Exploitation attempts targeting a critical vulnerability (CVE-2026-46817) in Oracle Payments, the payment-processing module within Oracle’s E-Business Suite (EBS), have been spotted over the weekend, threat intelligence company Defused warned on Monday.

The detected exploitation attempts (Source: Defused)

“On 27 June 2026 our Oracle E-Business Suite decoys recorded the first in-the-wild exploitation of CVE-2026-46817 — roughly six weeks after Oracle’s May 2026 patch and before any public proof-of-concept existed,” the company said.

“The activity was a single source running an unauthenticated file-read against the Payments component: a targeted proof-of-concept, not broad scanning.”

The exploit targets the ibytransmit endpoint in Oracle Payments’ File Transmission component, and calls an internal Oracle Java function directly, redirecting it to read a file (/etc/passwd) from the server.

But the same technique could be used to reach more sensitive files, such as configuration files containing database credentials, encryption keys, or payment processor API keys.

Advice for organizations

Oracle Payments is the payment-processing engine built into Oracle’s E-Business Suite, centralizing how the company’s finance applications send and receive payments through banks and card networks.

CVE-2026-46817 affects the File Transmission component of Oracle Payments, and is caused by improper privilege management, improper authentication, and missing authentication for a critical function.

Oracle considers it to be an easily exploitable vulnerability. It can be exploited remotely, by unauthenticated attackers with network access via HTTP, to compromise and take over Oracle Payments.

The vulnerability was patched by Oracle in late May 2026.

Administrators running Oracle E-Business Suite versions 12.2.3 to 12.2.15 should apply Oracle’s May 2026 Critical Security Patch Update immediately. Until patched, EBS web interfaces should be restricted to internal networks and not exposed to the public internet.

Security teams should treat any internet-facing EBS instance left unpatched past May 28 as potentially compromised, and should review logs for suspicious POST requests to /OA_HTML/ibytransmit. If evidennce of compromise is discovered, they should perform a full forensic review and rotate all credentials and keys stored on that host.

Also, given the pattern of repeated critical EBS vulnerabilities exploited by attackers in the last year, security teams should review whether their EBS installation’s needs any internet-facing components at all.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!

from Help Net Security https://ift.tt/blLpfO7

Cequence Security has announced general availability of Cequence Platform 9.0, an AI-native release that changes how users interact with API security tools.

Platform 9.0 ships with a built-in AI Assistant, an open Model Context Protocol (MCP) server that exposes every platform capability to an organisation’s agents or automation workflows, a compliance-ready risk rules library mapped to 25 global regulatory frameworks, and a re-architected API security engine built to handle the largest enterprise API estates without performance degradation.

Agentic AI is transforming how enterprises interact with their customers, and internal IT teams are adopting AI agents faster than their security tools can keep up. Unlike vendors that add a simple chatbot to their existing product, Cequence took the opposite approach; the entire platform is AI-native and open, enabling customers to use Cequence’s built-in model or one of their choosing.

With Platform 9.0, any practitioner can open a conversation and start asking the questions they actually care about, without knowing the interface, navigating menus, or understanding how the product works. The platform finds the answers. Teams with sophisticated AI workflows can use their own agents to directly drive these same capabilities through the open MCP architecture, with no custom integration required.

Ameya Talwalkar, CEO at Cequence, said: “Most vendors looked at the agentic era and added a chatbot. We looked at it and rebuilt the architecture. Cequence Platform 9.0 exposes the entire Cequence platform through an open MCP architecture so any agent can operate it directly, whether through our built-in AI Assistant, or a customer’s own agent. That is what AI-native actually means: the UI becomes optional. We are building for the way the agentic enterprise already works, while making sure a human approves every change along the way.”

AI-native platform with a built-in AI assistant

Cequence Platform 9.0 ships with a built-in AI Assistant that answers plain-language questions such as “What is my biggest risk right now?” with ranked, evidence-backed findings drawn from live platform data. Unlike most security chatbots that only deliver value in the hands of experienced practitioners, the Cequence AI Assistant arrives with skills built on years of application, API, and data protection work in high-traffic enterprise environments, able to guide practitioners of all skill levels from day 1.

