🚨 Critical Alerts

CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure (FortiBleed)

Source: CISA Advisories, The Hacker News, BleepingComputer

CISA updated its alert, urging Fortinet customers to secure internet-accessible FortiGate appliances and associated SSL VPN gateways against ongoing malicious activity codenamed 'FortiBleed'. The campaign involves leaked credentials for approximately 74,000 devices and is believed to be the work of Russian-speaking threat actors. Organizations must immediately terminate active sessions, reset VPN and administrative passwords under strong password policies, ensure admin credentials are hashed with PBKDF2, review logs for unusual activity, enable phishing-resistant MFA, and restrict access to management interfaces.

CISA Adds Critical Splunk Enterprise Vulnerability to Known Exploited Vulnerabilities (KEV) Catalog

Source: CISA Advisories, BleepingComputer

CISA has added CVE-2026-20253, a critical Splunk Enterprise Missing Authentication for Critical Function vulnerability, to its KEV Catalog based on evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are required to prioritize rapid remediation of this high-risk vulnerability on publicly exposed assets by Sunday, June 21, 2026.

🔓 Breaches & Attacks

Klue OAuth Breach Victim List Grows as Icarus Hackers Claim Attack

Source: BleepingComputer, The Hacker News

Market intelligence platform Klue confirmed a security incident where threat actors stole OAuth tokens used to connect to customers' Salesforce environments. The new 'Icarus' extortion group has publicly claimed responsibility for the attack, leading Salesforce to disable the Klue Battlecards app integration.

Texas Government Data Breach Exposes Over 3 Million Driver’s Licenses

Source: BleepingComputer

The Texas Parks and Wildlife Department (TPWD) disclosed a data breach at its license system vendor, exposing personal information for more than three million individuals.

New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer

Source: The Hacker News

A new campaign is distributing CastleStealer malware via a previously unreported loader called OXLOADER. Threat actors leverage malicious Google Ads as an initial infection vector, with evidence suggesting a Russian-speaking, financially motivated group is behind the activity.

🛡️ Vulnerabilities & Patches

CVE-2026-40624 (CVSS: 9.8 CRITICAL)

An improper input validation vulnerability in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras allows a remote, unauthenticated attacker to achieve arbitrary code execution via a specially crafted web request.

Remediation: AVer has provided a firmware fix to address this vulnerability. Users should immediately download and apply the firmware update from AVer's official support channels.

CVE-2026-42530 (CVSS: 9.2 CRITICAL)

A use-after-free vulnerability in the ngx_http_v3_module of NGINX Open Source can be triggered by a remote unauthenticated attacker when NGINX Open Source is configured to handle HTTP/3 requests, potentially leading to arbitrary code execution.

Remediation: Apply the security updates released by F5 for NGINX Open Source that address this vulnerability.

CVE-2026-47729 (CVSS: 6.5 MEDIUM)

A 29-year-old heap over-read bug dubbed 'Squidbleed' in the Squid web proxy's default configuration can leak cleartext HTTP requests, including credentials or session tokens, to any user already allowed to send traffic through the same proxy.

Remediation: Monitor for updates from Calif.io or Squid maintainers and apply patches immediately. Consider reviewing proxy configurations and isolating proxy traffic for sensitive data until a fix is deployed.

🥷 Threat Actor Spotlight

Sapphire Sleet (BlueNoroff)

  • Targets: Software supply chain, potentially developers and organizations using compromised packages.

  • Tactics: Supply chain attacks targeting npm packages, observed in the Mastra AI attack.

DragonForce Ransomware

  • Targets: Major U.S. services firms and other enterprises.

  • Tactics: Deployment of custom Go-based remote access trojans (Backdoor.Turn) to conceal Command and Control (C2) traffic by relaying through Microsoft Teams infrastructure.

📋 Compliance & Deadlines

Google Android Developer Verification

  • Deadline: September 30, 2026

  • Summary: Google will begin enforcing Android developer verification in Brazil, Indonesia, Singapore, and Thailand. Certified Android phones in these countries will block normal installs of apps from developers who have not registered an identity with Google. Organizations deploying internal Android applications or managing devices in these regions must ensure developer compliance.

PCI DSS 4.0

  • Deadline: N/A

  • Summary: New PCI DSS rules now extend to third-party scripts on checkout pages. Any external script can be leveraged by attackers for skimming, making a re-evaluation of security programs for compliance necessary to prevent unauthorized access to cardholder data via client-side components.

📰 Industry News

Emerging 'Search Your Target' Market for Stolen Credentials

An emerging underground market now allows attackers to pay for targeted searches within stolen credential databases. This eliminates the need for attackers to sift through massive dumps, enabling more efficient reconnaissance for specific companies, domains, and accounts.

AI Agent Security Blind Spots and Access Control Concerns

Rapid AI adoption is outpacing security programs, creating significant blind spots. Attackers are circumventing AI security by using legacy infrastructure to hijack AI agents. The primary concern has shifted from data leakage to access control, as AI agents become new identities with extensive privileges, often lacking oversight and proper governance.

Stay secure. If you found this briefing useful, please subscribe to 0DayDaily and share.
