MAGNET S2 WEEKLY SNAPSHOT – 260621-1200z

Download a PDF version of this report

MAGNET S2 WEEKLY SNAPSHOT — 260621-1200Z
MAGNET S2
Weekly OSINT Intelligence Snapshot
DTG: 260621-1200Z  |  Reporting Period: 14–21 June 2026  |  United States Focus
www.magnethf.com
MAGCON STATUS
MAGCON
LEVEL 3
ELEVATED
 MAGCON HOLDS AT LEVEL 3 – ELEVATED. The dominant development this week is the signing of the US–Iran MOU at the Palace of Versailles on 18 June 2026 — the most significant diplomatic event of the conflict — immediately followed by Iran’s re-closure of the Strait of Hormuz on 20 June citing Israeli non-compliance with MOU Clause 1 (permanent termination of military ops on all fronts including Lebanon). As of DTG, Hormuz remains CLOSED despite the signed MOU. Nuclear follow-on talks are underway today in Switzerland (Witkoff, Kushner). The Lebanon blocking variable — which nearly prevented signing — remains the active risk factor post-signing. Israel has explicitly stated it is NOT bound by the US–Iran ceasefire and continues Lebanon operations. NEW KEV CRITICAL: Splunk CVE-2026-20253 (CVSS 9.8) federal deadline is TODAY — public PoC active since June 13. DAEMON Tools and Nx Console KEV deadlines PASSED 17 June. Delaney Hall detainee hunger strike now 30 days; ACLU reports 5+ other ICE facility strikes nationwide. DOJ charged 15 for Minnesota anti-ICE conspiracy. FIFA World Cup enters Week 2 — ISIS propaganda targeting venues detected.
TREND VS LAST WEEK:  WORSENING THEN IMPROVING THEN WORSENING — MOU SIGNED BUT HORMUZ RE-CLOSED / LEBANON BLOCKING VARIABLE ACTIVE POST-SIGNING / SPLUNK CVSS 9.8 KEV DEADLINE TODAY / DELANEY HALL ESCALATION / NUCLEAR TALKS BEGIN
PRIMARY RISK DRIVERS
  • Iran–US MOU SIGNED at Versailles (18 June) — then Hormuz RE-CLOSED (20 June): Trump and Iranian President Pezeshkian signed the 14-point MOU on 18 June at the G7 summit in France. Key terms: Iran opens Hormuz toll-free for 60 days; US lifts naval blockade; $25B+ frozen Iranian assets released; oil sanctions waived; 60-day window to negotiate nuclear issues. Supreme Leader Khamenei endorsed via written statement 18 June. Trump declared June 20: “Ships of the World, start your engines. Let the oil flow!” — but Iran announced the SAME DAY (20 June) it was re-closing Hormuz citing Israel’s continued Lebanon operations as MOU Clause 1 violation. IRGC warned commercial vessels not to approach the Strait. US military denied any MOU violation. As of DTG, Hormuz status is AMBIGUOUS.
  • Switzerland Nuclear Talks — underway TODAY (21 June): US envoys Steve Witkoff and Jared Kushner are in Switzerland as of DTG. Pakistan continues as primary mediator. VP Vance said he may join; stated “great progress has been made.” Iranians declined to stand beside US/Pakistan/Qatar for cameras. A Middle Eastern official indicated special envoys are out of sync with Rubio, particularly on Lebanon strategy. The 60-day window to resolve nuclear enrichment, HEU stockpile, ballistic missiles, and proxy network begins this week.
  • Lebanon / Israel–Hezbollah — MOU Clause 1 compliance crisis: MOU Clause 1 calls for “immediate and permanent termination of military operations on all fronts, including in Lebanon.” Israel has explicitly stated it is NOT bound by the US–Iran ceasefire; Defense Minister Katz said troops would remain in southern Lebanon indefinitely. Hezbollah continues strikes. Iran re-closed Hormuz June 20 in direct response. Trump on June 19 announced a renewed ceasefire facilitated by US, Qatar, and Iran — but fighting continued same day with Hezbollah attacking Israeli forces at Nabatieh.
  • NEW — Splunk CVE-2026-20253 — CVSS 9.8 — KEV DEADLINE TODAY (21 June): Unauthenticated pre-auth RCE via PostgreSQL sidecar service bundled with Splunk Enterprise. Affects versions 10.0.0–10.0.6 and 10.2.0–10.2.3. Public PoC on GitHub since June 13. Splunk confirmed limited exploitation in June 2026. CISA KEV due date: TODAY. Upgrade to 10.4.0, 10.2.4, or 10.0.7 immediately. Temporary workaround: disable PostgreSQL sidecar (may break Edge Processor and SPL2 pipelines). Splunk Cloud Platform is NOT affected.
  • NEW — CVE-2026-48907 Widget Factory Joomla Content Editor — KEV added 16 June: Improper access control allows unauthenticated users to upload and execute PHP code via new editor profile creation. Affects Joomla CMS sites running JCE plugin. Apply vendor updates immediately per BOD 26-04.
  • PASSED DEADLINES — DAEMON Tools CVE-2026-8398 and Nx Console CVE-2026-48027 (17 June): Both federal deadlines PASSED as of yesterday. Audit all DAEMON Tools installations from Apr–May 2026, rotate credentials, update to v12.6.0.2445. Scan all developer workstations for malicious Nx Console VS extension. If not done, treat as potential compromise.
