June 19, 2026 by sig9
Hacker Wars - June 19, 2026
Your daily dose of infosec chaos
Today’s batch has a little something for everyone: a Splunk vuln being exploited faster than you can say “patch cycle,” ransomware gangs shipping their own EDR kill suites like it’s a SaaS product, Bluetooth earbuds that double as surveillance devices, and a rare win for the good guys with a massive botnet takedown.
Splunk Enterprise RCE Exploited In the Wild, CISA Gives 3 Days to Patch
CVE-2026-20253 is an unauthenticated remote code execution flaw in Splunk Enterprise, and attackers are already exploiting it just days after disclosure. CISA has added it to the KEV catalog and given federal agencies a three-day deadline to patch, which is their polite way of saying “this is really bad, drop everything.” If you’re running Splunk on anything internet-facing, you’re on the clock.
What to do: Patch Splunk Enterprise immediately. If you can’t patch yet, restrict network access to Splunk instances and monitor for suspicious activity.
Gentlemen Ransomware Ships Dedicated EDR Killers for Affiliates
The Gentlemen RaaS operation isn’t just encrypting files - it’s actively developing and maintaining a suite of EDR killer tools to help its affiliates blind your security stack before deploying payloads. This is ransomware-as-a-service maturing into ransomware-as-a-platform, with dedicated tooling for defense evasion. Affiliates don’t need to figure out how to kill your EDR anymore; it comes bundled in the kit.
What to do: Layer your defenses beyond EDR - network segmentation, immutable backups, and application control are your safety net when endpoint protection gets neutralized.
Apple Patches Beats Studio Buds Eavesdropping Flaw (CVE-2025-20701)
Apple pushed an update for Beats Studio Buds to fix a high-severity Bluetooth vulnerability (CVSS 8.8) in the Airoha chipset that could let a nearby attacker eavesdrop on your conversations through the earbuds’ microphones. The flaw was in the authorization logic, meaning the buds would happily connect to unauthorized devices without asking. Great for attackers, terrible for your board meetings.
What to do: Update your Beats Studio Buds firmware immediately. If you’re in a sensitive environment, maybe don’t discuss your incident response plan over Bluetooth headphones.
SocGholish Botnet Knocked Offline, 15,000 WordPress Sites Cleaned
In a refreshing change of pace, law enforcement and private sector partners took down 106 SocGholish command-and-control servers and domains as part of Operation Endgame. SocGholish has been one of the most prolific initial access brokers, using compromised WordPress sites to serve fake browser updates that drop malware. The cleanup removed infections from 15,000 WordPress sites. A small victory, but we’ll take it.
What to do: If you run WordPress, audit your site for injected scripts and fake update prompts. Keep plugins updated and consider a web application firewall to catch injection attempts.
That’s a wrap. Back tomorrow with more digital warfare.
Brought to you by sig9 - sig9.ch | Protecting the unseen, securing the unknown