73,932
Fortinet firewalls with leaked admin credentials across 194 countries
24B
username and password pairs circulating on dark web markets
3x CVSS 10.0
Ubiquiti UniFi CVEs all rated maximum severity, added to CISA KEV June 23
1.16B
authentication attempts logged against FortiGate targets in the FortiBleed campaign

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Seventy-three thousand, nine hundred and thirty-two Fortinet firewalls are sitting on the internet right now with confirmed working administrator credentials in criminal hands, and that is just one of five threats your team needs to resolve before the end of this week.

The week of June 22-29, 2026 produced a convergence of high-severity events that individually would each justify emergency response. The FortiBleed credential campaign is still generating active intrusion attempts against FortiGate devices across 194 countries, with 1.16 billion authentication attempts logged against over 320,000 targets. Simultaneously, a dark web elasticsearch server leaked 24 billion credentials, a North Korean APT embedded backdoors in npm packages, three Ubiquiti UniFi vulnerabilities rated CVSS 10.0 received CISA KEV listings with a three-day federal patch deadline that has already lapsed, and ShinyHunters continued exploiting Oracle PeopleSoft to breach organizations in education and enterprise sectors.

This weekly cybersecurity threat briefing ranks each threat by operational urgency: active exploitation status, CISA KEV inclusion, affected asset count, and how quickly an unpatched environment can be compromised. Your Monday morning action list starts with confirming your Fortinet and Ubiquiti devices are patched and clean, auditing npm dependencies on developer machines, and verifying whether your organization's credentials appear in the 24 billion record dump. Each section below provides the specific IOCs, affected versions, and remediation steps you need to act today.

Threat 1: FortiBleed Update: 73,932 Fortinet Firewalls Still Exposed

The weekly cybersecurity threat briefing leads with FortiBleed because the credential exposure is ongoing and the window to rotate credentials before an attacker succeeds continues to shrink. A Russian-speaking criminal group extracted configuration files from internet-facing FortiGate devices and cracked stored administrator password hashes using a 45-GPU offline cracking infrastructure, yielding verified working credentials for 73,932 FortiGate firewalls, VPN gateways, and SSL-VPN instances across 194 countries.

Affected organizations confirmed by researchers include Samsung, Siemens, Foxconn, Oracle, Accenture, DHL, Infosys, and Fortinet itself. Security researcher Volodymyr Diachenko identified the leaked credential database on an exposed server, but the data had already propagated across criminal forums before discovery.

The attack exploits a weakness in FortiOS credential migration: when devices upgrade from older firmware versions, administrator passwords remain stored as weaker SHA-256 hashes until an administrator manually logs in post-upgrade. Attackers brute-forced those hashes at scale with a GPU cluster. Approximately 1.16 billion authentication attempts targeted over 320,000 FortiGate devices, with roughly 50 percent of all internet-reachable FortiGate instances estimated as affected across 194 countries.

CISA issued an advisory on June 18 ordering immediate action. Fortinet confirmed the breach vector in its PSIRT blog. See the full FortiBleed credential leak analysis for detailed forensic indicators and configuration validation commands.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Terminate all active sessions

Log into FortiGate admin console and terminate all active SSL VPN and administrative sessions immediately on every internet-facing device.

Reset all credentials

Reset administrator accounts, local user accounts, and SSL VPN credentials across all FortiGate devices. Treat every device as potentially compromised regardless of whether compromise has been confirmed.

Upgrade firmware

Update to FortiOS 7.2.11, 7.4.8, 7.6.1, or later. These versions enforce PBKDF2 password hashing on first admin login post-upgrade, which eliminates the crackable SHA-256 hash vulnerability.

Enable MFA on all accounts

Enable multi-factor authentication across all FortiGate admin and VPN accounts. Do not allow password-only authentication on any internet-facing FortiGate management interface.

Audit admin accounts for backdoors

Run `diagnose sys admin list` and identify any accounts not recognized by your team. Disable and investigate any unknown accounts immediately, as attackers may have created persistence.

Threat 2: 24 Billion Credentials Circulating on Dark Web Markets

A 24 billion username-and-password combination dataset was discovered on a publicly accessible elasticsearch server with no authentication configured, representing one of the largest credential aggregation leaks on record. The database consolidates data from hundreds of prior breaches and credential-stuffing campaigns into a single searchable resource that threat actors are actively querying for account takeover operations against enterprise VPNs and cloud consoles.

Unlike a targeted breach of a single organization, this aggregated dump creates persistent risk for any organization whose employees use personal email addresses or reuse passwords across corporate and consumer accounts. The dataset contains corporate email addresses, consumer accounts linked to enterprise SSO systems, and service account credentials harvested from prior vendor breaches.