  • Check Point CVE-2026-50751 — Qilin ransomware affiliate confirmed: New intelligence confirms exploitation campaign linked to Qilin ransomware affiliate with medium confidence. Post-exploit ELF payload delivery. Infrastructure: VPS hosts at Kaupo Cloud HK, Shock Hosting, Vultr Holdings. Run SmartConsole log searches from 2026-05-07 onward for IOCs. Apply hotfix immediately if not done.
  • Delaney Hall — 30+ days, hunger strike inside, 5+ facilities nationwide, DOJ charges in MN: ~300 detainees on hunger and labor strike since May 22. ACLU reports strikes now at 5 additional facilities: Tacoma WA (9 strikes in 2026), Alvarado TX, Phillipsburg PA, Baldwin MI, Adelanto CA. Newark Mayor Baraka and NY AG filed suit against GEO Group. NJ AG filed separate suit. DOJ charged 15 for anti-ICE conspiracy in Minnesota. Rep. McIver faces federal charges from Delaney Hall oversight visit.
  • FIFA World Cup — Week 2 active; ISIS propaganda detected targeting venues: Tournament in full swing across 11 US host cities. Pro-ISIS media released World Cup-themed propaganda targeting venues. 13,000+ fake FIFA domains registered. July 4th weekend (July 3–5) represents convergence of World Cup and US 250th Independence Day — elevated threat window. Iran coaching staff denied visas creates adversarial dimension.
  • Section 702 — still lapsed; no emergency session: FISA Section 702 authority lapsed 12 June. No emergency legislative session confirmed as of DTG. Active domestic SIGINT gap continues during sensitive nuclear negotiations.
DELTA SUMMARY – CHANGES FROM LAST REPORT (260614-1200Z)
TOPIC DELTA FROM 260614-1200Z STATUS
Iran–US MOU — SIGNED AT VERSAILLES (18 June) MAJOR DEVELOPMENT. MOU signed by Trump at G7 Versailles 18 June; Pezeshkian signed separately. 14-point framework: toll-free Hormuz 60 days, US blockade lifted, $25B assets, oil sanctions waived, 60-day nuclear window. Supreme Leader Khamenei endorsed 18 June. Trump June 20: “Ships of the World, start your engines.” IMPROVING THEN WORSENING
Hormuz — Re-Closed by Iran (20 June) NEW — CRITICAL REVERSAL. Iran announced Hormuz closure on 20 June citing Israel’s Lebanon operations as MOU Clause 1 violation. IRGC warned commercial vessels away. US military denied MOU violation. MOU signed but implementation suspended as of DTG. CRITICAL / SUSPENDED
Switzerland Nuclear Talks (21 June) NEW — ACTIVE TODAY. Witkoff and Kushner in Switzerland. Pakistan mediating. VP Vance may join. 60-day window starts. Iranians declined cameras. Envoys reportedly out of sync with Rubio on Lebanon strategy. NEW / ONGOING
Lebanon / Israel–Hezbollah Ceasefire ONGOING — BLOCKING VARIABLE. Trump announced renewed ceasefire 19 June; fighting continued same day. Israel explicitly not bound by US–Iran deal. Hezbollah attacked at Nabatieh 19 June. Iran re-closed Hormuz in direct response to Israeli non-compliance. ONGOING / WORSENING
Oil / Energy Prices IMPROVING THEN UNCERTAIN. Brent fell sharply on MOU signing week. Iran’s June 20 re-closure may reverse price gains. 54+ supertankers waiting in Gulf. Supply normalization to take months even if fully reopened. Monitor Monday market open. UNCERTAIN
Splunk CVE-2026-20253 (KEV — TODAY) NEW — CRITICAL. CVSS 9.8 pre-auth RCE via PostgreSQL sidecar. Public PoC since June 13. KEV deadline TODAY June 21. Upgrade to 10.4.0, 10.2.4, or 10.0.7 immediately. NEW / CRITICAL
CVE-2026-48907 Joomla JCE (KEV — 16 June) NEW — KEV ADDED 16 June. Unauthenticated PHP code execution on JCE plugin. Apply updates immediately per BOD 26-04. NEW
DAEMON Tools / Nx Console KEV Deadlines PASSED. Both federal deadlines expired 17 June. If not patched, audit and treat as potential compromise. Rotate all credentials from affected environments now. PASSED
Check Point CVE-2026-50751 ESCALATED. Qilin ransomware affiliate confirmed exploitation actor with medium confidence. ELF payloads, Tox protocol comms observed. Run SmartConsole log search from 2026-05-07. Apply hotfix immediately. ONGOING / ESCALATED
Delaney Hall — 30+ Days / Hunger Strike ESCALATING. ~300 detainees on hunger/labor strike since May 22 (30 days). ACLU: 5 additional ICE facility strikes nationwide. Newark Mayor + NY AG filed suit vs GEO Group. DOJ charged 15 in MN anti-ICE conspiracy. Rep. McIver faces federal charges. ONGOING / ESCALATING
FIFA World Cup — Week 2 ONGOING / ELEVATED. Tournament in full swing. ISIS-linked media released venue-targeting propaganda. 13,000+ fake domains. July 4th weekend convergence approaching. Iran coaching staff visa denials add adversarial dimension. ONGOING
Section 702 Lapse ONGOING — NO CHANGE. Still lapsed. No emergency session. SIGINT gap continues during active nuclear negotiations. NO CHANGE
GKN Garden Grove / Converse Reservoir ONGOING — NO CHANGE. No arrest, no contamination results, no suspect or motive as of DTG. NO CHANGE
NO CHANGE:
  • MAGCON level holds at 3 – ELEVATED
