A patch-heavy week for Indian defenders: an exploited ERP zero-day, several edge and VPN flaws under active attack, and a Pakistan-aligned group still grinding at Indian government desktops. Six things to have acted on.
1
Oracle PeopleSoft zero-day exploited before patch (CVE-2026-35273)
Oracle issued an out-of-band alert on 10 June for a critical PeopleSoft PeopleTools flaw. Google's Mandiant reported exploitation ahead of the patch and tracked the activity to UNC6240 (ShinyHunters); CISA added the CVE to its Known Exploited Vulnerabilities catalogue on 12 June.
India exposure: PeopleSoft-class HR, payroll, finance and campus systems across PSU banks, insurers, universities and public-sector-aligned organisations.
Action: Patch immediately, inventory internet-exposed PeopleSoft components, and hunt for suspicious access between late May and patch deployment.
Source: Oracle; Google/Mandiant; CISA KEV.
2
Check Point VPN authentication bypass under active exploitation (CVE-2026-50751)
Check Point disclosed an actively exploited authentication bypass affecting Remote Access VPN, Mobile Access and Spark deployments using deprecated IKEv1. CISA added it to KEV on 8 June.
India exposure: BFSI, IT services, MSPs and enterprises still running legacy VPN configurations.
Action: Apply Check Point's fix, disable deprecated IKEv1 remote-access paths where possible, and audit VPN sessions from May onward for post-authentication activity.
Source: Check Point; Rapid7; CISA KEV.
3 (High, CVSS 7.8)
Cisco Catalyst SD-WAN Manager zero-day — exploited and unpatched (CVE-2026-20245)
Cisco confirmed in-the-wild exploitation of a privilege-escalation flaw (CVSS 7.8) in Catalyst SD-WAN Manager; an attacker with netadmin rights can inject commands and run as root, and Cisco observed config changes pushed to edge devices. CISA added it to KEV on 9 June; no patch was available during the week.
India exposure: Telecom operators, large BFSI networks and government WANs that run Cisco SD-WAN as their backbone.
Action: Remove SD-WAN Manager instances from internet exposure and tightly restrict and audit netadmin accounts until Cisco ships a fix.
Source: Cisco Security Advisory; CISA KEV; The Hacker News.
4 (Critical, CVSS 10.0)
Ivanti Sentry critical RCE and admin-account takeover (CVE-2026-10520 / CVE-2026-10523)
Ivanti published fixes on 9 June. CVE-2026-10520 is an unauthenticated remote code execution flaw (CVSS 10.0); CVE-2026-10523 allows unauthenticated admin-account creation.
India exposure: Organisations using Ivanti/MobileIron-style mobile gateways for managed-device access into internal applications.
Action: Upgrade Sentry immediately, restrict management-interface exposure, and review appliance logs for unexpected admin creation or command execution.
Source: Ivanti; Rapid7.
5
Microsoft's largest-ever Patch Tuesday and an exploited Chrome V8 zero-day (CVE-2026-11645)
Microsoft's June update addressed around 208 vulnerabilities (38 Critical) — the biggest single release since Patch Tuesday began in 2003 — formally patching an already-exploited Defender elevation-of-privilege flaw (CVE-2026-41091, KEV-listed in May). Separately, Google's 8 June Chrome update fixed an exploited V8 out-of-bounds memory flaw (CVE-2026-11645).
India exposure: Effectively every Windows estate and Chrome/Chromium desktop fleet — government, BFSI, healthcare, manufacturing.
Action: Confirm Defender platform updates applied; force-update Chrome/Edge and verify the fixed version through endpoint management, prioritising high-risk users.
Source: Microsoft Security Update Guide; Google Chrome Releases; Zero Day Initiative; CISA KEV.
6
APT36 / Transparent Tribe keeps targeting Indian government Linux desktops
The Pakistan-aligned group continues its DeskRAT campaign against BOSS Linux, the Indian government's homegrown distribution, using defence-themed phishing that drops a Go-based remote-access trojan. Documented by Sekoia and CYFIRMA; this remains the live India-targeted thread of the week.
India exposure: Defence establishments, central and state government bodies, and academic institutions running BOSS Linux.
Action: Treat Linux endpoints as in-scope for EDR and phishing controls; block execution from user-writable paths and inspect outbound traffic from desktop Linux hosts.
Source: Sekoia; CYFIRMA; The Hacker News.
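One way to verify the "block execution from user-writable paths" action on a Linux desktop, as an added example that is not part of the original brief: it reads a mount table in /proc/mounts format and reports user-writable directories whose covering mount lacks noexec. The directory list and the sample mount table are assumptions constructed for illustration.

```python
"""Audit whether user-writable directories sit on noexec mounts (Linux)."""
import os

# Assumption: user-writable locations worth checking; adjust to the desktop build.
USER_WRITABLE = ["/tmp", "/var/tmp", "/dev/shm", "/home"]

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
"""

def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def parse_mounts(text):
    """Return {mountpoint: set(options)}; a later line shadows an earlier one."""
    mounts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts[_unescape(parts[1])] = set(parts[3].split(","))
    return mounts

def covering_mount(path, mounts):
    """Longest mountpoint that is a whole-component prefix of path, or None."""
    path = os.path.normpath(path)
    hits = [m for m in mounts if path == m or path.startswith(m.rstrip("/") + "/")]
    return max(hits, key=len, default=None)

def exec_allowed(text, paths=USER_WRITABLE):
    """Return {path: mountpoint} for paths whose covering mount lacks noexec."""
    mounts = parse_mounts(text)
    findings = {}
    for p in paths:
        mp = covering_mount(p, mounts)
        if mp is not None and "noexec" not in mounts[mp]:
            findings[p] = mp
    return findings

if __name__ == "__main__":
    with open("/proc/mounts") as fh:  # live check; Linux only
        for path, mp in exec_allowed(fh.read()).items():
            print(f"{path}: execution allowed (covering mount {mp})")
```

noexec stops direct execution of a dropped binary from that mount, but it does not stop a script being passed to an interpreter, so pair it with the EDR and egress inspection named in the action.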
AI-watch: A LiteLLM command-injection flaw (CVE-2026-42271) was added to CISA KEV on 8 June — relevant to teams running internal LLM gateways for model routing. Upgrade to fixed versions and restrict exposed endpoints.
The takeaway: This was a perimeter-and-platform week. The route into Indian enterprises ran through VPNs, ERP, mobile gateways and browsers, while APT36 supplied the regional intent to use that access against Indian targets. Patch the edge; watch the desktops.
Nirad Bharat Threat Feed | Bharat-first threat intelligence