Oracle zero-day CVE-2026-35273 exploited by ShinyHunters and Cl0p
  • DragonForce deploys Backdoor.Turn and BYOVD evasion techniques

What are the top trending or critical vulnerabilities observed this week?

Several high-impact vulnerabilities are trending across the security community and demand immediate attention and patch prioritization. Tracking these emerging and widely discussed threats gives organizations the context to make informed remediation decisions and strengthen their overall defense posture.

CVE-2026-4020 - Unauthenticated Sensitive Information Exposure vulnerability in Gravity SMTP plugin for WordPress

An unauthenticated sensitive information exposure vulnerability in the Gravity SMTP plugin for WordPress, affecting all versions up to and including 2.1.4, lets any unauthenticated visitor call the REST API endpoint /wp-json/gravitysmtp/v1/tests/mock-data, whose permission_callback unconditionally returns true. The root cause is that the plugin's register_connector_data() method populates internal connector data whenever the ?page=gravitysmtp-settings query parameter is appended, so the endpoint returns approximately 365 KB of JSON containing the full System Report: PHP version and loaded extensions, web server version, document root path, database server type and version, WordPress version, every active plugin with its version, the active theme, WordPress configuration details, database table names, and any API keys or tokens configured in the plugin. No authentication or user interaction is required. The flaw is being exploited at massive scale; the Wordfence firewall has blocked more than 17 million exploit attempts, showing widespread weaponization and opportunistic scanning for unpatched installations of this popular plugin. Because the response hands over API keys and tokens, database details and a complete map of the system, any site that exposed the endpoint while unpatched should treat those keys and tokens as compromised and rotate them: they give attackers a direct path to secondary attacks, privilege escalation and lateral movement into the underlying infrastructure.

CVE-2026-10520 - OS Command Injection vulnerability in Ivanti Sentry

An OS command injection vulnerability in Ivanti Sentry (formerly MobileIron Sentry) allows remote unauthenticated attackers to achieve root-level remote code execution on unmanaged appliances whose endpoints are externally reachable. Sentry is a secure gateway that brokers ActiveSync email traffic to Microsoft Exchange and controls mobile and device access to corporate resources, so a compromised appliance sits directly in the path to mailboxes, calendars and the enterprise applications it fronts. The vulnerability lies in the ConfigServiceController class of the Sentry web application and is reachable through an unauthenticated HTTP POST to /mics/api/v2/sentry/mics-config/handleMessage; the root cause is an API intended to accept internal configuration commands that instead accepts them from any party able to reach it over the internet, yielding root-level code execution with no authentication or user interaction. Ivanti Sentry 10.5.1, 10.6.1, 10.7.0 and earlier are affected; Ivanti released patched versions 10.5.2, 10.6.2 and 10.7.1 on 9 June 2026 and initially reported no known customer exploitation. Within 24 hours of watchTowr publishing its technical analysis and a Python proof of concept on 10 June 2026, the Shadowserver Foundation observed a large volume of exploitation attempts and identified 19 vulnerable instances in its scans, at least 2 of them already backdoored. CISA subsequently added CVE-2026-10520 to its KEV catalog, confirming active exploitation.

CVE-2026-20262 - Directory or Path Traversal vulnerability in Cisco Catalyst SD-WAN Manager

A directory traversal vulnerability in Cisco Catalyst SD-WAN Manager allowed authenticated remote attackers to create or overwrite any file on the filesystem of an affected system, a primitive that can be turned into root privilege escalation on the platform that centrally manages an enterprise's SD-WAN fabric. The flaw stemmed from inadequate validation of user-supplied input during file upload; an attacker holding valid credentials with write access could send crafted HTTP requests to the affected API endpoints and steer the resulting filesystem write, across on-premises, cloud and FedRAMP deployments alike. Affected releases were 20.9.9.1 and earlier, 20.12.7.1 and earlier, 20.15.4.4 and earlier, 20.15.5.2 and earlier, 20.18.3, and 26.1.1.1 and earlier, exposing a centralized management platform used by enterprises and government agencies to control large distributed networks. Cisco found the bug during internal security testing in June 2026 and confirmed limited exploitation in the wild; its indicators of compromise direct customers to audit /var/log/nms/vmanage-server.log for suspicious WAR file uploads (for example a malicious AnyConnect profile written to ../../../../var/lib/wildfly/standalone/deployments/suspicious.war) and to review JSP entries in the access logs for post-exploitation activity. Fixed releases are 20.9.9.2, 20.12.7.2, 20.15.4.5, 20.15.5.3, 20.18.3.1 and 26.1.1.2. CISA added CVE-2026-20262 to its KEV catalog, the eighth actively exploited Cisco SD-WAN vulnerability of 2026.
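The IoC path Cisco quotes shows how a traversal write works: the client supplies a file name, the server joins it to its upload directory, and the ../ segments walk the result out of that directory and into WildFly's deployments folder. The script below is an added example for this page, not Cisco code. It resolves the quoted traversal string the way a naive join would, then shows the containment check that a file-upload handler needs (resolve first, then verify the result is still under the root). UPLOAD_ROOT and the allowed extension list are assumed values, and the check runs on an already URL-decoded name.

```python
"""Resolve a client-supplied upload name and reject it if it leaves the upload root.

Added example for this page, not Cisco code. UPLOAD_ROOT and ALLOWED_SUFFIXES are
assumptions; IOC_NAME is the traversal string quoted in Cisco's indicators.
"""
import posixpath

UPLOAD_ROOT = "/opt/uploads/profiles"   # assumed location; not taken from the advisory
ALLOWED_SUFFIXES = (".xml",)            # assumed: profile uploads are XML, never .war

IOC_NAME = "../../../../var/lib/wildfly/standalone/deployments/suspicious.war"


def naive_target(root, name):
    """The path a server writes to when it simply joins root and the client name."""
    return posixpath.normpath(posixpath.join(root, name))


def check_upload_name(root, name, allowed_suffixes=ALLOWED_SUFFIXES):
    """Return (ok, resolved_path, reason).

    The check is made on the *resolved* path, so absolute names, '..' segments and
    names that collapse to the root itself are all caught. Callers must URL-decode
    the name first (so '%2e%2e' has become '..') and, on a real host, resolve
    symlinks under root before trusting the result.
    """
    root = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root, name))
    # Containment: the common prefix of root and the candidate must be root itself.
    if posixpath.commonpath([root, resolved]) != root:
        return False, resolved, "escapes upload root"
    if resolved == root:
        return False, resolved, "no file name"
    if not resolved.lower().endswith(allowed_suffixes):
        return False, resolved, "extension not allowed"
    return True, resolved, "ok"


def audit_names(root, names):
    """Given file names recovered from upload logs, return those that would leave root."""
    return [n for n in names if check_upload_name(root, n)[2] == "escapes upload root"]


if __name__ == "__main__":
    print("naive join writes to:", naive_target(UPLOAD_ROOT, IOC_NAME))
    for candidate in ("profile1.xml", IOC_NAME, "/etc/passwd", "drop.war"):
        print(candidate, "->", check_upload_name(UPLOAD_ROOT, candidate))
```

The naive join lands exactly on /var/lib/wildfly/standalone/deployments/suspicious.war, which is why the IoC looks the way it does; the same name fails the containment check before any write happens, and a name that stays inside the root but carries a .war extension is refused by the extension rule.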

CVE-2026-35273 - Missing Authentication for Critical Function vulnerability in Oracle PeopleSoft Enterprise PeopleTools

A missing authentication for critical function vulnerability in Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 allows unauthenticated remote attackers to execute arbitrary code on PeopleSoft deployments; no login or user interaction is needed, only an HTTP endpoint reachable over the network. The flaw sits in the Updates Environment Management component behind the Environment Management Hub (PSEMHUB). Attackers send crafted HTTP POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector, abusing server-side request forgery to bypass access controls, and use that access to coerce outbound SMB connections for NetNTLM hash capture, plant unauthorized .jsp web shells under PSEMHUB.war, and establish persistence through XMLDecoder payloads in .xml files under envmetadata/data/environment paths. In the intrusions Mandiant observed, the attackers deployed customized MeshCentral remote-management agents disguised as Microsoft Azure binaries that call back to command-and-control infrastructure at azurenetfiles.net, mapped the PeopleSoft deployment by reading psappsrv.cfg and the WebLogic config.xml, ran lateral-movement scripts that sprayed hardcoded SSH credentials against internal hosts, and exfiltrated stolen data compressed with zstd over outbound SSH connections to data-leak sites. Oracle published a security alert on 10 June 2026 with emergency mitigations that lock down the PSEMHUB endpoints from external access, and CISA added CVE-2026-35273 to its KEV catalog, confirming active exploitation of a foundational component used by large organizations and universities worldwide.

CVE-2026-48907 - Improper Access Control vulnerability in Widget Factory Joomla Content Editor

An improper access control vulnerability in Widget Factory's Joomla Content Editor (JCE) allowed attackers to upload and execute PHP code by creating new editor profiles without any authentication. The profile import function was reachable by anonymous visitors with no validation, so an unauthenticated POST to index.php?option=com_jce&task=profiles.import could create a rogue profile that re-enabled php and txt uploads with MIME validation disabled, leaving a persistent web shell behind. The vulnerability affected all JCE versions from 1.0.0 through 2.9.99.4 and was actively exploited in the wild: after public exploit code appeared on 9 June 2026, automated botnets compromised hundreds of Joomla sites, including Joomla's own infrastructure (extensions.joomla.org, community.joomla.org and certification.joomla.org). Widget Factory released JCE Pro 2.9.99.5 on 3 June 2026 and a hardening release, 2.9.99.6, on 6 June 2026, together with a free patch package for older 2.7.x, 2.8.x and 2.9.x installations that cannot update. CISA added CVE-2026-48907 to its KEV catalog in recognition of its severity and of active exploitation against the federal enterprise.
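Four of the flaws above are reached through a specific HTTP request that any web or reverse-proxy access log records: the Gravity SMTP mock-data route with its page parameter (CVE-2026-4020), the Ivanti Sentry handleMessage API (CVE-2026-10520), the PeopleSoft PSEMHUB and Integration Gateway listeners (CVE-2026-35273) and the JCE profile import task (CVE-2026-48907). One hunt therefore covers all of them. The script below is an added example written for this page, not code from any of the vendors or from Loginsoft. The rules encode only the paths, methods and parameters named in the write-ups; the sample log is constructed in combined log format with RFC 5737 documentation addresses; and the 100 KB body-size threshold used to judge whether the Gravity SMTP System Report was actually returned is an assumption derived from the roughly 365 KB response described above.

```python
"""Hunt combined-format web access logs for requests to this week's exploited endpoints.

Added example for this page (not vendor or Loginsoft code). Paths, methods and
query parameters come from the write-ups above; the sample log lines and the
Gravity SMTP body-size threshold are constructed/assumed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" format: src ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# (CVE, allowed methods or None for any, path suffix, required query params, min body bytes for "success")
RULES = [
    ("CVE-2026-4020", None, "/wp-json/gravitysmtp/v1/tests/mock-data",
     {"page": "gravitysmtp-settings"}, 100_000),  # ~365 KB System Report; threshold assumed
    ("CVE-2026-10520", {"POST"}, "/mics/api/v2/sentry/mics-config/handleMessage", {}, 0),
    ("CVE-2026-35273", {"POST"}, "/PSEMHUB/hub", {}, 0),
    ("CVE-2026-35273", {"POST"}, "/PSIGW/HttpListeningConnector", {}, 0),
    ("CVE-2026-48907", {"POST"}, "/index.php", {"option": "com_jce", "task": "profiles.import"}, 0),
]


def parse_line(line):
    """Split one access-log line into fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    url = urlsplit(e["target"])
    e["path"] = url.path
    e["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])
    return e


def match_rules(entry):
    """Return (cve, likely_success) for every rule the parsed entry satisfies."""
    hits = []
    for cve, methods, path, params, min_bytes in RULES:
        if methods is not None and entry["method"] not in methods:
            continue
        # Suffix match so applications mounted under a context path still match.
        if not entry["path"].endswith(path):
            continue
        if any(entry["query"].get(k) != v for k, v in params.items()):
            continue
        likely_success = 200 <= entry["status"] < 300 and entry["size"] >= min_bytes
        hits.append((cve, likely_success))
    return hits


def hunt(lines):
    """Scan log lines and return one finding per (line, rule) hit, in log order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        for cve, likely_success in match_rules(entry):
            findings.append({
                "cve": cve, "src": entry["src"], "time": entry["time"],
                "target": entry["target"], "status": entry["status"],
                "likely_success": likely_success,
            })
    return findings


# Constructed sample log (documentation addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2026:08:01:22 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373912 "-" "python-requests/2.32"
203.0.113.10 - - [12/Jun/2026:08:01:23 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "python-requests/2.32"
198.51.100.7 - - [12/Jun/2026:09:14:05 +0000] "POST /mics/api/v2/sentry/mics-config/handleMessage HTTP/1.1" 200 211 "-" "curl/8.5.0"
198.51.100.7 - - [12/Jun/2026:09:14:40 +0000] "POST /index.php?option=com_jce&task=profiles.import HTTP/1.1" 303 0 "-" "curl/8.5.0"
192.0.2.55 - - [12/Jun/2026:10:00:00 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1802 "-" "Java/1.8.0_381"
192.0.2.56 - - [12/Jun/2026:10:00:02 +0000] "GET /index.php?option=com_jce&task=profiles.import HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run it over a real log with hunt(open("/var/log/nginx/access.log")). A hit is actionable regardless of likely_success: that flag only reflects a 2xx status and body size, and an endpoint that redirects after a successful write (the JCE import in the sample returns 303) will show as False. Use it to prioritise, not to dismiss, and remember that WordPress can also serve REST routes through ?rest_route=, which this rule set does not cover.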

CVE-2026-53435 - Deserialization vulnerability in Jenkins core

A deserialization vulnerability in Jenkins core allows an attacker who holds Overall/Read permission together with a non-anonymous account, or any permission that allows POSTing config.xml (Item/Configure, View/Configure or Agent/Configure), to make Jenkins deserialize arbitrary types from an attacker-controlled config.xml submission. The outcome ranges from user impersonation and arbitrary file reads to remote code execution through the Script Console, on CI/CD controllers that hold credentials and deployment access. The root cause is that Jenkins' custom deserialization filter (JEP-200) did not properly restrict types in 2.567 and earlier and LTS 2.555.2 and earlier, so an attacker could instantiate arbitrary Jenkins core or plugin types that subsequently handle HTTP requests, compromising the controller and turning it into a launch point for software supply-chain attacks. Researchers at Defused observed exploitation attempts from 11 June 2026, within hours of the Jenkins advisory of 10 June 2026; no specific threat group has been attributed, which points to opportunistic actors scanning for internet-facing controllers and weaponizing the config.xml deserialization path. Jenkins released 2.568 and LTS 2.555.3, which restrict deserialization to the expected types. The issue was reported through the Jenkins Bug Bounty Program sponsored by the European Commission, a measure of how widely deployed this open-source automation server is.

CVE-2026-54420 - UNIX Symbolic Link (Symlink) Following vulnerability in LiteSpeed cPanel Plugin

A UNIX symbolic link (symlink) following privilege-escalation vulnerability in the LiteSpeed cPanel plugin allowed users with FTP or web shell access on shared hosting servers running CloudLinux/CageFS to escape filesystem isolation and escalate to root, taking full control of the host and every tenant site on it. The plugin mishandled symlinks supplied by low-privileged users; by chaining specific internal cPanel API calls in unintended ways and planting malicious symlinks, an attacker could break through the CageFS isolation boundaries that multi-tenant shared hosting depends on for customer separation. All plugin versions before 2.4.8 were affected, and the flaw was exploited in the wild as early as May 2026, with evidence of real-world compromise across shared hosting providers relying on CloudLinux for tenant segmentation. LiteSpeed Technologies released 2.4.8 (bundled with WHM PlugIn v5.3.2.1) on 1 June 2026. Administrators can look for exploitation by searching cPanel logs for paired generateEcCert and packageUserSize API calls for the same user, a sequence that legitimate UI flows do not chain together. CISA added CVE-2026-54420 to its KEV catalog, confirming active exploitation and the acute risk to shared hosting, where a single low-privileged account can compromise the entire server and all hosted customers.
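The detection LiteSpeed describes is a correlation, not a single grep: two API calls that are each benign on their own become suspicious when the same account makes both. The script below, an added example for this page and not LiteSpeed or cPanel code, replays log events in time order and reports every user for whom generateEcCert and packageUserSize appear together, in either order. The log format it parses (ISO timestamp, account name, API call) is constructed for the example, so LINE_RE must be pointed at the fields of your actual cPanel log; the 10-minute pairing window is an assumption, and window=None pairs the calls at any distance, which matches the article's statement that legitimate flows never chain them at all.

```python
"""Pair generateEcCert and packageUserSize calls per cPanel account.

Added example for this page, not LiteSpeed or cPanel code. The line format
and the sample log are constructed; WINDOW is an assumed pairing distance.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PAIR = ("generateEcCert", "packageUserSize")
WINDOW = timedelta(minutes=10)   # assumed; use window=None for "ever"

# Constructed format: "<ISO timestamp> <account> <api_call> ..."; adapt to the real log.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<api>\w+)")


def parse_line(line):
    """Return (timestamp, user, api) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["user"], m["api"]


def find_pairs(lines, window=WINDOW):
    """Return [(user, earlier_ts, later_ts)] for each user who made both calls.

    Events are sorted by time and replayed. For each call of interest, earlier
    calls of the *other* name by the same user are looked up, so the two calls
    may appear in either order in the log.
    """
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    seen = defaultdict(list)   # (user, api) -> [timestamps already replayed]
    findings = []
    for ts, user, api in events:
        if api not in PAIR:
            continue
        other = PAIR[1] if api == PAIR[0] else PAIR[0]
        for prev in seen[(user, other)]:
            if window is None or ts - prev <= window:
                findings.append((user, prev, ts))
        seen[(user, api)].append(ts)
    return findings


# Constructed sample log: acme pairs the calls seconds apart, bob more than an
# hour apart, carol makes only one of them, dave pairs them in reverse order.
SAMPLE_LOG = """\
2026-06-03T02:11:04 acme generateEcCert
2026-06-03T02:11:09 acme packageUserSize
2026-06-03T02:40:00 bob generateEcCert
2026-06-03T03:55:12 bob packageUserSize
2026-06-03T04:00:00 carol packageUserSize
2026-06-03T04:00:01 carol listPackages
2026-06-03T04:05:00 dave packageUserSize
2026-06-03T04:05:30 dave generateEcCert
"""

if __name__ == "__main__":
    for user, first, second in find_pairs(SAMPLE_LOG.splitlines()):
        print(f"{user}: {first.isoformat()} -> {second.isoformat()}")
```

Feed it a real file with find_pairs(open(path)). Every account it reports should be checked for symlinks created under its home and for the plugin version on the host; the pairing is evidence of the exploit chain, not proof of a successful root escalation.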

What did Cytellite sensors detect this week?

Cytellite telemetry captured active exploit attempts and mass scanning campaigns against exposed services globally. The data highlights which vulnerabilities are under attack and provides source IPs and payloads to authorized teams for detailed threat analysis and validation.

CVE | Product | Severity | Title | Exploited in the wild | CISA KEV
CVE-2026-27944 | Nginx UI | Critical | Missing Authentication for Critical Function vulnerability in Nginx UI | No | False
CVE-2025-57819 | Sangoma FreePBX | Critical | Authentication Bypass vulnerability in Sangoma FreePBX | Yes | True
CVE-2025-3248 | Langflow | Critical | Missing Authentication for Critical Function vulnerability in Langflow | Yes | True
CVE-2025-31324 | SAP NetWeaver Visual Composer Metadata Uploader | Critical | Unrestricted Upload of File with Dangerous Type vulnerability in SAP NetWeaver Visual Composer Metadata Uploader | Yes | True
CVE-2025-26399 | SolarWinds Web Help Desk | Critical | Deserialization of Untrusted Data vulnerability in SolarWinds Web Help Desk | No | True
CVE-2025-22457 | Ivanti Connect Secure, Policy Secure and ZTA Gateways | Critical | Stack-based Buffer Overflow vulnerability in Ivanti Connect Secure, Policy Secure and ZTA Gateways leading to remote code execution | Yes | True
CVE-2024-47176 | CUPS | Medium | Improper Input Validation vulnerability in OpenPrinting cups-browsed through 2.0.1 leading to remote code execution | Yes | False
CVE-2024-4577 | PHP CGI | Critical | OS Command Injection vulnerability in PHP CGI leading to remote code execution | Yes | True
CVE-2024-3400 | Palo Alto Networks PAN-OS | Critical | Command Injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS | Yes | True
CVE-2024-27348 | Apache HugeGraph-Server | Critical | Improper Access Control vulnerability in Apache HugeGraph-Server | Yes | True

Which vulnerabilities were abused by malware this week?

Active malware campaigns exploited specific vulnerabilities to deliver payloads and carry out post-exploitation actions. Each targeted vulnerability is proactively monitored, manually analysed, and mapped to MITRE ATT&CK tactics and techniques. Insights are derived from the LOVI vulnerability intelligence platform, which aggregates and curates data from multiple sources, OSINT groups, blogs, and data leak sites.

Oracle Zero-Day CVE-2026-35273 Exploited by ShinyHunters and Cl0p

According to Google's Mandiant and Google Threat Intelligence Group (GTIG), CVE-2026-35273 was exploited as a zero-day by the extortion group ShinyHunters (UNC6240) between May 27 and June 9, 2026, before Oracle published its security alert on June 10. The campaign primarily targeted the education sector: Mandiant notified more than 100 organizations, and 68 percent of the exposed endpoints belonged to higher-education institutions, predominantly in the United States. Several organizations were compromised and had stolen data published on the ShinyHunters data leak site. The University of Nottingham was among the first confirmed victims, with approximately 455,000 unique email addresses exposed; the leaked dataset also contained names, addresses, phone numbers, passport numbers, and details of ethnicity and disabilities for current students and alumni. According to Rescana, CVE-2026-35273 is also being exploited by the Cl0p ransomware group, an actor previously associated with large-scale zero-day exploitation campaigns against enterprise platforms such as MOVEit, Accellion, and SolarWinds.

DragonForce Deploys Backdoor.Turn and BYOVD Evasion Techniques

According to Symantec, the DragonForce ransomware group used the custom malware Backdoor.Turn to tunnel command-and-control traffic through Microsoft Teams TURN infrastructure, the first known abuse of that service in the wild. The intrusion, first observed in December 2025, likely began with the exploitation of a vulnerable Microsoft SQL Server instance and used DLL sideloading to run malicious code for reconnaissance, persistence and defense evasion. The attackers employed several BYOVD techniques built on vulnerable drivers: Topaz Antifraud's wsftprm.sys (CVE-2023-52271), Tower of Fantasy's GameDriverx64.sys (CVE-2025-61155) and K7 Security's K7RKScan.sys (CVE-2025-1055), together with the novel abuse of Huawei's HWAuidoOs2Ec.sys driver. They also used the custom ABYSSWORKER driver to disable security tools, created additional user accounts, modified Windows authentication settings and altered firewall configuration to maintain access. Backdoor.Turn, deployed after the ransomware payload, provided command execution, network scanning, Active Directory reconnaissance, credential theft and lateral movement, underlining DragonForce's post-compromise persistence capabilities.

CVE | Severity | Title | Patch | Abused by malware | OSS
CVE-2026-35273 | Critical | Missing Authentication for Critical Function vulnerability in Oracle PeopleSoft Enterprise PeopleTools | Yes | Cl0p Ransomware, ShinyHunters | False
CVE-2025-1055 | Medium | Missing Authorization vulnerability in K7RKScan.sys driver | No | DragonForce Ransomware, Backdoor.Turn RAT | False
CVE-2025-61155 | Medium | Access Control vulnerability in Hotta Studio GameDriverX64.sys kernel-mode anti-cheat driver | No | DragonForce Ransomware | False
CVE-2023-52271 | Medium | Improper Address Validation vulnerability in Topaz Antifraud via IOCTL | Yes | DragonForce Ransomware | False

What were the most trending OSS vulnerabilities this week?

Open-Source Software (OSS) vulnerabilities are security weaknesses discovered in publicly available codebases that can be exploited across widely used libraries, frameworks, and tools, often impacting thousands of downstream applications.

CVE-ID | Title | Ecosystem
CVE-2026-34486 | Missing Encryption of Sensitive Data vulnerability in Apache Tomcat | Maven
CVE-2026-45695 | RCE via SSH ProxyCommand Injection | Go
CVE-2026-48712 | Denial of Service vulnerability in protobufjs | npm
CVE-2026-48519 | Unauthenticated RCE in Shareable Playgrounds | PyPI
CVE-2026-48062 | CodeIgniter4 has a validation bypass when uploading file extensions via ext_in rule | Packagist

Were any PRE-NVD vulnerabilities identified this week?

PRE-NVD vulnerabilities refer to security flaws that are discovered, discussed, or even exploited in the wild before their official inclusion in the National Vulnerability Database (NVD). These early-stage vulnerabilities often emerge through threat actor chatter, exploit proof-of-concepts, and technical disclosures shared across social media platforms and underground forums, signaling potential exploitation risks before public awareness.

CVE-ID | Type of vulnerability | Product
CVE-2026-8646 | HTTP Request Smuggling | IBM WebSphere Application Server and WebSphere Application Server Liberty
CVE-2026-12263 | Authentication Bypass | Password Manager Pro and PAM360
CVE-2026-46733 | Improper Access Control | Dell Display and Peripheral Manager
CVE-2026-48712 | Denial of Service | protobufjs
CVE-2026-49050 | Privilege Escalation | Apache DolphinScheduler
CVE-2026-55810 | PHP object injection | Plotly.js

Conclusion

This week's findings show adversaries rapidly weaponizing new vulnerabilities and abusing trusted infrastructure for maximum impact - from ShinyHunters and Cl0p exploiting the Oracle zero-day for mass data theft, to DragonForce's novel abuse of Microsoft Teams infrastructure and BYOVD techniques for stealthy persistence. The speed of exploitation, often ahead of official advisories, underscores the need for continuous visibility into emerging threats and adversary tradecraft. Platforms such as Loginsoft Vulnerability Intelligence (LOVI) help security teams stay ahead by delivering actionable, timely intelligence on exploited vulnerabilities and threat campaigns before they can be operationalized against their environments.

FAQs

1) What is Ivanti Sentry?

Ivanti Sentry, formerly known as MobileIron Sentry, is a security gateway appliance that secures traffic between back-end corporate systems and remote mobile devices. It's commonly deployed at the network edge to broker access between mobile devices and resources like Microsoft Exchange.

2) What is Jenkins Core?

Jenkins Core is the central engine of the Jenkins automation server, the foundational software that provides the build and job scheduling, plugin architecture, web UI, and APIs on which the broader Jenkins ecosystem (plugins, pipelines, integrations) is built. It is widely used by development teams for CI/CD, automating the building, testing, and deployment of software, which also makes it a high-value target when vulnerabilities are actively exploited, as flagged this week.

3) Does inclusion in the CISA KEV catalog mean exploitation is widespread?

Not necessarily widespread - but confirmed. KEV inclusion indicates verified in-the-wild exploitation. While the scale may vary, the operational reality is that threat actors possess working exploits, making patch prioritization urgent regardless of observed targeting volume.

4) How does LOVI help organizations manage vulnerabilities effectively?

Loginsoft Vulnerability Intelligence empowers you to efficiently prioritize and respond to potential vulnerabilities by focusing on those actively exploited in the wild. LOVI correlates vulnerability data with real-world threat activity to reduce noise and improve decision-making. This approach enables faster remediation and stronger security posture.

5) What is Cytellite?

Cytellite is a Loginsoft security intelligence platform that provides real-time visibility into emerging threats through a global sensor network. It delivers actionable IP intelligence to help organizations detect, analyze, and respond to attacks quickly. By correlating threat data with live activity, Cytellite strengthens resilience across dynamic threat landscapes.