Threat actors use these aggregated dumps to execute credential-stuffing attacks at scale against enterprise identity providers, VPN portals, and partner extranet systems. Given the timing alongside the FortiBleed campaign, any organization with both a compromised FortiGate credential in the FortiBleed database and employee passwords in this dump faces a compounded risk: attackers can pair firewall admin credentials with corresponding employee accounts for coordinated intrusion.

The full 24 billion credential exposure breakdown covers verification steps organized by identity provider and corporate domain.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Check corporate domain on Have I Been Pwned

Search your corporate email domain at haveibeenpwned.com to identify compromised addresses. The API supports bulk domain-level queries for enterprise accounts.

Force password resets on matched accounts

Initiate mandatory password resets for all accounts whose email addresses appear in breach notification results from this or any recently discovered dump.

Audit SSO provider for anomalous logins

Review your identity provider (Entra ID, Okta, Google Workspace) for logins from unexpected geographies or impossible travel events over the past 14 days.

Deploy dark web monitoring

Enable a dark web monitoring service that alerts when your corporate domain appears in new credential dumps. Several major MDR and threat intelligence platforms include this capability.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

How Does the Sapphire Sleet npm Supply Chain Attack Work?

Sapphire Sleet is a North Korean APT tracked by Microsoft as Sapphire Sleet and by Recorded Future as BlueNoroff and UNC4899, specializing in financial theft and supply chain infiltration since at least 2019. In the week of June 22, CYFIRMA and Recorded Future confirmed the group embedded the Mastra backdoor into multiple npm packages, with activity attributed to cluster CL-STA-1062 targeting state-owned enterprises in energy and government sectors.

The attack method begins with fake recruiter messages on LinkedIn and GitHub directing developers to install technical assessment packages. Infected packages included components from the Mini Shai-Hulud, Miasma, and Hades malware family, which propagated from npm into the Go ecosystem through transitive dependency chains. Once installed, the implant establishes persistence through scheduled task entries and Windows registry modifications before exfiltrating cryptocurrency wallet credentials, source code repositories, and corporate authentication tokens.

The Go ecosystem propagation path is particularly dangerous because Go module checksums may not detect a malicious transitive dependency if the compromised npm package was already pinned in a lockfile before the attack was identified. Developer workstations that installed affected packages during the week of June 22 should be treated as potentially compromised.

The complete technical analysis including all affected package names and hashes is in our Sapphire Sleet supply chain attack investigation.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Audit npm dependencies on developer machines

Run `npm audit` on developer workstations and build servers. Cross-reference recently installed packages against official npm registry checksums for any package added in the past 30 days.

Check Task Scheduler for Sapphire Sleet persistence

On developer workstations and CI/CD build servers, search Task Scheduler for entries named SvcUpdateHelper or WindowsDefenderCache that were not configured by your team.

Alert developers to the fake recruiter vector

Circulate an internal advisory: any LinkedIn or GitHub message from an unfamiliar recruiter that requires package installation as part of a technical assessment is a known North Korean APT technique.

Scan for Mastra C2 callbacks

Use your EDR to search for HTTP POST requests from developer machines to domains registered within the past 90 days with randomized subdomains, which is the Mastra backdoor C2 communication pattern.

Threat 4: Ubiquiti UniFi Triple CVSS 10.0: CISA Patch Deadline Passed

CISA added three Ubiquiti UniFi OS vulnerabilities to the Known Exploited Vulnerabilities catalog on June 23, 2026, with a mandatory federal patch deadline of June 26. That deadline has passed. Any federal agency or contractor with UniFi devices that has not applied the available patches is in active violation of BOD 26-04.

CVE-2026-34908 (CVSS 10.0, CWE-284) is an improper access control flaw allowing unauthenticated configuration changes to UniFi OS without any credentials. CVE-2026-34909 (CVSS 10.0, CWE-22) is a path traversal vulnerability enabling file read and manipulation. CVE-2026-34910 (CVSS 10.0, CWE-20) is an improper input validation flaw allowing arbitrary OS command injection on the host. Chained together, an attacker on the same network segment achieves root-level code execution on any UniFi OS device without authentication.

Affected devices include UniFi Cloud Gateways, Network Controllers, Protect NVRs, Access Hubs, and Talk appliances. Active exploitation includes a Mirai and Gaafgyt botnet campaign systematically scanning for vulnerable UniFi devices on ports 443 and 8443, incorporating compromised devices into DDoS infrastructure.

Patches have been available since May 22, 2026: UniFi OS Server 5.0.8+ and firmware 5.1.12+ (Express 4.0.14, UNAS 5.1.10).

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Verify current firmware version immediately

Log into UniFi OS and confirm version is 5.0.8 or later for the server and firmware 5.1.12+ for devices. Run the update from Settings > System > Firmware Updates.

