Week in review

AUSCERT Week in Review for 17th July 2026

Greetings, The Office of the Australian Information Commissioner (OAIC) has concluded its preliminary inquiries into the 2025 Qantas data breach, determining that there is currently insufficient evidence to warrant a formal regulatory investigation or enforcement action against the airline. The decision follows an almost year-long review of the incident, which affected approximately 5.12 million Australians and was one of the country's most significant privacy breaches in recent years. The breach occurred when a threat actor successfully carried out a phone-based social engineering, or “vishing”, attack against an employee at an overseas third-party contact centre used by Qantas. The attacker convinced the employee they were speaking with legitimate IT support and ultimately gained access to customer information through a customer relationship management platform. Qantas detected unusual activity within days, contained the incident, revoked access to the compromised account and began its incident response process. According to the OAIC, approximately 5.67 million customer records were affected, including names, email addresses, phone numbers and Qantas Frequent Flyer details. Around 1.7 million records also contained additional information such as addresses, dates of birth, and gender. Importantly, the compromised system did not store credit card details, financial information, passwords, PINs or passport details. After examining Qantas’ privacy governance, security controls, staff training, third-party oversight arrangements and incident response processes, the OAIC concluded there was no indication the airline had failed to take reasonable steps to protect personal information or ensure compliance with privacy obligations. The regulator noted that Qantas had implemented security audits, mandatory cyber-awareness training, contractual privacy requirements for service providers and a prompt breach response program. While the OAIC has closed its preliminary inquiries, it emphasised that the decision is not an endorsement of Qantas’ practices and that future investigations remain possible if new information emerges. The report highlights the growing threat of sophisticated social engineering attacks and reinforces the importance of strong cyber security controls, employee awareness training, and rapid incident response capabilities. SonicWall warns of SMA1000 flaws exploited in zero-day attacks, patch now Date: 2026-07-14 Author: Bleeping Computer [AUSCERT has contacted members about this vulnerability where possible] SonicWall warns that threat actors have been exploiting two SMA1000 vulnerabilities, tracked as CVE-2026-15409 and CVE-2026-15410, in zero-day attacks and urges customers to install the newly released security updates. CVE-2026-15409 is a critical (CVSS 10.0) server-side request forgery (SSRF) vulnerability in the SMA1000 Appliance Work Place interface that allows a remote, unauthenticated attacker to force an appliance to make requests to unintended locations. CVE-2026-15410 is a high-severity (CVSS 7.2) post-authentication code injection flaw in the SMA1000 Appliance Management Console that could allow a remote authenticated administrator to execute arbitrary operating system commands. CISA warns admins to patch actively exploited SharePoint flaws Date: 2026-07-15 Author: Bleeping Computer The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned Tuesday that attackers are actively exploiting three vulnerabilities to hack Internet-exposed on-premises SharePoint Server instances. These security flaws (tracked as CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164) affect all supported self-hosted SharePoint Server versions, including SharePoint Server Subscription Edition (the latest on-premises version, which uses a "continuous update" model). Improve Router Hygiene to Protect Against Russian State-Sponsored Targeting Date: 2026-07-14 Author: ASD ACSC Russian Federal Security Service (FSB) Center 16 cyber actors continue to exploit poorly configured and vulnerable networking devices worldwide, opportunistically compromising multiple critical infrastructure sector networks. This joint Cybersecurity Advisory (CSA) builds on FBI’s Russian Government Cyber Actors Targeting Networking Devices, Critical Infrastructure Public Service Announcement of the decade-plus FSB Center 16 cyber activity by providing additional tactics, techniques, and procedures (TTPs) to enable defenders to more fully understand and counter the threat. SAP warns of critical flaws in NetWeaver and Commerce