
Your Business Applications Became the Target This Month

July 1, 2026

Last month the fighting was at the edge. This stretch it moved inside. Over the past two weeks the systems that actually run an organization showed up on the actively-exploited list: the software that processes payments, stores HR records, watches the network for attacks, and manages product designs. When attackers reach the back office, a single unpatched server can hand them payroll data, financials, and a foothold everywhere else. Here is what deserves your attention and what to do about it.

Oracle became the season's favorite way in

Two Oracle flaws are driving real damage right now. The most urgent is CVE-2026-46817, a vulnerability in the Payments component of Oracle E-Business Suite that lets an unauthenticated attacker take over the system with a single crafted web request. Oracle shipped a fix in its May 2026 Critical Patch Update, but threat researchers reported active exploitation starting the weekend of June 27, and the internet-scanning group Shadowserver counts roughly 950 E-Business Suite servers reachable from the open internet. There is no public exploit code yet, which means whoever is doing this built their own and has a head start.

The second is CVE-2026-35273, a missing-authentication flaw in Oracle PeopleSoft that gives an attacker full control of the server with no login required. It was exploited as a zero-day between May 27 and June 9, before Oracle put out an emergency alert. Google's Mandiant tied the campaign to an extortion crew and notified more than 100 organizations. Sixty-eight percent of them were colleges and universities. Confirmed victims include Nottingham University and the National Association of Insurance Commissioners, and Nissan has since disclosed a breach traced to its own PeopleSoft system.

If you run either product, this is a same-week job. Oracle's fixes for both are available: the May update for E-Business Suite and an out-of-cycle alert for PeopleSoft, which CISA flagged as actively exploited on June 12. Get both systems off the public internet if they are exposed, since neither belongs in front of the open web. Then assume you may have been probed already and review access logs back to late May for logins and requests you cannot account for.

Your security tools are a target too

The uncomfortable story this stretch is CVE-2026-20253, a critical flaw in Splunk Enterprise, the platform many organizations use to collect logs and detect attacks. A background database service that ships with Splunk was left without any authentication, so anyone who can reach it over the network can create or overwrite files on the server. Researchers turned that into full remote code execution within days, and CISA confirmed active exploitation on June 18 with a three-day federal patch deadline.

Consider what it means for an attacker to own the system that is supposed to watch for attackers. They can read your security data, delete the record of what they did, harvest stored credentials, and move deeper into your network from a box your team trusts. This affects on-premises Splunk Enterprise versions 10.0 and 10.2. The hosted Splunk Cloud service is not affected. Upgrade to 10.2.4, 10.0.7, or 10.4.0. If you cannot patch this week, Splunk's advisory explains how to disable the vulnerable database service, though that breaks some data-pipeline features, so test it before you rely on it.

Phone systems and factory-floor software made the list

Two more business systems that rarely enter a patch conversation are now being exploited. CVE-2026-20230 affects Cisco Unified Communications Manager, the software behind many organizations' phone and conferencing systems, and lets an unauthenticated attacker reach internal systems through crafted web requests. Cisco patched it on June 3, and attackers began using it in the days before CISA set a June 28 deadline. In the same update, CISA flagged CVE-2026-12569, a remote code execution flaw in PTC Windchill and FlexPLM, the product-lifecycle software that manufacturers and product companies use to manage designs and specifications. Both carried the same June 28 deadline.

The thread connecting these is that "business application" now includes systems nobody pictures as internet infrastructure. Your phone platform, your engineering software, and your monitoring stack all run code, all sit on the network, and all need patching on a schedule someone owns. If no one owns that schedule, attackers will find the gap.

What to do this week

  1. Patch in order of exposure and damage: any internet-facing Oracle E-Business Suite or PeopleSoft server first, then Splunk Enterprise, then Cisco Unified Communications Manager and PTC Windchill.
  2. Pull your business applications off the public internet. Financial systems, HR platforms, and management consoles belong behind a VPN or on an internal network, reachable only by the people who need them.
  3. Build one list of your business-critical applications and who is responsible for patching each. Include the systems that are easy to forget: phone platforms, monitoring tools, and engineering software.
  4. For the Oracle and Splunk flaws, review logs across the exploitation windows above and look for new accounts, unexpected files, or database activity you cannot tie to normal work.
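Step 4 is the one that takes real effort, so here is an added worked example of the kind of review it calls for; it is not code from the newsletter or from any vendor. It scopes a web access log to an exploitation window (the PeopleSoft zero-day dates from the article, May 27 through June 9), builds a baseline from everything logged before that window, and reports sources that were never seen before plus write requests the server accepted without an authenticated user. The log lines, the hostnames and the application paths are constructed placeholders, not real indicators, and the common-log layout is an assumption; adapt the regular expression to whatever your application actually writes.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Common-log layout (ip ident user [timestamp] "request" status size).
# This is an assumed format; the sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Review window: the PeopleSoft zero-day window from the newsletter,
# May 27 to June 9, expressed with an exclusive end of June 10.
WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 10, tzinfo=timezone.utc)

WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample log: paths and addresses are placeholders.
LOG_LINES = [
    # Baseline traffic from before the window.
    '10.0.0.5 - jsmith [20/May/2026:09:01:00 +0000] "GET /app/login HTTP/1.1" 200 5120',
    '10.0.0.5 - jsmith [20/May/2026:09:02:10 +0000] "POST /app/reports HTTP/1.1" 200 812',
    '10.0.0.9 - mlee [24/May/2026:14:20:33 +0000] "GET /app/reports HTTP/1.1" 200 4096',
    # In-window traffic: one known user, one address never seen before.
    '10.0.0.9 - mlee [01/Jun/2026:08:00:01 +0000] "GET /app/reports HTTP/1.1" 200 4096',
    '203.0.113.77 - - [02/Jun/2026:03:14:07 +0000] "GET /app/login HTTP/1.1" 200 5120',
    '203.0.113.77 - - [02/Jun/2026:03:14:09 +0000] "POST /app/admin/upload HTTP/1.1" 200 61',
    '203.0.113.77 - - [02/Jun/2026:03:14:12 +0000] "GET /app/admin/tasks HTTP/1.1" 403 0',
    # After the window; the review ignores it.
    '10.0.0.5 - jsmith [15/Jun/2026:10:00:00 +0000] "GET /app/login HTTP/1.1" 200 5120',
]


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def review_window(lines, start=WINDOW_START, end=WINDOW_END):
    """Compare in-window traffic with the pre-window baseline.

    Reports source addresses absent from the baseline, write requests the
    server accepted (2xx) with no authenticated user, and per-source
    request counts inside the window for manual triage.
    """
    records = [r for r in map(parse_line, lines) if r]
    baseline_ips = {r["ip"] for r in records if r["ts"] < start}
    in_window = [r for r in records if start <= r["ts"] < end]
    new_sources = sorted({r["ip"] for r in in_window} - baseline_ips)
    unauth_writes = [
        (r["ip"], r["ts"].isoformat(), r["path"])
        for r in in_window
        if r["method"] in WRITE_METHODS
        and r["user"] == "-"
        and 200 <= r["status"] < 300
    ]
    return {
        "in_window": len(in_window),
        "new_sources": new_sources,
        "unauthenticated_writes": unauth_writes,
        "requests_by_source": dict(Counter(r["ip"] for r in in_window)),
    }


def run_review():
    """Run the review over the constructed sample with the article's window."""
    return review_window(LOG_LINES)


if __name__ == "__main__":
    for key, value in run_review().items():
        print(f"{key}: {value}")
```

A baseline built from a few weeks of pre-window traffic is what makes the "new source" signal meaningful; run this against the full retention period, not a day's extract. The unauthenticated-write check is deliberately narrow: anonymous reads of a login page are normal, an accepted POST to an administrative path with no user attached is not. For the E-Business Suite flaw, move the window to start at June 27, and for Splunk apply the same idea to the database service's own logs rather than the web tier.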

Quick hits

  • Ivanti Sentry (CVE-2026-10520): a maximum-severity flaw that lets an unauthenticated attacker run commands as root on this mobile-management gateway. A working exploit went public a day after the fix, and CISA added it to the exploited list on June 11. If you run Sentry, patch it now.
  • Joomla Content Editor (CVE-2026-48907): a maximum-severity flaw in a widely used Joomla editing extension that lets an unauthenticated user upload and run code on the website. CISA flagged active exploitation on June 16, and the vendor fixed it in the update released June 3. If your public site runs Joomla with this editor, update it.

The bottom line

The pattern this month is plain. Attackers have moved from the doors and windows of the network to the rooms where the valuable work happens. The defense is knowing what you run, keeping it off the open internet, and patching it before someone else finds it. If keeping a current picture of which business systems you own, where they are exposed, and which ones need patching is the hard part, that is the visibility a vendor operations layer is built to provide.

Harborcoat Threat Watch delivers clear, practical cybersecurity guidance for business and IT leaders, about twice a month.