June 30, 2026 opens with a convergence of threats that should put every SOC on elevated alert. Three distinct attack surfaces are under active exploitation simultaneously: Oracle enterprise applications, a widely deployed remote support tool, and legitimate cloud storage being weaponized as a covert command channel. The common thread is speed — attackers are moving from initial access to data exfiltration before many organizations have even assessed their exposure. Here is what you need to know and do today.
Oracle Under Siege: EBS and PeopleSoft Both Actively Exploited
The most urgent story of the day is the active exploitation of CVE-2026-46817, a critical flaw in Oracle E-Business Suite carrying a CVSS score of 9.8. The vulnerability involves improper privilege management and authentication weaknesses in Oracle Payments, meaning an unauthenticated or low-privileged attacker could potentially escalate access to sensitive financial and operational data. Oracle EBS environments frequently sit at the heart of enterprise finance, HR, and supply chain operations, making successful exploitation catastrophic in scope.
Parallel to this, the ShinyHunters extortion group has been actively exploiting a zero-day vulnerability in Oracle PeopleSoft, with confirmed victims now including Nissan and the National Association of Insurance Commissioners. Nissan has disclosed that current and former employee data was compromised. The NAIC breach, while reportedly limited to publicly available data, outdated logs, and configuration files, demonstrates that even partial access to enterprise systems can yield intelligence useful for follow-on attacks — credential stuffing, phishing, and social engineering campaigns built on harvested employee and organizational data.
Organizations running Oracle EBS or PeopleSoft must treat patching as a fire drill, not a scheduled maintenance window. If patches are not yet available or cannot be applied immediately, consider the following interim actions:
- Isolate Oracle application servers from direct internet exposure behind authenticated reverse proxies or VPNs
- Audit and restrict service accounts with elevated privileges in both EBS and PeopleSoft environments
- Enable detailed access logging on Oracle application tiers and ship logs to your SIEM immediately
- Hunt for anomalous authentication events, especially privilege escalation patterns or access from unexpected source IPs
- Review all active sessions and revoke any that cannot be attributed to known users or processes
SimpleHelp Authentication Bypass Added to CISA KEV
CISA has added CVE-2026-48558, an authentication bypass vulnerability in SimpleHelp, to its Known Exploited Vulnerabilities catalog. SimpleHelp is a remote support and access platform used by managed service providers and IT teams globally. Authentication bypass flaws in remote access tools are among the most dangerous vulnerability classes because they hand attackers a ready-made, trusted foothold inside the network — often with the same level of access as a legitimate support technician.
Federal agencies are bound by BOD 22-01 to remediate KEV entries on mandated timelines, but every organization using SimpleHelp should treat this with the same urgency regardless of sector. Recommended actions:
- Apply the vendor patch immediately; if unavailable, restrict SimpleHelp access to known management IP ranges only
- Audit all active SimpleHelp sessions and terminate any that are unrecognized
- Review SimpleHelp server logs for sessions that were established without the credential exchange a legitimate login would normally produce
- Consider temporarily disabling external-facing SimpleHelp instances until patching is confirmed complete
- Ensure multi-factor authentication is enforced on all remote access tooling across the environment
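The session review and authentication hunting steps in both lists above (revoking unattributed sessions, spotting privilege escalation and access from unexpected source IPs) can be run as one script over normalized events. The following is an added example, not code from Oracle, SimpleHelp, or the author of this briefing; the event format, the management IP ranges, the role names and every sample record are constructed assumptions to be replaced with your own telemetry.

```python
"""Hunt for the authentication patterns the lists above describe:
successful logins from outside the expected management ranges, privileged
role grants (including self-grants), and active sessions that cannot be
attributed to a known user or an expected source.

Added example; the normalized event format, the IP ranges, the role names
and all sample data below are constructed assumptions, not Oracle or
SimpleHelp log formats."""
import ipaddress

# Assumed: networks from which administrative access is expected
EXPECTED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Assumed: role names that confer administrative power in the application
PRIVILEGED_ROLES = {"SYSTEM_ADMINISTRATOR", "PS_ADMIN"}

# Constructed sample events, already normalized from an application access
# log into ts / user / src / action / result (plus target and role for grants)
SAMPLE_EVENTS = [
    {"ts": "2026-06-30T08:01:12Z", "user": "jsmith", "src": "10.20.4.7",
     "action": "login", "result": "success"},
    {"ts": "2026-06-30T08:03:40Z", "user": "svc_payments", "src": "10.20.4.9",
     "action": "login", "result": "success"},
    {"ts": "2026-06-30T02:14:05Z", "user": "svc_payments", "src": "203.0.113.77",
     "action": "login", "result": "success"},
    {"ts": "2026-06-30T02:15:30Z", "user": "svc_payments", "src": "203.0.113.77",
     "action": "grant_role", "result": "success",
     "target": "svc_payments", "role": "SYSTEM_ADMINISTRATOR"},
    {"ts": "2026-06-30T09:00:00Z", "user": "admin1", "src": "192.168.50.3",
     "action": "grant_role", "result": "success",
     "target": "newhire", "role": "AP_CLERK"},
    {"ts": "2026-06-30T09:30:00Z", "user": "jsmith", "src": "198.51.100.5",
     "action": "login", "result": "failure"},
]

# Constructed sample of currently active sessions and the user directory
SAMPLE_SESSIONS = [
    {"id": "s-101", "user": "jsmith", "src": "10.20.4.7"},
    {"id": "s-102", "user": "svc_payments", "src": "203.0.113.77"},
    {"id": "s-103", "user": "unknown_tech", "src": "198.51.100.9"},
]
KNOWN_USERS = {"jsmith", "svc_payments", "admin1", "newhire"}


def src_is_expected(ip: str) -> bool:
    """True when the source address falls inside an expected management range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_SOURCES)


def hunt(events):
    """Return one alert per successful event that matches a hunting rule."""
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are noise for these two rules
        if e["action"] == "login" and not src_is_expected(e["src"]):
            alerts.append({"rule": "login_from_unexpected_source",
                           "user": e["user"], "src": e["src"], "ts": e["ts"]})
        if e["action"] == "grant_role" and e.get("role") in PRIVILEGED_ROLES:
            # An account granting itself an admin role is the escalation
            # pattern worth triaging first
            rule = ("self_grant_privileged_role" if e.get("target") == e["user"]
                    else "privileged_role_granted")
            alerts.append({"rule": rule, "user": e["user"], "target": e.get("target"),
                           "role": e["role"], "src": e["src"], "ts": e["ts"]})
    return alerts


def review_sessions(sessions, known_users):
    """Return ids of sessions to revoke: unknown user or unexpected source."""
    return [s["id"] for s in sessions
            if s["user"] not in known_users or not src_is_expected(s["src"])]


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print("ALERT", a)
    print("revoke sessions:", review_sessions(SAMPLE_SESSIONS, KNOWN_USERS))
```

On the constructed data the script raises two alerts, both for the same account: a login from outside the management ranges followed minutes later by a self-grant of an administrative role, which is exactly the sequence to escalate to incident response. It also lists two sessions for revocation: one for a user not in the directory and one for a known user connected from an unexpected source.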
Mustang Panda Turns Zoho WorkDrive Into a Covert Command Channel
On the espionage front, the China-aligned threat actor Mustang Panda has been observed running active campaigns against Indian government and hydropower sector targets, deploying new malware and using Zoho WorkDrive as a command-and-control channel. This technique — abusing legitimate, trusted cloud services for C2 — is increasingly common among sophisticated actors because it blends malicious traffic with normal business activity, defeating many traditional network-based detections that rely on known-bad domains or IP reputation.
For defenders, this means perimeter controls alone are insufficient. Recommended actions:
- Implement behavioral analytics to detect unusual outbound data volumes to cloud storage platforms, even trusted ones like Zoho, Google Drive, or OneDrive
- Monitor for processes making unexpected connections to cloud storage APIs, particularly from endpoints that have no business reason to do so
- Enforce application allowlisting on sensitive government and critical infrastructure endpoints to prevent unauthorized binaries from executing
- Review DNS and proxy logs for cloud storage access patterns that occur outside business hours or from servers rather than user workstations
- Threat hunt for indicators associated with Mustang Panda tooling as published by Acronis Threat Research Unit
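One way to turn the list above into detection logic, run here over a handful of constructed proxy log lines. This is an added example, not code from the briefing or from Acronis; the log format, the cloud storage domain list, the host-role inventory, the business-hours window and the volume threshold are all assumptions to be replaced with your own.

```python
"""Detect the cloud-storage-as-C2 pattern described above from proxy logs:
cloud storage access from server-role hosts, access outside business hours,
and unusually large outbound volume per host.

Added example; the log line format, domain list, host inventory, hours
window and threshold are assumptions, not any vendor's format or defaults."""
from collections import defaultdict
from datetime import datetime, timezone

# Assumed: legitimate cloud storage endpoints that can be abused as a channel
CLOUD_STORAGE_DOMAINS = {"workdrive.zoho.com", "drive.google.com", "graph.microsoft.com"}
# Assumed: asset inventory mapping hostnames to roles
HOST_ROLES = {"WS-0412": "workstation", "WS-0455": "workstation", "APP-SRV-07": "server"}
BUSINESS_HOURS = (9, 18)          # assumed, UTC, [start, end)
VOLUME_THRESHOLD = 10 * 1024 * 1024  # assumed per-host outbound bytes per log window

# Constructed sample proxy log:
# timestamp client_host client_ip method dest_host bytes_out status
SAMPLE_PROXY_LOG = """\
2026-06-30T10:15:02Z WS-0412 10.1.5.12 POST drive.google.com 48213 200
2026-06-30T10:16:40Z WS-0412 10.1.5.12 GET www.example.com 1200 200
2026-06-30T03:02:11Z APP-SRV-07 10.1.9.20 POST workdrive.zoho.com 5242880 200
2026-06-30T03:04:11Z APP-SRV-07 10.1.9.20 POST workdrive.zoho.com 7340032 200
2026-06-30T11:30:00Z WS-0455 10.1.5.40 POST workdrive.zoho.com 912000 200
"""


def parse_line(line: str) -> dict:
    """Split one constructed proxy log line into typed fields."""
    ts, host, ip, method, dest, bytes_out, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "host": host, "ip": ip, "method": method, "dest": dest,
            "bytes_out": int(bytes_out), "status": int(status)}


def is_cloud_storage(dest: str) -> bool:
    return dest in CLOUD_STORAGE_DOMAINS


def off_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return not (start <= ts.hour < end)


def detect(log_text: str) -> dict:
    """Return {host: sorted rule names} for hosts that match any rule.

    Per-event findings are collapsed to one entry per host and rule so a
    beaconing host produces a handful of findings rather than one per request."""
    findings = defaultdict(set)
    egress = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if not is_cloud_storage(e["dest"]):
            continue
        egress[e["host"]] += e["bytes_out"]
        # Servers rarely have a business reason to talk to personal cloud storage;
        # hosts missing from the inventory get no role and deserve their own review
        if HOST_ROLES.get(e["host"]) == "server":
            findings[e["host"]].add("server_to_cloud_storage")
        if off_hours(e["ts"]):
            findings[e["host"]].add("off_hours_cloud_storage")
    for host, total in egress.items():
        if total > VOLUME_THRESHOLD:
            findings[host].add("cloud_storage_egress_volume")
    return {host: sorted(rules) for host, rules in findings.items()}


if __name__ == "__main__":
    for host, rules in detect(SAMPLE_PROXY_LOG).items():
        print(host, "->", ", ".join(rules))
```

On the constructed log only the server host trips any rule, and it trips all three at once (server role, 03:00 UTC activity, more than 10 MiB uploaded), which is the kind of stacked signal that should outrank any single rule in SIEM scoring. Workstation uploads during business hours pass without a finding, so the rules stay quiet on ordinary use of the same trusted domains.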
Defensive Priorities for Today
Ranking your response effort for June 30:
- First: Patch or isolate Oracle EBS and PeopleSoft instances — active exploitation with confirmed breaches is in progress
- Second: Patch SimpleHelp immediately and audit all remote access sessions — CISA KEV listing confirms real-world exploitation
- Third: Tune SIEM and proxy rules to detect cloud storage C2 patterns and hunt for Mustang Panda indicators in government and critical infrastructure environments
- Ongoing: Ensure privileged access management controls, MFA enforcement, and network segmentation are validated across all enterprise systems
The convergence of enterprise application exploitation, remote access tool abuse, and cloud-native C2 on a single day is a reminder that threat actors operate across multiple vectors simultaneously. Defense must be equally broad.
This briefing is informational and does not substitute for official vendor advisories, CISA guidance, or your organization's own risk assessment processes.
Oracle, SimpleHelp, and Cloud Abuse: A Perfect Storm Demanding Immediate Action
2026-06-30
Active exploitation of Oracle E-Business Suite and PeopleSoft vulnerabilities, a newly catalogued SimpleHelp authentication bypass, and Mustang Panda's abuse of Zoho WorkDrive define a dangerous threat landscape on June 30, 2026. Security teams must act now across patching, monitoring, and cloud egress controls.