Weekly threat intelligence digest: June 22–28, 2026

Executive summary

This week delivered an unusually dense threat landscape dominated by three concurrent narratives: large-scale infrastructure compromise (430,000+ FortiGate devices harvested for credentials), critical authentication bypasses across identity and SSH systems, and a maturing attack surface in AI-assisted workflows. The FortiBleed campaign and related supply-chain compromises represent the most significant operational threat, while the convergence of pre-authentication RCE vulnerabilities (OpenDJ, Lantronix, MCP-Pinot) signals attackers are actively hunting low-hanging fruit in identity and edge infrastructure. Threat level remains critical.

Critical & high priority

FortiBleed: Sustained credential-harvesting campaign against 430,000+ FortiGate firewalls (June 24)

A Russian-speaking initial access broker has been conducting a systematic credential-harvesting operation against Fortinet FortiGate firewalls since February 2026, compromising over 430,000 devices globally and exfiltrating approximately 110 million credentials. This is not a single vulnerability exploitation—it represents a sustained campaign targeting a critical choke point in enterprise network architecture. The sheer scale (430k devices) indicates either widespread vulnerability exploitation, brute-force attacks against weak credentials, or exploitation of exposed management interfaces. These compromised devices now serve as either direct pivot points for lateral movement or commodities for resale in underground markets. Action: Immediately audit FortiGate device exposure (management interface accessibility, credential strength, firmware currency). Enable MFA on admin accounts. Monitor Fortinet advisories for IOCs and check logs for suspicious authentication patterns dating back to February 2026.

OpenDJ JMX RMI pre-authentication RCE (CVE-2026-46495, June 23)

OpenDJ's JMX RMI connector deserializes untrusted data before performing authentication checks, enabling unauthenticated attackers to achieve remote code execution by sending malicious serialized objects. This affects all versions through 5.1.0 and represents a complete authentication bypass on a critical identity component. The pre-auth nature means no credentials are required; network access to the JMX RMI port is the only precondition. Action: Check running OpenDJ instances for exposed JMX RMI ports (default 9010, but configurable). Immediately apply patches for versions ≤5.1.0. If patching is delayed, restrict JMX RMI port access to trusted administrative networks only.

Lantronix EDS5000 RCE actively exploited in production (CVE-2025-67038, June 25)

CISA has confirmed active exploitation of CVE-2025-67038, a code injection flaw in Lantronix EDS5000 Series devices with a CVSS score of 9.8. Federal agencies have been mandated to remediate by June 26, 2026. Lantronix devices are widely deployed as edge serial-to-IP converters in industrial control systems, IoT gateways, and critical infrastructure environments. Active exploitation combined with federal mandate urgency suggests this vulnerability is being actively weaponised. Action: Identify and inventory all Lantronix EDS5000 devices in your environment. Immediately apply security patches. If patching cannot be completed by June 26, isolate affected devices or disable remote management functionality.

MCP-Pinot default insecure configuration enables unauthenticated tool invocation (CVE-2026-49257, June 27)

mcp-pinot ships with OAuth disabled by default and bound to 0.0.0.0 (all network interfaces), allowing any network attacker to invoke MCP tools and execute queries against downstream Pinot clusters using server credentials. The CVSS score of 10.0 reflects the complete authentication bypass. This is particularly dangerous in cloud or containerized environments where the service may be inadvertently exposed to internal networks. Action: Review all mcp-pinot deployments and verify OAuth is explicitly enabled. Restrict network binding to localhost or specific trusted IPs. Audit configuration management to ensure secure defaults are enforced across all instances.

Credential harvesting and authentication bypasses cascade across identity infrastructure

This week saw a cluster of authentication-related vulnerabilities: OpenAM Liberty IDPP anonymous SOAP write access (CVE-2026-45052), OpenAM WebAuthn deserialization RCE (CVE-2026-45051), Go SSH known-hosts CA revocation bypass (CVE-2026-42508), Go SSH authorization bypass via callback confusion (CVE-2026-46595), and motionEye authentication bypass via path traversal. These represent systemic weaknesses in how identity systems validate trust chains and enforce access controls. The OpenAM vulnerabilities enable unauthenticated privilege escalation within identity federations. The Go SSH flaws bypass revocation and source-address validation—core security controls. Action: Audit all OpenAM deployments for storage backend accessibility and WebAuthn attribute permissions. Patch golang.org/x/crypto SSH library immediately across all Go-based infrastructure. Review SSH known-hosts files for revoked CAs and regenerate host keys if necessary.

