Vulnerability Intelligence Report — June 21, 2026

Vulnerability Intelligence Report — June 21, 2026 (Sunday Edition)
Coverage: June 1–21, 2026 | Total CISA KEV additions (period): 16 | New KEVs: 0 | KEV deadline TODAY: Splunk Enterprise (actively exploited) | KEV deadline TOMORROW: LiteLLM | Monday: Triple KEV (Chromium/Arista/Cisco SD-WAN) | Overdue KEVs: 10
Previous reports: June 20, 2026 | June 19, 2026

Today — Sunday, June 21, 2026 — is the CISA KEV remediation deadline for Splunk Enterprise CVE-2026-20253, now confirmed as actively exploited. This is the third weekend KEV deadline this period and the second actively exploited one. Tomorrow starts a busy week: LiteLLM CVE-2026-42271 on Monday, followed by the biggest single-day deadline of the period on Tuesday (June 23) with three simultaneous KEVs: Google Chromium V8, Arista EOS, and Cisco SD-WAN Manager. The weekend news cycle brought two significant stories: Microsoft has attributed the Mastra AI supply chain attack to North Korean state-sponsored hackers — a geopolitical escalation in AI-focused cyber operations — and the AryStinger botnet has infected thousands of D-Link routers worldwide, building a substantial DDoS and proxy infrastructure. A new ransomware variant dubbed “Prinz Eugen” prioritises recent files for encryption to maximise operational impact.


Quick Reference — Most Important Items Today

Splunk Enterprise: CVE-2026-20253 (CISA KEV DEADLINE TODAY — actively exploited, patch before end of day or disconnect sidecar)

Microsoft/North Korea: Mastra AI supply chain attack attributed to DPRK state-sponsored hackers — AI ecosystem targeted

AryStinger Botnet: Thousands of D-Link routers infected worldwide — significant DDoS infrastructure

Prinz Eugen Ransomware: New variant prioritising recent files for faster encryption impact

Upcoming deadlines: LiteLLM TOMORROW | Triple KEV Tuesday (Chromium/Arista/Cisco) | Cisco SD-WAN actively exploited June 29

Branda WordPress: CVE-2026-11551 (CRITICAL 9.8) — privilege escalation via account takeover

Overdue KEV: Splunk (today) | Joomla +2, SolarWinds +2, LiteSpeed +3, Oracle PS +6, Ivanti +7, Check Point +10, Nx Console +11, Mirasvit +15, Android +16, PAN-OS +20


Splunk Enterprise — CVE-2026-20253 (KEV DEADLINE TODAY)

Software affected: Splunk Enterprise — SIEM and log analytics platform.

CVE: CVE-2026-20253 | CISA KEV deadline today — Sunday, June 21, 2026 | Now confirmed actively exploited by CISA | Missing authentication (CWE-306) enables unauthenticated file create/truncate via PostgreSQL sidecar endpoint | Second actively exploited KEV this period | BOD 26-04 weekend deadline.

Status: Today is the remediation deadline. CISA confirmed active exploitation on Friday. The PostgreSQL sidecar endpoint allows unauthenticated file operations — write arbitrary files (RCE path via script directories) or truncate files (destroy indexes, configs, audit logs). SIEM compromise is the highest-impact scenario in enterprise security: attackers who control the SIEM can suppress alerts, delete evidence, and operate undetected across the entire environment. Organisations that have not yet patched are now at the final deadline. Dedicated advisory.

Recommended action: Patch Splunk today — this is the deadline. Apply SVD-2026-0603 immediately. If patching is not possible on a Sunday, restrict PostgreSQL sidecar port to localhost only. Verify SIEM functionality after patching — check log ingestion, alert generation, and downstream forwarding.

Official source: Splunk SVD-2026-0603 | CISA KEV Catalog


Microsoft Links Mastra AI Supply Chain Attack to North Korea

Status: Microsoft has attributed the Mastra AI supply chain attack to North Korean state-sponsored hackers. The Mastra framework is an open-source AI agent orchestration platform used to build and deploy AI workflows. North Korean actors compromised the supply chain to distribute malicious packages through the ecosystem, targeting organisations that integrate AI agents into their development and operational pipelines. This represents a significant geopolitical escalation — state-sponsored actors are now actively targeting the AI/ML supply chain as an attack vector. Organisations using Mastra, LangChain, CrewAI, or similar AI orchestration frameworks should audit their dependency trees for compromised packages, verify the integrity of all AI framework components, and review outbound network connections from AI agent execution environments.

Recommended action: Immediately audit AI/ML dependency trees (Mastra, LangChain, CrewAI, and related frameworks). Verify package integrity against known-good checksums. Review network access from AI agent runtime environments — restrict egress to known endpoints only. Monitor for unusual API key usage patterns on AI service accounts. Microsoft has published indicators of compromise — ingest into detection systems.

Official source: BleepingComputer Report | Microsoft Threat Intelligence
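
One way to run the dependency audit and checksum verification recommended above against an npm lockfile. This is an added example, not code from the report, Microsoft or the Mastra project. The package names, versions, hosts and watchlist entry are constructed placeholders, and the allowed registry host is an assumption.

```python
import base64
import hashlib
from urllib.parse import urlparse

ALLOWED_HOSTS = {"registry.npmjs.org"}   # assumption: only the public npm registry is expected
WATCHLIST = {("@example-ai/agent-core", "9.9.9")}  # placeholder; fill from published indicators

def sri_matches(tarball: bytes, integrity: str) -> bool:
    """True if the bytes hash to any entry of an SRI string ('sha512-<base64> ...')."""
    for entry in integrity.split():
        algo, _, expected = entry.partition("-")
        if algo in ("sha256", "sha384", "sha512"):
            digest = hashlib.new(algo, tarball).digest()
            if base64.b64encode(digest).decode() == expected:
                return True
    return False

def audit_lockfile(lock: dict) -> list:
    """Return (name, version, finding) tuples for a parsed package-lock.json (v2/v3)."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path or meta.get("link"):      # skip the root project and workspace links
            continue
        name = meta.get("name") or path.rpartition("node_modules/")[2]
        version = meta.get("version", "?")
        if (name, version) in WATCHLIST:
            findings.append((name, version, "watchlist-hit"))
        host = urlparse(meta.get("resolved", "")).hostname
        if host not in ALLOWED_HOSTS:
            findings.append((name, version, f"unexpected-source:{host}"))
        if "integrity" not in meta:
            findings.append((name, version, "missing-integrity"))
        if meta.get("hasInstallScript"):      # lifecycle scripts run code at install time
            findings.append((name, version, "install-script"))
    return findings

# Constructed sample in package-lock.json v3 layout; names and hosts are made up.
DEMO_TARBALL = b"constructed tarball bytes"
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "agent-service", "version": "1.0.0"},
    "node_modules/@example-ai/agent-core": {
        "version": "9.9.9", "hasInstallScript": True,
        "resolved": "https://registry.npmjs.org/@example-ai/agent-core/-/agent-core-9.9.9.tgz",
        "integrity": "sha512-" + base64.b64encode(hashlib.sha512(DEMO_TARBALL).digest()).decode()},
    "node_modules/left-helper": {"version": "1.2.0",
        "resolved": "https://mirror.example.invalid/left-helper-1.2.0.tgz"}}}

if __name__ == "__main__":
    print(*audit_lockfile(SAMPLE_LOCK), sep="\n")
```

For a real project, pass `json.load(open("package-lock.json"))` to `audit_lockfile` and run `sri_matches` on each cached tarball. Bundled dependencies carry no `resolved` or `integrity` of their own and will be listed for manual review.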


AryStinger Botnet, Prinz Eugen Ransomware, Branda WP — Weekend Roundup

AryStinger Botnet — D-Link Routers: A new botnet dubbed AryStinger has infected thousands of D-Link routers worldwide, building a substantial infrastructure for DDoS attacks and proxy services. D-Link routers are common in home and small office environments. Organisations should check whether any D-Link devices operate within their network perimeter, ensure firmware is updated, and monitor for unusual outbound traffic patterns from router IPs.

Prinz Eugen Ransomware: A new ransomware variant prioritises recently accessed and modified files for encryption rather than encrypting files in alphabetical or directory-tree order. This tactic maximises operational impact — the files most critical to current business operations are encrypted first, reducing the victim’s window for detection and intervention. The variant uses the .prinzeugen extension. Standard ransomware defences apply: offline backups, EDR with anti-ransomware capabilities, network segmentation.

Branda WordPress CVE-2026-11551 (CRITICAL 9.8): Privilege escalation via account takeover in the Branda WordPress plugin. All versions up to and including the latest are affected. Unauthenticated attackers can gain administrator access. Patch immediately or disable the plugin.
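
Detection sketch for the Prinz Eugen item above, added here and not taken from the report or any vendor: it flags a host when several files with the .prinzeugen extension appear inside a short window and returns the first files hit, so responders can scope the most recently used data first. The event format, host names, paths, window and threshold are assumptions; the events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

EXT = ".prinzeugen"               # extension named in the report
WINDOW = timedelta(seconds=60)    # assumed tuning values, adjust per environment
THRESHOLD = 3

# Constructed file-audit events in an assumed format: "<ISO time> <host> <op> <path>"
SAMPLE_EVENTS = """\
2026-06-21T09:14:02 fs01 MODIFY /srv/share/finance/q2-forecast.xlsx
2026-06-21T09:14:03 fs01 RENAME /srv/share/finance/q2-forecast.xlsx.prinzeugen
2026-06-21T09:14:05 fs01 RENAME /srv/share/hr/offer letter.docx.prinzeugen
2026-06-21T09:14:09 fs01 RENAME /srv/share/ops/runbook.md.prinzeugen
2026-06-21T09:20:00 ws07 CREATE /home/ana/a.prinzeugen
2026-06-21T09:31:00 ws07 CREATE /home/ana/b.prinzeugen
2026-06-21T09:45:00 ws07 CREATE /home/ana/c.prinzeugen
""".splitlines()

def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {host: [paths]} for hosts with >= threshold EXT files inside one window."""
    recent = defaultdict(deque)   # host -> (time, path) of matching events still in window
    alerts = {}
    for line in lines:
        parts = line.split(maxsplit=3)   # maxsplit keeps spaces inside the path
        if len(parts) != 4:
            continue              # skip malformed lines instead of failing the run
        ts, host, op, path = parts
        if op not in ("CREATE", "RENAME") or not path.lower().endswith(EXT):
            continue
        now = datetime.fromisoformat(ts)
        queue = recent[host]
        queue.append((now, path))
        while now - queue[0][0] > window:
            queue.popleft()       # drop events that fell out of the window
        if len(queue) >= threshold and host not in alerts:
            alerts[host] = [p for _, p in queue]   # first files hit: start scoping here
    return alerts

if __name__ == "__main__":
    for host, paths in detect_bursts(SAMPLE_EVENTS).items():
        print(host, len(paths), paths[0])
```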


This Week’s KEV Deadlines — Busy Week Ahead

TODAY (Sunday): Splunk Enterprise CVE-2026-20253. Actively exploited.

TOMORROW (Monday June 22): BerriAI LiteLLM CVE-2026-42271.

Tuesday June 23: TRIPLE DEADLINE — Google Chromium V8 CVE-2026-11645 / Arista EOS CVE-2026-7473 / Cisco SD-WAN CVE-2026-20245.

June 29 (8 days): Cisco SD-WAN CVE-2026-20262. Actively exploited. Dedicated advisory.

OVERDUE — 10 entries: Splunk (today), Joomla +2, SolarWinds +2, LiteSpeed +3, Oracle PS +6, Ivanti +7, Check Point +10, Nx Console +11, Mirasvit +15, Android +16, PAN-OS +20.


Updates on Items from Previous Reports

Splunk CVE-2026-20253: Deadline today. Actively exploited — patch immediately. Dedicated advisory.

Joomla, SolarWinds, LiteSpeed: All past deadline — 3 overdue KEVs.

Oracle CPU: PeopleSoft CVE-2026-35278 remains the highest priority Oracle patch. ShinyHunters campaign continues.

pgAdmin 4, Gravity SMTP, Icarus/Klue: Dedicated advisories published yesterday.

North Korea AI supply chain: Mastra attribution story — dedicated advisory pending. Audit AI framework dependencies immediately.

38 dedicated advisories published this period.


This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
