Published | Critical
Updated 16 June 2026, 12:38 am

Daily Threat Intelligence Update - 2026-06-16

Check Point VPN and PeopleSoft drove the highest-confidence June actions

Executive Summary

  • Check Point VPN exposure became the top urgent item after public reporting tied CVE-2026-50751 zero-day exploitation to Qilin ransomware activity dating back to 2026-05-07.
  • Oracle PeopleSoft CVE-2026-35273 deserved near-equal priority because attacks reportedly occurred before the June 10 fix, making historical log review as important as patching.
  • Identity and endpoint risk both rose this cycle through Kali365 Microsoft 365 token theft and urgent Microsoft and Chrome client-side fixes.

Immediate Triage Actions

  • Patch or mitigate exposed Check Point Mobile Access, Remote Access VPN, and Spark gateways and review auth logs from 2026-05-07 onward.
  • Patch PeopleSoft 8.61 or 8.62 where affected and inspect web, app, and database logs for suspicious access from 2026-05-27 through 2026-06-09.
  • Force June Windows updates and current Chrome stable on privileged users and unmanaged exception devices first.
  • Review device-code sign-ins in Microsoft 365 and restrict or block device-code flow where business impact allows.

Threat Items

3 tracked items
critical | Critical CVE / VPN / Ransomware | Review

Check Point CVE-2026-50751 linked to Qilin ransomware activity

A critical authentication bypass affecting certain Check Point VPN deployments was reportedly exploited as a zero-day, with observed activity dating back to May 7.

MITRE: T1133, T1190 | Owner: Triage

Action: Inventory remote-access services, disable IKEv1 where feasible, patch affected gateways, and investigate unusual VPN sessions.

critical | Critical CVE / ERP / Data Theft | Review

Oracle PeopleSoft CVE-2026-35273 pre-patch exploitation window

Oracle warned that a remotely exploitable unauthenticated RCE in PeopleSoft was exploited before the June 10 fix, increasing exposure for internet-reachable ERP environments.

MITRE: T1190, T1041 | Owner: Triage

Action: Patch exposed instances, inspect logs for suspicious access, and assess whether HR, student, or finance data may have been staged.

high | Phishing / Token Theft / Microsoft 365 | Y

Kali365 lowered the barrier for device-code phishing and token capture

The FBI warned that Kali365 can capture Microsoft 365 OAuth tokens through device-code lures, bypassing traditional credential and MFA assumptions.

MITRE: T1566.002, T1528 | Owner: Triage

Action: Audit device-code sign-ins, restrict device authentication flow via Conditional Access, and revoke suspicious refresh tokens.
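
One way to run the device-code sign-in audit described above, added here as an example and not part of the original update: it lists successful device-code sign-ins from exported sign-in records and marks those from a country the user never appears in through any other flow. Assumptions: records follow the Microsoft Graph signIn shape, with authenticationProtocol taken from the beta schema; the sample data, the new-country heuristic, and the names rec and device_code_findings are constructed for illustration.

```python
from collections import defaultdict

def rec(ts, upn, proto, err, country, ip):
    """Build one constructed record shaped like a Microsoft Graph signIn."""
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "authenticationProtocol": proto, "status": {"errorCode": err},
            "location": {"countryOrRegion": country}, "ipAddress": ip}

# Constructed sample data; addresses are documentation ranges and the
# non-zero error code is only a stand-in for "sign-in did not succeed".
SAMPLE = [
    rec("2026-06-10T08:01:00Z", "ana@example.com", "none", 0, "US", "198.51.100.7"),
    rec("2026-06-12T02:14:00Z", "ana@example.com", "deviceCode", 0, "NL", "203.0.113.50"),
    rec("2026-06-11T09:30:00Z", "bob@example.com", "none", 0, "DE", "192.0.2.10"),
    rec("2026-06-11T09:45:00Z", "bob@example.com", "deviceCode", 0, "DE", "192.0.2.10"),
    rec("2026-06-13T17:05:00Z", "cy@example.com", "deviceCode", 70016, "BR", "203.0.113.9"),
]

def device_code_findings(records, since=None):
    """Return successful device-code sign-ins, unfamiliar-country ones first."""
    # Countries each user normally signs in from, learned from all
    # successful sign-ins that did not use the device-code flow.
    usual = defaultdict(set)
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" and r["status"]["errorCode"] == 0:
            usual[r["userPrincipalName"]].add(r["location"]["countryOrRegion"])

    findings = []
    for r in records:
        if r["authenticationProtocol"] != "deviceCode" or r["status"]["errorCode"] != 0:
            continue  # only completed device-code sign-ins yield tokens
        if since and r["createdDateTime"] < since:
            continue  # ISO-8601 UTC strings compare correctly as text
        upn, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        findings.append({"user": upn, "time": r["createdDateTime"],
                         "ip": r["ipAddress"], "country": country,
                         "new_country": country not in usual[upn]})
    # Review order: unfamiliar-country sign-ins first, then by time.
    return sorted(findings, key=lambda f: (not f["new_country"], f["time"]))

if __name__ == "__main__":
    for finding in device_code_findings(SAMPLE):
        print(finding)
```

Users who appear here with no business need for device-code flow are the first candidates for the Conditional Access restriction and refresh-token revocation named in the action.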