Threat Intelligence Brief - Wednesday, July 1, 2026

Operational threat reporting for defenders who need signal, not noise.

By DevSecOpsDad

Threat Radar

  • ACTIVE EXPLOITATION IN PROGRESS: Over 900 Oracle E-Business Suite instances are internet-exposed and under active attack. If your organization runs EBS, treat it as a target until confirmed otherwise.

  • Adobe patched seven maximum-severity (CVSS 10/10) vulnerabilities in ColdFusion and Campaign Classic — both are established targets for initial access and code execution campaigns.

  • Citrix NetScaler has six new vulnerabilities, including an HTTP/2 Bomb denial-of-service flaw and a CitrixBleed-style memory disclosure bug. Edge infrastructure risk is elevated for unpatched deployments.

  • The Adobe and Citrix releases land simultaneously, creating patch prioritization pressure for teams managing both application servers and network edge infrastructure this week.

  • The FTC’s $2.25M fine against Amazon for blocking fraud victims’ access to transaction records signals regulatory scrutiny around evidence preservation and fraud response obligations — a compliance exposure for any organization handling consumer data.


Immediate Action Required

  • Oracle E-Business Suite — Active Exploitation: Confirm whether any EBS instances are internet-facing. If yes, treat this as an active incident response situation. Restrict external access immediately, review recent access logs for anomalous activity, and apply available patches without delay. Exploitation is confirmed in the wild. (T1190)

  • Adobe ColdFusion & Campaign Classic — Critical Patches: Seven flaws rated CVSS 10/10 with arbitrary code execution potential. Inventory all ColdFusion and Campaign Classic deployments, prioritize internet-facing instances, and apply patches this week. Exploitation status is currently unconfirmed, but severity warrants no delay. (T1059)

  • Citrix NetScaler — Edge Infrastructure Patches: Six vulnerabilities including a CitrixBleed-style information disclosure bug and an HTTP/2 Bomb DoS flaw. NetScaler sits at the network edge — patch immediately to prevent session data exposure or service disruption. Citrix is urging customers to act.


High-Impact Developments

Oracle E-Business Suite Under Active Attack

  • What happened: Researchers identified over 900 Oracle E-Business Suite instances exposed to the internet, with active exploitation of a critical vulnerability confirmed and ongoing.

  • Why it matters: Oracle EBS is a core enterprise platform handling financials, HR, and supply chain data. Active exploitation of internet-exposed instances means attackers are already in the kill chain against real targets. The attack surface is large and the business impact of a successful compromise is severe.

  • Who should care: Enterprise IT, application owners running Oracle EBS, and SOC teams responsible for monitoring ERP infrastructure.

  • Recommended action: Immediately audit internet exposure of all Oracle EBS instances. Any instance reachable from the public internet should be treated as potentially compromised pending investigation. Apply Oracle patches, enforce network access controls, and review authentication logs for anomalous access patterns.

  • Confidence: High — active exploitation confirmed.

  • Search metadata: T1190, Oracle E-Business Suite


Critical Vendor Patches: Adobe and Citrix Infrastructure at Risk

  • What happened: Adobe patched seven critical vulnerabilities (CVSS 10/10) in ColdFusion and Campaign Classic enabling arbitrary code execution. Separately, Citrix patched six NetScaler vulnerabilities including a new HTTP/2 Bomb denial-of-service flaw and a high-severity CitrixBleed-style bug capable of exposing sensitive session information.

  • Why it matters: ColdFusion is a historically targeted application server with a track record of rapid exploitation post-disclosure. Campaign Classic handles marketing and customer data pipelines. NetScaler is a widely deployed edge access and load-balancing platform — a CitrixBleed-style flaw is particularly concerning given how aggressively the original CitrixBleed was exploited in 2023. Neither vendor has confirmed active exploitation, but the severity and product profiles make both high-probability targets.

  • Who should care: Application owners running ColdFusion or Campaign Classic, network and security infrastructure teams managing NetScaler appliances, and SOC teams monitoring edge access infrastructure.

  • Recommended action: Patch Adobe ColdFusion and Campaign Classic this week — prioritize internet-facing deployments. Apply Citrix NetScaler patches immediately given the edge infrastructure risk and the CitrixBleed precedent. Validate that no exploitation occurred in the window between disclosure and patching.

  • Confidence: High — patches confirmed released; exploitation status unconfirmed for both vendors.

  • Search metadata: T1059, Adobe ColdFusion, Adobe Campaign Classic, Citrix NetScaler, HTTP/2 Bomb, CitrixBleed, information disclosure, denial of service


Monitor Only

  • FTC fines Amazon $2.25M for blocking identity theft victims’ access to transaction records — The enforcement action establishes a regulatory precedent: organizations that impede fraud victims’ access to their own transaction data face civil penalties. Legal, compliance, and risk teams should review internal fraud response procedures and evidence-preservation policies against this standard.

Analyst Observation

Today’s brief is dominated by a patch-heavy day with an active exploitation situation layered on top. The Oracle EBS story is the most operationally urgent — 900+ exposed instances with confirmed in-the-wild exploitation is not a “patch when convenient” situation, and ERP platforms are high-value targets for both financial fraud and espionage. The Adobe and Citrix releases arriving on the same day create real prioritization friction for lean security teams; given NetScaler’s edge position and the CitrixBleed precedent, the NetScaler patches should move ahead of the Adobe items unless ColdFusion is internet-facing. The Amazon FTC action warrants a brief conversation with legal and compliance — the fine itself is modest, but the principle that organizations must cooperate with fraud victims’ evidence requests has broader applicability than retail platforms alone.



Generated by DevSecOpsDadAttack cyber threat intelligence.