Restrict management port access

Firewall UniFi management ports 443, 8443, and 8080 to known management IP ranges. Remove all public internet access to the controller interface.

Audit for botnet compromise indicators

Review firewall logs for unexpected outbound traffic from UniFi device IPs. Mirai implants establish C2 connections on non-standard ports and generate unusual outbound volume.

Isolate unpatched devices

Any UniFi OS device that cannot be immediately updated should be isolated from the network until patching is complete. Unpatched devices on an internal segment remain vulnerable to the network-adjacent attack vector.

Threat 5: ShinyHunters Oracle PeopleSoft Campaign Continues

ShinyHunters is a financially motivated cybercriminal group (tracked by Mandiant as UNC6240) that has operated since 2020, responsible for more than 400 confirmed organizational breaches. The group is actively exploiting CVE-2026-35273, a CVSS 9.8 unauthenticated remote code execution vulnerability in Oracle PeopleSoft PeopleTools 8.61 and 8.62, in a campaign that began May 27 and continued through the week of June 28.

Moreover than 100 organizations were compromised before Oracle issued its emergency patch on June 10, with 68 percent of victims confirmed as higher education institutions. ShinyHunters published a fresh set of claimed victims on June 28, indicating the group continues to find organizations that have not yet applied the Oracle emergency patch or that patched too late to prevent initial access.

The exploitation technique targets the PeopleSoft Environment Management Hub via HTTP POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector, requiring no credentials and no user interaction. After gaining access, the group deploys MeshCentral agents branded as Microsoft Azure services for persistent access, then exfiltrates employee HR data, salary records, and student information via SSH to attacker-controlled infrastructure.

Organizations running PeopleSoft PeopleTools 8.61 or 8.62 that applied the Oracle June 10 emergency patch more than 48 hours after its release should conduct a full log review for exploitation indicators dating back to May 27.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Apply Oracle CVE-2026-35273 emergency patch

Apply Oracle's out-of-band emergency patch released June 10, 2026. Verify CPU application in your PeopleSoft environment manager before any other steps.

Block PSEMHub endpoint from internet access

Restrict /psemhub/ and /PSEMHUB/ from external internet access immediately. Place the endpoint behind a VPN or zero-trust gateway if it must remain accessible to third-party integrations.

Audit PeopleSoft web server logs from May 27

Search access logs for HTTP POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector from external IPs dating back to May 27, 2026. Any such request confirms an exploitation attempt.

Hunt for MeshCentral persistence artifacts

Search EDR telemetry for processes named meshagent64-azure-ops.exe or meshagent64-v2.exe. Search filesystem for README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT in WebLogic or Process Scheduler directories.

Block ShinyHunters IOCs at network perimeter

Add outbound block rules for azurenetfiles.net and the 142.11.200.186/29 IP subnet. Alert on WebSocket Secure connections on port 443 to domains outside your approved SaaS allowlist.

Why This Week's Threat Convergence Matters for Your Security Team

Five simultaneous active threat campaigns across network infrastructure, supply chain, credential markets, IoT devices, and enterprise applications signal what security researchers have documented as a late-June acceleration pattern. Criminal groups and state-sponsored APTs increase operational tempo before the July holiday period, anticipating reduced security staffing and delayed response times in Western enterprise environments.

FortiBleed, the 24 billion credential dump, and the Ubiquiti botnet campaign are opportunistic: they target organizations that have not maintained consistent patching and credential hygiene. Sapphire Sleet and ShinyHunters are targeted operations requiring specific intelligence about which organizations run affected software.

For any organization with FortiGate devices or Ubiquiti infrastructure, this week should be treated as an active incident response scenario until devices are confirmed patched and credentials rotated. The 73,932 FortiGate credential sets in the FortiBleed database are being tested continuously. Organizations that rotate credentials today face significantly lower risk than those that wait until the July maintenance window.

The Sapphire Sleet supply chain vector introduces a distinct category of risk. Developer workstations that installed affected npm packages during the week of June 22 should be treated as potentially compromised, with a full EDR investigation initiated before those machines are used to deploy to production infrastructure. Credential theft from developer environments provides access to source code repositories, CI/CD pipelines, and cloud infrastructure at a blast radius far exceeding a single compromised endpoint.

The bottom line

The week of June 22-29, 2026 produced five simultaneous active threats that require Monday morning action. FortiBleed remains the most operationally dangerous: 73,932 FortiGate firewalls have working administrator credentials in criminal hands across 194 countries, with 1.16 billion active authentication attempts logged against targets. Rotate Fortinet credentials, patch Ubiquiti UniFi OS to version 5.0.8+, audit npm packages on developer machines for Sapphire Sleet indicators, verify your organization's domain against the 24 billion credential dump, and check Oracle PeopleSoft patch status against the June 10 emergency advisory. All five actions before end of business today.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is FortiBleed and how does it affect my organization?