Agent capabilities in Platform 9.0 include:

• Drive valuable actions from simple conversation: use plain-English to easily and quickly drive results. The possibilities are endless. Have the AI Assistant classify APIs, identify risks, draft rules, and create reports, all without navigating the UI.
• Open MCP server: any MCP-capable agent, SOAR platform, or automation workflow can interact with, configure, and pull insights from the platform through an open API contract, with no custom integration, incorporating API security into broader agentic workflows
• Human in the loop: read actions run freely; every proposed write shows the exact change and requires explicit human approval before anything happens
• Full transparency: every answer exposes the AI Assistant’s reasoning and the underlying tool calls; when it lacks a tool for a task, it says so rather than guessing

“Most security chatbots are only as useful as the person asking the questions, which means they fall flat in the hands of anyone who is not already an expert. We built the Platform 9.0 agent differently. It runs a full agentic loop, planning which tools answer the question, calling them, and synthesising ranked, evidence-backed recommendations while showing you exactly how it got there. When it does not have the tool to do something, it tells you instead of guessing. That governance-first design is not an afterthought. It is the same conviction behind the Cequence AI Gateway, and it is what makes this safe to put in front of any practitioner on Day 1,” said Shreyans Mehta, CTO at Cequence.

Compliance-ready risk rules and compliance packages

Compliance is the most common forcing function for an API security purchase, and the most common place programs stall. Platform 9.0 ships the rules, frameworks, and reports to make customers audit-ready immediately, with no professional services and no custom rule development required.

Compliance capabilities in Platform 9.0 include:

• 250+ pre-built risk rules: more than four times the previous version, mapped to 25 global compliance frameworks including OWASP API Security Top 10 (all versions), PCI DSS, GDPR, HIPAA, SOC 2, ISO 27001, NIST CSF, DORA, NIS2, LGPD, SAMA, MAS TRM, and additional regional frameworks across the Americas, EMEA, and APAC
• One-click audit-ready reports: each report builds from live data, maps findings to the framework’s specific controls, scores risk by control area, and provides remediation guidance for every gap; reports can be company or partner branded
  Observe mode: see how proposed rules perform for testing purposes without raising formal issues, allowing teams can add frameworks without a flood of unreviewed findings
• Test panel: validates any rule against sample request and response data before activation

Re-architected API security engine built for enterprise scale

Agentic AI is accelerating API endpoint growth faster than any prior technology wave. Platform 9.0 includes a complete rebuild of the engine that discovers, catalogues, and scores risk across an organisation’s API estate, delivering higher performance at a smaller CPU footprint.

API security engine improvements in Platform 9.0 include:

• 50x increase in API endpoints supported: with sub-five-second page load times across every view regardless of endpoint count
• Reduced compute costs: CPU footprint improvements translate directly into lower infrastructure costs, especially for on-premise deployments

from Help Net Security https://ift.tt/7Q1PabI

Jamf has announced general availability of AI Governance, a new capability within Jamf for Mac that enables IT and security teams to discover actively-used AI tools, enforce policy controls, and generate audit-ready reporting.

Many organizations struggle to confidently audit and report on AI tool usage across their device fleet, including both sanctioned applications and unsanctioned or prohibited tools. AI Governance provides comprehensive visibility into which AI applications are in use, along with detailed insights into how they behave on the endpoint.

This enables organizations to understand AI activity at a level that network- and cloud-based reporting solutions alone cannot provide, helping security teams identify risk, support compliance, and make informed governance decisions.

With launch support for Claude Code, Claude Desktop, and OpenAI Codex, the capability provides deep governance coverage across model access, tenancy, network permissions, file system controls, MCP server restrictions, and other vendor-specific AI configurations.

