SECURITYINTEL DAILY BRIEF ■ ThreatIntel Brief
Friday, June 19, 2026 | INTEL CONFIDENCE 100% | THREAT LEVEL CRITICAL

THREAT OF THE DAY: Splunk RCE Actively Exploited; AI Agents Vulnerable | CRITICAL

5 C2 IPs | 51 OTX IOCs | 16 ARTICLES

■ ANALYST TLDR
Today's brief highlights several critical vulnerabilities, with Splunk Enterprise RCE (CVE-2026-20253) being actively exploited and requiring immediate patching. Additionally, new research details "AutoJack" exploits targeting AI browsing agents for RCE, and an unpatched Microsoft Defender flaw grants full PC control. Threat actors like UNC6508 continue to target outdated REDCap servers, emphasizing the need for diligent patching and robust security hygiene.

■ CRITICAL STORIES
Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure
Why it matters: This unauthenticated remote code execution (RCE) vulnerability (CVE-2026-20253) is actively exploited, and CISA has mandated a three-day patching window for federal agencies, indicating extreme urgency.

AutoJack: How a single page can RCE the host running your AI agent
Why it matters: This novel exploit chain demonstrates how malicious webpages can turn AI browsing agents into RCE vectors on host machines, posing a significant risk to systems utilizing such agents.

Microsoft working on a fix for RoguePlanet, a flaw that grants full PC control
Why it matters: An unpatched Microsoft Defender vulnerability can give attackers the highest level of access on Windows systems, making it a critical threat until a fix is released.

Majority of Internet-Accessible REDCap Servers Outdated
Why it matters: Outdated REDCap servers are regularly targeted by China-linked UNC6508 for initial access and backdoor deployment, exposing sensitive data and critical infrastructure to state-sponsored threats.

■ CVEs IDENTIFIED
CVE-2026-20253 | Splunk Enterprise — Unauthenticated Remote Code Execution
[CVE-TBD] | AI Browsing Agents — Remote Code Execution via malicious webpage
[CVE-TBD] | REDCap Servers — Initial Access & Backdoor Deployment
[CVE-TBD] | Microsoft Defender — Privilege Escalation & Full PC Control

■ THREAT ACTORS
UNC6508 | State-sponsored (China-linked)
Targeting outdated REDCap servers for initial access and backdoor deployment.

ShinyHunters | Cybercrime Group
Claimed data breach of Kodak, threatening to leak 2.2 million records.

Rokarolla operators | Cybercrime Group
Deploying Rokarolla Banking Trojan on Android devices to harvest sensitive information.

■ ATT&CK TTPs
| ID        | Technique                             | Observed in today's stories |
| T1190     | Exploit Public-Facing Application     | Exploitation of Splunk Enterprise (CVE-2026-20253), AI browsing agents, and outdated REDCap servers. |
| T1059     | Command and Scripting Interpreter     | RCE in Splunk Enterprise, AI browsing agents, OS command injection in Splunk AI Toolkit, and command execution in Cisco ISE. |
| T1068     | Exploitation for Privilege Escalation | Microsoft Defender flaw and Cisco ISE vulnerability leading to root access. |
| T1204.001 | Malicious Link                        | Malicious webpages used in AutoJack exploit chain targeting AI browsing agents. |
| T1204.002 | Malicious File                        | Fake GitHub projects distributing malware to retro gaming fans. |
| T1133     | External Remote Services              | Initial access via internet-accessible REDCap servers by UNC6508. |

■ PATCH PRIORITY
Splunk Enterprise — actively exploited RCE (CVE-2026-20253) — [SW]
AI Browsing Agents — RCE on host machine — [MSFT]
Microsoft Defender — unpatched flaw grants full PC control — [MWB]
Splunk AI Toolkit — OS command injection — [SW]

■ RECOMMENDED ACTIONS TODAY
1. [P1] Immediately patch Splunk Enterprise to address CVE-2026-20253, which is under active exploitation for unauthenticated RCE.
2. [P1] Monitor for and apply the upcoming fix for the Microsoft Defender "RoguePlanet" vulnerability, which grants full PC control.
3. [P1] Patch Cisco ISE immediately to remediate the critical command execution and privilege escalation vulnerability.
4. [P2] Update all internet-accessible REDCap servers to prevent initial access and backdoor deployment by threat actors like UNC6508.
5. [P2] Review and secure AI browsing agent configurations, especially regarding localhost trust, authentication, and parameter handling, to mitigate "AutoJack" RCE exploits.

C2 IP BLOCKLIST · AbuseCH Feodo · 5 of 5 entries

FULL IOC EXPORT — GOOGLE SHEET
All live IOCs with full SHA256 hashes (OTX), IPs, and domains. 2 tabs: C2 IPs · OTX IOCs. Updated daily; export as CSV to import directly into your tools.

IOC SOURCES: AbuseCH Feodo · AlienVault OTX
NEWS: THN · KRB · SANS · REC · BC · SW · AWS · GCP · MSFT · U42 · SCH · MWB