Vulnerability Intelligence Report — July 5, 2026
New CISA KEV: 0 | KEV calendar clear for the first time this week | FortiBleed: 74K Fortinet credentials leaked, 12+ orgs hit with ransomware | Oracle EBS Payments CVE-2026-46817 (CVSS 9.8) active exploitation attempts | FortiSandbox two CVSS 9.8 vulns under active exploitation | CitrixBleed CVE-2026-8451 exploited within 24 hours | WinRAR code execution flaw disclosed
Sunday, July 5, 2026 — for the first time this week, the CISA KEV calendar carries zero active deadlines. The final active deadline, Microsoft SharePoint CVE-2026-45659, passed yesterday. But the security landscape remains anything but quiet. The weekend’s biggest story is FortiBleed: a sustained campaign in which compromised Fortinet firewalls are being systematically used to deploy ransomware across multiple organisations, with 74,000 stolen credentials circulating and at least 12 confirmed ransomware infections. Oracle disclosed two critical E-Business Suite vulnerabilities now facing active exploitation attempts — CVE-2026-46817 (Oracle Payments, CVSS 9.8) is the most urgent, with Defused researchers confirming exploitation on honeypots. Fortinet itself faces a double crisis: its FortiSandbox product is being actively exploited via two CVSS 9.8 vulnerabilities (CVE-2026-25089 and CVE-2026-26083) while its firewall customers are being victimised in a separate but related credential-thieving campaign. Citrix NetScaler’s “CitrixBleed” vulnerability CVE-2026-8451 was exploited within 24 hours of its June 30 disclosure, according to Lupovis. WinRAR users should update to version 7.23 immediately to close a code execution vector via malformed recovery volumes.
Quick Reference — Most Important Items Today
Fortinet FortiBleed: 74K stolen firewall/VPN credentials — 12+ orgs hit with ransomware via compromised FortiGate appliances — ongoing campaign
Oracle EBS CVE-2026-46817: Oracle Payments flaw (CVSS 9.8, unauthenticated) — Defused confirms active exploitation attempts on honeypots
FortiSandbox: CVE-2026-25089 + CVE-2026-26083 (both CVSS 9.8, OS command injection + missing auth) — both under active exploitation
CitrixBleed CVE-2026-8451: NetScaler ADC/Gateway memory overread — exploited within 24 hours of June 30 disclosure — Lupovis confirmation
Oracle PeopleSoft CVE-2026-35273: 20 days past KEV deadline — ShinyHunters ransomware exploitation ongoing — CISA BOD 26-04 holdover
SimpleHelp CVE-2026-48558: 3 days overdue KEV — exploited to deploy new stealer malware
WinRAR: Code execution via recovery volume parsing — patched in v7.23 — no auto-update capability
Cisco Unified CM CVE-2026-20230: SSRF vulnerability — now confirmed actively exploited — KEV overdue +7 days
Microsoft SharePoint CVE-2026-45659: 1 day overdue KEV — deserialization RCE — active attacks confirmed
Overdue KEV: SharePoint +1 | SimpleHelp +3 | Cisco Unified CM +7 | PTC Windchill +7 | Cisco SD-WAN +6 | Ubiquiti +9 | Oracle PeopleSoft +20 | Ivanti Sentry +21 | Check Point +24 (ransomware) | Mirasvit +29 | PAN-OS +34
Fortinet — FortiBleed Campaign: Compromised Firewalls Deploying Ransomware
Software affected: Fortinet FortiGate firewalls and VPN gateways — all models — compromised via stolen credentials and brute force.
CVE: No single CVE — this is a multi-vector credential campaign. SOCRadar reports a group of approximately 20 individuals operating under the “FortiBleed” banner, using previously stolen credentials, brute force attacks, and configuration dumping to crack password hashes. 74,000 stolen credentials were advertised for sale in June.
Status: At least twelve organisations have been hit with ransomware via compromised Fortinet firewalls affecting hundreds of systems total. The attackers appear to have specialised roles — intrusion, support, and post-exploitation. The scale of the credential leak (74,000 devices’ worth) means this is a systemic risk to any organisation running internet-exposed FortiGate appliances without strict credential hygiene and multi-factor authentication. Organisations should assume their FortiGate credentials may be compromised and rotate all administrative passwords immediately.
Recommended action: Immediately rotate all FortiGate administrative credentials. Enforce multi-factor authentication on all firewall and VPN administrative interfaces. Ensure firewalls are patched to latest firmware. Restrict administrative access to trusted IPs only. Audit VPN and firewall logs for signs of unauthorised access.
Official source: Cybersecurity Dive: CISA Device Hardening | Security.nl: Hacked Fortinet firewalls
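The log audit recommended above can be automated. The following is an added example, not code from the report or from Fortinet: it parses FortiGate-style key=value admin login events, flags sources that fail repeatedly (brute force), sources that cycle through several accounts (password spraying), and any successful admin login from outside the trusted management networks. The log lines, the trusted network range and the thresholds are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed FortiGate-style admin login events (key=value syslog format).
# Field names follow FortiGate event logs; hosts, users and timestamps are made up.
SAMPLE_LOGS = """\
date=2026-07-05 time=01:12:04 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-07-05 time=01:12:06 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-07-05 time=01:12:09 type="event" subtype="system" logdesc="Admin login failed" user="fwadmin" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-07-05 time=01:12:11 type="event" subtype="system" logdesc="Admin login failed" user="netops" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-07-05 time=01:12:14 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=203.0.113.9 action="login" status="failed" reason="passwd_invalid"
date=2026-07-05 time=01:13:02 type="event" subtype="system" logdesc="Admin login successful" user="netops" srcip=203.0.113.9 action="login" status="success"
date=2026-07-05 time=08:30:00 type="event" subtype="system" logdesc="Admin login successful" user="admin" srcip=10.20.0.5 action="login" status="success"
date=2026-07-05 time=09:00:00 type="event" subtype="system" logdesc="Admin login failed" user="admin" srcip=10.20.0.7 action="login" status="failed" reason="passwd_invalid"
"""

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_line(line):
    """Split one FortiGate key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def audit_admin_logins(log_text, trusted_nets, fail_threshold=5, spray_users=3):
    """Summarise admin login events: brute force, spraying, untrusted successes."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    failures = defaultdict(int)      # srcip -> failed admin logins
    users_tried = defaultdict(set)   # srcip -> distinct accounts that failed
    untrusted_success = []           # (user, srcip) successes outside trusted nets
    for line in log_text.splitlines():
        ev = parse_fortigate_line(line)
        ip = ev.get("srcip")
        if ev.get("action") != "login" or ev.get("subtype") != "system" or not ip:
            continue
        if ev.get("status") == "failed":
            failures[ip] += 1
            users_tried[ip].add(ev.get("user"))
        elif ev.get("status") == "success":
            if not any(ipaddress.ip_address(ip) in net for net in nets):
                untrusted_success.append((ev.get("user"), ip))
    brute_force = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    spraying = sorted(ip for ip, u in users_tried.items() if len(u) >= spray_users)
    # A success from a source that was also failing repeatedly is the strongest
    # signal that a credential was guessed or replayed: treat the device as compromised.
    compromised = sorted({ip for _, ip in untrusted_success} & set(failures))
    return {"brute_force": brute_force, "spraying": spraying,
            "untrusted_success": untrusted_success, "likely_compromised": compromised}

if __name__ == "__main__":
    print(audit_admin_logins(SAMPLE_LOGS, ["10.20.0.0/16"]))
```

Any device listed under likely_compromised should have its administrative credentials rotated and its configuration reviewed before it is trusted again.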
Oracle E-Business Suite — CVE-2026-46817 (Oracle Payments, CVSS 9.8, Active Exploitation)
Software affected: Oracle E-Business Suite — Oracle Payments component (File Transmission). Supported versions 12.2.3 through 12.2.15.
CVE: CVE-2026-46817 | CVSS 9.8 | Unauthenticated remote compromise via HTTP | Actively exploited — Defused researchers confirmed exploitation attempts on honeypots. An unauthenticated attacker with network access via HTTP can completely compromise Oracle Payments. CVE-2026-46818 (CVSS 7.4, difficult to exploit) is a related but less severe vulnerability in the same component.
Status: Defused observed a threat actor exploiting this vulnerability on their Oracle E-Business honeypots. Oracle addressed this vulnerability in its July 2026 Critical Patch Update. This is a serious situation for any organisation running Oracle EBS with the Oracle Payments module: unauthenticated, network-based, CVSS 9.8. If Oracle Payments is internet-facing or reachable from untrusted networks, assume compromise and investigate immediately. The Oracle E-Business Suite ecosystem also faces a cluster of critical CVEs in the Enterprise Command Center Framework (CVE-2026-46895 through CVE-2026-46902, CVSS 8.1–9.9) that should be patched concurrently.
Recommended action: Apply Oracle’s July 2026 Critical Patch Update immediately. Prioritise Oracle Payments and Enterprise Command Center components. Restrict network access to Oracle EBS to trusted management networks only. Audit access logs for signs of pre-existing compromise.
Official source: Cybersecurity Dive Report | NVD: CVE-2026-46817 | Oracle Critical Patch Update July 2026
Fortinet FortiSandbox — CVE-2026-25089 + CVE-2026-26083 (Both CVSS 9.8, Under Active Exploitation)
Software affected: Fortinet FortiSandbox 5.0.0–5.0.5, 4.4.0–4.4.8, 4.2 (all versions), FortiSandbox Cloud 5.0.4–5.0.5, FortiSandbox PaaS 23.4–22.2.
CVE: CVE-2026-25089 — OS command injection (CVSS 9.8, patched June 9). CVE-2026-26083 — Missing authorization (CVSS 9.8). Both allow an unauthenticated attacker to execute arbitrary commands via specially crafted HTTP requests. A third path-traversal vulnerability was also disclosed. Defused confirmed all three are under active exploitation.
Status: Defused reported on Tuesday that three FortiSandbox vulnerabilities are being actively exploited. FortiSandbox is Fortinet’s AI-powered malware analysis appliance — it is designed to be internet-connected so it can receive samples for analysis, making it a high-value target. Successful exploitation gives attackers full control over the sandbox environment, which can then be used to pivot into internal networks or tamper with malware analysis results. Fortinet’s June 9 patch for CVE-2026-25089 is already two weeks old; the fact that exploitation continues suggests delayed patching across the install base.
Recommended action: Apply Fortinet’s June 9 FortiSandbox patches immediately. Audit FortiSandbox access logs for signs of exploitation. Restrict HTTP access to FortiSandbox to authorised management IPs only. Verify no unauthorised configuration changes have been made.
Official source: Cybersecurity Dive Report | NVD: CVE-2026-25089 | Fortinet PSIRT Advisory
Citrix NetScaler — CVE-2026-8451 “CitrixBleed” (Exploited Within 24 Hours)
Software affected: Citrix NetScaler ADC and NetScaler Gateway — patch released June 30, 2026.
CVE: CVE-2026-8451 | Memory overread in Citrix NetScaler ADC/Gateway | Unauthenticated attackers can read sensitive information from system memory, enabling access and further compromise. Lupovis confirmed active exploitation within 24 hours of the June 30 disclosure.
Status: Lupovis detected active exploitation of this vulnerability within one day of Citrix releasing patches. The NCSC-NL (Dutch cybersecurity authority) has advised organisations to install the Citrix security update urgently. This is consistent with the pattern of Citrix vulnerabilities attracting rapid attacker interest — NetScaler appliances are typically internet-facing and perform SSL termination, making memory-reading vulnerabilities particularly dangerous for credential and certificate theft.
Recommended action: Apply the Citrix NetScaler security update (June 30) immediately if not already done. Rotate all SSL/TLS certificates and credentials that may have been in memory of affected appliances. Review NetScaler access logs for signs of pre-existing exploitation.
Official source: Security.nl: Citrix NetScaler flaw exploited a day after disclosure | NVD: CVE-2026-8451
Oracle PeopleSoft — CVE-2026-35273 (20 Days Overdue, ShinyHunters Ransomware)
Software affected: Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62.
CVE: CVE-2026-35273 | CVSS 9.8 | Missing authentication for critical function enables complete PeopleSoft takeover via HTTP | CISA KEV deadline was June 15 — now 20 days overdue | Known ransomware campaign use by ShinyHunters.
Status: This vulnerability remains critically relevant 20 days past its KEV deadline. ShinyHunters continues to exploit unpatched PeopleSoft instances for data theft targeting HR, payroll, and financial records. An insurance body has confirmed that ShinyHunters posted Oracle PeopleSoft breach data, indicating active extortion operations. Organisations with internet-facing PeopleSoft instances that remain unpatched 20 days after a CISA KEV deadline are operating at extreme risk. BOD 26-04 applies to federal agencies; commercial organisations face the same threat landscape.
Recommended action: If your PeopleSoft environment is still unpatched: patch today. Review access logs for indicators of ShinyHunters compromise. Restrict HTTP access to PeopleSoft to trusted networks. Consult the June 13 report for full details.
Official source: Cybersecurity Dive: Insurance body confirms breach | NVD: CVE-2026-35273 | CISA KEV Catalog
WinRAR — Code Execution via Malformed Recovery Volumes (Patch to 7.23)
Software affected: WinRAR — all versions prior to 7.23.
CVE: WinRAR vulnerability in recovery volume (REV) parsing — code execution when a user opens a malformed RAR archive. An earlier fix covered only the RAR3 format; the RAR5 format is also affected. No CVE ID has been confirmed in public reports.
Status: A vulnerability in WinRAR’s handling of recovery volumes allows attackers to execute arbitrary code on the user’s system simply by having them open a crafted RAR archive. WinRAR lacks automatic update functionality, meaning most users will remain vulnerable until they manually download version 7.23. The European Vulnerability Database notes that WinRAR is notoriously difficult to patch in enterprise environments due to the lack of Group Policy support and auto-update. This is a high-risk vulnerability in enterprise contexts given WinRAR’s widespread deployment.
Recommended action: Update WinRAR to version 7.23 manually on all systems. For enterprise environments, use patch management tools (Zoho Patch Manager, PatchMyPC) to deploy. Consider replacing WinRAR with an alternative that supports automatic updates.
Official source: Security.nl: WinRAR flaw | WinRAR 7.23 changelog
KEV Deadline Watch
NO ACTIVE KEV DEADLINES: The CISA KEV calendar is fully clear for the first time since July 1. The last active deadline (Microsoft SharePoint CVE-2026-45659) passed yesterday, July 4.
Overdue — July 4 (+1 day): Microsoft SharePoint CVE-2026-45659 — deserialization RCE, actively attacked. BOD 26-04 holdover. Dedicated advisory.
Overdue — July 2 (+3 days): SimpleHelp CVE-2026-48558 — authentication bypass in RMM software, exploited to deploy stealer malware. Dedicated advisory.
Overdue — June 28 (+7 days): PTC Windchill CVE-2026-12569 | Cisco Unified CM CVE-2026-20230 — SSRF, now confirmed actively exploited.
Overdue — June 26 (+9 days): Ubiquiti UniFi OS CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 — CISA warning, active exploitation.
Overdue — June 15 (+20 days): Oracle PeopleSoft CVE-2026-35273 — ransomware, ShinyHunters — breach data confirmed posted.
Overdue — June 14 (+21 days): Ivanti Sentry CVE-2026-10520 — OS command injection, actively exploited.
Overdue — June 11 (+24 days): Check Point CVE-2026-50751 — known ransomware use.
Overdue — June 6 (+29 days): Mirasvit Full Page Cache Warmer CVE-2026-45247.
Overdue — June 1 (+34 days): PAN-OS CVE-2026-0257.
Updates on Items from Previous Reports
SharePoint CVE-2026-45659: Deadline passed yesterday — 1 day overdue. Active attacks confirmed by security.nl. Dedicated advisory.
CitrixBleed CVE-2026-8451: Lupovis confirmed exploitation within 24 hours of June 30 disclosure. Dedicated advisory.
SimpleHelp CVE-2026-48558: Now 3 days overdue KEV. Exploited to deploy new stealer malware. Dedicated advisory.
Bad Epoll CVE-2026-46242: Linux kernel 0-Day — root LPE affecting servers, desktops, and Android. No mass exploitation reported yet. Dedicated advisory.
Exchange Online CVE-2026-54998 + 365 Copilot CVE-2026-41106: Cloud-side patched by Microsoft. Critical privilege escalation — no customer action required.
FBI TeamPCP Warning: Developer tool supply chain attacks targeting cloud tokens, SSH keys, K8s secrets — ongoing campaign.
AI Agent Poisoning: New adversarial technique using SEO + hidden HTML prompt injection to trick AI agents — no vendor mitigation available yet.
FatFs: 7 CVEs in ubiquitous embedded filesystem — millions of IoT devices affected. No upstream fix available for memory-corruption bugs.
Adobe ColdFusion: 6 CVSS 10.0 vulnerabilities — patch window expired.
Microsoft Defender: BlueHammer ransomware campaign continues + RoguePlanet pending + disable-Defender campaign active.
Medtronic/ShinyHunters: Pacemaker manufacturer data breach affects 3.8 million patients — ShinyHunters claimed responsibility.
Cisco Unified CM CVE-2026-20230: Cisco finally confirmed active exploitation of this SSRF vulnerability. KEV now 7 days overdue.
Fortinet FortiSandbox: CVE-2026-25089 + CVE-2026-26083 — both CVSS 9.8, confirmed exploited by Defused. Also: FortiBleed campaign using compromised FortiGate credentials for ransomware deployment.
This report is compiled from official vendor advisories, the CISA KEV catalog, the NVD, and primary security research sources including BleepingComputer, The Hacker News, Security.nl, CybersecurityNews.com, Cybersecurity Dive, and Tenable CVE feeds.
