TL;DR
Oracle PeopleSoft zero-day CVE-2026-35273 actively exploited by ShinyHunters group targeting universities; Windows BitLocker bypass disclosed; The Gentlemen ransomware now claims 478 victims and spreads like worm. Patch Tuesday records broken with ~200 Microsoft fixes.
Executive Summary
- Oracle PeopleSoft vulnerability CVE-2026-35273 is under active exploitation by ShinyHunters extortion group, with universities confirmed as targets.
- Windows BitLocker encryption can be bypassed via recovery partition XML files using newly disclosed GreatXML exploit.
- The Gentlemen ransomware operation claims 478 victims and demonstrates worm-like self-propagation capabilities, with connections to LockBit infrastructure.
- Microsoft released record ~200 security patches in June 2026 Patch Tuesday cycle, including critical fixes.
- OpenClaw AI agent framework vulnerable to code execution and data exfiltration through crafted inputs.
Top Threats Today
1. Oracle PeopleSoft Zero-Day Actively Exploited Against Universities
Severity: CRITICAL Affected: Education
CVE-2026-35273, a critical unauthenticated remote code execution vulnerability in Oracle PeopleSoft Suite, is being actively exploited [1][2] by the ShinyHunters extortion crew to breach enterprise systems, steal data, and demand ransom [1]. Google Mandiant tracks the group as UNC6240 [1]. University of Nottingham has confirmed a cyber incident with ShinyHunters claiming data theft [3], and the attacks have targeted universities broadly [1]. Oracle released mitigations for the flaw [2], though full patch details remain limited .
Sources:[1] The Hacker News[2] BleepingComputer[3] The Record
Recommended Action
- Apply Oracle PeopleSoft mitigations immediately as documented in Oracle security advisories
- Audit PeopleSoft access logs for unauthorized remote connections or code execution attempts
- Isolate vulnerable PeopleSoft instances from untrusted networks pending full patch availability
- Notify students and alumni if personal data exposure is confirmed
2. Windows BitLocker Encryption Bypassed via XML Recovery Partition Exploit
Severity: HIGH Affected: Technology
Security researcher Chaotic Eclipse has released GreatXML, a new exploit that bypasses Windows BitLocker encryption by manipulating recovery partition XML files [1]. The researcher discovered the bypass in 4 hours of testing [1]. This follows the same researcher's earlier disclosure of a Microsoft Defender exploit [1].
Sources:[1] The Hacker News
Recommended Action
- Review BitLocker recovery partition configurations and restrict access to recovery keys
- Monitor Windows logs for unauthorized BitLocker recovery partition access or modifications
- Apply latest Windows security patches from June 2026 Patch Tuesday release
- Consider multi-factor authentication for BitLocker recovery key access where supported
3. The Gentlemen Ransomware Demonstrates Worm-Like Propagation, Claims 478 Victims
Severity: HIGH Affected: Multiple
The Gentlemen ransomware group has emerged as the second most active ransomware gang by victim count, claiming 478 confirmed victims [1]. Analysis reveals the group initially operated as an affiliate leveraging multiple ransomware-as-a-service schemes, including LockBit (also known as Tenacious Mantis) [1]. A significant escalation: the group demonstrates worm-like self-propagation capabilities beyond traditional double-extortion tactics [1], and operates an aggressive recruitment strategy offering affiliates 90 percent of ransom proceeds [2].
Sources:[1] The Hacker News[2] Krebs on Security
Recommended Action
- Implement network segmentation to limit lateral movement and worm-like propagation
- Deploy endpoint detection and response (EDR) with behavioral rules for self-spreading binaries
- Monitor outbound C2 connections and data exfiltration patterns associated with LockBit/Tenacious Mantis infrastructure
- Increase backup frequency and test recovery procedures against ransomware attack scenarios
4. OpenClaw AI Agent Vulnerable to Code Execution and Secret Exfiltration
Severity: HIGH Affected: Technology
Two separate security research teams have demonstrated that OpenClaw, a popular self-hosted AI agent framework, can be driven to execute attacker-controlled code or leak sensitive data through ordinary-looking inputs [1]. Imperva researchers embedded hidden instructions in vCards, shared contacts, and location data to trigger the vulnerabilities [1].
Sources:[1] The Hacker News
Recommended Action
- If running OpenClaw in production, isolate it from sensitive data and elevated-privilege systems
- Implement strict input validation and sanitization for all user-supplied and imported data (vCards, contacts, files)
- Monitor OpenClaw process execution and outbound network connections for suspicious activity
- Review vendor security advisories for code execution patches and apply immediately
5. Microsoft Patch Tuesday Sets Record: ~200 Fixes Released
Severity: MEDIUM Affected: Technology
Microsoft released nearly 200 security updates across Windows operating systems and supported software in its June 2026 Patch Tuesday cycle, setting a record for the company's monthly patching volume [1]. Nearly three dozen of the fixes carry Microsoft's critical severity rating [1]. Exploitation of some vulnerabilities has been confirmed, though details remain limited [1].
Sources:[1] Krebs on Security
Recommended Action
- Prioritize testing and deployment of the ~36 critical-rated patches in isolated environments first
- Check Microsoft's advisories for any vulnerabilities already under active exploitation and prioritize those for immediate rollout
- Automate patch deployment via WSUS, Intune, or equivalent to reduce manual burden of 200-patch month
- Monitor post-patch systems for compatibility issues and have rollback procedures ready
Today’s Action Checklist
- ☐ URGENT: Verify Oracle PeopleSoft is not exposed to internet; apply CVE-2026-35273 mitigations and audit access logs for compromise indicators
- ☐ HIGH: Review Windows systems running BitLocker; assess risk of GreatXML recovery partition bypass in your environment and restrict recovery key access
- ☐ HIGH: Review network segmentation and EDR detection rules to identify and block worm-like ransomware propagation tied to The Gentlemen and LockBit affiliates
- ☐ HIGH: If OpenClaw is deployed, isolate from sensitive data and apply input sanitization; check vendor advisories for patches
- ☐ ROUTINE: Test and deploy highest-priority Microsoft June 2026 Patch Tuesday critical fixes, prioritizing any with confirmed exploitation