Cybersecurity Roundup: June 2026 | Kocho

Cybersecurity Roundup June 2026


From Kocho’s Security Operations Centre (SOC)

Published: 01 July 2026

What caught our attention this month

Several of June’s biggest security stories involved technologies that organisations depend on every day, including firewalls, communications platforms, network infrastructure and third-party integrations.

Our SOC team selected the stories below because they illustrate the live issues facing security teams today. Each story comes with our recommended actions to stay protected.

FortiBleed exposes thousands of firewall and VPN credentials

One of the most significant security stories of June was FortiBleed, a credential exposure campaign affecting Fortinet firewall and VPN devices globally. The campaign does not rely on a newly discovered software vulnerability. Instead, threat actors obtained valid administrative and VPN credentials, creating opportunities for unauthorised access to exposed infrastructure.

The UK’s NCSC issued guidance urging organisations using Fortinet firewalls and VPN gateways to investigate for signs of compromise and review exposed systems. The concern is that attackers may gain legitimate access to critical infrastructure using trusted credentials rather than malware or exploits.

What are the risks?

  • Administrative access to firewalls and VPN gateways
  • Credential theft leading to wider network compromise
  • Increased risk of ransomware deployment and lateral movement

Recommended actions:

  • Reset firewall and VPN administrative credentials.
  • Enforce multi-factor authentication on privileged accounts.
  • Restrict management interfaces from public internet access.
  • Review authentication and VPN access logs for suspicious activity.

Cisco infrastructure vulnerabilities move into active exploitation

Several Cisco vulnerabilities attracted attention during June following reports of active exploitation. Most notably, Cisco Unified Communications Manager vulnerability CVE-2026-20230 was added to CISA’s Known Exploited Vulnerabilities catalogue following evidence of attacks in the wild.

Researchers also reported exploitation activity linked to Cisco SD-WAN environments, highlighting the ongoing focus attackers place on network management and communications platforms that often sit at the heart of enterprise infrastructure.

What are the risks?

  • Compromise of high-value communications systems
  • Privileged access to network infrastructure
  • Increased opportunities for persistence and lateral movement

Recommended actions:

  • Prioritise patching externally accessible Cisco systems.
  • Review privileged access assignments.
  • Audit exposed management interfaces.
  • Monitor infrastructure for unexpected configuration changes.

Ubiquiti and Lantronix flaws added to CISA’s actively exploited list

Network devices can be easy to overlook despite their role in providing access to core infrastructure.

CISA added multiple vulnerabilities affecting Ubiquiti UniFi OS and Lantronix devices to its Known Exploited Vulnerabilities catalogue following evidence of active exploitation.

What are the risks?

  • Unauthorised access to network infrastructure
  • Remote code execution on exposed systems
  • Credential theft and system manipulation

Recommended actions:

  • Review CISA KEV advisories regularly.
  • Prioritise remediation of actively exploited vulnerabilities.
  • Ensure network device inventories are up to date.
  • Remove unnecessary internet exposure wherever possible.

Klue breach highlights third-party integration risk

A breach involving market intelligence platform Klue is a reminder that third-party applications, integrations and service accounts deserve the same scrutiny as user identities.

Attackers reportedly gained access through a compromised credential associated with an integration tool, resulting in exposure of customer data belonging to multiple organisations.

What are the risks?

  • Exposure of customer and operational data
  • Abuse of trusted third-party relationships
  • Expanded attack surface through integrations

Recommended actions:

  • Review legacy service accounts and credentials.
  • Audit third-party integrations regularly.
  • Apply least-privilege access principles.
  • Monitor application consent and OAuth permissions.

NCSC warns of continued pressure from hostile state actors

The NCSC used several June announcements to highlight the growing cyber threats facing UK organisations. NCSC CEO Richard Horne warned that hostile state actors are linked to a significant proportion of serious incidents affecting UK critical systems and infrastructure.

Its recommendations continue to emphasise practical measures including vulnerability management, identity security and cyber resilience planning.

What are the risks?

  • Increased targeting of UK organisations
  • Exploitation of exposed and unpatched systems
  • Credential compromise driving wider breaches

Recommended actions:

  • Improve visibility of internet-facing assets.
  • Review incident response and recovery plans.
  • Strengthen identity and access management controls.
  • Prioritise vulnerabilities linked to active exploitation.

Final thought

Which external services, integrations and privileged accounts currently have access into your environment, and when were those permissions last reviewed?

This month’s stories covered firewalls, network infrastructure, SaaS integrations and communications platforms. The common thread is access. Understanding who, what and which services can reach critical systems is often the first step in reducing exposure.


Recommended reading

Inside an identity attack: How attackers get in and stay hidden

FortiBleed, the Klue breach and the NCSC’s latest guidance all point to the same reality: attackers increasingly rely on compromised identities and trusted access paths.

In this Q&A, Security Solutions Architect, David Guest, explores how attackers build a profile from public information, exploit service desk processes and move into non-human identities that many organisations struggle to govern.

The article follows the attack path from reconnaissance through to persistence and examines the controls that can help reduce exposure.

With thanks to the Kocho Security Operations Centre (SOC) team.

Stay safe. Stay informed.
