Seventy-three thousand FortiGate VPN credential sets are now public. That is not a vulnerability disclosure or a theoretical risk — it is an exposure event where the initial access is already done for any attacker who downloads the dump. Today also brings emergency NGINX patches from F5, a root-level command execution fix for Cisco ISE, and a CVSS 10 Joomla plugin flaw that CISA wants patched by Friday. The defensive priorities are clear: rotate, patch, segment.

In the News

FortiBleed Leak Exposes VPN Credentials for 73,000 FortiGate Devices

A threat actor published a dataset dubbed “FortiBleed” containing VPN credentials — plaintext usernames, passwords, and device configuration fragments — for approximately 73,000 FortiGate SSL-VPN appliances worldwide. The scale is significant: these are not hashed credentials requiring offline cracking. They are ready-to-use initial access material for any threat actor who downloads the dump.

The exposure likely stems from a combination of previously disclosed Fortinet vulnerabilities that were exploited before organizations applied patches. Credential harvesting campaigns targeting FortiGate devices have been documented repeatedly over the past two years, and this dump represents the aggregated output of sustained exploitation. The configuration fragments included in the leak compound the risk — they reveal internal network topology, VLAN assignments, and firewall rule structure that make post-authentication lateral movement significantly easier.

For defenders, the immediate response is credential rotation on every FortiGate VPN account, regardless of whether the organization has confirmed its presence in the dump. Waiting for confirmation is operationally slower than the rotation itself. Beyond the immediate response, this is a structural argument for phishing-resistant MFA on all remote access and for accelerating migration from traditional VPN to zero-trust network access architectures where stolen credentials alone are insufficient for access.

What defenders should do: Force credential rotation on all FortiGate VPN accounts. Enable MFA on VPN access if not already enforced. Audit FortiGate firmware versions against CISA’s Fortinet advisories and apply all outstanding patches. Review logs for unauthorized VPN sessions from unexpected geolocations during the exposure window.
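The log review in the last action item is where teams lose the most time during an exposure window, so here is an added worked example (not from the brief or from Fortinet) of that triage logic in Python. The FortiGate SSL-VPN event lines, the GeoIP mapping and the per-user country baseline are all constructed; a real run would feed the syslog export, a GeoIP database and an IdP or HR export into the same two functions. It flags tunnel-up events from a country outside the user's baseline, and two different countries for one user inside a one-hour window.

```python
"""Triage FortiGate SSL-VPN login events for a credential-exposure window.

Added example, not from the brief or from Fortinet. Log lines are constructed
in FortiGate's key=value syslog style; the geo lookup and the per-user
baseline are stand-ins for a GeoIP database and an IdP/HR export.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: two normal logins, one login from an unexpected country,
# one user appearing from two distant countries within minutes, one failure.
SAMPLE_LOGS = """\
date=2025-06-16 time=08:02:11 devname="fw-edge-1" type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" group="vpn_users" remip=198.51.100.23 reason="login successfully"
date=2025-06-16 time=08:05:40 devname="fw-edge-1" type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="bob" group="vpn_users" remip=192.0.2.77 reason="login successfully"
date=2025-06-16 time=08:09:02 devname="fw-edge-1" type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="alice" group="vpn_users" remip=203.0.113.9 reason="login successfully"
date=2025-06-16 time=09:30:15 devname="fw-edge-1" type="event" subtype="vpn" logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" user="carol" group="vpn_users" remip=203.0.113.50 reason="login successfully"
date=2025-06-16 time=09:31:00 devname="fw-edge-1" type="event" subtype="vpn" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-tunnel" user="dave" group="vpn_users" remip=203.0.113.51 reason="sslvpn_login_permission_denied"
"""

# Stand-in for a GeoIP lookup (constructed; RFC 5737 documentation ranges).
GEO = {"198.51.100.23": "US", "192.0.2.77": "US", "203.0.113.9": "RU",
       "203.0.113.50": "RU", "203.0.113.51": "RU"}
# Stand-in for the per-user expected-country baseline (constructed).
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"DE"}, "dave": {"US"}}
TRAVEL_WINDOW = timedelta(hours=1)


def parse_line(line):
    """Split one FortiGate key=value record into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(log_text, geo=GEO, baseline=BASELINE):
    """Return (user, remip, reason) findings for successful tunnel-ups that fall
    outside the user's baseline or imply impossible travel inside the window."""
    findings = []
    last_seen = defaultdict(list)  # user -> [(timestamp, country), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "tunnel-up":
            continue  # failures and tunnel-downs are out of scope here
        ts = datetime.strptime(f'{rec["date"]} {rec["time"]}', "%Y-%m-%d %H:%M:%S")
        user, ip = rec["user"], rec["remip"]
        country = geo.get(ip, "??")
        if country not in baseline.get(user, set()):
            findings.append((user, ip, f"login from {country} outside baseline"))
        for prev_ts, prev_country in last_seen[user]:
            if prev_country != country and ts - prev_ts <= TRAVEL_WINDOW:
                findings.append((user, ip, f"{prev_country}->{country} within {ts - prev_ts}"))
        last_seen[user].append((ts, country))
    return findings


if __name__ == "__main__":
    for user, ip, why in triage(SAMPLE_LOGS):
        print(f"REVIEW  user={user} remip={ip}  {why}")
```

The travel window is deliberately generous. During an exposure window like this one the goal is recall, since every flagged session is cross-checked against the rotation list anyway, and a missed session is a live attacker.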

F5 Ships Out-of-Band Patches for Two Critical NGINX Vulnerabilities

F5 released emergency out-of-band patches for two critical vulnerabilities in NGINX that carry remote code execution risk. The flaws affect configurations commonly deployed as reverse proxies, API gateways, and load balancers — infrastructure components that sit at the boundary between the internet and internal application stacks. F5 issuing patches outside their normal release cycle is an explicit signal that the severity warrants immediate attention.

NGINX handles a substantial share of global web traffic. The affected configurations are not exotic; they are standard deployment patterns for application delivery. Organizations running NGINX in any internet-facing capacity should apply the patches immediately. Where immediate patching is not feasible, a web application firewall or application-layer inspection in front of the affected tier serves as a compensating control while the update is staged, with one caveat: where NGINX is itself the outermost edge, there may be nothing in front of it to inspect the request, and patching is the only real control.

What defenders should do: Identify all NGINX instances in the environment — including shadow deployments in containerized workloads and CI/CD pipelines. Apply F5’s out-of-band patches. Deploy WAF rules to detect exploitation attempts against the disclosed vulnerability classes.

Cisco Patches Critical Command Execution Flaw in ISE

Cisco released patches for a critical command execution vulnerability in Identity Services Engine (ISE) that allows an authenticated attacker to escalate privileges to root on the underlying operating system. ISE is the policy decision point for network access control, 802.1X enforcement, and segmentation policy in Cisco network environments. Root access to ISE means an attacker can modify the access policies themselves — effectively rewriting the rules that determine who and what is permitted on the network.

The vulnerability requires authenticated access, which limits the attack surface to environments where ISE admin credentials have already been compromised or where admin accounts lack MFA. That said, ISE admin compromise is exactly the kind of post-exploitation objective that threat actors pursue after initial access through other vectors. The authentication requirement should not be mistaken for a meaningful barrier in a post-compromise scenario.

What defenders should do: Patch ISE immediately per the Cisco advisory. Enforce phishing-resistant MFA on all ISE administrative accounts. Place ISE management interfaces on dedicated, segmented management networks. Monitor ISE admin sessions for anomalous command execution patterns.

Tor-Routed Crypto Clipper Campaign Adds Worm Propagation

Microsoft documented a crypto clipper campaign that significantly exceeds the typical clipboard-hijacking stealer in both capability and stealth. The malware bundles a Tor client, routes all command-and-control traffic through localhost:9050, self-propagates across accessible SMB network shares, and establishes persistent backdoor access on infected hosts.

The Tor C2 mechanism is the most operationally significant element. The malware hands its traffic to a local SOCKS listener on 127.0.0.1:9050, so the C2 protocol itself never appears on the wire: what leaves the host is TLS to a Tor guard relay, indistinguishable at the payload level from any other TLS session. Be precise about what this does and does not hide. A Tor client bootstraps against directory authorities whose IP addresses are compiled into the binary, and it connects to relays by IP, so there is normally no DNS lookup for the analyst to catch; DNS visibility only helps when the dropper fetches a Tor bundle from torproject.org or the client is using a domain-fronted bridge. The reliable network indicator is the destination: the Tor consensus is public, so outbound connections from workstations to any listed relay IP can be flagged from firewall or Sysmon Event ID 3 logs. On the endpoint, look for an unexpected process listening on TCP 9050 and for a client process connecting to it. The worm-like SMB propagation is the second priority: organizations without east-west segmentation limiting SMB traffic between endpoints are at risk of rapid lateral spread. In ATT&CK terms this combines T1090.003 (Proxy: Multi-hop Proxy) for C2 with T1021.002 (Remote Services: SMB/Windows Admin Shares) for lateral movement.

What defenders should do: Match outbound connections from endpoints against the published Tor relay list, refreshed at least daily since the consensus changes hourly. Deploy endpoint rules for processes listening on TCP 9050 that are not an approved Tor Browser install. Treat DNS lookups of torproject.org hosts as a download-stage indicator only. Enforce SMB segmentation between endpoints. Review network shares for unexpected executable files.

Defender Action Items

  • FortiBleed response: Rotate all FortiGate VPN credentials immediately. Enable MFA. Audit firmware versions against CISA advisories and patch to current.
  • NGINX patching: Apply F5 out-of-band patches to all NGINX instances. Inventory containerized and shadow NGINX deployments.
  • Cisco ISE patching: Apply Cisco’s ISE patch. Enforce MFA on ISE admin accounts. Segment ISE management interfaces.
  • CVE-2026-48907 (Joomla JCE): Patch or disable the JCE plugin before CISA’s Friday June 20 deadline. CVSS 10, confirmed exploitation.
  • CVE-2026-50656 (Microsoft Defender): No patch available yet. Monitor the Microsoft advisory for updates. Apply compensating endpoint hardening.
  • Tor C2 detection: Alert on outbound connections to known Tor relay IPs and on localhost:9050 listeners from unapproved processes. DNS monitoring for torproject.org catches only the bundle download stage.

Detection Spotlight

The Tor-routed clipper campaign documented by Microsoft routes C2 through a localhost Tor SOCKS proxy on port 9050. Payload inspection at the perimeter misses this because the traffic exits the host as Tor TLS after the local proxy hop, and because Tor bootstraps against hardcoded directory authority IPs there is usually no DNS lookup to catch either. The dependable signals are the destination addresses, which are published in the Tor consensus, and the local listener. The following Splunk SPL query works from Sysmon telemetry (adjust index and sourcetype to your deployment): it tags connections to a loopback 9050 listener, joins outbound connections (Event ID 3) against a lookup table tor_relays.csv with a relay_ip column populated daily from the consensus (for example via the Tor Project's Onionoo API), and keeps the one DNS indicator that is realistic, a lookup of a torproject.org host when the dropper fetches the Tor bundle:

index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
    ((EventCode=3 Initiated=true) OR EventCode=22)
| eval indicator=case(
    EventCode=3 AND DestinationPort=9050 AND cidrmatch("127.0.0.0/8", DestinationIp), "local_socks_9050",
    EventCode=3, "outbound",
    EventCode=22 AND like(QueryName, "%torproject.org"), "torproject_dns")
| lookup tor_relays.csv relay_ip AS DestinationIp OUTPUT relay_ip AS tor_relay
| eval indicator=if(indicator="outbound" AND isnotnull(tor_relay), "tor_relay_connect", indicator)
| where isnotnull(indicator) AND indicator!="outbound"
| stats earliest(_time) AS first_seen, values(Image) AS processes, values(DestinationIp) AS dests, count BY Computer, indicator
| sort - count

This query surfaces three things per host: a process talking to a local SOCKS listener on 9050, an outbound connection to an address in the current relay list, and the torproject.org resolution that precedes a bundle download. Refresh the relay lookup at least daily; the consensus changes hourly, and a stale list produces false negatives rather than false positives. The false positive rate is low in enterprise environments, since legitimate Tor usage is uncommon and should be policy-controlled; exclude an approved Tor Browser by Image path rather than suppressing the rule. The strongest alert is the correlation of a 9050 listener and a relay connection from the same host within a few minutes.
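To make that correlation concrete for both the campaign write-up above and this spotlight, here is an added Python example (not Microsoft's or the brief's code) that joins a listener snapshot with Sysmon-style Event ID 3 records. The hostnames, process paths, relay addresses and SMB targets are all constructed; the relay set stands in for a daily export of the Tor consensus, and the approved-image list is a hypothetical policy allowing a managed Tor Browser. It raises a C2 verdict only when a rogue 9050 listener and a relay connection land on the same host, and adds the worm signal when one process fans out over SMB to more than five peers.

```python
"""Correlate endpoint telemetry for a Tor-proxied C2 client with SMB spread.

Added example, not Microsoft's or the brief's code. Events are constructed in
a Sysmon-like shape (Event ID 3 network connections plus a listener snapshot);
the relay set stands in for the published Tor consensus and the approved
images for a hypothetical local policy.
"""
import ipaddress
from collections import defaultdict

# Stand-in for the Tor relay list (constructed; RFC 5737 ranges). In
# production, rebuild this from the consensus at least daily.
TOR_RELAYS = {"203.0.113.10", "203.0.113.11", "198.51.100.200"}
# Processes allowed to expose a SOCKS listener on 9050 (constructed policy).
APPROVED_TOR_IMAGES = {r"C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe"}
SMB_FANOUT_THRESHOLD = 5  # distinct 445/tcp peers per process before we call it a worm

# Constructed listener snapshot: (host, image, local_ip, local_port)
LISTENERS = [
    ("WS-017", r"C:\Users\Public\svchosts.exe", "127.0.0.1", 9050),
    ("WS-042", r"C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe", "127.0.0.1", 9050),
]

# Constructed Sysmon Event ID 3 records (fields named as Sysmon names them).
NET_EVENTS = [
    # WS-017: clipper hands C2 to the local proxy, proxy dials a relay, then fans out over SMB
    {"Computer": "WS-017", "Image": r"C:\Users\Public\clipd.exe", "DestinationIp": "127.0.0.1", "DestinationPort": 9050},
    {"Computer": "WS-017", "Image": r"C:\Users\Public\svchosts.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
] + [
    {"Computer": "WS-017", "Image": r"C:\Users\Public\clipd.exe", "DestinationIp": f"10.0.5.{n}", "DestinationPort": 445}
    for n in range(20, 26)
] + [
    # WS-042: approved Tor Browser reaching a relay, WS-099: ordinary HTTPS
    {"Computer": "WS-042", "Image": r"C:\Program Files\Tor Browser\Browser\TorBrowser\Tor\tor.exe", "DestinationIp": "203.0.113.11", "DestinationPort": 443},
    {"Computer": "WS-099", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "DestinationIp": "198.51.100.5", "DestinationPort": 443},
]


def is_loopback(ip):
    return ipaddress.ip_address(ip).is_loopback


def correlate(listeners, net_events, relays=TOR_RELAYS, approved=APPROVED_TOR_IMAGES):
    """Return {host: sorted indicator names} for hosts with at least one indicator."""
    indicators = defaultdict(set)
    for host, image, local_ip, port in listeners:
        if port == 9050 and is_loopback(local_ip) and image not in approved:
            indicators[host].add("rogue_socks_listener")
    smb_targets = defaultdict(set)  # (host, image) -> distinct 445/tcp destinations
    for ev in net_events:
        host, image = ev["Computer"], ev["Image"]
        dst, port = ev["DestinationIp"], ev["DestinationPort"]
        if image in approved:
            continue  # policy-approved Tor client: not an indicator
        if port == 9050 and is_loopback(dst):
            indicators[host].add("local_socks_client")
        elif dst in relays:
            indicators[host].add("tor_relay_connect")
        elif port == 445 and not is_loopback(dst):
            smb_targets[(host, image)].add(dst)
    for (host, _image), targets in smb_targets.items():
        if len(targets) > SMB_FANOUT_THRESHOLD:
            indicators[host].add("smb_fanout")
    return {h: sorted(s) for h, s in indicators.items()}


def verdict(host_indicators):
    """Map one host's indicator list to a triage label."""
    s = set(host_indicators)
    if {"rogue_socks_listener", "tor_relay_connect"} <= s:
        return "worm_c2" if "smb_fanout" in s else "tor_c2"
    if s & {"rogue_socks_listener", "tor_relay_connect", "local_socks_client"}:
        return "suspicious"
    return "benign"


if __name__ == "__main__":
    for host, inds in correlate(LISTENERS, NET_EVENTS).items():
        print(f"{host}: {verdict(inds)}  {', '.join(inds)}")
```

The approved-image exclusion is applied per process rather than per host on purpose: a user with a sanctioned Tor Browser can still be infected, and a second, unapproved process on the same machine bound to 9050 must still fire.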

Subscribe to the it-learn Brief

Get the daily cybersecurity brief in your inbox every weekday morning — news, SE angles, and detection queries.