Weekly Cyber Update: 12 June 2026

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris. Here’s our pick of the top stories, and why you should care.

---

WhatsApp claims NSO Group is still trying to compromise its users

WhatsApp has demanded a blacklisted Israeli spyware firm be held in contempt of court after claiming it is targeting its users again. NSO Group developed Pegasus spyware, which has been used by various clients worldwide to spy on mobile users. The latest report suggests the firm is now tricking victims into clicking on malicious links, rather than relying on zero-click exploits.

Why it matters

Commercial vendors are now using a variety of techniques to get their wares onto targets’ devices. For high-profile business executives, commercial spyware is a persistent threat given its use by nation-states to eavesdrop on people of interest. The threat of legal action appears to have had little impact on the developers of commercial spyware.

Assured’s recommended action

Block IoCs mentioned in the report. Review mobile device management policies to ensure executives are running appropriate mobile threat defence/EDR software. Update user awareness programmes, and consider a specialised programme for executives. Consider enforcing Lockdown Mode (iOS) for at-risk individuals.

---

Ivanti maximum-severity flaw exploited in the wild

Ivanti Sentry customers are being urged to patch a critical vulnerability in the security gateway product. CVE-2026-10520 is an OS command injection flaw with a CVSS score of 10.0. It could enable threat actors to achieve remote code execution as root on any internet-exposed gateways. There’s already evidence of exploitation.

Why it matters

Ivanti solutions, which are used by tens of thousands of global customers, are regularly targeted by threat actors. Compromising the security gateway product could provide access into the corporate mobile ecosystem, internal applications, email systems and more.

Assured’s recommended action

Audit for use of Ivanti Sentry and patch affected systems. Search logs for suspicious activity.

---

Microsoft patches Exchange Server bug currently under exploitation

Microsoft has patched a high-severity spoofing vulnerability which remote attackers could exploit with zero privileges. CVE-2026-42897 affects Exchange Server 2016, Exchange Server 2019, and Exchange Server Subscription Edition (SE) and can be exploited by attackers to target Outlook Web Access users via phishing emails. It has been added to CISA’s list of known exploited vulnerabilities.

Why it matters

Attackers could exploit the flaw to execute arbitrary JavaScript in the browser, thereby accessing a victim’s inbox. Exchange is a stepping stone into wider corporate systems, as well as a tier-0 system in its own right.

Assured’s recommended action

Patch all affected servers ASAP and review OWA and Exchange logs for suspicious activity.

---

Oracle PeopleSoft and TargetConnect campaign

Nottingham University has become the latest in a long line of organisations impacted by exploitation of an unauthenticated remote code execution vulnerability in Oracle PeopleSoft. The software’s integration with the higher education platform TargetConnect allowed the ShinyHunters extortion group to access student records, graduate placement data, and, in some cases, staff HR information. Over 100 organisations globally have been impacted by zero-day exploitation of CVE-2026-35273, which has a CVSS score of 9.8. NHS Digital has warned of potentially affected healthcare deployments of PeopleSoft.

Why it matters

Exploitation could result in unauthenticated access to sensitive business information, including HR records, payroll and financial data, and personally identifiable information (PII). If ShinyHunters are responsible, extortion attempts will follow.

Assured’s recommended action

Apply Oracle’s mitigations for CVE-2026-35273 immediately. Audit third-party integrations for lateral access and check whether TargetConnect or similar student/HR platforms have exposure.

---

ServiceNow bug exploited to gain access to customer instances

ServiceNow has revealed details of an unusual security incident in which some customers had data queried by unauthorised third parties. The firm said the issue mainly affects customers running the Australia platform release or those on older releases who made specific configuration changes. The flaw in question, which the hackers exploited via a vulnerable API endpoint, has not been assigned a CVE. ServiceNow claims the incident was caused by “security researchers or customer research”, but is still investigating.

Why it matters

ServiceNow represents a goldmine of corporate information including HR data, IT operations data, incident records, change management workflows, and financial approvals. It’s deeply integrated and trusted by default. Support cases, in particular, are a popular target for threat actors, as they often contain credentials, API tokens, sensitive internal documents, and other secrets.

Assured’s recommended action

Check your API access controls, review what data is accessible via external-facing endpoints, and audit integration permissions. If you haven’t conducted a ServiceNow security review recently, this incident should be a good opportunity to do so.