CyberSip™ — Issue 67 — June 20, 2026

Today’s picture

CISA added Splunk Enterprise CVE-2026-20253, a CVSS 9.8 unauthenticated flaw allowing arbitrary file creation and remote code execution, to its Known Exploited Vulnerabilities catalog on June 18 with a remediation deadline of today, June 21. Splunk confirmed limited active exploitation in the wild. The flaw sits in a PostgreSQL sidecar service endpoint that lacks authentication entirely. The attack on competitive intelligence platform Klue has cascaded across multiple enterprise customers: attackers compromised a dormant credential, pushed a code update to harvest OAuth tokens, and used them to query Salesforce CRM environments, with cybersecurity vendor Huntress among the confirmed victims. Extortion group Icarus has since demanded ransom from affected organisations. Microsoft’s Defender Security Research Team this week disclosed AutoJack, a three vulnerability chain in AutoGen Studio that lets a single malicious web page direct an AI browsing agent to execute arbitrary operating system commands on the host. The flaw was patched before release and has not been exploited in the wild.

Threat snapshot

3 active items · 2 monitoring

Splunk CVSS 9.8 / exploited / CISA deadline today Klue / Salesforce OAuth theft / extortion underway AutoJack / AI agent RCE / patched before release 3 items this issue

CISA Deadline TodaySplunk EnterpriseCVSS 9.8Actively Exploited

Splunk Enterprise CVE-2026-20253 actively exploited. An unauthenticated network-reachable attacker can create or truncate arbitrary files and chain the access into remote code execution. Patch to 10.4.0, 10.2.4, or 10.0.7. Today is the CISA deadline.

The flaw is in a PostgreSQL sidecar service endpoint that accepts file operations from any network-reachable caller without requiring credentials. Splunk patched on June 10. WatchTowr published exploit details on June 12. Splunk confirmed limited active exploitation. Shadowserver tracks over 1,400 internet-exposed instances. Compromising a Splunk deployment gives an attacker visibility and control over the security data it collects.

June 17–19Klue / SalesforceOAuth Token Theft

Klue platform breach cascades into Salesforce CRM theft across multiple enterprises. Attackers used a dormant credential to harvest OAuth tokens and query Salesforce APIs for hours. Huntress is a confirmed victim. Icarus demanding ransom.

Salesforce has disabled the Klue Battlecards integration. Organisations using Klue should revoke and rotate all OAuth tokens and Salesforce connected app credentials. Audit Salesforce API logs for unusual query volumes from Klue service accounts during June 11 to 17.

June 18AutoJackPatched Before Release

Microsoft discloses AutoJack: a single malicious web page can direct an AutoGen Studio browsing agent to execute OS commands on the host. Patched in development. No exploitation in the wild.

The chain crosses the localhost trust boundary by sending the AI agent to the malicious page, which then reaches the local MCP WebSocket. The vulnerability never shipped in a PyPI release. Covered here as a reference case for the class of attack against AI agent frameworks.

Detailed intelligence

Full analysis

01 Splunk Enterprise CVSS 9.8 CISA Deadline Today

Splunk Enterprise CVE-2026-20253: unauthenticated file write actively exploited, chainable to remote code execution. CISA federal deadline is today. Patch to 10.4.0, 10.2.4, or 10.0.7 immediately.

CVE-2026-20253 · CVSS 9.8

The vulnerability exists in a PostgreSQL sidecar service endpoint in Splunk Enterprise that lacks authentication controls entirely. Any attacker who can reach the service over the network can invoke file creation or truncation operations without credentials. Under certain conditions, this is chainable into full remote code execution. CISA confirmed active exploitation on June 18 and set today as the federal remediation deadline.

Executive Impact

Splunk is deployed as the central log aggregation and security monitoring platform in many enterprise environments. Compromising it gives an attacker the ability to access, tamper with, or delete security telemetry data, effectively blinding the rest of the security operation to ongoing activity. It also provides a pivot point into other internal systems and access to any credentials stored within the Splunk environment. Upgrade to 10.4.0, 10.2.4, or 10.0.7 immediately. If patching cannot happen today, Splunk confirmed that disabling the PostgreSQL sidecar service mitigates the vulnerability, though this may affect certain functionality.