A vendor control tracking engine continuously monitors supported AI platforms for new or updated controls, helping organizations keep governance policies current as AI tools rapidly evolve. All of these policies are in place offline and before a user’s first login to an AI agent, enforcing a foundational day-zero and tamper-resistant policy baseline.

Native Mac control plane for enterprise AI

AI tools run natively on Apple Silicon and operate as processes that existing network proxies and cloud-based tooling cannot fully see or govern. No existing tool unifies platform-native device management, deep AI tool configuration coverage, and a workflow that translates governance intent into vendor-correct configuration on macOS.

Jamf AI Governance closes that gap by enabling visibility of shadow AI and providing granular AI configurations natively, deployed in minutes, through the same endpoint management control plane that admins use today, offering:

• Visibility: AI application visibility and shadow AI discovery surface AI tools, agents, and LLM runtime across the fleet (including CLI-based developer tools and background agents) using Jamf’s existing telemetry agent, which uses native and high-performance macOS frameworks. No new agent is required.
• Control: AI access policy controls let IT define sanctioned tools, deploy access policy at scale, and scope different postures to different teams. Vendor-correct configurations can be applied automatically at scale.
• Governance: An executive AI posture report provides CIOs and CISOs with a snapshot-in-time summary of AI usage. The capability offers SIEM compatibility and is designed to assist companies in reporting against their existing compliance frameworks.

“AI adoption across the enterprise is moving faster than existing technology policies can keep up,” said Beth Tschida, CEO at Jamf. “Organizations need governance that matches the way AI tools actually operate on Mac. This means visibility into what’s running, policy controls enforced directly on the endpoint, and reporting that helps security teams demonstrate compliance. Our AI Governance capability delivers that natively from the same platform customers already trust to manage and secure Apple devices.”

“Like many organizations, we want to enable teams to use AI tools productively while maintaining appropriate governance and oversight,” said Sam Lalli, Security Engineering & SOC Manager at Eventbrite. “What impressed us about Jamf’s AI Governance was how quickly we could apply policy across our Mac fleet without adding another point solution or creating friction for developers. Having this critical capability built into the same device management platform we already use, really simplifies AI governance for our team.”

Beyond essential visibility and control, Jamf’s AI Governance policies can more effectively deploy and govern partner AI solutions.

IT and security teams can use Jamf to discover AI tools running across MacOS devices and register those agents directly with Okta for AI Agents. This gives each one a managed identity and scoped access to only the resources it is allowed to reach. Jamf controls which MCP servers can run on the device while Okta controls what cloud resources those MCP servers can reach.

Rather than long-lived static keys, agents use short-lived, vaulted credentials, and every action is authorized and logged from the endpoint to the cloud. The Okta integration deploys directly from Jamf’s console without manual API setup or certificate management required.

Organizations can also configure their preferred agent builder platform, such as Amazon Bedrock AgentCore, ensuring AI traffic routes through and is processed on sanctioned cloud infrastructure.

With Jamf handling device visibility and policy enforcement, and Okta managing agent identity and access, organizations can answer: which agents ran on which endpoints, what they were authorized to reach, and what they did along the path from a MacOS device to the SaaS app.

“While some enterprise AI agents run locally, they access data across a vast cloud ecosystem, requiring coordinated security between the endpoint and identity layers,” said Harish Peri, SVP & GM of AI Security, Okta. “By anchoring Okta for AI Agents to Jamf’s endpoint enforcement, every agentic connection on a managed Mac is authenticated, authorized, and fully visible from the device to the data. Together, we’re helping organizations become secure agentic enterprises by giving them more control over what AI agents can access and on whose behalf.”

AI governance urgency is accelerating

The need for enterprise AI governance is accelerating as organizations adopt AI-powered tools across employee workflows. Jamf’s recently released AI Governance Survey found that organizations with deeply integrated AI are 40% more likely to report an incident than those still in the exploration phase, suggesting AI governance is quickly becoming an operational requirement rather than a future planning exercise.

