June 25 / 2026 / Reading Time: 12 minutes

Weekly Situation Report : 6/22/26

EXECUTIVE SUMMARY

This article is to inform our partners and clients on the various happenings within the cybersecurity space. That includes items such as relevant breaches, emerging vulnerabilities, research, threat actor movement, and what you need to do as an organization to mitigate a future threat.

KEY TAKEAWAYS

  • A critical pre-authentication remote code execution vulnerability in Splunk Enterprise (CVE-2026-20253) has left more than 13,000 internet-exposed instances at risk.
  • A vulnerability in SimpleHelp allows attackers to create unauthorized accounts on affected systems.
  • The DragonForce ransomware group previously abused Microsoft Teams TURN relay servers to facilitate malicious communications during an attack.
  • An incident dubbed “FortiBleed” involves the active compromise of more than 75,000 FortiGate devices.
  • Three critical vulnerabilities in Fortinet Sandbox products are being actively exploited in the wild.
  • The ICARUS extortion group is imitating ShinyHunters tactics and has compromised Salesforce data belonging to Klue.

1. Splunk Enterprise CVE-2026-20253 Pre-Auth RCE, 13K+ Instances Exposed Publicly

SUMMARY

Researchers discovered and detailed a critical vulnerability (CVE-2026-20253) in Splunk's PostgreSQL Sidecar Service Endpoint. The vulnerability allows for arbitrary file creation and truncation resulting in remote code execution, due to a lack of authentication controls. It impacts Splunk versions 10 and above, especially those deployed on AWS.

Category

Critical Vulnerabilities

Industry

Multiple (especially cloud deployed versions such as on AWS)

Sources

https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/

https://advisory.splunk.com/advisories/SVD-2026-0603

https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus

https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba

Internal OSec Research

ANALYST COMMENTS

Splunk Enterprise is a software platform that collects and analyzes machine-generated data, indexing logs and metrics for real-time querying and analysis. A recent vulnerability, CVE-2026-20253, affects Splunk versions 10 and above and involves the PostgreSQL Sidecar Service Endpoint, which lacks authentication controls. This allows any user to create or truncate files without needing credentials. The vulnerability is particularly exploitable on Splunk Enterprise installed on AWS, where the PostgreSQL Sidecar Service is installed and enabled by default. Through a series of HTTP requests, attackers can leverage the endpoint to create empty files at any location or overwrite existing files, potentially leading to arbitrary code execution if the files contain executable scripts. 

The vulnerability is not currently known to be exploited in the wild. This assessment is based on the absence of detected signals from our own and other public honeypots that would indicate active exploitation at this time. We have observed scanning activity that is likely attempting to identify potential Splunk targets. However, exploitation is likely due to the release of the researcher analysis and a viable PoC. We have high confidence that this will likely be exploited in the short-term due to the public release of the PoC code.

The current PoC exploit code abuses Splunk’s backup and restore endpoints to execute arbitrary file overwrites. This can allow malicious code to be introduced through database backups and loaded onto a vulnerable Splunk instance, potentially enabling code execution when the Splunk web root is accessed through a browser.

ACTIONABLE GUIDANCE

A patch is available for the affected versions of Splunk and should be applied as soon as possible, as exploitation is likely in the short-term. If immediate patching is not possible, a workaround is available that involves disabling support for the PostgreSQL sidecar service. 

Product	Base Version	Component	Affected Version			Fix Version
Splunk Enterprise		10.4		splunkd	Not affected		10.4.0
Splunk Enterprise		10.2		splunkd	10.2.0 to 10.2.3	10.2.4
Splunk Enterprise		10.0		splunkd	10.0.0 to 10.0.6	10.0.7
Splunk Enterprise		9.4			splunkd	Not affected		NA
Splunk Enterprise		9.3			splunkd	Not affected		NA

 

2. SimpleHelp Vulnerability Allows Creation of Accounts

SUMMARY

A critical vulnerability (CVE-2026-48558) in SimpleHelp's remote management software allows unauthenticated attackers to create privileged technician accounts via OIDC. The issue affects versions 5.5.15 and older, and 6.0 pre-releases. Exploitation requires specific configurations, but approximately 14,000 exposed servers may be affected.

