Cybersecurity Weekly Briefing, 3 July

July 3, 2026

CVE-2026-20251 in Splunk Secure Gateway: Unsafe jsonpickle Deserialization Enables RCE for Low-Privileged Attackers

CVE-2026-20251 (CVSSv3 8.8) has been disclosed as a high-severity vulnerability in Splunk Secure Gateway (SSG) allowing low-privileged authenticated users to achieve remote code execution (RCE). The root cause lies in unsafe deserialization of user-controlled data via the Python jsonpickle library: the validation function check_alert_data_valid_json() short-circuits upon encountering an allowed key such as "py/object" without inspecting sibling fields, allowing malicious payloads to be embedded unchecked.

Once validated, data is processed via jsonpickle.decode(..., safe=True); however, dangerous deserialization paths such as "py/reduce" remain exploitable despite the safe flag, allowing attackers to invoke arbitrary Python functions including system-level commands via the subprocess module. Exploitation requires only a low-privilege Splunk account, with no user interaction.

The vulnerability affects SSG versions 3.8.x, 3.9.x, and 3.10.x, as well as Splunk Enterprise versions prior to 10.0.7, 10.2.4, and 10.4.0+. Splunk has patched the issue in SSG 3.8.67, 3.9.20, and 3.10.6.
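To show the validation flaw the advisory describes, here is an added example (not Splunk's code; the allowlist, field names and sample documents are constructed): a check that stops at the first allowlisted key, beside one that walks the whole tree and refuses every jsonpickle tag so that untrusted alert data is only ever parsed as plain JSON.

```python
import json

# Hypothetical allowlist of alert fields. "py/object" is listed to mirror
# the flawed check described above, which treated it as a green light.
ALLOWED_KEYS = {"py/object", "title", "severity", "details", "host"}

def naive_check(doc):
    """Flawed pattern: accept as soon as one key is allowlisted, ignoring siblings."""
    for key in doc:
        if key in ALLOWED_KEYS:
            return True
    return False

def strict_check(node, path="$"):
    """Walk every dict and list; reject any jsonpickle tag or unknown key at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if not isinstance(key, str) or key.startswith("py/"):
                return False, f"{path}.{key}: jsonpickle tag not permitted"
            if key not in ALLOWED_KEYS:
                return False, f"{path}.{key}: key not in allowlist"
            ok, why = strict_check(value, f"{path}.{key}")
            if not ok:
                return ok, why
        return True, ""
    if isinstance(node, list):
        for i, item in enumerate(node):
            ok, why = strict_check(item, f"{path}[{i}]")
            if not ok:
                return ok, why
        return True, ""
    if node is None or isinstance(node, (str, int, float, bool)):
        return True, ""
    return False, f"{path}: unsupported type {type(node).__name__}"

def safe_load(text):
    """Parse as plain JSON and validate the whole tree; user input never
    reaches jsonpickle.decode, with or without safe=True."""
    doc = json.loads(text)
    ok, why = strict_check(doc)
    if not ok:
        raise ValueError(why)
    return doc

# Constructed samples; the "py/reduce" value is a placeholder, not a payload.
BENIGN = {"title": "Disk usage high", "severity": "warn"}
HOSTILE = {"py/object": "app.Alert", "py/reduce": ["<callable ref>", []]}
NESTED = {"title": "ok", "details": {"py/reduce": ["<callable ref>", []]}}
```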


Glitch SPY: Android RAT with 70+ Commands, Crypto-Clipper, and Hidden Remote Browser Distributed as Fake Polish Rental App

Cyble's CRIL has identified Glitch SPY, an emerging Android malware family distributed through a fraudulent Polish real estate rental website (tutaj-dompl[.]com) that lures users into installing an APK from outside official app stores. The downloaded application is the Brokewell Android Loader, a dropper that deploys the Glitch SPY payload; the payload abuses Android's Accessibility Service to grant itself permissions automatically and to interact with the device UI.

Glitch SPY maintains a persistent WebSocket channel to its C&C server and supports over 70 commands spanning live screen streaming and remote control, SMS/contact/call log/location theft, camera and microphone surveillance, keylogging, file management, and shell execution. Notably, it includes a crypto-clipper module that replaces copied wallet addresses across multiple formats (ETH/EVM, TRON, Bitcoin legacy, and Bech32), and a hidden remote browser capability that allows the attacker to conduct web-based activity from the victim's own device and IP address, making detection harder for banks or crypto platforms.


LSHIY Campaign Targets Microsoft 365 Accounts via Password Spray Using Default IoT Credentials and Residential Proxies

Researchers have documented the active LSHIY campaign, which conducts large-scale password spray attacks against Microsoft 365 accounts using factory-default credentials from home routers and IoT devices that users never changed, alongside passwords reused from prior data breaches.

The campaign masks the origin of authentication attempts behind a distributed residential-proxy infrastructure and keeps the attempt rate per account low enough to stay under lockout thresholds and SIEM anomaly-detection rules. Attackers abuse legacy Basic Authentication and the Device Code OAuth flow, both of which remain enabled in many Microsoft 365 enterprise configurations even where administrators have deployed Conditional Access. Affected organizations include mid-sized companies in manufacturing, legal services, and education.

Recommended mitigations include disabling legacy authentication, implementing phishing-resistant MFA, and auditing Device Code Flow usage across the tenant.
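As an added example, not part of the original briefing: a small detector run over constructed sign-in records that flags the low-and-slow pattern described above (many accounts, few attempts each, many source addresses) and lists the accounts reached through legacy protocols or the device-code flow. The column layout, client labels and thresholds are assumptions; a real Entra sign-in log splits "client" across clientAppUsed and authenticationProtocol.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sign-in records (not real tenant data).
# Columns: timestamp,user,source_ip,result,client
LOG = """\
2026-07-01T02:00:05Z,a.nowak,203.0.113.10,failure,Exchange ActiveSync
2026-07-01T02:04:11Z,b.kowal,198.51.100.7,failure,SMTP
2026-07-01T02:09:40Z,c.wisnia,203.0.113.44,failure,IMAP4
2026-07-01T02:15:02Z,d.lewan,192.0.2.88,failure,Device Code
2026-07-01T02:21:37Z,e.zieli,198.51.100.19,failure,SMTP
2026-07-01T02:26:55Z,f.szyma,203.0.113.10,failure,IMAP4
2026-07-01T02:33:14Z,g.wozni,192.0.2.131,failure,Exchange ActiveSync
2026-07-01T02:39:48Z,h.dabro,198.51.100.7,failure,SMTP
2026-07-01T02:41:00Z,a.nowak,203.0.113.44,failure,IMAP4
2026-07-01T02:42:19Z,i.kozlo,192.0.2.88,success,Browser
2026-07-01T02:45:03Z,i.kozlo,192.0.2.88,success,Browser
"""

# Client labels treated as legacy auth or device-code flow (assumed names).
LEGACY = {"SMTP", "IMAP4", "POP3", "Exchange ActiveSync", "Device Code"}

def parse(log):
    """Turn the CSV-style lines into dicts with parsed timestamps."""
    rows = []
    for line in log.strip().splitlines():
        ts, user, ip, result, client = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     "user": user, "ip": ip, "result": result, "client": client})
    return rows

def first_spray_window(rows, window=timedelta(hours=1), min_users=6,
                       max_per_user=2, min_ips=3):
    """Spray signature: within one window, many distinct accounts each fail
    only a few times, from several source IPs. Returns the first such window."""
    fails = sorted((r for r in rows if r["result"] == "failure"), key=lambda r: r["ts"])
    for i, start in enumerate(fails):
        chunk = [r for r in fails[i:] if r["ts"] - start["ts"] <= window]
        per_user = Counter(r["user"] for r in chunk)
        ips = {r["ip"] for r in chunk}
        if (len(per_user) >= min_users and max(per_user.values()) <= max_per_user
                and len(ips) >= min_ips):
            return {"start": start["ts"].isoformat(), "distinct_users": len(per_user),
                    "distinct_ips": len(ips), "attempts": len(chunk)}
    return None  # per-user thresholds alone would miss this; a single account brute force is not flagged

def legacy_auth_users(rows):
    """Accounts reached over legacy protocols or device-code flow (audit targets)."""
    return sorted({r["user"] for r in rows if r["client"] in LEGACY})
```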


FortiBleed Linked to INC and Lynx Ransomware: Campaign Compromised 430,000 FortiGate Firewalls

Follow-up investigations by SOCRadar's Threat Research Unit (STRU) have directly tied the FortiBleed credential theft campaign to members of the INC and Lynx ransomware-as-a-service operations, after identifying a Windows server within the FortiBleed infrastructure that was used to access the negotiation panels of both groups, including dashboards containing victim negotiation chats.

The campaign deployed a custom packet-sniffing tool called "FortiGate Sniffer" on compromised FortiGate firewalls to intercept VPN credentials and authentication data directly from network traffic. New research substantially expands the known scale: the operation targeted more than 430,000 FortiGate firewalls worldwide, deploying sniffers on approximately 19,000 devices, reduced to 11,000 active following victim notifications. SOCRadar also identified over 200 additional operational servers — approximately 500 total — and evidence of overlap between FortiBleed victims and organizations later listed on the INC Ransom leak site.

Researchers also believe attackers exploited an undisclosed Nextcloud zero-day as part of post-compromise operations to expand access. A persistent backdoor account using the username adminin was identified on compromised systems.


CVE-2026-35273: ShinyHunters Exploits Oracle PeopleSoft Zero-Day, Impacting Nissan, NAIC, and Over 100 Organizations

Nissan has confirmed a data breach affecting current and former employees in the US, Canada, Mexico, and Brazil following exploitation of a zero-day vulnerability in Oracle PeopleSoft. Potentially compromised information includes contact details, Social Security Numbers, national identification numbers, and financial and tax information.

Separately, the National Association of Insurance Commissioners (NAIC) confirmed on June 11 that its PeopleSoft systems had been accessed without authorization, though it disputes the claims of the extortion group ShinyHunters: according to NAIC, the stolen data is limited to already-public information, outdated logs, and configuration files, with no evidence of exposed PII or financial data. ShinyHunters claims 3.1 TB of data across 105,000 files, including stored credentials for the SERFF, OPTins, and UCAA production environments.

Both incidents stem from exploitation of CVE-2026-35273 in Oracle PeopleSoft PeopleTools between May 27 and June 9, confirmed by Mandiant as zero-day exploitation that has impacted more than 100 organizations, primarily in the education sector.
