ELEVATED · 20 Jun 2026

NCSC UK Fortinet FortiBleed credential exposure

10 priority findings led by NCSC UK Fortinet FortiBleed credential exposure, with 16 further items tracked below.

Key findings
01. Update: NCSC UK Fortinet FortiBleed credential exposure (HIGH)
[High] This item is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Run exposure checks, terminate sessions, rotate administrator and VPN credentials, enforce MFA, inspect for unauthorised accounts, and confirm FortiOS upgrade paths.

02. Update: Splunk Enterprise CVE-2026-20253 active exploitation and patch deadline (MEDIUM)
[Medium] CVE-2026-20253 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Treat as P1: patch affected Splunk Enterprise branches, restrict sidecar reachability whilst patching, and hunt for unexpected file creation or truncation.

03. Finding 3: NCSC-NL Cisco Identity Services Engine vulnerabilities fixed - NCSC-2026-0208 (LOW)
[Unverified] This item is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Route to NAC and identity owners; validate fixed Cisco ISE releases for high-trust deployments. Evidence quality is single-source.

04. Finding 4: BSI GKE containerd WID-SEC-2026-2009 / CVE-2026-47262 (LOW)
[Unverified] CVE-2026-47262 / WID-SEC-2026-2009 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Map GKE node pools and containerd versions, then track Google remediation and workload isolation controls. Evidence quality is single-source.

05. Finding 5: Gogs WID-SEC-2026-2013 critical batch (LOW)
[Unverified] WID-SEC-2026-2013 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Inventory exposed and internal Gogs services, then validate fixed releases before the next change window. Evidence quality is single-source.

06. Finding 6: Webmin WID-SEC-2026-2014 high-severity advisory (LOW)
[Unverified] WID-SEC-2026-2014 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Prioritise internet-facing Webmin hosts and collect version evidence from management-plane owners. Evidence quality is single-source.

07. Finding 7: HAProxy WID-SEC-2026-2012 reverse-proxy advisory (LOW)
[Unverified] WID-SEC-2026-2012 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Map edge and internal HAProxy owners, then confirm fixed packages for HTTP routing paths. Evidence quality is single-source.

08. Finding 8: BSI ffmpeg WID-SEC-2026-2011 / CVE-2026-8461 (LOW)
[Unverified] CVE-2026-8461 / WID-SEC-2026-2011 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Patch media-processing paths that handle untrusted audio or video files. Evidence quality is single-source.

09. Finding 9: ffmpeg WID-SEC-2026-2015 denial-of-service advisory (LOW)
[Unverified] WID-SEC-2026-2015 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Patch media-processing paths that handle untrusted audio or video files. Evidence quality is single-source.

10. Finding 10: BSI pgAdmin WID-SEC-2026-2005 / CVE-2026-12044 (LOW)
[Unverified] CVE-2026-12044 / WID-SEC-2026-2005 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Patch pgAdmin, remove public exposure, enforce strong authentication, and review admin access logs. Evidence quality is single-source.

Update: NCSC UK Fortinet FortiBleed credential exposure

This item is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Run exposure checks, terminate sessions, rotate administrator and VPN credentials, enforce MFA, inspect for unauthorised accounts, and confirm FortiOS upgrade paths.

Today's delta is scope expansion: UK-facing advice now aligns with Fortinet PSIRT context and SecurityWeek reporting on credential exposure affecting devices across many countries.

Sources: NCSC UK; Fortinet PSIRT; SecurityWeek. https://www.ncsc.gov.uk/news/advice-following-global-targeting-of-fortinet-firewalls-and-vpn-gateways; https://www.fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices; https://www.securityweek.com/fortibleed-86000-fortinet-device-credentials-compromised/

Update: Splunk Enterprise CVE-2026-20253 active exploitation and patch deadline

CVE-2026-20253 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Treat as P1: patch affected Splunk Enterprise branches, restrict sidecar reachability whilst patching, and hunt for unexpected file creation or truncation.

Today's delta is active-exploitation pressure plus patch timing. Owners should prove branch status and run targeted hunts for arbitrary file operations.

Sources: BleepingComputer; CISA; CVE Program. https://www.bleepingcomputer.com/news/security/cisa-splunk-enterprise-flaw-actively-exploited-patch-by-sunday/; https://www.cisa.gov/known-exploited-vulnerabilities-catalog; https://www.cve.org/CVERecord?id=CVE-2026-20253

Finding 3: NCSC-NL Cisco Identity Services Engine vulnerabilities fixed - NCSC-2026-0208

This item is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Route to NAC and identity owners; validate fixed Cisco ISE releases for high-trust deployments.