Category

Critical Vulnerabilities

Industry

Technology, Healthcare, Financial and Fintech

Sources

https://www.bleepingcomputer.com/news/security/simplehelp-bug-lets-hackers-create-rogue-remote-support-accounts/

https://simple-help.com/security/simplehelp-security-update-2026-05

https://horizon3.ai/attack-research/disclosures/cve-2026-48558-simplehelp-authentication-bypass-iocs/

https://x.com/DailyDarkWeb/status/2067154940212949185

ANALYST COMMENTS

A critical vulnerability (CVE-2026-48558) in SimpleHelp versions 5.5.15 and older, as well as 6.0 pre-release versions, allows unauthenticated attackers to create privileged technician accounts through OpenID Connect (OIDC), bypassing multi-factor authentication. This flaw enables attackers to perform privileged management activities like remotely accessing managed endpoints and executing scripts. The vulnerability affects SimpleHelp servers that rely on OIDC and have specific group settings enabled, impacting approximately 1,008 servers worldwide. SimpleHelp has patched this issue in versions 5.5.16 and 6.0RC2. organizations should update to these versions or restrict technician login sources with IP-based allowlists.

The vulnerability will likely be used to abuse legitimate sources and URLs during later stages of attack chains. Attackers may compromise SimpleHelp instances to gain access to hosted environments for reconnaissance, but the higher value is likely in using vulnerable SimpleHelp instances to execute attacks against external organizations or internal hosts. This is more likely given recent threat actor trends involving abuse of RMM software for initial access and C2 operations. In normal scenarios, a victim would likely need to download and install an RMM binary first. By compromising SimpleHelp infrastructure directly, attackers may bypass that step and increase the likelihood of successful targeting against one or more victims.

ACTIONABLE GUIDANCE

Applying the patch or upgrading to the most recent version of the software is recommended to reduce the risk of compromise. Indicators of potential abuse may include unfamiliar OIDC authentication activity in SimpleHelp logs or unknown technician accounts identified during an audit of currently logged in users. The fixed versions are as follows:

5.5.16
6.0RC2

 

3. Dragonforce Ransomware Abused Microsoft Teams TURN Relay Servers in Past Incident 

SUMMARY

DragonForce ransomware employs a custom malware called Backdoor.Turn to conceal its command-and-control communications by leveraging Microsoft Teams' TURN protocol. This marks the first known in-the-wild abuse of this infrastructure for malicious purposes, which uses advanced techniques including Bring Your Own Vulnerable Driver (BYOVD) to gain kernel-level access and evade detection.

Category

Ransomware

Industry

Business Services, Agriculture and Food, Construction, Manufacturing, Hospitality and Tourism

Sources

https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/
https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor
https://www.praetorian.com/blog/ghost-calls-abusing-web-conferencing-for-covert-command-control-part-2-of-2/
https://www.group-ib.com/blog/dragonforce-ransomware/

ANALYST COMMENTS

DragonForce ransomware leverages custom malware called Backdoor.Turn to disguise its command-and-control traffic by exploiting Microsoft Teams' TURN protocol, enabling it to hide communications within trusted network traffic. This technique, observed in attacks against a major U.S. services company, allows attackers to establish stealthy communication channels and avoid detection by security systems. The malware uses legitimate Teams credentials and TURN relays to mask its command-and-control traffic, making it appear as normal Teams traffic to defenders. In addition to its sophisticated communication tactics, DragonForce employs various techniques including exploitation of vulnerabilities and BYOVD tactics with drivers from different vendors.

