FortiBleed Credential Theft Tied to Lynx and INC Ransomware
SOCRadar links FortiBleed to INC and Lynx ransomware operations. 430,000 FortiGate firewalls targeted, 110 million credentials stolen, 12+ ransomware deployments confirmed.
18 articles tagged with "Fortinet"
SOCRadar links FortiBleed to INC and Lynx ransomware operations. 430,000 FortiGate firewalls targeted, 110 million credentials stolen, 12+ ransomware deployments confirmed.
Three critical FortiSandbox vulnerabilities (CVE-2026-39813, CVE-2026-39808, CVE-2026-25089) are under active exploitation. All carry CVSS 9.1 scores and allow unauthenticated remote code execution.
Russian-speaking threat group harvested plaintext credentials for 73,000+ Fortinet firewalls across 194 countries. Samsung, Oracle, and NATO contractor among victims.
Attackers weaponize CVE-2026-35616 to deploy EKZ infostealer via FortiClient EMS management features. Fake Fortinet patch harvests browser passwords and cookies.
Fortinet discloses CVE-2026-44277 and CVE-2026-26083, unauthenticated RCE flaws affecting FortiSandbox and FortiAuthenticator. Patch now before attackers weaponize these.
Fortinet patches two critical FortiSandbox vulnerabilities allowing unauthenticated attackers to bypass authentication and execute code. Upgrade to 4.4.9 or 5.0.6 immediately.
CISA adds CVE-2026-35616 to KEV catalog with April 9 deadline for federal agencies. Nearly 2,000 FortiClient EMS instances remain exposed as exploitation continues.
CVE-2026-35616 lets attackers bypass API authentication in FortiClient EMS 7.4.5-7.4.6 for unauthenticated RCE. Exploitation began March 31. Emergency hotfixes available.
CVE-2026-21643 exploitation began March 26, six weeks after Fortinet's patch. Around 1,000 internet-exposed EMS instances remain vulnerable to unauthenticated RCE.
Fortinet's March 2026 security advisory addresses 11 vulnerabilities including auth bypass, SQL injection, and buffer overflow flaws affecting enterprise management products.
CVE-2026-21643 allows unauthenticated attackers to chain SQL injection with command execution in FortiClient EMS. CVSS 9.8 affects version 7.4.4—upgrade to 7.4.5 immediately.
CVE-2026-24858 allows attackers with FortiCloud accounts to log into other organizations' FortiGate devices. Patches rolling out now.
Arctic Wolf reports automated attacks creating rogue admin accounts on supposedly patched FortiGate devices. Fortinet acknowledges incomplete fix.
CVE-2025-64155 in Fortinet's SIEM product enables unauthenticated command injection via phMonitor service. CVSS 9.4, patches now available.
From Fortinet to SonicWall, authentication bypass vulnerabilities share common traits. Understanding these patterns helps security teams prioritize patching.
A threat actor called RedTeam is selling a $1,500 credential-stuffing tool with built-in scanning, proxy rotation, and multi-protocol support aimed at enterprise VPN infrastructure.
CVE-2020-12812 allows attackers to bypass two-factor authentication on FortiGate devices by simply changing username case. Fortinet issued fresh advisory on December 25.
Two critical CVSS 9.8 vulnerabilities in FortiGate devices are being actively exploited just days after patch release. Attackers targeting SSO authentication.