  • Iranian APT cyber targeting of US ICS/OT remains active
  • Bab el-Mandeb / Red Sea threat stable at ELEVATED (Houthi posture unchanged)
  • CIRCIA mandatory cyber incident reporting rule finalization still pending
  • CISA CI Fortify initiative ongoing
  • Microsoft Exchange CVE-2026-42897 (XSS/OWA) — patch still required
  • Canvas LMS breach phishing risk ongoing through mid-August
  • GKN Aerospace Garden Grove criminal investigation — no new arrest or contamination results
  • Converse Reservoir IED (Mobile, AL) — FBI investigation ongoing, no suspect or motive
SECTOR THREAT LEVELS
SECTORLEVELNOTES
Terrorism / Extremism ELEVATED FIFA World Cup Week 2 active across 11 US host cities through 19 July. ISIS-linked media released World Cup venue-targeting propaganda this week. Confirmed unresolved IED near KC fan zone (March 2026). July 4th weekend (July 3–5): convergence of World Cup matches and US 250th anniversary creates maximum elevated threat window.
Cyber Activity ELEVATED NEW: Splunk CVE-2026-20253 CVSS 9.8 — KEV deadline TODAY June 21. NEW: Joomla JCE CVE-2026-48907 KEV added 16 June. Check Point CVE-2026-50751 now confirmed Qilin ransomware actor. DAEMON Tools/Nx Console KEV deadlines PASSED 17 June — treat unpatched as compromised. Microsoft June Patch Tuesday 198 vulns still require application on unpatched systems.
Critical Infrastructure ELEVATED Converse Reservoir IED (Mobile, AL) investigation ongoing — no arrest. GKN Garden Grove long-tail active. Splunk CVE-2026-20253 pre-auth RCE directly threatens SIEM/SOC infrastructure. Section 702 lapse creates domestic surveillance gap during nuclear negotiations.
Energy / Fuel Sector CRITICAL Hormuz MOU signed 18 June but IRAN RE-CLOSED 20 June citing Lebanon MOU violation. Status ambiguous as of DTG. DO NOT route commercial traffic pending confirmation. 54+ supertankers waiting in Gulf. Oil price normalization delayed. Iran may impose transit fee post-60-day period.
Education Sector ELEVATED Canvas breach phishing risk continues through mid-August. No new developments.
Civil Unrest ELEVATED PERSISTENT / ESCALATING. Delaney Hall detainee hunger/labor strike 30+ days. ACLU: 5+ other ICE facilities now on strike nationwide. Newark Mayor + NY AG sued GEO Group. DOJ charged 15 in MN anti-ICE conspiracy. Federal charges against Rep. McIver for oversight visit.
Transportation Systems CRITICAL Hormuz re-closed June 20 despite signed MOU. Swiss nuclear talks may determine implementation. Mine clearance and infrastructure repair needed. FIFA World Cup travel surge stressing transit in 11 US host cities. Iran “service fee” ambiguity on post-60-day Hormuz terms.
Supply Chain / Logistics ELEVATED Hormuz closure continues to impact supply chains. DAEMON Tools/Nx Console deadlines passed — developer supply chain compromise risk active. Splunk SIEM compromise risk threatens SOC visibility. Supertanker backlog of 54+ vessels in Gulf.
Food / Fertilizer Security ELEVATED Gulf shipping disruption persists. MOU signing offered hope but Iran re-closure June 20 resets risk. WFP food insecurity warning remains active. Fertilizer/agricultural trade lane disruption ongoing.
Mass Gatherings / Public Safety HIGH FIFA World Cup Week 2 active. ISIS propaganda targeting venues this week. 13,000+ fake domains active. July 4th World Cup convergence approaching (July 3–5) — elevated threat for all host cities. Ebola WHO PHEIC concurrent with mass international travel remains active.
GLOBAL CHOKEPOINT WATCH
CHOKEPOINTSTATUSASSESSMENT
Strait of Hormuz CRITICAL / SUSPENDED MOU signed 18 June — Iran re-closed 20 June citing Lebanon MOU violation. IRGC warned commercial vessels away. US military denied MOU violation. Swiss talks (21 June) must resolve Lebanon compliance dispute. DO NOT route commercial traffic until confirmed open and mines cleared. Mine clearance 30-day window not yet started. Post-60-day Iran “service fee” ambiguity unresolved.
Kuwait International Airport RECOVERING Partial operations ongoing since June 3 Iranian drone strike (1 killed, 63 wounded). Continue monitoring. No new incidents this week.
Bab el-Mandeb / Red Sea ELEVATED Stable. Houthi threat posture unchanged. No significant new incidents this week. MOU does not explicitly address Houthi posture.
Panama Canal ROUTINE Stable. Normal operations.
Strait of Malacca ELEVATED SE Asia energy stress from Hormuz closure persists. India–US maritime friction continues (India summoned US deputy mission chief June 12). Stable but watching for post-MOU/re-closure regional reactions.
Oman — Mina Al Fahal Terminal ELEVATED Operations resumed after June 5 explosion. MOU assigns Iran–Oman dialogue to define future Hormuz administration — Iran re-closure complicates this process. Monitor for follow-on incidents.
KEY INCIDENTS
US–IRAN MOU SIGNED AT VERSAILLES — THEN IRAN RE-CLOSES HORMUZ (14–21 JUNE 2026)

