This Week in Cybersecurity
Issue 24 arrives on a week shaped by credential-layer attacks at remarkable scale — and by the persistent danger of trusting the wrong third party with OAuth access to your crown jewels.
The dominant story is FortiBleed: a Russian-speaking initial access broker has been systematically harvesting credentials from FortiGate firewalls since February, amassing over 110 million stolen credentials from more than 430,000 devices. The operation is a well-oiled machine — mass scanning, automated exploitation of known FortiOS flaws and weak defaults, credential verification, and resale to ransomware operators. For defenders, FortiBleed is a reminder that network perimeter appliances are as much a target as anything behind them, and that unpatched firewalls with MFA disabled are the skeleton key ransomware affiliates are shopping for on criminal forums.
Competing for headlines is the Klue/Salesforce supply chain breach. The newly emerged Icarus extortion group compromised Klue — an AI-powered competitive intelligence SaaS platform — and abused its OAuth token grants to mass-drain CRM data from hundreds of enterprise Salesforce environments simultaneously. LastPass, Huntress, HackerOne, Recorded Future, and at least six others confirmed exposure. Icarus didn't need to breach each victim individually; they breached the vendor once and pivoted through every OAuth trust relationship Klue held. The stolen data is now leaking publicly. This is the SaaS integration sprawl threat model made concrete.
Squidbleed (CVE-2026-47729) is the week's most technically interesting disclosure: a heap over-read in Squid's FTP parser introduced in a 1997 code change that allows a co-user of a shared proxy to read other users' cleartext HTTP requests, including authorization headers and session tokens. Enterprise proxy environments running shared Squid instances should treat this as urgent — update to Squid 7.7 or disable FTP proxying entirely.
On the positive side, GitHub closed a major CI/CD attack vector with actions/checkout v7, which now blocks the "pwn request" misconfiguration pattern that caused secrets theft at Nx, PostHog, TanStack, and others. It's a rare case of a platform proactively eliminating a systemic misconfiguration rather than waiting for developers to get it right individually.
Top Stories
FortiBleed: 110 Million Credentials Harvested from 430,000 FortiGate Firewalls
A financially motivated Russian-speaking initial access broker (IAB) has been running an industrial-scale credential harvesting operation against FortiGate firewalls since at least February 2026. The numbers are staggering: over 430,000 devices targeted globally, 110 million+ credentials harvested, and the operation still active at time of reporting.
The attack chain is methodical. Automated scanners enumerate internet-facing FortiGate devices via Shodan/Censys, identify firmware versions, and exploit known FortiOS SSL-VPN vulnerabilities or fall back to credential stuffing against default admin accounts. Valid credentials are organized by target type — enterprise, government, MSP — verified, and packaged as network "accesses" for sale on Russian-language criminal markets at $200–$5,000 per access. The buyers are ransomware affiliates. Groups like LockBit, BlackSuit, and Fog routinely purchase FortiGate VPN credentials to launch intrusions.
FortiGate is a perennial IAB target precisely because it's widely deployed and slowly patched. The remediation is straightforward: patch FortiOS to the latest stable release, enable MFA on all VPN and admin interfaces, rotate credentials, and review VPN access logs for the past 120 days. Without MFA, even valid stolen credentials are usable.
Klue/Icarus: One Vendor Breach, Hundreds of Salesforce Orgs Drained
The Icarus extortion group compromised Klue — a competitive intelligence SaaS platform used by over 250,000 enterprise users — and used its OAuth grants to simultaneously drain CRM data from hundreds of customer Salesforce environments. LastPass, Huntress, HackerOne, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, Tanium, and Insurity all confirmed exposure. The Register puts the total victim count in the "hundreds."
Icarus gained initial access via a stale, never-decommissioned integration service account credential, then pushed malicious code to Klue's backend that harvested the OAuth tokens customers had granted for their Salesforce integrations. Automated Python tooling queried Salesforce's REST API at scale, enumerating and exfiltrating CRM records across all affected orgs within a narrow window. Klue detected the activity on June 12, revoked credentials, and notified customers — but the data was already out. Icarus's publication deadline passed June 22, and stolen data is now leaking publicly.
The exposed data is primarily CRM business contact data: customer names, emails, phone numbers, support case details, sales opportunity notes, and pricing data. No password vaults, product systems, or payment data were involved.
The lesson is structural. Klue did not need to be breached at a network perimeter level — Icarus just needed to compromise the vendor once and every OAuth trust relationship became a pivot point. Organizations should audit all connected OAuth applications in Salesforce now, revoke Klue's authorization if still active, review Salesforce API access logs for June 11–17, and expect elevated phishing and social engineering risk using the stolen contact data.
Squidbleed (CVE-2026-47729): 29-Year-Old Squid Proxy Bug Leaks Cleartext HTTP
Researchers disclosed Squidbleed, a heap over-read vulnerability in Squid's FTP directory-listing parser tracing to a 1997 code change that has existed in default Squid configurations for nearly three decades. The flaw allows a user of a shared Squid proxy to read cleartext HTTP request contents — including Authorization headers, session tokens, and cookies — belonging to other co-users.