Don’t Miss

SecurityWeek noted that this is the first Splunk vulnerability to be added to CISA’s Known Exploited Vulnerabilities catalog. That is notable given how widely Splunk is deployed in security operations centers. The timeline from patch to active exploitation was short: Splunk released fixes on June 10, WatchTowr published a technical write-up with proof-of-concept exploit code on June 12, and limited exploitation was confirmed shortly after. A public exploit and a two day gap to confirmed attacks is the pattern this brief has tracked across PeopleSoft, Ivanti, and FortiSandbox. The WatchTowr PoC code and the Nuclei detection template make both exploitation and detection accessible, which cuts both ways.

CyberSip Take

An attacker with access to your Splunk deployment can manipulate the logs that your security team uses to detect them. That is the specific consequence that makes this more serious than a typical unauthenticated server flaw. Patch today. If you cannot patch today, disable the PostgreSQL sidecar service and review logs for path traversal sequences or unexpected outbound PostgreSQL connections from Splunk hosts, which are the indicators Resecurity flagged.

What happened

CVE-2026-20253 is a missing authentication vulnerability in the PostgreSQL sidecar service endpoint in Splunk Enterprise versions 10.2.0 through 10.2.3 and 10.0.0 through 10.0.6. The endpoint accepts file creation and truncation operations from any network-reachable caller without checking credentials. An unauthenticated attacker who can reach the service can write files to the Splunk host, and under certain conditions can use that file write access to escalate to remote code execution on the Splunk application environment.

Splunk released patches on June 10, 2026, fixing the flaw in versions 10.4.0, 10.2.4, and 10.0.7. On June 12, WatchTowr published a detailed technical write-up and a modified proof-of-concept exploit. Splunk updated its advisory on June 18 to confirm limited active exploitation, stating that its PSIRT team had become aware of exploitation in June. CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalog the same day and set a June 21 remediation deadline for federal civilian agencies under BOD 26-04.

Shadowserver Foundation tracks more than 1,400 internet-exposed Splunk Enterprise instances, the majority in North America and Europe. Resecurity confirmed active exploitation and identified specific IOCs including path traversal sequences in requests, PostgreSQL-specific connection parameters in payloads, and unexpected outbound connections from Splunk services to external PostgreSQL servers.

Recommended actions

Upgrade Splunk Enterprise to 10.4.0, 10.2.4, or 10.0.7 immediately. Today is the CISA federal deadline under BOD 26-04.
If patching cannot happen today, disable the PostgreSQL sidecar service as a temporary mitigation. Splunk confirmed this removes the vulnerable attack surface, though it may affect certain functionality.
Review Splunk access logs for requests containing path traversal sequences, PostgreSQL connection parameters such as hostaddr, dbname, or port, and unexpected outbound connections from Splunk services to external servers.
Restrict network access to Splunk management interfaces to trusted internal networks and management infrastructure rather than allowing internet-wide access.

Derived from BleepingComputer, Help Net Security, SecurityWeek, and Splunk PSIRT advisory on CVE-2026-20253, June 18–20, 2026.

02 Klue / Salesforce OAuth Token Theft

Klue platform breach cascades to Salesforce CRM theft across multiple enterprises. A dormant credential gave attackers access to harvest OAuth tokens. Huntress is a confirmed victim. Extortion underway.

Klue · Salesforce · June 11–17

Attackers gained access to Klue’s backend infrastructure on June 11 using a long-dormant API credential created for an abandoned integration prototype. They pushed a code update that collected OAuth tokens from connected customer Salesforce environments, then ran automated REST API queries against those environments for hours, exfiltrating CRM data including account records, contact details, deal outcomes, and pricing.

Executive Impact

Organisations using the Klue Battlecards integration with Salesforce should treat their Salesforce OAuth tokens and connected app credentials for Klue as compromised, regardless of whether they have been directly notified. Revoke and rotate the integration’s credentials immediately. Audit Salesforce API logs for high-volume query activity from Klue service accounts between June 11 and 17. Salesforce has disabled the Klue connection platform-wide as a containment measure.

Don’t Miss

Huntress, a cybersecurity vendor, published a detailed timeline of the incident on June 18 after receiving extortion emails from Icarus on June 16, stating that stolen data would be leaked unless negotiations began within 48 hours. Huntress attributed the initial access to a long-dormant API credential created for a prototype that was never deployed, the same root cause pattern this brief has documented in the Mastra npm attack, the Nx Console compromise, and the Miasma worm. The Klue attack closely resembles previous OAuth-abuse campaigns against Salesforce ecosystems, including the Salesloft Drift compromise attributed to UNC6395 in 2025. ReliaQuest observed the attack pattern before formal confirmation, identifying unusual Python-urllib user-agent strings in Salesforce API logs and near-continuous query loops running for approximately 24 hours.