Following the failed signing attempt of 14 June (blocked by Israeli Dahiyeh strikes), diplomatic momentum resumed and the 14-point Memorandum of Understanding was signed on 18 June 2026 at the Palace of Versailles, France, during the G7 summit. Trump signed the document in video published by French President Macron; Iranian President Pezeshkian signed separately in Tehran per Iranian state media. Trump stated: “It’s signed. Signed in Versailles. Just signed it.”

The MOU terms include: (1) immediate and permanent termination of military operations on all fronts including Lebanon; (2) Iran opens Hormuz toll-free for 60 days; (3) US lifts naval blockade; (4) US issues oil sanctions waivers immediately; (5) up to $25B+ in frozen Iranian assets made available; (6) 60-day negotiating window for nuclear issues, HEU stockpile, and remaining provisions; (7) executive monitoring mechanism with binding UNSC resolution. Iranian Supreme Leader Khamenei issued a written endorsement on 18 June. On June 19, Trump announced a renewed Israel–Hezbollah ceasefire.

However, on June 20 — two days after signing — Iran announced the closure of the Strait of Hormuz, citing Israeli military operations in Lebanon as a violation of MOU Clause 1. Israel has explicitly stated it is not bound by the US–Iran agreement. Defense Minister Katz said troops would remain in southern Lebanon indefinitely. The IRGC issued warnings to commercial vessels not to approach Hormuz. The US military denied any MOU violation had occurred.

Assessment: The MOU represents the most significant diplomatic achievement of the conflict, but is at immediate risk of unraveling via the Lebanon variable — the same blocking factor that nearly prevented signing. The signed document exists and the legal framework is in place; whether Hormuz actually opens depends on resolution of the Lebanon compliance dispute in Swiss follow-on talks beginning today (21 June). This is the highest-leverage 72-hour window of the conflict.

SWITZERLAND NUCLEAR TALKS — UNDERWAY TODAY (21 JUNE 2026)

US Special Envoys Steve Witkoff and Jared Kushner are in Switzerland as of DTG for negotiations under the Islamabad MOU framework. Pakistan continues as primary mediator. Qatar is also involved. VP Vance said he may join in coming days and stated “great progress has been made.” Iranians declined to stand beside US/Pakistan/Qatar delegations for cameras at the opening.

The talks must address: Iran’s nuclear program and enrichment levels, HEU stockpile disposition (mechanism still unresolved in MOU), ballistic missile program (not addressed in MOU), Iran’s regional proxy network (not addressed in MOU), and critically the Lebanon compliance dispute that triggered the June 20 Hormuz re-closure. Per Vance: “The president has committed us to see a full regional ceasefire.” Sen. Graham warned: “If diplomacy fails, Trump is going to take the Strait of Hormuz. We’re going to run it.”

A Middle Eastern official indicated US special envoys are out of sync with Secretary Rubio, particularly on Lebanon/Hezbollah strategy. Rubio had worked to keep the US–Iran and Israel–Hezbollah conflicts diplomatically separate; MOU Clause 1 linking Lebanon to the Hormuz framework bypassed that effort — Israeli officials saw this as a concession to Iran. Assessment: Swiss talks are the central event of this reporting period. Watch for any Iranian formal statement on Hormuz status within the next 24 hours.

DELANEY HALL — 30-DAY HUNGER STRIKE / NATIONWIDE EXPANSION / LEGAL ESCALATION

The hunger and labor strike inside Delaney Hall ICE detention facility in Newark, NJ has reached 30 continuous days (begun May 22). Approximately 300 detainees issued open letters documenting conditions described as “torturous”: moldy and expired food, inadequate medical care, overcrowding, and lack of air conditioning. The ACLU reported that ICE agents met detained people and peaceful protesters “with violence and retaliation.”

The situation has expanded nationally: ACLU reports active hunger/labor strikes at 5+ additional ICE facilities — Tacoma WA (9 strikes in 2026), Alvarado TX, Phillipsburg PA, Baldwin MI, and Adelanto CA. Newark Mayor Ras Baraka and the New York AG filed suit against GEO Group (operator) for failure to allow health department inspections. The New Jersey AG filed a separate lawsuit. Rep. LaMonica McIver continues oversight visits despite facing federal charges from a prior visit; House Minority Leader Jeffries called conditions he witnessed “not America.”

