Your SIEM becoming the initial access vector is the kind of irony nobody in a SOC wants to experience firsthand. CVE-2026-20253 — an unauthenticated RCE in Splunk Enterprise — went from disclosure to active exploitation in days, and CISA responded with a three-day patch window ending Sunday. That is today’s lead story. Alongside it: a $4.1 billion OT security consolidation play, a Cisco acquisition that reshapes the identity detection landscape, and 86,000 Fortinet devices worth of stolen VPN credentials now circulating freely.
In the News
Splunk Enterprise RCE Exploited in the Wild — CISA Sets Sunday Deadline
CVE-2026-20253 is an unauthenticated remote code execution vulnerability in Splunk Enterprise carrying a CVSS score of 9.8. The flaw requires no authentication — an attacker with network access to the Splunk management port can execute arbitrary code on the underlying server. Exploitation was observed in the wild within days of public disclosure, a timeline that has become disturbingly routine for high-value infrastructure targets.
CISA added CVE-2026-20253 to the Known Exploited Vulnerabilities catalog and issued a Binding Operational Directive requiring federal agencies to patch by Sunday, June 22. The three-day window — rather than the standard 21-day remediation timeline — signals that exploitation is not theoretical. The attack surface is significant: on-premises Splunk Enterprise deployments are common across federal agencies, financial institutions, healthcare systems, and large enterprises.
The operational irony here is sharp. Splunk Enterprise is the detection platform for many organizations — the system they rely on to identify initial access, lateral movement, and data exfiltration. When the SIEM itself is compromised, the attacker gains access to the very telemetry that would reveal their presence. This is not just an RCE — it is a detection blindness vector. Organizations should verify patch status immediately, audit Splunk management port exposure (restrict to management VLANs only), and review Splunk server logs for anomalous authentication attempts or unexpected process execution prior to patching.
What defenders should do: Patch Splunk Enterprise immediately. If patching requires a maintenance window, restrict management port access to trusted management networks only as an interim compensating control. Audit Splunk server process execution logs for signs of pre-patch exploitation. MITRE ATT&CK: T1190 — Exploit Public-Facing Application.
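The brief tells defenders to audit Splunk server process-execution logs for pre-patch exploitation but does not say what to look for. The following Python script is an added example (not code from the brief, from Splunk or from CISA) that applies a generic web-RCE heuristic to Sysmon process-creation records: the service daemon (`splunkd`) directly spawning a shell, interpreter or download tool. The daemon image names, the suspicious-child list, the `$SPLUNK_HOME/etc/apps/*/bin` scripted-input allowlist and every sample record are assumptions constructed for the example; nothing here describes how CVE-2026-20253 itself works.

```python
"""Added example, not from the brief or from Splunk: audit Sysmon process-creation
records (EventCode 1) on a Splunk Enterprise host for shells or interpreters
spawned directly by splunkd, the kind of lineage a web-facing RCE leaves behind.

Assumptions (not stated on the page): the daemon image is splunkd / splunkd.exe,
Splunk's own bundled python and scripted inputs under etc/apps are expected
children, and the event records below are constructed, not real telemetry."""

import fnmatch

# Parent images that should never directly launch an interactive shell (assumption).
SERVICE_PARENTS = ("*/splunkd", "*\\splunkd.exe")

# Child images that splunkd has no routine reason to start (assumption; tune per host).
SUSPICIOUS_CHILDREN = (
    "*/sh", "*/bash", "*/dash", "*/zsh", "*/perl", "*/curl", "*/wget", "*/nc", "*/ncat",
    "*\\cmd.exe", "*\\powershell.exe", "*\\pwsh.exe", "*\\mshta.exe",
    "*\\certutil.exe", "*\\bitsadmin.exe",
)

# Command lines that are expected: scripted inputs live under $SPLUNK_HOME/etc/apps/*/bin
# (assumption; extend with the scripted inputs actually deployed on your hosts).
EXPECTED_COMMANDLINES = ("*/splunk/etc/apps/*/bin/*", "*\\splunk\\etc\\apps\\*\\bin\\*")


def _match(value, patterns):
    """Case-insensitive glob match (Windows paths are case-insensitive anyway)."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def find_service_spawned_shells(records, since=None):
    """Return records where splunkd spawned a suspicious child on or after `since`.

    `since` is a Sysmon-style UTC timestamp string ("YYYY-MM-DD HH:MM:SS.mmm");
    plain string comparison is safe because the format is fixed-width and zero-padded.
    """
    findings = []
    for r in records:
        if r.get("EventCode") != 1:
            continue
        if since is not None and r["UtcTime"] < since:
            continue
        if not _match(r.get("ParentImage", ""), SERVICE_PARENTS):
            continue
        if not _match(r.get("Image", ""), SUSPICIOUS_CHILDREN):
            continue
        if _match(r.get("CommandLine", ""), EXPECTED_COMMANDLINES):
            continue  # a deployed scripted input, not an exploitation artefact
        findings.append({"Computer": r["Computer"], "UtcTime": r["UtcTime"],
                         "Image": r["Image"], "CommandLine": r.get("CommandLine", "")})
    return findings


def summarize_by_host(findings):
    """Count findings per (Computer, Image) so the noisiest hosts surface first."""
    counts = {}
    for f in findings:
        key = (f["Computer"], f["Image"])
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


# Constructed sample records using Sysmon EventCode 1 field names.
SAMPLE_RECORDS = [
    {"EventCode": 1, "Computer": "splunk-idx01", "UtcTime": "2026-06-19 02:11:05.120",
     "ParentImage": "/opt/splunk/bin/splunkd", "Image": "/bin/sh",
     "CommandLine": "/bin/sh /opt/splunk/etc/apps/nix_ta/bin/cpu.sh"},        # scripted input: expected
    {"EventCode": 1, "Computer": "splunk-idx01", "UtcTime": "2026-06-19 02:13:41.330",
     "ParentImage": "/opt/splunk/bin/splunkd", "Image": "/bin/bash",
     "CommandLine": "/bin/bash -c id"},                                         # unexpected
    {"EventCode": 1, "Computer": "splunk-idx01", "UtcTime": "2026-06-19 02:14:00.004",
     "ParentImage": "/opt/splunk/bin/splunkd", "Image": "/opt/splunk/bin/python3.7",
     "CommandLine": "/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/search/bin/foo.py"},  # bundled python
    {"EventCode": 1, "Computer": "SPLUNK-SH01", "UtcTime": "2026-06-19 02:20:17.900",
     "ParentImage": "C:\\Program Files\\Splunk\\bin\\splunkd.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"},  # unexpected
    {"EventCode": 1, "Computer": "SPLUNK-SH01", "UtcTime": "2026-06-19 02:21:00.000",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},           # admin shell, not splunkd
    {"EventCode": 1, "Computer": "splunk-idx02", "UtcTime": "2026-06-10 11:00:00.000",
     "ParentImage": "/opt/splunk/bin/splunkd", "Image": "/usr/bin/curl",
     "CommandLine": "curl http://192.0.2.44/"},                                   # before the audit window
]

if __name__ == "__main__":
    hits = find_service_spawned_shells(SAMPLE_RECORDS, since="2026-06-18 00:00:00.000")
    for h in hits:
        print(h["UtcTime"], h["Computer"], h["Image"], h["CommandLine"])
    print(summarize_by_host(hits))
```

The allowlist is the important tuning knob: scripted inputs legitimately make `splunkd` a parent of `/bin/sh`, so without it the search drowns in expected noise. Set `since` to the disclosure date to scope the audit to the window in which exploitation could have occurred.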
Accenture Acquiring Dragos, runZero, and NetRise for $4.1 Billion
Accenture announced it will acquire a majority stake in Dragos along with the entirety of runZero and NetRise in a combined $4.1 billion transaction. Dragos, the OT/ICS threat detection company, is valued at $3.25 billion in the deal. RunZero brings agentless asset discovery across IT and OT environments, and NetRise adds firmware and software composition analysis for embedded devices and supply chain security.
This is the largest OT cybersecurity acquisition to date and it fundamentally changes the competitive landscape in industrial security. Accenture is assembling a vertically integrated stack: discover every asset (runZero), analyze firmware integrity (NetRise), and detect threats in operational technology networks (Dragos) — all wrapped in Accenture’s consulting and managed services delivery model. Energy, manufacturing, water, and transportation sectors are the primary targets.
For practitioners, the question is whether Dragos retains its product-led approach under a consulting parent or becomes a services-attached offering. Independent OT security tools that can be deployed without a consulting engagement may gain relative appeal for organizations that want the technology without the services contract.
What defenders should do: If you run Dragos, runZero, or NetRise, expect integration roadmap announcements in Q3-Q4. Evaluate whether your OT security architecture depends on any of these tools remaining independent. Begin assessing alternative IT/OT segmentation and asset discovery solutions as contingency planning.
Cisco Acquires WideField Security for Splunk’s Agentic SOC
Cisco announced the acquisition of WideField Security to integrate identity threat detection capabilities into Splunk’s AI-driven SOC platform. WideField specializes in mapping identity relationships, detecting credential misuse, analyzing session anomalies, and identifying lateral movement via valid accounts — the attack patterns that dominate modern intrusions but remain poorly covered by traditional SIEM correlation rules.
Identity-based attacks — stolen tokens, session hijacking, credential stuffing, MFA fatigue — are the most common initial access and persistence vectors in enterprise breaches. Most SIEM platforms treat identity as just another log source rather than a first-class detection domain. WideField’s technology fills that gap by providing identity-native correlation: not just “user X logged in from location Y” but “credential X is being used in a pattern consistent with lateral movement across three systems in 90 seconds.”
What defenders should do: Evaluate whether your SOC’s identity detection coverage extends beyond basic authentication logging. If you run Splunk, watch for WideField integration timelines. MITRE ATT&CK: T1078 — Valid Accounts, T1550 — Use Alternate Authentication Material.
FortiBleed Credential Dump Expands to 86,000 Fortinet Devices
The FortiBleed credential leak has grown to 86,000 affected Fortinet firewalls and VPN appliances, up from the initially reported 73,000. CISA issued an advisory. The dump includes plaintext VPN credentials extracted from internet-facing FortiGate devices, representing roughly half of all publicly exposed Fortinet infrastructure globally.
This is not a vulnerability in the traditional sense — it is a mass credential exposure. Attackers with these credentials do not need an exploit chain. They authenticate with valid credentials, and unless organizations have enforced phishing-resistant MFA on VPN sessions, the stolen username and password are sufficient for initial access. The downstream risk is immediate: credential-based access to corporate networks followed by lateral movement, data exfiltration, or ransomware deployment.
What defenders should do: If you operate FortiGate VPN, rotate all VPN credentials immediately regardless of whether your specific device appears in the dump. Enforce phishing-resistant MFA on all VPN authentication. Audit VPN session logs for connections from unexpected source IPs since the dump was published. Consider accelerating zero trust network access adoption to eliminate always-on VPN tunnel architectures. MITRE ATT&CK: T1078.001 — Valid Accounts: Default Accounts, T1133 — External Remote Services.
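The VPN-log audit in the action item above is straightforward to automate. The script below is an added example (not code from the brief, from Fortinet or from CISA) that parses FortiGate-style key=value event lines, keeps successful SSL-VPN tunnel logins dated on or after the dump's publication, and reports those whose client address falls outside the networks you expect, grouped by account so the accounts seen from the most new addresses can be rotated first. The field names (`subtype`, `action`, `remip`, `user`), the expected-network list and every log line are assumptions constructed for the example.

```python
"""Added example, not from the brief or from Fortinet: scan FortiGate SSL-VPN
event logs for successful tunnel logins from source addresses outside the
networks you expect, on or after the date the credential dump was published.

Assumptions (not on the page): FortiGate emits key=value syslog where
subtype="vpn", action="tunnel-up", user="..." and remip=<client address>
describe a successful VPN login; the expected networks and every log line
below are constructed for the example."""

import ipaddress
import re
from collections import defaultdict

# key=value pairs, values optionally double-quoted (FortiGate log style, assumption).
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_line(line):
    """Turn one FortiGate log line into a dict of its key=value fields."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def unexpected_vpn_logins(lines, expected_networks, since):
    """Return tunnel-up events dated on/after `since` (YYYY-MM-DD) whose remote IP
    is outside every network in `expected_networks` (CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    findings = []
    for line in lines:
        rec = parse_fortigate_line(line)
        if rec.get("subtype") != "vpn" or rec.get("action") != "tunnel-up":
            continue
        if rec.get("date", "") < since:
            continue
        try:
            remip = ipaddress.ip_address(rec.get("remip", ""))
        except ValueError:
            continue  # malformed or missing source address: nothing to judge
        if any(remip in net for net in nets):
            continue
        findings.append({"date": rec["date"], "time": rec.get("time", ""),
                         "user": rec.get("user", "?"), "remip": str(remip)})
    return findings


def users_by_unexpected_source(findings):
    """Map each user to its distinct unexpected source IPs, numerically sorted,
    so accounts seen from several new addresses stand out for rotation first."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["user"]].add(f["remip"])
    return {u: sorted(ips, key=ipaddress.ip_address) for u, ips in seen.items()}


# Constructed log lines using documentation address ranges, not real customers.
SAMPLE_LOGS = [
    'date=2026-06-19 time=08:12:44 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=203.0.113.25 user="alice" group="vpn-users" msg="SSL VPN tunnel up"',
    'date=2026-06-19 time=23:47:03 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=198.51.100.77 user="alice" group="vpn-users" msg="SSL VPN tunnel up"',
    'date=2026-06-20 time=03:05:19 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=192.0.2.9 user="bob" group="vpn-users" msg="SSL VPN tunnel up"',
    'date=2026-06-20 time=03:40:51 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=192.0.2.10 user="bob" group="vpn-users" msg="SSL VPN tunnel up"',
    'date=2026-06-10 time=12:00:00 type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" remip=192.0.2.50 user="carol" group="vpn-users" msg="SSL VPN tunnel up"',
    'date=2026-06-20 time=01:10:00 type="event" subtype="vpn" action="tunnel-down" tunneltype="ssl-tunnel" remip=198.51.100.77 user="alice" group="vpn-users" msg="SSL VPN tunnel down"',
    'date=2026-06-20 time=01:11:00 type="event" subtype="system" action="login" user="admin" msg="Administrator admin logged in successfully from https(203.0.113.4)"',
]

# Corporate egress prefix the workforce normally connects from (constructed).
EXPECTED_NETWORKS = ["203.0.113.0/24"]
DUMP_PUBLISHED = "2026-06-18"  # placeholder date for the example

if __name__ == "__main__":
    hits = unexpected_vpn_logins(SAMPLE_LOGS, EXPECTED_NETWORKS, DUMP_PUBLISHED)
    for h in hits:
        print(h["date"], h["time"], h["user"], h["remip"])
    print(users_by_unexpected_source(hits))
```

Because stolen credentials are valid credentials, the signal here is purely contextual (new source address, odd hour, several addresses per account); treat the output as a rotation and investigation list, not proof of compromise, and feed the same logic into your SIEM once the one-off audit is done.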
Today’s Deep Dive — DragonForce Hides C2 Inside Microsoft Teams
DragonForce ransomware operators have deployed a custom remote access trojan designated Backdoor.Turn that tunnels command-and-control communications through Microsoft Teams relay infrastructure. The technique is operationally significant: Teams relay traffic is allowlisted in virtually every enterprise environment, making C2 indistinguishable from legitimate collaboration traffic at the network layer.
The mechanism works by leveraging the Teams relay protocol to encapsulate C2 commands within traffic that flows through Microsoft’s infrastructure. Network detection tools that rely on domain-based allowlisting or IP reputation see only connections to Microsoft’s legitimate relay servers. A major US services firm was compromised using this approach. This is not the first time threat actors have hidden inside allowlisted SaaS traffic — but the combination of a custom RAT purpose-built for Teams relay and an active ransomware operation makes this a detection priority.
Detection requires moving beyond domain and IP-based network monitoring. Behavioral analysis of Teams traffic volume, session duration, and communication patterns is necessary to identify anomalous relay usage. Endpoint detection that monitors for unsigned binaries establishing connections to Teams relay endpoints is the higher-fidelity signal. MITRE ATT&CK: T1071.001 — Application Layer Protocol: Web Protocols, T1102 — Web Service.
Defender Action Items
- Patch Splunk Enterprise for CVE-2026-20253 immediately. If you cannot patch before Sunday, restrict management port access to trusted networks and audit process execution logs for pre-exploitation indicators.
- Rotate all Fortinet VPN credentials and enforce phishing-resistant MFA. Audit VPN logs for suspicious source IPs since the FortiBleed dump was published.
- Apply F5 out-of-band patches for CVE-2026-42530 if you run NGINX with the HTTP/3 module enabled. Use-after-free leading to RCE — no exploitation observed yet, but the attack surface (reverse proxies, load balancers, API gateways) is enormous.
- Monitor for anomalous Microsoft Teams relay traffic — unexpected session durations, unsigned binaries connecting to Teams relay endpoints, or Teams traffic from servers that do not run Teams clients.
- Review OAuth integrations with Salesforce and other CRM platforms — the Klue breach via OAuth token abuse is the third Salesforce-integrated app breach in recent months. Audit which third-party apps hold OAuth tokens to your CRM.
Detection Spotlight
DragonForce’s Backdoor.Turn tunnels C2 through Microsoft Teams relay infrastructure. The following Splunk SPL query identifies potential anomalous relay connections by detecting processes other than the legitimate Teams client establishing connections to Teams relay domains:
index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
(DestinationHostname="*.relay.teams.microsoft.com" OR DestinationHostname="*.tr.teams.microsoft.com")
NOT (Image="*\\Teams.exe" OR Image="*\\ms-teams.exe" OR Image="*\\MSTeams.exe")
| stats count by Image, DestinationHostname, DestinationIp, Computer
| where count > 5
| sort -count
This query flags non-Teams processes connecting to Teams relay infrastructure — a high-fidelity indicator of relay abuse for C2 tunneling. False positives may include legitimate Teams browser sessions (look for browser process names) or Teams add-ins. Correlate with endpoint detection for unsigned binaries in the flagged Image paths.
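To show the same logic outside Splunk, and to add the behavioural check the deep dive calls for, here is an added example in Python (not code from the brief or from DragonForce research): it re-implements the SPL's count-by-process test over Sysmon network-connection records (EventCode 3), tags the browser false positives the note above mentions, and then scores each (host, process, relay IP) tuple on how regular its connection cadence is, since a fixed-interval cadence is characteristic of automated tunnelling rather than an interactive Teams session. The relay domain and Teams client patterns are taken from the SPL above; the browser list, the thresholds, the relay hostname/IP values and every event are assumptions constructed for the example.

```python
"""Added example, not from the brief: the detection in the SPL query above,
re-implemented over Sysmon network-connection records (EventCode 3) in Python,
plus a behavioural check: a regular connection cadence to the same relay address,
which a human-driven Teams session does not produce.

Assumptions (not on the page): relay domain patterns and Teams client image
names come from the brief's SPL; the browser list, thresholds and every event
below are constructed for the example."""

import fnmatch
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

RELAY_DOMAINS = ("*.relay.teams.microsoft.com", "*.tr.teams.microsoft.com")
TEAMS_CLIENTS = ("*\\teams.exe", "*\\ms-teams.exe", "*\\msteams.exe")
BROWSERS = ("*\\chrome.exe", "*\\msedge.exe", "*\\firefox.exe")  # Teams-in-browser false positives
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def _match(value, patterns):
    """Case-insensitive glob match, as SPL wildcards are case-insensitive on Windows paths."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def non_teams_relay_connections(events, min_count=5):
    """Equivalent of `stats count by Image, DestinationHostname, DestinationIp, Computer
    | where count > 5` over relay destinations from non-Teams images; browsers are
    kept in the result but tagged as likely false positives."""
    counts = defaultdict(int)
    for e in events:
        if e.get("EventCode") != 3 or not _match(e["DestinationHostname"], RELAY_DOMAINS):
            continue
        if _match(e["Image"], TEAMS_CLIENTS):
            continue
        counts[(e["Image"], e["DestinationHostname"], e["DestinationIp"], e["Computer"])] += 1
    findings = [
        {"Image": img, "DestinationHostname": host, "DestinationIp": ip, "Computer": comp,
         "count": n, "likely_fp": _match(img, BROWSERS)}
        for (img, host, ip, comp), n in counts.items() if n > min_count
    ]
    return sorted(findings, key=lambda f: -f["count"])


def relay_beacon_scores(events, min_samples=6, max_cv=0.2):
    """Per (Computer, Image, DestinationIp): mean gap between relay connections and
    its coefficient of variation. A low CV means the cadence is machine-regular."""
    times = defaultdict(list)
    for e in events:
        if e.get("EventCode") != 3 or not _match(e["DestinationHostname"], RELAY_DOMAINS):
            continue
        times[(e["Computer"], e["Image"], e["DestinationIp"])].append(
            datetime.strptime(e["UtcTime"], TIME_FMT))
    scores = []
    for (comp, img, ip), ts in times.items():
        if len(ts) < min_samples:
            continue  # too few connections to judge a cadence
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        scores.append({"Computer": comp, "Image": img, "DestinationIp": ip,
                       "mean_gap_s": round(mean, 1), "cv": round(cv, 3),
                       "periodic": cv <= max_cv})
    return scores


def _series(computer, image, ip, gaps_s, start=datetime(2026, 6, 19, 9, 0, 0)):
    """Constructed EventCode 3 records: one connection at `start`, then one after each gap."""
    host = "c-relay.relay.teams.microsoft.com"  # constructed hostname matching the SPL pattern
    t, events = start, []
    for g in [0] + list(gaps_s):
        t += timedelta(seconds=g)
        events.append({"EventCode": 3, "Computer": computer, "Image": image,
                       "DestinationHostname": host, "DestinationIp": ip,
                       "UtcTime": t.strftime(TIME_FMT)})
    return events


SAMPLE_EVENTS = (
    _series("WS01", "C:\\Users\\Public\\svc_update.exe", "192.0.2.10", [58, 62, 60, 59, 61, 60, 60])  # unsigned-looking binary, clockwork
    + _series("WS02", "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe", "192.0.2.10", [5, 120, 30, 900, 3, 45])  # real client, irregular
    + _series("WS03", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "192.0.2.11", [10, 300, 40, 7, 1200])  # web Teams
    + _series("WS04", "C:\\Tools\\python.exe", "192.0.2.10", [30])  # too few connections to score
)

if __name__ == "__main__":
    for f in non_teams_relay_connections(SAMPLE_EVENTS):
        print("process", f["Computer"], f["Image"], f["count"], "likely_fp" if f["likely_fp"] else "")
    for s in relay_beacon_scores(SAMPLE_EVENTS):
        print("cadence", s["Computer"], s["Image"], s["mean_gap_s"], s["cv"], "PERIODIC" if s["periodic"] else "")
```

The two checks are complementary: the process test catches a custom RAT with a non-Teams image name, while the cadence test still fires if the implant injects into or masquerades as the real client, because it keys on timing rather than on the binary. Tune `max_cv` and `min_samples` against a baseline of real Teams clients before alerting on the periodic flag.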
References
- Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure — SecurityWeek
- Accenture to Acquire Majority Stake in Dragos, All of runZero, NetRise in $4.1 Billion OT Cybersecurity Push — SecurityWeek
- Cisco to Acquire WideField Security to Boost Splunk’s Agentic SOC — SecurityWeek
- FortiBleed Leak Exposes Fortinet VPN Credentials for 73,000 Devices — BleepingComputer
- DragonForce Hackers Abuse Microsoft Teams for C2 — The Hacker News
- F5 Issues Out-of-Band Patches for Critical NGINX Vulnerabilities — BleepingComputer
- Klue OAuth Breach Linked to Icarus Salesforce Data Theft Attacks — BleepingComputer
- AutoJack: Single-Page RCE on Host Running AI Agent — Microsoft Security Blog
- Law Enforcement Nukes SocGholish Malware From Nearly 15,000 Sites — BleepingComputer