The technique, known as TURNt, uses relay servers from Microsoft, Zoom (currently patched), and likely other providers such as Cisco or Google to act as C2 infrastructure for attacks. In regards to Microsoft Team relay servers, the TURN servers it relays will usually follow the pattern below:

*.relay.teams.microsoft.com

Aside from the novel technique, many of the threat actor’s tactics, techniques, and processes remain consistent. This is corroborated by reports of this incident and separate reporting on the threat actor in January. Initial access is typically achieved through exploitation of unpatched services or software, such as MSSQL in this case, or through the use of valid domain credentials against exposed RDP servers. 

The threat actor also makes heavy use of PowerShell and known reconnaissance and exploitation tools, such as ADFind, Netscan, and Mimikatz. The threat actor will also use DLL sideloading VirtualBox related DLLs for security evasion (vboxrt.dll), and using BYOVD techniques to disable security monitoring solutions. For persistence, the threat actor is known to rely on scheduled tasks and Windows Run keys within the registry, such as Software\Microsoft\Windows\CurrentVersion\Rune.

IOCs based on TURN relay exploitation incident from external reporting:

# Malware hashes

82b37a92589dfd4d67ca87eb9e52ac8e682e8e60d2211f59074cd5ccc693013b – Downloader

821da79d727351dd67ce5df7950e9a3de6647a3cf474bb3a093f67507fed92a6 – Backdoor.Turn

b6628d201c2a68d2a3de2a87de7a5acfe21b101a97928e1c8d5c82102d967383 – GameDriverx64 vulnerable driver

ce66b8221446c9b6d83f0ce6382f430e519601641e5daaaf1ca7a8a8806cb0b0 – Shellcode containing Backdoor.Turn

f174c19902523dcf005fa044b6598403a5e5c0a5982398d1bc0dcc5ec1cd351b – Sideloaded DLL mimicking VirtualBox

142bac0e2148e0d47891b6cd7311195c4acbe33b700fad54a201c52a2bc46219 – ADExplore
8395b621bb4415090f232c59fc41d24ea41a519b58eabe512f3ae7d2fdf049a3 – ADExplore

9335f61f8ad276d94455c5b6876fea48152c3cea759f2598c8108ee461fa5759 – Malicious ZIP archive

cd078957167e1af4de39aecdb981cd14156fa81d5a9c6ac51e74ae5b6199a12a – Malicious ZIP archive

b16e217cdca19e00c1b68bdfb28ead53b20adeabd6edcd91542f9fbf48942877 – K7 vulnerable driver

d20a3c928761fe00ac522eeb474612b5804cd9108453ea8591106d5d4428428e - sideloaded DLL mimicking VirtualBox

8284c8676cc22c4b2e66826ac16986da7ddecba1f2776b16771be17bfdc45dc2 – ABYSSWORKER driver

65ab49119c845801f29a57e8aa177146b2ffbd289d4278109b146f933380f951 – ABYSSWORKER driver

6bbf10bcbef7ac5102b54c81137859891a3802dbacd888be90f990d50e18b0b4 – AV killer

252a8bb2eb9c96c5e6cc7cab822e2ed0d508032f9350351221781684e86c03ab – Topaz Antifraud vulnerable driver

8a4033425d36cd99fe23e6faef9764fbf555f362ebdb5b72379342fbbe4c5531 – Havoc Process Terminator

e45b18c93d187aac5c4486f57483bc87580e15def82a312bfb377ff16eb96b22 – DragonForce ransomware

087f002df0a02c8c74f3ba5cd99cf29fb9efff38bf57b3d808e34a5dd4200dd2 – Tower of Fantasy vulnerable driver