DOJ separately charged 15 individuals with conspiracy for anti-ICE protests in Minnesota (unrelated facility, related pattern). DHS Secretary Mullin continues to defend operations and deny misconduct. Assessment: This has exceeded the threshold of a local protest and become a national civil unrest and institutional credibility issue with legal, political, and humanitarian dimensions. MAGNET operators: avoid Doremus Ave vicinity Newark; monitor for spread to other ICE facilities in NJ, NY, and adjacent states.

FIFA WORLD CUP 2026 — WEEK 2 / ISIS PROPAGANDA / JULY 4 CONVERGENCE APPROACHING

The 2026 FIFA World Cup enters Week 2 as of DTG with no confirmed major security incidents at venues. However, Flashpoint reported this week that a pro-ISIS media outlet released World Cup-themed propaganda materials designed to portray major football venues and international sporting events as symbolic targets — underscoring the continued lone-actor threat to mass gatherings.

Cyber threats remain elevated: 13,000+ fake FIFA-themed domains registered January–May 2026 (8.8% malicious per FortiGuard Labs); GHOST STADIUM cloned website network estimated to generate $71M–$500M in losses; FBI IC3 warning on FIFA spoofing sites remains active. Iranian players were ultimately granted visas, but substantial coaching and management staff were denied entry, creating adversarial conditions and potential influence operation vectors.

Critical upcoming dates: July 3 matches in Dallas and Kansas City; July 4 matches in Houston and Philadelphia; July 5 match in New York City. The convergence of World Cup matches with the US 250th Independence Day celebrations creates a maximum threat window. MAGNET operator guidance for host-city regions: recommend escalation to MAGCON L2 HIGH on Quarterfinal, Semifinal, Final, and July 4th match days.