Cloud Date: 2026-07-14 Author: Bleeping Computer SAP has addressed 16 vulnerabilities across multiple products as part of its July 2026 security updates, including three critical flaws in NetWeaver, Commerce Cloud, and AppRouter. The first critical issue patched this month is a memory corruption security issue (tracked as CVE-2026-44747) stemming from an out-of-bounds write weakness in the NetWeaver Application Server ABAP (AS ABAP), the runtime environment, application server, and development platform for core SAP enterprise software. "SAP NetWeaver Application Server ABAP allows an authenticated attacker to leverage logical errors in memory management to cause a memory corruption that could lead to unauthorized data access, modification, or system unavailability," SAP says. "This has high impact on confidentiality, integrity, and availability of the application." RabbitMQ Vulnerability Threatens Enterprise Systems Date: 2026-07-14 Author: Security Week A vulnerability in RabbitMQ could allow attackers to obtain the broker’s confidential OAuth secret, potentially posing a serious threat to enterprises, according to cybersecurity firm Miggo. RabbitMQ is a popular open source message broker that routes, buffers, and distributes messages, enabling asynchronous communication between applications. Tracked as CVE-2026-5721 (CVSS score of 8.7), the security defect impacts an open management endpoint that returns the OAuth secret to anyone, without authentication. ESB-2026.7869 – VMware Avi Load Balancer: CVSS (Max): 9.8 Broadcom has released updates for VMware Avi Load Balancer to fix seven vulnerabilities, including a critical authentication bypass flaw (CVE-2026-47865). ESB-2026.7892 – Zoom: CVSS (Max): 9.8 Zoom has released updates to address a critical account takeover vulnerability (CVE-2026-53412) affecting Windows-based Zoom products. ESB-2026.7904 – Adobe ColdFusion: CVSS (Max): 9.9 Adobe has released security updates for ColdFusion to address multiple critical vulnerabilities, including arbitrary code execution and server-side request forgery (SSRF). ESB-2026.8009 – Splunk Enterprise: CVSS (Max): 9.8 Splunk has released security updates for Splunk Enterprise to address multiple vulnerabilities affecting Windows and Unix/Linux platforms. ASB-2026.0129 – Microsoft ESU: CVSS (Max): 9.9 Microsoft has released its July 2026 Patch Tuesday update, addressing 335 vulnerabilities across Windows, Exchange Server, and other products, including multiple critical remote code execution and privilege escalation flaws. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 10th July 2026

Greetings, The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has issued a critical alert following a large-scale cyber campaign targeting vulnerabilities in website content management systems (CMS) across the globe, including Australia. Small and medium-sized businesses have been particularly affected, with attackers actively scanning websites for weaknesses in popular CMS platforms and plugins. According to the ACSC, malicious actors are exploiting known vulnerabilities that enable unauthenticated file uploads, remote code execution and other forms of server compromise. Their primary objective is to deploy webshells, which are malicious scripts that provide remote access and control over web servers. Once installed, webshells can be used to deface websites, steal credentials and sensitive data, distribute additional malware, or provide a foothold for broader network compromise. The campaign is exploiting vulnerabilities in a range of widely used CMS products and plugins, particularly within the WordPress ecosystem, as well as other platforms including Craft CMS, MaxSite CMS, MetInfo CMS and Joomla components. The ACSC noted that this activity highlights the growing cyber threat landscape, with advances in artificial intelligence contributing to faster identification and exploitation of newly disclosed vulnerabilities. Website owners and administrators are being urged to inspect systems for signs of compromise, review logs for suspicious activity, isolate affected servers and restore websites from known-good backups where necessary. The ACSC also recommends prioritising patching, monitoring for unauthorised file creation and restricting file access to reduce the risk of webshell deployment. Organisations should ensure all website software and plugins remain up to date and consider additional controls to detect unusual processes and limit potential movement within corporate networks. Max severity Adobe ColdFusion flaw now exploited in attacks Date: 2026-07-06 Author: Bleeping Computer [Please see AUSCERT Bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.7232/] [AUSCERT has contacted affected members where applicable] Attackers are now exploiting a maximum-severity Adobe ColdFusion vulnerability tracked as CVE-2026-48282, according to vulnerability intelligence company KEVIntel. ColdFusion is a commercial web app development platform designed to help build and deploy enterprise-grade websites. The CVE-2026-48282 security flaw affects ColdFusion versions 2025.9, 2023.20, and earlier, and can be exploited by attackers without privileges to gain remote code execution on unpatched systems. Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution Date: 2026-07-03 Author: Security Week Two critical vulnerabilities in the popular AI code editor Cursor could lead to remote code execution on the underlying operating system, Cato Networks reports. The security defects are tracked as CVE-2026-50548 and CVE-2026-50549 (CVSS score of 9.8) and are referred to as DuneSlide, given that they lead to remote code execution (RCE) outside of the IDE’s sandbox. According to Cato, the flaws abuse Cursor’s automatic terminal command execution inside the sandbox, which does not prompt the user for approval, and can be triggered when a victim prompts the IDE to ingest an attacker-controlled payload. BeyondTrust warns of critical flaws in remote access software Date: 2026-07-07 Author: Bleeping Computer BeyondTrust warned customers to patch two critical security flaws in its Remote Support (RS) and Privileged Remote Access (PRA) software that could allow attackers to bypass authentication. The first vulnerability, tracked as CVE-2026-40138, affects the company's RS remote desktop and assistance platform (versions 25.3.2 or earlier) and the PRA enterprise cybersecurity solution (versions 25.3.2 or earlier). This vulnerability stems from an improper authentication weakness in the authentication subsystem, and successful exploitation enables attackers without privileges to bypass access controls and access targeted appliances, including accounts with elevated privileges. Critical Gitea Flaw Under Active Exploitation, Researchers Warn Date: 2026-07-07 Author: Security Week Threat actors are exploiting a vulnerability in Gitea’s reverse-proxy authentication mechanism to access internet-accessible instances by supplying only a valid username. Specific to Gitea’s official Docker images, the critical-severity security defect is tracked as CVE-2026-20896 (CVSS score of 9.8) and can be exploited with a single HTTP header, Sysdig Sr. Director of Threat Research Michael Clark says. The issue exists because, in Gitea Docker images before 1.26.3, the default settings allow connections from any source IP address instead of enforcing an allowlist, security researcher Ali Mustafa, who was credited for finding the bug, explains. Suspected China-Aligned Hackers Exploit Roundcube Flaws Against Universities Date: 2026-07-07 Author: The Hacker News A suspected China-aligned threat activity cluster has been observed exploiting Roundcube webmail software belonging to physics and engineering departments of U.S. and Canadian universities as part of a new campaign. The activity involves the exploitation of now-patched, critical security flaws in the open-source email solution, such as CVE-2024-42009 (CVSS score: 9.3), to siphon credentials, followed by either the deployment of a web shell for persistent access or a known post-exploitation tool called VShell. ASB-2026.0125 – ALERT CMS and Plugins: CVSS (Max): 10.0* ACSC has published a critical alert warning of a large-scale campaign actively exploiting vulnerabilities in multiple CMS platforms to compromise websites, urging organisations to patch affected systems and check for signs of compromise. ESB-2026.7592 – IBM MQ container software: CVSS (Max): 10.0 IBM has released updates to fix multiple vulnerabilities affecting IBM MQ Operator and Queue manager container images. The update addresses security issues including Improper Privilege Management, Exposure of Sensitive Information to an Unauthorized Actor, and Improper Validation of Integrity Check Value in components such as OpenSSL, WebSphere Application Server Liberty, and Java SE. ESB-2026.7596 – ALERT Palo Alto Prisma Browser: CVSS (Max): 9.6* Palo Alto Networks has incorporated Chromium security fixes into its products. These fixes are included in Google’s Chrome 150 release, which addresses 433 security fixes, including 20 Critical vulnerabilities affecting components such as Browser, V8, ANGLE, Skia, Blink, and FileSystem. ESB-2026.7647 – ALERT Juniper Networks CTPView: CVSS (Max): 10.0 Juniper Networks has released CTPView 9.3R2-3, addressing multiple vulnerabilities. Juniper SIRT is not aware of any malicious exploitation, and no workarounds are available. ESB-2026.7681 – OpenPLC v3: CVSS (Max): 9.9 Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary files to the filesystem. Through the standard OpenPLC program compilation process, this may be escalated to arbitrary native code execution, potentially resulting in code execution as the OpenPLC runtime user. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 3rd July 2026

