Here are today’s top cybersecurity stories for Friday, June 19, 2026.
CISA Warns of FortiBleed: 86,000 Fortinet Device Credentials Exposed
CISA urged all Fortinet customers to immediately secure their devices after a large-scale credential theft campaign exposed credentials for 86,644 Fortinet firewall and VPN devices across 194 countries. The campaign, attributed to Russian-speaking threat actors and dubbed FortiBleed, processed over 1.16 billion credential attempts against more than 320,000 FortiGate targets. Generic admin accounts (35%) and built-in Fortinet system accounts (28.3%) account for the majority of compromised credentials. CISA recommends resetting all device credentials, enabling multi-factor authentication, and reviewing access logs for anomalous activity. (Source: BleepingComputer)
Microsoft Confirms RoguePlanet Defender Zero-Day — No Patch Available
Microsoft officially acknowledged CVE-2026-50656, a privilege escalation zero-day in Microsoft Defender’s Malware Protection Engine, disclosed by security researcher Nightmare Eclipse on June 10, 2026. The flaw exploits a TOCTOU race condition in Defender’s real-time scanning engine to spawn a command prompt running as NT AUTHORITY\SYSTEM on fully patched Windows 10 and Windows 11 systems. No patch is currently available. Microsoft said it is working to provide a high-quality fix but provided no timeline. (Source: SecurityWeek)
Microsoft Exposes CryptoBandits: Tor-Backed Crypto Clipper Now Acts as Full Backdoor
Microsoft’s Security Blog disclosed CryptoBandits, a Windows-based cryptocurrency clipper active since February 2026 that deploys a portable Tor client to route command-and-control traffic and doubles as a remote access backdoor. The malware spreads via malicious shortcut payloads and propagates to connected USB drives. It performs high-frequency clipboard theft, screenshot exfiltration, wallet-address substitution, and extraction of seed phrases and private keys, polling its C2 every 500 milliseconds for instructions. (Source: Microsoft Security Blog)
Splunk CVE-2026-20253 Active Exploitation Confirmed — CISA Demands Federal Patch by June 21
Splunk confirmed that CVE-2026-20253 is being actively exploited in attacks, days after its June 18 disclosure. The CVSS 9.8 flaw in Splunk Enterprise allows an unauthenticated attacker to create or truncate arbitrary files via an unprotected PostgreSQL sidecar service endpoint. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on June 18 and set a June 21 remediation deadline for all Federal Civilian Executive Branch agencies. (Source: SecurityWeek)
Splunk and Palo Alto Networks Release Broad Vulnerability Patches
Beyond the Splunk CVE-2026-20253 emergency fix, both vendors pushed out comprehensive security updates addressing dozens of additional vulnerabilities. Palo Alto Networks patched CVE-2026-0274, a high-severity improper credential validation flaw in the Cortex XSOAR and Cortex XSIAM CommvaultSecurityIQ integration that allows attackers to access and modify restricted resources without triggering a special configuration. Splunk simultaneously patched roughly three dozen vulnerabilities in third-party components across Splunk Enterprise and Splunk SOAR. (Source: SecurityWeek)
SolarWinds Serv-U CVE-2026-28318 KEV Deadline Arrives — Unpatched Organizations at Risk
Today marks the CISA-mandated remediation deadline for CVE-2026-28318, an actively exploited denial-of-service vulnerability in SolarWinds Serv-U file transfer software added to the KEV catalog on June 5. The flaw allows unauthenticated attackers to crash Serv-U services via crafted HTTP POST requests. Federal agencies were required to apply the patch — available in Serv-U 15.5.4 Hotfix 1 — by today. Organizations that have not yet patched remain exposed to service disruption attacks. (Source: BleepingComputer)
Microsoft Secure Boot Certificate Deadline Is One Week Away — Act Before June 26
Organizations have one week before Microsoft’s Secure Boot certificate transition deadline on June 26, 2026. Older Secure Boot certificates that shipped with Windows since 2011 begin expiring, and systems still relying on them will stop receiving boot-critical DBX revocation list updates after the deadline. Systems continue to boot normally, but boot-level security protections degrade permanently without the 2023 certificate applied. IT administrators should verify Secure Boot 2023 certificate status via Windows Security > Device Security before the deadline. (Source: Windows Report)
Crimson Collective Claims Brightspeed Breach: 1 Million Customer Records Allegedly Stolen
Extortion group Crimson Collective claimed responsibility for a breach of US fiber broadband provider Brightspeed, alleging the theft of data belonging to more than one million customers. The allegedly stolen dataset includes names, physical addresses, phone numbers, email addresses, account details, and limited payment card data. Brightspeed opened an internal investigation. Unlike traditional ransomware groups, Crimson Collective focuses on data theft and reputational extortion rather than file encryption. (Source: SecurityWeek)
Apple Patches High-Severity Beats Studio Buds Flaw Enabling Eavesdropping by Nearby Attackers
Apple released a firmware update for Beats Studio Buds wireless earbuds to address a high-severity vulnerability that nearby attackers could exploit to eavesdrop on users. The flaw requires physical proximity to the target device. Apple has not published the CVE identifier or full technical details. Users should update Beats Studio Buds firmware through the Beats app or a connected iOS device. (Source: The Hacker News)
Stay tuned for today’s in-depth analysis posts.