
A high-impact week: AI agents in CI/CD as a new attack vector, two top-tier corporate firewalls with active VPN bypasses, the densest Patch Tuesday of the year, and an extortion group spending 14 days inside university systems before the vendor publishes the advisory. The summary you need before the weekend.
🔴 The Claude Code GitHub Action was exposing your CI/CD pipeline secrets via prompt injection
Microsoft Threat Intelligence discovered and responsibly disclosed a vulnerability in the official Claude Code GitHub Action: an attacker could plant hidden instructions inside an HTML comment in an issue or PR body (not rendered to the human reviewer, but passed to the model as part of its prompt) and have the agent read /proc/self/environ on the CI/CD runner, where the workflow's API keys, GitHub tokens, AWS credentials and any other secrets passed as environment variables live. The fix has been available since 5 May in Claude Code 2.1.128. Microsoft frames the finding with the “Agents Rule of Two”: no AI workflow should combine untrusted input, access to sensitive secrets and the ability to act on external systems at the same time.
→ What you should do: Update the GitHub Action to v1.0.94 or later and Claude Code to 2.1.128 or later. Audit every workflow that runs an AI agent against the Agents Rule of Two, starting with those triggered by issue, comment or pull request events. Full analysis →
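One way to run that audit mechanically, as an added example that is not code from the newsletter, Microsoft or the Claude Code project: the script below encodes the Agents Rule of Two as a heuristic over GitHub Actions workflows and flags any job that runs on an attacker-influenced event, passes `${{ secrets.* }}` to a step, and holds write permissions. The two workflows embedded in it are constructed for illustration (the action and secret names are assumptions), written as JSON so the example runs without PyYAML; on real files you would load `.github/workflows/*.yml` with `yaml.safe_load()` instead.

```python
"""Agents Rule of Two audit for GitHub Actions workflows.

Added example; not code from the newsletter, Microsoft or the Claude Code
project. A job is flagged when it combines all three capabilities the rule
says must never coexist: (1) it runs on an event whose payload an outsider
controls, (2) it hands secrets to a step, and (3) it holds write permissions
with which the agent can act. Workflows are embedded as JSON (a subset of
YAML) so the example runs without PyYAML; on real files use yaml.safe_load().
"""
import json
import re

# Events whose title/body/comment text is attacker-controlled on a public repo.
UNTRUSTED_TRIGGERS = {
    "issues", "issue_comment", "pull_request", "pull_request_target",
    "pull_request_review", "pull_request_review_comment", "discussion",
}
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.[A-Za-z0-9_]+\s*\}\}")


def _triggers(workflow):
    # PyYAML parses the bare key `on:` as boolean True (YAML 1.1), so check both.
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        return {on}
    if isinstance(on, list):
        return set(on)
    return set(on.keys())


def _references_secret(obj):
    """True if any string nested in obj contains a ${{ secrets.X }} expression."""
    if isinstance(obj, str):
        return bool(SECRET_REF.search(obj))
    if isinstance(obj, dict):
        return any(_references_secret(v) for v in obj.values())
    if isinstance(obj, list):
        return any(_references_secret(v) for v in obj)
    return False


def _can_write(permissions):
    """True for write-all, any scope set to write, or no explicit permissions
    (the repository default may be read-write, so unset is treated as write)."""
    if permissions is None or permissions == "write-all":
        return True
    if isinstance(permissions, dict):
        return any(v == "write" for v in permissions.values())
    return False  # "read-all" or anything else


def rule_of_two_violations(workflow):
    """Return the ids of jobs that combine untrusted input, secrets and write access."""
    if not (_triggers(workflow) & UNTRUSTED_TRIGGERS):
        return []
    top_perms = workflow.get("permissions")
    flagged = []
    for job_id, job in workflow.get("jobs", {}).items():
        steps = job.get("steps", [])
        uses_secrets = _references_secret(job.get("env")) or any(
            _references_secret(step.get("env")) or _references_secret(step.get("with"))
            for step in steps)
        if uses_secrets and _can_write(job.get("permissions", top_perms)):
            flagged.append(job_id)
    return flagged


def audit(workflow_json):
    """Parse a workflow given as JSON text and return the flagged job ids."""
    return rule_of_two_violations(json.loads(workflow_json))


# Constructed workflow for illustration; action and secret names are assumed.
VULNERABLE_WORKFLOW = """{
  "name": "Claude review",
  "on": {"issue_comment": {"types": ["created"]}},
  "permissions": {"contents": "write", "pull-requests": "write", "issues": "write"},
  "jobs": {"review": {"runs-on": "ubuntu-latest", "steps": [
    {"uses": "actions/checkout@v4"},
    {"uses": "anthropics/claude-code-action@v1",
     "with": {"anthropic_api_key": "${{ secrets.ANTHROPIC_API_KEY }}",
              "github_token": "${{ secrets.GITHUB_TOKEN }}"}}]}}
}"""

# Same trigger and secrets, but the job is read-only: two capabilities, not three.
HARDENED_WORKFLOW = VULNERABLE_WORKFLOW.replace('"write"', '"read"')

if __name__ == "__main__":
    print("vulnerable:", audit(VULNERABLE_WORKFLOW))  # ['review']
    print("hardened:", audit(HARDENED_WORKFLOW))      # []
```

The hardened variant keeps the untrusted trigger and the secrets but drops write access, which is one of the three legitimate ways to satisfy the rule; the other two are moving the agent to a trusted trigger (for example a maintainer-only `workflow_dispatch`) or running it with no secrets at all. Treating a job with no explicit `permissions:` as writable is deliberate: the repository default token permissions are outside the workflow file, so the conservative reading is the safe one.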
🔴 Check Point VPN CVE-2026-50751: IKEv1 authentication bypass active since May with a Qilin affiliate inside
A logic flaw in certificate validation in the IKEv1 implementation (a 1998 protocol still enabled in thousands of environments for legacy compatibility) lets an unauthenticated remote attacker establish a VPN session without valid credentials. Exploitation began on 7 May, a month before the public advisory, and at least one intrusion is attributed to a Qilin affiliate, the same group behind the Ahorramas attack. Emergency hotfixes are available for supported versions; R81.10, R81 and R80.40 are end of life and will not be patched.
→ What you should do: Check in SmartConsole whether IKEv1 is enabled on any gateway or VPN community. Apply the emergency hotfix. If you cannot, disable IKEv1 and allow IKEv2 only. Review VPN authentication logs from 7 May onwards for sessions established over IKEv1 from unexpected peers. Full analysis →
🔴 June 2026 Patch Tuesday: 200 vulnerabilities, wormable Windows kernel (CVSS 9.8) and the definitive fix for Exchange CVE-2026-42897
The biggest Patch Tuesday of the year: more than 200 vulnerabilities, 6 zero-days and 33 rated Critical. The headline is CVE-2026-45657, a Windows kernel RCE with CVSS 9.8 that the Zero Day Initiative classifies as potentially wormable (network-reachable with no authentication or user interaction, which is what the 9.8 implies), the same pattern as EternalBlue. Also: CVE-2026-47291 (HTTP.sys RCE, CVSS 9.8, rated “exploitation more likely”, with a temporary mitigation available), CVE-2026-44815 (DHCP Client RCE, CVSS 9.8) and, finally, the permanent patch for Exchange CVE-2026-42897, the zero-day exploited in the wild since May.
→ What you should do: Top priority this week: CVE-2026-41091 (Defender, actively exploited), CVE-2026-45657 (wormable kernel RCE) and CVE-2026-47291 (HTTP.sys; apply the mitigation wherever you cannot patch yet). Apply the definitive Exchange patch. Full analysis →
🔴 ShinyHunters exploited Oracle PeopleSoft CVE-2026-35273 as a zero-day 14 days before the advisory: 100+ organisations, 68% universities
Mandiant and Google GTIG confirm that ShinyHunters (UNC6240) exploited an unauthenticated RCE (CVSS 9.8) in Oracle PeopleSoft’s Environment Management Hub from 27 May to 9 June. Oracle published the advisory on 10 June, 14 days after exploitation began and after the campaign had already concluded. More than 100 organisations were compromised, 68% of them universities, including the University of Nottingham with 500,000 student records. It is the same group that attacked Canvas/Instructure in May.
→ What you should do: Verify whether /PSEMHUB/* is reachable from the internet and block it immediately at the reverse proxy or firewall; it is an administrative component that should never be exposed publicly. Apply the Oracle patch (My Oracle Support). Review web server logs from 27 May onwards for requests to /PSEMHUB/ from external addresses, and look for outbound SMB traffic on port 445 from the PeopleSoft hosts. Full analysis →
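The log review from that checklist, as an added example that is not code from the newsletter, Oracle or Mandiant: the script below parses web server access logs in the common/combined format, keeps requests to `/PSEMHUB/` from 27 May onwards, discards internal sources, and groups what is left by client address so you can see who hammered the hub and whether they got a 200 back. The log lines are constructed; the `/PSEMHUB/hub` path and the field layout are assumptions, so adapt `LOG_RE` to whatever your PIA web server or load balancer actually writes. The port 445 check belongs at the firewall or NetFlow collector, not in this log.

```python
"""Hunt access logs for internet-originated requests to PeopleSoft's /PSEMHUB/.

Added example; not code from the newsletter, Oracle or Mandiant. It parses
common/combined-format web server lines, keeps requests whose path begins
with /PSEMHUB/ from the start of the exploitation window onwards, and reports
those from non-internal sources grouped by client address. The log lines
below are constructed; the /PSEMHUB/hub path and the field layout are
assumptions, so adjust LOG_RE to match your PIA web server or load balancer.
"""
import ipaddress
import re
from datetime import datetime, timezone

WINDOW_START = datetime(2026, 5, 27, tzinfo=timezone.utc)  # first known exploitation
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10")]

# Constructed sample: one normal PIA request, two external hits on the hub
# inside the window, one internal hit, one external hit before the window.
SAMPLE_LOG = """\
10.20.30.5 - - [26/May/2026:08:14:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5321
198.51.100.23 - - [28/May/2026:02:41:17 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 244
198.51.100.23 - - [28/May/2026:02:41:19 +0000] "POST /PSEMHUB/hub HTTP/1.1" 500 0
192.168.4.17 - - [28/May/2026:09:05:44 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 1122
203.0.113.9 - - [20/May/2026:11:00:01 +0000] "GET /PSEMHUB/hub HTTP/1.1" 404 120
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_internal(ip):
    """RFC 1918, loopback and link-local sources are not reported."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # hostname or garbage: not attributable, skipped here
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_psemhub_hits(log_text, window_start=WINDOW_START):
    """External requests to /PSEMHUB/ on or after window_start, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].upper().startswith("/PSEMHUB/"):
            continue
        if rec["ts"] < window_start or is_internal(rec["ip"]):
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Group hits by source address: request count, first/last seen, status codes."""
    by_ip = {}
    for h in hits:
        s = by_ip.setdefault(h["ip"], {"count": 0, "first": h["ts"], "last": h["ts"], "statuses": set()})
        s["count"] += 1
        s["first"] = min(s["first"], h["ts"])
        s["last"] = max(s["last"], h["ts"])
        s["statuses"].add(h["status"])
    return by_ip


if __name__ == "__main__":
    for ip, s in summarize(suspicious_psemhub_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {s['count']} requests, {s['first']} .. {s['last']}, statuses {sorted(s['statuses'])}")
```

Run it against the real logs with `suspicious_psemhub_hits(open(path).read())` and treat any external address with a 200 on the hub as a confirmed touch, not merely a scan: the hub is not something a browser reaches by accident. Private-range filtering uses an explicit RFC 1918 list rather than `ip_address.is_private`, because Python also classifies the documentation ranges (such as 198.51.100.0/24) as private and would hide them.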
Every Friday we break down the news that really matters for your organisation’s security. If you want to know how exposed your business is to any of these threats, we’re one click away.
