Cyber Threat Brief — June 21 2026

⚠️ This report is AI-generated. Always validate findings.

1. Splunk Enterprise Pre-Auth RCE — CISA Deadline TODAY — CVE-2026-20253

TL;DR: The federal remediation deadline for the Splunk Enterprise PostgreSQL sidecar RCE is today, June 21. Active exploitation was confirmed June 18. Patch to 10.4.0/10.2.4/10.0.7 immediately.

What’s New:

  • CISA KEV federal deadline is TODAY — first Splunk CVE ever on KEV
  • Limited ITW exploitation confirmed by Splunk PSIRT June 18
  • watchTowr DAG detection tool available on GitHub to test exposure (400 = vulnerable, 401 = patched)
  • No workarounds — patching is the only remediation
  • AWS deployments at elevated risk (sidecar enabled by default)

Actionable Intel

| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| /v1/postgres/recovery/backup | URI path | T1190 | WAF/proxy logs | Block unauthenticated POST |
| /v1/postgres/recovery/restore | URI path | T1190 | WAF/proxy logs | Block unauthenticated POST |
| hostaddr= in HTTP body | Injection param | T1190 | WAF deep inspection | Alert on PostgreSQL connection params in body |
| lo_export in SQL payload | SQL function | T1059.004 | PostgreSQL audit logs | Alert on large object export to filesystem |
| ../ in recovery endpoint params | Path traversal | T1083 | WAF/proxy logs | Block traversal sequences |
| .pgpass file access | Credential file | T1552.001 | Splunk internal logs / auditd | Alert on read of .pgpass by non-splunk process |

Detection

| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | Critical gap — no rule for sidecar endpoint auth bypass or PostgreSQL lo_export abuse |
| Elastic | None | No coverage for Splunk-specific attack surface |
| Sigma | None | No community rule yet |
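Since no ESCU, Elastic or Sigma rule covers the sidecar endpoints yet, here is an added example (not from the Splunk advisory, watchTowr or any other cited source) of interim detection logic run over a constructed proxy log: it flags unauthenticated POSTs to the two recovery endpoints, hostaddr= in the request body, traversal sequences, and the 400-vs-401 response distinction that the watchTowr exposure check relies on. The tab-separated log layout and its field names are assumptions; adapt the parser to your WAF or proxy's real format.

```python
import re
from dataclasses import dataclass

# Assumed (constructed) proxy log layout, one request per line, tab-separated:
#   method <TAB> path <TAB> status <TAB> has_auth(0/1) <TAB> body_snippet
RECOVERY_ENDPOINTS = ("/v1/postgres/recovery/backup", "/v1/postgres/recovery/restore")
TRAVERSAL = re.compile(r"(?:\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.IGNORECASE)
CONN_PARAM = re.compile(r"\bhostaddr=", re.IGNORECASE)

# Constructed sample log: line 1 is benign, lines 2-4 carry the brief's artifacts.
SAMPLE_LOG = [
    "GET\t/en-US/app/search\t200\t1\t",
    "POST\t/v1/postgres/recovery/backup\t400\t0\tdbname=splunk hostaddr=203.0.113.7",
    "POST\t/v1/postgres/recovery/restore\t401\t0\t",
    "POST\t/v1/postgres/recovery/restore?file=../../../var/tmp/x\t400\t1\t",
]

@dataclass
class Hit:
    line_no: int
    reason: str
    technique: str  # ATT&CK technique from the Actionable Intel table

def scan_proxy_log(lines):
    """Return one Hit per indicator matched on requests to the recovery endpoints."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5:
            continue  # malformed line: skip instead of crashing the sweep
        method, path, status, has_auth, body = parts
        if not path.split("?", 1)[0].startswith(RECOVERY_ENDPOINTS):
            continue  # only the sidecar recovery endpoints are in scope
        if method == "POST" and has_auth == "0":
            hits.append(Hit(n, "unauthenticated POST to recovery endpoint", "T1190"))
        if has_auth == "0" and status == "400":
            # Per the watchTowr check: 400 to an unauthenticated request = unpatched, 401 = patched
            hits.append(Hit(n, "unauthenticated request answered 400 (unpatched signal)", "T1190"))
        if CONN_PARAM.search(body):
            hits.append(Hit(n, "PostgreSQL connection parameter hostaddr= in body", "T1190"))
        if TRAVERSAL.search(path) or TRAVERSAL.search(body):
            hits.append(Hit(n, "path traversal sequence in recovery request", "T1083"))
    return hits

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.technique} - {h.reason}")
```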

Sources: Splunk Advisory, watchTowr PoC, CISA KEV, Help Net Security


2. Chrome 149 Patches 7 Critical Use-After-Free Vulnerabilities

TL;DR: Google shipped Chrome 149.0.7827.155/.156 on June 20 with fixes for 33 vulnerabilities — seven rated Critical, all UAF bugs in high-value attack surfaces including Password Manager and WebAuthn.

What’s New:

  • 7 Critical UAF bugs across WebShare, Digital Credentials, File Input, Password Manager, and Web Authentication
  • 26 High-severity bugs spanning Extensions, WebRTC, Safe Browsing (heap overflows, OOB reads)
  • No confirmed ITW exploitation yet, but the UAF bugs in Password Manager and WebAuthn are high-value targets
  • Firefox also patching 70+ vulnerabilities in concurrent release

Actionable Intel

| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Chrome < 149.0.7827.155 | Version | T1203 | Endpoint agent / SCCM | Force-update or block |
| Unusual chrome.exe child processes | Process chain | T1189 | EDR / Sysmon EID 1 | Alert on browser spawning shells/LOLBins |
| Renderer crash dumps | Crash telemetry | T1203 | Chrome crash reports / WER | Investigate spikes in renderer crashes |

Detection

| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No Chrome-version-specific detection |
| Elastic | Suspicious Browser Child Process | Covers post-exploitation only |
| Sigma | proc_creation_win_browsers_suspicious_child_process.yml | Partial — no pre-exploitation coverage |

Sources: SecurityWeek, Chrome Releases Blog


Status Updates

  • CVE-2026-50656 (Microsoft Defender — RoguePlanet): Still an UNPATCHED zero-day. TOCTOU race → SYSTEM on fully-patched Win10/11. Defender definition 1.453.20.0 detects the PoC binary, but the root cause is unfixed. WDAC/AppLocker blocks execution. Microsoft has been “working on a patch” since June 16.
  • CVE-2026-42530 (NGINX HTTP/3 QUIC UAF): Patched in 1.31.2 on June 17. No ITW exploitation confirmed. If running the HTTP/3 QUIC module on 1.31.0-1.31.1, patch immediately.
  • CVE-2026-48907 (Joomla JCE RCE): CISA KEV deadline passed June 19. Automated webshell deployment ongoing. A post-patch IOC sweep is required — updating alone does not remove attacker artifacts.
  • CVE-2026-20262 (Cisco SD-WAN Manager): Zero-day file write, CISA KEV deadline June 29. WAR webshell deployment confirmed. 8th SD-WAN CVE of 2026.
  • FortiBleed (73K+ credential dump): CISA urged Fortinet customers on June 19 to rotate all credentials on exposed devices. 86,644 compromised devices as of June 19.