Greetings, Citrix has released patches for six vulnerabilities affecting NetScaler ADC and NetScaler Gateway appliances, but industry attention is firmly focused on CVE-2026-8451, a high-severity memory disclosure flaw that researchers say belongs to the same family of vulnerabilities as the infamous “CitrixBleed” attacks that have plagued organisations in recent years. The flaw carries a CVSS score of 8.8 and impacts NetScaler deployments configured as a SAML Identity Provider, a common setup for single sign-on environments. The vulnerability was discovered by security researchers at watchTowr while they were analysing another NetScaler issue disclosed earlier this year. According to the researchers, CVE-2026-8451 stems from insufficient input validation in the way NetScaler processes SAML authentication requests, creating an out-of-bounds memory read condition that could allow sensitive data to be exposed before authentication. In its analysis, watchTowr argued that the issue highlights a broader pattern of memory management weaknesses within NetScaler appliances. The researchers noted that similar memory disclosure vulnerabilities have repeatedly emerged in the product line, leading them to dub the latest flaw “CitrixBleed To Infinity And Beyond.” While there is currently no public evidence that CVE-2026-8451 is being actively exploited, security teams are taking the issue seriously. A closely related NetScaler vulnerability disclosed in March 2026 was exploited in the wild shortly after publication and was subsequently added to CISA’s Known Exploited Vulnerabilities catalogue. Organisations running affected NetScaler versions are strongly encouraged to apply Citrix’s latest updates as soon as possible and review vendor guidance for any additional mitigation steps. Critical SimpleHelp flaw exploited to deploy new stealer malware Date: 2026-06-29 Author: bleepingcomputer Hackers are exploiting a recently disclosed critical vulnerability (CVE-2026-48558) in SimpleHelp to deploy Djinn Stealer, a previously undocumented cross-platform information stealer targeting Windows, macOS, and Linux. The SimpleHelp platform is primarily used by managed service providers (MSPs), IT departments, helpdesks, and system administrators for remote monitoring and management (RMM). Hackers now exploit critical Oracle E-Business flaw in attacks Date: 2026-06-29 Author: Bleeping Computer [See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.5874/] [AUSCERT has contacted affected members where applicable] Attackers have begun exploiting a critical vulnerability (tracked as CVE-2026-46817) in the Oracle E-Business Suite (EBS) financial application, according to threat intelligence company Defused. This security flaw was found in the File Transmission component of EBS's Oracle Payments product and enables unauthenticated malicious actors with HTTP network access to take over vulnerable systems through low-complexity attacks. Anonymous researcher drops 0-day 'exploitarium' repo Date: 2026-06-29 Author: The Register [AUSCERT has published security bulletins for CVE-2026-55200] Not everyone is willing to follow responsible disclosure of vulns. An anonymous researcher has dumped what they say is working exploit code for zero-day vulnerabilities across 15 software products and open source projects without notifying any vendors or maintainers prior to publishing – and attackers are already exploiting at least two of these. The first is CVE-2026-55200, a critical, pre-authentication remote code execution (RCE) vulnerability in libssh2, a popular client-side C library that implements the SSH2 protocol. DirtyClone: A Linux Privilege Escalation That Leaves No Trace on DiskDirtyClone: Fourth Linux Kernel Flaw in Six Weeks Escalates to Root Date: 2026-06-27 Author: Security Affairs DirtyClone: a Linux kernel privilege escalation that silently rewrites executables in memory, leaving no disk trace. Patch now. JFrog Security Research published a working exploit walkthrough on June 25 for CVE-2026-43503 (CVSS score of 