██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

CISA Flags Four Actively Exploited Flaws; Patch Now

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 23, 2026

Share

cybr.cx Daily Digest — June 23, 2026


Critical Vulnerabilities

No new CVEs meeting the CVSS ≥ 7.0 threshold were published to NVD in the last 24 hours — but the CISA Known Exploited Vulnerabilities catalogue tells a different story. Four actively exploited flaws demand immediate attention.

CVE-2026-20253 — Splunk Enterprise ⚠️ Actively exploited
CISA added this one on June 18 with a remediation deadline that has already passed. An unauthenticated attacker can create or truncate arbitrary files by hitting a PostgreSQL sidecar service endpoint that has no authentication gate. On a SIEM platform that ingests your most sensitive log data, unauthenticated file manipulation is a serious integrity and availability threat. If your Splunk Enterprise instances aren't patched and isolated, treat this as P1 right now.

CVE-2026-48907 — Widget Factory Joomla Content Editor ⚠️ Actively exploited
An improper access control flaw allows unauthenticated users to create new editor profiles and abuse that capability to upload and execute arbitrary PHP code — effectively unauthenticated remote code execution on any Joomla site running this plugin. The remediation deadline of June 19 has passed, and exploitation is confirmed in the wild. If you manage Joomla deployments, audit installed plugins immediately and remove or update this component.

CVE-2026-54420 — LiteSpeed cPanel Plugin ⚠️ Actively exploited
A symlink-following vulnerability in the LiteSpeed cPanel plugin can be abused by any user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS — the very sandboxing technology meant to contain exactly this type of lateral movement. Successful exploitation lets an attacker escape their CageFS jail and access files belonging to other hosting tenants. Shared hosting providers should treat this as urgent; the remediation deadline of June 18 has passed.

CVE-2026-20262 — Cisco Catalyst SD-WAN Manager ⚠️ Actively exploited
An authenticated remote attacker can exploit a path traversal vulnerability to create or overwrite arbitrary files on the underlying filesystem of affected SD-WAN Manager instances. While authentication is required, SD-WAN management planes are frequent targets for credential stuffing and stolen session tokens — don't let "authenticated only" lull you into complacency. Remediation deadline is June 29; patch or implement compensating controls now.


Headline News

Anthropic's Mythos Model Reportedly Penetrated U.S. Classified Systems in Hours

Testimony relayed to the Senate Intelligence Committee and reported internationally describes a controlled evaluation in which Anthropic's Mythos AI model successfully compromised almost every classified system operated by the NSA and U.S. Cyber Command — in a matter of hours. While details of the test environment, rules of engagement, and what "broke into" specifically means in operational terms remain classified or unreported, the claim is extraordinary and has serious implications for both offensive AI capability and the defensive posture of critical national security infrastructure. For practitioners, the story underscores a threat model that has shifted faster than most defensive frameworks anticipated: AI systems capable of autonomous, high-speed vulnerability discovery and exploitation at a scale no human red team can match. Whether or not the full picture is as dramatic as the Senate testimony suggests, the fact that this evaluation was conducted at all — and that results were alarming enough to reach the Senate Intelligence Committee — signals that AI-assisted intrusion is no longer a theoretical concern. Expect accelerated pressure on network segmentation, zero-trust architectures, and AI-specific red-teaming frameworks across government and critical infrastructure sectors.

ShinyHunters Dumps 45GB of MSG Facial Recognition Data After Ransom Deadline Passes

The ShinyHunters threat group has published a 45-gigabyte tranche of data exfiltrated from Madison Square Garden Entertainment after the company reportedly declined to meet a ransom deadline that expired on June 15. The dump includes facial recognition surveillance records — biometric data tied to individuals who attended events at MSG venues — as well as internal threat assessments and associated documentation. Unlike payment card or credential data, biometric records cannot be rotated or reissued; once exposed, affected individuals carry that risk permanently. This incident is a stark illustration of why biometric data deserves a higher protection classification than most organisations currently afford it, and why venue operators, retailers, and any enterprise running facial recognition at scale need to re-examine their data minimisation, retention, and segmentation practices. The involvement of ShinyHunters — a group with a long track record of large-scale breaches and leak-as-leverage extortion — confirms this was a targeted, patient operation rather than opportunistic scraping.

3 Million Texans Exposed in Hunting and Fishing Licence Vendor Breach

Texas Parks and Wildlife has disclosed that a third-party vendor responsible for processing hunting and fishing licence sales suffered a data breach, exposing personal information belonging to more than three million Texas residents. The breach originated at the vendor level rather than within state systems directly, continuing a pattern of supply-chain and third-party processor incidents that have proven particularly difficult for government agencies to prevent through conventional controls. Exposed data likely includes names, addresses, dates of birth, and potentially payment information gathered during licence transactions. For practitioners, the incident is another reminder that vendor risk assessments need to account for the full data lifecycle — including transactional processors who may hold sensitive PII with far less mature security programmes than their government clients. State agencies managing citizen-facing services should be auditing third-party data handling agreements and breach notification clauses as a priority.


Schrödinger's Feed

Q-Dice: True Randomness at 4.1 Gbit/s

Germany's Fraunhofer Institute for Photonic Microsystems has unveiled Q-Dice, a Quantum Random Number Generator engineered to produce genuinely unpredictable random numbers at data rates exceeding 4.1 Gbit/s — leveraging the fundamental indeterminacy of quantum processes rather than the pseudo-random algorithms that underpin most current cryptographic key generation. Traditional PRNGs, however well-seeded, are deterministic in principle; QRNG devices eliminate that theoretical attack surface entirely. As post-quantum cryptographic algorithms (NIST's ML-KEM, ML-DSA, and friends) move from standardisation into production deployment, the quality and throughput of the randomness feeding key generation becomes a meaningful variable. Practitioners evaluating PQC migration roadmaps should add hardware QRNG sourcing to the checklist — this is the kind of infrastructure component that rarely makes it into threat models until it's too late.


/dev/random

The Model That Paints Like It Understands Physics (Because It Sort of Does)

Researchers have published Moebius, a 0.2-billion-parameter image inpainting model that reportedly matches or exceeds the quality of models fifty times its size — roughly 10-billion-parameter class. The trick isn't brute scale but a fundamentally different approach to how the model reasons about masked regions, apparently giving it a coherent sense of scene geometry and lighting that larger, dumber models frequently get wrong. For a field that has spent the last three years in an arms race of ever-larger parameter counts, a 50x efficiency gain from architectural cleverness rather than compute spend is a meaningful data point. It's also the kind of result that should give deepfake detection researchers a quiet moment of reflection, given that "cheap to run, hard to detect" is precisely the capability profile that makes synthetic media genuinely difficult to govern.