Vulnerability Intelligence Report — June 15, 2026

Coverage: June 1–15, 2026 | New CISA KEV additions (period): 12 | New KEV since yesterday: 0 | KEV deadline TODAY: Oracle PeopleSoft | Ivanti Sentry deadline passed (June 14) | Overdue KEVs: 6
Previous reports: June 14, 2026 | June 13, 2026

Today — Sunday, June 15, 2026 — is the CISA KEV remediation deadline for Oracle PeopleSoft CVE-2026-35273. This is the second half of a rare weekend double deadline; Ivanti Sentry CVE-2026-10520 passed yesterday. No new CISA KEV entries have been added since June 12, a period of relative calm after the earlier June surge. The weekend vulnerability disclosure cycle is characteristically quiet, with most new CVEs being low-to-medium severity or affecting niche products. Two significant threat intelligence stories broke this morning: researchers have demonstrated that Microsoft 365 Copilot can be weaponized as a one-click data theft tool by abusing its automated document retrieval and summarisation capabilities, and the FBI announced the disruption of a massive AI-powered phishing-as-a-service operation using over a million malicious URLs. On the vulnerability front, notable items include a timing discrepancy in Linux-PAM’s pam_userdb module, OS command injection in widely used Perl libraries (Config::IniFiles, GD), and a deserialization vulnerability in Comma AI’s Openpilot autonomous driving software.


Quick Reference — Most Important Items Today

Oracle PeopleSoft: CVE-2026-35273 (CISA KEV DEADLINE TODAY Sunday June 15, ransomware, ShinyHunters — patch today or disconnect)

Ivanti Sentry: CVE-2026-10520 (KEV deadline passed June 14 — NOW OVERDUE, patch immediately if not done yesterday)

Microsoft 365 Copilot: NEW attack vector — AI assistant weaponized as a one-click data theft tool via automated document retrieval

FBI AI-Phishing Takedown: Massive phishing-as-a-service operation with 1M+ URLs disrupted — coordinated with international partners

Linux-PAM CVE-2026-54411: Timing discrepancy in pam_userdb password comparison (MEDIUM 5.9) — local account enumeration

Perl Config::IniFiles CVE-2026-11527 / GD CVE-2026-11526: OS command injection via 2-arg open() — widely used libraries

Comma AI Openpilot CVE-2026-12191: Pickle deserialization (HIGH 7.8) — autonomous driving research platforms

nanoMODBUS CVE-2026-54410: Off-by-one buffer overflow in Modbus/TCP server (HIGH 8.6) — ICS/IIoT environments

Overdue KEV: Ivanti +1 | Check Point +4 | Nx Console +5 | Mirasvit +9 | Android +10 | PAN-OS +14


Oracle PeopleSoft — CVE-2026-35273 (KEV DEADLINE TODAY)

Software affected: Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62.

CVE: CVE-2026-35273 | CISA KEV deadline today — Sunday, June 15, 2026 | CVSS 9.8 | Missing authentication enables complete PeopleSoft takeover via HTTP | Known ransomware campaign use | Actively exploited by ShinyHunters targeting HR, payroll, and financial data.

Status: Today is the remediation deadline. Falling on a Sunday, this deadline presents practical challenges for organisations with weekend change freezes or reduced staffing. The BOD 26-04 3-day mandate means federal agencies must demonstrate compliance or face potential enforcement action. Organisations with internet-facing PeopleSoft that have not yet patched are now at the deadline — either patch today or disconnect from the network. ShinyHunters exploitation is confirmed and ongoing. Full coverage in the dedicated CVE-2026-35273 advisory.

Recommended action: Patch today — this is the final deadline. If patching is not possible on a Sunday, immediately restrict all network access to PeopleSoft until patched on Monday. Review access logs for ShinyHunters IOCs. Rotate credentials after patching. Federal agencies: BOD 26-04 compliance required.

Official source: Oracle Security Alert CVE-2026-35273 | CISA KEV Catalog


Ivanti Sentry — CVE-2026-10520 (Deadline Passed — Now Overdue)

Software affected: Ivanti Sentry (formerly MobileIron Sentry) — all versions prior to patched release.

CVE: CVE-2026-10520 | CISA KEV deadline was yesterday — June 14, 2026 — NOW OVERDUE | OS command injection enabling unauthenticated root-level RCE | Actively exploited | First test of BOD 26-04’s 3-day mandate — deadline has now passed.

Status: The deadline has passed. This was the first weekend deadline in the current cycle and the first BOD 26-04 deadline to fall on a Saturday. Organisations that missed the deadline should treat this as immediately overdue — patch as soon as possible, and disconnect internet-facing Sentry appliances in the interim. Active exploitation continues.

Recommended action: Patch immediately — one day overdue. Disconnect internet-facing Sentry appliances if not already done. BOD 26-04 compliance reporting expected this week.

Official source: Ivanti Security Advisory | CISA KEV Catalog


Microsoft 365 Copilot Weaponized — New AI-Assisted Data Theft Vector

Affected platforms: Microsoft 365 Copilot — organisations with Copilot enabled and broad document access permissions.

Status: Security researchers have demonstrated a novel attack that turns Microsoft 365 Copilot into a one-click data theft tool. The attack exploits Copilot’s automated document retrieval, summarisation, and cross-document correlation capabilities. By crafting a malicious prompt embedded in a document or email, an attacker can cause Copilot to search across the victim’s entire accessible SharePoint, OneDrive, and email corpus, aggregate sensitive information, and exfiltrate it — all through legitimate Copilot API calls that appear as normal AI assistant usage.

Impact: This is not a traditional CVE — it is an abuse of legitimate AI functionality. The attack surface is determined by the Copilot user’s document access scope. Organisations with broadly permissive SharePoint access controls are most exposed. The attack bypasses traditional DLP controls because Copilot’s retrieval and summarisation are authorised operations. Microsoft has been notified and is investigating mitigations.

Recommended action: Review Copilot deployment scope and document access permissions — principle of least privilege is the primary mitigation. Audit Microsoft 365 audit logs for anomalous Copilot query patterns (high-volume document retrieval, cross-department searches, summarisation of sensitive labelled documents). Consider restricting Copilot access to sensitive document libraries until Microsoft releases mitigations. This is a TTP alert — treat as an emerging threat vector rather than a patchable vulnerability.
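The audit-log review above can be scripted. The following is an added example, not Microsoft's API, the researchers' tooling, or this report's own material: it runs the three heuristics named in the recommendation (high-volume retrieval, cross-department searches, sensitivity-labelled documents) over a sliding time window. The record fields, the thresholds and the sample records are all assumptions constructed for the example; the real Microsoft 365 unified audit log schema differs and must be mapped to these fields first.

```python
"""Heuristic review of Microsoft 365 audit records for anomalous Copilot
usage.  Added example, not Microsoft's API or the researchers' tooling:
the record fields and thresholds below are assumptions, and the sample
records are constructed, not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for the example; tune to your own baseline.
WINDOW = timedelta(minutes=10)
MAX_DOCS_PER_WINDOW = 20         # distinct documents one user may retrieve
MAX_DEPTS_PER_WINDOW = 3         # distinct owning departments touched
MAX_SENSITIVE_PER_WINDOW = 3     # retrievals of sensitivity-labelled documents
SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}

DEPARTMENTS = ["HR", "Finance", "Legal", "Engineering", "Exec"]

def _record(user, when, dept, doc, label):
    """Simplified audit record: one Copilot interaction that retrieved one document."""
    return {"user": user, "time": when.isoformat(timespec="seconds"),
            "dept": dept, "doc": doc, "label": label}

# Constructed sample records (not real log lines).
_T0 = datetime(2026, 6, 15, 9, 0, 0)
SAMPLE_RECORDS = [
    # alice: two ordinary lookups in her own department
    _record("alice@example.test", _T0, "HR", "/sites/HR/onboarding.docx", "General"),
    _record("alice@example.test", _T0 + timedelta(minutes=2), "HR", "/sites/HR/handbook.docx", "General"),
]
# bob: 25 distinct documents across five departments within four minutes,
# seven of them labelled Confidential (the shape a prompt-driven sweep leaves)
for i in range(25):
    dept = DEPARTMENTS[i % 5]
    SAMPLE_RECORDS.append(_record(
        "bob@example.test", _T0 + timedelta(hours=1, seconds=9 * i), dept,
        f"/sites/{dept}/doc{i}.xlsx", "Confidential" if i % 4 == 0 else "General"))

def flag_anomalous_copilot_usage(records):
    """Return {user: sorted reasons} for users whose retrievals in any sliding
    WINDOW exceed a threshold.  Records need not be sorted on input."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    findings = {}
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["time"])  # zero-padded ISO-8601 strings sort chronologically
        times = [datetime.fromisoformat(r["time"]) for r in recs]
        reasons = set()
        start = 0
        for end in range(len(recs)):
            while times[end] - times[start] > WINDOW:   # slide the window forward
                start += 1
            window = recs[start:end + 1]
            if len({r["doc"] for r in window}) > MAX_DOCS_PER_WINDOW:
                reasons.add("high-volume document retrieval")
            if len({r["dept"] for r in window}) > MAX_DEPTS_PER_WINDOW:
                reasons.add("cross-department search")
            if sum(r["label"] in SENSITIVE_LABELS for r in window) >= MAX_SENSITIVE_PER_WINDOW:
                reasons.add("sensitive-labelled documents retrieved")
        if reasons:
            findings[user] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for user, reasons in flag_anomalous_copilot_usage(SAMPLE_RECORDS).items():
        print(user, "->", ", ".join(reasons))
```

Only bob is flagged, on all three heuristics; alice's two in-department lookups stay below every threshold. The window is keyed per user because the described abuse runs under the victim's own identity, so a per-tenant aggregate would dilute the signal.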

Official source: BleepingComputer Report


Threat Intelligence: FBI Disrupts AI-Powered Phishing Service

In a coordinated takedown with international partners, the FBI has disrupted a massive phishing-as-a-service (PhaaS) operation that leveraged generative AI to create and host over one million unique phishing URLs. The service automated the creation of convincing phishing pages, credential harvesting infrastructure, and evasive URL rotation — making it the largest AI-powered phishing operation disrupted to date. While not a vulnerability, this signals the accelerating industrialisation of AI-assisted cybercrime. Organisations should expect an increase in sophisticated, AI-generated phishing campaigns and should verify that phishing-resistant MFA (FIDO2/WebAuthn) is deployed across all user-facing services.


Linux-PAM, Perl Libraries, Comma AI, nanoMODBUS — Weekend Vulnerability Roundup

Linux-PAM CVE-2026-54411 (CVSS 5.9): Observable timing discrepancy in pam_userdb’s plaintext password comparison path. A local attacker can measure response times to enumerate valid usernames and infer password characteristics via a timing side channel. Affects Linux-PAM through 1.7.2. Mitigate by switching to hashed password backends where possible.
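To make the timing-discrepancy class concrete from the defender's side, here is an added example (not Linux-PAM's pam_userdb code) of a credential check built on the hashed backend the item recommends. The comparators return the number of bytes they examined, which makes the leak of an early-exit comparison visible without a stopwatch, and the verifier performs the same PBKDF2 work and full-length comparison for unknown usernames so a missing user costs the same time as a present one. The PBKDF2 work factor and the dummy entry are assumptions for the example.

```python
"""Constant-time credential check against a hashed-password store.  Added
example, not Linux-PAM's pam_userdb code.  Two properties are shown: the
comparison does not reveal where the first mismatching byte is, and a
missing user costs the same work as a present one."""
import hashlib
import hmac
import os

ITERATIONS = 100_000   # PBKDF2 work factor (assumption for the example)

def naive_compare(a: bytes, b: bytes):
    """Early-exit comparison: stops at the first differing byte.  Returns
    (equal, bytes_examined); the second value is what a timing side channel
    measures.  Kept only as the contrast to constant_time_compare."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)

def constant_time_compare(a: bytes, b: bytes):
    """Examine every byte regardless of where the first mismatch is."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_store(users: dict) -> dict:
    """Build {username: (salt, hash)} from {username: password}."""
    store = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        store[name] = (salt, hash_password(pw, salt))
    return store

# Dummy entry used when the username is unknown, so that code path still
# runs a full PBKDF2 and a full-length comparison (assumption for the example).
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = hash_password("dummy-not-a-real-password", _DUMMY_SALT)

def verify(store: dict, username: str, password: str) -> bool:
    salt, expected = store.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    ok = hmac.compare_digest(candidate, expected)   # stdlib constant-time compare
    # Bitwise '&' evaluates both operands, so an unknown user does not short-circuit.
    return bool(ok & (username in store))

if __name__ == "__main__":
    db = make_store({"alice": "correct horse"})
    print("naive, mismatch at byte 2:", naive_compare(b"aaaa", b"abbb"))
    print("constant-time, same input:", constant_time_compare(b"aaaa", b"abbb"))
    print("alice ok:", verify(db, "alice", "correct horse"))
    print("unknown user:", verify(db, "mallory", "correct horse"))
```

The byte counts show the shape of the leak: the naive comparator's work grows with the length of the matching prefix, the constant-time one always does the same amount. Hashing before comparing is what makes the comparison length fixed and the plaintext unrecoverable even from a perfect timing oracle.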

Perl Config::IniFiles CVE-2026-11527 / GD CVE-2026-11526: OS command injection and file overwrite vulnerabilities via unsafe 2-arg open() in widely used Perl libraries. Config::IniFiles before 3.001000 and GD before 2.86 pass user-controlled filenames to open() without sanitisation. Affects any Perl application using these libraries with untrusted input. Upgrade Config::IniFiles to 3.001000+ and GD to 2.86+.

Comma AI Openpilot CVE-2026-12191 (CVSS 7.8): Unsafe pickle deserialization in the modeld component via pickle.load/loads. A local attacker can achieve code execution by supplying a crafted pickle payload. Affects Openpilot 0.11. Relevant for autonomous driving research and development platforms. Apply vendor patch when available.
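Until a vendor patch lands, the mitigation for this vulnerability class is to stop pickle.load from resolving arbitrary callables. The following is an added example, not Openpilot's modeld code: it applies the RestrictedUnpickler pattern from the Python standard-library pickle documentation, with an allow-list chosen for this example, and shows a benign model blob loading while a stream that names a callable (os.getcwd, chosen because it is harmless) is refused before anything runs.

```python
"""Loading pickle data without letting the stream name arbitrary callables.
Added example, not Openpilot's modeld code.  Follows the RestrictedUnpickler
pattern from the Python pickle documentation; the allow-list of permitted
globals is an assumption for this example."""
import builtins
import io
import os
import pickle

SAFE_BUILTINS = {"range", "slice", "set", "frozenset", "complex"}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup except a short allow-list of builtins.
    Containers, strings, numbers and bytes need no global lookup at all."""
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")

def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def try_restricted_load(data: bytes):
    """(True, value) on success, (False, reason) when the stream is rejected."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)

class CallsGetcwd:
    """Object whose pickle asks the loader to call os.getcwd() on load.
    os.getcwd is harmless; it stands in for any callable a stream could name.
    (pickle records it under its defining module, 'posix' or 'nt'.)"""
    def __reduce__(self):
        return (os.getcwd, ())

# Constructed blobs: a plausible model-metadata dict, and a stream that
# names a callable.  Neither is real Openpilot data.
BENIGN_BLOB = pickle.dumps({"model": "demo", "weights": [0.5, 1.25], "ids": range(3)})
CALLABLE_BLOB = pickle.dumps(CallsGetcwd())

if __name__ == "__main__":
    print("benign:", try_restricted_load(BENIGN_BLOB))
    print("callable:", try_restricted_load(CALLABLE_BLOB))
```

The `range` value in the benign blob is deliberate: it is the one global lookup the allow-list permits, which shows the restriction is selective rather than blanket. For data that crosses a trust boundary, a format with no code-execution path at all (JSON, a tensor container with a fixed schema) is the stronger choice; a restricted unpickler is the fallback when the pickle format cannot be changed.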

nanoMODBUS CVE-2026-54410 (CVSS 8.6): Off-by-one buffer overflow in recv_msg_header() of the Modbus/TCP server implementation. Allows remote unauthenticated attackers to trigger buffer overflows in Modbus/TCP services. Affects nanoMODBUS through 1.23.0. Patch ICS/IIoT devices using this library — Modbus is ubiquitous in industrial environments.
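The Modbus/TCP header check that this bug class lives in is small enough to show in full. The following is an added example, not nanoMODBUS code, and it does not reproduce the reported off-by-one; it is a bounds-checked parser for the MBAP header plus PDU, with constructed frames for the normal case, the largest legal frame, an oversized length claim and a truncated frame.

```python
"""Bounds-checked parsing of a Modbus/TCP ADU (MBAP header + PDU).  Added
example, not nanoMODBUS code, and it does not reproduce the reported
off-by-one; it shows the length checks a receiver must make before copying
a PDU into a fixed-size buffer."""
import struct

MBAP_LEN = 7                    # transaction id(2) + protocol id(2) + length(2) + unit id(1)
MAX_PDU = 253                   # Modbus PDU size limit
MAX_ADU = MBAP_LEN + MAX_PDU    # 260 bytes: the usual fixed receive buffer size

class ModbusFrameError(ValueError):
    pass

def build_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Encode a well-formed ADU; the length field counts unit id + PDU bytes."""
    if not 1 <= len(pdu) <= MAX_PDU:
        raise ValueError("PDU size out of range")
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def parse_adu(buf: bytes) -> dict:
    """Validate every length before indexing; raise ModbusFrameError otherwise."""
    if len(buf) < MBAP_LEN:
        raise ModbusFrameError("short header")
    tid, pid, length, unit = struct.unpack(">HHHB", buf[:MBAP_LEN])
    if pid != 0:
        raise ModbusFrameError("protocol id must be 0")
    # 'length' must cover at least unit id + function code (2) and at most
    # unit id + MAX_PDU (254).  Both bounds are inclusive; getting either
    # bound off by one admits a PDU one byte larger than the buffer holds.
    if length < 2 or length > MAX_PDU + 1:
        raise ModbusFrameError(f"length field {length} out of range")
    pdu_len = length - 1
    if len(buf) - MBAP_LEN < pdu_len:
        raise ModbusFrameError("truncated PDU")
    pdu = buf[MBAP_LEN:MBAP_LEN + pdu_len]
    return {"transaction_id": tid, "unit_id": unit, "function": pdu[0], "data": pdu[1:]}

def accepts(buf: bytes) -> bool:
    try:
        parse_adu(buf)
        return True
    except ModbusFrameError:
        return False

# Constructed frames (not captured traffic).
READ_HOLDING = build_adu(1, 17, bytes([0x03, 0x00, 0x00, 0x00, 0x0A]))  # FC3, start 0, 10 registers
MAX_FRAME = build_adu(2, 1, bytes([0x10]) + b"\x00" * 252)              # largest legal PDU (253 bytes)
OVERSIZED = bytes([0, 3, 0, 0, 0, 255, 1]) + b"\x10" + b"\x00" * 253   # length field claims 255

if __name__ == "__main__":
    print(parse_adu(READ_HOLDING))
    for name, frame in [("max", MAX_FRAME), ("oversized", OVERSIZED), ("truncated", READ_HOLDING[:-1])]:
        print(name, "accepted" if accepts(frame) else "rejected")
```

The two checks are independent on purpose: the first bounds the claimed length against the protocol maximum (what protects a fixed 260-byte buffer), the second bounds it against the bytes actually received (what protects against reading past the end of a short packet). A parser that does only one of them is still exploitable from the other side.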

MQTT-C CVE-2026-54412 (CVSS 8.2): Heap-based out-of-bounds read and integer underflow in mqtt_unpack_publish_response(). Affects MQTT-C through 1.1.6 — MQTT is widely used in IoT and industrial messaging. Update library in all dependent projects.


KEV Deadline Watch

TODAY (June 15): Oracle PeopleSoft CVE-2026-35273. Known ransomware. BOD 26-04. Dedicated advisory. DEADLINE.

OVERDUE — June 14: Ivanti Sentry CVE-2026-10520 (+1 day). First BOD 26-04 weekend deadline — patch immediately.

OVERDUE — June 11: Check Point Security Gateway CVE-2026-50751 (+4 days, ransomware). Disable IKEv1.

OVERDUE — June 10: Nx Console CVE-2026-48027 (+5 days, ransomware). Dedicated advisory.

OVERDUE — June 6: Mirasvit Cache Warmer CVE-2026-45247 (+9 days). Unauthenticated RCE on e-commerce.

OVERDUE — June 5: Android Framework CVE-2025-48595 (+10 days).

OVERDUE — June 1: Palo Alto PAN-OS CVE-2026-0257 (+14 days). Dedicated advisory.

June 19: SolarWinds Serv-U CVE-2026-28318 (4 days).

June 22: BerriAI LiteLLM CVE-2026-42271 (7 days).

June 23: Google Chromium V8 CVE-2026-11645 / Arista EOS CVE-2026-7473 / Cisco SD-WAN CVE-2026-20245 (8 days).


Updates on Items from Previous Reports

Oracle PeopleSoft CVE-2026-35273: Deadline today (Sunday). Dedicated advisory: CVE-2026-35273 Advisory. Patch or disconnect this weekend.

Ivanti Sentry CVE-2026-10520: Deadline passed yesterday. Now overdue — patch immediately.

Grafana Operator CVE-2026-11769: Dedicated advisory published. CVE-2026-11769 Advisory. Upgrade to 5.24.0.

LiteSpeed cPanel CVE-2026-54420: Dedicated advisory published. CVE-2026-54420 Advisory.

ABRT/libreport: 4-CVE grouped advisory published. ABRT/libreport Advisory.

MCP CVE-2026-11624: DNS rebinding advisory published. MCP Advisory. Upgrade to v0.25+.

WP Ticket CVE-2026-9848: SQL injection advisory published. CVE-2026-9848 Advisory.

Check Point, Nx Console, Mirasvit, Android, PAN-OS: All significantly past deadline. Overdue KEV count now at 6. Remediate or disconnect.

Arch Linux AUR, Spring, GitLab, UpdraftPlus, Apinizer, Golem OEE: Dedicated advisories published for all. See previous reports for links.

Chinese APT auth-flow hijacking: TTP alert from June 14 report. Review authentication boundary architectures in air-gapped networks. BleepingComputer Report.


This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
