🚨 What Mattered This Week
Klue compromise turned a dormant integration into a Salesforce data-access path
Huntress reported that attackers compromised backend systems used by market-intelligence provider Klue and pushed code capable of collecting OAuth tokens that customers used to connect Klue with other platforms. The incident affected multiple security vendors and shows how compromise of a vendor’s build or deployment path can silently weaponize customer integrations—not merely expose the vendor’s own SaaS environment. Dormant prototypes and SaaS-to-SaaS connections can retain durable access to production data long after their original purpose has faded.
Sources: Huntress
💡 Key Takeaway: Inventory every connected app with Salesforce access, revoke Klue-related tokens, review API and OAuth activity beginning June 11, and remove dormant integrations instead of merely disabling their user interface.
Splunk Enterprise flaw exposed a pre-authentication path to file creation and code execution
Splunk disclosed CVE-2026-20253 under advisory SVD-2026-0603, a critical vulnerability in a PostgreSQL sidecar service endpoint that lacks authentication. Affected releases are Splunk Enterprise 10.2.0–10.2.3 and 10.0.0–10.0.6; Splunk lists 10.4, 9.4, and 9.3 as not affected. The flaw can allow a network-reachable attacker to create or truncate arbitrary files, and follow-on research demonstrated a path to unauthenticated remote code execution.
Sources: Splunk advisory · watchTowr Labs
💡 Key Takeaway: Upgrade 10.2 deployments to 10.2.4 or later and 10.0 deployments to 10.0.7 or later. Restrict sidecar access and review filesystem, service, and process telemetry for unexpected file writes or execution under Splunk-associated accounts.
UNC6508 stayed inside North American research institutions for more than a year
Google Threat Intelligence Group attributed a long-running campaign against North American academic, medical, and military research organizations to the PRC-nexus actor UNC6508. The group exploited internet-facing web applications, deployed bespoke malware, stole REDCap credentials, pivoted toward sensitive systems, and abused legitimate enterprise administration and content-compliance tools for covert exfiltration.
Sources: Google Threat Intelligence Group
💡 Key Takeaway: Treat REDCap and similar research platforms as high-value identity systems. Patch exposed applications, rotate application credentials, review administrative-tool use, and hunt for long-duration access rather than only recent indicators.
📈 Defender Trend
Trusted access paths are becoming the shortest route to broad compromise
Klue’s Salesforce OAuth tokens, Splunk Enterprise’s sidecar service, Cisco Catalyst SD-WAN Manager, FortiGate credentials, and FortiSandbox all sit close to high-value data or enforcement points. The common failure is not simply an unpatched product. It is durable trust combined with weak visibility into how an integration, appliance, or security platform is being used after access is obtained.
💡 Key Takeaway: Maintain a named control-plane register covering SaaS integrations, SIEM, network management, firewalls, security consoles, and externally exposed research platforms. Every entry should have an owner, authentication method, logging source, emergency revocation path, and last validation date.
🔎 Other Signals
Cisco Catalyst SD-WAN Manager flaw was exploited to write files and gain root
Cisco patched CVE-2026-20262, an authenticated arbitrary file-write vulnerability in Catalyst SD-WAN Manager that has been exploited in limited attacks. A crafted upload can create or overwrite files and ultimately lead to root-level access.
Sources: Cisco advisory · The Hacker News
💡 Key Takeaway: Upgrade affected managers, preserve logs before remediation, and hunt for index.jsp, WAR-file uploads, unexpected application deployments, and unapproved configuration changes pushed to edge devices.
FortiSandbox vulnerabilities moved from advisory to active attacker interest
Researchers reported targeting of recently patched FortiSandbox vulnerabilities, including critical command-injection and path-handling flaws. CVE-2026-25089 can allow unauthenticated command execution against affected FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS versions.
Sources: CSA Singapore · SecurityWeek
💡 Key Takeaway: Patch FortiSandbox to fixed releases, restrict administrative and service exposure, and review web, command, and appliance logs for crafted requests or unexpected system changes.
FortiBleed put tens of thousands of firewall and VPN credentials into circulation
Researchers validated a large dataset of potentially working credentials tied to internet-facing Fortinet firewalls and SSL VPN gateways. Fortinet said the material appears to combine prior incidents and brute forcing rather than a new product breach, but the operational result is the same: credentials associated with active perimeter devices may still be usable.
Sources: Field Effect · SecurityWeek
💡 Key Takeaway: Assume listed credentials are compromised. Use Field Effect’s post for its validation methodology and indicators, then rotate firewall, VPN, and related directory credentials; enable MFA; remove public management exposure; and review at least 90 days of authentication and configuration activity.
Gravity SMTP exploitation exposed email-provider secrets and OAuth tokens
Attackers have actively targeted CVE-2026-4020 in Gravity SMTP for WordPress. The unauthenticated information-disclosure flaw affects versions through 2.1.4 and can expose configuration details, API keys, secrets, and OAuth tokens used by connected email services.
💡 Key Takeaway: Update to 2.1.5 or later, rotate every mail-service credential stored in the plugin, inspect REST API access logs, and review provider-side sending activity for abuse.
Operation Endgame disrupted SocGholish infrastructure and cleaned compromised sites
International law enforcement and private-sector partners disrupted infrastructure associated with TA569 and SocGholish, the fake-update delivery operation linked to downstream ransomware access. The action included server and domain seizures and remediation of thousands of compromised websites, but disruption of delivery infrastructure does not remove residual webshells, injected scripts, staged payloads, or attacker footholds from every previously affected site and endpoint.
Sources: Proofpoint · Infoblox
💡 Key Takeaway: Do not treat the takedown as proof that previously compromised sites or endpoints are clean. Re-scan affected web properties, review persistence and file-integrity changes, and keep detections for fake browser updates, JavaScript payloads, suspicious archive execution, and SocGholish infrastructure active.
⚔️ This Week’s Defensive Check
Run a Trusted Integration and Control-Plane Access Review
Action: Open one time-boxed ticket to identify integrations and platforms that can read sensitive data, change infrastructure, distribute configuration, or administer security controls.
Who runs it: SaaS security or IAM owns connected-app review; infrastructure and network teams own appliances; the SOC owns log validation; application owners confirm business need.
Check these specifically:
- Salesforce connected apps, OAuth grants, dormant prototypes, and high-volume API activity
- REDCap and other externally exposed research platforms: patch status, application-credential rotation, and administrative-tool use
- Splunk Enterprise versions, sidecar exposure, unexpected file writes, and service-account execution
- Cisco SD-WAN Manager uploads, WAR/JSP artifacts, admin actions, and edge configuration changes
- FortiGate management exposure, VPN/admin credential rotation, MFA coverage, and historical logins
- FortiSandbox versions and externally reachable management or service interfaces
- WordPress SMTP plugins and every API key, OAuth token, or mail credential stored inside them
Evidence you’re done: A reviewed register showing system or integration, owner, business purpose, privilege scope, authentication type, last activity, logging source, remediation taken, and next validation date.
💡 Key Takeaway: The objective is not a perfect inventory. It is to eliminate forgotten trust and prove that the systems capable of changing or observing the environment are still behaving as intended.
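One way to operationalise the register review above, as an added example that is not part of the newsletter: a small Python check over a constructed register that flags incomplete rows, dormant grants, overdue validation, and publicly exposed or MFA-less administrative access. The field names, the sample rows and the 90-day dormancy and 180-day revalidation thresholds are assumptions.

```python
from datetime import date

# Fields the Defensive Check asks each register row to carry (names are assumptions).
REQUIRED = ("system", "owner", "purpose", "privilege_scope", "auth_type",
            "last_activity", "logging_source", "revocation_path", "last_validated")

def review_register(rows, today, dormant_days=90, revalidate_days=180):
    """Return {system: [findings]} for rows that need action; clean rows are omitted.
    Thresholds are assumptions: dormant_days flags grants to remove (not just hide),
    revalidate_days flags entries whose last validation is too old."""
    findings = {}
    for idx, row in enumerate(rows):
        issues = []
        missing = [f for f in REQUIRED if not row.get(f)]
        if missing:
            issues.append("missing fields: " + ", ".join(missing))
        if row.get("last_activity"):
            idle = (today - row["last_activity"]).days
            if idle > dormant_days:
                issues.append(f"dormant {idle}d: remove integration, not just its UI")
        validated = row.get("last_validated")
        if validated is None or (today - validated).days > revalidate_days:
            issues.append("validation overdue")
        if row.get("management_public"):
            issues.append("management interface publicly reachable")
        if row.get("auth_type") == "password" and not row.get("mfa"):
            issues.append("password auth without MFA")
        if issues:
            findings[row.get("system") or f"<unnamed row {idx}>"] = issues
    return findings

# Constructed sample register: a dormant SaaS-to-SaaS grant, an exposed firewall, a clean SIEM.
TODAY = date(2026, 6, 20)  # constructed review date
SAMPLE_REGISTER = [
    {"system": "salesforce:connected-app/vendor-prototype", "owner": "", "purpose": "2024 pilot",
     "privilege_scope": "api, refresh_token", "auth_type": "oauth", "last_activity": date(2025, 11, 3),
     "logging_source": "salesforce event monitoring", "revocation_path": "revoke OAuth grant", "last_validated": None},
    {"system": "fortigate:edge-fw-01", "owner": "netops", "purpose": "perimeter firewall",
     "privilege_scope": "super_admin", "auth_type": "password", "mfa": False, "management_public": True,
     "last_activity": date(2026, 6, 19), "logging_source": "syslog to SIEM", "revocation_path": "admin reset", "last_validated": date(2026, 1, 10)},
    {"system": "splunk:enterprise-search-head", "owner": "secops", "purpose": "SIEM",
     "privilege_scope": "admin", "auth_type": "sso", "mfa": True, "management_public": False,
     "last_activity": date(2026, 6, 20), "logging_source": "_audit index", "revocation_path": "disable app in IdP", "last_validated": date(2026, 6, 1)},
]

if __name__ == "__main__":
    for system, issues in review_register(SAMPLE_REGISTER, TODAY).items():
        print(system, *issues, sep="\n  - ")
```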
🧠 Final Word
This week’s incidents show why defenders cannot separate vulnerability management from identity and integration governance. A patched platform can remain compromised, a revoked user can leave an OAuth app behind, and a security appliance can become an attacker’s distribution point. The practical standard should be patch, revoke, validate, and hunt—especially anywhere one trusted system can reach many others.