CYBER / INFRASTRUCTURE KEV BULLETIN
PATCH-IMMEDIATELY TABLE
CVE / SYSTEMSEVERITYACTION REQUIRED
CVE-2026-20253
Splunk Enterprise
PostgreSQL Sidecar		 CVSS 9.8 DEADLINE TODAY KEV June 21. Pre-auth RCE via PostgreSQL sidecar. Public PoC on GitHub since June 13. Upgrade to 10.4.0, 10.2.4, or 10.0.7. Disable sidecar as temp workaround. Assume compromise if internet-exposed before patch. Cloud Platform NOT affected.
CVE-2026-48907
Joomla Content Editor (JCE)		 HIGH NEW KEV added 16 June. Unauthenticated PHP code execution via improper access control. Apply JCE plugin update immediately per BOD 26-04. Review web server logs for anomalous file creation.
CVE-2026-47281
Windows Defender/VSCode
“RoguePlanet”		 CVSS 9.6 ONGOING — Patch Tuesday 10 June. Zero-day, actively exploited. SYSTEM escalation via Defender/VSCode. Apply June 2026 Microsoft patches immediately.
CVE-2026-45657
Windows Kernel (RCE)		 CVSS 9.8 ONGOING — Patch Tuesday 10 June. Zero-day, actively exploited. Use-after-free kernel RCE. Apply June 2026 Microsoft patches immediately.
CVE-2026-50751
Check Point Security Gateway		 CVSS 9.3 ONGOING / ESCALATED — IKEv1 auth bypass. Qilin ransomware affiliate confirmed. Run SmartConsole log search from 2026-05-07. Apply Check Point hotfix NOW. Review VPN gateway logs for IOCs (Kaupo Cloud HK, Shock Hosting, Vultr Holdings).
CVE-2026-8398
DAEMON Tools Lite		 CVSS 9.3 DEADLINE PASSED 17 JUN Supply chain RCE via compromised official installers. Update to v12.6.0.2445 or uninstall. Rotate all credentials. Treat unpatched as compromised.
CVE-2026-48027
Nx Console (VS Extension)		 CVSS 9.3 DEADLINE PASSED 17 JUN Malicious extension on VS Marketplace and OpenVSX. Scan all developer workstations. Rotate credentials. Treat unpatched as compromised.
CVE-2026-45321
TanStack (npm)		 CVSS 9.5 DEADLINE PASSED 10 JUN 84 malicious npm versions via hijacked GitHub Actions. Audit all package-lock files. Rotate all CI/CD credentials now.
CVE-2026-36891
BitLocker Bypass		 HIGH ONGOING — Patch Tuesday 10 June. Zero-day. Disk encryption protection circumvented. Apply June 2026 Microsoft patches.
CVE-2026-11645
Google Chromium V8		 HIGH ONGOING — KEV 9 June. Out-of-bounds RCE sandbox escape via crafted HTML. Apply browser updates: Chrome, Edge, Opera.
CVE-2026-7473
Arista EOS		 HIGH ONGOING — KEV 9 June. Federal deadline applies. Apply Arista patches.
CVE-2026-20245
Cisco Catalyst SD-WAN Mgr		 HIGH ONGOING — KEV 9 June. Improper encoding/escaping. Apply Cisco patches per federal deadline.
CVE-2026-31431
Linux Kernel “Copy Fail”		 CVSS 7.8 DEADLINE PASSED 15 MAY Patch to kernel 6.18.22/6.19.12/7.0. Treat as active incident in cloud/container environments.
CVE-2026-20182
Cisco Catalyst SD-WAN		 CVSS 10.0 DEADLINE PASSED 17 MAY If not patched, assume compromise. Apply ED-26-03 or discontinue.
CVE-2026-42897
Microsoft Exchange Server		 HIGH ONGOING — XSS in Outlook Web Access. Apply MSRC mitigations. Confirmed active exploitation.
EMERGING INDICATORS
  • Watch: Hormuz status from Swiss talks (21 June) — Iran re-closed June 20; talks must resolve Lebanon compliance dispute. Watch for any Iranian formal announcement on Hormuz status in next 12–24 hours. An Iranian commitment to open could move oil markets Monday.
  • Watch: Lebanon ceasefire compliance — Israel explicitly not bound by US–Iran MOU. Any major IDF operation in Lebanon could trigger full Hormuz re-closure and MOU collapse. Watch for Iranian formal suspension statement.
  • Watch: Splunk CVE-2026-20253 KEV deadline TODAY (June 21) — public PoC active since June 13. Organizations with internet-exposed Splunk Enterprise 10.0.x or 10.2.x should assume attempted exploitation. Review logs; upgrade immediately.
  • Watch: Oil price Monday open — Brent was trending toward $70s–$80s on MOU optimism; Iran re-closure June 20 may drive reversal. Price signal will indicate market assessment of MOU survivability.
  • Watch: FIFA July 4th weekend (July 3–5) — convergence of World Cup matches and US 250th anniversary in Dallas, KC, Houston, Philadelphia, NYC. Maximum threat window. Host-city MAGNET operators: recommend MAGCON L2 HIGH.
  • Watch: Swiss nuclear talks progress — 60-day window begins this week. Early signals on Iran’s HEU stockpile disposition and enrichment commitments will indicate trajectory of final deal.
  • Watch: Iran “service fee” post-60-day Hormuz ambiguity — even if Hormuz reopens, Iran has asserted right to charge transit fees after 60-day toll-free period expires. Legal/routing implications for commercial maritime.
  • Watch: Delaney Hall legal escalation — NJ AG and Newark Mayor suits against GEO Group now in court. Any court order compelling health inspections or restricting facility operations would be precedent-setting.
  • Watch: DOJ Minnesota anti-ICE conspiracy charges — 15 individuals charged; first major federal conspiracy prosecution of anti-ICE protest activity. Watch for similar charges in NJ or other protest jurisdictions.
  • Watch: DAEMON Tools/Nx Console — deadlines passed 17 June. Organizations that have not patched should treat affected environments as potentially compromised. Credential rotation is now urgent.
