19 Jun 2026
Week in review
Greetings,
A newly uncovered data exposure incident dubbed “FortiBleed” has revealed a large number of Fortinet VPN credentials tied to organisations worldwide. The dataset contains usernames, email addresses, and plaintext passwords linked to more than 73,000 firewall devices across 194 countries, spanning industries from telecommunications and finance to government and manufacturing.
The scale and sophistication of the operation suggest a highly organised campaign. Analysis indicates attackers carried out billions of login attempts against hundreds of thousands of systems, harvesting and cracking authentication data using advanced computing resources. The resulting database catalogued verified credentials as well as contextual details such as company size and industry, which are likely intended to help prioritise high-value targets.
Independent researchers have validated portions of the leaked data, confirming that at least some credentials are authentic and recent. Many of the affected devices remain accessible online, amplifying the potential risk. Experts believe the information may have originated from exported Fortinet configuration files, though it is still unclear whether the exact source was a new vulnerability or previously compromised data.
Despite the severity, Fortinet has stated that the leak does not stem from a newly identified flaw, but rather from a combination of past incidents and credential harvesting techniques such as brute-force attacks.
Organisations that appear in the dataset are urged to immediately reset passwords linked to Fortinet VPN and administrative systems, implement multi-factor authentication, review gateway logs for any signs of suspicious activity, and keep a close watch for compromised employee credentials.
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
Date: 2026-06-13
Author: The Hacker News
[See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.6480]
Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution.
The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system.
"In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint," Splunk said in an alert this week.
Cisco fixes SD-WAN vManage flaw exploited in zero-day attacks
Date: 2026-06-15
Author: Bleeping Computer
[See also AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.6638/]
Cisco has released security updates to address a vulnerability in the Catalyst SD-WAN Manager, tracked as CVE-2026-20262, that was exploited in attacks to escalate to root privileges.
Formerly known as SD-WAN vManage, this network management software allows admins to manage up to 6,000 SD-WAN devices from a single dashboard.
The now-patched zero-day security flaw affects all deployment types, regardless of device configuration, including on-prem deployments, Cisco SD-WAN Cloud-Pro, Cisco SD-WAN Cloud (Cisco Managed), and Cisco SD-WAN for Government (FedRAMP).
Oracle’s Second Monthly Security Updates Deliver 245 Patches
Date: 2026-06-17
Author: Security Week
[Please also see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2026.6735/]
Oracle on Tuesday announced the release of its June 2026 Critical Security Patch Update (CSPU), the second since it began releasing monthly patches.
The company still releases its quarterly Critical Patch Updates, but it recently decided to supplement them with monthly patches to address more severe vulnerabilities.
The software giant said the latest round of CSPU updates delivers 245 new patches, including for Communications, E-Business Suite, Enterprise Manager, Fusion Middleware, JD Edwards, MySQL, PeopleSoft, Siebel CRM, Supply Chain, Systems, and Virtualization products.
Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Flaw
Date: 2026-06-15
Author: The Hacker News
[AUSCERT has shared IoCs related to CVE-2026-0257 via its MISP instance]
Palo Alto Networks has revealed that it has observed "active exploitation" of a recently disclosed PAN-OS vulnerability by an unknown threat actor to obtain unauthorized access to GlobalProtect portals.
The vulnerability in question is CVE-2026-0257 (CVSS score: 7.8), an authentication bypass flaw affecting the portal and gateway components of PAN-OS software that could be exploited by bad actors to set up VPN connections.
According to the network security company, the security defect could be exploited by a bad actor to bypass security controls and initiate VPN connections.
FortiBleed leak exposes Fortinet VPN credentials for 73,000 devices
Date: 2026-06-18
Author: Bleeping Computer
[AUSCERT have contacted the potentially impacted members via email]
A newly discovered data leak dubbed "FortiBleed" has exposed what appears to be a collection of Fortinet and FortiGate VPN credentials for 73,932 firewall URLs at organizations worldwide.
The exposed data was first discovered by security researcher Bob Diachenko, who says he found a server containing what appeared to be valid Fortinet VPN credentials, including usernames, email addresses, and plaintext passwords.
ESB-2026.6674 – Firefox 152: CVSS (Max): 9.1*
Mozilla released the Firefox 152 update addressing multiple security vulnerabilities. The fixes include memory safety bugs, sandbox escapes, privilege escalation vulnerabilities, and other security issues across browser components.
ESB-2026.6681 – Atlassian Products: CVSS (Max): 10
Atlassian has released product versions over the past month that fix 76 high-severity vulnerabilities and 24 critical-severity third-party vulnerabilities.
ESB-2026.6735 – Oracle Products: CVSS (Max): 9.8*
The June 2026 Critical Security Patch Update contains 245 new security patches across multiple Oracle product families. It includes Oracle PeopleSoft PeopleTools and Oracle PeopleSoft Enterprise Applications patches addressing CVE-2026-35273.
ESB-2026.6778 – Cisco Identity Services Engine: CVSS (Max): 9.1
Cisco has released software updates addressing multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). These vulnerabilities could allow a remote attacker to achieve remote code execution or disclose information on affected devices.
ESB-2026.6796 – NGINX: CVSS (Max): 8.1
F5 has released updates for affected products to address a vulnerability in NGINX Open Source. The issue may allow a remote unauthenticated attacker to trigger a use-after-free condition via a specially crafted HTTP/3 session, potentially leading to denial of service or code execution under certain conditions.
Stay safe, stay patched and have a good weekend!
The AUSCERT team