048e18416177de2ead251abdf4d89837f6807c6aba4d5b1debe49adfdecbf05c – Backdoor.Turn

6f9fbe29f8cc2788e2bc9d631e0eea2a8e9837076837b55838005a0e654f0a9e – AV killer

d0da2832ae1e13a98f7ce7e33a66c1b0d9797b81f69ece134e4462ea55ac923e – Netscan

aea26980059ef2ad11e99556a4edfa1f8ec769fa9f06aa573b81bedf319954b5 – Netscan

# Network Indicators

projetosmecanicos.com[.]br – C&C for downloading additional tools

socialbizsolutions[.]com - C&C for downloading additional tools

professionalhomebasedbusiness[.]com - C&C for downloading additional tools

safefire[.]jo - C&C for downloading additional tools

glanz-gmbh[.]de - C&C for downloading additional tools

turnkeyaiagents[.]com - C&C for downloading additional tools

comunidadesparentais.com[.]br - C&C for downloading additional tools

mysimerp[.]net - C&C for downloading additional tools

http://192.36.27[.]51/TechSupV18Fix3.zip - Malicious zip archive download URL

62.164.177[.]25 - Backdoor.Turn C&C

ACTIONABLE GUIDANCE

Monitor for excessive traffic to *.relay.teams.microsoft.com. Alerts should also be considered when relay server activity differs from legitimate requests, such as unexpected regional subdomains. 

Organizations should restrict the use of PowerShell for non-administrator users, enforce timely patching of internet exposed software and devices, and audit exposed services to reduce the attack service available to threat actors. Disruption to security monitoring controls may also indicate potential compromise if it cannot be attributed to regular maintenance. If VirtualBox is used within the environment, replacement or alteration of files such as VBoxRT.dll is a known signal associated with this threat actor.

4. Active Compromise of 75k+ FortiGate devices, Incident Dubbed FortiBleed

SUMMARY

A security incident has been identified that resulted in impact to 75,000 Fortinet FortiGate devices, resulting in the leakage of hashed passwords. This incident has been dubbed FortiBleed by researchers.

Category

Known Exploited Vulnerabilities

Industry

Technology, Public Sector and Government Administration, Financial and Fintech

Sources

https://www.hudsonrock.com/fortinet

https://www.linkedin.com/feed/update/urn:li:activity:7471222472193830913/

https://www.theregister.com/security/2025/01/17/fortinet-fortigate-config-leaks-are-genuine-but-misleading/513638

https://github.com/inm7ripe/Fortigate-password-recovery/issues/1

https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/

https://dashboard.shadowserver.org/

Internal OSec Research

ANALYST COMMENTS

A security incident has been identified that resulted in over 75,000 Fortinet FortiGate devices impacted, resulting in the leakage of hashed credentials. It is currently unknown how the attackers obtained the hashed credentials. However, it is highly likely that the threat actors obtained Fortinet device configurations and cracked the contained hashes offline to recover the plain text passwords. The method used to obtain the configurations remains unknown. The information that has been leaked has been confirmed to be genuine by multiple sources. At least one source with insider knowledge of some affected organizations confirmed that the impacted devices had the latest available Fortinet patches applied.

Over the weekend, a security researcher uncovered a compromise of FortiGate credentials. The information was obtained due to the threat actor leaking parts of their infrastructure that allowed the researcher to uncover the compromise. Information has not yet been released explaining how the threat actors obtained the SSL VPN Authentication hashes. Prior to 2025, FortiGate had used a publicly known, hard-coded key in order to create the hashes. If passwords were hashed before the updated hashing mechanism was implemented, they may still be vulnerable to bruteforcing with the old hard-coded key. 

During our research of this incident, we identified suspected signals from underground forum activity at the end of May that may indicate early staging for an attack. However, it is still currently unknown if this activity is related or not. 

More recently, we have observed an overall increase in exploitation traffic against Fortinet devices since Saturday, June 13th. CVE-2026-21643, a FortiClient EMS SQL injection vulnerability, has seen increased exploitation activity. This may align with the reported targeting of MSSQL servers by the attacker. However, this connection remains speculative and should not be regarded as confirmed until more evidence is released or uncovered.

