Canadian Cyber Security Journal

Cybersecurity Daily Brief — Thursday, June 18, 2026

Here are today’s top cybersecurity stories for Thursday, June 18, 2026.

F5 Issues Emergency Patches for Critical NGINX Vulnerabilities
F5 released an out-of-band advisory addressing multiple high-severity flaws in NGINX, including two critical-severity bugs — CVE-2026-42530 and CVE-2026-42055 (CVSS 9.2) — that allow unauthenticated remote attackers to trigger code execution or denial-of-service conditions in HTTP/2, HTTP/3, and gRPC traffic paths. A second advisory covers two additional high-severity flaws in NGINX Gateway Fabric affecting authenticated configuration injection. NGINX Open Source, NGINX Plus, and NGINX Ingress Controller are all in scope. Updated patches were published June 18, 2026. BleepingComputer

Klue OAuth Breach Exposes Salesforce CRM Data Across Multiple Organizations
Market intelligence platform Klue suffered a compromise beginning June 11 when attackers pushed a malicious code update to steal OAuth tokens customers use to connect Klue’s Battlecards product to Salesforce. The “Icarus” extortion group — active since April 2026 — used the stolen tokens to query connected Salesforce environments and exfiltrate CRM data including business contacts, sales communications, price quotes, and competitive intelligence reports. Salesforce has disabled the Klue Battlecards integration while the investigation continues; affected organizations include Huntress, whose security team published a detailed post-mortem. BleepingComputer

Kodak Confirms ShinyHunters Breach as June 18 Leak Deadline Arrives
Kodak confirmed a data breach after ShinyHunters listed the company on its dark web site on June 15, claiming 2.2 million records containing customer personal information and internal data. ShinyHunters set a June 18 deadline before threatening to publish the data. Kodak stated that an unauthorized third party temporarily accessed a limited amount of company data and engaged external cybersecurity experts and law enforcement; the company did not confirm whether the 2.2 million figure is accurate. This follows a 2026 campaign by ShinyHunters that also targeted Instructure Canvas, Charter Communications, and Oracle PeopleSoft. BleepingComputer

Accenture Acquires Dragos for $3.25B in $4.18B OT Security Push
Accenture announced agreements on June 18 to acquire a majority stake in industrial cybersecurity firm Dragos at a $3.25 billion valuation, along with full ownership of runZero and NetRise, in a combined deal valued at approximately $4.18 billion. The acquisitions represent Accenture’s first large-scale entry into operational technology security and aim to provide end-to-end OT protection for power grids, pipelines, manufacturing facilities, and data centres. Transactions are expected to close in August or September 2026 pending regulatory approval. CyberScoop

Splunk Patches Critical CVSS 9.8 Flaw Allowing Unauthenticated File Operations
Splunk released security updates addressing CVE-2026-20253 (CVSS 9.8), a critical-severity arbitrary file creation and truncation vulnerability in Splunk Enterprise. Unauthenticated attackers can exploit a PostgreSQL sidecar service endpoint that lacks access controls to invoke file operations across the network without credentials. Additional fixes address three high-severity RCE, SSRF, and XSS defects, plus roughly three dozen third-party component vulnerabilities across Splunk Enterprise and Splunk SOAR. SecurityWeek

INC Ransomware Surpasses 830 Victims as RaaS Operation Matures
Security researchers have documented INC ransomware’s evolution from a nascent group into one of the most prolific ransomware-as-a-service operations of 2026, claiming over 830 victims since August 2023. INC ranked fourth in Q1 2026 by victim count, behind Qilin, Akira, and The Gentlemen, with US organizations making up 65% of victims across legal services, manufacturing, construction, technology, and healthcare. The group has rewritten its Windows and Linux/ESXi encryptors in Rust and updated its credential dumper to target newer Veeam backup deployments using salted DPAPI encryption. The Hacker News

Salt Typhoon Breached US National Guard Networks in Every State for Nine Months
Department of Homeland Security documents obtained via FOIA request confirm that China-linked Salt Typhoon maintained access to an unnamed state’s Army National Guard network for approximately nine months, exfiltrating administrator credentials, network diagrams, geographic maps, and service members’ personal information. DHS concluded the breach likely provided Beijing with data to facilitate attacks against other states’ National Guard units and their cybersecurity partners. The disclosure follows prior reporting of Salt Typhoon campaigns against US telecommunications carriers and government entities across 200 or more organizations in 80 countries. Dark Reading

Federal Audit Slams NIST’s NVD for 27,000-Entry Backlog and 88% Accuracy Failure
A Department of Commerce inspector general report found that NIST has mismanaged the National Vulnerability Database through poor planning, inefficient operations, and failure to coordinate with CISA’s Vulnrichment program — at one point both agencies hired the same contractor to do identical work. The NVD backlog grew from 13,000 unprocessed vulnerabilities in February 2024 to over 27,000 by end of 2025. Independent testing of NIST’s severity scores found they matched evaluators only 12% of the time. NIST has until July 25, 2026 to submit a remediation plan. CyberScoop

Stay tuned for today’s in-depth analysis posts.