Brazil Civil Defense Alert System weaponised for false emergency broadcasts (June 23)

Attackers breached Brazil's Civil Defense Alert system and distributed at least a dozen unauthorized emergency alerts, demonstrating how compromised critical infrastructure can erode public trust in legitimate disaster warnings. This is a state-level threat to emergency response systems and represents an asymmetric attack vector—damage is measured not in direct operational impact but in degraded public confidence in crisis communications. Action: Audit alert system authentication and access controls. Implement cryptographic signing of all authoritative alerts. Establish manual verification protocols for anomalous alert patterns. Coordinate with communication agencies to establish secondary validation channels for emergency messages.

Texas Parks & Wildlife Department third-party vendor breach exposes 3 million users (June 22)

A third-party license vendor serving Texas Parks & Wildlife Department was compromised, affecting approximately 3 million individuals' personal data. This represents a classic supply-chain attack surface expansion—the vendor processes customer data on behalf of a government agency but operates with potentially lower security standards. The breach illustrates how outsourcing customer-facing systems creates asymmetric risk: the agency's security posture is only as strong as its least-secure vendor dependency. Action: Conduct immediate audit of all third-party vendors processing customer personal data. Implement contractual requirements for breach notification within 24 hours, security assessment rights, and cyber insurance. Establish monitoring for exposed datasets containing your user populations.

AI-augmented exploitation: Repository poisoning and credential harvesting (June 27–28)

Amazon Q contained a flaw allowing credential exfiltration by poisoning code repositories that the AI assistant indexes. Separately, attackers are crafting innocent-looking GitHub repositories that execute malicious payloads when cloned by AI coding agents, bypassing security scanners and human review. This represents a novel attack surface: AI tools are being used at scale in development workflows, and they inherit all the trust decisions of their human operators without additional verification. Action: Audit AI assistant usage in your development environment. Require manual review of repository setup steps before AI agents execute them. Implement repository scanning at the point of AI ingestion, not just at commit time. Monitor AI tool activity logs for anomalous credential access.

Notable developments

Bucket namespace hijacking across cloud providers (June 23)

Unit 42 disclosed a technique exploiting global namespace uniqueness across cloud storage systems, allowing attackers to claim abandoned or predictably-named buckets to intercept data. This is a configuration error vector rather than a zero-day, but the attack surface is massive given the prevalence of cloud storage misconfigurations. The technique works across multiple CSPs, suggesting namespace coordination or namespace predictability is a systemic issue.

Scattered Spider members convicted in Transport for London ransomware (June 24)

Two Scattered Spider members pleaded guilty on the first day of their UK trial for the August 2024 TfL ransomware attack. Rapid guilty pleas suggest strong prosecution evidence and mark meaningful enforcement progress against a prolific cybercrime group. This is a rare enforcement win and may signal tightened legal risk for major ransomware operators.

Operation Endgame dismantles Amadey and Stealc infrastructure (June 25)

Microsoft, law enforcement, and ESET coordinated takedown of three major malware-as-a-service operations (Stealc, Amadey, Socgholish), removing over 300 servers. This represents a shift in enforcement strategy: targeting malware supply chains rather than individual infections. The operation's success depends on sustained disruption—these families will likely resurface unless law enforcement maintains infrastructure seizure authority.

Five Eyes governments issue coordinated AI cybersecurity warning (June 24)

The Five Eyes intelligence alliance issued a joint alert warning that AI poses an imminent cybersecurity threat with a compressed timeline of months rather than years. This is an unusual coordinated warning and signals government consensus that AI-enabled offensive operations are approaching operational maturity faster than defensive capabilities can scale.

