Cyber Threat Brief — June 19 2026
⚠️ This report is AI-generated. Always validate findings.
1. NGINX HTTP/3 & Proxy Critical RCE — CVE-2026-42530 / CVE-2026-42055
TL;DR: Two CVSS 9.2 vulnerabilities in NGINX Open Source and NGINX Plus enable unauthenticated remote DoS and potential RCE via crafted HTTP/3 or HTTP/2 proxy traffic. F5 released out-of-band patches June 17. No ITW exploitation yet but trivial to trigger.
What’s New:
- CVE-2026-42530: use-after-free in `ngx_http_v3_module` via QPACK encoder stream reopening; a crafted QUIC session crashes the worker or achieves RCE when ASLR is disabled/bypassed
- CVE-2026-42055: heap buffer overflow in `ngx_http_proxy_v2_module` and `ngx_http_grpc_module` via oversized headers; requires `ignore_invalid_headers off` + `large_client_header_buffers` > 2MB
- Affects NGINX Open Source 1.30.0-1.31.1 and NGINX Plus R33-R36, 37.0.0-37.0.1; fixed in NGINX Open Source 1.31.2/1.30.3 and NGINX Plus 37.0.2.1/R36 P6
- F5 WAF for NGINX, NGINX App Protect, and NGINX Instance Manager affected but no direct fix yet — mitigations only
- Broadest NGINX advisory since CVE-2026-42945 (NGINX Rift) in May
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| QUIC traffic with malformed QPACK encoder stream reopening | Exploitation | T1190 | NGINX error logs / packet capture | Monitor for repeated worker crashes on HTTP/3 endpoints |
| NGINX worker process crash/restart pattern | DoS indicator | T1499.004 | NGINX error log, systemd journal | Alert on rapid worker respawns (worker process exited on signal 11) |
| Oversized HTTP/2 headers to proxy/grpc endpoints | Exploitation | T1190 | WAF / NGINX access logs | Enforce large_client_header_buffers <= 2MB; enable ignore_invalid_headers on |
| NGINX child process spawning shell | Post-exploitation | T1059.004 | EDR / auditd | Alert on shell spawn from NGINX worker PID |
| NGINX version < 1.31.2 or < 1.30.3 | Vulnerable asset | T1190 | Asset inventory | Prioritize patching all exposed NGINX instances |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No NGINX-specific crash/exploit detection; need NGINX error log ingestion + worker crash correlation |
| Elastic | None | No NGINX HTTP/3 or proxy exploitation rules |
| Sigma | None | No coverage; need NGINX worker signal 11 crash pattern rule |
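A minimal version of the worker-crash correlation both tables flag as missing, added here as an example rather than code from the brief or from F5: it parses the master-process `exited on signal 11` lines from a constructed NGINX error log and fires when a threshold number of crashes land inside a sliding time window. The log-line shape, the threshold and the window are assumptions to tune per deployment.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed NGINX error-log sample (not real logs): three worker crashes
# inside 10 seconds, an unrelated notice, then one isolated crash much later.
SAMPLE_LOG = """\
2026/06/18 10:15:01 [alert] 1234#0: worker process 5678 exited on signal 11
2026/06/18 10:15:03 [notice] 1234#0: start worker process 5690
2026/06/18 10:15:04 [alert] 1234#0: worker process 5690 exited on signal 11
2026/06/18 10:15:06 [notice] 1234#0: start worker process 5702
2026/06/18 10:15:08 [alert] 1234#0: worker process 5702 exited on signal 11
2026/06/18 10:20:00 [notice] 1234#0: signal process started
2026/06/18 10:30:00 [alert] 1234#0: worker process 5810 exited on signal 11
"""

# Master-process line written when a worker dies of SIGSEGV (signal 11).
CRASH_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[alert\] \d+#\d+: "
    r"worker process (?P<pid>\d+) exited on signal 11$"
)


def parse_crashes(log_text):
    """Return (timestamp, worker_pid) for every SIGSEGV worker exit in the log."""
    crashes = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            crashes.append((ts, int(m["pid"])))
    return crashes


def rapid_respawn_alerts(crashes, threshold=3, window_seconds=60):
    """Sliding-window rule: emit an alert whenever `threshold` or more crashes
    fall within the last `window_seconds`. An isolated crash never fires."""
    alerts = []
    window = deque()
    for ts, pid in sorted(crashes):
        window.append((ts, pid))
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        if len(window) >= threshold:
            alerts.append({"at": ts, "count": len(window), "pids": [p for _, p in window]})
    return alerts
```

In production feed the same function from the error log or the systemd journal and pair the alert with HTTP/3 listener status, since a crash burst on a QUIC endpoint is the signal the brief calls out.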
Sources: F5 Advisory CVE-2026-42530 · THN · BleepingComputer · SecurityWeek
2. Splunk AI Toolkit OS Command Injection — CVE-2026-20266
TL;DR: CVSS 9.1 OS command injection in the btool configuration helper lets any Splunk admin execute arbitrary OS commands on the host. Published June 17. No detection available — upgrade to 5.7.4 or uninstall.
What’s New:
- Unsafe shell execution in btool configuration helper constructs OS command strings from dynamic parameters without disabling shell interpretation (CWE-78)
- Scope impact marked as Changed (S:C) — successful exploit affects components beyond the Splunk instance itself
- Affects Splunk AI Toolkit versions < 5.7.4; fixed in 5.7.4
- Splunk confirms NO detection mechanisms are available; only workaround is uninstall
- Admin role required but post-exploitation achieves full host OS command execution
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Splunk AI Toolkit version < 5.7.4 | Vulnerable asset | T1190 | Splunk REST API (/services/apps/local) | Audit all Splunk instances for AI Toolkit version |
| btool invocations with shell metacharacters | Exploitation | T1059.004 | Splunk internal logs / auditd | Monitor btool process command lines for injection patterns |
| Unexpected child processes from Splunk process tree | Post-exploitation | T1059 | EDR / process monitoring | Alert on non-standard child processes of splunkd |
| Splunk admin role assignments | Pre-requisite | T1078.002 | Splunk audit logs | Audit admin role membership; apply least privilege |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Vendor confirms no detection available; need btool command-line anomaly rule |
| Elastic | None | No Splunk-specific exploitation detection |
| Sigma | None | No coverage; need Splunk process tree anomaly rule |
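An added example (not from Splunk or the brief) of the two process-tree checks the table asks for: flag `btool` invocations whose arguments carry shell metacharacters, and flag children of `splunkd` outside an allowlist. The event shape, the binary paths and the allowlist are assumptions; baseline them against the real process tree before alerting.

```python
import re

# Constructed process-execution events (not real telemetry), shaped like the
# normalised output of an EDR or auditd pipeline: parent image name, image, argv.
SAMPLE_EVENTS = [
    {"parent": "splunkd", "image": "/opt/splunk/bin/splunk",
     "argv": ["splunk", "btool", "server", "list", "--debug"]},
    {"parent": "splunkd", "image": "/opt/splunk/bin/splunk",
     "argv": ["splunk", "btool", "inputs", "list", "--app=$(whoami)"]},
    {"parent": "splunkd", "image": "/bin/sh",
     "argv": ["sh", "-c", "btool props list; whoami"]},
    {"parent": "splunkd", "image": "/usr/bin/python3",
     "argv": ["python3", "/opt/splunk/etc/apps/example/bin/script.py"]},
]

# Characters that change how a shell parses a command string (the CWE-78 vectors).
SHELL_META = re.compile(r"[;&|`$<>]")

# Assumed allowlist of images splunkd is expected to spawn in this deployment.
EXPECTED_SPLUNKD_CHILDREN = {
    "/opt/splunk/bin/splunk", "/opt/splunk/bin/splunkd", "/usr/bin/python3",
}


def btool_injection_pattern(event):
    """True when the command line invokes btool and any argv element carries metacharacters."""
    argv = event["argv"]
    if not any("btool" in arg for arg in argv):
        return False
    return any(SHELL_META.search(arg) for arg in argv)


def unexpected_splunkd_child(event):
    """True when splunkd spawned an image outside the allowlist (e.g. a shell)."""
    return event["parent"] == "splunkd" and event["image"] not in EXPECTED_SPLUNKD_CHILDREN


def evaluate(events):
    """Return (event index, rule name) for every rule that fires on each event."""
    hits = []
    for i, ev in enumerate(events):
        if btool_injection_pattern(ev):
            hits.append((i, "btool-shell-metacharacters"))
        if unexpected_splunkd_child(ev):
            hits.append((i, "unexpected-splunkd-child"))
    return hits
```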
Sources: Splunk Advisory SVD-2026-0614 · SecurityWeek · CyberSecurityNews
Status Updates
- CVE-2026-0257 (Palo Alto GlobalProtect): CISA KEV federal deadline TODAY June 19. Auth bypass via forged VPN cookies exploited since May 17. Patch PAN-OS immediately. Original brief
- CVE-2026-28318 (SolarWinds Serv-U): CISA KEV federal deadline TODAY June 19. DoS via deflate POST. Patch to 15.5.4 Hotfix 1. Original brief
- CVE-2026-50751 (Check Point VPN): PoC public since June 12 (watchTowr). Qilin ransomware exploitation ongoing. 4 public PoCs on GitHub. If still running IKEv1 Remote Access VPN, treat as compromised. Original brief
- FortiSandbox triple-chain (CVE-2026-39808/39813/25089): Active exploitation continues per Defused Cyber. AI-generated exploit code observed for CVE-2026-25089. No new IOCs. Original brief