Splunk Zero-Auth Flaw Exploited; CISA Deadline Already Passed
Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. June 22, 2026
cybr.cx Daily Digest — June 22, 2026
Critical Vulnerabilities
⚠️ Actively exploited — CVE-2026-20253 | Splunk Enterprise | No CVSS listed (CISA KEV)
An unauthenticated attacker can create or truncate arbitrary files on Splunk Enterprise via a PostgreSQL sidecar service endpoint that requires no authentication. CISA's remediation deadline has already passed (June 21), meaning any unpatched Splunk instance should be treated as potentially compromised right now. Patch immediately and audit recent file system changes.
⚠️ Actively exploited — CVE-2026-48907 | Widget Factory Joomla Content Editor | No CVSS listed (CISA KEV)
Unauthenticated users can create editor profiles in the Joomla Content Editor plugin and leverage improper access controls to upload and execute arbitrary PHP code — effectively a pre-auth RCE on any affected Joomla installation. Active exploitation is confirmed. If you're running this plugin, disable or update it before anything else today.
⚠️ Actively exploited — CVE-2026-20262 | Cisco Catalyst SD-WAN Manager | No CVSS listed (CISA KEV)
An authenticated remote attacker can exploit a path traversal flaw to create or overwrite arbitrary files on the SD-WAN Manager filesystem. Given the role SD-WAN Manager plays in network orchestration, successful exploitation could lead to persistent access or configuration tampering across managed WAN infrastructure. Cisco has a remediation deadline of June 29 — don't wait that long.
⚠️ Actively exploited — CVE-2026-54420 | LiteSpeed cPanel Plugin | No CVSS listed (CISA KEV)
A symlink-following vulnerability in the LiteSpeed cPanel plugin allows a user with FTP or web shell access on a CloudLinux/CageFS shared hosting server to escape their sandbox and access files outside their container. Shared hosting providers running this stack should treat this as an active tenant-escape risk.
CVE-2026-56396 | phpMyFAQ < 4.1.4 | CVSS 8.8 — HIGH
Authenticated users with the edit_user permission can abuse missing authorisation checks in editUser() and updateUserRights() to set the is_superadmin flag on any account, achieving full SuperAdmin access. This is a privilege escalation via logical flaw rather than memory corruption — patch to 4.1.4 and audit admin role assignments.
CVE-2026-12806 | Edimax BR-6478AC V2 firmware 1.23 | CVSS 8.8 — HIGH
The formWlSiteSurvey POST handler on this SOHO router is vulnerable to a remotely exploitable buffer overflow via the selSSID argument. A public exploit exists. These devices are unlikely to receive vendor patches given the disclosure response — consider replacing or isolating them from internet-facing segments.
CVE-2025-71348 / CVE-2025-71357 / CVE-2025-71378 | picklescan < 0.0.30 | CVSS 8.1 — HIGH
Three separate evasion bypasses in the picklescan ML security scanner allow malicious pickle files to invoke legitimate Python functions (torch.utils._config_module.load_config, idlelib.pyshell.ModifiedInterpreter.runcommand, cProfile.runctx) to execute arbitrary code while passing cleanly through picklescan's detection. If your AI/ML pipeline trusts picklescan as a security gate for model files, that gate has holes. Update to 0.0.30 and treat any externally sourced pickle file as untrusted regardless of scan results.
CVE-2026-12778 / CVE-2026-12779 / CVE-2026-12780 | AOMEI Partition Assistant / Dynamic Disk Manager / Backupper ≤ respective versions | CVSS 7.8 — HIGH
Three kernel drivers across AOMEI's disk utility suite (ampa10.sys, ddmdrv.sys, amwrtdrv.sys) implement improper access controls, enabling local privilege escalation. Public exploits exist for all three. The vendor did not respond to disclosure. These tools are common in enterprise endpoint environments — flag them for your vulnerability management team.
Headline News
Mass Exploitation Hits Gravity SMTP Plugin Across 100,000 WordPress Sites
Attackers are actively mass-exploiting CVE-2026-4020 in the Gravity SMTP WordPress plugin, which exposes API keys, OAuth tokens, and detailed system configuration data in response to a single unauthenticated HTTP request — no credentials, no complexity. With the plugin installed on approximately 100,000 sites, the attack surface is substantial, and the simplicity of exploitation means automated scanning and harvesting is almost certainly already underway. Stolen OAuth tokens and API keys for email providers (typically SendGrid, Mailgun, or similar) can be immediately weaponised for phishing campaigns or account takeover. Any WordPress operator running Gravity SMTP should rotate all credentials stored in the plugin configuration and update immediately, regardless of whether exploitation is confirmed — the cost of credential rotation is far lower than the cost of investigating a downstream phishing incident.
USB Worm Combines Clipboard Hijacking, Tor Exfil, and Crypto Theft
Microsoft Threat Intelligence has documented a self-propagating USB worm that monitors the Windows clipboard for cryptocurrency wallet addresses and seed phrases, silently swaps them for attacker-controlled addresses, and exfiltrates stolen data through a bundled portable Tor client — no separate Tor installation required. The malware spreads via infected USB drives, making air-gapped and high-security environments that prohibit internet access a specific concern, since USB is often one of the few permitted data transfer channels. The Tor-based exfiltration is notable because it bypasses many network-layer controls that would detect or block conventional C2 traffic, and the portable Tor binary means no installation footprint. Practitioners managing environments where cryptocurrency custody is relevant — exchanges, DeFi teams, treasury operations — should treat this as a targeted threat model and enforce USB device controls and clipboard monitoring where feasible.
White House Delays Release of Voting Machine Vulnerability Report
A government-commissioned study assessing security vulnerabilities in US voting machines has been delayed by the White House, with the release pushed back as midterm elections approach. The timing is significant: security researchers and election officials have long argued that public disclosure of vulnerability research — even at a high level — is essential for jurisdictions to make informed procurement and remediation decisions. Withholding the report reduces the window for election administrators to act on any findings before voting infrastructure is next deployed at scale. For practitioners working in election security or critical infrastructure, this underscores the persistent tension between controlled disclosure timelines and operational readiness — a dynamic that maps directly onto debates the security community has with vendors every day.
Schrödinger's Feed
IBM's latest readiness report argues that the path to quantum advantage runs through preparation rather than hype — a measured position, but one with sharp implications for cryptography planning. Organisations that have not begun inventorying their asymmetric cryptography dependencies are already behind the curve, as NIST's post-quantum standards are finalised and migration timelines are compressing. The gap between "quantum advantage is still years away" and "your encrypted data is being harvested today for future decryption" is exactly where the real risk lives. Practitioners should be treating PQC migration planning as an active workstream, not a future agenda item.
/dev/random
A post making the rounds this week gives a thorough walkthrough of JSON-LD — the structured data format you embed in HTML <script> tags to tell search engines what your page actually means — aimed at personal website owners. The security-adjacent observation that nobody seems to make loudly enough: JSON-LD is executed-by-reference in the sense that search engines and scrapers trust it implicitly to describe page content, making it a tidy vector for SEO manipulation or misleading rich snippets if injected via XSS or a compromised CMS. The format is completely invisible to most users and rarely audited. Probably fine for your personal blog — less fine if someone else is writing to your <head>.