CyberSip Take

Three separate supply chain incidents in this brief this week share the same root cause: a credential that outlived its useful purpose but retained its access. The ehindero npm account from Issue 66, the Klue prototype API credential here, and the pattern identified in prior incidents with Nx Console and Mastra. Reviewing and revoking stale credentials across SaaS integrations is not a one-time task. It is a recurring control that prevents a dormant credential from becoming the entry point into an active production environment.

What happened

On June 11, 2026, attackers gained access to Klue’s backend infrastructure using a long-dormant API credential that had been created to test a third-party integration prototype which was never ultimately deployed. The credential had remained active with valid access rights despite the integration project having been abandoned. Using this access, the attackers pushed a code update to Klue’s systems that was capable of collecting OAuth tokens that Klue’s customers use to connect their Salesforce environments to the Klue Battlecards application.

Klue detected anomalous activity on June 12 and took steps to remove the malicious code and revoke compromised credentials. The company issued a general customer alert on June 13, though Huntress noted the alert did not specify which customers were affected. Salesforce became aware of unusual activity and announced on June 17 that it had disabled the Klue Battlecards integration across all customer environments as a containment measure.

Huntress, a managed detection and response vendor, published its own incident timeline on June 18 confirming it was among the victims. Huntress staff received extortion emails on June 16, signed by a group calling itself Icarus, threatening to leak stolen data unless negotiations began within 48 hours. ReliaQuest researchers observed the attack pattern in Salesforce API logs, identifying automated Python scripts running bulk query loops for approximately 24 hours and describing the tactics as closely resembling the UNC6395 Salesloft Drift attacks from 2025.

Recommended actions

Revoke and rotate all OAuth tokens, refresh tokens, client secrets, and active OAuth grants associated with the Klue Battlecards integration in your Salesforce environment.
Audit Salesforce API logs for the period June 11 to 17 for unusual query volume from Klue service accounts, Python-urllib user agent strings, and bulk query patterns using the QueryMore cursor.
Review and scope all other third-party Salesforce integrations to confirm each holds only the minimum permissions necessary for its function.
Conduct a broader audit of API credentials and OAuth grants across SaaS integrations for inactive or prototype credentials that retain active access.

Derived from The Hacker News, Help Net Security, ReliaQuest, and Huntress incident blog on Klue and Salesforce breach, June 17–19, 2026.

03 AutoJack Patched Before Release

AutoJack: Microsoft discloses how a single malicious web page can direct an AI browsing agent to execute OS commands on the host. Patched in the development branch. Never shipped in a release. No exploitation in the wild.

AutoJack · AutoGen Studio · June 18

Microsoft’s Defender Security Research Team disclosed AutoJack on June 18, a three-vulnerability chain in AutoGen Studio’s MCP WebSocket surface that allows untrusted web content rendered by an AI browsing agent to reach the localhost service and execute attacker-supplied OS commands. The maintainers patched the chain before it shipped in any PyPI release. Covered here as a reference case for a growing class of attack against AI agent frameworks.

Executive Impact

AutoJack does not require patching by end users since the vulnerable code never shipped in a release. The operational lesson is structural: AI agents that browse untrusted web content and have access to local services inherit those services’ capabilities. A browsing agent running as the developer’s own account, with access to local tools, is an execution path that untrusted web content can potentially reach. Any AI agent framework that lets an agent browse arbitrary web pages and also exposes local services should have strong authentication on those local services and restrict what the agent can execute autonomously.

Don’t Miss

Microsoft explicitly noted that it expects the same attack shape to exist in other agent frameworks: a local service with excessive privileges, a localhost check treated as a security boundary rather than a network control, and an agent that opens untrusted pages without content-level isolation. The AutoJack chain used three individually minor weaknesses: the MCP WebSocket accepted connections from localhost without distinguishing between human browser tabs and agent-controlled headless browsers; the authentication middleware explicitly skipped all MCP API paths; and the endpoint accepted a base64-encoded OS command as a query parameter. None of the three weaknesses is severe on its own. Their combination, in the context of an agent that autonomously browses pages, creates a path from a remote web page to arbitrary host code execution. The Agentjacking attack covered in Issue 63 followed the same structural pattern through a different delivery mechanism. This is a class of vulnerability, not a one-off implementation error.