  • Watch: Check Point CVE-2026-50751 Qilin ransomware activity — attacker infrastructure may be pivoting to other VPN vendors (Palo Alto, Fortinet, F5). Watch for broader VPN exploitation campaign.
  • Watch: Section 702 emergency session — FISA lapsed June 12. Nuclear talks increase urgency of restoring foreign intelligence surveillance authority. Watch for executive order or emergency Congress return.
  • Watch: Converse Reservoir IED (Mobile, AL) — no suspect/motive. Any attribution changes national CI threat posture for water utility operators.
VERIFIED STATUS
  • CONFIRMED Iran–US MOU signed by Trump at Palace of Versailles 18 June 2026; Pezeshkian signed separately in Tehran; video published by French President Macron. Supreme Leader Khamenei endorsed via written statement 18 June. (NBC News, NPR, ABC News — 17–18 June 2026)
  • CONFIRMED Iran announced closure of Strait of Hormuz on 20 June 2026 citing Israeli Lebanon operations as MOU Clause 1 violation. IRGC warned commercial vessels away. US military denied MOU violation. (CBS News, Wikipedia/Hormuz crisis — 20–21 June 2026)
  • CONFIRMED Switzerland nuclear talks underway 21 June 2026. Witkoff and Kushner in Geneva. Pakistan mediating. Iranians declined cameras with US/Pakistan/Qatar. (CBS News live updates — 21 June 2026)
  • CONFIRMED Splunk CVE-2026-20253 CVSS 9.8 pre-auth RCE — CISA KEV due date TODAY June 21. Public PoC published June 13. Splunk confirmed limited exploitation. (Splunk SVD-2026-0603, CISA KEV — June 2026)
  • CONFIRMED CVE-2026-48907 Widget Factory Joomla Content Editor added to CISA KEV on 16 June 2026. (CISA.gov — 16 June 2026)
  • CONFIRMED DAEMON Tools CVE-2026-8398 and Nx Console CVE-2026-48027 federal KEV deadlines PASSED June 17, 2026. (CISA KEV)
  • CONFIRMED Check Point CVE-2026-50751: Qilin ransomware affiliate confirmed as exploitation actor with medium confidence. ELF payload delivery, Tox protocol IOCs. (Rapid7, Check Point Research, watchTowr Labs — June 2026)
  • CONFIRMED Delaney Hall detainee hunger/labor strike 30+ days (since May 22). ACLU: 5+ other ICE facility strikes. Newark Mayor + NY AG sued GEO Group. NJ AG filed separate suit. (ACLU, ABC7NY — June 2026)
  • CONFIRMED DOJ charged 15 individuals with conspiracy for anti-ICE protests in Minnesota. (Democracy Now, CBS — June 2026)
  • CONFIRMED FIFA World Cup 2026 Week 2 active; ISIS-linked media released venue-targeting propaganda. 13,000+ fake domains. (Flashpoint, Recorded Future — June 2026)
  • CONFIRMED Trump announced renewed Israel–Hezbollah ceasefire on June 19 (US, Qatar, Iran facilitated). Fighting continued same day. (Wikipedia, CBS News — 19 June 2026)
  • NOT CONFIRMED Strait of Hormuz confirmed open for commercial transit. Still closed/ambiguous as of DTG June 21.
  • NOT CONFIRMED Lebanon/Israel ceasefire holding. Fighting continued June 19–20 despite announced ceasefire.
  • NOT CONFIRMED Iran–US MOU nuclear provisions agreed. 60-day talks underway — unresolved.
  • NOT CONFIRMED GKN Garden Grove groundwater contamination confirmed. Testing ongoing.
  • NOT CONFIRMED Converse Reservoir IED — suspect identified or motive confirmed. Investigation ongoing.
OPERATOR GUIDANCE
  • HORMUZ STATUS — DO NOT ROUTE (21 June): Iran re-closed Hormuz June 20 citing Lebanon MOU violation. MOU is signed but implementation suspended. DO NOT plan commercial maritime routing through Hormuz until confirmed open, mines cleared, and Swiss talks resolve Lebanon compliance dispute. Verify through TRANSCOM for any operational requirements.
  • MONITOR SWISS TALKS IN NEXT 24 HOURS: Lebanon compliance is the hinge point. If Iran confirms Hormuz opening per MOU terms, energy prices will shift significantly. If talks collapse, energy prices reverse and military resumption risk escalates. Prepare contingencies for both outcomes.
  • PATCH SPLUNK IMMEDIATELY — CVE-2026-20253 DEADLINE TODAY: If Splunk Enterprise 10.0.x or 10.2.x is internet-exposed, assume attempted exploitation. Preserve logs before upgrading. Upgrade to 10.4.0, 10.2.4, or 10.0.7. If emergency window unavailable, disable PostgreSQL sidecar as temporary workaround.
  • AUDIT DAEMON TOOLS / NX CONSOLE NOW (Deadlines PASSED June 17): Treat affected environments as potentially compromised. Run SCA scans on all developer workstations. Rotate all credentials and CI/CD tokens accessible from affected builds. File incident report if compromise is confirmed.
  • JOOMLA / JCE SITES — Patch CVE-2026-48907 immediately (KEV June 16): Unauthenticated PHP code execution on any unpatched JCE-enabled Joomla site. Review web server access logs for anomalous file creation activity.
  • CHECK POINT VPN — FINAL CALL (CVE-2026-50751): Qilin ransomware actor confirmed. Apply hotfix immediately. Run SmartConsole log search from 2026-05-07 for attacker IOCs (Kaupo Cloud HK, Shock Hosting, Vultr Holdings IPs). Disable IKEv1 if hotfix cannot be applied immediately.