The root cause is subtle: an attacker-controlled FTP server sends a directory listing line that terminates after the timestamp field with no filename, causing Squid's parser to walk a pointer beyond the buffer boundary into adjacent heap memory. Because Squid reuses freed 4KB buffers without zeroing them, the out-of-bounds read returns stale HTTP request data from other connections. The parallels to Heartbleed are intentional — same class, same impact category.
Exploitation requires proxy access, a reachable FTP server, and a victim sending HTTP (not HTTPS) traffic through the same proxy. The threat model is corporate enterprise environments where many users share a centralized Squid instance and legacy internal systems still use Basic authentication over HTTP.
Patch to Squid 7.7, or — preferably — disable FTP proxying entirely. Modern browsers dropped native FTP support years ago; the attack surface removal has negligible operational cost.
GitHub Closes Pwn Request Attack Vector in actions/checkout v7
GitHub released actions/checkout v7 on June 18, adding default protections that block the "pwn request" CI/CD attack pattern — a widely exploited misconfiguration that caused secrets theft at the Nx, PostHog, and TanStack ecosystems, among others.
The attack exploits pull_request_target, a GitHub Actions trigger that runs workflows with base repository privileges (including access to secrets and the privileged GITHUB_TOKEN). When developers also check out and execute fork code in that privileged context — a common but dangerous pattern — attackers can poison the fork with malicious build scripts to exfiltrate secrets or push compromised artifacts.
Checkout v7 now refuses to fetch fork PR code when running inside pull_request_target and unsafe conditions are detected. Projects that genuinely need fork code checkout in a privileged context must explicitly opt in with allow-unsafe-pr-checkout: 'true'. The protection will be backported to all currently supported major versions on July 16, 2026.
Workflow maintainers should upgrade to actions/checkout@v7 now, or audit any pull_request_target workflows referencing github.event.pull_request.head.ref for unintentional fork code execution.
OpenAI Expands Daybreak With GPT-5.5-Cyber for Vulnerability Research
OpenAI released GPT-5.5-Cyber, a purpose-built AI model for the vulnerability research and patch pipeline, as part of its Daybreak security initiative. The model targets real-world vulnerabilities in Chrome V8, Safari, Firefox, cURL, and Python — high-value open-source infrastructure with massive downstream exposure.
GPT-5.5-Cyber's capabilities address a bottleneck that has become acute as AI speeds up vulnerability discovery: finding bugs is now faster than remediating them. The model handles codebase analysis at scale, controlled environment validation of findings, and codebase-specific patch generation rather than generic fixes. OpenAI is making it available to trusted defenders, positioning it as a force multiplier for defensive security teams rather than a general-release tool.
The initiative reflects a broader shift in how AI is being applied to security — not just as a threat (AI-assisted phishing, deepfakes) but as a defensive tool that can potentially close the gap between discovery and patch deployment.
Security Corner
10 CVEs are newly published in the Security Advisories section this week. Key advisories to prioritize:
CVE-2026-11374 — ManageEngine SSO Ticket Prediction Enables Unauthenticated Account Takeover A critical authentication vulnerability in ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus allows unauthenticated attackers to predict SSO session tickets and take over accounts. All four products are in scope. Patches are available — apply immediately and review SSO session logs for anomalous access patterns. Full advisory →
CVE-2026-12866 — expr-eval npm Package RCE via toJSFunction()
All versions of the expr-eval JavaScript package are vulnerable to arbitrary code execution via the toJSFunction() API. Crafted expressions escape the sandbox through new Function(), enabling attackers to run arbitrary Node.js code. If your application accepts user-supplied expressions and passes them through expr-eval, treat this as an immediate critical risk. Audit for the affected API and replace with a sandboxed alternative.
Full advisory →
CVE-2026-52715 — GEO my WordPress Unauthenticated SQL Injection (CVSS 9.3 Critical)
An unauthenticated SQL injection in GEO my WordPress (versions ≤ 4.5.5) allows full database extraction with no credentials. Admin password hashes, API keys in wp_options, and customer PII are all reachable. Automatable with standard sqlmap tooling. Update the plugin immediately; deploy WAF SQL injection rules if patching cannot happen today.
