Top stories.
- CISA directs agencies to “patch smarter, not harder.”
- Anthropic rejects Fable 5 jailbreak claims.
- Google confirms ShinyHunters exploited a critical Oracle PeopleSoft vulnerability.
CISA directive orders agencies to prioritize vulnerability patching in a new way.
CISA issued a new Binding Operational Directive (BOD 26-04) that requires federal civilian agencies to prioritize vulnerability remediation based on risk rather than treating all vulnerabilities equally. The directive evaluates each vulnerability against four criteria:
- Whether the affected asset is publicly exposed.
- Whether the vulnerability is being actively exploited.
- Whether the exploitation can be fully automated.
- Whether exploitation would give an attacker control of the system.
Agencies are also required to update vulnerability management policies immediately, revise remediation processes within sixty days, and fully comply with the new timelines within 180 days.
This move reflects a broader shift towards risk-based vulnerability management, which CISA described as "patch smarter, not harder."
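To make the four criteria concrete, here is an added example (not part of the original story or of the directive itself) that triages a list of constructed findings by those criteria and contrasts the result with a severity-only ordering. The equal weighting of the criteria, the tier labels, the `cvss` field and the `VULN-*` identifiers are all assumptions for illustration; the directive text summarized above specifies none of them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str              # constructed placeholder identifier
    cvss: float               # base severity score, used only to show the contrast
    asset_exposed: bool       # affected asset is publicly reachable
    actively_exploited: bool  # exploitation observed in the wild
    automatable: bool         # exploitation can be fully automated
    gives_control: bool       # success gives an attacker control of the system

    def criteria_met(self) -> int:
        # Assumed weighting: each of the four criteria counts one point (0..4).
        return sum((self.asset_exposed, self.actively_exploited,
                    self.automatable, self.gives_control))


# Assumed tier labels for the 0..4 count; the directive summary gives none.
TIERS = {4: "critical", 3: "high", 2: "medium", 1: "low", 0: "minimal"}


def tier(f: Finding) -> str:
    return TIERS[f.criteria_met()]


def triage(findings):
    """Highest risk first. Ties are broken by active exploitation, then
    exposure, automatability, control, then severity, then id."""
    def key(f):
        return (-f.criteria_met(),
                not f.actively_exploited, not f.asset_exposed,
                not f.automatable, not f.gives_control,
                -f.cvss, f.vuln_id)
    return sorted(findings, key=key)


def by_severity_only(findings):
    """The ordering a severity-driven process would produce, for contrast."""
    return sorted(findings, key=lambda f: (-f.cvss, f.vuln_id))


# Constructed sample: note that the highest-severity flaw (VULN-A) sits on an
# internal host and is not being exploited, while VULN-B is lower severity but
# exposed, exploited, automatable and gives full control.
SAMPLE = [
    Finding("VULN-A", 9.8, asset_exposed=False, actively_exploited=False,
            automatable=True, gives_control=True),
    Finding("VULN-B", 7.5, asset_exposed=True, actively_exploited=True,
            automatable=True, gives_control=True),
    Finding("VULN-C", 8.1, asset_exposed=True, actively_exploited=False,
            automatable=False, gives_control=False),
    Finding("VULN-D", 6.5, asset_exposed=True, actively_exploited=True,
            automatable=False, gives_control=False),
]

if __name__ == "__main__":
    print("risk-based order:")
    for f in triage(SAMPLE):
        print(f"  {f.vuln_id}  {tier(f):8}  criteria={f.criteria_met()}  cvss={f.cvss}")
    print("severity-only order:")
    for f in by_severity_only(SAMPLE):
        print(f"  {f.vuln_id}  cvss={f.cvss}")
```

Run as a script, the risk-based order is VULN-B, VULN-D, VULN-A, VULN-C, while severity alone would put VULN-A first; the point of the example is that exposure and observed exploitation, not the base score, decide what gets fixed first.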
Anthropic disputes Fable 5 AI jailbreak claim.
Anthropic rejected claims that its newly public AI model, Claude Fable 5, was successfully jailbroken. Pliny the Liberator recently claimed to have "liberated" the model by circumventing its restrictive safety layer with a coordinated prompt-based attack. Anthropic disputed the characterization of the incident as a true jailbreak.
Anthropic argued that the attack did not compromise the underlying model; it instead targeted the classifier system responsible for identifying sensitive cybersecurity, biology, and chemistry queries and rerouting them to a less capable model. Anthropic also pointed to over 1,000 hours of pre-release red team testing that failed to uncover any universal jailbreak.
Google confirms ShinyHunters exploited a critical Oracle PeopleSoft vulnerability.
Google confirmed that ShinyHunters, an infamous threat group, exploited a critical Oracle PeopleSoft vulnerability. Google's threat intelligence teams, Mandiant and GTIG, found that the threat actors exploited CVE-2026-35273 as a zero-day, before Oracle had publicly disclosed mitigation options. The flaw is a critical unauthenticated remote code execution vulnerability affecting PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62.
ShinyHunters primarily targeted the education sector, with Google observing attacks between May 27 and June 9. Roughly 68% of the identified targets belonged to higher education institutions. The attackers reportedly used the vulnerability to access systems, steal data, and conduct extortion operations.
Oracle has issued mitigations, but patches do not yet appear to be available.