Anthropic's Mythos model identified vulnerabilities in classified US systems (June 24)

Anthropic's Mythos model identified vulnerabilities in classified US government systems during testing, raising questions about model testing protocols and containment boundaries when deploying advanced AI against sensitive infrastructure. Exploitation capability within the testing window remains unclear, but the incident signals risk in current AI evaluation practices.

DCloud Uni-App toolkit weaponised for investment fraud at scale (June 28)

Threat actors have repurposed DCloud's legitimate Uni-App cross-platform development toolkit to generate and deploy investment scam sites, with an estimated 200,000 instances already operational. This represents a significant shift toward abusing benign developer tools for financial crime infrastructure, reducing the technical barrier to entry for threat actors and making detection harder.

Russian intelligence sustained phishing against Ukrainian officials (June 28)

Russian intelligence conducted a sustained phishing campaign using fabricated support messages to harvest credentials from Ukrainian government officials, military personnel, politicians, and activists across Europe and the US. The operation highlights persistent state-level targeting of high-value individuals using social engineering rather than zero-days—a reminder that sophisticated threat actors remain fundamentally focused on attackers' return on investment rather than technical novelty.

Squidbleed: Memory disclosure in legacy Squid proxy infrastructure (June 23)

Squidbleed is a memory disclosure vulnerability in Squid proxy affecting caching infrastructure globally. The flaw's age and ubiquity in enterprise networks creates significant exposure, particularly for organizations using Squid for HTTP caching and filtering in DMZs or perimeter positions.

WhatsApp VBScript phishing campaign delivers RCE (June 23)

Attackers conducted a multi-country phishing campaign via WhatsApp distributing malicious VBScript files disguised as business documents, enabling remote code execution on Windows systems. The abuse of trusted communication platforms (WhatsApp) for malware delivery continues to be effective because users have lower suspicion of messages from established social/business contacts.

Go SSH library regressions introduce authorization bypass (CVE-2026-46595, June 26)

A regression in golang.org/x/crypto/ssh allows attackers to bypass source-address validation by invoking non-public-key callbacks, circumventing the CVE-2024-45337 fix. Regressions are particularly damaging because they reintroduce previously-fixed vulnerabilities and often catch defenders off guard who believed the issue was resolved.

Adblock for YouTube extension contains dormant JavaScript injection capability (June 26)

Adblock for YouTube (10M+ installs, Chrome Web Store featured status) contains dormant arbitrary JavaScript execution capability, raising questions about Chrome Web Store vetting and the risk of supply-chain compromise in browser extensions. The presence of injection mechanisms that are "not currently active" is a significant red flag for future activation.

Cisco Unified CM SSRF exploitation accelerates post-PoC release (CVE-2026-20230, June 24)

A server-side request forgery flaw in Cisco Unified Communications Manager (CVE-2026-20230) is now actively exploited following public proof-of-concept availability. Public PoCs consistently accelerate exploitation timelines; defenders facing this CVE should assume active scanning and exploitation attempts are underway.

OpenAI and Anthropic release tiered AI model variants under government coordination (June 28, June 23)

OpenAI released three variants of GPT-5.6 (Sol, Terra, Luna) in limited preview under U.S. government coordination. Separately, OpenAI expanded its Daybreak initiative with an improved GPT-5.5-Cyber model for trusted defenders. These controlled rollouts signal a regulatory maturation in how advanced AI models are distributed and tested against sensitive systems.

Educational institutions suffer recurring third-party vendor breaches (June 28)

Educational institutions face persistent attack surface through third-party vendor compromises, exposing student data to ransomware and exfiltration. The sector lacks mature vendor risk management practices, enabling threat actors to exploit this gap at scale.

Vulnerability landscape

Vulnerability database summary

This week saw 144 new CVEs tracked, with severity distribution skewed toward high-impact flaws: 110 high-severity, 4 critical, and 30 with unspecified severity. The volume reflects ongoing vulnerability churn in open-source and commercial software ecosystems.

Top affected vendors

n8n accounts for 5 vulnerabilities (workflow automation platform, indicating potential supply-chain risk in DevOps tooling). IBM, WolfSSL, Microsoft, Linux, JetBrains, Cacti, and Anysphere follow with 2-3 vulnerabilities each. The diversity of vendors and use cases (cloud, cryptography, systems management, container security) reflects the broad attack surface across enterprise and infrastructure environments.

