The first day of July 2026 lands on a Wednesday, and the security landscape already looks like a long weekend of incident response. Over the past week, three major stories broke: an anonymous researcher dumped proof-of-concept code for more than a dozen zero-days across popular open-source projects, ransomware gangs have started exploiting the Microsoft Defender privilege escalation flaw CVE-2026-33825 (BlueHammer), and attackers are actively exploiting an Oracle E-Business Suite vulnerability (CVE-2026-46817) while also hammering SimpleHelp servers with a new authentication bypass.
These are not theoretical problems. Each of these incidents has working exploit code, active exploitation, or both. If you are responsible for any of the affected software, this post covers what is happening, what the risks are, and what you should do.
The zero-day dump nobody asked for
A security researcher going by Bikini published a repository called Exploratorium containing proof-of-concept exploit code and detailed write-ups for more than a dozen zero-day vulnerabilities. The researcher did not notify any of the vendors before publication. This is not a coordinated disclosure. It is a batch dump.
The exploits cover 15 software projects, including the Linux kernel, libssh2, AnyDesk, FFmpeg, Gogs, Gitea, Ghidra, 7-Zip, MyBB, PHP, OpenVPN, and VLC. Since the dump last week, several projects have confirmed the vulnerabilities and started working on patches; nine have been confirmed and assigned CVEs so far. Bikini has promised to drop more zero-days in the coming days. The repository was suspended twice over the weekend, likely by the hosting platform, but it keeps coming back.
This is not an isolated event. Coverage of the dump notes that since AI tools started creeping into vulnerability research, the number of undisclosed vulnerabilities has exploded in 2026. AI-assisted fuzzing and static analysis make it easier to find bugs faster than ever. A researcher is under no obligation to disclose responsibly, and when they choose to dump findings without notice, everyone downstream pays the price.
If you run any of those projects, check whether the project has published CVE information or patches. The Linux kernel and PHP communities are usually fast. Smaller projects like Gogs and MyBB may take longer, so monitor their issue trackers. If you are writing detection rules for any of these, the proof-of-concept code is public, so you can build detections from it directly rather than waiting for in-the-wild samples.
SimpleHelp exploitation via OIDC module
According to Blackpoint Cyber, attackers are exploiting a recently disclosed vulnerability in SimpleHelp remote management servers. The bug only affects servers where the OpenID Connect (OIDC) module is enabled. Patches were released in May 2026. The vulnerability was found by security firm Horizon3, which used AI to hunt for bugs in software already listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. CISA added this bug to the KEV catalog on Monday.
Attackers are using the exploit to drop the TaskWeaver loader and the Djinn infostealer on compromised servers. If you run SimpleHelp with OIDC enabled and have not patched, assume the server is compromised. The exploit bypasses authentication, and once inside, the attacker has full control of the remote management server, which means they can pivot to any endpoint enrolled with it.
The takeaway here is that AI-assisted vulnerability discovery is no longer hypothetical. Horizon3 explicitly used AI to target software in the KEV catalog, meaning they are automating the work of finding bugs in high-value targets. That same capability is available to adversaries. If software you run or maintain has appeared in CISA's KEV, expect more automated hunting against it.
Oracle E-Business Suite CVE-2026-46817 exploited
Defused Cyber reported active exploitation of CVE-2026-46817 in Oracle E-Business Suite. The vulnerability is in Oracle Payments, specifically its File Transmission component. It carries a CVSS score of 9.8, requires no authentication, and can be exploited over HTTP. Affected versions are 12.2.3 through 12.2.15.
Oracle shipped patches as part of the May 2026 Critical Patch Update (CPU). Defused Cyber observed exploitation against its honeypots in June, within weeks of the patch. The reports disagree on one detail: Vulert's write-up describes the observed attempts as authenticated, while the CVSS 9.8 rating and the vulnerability description indicate that no authentication is required. Your exposure does not hinge on that detail. Either way, if you have not patched, you are exposed.
Oracle E-Business Suite environments often run finance, procurement, HR, and supply chain workflows. Compromise of Oracle Payments can have direct financial impact. The recommendation from Defused Cyber is to apply the May 2026 patch immediately, restrict network access to the affected component, review logs for suspicious activity, and conduct a compromise assessment. Patching only prevents future exploitation. If attackers already gained access, the patch does not remove backdoors.
BlueHammer: from zero-day to ransomware
CVE-2026-33825, nicknamed BlueHammer, is a Microsoft Defender privilege escalation vulnerability. It was leaked by researcher Nightmare Eclipse in early April along with a proof-of-concept exploit. Microsoft patched it on April 14 as part of April Patch Tuesday. Huntress Labs later found evidence that the flaw had been exploited as a zero-day in attacks with hands-on-keyboard activity.
CISA added BlueHammer to the KEV catalog on April 22, ordering federal agencies to patch within two weeks. Now, CISA has updated that entry to flag the vulnerability as exploited in ransomware campaigns. Ransomware gangs are using it to escalate privileges and then deploy their payloads. Microsoft has not officially tagged it as exploited, but CISA's KEV entry is the one that carries a binding deadline for federal agencies, and its ransomware flag reflects observed campaigns, so treat the bug as actively weaponized.
Nightmare Eclipse has been leaking multiple Windows zero-day exploits this year. The list includes RoguePlanet, RedSun, GreenPlasma, MiniPlasma, YellowKey, and UnDefend. Microsoft fixed GreenPlasma, MiniPlasma, and YellowKey in the June 2026 Patch Tuesday updates. The researcher appears to be protesting Microsoft's disclosure handling. Whether you agree with the method or not, the result is a steady stream of weaponized bugs landing in the open.
Microsoft Defender is built into Windows, so nearly every Windows fleet is in scope, and you should have applied the April 2026 patches already. If you have not, do it now. The exploit is public and ransomware groups are using it. There is no reason to wait.
What this week tells us about the state of security
Three things stand out from this week's news.
First, the zero-day dump trend is accelerating. AI tools lower the barrier to finding vulnerabilities. The same tools that help security researchers find bugs also help adversaries and anonymous researchers who have no interest in responsible disclosure. The number of non-disclosed vulnerabilities has exploded this year, and the industry has not figured out how to handle that.
Second, CISA's KEV catalog increasingly drives attacker behavior. Horizon3 used AI to look for bugs in software already on the KEV list. That means the catalog is not just a list for defenders; it is a shopping list for attackers and researchers who want to find additional flaws in the same software. If you maintain software that appears in the KEV, expect more scrutiny.
Third, patches are not enough. The Oracle bug was patched in May, yet exploitation was observed in June. The SimpleHelp bug was patched in May, and attackers are actively exploiting it now. BlueHammer was patched in April, and ransomware groups are still using it. Patching must happen quickly, but it also needs to be combined with compromise assessment and network segmentation. A patch does not undo a prior breach.
Practical steps
If you manage any of the affected software, here is what I would do today:
- For the zero-day dump projects: check each project's advisory pages. If you use PHP, libssh2, OpenVPN, 7-Zip, or AnyDesk, expect patches within days. For smaller projects like MyBB or Gogs, you may need to apply temporary mitigations such as disabling affected features or restricting network access.
- For SimpleHelp with OIDC: patch immediately. If the server was exposed before patching, assume compromise. Check for TaskWeaver and Djinn indicators. Review client connections for signs of lateral movement.
- For Oracle E-Business Suite: apply the May 2026 CPU if you have not. Identify whether the File Transmission component is reachable from untrusted networks. Review logs for the period before patching. Look for unusual file transfers, new users, or configuration changes in Oracle Payments.
- For Microsoft Defender: confirm that KB5000000 (April 2026) or later is installed. If you cannot patch immediately, restrict local administrator access and monitor for privilege escalation attempts.
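The Oracle E-Business Suite item above (and the same advice in the CVE-2026-46817 section) boils down to two checks a responder runs first: is the installed release inside the affected range, and which requests reached the suspect component before the patch went on. The script below is an added example written for this post; it is not Oracle's, Defused Cyber's, or the original author's code. It assumes Apache/NCSA combined log format and a path prefix for the File Transmission endpoint that is a placeholder, not Oracle's real route; the log lines are constructed for illustration.

```python
"""Triage helper for the Oracle EBS item: version-range check plus a scan of
web-server logs for pre-patch requests to the suspect component.
Added example, not from the original post. Assumptions: logs are in
Apache/NCSA combined format and SUSPECT_PREFIX is a placeholder path."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Affected range as stated in the post: 12.2.3 through 12.2.15 inclusive.
AFFECTED_LOW = "12.2.3"
AFFECTED_HIGH = "12.2.15"


def parse_version(v: str) -> Tuple[int, ...]:
    """'12.2.15' -> (12, 2, 15). Compare numerically: as strings,
    '12.2.9' > '12.2.15', which would mis-classify a vulnerable host."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(installed: str, low: str = AFFECTED_LOW, high: str = AFFECTED_HIGH) -> bool:
    return parse_version(low) <= parse_version(installed) <= parse_version(high)


# Combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def pre_patch_hits(log_lines: List[str], patched_at: datetime, path_prefix: str):
    """Return (ip, ts, user, path, status) for every request to the suspect
    component made before the patch timestamp. Only those can be a breach;
    later requests matter for blocking, not for compromise assessment."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; real triage would log it, not drop it silently
        ts = datetime.strptime(m["ts"], TS_FMT)
        if ts < patched_at and m["path"].startswith(path_prefix):
            hits.append((m["ip"], ts, m["user"], m["path"], int(m["status"])))
    return hits


def summarize(hits) -> Dict[str, dict]:
    """Group pre-patch hits by source IP. Unauthenticated ('-') requests that got
    a 200 against a pre-auth exploitable endpoint are the ones to chase first."""
    by_ip: Dict[str, dict] = {}
    for ip, ts, user, path, status in hits:
        e = by_ip.setdefault(ip, {"requests": 0, "unauth_200": 0, "first": ts, "last": ts})
        e["requests"] += 1
        if user == "-" and status == 200:
            e["unauth_200"] += 1
        e["first"] = min(e["first"], ts)
        e["last"] = max(e["last"], ts)
    return by_ip


# Placeholder route (assumption): substitute the real File Transmission path.
SUSPECT_PREFIX = "/OA_HTML/payments/filetransmission"
# Constructed sample log, not real traffic. Patch applied 15 June in this scenario.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jun/2026:02:14:09 +0000] "POST /OA_HTML/payments/filetransmission/upload HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Jun/2026:02:14:11 +0000] "POST /OA_HTML/payments/filetransmission/upload HTTP/1.1" 200 9812',
    '198.51.100.4 - jsmith [12/Jun/2026:09:30:00 +0000] "GET /OA_HTML/payments/filetransmission/status HTTP/1.1" 200 2200',
    '198.51.100.4 - jsmith [12/Jun/2026:09:31:12 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 3100',
    '203.0.113.7 - - [20/Jun/2026:03:00:00 +0000] "POST /OA_HTML/payments/filetransmission/upload HTTP/1.1" 403 0',
]
PATCHED_AT = datetime(2026, 6, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("12.2.12 affected:", is_affected("12.2.12"))
    for ip, s in summarize(pre_patch_hits(SAMPLE_LOG, PATCHED_AT, SUSPECT_PREFIX)).items():
        print(ip, s)
```

On the sample data the 20 June request is ignored (it arrived after patching and was refused), while 203.0.113.7 shows two unauthenticated 200s against the placeholder endpoint three days before the patch, which is exactly the pattern that should trigger a compromise assessment rather than a "patched, done" close-out.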
None of this is new advice. But the combination of a public zero-day dump, active ransomware exploitation of a leaked bug, and adversaries using AI to find more bugs means the window between disclosure and exploitation is shrinking. The only responsible response is to patch early and often, and to assume that anything you leave unpatched will be exploited.