430,000+ FortiGate firewalls targeted. 40,000+ cPanel servers compromised. 3 CVSS 10.0 flaws in Ubiquiti UniFi. 110 million credentials harvested. That was one week.
FortiBleed: When your firewall becomes the leak
This is the story that dominated last week for good reason. A credential-harvesting campaign codenamed FortiBleed has been running since at least February, targeting Fortinet FortiGate firewalls globally. The attackers breached management interfaces, deployed a custom Golang sniffer that passively captured authentication traffic across 24 protocols, and cracked the hashes using a rented GPU cluster over Vast.ai. All orchestrated through a Telegram bot.
The numbers are staggering. 430,000+ firewalls were targeted. 80,553 were compromised. 110 million+ credentials were harvested from 23,466 unique domains. And here's the part every SMB needs to hear: 66% of victims have fewer than 200 employees. Roughly 90% bring in under $100 million annually. This campaign was deliberately targeting businesses like yours because the management interfaces were left exposed and the credentials were never rotated.
If your FortiGate has its management interface on the public internet, assume your credentials are in that dataset. Assume it.
High-profile names made the list too: Oracle, Comcast, Foxconn, Lenovo, Samsung, Siemens, PwC, Accenture, and a NATO-aligned defense contractor. But the attackers didn't discriminate. They built 659 credential-harvesting pipelines and were still actively sniffing traffic on 19,000+ devices as of June 22.
The fix: Kill all admin and VPN sessions immediately. Rotate every credential. Remove management interfaces from direct internet exposure. Enforce MFA on everything. If you're not sure whether your FortiGate was hit, CISA and Fortinet both issued urgent advisories with indicators of compromise to check against.
cPanel: 40,000 servers and counting
The week's second bombshell was CVE-2026-41940, a CVSS 9.8 authentication bypass in cPanel and WHM affecting every version after 11.40. That's almost every cPanel server in existence. Exploitation was spotted as early as February, two full months before the patch came out in late April.
By last week, the number of confirmed compromises had crossed 40,000 servers. The attack chain involves a CRLF injection in the session writer plus an encryption-skip via malformed cookie, letting unauthenticated attackers gain admin access to cPanel. Once they're in, they own the whole server: every database, every website, every email account.
Shodan and Rapid7 estimate about 1.5 million internet-exposed cPanel instances are out there. Major hosting providers like Namecheap, KnownHost, HostPapa, and InMotion preemptively blocked the management ports. But if you run your own cPanel server or use a smaller host, there's a good chance nobody checked your instance for you.
The fix: Update cPanel immediately using /scripts/upcp --force. Then rotate every credential stored in WHM. Check session files under /var/cpanel/sessions/raw for signs of compromise.
Ubiquiti: Three CVSS 10.0 flaws, one patch
Some weeks you get one critical vulnerability. Last week, Ubiquiti gave us three. CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 each score a perfect 10.0 on the CVSS scale. Chained together, they give an unauthenticated network-adjacent attacker root-level control over UniFi OS devices. That includes Cloud Gateways, Network Controllers, Protect NVRs, Access Hubs, Talk appliances, and Dream Machines. Basically, if it runs UniFi OS, it's vulnerable.
CISA added all three to the Known Exploited Vulnerabilities catalog on June 23 with a federal deadline of June 26. Confirmed active exploitation is happening. For SMBs, this is especially painful because Ubiquiti is the most popular networking platform for small businesses worldwide. The devices sit inside the LAN, and once one is compromised, the attacker has a foothold on your internal network.
This isn't a theory. CISA confirmed active exploitation. If you have UniFi gear, patch it today.
The fix: Update all UniFi OS devices to firmware 5.0.8 or 5.1.12+, available in the UniFi Network Controller under System Settings. Isolate management VLANs so admin interfaces aren't reachable from the general network.
The Klue breach: One old password, hundreds of victims
The Icarus extortion group compromised Klue, a market-intelligence platform, using a single stale credential from 2022. They stole OAuth tokens that Klue held on behalf of hundreds of customer organizations, and used those tokens to pull CRM data directly from customer Salesforce instances. The result: companies like LastPass, Recorded Future, Tanium, Jamf, Huntress, HackerOne, BeyondTrust, OneTrust, and dozens more had their CRM data exfiltrated through a third party they'd authorized.
Names, emails, phone numbers, physical addresses, job titles, sales records, and support case histories all walked out through an integration nobody thought to audit. Then things got stranger: a second threat actor stole the data from Icarus itself and started a second extortion campaign. The whole chain reads like a case study in how supply chain risk actually works, not how it's described in slide decks. Last week's roundup covered exactly this kind of supply chain attack in detail.
The lesson: Any OAuth integration you connected three years ago and forgot about is a potential pipeline into your data. Audit them. Revoke the ones you don't actively use. For the ones you keep, reissue the tokens periodically.
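To make that audit repeatable rather than a one-off, here is an added example (not from the newsletter, Klue, or any vendor) that classifies a constructed inventory of third-party OAuth grants by idle time and token age; the Grant layout, the scope names and the 90-day/365-day thresholds are assumptions.

```python
"""Audit an inventory of third-party OAuth grants: flag forgotten ones for
revocation and long-lived ones for reissue.  Added example; the inventory
shape and the policy thresholds are assumptions, not any platform's API."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Grant:
    app: str                    # third-party integration holding the token
    scopes: Tuple[str, ...]     # what the token can reach in your tenant
    issued: date                # when the token was issued or last rotated
    last_used: Optional[date]   # last time it was presented; None if never


# Assumed policy: unused this long -> revoke; older than this -> reissue.
MAX_IDLE = timedelta(days=90)
MAX_AGE = timedelta(days=365)


def classify(grant: Grant, today: date) -> str:
    """Return 'revoke', 'reissue' or 'keep' for one grant."""
    if grant.last_used is None or today - grant.last_used > MAX_IDLE:
        return "revoke"          # nobody is using it: it is pure exposure
    if today - grant.issued > MAX_AGE:
        return "reissue"         # in use, but the token itself is stale
    return "keep"


def audit(grants: List[Grant], today: date) -> Dict[str, str]:
    """Map every app name to its decision."""
    return {g.app: classify(g, today) for g in grants}


def report(grants: List[Grant], today: date) -> List[str]:
    """Human-readable lines, most urgent first (revoke, then reissue)."""
    order = {"revoke": 0, "reissue": 1, "keep": 2}
    rows = sorted(grants, key=lambda g: order[classify(g, today)])
    return [f"{classify(g, today):7s} {g.app} scopes={','.join(g.scopes)} "
            f"issued={g.issued} last_used={g.last_used}" for g in rows]


# Constructed sample inventory (dates and names are made up).
SAMPLE = [
    Grant("market-intel-platform", ("api", "refresh_token"),
          date(2022, 3, 1), date(2026, 6, 20)),   # still used, 2022 token
    Grant("old-survey-tool", ("api",),
          date(2021, 8, 15), date(2023, 1, 4)),   # forgotten integration
    Grant("ci-runner", ("api",),
          date(2026, 4, 1), date(2026, 6, 25)),   # fresh and active
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE, date(2026, 6, 30))))
```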
Signal users: Your recovery key is the new target
The FBI and CISA updated their advisory on Russian intelligence targeting Signal users, and the tactics have shifted. Attackers are now specifically asking for Backup Recovery Keys, impersonating Signal support and claiming mandatory two-factor verification is required. The phishing pages look convincing, and handing over the recovery key lets attackers restore your entire message history, including group chats, shared media, and private messages. Even after you change your phone number.
If your team uses Signal for business communication, every person needs to understand this. Generating a new recovery key in Signal settings is a five-second task that invalidates any key an attacker might have already phished. But it only works if you do it before the attacker restores your history, not after.
The rule: Never enter your Signal recovery key into any website. Legitimate Signal support will never contact you in the app. Generate a new key from Settings, Privacy, Advanced, and share this advice with your team.
Operation Endgame: A takedown that actually landed
Microsoft's Digital Crimes Unit, working with Europol, ESET, BitSight, IBM X-Force, and Proofpoint, simultaneously disrupted the infrastructure behind two major malware platforms: Amadey, a loader active since 2018, and StealC, an infostealer active since 2023. AI-assisted analysis revealed they shared the same command-and-control infrastructure, so prosecutors treated both as part of a single conspiracy.
The numbers: 200+ C2 servers disrupted. 18,000+ victim machines identified and secured. 25 million+ credentials recovered. $47 million in crypto assets flagged. And from the first two weeks of May alone, 140,000 infections were tracked. Infostealers like StealC are how initial access brokers get corporate VPN credentials, SSO tokens, and session cookies, often from employees' personal devices. This takedown is genuinely good news, but the scale shows how pervasive the threat is.
Bluekit evolves: Phishing gets a live feed
Bluekit, a phishing-as-a-service platform, has added browser-in-the-middle (BitM) capabilities. Using the open-source rrweb library, attackers can now serialize the entire page DOM and stream it over WebSocket to watch victims type in real time, with five-second update intervals. Nearly 70 new Bluekit hostnames appeared last week alone. The kit also includes randomized CSS filters to defeat screenshot detection, a 1MB+ obfuscated JavaScript bundle that rotates frequently, custom CAPTCHAs, and browser fingerprinting to detect researchers and security crawlers before deploying the payload.
For SMBs, this matters because phishing is still the number one entry point. Business email compromise alone drained .77 billion last year - same entry point, older tactic. And the kits targeting you are getting smarter, not dumber.
The rest of the week in one take
- CISA KEV additions: Critical RCE in PTC Windchill and FlexPLM (CVSS 9.3) and an unauthenticated SSRF in Cisco Unified Communications Manager received June 28 remediation deadlines. Both have active, confirmed exploitation.
- cURL 8.21.0: Patched a record 18 CVEs, including CVE-2026-8932, a bug that had been lurking in the codebase for 25 years (since curl 7.7 in March 2001). cURL is on roughly 20 billion devices, making this possibly the most impactful patch release of the month.
- Five Eyes AI warning: The US, UK, Canada, Australia, and New Zealand issued a rare joint statement calling AI an urgent cybersecurity threat, warning that frontier models will transform both offense and defense within months, not years.
- BlueHammer exploited: CISA warned that ransomware gangs are now actively exploiting a Windows privilege-escalation flaw tracked as BlueHammer, giving attackers SYSTEM-level access on fully patched systems.
- MSG breach: 26 million visitor records including facial recognition data were published by ShinyHunters after a vishing call tricked a low-level employee. The breach vector was a phone call, not a sophisticated exploit.
If last week proved anything, it's that attackers have figured out the infrastructure small businesses actually use: FortiGate firewalls, cPanel hosting, Ubiquiti networking, SaaS integrations with OAuth tokens. These are the systems you touch every day, and they're exactly what's being targeted right now.
Do you know which of these apply to your business?
Book a 30-minute infrastructure check
We will review your exposed management interfaces, OAuth integrations, and patch posture. No pitch, just a practical look at where you stand.