Evidence quality is single-source. Keep the confidence label attached when this is turned into a ticket or change request.

Sources: NCSC-NL. https://advisories.ncsc.nl/advisory?id=NCSC-2026-0208

Finding 4: BSI GKE containerd WID-SEC-2026-2009 / CVE-2026-47262

CVE-2026-47262 / WID-SEC-2026-2009 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Map GKE node pools and containerd versions, then track Google remediation and workload isolation controls.

Evidence quality is single-source. Keep the confidence label attached when this is turned into a ticket or change request.

Sources: BSI/CERT-Bund. https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2009

Finding 5: Gogs WID-SEC-2026-2013 critical batch

WID-SEC-2026-2013 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Inventory exposed and internal Gogs services, then validate fixed releases before the next change window.

Evidence quality is single-source. Keep the confidence label attached when this is turned into a ticket or change request.

Sources: BSI/CERT-Bund. https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2013

Finding 6: Webmin WID-SEC-2026-2014 high-severity advisory

WID-SEC-2026-2014 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Prioritise internet-facing Webmin hosts and collect version evidence from management-plane owners.

Evidence quality is single-source. Keep the confidence label attached when this is turned into a ticket or change request.

Sources: BSI/CERT-Bund. https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2014

Finding 7: HAProxy WID-SEC-2026-2012 reverse-proxy advisory

WID-SEC-2026-2012 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Map edge and internal HAProxy owners, then confirm fixed packages for HTTP routing paths.

Evidence quality is single-source. Keep the confidence label attached when this is turned into a ticket or change request.

Sources: BSI/CERT-Bund. https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2012

Finding 8: BSI ffmpeg WID-SEC-2026-2011 / CVE-2026-8461

CVE-2026-8461 / WID-SEC-2026-2011 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Patch media-processing paths that handle untrusted audio or video files.

Evidence quality is single-source. Keep the confidence label attached when this is turned into a ticket or change request.

Sources: BSI/CERT-Bund. https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2011

Finding 9: ffmpeg WID-SEC-2026-2015 denial-of-service advisory

WID-SEC-2026-2015 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Patch media-processing paths that handle untrusted audio or video files.

Evidence quality is single-source. Keep the confidence label attached when this is turned into a ticket or change request.

Sources: BSI/CERT-Bund. https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2015

Finding 10: BSI pgAdmin WID-SEC-2026-2005 / CVE-2026-12044

CVE-2026-12044 / WID-SEC-2026-2005 is now in the daily routing queue. The immediate task is exposure evidence, not broad incident language: Patch pgAdmin, remove public exposure, enforce strong authentication, and review admin access logs.

Evidence quality is single-source. Keep the confidence label attached when this is turned into a ticket or change request.

Sources: BSI/CERT-Bund. https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2005

Also tracked

  • CERT-FR Node.js vulnerability batch CERTFR-2026-AVI-0786
  • Langflow BaseFileComponent arbitrary file read to RCE chain CVE-2026-55447
  • dbt MCP Server OAuth helper token leak CVE-2026-55837
  • AWS Bedrock AgentCore Python SDK CVE-2026-12530
  • Network-AI command injection CVE-2026-54051
  • OpenFGA OIDC audience validation CVE-2026-55689
  • OpenBao cross-namespace lease operation issue CVE-2026-55774 · High
  • Cloudflare Quiche use-after-free CVE-2026-11941 · Medium
  • Microsoft Edge/Chromium WebRTC heap-overflow batch CVE-2026-12447 / CVE-2026-12466
  • F5 / NGINX Open Source CVE-2026-42530 and CVE-2026-42055 patch routing · High
  • Traefik Kubernetes Ingress NGINX provider auth-secret fail-open CVE-2026-54762
  • Apple Beats Studio Buds CVE-2025-20701 · High
  • MSRC Cowboy HTTP response splitting CVE-2026-43966
  • MSRC opentelemetry-cpp unbounded HTTP response read CVE-2026-44967
  • MSRC GnuTLS PKCS11 use-after-free CVE-2026-42014
  • MSRC Perl Socket heap read CVE-2026-12087