← All Briefings
Briefings


CVE-2026-21587, the Oracle E-Business Suite authentication bypass patched in April, is now confirmed in active exploitation across APAC financial services deployments, with BleepingComputer's threat feed logging attacker-controlled infrastructure reaching EBS instances at three unnamed institutions as of mid-June. The technique is credential-free: an unauthenticated HTTP request to the eBusiness Suite's servlet layer returns a session token with elevated privileges, which is to say that the access control model Oracle spent a decade certifying for SOX and MAS TRM compliance failed on the protocol boundary Oracle itself defined. Mustang Panda's concurrent Zoho exploit chain -- documented by The Hacker News as a command-and-control pivot through ManageEngine's ServiceDesk cloud tenant -- confirms the adversary posture: the target is the authenticated session layer of enterprise SaaS and ERP stacks, specifically because that layer sits above the network controls that most regional CISOs treat as their perimeter.

The SFC circular from this week urging licensed institutions to accelerate AI transformation lands, against this backdrop, as a governance sequencing problem. The SFC wants AI in the workflow. Mustang Panda wants AI in the workflow too -- specifically, North Korea's separate campaign, disclosed in the same news cycle, uses prompt injection to suppress AI-generated analysis of malware samples, which is a direct attack on the AI-assisted triage layer that institutions are now being encouraged to deploy as a cost-efficiency measure. The Oracle EBS flaw had a patch available since April 17, 2026; institutions running unpatched EBS instances while simultaneously onboarding AI-assisted threat analysis tools have built an architecture where the detection layer is being targeted at the same moment the entry point is open.

Strong. The governance sequencing observation in the second paragraph is the piece. Most correspondents would have left it as atmosphere.-- WR
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.