Fortinet Firewalls Breached Worldwide; Update Expiring Secure Boot Certificates; KEV Adds cPanel, Cisco SD-WAN, and Splunk Flaws

Russian-speaking threat actors have breached Fortinet firewalls at organizations in nearly every country in the world. In all, nearly 74,000 Fortinet devices were compromised across more than 21,000 domains, and the credentials have been leaked online. The database of stolen information was discovered by security researcher Bob Diachenko, who found and accessed the threat actors' operational infrastructure. Affected organizations include Oracle, Chevron, Lenovo, Federal Express, a NATO defense contractor, and Fortinet. On June 17, researcher Kevin Beaumont confirmed that most of the compromised devices were still online, and that the compromised devices account for nearly half of all internet-facing Fortinet devices. Researchers at Hudson Rock published their analysis of the data, addressing the attackers' methodology, the scope of the breach, and a look into the attackers' logs. The UK's National Cyber Security Centre (NCSC) has also published guidance for Fortinet users, and the US Cybersecurity and Infrastructure Security Agency (CISA) is urging Fortinet users to secure their devices. Suggested mitigations include removing the devices from internet exposure; forcing credential rotation and upgrading hashing; assuming compromise and checking for backdoors; enforcing strict MFA; monitoring for stolen credentials; and upgrading to the most recent FortiOS release. Beaumont adds, "if you see suspect success logins to admin users, I would suggest replacing the device as they may have altered settings to backdoor a device."

Certificates for the cryptographic keys in the Secure Boot process on computers running Windows and Linux will expire on June 24, 2026. Users must ensure their certificates are upgraded in order to protect against attacks on the UEFI (Unified Extensible Firmware Interface), including bootkits, which inhabit a machine where the firmware initializes the boot process, outside the operating system. Secure Boot relies on cryptography to validate the trust in each piece of the boot process, protecting against unrecognized or malicious firmware. The expiring certificates were issued in 2011, and the replacements were created in 2023 after the discovery of a flaw dubbed "LogoFail," which exploits logo images displayed during startup to inject rogue certificates and bypass Secure Boot. Users of Windows 11 and of Windows 10 with extended security updates should receive the new certificates automatically through Windows Update, and many Linux distributions provide them in their software updaters; systems that do not receive the new certificates will still function, but will not have UEFI Secure Boot protection.

In the past week, the US Cybersecurity and Infrastructure Security Agency (CISA) has added four CVEs to the Known Exploited Vulnerabilities (KEV) catalog; of those, three have been assigned three-day mitigation deadlines for Federal Civilian Executive Branch (FCEB) agencies. CVE-2026-54420, a high-severity UNIX Symbolic Link (Symlink) following issue in LiteSpeed cPanel plugin before 2.4.8, was added to KEV on June 15 with a mitigation deadline of June 18. The vulnerability was addressed in a June 1 update from LiteSpeed. CVE-2026-20262, a medium-severity path traversal vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, was also added to KEV on June 15; it has been assigned a mitigation deadline of June 29. This is the second Cisco SD-WAN Manager vulnerability that has been actively exploited this month. CVE-2026-48907, a critical improper access control vulnerability in the Joomla Content Editor (JCE) extension for Joomla was added to KEV on June 16 with a mitigation deadline of June 19. CVE-2026-20253, a critical Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint issue in Splunk Enterprise was added to KEV on June 18 with a mitigation deadline of June 21.

Research by cybersecurity journalist Zack Whittaker shows that among the 100 highest-revenue companies in the United States, about a third do not have a reporting channel for cybersecurity vulnerabilities. These companies lack what Whittaker characterizes as the "open door" that includes bug bounty programs, formal disclosure programs, web forms, or a dedicated email address, leaving researchers and consumers with no means of escalating issues. This rules out a means for companies to learn about issues and possible risks, and it chills the environment for researchers who may fear legal action or other repercussions for reporting: "Having a way to let people report flaws sends a message to the outside world that the company is willing to be helped, rather than ready to sue someone into silence." Whittaker notes that a basic measure companies can take is to create a security[.]txt file "in a well-known location on a company's domain that contains the best email address for researchers to contact;" only 17 companies in the Fortune 100 currently have this file. While 65 of the companies have a disclosure policy or bug bounty program, nearly half of the bug bounty programs do not offer financial rewards, "despite being run by some of the most revenue-driving companies in the United States." Whittaker recommends companies look into the security[.]txt project by EdOverflow and read Luta Security CEO Katie Moussouris's blog to learn about bug bounties and disclosure programs. Researchers can look for security contact information at disclose.io by Casey Ellis and at findsecuritycontacts.com.

