FortiBleed confirmed: Russian initial access broker, multi-vendor, 19,000 firewalls still actively sniffed today  ·  Cisco Unified CM CVE-2026-20230 now exploited in the wild, dropping webshells chainable to root  ·  Klue breach confirmed at 9 plus organizations, legacy credentials the stated entry point  ·  CYBERSIP.NET  ·  ISSUE 71
CyberSip™
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 71  ·  June 24, 2026  ·  3 active items  ·  Under 5 min read
Today’s picture
SOCRadar published a detailed attribution report today confirming that FortiBleed is a financially motivated Russian initial access broker operation, not simply an opportunistic credential campaign. The actor is using Masscan and Shodan to identify targets, conducting SSH brute-force attacks, deploying a custom Golang sniffer called FortigateSniffer to passively intercept authentication traffic, then cracking captured hashes and selling that access. The operation now affects over 430,000 FortiGate firewalls worldwide and is confirmed multi-vendor. Of the 80,000 identified targets, more than 19,000 are still being actively sniffed as of today. Cisco Unified CM CVE-2026-20230, an unauthenticated SSRF vulnerability that chains into arbitrary file write and root privilege escalation, has moved from PoC-available to active exploitation. Defused confirmed honeypot hits, and SSD Secure published a technical write-up showing attackers can use the WebDialer component to write webshells. The Klue breach is now confirmed at nine or more organizations whose Salesforce data was stolen; Klue attributes the breach to compromised legacy credentials and is working with CrowdStrike on the investigation.
Threat snapshot
3 active items · 2 monitoring
  • FortiBleed / Russian IAB / multi-vendor / 19,000 active sniffers
  • Cisco Unified CM CVE-2026-20230 / now exploited / webshells
  • Klue / 9 plus confirmed victims / legacy credentials / CrowdStrike
3 items this issue
Updated Today · FortiBleed · Russian IAB · Multi-Vendor
FortiBleed confirmed as a Russian initial access broker operation targeting over 430,000 firewalls across multiple vendors. 19,000 devices are still being actively sniffed today. The attacker cracks harvested credentials and sells access.
The operation uses a custom Golang tool called FortigateSniffer that abuses a legitimate FortiOS diagnostic command to passively capture authentication traffic without triggering standard detection. MSPs and IT services firms managing Fortinet devices for multiple customers are directly in scope, making this a supply chain risk for their downstream clients as well as their own environments.
June 24 · Cisco Unified CM · Now Exploited
Cisco Unified CM CVE-2026-20230 now exploited in the wild. Unauthenticated attackers are using the WebDialer SSRF to write webshells to disk, chainable to root. Requires WebDialer to be enabled. Patch to 14SU6 or 15SU5.
Defused confirmed honeypot hits. SSD Secure published a full technical write-up showing the file:// URI technique used to write arbitrary files. CVSS 8.6 understates the risk because the end state is full root compromise. Disable WebDialer immediately if patching is delayed.
June 24 · Klue Breach
Klue breach confirmed at 9 or more organizations. Klue attributes access to compromised legacy credentials and is working with CrowdStrike and law enforcement. The data release deadline stated by Icarus has now passed.
Klue confirmed the attacker used those legacy credentials to obtain OAuth tokens connected to Salesforce and other third-party platforms and access customer data. Multiple cybersecurity firms are among the confirmed victims. The full scope continues to expand as organizations complete their forensic reviews.
Detailed intelligence
Full analysis
01 FortiBleed Russian IAB Multi-Vendor
FortiBleed confirmed as a financially motivated Russian initial access broker operation. 430,000 firewalls in scope, multi-vendor, 19,000 actively sniffed today. Access sold after credential cracking.
FortiBleed · SOCRadar · June 24
SOCRadar published a detailed attribution and technical report today confirming FortiBleed is operated by a financially motivated Russian-speaking threat actor working as an initial access broker. The operation is not limited to Fortinet. While FortiGate is the primary target, the actor uses the same methodology against other exposed firewall and network appliance vendors. 19,000 devices remain under active sniffing as of today.
Executive Impact
The confirmation that this is an initial access broker operation changes the risk model. The attacker is not conducting targeted espionage. He is building and selling access at scale. That means compromised credentials from a FortiGate sniffing operation may have already been purchased and are being held for use by ransomware groups, nation-state actors, or other threat actors the broker sold to. Patching FortiGate and rotating credentials addresses the harvesting. It does not retract access that has already been sold. Organizations that were among the compromised should treat credential rotation as urgent and should monitor for lateral movement indicators that may represent a buyer using purchased access.
Don’t Miss
SOCRadar specifically calls out MSPs and IT services firms that manage Fortinet devices on behalf of their clients as squarely within the scope of FortiBleed targeting. A managed service provider with a compromised FortiGate device is not just exposed for its own environment. It is potentially a pivot point into every client organization whose network runs through that device. FortigateSniffer, the custom Golang tool the attacker deploys, abuses a legitimate FortiOS diagnostic command to capture authentication traffic passively. It does not create new processes or network connections that differ significantly from normal FortiOS activity, which makes it particularly difficult to detect through standard log monitoring. SOCRadar notes the attacker then uses the stolen session cookies to establish persistent access that survives password rotation, unless those sessions are explicitly invalidated.
CyberSip Take
FortiBleed started as a large-scale default credential compromise. It has become a documented Russian IAB operation with 110 million captured credentials, active sniffers on 19,000 devices today, and access sold to downstream buyers. Each day that a device remains compromised and sniffing adds more credentials to that database and more buyers to the downstream risk. The remediation actions from Issues 68 and 69 have not changed, but the urgency of acting on them has only increased.
What is new today

SOCRadar published a comprehensive technical and attribution report today on FortiBleed, confirming it is a financially motivated Russian initial access broker operation. The report names the actor as a known Russian-speaking IAB who has been operating FortiBleed since at least February 2026 and has been identified in prior campaigns targeting network infrastructure. The scope has expanded from the 86,644 verified device credentials reported on June 19 to cover over 430,000 FortiGate firewalls identified as within the operation’s scanning scope, with 80,000 positively identified as targets and more than 19,000 still being actively sniffed as of today.

The operation is confirmed multi-vendor. While the majority of targets are Fortinet devices, the same methodology has been observed against other exposed firewall and network appliance products. SOCRadar describes a four-stage operation: Masscan and Shodan are used to discover exposed management interfaces; SSH brute-force attacks are conducted against devices, with default and factory credentials succeeding on the majority of initial compromises as documented in Issue 68; FortigateSniffer is deployed on compromised devices to passively capture authentication traffic using the legitimate FortiOS diagnostic command; and captured credential hashes are exfiltrated, cracked using GPU clusters, validated, and sold on criminal forums as access packages for downstream buyers.

The report notes that stolen session cookies provide persistent access that survives password rotation unless sessions are explicitly invalidated at the server side, and that FortigateSniffer blends into normal FortiOS activity, making it difficult to detect through standard authentication log monitoring alone. MSPs and IT services firms managing Fortinet devices on behalf of clients are specifically identified as high-value targets whose compromise creates downstream exposure for all of their managed clients.
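One way to act on the session-cookie point above, as an added example that is not from the brief, SOCRadar or Fortinet: it replays constructed FortiOS-style key=value login/logout events and lists the administrative sessions that were opened before a credential rotation and are still open, since those are the ones a password change alone does not terminate. The field names, log layout and sample lines are assumptions constructed for illustration.

```python
"""Find admin sessions that predate a credential rotation and are still open.

Added example, not from the brief, SOCRadar or Fortinet. It replays constructed
FortiOS-style key=value event log lines; field names (user, srcip, ui, action,
status) and the date/time layout are assumed for illustration. It shows the
report's point that a password change does not end a session established with
the old credential: such sessions must be found and invalidated explicitly.
"""
import re
from datetime import datetime

# Constructed sample log lines (not real device output).
SAMPLE_LOG = """\
date=2026-06-24 time=08:02:11 type=event subtype=system action=login status=success user=admin srcip=10.0.0.5 ui="https(10.0.0.5)"
date=2026-06-24 time=08:40:00 type=event subtype=system action=login status=success user=netops srcip=10.0.0.9 ui="ssh(10.0.0.9)"
date=2026-06-24 time=09:15:30 type=event subtype=system action=logout status=success user=netops srcip=10.0.0.9 ui="ssh(10.0.0.9)"
date=2026-06-24 time=09:30:00 type=event subtype=system action=login status=success user=admin srcip=203.0.113.7 ui="https(203.0.113.7)"
date=2026-06-24 time=11:00:00 type=event subtype=system action=login status=success user=admin srcip=10.0.0.5 ui="https(10.0.0.5)"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def open_sessions(log_text):
    """Replay login/logout events; return {(user, srcip, ui): [login times]}.
    Each successful login appends a session; a logout for the same key closes
    the most recent one. Whatever remains is still open at the end of the log.
    """
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("type") != "event" or rec.get("status") != "success":
            continue
        key = (rec.get("user"), rec.get("srcip"), rec.get("ui"))
        when = datetime.strptime(rec["date"] + " " + rec["time"], TIME_FMT)
        if rec.get("action") == "login":
            sessions.setdefault(key, []).append(when)
        elif rec.get("action") == "logout" and sessions.get(key):
            sessions[key].pop()
    return {k: v for k, v in sessions.items() if v}


def sessions_to_invalidate(log_text, rotated_at):
    """Return open sessions established before the rotation timestamp.
    Logins after `rotated_at` used the new credential and are left alone; the
    ones returned survived the rotation and need explicit termination.
    """
    rotated = datetime.strptime(rotated_at, TIME_FMT)
    return sorted(
        (user, srcip, ui, started.strftime(TIME_FMT))
        for (user, srcip, ui), starts in open_sessions(log_text).items()
        for started in starts
        if started < rotated
    )


if __name__ == "__main__":
    for row in sessions_to_invalidate(SAMPLE_LOG, "2026-06-24 10:00:00"):
        print("invalidate:", row)
```

With the sample data and a rotation at 10:00, the two admin logins from before the rotation are listed (one of them from an address still active alongside a newer login from the same host), while the logged-out netops session and the post-rotation login are not.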

Recommended actions
Derived from SecurityWeek and SOCRadar FortiBleed attribution report, June 24, 2026.
02 Cisco Unified CM Now Exploited
Cisco Unified CM CVE-2026-20230 now confirmed exploited in the wild. Attackers use the WebDialer SSRF to write webshells to disk. The chain leads to root. Disable WebDialer and patch to 14SU6 or 15SU5.
CVE-2026-20230 · CVSS 8.6
Defused confirmed exploitation attempts on honeypots today. SSD Secure published a detailed technical write-up showing attackers are abusing the WebDialer component’s handling of user-supplied URLs to force the server to write arbitrary files to the OS using file:// URIs. Cisco patched CVE-2026-20230 on June 3 with a public PoC already available at advisory time. The window between patch and active exploitation was three weeks.
Executive Impact
Organizations running Cisco Unified CM or Unified CM Session Management Edition with WebDialer enabled should treat this as an immediate patching priority. Patch to Release 14SU6 or Release 15SU5, or apply the available COP file for Release 15 environments. If patching cannot happen immediately, disable the WebDialer service now, since the vulnerability is only exploitable when WebDialer is running. Audit the underlying OS file system on any Unified CM instance where WebDialer was enabled and internet-accessible since June 3 for unexpected files in the /tmp directory, webshell patterns in the web application directories, and unexpected scheduled tasks or processes.
Don’t Miss
The CVSS score of 8.6 reflects only the file write primitive, not the root escalation that follows from it. Cisco rated its own advisory Critical specifically because a successful file write can be chained into full root compromise of the Unified CM server, even though the direct CVSS impact registers only as an integrity violation. This is a known limitation of CVSS for multi-stage attack chains, and it is exactly the pattern this brief flagged when the patch first dropped three weeks ago. The gap between the CVSS score and the real-world risk is the reason to follow Cisco’s own advisory severity rating rather than the numerical score when making patching priority decisions. Unified CM is enterprise telephony infrastructure. A root compromise gives an attacker access to authentication data, internal network pivots, and the ability to intercept or redirect voice and collaboration traffic.
CyberSip Take
Three weeks from public PoC to confirmed exploitation is exactly the window this brief predicted when the patch dropped. Cisco patched, a PoC immediately appeared, and now the window has closed. Disable WebDialer today on any Unified CM instance that has not yet been patched. Treat any instance where WebDialer was running and network-accessible since June 3 as a potential compromise and audit accordingly.
What happened

Defused reported today that its honeypot network has detected exploitation attempts against Cisco Unified CM targeting CVE-2026-20230. The exploitation activity observed appears focused on scanning for vulnerable instances by attempting to write a test file, /tmp/cve-2026-20230-test.txt, to confirm the file write primitive is accessible. SSD Secure published a full technical write-up today explaining the exploitation chain in detail.

CVE-2026-20230 is a server-side request forgery vulnerability in the Cisco Unified CM WebDialer component. WebDialer is a browser-based click-to-dial service that allows users to initiate calls from directory pages. It ships disabled by default but is commonly enabled in enterprise Unified CM deployments. The flaw exists because WebDialer improperly validates user-supplied URLs in certain HTTP requests. An attacker can supply a crafted file:// URI that causes the WebDialer process to open a file path on the underlying operating system and write attacker-controlled content to it. Because the WebDialer process runs with elevated privileges, the file write can target sensitive system paths. Cisco confirmed in its June 3 advisory that files written through this mechanism can later be used to escalate to root.

Cisco first patched the vulnerability on June 3, 2026, and confirmed at the time that public proof-of-concept exploit code was already available. Cisco’s PSIRT stated no malicious exploitation had been detected at that date. The gap between PoC publication and confirmed exploitation was approximately three weeks, consistent with the exploitation timeline seen on previous high-profile Cisco vulnerabilities. This is the third significant privilege-escalation vulnerability in Cisco Unified CM in roughly two years, following CVE-2024-20253 in January 2024 and CVE-2026-20045, which was actively exploited as a zero-day before a patch was available, in January 2026.
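The detection side of the chain described above, as an added example that is not the brief's, Cisco's, Defused's or SSD Secure's code: it scans constructed Apache-style access log lines for requests under an assumed /webdialer/ path whose query parameters decode to a file: scheme URI, including percent-encoded and double-encoded forms. The path prefix, parameter names, log format and sample lines are assumptions made for illustration.

```python
"""Flag WebDialer requests whose parameters carry a file: scheme URI.

Added example, not from the brief, Cisco, Defused or SSD Secure. It scans
constructed access log lines in Apache combined format; the path prefix
/webdialer/ and the parameter names in the samples are assumptions for
illustration, not a description of the real endpoint. It shows the detection
side of the write-up: the dangerous input is a URL with the file scheme, which
may arrive percent-encoded (even twice) and so must be decoded before matching.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access log lines (not real Unified CM output).
SAMPLE_LOG = """\
192.0.2.10 - - [24/Jun/2026:09:01:02 +0000] "GET /webdialer/Webdialer?cmd=dial&dest=5551234 HTTP/1.1" 200 512
192.0.2.10 - - [24/Jun/2026:09:01:05 +0000] "GET /ccmadmin/showHome.do HTTP/1.1" 200 2048
198.51.100.7 - - [24/Jun/2026:09:02:10 +0000] "GET /webdialer/Webdialer?cmd=dial&dest=file:///tmp/constructed-example.txt HTTP/1.1" 200 64
198.51.100.7 - - [24/Jun/2026:09:02:11 +0000] "GET /webdialer/Webdialer?cmd=dial&dest=FILE%3A%2F%2F%2Ftmp%2Fconstructed-example.txt HTTP/1.1" 200 64
198.51.100.7 - - [24/Jun/2026:09:02:12 +0000] "GET /webdialer/Webdialer?cmd=dial&dest=file%253A%252F%252F%252Ftmp%252Fx HTTP/1.1" 200 64
203.0.113.9 - - [24/Jun/2026:09:03:00 +0000] "GET /webdialer/Webdialer?cmd=dial&dest=https://directory.example/page HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
WATCHED_PREFIX = "/webdialer/"  # assumed path prefix for the component
FILE_SCHEME = re.compile(r"^\s*file:", re.IGNORECASE)


def fully_decode(value, rounds=3):
    """Percent-decode until stable (bounded), so single- and double-encoded input compare alike."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def file_scheme_params(target):
    """Return [(name, decoded_value)] for query parameters that decode to a file: URI."""
    hits = []
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = fully_decode(raw)
        if FILE_SCHEME.match(decoded):
            hits.append((name, decoded))
    return hits


def scan_access_log(log_text):
    """Return (client ip, timestamp, parameter, decoded URI) per suspicious request.
    Only requests under the watched prefix are examined; https:// destinations pass.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m.group("target").startswith(WATCHED_PREFIX):
            continue
        for name, uri in file_scheme_params(m.group("target")):
            findings.append((m.group("ip"), m.group("ts"), name, uri))
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print("suspicious WebDialer request:", finding)
```

On the sample data, the three requests from 198.51.100.7 are flagged (plain, upper-case percent-encoded and double-encoded), while the ordinary dial request, the non-WebDialer page and the https:// destination are not.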

Recommended actions
Derived from BleepingComputer and SecurityWeek reporting on CVE-2026-20230 exploitation, June 24, 2026.
03 Klue Breach Expanding
Klue breach confirmed at 9 or more organizations. Klue attributes entry to compromised legacy credentials and is working with CrowdStrike and law enforcement. The data release deadline stated by Icarus has passed.
Klue · CrowdStrike · June 24
SecurityWeek confirmed today that at least nine organizations have publicly acknowledged that Salesforce data was stolen through their Klue integration. Klue issued a formal statement confirming the breach originated from a legacy credential compromise and that the attacker used that access to collect OAuth tokens from connected customer platforms. CrowdStrike and law enforcement are engaged.
Executive Impact
If your organization has not yet received direct confirmation of impact from Klue, do not interpret that as confirmation you were unaffected. Klue is still completing its forensic review and the scope continues to expand. Any organization that used the Klue Battlecards integration with Salesforce between June 11 and June 17 should proactively audit Salesforce API logs for the indicators described in Issue 67, rotate all Salesforce OAuth tokens and connected app credentials for the Klue integration, and review what other third-party platforms were connected to Klue in their environment.
Don’t Miss
Klue’s statement confirming legacy credentials as the entry point aligns with the pattern this brief has documented repeatedly in 2026: Mastra, Nx Console, the Miasma worm, Klue, and FortiBleed all share the same root cause. An access relationship that outlived its usefulness and was never formally ended became the entry point for a significant incident. Klue is now working with CrowdStrike and law enforcement, Salesforce has disabled the Klue integration platform-wide, and the Icarus extortion group’s June 22 data release deadline has passed without confirmed publication of the full dataset. That deadline passing does not close the extortion risk. Icarus may publish in batches, extend the timeline, or sell the data to another party rather than releasing it publicly.
CyberSip Take
The Icarus deadline passed. The breach scope is still expanding. Klue has now formally confirmed what Huntress documented a week ago. The practical actions for organizations that used Klue and Salesforce together are unchanged from Issue 67. What has changed is that nine or more confirmed victims are now on the record, the investigation is formally underway with CrowdStrike, and waiting for Klue to contact you is no longer a reasonable posture for organizations that have not yet conducted their own audit.
What is new today

SecurityWeek reported today that at least nine organizations have publicly confirmed that data was stolen from their Salesforce instances through the Klue Battlecards integration, including multiple cybersecurity vendors. Klue issued a formal statement on Friday confirming the full scope of what occurred and publicly acknowledging legacy credentials as the entry point for the first time.

Klue said the attacker used compromised legacy credentials to gain access to its systems on June 11 and 12, then collected OAuth tokens connecting Klue to Salesforce and other third-party platforms for a number of customer environments. The company revoked the affected credentials and tokens, disabled the relevant integrations, and is working with CrowdStrike to investigate the incident. Law enforcement has also been engaged. Klue stated it has been notifying affected customers and will continue to do so as its investigation progresses.

The extortion group Icarus’s stated June 22 deadline for data publication or negotiations has passed. As of today, the full stolen dataset has not been confirmed as publicly released, though Icarus has previously stated responsibility for the attack on its Tor-based leak site. The investigation and victim scope remain active and ongoing.

Recommended actions
Derived from SecurityWeek reporting on expanded Klue breach disclosure, June 24, 2026.
Still watching
Aging items · days 2–5
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Squidbleed CVE-2026-47729 (Issue 70). 29-year-old Squid Proxy heap overread, no patch yet. Disable FTP in squid.conf as immediate mitigation. Squid 7.7 will contain the fix. Not yet confirmed exploited in the wild. · Day 2
RoguePlanet CVE-2026-50656 (Issue 66). Microsoft patch still pending. CVSS 7.8. Application allowlisting prevents execution. Monitor MSRC for release. · Day 7
Cross-source standouts
01
FortiBleed is an access supply chain. The end buyer is unknown.
An initial access broker does not compromise and use access for a single purpose. He packages it and sells it. FortiBleed has been harvesting credentials since February, cracking them with GPU clusters, validating them, and listing them for sale on criminal forums. The organizations whose FortiGate devices were compromised are not just exposed to the IAB who harvested the credentials. They are exposed to every actor who purchased that access since February. Some of those buyers will be ransomware operators. Some may be nation-state groups who use IAB services to maintain deniability. Some may be sitting on the access they purchased, waiting for an operational moment. Rotating credentials and patching FortiGate closes the harvesting channel. It does not retract access already sold. Monitoring for lateral movement from previously valid-looking credentials is the next control organizations need to apply.
02
Three weeks is now the observed window between PoC publication and active exploitation for Cisco enterprise vulnerabilities
CVE-2026-20045 in Cisco Unified CM was exploited as a zero-day before a patch existed. CVE-2026-20230, patched on June 3 with a public PoC available the same day, moved to confirmed active exploitation in three weeks. The Cisco SD-WAN Manager flaws documented across Issues 56 and 65 of this brief averaged a similar gap between advisory and confirmed exploitation. For Cisco enterprise telephony and networking products, the operational patching window is measured in weeks, not months. That is not enough time for most enterprise change management processes to complete a standard patch cycle. The implication is that organizations running Cisco Unified CM, SD-WAN Manager, or similar high-value enterprise platforms should treat critical and high-severity advisories for those products as emergency-level items requiring expedited change control, not normal cycle candidates.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.