🚨 Critical Alerts
CISA Warns of Actively Exploited Joomla JCE Flaw Allowing PHP Code Execution
Source: The Hacker News / All CISA Advisories
CISA has added a maximum-severity security flaw in Widget Factory Joomla Content Editor (JCE), CVE-2026-48907 (CVSS 10.0), to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The improper access control vulnerability could facilitate arbitrary PHP code execution.
CISA: Splunk Enterprise Flaw Actively Exploited, Patch by Sunday
Source: BleepingComputer / All CISA Advisories
CISA has urged U.S. federal agencies to secure their systems by Sunday against a critical Splunk Enterprise vulnerability (CVE-2026-20253, Missing Authentication) that is being actively exploited. This vulnerability is a frequent attack vector and poses significant risks.
CISA Warns Fortinet Customers After FortiBleed Credential Exposure
Source: All CISA Advisories / BleepingComputer
CISA urged Fortinet customers to harden their devices after reports of malicious cyber actors using compromised credentials to target internet-accessible Fortinet devices (FortiGate appliances, SSL VPN gateways) in a campaign dubbed 'FortiBleed', which exposed nearly 74,000 credentials.
🔓 Breaches & Attacks
Texas Govt Data Breach Exposes Over 3 Million Driver’s Licenses
Source: BleepingComputer
The Texas Parks and Wildlife Department (TPWD) disclosed a data breach at its license system vendor, exposing personal information for over three million individuals.
Klue OAuth Breach Linked to 'Icarus' Salesforce Data Theft
Source: BleepingComputer
Market intelligence platform Klue confirmed a security incident where 'Icarus' threat actors stole OAuth tokens used to connect to customers' Salesforce environments in an ongoing extortion campaign.
Microsoft Links Mastra AI Supply Chain Attack to North Korean Hackers
Source: BleepingComputer
Microsoft has attributed a recent supply chain attack on Mastra AI, which compromised over 140 npm packages, to the North Korean hacking group Sapphire Sleet (aka BlueNoroff).
🛡️ Vulnerabilities & Patches
CVE-2026-48907 (CVSS: 10.0 CRITICAL)
An improper access control vulnerability in Widget Factory Joomla Content Editor (JCE) could allow unauthenticated attackers to achieve arbitrary PHP code execution. This flaw is actively being exploited.
Remediation: Apply the latest security patch for the Widget Factory Joomla Content Editor (JCE) immediately.
CVE-2026-20253
A critical Missing Authentication for Critical Function vulnerability in Splunk Enterprise is being actively exploited in attacks. CISA has added it to its Known Exploited Vulnerabilities catalog.
Remediation: U.S. federal agencies are urged to patch affected Splunk Enterprise systems by Sunday and to conduct a forensic analysis to determine if systems were compromised before the patch was applied. All organizations should prioritize this update.
CVE-2026-40624 (CVSS: 9.8 CRITICAL)
An improper input validation vulnerability in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras may allow a remote, unauthenticated attacker to achieve arbitrary code execution via a specially crafted web request.
Remediation: Apply the firmware fix provided by AVer, available at: https://presentation.aver.com/DownloadFile.aspx?n=6617|1C01A887-7CDC-4C96-AD9A-11D53DE1AD71&t=ServiceDownload
🥷 Threat Actor Spotlight
Sapphire Sleet (aka BlueNoroff)
Targets: AI application frameworks (Mastra AI).
Tactics: Supply chain attacks, compromising npm packages.
Icarus
Targets: Market intelligence platforms (Klue) and their customers' Salesforce environments.
Tactics: OAuth token theft, extortion campaigns.
Prinz Eugen
Targets: N/A (General ransomware targets implied).
Tactics: New ransomware operation, prioritizes recently modified files for encryption, leaves no ransom note.
📋 Compliance & Deadlines
CISA Binding Operational Directive (BOD) 26-04
Deadline: Ongoing, with specific remediation deadlines for KEVs (e.g., Splunk vulnerability by Sunday)
Summary: This directive requires Federal Civilian Executive Branch (FCEB) agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those in CISA’s Known Exploited Vulnerabilities (KEV) Catalog, especially on publicly exposed assets. It also requires agencies to check for system compromise before applying patches for KEVs.
📰 Industry News
AI Agents Pose New Identity and Governance Challenges
The rapid adoption of AI agents in enterprises is creating significant identity and governance challenges, with these agents often having access to critical data and systems with little oversight. The concern around 'Shadow AI' has shifted from data leakage to an access control problem, highlighting the need to identify and manage orphaned agents and standing privileges.
Modern Phishing Bypasses MFA, Behavioral AI Offers Defense
Modern phishing attacks, including device code phishing, are increasingly effective at undermining MFA protections and gaining access to corporate accounts without needing passwords. Behavioral AI is emerging as a way to detect compromised accounts faster and automate response workflows.
Stay secure. If you found this briefing useful, please subscribe to 0DayDaily and share.