Full advisory →
Also published this week:
- CVE-2026-6933 — Unauthenticated RCE in Premmerce Dev Tools WordPress Plugin (CVSS 8.8) → Advisory →
- CVE-2026-39574 — Critical SQL Injection in InPost Gallery WordPress Plugin (CVSS 9.3) → Advisory →
- CVE-2026-9733 → Advisory →
- CVE-2026-9862 → Advisory →
- CVE-2026-8935 → Advisory →
- CVE-2026-7515 → Advisory →
- CVE-2025-67038 — Lantronix EDS5000 Code Injection → Advisory →
Quick Takes
-
FortiBleed — Custom Sniffer on Fortigate Devices: Alongside the credential harvesting operation, researchers confirmed that FortiBleed attackers also deployed a custom packet sniffer on compromised FortiGate devices to capture credentials transiting the firewall — not just credentials for the device itself. Organizations recovering from a FortiGate compromise should treat the device as fully untrusted and audit all traffic that traversed it. Read more →
-
WhatsApp VBScript Campaign Installs ManageEngine RMM Tool: Attackers are distributing fake business documents over WhatsApp that deliver a VBScript-based loader installing ManageEngine RMM software as a remote access backdoor. No traditional malware binary is deployed — the legitimate RMM tool provides persistent remote control while evading endpoint detection that focuses on known malicious executables. Read more →
-
ShapedPlugin WordPress Pro Plugins Backdoored in Supply Chain Attack: Multiple premium WordPress plugins from ShapedPlugin — including Slider Revolution alternatives and gallery plugins — were compromised in a supply chain attack that inserted backdoors into plugin update packages. Site owners running ShapedPlugin premium plugins should verify plugin file integrity and update immediately from the official source. Read more →
-
OxLoader Uses Malicious Google Ads to Deliver CastleStealer: A new loader family dubbed OxLoader is being distributed via malicious Google Ads masquerading as legitimate software downloads. Victims who click the ads are served CastleStealer, an infostealer targeting browser credentials, cryptocurrency wallets, and session tokens. Malvertising continues to be a high-volume delivery channel that security teams underweight in their threat models. Read more →
-
JaredFromSubway MEV Bot Hacked — $15M Crypto Theft: A MEV (maximal extractable value) bot associated with the pseudonymous "JaredFromSubway" was exploited for $15 million in cryptocurrency. The attacker identified a flaw in the bot's logic and front-ran its own transactions to drain the balance. MEV bots operate in a highly adversarial on-chain environment; this incident underscores that bot operators are themselves targets for sophisticated on-chain attackers. Read more →
-
FFmpeg Patches PixelSmash Flaw in Widely Used Video Decoder: FFmpeg released a patch for PixelSmash (CVE-2026-47729), a memory corruption vulnerability in a widely used video decoder that could be exploited via crafted media files. Given FFmpeg's ubiquity as a media processing backend in video platforms, streaming services, and applications, operators should update their FFmpeg deployments promptly. Read more →
-
Dify AI Platform Data Exposure Flaws Threaten 1 Million Apps: Researchers disclosed DifyTap, a set of data exposure vulnerabilities in Dify — an AI application development platform used by over one million applications — that could leak AI chat histories and sensitive data across tenants. Multi-tenant AI platforms are an expanding attack surface; organizations building on Dify should review the DifyTap disclosure and assess their exposure. Read more →
-
Microsoft Fixes AutoGen Studio Flaw Enabling Code Execution: Microsoft patched a code execution vulnerability in AutoGen Studio, its multi-agent AI development framework. The flaw could be exploited by a malicious agent or crafted input to execute arbitrary code in the AutoGen Studio environment. Developers using AutoGen Studio for AI agent prototyping should update to the patched version. Read more →
Upcoming
-
FortiBleed Credential Rotation Window: Organizations that have not yet rotated FortiGate admin and VPN credentials should treat the next 72 hours as the critical remediation window. Threat intelligence reporting confirms the FortiBleed operation is ongoing. Every day without credential rotation and MFA enablement is another day an IAB may be reselling active access to your network.
-
Klue OAuth Audit Deadline: Salesforce audit logs retain data for limited periods. Organizations that had Klue's Salesforce integration active should pull and retain API access logs from June 11–17 before the retention window closes. These logs are the only forensic record of what data was accessed and whether your organization was among the affected.
-
actions/checkout Backport — July 16: Projects pinned to
actions/checkout@v3,@v4, or@v5will automatically receive the pwn-request protection when the backport ships July 16. Use the time before then to auditpull_request_targetworkflows for any fork code checkout patterns — and decide now whether those patterns are intentional or accidental. -
Samsung Knox Eight-Year Flaw Disclosure: A newly disclosed eight-year-old vulnerability in Samsung Knox exposed millions of Galaxy devices to kernel-level attacks. Samsung patches are beginning to roll out; ensure Galaxy devices in your fleet receive the update and review MDM policies for Galaxy device patch compliance. More context →
-
ManageEngine SSO Patch Deadline: CVE-2026-11374 affects four ManageEngine products with a predictable SSO ticket flaw enabling unauthenticated account takeover. ManageEngine patches are available. Set an internal deadline of 48 hours for ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus deployments.
By the Numbers
| Metric | Value |
|---|---|
| FortiBleed — devices targeted | 430,000+ FortiGate firewalls |
| FortiBleed — credentials harvested | 110 million+ |
| Klue breach — confirmed enterprise victims | 10+ named; "hundreds" total |
| Klue breach — Salesforce orgs compromised simultaneously | Hundreds |
| Squidbleed — age of the underlying code bug | 29 years (1997) |
| JaredFromSubway MEV hack — crypto stolen | $15 million |
| Dify AI platform — applications at risk | 1 million+ |
| New CVEs published this week | 10 |
CosmicBytez Labs — IT & Cybersecurity Intelligence Hub