The National Association of Insurance Commissioners disclosed on 23 June 2026 that attackers exploited an Oracle PeopleSoft zero-day to access part of its environment, and by 25 June the extortion group ShinyHunters had published the stolen data online, claiming more than 3.1 terabytes.
Victim
National Association of Insurance Commissioners (NAIC)
Researchers disclosed a Microsoft Defender privilege-escalation zero-day dubbed RoguePlanet (CVE-2026-47281) that abuses a race condition to redirect a SYSTEM-level file operation and hand a local attacker full SYSTEM access on fully updated Windows machines.
Oracle issued an emergency out-of-band alert after the ShinyHunters crew exploited a critical unauthenticated remote-code-execution zero-day in PeopleSoft PeopleTools to steal data from more than 100 organisations, most of them universities.
Google shipped an emergency Chrome update fixing CVE-2026-11645, a high-severity out-of-bounds memory flaw in the V8 engine that lets a crafted web page run arbitrary code and for which an exploit already exists in the wild.
Check Point disclosed that attackers, including a Qilin ransomware affiliate, were actively exploiting a critical authentication-bypass zero-day (CVE-2026-50751) in its Remote Access and Mobile Access VPN products to log in without a valid password.
Cisco warned that an unpatched high-severity zero-day in Catalyst SD-WAN Manager (CVE-2026-20245) was being actively exploited to execute arbitrary commands and escalate to root, after Mandiant reported a limited number of real-world attacks.
Google's June 2026 Android security update fixed 124 vulnerabilities, including CVE-2025-48595, an actively exploited integer-overflow flaw in the Android Framework that lets a local attacker escalate privileges without user interaction.
Cl0p exploited CVE-2023-34362 in Progress Software's MOVEit Transfer to mass-extort over 2,700 organizations, including the BBC, British Airways, and the U.S. Department of Energy.
Victim
Progress Software MOVEit Transfer (2,700+ downstream)
A trivially exploitable remote code execution flaw in Apache Log4j 2, the ubiquitous Java logging library, scored a maximum CVSS 10.0 and exposed hundreds of millions of devices and applications worldwide to instant takeover via a single crafted log string.
China-linked group Hafnium chained four Exchange Server zero-days (ProxyLogon) to plant web shells and steal email; after Microsoft's emergency patch, mass exploitation by multiple groups compromised an estimated 60,000+ organisations worldwide.
Victim
Microsoft Exchange Server on-premises customers (global)