Anomali Cyber Watch
Public Sector

FortiBleed Exposes 75,000 Firewalls: What State Government CISOs Must Do Right Now

Published on
June 18, 2026
<p> <strong> Threat Assessment Level: ELEVATED </strong> </p> <p> <em> (Raised from GUARDED; driven by the FortiBleed credential exposure campaign and compounding unpatched zero-day risk) </em> </p> <h2> <strong> Executive Summary </strong> </h2> <p> A Russian-speaking threat group has extracted working administrator credentials from approximately 75,000 Fortinet FortiGate firewalls worldwide, including confirmed government agencies. At the same time, a Windows Defender privilege escalation zero-day (CVE-2026-50656) remains unpatched with a public exploit circulating for eight days, and critical NGINX vulnerabilities enable remote code execution on citizen-facing web infrastructure that has not yet taken the June 18 patches. For state government IT leaders, these three developments form a complete attack chain: perimeter credential theft &rarr; endpoint privilege escalation &rarr; ransomware deployment. Active ransomware groups (Qilin, Play, Krybit, Gunra) were all updated this week and are positioned to exploit exactly this combination. </p> <p> This is not theoretical. Murray County, Georgia paid a $200,000 ransom on June 16 after a ransomware attack encrypted tax, court, and law enforcement systems, including backups. Your state could be next. </p> <h2> <strong> What Changed </strong> </h2> <p> The past 72 hours introduced a convergence of threats that individually warrant attention but together represent a compounding crisis: </p> <ul> <li> <strong> FortiBleed (June 17&ndash;18): </strong> A productized credential catalog rather than a traditional breach: admin passwords for ~75,000 FortiGate devices across 194 countries, enriched with business intelligence metadata (industry, revenue, employee count) and formatted for eCrime marketplace sales. A 45-GPU cracking cluster processed 1.16 billion credential attempts against 320,777 targets. 
</li> <li> <strong> CVE-2026-50656 "RoguePlanet" (Day 8 unpatched): </strong> A TOCTOU race condition in Microsoft Defender's file-processing workflow enables SYSTEM-level privilege escalation on all Windows 10/11 endpoints. Public proof-of-concept by "Nightmare Eclipse" has been circulating since June 10. Microsoft has acknowledged but released no fix. </li> <li> <strong> F5 NGINX Critical RCE (June 18): </strong> Out-of-band patches for CVE-2026-42530 (HTTP/3 use-after-free) and CVE-2026-42055 (heap overflow) enabling unauthenticated remote code execution. F5 also disclosed that state-backed attackers breached F5 systems in August 2025, stealing BIG-IP source code. </li> <li> <strong> 5 Rockwell Automation ICS Advisories (June 16): </strong> Including account takeover on FLEX I/O EtherNet/IP adapters used in water treatment and energy SCADA environments. </li> <li> <strong> Oracle PeopleSoft Mass Exploitation (June 12&ndash;present): </strong> ShinyHunters/UNC6040 began exploiting CVE-2026-35273 as a zero-day on June 12, compromising approximately 100 organizations in five days. State HR and finance PeopleSoft instances managing payroll for tens of thousands of employees are confirmed high-value targets. </li> <li> <strong> Nation-State Pre-Positioning: </strong> APT29 (Russia SVR) is running an active cloud campaign against government targets (June 16); China-nexus actors are conducting IIS exploitation (June 17); Sandworm/Electrum IOCs were updated June 18; UNC5435 (Russia-nexus) is running a Signal phishing campaign against government personnel (June 16); and VOID MANTICORE/Handala (IRGC-affiliated) confirmed a breach of California water utilities on June 12. </li> <li> <strong> Ransomware operators active: </strong> Qilin confirmed targeting government sector (June 8 spree), Play and Krybit updated June 17, Gunra updated June 12. 
</li> </ul> <h2> <strong> Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Impact </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> May 13, 2026 </p> </td> <td> <p> Murray County, GA ransomware attack encrypts tax, court, and law enforcement systems </p> </td> <td> <p> County operations paralyzed; backups destroyed </p> </td> </tr> <tr> <td> <p> Jun 8, 2026 </p> </td> <td> <p> Qilin ransomware spree confirmed (ZeroFox) </p> </td> <td> <p> Government sector targeting continues </p> </td> </tr> <tr> <td> <p> Jun 10, 2026 </p> </td> <td> <p> CVE-2026-50656 "RoguePlanet" PoC published </p> </td> <td> <p> All Windows 10/11 endpoints vulnerable to local privilege escalation </p> </td> </tr> <tr> <td> <p> Jun 12, 2026 </p> </td> <td> <p> ShinyHunters/UNC6040 mass exploitation of Oracle PeopleSoft (CVE-2026-35273) begins </p> </td> <td> <p> ~100 organizations compromised in 5 days </p> </td> </tr> <tr> <td> <p> Jun 12, 2026 </p> </td> <td> <p> Handala/VOID MANTICORE breaches California water utilities </p> </td> <td> <p> <strong> IRGC-affiliated actor targeting U.S. 
critical infrastructure </strong> </p> </td> </tr> <tr> <td> <p> Jun 16, 2026 </p> </td> <td> <p> Murray County pays $200,000 ransom </p> </td> <td> <p> Demonstrates state/local government willingness to pay </p> </td> </tr> <tr> <td> <p> Jun 16, 2026 </p> </td> <td> <p> CISA adds CVE-2026-48907 to KEV (active exploitation) </p> </td> <td> <p> Product details pending NVD publication </p> </td> </tr> <tr> <td> <p> Jun 16, 2026 </p> </td> <td> <p> CISA publishes 5 Rockwell ICS advisories </p> </td> <td> <p> Water/energy SCADA at risk </p> </td> </tr> <tr> <td> <p> Jun 17, 2026 </p> </td> <td> <p> FortiBleed dataset surfaces publicly </p> </td> <td> <p> 75,000 FortiGate admin credentials exposed </p> </td> </tr> <tr> <td> <p> Jun 17, 2026 </p> </td> <td> <p> Play, Krybit ransomware groups update operations </p> </td> <td> <p> Active targeting posture confirmed </p> </td> </tr> <tr> <td> <p> Jun 18, 2026 </p> </td> <td> <p> <strong> F5 NGINX critical RCE patches released (CVE-2026-42530, CVE-2026-42055) </strong> </p> </td> <td> <p> Unpatched citizen-facing web apps exposed </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. FortiBleed: The Largest Credential Exposure of 2026 </strong> </h3> <p> This is not a vulnerability; it is an industrialized access-broker operation. The threat group pulled admin credentials out of FortiGate device configurations (password hashes, plus anything the configurations held in cleartext), cracked the hashes on a 45-GPU cluster, and packaged the results as a curated sales catalog for ransomware operators and nation-state actors. Because the exposed asset is the credential itself rather than a software flaw, no firmware update closes it: a password that is already in the catalog stays valid until it is rotated. 
</p> <p> <strong> Why state government is at elevated risk: </strong> </p> <ul> <li> Fortinet FortiGate is standard procurement across state agencies </li> <li> The dataset includes government agencies by name </li> <li> Credentials are formatted with industry/revenue metadata &mdash; government targets are explicitly tagged </li> <li> Access brokers sell to ransomware operators who specifically target state/local government for media attention and weak security budgets </li> </ul> <p> <strong> Relevant ATT&amp;CK techniques: </strong> T1078 (Valid Accounts), T1552.001 (Credentials in Files), T1110.002 (Password Cracking), T1133 (External Remote Services) </p> <h3> <strong> 2. CVE-2026-50656 "RoguePlanet": The Unpatched Escalation Path </strong> </h3> <p> With FortiBleed providing initial access and RoguePlanet providing privilege escalation, ransomware operators have a complete kill chain requiring zero custom tooling. The PoC is reliable, automated retry mechanisms are being developed by the community, and Microsoft has provided no patch timeline. </p> <p> <strong> CVSS: </strong> 7.8 | <strong> CWE: </strong> CWE-362 (Race Condition) </p> <p> <strong> Affected: </strong> All fully-patched Windows 10 and Windows 11 endpoints </p> <h3> <strong> 3. 
Nation-State Pre-Positioning Continues </strong> </h3> <p> Active campaigns this cycle include: </p> <ul> <li> <strong> WARLORD KITTEN / Handala / VOID MANTICORE </strong> (IRGC-affiliated, Iran): confirmed breach of California water utilities </li> <li> <strong> APT29 </strong> (Russia SVR): active cloud campaign targeting government (June 16) </li> <li> <strong> China-nexus </strong>: IIS exploitation campaign (June 17) </li> <li> <strong> Sandworm/Electrum </strong> (Russia GRU): active IOCs updated June 18 </li> <li> <strong> UNC5435 </strong> (Russia-nexus): Signal phishing campaign targeting government personnel (June 16) </li> </ul> <p> <strong> Notable absence: </strong> No Volt Typhoon / Salt Typhoon activity was observed in this cycle's reporting. Given their documented pre-positioning in U.S. critical infrastructure, silence should prompt proactive hunting, not reassurance. </p> <h3> <strong> 4. Oracle PeopleSoft Under Active Mass Exploitation </strong> </h3> <p> ShinyHunters/UNC6040 exploited CVE-2026-35273 as a zero-day beginning June 12, compromising approximately 100 organizations in five days. State HR/Finance PeopleSoft instances managing payroll for 50,000+ employees are high-value targets. The June 2026 Critical Patch Update addresses 243 CVEs. </p> <h3> <strong> 5. ICS/SCADA: Accelerating Vulnerability Discovery </strong> </h3> <p> Five Rockwell Automation advisories in a single batch, making this the third consecutive cycle with Rockwell vulnerabilities. The FLEX I/O EtherNet/IP account takeover vulnerability is particularly concerning for water treatment and energy SCADA environments where these adapters control physical processes. Because OT patch windows are long, the compensating control until firmware is applied is reachability: EtherNet/IP (TCP 44818 explicit messaging, UDP 2222 implicit I/O) on these adapters should be reachable only from the control network, never from the IT side of the boundary. 
</p> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> FortiBleed credentials appear on eCrime forums, triggering opportunistic attacks against unrotated credentials </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> 48 hours </p> </td> <td> <p> Dataset is formatted as sales catalog; access-broker monetization patterns </p> </td> </tr> <tr> <td> <p> CVE-2026-50656 exploitation observed in the wild </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> <strong> Public PoC, no patch, high reliability, low complexity </strong> </p> </td> </tr> <tr> <td> <p> State government entity targeted via FortiBleed credentials </p> </td> <td> <p> <strong> 30% </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> Government agencies confirmed in dataset; ransomware operators actively seeking government targets </p> </td> </tr> <tr> <td> <p> Ransomware deployment leveraging FortiBleed + RoguePlanet chain </p> </td> <td> <p> <strong> 40% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> All components available; Qilin/Play/Krybit actively targeting government </p> </td> </tr> <tr> <td> <p> NGINX RCE exploitation against government web infrastructure </p> </td> <td> <p> <strong> 25% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Both bugs sit in non-default features (HTTP/3 for CVE-2026-42530, proxy_v2/grpc for CVE-2026-42055 per the CVE reference table); state adoption of QUIC is limited but growing </p> </td> </tr> <tr> <td> <p> Rockwell ICS exploitation in water/energy environment </p> </td> <td> <p> <strong> 20% </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Advisories just published; exploitation requires network access to OT segment </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> 
Detection Priorities </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> What to Monitor </strong> </p> </th> <th> <p> <strong> ATT&amp;CK ID </strong> </p> </th> <th> <p> <strong> Detection Logic </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> FortiGate admin logins from unexpected IPs/times </p> </td> <td> <p> T1078 </p> </td> <td> <p> Alert on successful admin authentication from non-allowlisted source IPs or outside change windows, and on failed attempts from outside the allowlist; correlate with the FortiBleed exposure check </p> </td> </tr> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> Rapid file-substitution in Defender scan paths </p> </td> <td> <p> T1068 </p> </td> <td> <p> Monitor C:\ProgramData\Microsoft\Windows Defender\Scans\ for rapid file creation/deletion patterns from processes other than Defender's own binaries; alert on unexpected SYSTEM process spawning from Defender workers </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> New admin accounts on FortiGate devices </p> </td> <td> <p> T1136.001 </p> </td> <td> <p> Audit the FortiGate admin account list for additions since January 2026. Running-config entries carry no creation timestamp, so diff the current "config system admin" block against archived backups and the configuration-change event log rather than relying on account attributes </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> LSASS memory access post-RoguePlanet </p> </td> <td> <p> T1003.001 </p> </td> <td> <p> Enable LSA protection (RunAsPPL) where possible; alert on non-standard processes opening handles to LSASS </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> Anomalous M365 Copilot cross-application queries </p> </td> <td> <p> T1530 </p> </td> <td> <p> Review Copilot audit logs for bulk data retrieval spanning email + SharePoint + OneDrive in a single session </p> </td> </tr> <tr> <td> <p> <strong> MODERATE </strong> </p> </td> <td> <p> External Remote Services on FortiGate </p> </td> <td> <p> T1133 </p> </td> <td> <p> Audit VPN/SSL-VPN sessions for credential reuse patterns; look for simultaneous sessions from geographically impossible locations </p> </td> </tr> <tr> <td> <p> <strong> MODERATE 
</strong> </p> </td> <td> <p> Living-off-the-land on edge devices </p> </td> <td> <p> T1059 </p> </td> <td> <p> Hunt for unexpected CLI commands, scheduled tasks, or firmware modifications on Cisco/Fortinet/Palo Alto devices </p> </td> </tr> </tbody> </table> <h3> <strong> Hunting Hypotheses </strong> </h3> <ol> <li> <strong> "Has FortiBleed already been used against us?" </strong> &mdash; Query FortiGate admin authentication logs for successful logins from unrecognized IPs since January 2026. Cross-reference with any new admin accounts, firewall rule modifications, or VPN tunnel creations during non-business hours. </li> <li> <strong> "Is Volt Typhoon pre-positioned on our edge devices?" </strong> &mdash; Hunt for living-off-the-land indicators on Cisco and Fortinet perimeter devices: unexpected scheduled tasks, modified firmware images, unusual outbound connections from management interfaces, or configuration changes not matching change management tickets. </li> <li> <strong> "Has RoguePlanet been weaponized in our environment?" </strong> &mdash; Search EDR telemetry for processes interacting with Windows Defender scan directories at high frequency, particularly any non-Defender process writing to C:\ProgramData\Microsoft\Windows Defender\Scans\. Look for unexpected SYSTEM-level cmd.exe or PowerShell spawning from MsMpEng.exe or related Defender service processes. </li> <li> <strong> "Are our PeopleSoft instances compromised?" </strong> &mdash; Audit Oracle PeopleSoft web server logs for exploitation patterns matching CVE-2026-35273. Review database audit logs for unauthorized data exports from HR/payroll tables since June 12. 
</li> </ol> <h3> <strong> Blocking Guidance </strong> </h3> <ul> <li> Block management interface access to FortiGate devices from all external IPs immediately: remove HTTPS and SSH from the WAN interface's allowaccess list and set trusthost entries on every admin account, so that a cracked password is useless from outside the management network </li> <li> Implement conditional access policies requiring hardware tokens for all network device administration </li> <li> If NGINX HTTP/3 (QUIC) is enabled on citizen-facing applications, remove the QUIC listeners pending patching or apply vendor patches immediately. Disabling QUIC only removes the HTTP/3 attack surface (CVE-2026-42530); CVE-2026-42055, which the CVE reference table places in the proxy_v2/grpc path, needs the patched build regardless </li> </ul> <p> <em> For specific network IOCs (IPs, domains, hashes) associated with the campaigns discussed in this report, refer to Anomali ThreatStream Next-Gen for the latest indicators. </em> </p> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (State Treasury, Tax Systems, Benefits Processing) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> FortiBleed credentials enabling access to financial transaction systems; ransomware targeting tax processing during fiscal year-end </li> <li> <strong> Priority action: </strong> Verify FortiGate devices protecting treasury/tax network segments are not in the FortiBleed dataset; rotate all privileged credentials on financial systems; ensure Oracle PeopleSoft financial modules are patched against CVE-2026-35273 </li> <li> <strong> Detection focus: </strong> Anomalous database queries against tax records, bulk PII export, unauthorized ACH/wire transfer configurations </li> </ul> <h3> <strong> Energy (State-Managed Utilities, Grid Operations) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Rockwell FLEX I/O account takeover (ICSA-26-167-05) in SCADA environments; IRGC-affiliated actors (VOID MANTICORE) demonstrated capability against U.S. 
water utilities </li> <li> <strong> Priority action: </strong> Patch FLEX I/O EtherNet/IP adapters immediately; verify IT/OT network segmentation prevents lateral movement from compromised FortiGate to SCADA networks; audit remote access to energy management systems </li> <li> <strong> Detection focus: </strong> Unauthorized CIP protocol commands to Logix controllers, new accounts on FLEX I/O adapters, anomalous traffic crossing IT/OT boundaries </li> </ul> <h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Ransomware operators (Qilin, Play) actively targeting healthcare-adjacent government systems; PeopleSoft HR systems containing employee health data </li> <li> <strong> Priority action: </strong> Validate backup integrity for Medicaid claims processing systems; ensure RoguePlanet detection is deployed on clinical and administrative endpoints; review third-party vendor access to health data systems </li> <li> <strong> Detection focus: </strong> Encryption activity on file shares containing PHI, lateral movement from compromised endpoints to Medicaid databases, unauthorized access to benefits eligibility systems </li> </ul> <h3> <strong> Government (Executive Branch Agencies, Law Enforcement) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> The Murray County attack demonstrates that law enforcement systems are explicitly targeted; FortiBleed provides the initial access vector; nation-state actors (APT29, China-nexus) conducting espionage against government personnel </li> <li> <strong> Priority action: </strong> Emergency FortiGate credential rotation across all agencies; deploy RoguePlanet detection on all domain-joined endpoints; brief agency heads on Signal phishing campaign (UNC5435) targeting government personnel </li> <li> <strong> Detection focus: </strong> Admin account creation on network devices, VPN connections from unusual geographies, bulk email/document access via 
compromised credentials, anomalous Copilot queries accessing cross-agency data </li> </ul> <h3> <strong> Aviation/Logistics (State DOT, Airport Authorities, Port Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Volt Typhoon pre-positioning in transportation infrastructure; Rockwell CompactLogix DoS vulnerabilities affecting traffic management and port control systems </li> <li> <strong> Priority action: </strong> Patch CompactLogix controllers in traffic management systems; conduct proactive hunt for living-off-the-land activity on edge networking equipment at DOT facilities; verify segmentation between corporate IT and operational traffic management networks </li> <li> <strong> Detection focus: </strong> Unexpected firmware updates on traffic controllers, anomalous DNS queries from OT segments, unauthorized remote access to transportation SCADA systems </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Responsible Team </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Verify all state FortiGate devices against the FortiBleed exposure dataset. If ANY state domains appear, rotate ALL admin credentials within 4 hours and audit for unauthorized accounts created since January 2026. Because the catalog was built from device configurations, treat every other secret those configurations hold (IPsec pre-shared keys, LDAP/RADIUS bind passwords, SNMP communities) as exposed on affected devices and rotate them in the same window. </p> </td> <td> <p> IT Operations / Network Security </p> </td> </tr> <tr> <td> <p> Disable internet-facing FortiGate management interfaces. Enforce MFA on all FortiGate admin accounts. Force admin re-login to trigger PBKDF2 credential storage migration; note that the migration only hardens the stored hash against future configuration theft and is no substitute for changing a password that is already in the catalog. </p> </td> <td> <p> IT Operations </p> </td> </tr> <tr> <td> <p> Deploy EDR detection rules for RoguePlanet exploitation patterns: rapid file operations in Defender scan paths and unexpected SYSTEM process creation from Defender worker processes. 
</p> </td> <td> <p> SOC </p> </td> </tr> <tr> <td> <p> Brief executive leadership: FortiBleed may constitute an active compromise of state perimeter infrastructure. Request emergency maintenance window approval for credential rotation. </p> </td> <td> <p> CISO </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Responsible Team </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Audit all NGINX deployments on citizen-facing web infrastructure. Patch to the fixed builds released June 18. Where patching must wait, disable HTTP/3 by removing every listen directive that carries the quic parameter (together with any "http3 on" and the Alt-Svc h3 header) rather than deleting only the word quic, which would leave a second TCP listener on the same port that nginx rejects as a duplicate; confirm with "nginx -t" before reloading. Disabling QUIC does not address CVE-2026-42055, which the CVE reference table places in the proxy_v2/grpc path. Verify ASLR is enabled on all NGINX hosts. </p> </td> <td> <p> IT Operations / Web Infrastructure </p> </td> </tr> <tr> <td> <p> Apply Rockwell firmware updates for Logix 5370/5570, RSLinx, FLEX I/O, CompactLogix, and FactoryTalk Analytics PavilionX. Prioritize FLEX I/O in water/energy SCADA. </p> </td> <td> <p> OT/ICS Team </p> </td> </tr> <tr> <td> <p> Validate M365 Copilot Enterprise Search data access boundaries. Review Copilot audit logs for anomalous cross-application data retrieval. </p> </td> <td> <p> Cloud Security / Identity Team </p> </td> </tr> <tr> <td> <p> Conduct proactive threat hunt for Volt Typhoon living-off-the-land indicators on all Cisco, Fortinet, and Palo Alto edge devices. </p> </td> <td> <p> SOC / Threat Hunting </p> </td> </tr> <tr> <td> <p> <strong> Verify Oracle PeopleSoft patching status against CVE-2026-35273. If unpatched, apply June 2026 Critical Patch Update immediately. </strong> </p> </td> <td> <p> Database/ERP Team </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Action </strong> </p> </th> <th> <p> <strong> Responsible Team </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Commission assessment of state exposure to the access-broker ecosystem. 
Evaluate zero-trust architecture acceleration for all internet-facing management planes. </p> </td> <td> <p> CISO / Enterprise Architecture </p> </td> </tr> <tr> <td> <p> Implement certificate-based or hardware-token authentication for all network device administration, eliminating password-based admin access to perimeter devices. </p> </td> <td> <p> Identity &amp; Access Management </p> </td> </tr> <tr> <td> <p> Accelerate IT/OT network segmentation program. Three consecutive cycles of Rockwell advisories indicate systemic vulnerability patterns requiring architectural mitigation. </p> </td> <td> <p> OT Security / Network Architecture </p> </td> </tr> <tr> <td> <p> Evaluate AI-layer security controls: treat M365 Copilot and similar AI assistants as privileged identities requiring access controls, logging, and anomaly detection equivalent to domain admin accounts. </p> </td> <td> <p> Cloud Security / CISO </p> </td> </tr> <tr> <td> <p> Develop and tabletop an incident response playbook specifically for "perimeter device credential mass compromise" &mdash; the FortiBleed scenario will recur with other vendors. </p> </td> <td> <p> IR Team / CISO </p> </td> </tr> </tbody> </table> <h2> <strong> Bottom Line </strong> </h2> <p> What makes this moment dangerous is not any single vulnerability &mdash; it's the convergence. FortiBleed gives attackers the front door key. RoguePlanet gives them SYSTEM privileges once inside. Active ransomware groups (Qilin, Play, Krybit, Gunra) are positioned to weaponize both within days. And the Murray County attack proves that state and local government systems &mdash; including law enforcement and courts &mdash; are explicitly on the target list. </p> <p> The access-broker ecosystem has industrialized. Credentials are no longer stolen one at a time &mdash; they're harvested at scale, enriched with targeting metadata, and sold to the highest bidder. Your FortiGate admin password may already be in a shopping cart. 
</p> <p> <strong> The window to act is measured in hours, not days. </strong> Verify your exposure. Rotate your credentials. Hunt for evidence of compromise. The threat actors already have their catalog &mdash; the only question is whether your organization is in it, and whether you'll find out from your SOC or from a ransom note. </p> <h2> <strong> IOC Reference </strong> </h2> <p> IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds. The FortiBleed exposure dataset can be checked via the Hudson Rock lookup tool. CISA ICS advisories (ICSA-26-167-01 through ICSA-26-167-05) contain technical details for Rockwell vulnerabilities. </p> <p> <strong> Key CVEs referenced in this report: </strong> </p> <table> <thead> <tr> <th> <p> <strong> CVE </strong> </p> </th> <th> <p> <strong> Product </strong> </p> </th> <th> <p> <strong> Status </strong> </p> </th> <th> <p> <strong> Severity </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> CVE-2026-50656 </p> </td> <td> <p> Microsoft Windows Defender </p> </td> <td> <p> <strong> UNPATCHED </strong> &mdash; PoC public </p> </td> <td> <p> <strong> 7.8 (High) </strong> </p> </td> </tr> <tr> <td> <p> CVE-2026-42530 </p> </td> <td> <p> F5 NGINX (HTTP/3) </p> </td> <td> <p> Patch available June 18 </p> </td> <td> <p> <strong> Critical (RCE) </strong> </p> </td> </tr> <tr> <td> <p> CVE-2026-42055 </p> </td> <td> <p> F5 NGINX (proxy_v2/grpc) </p> </td> <td> <p> Patch available June 18 </p> </td> <td> <p> <strong> Critical (RCE) </strong> </p> </td> </tr> <tr> <td> <p> CVE-2026-48907 </p> </td> <td> <p> TBD (CISA KEV) </p> </td> <td> <p> Active exploitation confirmed </p> </td> <td> <p> TBD </p> </td> </tr> <tr> <td> <p> CVE-2026-35273 </p> </td> <td> <p> Oracle PeopleSoft </p> </td> <td> <p> Patch available (June CPU) </p> </td> <td> <p> <strong> Critical (mass exploitation) </strong> </p> </td> </tr> <tr> <td> <p> CVE-2026-11311 </p> </td> <td> <p> F5 NGINX </p> 
</td> <td> <p> Patch available </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> <tr> <td> <p> CVE-2026-50107 </p> </td> <td> <p> F5 NGINX </p> </td> <td> <p> Patch available </p> </td> <td> <p> <strong> High </strong> </p> </td> </tr> </tbody> </table> <p> <em> Published June 18, 2026 | Anomali CTI Desk </em> </p> <p> <em> For questions or to request additional analysis, contact your Anomali account team. </em> </p>
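<p> The first hunting hypothesis ("Has FortiBleed already been used against us?") and the CRITICAL/HIGH FortiGate rows of the detection table reduce to a query over admin-authentication logs. The script below is an added example written for this report, not Anomali's or Fortinet's code: it parses FortiOS-style key=value event logs, flags successful admin logins from outside an assumed management allowlist or outside an assumed change window, flags failed logins from outside the allowlist, and then escalates any admin-account or firewall-policy change made from a session that has already been flagged. The sample log lines are constructed; the logid values and the configuration-change field names (cfgpath, cfgobj, action) in them are assumptions to be checked against what your FortiOS build actually emits. </p>

```python
"""Hunt FortiGate admin-authentication logs for FortiBleed follow-on access.

Added example for this report; not Anomali's or Fortinet's code. The log lines
below are constructed to resemble FortiOS event/system logs. The logid values
and the config-change fields (cfgpath, cfgobj, action) are assumptions: confirm
them against what your FortiOS build emits before pointing this at real logs.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed management allowlist: the only networks that should ever reach the admin UI.
ADMIN_ALLOWLIST = ["10.20.0.0/24", "192.168.100.0/24"]
# Assumed change window; admin logins outside it deserve a look.
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 local

# Constructed sample (FortiOS key=value syslog format).
SAMPLE_LOGS = """\
date=2026-06-14 time=09:12:03 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(10.20.0.15)" method="https" srcip=10.20.0.15 dstip=10.20.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.20.0.15)"
date=2026-06-17 time=02:41:55 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="https(198.51.100.77)" method="https" srcip=198.51.100.77 dstip=203.0.113.10 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(198.51.100.77)"
date=2026-06-17 time=02:43:10 logid="0100044547" type="event" subtype="system" level="information" logdesc="Object configured" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="Add" cfgpath="system.admin" cfgobj="svc-backup" cfgattr="" msg="Add system.admin svc-backup"
date=2026-06-17 time=02:44:02 logid="0100044547" type="event" subtype="system" level="information" logdesc="Object configured" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 action="Add" cfgpath="firewall.policy" cfgobj="99" cfgattr="" msg="Add firewall.policy 99"
date=2026-06-17 time=08:05:30 logid="0100032002" type="event" subtype="system" level="alert" logdesc="Admin login failed" user="admin" ui="https(198.51.100.78)" method="https" srcip=198.51.100.78 dstip=203.0.113.10 action="login" status="failed" reason="passwd_invalid" msg="Administrator admin login failed from https(198.51.100.78) because of invalid password"
date=2026-06-17 time=14:20:11 logid="0100032001" type="event" subtype="system" level="information" logdesc="Admin login successful" user="helpdesk" ui="ssh(10.20.0.40)" method="ssh" srcip=10.20.0.40 dstip=10.20.0.1 action="login" status="success" reason="none" profile="prof_admin" msg="Administrator helpdesk logged in successfully from ssh(10.20.0.40)"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios_line(line):
    """Turn one FortiOS key=value log line into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hunt(log_text, allowlist=ADMIN_ALLOWLIST, business_hours=BUSINESS_HOURS):
    """Return findings as (severity, reason, event) tuples, in log order.

    Mirrors the FortiGate rows of the detection table: successful admin logins
    from outside the allowlist or outside business hours, failed logins from
    outside the allowlist (credential testing), and any admin-account or
    firewall-policy change made from a session that has already been flagged.
    """
    nets = [ip_network(cidr) for cidr in allowlist]
    findings = []
    flagged = set()  # (user, srcip) pairs whose login tripped a rule
    for raw in log_text.splitlines():
        ev = parse_fortios_line(raw)
        src = ev.get("srcip")
        if ev.get("type") != "event" or ev.get("subtype") != "system" or not src:
            continue
        on_allowlist = any(ip_address(src) in net for net in nets)
        if ev.get("action") == "login":
            if ev.get("status") == "success":
                when = datetime.strptime(f'{ev["date"]} {ev["time"]}', "%Y-%m-%d %H:%M:%S")
                if not on_allowlist:
                    findings.append(("CRITICAL", f"admin login from non-allowlisted source {src}", ev))
                    flagged.add((ev.get("user"), src))
                elif when.hour not in business_hours:
                    findings.append(("HIGH", f"admin login outside business hours at {when:%H:%M}", ev))
                    flagged.add((ev.get("user"), src))
            elif not on_allowlist:
                findings.append(("MODERATE", f"failed admin login from non-allowlisted source {src}", ev))
        elif ev.get("cfgpath") and (ev.get("user"), src) in flagged:
            # A config change from a flagged session: admin-account changes are the worst case.
            target = f'{ev["cfgpath"]} {ev.get("cfgobj", "")}'.strip()
            sev = "CRITICAL" if ev["cfgpath"] == "system.admin" else "HIGH"
            findings.append((sev, f'{ev.get("action", "change")} on {target} from a flagged session', ev))
    return findings


if __name__ == "__main__":
    for sev, reason, ev in hunt(SAMPLE_LOGS):
        print(f'{sev:8} {ev["date"]} {ev["time"]} user={ev.get("user", "?"):9} {reason}')
```

<p> Run it over a FortiAnalyzer or SIEM export of type=event subtype=system records going back to January 2026, as the hypothesis requires, with ADMIN_ALLOWLIST replaced by the trusthost networks you actually use; the interesting output is any config change that follows a flagged login, since that is the difference between a scanned credential and a used one. </p>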
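<p> The third hunting hypothesis and the two Defender rows of the detection table describe two observable behaviours: a non-Defender process churning files under C:\ProgramData\Microsoft\Windows Defender\Scans\, and a SYSTEM-level shell spawned by a Defender worker. The following is an added example for this report, not Microsoft's or Anomali's code and not an exploit; it runs exactly those two rules over Sysmon-shaped events (EventID 1, 11 and 23 with Image, ParentImage, TargetFilename and IntegrityLevel). The events are constructed, and the Defender binary names, the burst threshold and the window are assumptions to tune against your own baseline telemetry. </p>

```python
"""Detect the RoguePlanet indicators the report names, on Sysmon-style telemetry.

Added example for this report; not Anomali's or Microsoft's code, and not an
exploit. It encodes only the two behaviours the report describes: a non-Defender
process churning files under the Defender Scans directory, and a SYSTEM shell
spawned by a Defender service process. The events are constructed; field names
follow Sysmon (EventID 1/11/23, Image, ParentImage, TargetFilename,
IntegrityLevel). Defender image names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

SCAN_DIR = r"C:\ProgramData\Microsoft\Windows Defender\Scans"   # path named in the report
DEFENDER_IMAGES = {"msmpeng.exe", "mpdefendercoreservice.exe", "mpcmdrun.exe", "nissrv.exe"}  # assumed
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
BURST_THRESHOLD = 8                  # file events from one process ...
BURST_WINDOW = timedelta(seconds=5)  # ... inside this window (assumed; tune per fleet)
FILE_EVENTS = {11, 23}               # Sysmon FileCreate, FileDelete


def _base(path):
    return PureWindowsPath(path).name.lower()


def _under_scan_dir(path):
    return path.lower().startswith(SCAN_DIR.lower() + "\\")


def detect(events):
    """Walk events in time order and return [(rule, detail)] alerts.

    'scan_path_burst' fires once per (pid, image) when a non-Defender process
    generates BURST_THRESHOLD create/delete events under SCAN_DIR inside
    BURST_WINDOW (sliding window). 'defender_child_shell' fires for a
    SYSTEM-integrity shell whose parent image is a Defender service binary.
    """
    alerts, already = [], set()
    window = defaultdict(deque)  # (pid, image) -> recent event timestamps
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        img = _base(ev["Image"])
        if ev["EventID"] in FILE_EVENTS and _under_scan_dir(ev["TargetFilename"]) and img not in DEFENDER_IMAGES:
            key = (ev["ProcessId"], ev["Image"])
            q = window[key]
            q.append(ev["UtcTime"])
            while q and ev["UtcTime"] - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) >= BURST_THRESHOLD and key not in already:
                already.add(key)
                alerts.append(("scan_path_burst", {"pid": key[0], "image": key[1],
                                                   "events_in_window": len(q), "at": ev["UtcTime"]}))
        elif (ev["EventID"] == 1 and _base(ev["ParentImage"]) in DEFENDER_IMAGES
              and img in SHELLS and ev.get("IntegrityLevel") == "System"):
            alerts.append(("defender_child_shell", {"pid": ev["ProcessId"], "image": ev["Image"],
                                                    "parent": ev["ParentImage"], "at": ev["UtcTime"]}))
    return alerts


def build_sample_events():
    """Constructed telemetry: benign Defender writes, one tight create/delete loop
    by a user-context binary, one benign explorer write, one SYSTEM cmd.exe under MsMpEng.exe."""
    t0 = datetime(2026, 6, 17, 3, 10, 0)
    msmpeng = r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.26050.1-0\MsMpEng.exe"
    ev = []
    for i in range(3):  # Defender's own scan bookkeeping: excluded by the image allowlist
        ev.append({"EventID": 11, "UtcTime": t0 + timedelta(seconds=20 * i), "ProcessId": 4120,
                   "Image": msmpeng, "TargetFilename": SCAN_DIR + "\\History\\Results\\Resource\\%08X" % i})
    for i in range(12):  # 12 create/delete events in 1.65 s from an unprivileged binary
        ev.append({"EventID": 11 if i % 2 == 0 else 23, "UtcTime": t0 + timedelta(milliseconds=150 * i),
                   "ProcessId": 7788, "Image": r"C:\Users\jdoe\AppData\Local\Temp\race.exe",
                   "TargetFilename": SCAN_DIR + r"\stage.tmp"})
    ev.append({"EventID": 11, "UtcTime": t0 + timedelta(seconds=2), "ProcessId": 5544,  # benign, wrong path
               "Image": r"C:\Windows\explorer.exe", "TargetFilename": r"C:\Users\jdoe\Downloads\report.pdf"})
    ev.append({"EventID": 1, "UtcTime": t0 + timedelta(seconds=3), "ProcessId": 8102,
               "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": msmpeng,
               "IntegrityLevel": "System", "User": r"NT AUTHORITY\SYSTEM"})
    return ev


if __name__ == "__main__":
    for rule, detail in detect(build_sample_events()):
        print(rule, detail)
```

<p> Feed it the Sysmon or EDR file and process events for the endpoint population you are hunting; the burst rule should be baselined first, because some backup and DLP agents legitimately touch the Defender directories and need adding to the exclusion set rather than lowering the threshold. </p>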
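<p> The 7-day NGINX action says to disable HTTP/3 by removing quic from the listen directives while patched builds are rolled out. The script below, an added example for this report rather than F5 or NGINX code, audits a configuration for the three things that enable or advertise HTTP/3 (a listen directive carrying quic, the http3 on switch, and an Alt-Svc header offering h3), reports which server_name each belongs to, and emits the mitigated copy with those whole directives removed. The configuration it runs on is constructed. </p>

```python
"""Find and remove HTTP/3 (QUIC) listeners in an nginx configuration.

Added example for this report; not F5/NGINX code. It implements the interim
mitigation in the 7-day table: strip the QUIC listen directives, the http3
switch, and the Alt-Svc h3 advertisement until patched builds are deployed.
The config below is constructed. Feed the function the output of `nginx -T`
so that included files are covered.
"""
import re

SAMPLE_CONF = """\
http {
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        listen 443 quic reuseport;   # HTTP/3 listener (UDP)
        listen [::]:443 quic reuseport;
        http3 on;
        server_name portal.example.gov;
        add_header Alt-Svc 'h3=":443"; ma=86400';
        location / { proxy_pass http://app_upstream; }
    }
    server {
        listen 443 ssl;
        server_name intranet.example.gov;
        location / { proxy_pass http://intranet_upstream; }
    }
}
"""

# Directives that enable or advertise HTTP/3, matched on the line with any
# trailing '#' comment removed.
QUIC_DIRECTIVES = [
    ("listen ... quic", re.compile(r"^\s*listen\b[^;]*\bquic\b[^;]*;")),
    ("http3 on", re.compile(r"^\s*http3\s+on\s*;")),
    ("Alt-Svc h3", re.compile(r"^\s*add_header\s+Alt-Svc\b.*\bh3[=-]", re.IGNORECASE)),
]
SERVER_OPEN_RE = re.compile(r"^\s*server\s*\{")
SERVER_NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);")


def _strip_comment(line):
    # '#' starts a comment in nginx config; adequate for directive lines.
    return line.split("#", 1)[0]


def _owning_server(lines):
    """For each line, the index of the enclosing 'server {' line (or None),
    found by tracking brace depth."""
    owner, depth, current, server_depth = [], 0, None, None
    for i, line in enumerate(lines):
        code = _strip_comment(line)
        if SERVER_OPEN_RE.match(code):
            current, server_depth = i, depth + 1
        owner.append(current)
        depth += code.count("{") - code.count("}")
        if current is not None and depth < server_depth:
            current, server_depth = None, None
    return owner


def audit_quic(conf_text):
    """Return (findings, mitigated_text).

    findings: [{'line', 'server_name', 'kind', 'directive'}] for every HTTP/3
    directive. mitigated_text: the config with those whole lines removed.
    The whole directive goes, not just the word 'quic': 'listen 443 reuseport;'
    next to 'listen 443 ssl;' is a duplicate TCP listener that nginx rejects.
    """
    lines = conf_text.splitlines()
    owner = _owning_server(lines)
    names = {}
    for i, line in enumerate(lines):
        m = SERVER_NAME_RE.match(_strip_comment(line))
        if m and owner[i] is not None:
            names[owner[i]] = m.group(1).strip()
    findings, kept = [], []
    for i, line in enumerate(lines):
        code = _strip_comment(line)
        kind = next((k for k, rx in QUIC_DIRECTIVES if rx.match(code)), None)
        if kind is None:
            kept.append(line)
            continue
        findings.append({"line": i + 1, "kind": kind, "directive": code.strip(),
                         "server_name": names.get(owner[i], "(no server_name)")})
    return findings, "\n".join(kept) + "\n"


if __name__ == "__main__":
    found, fixed = audit_quic(SAMPLE_CONF)
    for f in found:
        print(f'line {f["line"]:>3}  {f["server_name"]:<24} {f["kind"]:<16} {f["directive"]}')
    print("--- mitigated config ---")
    print(fixed)
```

<p> Run it against nginx -T output, install the result, and confirm with nginx -t before reloading. This only neutralises the HTTP/3 bug (CVE-2026-42530); CVE-2026-42055, which the CVE reference table places in the proxy_v2/grpc path, still needs the patched build. </p>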