ACTIONABLE GUIDANCE

Credentials should be rotated and MFA should be enforced for all users. FortiGate and other Fortinet devices should be upgraded to the latest versions available, including all current hot fixes. 

Administrators should audit devices for potential compromise, including administrator logins from unknown sources or activity occurring at unusual times without attribution to known employees. If compromise is confirmed, the device should be rebuilt as there is a high likelihood that a backdoor may have been planted. 

Management interfaces should not be exposed to the public internet, as this unnecessarily expands the attack surface and creates additional opportunities for attackers.

*Domain and IP checking is available by request.

5. Three Critical Fortinet Sandbox Bugs Exploited in the Wild

SUMMARY

Three critical vulnerabilities in Fortinet’s FortiSandbox, including authentication bypass and remote code execution, are being actively exploited. Patches are available for two of the vulnerabilities, with a fix for the remaining issue expected soon.

Category

Known Exploited Vulnerabilities

Industry

Multiple

Sources

https://www.theregister.com/security/2026/06/16/three-critical-fortinet-sandbox-bugs-splattered-by-unknown-attackers/5256461

https://xcancel.com/DefusedCyber/status/2066575288503255274#m

https://doublepulsar.com/an-update-on-fortibleed-whats-happening-with-victim-orgs-c0671a50e7f4

https://blog.gayint.org/fortibleed.html

Internal OSec Research

ANALYST COMMENTS

Three critical vulnerabilities in Fortinet’s FortiSandbox have been actively exploited by attackers, allowing for authentication bypass, privilege escalation, and execution of malicious code. The flaws are CVE-2026-39813, CVE-2026-39808, and CVE-2026-25089. CVE-2026-39813 is a path traversal bug allowing for authentication bypass, CVE-2026-39808 is an OS command injection flaw enabling code execution, and CVE-2026-25089 is another OS command vulnerability allowing for unauthorized command execution. Despite Fortinet's patches, threat intelligence researchers report that exploitation has begun, particularly for CVE-2026-25089.

All the vulnerabilities, except CVE-2026-25089, have associated PoCs and are simple to exploit. Exploitation is likely being carried out by multiple threat actor groups. Currently available PoCs for CVE-2026-25089 are likely fake until additional verification is conducted. All the unconfirmed PoCs for this vulnerability target the /api/vnc/start endpoint and are included as reference indicators in case suspicious traffic is observed against this endpoint.

While exploitation of these vulnerabilities have been detected, the publicly exposed attack surface appears to be limited. According to Shodan searches for “http.title:FortiSandbox”, only 44 instances of FortiSandbox are publicly available. Similar searching platforms, such as FOFA, identified approximately 200 instances exposed publicly. A majority of publicly exposed FortiSandbox instances appear to be located in the US. 

Given the limited number of publicly exposed FortiSandbox instances, exploitation is likely to have a reduced overall impact compared to more widespread Fortinet technologies, such as FortiGate and other Fortinet products.

The first two vulnerabilities abuse the following endpoints:

# Affected endpoints for CVE-2026-39808 and CVE-2026-39813
/jsonrpc/
/fortisandbox/job-detail/tracer-behavior

ACTIONABLE GUIDANCE

Patches are now available from the vendor for all identified vulnerabilities. 

Suspected malicious behavior is expected to abuse the following endpoints, with crafted HTTP requests containing path traversal strings or encoded OS commands. Confirmed affected endpoints include /jsonrpc/ and /fortisandbox/job-detail/tracer-behavior. The /api/vnc/start endpoint remains unconfirmed for CVE-2026-25089 but is known to be a valid endpoint for the vulnerable component and is included in case suspicious traffic is seen to this location. The following versions are affected per CVE entry:

