FortiBleed / Fortinet FortiGate Credential Exposure
Previously covered 20 June 2026; today's delta: UK-facing mitigation routing and reporting on roughly 86,000 exposed Fortinet device credentials keep this in the current owner queue.
Treat this as credential recovery. Run FortiGate and FortiOS exposure checks, terminate active sessions, rotate administrator and VPN credentials, enforce MFA, inspect for unauthorised accounts and log anomalies, and validate Fortinet remediation guidance.
Sources: NCSC UK; Fortinet PSIRT; SecurityWeek. https://www.ncsc.gov.uk/news/advice-following-global-targeting-of-fortinet-firewalls-and-vpn-gateways ; https://www.fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices ; https://www.securityweek.com/fortibleed-86000-fortinet-device-credentials-compromised/
Gravity SMTP WordPress Plugin CVE-2026-4020 Exposes Secrets
Gravity SMTP versions up to and including 2.1.4 are reported as actively exploited, with exposure of API keys, OAuth tokens, mail-service configuration, and other connector secrets from WordPress sites. The useful response is not only plugin patching. Owners should assume exposed connector material may need rotation.
Patch Gravity SMTP to 2.1.5 or later, then review outbound mail activity and API access logs for abuse. Wordfence provides the technical exploitation detail, whilst The Hacker News carries the broader exploitation report.
Sources: The Hacker News; Wordfence. https://thehackernews.com/2026/06/hackers-exploit-gravity-smtp-wordpress.html ; https://www.wordfence.com/blog/2026/06/attackers-actively-exploiting-sensitive-information-exposure-vulnerability-in-gravity-smtp-plugin/
Splunk Enterprise CVE-2026-20253 Active Exploitation Patch Deadline
Previously covered 20 June 2026; today's delta: active-exploitation routing and the Sunday patch deadline remain live owner pressure.
Patch affected Splunk Enterprise branches, restrict management and sidecar reachability whilst patching, and hunt for unexpected file creation, truncation, or suspicious administrative activity. CISA's KEV routing and the CVE record are the key references for ticket evidence.
Sources: BleepingComputer; CISA KEV; CVE Program. https://www.bleepingcomputer.com/news/security/cisa-splunk-enterprise-flaw-actively-exploited-patch-by-sunday/ ; https://www.cisa.gov/known-exploited-vulnerabilities-catalog ; https://www.cve.org/CVERecord?id=CVE-2026-20253
F5 NGINX CVE-2026-42055 HTTP/2 Proxy And gRPC Overflow
CVE-2026-42055 affects NGINX deployments using risky HTTP/2 proxy or gRPC directive combinations. The F5 advisory points to fixed releases and a practical mitigation path: remove the unsafe directive combination where patching cannot happen immediately.
Reverse-proxy owners should search repositories and runtime configuration for grpc_pass or HTTP/2 proxying combined with ignore_invalid_headers off and oversized large_client_header_buffers. Patch affected NGINX Open Source or NGINX Plus releases, then confirm the live configuration rather than relying only on package status.
Sources: F5; The Hacker News. https://my.f5.com/manage/s/article/K000161584 ; https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html
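A triage screen for the directive combination described above, written for this brief as an added example (it is not code from F5, NGINX or the brief's authors). It assumes the standard NGINX directive names grpc_pass, proxy_pass, ignore_invalid_headers and large_client_header_buffers, and treats "oversized" as any buffer size above the NGINX default of 8k; that threshold is this example's assumption, not F5's figure. The two config files are constructed samples.

```shell
#!/bin/sh
# Added example, not code from F5 or NGINX. Screens one NGINX config file for
# the directive combination the brief lists. Assumed threshold: any
# large_client_header_buffers size above the 8k default counts as oversized.

# nginx_risky_combo CONF_FILE
# CONF_FILE should hold the effective configuration in one file (for example
# `nginx -T` output saved to disk) so that directives spread over included
# files are evaluated together. Prints the evidence lines and returns 0 when
# all three conditions co-occur; returns 1 otherwise.
nginx_risky_combo() {
  body=$(sed 's/#.*$//' "$1")   # drop comments so commented-out directives do not count
  # condition 1: gRPC proxying or client-facing HTTP/2 in front of a proxy
  h2=$(printf '%s\n' "$body" | grep -E '(^|[[:space:]])(grpc_pass|http2[[:space:]]+on|listen[^;]*[[:space:]]http2)([[:space:];]|$)' || true)
  # condition 2: header validation switched off
  iih=$(printf '%s\n' "$body" | grep -E '(^|[[:space:]])ignore_invalid_headers[[:space:]]+off[[:space:]]*;' || true)
  # condition 3: large_client_header_buffers NUMBER SIZE with SIZE above 8k
  big=$(printf '%s\n' "$body" | awk '
    {
      for (i = 1; i + 2 <= NF; i++) if ($i == "large_client_header_buffers") {
        sz = $(i + 2); sub(/;$/, "", sz)
        n = sz + 0                 # awk keeps the leading digits: "64k" -> 64
        if (sz ~ /[kK]$/) n *= 1024; else if (sz ~ /[mM]$/) n *= 1048576
        if (n > 8192) print $0
      }
    }')
  if [ -n "$h2" ] && [ -n "$iih" ] && [ -n "$big" ]; then
    printf 'RISKY: %s\n%s\n%s\n%s\n' "$1" "$h2" "$iih" "$big"
    return 0
  fi
  return 1
}

# Constructed samples (not real deployments) to exercise the screen.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/risky.conf" <<'EOF'
# constructed sample: all three conditions present
http {
    large_client_header_buffers 4 64k;
    ignore_invalid_headers off;
    server {
        listen 443 ssl http2;
        location /api/ { grpc_pass grpc://backend:50051; }
    }
}
EOF
cat > "$SAMPLES/safe.conf" <<'EOF'
# constructed sample: HTTP/2 in use, but header validation and buffers left at defaults
http {
    server {
        listen 443 ssl http2;
        location / { proxy_pass http://backend; }
        # ignore_invalid_headers off;   <- commented out, must not count
    }
}
EOF
RISKY_CONF="$SAMPLES/risky.conf"
SAFE_CONF="$SAMPLES/safe.conf"

for c in "$RISKY_CONF" "$SAFE_CONF"; do
  nginx_risky_combo "$c" || echo "OK: $c shows no risky combination"
done
```

The screen is deliberately tree-wide rather than per-server-block: a match tells the owner which file to read, not that a given vhost is exploitable, so confirm against the live `nginx -T` output before closing a ticket either way.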
F5 NGINX CVE-2026-42530 HTTP/3 And QUIC Patch Route
Previously covered 20 June 2026; today's delta: this remains paired with the NGINX owner queue because the same advisory family affects HTTP/3, QUIC, proxy HTTP/2, and gRPC paths.
Prioritise deployments using those modules or directive combinations. Validate fixed releases, then disable risky module paths where change windows lag.
Sources: F5; The Hacker News. https://my.f5.com/manage/s/article/K000161584 ; https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html
Why This Matters
The common failure mode today is trust material escaping its intended boundary. Mail connectors, OAuth apps, developer packages, edge devices, and secrets platforms all sit close to credentials or tokens. Patching is necessary, but it will not be enough if stolen credentials remain valid.
Recommended Actions
- Patch Gravity SMTP, NGINX, Splunk, OpenBao, and affected firmware where relevant to the estate.
- Rotate or revoke exposed secrets, OAuth tokens, VPN credentials, npm tokens, cloud keys, and LLM credentials where exposure is plausible.
- Inspect Salesforce, mail-service, FortiGate, Splunk, CI/CD, and developer-host logs for abnormal access.
- Keep low-confidence items labelled as such when turning them into owner tickets.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 21 June 2026.
Mastra npm Compromise Attributed To Sapphire Sleet
Microsoft attribution moves the Mastra and easy-day-js compromise out of generic package-poisoning territory and into North Korea-linked developer supply-chain activity associated with Sapphire Sleet / BlueNoroff. That changes the owner group. This belongs with developer platforms, CI/CD owners, and anyone managing agent or LLM build pipelines.
Audit @mastra/* installs after 2026-06-17, remove easy-day-js, pin known-good package versions, and rotate secrets from affected developer or build systems. Treat npm tokens, cloud credentials, wallet material, and LLM credentials as in scope where exposure is plausible.
Sources: Microsoft Security Blog; BleepingComputer. https://www.microsoft.com/en-us/security/blog/2026/06/17/postinstall-payload-inside-mastra-npm-supply-chain-compromise/ ; https://www.bleepingcomputer.com/news/security/microsoft-links-mastra-ai-supply-chain-attack-to-north-korean-hackers/
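A first-pass triage for the audit step above, added here as an example (not code from Microsoft, Mastra or the brief's authors). It reads an npm project's package-lock.json (assumed to be the lockfileVersion 2 or 3 "packages" layout), reports any easy-day-js entry, lists each @mastra/* package with its locked version, and flags @mastra/* directories in node_modules modified on or after 2026-06-17. Directory modification time is used as a proxy for install time; that is an assumption, and registry or CI install records are stronger evidence. Known-good versions are not given on the page, so none are hard-coded. The project tree is a constructed sample.

```shell
#!/bin/sh
# Added example, not from Microsoft or the Mastra project. Triage for the
# Mastra / easy-day-js item: lockfile and node_modules checks for one project.
# Assumption: directory mtime approximates install time.

AUDIT_DATE='202606170000'   # touch -t format (YYYYMMDDhhmm) for 2026-06-17

# npm_mastra_triage PROJECT_DIR
# Prints findings; returns 0 when something needs action, 1 when nothing was flagged.
npm_mastra_triage() {
  proj="$1"
  lock="$proj/package-lock.json"
  hits=0

  # (a) easy-day-js anywhere in the lockfile, nested installs included
  if [ -f "$lock" ] && grep -Eq '"node_modules/([^"]*/)?easy-day-js"' "$lock"; then
    echo "ACTION: easy-day-js present in $lock (remove it and rebuild the lockfile)"
    hits=1
  fi

  # (b) every @mastra/* package and the version the lockfile resolved
  if [ -f "$lock" ]; then
    awk '
      /"node_modules\/@mastra\// { name = $1; gsub(/[":]/, "", name); sub(/^node_modules\//, "", name); want = 1; next }
      want && /"version":/ { v = $2; gsub(/[",]/, "", v); printf "INFO: %s locked at %s\n", name, v; want = 0 }
    ' "$lock"
  fi

  # (c) @mastra/* directories written on or after the audit date
  if [ -d "$proj/node_modules/@mastra" ]; then
    ref=$(mktemp)
    touch -t "$AUDIT_DATE" "$ref"
    for d in $(find "$proj/node_modules/@mastra" -mindepth 1 -maxdepth 1 -type d -newer "$ref"); do
      echo "ACTION: $d modified on/after 2026-06-17 - verify against pinned known-good versions"
      hits=1
    done
    rm -f "$ref"
  fi

  [ "$hits" -eq 1 ] && return 0
  return 1
}

# Constructed sample project (versions and layout are made up for the example).
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/node_modules/@mastra/core" "$SAMPLE/node_modules/@mastra/rag" "$SAMPLE/node_modules/easy-day-js"
cat > "$SAMPLE/package-lock.json" <<'EOF'
{
  "name": "constructed-sample",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "constructed-sample", "dependencies": { "@mastra/core": "*" } },
    "node_modules/@mastra/core": {
      "version": "0.0.0-constructed",
      "dependencies": { "easy-day-js": "*" }
    },
    "node_modules/@mastra/rag": {
      "version": "0.0.0-constructed"
    },
    "node_modules/easy-day-js": {
      "version": "0.0.0-constructed"
    }
  }
}
EOF
touch -t 202606180000 "$SAMPLE/node_modules/@mastra/core"   # after the audit date
touch -t 202606010000 "$SAMPLE/node_modules/@mastra/rag"    # before it

npm_mastra_triage "$SAMPLE" || echo "OK: nothing flagged in $SAMPLE"
```

Run it once per checkout and once per build agent; a clean lockfile in git says nothing about what a CI runner's cached node_modules holds, which is why the mtime pass is separate from the lockfile pass.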
Klue OAuth And Salesforce Compromise Affects Cybersecurity Firms
Klue is a SaaS trust-boundary problem, not a conventional endpoint exploit. Current reporting says Salesforce instances tied to Klue customers were affected, with named cybersecurity-sector firms including Huntress and Recorded Future.
SaaS owners should enumerate Klue and Salesforce connected-app use, revoke stale or suspect Klue OAuth tokens, and inspect Salesforce REST API activity for unusual extraction. Downstream review should include customer, prospect, and partner data that may have been available through the connected app.
Sources: SecurityWeek; Dark Reading. https://www.securityweek.com/cybersecurity-firms-impacted-by-klue-supply-chain-attack/ ; https://www.darkreading.com/cyberattacks-data-breaches/salesforce-data-thefts-klue-app-compromise
OpenBao CVE-2026-55774 Cross-Namespace Lease Fix
Previously covered 20 June 2026; today's delta: the patch route remains material for secrets-platform isolation.
Apply fixed OpenBao releases and audit lease-management logs for unexpected cross-namespace revoke or renew operations. Keep the confidence label attached because the current evidence is narrower than the higher-priority items above.
Source: GitHub Advisory Database. https://github.com/advisories/GHSA-c36x-h252-g9x2
Apple Beats Studio Buds / Airoha SDK CVE-2025-20701 Patch
Previously covered 20 June 2026; today's delta: firmware validation remains relevant for managed audio devices in sensitive environments.
Validate firmware coverage for managed Beats or Airoha SDK-based audio devices used by executives, security teams, or staff in sensitive rooms. This is a narrower inventory-routing item, not a broad enterprise incident.
Source: The Hacker News. https://thehackernews.com/2026/06/apple-patches-beats-studio-buds-flaw.html