
Published by Jennifer Hudsen for The IT Guys at the June 18, 2026 5 PM recap window. Today’s roundup focuses on practical technology news for home users, small businesses, and anyone responsible for keeping systems patched, backed up, and reasonably sane.
Quick Take
- Patch now: CISA added an exploited Splunk Enterprise flaw, CVE-2026-20253, to its Known Exploited Vulnerabilities catalog, with a June 21, 2026 remediation due date for covered federal systems.
- Web servers need attention: F5 shipped out-of-band fixes for critical NGINX vulnerabilities, according to BleepingComputer’s June 18 report.
- WordPress had a mixed day: law enforcement cleaned nearly 15,000 SocGholish-infected WordPress sites, while a separate ShapedPlugin update-flow compromise showed why plugin updates still need oversight.
- VPN administrators should review Fortinet exposure: a reported FortiBleed leak exposed credentials tied to more than 73,000 Fortinet VPN and FortiGate firewall URLs.
- Good operational news: Microsoft says it fixed the Windows Server 2016 June security update failure affecting systems that were not fully current.
- AI infrastructure keeps scaling: reports tracked by Techmeme point to major AI data-center and chip moves from Meta, Crusoe, and Amazon.
Security: The Most Important Work Today
The security headline that deserves the fastest action is CISA’s June 18 KEV entry for Splunk Enterprise CVE-2026-20253. CISA’s catalog says the vulnerability involves missing authentication for a critical function, and the required action is to apply vendor mitigations or discontinue use if mitigations are not available. Even if your organization is not a federal agency, KEV additions are worth treating as a practical signal: attackers are already using the issue somewhere, so asset owners should stop waiting for a convenient patch window.
Local-business takeaway: if Splunk is used for log management, security monitoring, or compliance reporting, confirm the version, internet exposure, vendor guidance, and change ticket today. Security tools are high-value targets because they often hold sensitive logs, credentials, integrations, and visibility into the rest of the network.
F5’s out-of-band NGINX patches are another item for administrators to check quickly. NGINX sits in front of a lot of websites and applications as a web server, reverse proxy, load balancer, or ingress component. That means a vulnerable package may not be sitting on a desktop where someone notices it; it may be inside a hosting control panel, container image, appliance, or managed service.
What to do: identify where NGINX is used, check your vendor’s package version or advisory, and patch the systems that are internet-facing first. If a third-party host manages NGINX for you, ask for confirmation instead of assuming the update already happened.
WordPress: Good Cleanup News, Bad Supply-Chain Reminder
There was a useful win today: international law enforcement cleaned nearly 15,000 SocGholish-infected WordPress websites and took down more than 100 servers linked to Evil Corp infrastructure. That matters because SocGholish-style campaigns often abuse legitimate websites to trick visitors into installing fake browser updates or other malware.
The bad side is that attackers are still leaning hard into the WordPress ecosystem. BleepingComputer also reported that multiple ShapedPlugin commercial plugin updates were compromised through the vendor’s official update system. This is exactly the kind of supply-chain scenario that catches careful site owners off guard: the update looks legitimate because it came through the expected path.
Small-business takeaway: paid plugins are not automatically safer than free plugins. Keep off-site backups, review administrator accounts, use a web application firewall where appropriate, and avoid installing niche plugins unless they are truly needed. After any plugin incident, check file integrity, admin users, scheduled tasks, and recently changed files.
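One way to run the file-integrity and changed-files checks on a WordPress directory, shown as an added example rather than code from the original article or any vendor. It assumes GNU find, sort, xargs and sha256sum, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: hash baseline and change report for a WordPress tree.
# Keep the manifest off the web server; a manifest an intruder can rewrite proves nothing.

# wp_baseline DIR MANIFEST: record a SHA-256 for every file under DIR.
wp_baseline() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z |
        xargs -0 -r sha256sum ) > "$2"
}

# wp_changed DIR MANIFEST: report files added, modified or removed since the baseline.
wp_changed() {
    current=$(mktemp) || return 1
    wp_baseline "$1" "$current" || { rm -f "$current"; return 1; }
    awk '
        # sha256sum lines look like "<hash>  <path>"; keep paths with spaces intact.
        { h = $1; p = substr($0, index($0, "  ") + 2) }
        FILENAME == ARGV[1] { old[p] = h; next }
        !(p in old)         { print "ADDED    " p; next }
        { seen[p] = 1 }
        old[p] != h         { print "MODIFIED " p }
        END { for (p in old) if (!(p in seen)) print "REMOVED  " p }
    ' "$2" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# wp_recent DIR DAYS: PHP files whose mtime is within DAYS days.
# Timestamps can be reset by whoever changed the file, so treat this as a
# quick triage view and rely on wp_changed for the real answer.
wp_recent() {
    ( cd "$1" && find . -type f -name '*.php' -mtime -"$2" | LC_ALL=C sort )
}

# Command-line use: script.sh baseline|changed|recent DIR ARG
case "${1:-}" in
    baseline) wp_baseline "$2" "$3" ;;
    changed)  wp_changed  "$2" "$3" ;;
    recent)   wp_recent   "$2" "$3" ;;
esac
```

Take the baseline right after a known-good install and rerun the change report after every plugin update, so the list shows exactly which files that update touched. A baseline only detects change; files that were already compromised when it was taken will look clean.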
For a simple daily habit that reduces damage from account and browser confusion, see our related guide: separate work, banking, and personal browsing with browser profiles.
Fortinet VPN Credentials: Rotate Before You Rationalize
The reported FortiBleed leak includes credentials tied to 73,932 Fortinet and FortiGate VPN firewall URLs. Public reporting on credential leaks can evolve, but the defensive playbook is straightforward: inventory exposed VPN portals, rotate credentials, enforce MFA, disable stale accounts, and review logs for unusual successful logins.
Customer impact: a VPN credential leak is not just an IT problem. It can become payroll access, file-server access, remote-desktop access, bookkeeping-system access, and email access if the same account has too much reach. This is why MFA and least-privilege access matter even when a firewall is fully patched.
Microsoft And Apple: Updates Worth Installing
Microsoft says it fixed a known issue that caused June 2026 security updates to fail on Windows Server 2016 systems that were not fully current. If your business still has Server 2016 in production, confirm that June updates actually installed. A patch marked “attempted” is not the same thing as a patch marked “successful.”
Apple also released security updates for a high-severity flaw in Beats Studio Buds that could let an attacker within Bluetooth range spy on conversations, according to BleepingComputer. That is not the kind of vulnerability most home users need to panic about, but it is a good reminder that earbuds, watches, phones, routers, cameras, and printers are all computers now. They need updates too.
Third-Party Data Exposure: Nintendo And TinyPulse
Nintendo confirmed that survey data was stolen from the third-party TinyPulse service used internally, while saying Nintendo’s own systems were not compromised. This is the part of cybersecurity that frustrates business owners: you can do a lot right internally and still have exposure through a vendor.
Practical step: when a vendor asks to store employee, customer, survey, HR, or CRM data, treat that data as shared risk. Ask what they store, how long they keep it, whether MFA is required, and how quickly they notify customers after an incident.
AI Infrastructure: Bigger, Faster, More Expensive
Techmeme tracked several AI infrastructure stories today. Bloomberg reported that Meta is under contract to buy roughly 1.6 gigawatts of computing capacity from Crusoe across data centers in Texas and Missouri. Bloomberg also reported that Amazon is in talks to sell its custom Trainium AI chips for use in third-party data centers. Artificial Analysis reported that GLM-5.2 is now a leading open-weights model on its Intelligence Index.
The good news is that AI tools should continue getting more capable and more widely available. The caution is that “AI-ready” business tools can quietly increase cloud bills, data-sharing risk, and vendor lock-in. Before turning on new AI features in email, CRM, phone systems, or document storage, decide what data the tool can see, whether the output is logged, who can export it, and whether the feature is actually solving a business problem.
Today’s policy story points in the same direction. Politico reported, via Techmeme’s summary, that the White House and Anthropic are working on a framework for assessing the severity of AI security flaws. That is a sign the industry is slowly building the kind of severity language software teams already use for traditional vulnerabilities.
Apple App Store Changes In Brazil
Apple opened iOS to alternative app marketplaces in Brazil and changed parts of its App Store commission structure after a settlement with competition watchdog CADE, according to 9to5Mac coverage tracked by Techmeme. For most local users, nothing has to change today. For developers and businesses that distribute apps internationally, the larger lesson is that app-store rules are becoming regional. What is allowed in the European Union, Brazil, the United States, or another market may differ.
What We Would Prioritize Tomorrow Morning
- Check for Splunk Enterprise exposure and remediation guidance for CVE-2026-20253.
- Patch or verify vendor-managed NGINX components, especially anything internet-facing.
- Review WordPress plugin inventory, backups, administrator accounts, and recent file changes.
- Rotate exposed or high-risk VPN credentials, especially for Fortinet/FortiGate environments, and enforce MFA.
- Confirm Windows Server 2016 June security updates installed successfully.
- Update personal devices, including earbuds and other Bluetooth accessories, when vendor security fixes are available.
Security work is rarely glamorous, but today’s news is a good example of why it matters. The useful path is boring on purpose: know what you run, patch what faces the internet, keep backups separate from the site or server they protect, and avoid giving any single account more access than it needs.