# CVE-2026-25089

Version					Affected			Solution
FortiSandbox 5.2		Not affected		Not Applicable
FortiSandbox 5.0		5.0.0 through 5.0.5	Upgrade to 5.0.6 or above
FortiSandbox 4.4		4.4.0 through 4.4.8	Upgrade to 4.4.9 or above
FortiSandbox Cloud 5.2	Not affected		Not Applicable
FortiSandbox Cloud 5.0	5.0.4 through 5.0.5	Upgrade to 5.0.6 or above
FortiSandbox Cloud 4.4	Not affected		Not Applicable
FortiSandbox PaaS 23.4	Not affected		Not Applicable
FortiSandbox PaaS 5.2	Not affected		Not Applicable
FortiSandbox PaaS 5.0	5.0.4 through 5.0.5	Upgrade to 5.0.6 or above
FortiSandbox PaaS 4.4	Not affected		Not Applicable

# CVE-2026-39808


Version				Affected			Solution
FortiSandbox 5.0	Not affected		Not Applicable
FortiSandbox 4.4	4.4.0 through 4.4.8	Upgrade to 4.4.9 or above

# CVE-2026-39813


Version				Affected			Solution
FortiSandbox 5.2	Not affected		Not Applicable
FortiSandbox 5.0	5.0.0 through 5.0.5	Upgrade to 5.0.6 or above
FortiSandbox 4.4	4.4.0 through 4.4.8	Upgrade to 4.4.9 or above

6. ICARUS Extortion Group Mimics ShinyHunters Tactics and Compromises Salesforce Data from Klue

SUMMARY

The Icarus extortion group exploited OAuth at the market intelligence platform Klue to steal Salesforce CRM data from multiple organizations as part of an ongoing extortion campaign. In response, Salesforce and Klue have disabled affected integrations while security researchers warn victims to revoke tokens and review logs for malicious activity.

Category

Confirmed Breach

Industry

Business Services

Sources

https://www.bleepingcomputer.com/news/security/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks/

https://reliaquest.com/blog/threat-spotlight-integration-abused-in-crm-data-theft

https://www.huntress.com/blog/klue-breach-investigation

Internal OSec Research

ANALYST COMMENTS

The Icarus extortion group exploited OAuth controls to gain access to Klue to steal Salesforce CRM data from multiple organizations as part of an ongoing extortion campaign. In response, Salesforce and Klue have disabled affected integrations while security researchers warn victims to revoke tokens and review logs for malicious activity. The attackers utilized automated scripts to exfiltrate sensitive business data, including sales communications and competitive intelligence, over an extended period before the incident was identified.

Ultimately, the threat actor was able to infiltrate the environment through re-use of an old credential. Once access to the Klue environment was achieved, the threat actor stole the tokens of several customers and used them to exfiltrate customer data. The impacted data appears to primarily consist of non-sensitive CRM data. Review of the threat actor’s dark web site indicates that the data has not yet been made available, and the threat actor claims the data set is less than 1 GB in size. Klue also integrates with a number services that have been disabled until the investigation concludes:

  • Salesforce
  • HubSpot
  • SharePoint
  • Zoom
  • Gong
  • Chorus
  • Clari
  • Google Drive
  • Slack App

The threat actor appears to be very recent, with only three victims, including Klue. Two of these victims have been listed on the group's dark web site. They use notable tactics similar to COM-attributed threat actors such as ShinyHunters, however they are likely a separate group.

ACTIONABLE GUIDANCE

Organizations using Klue integrations, such as Saleforce, Zoom, and other connected services, should revoke and rotate associated credentials. 

Threat hunting teams should look for indicators tied to known user-agent strings or suspicious locations being used with accessing REST API endpoints, especially of those related to Salesforce. Blocking and detecting currently known IOCs can also help reduce the risk of compromise in the short-term.

Get the Complete Report

The full Intelligence Desk brief includes exhaustive IOC lists, YARA detection rules, detailed remediation playbooks, and OSec's original threat research. Delivered weekly to our partners and clients. REQUEST ACCESS

Share This Threat Brief: