By security practitioners, for security practitioners

Top 10 Cybersecurity News (June 22, 2026): Klue OAuth Breach Fuels Icarus Salesforce Data Theft, World Food Programme Breach Exposes Gaza Households, and More

WEEKLY TOP TEN: June 22, 2026, 16:00 GMT

  1. CISA Orders Federal Patch of Exploited Splunk Enterprise Flaw

    A critical Splunk Enterprise flaw tracked as CVE-2026-20253 is under active exploitation, prompting CISA to add it to the Known Exploited Vulnerabilities catalog and order federal agencies to patch within days under Binding Operational Directive 26-04. The vulnerability affects Splunk Enterprise versions 10.2.0–10.2.3 and 10.0.0–10.0.6. An unauthenticated remote attacker can reach a PostgreSQL sidecar service endpoint and use it to create or truncate arbitrary files, which in turn enables remote code execution. watchTowr published proof-of-concept exploit code days after Splunk’s patch release. Splunk advised admins who cannot patch immediately to disable the PostgreSQL sidecar service, removing the exposed attack surface until the upgrade is applied.
  2. Klue OAuth Breach Fuels Icarus Salesforce Data Theft

    Market intelligence platform Klue suffered an OAuth breach that let the newly active Icarus extortion group steal Salesforce CRM data from numerous customers. Attackers used a dormant legacy integration credential to access Klue’s backend, pushed malicious code that harvested customer OAuth tokens, then queried connected Salesforce environments directly. Confirmed victims include Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity, with stolen data covering business contacts, sales communications, pricing, and competitive intelligence. Salesforce disabled the Klue Battlecards integration, and Klue engaged CrowdStrike, revoked credentials, and notified law enforcement. Affected firms warn the data could fuel phishing and social engineering.
  3. Operation Endgame Dismantles SocGholish Malware Infrastructure

    International law enforcement disrupted the long-running SocGholish (FakeUpdates) operation, taking down 106 servers and domains and remediating 14,971 compromised WordPress sites. Agencies from the Netherlands, Canada, the United States, and Germany, supported by Europol, Eurojust, Proofpoint, Infoblox, and Shadowserver, targeted TA569, a major initial access broker tied to Evil Corp and multiple ransomware gangs since 2017. SocGholish compromised legitimate WordPress sites to push fake browser-update lures that delivered loaders and ransomware including LockBit and RansomHub. Infoblox reported that about 55% of its cloud customers reached SocGholish infrastructure this year. WordPress owners were urged to rotate credentials, enable MFA, and patch.
  4. Cisco Patches Exploited SD-WAN Manager Root Privilege Bug

    Cisco disclosed active exploitation of CVE-2026-20262, a critical flaw in Catalyst SD-WAN Manager that lets attackers escalate to root. The bug stems from improper input validation in the web management interface: an authenticated attacker with as little as a low-privileged account can send a crafted HTTP request to create or overwrite arbitrary files and elevate to root. Affected versions span 20.3.1 through 20.12.2, covering nearly three years of releases. Cisco confirmed limited in-the-wild exploitation and released fixes, noting that there are no workarounds. Organizations in finance, healthcare, and government running centralized SD-WAN controllers face elevated risk of network-wide compromise, since the manager holds configuration and credentials for every managed edge device.
  5. Three Critical Fortinet FortiSandbox Bugs Hit By Attackers

    Unknown attackers began exploiting multiple critical vulnerabilities in Fortinet’s FortiSandbox threat-detection platform, each carrying a 9.1 CVSS rating. CVE-2026-39813 is a path traversal flaw enabling authentication bypass via crafted HTTP requests, while CVE-2026-39808 and CVE-2026-25089 are OS command injection bugs allowing unauthenticated attackers to execute unauthorized commands. Threat intelligence firms observed exploitation within a 24-hour window, though a publicly circulated exploit for CVE-2026-25089 was assessed as faulty. Fortinet credited researchers from KPMG Spain and its own team and urged immediate upgrades to FortiSandbox 4.4.9 or 5.0.6 and above. Fortinet appliances remain a recurring target for attackers seeking initial access.
  6. CISA Flags Actively Exploited Joomla Content Editor Flaw

    CISA added a maximum-severity flaw in the Widget Factory Joomla Content Editor (JCE) extension, CVE-2026-48907, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. JCE is one of the most widely deployed content-editing extensions for Joomla, making the flaw broadly relevant to website operators running the CMS. The vulnerability allows attackers to execute PHP code on affected installations, giving them a path to full site compromise. Federal agencies were ordered to remediate under Binding Operational Directive timelines, and the Joomla Content Editor team published a security update and a free patch for older sites. Administrators were urged to update immediately.
  7. RoguePlanet Defender Zero-Day Grants SYSTEM Privileges

    A researcher known as Nightmare Eclipse released a Microsoft Defender zero-day called RoguePlanet just hours after June Patch Tuesday, affecting fully patched Windows 10 and Windows 11 devices. The race-condition flaw lets attackers spawn a command prompt with SYSTEM privileges, with proof-of-concept code shared on a self-hosted Git repository. Originally developed as a remote code execution issue exploiting Defender’s handling of files on remote SMB shares, it was reworked after Microsoft silently hardened the engine. Microsoft is developing a patch. The release continues an ongoing dispute between the researcher and Microsoft over disclosure and bug bounty practices, following prior Defender and BitLocker zero-days.
  8. DragonForce Hides C2 Traffic In Microsoft Teams Relays

    Threat actors tied to the DragonForce ransomware operation concealed command-and-control traffic inside Microsoft Teams relay infrastructure using a custom Go-based remote access trojan called Backdoor.Turn. By routing communications through legitimate Microsoft services, the attackers made malicious activity resemble routine corporate collaboration, evading detection for an extended period. Researchers at Symantec and Carbon Black observed the backdoor deployed against a major U.S. services firm, with the intrusion reportedly going unnoticed for roughly two months. The technique highlights the growing abuse of trusted SaaS and collaboration platforms to mask malware traffic, complicating network monitoring and detection for defenders relying on conventional egress controls.
  9. Microsoft Ties Mastra npm Supply Chain Attack To Sapphire Sleet

    Microsoft attributed a supply chain attack compromising more than 140 npm packages in the Mastra AI framework to North Korean state actor Sapphire Sleet (BlueNoroff). Attackers hijacked the dormant “ehindero” maintainer account and, in an 88-minute automated campaign on June 17, republished packages across the @mastra scope with an injected malicious dependency, easy-day-js, a typosquat of dayjs. Its postinstall hook disabled TLS verification, contacted attacker infrastructure, and dropped a cross-platform credential and cryptocurrency stealer with SYSTEM-level persistence. Any developer workstation or CI/CD pipeline that ran installs during the window is considered compromised. Microsoft linked the tradecraft to the earlier Axios npm compromise.
  10. Exposed Database Leaks 24 Billion Stolen Credentials

    Researchers discovered an exposed Elasticsearch cluster holding 24 billion records totaling more than 8.3 terabytes, primarily infostealer logs containing stolen usernames, passwords, and the services those credentials unlocked. The data, compiled from infostealer malware, Telegram channels, and prior breach collections, represents one of the largest credential exposures recorded and places billions of accounts at serious risk of takeover, particularly those without multi-factor authentication. The sheer scale makes the leak dangerous regardless of source, as attackers can weaponize aggregated credentials for credential stuffing and account compromise across countless organizations. Defenders were urged to enforce MFA, rotate exposed credentials, and monitor for unauthorized access.
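The Mastra compromise in item 9 is the kind of incident a lockfile review catches early: a malicious dependency pulled in transitively, plus an install script that runs on every `npm install`. The script below is an added example, not code from Novacoast, Microsoft, or the Mastra project. It parses an npm `package-lock.json` (lockfile v2/v3 format) and reports three things: any package on a denylist (the `easy-day-js` name comes from the story; any other entries you add are your own indicators), any package that declares install scripts (the lockfile records this as `hasInstallScript`), and any name that looks like a typosquat of a popular package. The `POPULAR` list and the edit-distance threshold are assumptions for illustration, and the embedded lockfile is a constructed sample, not a real Mastra lockfile.

```python
"""Scan an npm package-lock.json (lockfile v2/v3) for a known-bad dependency,
packages that run install scripts, and names that look like typosquats.
Added example; not code from the page's sources. See lead-in for assumptions."""
import json

# 'easy-day-js' is the dependency named in the Mastra story; anything else
# you put here is your own indicator list (assumption, not an official feed).
DENYLIST = {"easy-day-js"}
# Popular packages that typosquatters imitate (assumed list; extend for your stack).
POPULAR = {"dayjs", "axios", "lodash", "express", "react"}


def _bare_name(path):
    """'node_modules/@scope/pkg/node_modules/dep' -> 'dep'; '@scope/pkg' stays whole."""
    return path.split("node_modules/")[-1].strip("/")


def _edit_distance(a, b):
    """Levenshtein distance, used to spot names one or two edits from a popular package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _looks_like_typosquat(name):
    """Return the popular package a name imitates, or None (assumed heuristic).

    Normalises separators so 'day-js' collapses to 'dayjs', then allows up to
    two edits. This yields leads for review, not verdicts.
    """
    if name in POPULAR:
        return None
    core = name.replace("-", "").replace("_", "").replace(".", "").lower()
    for pop in POPULAR:
        if core == pop or _edit_distance(core, pop) <= 2:
            return pop
    return None


def scan_lockfile(text):
    """Return a list of (package_name, version, reason) findings for lockfile JSON text."""
    lock = json.loads(text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = meta.get("name") or _bare_name(path)  # aliases carry an explicit name
        version = meta.get("version", "?")
        if name in DENYLIST:
            findings.append((name, version, "known-malicious dependency"))
        if meta.get("hasInstallScript"):
            findings.append((name, version, "declares install script (preinstall/install/postinstall)"))
        target = _looks_like_typosquat(name)
        if target:
            findings.append((name, version, f"name resembles popular package '{target}'"))
    return findings


# Constructed sample lockfile: '@demo/agent-kit' and its version are made up;
# it stands in for a framework package that transitively pulls the bad dependency.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3, "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"@demo/agent-kit": "^0.1.0", "dayjs": "^1.11.0"}},
        "node_modules/dayjs": {"version": "1.11.10"},
        "node_modules/@demo/agent-kit": {"version": "0.1.0",
                                         "dependencies": {"easy-day-js": "^1.0.0"}},
        "node_modules/easy-day-js": {"version": "1.0.3", "hasInstallScript": True},
        "node_modules/day-js": {"version": "0.0.1"},
    }})

if __name__ == "__main__":
    for pkg, ver, why in scan_lockfile(SAMPLE_LOCK):
        print(f"{pkg}@{ver}: {why}")
```

Run it against a real lockfile with `scan_lockfile(open("package-lock.json").read())` in CI before `npm ci`. Because the campaign in item 9 ran for only 88 minutes, a denylist alone is a weak control; the install-script finding is the durable one, and `npm ci --ignore-scripts` stops lifecycle hooks from running at all on build agents that do not need them. A hit on `easy-day-js` in any lockfile committed or installed during the window should be treated as a compromised host, as the story says, and credentials on that machine rotated.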

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked by highest risk, and were drawn from multiple sources where available.