An independent security researcher discovered and disclosed a now-remediated flaw that rendered unchecked control of the entire FIFA World Cup 2026 internal Football Data Platform. The researcher registered a new account in the publicly available FIFA Agent Platform, requiring only an ID and an email address, and noted that the account was also added to FIFA's Microsoft Entra tenant. She tried to log into the Football Data Platform as well and was denied due to insufficient privileges, but discovered that only the client side involved any protection; the backend APIs served "whatever you asked for" without any checks. This included the official live production panel for managing the streaming of every FIFA World Cup 2026 match: controls to start, stop, and schedule video feeds of all camera angles, plus the full infrastructure of live video feed ingest URLs, broadcast output URLs, preview feeds, and stream keys. This could allow a bad actor to push their own video through every official FIFA feed at once — as the researcher noted, "an attacker could have rickrolled the entire FIFA World Cup." Many internal pages could be accessed and modified by an unprivileged account: competitions, matches, teams, tools, an exchange platform, an analysis dashboard, the information system used by live commentators, FIFA AI Pro, admin, and comprehensive data on each match and its officials. An attacker could modify commentary notes and scripts for broadcast, adjust the time of kick-off, or change scores and match statistics. The researcher was also able to access "transfer reports, revenue comparisons, board-level representation data, [and] referee and coach statistics" through an Azure Function App that exposed internal files. The same day, the researcher attempted disclosure via multiple official FIFA emails, WhatsApp, and phone numbers at FIFA, the International Broadcast Centre, and Host Broadcast Services and its parent company, and received no response. Contacts at MediaKind, the US Cybersecurity and Infrastructure Security Agency (CISA), and the FBI took the information, and the next day, the issue was fixed with no acknowledgment from FIFA. The researcher urges FIFA to use a security[.]txt file, publish a vulnerability disclosure policy, enforce authorization beyond the client side, and start a bug bounty program. Major companies' failures to implement vulnerability reporting channels are discussed in another story in this issue of NewsBites.

The Texas Parks and Wildlife Department (TPWD) has published a notice disclosing a data security incident affecting a vendor that handles the system for hunting and fishing licenses. No information has been given about the timing or nature of the attack; Texas Cyber Command first alerted the TPWD to the activity, and investigation indicates that data belonging to over 3 million Texans over the age of 18 may have been stolen, including "driver license information, passport numbers (if provided), email addresses, phone numbers and residential addresses." The TPWD asserts that the data did not include Social Security numbers, dates of birth, or financial information, but a disclosure report with the state's Attorney General lists Social Security numbers and dates of birth in the data affected. The department is implementing additional access controls and security features to protect customer information, and is working with the license system vendor to add new safeguards and monitoring. Those affected are offered one year of free credit monitoring through Kroll.

In May 2024, the Canadian Security Intelligence Service (CSIS) obtained a warrant to access servers, home routers, and Internet of Things (IoT) devices infected with malware to "neutralize two foreign-run botnets." The devices CSIS accessed were all on Canadian soil. "CSIS required the Cyber Threat Reduction Measures Warrant because the necessary threat reduction measures to neutralize the botnets, which are targeted at the devices, would likely constitute offences pursuant to the Criminal Code, RSC 1985, c C-46 [Criminal Code] and, as such, require judicial authorization in accordance with subsection 12.1(3.4) of the CSIS Act." Canada's Federal Court released a public version of the warrant on June 15, 2026. The Cyber Threat Reduction Measures Warrant was the first warrant of its kind to be issued in Canada. The warrant was granted on May 1, 2024 for a period of 120 days, and renewed for an additional 120 days on August 29, 2024.

Canadian power utility company London Hydro has disclosed that it experienced a "data security incident" that may have compromised personal data related to certain accounts. The utility first noticed suspicious activity on a customer account on Thursday, June 18; "the account was used to exploit a system vulnerability, which allowed access to certain information about other customers." London Hydro says it began notifying affected individuals on Friday, June 19, but has provided little additional information about the scope and impact of the incident, not specifying whether the incident affected its operational technology. The company provides electricity to more than 160,000 people in the London, Ontario area.

Over the weekend, Brazil took the country's Public Alert Dissemination Interface (IDAP) system offline after a breach of the country's national emergency alert system allowed it to be used to send false emergency messages to mobile phones in the Brazilian states of São Paulo, Mato Grosso do Sul, Rio de Janeiro, Paraná, and the Federal District. "As an immediate response to contain the attack, the National Secretariat for Civil Protection and Defense (SEDEC) blocked all external access to IDAP and suspended the accounts of users involved in the incident, in addition to preserving system logs and logins for forensic analysis. The Government's Center for Prevention, Treatment and Response to Cyber Incidents (CTIR Gov) was also notified to monitor the case." Brazil's Ministry of Integration and Regional Development (MIDR) is investigating.