Threat Report Zero-Day Exploits and Credential Dumps

Executive Summary

The past week showed malicious actors continuing aggressive activity focused on gaining initial access and monetizing data. Compromised credentials and immediate exploitation of critical vulnerabilities were widespread across various sectors.

Key Developments:

Business Impact:

Organizations across various sectors experienced exposure of sensitive data, including customer, financial, and employee records due to large-scale breaches and ongoing credential theft. Operational disruption from ransomware activity remained widespread, affecting transport, logistics, healthcare, industrial, and retail functions globally. Government entities and critical infrastructure providers observed denial-of-service and defacement activities linked to geopolitical motivations.

Notable Trends and Changes vs Last Week:

The rapid pace of zero-day exploitation following public disclosure and proof-of-concept availability remained consistent. The underground economy for initial access and stolen data remained strong, supported by extensive credential dumps from sources like FortiGate VPNs. A new development was the advertisement for sale of the entire BreachForums Version 5 database, indicating that even criminal platforms are subject to compromise, potentially exposing malicious actor data. Emerging malware designed to evade AI analysis was also noted.

Outlook:

Initial access brokering and data monetization operations are expected to remain highly active, with further trade in stolen credentials and large datasets. Ransomware groups are likely to maintain opportunistic targeting across many industries. Geopolitically motivated cyber operations, including denial-of-service and defacement, are expected to continue against government and critical infrastructure targets. Exploitation of recently publicized vulnerabilities will probably continue.


Key Threat Intelligence Highlights

A campaign dubbed FortiBleed exploited a vulnerability (CVE-2023-27997) in FortiGate SSL VPN devices, leading to the collection of 110 million user credentials. This widespread data compromise creates a significant risk of account takeovers and further cyberattacks. The operation's scale shows organizations must promptly patch security flaws in widely deployed network appliances.


A zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN is under active exploitation, granting attackers root access to affected devices. This critical flaw allows complete system control, posing a direct and severe risk to enterprise network infrastructure.


A zero-day flaw in Oracle PeopleSoft, identified as CVE-2026-35273, is being actively exploited by the ShinyHunters cybercrime group. This unpatched vulnerability allows adversaries to compromise systems that manage vital organizational data and operations. Organizations must take swift action to protect affected environments.


An international operation successfully dismantled the Amadey and StealC malware network, a widespread cybercrime infrastructure used for stealing credentials and deploying other malicious tools. This action resulted in the recovery of 27 million stolen credentials, significantly weakening many cybercriminals reliant on these loaders. The global law enforcement effort shows effective collaboration in disrupting organized digital crime and protecting users from widespread data theft.


A critical vulnerability has been identified within Microsoft 365 Copilot, allowing direct unauthorized access. This flaw enables attackers to exfiltrate sensitive user data and potentially manipulate information across an organization's cloud environment. All users must patch promptly to prevent corporate espionage and widespread data breaches.

Additional Threat Intelligence Context

Fortinet FortiGate Credential Exposure (CVE-N/A "FortiBleed"): Thousands of ip:port:login:pass datasets are being sold, granting direct VPN access into US enterprise and government networks.

Critical Vulnerabilities Under Active Exploitation:

CVE-2026-20230 | CVSS: 8.6 (CRITICAL) - Cisco Unified CM WebDialer SSRF: Leads to JSP web shell deployment and root-level RCE. Rapid weaponization after public proof-of-concept release.

Available Exploits:

  • CVE-2026-20230 Exploit
  • CVE-2026-20230 Exploit
  • CVE-2026-20230 Exploit

Analysis: CVE Analysis Report: CVE-2026-20230

GitHub Link:

  • Title: CVE-2026-20230 - CUCM SSRF File Write PoC
  • CVE: CVE-2026-20230 (CVSS: 8.6, CRITICAL)
  • CVSS Score: 8.6
  • CVSS Severity: CRITICAL
  • Complexity Score: Easy
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: Low

Risk Score: 100/100

_Based on ease of use, potential impact, how widely...

CVE-2026-20245 | CVSS: 7.8 (PROBLEMATIC) - Cisco SD-WAN (CVE-2026-20127, CVE-2026-20182): CLI command injection and authentication bypass flaws exploited for root access.

Available Exploits:

  • CVE-2026-20245 Exploit
  • CVE-2026-20245 Exploit
  • CVE-2026-20245 Exploit

Analysis: CVE Analysis Report: CVE-2026-20245

GitHub Link:

  • Title: CVE-2026-20245 PoC (template)
  • CVE: CVE-2026-20245 (CVSS: 7.8, PROBLEMATIC)
  • CVSS Score: 7.8
  • CVSS Severity: PROBLEMATIC
  • Complexity Score: NA
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 75/100

_Based on ease of use, potential impact, how widely it coul...

CVE-2026-12569 - PTC Windchill PDMlink / FlexPLM RCE: Enables JSP shell drops on engineering and manufacturing platforms.

CVE-2026-35273 | CVSS: 9.8 (VERY CRITICAL) - Oracle PeopleSoft PeopleTools unauthenticated RCE: Actively exploited by ShinyHunters to deploy MeshCentral agents.

Available Exploits:

  • CVE-2026-35273 Exploit
  • CVE-2026-35273 Exploit
  • CVE-2026-35273 Exploit

Analysis: CVE Analysis Report: CVE-2026-35273

GitHub Link:

  • Title: CVE-2026-35273 Detection Script
  • CVE: CVE-2026-35273 (CVSS: 9.8, VERY CRITICAL)
  • CVSS Score: 9.8
  • CVSS Severity: VERY CRITICAL
  • Complexity Score: Easy
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 100/100

_Based on ease of use, potential impact, how widel...

CVE-2026-55200 | CVSS: 8.1 (CRITICAL) - libssh2 Client-Side Out-of-Bounds Write: Public exploit code allows remote code execution when applications connect to malicious SSH-like servers.

Available Exploits:

  • CVE-2026-55200 Exploit

Analysis: CVE Analysis Report: CVE-2026-55200

GitHub Link:

  • Title: CVE-2026-55200 libssh2 OOB PoC
  • CVE: CVE-2026-55200 (CVSS: 8.1, CRITICAL)
  • CVSS Score: 8.1
  • CVSS Severity: CRITICAL
  • Complexity Score: Easy
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 100/100

_Based on ease of use, potential impact, how widely it could...

CVE-2026-52943 | CVSS: None (CRITICAL) - Linux Kernel Privilege Escalation ("skbuff use-after-free", CVE-2026-46243 "CIFS / cifs.spnego", CVE-2026-43503 "DirtyClone", CVE-2026-46331 "pedit COW"): Public proof-of-concept code allows local users or containers to obtain root privileges.

Available Exploits:

  • CVE-2026-52943 Exploit

Analysis: CVE Analysis Report: CVE-2026-52943

GitHub Link:

  • Title: CVE-2026-52943 - Linux kernel UAF PoC (skbuff)
  • CVE: CVE-2026-52943 (CVSS: None, CRITICAL)
  • CVSS Score: None
  • CVSS Severity: CRITICAL
  • Complexity Score: High
  • Remote/Local: Local
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: User

Risk Score: 28/100

_Based on ease of use, potential impact, ho...

CVE-2026-50751 | CVSS: NA (CRITICAL) - Check Point Remote Access VPN: Pre-patch exploitation granted adversaries authenticated access for six weeks.

Available Exploits:

  • CVE-2026-50751 Exploit
  • CVE-2026-50751 Exploit
  • CVE-2026-50751 Exploit
  • CVE-2026-50751 Exploit
  • CVE-2026-50751 Exploit

Analysis: CVE Analysis Report: CVE-2026-50751

GitHub Link:

  • Title: CVE-2026-50751 IKEv1 Safe Probe
  • CVE: CVE-2026-50751 (CRITICAL)
  • CVSS Score: NA
  • CVSS Severity: CRITICAL
  • Complexity Score: Easy
  • Remote/Local: Remote
  • Authenticated/Unauthenticated: Unauthenticated
  • Privilege Required: None

Risk Score: 91/100

_Based on ease of use, potential impact, how widely it could spread, and...

Extensive Government and Financial Data Leaks:

  • Russian health insurance (FOMS - 62 million records), Turkish citizenship (101 million records), and Santander Bank (30 million customer records, 28 million full card numbers with CVV/AVS).
  • KDDI and partner ISPs (14.2 million Japanese email accounts and passwords), SK Telecom (21 million records), Mint Mobile (50 million users), and Texas Parks & Wildlife Department (over 3 million customers' PII).

Active Ransomware Operations: Groups including Qilin (transport, logistics, healthcare), Stormous (industrial, retail), Settra (various global sectors), Anubis, SLSH, Akira, and INC_Ransom are compromising organizations across healthcare, insurance, manufacturing, education, and public services globally.

Hacktivist DDoS Campaigns: The "313 Team" hacktivist group conducted a multi-hour DDoS operation against Everbridge, a major emergency notification platform, disrupting web access and logins.

Emerging Malware: New macOS Gaslight malware features prompt injection payloads, showing adversaries are adapting to AI-assisted defense mechanisms.

Ransomware Activity Overview

The underground market for data continues to grow, with ShinyHunters offering 30 million customer records, 6 million account numbers, HR data, and 28 million full card records from Santander Bank. Concurrently, the entire BreachForums Version 5 database and platform are advertised for sale, alongside other datasets like 56 million user records from GameStop and 110 million from Notion. This activity confirms an active market for initial access brokers and data monetization.

Ransomware operators Qilin and Stormous remain active; Qilin specifically targets transport, logistics, and healthcare support across the Americas and EMEA, while Stormous affects industrial and retail sectors, sometimes claiming an "ethical" stance toward educational institutions.

Geopolitical events continue to spur cyber operations, with ideologically aligned groups like 313 Team and NoName057(16) claiming denial-of-service and defacement attacks against government sites in the US, Luxembourg, Israel, and Thailand, presenting these actions as responses to international situations.

Ransomware group Settra continues its opportunistic targeting, listing various global enterprises across manufacturing, chemicals, agriculture, retail, and online services. This points to widespread initial access methods. The broader access-trade market, shown by the FortiGate VPN dumps, directly supports ransomware and other intrusions by providing initial access. The compromise and redistribution of "BreachForums Version 5 Leak 2026" indicates that even major cybercrime platforms are susceptible to breaches, leading to further exposure of criminal actor data.

During the reporting period, 188 total victims were identified across 34 active ransomware groups. The top 5 most active groups accounted for 99 victims.

Top 5 Ransomware Groups

DreamFyre - 43 victim(s)

  • Notable victims: 165, 2025_it, Adana i̇mamoğlu bahçe, Araclar, Bilgi_i̇slem (and 38 more)

The_Gentlemen - 24 victim(s)

  • Notable victims: Al dhow group, Atlas elektronik, Au vieux campeur, Ayres carr & sullivan, p.c., Bds cz (and 19 more)

Settra - 11 victim(s)

  • Notable victims: Canopybrands.us, Conduril.pt, Doosan.com, Dystar.com, Hmcfarms.com (and 6 more)

Stormous - 11 victim(s)

  • Notable victims: Data leak update new, Eogb.co.uk new, Eshacloudqa.com new, Higuchi usa, inc new, Higuchi-inc.co.jp new (and 6 more)

Nova (RALord) - 10 victim(s)

  • Notable victims: Alejandria, Alejandria.biz, Cloudquantum, Ftl-fast transit line, Lpgroup (and 5 more)

Deep Web

Deep Web Activity Report

This week's deep web observations show a steady supply of compromised data, primarily large volumes of system logs and credential dumps. These disclosures show continued efforts by threat actors to monetize stolen information through established forums and communication channels.

Overview of Deep Web Activity

Deep web activity this week largely comprised the distribution of two primary types of illicit data: large archives described as "ULP LOG'S" and extensive lists of email and password combinations. These datasets were posted across several deep web forums, indicating ongoing data exfiltration and brokering operations.

What major data leaks appeared on deep web forums this week?

This week saw the appearance of several large data leaks, including multiple gigabytes of "CLOUD'S ULP LOG'S" and hundreds of thousands of email:password combinations targeting users in various countries.

The "CLOUD'S ULP LOG'S" data was posted by users 'thejackal101' and 'Elite123'. These entries included compressed files ranging from 1.27 GB to 2.63 GB. This indicates a substantial collection of data. While the precise nature of "ULP" is not detailed, the context of "Log : Pass" in one instance (Item 5) suggests these archives contain various logs that often include user credentials, session tokens, browser history, and system information, typically exfiltrated by information-stealing malware. 'thejackal101' also promoted a Telegram channel for additional "fresh Log's," suggesting a broader distribution network beyond the forum.

Concurrently, user 't4ctici4n' posted several credential dumps under the "Email:Pass" designation. These leaks ranged from 14,000 to 484,000+ line items per disclosure, explicitly mentioning specific countries such as Russia, Peru, Philippines, Pakistan, Montenegro, Romania, and Nigeria. These listings contained email addresses paired with their corresponding passwords, presented as "combo lists."

What is the nature and scope of these breaches?

The nature of the observed breaches falls into two categories: full system/user logs and targeted credential compilations, with a global scope spanning multiple nations.

The "ULP LOG'S" datasets, with their substantial sizes, appear to be aggregations of data harvested from compromised systems. Such logs frequently contain sensitive items like login credentials for various online services, cookies, autofill data, browser histories, and system configurations. The "CLOUD'S" prefix may denote that the compromised systems are associated with cloud services or that the credentials within the logs grant access to cloud-based accounts. The lack of a specified geographic location for these logs points to a potentially diffuse source base, or the poster's unwillingness to disclose it.

The "Email:Pass" breaches are straightforward credential dumps, organized by country. For example, the Russia leak contained 484,000+ entries, while the Nigeria leak comprised 14,000+ entries. These lists provide direct email and password pairs, posing a direct risk of account compromise. The consistent "FRESH" and "HQ" (High Quality) labels suggest that these credentials have been recently validated or acquired, making them more valuable for illicit activities.
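The "Email:Pass" combo lists described above are something a defender will actually have to process: when a dump surfaces, the first question is which of the organization's own mailboxes appear in it so those accounts can be reset and watched. The following added example (not part of this report, and not any vendor's tooling) shows that triage. The combo list, the domain names and the accounts are all constructed placeholders; the format, one "email:password" pair per line, is the shape the report describes, and the code splits only on the first colon because passwords themselves may contain colons. Passwords are parsed but never reported, since the defender only needs the mailbox list.

```python
"""Triage a leaked "Email:Pass" combo list from a defender's viewpoint.

Added example, not part of the original report. The combo list below is
constructed; the domain names and accounts are placeholders.
"""
import re
from collections import Counter

# Constructed sample in the "email:password" shape the report describes.
# It deliberately includes a password containing ':', a blank line, a line
# with no separator, a case variant of an existing mailbox, and an entry
# with an empty password field.
SAMPLE_COMBO_LIST = """\
alice@example-corp.test:Winter2026!
bob@example-corp.test:pa:ss:word
carol@mail.test:hunter2

not-an-email-line
ALICE@Example-Corp.test:Winter2026!
dave@example-corp.test:
eve@other.test:qwerty
"""

# Deliberately simple mailbox pattern: local@domain.tld with no whitespace
# or colons in either part. Good enough to discard junk lines from a dump.
EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")


def parse_combo_list(text):
    """Return a list of (email, password) pairs, skipping malformed lines.

    Emails are lower-cased so case variants of one mailbox collapse into a
    single record; exact duplicate pairs are dropped.
    """
    seen = set()
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue  # blank line or no separator at all
        email, password = line.split(":", 1)  # first colon only
        email = email.strip().lower()
        if not EMAIL_RE.match(email) or not password:
            continue  # junk line or empty password field
        key = (email, password)
        if key in seen:
            continue
        seen.add(key)
        records.append(key)
    return records


def exposure_by_domain(records):
    """Count exposed mailboxes per domain (each distinct mailbox counted once)."""
    mailboxes = {email for email, _ in records}
    return Counter(email.rsplit("@", 1)[1] for email in mailboxes)


def accounts_for_domain(records, domain):
    """Sorted list of exposed mailboxes belonging to a monitored domain.

    This is the list an identity team would feed into a forced password
    reset and a credential-stuffing watch for the affected accounts.
    """
    suffix = "@" + domain.lower()
    return sorted({email for email, _ in records if email.endswith(suffix)})


if __name__ == "__main__":
    recs = parse_combo_list(SAMPLE_COMBO_LIST)
    print(f"{len(recs)} usable credential pairs parsed")
    for dom, n in exposure_by_domain(recs).most_common():
        print(f"  {dom}: {n} mailbox(es)")
    print("reset/watch list for example-corp.test:",
          accounts_for_domain(recs, "example-corp.test"))
```

On the constructed sample the parser keeps four pairs (the case variant of alice collapses into the original, the separator-less line and the empty-password line are dropped) and reports two exposed mailboxes for the monitored domain. On a real dump the same functions run unchanged; only the input changes.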

Several patterns emerge from this week's data disclosures, including a reliance on automated data exfiltration, clear geographic targeting for credential sales, the activity of a few recurring sellers, and an emphasis on data freshness.

  • Automated Data Exfiltration: The recurring "ULP LOG'S" entries, posted by different users ('thejackal101' and 'Elite123') on the same day with identical titles and similar large file sizes, suggest the use of automated information-stealing malware. Such malware collects a broad spectrum of data from infected systems, which is then compiled into these log archives.
  • Geographic Targeting in Credential Sales: The "Email:Pass" dumps explicitly label the country of origin (Russia, Peru, Philippines, etc.). This segmentation allows buyers to acquire credentials specific to target regions, potentially for localized cybercrime activities such as targeted phishing or fraud.
  • Active Data Brokers: Users 'thejackal101', 'Elite123', and 't4ctici4n' appear to be regular contributors to these forums, having joined several months ago and accumulating a considerable number of posts. Their consistent activity indicates established roles in the deep web data economy. 'thejackal101' also uses a Telegram channel to broaden distribution, a common tactic for reaching a wider audience of potential buyers.
  • Emphasis on Data Freshness: Multiple entries are marked as "FRESH" and "HQ" (High Quality), some even stating the exact date of compilation ("29-6-2026"). This descriptor is used to command higher prices or interest, as fresh credentials are more likely to be valid and not yet reset by the original account holders.

What are the potential impacts of the disclosed information?

The disclosed log data and credential dumps carry several potential impacts, ranging from individual account compromise to broader organizational security risks.

The "ULP LOG'S" can facilitate account takeover (ATO) attacks. With access to session tokens, cookies, and various login credentials, malicious actors can bypass multi-factor authentication in some cases and gain unauthorized access to email, banking, social media, and other online accounts. This access can lead to financial fraud, identity theft, and further compromise of connected systems or services. The large volume of data also means that even if a small percentage of credentials are valid, the overall number of compromised accounts could be substantial.

The "Email:Pass" combinations directly enable credential stuffing attacks. Threat actors commonly use these lists against a wide array of online services, exploiting the widespread practice of password reuse. Successful credential stuffing can lead to widespread ATO across multiple platforms. This can also serve as a basis for targeted phishing campaigns, where attackers use verified email addresses to send highly convincing malicious communications. For individuals, this means exposure to financial loss, identity theft, and reputational damage. For organizations, it means potential breaches of employee accounts, customer data, and intellectual property if affected individuals used compromised credentials for work-related services.
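Credential stuffing has a recognizable shape in authentication logs that a plain lockout rule misses: one source tries many different logins in a short window, most of them fail, and the occasional success is the account whose reused password was in the list. The following added example (not part of this report) implements that detection over a few constructed log lines. The log format (one event per line, "<ISO 8601 timestamp> src=<ip> user=<login> result=<OK|FAIL>") and the thresholds are assumptions; the addresses are RFC 5737 test ranges and the mailboxes are placeholders.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not part of the original report. The log lines are
constructed (RFC 5737 test addresses, placeholder mailboxes) and the line
format is an assumption:
    <ISO8601 time> src=<ip> user=<login> result=<OK|FAIL>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 sprays six different logins in five seconds
# with one success (a stuffing burst, then a lone retry hours later);
# 198.51.100.7 is one user failing three times then succeeding (a typo or a
# brute-force attempt, not stuffing); 192.0.2.9 is a normal login.
SAMPLE_AUTH_LOG = """\
2026-06-29T10:00:01Z src=203.0.113.5 user=alice@example-corp.test result=FAIL
2026-06-29T10:00:02Z src=203.0.113.5 user=bob@example-corp.test result=FAIL
2026-06-29T10:00:02Z src=203.0.113.5 user=carol@example-corp.test result=FAIL
2026-06-29T10:00:03Z src=203.0.113.5 user=dave@example-corp.test result=OK
2026-06-29T10:00:04Z src=203.0.113.5 user=erin@example-corp.test result=FAIL
2026-06-29T10:00:05Z src=203.0.113.5 user=frank@example-corp.test result=FAIL
2026-06-29T10:01:00Z src=198.51.100.7 user=grace@example-corp.test result=FAIL
2026-06-29T10:01:05Z src=198.51.100.7 user=grace@example-corp.test result=FAIL
2026-06-29T10:01:09Z src=198.51.100.7 user=grace@example-corp.test result=FAIL
2026-06-29T10:01:15Z src=198.51.100.7 user=grace@example-corp.test result=OK
2026-06-29T10:02:00Z src=192.0.2.9 user=heidi@example-corp.test result=OK
2026-06-29T12:30:00Z src=203.0.113.5 user=ivan@example-corp.test result=FAIL
"""


def parse_auth_log(text):
    """Parse the assumed format into (timestamp, src, user, success) tuples,
    sorted by time so the sliding window below can assume ordered input."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["src"], kv["user"], kv["result"] == "OK"))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Return {src_ip: stats} for sources that, within any `window`, tried at
    least `min_distinct_users` different logins with mostly failures.

    One login failing repeatedly from one source never reaches the
    distinct-user bar, so it is left to a lockout / brute-force rule. The
    `compromised_candidates` field lists logins that succeeded inside a
    flagged burst: those are the accounts to reset first.
    """
    recent = defaultdict(deque)  # src -> events still inside the window
    flagged = {}
    for ts, src, user, ok in events:
        q = recent[src]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:
            q.popleft()  # expire events older than the window
        users = {u for _, u, _ in q}
        successes = sum(1 for _, _, s in q if s)
        if len(users) >= min_distinct_users and successes / len(q) <= max_success_ratio:
            prev = flagged.get(src)
            # keep the widest burst seen for this source
            if prev is None or len(users) > prev["distinct_users"]:
                flagged[src] = {
                    "distinct_users": len(users),
                    "attempts": len(q),
                    "successes": successes,
                    "last_seen": ts,
                    "compromised_candidates": sorted(u for _, u, s in q if s),
                }
    return flagged


if __name__ == "__main__":
    for src, stats in detect_credential_stuffing(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {stats['distinct_users']} logins in {stats['attempts']} "
              f"attempts, {stats['successes']} succeeded; reset first: "
              f"{stats['compromised_candidates']}")
```

Only 203.0.113.5 is flagged on the sample: six distinct logins in six attempts with a single success, and that success (dave) is the account to treat as compromised. The single-user retry from 198.51.100.7 and the lone login from 192.0.2.9 stay quiet, which is the point of keying the rule on distinct logins rather than raw failure counts. Thresholds and window size should be tuned against a site's own baseline; shared egress addresses (NAT, VPN concentrators) legitimately show many users from one source and need a higher bar or a per-tenant allowlist.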


Sources

  1. FortiBleed Targeted FortiGate Firewalls in 110 Million-Credential Harvesting Operation
  2. Cisco Catalyst SD-WAN Zero-Day CVE-2026-20245 Exploited to Gain Root Access
  3. Oracle PeopleSoft Zero-Day Vulnerability (CVE-2026-35273) Exploited by ShinyHunters
  4. Amadey and StealC Malware Network Disrupted, 27M Stolen Credentials Recovered
  5. Critical Microsoft 365 Copilot Flaw Enables Data Theft