Critical Vulnerabilities Exploited, Data Exfiltration
Executive Summary
This week's intelligence shows swift exploitation of critical vulnerabilities and persistent data exfiltration campaigns. Adversaries continue to use newly identified flaws in widely adopted enterprise systems and network-edge infrastructure.
Key Developments
- Active exploitation of a critical zero-day vulnerability in Check Point VPN appliances by the Qilin ransomware group was observed. This activity affects organizations globally that rely on these devices for secure network access.
- An actively exploited zero-day Remote Code Execution (RCE) vulnerability in Ivanti EPMM was confirmed, matching a CISA alert. This impacts organizations using Ivanti's mobile device management solutions, which can lead to broad system compromise.
- The ShinyHunters group exploited a zero-day vulnerability in Oracle PeopleSoft (CVE-2026-35273) to breach multiple universities, compromising extensive student and staff data. This shows continued targeting of Enterprise Resource Planning (ERP) systems.
- Over 400 packages in the Arch Linux AUR repository were found compromised, deploying infostealers and eBPF rootkits. This indicates ongoing supply chain integrity risks for developer environments and potentially downstream systems.
Business Impact
These activities create exposure for organizational data confidentiality and business operations. Exploitation of network access points, mobile management platforms, and core ERP systems can lead to unauthorized access, data theft, and potential disruption of critical business functions. The ongoing listing of national-scale datasets on dark web markets also shows widespread data compromise, affecting privacy and regulatory standing.
Notable Trends and Changes
The rapid weaponization of newly disclosed vulnerabilities in network-edge and enterprise systems remains consistent, mirroring previous weeks. Data exfiltration continues as a primary objective for various groups, including those involved in ransomware operations. A change seen this period is the increased visibility of supply chain compromises targeting software repositories. Ransomware groups, like LockBit and Payload, maintain widespread activity, increasingly targeting telecom backbone providers and international institutions, while criminal forums show resilience through infrastructure upgrades.
Outlook
Active exploitation of recently disclosed critical vulnerabilities in network infrastructure and enterprise applications is expected to persist. Data exfiltration operations, often stemming from compromises of third-party services or direct system breaches, will likely remain prevalent. Ransomware campaigns are anticipated to continue at current levels, employing data theft tactics and exploring new victim sectors. Adversary capabilities involving AI for reconnaissance and exploitation development are expected to evolve further.
Key Threat Intelligence Highlights
A critical zero-day vulnerability in Check Point VPN devices is under active exploitation, allowing remote code execution by attackers. This exploit has directly facilitated Qilin ransomware deployments, endangering organizations using these security gateways. Prompt patching is essential to prevent data compromise and encryption.
CISA has mandated federal agencies apply an urgent patch for a critical Ivanti deserialization flaw that is under active exploitation. This vulnerability allows for remote code execution. This led to an Emergency Directive for agencies to address it by Sunday or disconnect affected Connect Secure and Policy Secure gateways to prevent unauthorized access. The directive shows the immediate danger this internet-facing vulnerability poses to federal systems.
Cybercriminal group ShinyHunters exploited a zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft, leading to the breach of multiple universities. This attack permitted unauthorized access to institutional data, showing the significant challenge from unpatched software flaws in widely used enterprise systems.
AI-powered scams have resulted in nearly $900 million in losses for Americans, according to FBI data. These sophisticated schemes use artificial intelligence to craft highly convincing and deceptive tactics, making them increasingly difficult for victims to identify. The growing use of AI in fraudulent activities is a serious and expanding danger to individuals' financial well-being.
Malicious actors compromised over 400 Arch Linux AUR packages, executing a supply chain attack to inject an infostealer and an eBPF rootkit into user systems. This scheme enabled data exfiltration and persistent system control, raising serious concerns about the integrity of open-source software distribution channels.
Additional Threat Intelligence Context
The Council of Europe suffered a data breach of HR and payroll data by ShinyHunters/SLSH, now under extortion.
An AI-assisted phishing-as-a-service platform, Outsider Enterprise, was dismantled; it had enabled widespread credit card fraud.
CVE-2026-10520 | CVSS: 10.0 (VERY CRITICAL) - Ivanti Sentry OS command injection and authentication bypass (CVE-2026-10523) are under active exploitation, allowing unauthenticated remote code execution and corporate network access.
Available Exploits: CVE-2026-10520 Exploit (4 listings)
Analysis (CVE-2026-10520):
- Title: watchTowr Ivanti Sentry RCE Detection PoC
- CVE: CVE-2026-10520, CVE-2026-10523 (CVSS: 10.0, VERY CRITICAL)
- Complexity Score: Easy; Remote; Unauthenticated; Privilege Required: No...
- Risk Score: 100/100
CVE-2026-35273 | CVSS: 9.8 (VERY CRITICAL) - ShinyHunters is extensively exploiting Oracle PeopleSoft for unauthenticated RCE against higher-education ERP systems, leading to the exfiltration of student, staff, and financial data.
Available Exploits: CVE-2026-35273 Exploit (2 listings)
Analysis (CVE-2026-35273):
- Title: CVE-2026-35273 Detection Script
- CVE: CVE-2026-35273 (CVSS: 9.8, VERY CRITICAL)
- Complexity Score: Easy; Remote; Unauthenticated; Privilege Required: None
- Risk Score: 100/100
CVE-2026-20253 | CVSS: 9.8 (CRITICAL) - A critical Splunk Enterprise vulnerability is actively exploited, with public proof-of-concept code available for on-prem instances.
Available Exploits: CVE-2026-20253 Exploit (3 listings)
Analysis (CVE-2026-20253):
- Title: watchTowr-vs-Splunk-CVE-2026-20253 PoC
- CVE: CVE-2026-20253 (CVSS: 9.8, CRITICAL)
- Complexity Score: Easy; Remote; Authenticated; Privilege Required: None
- Risk Score: 100/100
CVE-2026-48558 - The SimpleHelp OIDC authentication bypass (CVSS 10.0) is actively exploited, allowing attackers to impersonate technicians and seize administrative control.
Widespread data leaks result from the Anodot SaaS integrator compromise, affecting Snowflake and BigQuery datasets for major brands including Rockstar Games, Zara, and Ticketmaster.
CVE-2026-50751 | CVSS: NA (CRITICAL) - Ongoing ransomware and extortion campaigns by groups like LockBit, Payload, SLSH, and Qilin target diverse sectors, frequently using vulnerabilities such as the Check Point IKEv1 VPN authentication bypass.
Available Exploits: CVE-2026-50751 Exploit (5 listings)
Analysis (CVE-2026-50751):
- Title: CVE-2026-50751 IKEv1 Safe Probe
- CVE: CVE-2026-50751 (CVSS: NA, CRITICAL)
- Complexity Score: Easy; Remote; Unauthenticated; Privilege Required: None
- Risk Score: 91/100
An Arch Linux AUR supply-chain compromise hijacked over 400 packages to deliver a Rust-based credential stealer and optional eBPF rootkit.
CVE-2026-9082 | CVSS: 6.5 (CRITICAL) - Drupal JSON:API SQL injection is actively exploited in the wild, allowing data extraction from node endpoints.
Available Exploits: CVE-2026-9082 Exploit (5 listings)
Analysis (CVE-2026-9082):
- Title: SA-CORE-2026-004 Detection PoC (Drupal JSON:API IN filter SQLi)
- CVE: CVE-2026-9082 (CVSS: 6.5, CRITICAL)
- Complexity Score: Easy; Remote; Unauthenticated; Privilege Required: None
- Risk Score: 100/100
CVE-2024-20399 | CVSS: 6.0 (MEDIUM) - Cisco NX-OS command injection has been used by Velvet Ant for backdooring network infrastructure in long-dwell intrusion campaigns.
Available Exploits: CVE-2024-20399 Exploit (1 listing)
CVE-2026-47291 | CVSS: 9.8 (VERY CRITICAL) - Windows HTTP.sys integer-overflow RCE poses an anticipated exploitation risk against internet-facing Windows infrastructure despite patching.
Available Exploits: CVE-2026-47291 Exploit (1 listing)
Analysis (CVE-2026-47291):
- Title: CVE-2026-47291 Windows HTTP.sys RCE PoC
- CVE: CVE-2026-47291 (CVSS: 9.8, VERY CRITICAL)
- Complexity Score: Easy; Remote; Unauthenticated; Privilege Required: None
- Risk Score: 100/100
Ransomware Activity Overview
The illicit trade of national-scale datasets remains active, with listings for over 160 million credit records from Vietnam, 160 million Iranian insurance records, 2.7 million Singaporean citizen records, and older, substantial dumps such as Turkey's TTNET. Criminal forums, like BreachForums, show resilience with confirmed infrastructure upgrades. Ransomware groups, including Medusa, LockBit, and SLSH, continue using data theft and double-extortion tactics, targeting public sector, healthcare, education, industrial, and professional services entities. They are also increasingly targeting telecom backbone providers and international institutions. Geopolitical motives influence cyber operations, with Russia-aligned actors exploiting WinRAR against Ukrainian targets, hacktivist groups conducting defacements and leaks against governmental sites in Indonesia and Malaysia, and the Z-Pentest Alliance launching a platform to solicit classified materials on opposing states. Data breach markets also show this trend, featuring leaks such as a NATO internal meeting document, potential Pakistani diplomatic and defense-related data, a substantial US SSN database, and extensive PII bundles from various services like SoundCloud, Betterment, and Crunchbase, alongside threats against Singaporean financial institutions and alleged compromises of UK Parliament-linked sites.
During the reporting period, 166 total victims were identified across 37 active ransomware groups. The top 5 most active groups accounted for 80 victims.
Top 5 Ransomware Groups
Qilin - 25 victim(s)
- Notable victims: Altavista strategic partners, Bekman marder hopper malarkey & perlin, Bitek system, C.c. creations, Dbhms (and 20 more)
The_Gentlemen - 21 victim(s)
- Notable victims: Allensbach volunteer, Central arkansas pediatrics, Danzo group, Empty, Fesco adecco (and 16 more)
DragonForce - 13 victim(s)
- Notable victims: A. liberty engineering co. ltd, Al ishrak contracting, Al shafar grc, Areco, Astec valves & fittings pvt (and 8 more)
LockBit - 12 victim(s)
- Notable victims: 5deagosto.com.br, abandw.com, ag-360.ca, amc.co.th, casaandina.com.co (and 7 more)
Akira - 9 victim(s)
- Notable victims: Associated investor services, Centre ellipse, Ddc domus design collection, Hrc sicherheitsdienste, Port air express (and 4 more)
Deep Web
Deep Web Activity Report: Week Ending June 16, 2026
Deep web observations this week show a range of data compromises and sophisticated offensive tools available, affecting both government entities and major corporations globally. Activities included mass PII leaks affecting many people, highly sensitive defense and electoral data exposures, and the marketing of advanced mobile exploitation capabilities.
What deep web activities were most apparent this week?
Deep web forums and marketplaces this week presented a range of illicit offerings, focused on large-scale data breaches, access to critical infrastructure, and the sale of advanced cyber exploitation tools. Government data, particularly from national security, defense, and electoral institutions, was a key target. An active market persists for personally identifiable information (PII) and financial fraud tools, serving a broad spectrum of cybercriminal operations. The emergence of a zero-click mobile exploit chain also shows the continued evolution and commercialization of advanced attack capabilities.
Which data leaks and access claims warrant immediate attention?
Several incidents observed this week are particularly consequential due to their scale, nature, or the sensitivity of the compromised entities:
- Shanghai National Police Database Leak: An alleged database containing 1.2 billion records of Shanghai National Police identity records (SHGA) was posted for sale. The dataset, spanning 10.9 GB (compressed), purportedly includes names and Chinese Resident Identity Card Numbers, an extensive collection of PII.
- Pakistani Government Data Exposure: A vendor claimed to possess and offer data from both the Pakistani Embassy in Türkiye and the Directorate General Munitions Production (DGMP). The embassy data (8.88 GB) reportedly contains defense cooperation intelligence, internal operational manuals, identification documents, MFA governmental email access, SSL VPN credentials, and NADRA RCMS access points. The DGMP data (670 MB) is said to include highly classified information on the Pakistan Navy, DGMP, trilateral defense cooperation with Türkiye and China (2025-2035), foreign intelligence on the USSF arsenal, and internal documents related to the China-Pakistan Economic Corridor (CPEC).
- Ecuador National Electoral Council (CNE) Cloud Access: An actor claimed full and persistent access to cloud.cne.gob.ec, the cloud infrastructure of Ecuador's National Electoral Council. The access purportedly includes confidential files, credentials, memorandums, and critical electoral documents, with WebDAV remote access capabilities confirmed by provided code. The actor explicitly linked this compromise to upcoming elections, claiming potential for system manipulation.
- Dynatrace Internal GitHub Organization Dump: Internal infrastructure data from Dynatrace, a $13.2 billion observability/monitoring SaaS platform, was advertised. The dump, including 246 repositories (8.46 GB compressed), allegedly came from a developer's Personal Access Token (PAT). It is said to contain complete infrastructure topology, CI/CD pipeline details, secret management configurations (Vault endpoints, AWS/GCP infrastructure), and employee records (1000+ GitHub handles, names, corporate emails).
- CVE-2026-32157 Advanced Zero-Click RCS Exploit Chain: A vendor offered a full exploit chain for CVE-2026-32157, targeting the RCS messaging protocol across modern Android and iOS devices (Pixel 9 Pro, Galaxy S25 Ultra, iPhone 16 Pro, iPhone 17 series). This sophisticated capability allows zero-click to one-click compromise, which provides full remote control, persistence, real-time surveillance (call recording, keylogging, credential harvesting), phishing, and telephony control (SMS/call spoofing and interception).
- CIC Vietnam National Credit Registry Leak: A database of over 160 million records from CIC Vietnam (cic.gov.vn), the national credit registry, was posted for sale. The data, available in SQL/CSV format, reportedly includes full names, dates of birth, national identification numbers (CCCD, CMND, passport), loan data, balances, debt, tax IDs, company information, audit logs, and addresses.
- Global PII and Fraud Tool Marketplace: An actor advertised a full inventory of "FULLZ" (complete personal information sets) and various documents and tools that enable fraud. This listing includes worldwide identification documents (DL, ID, passport photos with selfies/videos), financial account details (dumps with PINs, bank statements), various categories of leads (investors, healthcare, job seekers), and a collection of hacking/scamming tools (BTC hacking tools, carding tutorials, scam pages, RATs, mailers).
What is the character and extent of these compromises?
The nature of the observed breaches includes direct exfiltration of sensitive databases, unauthorized persistent access to critical systems, and the development of advanced offensive cyber tools.
The Shanghai National Police leak represents a database exposure of very large scale, affecting over a billion individuals with basic yet fundamental PII. This volume alone makes it a significant event.
The Pakistani government and defense data involves a blend of diplomatic and military intelligence, operational manuals, and identification documents. The inclusion of trilateral defense cooperation details and foreign intelligence on USSF arsenal suggests state-level espionage or insider activity, with potential compromise of national security interests across multiple nations.
The Ecuador CNE access is a breach of an electoral system, extending beyond data theft to potential direct manipulation capabilities. The claim of persistent WebDAV access and privilege escalation suggests a deep and enduring compromise, which raises concerns about democratic processes.
The Dynatrace GitHub dump is an intellectual property and internal systems blueprint compromise. While not immediately affecting end-users, it provides adversaries with a full understanding of Dynatrace's internal operations, infrastructure, and employee identities, which could enable future sophisticated supply chain attacks or internal network penetration. Its value lies in the strategic intelligence it offers to well-resourced actors.
The CVE-2026-32157 exploit chain is a product offering for offensive cyber operations, rather than a breach itself. Its zero-click capabilities across modern mobile platforms show a high level of sophistication, developed to bypass advanced mitigations. The detailed feature list, including remote control, surveillance, and telephony manipulation, describes a tool capable of full espionage.
The CIC Vietnam leak is a substantial financial data breach, exposing the credit and personal details of a large segment of the Vietnamese population. This data is granular, including loan histories and tax IDs, making it ideal for identity theft and financial fraud.
The "FULLZ" and fraud tool marketplace shows a well-organized cybercriminal ecosystem. It's a retail outlet for fraud, offering a wide array of raw materials (PII, financial data) and the tools/knowledge necessary to exploit them for financial gain. The global scope and variety of data/services show a mature and active criminal economy.
Are there emerging patterns in this week's data?
Several patterns are visible in this week's deep web activity:
- Government and Critical Infrastructure as Key Targets: A pattern exists of government entities experiencing data theft or unauthorized access. This includes national police, electoral commissions, embassies, and defense production bodies across different geographies (China, Pakistan, Ecuador). This suggests continued state-sponsored activity or politically motivated attacks.
- Massive PII Datasets Continually Surfacing: The leaks from Shanghai National Police and CIC Vietnam collectively account for well over a billion records of personal information. This confirms the ongoing, large-scale aggregation and monetization of PII on deep web markets, which fuels identity theft and financial fraud on an industrial scale.
- Sophistication of Offensive Capabilities: The availability of a zero-click, cross-platform mobile exploit chain (CVE-2026-32157) shows that highly advanced cyber weapons are regularly developed and offered for sale. These tools are tailored to bypass contemporary security measures, showing ongoing innovation among offensive security actors.
- Supply Chain and Corporate Intellectual Property Risk: The Dynatrace GitHub dump shows the continuing vulnerability of corporate intellectual property and internal infrastructure to compromise. Such leaks provide detailed blueprints for sophisticated adversaries to do reconnaissance, develop tailored attacks, and potentially start supply chain compromises affecting downstream customers.
- Geopolitical and Strategic Implications: Multiple incidents, particularly the Pakistani government data and the Ecuador CNE access, carry distinct geopolitical ramifications. These are potentially intelligence operations or actions intended to influence national stability or international relations, rather than just financial crimes.
What are the downstream implications of these data exposures?
The potential downstream implications are extensive and varied:
- For Individuals: The leaks of PII, especially the Shanghai National Police and CIC Vietnam data, create a high risk of identity theft, financial fraud, and targeted scams for millions. Individuals may experience unauthorized account access, fraudulent loan applications, or social engineering attacks using their detailed personal and financial information. The availability of "FULLZ" further worsens this risk globally.
- For Government and National Security: Compromises involving entities like the Pakistani Embassy, DGMP, and FSB documents directly endanger national security. This can lead to the exposure of intelligence operations, diplomatic vulnerabilities, military capabilities, and sensitive strategic plans, potentially affecting international relations and national defense posture. The Ecuador CNE compromise directly threatens democratic integrity and public trust in electoral processes.
- For Corporations and Critical Infrastructure: The Dynatrace leak offers adversaries a full understanding of a key software provider's internal systems. This knowledge can be used to create sophisticated attacks against Dynatrace itself or its Fortune 500 customers via supply chain vectors. This could result in widespread service disruptions, further data breaches, or intellectual property theft.
- Proliferation of Advanced Cyber Capabilities: The sale of zero-click mobile exploits lowers the barrier for nation-state actors and well-resourced criminal groups to conduct advanced surveillance and espionage. Such tools can be used to target high-value individuals, activists, journalists, or government officials with minimal risk of detection, creating pervasive digital insecurity.
- Erosion of Trust: Widespread breaches of sensitive personal data and governmental systems contribute to a general erosion of public trust in institutions responsible for data protection and national security. This can have far-reaching societal and political consequences.
Sources
- Alert! Critical Check Point zero-day exploited in the wild, Qilin ransomware already at work
- CISA orders feds to patch actively exploited Ivanti flaw by Sunday
- ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273) to Breach Universities
- Americans lost nearly $900 million to AI-powered scams, FBI says
- Over 400 Arch Linux AUR Packages Hijacked to Deploy Infostealer and eBPF Rootkit
Mitigation Priorities for Security Teams
Organizations should immediately prioritize patching the vulnerabilities identified in this report. Key actions include:
- Check Point VPN: Apply vendor patches immediately and audit VPN access logs for anomalous authentication patterns
- Ivanti EPMM: Follow CISA emergency directives and isolate affected MDM infrastructure pending patching
- Oracle PeopleSoft: Review CVE-2026-35273 advisories and restrict external-facing ERP access
- Arch Linux AUR: Audit developer environments for compromised packages and scan for eBPF rootkit indicators
Prioritize network-edge devices and identity infrastructure, as these remain primary adversary entry points across all observed campaigns.
Threat Actor Tactics and Attribution Insights
This reporting period highlights distinct adversary behaviors worth tracking:
- Qilin ransomware group continues evolving its initial access methodology, now actively leveraging VPN zero-days before lateral movement
- ShinyHunters demonstrates increasing focus on higher education ERP systems, likely motivated by high-volume personally identifiable information (PII) for resale
- Supply chain attackers targeting developer toolchains show sophisticated persistence through eBPF rootkits, evading traditional endpoint detection
Understanding these patterns enables defenders to anticipate targeting and apply threat-informed detection rules proactively.
Indicators of Compromise and Detection Guidance
Security operations teams should update detection pipelines based on this week's activity:
- Monitor for unusual outbound data transfers exceeding baseline thresholds, a key signal in active data exfiltration campaigns
- Deploy YARA rules targeting infostealer payloads associated with compromised AUR packages
- Alert on unexpected MDM configuration changes consistent with Ivanti EPMM exploitation behavior
- Implement integrity monitoring on ERP login portals and database query logs
- Cross-reference threat intelligence feeds for ShinyHunters and Qilin infrastructure indicators
Proactive hunting using these signals significantly reduces dwell time across all identified threat vectors.
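As an added example (not part of this report or any vendor's tooling), the outbound-volume signal from the detection list above, implemented over constructed flow records: a per-host robust baseline (median and MAD of daily bytes out) with a review-day threshold, plus a never-seen-destination check that strengthens the signal. Host names, IP addresses and byte counts are constructed for the example.

```python
"""Flag hosts whose outbound byte volume exceeds a learned per-host baseline.

Added example, not part of the original report. Input is a list of
constructed NetFlow-like records: (day, src_host, dst_ip, bytes_out).
"""
from collections import defaultdict
from statistics import median

# Constructed sample flows. Days 1-7 form the baseline window; day 8 is the
# period under review. dev-ws-17 makes one large transfer to a new endpoint.
SAMPLE_FLOWS = [
    *[(d, "erp-db-01", "203.0.113.10", 40_000_000 + d * 500_000) for d in range(1, 8)],
    *[(d, "mdm-srv-01", "198.51.100.5", 5_000_000) for d in range(1, 8)],
    *[(d, "dev-ws-17", "198.51.100.20", 2_000_000 + d * 100_000) for d in range(1, 8)],
    (8, "erp-db-01", "203.0.113.10", 41_000_000),
    (8, "mdm-srv-01", "198.51.100.5", 5_200_000),
    (8, "dev-ws-17", "198.51.100.20", 2_100_000),
    (8, "dev-ws-17", "192.0.2.77", 900_000_000),  # sudden bulk transfer
]


def daily_outbound(flows):
    """Sum bytes out per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def robust_baseline(values, min_days=5):
    """Median and median absolute deviation (MAD) of the daily totals.
    Returns None when there is too little history to baseline a host."""
    if len(values) < min_days:
        return None
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def detect_exfil(flows, review_day, k=6.0, mad_floor_ratio=0.05):
    """Alert on hosts whose review-day total exceeds median + k * MAD.
    The MAD floor (a fraction of the median) keeps a perfectly flat baseline
    from alerting on trivial changes. Hosts without enough history are
    reported as 'unbaselined' so they are reviewed rather than ignored."""
    totals = daily_outbound(flows)
    alerts = []
    for host, per_day in totals.items():
        history = [b for d, b in per_day.items() if d < review_day]
        today = per_day.get(review_day)
        if today is None:
            continue
        base = robust_baseline(history)
        if base is None:
            alerts.append({"host": host, "reason": "unbaselined", "bytes": today})
            continue
        med, mad = base
        spread = max(mad, med * mad_floor_ratio)
        threshold = med + k * spread
        if today > threshold:
            alerts.append({"host": host, "reason": "over_baseline", "bytes": today,
                           "threshold": int(threshold), "ratio": round(today / med, 1)})
    return alerts


def new_destinations(flows, review_day):
    """(host, dst) pairs seen on review_day but never in the history window.
    Bulk transfer to a never-seen endpoint is a stronger exfiltration signal
    than volume alone."""
    seen = defaultdict(set)
    for day, host, dst, _ in flows:
        if day < review_day:
            seen[host].add(dst)
    return sorted({(h, d) for day, h, d, _ in flows if day == review_day and d not in seen[h]})


if __name__ == "__main__":
    for alert in detect_exfil(SAMPLE_FLOWS, 8):
        print(alert)
    print(new_destinations(SAMPLE_FLOWS, 8))
```

In production the flow tuples would come from a NetFlow/IPFIX or firewall export, and the baseline window should be long enough to cover weekly cycles such as scheduled backups.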