Cyber Threat Brief — June 20 2026
1. Splunk Enterprise Pre-Auth RCE Under Active Exploitation — CVE-2026-20253
TL;DR: The PostgreSQL sidecar RCE chain watchTowr disclosed June 12 is now confirmed exploited in the wild. CISA KEV added June 18; federal deadline is tomorrow June 21. First Splunk CVE ever on KEV.
What’s New:
- CISA added CVE-2026-20253 to KEV June 18 after Splunk acknowledged limited ITW exploitation
- Federal remediation deadline is June 21 (tomorrow)
- watchTowr PoC chains unauthenticated /v1/postgres/recovery/backup and /restore endpoints → hostaddr= injection → .pgpass credential theft → lo_export arbitrary file write → Python script overwrite for code exec as splunk user
- Affects Splunk Enterprise 10.2.0–10.2.3 and 10.0.0–10.0.6
- Fixed in 10.4.0, 10.2.4, 10.0.7; disabling PostgreSQL sidecar mitigates
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| /v1/postgres/recovery/backup | URI path | T1190 | WAF/proxy logs | Block unauthenticated access |
| /v1/postgres/recovery/restore | URI path | T1190 | WAF/proxy logs | Block unauthenticated access |
| hostaddr= in request params | Injection indicator | T1190 | Splunk internal logs | Alert on PostgreSQL connection params in sidecar requests |
| lo_export in query strings | File write primitive | T1505.003 | PostgreSQL audit logs | Alert on large object export |
| Path traversal ../ in sidecar requests | Traversal indicator | T1083 | WAF/proxy logs | Block path traversal sequences |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None (own product) | Need rule for unauthenticated sidecar endpoint access and lo_export abuse |
| Elastic | None | No coverage for Splunk-specific sidecar exploitation |
| Sigma | None | No rule for PostgreSQL sidecar file write chain |
Sources: watchTowr technical deep-dive, CISA KEV, SecurityWeek, BleepingComputer
2. Cisco SD-WAN Manager Zero-Day File Write — CVE-2026-20262
TL;DR: Arbitrary file write via web UI file upload validation bypass, exploited as a zero-day in targeted attacks. CISA KEV June 15; federal deadline June 29. 8th Cisco SD-WAN CVE of 2026.
What’s New:
- CISA KEV addition June 15 with confirmed zero-day exploitation
- CVSS 6.5 file write escalates to web shell deployment and root via crafted upload
- Requires valid credentials with write-level access to web management interface
- Cisco confirmed “limited, targeted” exploitation by sophisticated actor
- No workaround; upgrade is only remediation
- Extends the SD-WAN attack surface alongside CVE-2026-20127, CVE-2026-20245, CVE-2026-20182
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| File upload to non-standard paths via web UI | Behavior | T1105, T1505.003 | SD-WAN Manager audit logs | Alert on file writes outside expected directories |
| Web shell artifacts (.jsp, .py) on SD-WAN Manager | File IOC | T1505.003 | Filesystem monitoring | Hunt for unexpected script files |
| Anomalous admin session activity | Behavior | T1078 | SD-WAN Manager auth logs | Correlate with known admin accounts |
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No SD-WAN Manager file upload monitoring rule |
| Elastic | None | No coverage |
| Sigma | None | No rule for SD-WAN Manager exploitation |
Sources: CISA KEV, SecurityWeek, BleepingComputer
3. LiteSpeed cPanel Plugin Symlink Privilege Escalation — CVE-2026-54420
TL;DR: Symlink following flaw in LiteSpeed cPanel plugin lets shared hosting tenants escalate to root. Actively exploited since May 2026 for tenant breakout. CISA KEV June 15; deadline passed June 18.
What’s New:
- CISA KEV addition June 15; federal deadline already passed (June 18)
- CVSS 8.5 symlink following (CWE-61) in cPanel plugin < 2.4.8
- Exploitable by any user with FTP or web shell on shared CloudLinux/CageFS hosting
- Attacker symlinks to sensitive files outside CageFS jail → root escalation
- Active exploitation since May 2026 per CISA
- Fixed in cPanel plugin v2.4.8 (bundled with WHM Plugin v5.3.2.1)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Symlinks in user web directories pointing outside CageFS | File IOC | T1548.001 | find -type l on hosting nodes | Hunt for symlinks targeting /etc/, /root/, /var/ |
| LiteSpeed cPanel plugin < 2.4.8 | Version check | T1548.001 | Package manager logs | Patch immediately |
| Unauthorized reads of /etc/shadow, /root/.ssh/ | Behavior | T1003.008 | Auditd / file access logs | Alert on sensitive file access from cPanel users |
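Added example (not from the brief or its sources) of the find -type l hunt in the table above, carried one step further: it walks a tenant home without following links, resolves every symlink and reports those whose target leaves the jail root, flagging the /etc/, /root/ and /var/ prefixes from the action column separately. It assumes the tenant home stands in for the CageFS jail root when none is given, and builds a constructed tenant tree in a temp directory for demonstration.

```python
import os
import tempfile
from pathlib import Path

# Hunt targets taken from the brief's action column.
SENSITIVE_PREFIXES = ("/etc/", "/root/", "/var/")

def find_escaping_symlinks(user_root, jail_root=None, sensitive=SENSITIVE_PREFIXES):
    """Walk user_root without following links and report each symlink whose
    resolved target leaves jail_root (assumption: the tenant home stands in for
    the CageFS jail when no jail_root is given). resolve() is non-strict, so a
    dangling link aimed at a path that does not exist yet is still reported."""
    jail = str(Path(jail_root or user_root).resolve())
    findings = []
    for dirpath, dirnames, filenames in os.walk(user_root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            resolved = str(link.resolve())  # follows chained links, collapses '..'
            if resolved == jail or resolved.startswith(jail + os.sep):
                continue  # target stays inside the jail: benign
            reason = "sensitive_target" if resolved.startswith(sensitive) else "outside_jail"
            findings.append({"link": str(link), "raw_target": os.readlink(link),
                             "resolved": resolved, "reason": reason})
    return findings

def build_demo_tree():
    """Constructed tenant home in a temp dir: one benign link, three escaping ones."""
    home = tempfile.mkdtemp(prefix="tenant_")
    web = os.path.join(home, "public_html")
    os.makedirs(web)
    open(os.path.join(web, "index.html"), "w").close()
    os.symlink("index.html", os.path.join(web, "ok.html"))          # benign, stays in jail
    os.symlink("/etc/shadow", os.path.join(web, "s.txt"))            # absolute, sensitive prefix
    os.symlink("../../../../../../../../../../../../etc/passwd",
               os.path.join(web, "p.txt"))                           # relative climb out of jail
    os.symlink("/opt/elsewhere/file", os.path.join(web, "o.txt"))    # outside jail, not sensitive
    return home

if __name__ == "__main__":
    for f in find_escaping_symlinks(build_demo_tree()):
        print(f"{f['reason']:16} {f['link']} -> {f['raw_target']} ({f['resolved']})")
```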
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No cPanel/LiteSpeed symlink detection |
| Elastic | None | No coverage |
| Sigma | None | No shared-hosting symlink traversal rule |
Sources: The Hacker News, BleepingComputer, Code Defence
4. BetterDocs Pro WordPress LFI to RCE — CVE-2026-7515
TL;DR: Unauthenticated local file inclusion via doc_style parameter in BetterDocs Pro plugin escalates to RCE. CVSS 9.8. Two public PoCs dropped June 19. No ITW exploitation confirmed yet but weaponization is imminent.
What’s New:
- CVSS 9.8 unauthenticated LFI via doc_style parameter (CWE-98)
- Attacker includes arbitrary .php files on server → code execution
- Two public PoC exploits on GitHub (izxci/CVE_2026_7515)
- Affects BetterDocs Pro ≤ 3.8.0; fixed in 3.8.1
- No ITW exploitation confirmed yet but trivial to exploit with public PoCs
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| doc_style= with path traversal in URL params | URI pattern | T1190 | WAF/access logs | Block ../ in doc_style parameter |
| Requests to BetterDocs REST endpoints with traversal | Behavior | T1190 | WordPress access logs | Alert on LFI patterns |
| GitHub PoC: izxci/CVE_2026_7515 | Exploit tool | T1588.005 | Threat intel | Track weaponization |
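The URI-pattern rows in this table and in the Splunk sidecar table of item 1 can be served by one log scanner. The following is an added example, not code from any of the cited sources: it parses combined-format access log lines, decodes the request target twice so double-encoded traversal is caught, and tags each hit with the ATT&CK IDs from the tables. The log lines and the BetterDocs REST path are constructed placeholders; only the doc_style parameter name and the two sidecar paths come from the brief.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (combined log format); not real telemetry. The
# BetterDocs REST path is an assumed placeholder; only the doc_style parameter
# name and the two sidecar paths come from the brief.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jun/2026:09:01:02 +0000] "POST /v1/postgres/recovery/restore?hostaddr=203.0.113.9 HTTP/1.1" 200 512
10.0.0.6 - - [20/Jun/2026:09:01:05 +0000] "GET /en-US/app/search/ HTTP/1.1" 200 8192
10.0.0.7 - - [20/Jun/2026:09:02:11 +0000] "POST /v1/postgres/recovery/backup?cmd=lo_export HTTP/1.1" 500 0
10.0.0.8 - - [20/Jun/2026:09:03:00 +0000] "GET /wp-json/betterdocs/v1/docs?doc_style=..%252F..%252Fwp-config.php HTTP/1.1" 200 2048
10.0.0.9 - - [20/Jun/2026:09:03:30 +0000] "GET /wp-json/betterdocs/v1/docs?doc_style=default HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SIDECAR_PATHS = ("/v1/postgres/recovery/backup", "/v1/postgres/recovery/restore")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

def decode(s):
    """Percent-decode twice so double-encoded traversal (..%252F) is not missed."""
    return unquote(unquote(s))

def classify(line):
    """Return {src, path, status, findings} for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = decode(parts.path)
    query = decode(parts.query)
    params = {k.lower(): [decode(v) for v in vs]
              for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    findings = []
    if path.startswith(SIDECAR_PATHS):
        findings.append(("splunk_sidecar_endpoint", "T1190"))
        if "hostaddr" in params:
            findings.append(("hostaddr_injection", "T1190"))
        if "lo_export" in query.lower():
            findings.append(("lo_export_file_write", "T1505.003"))
        if TRAVERSAL_RE.search(path) or TRAVERSAL_RE.search(query):
            findings.append(("sidecar_path_traversal", "T1083"))
    if any(TRAVERSAL_RE.search(v) for v in params.get("doc_style", [])):
        findings.append(("betterdocs_doc_style_lfi", "T1190"))
    return {"src": m.group("src"), "path": path, "status": m.group("status"), "findings": findings}

def scan(log_text):
    """Return the classified entries for every line that produced at least one finding."""
    return [e for e in map(classify, log_text.splitlines()) if e and e["findings"]]
```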
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | Web Shell Indicator (generic) | Need WordPress LFI-specific rule |
| Elastic | None | No WordPress doc_style LFI rule |
| Sigma | webshell_detection_file_creation.yml (generic) | Need BetterDocs-specific LFI detection |
Sources: CVEFeed, WPScan, GitHub PoC
Status Updates
- CVE-2026-0257 (PAN-OS GlobalProtect): Federal CISA KEV deadline passed June 19. Exploitation ongoing since May 17. Original brief.
- CVE-2026-28318 (SolarWinds Serv-U): Federal CISA KEV deadline passed June 19. 12,000+ exposed instances. Original brief.
- CVE-2026-42530/42055 (NGINX HTTP/3 & Proxy RCE): No ITW exploitation yet. Patches available (1.31.2/1.30.3). Original brief.
- CVE-2026-4020 (Gravity SMTP WordPress): Mass exploitation surge — 17M+ attempts blocked by Wordfence, 412 unique attacker IPs per CrowdSec. Patch to 2.1.5+. Not previously covered.