FortiBleed is a large-scale credential theft campaign that exposed working administrator credentials for 73,932 Fortinet FortiGate firewalls and VPN gateways across 194 countries. Attackers exploited a weakness in FortiOS password storage: devices upgraded from older firmware retain weaker SHA-256 password hashes until an administrator manually logs in post-upgrade. A GPU-based cracking cluster broke those hashes at scale. If your organization runs internet-facing FortiGate devices, assume your credentials may be in the leaked database and rotate them immediately regardless of whether you can confirm compromise.

How do I check if my Fortinet firewall was included in the FortiBleed leak?

CISA and Fortinet have not published a searchable lookup tool for the full device list. The safest approach is to treat every internet-facing FortiGate device as potentially compromised and take action regardless: terminate all active sessions, reset all administrator and VPN credentials, and upgrade to FortiOS 7.2.11, 7.4.8, or 7.6.1+. SOCRadar operates a free FortiBleed check tool that accepts public IP addresses and returns whether a device appears in the known compromised list at socradar.io.

What CVEs should I patch this week based on CISA KEV additions?

The highest-priority CISA KEV additions from the week of June 22-29 are CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 for Ubiquiti UniFi OS (all CVSS 10.0, federal deadline June 26 already passed), CVE-2026-20253 for Splunk Enterprise (actively exploited, patch to version 10.0.7 or 10.2.4+), and CVE-2026-35273 for Oracle PeopleSoft PSEMHub (CVSS 9.8, ShinyHunters actively exploiting). Ubiquiti patches are available in UniFi OS Server 5.0.8+ and firmware 5.1.12+.

What is the Sapphire Sleet npm supply chain attack?

Sapphire Sleet is a North Korean APT (also tracked as BlueNoroff and UNC4899) that embedded the Mastra backdoor into multiple npm packages during the week of June 22. The attack targets developers in energy and government sectors through fake LinkedIn recruiter messages directing targets to install technical assessment packages containing the backdoor. Once installed, the malware exfiltrates cryptocurrency wallet credentials, source code, and authentication tokens. Run npm audit and check Task Scheduler for SvcUpdateHelper or WindowsDefenderCache entries on developer machines.

How were 24 billion credentials leaked to the dark web?

Security researchers discovered a publicly accessible elasticsearch server with no authentication configured, hosting 24 billion username and password combinations compiled from hundreds of prior breach datasets over several years. This is a credential aggregation leak rather than a single new breach. The consolidated database reduces the effort required for credential-stuffing attacks against corporate VPN portals, cloud consoles, and partner extranet systems. Check your corporate email domain against Have I Been Pwned and enforce password resets for any matched accounts immediately.

Are Ubiquiti UniFi devices still being actively exploited?

Yes. CISA confirmed active exploitation when it added CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 to the KEV catalog on June 23 with a three-day federal patch deadline that has already passed. A Mirai and Gaafgyt botnet campaign is actively scanning for vulnerable UniFi OS devices on ports 443 and 8443. Any UniFi device running UniFi OS Server below 5.0.8 or firmware below 5.1.12 is at immediate risk of unauthenticated device takeover. Patch now and restrict management ports to known IP ranges.

Which companies were confirmed affected by FortiBleed?

Researchers confirmed leaked credentials for devices belonging to Samsung, Siemens, Foxconn, Oracle, Accenture, DHL, Infosys, and Fortinet itself, among thousands of smaller organizations. The 73,932-device list spans government agencies, healthcare systems, financial institutions, and critical infrastructure operators across 194 countries. Credential exposure does not confirm network breach, but those working credentials are actively being tested against enterprise networks right now.

What is the Monday Intel Drop and how should I use it?

The Monday Intel Drop is a weekly Decryption Digest brief that ranks the top three to five active cybersecurity threats from the prior week by operational urgency. Each entry includes the threat name, exploitation status, affected products and versions, confirmed IOCs, and a prioritized remediation checklist. Use it as your Monday morning starting point: identify which threats apply to your technology stack, assign remediation tasks to your team, and validate completion by end of week. Each threat links to a full technical deep-dive for additional IOCs and analysis.

Sources & references

  1. CISA: Urges Hardening Fortinet Devices After FortiBleed
  2. CISA KEV Catalog: June 23 Additions (Ubiquiti UniFi)
  3. BleepingComputer: FortiBleed Exposes 73,000 Fortinet Devices
  4. Help Net Security: 74,000 Fortinet Credentials Exposed in FortiBleed
  5. Arctic Wolf: Active FortiBleed Campaign Across 194 Countries
  6. CYFIRMA: Weekly Intelligence Report June 26, 2026

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.