⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
Threat of the Week
FortiBleed Campaign Identifies Over 80K Targets - A large-scale campaign codenamed FortiBleed has systematically targeted and compromised Fortinet FortiGate firewall and SSL VPN gateway devices worldwide. According to SOCRadar, it has been running since at least February 2026, and more than 80,000 devices have been identified for which working usernames and passwords were tested by suspected Russian-speaking threat actors using automated tools running around the clock.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers with FortiGate appliances to take steps to secure against ongoing malicious activity aimed at thousands of internet-accessible devices. Fortinet also said the campaign likely involves the threat actors reusing credentials obtained in earlier incidents, such as those tied to CVE-2026-24858, CVE-2025-59718, and CVE-2025-59719, along with brute-force attempts against devices with weak password hygiene and no multi-factor authentication (MFA).
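The two techniques Fortinet describes, credential reuse and brute force, leave different footprints in FortiGate event logs: many failures against one account from one source, or one or two failures against many accounts from one source. The script below is an added example, not from the article, SOCRadar or Fortinet; it assumes FortiGate's key=value event-log layout (date, time, action, status, user, srcip) and runs over constructed sample lines embedded in the file. Thresholds and the 10-minute window are illustrative choices.

```python
"""Flag brute-force and credential-stuffing patterns in FortiGate admin logins.

Added example (not the article's or Fortinet's code). Assumes the key=value
event-log layout FortiGate emits; SAMPLE_LOGS below are constructed, not real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# key=value pairs; values are bare tokens or double-quoted strings (may contain spaces)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_line(line):
    """Turn one key=value event line into a dict, stripping surrounding quotes."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def detect_login_abuse(lines, window=timedelta(minutes=10),
                       fail_threshold=5, user_threshold=3):
    """Return {srcip: sorted findings}. Findings per source IP:
    - brute_force: >= fail_threshold failed logins inside one sliding window
    - credential_stuffing: failures against >= user_threshold distinct users in
      one window (reused or sprayed credentials rather than one guessed password)
    - success_after_failures: a login succeeded from an IP that had failed before,
      the sign that separates a noisy scanner from a working credential
    """
    events = []
    for line in lines:
        f = parse_fortigate_line(line)
        if f.get("action") != "login" or "srcip" not in f:
            continue  # skip config edits and other non-login events
        ts = datetime.strptime(f["date"] + " " + f["time"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, f["srcip"], f.get("user", ""), f.get("status", "")))
    events.sort()

    failures = defaultdict(list)   # srcip -> [(ts, user)] for failed attempts
    findings = defaultdict(set)
    for ts, ip, user, status in events:
        if status == "failed":
            failures[ip].append((ts, user))
            recent = [(t, u) for t, u in failures[ip] if ts - t <= window]
            if len(recent) >= fail_threshold:
                findings[ip].add("brute_force")
            if len({u for _, u in recent}) >= user_threshold:
                findings[ip].add("credential_stuffing")
        elif status == "success" and failures[ip]:
            findings[ip].add("success_after_failures")
    return {ip: sorted(tags) for ip, tags in findings.items()}


def _evt(time, status, user, srcip):
    """Build a constructed FortiGate-style admin login event line."""
    level = "alert" if status == "failed" else "information"
    return (f'date=2026-06-12 time={time} type="event" subtype="system" '
            f'level="{level}" action="login" status="{status}" user="{user}" '
            f'srcip={srcip} msg="Administrator {user} login {status}"')


SAMPLE_LOGS = [  # constructed sample data
    # 198.51.100.7: five guesses against "admin" in four minutes, then a success
    _evt("09:00:01", "failed", "admin", "198.51.100.7"),
    _evt("09:01:00", "failed", "admin", "198.51.100.7"),
    _evt("09:02:00", "failed", "admin", "198.51.100.7"),
    _evt("09:03:00", "failed", "admin", "198.51.100.7"),
    _evt("09:04:00", "failed", "admin", "198.51.100.7"),
    _evt("09:04:30", "success", "admin", "198.51.100.7"),
    # 203.0.113.9: one try each against three accounts (stuffing / spraying)
    _evt("09:05:00", "failed", "admin", "203.0.113.9"),
    _evt("09:05:20", "failed", "vpnadmin", "203.0.113.9"),
    _evt("09:05:40", "failed", "backup", "203.0.113.9"),
    # 192.0.2.44: two failures an hour apart, outside the window, no finding
    _evt("08:00:00", "failed", "admin", "192.0.2.44"),
    _evt("09:00:00", "failed", "admin", "192.0.2.44"),
    # 192.0.2.5: an ordinary login plus a config edit that is not a login event
    _evt("09:10:00", "success", "netops", "192.0.2.5"),
    'date=2026-06-12 time=09:11:00 type="event" subtype="system" '
    'level="information" action="Edit" cfgpath="system.admin" '
    'user="netops" srcip=192.0.2.5',
]


if __name__ == "__main__":
    for ip, tags in detect_login_abuse(SAMPLE_LOGS).items():
        print(ip, ", ".join(tags))
```

Feed it real lines (for example from a syslog export) in place of SAMPLE_LOGS. The success_after_failures tag is the one to triage first: it means a guessed or reused credential worked, and the account should be treated as compromised regardless of how many failures preceded it.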
Top News
Salesforce Disables Klue App Integration After New Extortion Campaign - Salesforce revealed that it disabled the Klue Battlecards app integration within its platform in response to a security incident impacting the competitive intelligence company on June 11, 2026.
"Salesforce took this action because our security teams recently detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app's connection to Salesforce," the company said. "This issue is limited to Klue's app connection and does not arise from a vulnerability within the Salesforce platform."
The development comes as an extortion group dubbed Icarus compromised and exfiltrated data from customers of Klue after obtaining access through a compromised legacy credential associated with an integration service. A number of companies have publicly acknowledged the incident, but noted the impact is limited.
The Gentlemen RaaS Develops GentleKiller EDR Killer Suite - The Gentlemen ransomware-as-a-service (RaaS) operation is actively developing and maintaining a suite of endpoint detection and response (EDR) killers that it hands out to affiliates for shutting down EDR products before deploying the encryptor.
The centerpiece of the group's EDR-disabling capability is GentleKiller, an in-house developed framework that comes in eight different variants, each one impersonating a different legitimate product and abusing a different vulnerable or malicious kernel driver. GentleKiller targets over 400 processes belonging to 48 security products, including CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Kaspersky, and ESET.
Splunk Flaw Actively Exploited in the Wild - Splunk's Product Security Incident Response Team (PSIRT) said it became aware of "limited exploitation" of CVE-2026-20253, a critical flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution.
"In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint," Splunk said. "The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials."
In an analysis of the flaw, Resecurity said it's "particularly dangerous" as it can be exploited remotely without authentication or user interaction. "By chaining multiple weaknesses together, an attacker can progress from unauthenticated access to arbitrary file operations and ultimately Remote Code Execution (RCE)," it said. "A successful compromise may expose sensitive logs, credentials, security alerts, and operational data while providing attackers with a foothold for persistence, defense evasion, and lateral movement within the environment."
Unpatchable 'usbliter8' Exploit Targets Apple A12 and A13 Chips - Security researchers at Paradigm Shift released details of a working exploit dubbed usbliter8 that could be abused to achieve arbitrary code execution inside the SecureROM of Apple's A12 and A13 chips. The vulnerability is classified as a hardware bug residing in the Synopsys DWC2 USB controller, meaning it cannot be fixed with a software update on affected devices. That said, successful exploitation requires an attacker to have physical access to a vulnerable device. A proof-of-concept for usbliter8 has been made publicly available.
Operation Endgame Disrupts SocGholish Servers - Dutch law enforcement authorities, along with counterparts from Canada, Germany, and the U.S., have disrupted malicious infrastructure associated with SocGholish and cleaned up nearly 15,000 infected WordPress websites. The takedown is part of Operation Endgame, an ongoing international law enforcement initiative to combat botnets and associated criminal infrastructures. It was launched in 2024.
As part of the effort, 106 servers linked to SocGholish have been taken down, and 14,971 WordPress sites have been rid of the infections. Website owners have been notified to update their content management system (CMS), change their credentials, and delete any suspicious accounts.
Malicious Campaign Fakes Popularity to Deliver Crypto Clipper - A cryptocurrency-stealing malware campaign has been targeting cryptocurrency asset holders and online gamblers by faking its own popularity, dressing up booby-trapped sniper bots and crash-game predictors with bogus GitHub stars, inflated download counts, and artificial intelligence (AI)-narrated YouTube tutorials.
The activity has been traced to a Rust-based clipper malware targeting Windows and macOS users. The lures are "edge" tools that promise easy money, crypto sniper bots, and "predictors" that claim to forecast crash-gambling games, aimed at traders and gamblers chasing shortcuts, while a WordPress phishing page acts as the hub, funneling victims to the downloads.
Rokarolla Android Trojan Combines Banking Fraud with Screen Surveillance - A new "invasive" Android trojan dubbed Rokarolla is being distributed via malicious websites, while masquerading as popular applications like TikTok or Google Chrome. It's designed to target 217 distinct cryptocurrency and banking applications by serving fake overlay login screens, in addition to leveraging 137 commands that grant it complete control of a compromised device.
It can:
- Harvest lock screen credentials
- Exfiltrate sensitive contact lists and SMS data
- Monitor the screen to capture WhatsApp data
- Take screenshots by abusing Android's accessibility services
- Redirect cryptocurrency transactions
- Utilize keyloggers to continuously record user input
The malware also actively hides its presence from the launcher screen and disrupts user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect.
"The infection process begins when a dropper misleads users into installing a secondary payload containing the core malware," Zimperium said. "By masquerading as Google Play Protect, the dropper facilitates the installation of this payload. This strategy allows the malware to evade Android restrictions and exploit Accessibility services."
Trending CVEs
Bugs drop weekly, and the gap between a patch and an exploit is shrinking fast. These are the heavy hitters for the week: high-severity, widely used, or already being poked at in the wild. Check the list, patch what you have, and hit the ones marked urgent first:
- CVE-2026-20262 (Cisco SD-WAN Manager)
- CVE-2026-54420 (LiteSpeed cPanel Plugin)
- CVE-2026-48907 (Widget Factory Joomla Content Editor)
- CVE-2026-4020 (Gravity SMTP WordPress Plugin)
- CVE-2026-47101, CVE-2026-47102, CVE-2026-40217, CVE-2026-49468 (LiteLLM)
- CVE-2026-24190 (NVIDIA Display Driver for Windows and Linux)
- CVE-2026-48558 (SimpleHelp)
- CVE-2026-39449 (Contact Form to Any API WordPress plugin)
- CVE-2026-39849, CVE-2026-44693 (Pi-hole FTL)
- CVE-2026-49980, CVE-2026-41179, CVE-2026-41176 (Rclone)
- CVE-2026-54157 (@lobehub/lobehub)
- CVE-2026-48746 (vllm)
- CVE-2026-48519 (Langflow)
- CVE-2026-38329 (Bludit CMS)
- CVE-2026-39949 (Cacti)
- CVE-2026-8444 (WP Review Slider Pro WordPress plugin)
- CVE-2026-52697 (Taskbuilder WordPress plugin)
- CVE-2026-52700 (WCMultiShipping WordPress plugin)
- CVE-2026-3326 (XStore WordPress theme)
- CVE-2026-2418 (Login with Salesforce WordPress plugin)
- CVE-2026-6379 (WP Photo Album Plus WordPress plugin)
- CVE-2026-2446 (PowerPack for LearnDash WordPress plugin)
- CVE-2025-15445 (Restaurant Cafeteria WordPress theme)
- CVE-2026-8443 (WP Review Slider Pro WordPress plugin)
- CVE-2026-6933 (Premmerce Dev Tools WordPress plugin)
- CVE-2026-9848 (WP Ticket Customer Service Software & Support Ticket System WordPress plugin)
- CVE-2026-52707 (Kastell WordPress theme)
- CVE-2026-52703 (FastDup WordPress plugin)
- CVE-2026-52706 (JetEngine WordPress plugin)
- CVE-2026-27429 (Nifty WordPress theme)
- CVE-2025-69129 (WordPress & WooCommerce Scraper WordPress plugin)
- CVE-2026-27400 (BookPro WordPress plugin)
- CVE-2026-8713 (Avada Builder WordPress plugin)
- CVE-2026-12437 through CVE-2026-12443 (Google Chrome)
- CVE-2026-12326, CVE-2026-12327, CVE-2026-12328 (Mozilla Firefox)
- CVE-2026-8049, CVE-2026-8050 (SignalRGB kernel driver)
- CVE-2026-20266 (Splunk AI Toolkit)
- CVE-2026-41293, CVE-2026-43512, CVE-2026-42579, CVE-2026-42584, CVE-2026-43515 (Atlassian Confluence Data Center and Server)
- CVE-2026-20181, CVE-2026-20190 (Cisco Identity Services Engine and ISE Passive Identity Connector)
- CVE-2026-48933, CVE-2026-48618 (Node.js)
- CVE-2026-9862 (Fortra Core Privileged Access Manager)
- Multiple vulnerabilities in Crawl4AI Docker API (no CVEs)
Cybersecurity Webinars
Your Company Is Using More AI Than You Can See. Here's How to Secure It - AI bots are actively accessing your company's sensitive data, often without a clear human owner to hold accountable. Join this webinar to learn how to uncover hidden AI tools, lock down their permissions, and safely take back control of your network before a blind spot becomes a massive data breach.
Machine-Speed Attacks are Here: How to Stop AI-Powered Hackers - Hackers are now using AI to launch lightning-fast, highly convincing attacks that easily slip past traditional security. If your defenses rely on old, 'human-speed' tools, you're already falling behind. Join this critical webinar to see exactly how AI-powered threats operate, and get a clear, practical blueprint to lock down your network and stop machine-speed attacks in their tracks.
Around the Cyber World
Flaws in SiderAI and MaxAI - Critical vulnerabilities have been disclosed in SiderAI (Spyder) and MaxAI (MaXSS) agentic side-panel Chrome extensions that can allow malicious websites to take screenshots of arbitrary websites or run arbitrary code by taking advantage of the add-ons' permissions.
"Abusing these vulnerabilities allows attackers to compromise all browser sessions across any website, leading to the leakage of sensitive information, the invocation of arbitrary commands, and even account takeover," Rebora said. "Furthermore, there was a potential risk of stealing files from the underlying operating system."
Both extensions have a "Featured" badge and have been collectively installed nearly 7 million times. Given that the issues remain unpatched, users are recommended to remove them until fixes are in place.
Israeli Company Linked to Popa Android TV Box Botnet - The Popa Android TV box botnet, which has been used for residential proxy traffic in ad fraud and website scraping, has been attributed to NetNut, operated by publicly traded Israeli company Alarum Technologies. Qurium, along with the Nokia Deepfield Emergency Response Team and Synthient, has found that Popa is a "residential proxy software family that turns consumer devices into internet relay nodes" by means of a software development kit.
It's worth noting that Popa was first flagged by QiAnXin XLab in March 2025 as an Android component of the Vo1d botnet.
"So Popa is not a traditional downloader or banking trojan, the ultimate goal of the code is just to implement a persistent communications layer capable of registering a device, maintaining long-lived encrypted connections, and opening tunnels on demand," according to the report. "Not differently from many other types of malware, Popa does not connect directly to a fixed command-and-control server. The compromised device starts by connecting to a limited set of domain names to later learn where to register and tunnel the traffic."
The botnet has impacted millions of consumer TV boxes over the last four years.