What caught our attention this month
Several of June’s biggest security stories involved technologies that organisations depend on every day, including firewalls, communications platforms, network infrastructure and third-party integrations.
Our SOC team have selected the stories below because they illustrate the live issues facing security teams today, and each comes with our recommended actions to stay protected.
FortiBleed exposes thousands of firewall and VPN credentials
One of the most significant security stories of June was FortiBleed, a credential exposure campaign affecting Fortinet firewall and VPN devices globally. The campaign does not rely on a newly discovered software vulnerability. Instead, threat actors obtained valid administrative and VPN credentials, creating opportunities for unauthorised access to exposed infrastructure.
The UK’s NCSC issued guidance urging organisations using Fortinet firewalls and VPN gateways to investigate for signs of compromise and review exposed systems. The concern is that attackers may gain legitimate access to critical infrastructure using trusted credentials rather than malware or exploits.
What are the risks?
- Administrative access to firewalls and VPN gateways
- Credential theft leading to wider network compromise
- Increased risk of ransomware deployment and lateral movement
Recommended actions:
Cisco infrastructure vulnerabilities move into active exploitation
Several Cisco vulnerabilities attracted attention during June following reports of active exploitation. Most notably, Cisco Unified Communications Manager vulnerability CVE-2026-20230 was added to CISA’s Known Exploited Vulnerabilities catalogue following evidence of attacks in the wild.
Researchers also reported exploitation activity linked to Cisco SD-WAN environments, highlighting the ongoing focus attackers place on network management and communications platforms that often sit at the heart of enterprise infrastructure.
What are the risks?
- Compromise of high-value communications systems
- Privileged access to network infrastructure
- Increased opportunities for persistence and lateral movement
Recommended actions:
Ubiquiti and Lantronix flaws added to CISA’s actively exploited list
Network devices can be easy to overlook despite their role in providing access to core infrastructure.
CISA added multiple vulnerabilities affecting Ubiquiti UniFi OS and Lantronix devices to its Known Exploited Vulnerabilities catalogue following evidence of active exploitation.
What are the risks?
- Unauthorised access to network infrastructure
- Remote code execution on exposed systems
- Credential theft and system manipulation
Recommended actions:
Klue breach highlights third-party integration risk
A breach involving market intelligence platform Klue is a reminder that third-party applications, integrations and service accounts deserve the same scrutiny as user identities.
Attackers reportedly gained access through a compromised credential associated with an integration tool, resulting in exposure of customer data belonging to multiple organisations.
What are the risks?
- Exposure of customer and operational data
- Abuse of trusted third-party relationships
- Expanded attack surface through integrations
Recommended actions:
NCSC warns of continued pressure from hostile state actors
The NCSC used several June announcements to highlight the growing cyber threats facing UK organisations. NCSC CEO Richard Horne warned that hostile state actors are linked to a significant proportion of serious incidents affecting UK critical systems and infrastructure.
Its recommendations continue to emphasise practical measures including vulnerability management, identity security and cyber resilience planning.
What are the risks?
- Increased targeting of UK organisations
- Exploitation of exposed and unpatched systems
- Credential compromise driving wider breaches
Recommended actions:
Final thought
Which external services, integrations and privileged accounts currently have access into your environment, and when were those permissions last reviewed?
This month’s stories covered firewalls, network infrastructure, SaaS integrations and communications platforms. The common thread is access. Understanding who, what and which services can reach critical systems is often the first step in reducing exposure.
Recommended reading
Inside an identity attack: How attackers get in and stay hidden
FortiBleed, the Klue breach and the NCSC’s latest guidance all point to the same reality: attackers increasingly rely on compromised identities and trusted access paths.
In this Q&A, Security Solutions Architect, David Guest, explores how attackers build a profile from public information, exploit service desk processes and move into non-human identities that many organisations struggle to govern.
The article follows the attack path from reconnaissance through to persistence and examines the controls that can help reduce exposure.
With thanks to the Kocho Security Operations Centre (SOC) team.
Stay safe. Stay informed.