8.8), a Linux kernel privilege escalation they call DirtyClone. It’s the fourth vulnerability in the DirtyFrag family, all sharing the same root failure: file-backed memory gets treated as packet data, and an in-place network operation writes where it should have copied. CVSSIf your kernel doesn’t have the May 21 mainline patch, update now. CISA: Windows BlueHammer flaw now exploited by ransomware gangs Date: 2026-06-30 Author: Bleeping Computer CISA confirmed on Monday that ransomware gangs have begun exploiting a high-severity Microsoft Defender privilege escalation vulnerability that has previously been abused in zero-day attacks. Dubbed BlueHammer, the security flaw (CVE-2026-33825) was leaked by a security researcher known as "Nightmare Eclipse" in early April, together with proof-of-concept exploit code, in protest at how the Microsoft Security Response Center (MSRC) handles the disclosure process. ESB-2026.7189 – Apple iOS and iPadOS: CVSS (Max): 8.8* Apple has released updates for iOS and iPadOS to address multiple vulnerabilities affecting Kernel, WebKit, WebRTC, and other components, including issues that may allow unexpected system termination, cross-origin data exposure, and sensitive information disclosure. ESB-2026.7232 – Adobe ColdFusion: CVSS (Max): 10.0 Adobe has released security updates for ColdFusion versions 2025 and 2023 to address multiple critical and important vulnerabilities. These vulnerabilities could allow arbitrary code execution, privilege escalation, unauthorized file system access, and security feature bypass. ESB-2026.7296 – NetScaler ADC and NetScaler Gateway: CVSS (Max): 8.8 Multiple vulnerabilities have been identified in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). Cloud Software Group strongly recommends updating as soon as possible. ESB-2026.7324 – Splunk: CVSS (Max): 9.8 Splunk has remediated multiple Common Vulnerabilities and Exposures (CVEs) affecting third-party packages included in Python for Scientific Computing version 4.3.2 and later. ESB-2026.7358 – IBM MQ for HPE NonStop: CVSS (Max): 9.8 IBM MQ for HPE NonStop is affected by multiple OpenSSL vulnerabilities, including CVE-2026-31789. The most severe issue may lead to a heap buffer overflow when processing specially crafted X.509 certificates, potentially resulting in a crash or code execution. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Blogs

Strengthening Cyber Resilience in the Pacific: AUSCERT’s Ongoing Commitment

Earlier this year, AUSCERT designed and facilitated customised tabletop exercises for two higher education institutions in the Pacific. These engagements built on the cyber security training courses previously delivered by AUSCERT to micro businesses in Fiji and Papua New Guinea throughout 2025. Our collaboration with Pacific Adventist University (PAU) in Papua New Guinea and a university in Fiji reflects AUSCERT’s continued commitment to strengthening cyber security capabilities across the region. Cyber threats are increasingly global in nature, but their impacts are often felt most acutely at the local level. Recognising this, AUSCERT has been working closely with universities in the Pacific region to build practical, sustainable cyber resilience. Through tailored exercises and training, we aim to empower institutions with the knowledge, skills and confidence needed to respond effectively to evolving threats. AUSCERT’s Tabletop Exercise service is a strong example of this collaborative approach, as key stakeholders were brought together within PAU to simulate a realistic cyber incident scenario. Participants were challenged to test their response processes, communication channels, and decision-making under pressure in a safe and controlled environment. Participants from both universities received a detailed After Action Report, a key component of AUSCERT’s capability-building approach. This report captured our observations from the exercise and provided targeted and actionable recommendations to strengthen future incident response efforts. PAU shared the following feedback on the experience: “AUSCERT delivered a professional and well-structured tabletop exercise for Pacific Adventist University. The scenario design was relevant, thoughtfully developed, and facilitated in a manner that encouraged meaningful participation across all stakeholders. AUSCERT demonstrated expertise, ensuring the session remained both engaging and instructive”. The accompanying After Action Report was comprehensive and insightful, clearly outlining areas for improvement and providing practical recommendations to enhance our preparedness and