Severity distribution and trends

The 4 critical CVEs this week (OpenDJ RCE, Lantronix RCE, MCP-Pinot authentication bypass, Nezha stream hijacking) represent authentication or pre-auth code execution flaws—the highest-impact category. The concentration of critical flaws in identity systems (OpenDJ, MCP-Pinot, Nezha) and edge infrastructure (Lantronix) suggests attackers are systematically hunting choke points in infrastructure architectures.

Recommended actions

Immediate (this week)

1. Inventory and patch critical infrastructure: Identify all Lantronix EDS5000 devices, OpenDJ instances, mcp-pinot deployments, and Cisco Unified CM systems. Prioritize patching for these CVEs by end of week.

2. Audit FortiGate exposure: Review management interface accessibility, credential strength, and firmware version across all FortiGate devices. Correlate logs with the February 2026 start date of the FortiBleed campaign to detect compromises.

3. Restrict JMX RMI and MCP-Pinot network access: If patching is delayed, implement network-level restrictions to limit access to trusted administrative IP ranges.

4. Review Go SSH infrastructure: Audit all golang.org/x/crypto SSH implementations for the authorization bypass and known-hosts CA revocation issues. Apply patches immediately.

This week (priority)

5. Third-party vendor audit: Conduct rapid assessment of all vendors processing customer personal data. Establish baseline of contractual security requirements and breach notification timelines.

6. AI tool governance: If your organization uses Amazon Q, GitHub Copilot, or similar AI coding assistants, implement manual review of repository setup steps and establish monitoring for anomalous credential access.

7. OpenAM assessment: For organizations running OpenAM, audit Liberty IDPP and WebAuthn configurations, verify storage backend access controls, and schedule patching for CVE-2026-45052 and CVE-2026-45051.

Next week (strategic)

8. Build incident response playbooks for authentication compromise: Given the cluster of auth-related CVEs, establish standardized procedures for credential rotation, session invalidation, and lateral movement hunting when authentication systems are compromised.

9. Implement supply-chain monitoring: Establish continuous monitoring for compromises in critical third-party vendors, including vulnerability disclosure tracking and dark web monitoring for vendor data.

10. Develop repository poisoning detection: Implement scanning and analysis of repository setup workflows to detect embedded malware or suspicious bootstrapping logic that might evade traditional static analysis.

Looking ahead

Next week patterns to monitor

Expect continued exploitation of the critical vulnerabilities disclosed this week (Lantronix, OpenDJ, MCP-Pinot) as threat actors actively hunt infrastructure. Monitor for changes in FortiBleed operational tempo or credential market pricing as the 110 million harvested credentials reach underground markets.

Watch for follow-on attacks against Ukrainian government and military infrastructure, building on this week's Russian intelligence phishing campaign. The credential harvesting phase typically precedes targeted ransomware or espionage operations.

The convergence of AI security issues (repository poisoning, credential exfiltration, data poisoning) suggests this attack surface will mature rapidly as threat actors systematize exploitation. Expect more sophisticated repository-based supply chain attacks targeting AI-augmented development workflows.

The Five Eyes AI warning and government-coordinated AI model releases signal that regulation and threat modeling around AI-assisted offense are entering policy maturity. This will likely accelerate capability detection and attribution work, but also potentially create liability for organizations deploying advanced AI models against sensitive infrastructure without explicit authorization.

Monitor for Scattered Spider reconstitution or succession given the guilty pleas and conviction risk in the TfL case. Major ransomware affiliates typically restructure after key personnel face prosecution.

Defensive priorities for next 2 weeks

• Complete patching of critical infrastructure before July 6 to close the window of pre-PoC exploitation.
• Establish baseline on FortiGate compromise scope and implement compensating controls for delayed patches.
• Build tactical response playbooks for authentication system compromise given the velocity of auth-related CVEs.
• Operationalize repository scanning in development pipelines to detect poisoning before AI agents or humans execute code.