  • FIFA WORLD CUP — HOST CITY OPERATORS (July 4 approaching): See MAGNET S2 report 260608-1600Z. Recommend MAGCON L2 HIGH on July 4th weekend match days (July 3–5) and Quarterfinal, Semifinal, Final. Maintain EMS and comms redundancy. Avoid vehicle traffic in venue perimeters during match windows. ISIS propaganda targeting venues is active — heighten soft target vigilance.
  • NJ / NORTHEAST OPERATORS — DELANEY HALL / ICE FACILITIES: Protests 30+ days with hunger strike inside. Legal proceedings now active. Avoid Doremus Ave vicinity Newark during protest windows. Monitor for spread to other ICE facilities in NJ, NY, and adjacent states. Track court proceedings vs. GEO Group.
  • CANVAS INSTITUTIONS: Maintain elevated phishing awareness through mid-August. Verify any Canvas-branded communication through official channels.
  • WATER / DAM OPERATORS: Converse Reservoir IED investigation ongoing. Maintain enhanced underwater physical security. Report anomalies to FBI and DHS.
  • ENERGY SECTOR: Splunk CVE-2026-20253 and SD-WAN Manager vulnerabilities remain unresolved in many OT/energy environments. Prioritize SIEM and SD-WAN patches. Energy sector OT/ICS remains an Iranian APT targeting priority.
  • Report cyber incidents to cisa.gov or IC3.gov; CI Fortify guidance at cisa.gov. Check magnethf.com/reports for any MAGNET S2 flash reports published since this snapshot.
SOURCE LIST
  • [1]  [A2]  NBC News — Trump and Iran sign MOU at Versailles, 17–18 June 2026 — nbcnews.com
  • [2]  [A1]  NPR — Full text of the US–Iran MOU, 18 June 2026 — npr.org
  • [3]  [A1]  CBS News Live Updates — Iran–US talks, Hormuz re-closure, Switzerland, 21 June 2026 — cbsnews.com
  • [4]  [A1]  NPR — US and Iran reach initial deal, 15 June 2026 — npr.org
  • [5]  [B2]  Wikipedia — 2025–2026 Iran–US Negotiations (updated 21 June 2026) — wikipedia.org
  • [6]  [B2]  Wikipedia — 2026 Strait of Hormuz Crisis (updated 21 June 2026) — wikipedia.org
  • [7]  [A2]  CFR — The Iran Deal Reopens the Strait. Much Remains to Be Done, 18 June 2026 — cfr.org
  • [8]  [A2]  Atlantic Council — What the US–Iran deal means for the Middle East, 18 June 2026 — atlanticcouncil.org
  • [9]  [A1]  Arab Center DC — Full text of US–Iran MOU — arabcenterdc.org
  • [10] [B2]  Discovery Alert — Hormuz Reopening and Oil Prices, 2026 — discoveryalert.com.au
  • [11] [A2]  US Chamber of Commerce — Reopening Hormuz: Impact on Prices, June 2026 — uschamber.com
  • [12] [A1]  Splunk — SVD-2026-0603 Security Advisory CVE-2026-20253 — advisory.splunk.com
  • [13] [A1]  CISA.gov — KEV Catalog (Splunk, Joomla, June 2026) — cisa.gov
  • [14] [A1]  CISA.gov — Adds Joomla CVE-2026-48907, 16 June 2026 — cisa.gov
  • [15] [B2]  Penligent — CVE-2026-20253 Splunk PostgreSQL Sidecar RCE — penligent.ai
  • [16] [A2]  Rapid7 — Check Point CVE-2026-50751, June 2026 — rapid7.com
  • [17] [A1]  Check Point Research — CVE-2026-50751 Advisory — checkpoint.com
  • [18] [A2]  ACLU — Delaney Hall Hunger Strike, June 11, 2026 — aclu.org
  • [19] [B1]  ABC7NY — Newark Mayor Baraka files lawsuit against Delaney Hall, June 3, 2026 — abc7ny.com
  • [20] [B1]  Flashpoint — 2026 FIFA World Cup Threat Landscape — flashpoint.io
  • [21] [A2]  Recorded Future — 2026 FIFA World Cup Cyber & Physical Threats — recordedfuture.com
  • [22] [B2]  Wikipedia — List of 2026 FIFA World Cup Controversies — wikipedia.org
  • [23] [B2]  Computer Weekly — Cyber threats to FIFA World Cup 2026, June 2026 — computerweekly.com
  • [24] [A1]  MAGNET S2 Report 260608-1600Z — FIFA World Cup 2026 Threat Assessment — magnethf.com
  • [25] [A2]  Brookings — Timing of the Impending Crude Crisis, June 2026 — brookings.edu
  • [26] [A1]  Congress CRS — Iran Conflict and Strait of Hormuz, 2026 — congress.gov
  • [27] [B2]  CVEFeed.io — CISA KEV Catalog (June 2026) — cvefeed.io
  • [28] [B2]  The Hacker News — Check Point CVE-2026-50751 IKEv1 Flaw, June 2026 — thehackernews.com
  • [29] [B1]  PBS NewsHour — Delaney Hall protests overview, June 2026 — pbs.org
  • [30] [A1]  PBS NewsHour — US and Iran initial deal, June 2026 — pbs.org
FLMSG VERSION
BT MSGID/MAGNET S2/260621-1200Z// SUBJ/MAGNET S2 WEEKLY OSINT SNAPSHOT – 260621-1200Z// CLASS/UNCLASSIFIED//OSINT//FOUO// FROM: MAGNET S2 OSINT TEAM TO: MAGNET OPERATORS DTG: 260621-1200Z RPT PERIOD: 14-21 JUN 2026 MAGCON: LEVEL 3 ELEVATED // EXEC SUMM: US-IRAN MOU SIGNED VERSAILLES 18 JUN. IRAN RE-CLOSED HORMUZ 20 JUN CITING ISRAEL LEBANON OPS AS CLAUSE 1 VIOLATION. SWISS NUCLEAR TALKS UNDERWAY TODAY. HORMUZ STATUS AMBIGUOUS – DO NOT ROUTE. SPLUNK CVE-2026-20253 CVSS 9.8 KEV DEADLINE TODAY – PUBLIC POC ACTIVE. DAEMON TOOLS/NX CONSOLE DEADLINES PASSED 17 JUN. CHECK POINT IKEV1 CVE-2026-50751 LINKED TO QILIN RANSOMWARE. DELANEY HALL HUNGER STRIKE 30 DAYS; 5+ ICE FACILITIES NATIONWIDE. FIFA WC WEEK 2; ISIS PROPAGANDA ACTIVE; JULY 4 CONVERGENCE APPROACHING. // ACT: DO NOT ROUTE HORMUZ. PATCH SPLUNK NOW. AUDIT DAEMON TOOLS/NX CONSOLE. ESCALATE MAGCON L2 HIGH HOST CITIES JULY 3-5. // REF: MAGNET S2 SNAPSHOT 260621-1200Z – magnethf.com/reports BT
Character count: ~887 — within 1,800 character limit
<