FortiBleed: Russian-attributed campaign compromises 86,644 FortiGate devices via default credentials, CISA urges immediate action  ·  F5 issues out-of-band patches for two critical NGINX flaws in HTTP/3 and HTTP/2 modules  ·  Gravity SMTP WordPress plugin actively exploited, leaking API keys and OAuth tokens to unauthenticated callers  ·  CYBERSIP.NET  ·  ISSUE 68
CYBERSIP™
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 68  ·  June 21, 2026  ·  cybersip.net  ·  3 active items  ·  Under 5 min read
Today’s picture
CISA issued an alert this week urging Fortinet customers to take immediate steps against a sweeping campaign codenamed FortiBleed, attributed to Russian-speaking threat actors, that has compromised 86,644 internet-accessible FortiGate devices. SOCRadar analysis of the compromised credentials shows the campaign succeeded primarily through default and factory accounts, not through vulnerability exploitation: attackers scanned for devices that still had factory credentials active and logged straight in. F5 issued out-of-band patches on June 17 for two critical NGINX flaws, one in the HTTP/3 module and one in the HTTP/2 proxy module, both rated CVSS 9.2 and both exploitable by unauthenticated attackers under specific non-default configurations. Neither has been confirmed exploited in the wild, but the previous critical NGINX flaw from last month moved from disclosure to active exploitation within days. The Gravity SMTP WordPress plugin, installed on roughly 100,000 sites, is under active exploitation after researchers found a REST API endpoint that unconditionally returns true to all callers, handing over configuration data including API keys and OAuth tokens in a single unauthenticated request.
Threat snapshot
3 active items · 2 monitoring
FortiBleed / 86,644 devices / Russian attribution / default credentials
NGINX / CVSS 9.2 dual critical / out-of-band patches
Gravity SMTP / active exploitation / API key and token theft
3 items this issue
June 19  ·  FortiGate  ·  Russian Attribution  ·  86,644 Devices
FortiBleed: Russian-attributed campaign compromises 86,644 FortiGate devices. The primary attack vector is default and factory credentials, not vulnerabilities. CISA urges Fortinet customers to act immediately.
SOCRadar found that generic admin accounts make up 35% of compromised credentials and built-in Fortinet system accounts a further 28.3%, meaning that more than 63% of compromised devices were accessed through accounts Fortinet ships with the product rather than accounts the organisation created. Renaming or disabling those accounts and rotating factory credentials would have blocked the majority of these compromises.
June 17  ·  NGINX  ·  Out-of-Band Patches
F5 patches two critical NGINX flaws out-of-band. CVE-2026-42530 is a use-after-free in the HTTP/3 QUIC module. CVE-2026-42055 is a heap buffer overflow in the HTTP/2 proxy module. Both CVSS 9.2. Unauthenticated under specific configurations.
Not confirmed exploited yet. But the previous critical NGINX flaw from May went from patch to active exploitation within days. Upgrade to NGINX Open Source 1.31.2 or 1.30.3. Temporary mitigations: disable HTTP/3 (remove the quic parameter from listen directives) for CVE-2026-42530; remove the ignore_invalid_headers off directive for CVE-2026-42055.
June 19  ·  Gravity SMTP  ·  Active Exploitation
Gravity SMTP WordPress plugin CVE-2026-4020 under active exploitation. An open REST endpoint returns 365KB of configuration data including API keys and OAuth tokens to any unauthenticated caller.
Installed on roughly 100,000 sites. A single GET request to the wp-json endpoint with a specific query parameter dumps email integration credentials. The permission callback unconditionally returns true regardless of who is calling. Patch immediately.
Detailed intelligence
Full analysis
01 FortiGate Russian Attribution
FortiBleed: 86,644 FortiGate devices compromised by Russian-attributed actors using default and factory credentials. CISA urges immediate action. Vulnerabilities are not the primary vector.
FortiBleed · CISA Alert · June 19
CISA issued an alert on June 19 urging Fortinet customers with FortiGate appliances to act immediately against ongoing malicious activity attributed to Russian-speaking threat actors. SOCRadar analysis of the compromised credential set found that more than 63% of the 86,644 breached devices were accessed using default or factory-shipped accounts, not exploited vulnerabilities.
Executive Impact
Any organisation running internet-accessible FortiGate appliances should audit active accounts immediately. The specific controls that would have prevented the majority of FortiBleed compromises are concrete and straightforward: rename or disable the generic admin account, rename or disable built-in Fortinet system accounts, and rotate any credentials that were configured during initial provisioning and have not been changed since. These are not patch-related actions. They are credential hygiene actions that can be completed today.
Don’t Miss
The FortiBleed campaign has a direct connection to the China-linked UNC6508 group covered in Issue 64. SecurityWeek noted in its June 18 coverage that the REDCap-compromised servers that served as UNC6508’s initial access vector for credential theft in the US and Canadian research institution campaign are themselves regularly targeted for initial access and backdoor deployment via FortiGate appliances. The two campaigns therefore overlap in infrastructure: Fortinet network devices are the targets in FortiBleed and the stepping stones in separate nation-state intrusion chains. Organisations running FortiGate should treat this as both a credential hygiene issue and a potential indicator of broader interest in their network infrastructure from state-level actors.
CyberSip Take
Eighty-six thousand compromised network security devices, and the majority were accessed by logging in with the credentials the vendor shipped the box with. This brief has spent six months documenting nation-state actors exploiting sophisticated zero-days and supply chain vulnerabilities. FortiBleed is a reminder that the oldest problem in enterprise security, unchanged default credentials on internet-facing infrastructure, is still producing compromises at scale. Patch management and vulnerability response are necessary. They are not sufficient when default credentials remain active on the perimeter.
What happened

CISA issued an alert on June 19, 2026 urging Fortinet customers to take immediate steps to harden internet-accessible FortiGate appliances against an ongoing malicious campaign. The campaign, tracked by threat intelligence companies under the name FortiBleed, has been attributed to Russian-speaking threat actors based on infrastructure patterns and operational indicators. The number of compromised devices stood at 86,644 as of June 19 according to data from SOCRadar, making it one of the largest single-vendor device compromise campaigns documented this year.

SOCRadar analysis of the compromised credential set provides a specific breakdown: generic admin accounts, the default administrative account name that Fortinet ships with FortiGate appliances, account for 35% of compromised credentials. Built-in Fortinet system accounts account for 28.3% of compromised credentials. Organisation-specific accounts created by administrators account for the remaining 36.7%. The combined proportion of default and factory-shipped account compromises exceeds 63%, indicating that the majority of breached devices were accessed not through exploited vulnerabilities but through credentials that were active because they had never been changed from factory defaults.

Fortinet has not published a specific vulnerability advisory in connection with FortiBleed, consistent with the campaign primarily leveraging credential access rather than unpatched flaws. CISA’s alert urges organisations to immediately audit FortiGate accounts, disable or rename factory-default accounts, enforce strong and unique credentials, apply current patches, and enable multi-factor authentication on administrative interfaces.
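The account audit CISA is asking for can be run offline against a configuration backup rather than by clicking through every appliance. The script below is an added example written for this brief, not Fortinet or CISA tooling. The configuration text is a constructed sample in the FortiOS CLI shape (config system admin / edit / set / next / end), and the directive names it keys on (two-factor, trusthostN, accprofile, the nested gui-dashboard table) are the author’s recollection of that CLI and should be checked against the CLI reference for your firmware version. It flags the generic admin account name still being active, accounts with no MFA, and accounts that can log in from any source address; it cannot tell whether a password was ever changed, because the backup only holds the hash.

```python
"""Audit a FortiOS configuration backup for the account-hygiene gaps FortiBleed exploited.

Added example, not Fortinet or CISA tooling. SAMPLE_CONFIG is constructed. The directive
names (accprofile, trusthostN, two-factor, gui-dashboard) are assumptions about the FortiOS
CLI to verify against your firmware's CLI reference.
"""
import re

SAMPLE_CONFIG = """\
config system global
    set hostname "edge-fw-01"
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC SH2xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    next
    edit "netops-jdoe"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.20.0.0 255.255.255.0
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
        set password ENC SH2yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
    next
    edit "backup-ro"
        set accprofile "prof_admin"
        set vdom "root"
        set password ENC SH2zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
    next
end
"""

DEFAULT_ADMIN_NAMES = {"admin"}  # the generic account name FortiGate ships with


def parse_admins(config_text):
    """Return {name: {directive: value}} for each account directly inside 'config system admin'.

    Nested sub-tables (config ... end) inside an account are skipped so that their 'end'
    does not terminate the outer section early and their 'set' lines are not misattributed.
    """
    admins, in_section, depth, current = {}, False, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not in_section:
            in_section = line == "config system admin"
            continue
        if depth:  # inside a nested table: only track its nesting
            if line.startswith("config "):
                depth += 1
            elif line == "end":
                depth -= 1
            continue
        if line.startswith("config "):
            depth = 1
            continue
        if line == "end":
            break
        m = re.match(r'^edit\s+"?([^"]*)"?$', line)
        if m:
            current = m.group(1)
            admins[current] = {}
        elif line == "next":
            current = None
        else:
            m = re.match(r"^set\s+(\S+)\s+(.*)$", line)
            if m and current is not None:
                admins[current][m.group(1)] = m.group(2).strip()
    return admins


def audit_admins(admins):
    """Return {name: [finding, ...]} for every account that fails a FortiBleed-relevant check."""
    findings = {}
    for name, attrs in admins.items():
        issues = []
        if name.lower() in DEFAULT_ADMIN_NAMES:
            issues.append("generic default account name still active")
        # two-factor is 'disable' when the directive is absent from the backup
        if attrs.get("two-factor", "disable") == "disable":
            issues.append("no MFA on administrative login")
        # with no trusthostN directive the account may log in from any source address
        if not any(k.startswith("trusthost") for k in attrs):
            issues.append("no trusted-host restriction on source address")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for account, issues in audit_admins(parse_admins(SAMPLE_CONFIG)).items():
        print(account)
        for issue in issues:
            print("  -", issue)
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents. Any account that appears in the output is one to rename or disable, put MFA on, or restrict by trusted host before the device is left on the internet; the password rotation CISA asks for has to be done on the box regardless of what the audit shows.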

Recommended actions
Derived from The Hacker News and SOCRadar reporting on the FortiBleed campaign, June 19–21, 2026.
02 NGINX Out-of-Band Patches
F5 issues out-of-band patches for two critical NGINX flaws. CVE-2026-42530 affects the HTTP/3 QUIC module, CVE-2026-42055 affects HTTP/2 and gRPC proxying. Both CVSS 9.2. Both unauthenticated under specific configurations.
CVE-2026-42530 · CVE-2026-42055 · CVSS 9.2
F5 published an out-of-band security notification on June 17, 2026, bundling patches for two critical memory-corruption vulnerabilities in NGINX Open Source and a range of F5 NGINX products. Out-of-band releases from F5 are rare and reserved for issues the company considers too urgent to wait for the standard quarterly notification cycle.
Executive Impact
NGINX runs at the network edge of a large proportion of modern web infrastructure, serving as the internet-facing component of web applications, API gateways, Kubernetes ingress controllers, and reverse proxies. Upgrade NGINX Open Source to 1.31.2 or 1.30.3. Apply the corresponding product-specific updates for NGINX Plus, NGINX Gateway Fabric 2.6.4, and NGINX Ingress Controller. Organisations that cannot patch immediately can apply temporary mitigations: for CVE-2026-42530, disable HTTP/3 by removing the quic parameter from listen directives; for CVE-2026-42055, remove the ignore_invalid_headers off directive (restoring its default of on) or reduce large_client_header_buffers below 2MB.
Don’t Miss
F5 has not flagged either flaw as exploited in the wild. The relevant context is what happened with the previous critical NGINX flaw. CVE-2026-42945, called NGINX Rift, was a critical vulnerability patched last month. It moved from public disclosure to active exploitation within days. Both CVE-2026-42530 and CVE-2026-42055 are remotely triggerable without authentication, affect widely deployed infrastructure, and have had researcher attention since the advisory was published. Public discussion and demonstration material for CVE-2026-42530 already exists, indexed under the name nginx-quicburst. The NGINX Rift timeline means the expected window before exploitation attempts begin is days rather than weeks. NGINX deployments running HTTP/3 or HTTP/2 proxy should treat this as an immediate patching priority.
CyberSip Take
F5 does not publish out-of-band advisories unless it judges the risk as too high to sit in a quarterly cycle. That judgment alone is the signal to act. Apply the patches. For teams where patching is not immediate, apply the temporary mitigations, specifically disabling HTTP/3 on edge services if it is not required, which is a clean and low-risk mitigation for CVE-2026-42530. The NGINX Rift precedent from last month is the reason not to wait.
What happened

F5 published an out-of-band security notification on June 17, 2026, covering two critical vulnerabilities in NGINX Open Source, NGINX Plus, and related F5 products. CVE-2026-42530, rated CVSS 9.2, is a use-after-free vulnerability in the ngx_http_v3_module. It can be triggered by a remote unauthenticated attacker when NGINX is configured to use the HTTP/3 QUIC module, by reopening a QPACK encoder stream via a specially crafted HTTP/3 session. Successful exploitation crashes NGINX worker processes and, on systems where Address Space Layout Randomization is disabled or can be bypassed, can lead to arbitrary code execution. The affected NGINX Open Source versions are 1.31.0 and 1.31.1.

CVE-2026-42055, also rated CVSS 9.2, is a heap-based buffer overflow in the ngx_http_proxy_v2_module and ngx_http_grpc_module. Exploitation requires a specific configuration combination: the proxy_http_version directive set to 2 or grpc_pass in use, the ignore_invalid_headers directive set to off rather than its default of on, and the large_client_header_buffers directive set to a size above 2MB. When these conditions are met, an unauthenticated attacker can trigger the overflow through crafted HTTP/2 or gRPC traffic. Affected NGINX Open Source versions span 1.13.10 through 1.31.1.
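Because CVE-2026-42055 only fires under a combination of three directives, the practical question for most operators is whether any config in the estate actually has all three. The script below is an added example written for this brief, not F5 tooling. It takes the preconditions exactly as reported above (a quic parameter on listen for CVE-2026-42530; proxy_http_version 2 or grpc_pass, plus ignore_invalid_headers off, plus large_client_header_buffers above 2MB for CVE-2026-42055) and checks two constructed configs, one exposed and one with the advisory’s mitigations applied. The check is deliberately context-blind: a directive anywhere in the file counts, so it over-reports rather than missing a server block that inherits a setting from the http context.

```python
"""Flag NGINX configurations that meet the reported preconditions for CVE-2026-42530 / -42055.

Added example, not F5 tooling. Preconditions are taken from the advisory as reported in the
brief; VULNERABLE_CONF and MITIGATED_CONF are constructed samples. The scan is file-wide and
ignores block structure, so it errs towards reporting exposure.
"""
import re

VULNERABLE_CONF = """\
http {
    ignore_invalid_headers off;             # kept for a legacy upstream
    large_client_header_buffers 4 4m;       # above the 2MB threshold
    server {
        listen 443 ssl;
        listen 443 quic reuseport;          # HTTP/3 enabled
        location /api/ {
            proxy_http_version 2;
            proxy_pass https://backend;
        }
        location /grpc/ {
            grpc_pass grpc://grpc_backend;
        }
    }
}
"""

MITIGATED_CONF = """\
http {
    # ignore_invalid_headers left at its default (on)
    large_client_header_buffers 4 16k;
    server {
        listen 443 ssl;                     # quic parameter removed: HTTP/3 off
        location /api/ {
            proxy_http_version 2;
            proxy_pass https://backend;
        }
        location /grpc/ {
            grpc_pass grpc://grpc_backend;
        }
    }
}
"""

SIZE_UNITS = {"": 1, "k": 1024, "m": 1024 * 1024}
TWO_MB = 2 * 1024 * 1024


def parse_directives(conf):
    """Return [(name, [args])] for every simple directive; comments and block braces are ignored."""
    conf = re.sub(r"#.*", "", conf)
    return [(m.group(1), m.group(2).split())
            for m in re.finditer(r"\b([a-z_]+)\s+([^;{}]*?)\s*;", conf)]


def parse_size(token):
    """Convert an nginx size token (e.g. '16k', '4m', '8192') to bytes."""
    m = re.fullmatch(r"(\d+)([kKmM]?)", token)
    if not m:
        raise ValueError(f"unrecognised size: {token}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2).lower()]


def assess(conf):
    """Return the set of CVE identifiers whose reported preconditions this config satisfies."""
    d = parse_directives(conf)
    http3 = any(n == "listen" and "quic" in args for n, args in d)
    h2_or_grpc_proxy = any((n == "proxy_http_version" and args[:1] == ["2"]) or n == "grpc_pass"
                           for n, args in d)
    invalid_headers_off = any(n == "ignore_invalid_headers" and args[:1] == ["off"]
                              for n, args in d)
    # large_client_header_buffers takes 'number size'; only the size matters here
    big_buffers = any(n == "large_client_header_buffers" and len(args) == 2
                      and parse_size(args[1]) > TWO_MB for n, args in d)
    exposed = set()
    if http3:
        exposed.add("CVE-2026-42530")
    if h2_or_grpc_proxy and invalid_headers_off and big_buffers:
        exposed.add("CVE-2026-42055")
    return exposed


if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("mitigated", MITIGATED_CONF)):
        print(label, sorted(assess(conf)) or "no reported preconditions met")
```

Feed it the output of nginx -T so that included files are already expanded; a result of CVE-2026-42055 is a prompt to locate which server or location block carries the three directives, not proof that the block is reachable from the internet. None of this substitutes for the upgrade to 1.31.2 or 1.30.3.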

Fixed versions are NGINX Open Source 1.31.2 for the mainline branch and 1.30.3 for the stable branch. For NGINX Plus, the fix is in release R37 P1. For NGINX Gateway Fabric, the fix is in version 2.6.4. Neither vulnerability has been confirmed exploited in the wild at time of writing. Researcher discussion of CVE-2026-42530 is already visible under the name nginx-quicburst.

Recommended actions
Derived from BleepingComputer, The Hacker News, and F5 out-of-band advisory on CVE-2026-42530 and CVE-2026-42055, June 17–21, 2026.
03 Gravity SMTP Active Exploitation
Gravity SMTP plugin CVE-2026-4020 under active exploitation. An open REST endpoint returns full configuration data including API keys and OAuth tokens to any unauthenticated caller. Installed on 100,000 sites.
CVE-2026-4020 · CVSS 5.3
Wordfence reported active exploitation of CVE-2026-4020 in the Gravity SMTP WordPress plugin. The plugin registers a REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data with a permission callback that unconditionally returns true, meaning any unauthenticated visitor can call it and receive the full system report including email integration credentials.
Executive Impact
WordPress sites running Gravity SMTP should patch immediately. The stolen data from a successful exploit call includes API keys, OAuth tokens, client secrets, and SMTP credentials for every email integration the plugin has been configured with. Those credentials can be used to send phishing emails using the site’s legitimate email domain, to access email provider accounts, and potentially to pivot into services connected via OAuth. The CVSS score of 5.3 reflects the limited direct impact of the information disclosure itself, but the downstream value of the stolen credentials in phishing and account-takeover campaigns is significantly higher than that score implies.
Don’t Miss
The specific detail that makes this more significant than a typical information disclosure is the nature of what the endpoint returns. The mock-data endpoint populates all connector data from the plugin’s internal configuration and returns it as a 365KB JSON payload. That payload contains every email provider integration the site has configured: SendGrid API keys, Mailgun API keys, Amazon SES credentials, Google Workspace OAuth tokens, Microsoft 365 OAuth tokens, and similar. An attacker who calls this endpoint on a site using, for example, SendGrid for transactional email can take that API key and send emails that appear to originate from the legitimate domain with full SPF, DKIM, and DMARC alignment. Sites configured with multiple email providers are simultaneously exposing multiple credential sets.
CyberSip Take
A permission callback that returns true is a permission callback that does nothing. The REST endpoint was effectively public, and the payload it returned was exactly the credential bundle attackers need to send convincing phishing from a trusted domain. Patch the plugin, then rotate every email integration credential it held, in that order. If Gravity SMTP is installed on any site in your environment, assume the credentials have been harvested if the site was internet-accessible after the vulnerability became known.
What happened

Wordfence reported on June 19, 2026 that threat actors are actively exploiting CVE-2026-4020, a medium-severity information disclosure vulnerability in the Gravity SMTP WordPress plugin, which is installed on approximately 100,000 sites. The flaw is in a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data. The endpoint registers a permission callback function, a standard WordPress mechanism for restricting REST API access, but that callback unconditionally returns true for all callers regardless of authentication state.

When the endpoint is called with the query parameter ?page=gravitysmtp-settings appended, the plugin’s internal register_connector_data method populates the full connector configuration and returns it in the endpoint response. The response is a JSON payload of approximately 365KB containing the complete system report, including API keys, OAuth tokens, client secrets, and SMTP credentials for every email integration the plugin has been configured with. No authentication or special privileges are required; a single GET request from any network-accessible host is sufficient.
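Because a successful harvest is a single GET with a distinctive path and an unusually large 200 response, existing web-server access logs are enough to establish whether a site was hit before it was patched. The script below is an added example written for this brief, not Wordfence or Gravity Forms tooling. The log lines are constructed in the common combined format. The endpoint path and the page=gravitysmtp-settings parameter come from the reporting above; the ?rest_route= form is WordPress’s generic fallback for reaching any REST route when pretty permalinks are off, and is included as an assumption about how the same route can be addressed, not something the reporting describes. The 200KB threshold for calling a response a likely full dump is also an assumption, chosen well below the reported 365KB payload.

```python
"""Hunt combined-format access logs for calls to the Gravity SMTP mock-data endpoint (CVE-2026-4020).

Added example, not Wordfence or Gravity Forms tooling. SAMPLE_LOG is constructed. The
?rest_route= variant and the LIKELY_DUMP_BYTES threshold are assumptions (see lead-in).
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = """\
203.0.113.7 - - [19/Jun/2026:03:14:07 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "python-requests/2.32.3"
198.51.100.22 - - [19/Jun/2026:03:15:11 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Jun/2026:03:16:40 +0000] "GET /?rest_route=/gravitysmtp/v1/tests/mock-data&page=gravitysmtp-settings HTTP/1.1" 200 373760 "-" "curl/8.5.0"
192.0.2.9 - - [19/Jun/2026:03:18:02 +0000] "GET /wp-json/gravitysmtp/v1/tests/mock-data?page=gravitysmtp-settings HTTP/1.1" 403 128 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ROUTE = "/gravitysmtp/v1/tests/mock-data"
LIKELY_DUMP_BYTES = 200_000  # assumption: reported payload is ~365KB; a 200 this large is a likely full dump


def rest_route(target):
    """Return (route, query) for a request target, whether addressed via /wp-json/ or ?rest_route=."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):], query
    if "rest_route" in query:
        return query["rest_route"][0], query
    return None, query


def hunt(log_text):
    """Return one record per request that addressed the mock-data route, with a likely_dump verdict."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        route, query = rest_route(m["target"])
        if route != ROUTE:
            continue
        status = int(m["status"])
        size = 0 if m["bytes"] == "-" else int(m["bytes"])
        hits.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": status,
            "bytes": size,
            "ua": m["ua"],
            "settings_page": query.get("page", [""])[0] == "gravitysmtp-settings",
            # a 403/404 means the request was blocked or the patch was in place; only a large 200 is a harvest
            "likely_dump": status == 200 and size >= LIKELY_DUMP_BYTES,
        })
    return hits


def likely_dump_sources(hits):
    """Distinct source addresses that received a likely full configuration dump."""
    return sorted({h["ip"] for h in hits if h["likely_dump"]})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["ip"], h["status"], h["bytes"], "DUMP" if h["likely_dump"] else "-", h["ua"])
    print("sources that got a dump:", likely_dump_sources(found))
```

A single likely_dump hit is the trigger to rotate every provider credential the plugin held, in the order the CyberSip Take above gives: patch first so the endpoint stops serving, then rotate. Blocked requests (403 here) still tell you the site was being targeted and are worth keeping as indicators.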

Wordfence confirmed active exploitation in the wild. A patch is available and should be applied immediately. After patching, site operators should rotate all email provider credentials that were stored in the Gravity SMTP configuration.

Recommended actions
Derived from The Hacker News and Wordfence reporting on CVE-2026-4020, June 19–21, 2026.
Still watching
Aging items · days 2–5
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Splunk Enterprise CVE-2026-20253 CVSS 9.8 (Issue 67). Actively exploited. CISA deadline was yesterday. Patch to 10.4.0, 10.2.4, or 10.0.7. Disable the PostgreSQL sidecar service as mitigation if patching is delayed.  ·  Day 2
RoguePlanet CVE-2026-50656 (Issue 66). Microsoft confirmed working on patch. No release date. CVSS 7.8 Defender race condition grants SYSTEM on fully patched Windows 10 and 11. Application allowlisting prevents execution.  ·  Day 5
Cross-source standouts
01
FortiBleed reached 86,000 devices without a single new vulnerability
The campaign did not use a zero-day. It did not use a published CVE. It did not require a sophisticated attack chain. It found FortiGate appliances on the internet that still had the credentials Fortinet put on them at the factory and logged in. Sixty-three percent of compromised devices were accessed through either the default admin account name or built-in Fortinet system accounts. This is a meaningful number in context: Fortinet has published clear guidance for years on disabling or renaming factory-default accounts. Those 86,644 compromised devices represent organisations that had internet-facing network security appliances with factory credentials still active. The fix was documented, actionable, and free. The gap between knowing the control exists and applying it is where FortiBleed operated.
02
Three separate this-week items represent three different tiers of attacker sophistication, all producing real compromises
FortiBleed: factory credentials, no technical skill required beyond scanning and logging in. Gravity SMTP: a REST endpoint that returns credentials to anyone who calls it, no authentication or exploitation needed. NGINX critical flaws: memory-corruption vulnerabilities in HTTP/3 and HTTP/2 modules that require understanding protocol internals and specific configuration conditions to trigger. All three produced confirmed compromises or confirmed exploitation this week. The FortiBleed and Gravity SMTP attacks required almost no attacker capability. The NGINX flaws require more. The security outcome across all three is driven by the same gap: a control that was available, documented, and not applied. Credential hygiene for FortiBleed, plugin patching for Gravity SMTP, and staying current on network infrastructure patches for NGINX.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.