Gartner mentions, “With spending on AI governance expected to reach $492 million in 2026 and surpass $1 billion by 2030, organizations are reassessing the tools and strategies needed to stay ahead of both regulatory and operational risk.”

Further, in its Top Cybersecurity Trends for 2026 report, Gartner also says that, “Cybersecurity leaders must identify both sanctioned and unsanctioned AI agents, enforce robust controls for each and develop incident response playbooks to address potential risks.”

from Help Net Security https://ift.tt/v6DNkx4

If you've been on the same T-Mobile plan for years, listen up: Not only will T-Mobile move you into a new plan this month, you may have to pay more as a result.

As reported by CNET (which is owned by Lifehacker parent company Ziff Davis), T-Mobile will end a number of legacy plans, which will cancel "over 1,100 legacy billing codes." The company has started contacting customers on legacy plans to let them know about these changes. It seems T-Mobile has not specified which plans in particular are on the chopping block, but that some run "10 to 15 years" back. As CNET highlights, that could affect "Simple Choice," "T-Mobile One," "One Plus," and "Magenta" plans. In addition, legacy Sprint plans will likely be affected, if users had plans grandfathered over following Sprint and T-Mobile's merger.

In a statement to Android Authority, T-Mobile explains its reasoning behind the changes. These plans are the company's oldest, many of which were designed for the "3G and 4G eras." In addition, customers transitioning to current plans will have access to a five-year price guarantee. T-Mobile won't be shutting the lights all at once. These changes should take place over the coming weeks, and will be reflected by the following billing cycle. If your plan is affected by these changes, you should receive word either by text or through the T-Life app as soon as today.

How much more will customers pay on new T-Mobile plans?

The immediate downside to losing your legacy plan is, of course, losing your previous rate. While there are no guarantees at this time, it does seem like users who T-Mobile moves to a current plan will largely pay more than they did on their previous plan.

The good news is that the new plan may not be that much more expensive. T-Mobile's statement to Android Authority says that some customers' plans won't change at all, while others will see a "modest adjustment." Android Authority says that T-Mobile confirmed that the "average" change customers will see will be $4 per line.

What do T-Mobile customers have to do?

According to T-Mobile, nothing. The company says it will be automatically enrolling legacy plan customers into current plans. In fact, Allan Samson, T-Mobile's chief marketing officer, said that "absolutely nothing is required of the customer, and it just is going to happen."

T-Mobile will supposedly move you to a "comparable" plan, including "Essentials," "Essentials Saver," "Experience More," "Experience Beyond," and "Better Value." While these may come with new features, they may, of course, come with that added price tag. Unfortunately, it doesn't seem you can contest the change, and must wait until T-Mobile takes action before you know what plan you've moved to.

If you're on a legacy plan, my advice is this: either wait and see what T-Mobile picks for you, or contact the company and negotiate. There's no guarantee what it might offer you, but once you know what your choices are, you can decide whether to move to another provider, or take what T-Mobile is offering.

from Lifehacker https://ift.tt/waqtXUW

The US Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability (CVE-2026-12569) in Windchill and FlexPLM, two product lifecycle management software platforms developed by PTC, to its Known Exploited Vulnerabilities (KEV) catalog.

Entries in the KEV catalog don’t contain links to reports of exploitation, but PTC’s advisory keeps getting updated with indicators of compromise and advice for defenders, confirming that attackers are dropping JSP webshells on vulnerable systems.

CISA ordered US federal civilian government agencies to address CVE-2026-12569 by June 28, but all organizations using one of these two PLM platform should patch (if they haven’t already) and check for the presence of indicators of compromise.

PTC Windchill under attack via CVE-2026-12569

Windchill is PTC’s product lifecycle management platform for manufacturing and engineering-intensive industries, while FlexPLM is a PLM platform for retail, footwear, apparel, and consumer goods industries,

CVE-2026-12569 is an improper input validation vulnerability that allows unauthenticated, remote attackers to execute arbitrary code just by sending a malicious request to the network.