CyberSip Take

The patch happened before release, which is the right outcome. What matters for this brief is the structural lesson. An AI agent that browses the web on behalf of a developer, running as that developer’s own account, with access to local services over localhost, is not operating in a security boundary. It is operating in an environment where any web page it visits is a potential instruction source. Agentjacking in Issue 63 used a poisoned Sentry error event. AutoJack uses a malicious web page. The delivery mechanism differs. The attack class is the same.

How the chain works

AutoGen Studio is Microsoft Research’s open-source user interface for prototyping multi-agent AI systems. Its MCP WebSocket server, running on localhost port 8081, allows the AI agent to invoke tools and execute processes on the host. Microsoft’s Defender Security Research Team identified three weaknesses that chain together.

First, the WebSocket server restricted incoming connections to localhost addresses, blocking connections from ordinary browser tabs. It did not, however, distinguish between a human browser and a headless browser controlled by an AutoGen browsing agent, which inherits localhost identity. Second, AutoGen Studio’s authentication middleware explicitly skipped all paths under the MCP API route, assuming the WebSocket handler would enforce its own checks, which it never did. Third, the WebSocket endpoint accepted a server-params query parameter, decoded it from base64 into a JSON structure, and parsed it into a parameters object that could specify an OS command to execute.

The resulting attack is straightforward: an attacker publishes a web page containing JavaScript that opens a WebSocket connection to the local MCP server and sends a base64-encoded payload specifying an arbitrary OS command. When an AutoGen Studio browsing agent is directed to that page, the agent renders the JavaScript, which executes in a localhost context, successfully connects to the MCP server, and spawns the attacker-specified process on the host under the developer’s own account. Microsoft reported the chain to MSRC, and the AutoGen maintainers hardened the upstream main branch in commit b047730 before the code shipped in any release. Users installing AutoGen Studio via pip install are not affected.

Recommended actions

No end-user patching required. The vulnerable code never shipped in a PyPI release. Users installing via pip are not exposed.
For organisations building custom AI agent frameworks or deploying development-branch AutoGen Studio: confirm local MCP or tool execution services require authentication and do not trust localhost origin alone as a security control.
Review any AI agent deployment where the agent can browse arbitrary web pages and also has access to local services or tools that can execute code. Audit what those local services accept and whether they validate the identity and authorisation of the caller.

Derived from Microsoft Security Blog, TechRadar, and The Hacker News on AutoJack disclosure, June 18–20, 2026.

Still watching

Aging items · days 2–6

Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.

RoguePlanet CVE-2026-50656 (Issue 66). Microsoft confirmed working on a patch. No release date. CVSS 7.8 Defender race condition grants SYSTEM on fully patched Windows 10 and 11. Application allowlisting prevents execution. Day 4

LiteLLM CVE-2026-42271 (Issue 64). CISA KEV deadline was June 22. Patch available in v1.83.14-stable since May 2. Upgrade and rotate all API keys if not already done. Day 6

Cross-source standouts

Compromising Splunk means compromising visibility itself

CVE-2026-20253 is not just a server vulnerability. It is a vulnerability in the platform that security teams use to detect attacks. An attacker who achieves code execution on a Splunk deployment can access the logs used to investigate them, tamper with audit trails, suppress alerts, and use the Splunk server as a pivot point into other systems. The practical consequence is that organisations running unpatched Splunk instances are not just exposing a server. They are exposing their ability to see what is happening across their environment. Patching Splunk is not a routine software update. It is a prerequisite for maintaining operational visibility.

The Klue and Mastra attacks this week share the same root cause as three previous incidents in this brief

Klue: a prototype API credential, never deprovisioned, used to access production infrastructure. Mastra in Issue 66: a former contributor account, never deprovisioned, used to publish malicious packages. Nx Console earlier this year: a compromised developer account with scope access that should have been revoked. Miasma from Issue 55: credentials from a May breach that were never rotated, allowing re-exploitation weeks later. Across all four incidents, the entry point was not a sophisticated new vulnerability. It was an access relationship that outlived its purpose and was never formally ended. Deprovisioning inactive credentials and OAuth grants is the control that would have prevented all four. It is also among the least glamorous and least consistently practiced controls in software operations.