# Today's Top Stories

Microsoft's June 2026 Patch Tuesday set a record with 206 CVEs patched, including 39 Critical and 167 Important severity issues spanning 63 privilege escalation, 56 RCE, and 27 spoofing flaws. Three zero-days were publicly disclosed prior to patching, with at least one actively exploited. Microsoft's security leadership has attributed the surge in vulnerability volume to AI-accelerated discovery tooling.

Microsoft's June 2026 Patch Tuesday addressed 200 flaws including five publicly disclosed zero-days and one actively exploited vulnerability. The release includes fixes for the YellowKey, GreenPlasma, and MiniPlasma zero-days that granted SYSTEM privileges or BitLocker drive access on fully patched Windows systems. Security teams should prioritize immediate deployment given the active exploitation status of at least one flaw.

Microsoft patched three named zero-days — YellowKey, GreenPlasma, and MiniPlasma — in June 2026 Patch Tuesday, where YellowKey and GreenPlasma enable SYSTEM privilege escalation on fully patched Windows, and MiniPlasma grants unauthorized access to BitLocker-protected drives. These were publicly disclosed before patches were available, increasing exploitation risk. Administrators should treat these as priority deployments given the pre-patch disclosure window.

Anonymous researcher Nightmare-Eclipse (also known as Chaotic Eclipse, now operating as 'MSNightmare' on GitHub) released a PoC exploit called RoguePlanet targeting a race condition in Microsoft Defender that achieves SYSTEM-level privilege escalation on fully updated Windows systems. The researcher reports achieving 100% success rate on tested systems despite the race condition nature of the exploit. This continues an ongoing public feud with Microsoft, with multiple Defender zero-days dropped in succession.

ShinyHunters extortion gang has compromised Oracle PeopleSoft servers across more than 100 organizations in an ongoing data theft campaign. The attacks specifically target PeopleSoft deployments, and ShinyHunters is leveraging stolen data for extortion. Organizations running Oracle PeopleSoft should audit external exposure and review access logs for indicators of compromise immediately.

Krebs on Security investigates 'The Gentlemen,' a ransomware group that has rapidly become the second most active by victim count, operating an affiliate model offering 90% ransom splits to attract high-skill hackers. The analysis includes OSINT-derived clues pointing toward the identity of the group's administrator. Security teams tracking ransomware affiliates should add The Gentlemen to active threat monitoring given their accelerating victim count.

CVE-2026-5027 (CVSS 8.8), a path traversal vulnerability in Langflow — the open-source low-code AI application development platform — is under active exploitation in the wild, confirmed by VulnCheck. The flaw allows unauthenticated attackers to write files to arbitrary locations via the 'POST /' endpoint, enabling effective RCE on exposed servers. No patch was available at time of active exploitation, making immediate exposure reduction critical for organizations running Langflow.

Microsoft patched an actively exploited Exchange Server zero-day enabling arbitrary JavaScript execution via cross-site scripting (XSS) in Outlook Web Access, allowing attackers to target OWA users in hybrid or on-premises Exchange deployments. The flaw was under active attack at patch time, making it a critical priority for organizations still running on-premises or hybrid Exchange. The Ghost-Sender technique separately allows spoofing of any email address via Exchange Online in hybrid configurations.

Fortinet, Ivanti, and SAP released coordinated security updates addressing multiple critical vulnerabilities, including CVE-2026-25089 (CVSS 9.1) — a command injection flaw in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI enabling RCE. Ivanti's patches include a maximum-severity flaw in Sentry secure mobile gateway allowing root-level code execution by unauthenticated remote attackers. SAP's June 2026 package covers 15 vulnerabilities including four critical flaws in NetWeaver and Commerce Cloud.

The China-linked JDY botnet has expanded to over 1,500 compromised SOHO and IoT devices and is now actively targeting U.S. military networks for reconnaissance, according to Lumen research. Previously associated with Volt Typhoon, JDY operates as a centrally controlled high-performance scanner designed to fingerprint and map exposed services at scale. The botnet's expansion signals escalating Chinese state-sponsored pre-positioning activity against critical U.S. infrastructure.