Week in review: 74k Fortinet firewall credentials stolen, Splunk Enterprise RCE under active attack
Microsoft working on patch for RoguePlanet Defender zero-day (CVE-2026-50656)
Microsoft has acknowledged the local elevation of privilege issue in Microsoft Defender that can be triggered via the “RoguePlanet” exploit, and is “working to provide a high quality security update that addresses this vulnerability.” The vulnerability, which has been assigned the CVE-2026-50656 identifier, stems from improper link resolution before file access, and can be exploited in low complexity attacks by authenticated attackers, with no user interaction required. The issue is tracked as CVE-2026-20262.

Unauthenticated RCE in Splunk Enterprise under active attack (CVE-2026-20253)
CISA has added CVE-2026-20253, a critical, remotely exploitable vulnerability in Splunk Enterprise, to its Known Exploited Vulnerabilities catalog, and ordered US federal civilian agencies to apply mitigations by June 21, 2026.
The Vulnerability
SimpleHelp RMM flaw could give attackers full access to managed endpoints (CVE-2026-48558)
A critical vulnerability (CVE-2026-48558) in SimpleHelp, a popular remote monitoring and management (RMM) tool, can be exploited remotely by unauthenticated attackers to create a new “Technician” account and use it to remote into managed endpoints, execute scripts, and more.

Further details indicate that attackers are exploiting FortiSandbox vulnerabilities
Attackers have been spotted exploiting three vulnerabilities (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) in FortiSandbox, a platform that other Fortinet security products depend on for threat verdicts to enforce blocking decisions and trigger automated responses.

The Chainguard Athena coalition already shipped 2,000 patches across 500 open source projects
Chainguard launched Athena, an industry coalition that pools open source vulnerability findings and remediates them under embargo before public disclosure.

Cisco discloses second exploited SD-WAN vulnerability in two weeks (CVE-2026-20262)
Cisco has revealed another Catalyst SD-WAN Manager vulnerability (CVE-2026-20262) that its Product Security Incident Response Team observed being exploited by attackers.
Technical Details
Klue breach leads to Salesforce data theft, Huntress affected
Cybersecurity vendor Huntress was among multiple companies hit by a breach originating at Klue, a market intelligence platform used to integrate CRM and sales data across various business tools.

Fake travel sites are multiplying this summer
Cyberattacks against hospitality, travel, and recreation organizations rose 24% year over year, reaching an average of 2,291 incidents per organization each week in May 2026, according to Check Point.
Risk & Exposure
The running count for the first few months sits well above the original projection, and the Forum of Incident Response and Security Teams (FIRST) now expects the year to land near 66,000 CVEs. The group went live with more than two dozen member organizations. The security community has largely accepted this reality and shifted focus toward automated detection systems that can intercept and block phishing threats before users see them.
The number doing this in production reached 32 percent in 2026, up from 29 percent the year before, according to Confluent’s annual Data Streaming Report, which surveyed 4,625 IT leaders across 14 countries.
Law enforcement hits SocGholish: 106 servers down, 15,000 sites cleaned
SocGholish, an operation that’s been delivering malware to users via fake software updates, has suffered a major blow: the international law enforcement coalition behind Operation Endgame has taken down 106 of its servers and domains, and cleaned up nearly 15,000 websites compromised to serve their malicious payloads.
Timeline
| Date | Event |
|------|-------|
| 2026 | Cisco discloses second exploited SD-WAN vulnerability in two weeks (CVE-2026-20262) Cisco has revealed another Cataly… |
| 2026 | SimpleHelp RMM flaw could give attackers full access to managed endpoints (CVE-2026-48558) A critical vulnerability (… |
| 2026 | Microsoft working on patch for RoguePlanet Defender zero-day (CVE-2026-50656) Microsoft has acknowledged the local el… |
| June 21, 2026 | Unauthenticated RCE in Splunk Enterprise under active attack (CVE-2026-20253) CISA has added CVE-2026-20253, a critic… |
| June 8, 2026 | The company discovered unauthorized activity on June 8, 2026, and launched an investigation with the assistance of ex… |
| 2025 | More than half of surveyed jurisdictions reported that cybercrime accounts for over 30% of all crimes recorded nation… |
Patching & Remediation
- The Chainguard Athena coalition already shipped 2,000 patches across 500 open source projects Chainguard launched Athena, an industry coalition that pools open source vulnerability findings and remediates them under embargo before public disclosure.
- The security community has largely accepted this reality and shifted focus toward automated detection systems that can intercept and block phishing threats before users see them.
- Crypto scammers are sending couriers to victims’ homes to collect cash Scammers behind cryptocurrency investment schemes are dispatching couriers to pick up cash from victims in person, the FBI warns.
- AWS Continuum brings AI models to code vulnerability management AWS Continuum for code vulnerabilities, a system built to handle a vulnerability across its lifecycle, from discovery through to a fix, is now available in gated preview.
- Connect to your office network and your in-office presence updates automatically, no manual status change needed.
- Microsoft AntiSSRF open-source library helps block server-side request forgery AntiSSRF is an open-source code library from Microsoft that validates URLs and network connections to reduce server-side request forgery (SSRF) risks in web applications.
Analysis
This disclosure adds to a growing pattern of significant vulnerabilities affecting enterprise infrastructure.