PTC warned about the flaw on June 17 and proposed remediation steps, then followed up with the release of a patch on June 18, when it confirmed in-the-wild exploitation. Patches for additional versions of the software were released soon after.

News outlet Heise Online reported that, around June 17, Germany’s Federal Office for Information Security (BSI) started notifying German companies of “impending cyberattacks on vulnerable Windchill instances”, and urged them to verify they had applied the patch.

Interestingly enough, a similar warning by the Federal Criminal Police Office (BKA) on behalf of the BSI was given to German companies in late March 2026, when a code injection vulnerability (CVE-2026-4681) in those same two platforms was publicly disclosed.

CVE-2026-4681 also allowed remote code execution and the indicators of compromise provided in the related advisory suggest it was also exploited in the wild, even though the advisory still states that “there is no evidence of confirmed exploitation affecting PTC customers.”

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!

from Help Net Security https://ift.tt/gvPJbCO

PrivacyHawk has announced the general availability of PrivacyHawk Enterprise, a solution that identifies and eliminates the shadow IT accounts, abandoned SaaS subscriptions, and forgotten third-party services quietly exposing organizations to breach risk.

Every organization has an invisible attack surface. Shadow AI tools. Free trials nobody cancelled. Third-party services still holding employee data from years ago. Over time, that hidden footprint grows largely undetected, and traditional security tools were never built to find it.

PrivacyHawk Enterprise solves that gap. The service gives security teams full visibility into their employees’ external digital footprint, automates data deletion across thousands of third-party services, and reduces the exposure that existing tools leave behind.

When a third-party breach hits, the consequences extend beyond that organization to every user of that service as well. Less exposed data means a smaller attack surface and lower risk of sensitive company data being exposed from third party breaches.

“Organizations with hundreds or thousands of employees can have millions of third-party shadow IT accounts they didn’t even know existed,” said Aaron Mendes, CEO of PrivacyHawk. “Every one of those is a potential data exposure waiting to happen. We’ve already helped millions of American consumers reduce their digital footprint — now we’re bringing that same automated capability to businesses, nonprofits, and government agencies that need it just as badly.”

from Help Net Security https://ift.tt/olge7Bv

Interesting research on a new class of weak RSA keys: keys with lots of zeros. It turns out that these keys are out in the wild.

The badkeys project is an open-source service that checks public keys for known vulnerabilities. While developing this tool, Hanno collected a massive number of real-world keys from public sources, including Certificate Transparency logs, internet-wide TLS and SSH scans, PGP keys, and many others. By searching this dataset for unexpectedly sparse RSA moduli, we uncovered a large number of keys in the wild with the patterns in Figure 1.

Both patterns include several regularly spaced blocks of all zeros interleaved with seemingly random data. Pattern 1 appears in CT logs for certificates issued to several large organizations, including Yahoo and Verizon, and on some devices running NetApp software. Fortunately, these certificates have already expired, but we still shared our findings with these companies. We wanted to learn more about which product could be responsible for generating these keys, but we did not hear back. Pattern 2 appears on SSH hosts running the CompleteFTP software from EnterpriseDT. The underlying vulnerability affects RSA keys generated using versions 10.0.0­12.0.0 (Dec 2016­Mar 2019) and DSA keys generated with v10.0.0­23.0.4 (Dec 2016­Dec 2023).

These vulnerabilities affect a small minority of hosts on the internet, but the more interesting takeaway is that independent cryptographic implementations failed in similar ways. More implementations may include the same bugs, and so it’s worth tailoring cryptanalytic algorithms for this particular type of failure.

The article doesn’t speculate, but I will. This could be a deliberately designed backdoor, of the sort I wrote about back in 2013. I could imagine some government agency figuring out how to break this class of RSA keys, and then convincing different providers to hand them out to users.

from Schneier on Security https://ift.tt/yVFQq48