strengthen our organisational resilience. This engagement has significantly contributed to PAU’s capability uplift, and we sincerely value AUSCERT’s partnership.” Extending Support Across the Region Alongside the tabletop exercises, AUSCERT delivered a series of online cyber security training sessions for micro businesses in Fiji and Papua New Guinea. The training focused on building cyber security awareness, strengthening practical cyber hygiene, and improving participants’ confidence in recognising and responding to common cyber threats. Building a Stronger Global Cyber Community AUSCERT’s work in the Pacific forms part of a broader mission to foster a connected, collaborative global cyber community. We believe that sharing knowledge, experience, and best practices across borders is essential to addressing the collective challenges of cyber security. We are proud to support our partners in the Pacific and look forward to continuing this collaboration to help strengthen cyber resilience across the region and beyond.

Learn more

Week in review

AUSCERT Week in Review for 26th June 2026

Greetings, Global cyber security leaders are urging organisations to rethink their approach to risk as AI rapidly reshapes both the scale and speed of cyber attacks. In a joint statement, the Five Eyes alliance, comprising Australia, the United States, the United Kingdom, Canada and New Zealand, has warned that the impact of frontier AI models will be felt far sooner than many organisations expect. According to the advisory, these next-generation systems are poised to transform offensive and defensive cyber capabilities “within months, not years,” dramatically reducing the time between discovering and exploiting vulnerabilities. This acceleration is lowering barriers to entry for malicious actors, enabling less sophisticated attackers to launch complex, high-impact operations with increasing efficiency. Coverage from The Record reinforces this message, highlighting growing government concern that powerful AI tools can already identify and exploit software flaws at a pace that exceeds human response. In some cases, advanced models have demonstrated an ability to uncover vulnerabilities and generate exploit pathways in hours, intensifying fears that cyber defences may struggle to keep up. Despite the urgency, the Five Eyes agencies emphasise that the fundamentals of cyber security remain critical. Their guidance focuses on strengthening baseline practices such as rapid patching, reducing system exposure, improving identity controls and preparing thoroughly for inevitable breaches. They also stress that cyber risk is now a core organisational risk, rather than a purely technical issue, requiring strategy and leadership accountability. Importantly, the statement balances its warning with opportunity. While adversaries are already leveraging AI, organisations are urged to adopt the same technologies to enhance detection, improve resilience and respond more quickly to incidents. This message serves as an important reminder that AI is a present and accelerating force. Organisations that act decisively now will be better positioned to manage emerging risks, while those that delay may face growing operational, financial and reputational consequences. Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure Date: 2026-06-19 Author: Security Week A critical Splunk Enterprise vulnerability is being exploited in attacks only days after its public disclosure, and organizations have been urged to patch it immediately. The vulnerability is tracked as CVE-2026-20253 and Splunk’s advisory says it can be exploited by an unauthenticated attacker to create or truncate arbitrary files via a PostgreSQL sidecar service endpoint. “The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials,” Splunk said in its advisory. Cisco Unified CM flaw CVE-2026-20230 now exploited in attacks Date: 2026-06-23 Author: Bleeping Computer [See AUSCERT Bulletin https://portal.auscert.org.au/bulletins/ESB-2026.6126] A high-severity SSRF vulnerability, tracked as CVE-2026-20230, in Cisco Unified Communications Manager Server is now being exploited in attacks. Cisco released security updates for the CVE-2026-20230 flaw on June 3, warning that exploitation could give attackers root privileges on the device. "A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to conduct server-side request forgery (SSRF) attacks through an affected device," warned Cisco. ASD to retire Essential Eight cyber security framework within next two years Date: 2026-06-24 Author: iTnews Its replacement reflects a changing reality for security teams. The Australian Signals Directorate intends to retire its Essential Eight guidance framework within two years, to keep up with shifting cyber security sands. Replacing Essential Eight will be a broader "Essentials" series designed to cover enterprise IT, cloud, operational technology, and potentially agentic artificial intelligence (AI) as distinct security domains. 