CISO Talk by James Azar
CyberHub Podcast
Accenture Acquires Majority Stake in Dragos Plus runZero and NetRise for $4.2 Billion, Texas Government Breach Exposes 3 Million Driver's Licenses and Passports, Splunk Enterprise Pre-Auth RCE Exploit

Why basic security hygiene, not advanced tooling, continues to determine whether organizations withstand modern cyberattacks.

☕ Good Morning Security Gang,

Today’s episode highlighted a harsh reality: attackers don’t need sophisticated zero-days when organizations continue struggling with the basics. Unpatched Splunk servers, stale Fortinet credentials, overprivileged SaaS integrations, and vulnerable web infrastructure are creating opportunities that threat actors continue exploiting at scale.

We also saw continued evidence that supply chain risk isn’t limited to software development environments. Business platforms, CRM systems, and third-party integrations have become high-value targets because they provide access to customer relationships, pricing strategies, and organizational intelligence.

If there was one theme that connected every story today, it was this: security hygiene remains the highest return-on-investment activity in cybersecurity.

Double espresso in hand. Coffee cup cheers, gang. Let’s get into it.

“Security is ninety percent hygiene and ten percent fancy rules.” James Azar

🧭 Executive Summary

Today’s cybersecurity landscape highlighted three persistent challenges.

First, attackers continue weaponizing vulnerabilities within security products themselves. Splunk, Fortinet, and endpoint security platforms remain prime targets because compromising defensive infrastructure creates asymmetric advantages.

Second, third-party integrations continue expanding enterprise attack surfaces in ways many organizations fail to monitor effectively. OAuth permissions, API connections, and SaaS ecosystems increasingly represent soft entry points into sensitive environments.

Finally, organizations continue underestimating the value of basic operational security controls such as credential rotation, access reviews, and configuration management.

The technology is changing rapidly.

The fundamentals are not.

📰 Top Stories & Deep Dive Analysis

🚨 Splunk Vulnerability Added to CISA KEV Days After Disclosure

Splunk Enterprise administrators face an urgent remediation requirement after CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalog just days after public disclosure. The flaw affects Splunk’s PostgreSQL sidecar service and enables unauthenticated attackers to perform arbitrary file operations that can be chained into full remote code execution.

Researchers published proof-of-concept exploit code within forty-eight hours of disclosure, and Splunk confirmed active exploitation shortly afterward.

The vulnerability is particularly concerning because Splunk often serves as the backbone of enterprise detection and response programs. A successful compromise could allow attackers to manipulate logs, disable detections, erase forensic evidence, and pivot into additional environments.

This marks the first time a Splunk vulnerability has been added to CISA’s KEV catalog.

Organizations should immediately upgrade to supported versions, review all Splunk activity since June 10, and treat any unpatched internet-accessible instances as potentially compromised.

🔥 More Than 86,000 Fortinet Credentials Exposed

CISA warned organizations that over 86,000 Fortinet devices now appear in attacker credential databases, creating a significant risk for organizations relying on VPN and perimeter security infrastructure. Importantly, this campaign does not rely on a new vulnerability.

Instead, attackers are leveraging default accounts, stale credentials, and passwords recovered from previous breaches. Researchers found that generic administrative accounts represented approximately 35% of exposed credentials, while another 28% involved built-in Fortinet accounts.

Many organizations upgraded to newer FortiOS versions supporting stronger password hashing algorithms but never required administrators to log in again, leaving older password hashes intact.

This is not a technology failure. It’s a fundamentals failure.

Organizations should terminate active sessions, rotate all administrative and VPN credentials, verify migration to stronger password hashing mechanisms, and enforce phishing-resistant MFA across all internet-facing management interfaces.

🔗 Klue Supply Chain Breach Impacts Huntress and Recorded Future

Security vendors Huntress and Recorded Future confirmed they were impacted by a breach involving Klue, a market intelligence platform integrated into numerous sales and customer relationship workflows.

Attackers compromised Klue’s backend systems and distributed malicious code updates that harvested OAuth tokens connected to customer environments.

Affected integrations included:

  • Salesforce

  • HubSpot

  • SharePoint

  • Zoom

  • Gong

  • Clari

  • Slack

  • Google Drive

The attackers leveraged harvested tokens to query Salesforce environments and exfiltrate customer relationship data. While neither Huntress nor Recorded Future reported exposure of threat intelligence or engineering systems, the stolen data included customer contacts, pricing information, sales messaging, and contract details.

This incident reinforces an increasingly important lesson. Third-party SaaS integrations frequently hold broad permissions but receive limited security oversight. Organizations should audit OAuth scopes, review API access logs, and reassess the business necessity of every connected application.
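One way to act on that advice (audit OAuth scopes, review API access logs), as an added example that is not code from the podcast or from any vendor mentioned: a small Python audit over a constructed connected-app inventory and a constructed CRM API event log. The app names, scope names, log format and thresholds are assumptions.

```python
"""Flag over-scoped OAuth integrations and abnormal query volume from a
connected app, the pattern behind token abuse against a CRM.
Added example; inventory, scopes and log lines are constructed."""
from collections import defaultdict
from datetime import datetime

# Scopes that grant far more than a sales-intelligence integration needs (assumed names).
BROAD_SCOPES = {"full", "refresh_token", "manage_users"}

# Constructed inventory of connected apps: name -> granted OAuth scopes.
CONNECTED_APPS = {
    "MarketIntelApp": {"api", "refresh_token", "full"},
    "CalendarSync": {"api"},
}

# Constructed API event log: (timestamp, app, operation, rows_returned).
API_EVENTS = [
    ("2026-06-11T09:00:00", "MarketIntelApp", "Query", 200),
    ("2026-06-11T09:05:00", "MarketIntelApp", "Query", 180),
    ("2026-06-11T09:10:00", "MarketIntelApp", "Query", 210),
    ("2026-06-12T02:13:00", "MarketIntelApp", "Query", 25000),
    ("2026-06-12T02:14:00", "MarketIntelApp", "Query", 24000),
    ("2026-06-11T10:00:00", "CalendarSync", "Query", 5),
]


def overscoped_apps(apps):
    """Return {app: [broad scopes]} for every app holding a BROAD_SCOPES entry."""
    hits = {name: sorted(s & BROAD_SCOPES) for name, s in apps.items()}
    return {name: scopes for name, scopes in hits.items() if scopes}


def hourly_query_spikes(events, factor=10):
    """Flag apps whose rows returned in one hour exceed `factor` times the
    average of that app's other hourly buckets (needs >= 2 buckets)."""
    hourly = defaultdict(lambda: defaultdict(int))
    for ts, app, op, rows in events:
        if op == "Query":
            bucket = datetime.fromisoformat(ts).replace(minute=0, second=0)
            hourly[app][bucket] += rows
    flagged = {}
    for app, buckets in hourly.items():
        for bucket, rows in buckets.items():
            others = [r for b, r in buckets.items() if b != bucket]
            if others and rows > factor * (sum(others) / len(others)):
                flagged[app] = (bucket.isoformat(), rows, sum(others) / len(others))
    return flagged


if __name__ == "__main__":
    print("over-scoped:", overscoped_apps(CONNECTED_APPS))
    print("query spikes:", hourly_query_spikes(API_EVENTS))
```

On the constructed data the night-time bulk query from MarketIntelApp is the only spike, and the same app is the only one holding a broad scope, which is exactly the combination worth a review.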

🌐 Critical NGINX Vulnerabilities Could Enable Remote Code Execution

F5 released patches for two critical vulnerabilities affecting NGINX Open Source and NGINX Plus deployments. Both flaws carry CVSS scores of 9.2 and impact core web infrastructure used across enterprise environments.

The first vulnerability affects HTTP/3 processing and can trigger memory corruption through crafted sessions. The second involves a heap-based buffer overflow affecting proxy and gRPC modules when specific configurations are enabled.

Both vulnerabilities are remotely exploitable without authentication and may allow remote code execution under certain conditions. NGINX underpins a significant percentage of internet-facing applications, APIs, and cloud-native services.

Recent history suggests attackers move quickly when critical NGINX vulnerabilities become public. Organizations should prioritize patching immediately and disable HTTP/3 functionality where updates cannot be deployed quickly.

⚡ Need to Know

🛡️ GentleKiller Malware Targets EDR Platforms

Researchers identified a new EDR-killing framework used by the Gentlemen ransomware operation. The malware disables more than 400 security processes across 48 vendors by exploiting vulnerable signed drivers in classic bring-your-own-vulnerable-driver attacks. Enable Microsoft’s vulnerable driver block list and implement strict driver allow-listing controls.

📦 North Korea Targets npm Supply Chain

Microsoft attributed a supply chain attack involving more than 60 npm packages to North Korean threat actors associated with Sapphire Sleet. The campaign targeted developer credentials and cryptocurrency wallets through typosquatted dependencies. Organizations should review development environments and dependency trees immediately.

🖥️ Joomla and LiteSpeed Vulnerabilities Under Active Exploitation

Attackers are actively exploiting critical vulnerabilities affecting Joomla’s JCE Editor and LiteSpeed cPanel plugins. Both flaws enable remote code execution and privilege escalation against exposed hosting environments. Immediate patching is recommended.

🏞️ Texas Parks and Wildlife Breach Exposes 3 Million Records

A third-party vendor supporting Texas Parks and Wildlife disclosed a breach exposing driver’s license numbers, passport information, email addresses, phone numbers, and physical addresses belonging to more than three million individuals. The affected vendor has not yet been publicly identified.

🏭 Accenture Expands Into OT Security

Accenture announced a $4.1 billion transaction involving a majority stake in Dragos alongside acquisitions of runZero and NetRise. The deal signals growing demand for integrated operational technology security capabilities as industrial environments face increasing cyber threats.

🇬🇧 UK Critical Infrastructure Faces Rising State Threats

The UK’s National Cyber Security Centre reported handling more than 200 critical infrastructure incidents over the past year, with approximately 75 percent linked to nation-state actors associated with Russia, China, and Iran. Officials warned AI will accelerate exploitation of known vulnerabilities by 2028.

🪖 Defense Spending Increases Cybersecurity Requirements

Proposed U.S. defense authorization legislation includes expanded CMMC requirements and additional AI security obligations for defense contractors, highlighting continued emphasis on supply chain security within the defense industrial base.

🎯 Key Takeaway

Today’s episode wasn’t about sophisticated attacks.

It was about neglected fundamentals.

Default credentials.
Overprivileged OAuth scopes.
Unpatched infrastructure.
Weak password hygiene.
Excessive third-party trust.

None of these problems require artificial intelligence to exploit.

They simply require defenders to ignore the basics long enough for attackers to notice.

"The basics are still the battlefield. Default Fortinet credentials. Unauthenticated Postgres endpoints. OAuth tokens nobody scoped down. None of this is exotic. All of it is preventable. And that's the real warning. Patch what you can. Rotate what you should. Audit those third-party integrations. Security is ninety percent hygiene, ten percent fancy rules." James Azar


🧠 James Azar’s CISO’s Take

What stood out to me today is how consistently attackers continue winning through preventable failures. 86,000 Fortinet devices weren’t compromised because attackers discovered a revolutionary new technique. They succeeded because organizations failed to rotate credentials, remove default accounts, and validate upgrades. The Splunk issue reinforces the same lesson. Security tools themselves have become high-value targets, and defenders need to apply the same rigor to monitoring those platforms that they apply to every other critical asset.

The second takeaway is that third-party integrations have quietly become one of the largest unmanaged attack surfaces in enterprise environments. The Klue incident demonstrates how quickly OAuth tokens can become pathways into CRM systems, contract data, and customer intelligence. Organizations need to stop treating SaaS integrations as simple business enablement tools and start governing them like privileged infrastructure. Visibility into API permissions, token scopes, and application access is no longer optional.

🛠️ Action Items

  • Patch Splunk Enterprise instances immediately

  • Review Splunk activity logs dating back to June 10

  • Rotate all Fortinet administrative and VPN credentials

  • Remove default and generic administrator accounts

  • Enforce phishing-resistant MFA on perimeter devices

  • Audit all Salesforce and SaaS OAuth integrations

  • Review API access logs for unusual activity

  • Patch NGINX Open Source and NGINX Plus deployments

  • Enable Microsoft’s vulnerable driver block list

  • Audit npm dependencies for typosquatted packages

  • Patch Joomla JCE Editor and LiteSpeed environments

  • Review third-party vendor security requirements and data access permissions
