FortiBleed Exploits FortiGate Credentials: 86K Devices

A widespread credential-harvesting campaign, named FortiBleed, targets internet-facing FortiGate firewalls and VPN appliances across 194 countries. Fortinet warned about the operation, which uses previously exposed user credentials and AI-assisted brute-force techniques to gain unauthorized access to network infrastructure. This campaign is one of the largest credential-based threats to Fortinet environments observed recently, with researchers estimating that up to 86,000 FortiGate devices could be at risk.

The campaign succeeds by exploiting weak, reused, or already compromised administrative and VPN user credentials, especially on systems without multi-factor authentication (MFA). Threat actors exploit existing weaknesses in access controls rather than a specific zero-day flaw, which demonstrates the risk posed by poor credential hygiene and insufficient security configurations. Organizations that previously implemented remediation measures from earlier Fortinet advisories are reportedly less likely to be affected.

After successful authentication, actors modify device configurations, create persistent administrative accounts, and establish backdoors for continued access. This compromise can lead to broader network infiltration, particularly in environments integrated with Active Directory or LDAP services. Fortinet is notifying potentially impacted customers and coordinating with government agencies such as CISA to address the threat.

How the FortiBleed campaign operates

The FortiBleed campaign primarily reuses credentials exposed in previously disclosed security incidents. It combines these compromised credentials with AI-assisted brute-force techniques to authenticate against FortiGate firewalls and VPN appliances. Fortinet's investigation concluded that attackers target systems where multi-factor authentication (MFA) is not enabled, relying on weak or leaked administrator and VPN credentials. This approach allows attackers to pass the initial authentication layer without any new, undisclosed vulnerability.

Upon gaining unauthorized access, threat actors perform post-exploitation actions to establish persistence and expand their foothold. These activities include modifying device configurations, creating unauthorized administrative accounts to maintain access, and setting up persistent pathways into targeted environments. Common rogue account names observed in compromised systems often impersonate legitimate services or support personnel, using variations such as "forticloud," "fortiuser," and "fortinet-support."

In corporate environments where FortiGate devices integrate with services such as Active Directory (AD) or LDAP, a successful breach can enable lateral movement across internal networks. This increases the potential for broader organizational compromise, allowing attackers to access sensitive data, deploy more malware, or disrupt operations. CISA and Fortinet have jointly urged organizations to take immediate steps, including resetting all VPN and administrative credentials and enforcing MFA across all privileged accounts.

Organizations should upgrade to supported FortiOS versions (7.4, 7.6, or later) for enhanced password protection mechanisms, such as PBKDF2 hashing. Security teams should also audit configurations against known-good baselines, remove any suspicious or unauthorized accounts, and monitor logs for unusual login attempts or configuration changes. If any such indicators are found, the affected devices should be treated as fully compromised and incident response procedures initiated.
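The log review described above can be scripted. The following is an added example, not Fortinet's tooling or anything from the advisory: it parses FortiOS-style key=value event lines and flags a burst of failed logins from one source, a successful login by an account outside the organisation's admin baseline, and the creation of an admin object whose name mimics the rogue accounts named in the report. The admin baseline, the failed-login threshold, the `cfgpath`/`cfgobj` field names and all sample log lines are assumptions constructed for this example.

```python
"""Triage helper for FortiGate event logs (constructed example, not Fortinet tooling)."""
import re
from collections import Counter

# Rogue account names reported in compromised systems, matched case-insensitively.
ROGUE_NAME_PATTERNS = ("forticloud", "fortiuser", "fortinet-support")
# Assumed baseline of legitimately provisioned administrators for this example.
KNOWN_ADMINS = {"admin", "netops-jane"}
# Assumed threshold; tune it to the device's normal failed-login rate.
FAILED_LOGIN_THRESHOLD = 5

# FortiOS event logs are space-separated key=value pairs, values optionally quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv_line(line: str) -> dict:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_rogue_name(user: str) -> bool:
    """True when an account name mimics the campaign's support/cloud personas."""
    u = user.lower()
    return u not in KNOWN_ADMINS and any(p in u for p in ROGUE_NAME_PATTERNS)


def analyze(lines) -> list:
    """Return (kind, subject, detail) findings for the supplied log lines."""
    findings = []
    failed_by_src = Counter()
    for line in lines:
        ev = parse_kv_line(line)
        user, action, status = ev.get("user", ""), ev.get("action", ""), ev.get("status", "")
        if action == "login" and status == "failed":
            failed_by_src[ev.get("srcip", "?")] += 1
        elif action == "login" and status == "success" and user not in KNOWN_ADMINS:
            findings.append(("unknown-admin-login", user, ev.get("srcip", "?")))
        # Config-change events (assumed field names cfgpath/cfgobj) that add an admin object.
        if ev.get("cfgpath") == "system.admin" and action == "Add" and is_rogue_name(ev.get("cfgobj", "")):
            findings.append(("rogue-admin-created", ev["cfgobj"], user))
    for src, count in failed_by_src.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("bruteforce-burst", src, count))
    return findings


# Constructed sample: a failed-login burst, a rogue admin created, then used. RFC 5737 addresses.
SAMPLE_LINES = [
    f'date=2025-06-10 time=09:14:{s:02d} type=event subtype=system user="admin" '
    f'srcip=203.0.113.7 action=login status=failed reason="name_invalid"'
    for s in range(5)
] + [
    'date=2025-06-10 time=09:14:40 type=event subtype=system user="admin" srcip=203.0.113.7 action=login status=success',
    'date=2025-06-10 time=09:15:01 type=event subtype=system user="admin" cfgpath="system.admin" cfgobj="fortinet-support" action=Add',
    'date=2025-06-10 time=09:16:12 type=event subtype=system user="fortinet-support" srcip=203.0.113.7 action=login status=success',
    'date=2025-06-10 time=10:00:00 type=event subtype=system user="netops-jane" srcip=192.0.2.10 action=login status=success',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LINES):
        print(finding)
```

Any `rogue-admin-created` or `unknown-admin-login` finding is the point at which the device should be treated as compromised rather than merely probed; the burst detection on its own only says the device is being targeted.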

What is the usbliter8 iPhone BootROM flaw?

The usbliter8 vulnerability is an unpatchable BootROM-level flaw impacting Apple devices with A12, A13, and S4/S5 chips. Discovered by researchers, it stems from a hardware weakness within the Synopsys DWC2 USB controller combined with a firmware misconfiguration in SecureROM, which governs the initial boot process. The vulnerability allows an attacker with physical USB access to compromise the entire application processor boot chain before the operating system loads.

The usbliter8 root cause lies in a buffer underflow condition within the DWC2 USB controller. This condition occurs because packet writes correctly increment the DMA pointer (DOEPDMA) based on incoming packet size, but reset operations consistently subtract a fixed 24 bytes, regardless of the actual packet data. This mismatch enables attackers to manipulate DMA memory writes outside of the designated buffer, leading to arbitrary SRAM corruption. On vulnerable A12 and A13 devices, the USB DART (IOMMU) is configured in bypass mode within SecureROM, removing a memory protection layer. Apple addressed this configuration in A14 chips and newer, making them immune to this specific exploitation method.

Exploitation methods vary between chip generations due to differing security features. For A12 and S4/S5 devices, attackers can corrupt a saved Link Register (LR) adjacent to the USB DMA buffer. This grants control of program execution, enabling the deployment of a Return-Oriented Programming (ROP) chain to achieve privileged code execution within SecureROM. On A13 devices, which implement Pointer Authentication (PAC), exploitation is more complex. Researchers bypassed PAC by manipulating DART heap metadata, effectively disabling heap integrity checks and suppressing panic-triggered reboots. This redirected execution through attacker-controlled function pointers. This advanced technique shows a deep understanding of hardware-level protections.

Once arbitrary EL1 code execution is achieved, the exploit installs a custom USB handler, modifies the device serial number to include a "PWND" marker, and restores damaged memory structures to ensure device stability. It recreates SecureROM functionality in SRAM, allowing for persistence across ROM restarts. This successful exploitation defeats Apple's Secure Boot architecture, enabling privileged operations such as SoC demotion and the booting of unsigned iBoot images. This bypasses signature verification and grants full control over the boot process, similar to the broader impacts of a Qualcomm BootROM exploit.

Confirmed affected devices include the iPhone XS, iPhone XR, iPhone 11 series, iPad Pro (2018), and Apple Watch Series 4 and 5. As the vulnerability resides in immutable hardware, software or firmware updates cannot patch it. The primary mitigation is upgrading to devices powered by A14 or newer processors, which correctly configure DART protections. While Apple's Secure Enclave Processor (SEP) maintains a separate security boundary, researchers note that the boot-chain compromise afforded by usbliter8 could facilitate more sophisticated attacks against other protected components, leveraging capabilities typically associated with memory corruption vulnerabilities.

Public PoC Released for libssh2 Client-Side SSH Vulnerability CVE-2026-55200

A public proof-of-concept (PoC) has been released for CVE-2026-55200, a client-side vulnerability in the libssh2 library that carries a CVSS 4.0 score of 9.2. This flaw enables a malicious or compromised SSH server to trigger memory corruption on a connecting client, with the potential for remote code execution (RCE) without user interaction or authentication credentials. The bug affects all libssh2 releases up to and including 1.11.1.

libssh2 is a widely adopted client-side SSH library, not a server. Applications linking this library and initiating outbound SSH connections to untrusted endpoints are potential targets. Its integration into numerous products, including curl, Git, PHP, various backup agents, firmware updaters, and many appliances, broadens its attack surface. Many instances of libssh2 are statically linked, meaning standard operating system package updates may not remediate the vulnerability, requiring targeted action from vendors.

The vulnerability resides within the ssh2_transport_read() function in transport.c, which parses incoming SSH packets during the handshake phase. The flaw allows an attacker-controlled packet_length field to be read without an upper bound check. When a packet_length of 0xffffffff is supplied, 32-bit arithmetic causes the size calculation to wrap around to a small number. This results in libssh2 allocating a small buffer while attempting to write a full, oversized packet into it, leading to an out-of-bounds heap write. This integer overflow leading to a buffer overflow, classified as CWE-680, is a classic way to achieve code execution, similar to how a buffer overflow in zlib could be exploited.

The fix, implemented in commit 97acf3dfda80c91c3a8c9f2372546301d4a1a7a8, adds the necessary upper-bound check, rejecting any packet_length exceeding LIBSSH2_PACKET_MAXPAYLOAD before arithmetic operations. This is not the first time libssh2 has faced such issues; a similar integer overflow in its transport read function, CVE-2019-3855, was patched in 2019. Security researcher Tristan Madani reported the current issue, with the patch merged on June 12 and the CVE published on June 17 by VulnCheck.
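The wraparound described above is easy to reproduce in a model. The following is an added example and is not libssh2's code: it mimics the unchecked 32-bit size calculation (length field plus the 4-byte length word plus the MAC) next to a version that caps `packet_length` before any arithmetic, and reports whether copying `packet_length` bytes would exceed the buffer that was allocated. The exact expression libssh2 uses, the numeric value given to `LIBSSH2_PACKET_MAXPAYLOAD`, and the sample headers are assumptions constructed for this example.

```python
"""Model of the CWE-680 pattern behind CVE-2026-55200 (constructed example, not libssh2 code)."""
import struct

MASK32 = 0xFFFFFFFF
# Assumed cap for this model; libssh2 defines its own LIBSSH2_PACKET_MAXPAYLOAD.
LIBSSH2_PACKET_MAXPAYLOAD = 40000


def parse_packet_length(header: bytes) -> int:
    """The first 4 bytes of an SSH binary packet are packet_length, big-endian (RFC 4253)."""
    if len(header) < 4:
        raise ValueError("short header")
    return struct.unpack(">I", header[:4])[0]


def vulnerable_alloc_size(packet_length: int, mac_len: int = 0) -> int:
    """Unchecked arithmetic as a C uint32_t would do it: 0xffffffff + 4 wraps to 3,
    so the allocation is tiny while the copy length stays enormous."""
    return (packet_length + 4 + mac_len) & MASK32


def hardened_alloc_size(packet_length: int, mac_len: int = 0) -> int:
    """Bound the attacker-controlled field before any arithmetic touches it."""
    if packet_length > LIBSSH2_PACKET_MAXPAYLOAD:
        raise ValueError(f"packet_length {packet_length:#x} exceeds maximum payload")
    return packet_length + 4 + mac_len


def simulate_transport_read(header: bytes, size_fn) -> dict:
    """Run one size calculation and report whether writing packet_length bytes
    would exceed the buffer actually allocated (the out-of-bounds heap write)."""
    packet_length = parse_packet_length(header)
    alloc = size_fn(packet_length)
    return {
        "packet_length": packet_length,
        "alloc_size": alloc,
        "overflow": packet_length > alloc,
    }


# Constructed headers: a benign 64-byte packet and the 0xffffffff length from the report.
BENIGN_HEADER = struct.pack(">I", 64) + b"\x00" * 4
MALICIOUS_HEADER = b"\xff\xff\xff\xff" + b"\x00" * 4

if __name__ == "__main__":
    print(simulate_transport_read(BENIGN_HEADER, vulnerable_alloc_size))
    print(simulate_transport_read(MALICIOUS_HEADER, vulnerable_alloc_size))
    try:
        simulate_transport_read(MALICIOUS_HEADER, hardened_alloc_size)
    except ValueError as err:
        print("rejected:", err)
```

The order of operations is the whole fix: the bound check must run on the raw field, because once the wrapped sum exists every later comparison against it looks sane.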

A public proof-of-concept has been published in the "exploitarium" GitHub archive, providing an SSH trigger scaffold and a local RCE harness for the bug. However, it is not a turnkey remote exploit, and reliable code execution depends on specific target binary characteristics, allocator behavior, and how the software integrates libssh2. CISA's exploitation rating for CVE-2026-55200 remains "none," with no in-the-wild exploitation reported.

There is currently no official fixed libssh2 release, as a tagged version is still being prepared. Linux distributions and downstream projects are backporting the patch independently; Debian, for instance, already provides a repaired build in its testing repositories. NHS England Digital has issued an advisory, CC-4799, urging affected organizations to update. Beyond CVE-2026-55200, organizations are also advised to patch CVE-2026-55199 (CVSS 8.2), a denial-of-service vulnerability, and CVE-2025-15661 (CVSS 8.3), an SFTP heap over-read.

How Bluekit phishing attacks evade detection

A new Phishing-as-a-Service (PHaaS) platform named Bluekit facilitates credential theft through Browser-in-the-Middle (BitM) attacks designed to evade detection. Initially identified by Varonis Threat Labs earlier this year, Netcraft recently reported a rapid increase in its activity, discovering approximately 70 active website names using the system within a single week. This indicates that Bluekit is now fully operational at scale.

Traditional phishing schemes often use static fake login pages or simple proxying of web traffic. Bluekit changes this by loading a genuine login page, such as a Microsoft authentication portal, directly within a browser controlled by the attackers. Then, an open-source software tool called rrweb records and streams live Document Object Model (DOM) interactions to the victim over a WebSocket connection. This ensures the victim interacts with a real, functional page rather than a static image or video stream.

When a target enters credentials or clicks elements on the perceived login page, these actions transmit directly to the hacker's controlled browser. The victim unknowingly authenticates into their account within the attacker's environment, making the entire process appear legitimate. This method makes it significantly harder for victims to detect the attack, as they do not see visual artifacts typically associated with manipulated pages.

Before rendering the fake login page, Bluekit uses a "layered evasion architecture" to bypass automated security tools. Netcraft's research details a pre-engagement evasion phase that involves over 20 distinct bot checks. These checks analyze various client-side details, including RAM, screen size, and browser language. Using WebRTC, Bluekit connects to a STUN server to learn details of the visitor's network configuration, allowing it to detect the use of proxies or VPNs. If the visitor is identified as human, a fake security check page, often impersonating a legitimate service like Cloudflare, appears before the BitM attack commences.

This BitM technique distinguishes Bluekit from earlier sophisticated phishing kits like Evilginx. With Evilginx, session cookies or active sessions had to be transferred from the phishing server to a new machine, which could trigger security alarms due to browser fingerprint mismatches. Bluekit avoids this by initiating the entire session on the hacker's machine from the outset, maintaining consistent browser details throughout the interaction. This approach reduces the chances of detection by security systems, providing a smooth user experience where only a subtle lag in mouse clicks might be noticeable.

North Korean Threat Actors Deploy Python Infostealer via Hijacked npm and Go Packages

Cybersecurity researchers have uncovered a campaign deploying a Python-based information stealer on compromised Windows, Linux, and macOS hosts, using hijacked npm and Go packages. JFrog reported that the attack avoids common npm execution paths, specifically lifecycle scripts, possibly to bypass newer security hardenings in npm v12. The campaign has been attributed to North Korean threat actors, tracked by the OpenSourceMalware team under the moniker "Fake Font," as a variant of the "Contagious Interview" campaign which targets software developers.

The initial infection vector involves hidden Microsoft Visual Studio Code (VS Code) tasks. Two identified npm packages, html-to-gutenberg and its dependency fetch-page-assets, contained a tasks.json configuration with a task named "eslint-check." This task, configured with runOn: 'folderOpen', automatically triggers arbitrary code execution when the project folder is opened as a trusted workspace in an IDE like VS Code or Cursor. The malicious payload is disguised as a font file, public/fonts/fa-solid-400.woff2, despite containing JavaScript code. This method of abusing VS Code auto-run tasks and disguising JavaScript malware as font files aligns with previously observed tactics of North Korean hacking groups.

The bogus font file initiates a multi-stage loader that uses blockchain infrastructure as a dead drop resolver. It relies on TronGrid and Aptos as fallback mechanisms to fetch subsequent JavaScript payloads, making the command-and-control (C2) communication resilient to takedown efforts. This JavaScript stage then repeats the dead drop retrieval pattern to configure a C2 server, facilitating file uploads and the eventual delivery of the Python infostealer. A Socket.io backdoor is established, granting the attacker remote control over the infected host with capabilities such as shell execution, clipboard harvesting, file system operations, and process management.

In parallel with the Socket.io backdoor, a Python loader component launches, responsible for retrieving the Python infostealer from the C2 server and installing its required dependencies. The Python infostealer is designed for extensive credential harvesting, targeting data stored in Chromium-based and Mozilla Firefox browsers, various password managers, and authenticators. It also targets cryptocurrency wallets, showing the financial motivation behind the campaign.

The infostealer also harvests developer-oriented information, including Git credentials, GitHub CLI hosts.yml files, GitHub Desktop logs, and data from VS Code and its global storage. It targets operating system credential managers such as Windows Credential Manager, Linux Secret Service, KDE Wallet, and macOS Keychain. It collects cloud storage metadata for services including Dropbox, Google Drive, Microsoft OneDrive, Apple iCloud, Box, Mega, and pCloud. Collected data is then compressed into ZIP archives and exfiltrated to the C2 server, with an option to also send it to a Telegram bot if a token is provided.

The campaign's reach extends beyond the npm ecosystem to the Go ecosystem. Nextron Systems discovered 16 Go packages containing the same malware. Most of these appear to be legitimate packages whose latest released versions were updated to include the malware alongside their original content, maintaining the same structure and fake font file. Users who have installed the implicated packages should remove them immediately, search their developer machines for hidden VS Code folder-open tasks, and rotate all potentially compromised credentials, tokens, cloud credentials, and API keys.
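The search for hidden folder-open tasks recommended above, and the tasks.json pattern described earlier, can be automated. The following is an added example and is not JFrog's, Nextron's, or OpenSourceMalware's tooling: it walks a checkout (including node_modules), parses every `.vscode/tasks.json` it finds, lists each task whose `runOptions.runOn` is `folderOpen`, and marks the ones that hand a font or image file to an interpreter, which is the disguise the report describes. The JSON-with-comments handling is simplified, the interpreter and extension lists are a heuristic chosen for this example, and the sample tasks.json is constructed to mirror the reported pattern.

```python
"""Scan a project tree for VS Code tasks that auto-run on folder open (constructed example)."""
import json
import os
import re
import tempfile
from pathlib import Path

# Interpreters that would turn a "data" file into executable code (assumed list).
INTERPRETERS = {"node", "bash", "sh", "python", "python3", "powershell", "pwsh", "cmd"}
# Font and image extensions that nobody should be passing to an interpreter.
DATA_FILE_RE = re.compile(r"\S+\.(woff2?|ttf|otf|eot|png|jpe?g|gif|svg|ico)\b", re.IGNORECASE)


def load_jsonc(text: str) -> dict:
    """tasks.json is JSON with comments and trailing commas; strip both (simplified)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    text = "\n".join(l for l in text.splitlines() if not l.strip().startswith("//"))
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def find_auto_run_tasks(text: str, source: str = "tasks.json") -> list:
    """Return every task whose runOptions.runOn is folderOpen, with a disguise heuristic."""
    findings = []
    for task in load_jsonc(text).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") != "folderOpen":
            continue
        parts = [str(task.get("command", ""))] + [str(a) for a in task.get("args", [])]
        command = " ".join(p for p in parts if p)
        exe = os.path.basename(command.split()[0]) if command else ""
        findings.append({
            "file": source,
            "label": task.get("label"),
            "command": command,
            "interpreter_on_data_file": exe in INTERPRETERS and bool(DATA_FILE_RE.search(command)),
        })
    return findings


def scan_tree(root) -> list:
    """Walk root and inspect every .vscode/tasks.json, including ones inside dependencies."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in filenames:
            path = os.path.join(dirpath, "tasks.json")
            try:
                findings.extend(find_auto_run_tasks(Path(path).read_text(encoding="utf-8"), path))
            except ValueError:  # json.JSONDecodeError is a ValueError; still worth a look
                findings.append({"file": path, "label": None, "command": "<unparseable>",
                                 "interpreter_on_data_file": False})
    return findings


# Constructed tasks.json modelled on the pattern described in the report.
SAMPLE_TASKS_JSON = """{
  // hidden auto-run task shipped inside a dependency
  "version": "2.0.0",
  "tasks": [
    {
      "label": "eslint-check",
      "type": "shell",
      "command": "node",
      "args": ["public/fonts/fa-solid-400.woff2"],
      "runOptions": { "runOn": "folderOpen" },
    },
    { "label": "build", "type": "shell", "command": "npm run build" }
  ]
}
"""


def build_sample_tree() -> str:
    """Create a throwaway project tree containing the sample file; returns its root."""
    root = tempfile.mkdtemp(prefix="tasks-scan-")
    vscode_dir = Path(root, "node_modules", "fetch-page-assets", ".vscode")
    vscode_dir.mkdir(parents=True)
    (vscode_dir / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
    return root


if __name__ == "__main__":
    for finding in scan_tree(build_sample_tree()):
        print(finding)
```

Run it against the real checkout by replacing `build_sample_tree()` with the project root. Every `folderOpen` task deserves a look, not only the ones the heuristic marks; a legitimate task of that kind is rare enough in a dependency that its presence alone is a finding.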

Technical Takeaways

  • The FortiBleed campaign demonstrates active exploitation of weak and reused credentials, affecting an estimated 86,000 FortiGate devices across 194 countries through AI-assisted brute-force attacks.
  • The usbliter8 BootROM vulnerability is an unpatchable hardware flaw in Apple A12, A13, S4/S5 chips, allowing full boot-chain compromise via physical USB access due to a Synopsys DWC2 USB controller buffer underflow condition.
  • CVE-2026-55200 exposes a client-side libssh2 vulnerability (CVSS 9.2) where a malicious SSH server can trigger memory corruption and potential RCE on connecting clients, impacting widely embedded applications like curl and Git.
  • The Bluekit PHaaS platform uses Browser-in-the-Middle (BitM) attacks to stream real login pages from attacker-controlled browsers. It leverages rrweb and WebSockets to evade traditional detection methods and bypass MFA.
  • North Korean threat actors deploy a Python-based infostealer delivered through hijacked npm and Go packages. It exploits VS Code auto-run tasks, uses blockchain as a C2 dead drop, and establishes a Socket.io backdoor for credential, wallet, and developer artifact theft.