15,000 WordPress Websites Cleaned Up in SocGholish Botnet Takedown Date: 2026-06-19 Author: Security Week [AUSCERT have contacted the potentially impacted members via email] Law enforcement agencies in four countries, working with Europol and private partners, have disrupted SocGholish infrastructure and cleaned up nearly 15,000 infected WordPress websites. Active since 2017 and also known as FakeUpdates, SocGholish is a malware framework injected into websites running popular content management systems, such as WordPress, Joomla, and Drupal, either via known vulnerabilities or stolen credentials. FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation Date: 2026-06-23 Author: The Hacker News A Russian-speaking initial access broker (IAB) driven by financial gain is assessed to be behind a large-scale credential-harvesting operation known as FortiBleed that has targeted over 430,000 FortiGate firewalls globally. The campaign, active since February 2026, involves collecting credential lists, searching for exposed services, brute-forcing accessible systems, and deploying bespoke sniffers on compromised firewalls. "Once deployed, these sniffers capture cleartext and hashed credentials from traffic passing through compromised devices," SOCRadar said [PDF] in a fresh report. "The actors then crack, validate, and reuse the credentials against Active Directory domains and other exposed services." ESB-2026.6227.3 – Cisco Catalyst SD-WAN Manager: CVSS (Max): 10.0 A severe vulnerability allowed an authenticated, local attacker to execute arbitrary commands as root via a crafted file into the affected system. Cisco has released updates that address this issue. ESB-2026.6871 – MISP: CVSS (Max): 9.4 This MISP update addresses two RCE vectors, an authentication hardening issue and various fixes across the controller layer. Upgrading is strongly recommended. ESB-2026.6891 – IBM MQ container software: CVSS (Max): 10.0* IBM MQ Operator and Queue Manager container images had multiple severe vulnerabilities addressed. IBM strongly recommends applying the latest container images. ESB-2026.6951 – Tenable Identity Exposure: CVSS (Max): 9.9 Several third party components of Tenable Identity Exposure were found to contain numerous vulnerabilities. Updated/patched versions have been provided by the respective vendors to address reported vulnerabilities. ESB-2026.7052 – chromium: CVSS (Max): 9.6* Execution of arbitrary code, denial of service and information disclosure were security issues recently discovered in Chromium. These issues have been addressed in version 149.0.7827.196-1~deb13u1. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more

Week in review

AUSCERT Week in Review for 19th June 2026

Greetings, A newly uncovered data exposure incident dubbed “FortiBleed” has revealed a large number of Fortinet VPN credentials tied to organisations worldwide. The dataset contains usernames, email addresses, and plaintext passwords linked to more than 73,000 firewall devices across 194 countries, spanning industries from telecommunications and finance to government and manufacturing. The scale and sophistication of the operation suggest a highly organised campaign. Analysis indicates attackers carried out billions of login attempts against hundreds of thousands of systems, harvesting and cracking authentication data using advanced computing resources. The resulting database catalogued verified credentials as well as contextual details such as company size and industry, which is likely intended to help prioritise high-value targets. Independent researchers have validated portions of the leaked data, confirming that at least some credentials are authentic and recent. Many of the affected devices remain accessible online, amplifying the potential risk. Experts believe the information may have originated from exported Fortinet configuration files, though it is still unclear whether the exact source was a new vulnerability or previously compromised data. Despite the severity, Fortinet has stated that the leak does not stem from a newly identified flaw, but rather from a combination of past incidents and credential harvesting techniques such as brute-force attacks. Organisations who appear in the dataset are urged to immediately reset passwords linked to Fortinet VPN and administrative systems, implement multi-factor authentication, review gateway logs for any signs of suspicious activity, and keep a close watch for compromised employee credentials. Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication Date: 2026-06-13 Author: The Hacker News [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.6480] Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system. "In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint," Splunk said in an alert this week. Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks Date: 2026-06-15 Author: Bleeping Computer [See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.6638/] Cisco has released security updates to address a vulnerability in the Catalyst SD-WAN Manager, tracked as CVE-2026-20262, that was exploited in attacks to escalate to root privileges. Formerly known as SD-WAN vManage, this network management software allows admins to manage up to 6,000 SD-WAN devices from a single dashboard. The now-patched zero-day security flaw affects all deployment types, regardless of device configuration, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP). Oracle’s Second Monthly Security Updates Deliver 245 Patches Date: 2026-06-17 Author: Security Week [Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.6735/] Oracle on Tuesday announced the release of its June 2026 Critical Security Patch Update (CSPU), the second since it began releasing monthly patches. The company still releases its quarterly Critical Patch Updates, but it recently decided to supplement them with monthly patches to address more severe vulnerabilities. The software giant said the latest round of CSPU updates delivers 245 new patches, including for Communications, E-Business Suite, Enterprise Manager, Fusion Middleware, JD Edwards, MySQL, PeopleSoft, Siebel CRM, Supply Chain, Systems, and Virtualization products. Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw Date: 2026-06-15 Author: The Hacker News [AUSCERT has shared IoCs related to CVE-2026-0257 via its MISP instance] Palo Alto Networks has revealed that it has observed "active exploitation" of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals. The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the portal and gateway components of PAN-OS software that could be exploited by bad actors to set up VPN connections. According to the network security company, the security defect could be exploited by a bad actor to bypass security controls and initiate VPN connections. FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices. Date: 2026-06-18 Author: Bleeping Computer [AUSCERT have contacted the potentially impacted members via email] A newly discovered data leak dubbed "FortiBleed" has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs at organizations worldwide. The exposed data was first discovered by security researcher Bob Diachenko, who says he found a server containing what appeared to be valid Fortinet VPN credentials, including usernames, email addresses, and plaintext passwords. ESB-2026.6674 – Firefox 152: CVSS (Max): 9.1* Mozilla released the Firefox 152 update addressing multiple security vulnerabilities. The fixes include memory safety bugs, sandbox escapes, privilege escalation vulnerabilities, and other security issues across browser components ESB-2026.6681 – Atlassian Products: CVSS (Max): 10 Atlassian has released product versions over the past month that fix 76 high-severity vulnerabilities and 24 critical-severity third-party vulnerabilities. ESB-2026.6735 – Oracle Products: CVSS (Max): 9.8* The June 2026 Critical Security Patch Update contains 245 new security patches across multiple Oracle product families. It includes Oracle PeopleSoft PeopleTools and Oracle PeopleSoft Enterprise Applications patches addressing CVE-2026-35273. ESB-2026.6778 – Cisco Identity Services Engine: CVSS (Max): 9.1 Cisco has released software updates addressing multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). These vulnerabilities could allow a remote attacker to achieve remote code execution or disclose information on affected devices. ESB-2026.6796 – NGINX: CVSS (Max): 8.1 F5 has released updates for affected products to address a vulnerability in NGINX Open Source. The issue may allow a remote unauthenticated attacker to trigger a use-after-free condition via a specially crafted HTTP/3 session, potentially leading to denial of service or code execution under certain conditions. Stay safe, stay patched and have a good weekend! The AUSCERT team

Learn more