top of page

Cybersecurity Weekly Update: 29 June – 6 July 2026

  • Writer: SOC Team
    SOC Team
  • 1 day ago
  • 4 min read

1. Global "FortiBleed" Perimeter Credential Compromise Campaign


A massive, coordinated threat update published on July 2, 2026, has officially linked the widespread “FortiBleed” perimeter harvesting campaign directly to active ransomware deployment by the INC and Lynx syndicates. Threat researchers discovered that attackers have scaled their operations to target over 430,000 internet-facing FortiGate portals globally, deploying a custom Golang-based packet sniffer (FortigateSniffer) that abuses native system diagnostic commands to passively intercept and siphon cleartext authentication traffic across 24 protocols.  


  • CVE ID: CVE-2026-35616 (CVSS Score: 9.8)

  • Why It Matters: This represents a major escalation from a static credential leak into an active, weaponized initial access pipeline. By combining legacy credential-cracking datasets with active sniffing infrastructure, initial access brokers have successfully compromised administrative portals across enterprise network boundaries. Threat intelligence confirms that this harvested access has already bypassed perimeter defenses to execute full domain takeovers and trigger multi-endpoint enterprise ransomware encryption.  

  • Key Recommendations:

    • Rotate all local administrator, service account, and SSL VPN credentials immediately across the entire firewall architecture.  

    • Audit active processes for unauthorized use of the native diagnose sniffer packet utility.

    • Immediately apply the emergency out-of-band hotfixes or upgrade FortiClient EMS to version 7.4.7 or later to nullify the adjacent access control vectors fueling the campaign's endpoint infiltration.  

  • Source: RH-ISAC Cyber Threat Intelligence Briefing / Orca Security Threat Research Blog


2. Microsoft SharePoint Server Remote Code Execution


A critical deserialization of untrusted data vulnerability within Microsoft SharePoint Server is being actively exploited by advanced persistent threat (APT) groups and financial extortion syndicates. Due to verified real-world threat activity, CISA officially added this flaw to its Known Exploited Vulnerabilities (KEV) Catalog on July 1, 2026.

  

  • CVE ID: CVE-2026-45659 (CVSS Score: 8.8)  

  • Why It Matters: SharePoint functions as an operational document-sharing backbone across defense contractors, banking networks, and academic environments. An authenticated attacker possessing basic "Site Member" privileges (the standard contributor role) can exploit this flaw by submitting a crafted HTTP request with a malicious serialized object graph. This allows the attacker to bypass access controls, execute arbitrary code directly on the host server, elevate privileges, and establish persistent lateral movement channels.

  • Key Recommendations:

    • Immediately verify that your SharePoint environments have the required patch applied.  

    • While the software fix was quietly embedded within Microsoft’s May 2026 security rollout, the specific CVE designation was inadvertently left off the original documentation headers, requiring infrastructure teams to manually verify asset patch states.

    • Review all internal and guest accounts holding Site Member privileges.

  • Source: RedLegg Cyber Security Intelligence Bulletin


3. SimpleHelp RMM Authentication Bypass


An authentication bypass flaw rooted in the OpenID Connect (OIDC) validation workflow of SimpleHelp Remote Monitoring and Management (RMM) software has been weaponized in the wild. Attackers are exploiting a complete failure by the server to cryptographically verify identity tokens, prompting CISA to add the vulnerability to the KEV Catalog on June 29, 2026.  


  • CVE ID: CVE-2026-48558 (CVSS Score: 10.0)

  • Why It Matters: RMM software tools are extremely high-value targets for threat groups because they possess innate administrative system privileges down into thousands of endpoints. Attackers are using this bypass to secure fully authenticated technician sessions without needing credentials, dropping specialized multi-platform malware like "Djinn Stealer" to harvest cloud keys, SSH keys, and completely compromise multi-tenant financial or corporate networks.  

  • Key Recommendations:

    • Upgrade all active SimpleHelp instances running versions 5.5.1 through 5.5.15 to version 5.5.16 or later (or 6.0 releases to 6.0 RC2 or later).  

    • As an emergency mitigation, immediately disable OIDC authentication or uncheck the "Allow group authenticated logins" parameter within your Technician Group control menus.

  • Source: Dark Reading Cyberattack Breakdowns / DevOps Data Protection Report


4. Cisco Unified Communications Manager Server-Side Request Forgery


A critical Server-Side Request Forgery (SSRF) security flaw inside Cisco Unified Communications Manager is currently being actively exploited in the wild. The vulnerability is caused by improper input validation of specific HTTP requests processed by the platform's WebDialer service, allowing an unauthenticated remote attacker to compromise the application layer.


  • CVE ID: CVE-2026-20230 (CVSS Score: 8.6)  

  • Why It Matters: Unified CM serves as the foundational communication hub for massive enterprise, financial, and defense infrastructures across Europe and South Africa. If successfully exploited, an attacker can write arbitrary files directly to the underlying operating system. These unauthorized files can later be leveraged by adversaries to elevate privileges to full root access, giving them unchecked control to disrupt communication streams or launch deeper internal pivot attacks.

  • Key Recommendations:

    • Upgrade all affected systems immediately to Unified CM 14SU6 or later, or Unified CM 15SU5 or later.

    • If your daily business operations do not strictly require it, completely disable the WebDialer feature (which is disabled by default) to eliminate the attack vector entirely.

  • Source:  SOCRadar Cyber Intelligence Blog


Executive Action Plan: Key Recommendations

Enforce Zero-Trust Boundary Controls for Edge & Operational DevicesPerimeter systems like Fortinet FortiGate firewalls and management tools like SimpleHelp RMM must never sit entirely exposed to the public internet. Isolate all administrative, management, and console interfaces behind an out-of-band management subnet guarded by strict, phishing-resistant Multi-Factor Authentication (MFA).  
Audit Web-Exposed Enterprise Services ImmediatelyEnterprise document repositories like Microsoft SharePoint and communication hubs like Cisco Unified CM are being actively picked apart via web-based protocols and data deserialization vulnerabilities. Audit your application footprint right away—disable unused peripheral features (such as Cisco's WebDialer service) and scan web log traffic for unauthorized serialization or command-execution anomalies.  
Establish Rigid CISA KEV Remediation DeadlinesStandard, drawn-out monthly patch management timelines are insufficient when dealing with flaws actively weaponized in the wild. Treat the vendor security updates for SharePoint (CVE-2026-45659), SimpleHelp (CVE-2026-48558), and Cisco Unified CM (CVE-2026-20230) as immediate, out-of-band emergency tickets to block remote takeover before persistence is established.

 
 
bottom of page