TL;DR

FortiBleed has exposed credentials for approximately 74,000 Fortinet devices across 194 countries, and attackers are already using them to log in, making credential resets and MFA enforcement the single most urgent task this weekend. CISA added at least 10 new entries to its Known Exploited Vulnerabilities catalog this week, including critical flaws in Splunk Enterprise and Joomla. If you run Fortinet firewalls, Splunk, or any Joomla-based site, block out Saturday morning for patches; Monday is too late.


1. FortiBleed: Credentials for 74,000 Fortinet Devices Exposed. Are Yours Among Them?

CISA issued an alert on June 18 urging all Fortinet customers to immediately harden FortiGate firewalls and SSL VPN gateways after reports emerged that malicious actors have been targeting internet-accessible Fortinet devices using leaked credentials. The campaign, dubbed "FortiBleed" by researchers, has exposed credentials for approximately 74,000 devices — roughly half of all internet-facing Fortinet firewalls globally, spanning 194 countries.

Why it matters to Australian SMBs: Fortinet FortiGate firewalls are one of the most common perimeter devices used by Australian small and mid-size businesses. If your organisation has a Fortinet firewall with an internet-facing management interface or SSL VPN portal, you should assume your credentials may be in the leaked dataset. This is not a theoretical risk: attackers are actively using these credentials to log in. Note also that this is credential abuse rather than a new FortiOS bug, so being fully patched is not enough on its own; the credentials themselves have to change.

Do this today:

  • Terminate all active SSL VPN and admin sessions on every FortiGate device
  • Reset all Fortinet VPN and administrative passwords — especially on internet-facing systems
  • Enforce PBKDF2 password hashing and remove legacy weak hashes (per Fortinet's guidance for FortiOS v7.2.11+)
  • Enable phishing-resistant MFA on all remote access and admin accounts
  • Restrict management interfaces to trusted internal networks only, and where remote administration is unavoidable, limit each admin account to specific source addresses (FortiOS trusted hosts); never expose admin to the public internet
  • Review firewall, VPN, authentication, and domain controller logs for lateral movement, unusual access, or unauthorised config changes, including admin accounts you did not create and VPN logins for one user from several source addresses in a short window
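One way to start the log review in the last step, as an added example that is not Fortinet's own tooling: a small Python triage script over FortiGate-style event logs. The log lines below are constructed for illustration and follow FortiGate's key=value syslog layout, but the exact field names (srcip, remip, cfgpath, status) and action strings vary between FortiOS versions, so treat them as assumptions and adapt the matching to your own export. The trusted management range (10.0.0.0/8) and the 30-minute window are also assumptions.

```python
"""Triage FortiGate-style event logs for signs of credential abuse.

Added example for the 'Do this today' checklist; not Fortinet code. Field
names and action strings are assumptions modelled on FortiGate's key=value
syslog format and should be checked against your own FortiOS version.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not from a real device). Addresses are documentation ranges.
SAMPLE_LOGS = """\
date=2026-06-18 time=02:14:07 devname="FGT-HQ" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jsmith" remip=203.0.113.45 msg="SSL tunnel established"
date=2026-06-18 time=02:19:51 devname="FGT-HQ" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="jsmith" remip=198.51.100.77 msg="SSL tunnel established"
date=2026-06-18 time=03:02:10 devname="FGT-HQ" type="event" subtype="system" action="login" status="success" user="admin" ui="https(198.51.100.77)" srcip=198.51.100.77 msg="Administrator admin logged in successfully from https(198.51.100.77)"
date=2026-06-18 time=03:05:44 devname="FGT-HQ" type="event" subtype="system" action="Add" cfgpath="system.admin" cfgobj="support" user="admin" srcip=198.51.100.77 msg="Add system.admin support"
date=2026-06-18 time=09:30:00 devname="FGT-HQ" type="event" subtype="system" action="login" status="success" user="admin" ui="https(10.0.5.12)" srcip=10.0.5.12 msg="Administrator admin logged in successfully from https(10.0.5.12)"
date=2026-06-18 time=09:31:12 devname="FGT-HQ" type="event" subtype="vpn" action="tunnel-up" tunneltype="ssl-tunnel" user="akumar" remip=203.0.113.90 msg="SSL tunnel established"
"""

TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: your management range
WINDOW = timedelta(minutes=30)  # assumption: how close two VPN logins must be to look suspicious

# key=value pairs, with or without double quotes around the value
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in KV_RE.finditer(line)}


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def _ts(rec):
    return datetime.fromisoformat(f"{rec['date']}T{rec['time']}")


def _trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_ADMIN_NETS)


def triage(records):
    """Return (finding_name, record) pairs in time order.

    Findings: admin login from outside the trusted range, any change to admin
    accounts, config changes from an untrusted source, and one VPN user
    appearing from two different remote addresses inside WINDOW.
    """
    findings = []
    vpn_seen = defaultdict(list)  # user -> [(timestamp, remote ip)]
    for r in sorted(records, key=_ts):
        sub, act = r.get("subtype"), r.get("action")
        src = r.get("srcip") or "0.0.0.0"  # missing source counts as untrusted
        if sub == "system" and act == "login" and r.get("status") == "success":
            if not _trusted(src):
                findings.append(("admin-login-untrusted-src", r))
        elif sub == "system" and act in ("Add", "Edit", "Delete"):
            if r.get("cfgpath", "").startswith("system.admin"):
                findings.append(("admin-account-change", r))
            elif not _trusted(src):
                findings.append(("config-change-untrusted-src", r))
        elif sub == "vpn" and act == "tunnel-up":
            history = vpn_seen[r["user"]]
            ts, ip = _ts(r), r["remip"]
            if any(ip != p_ip and ts - p_ts <= WINDOW for p_ts, p_ip in history):
                findings.append(("vpn-user-multiple-sources", r))
            history.append((ts, ip))
    return findings


if __name__ == "__main__":
    for name, rec in triage(parse_logs(SAMPLE_LOGS)):
        src = rec.get("srcip") or rec.get("remip")
        print(f"{rec['date']} {rec['time']} {name}: user={rec.get('user')} src={src}")
```

Run against the sample and the script flags the jsmith VPN account appearing from two addresses five minutes apart, an admin login from outside 10.0.0.0/8, and the creation of a new administrator account; the later admin login from 10.0.5.12 is not flagged. Point it at your own syslog export and widen the trusted ranges and action strings to match what your unit actually emits.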

2. New CVEs Added to CISA's Known Exploited Vulnerabilities Catalog

CISA added multiple new entries to its Known Exploited Vulnerabilities (KEV) catalog this week — these are vulnerabilities confirmed to be actively exploited in the wild, not theoretical risks. The catalog now stands at 1,623 entries total.

Top entries added this week:

  • CVE-2026-20253 (Splunk Enterprise) — Missing authentication for a critical function allows unauthenticated users to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. Date added: June 18. CISA remediation due date: June 21 (this Sunday). KEV due dates are binding on US federal agencies under BOD 22-01, but they are a reliable urgency signal for everyone else: if you run Splunk Enterprise, treat this as a same-day fix, and until the patch is applied restrict network access to the Splunk host to trusted sources only.

  • CVE-2026-48907 (Widget Factory Joomla Content Editor) — Improper access control allows unauthenticated users to upload and execute arbitrary PHP code via creation of new editor profiles. Date added: June 16. CISA due date was June 19 — if you haven't patched yet, you're already past the deadline. Any Joomla site using the Widget Factory Content Editor plugin needs immediate patching or removal of the plugin. Because the flaw is exploited by creating profiles, patching alone does not undo a prior compromise: after updating, check for editor profiles you did not create and for unexpected PHP files under the site's upload paths.

  • Multiple additional KEV additions throughout the week — CISA posted at least 10 separate "Adds Known Exploited Vulnerability" alerts, indicating sustained threat actor activity across diverse vendor ecosystems.

Why it matters: The KEV catalog is the gold standard for patch prioritisation. If a CVE is on this list, attackers are already using it. Australian SMBs should subscribe to KEV catalog updates and treat any matching software in their environment as an emergency patch, not a scheduled maintenance item. The catalog is published as a JSON feed as well as a web page, so matching it against a software inventory can be automated rather than done by eye.

3. Google Chrome: Batch of High-Severity Vulnerabilities

The National Vulnerability Database published a cluster of high-severity Chrome CVEs (CVE-2026-9990 through CVE-2026-9999) affecting versions prior to 148.0.7778.216. These include:

  • Sandbox escape vulnerabilities via use-after-free bugs in Input, Core, Views, and Network components
  • Out-of-bounds read in WebRTC allowing information disclosure from process memory
  • Integer overflow in Skia enabling potential sandbox escape from a compromised renderer
  • Use-after-free in WebXR and WebAppInstalls enabling code execution

Why it matters: Chrome is the dominant browser in Australian workplaces. While many of these require a compromised renderer process as a prerequisite, the chain from a malicious web page to full sandbox escape is shorter than most assume. Ensure all Chrome installations are updated to 148.0.7778.216 or later across every device, including personal devices used for work. Note that Chrome only applies a downloaded update when it relaunches: a patched binary on disk does not protect a browser that has been running for days, so force a relaunch (Chrome shows an Update button in the toolbar when one is pending) and verify the running version under chrome://version.
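The KEV inventory match from section 2 and the Chrome version check above, as one added example (not CISA's or Google's tooling): the script below matches a software inventory against records shaped like CISA's KEV JSON feed and flags installed versions that sit below a known fixed version. The feed excerpt is constructed offline in the feed's record shape using the two catalog entries named in section 2; the inventory, its host names and versions, and the single fixed-version entry (Chrome 148.0.7778.216, from the section above) are assumptions. KEV due dates bind US federal agencies under BOD 22-01; here they serve only as an urgency signal. In production, fetch KEV_FEED_URL instead of using the sample.

```python
"""Match a software inventory against CISA KEV records and fixed-version advisories.

Added example, not CISA tooling. KEV_SAMPLE is a constructed excerpt in the
shape of the real feed's 'vulnerabilities' array; INVENTORY and
FIXED_VERSIONS are assumptions for illustration.
"""
import json
import re
from datetime import date

# Real feed location; fetch it with curl or requests in production.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt using the entries this brief names; field names follow the real feed.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
    "vulnerabilities": [
        {"cveID": "CVE-2026-20253", "vendorProject": "Splunk",
         "product": "Splunk Enterprise", "dateAdded": "2026-06-18",
         "dueDate": "2026-06-21", "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2026-48907", "vendorProject": "Widget Factory",
         "product": "Joomla Content Editor", "dateAdded": "2026-06-16",
         "dueDate": "2026-06-19", "requiredAction": "Apply mitigations per vendor instructions."},
    ],
})

# Assumed inventory: host names and versions are illustrative only.
INVENTORY = [
    {"host": "siem01", "vendor": "Splunk", "product": "Splunk Enterprise", "version": "9.3.2"},
    {"host": "web01", "vendor": "Widget Factory", "product": "Joomla Content Editor", "version": "2.9.70"},
    {"host": "laptop-07", "vendor": "Google", "product": "Chrome", "version": "148.0.7778.200"},
    {"host": "laptop-12", "vendor": "Google", "product": "Chrome", "version": "148.0.7778.216"},
    {"host": "laptop-12", "vendor": "Mozilla", "product": "Firefox", "version": "140.0.1"},
]

# Fixed versions for advisories that are not (yet) KEV entries; key is (vendor, product) normalised.
FIXED_VERSIONS = {("google", "chrome"): "148.0.7778.216"}


def _norm(s):
    """Lower-case and strip punctuation so 'Splunk Enterprise' matches 'splunk-enterprise'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def parse_version(v):
    """'148.0.7778.216' -> (148, 0, 7778, 216); non-numeric separators are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_below(installed, fixed):
    """True if installed < fixed, padding shorter tuples with zeros ('148.0' == '148.0.0.0')."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def kev_matches(kev_json, inventory, today):
    """Inventory rows whose vendor and product match a KEV record, with due-date status."""
    entries = json.loads(kev_json)["vulnerabilities"]
    out = []
    for host in inventory:
        hv, hp = _norm(host["vendor"]), _norm(host["product"])
        for e in entries:
            ev, ep = _norm(e["vendorProject"]), _norm(e["product"])
            if (ev in hv or hv in ev) and (ep in hp or hp in ep):
                days = (date.fromisoformat(e["dueDate"]) - today).days
                out.append({"host": host["host"], "cve": e["cveID"], "due": e["dueDate"],
                            "days_left": days,
                            "status": "PAST DUE" if days < 0 else f"due in {days} day(s)"})
    return out


def version_findings(inventory, fixed_versions):
    """Inventory rows whose installed version is below the advisory's fixed version."""
    out = []
    for host in inventory:
        fixed = fixed_versions.get((_norm(host["vendor"]), _norm(host["product"])))
        if fixed and version_below(host["version"], fixed):
            out.append({"host": host["host"], "product": host["product"],
                        "installed": host["version"], "fixed": fixed})
    return out


if __name__ == "__main__":
    today = date(2026, 6, 20)  # the Saturday this brief refers to
    for m in kev_matches(KEV_SAMPLE, INVENTORY, today):
        print(f"[KEV] {m['host']}: {m['cve']} {m['status']} (due {m['due']})")
    for v in version_findings(INVENTORY, FIXED_VERSIONS):
        print(f"[VER] {v['host']}: {v['product']} {v['installed']} is below fixed {v['fixed']}")
```

With the sample data the Splunk host shows as due in one day and the Joomla site as past due, and only laptop-07 is reported for Chrome; laptop-12 is already at the fixed version. The vendor/product match is deliberately loose (substring either way) because inventory tools and CISA rarely spell product names identically; review the matches rather than trusting them blindly.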

4. Regulatory Watch: Australian Privacy Act and Notifiable Data Breach Obligations

With FortiBleed affecting organisations across 194 countries, Australian businesses need to be thinking about their obligations under the Notifiable Data Breach (NDB) scheme. If a Fortinet credential leak leads to unauthorised access to personal information held by your organisation, and that access is likely to result in serious harm to individuals, you have a legal obligation to assess and notify.

Key obligations under the Privacy Act:

  • Assess within 30 days of becoming aware of a suspected breach
  • Notify the OAIC and affected individuals if the breach is likely to result in serious harm
  • Document every step of your assessment — failure to assess is itself a compliance failure
  • Apply the Essential Eight. This is not itself a Privacy Act obligation, but the ACSC's baseline mitigation strategies are the control set regulators most often point to when judging whether the "reasonable steps" that APP 11 requires were actually taken

Practical step this weekend: If you run Fortinet devices, document your credential reset and log review process now. If you later discover unauthorised access occurred, having a timestamped record of your response actions strengthens your position with the OAIC.

5. Threat Actor Activity: Active Exploitation Pace Remains High

The volume of KEV catalog additions this week — at least 10 separate alerts — signals sustained, broad-spectrum exploitation by threat actors. The FortiBleed campaign alone demonstrates that credential leak databases are being operationalised at scale. Threat actors are not waiting for zero-days; they are weaponising known vulnerabilities and leaked credentials faster than organisations can patch.

Key indicators this week:

  • Credential-based attacks on network edge devices (FortiBleed)
  • Web application plugin exploitation (Joomla Content Editor)
  • Enterprise SIEM platform targeting (Splunk Enterprise)
  • Browser-based exploit chains (Chrome sandbox escapes)

The pattern is clear: attackers are hitting every layer — perimeter, application, SIEM, endpoint. No single control is sufficient.


Patches to Apply This Weekend

Priority   CVE / Issue                      Software                               Deadline
---------  -------------------------------  -------------------------------------  --------------------
Critical   FortiBleed credential leak       Fortinet FortiGate / FortiOS           Immediately
Critical   CVE-2026-20253                   Splunk Enterprise                      June 21 (Sunday)
Critical   CVE-2026-48907                   Joomla Widget Factory Content Editor   Past due; patch now
High       CVE-2026-9990 to CVE-2026-9999   Google Chrome < 148.0.7778.216         Update all devices
High       All June 2026 KEV additions      Check CISA KEV catalog                 Per due dates

Threat Level This Week: ELEVATED

Active exploitation of Fortinet credentials plus 10+ new KEV entries in a single week indicates a high-tempo threat environment. Australian SMBs with Fortinet perimeter devices are at direct risk. Treat this weekend as an active maintenance window, not a break.


What to Watch Next Week

  • FortiBleed fallout: Expect follow-on advisories as researchers analyse which organisations were actively breached using leaked credentials. Australian-specific impact assessments may emerge from the ACSC.
  • Additional KEV additions: The pace of 10+ additions per week suggests more are coming. Monitor the CISA KEV catalog RSS feed.
  • Privacy Act reform: Watch for any movement on the Australian Government's Privacy Act review — proposed changes to penalties and the small business exemption could shift SMB obligations significantly.
  • Chrome exploit chains: Researchers may publish proof-of-concept code for the Chrome sandbox escape cluster, raising the risk of in-the-wild exploitation.

FAQ

Q: How do I know if my Fortinet device is affected by FortiBleed? Check whether your FortiGate firewall or SSL VPN gateway has an internet-facing management interface or VPN portal. If it does, assume exposure. CISA's alert recommends checking the credential leak databases referenced in their advisory (SOCRadar, Hudson Rock, Arctic Wolf) to determine if your device is listed. Regardless of whether you find your device, reset all credentials and enable MFA.

Q: We're a small business — do we really need to worry about Splunk and Joomla CVEs? Yes. Splunk Enterprise is used by many mid-size Australian organisations for log management and security monitoring. If compromised, attackers can blind your security visibility. Joomla remains one of the most common CMS platforms for Australian small business websites. The Widget Factory plugin vulnerability allows unauthenticated PHP code execution — which means full website takeover. If you're not sure whether you use these, audit your software inventory this weekend.

Q: What are my obligations under the Notifiable Data Breach scheme if FortiBleed affected us? If unauthorised access to personal information occurred and is likely to cause serious harm, you must notify the OAIC and affected individuals as soon as practicable. The 30-day assessment clock starts when you become aware of the suspected breach — not when you confirm it. Document your credential reset, log review, and any indicators of unauthorised access immediately.

Q: We don't have a dedicated IT security team. What's the minimum we should do this weekend? Reset all Fortinet passwords, enable MFA on all VPN and admin accounts, restrict management interfaces to internal networks, update Chrome on all devices (and relaunch it), and check the CISA KEV catalog against your software inventory. If you run Splunk or Joomla, patch or disable the affected components. That covers the bulk of this week's risk.


Conclusion

This week's threat landscape demands action, not awareness. FortiBleed alone puts every Australian SMB with a Fortinet firewall at direct risk of credential-based compromise, and the cascade of new KEV catalog entries means threat actors have a widening toolkit to work with. Block out Saturday morning: reset your Fortinet credentials, patch Splunk and Joomla if you run them, update Chrome everywhere, and document every action you take in case you need to demonstrate compliance to the OAIC later.

Security is our religion, privacy is our drive. Don't let Monday morning be the first time you think about this week's threats.

Visit consult.lil.business for a free cybersecurity assessment.


References

  1. CISA Alert: CISA Urges Hardening Fortinet Devices After Reports of Credential Exposure
  2. CISA Known Exploited Vulnerabilities Catalog
  3. NIST National Vulnerability Database — Recent CVE Publications
  4. Office of the Australian Information Commissioner — Notifiable Data Breaches Scheme
  5. Australian Cyber Security Centre — Essential Eight Maturity Model

TL;DR

  • A software company called TriZetto was hacked — and the hackers stayed hidden inside their systems for 10 months [1]
  • 3.4 million people's Social Security numbers and health insurance records were stolen without anyone knowing [2]
  • Your business uses vendors that hold your customers' data too — and when those vendors get hacked, it becomes your problem
  • Three things you can check this week to know whether your vendors are protecting the data you've trusted them with

Imagine Someone Copying Your Spare Key

You gave a spare key to a software contractor years ago. They help run your systems, they do a good job, and you never really think about them.

Then one day you find out: someone broke into the contractor's office, found your spare key, and has been quietly letting themselves into your business every night for 10 months. They weren't stealing cash — they were photographing files. Customer records. Employee details. Insurance information.

You had no idea. The contractor had no idea. And every night, a little more of your data walked out the door.

That is essentially what happened to TriZetto Provider Solutions — a company that processes health insurance paperwork for thousands of doctors and clinics across the United States. Hackers broke in during November 2024. Nobody noticed until October 2025. By then, 3.4 million people's records had been exposed [1].

What Makes This Different From a Typical Hack?

Most people picture a cyberattack like a smash-and-grab robbery. Someone breaks in, grabs what they can, and runs before the alarm sounds.

This was more like a quiet, long-term spy operation. The hackers found a side door, made absolutely sure nobody could see them, and spent almost a year reading everything they could access.

The stolen information included names, home addresses, Social Security numbers, Medicare ID numbers, and health insurance details [2]. This is not the kind of data you can just replace, like cancelling a credit card. Social Security numbers, health records, and Medicare IDs can be used for identity theft for years — sometimes decades — after they are stolen.

The Part That Directly Affects Your Business

TriZetto is not a small startup. It is owned by Cognizant, one of the largest IT companies in the world [1]. And even they took 10 months to notice someone was inside their systems. According to IBM's 2024 Cost of a Data Breach Report, the average time to detect a breach in the healthcare sector is even longer than the global average — and the average healthcare breach costs $9.77 million [5].

Here is what this means for your business: you almost certainly have vendors who hold your customers' data too.

Think about your payroll software. Your customer database. Your email marketing tool. Your cloud file storage. Your accounting platform. Every single one of these holds personal information about real people: your customers, your employees, your business partners. According to Verizon's 2025 Data Breach Investigations Report, 30% of confirmed data breaches now involve a third party, double the previous year's figure [6].

If any of those vendors get hacked, your customers' information is at risk. And under Australian privacy law, you have legal responsibilities even when the breach happens at a vendor's end, not your own [3].

Three Things You Can Check This Week

You do not need to become a cybersecurity expert to protect your business here. These three checks are practical, free, and take less than an afternoon.

1. List every vendor that holds your data. Start with payroll, customer databases, accounting software, and email tools. Write them down. Most business owners are surprised: once you count carefully, a list of 20 to 50 is common.

2. Ask each vendor: "Do you have a SOC 2 report or ISO 27001 certification?" Both involve an independent external audit of the vendor's security controls. Ask to see the document, not just the claim: a SOC 2 report names the services and controls it covers and the period it covers, and an ISO 27001 certificate states its scope, so check that the service holding your data is actually inside that scope and that the date is recent. A vendor that cannot produce either has not had its security independently verified in any way you can check. If they handle sensitive data for your business, the answer to this question matters [4].

3. Check your contracts for breach notification clauses. How quickly does your vendor have to tell you if they get hacked? TriZetto waited 14 months to notify some customers [1]. Make sure your contracts do not allow that kind of delay.


FAQ

Q: What is TriZetto, and why does a US company's breach matter to my business? TriZetto is a US healthcare IT company that processes insurance eligibility data for doctors and clinics. The reason it matters is the pattern it represents: a software vendor was trusted with millions of sensitive records, failed to detect a breach for nearly a year, and notified affected parties more than 14 months after the intrusion began. The same risk exists with any vendor that processes data for your business [1].

Q: What should I do if my data was affected? If your data was affected, TriZetto and their notification partner Kroll will send a physical letter explaining what happened and offering 12 months of free credit monitoring and identity protection services. Accept the offer; it is genuinely useful [2].

Q: What is SOC 2, and what does "Type II" mean? SOC 2 stands for System and Organisation Controls 2. It is an independent audit report that verifies a company's security controls actually operate in practice, not just on paper. A SOC 2 Type II report means the auditor tested the controls over a period of operation (commonly 6 to 12 months) rather than at a single point in time, which is all a Type I covers. When a vendor tells you they have a SOC 2 Type II report, it means a qualified external auditor has confirmed their security controls operated consistently over that period; ask for the report itself and check that its scope includes the service holding your data [4].


References

[1] B. Toulas, "Cognizant TriZetto breach exposes health data of 3.4 million patients," BleepingComputer, Mar. 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/cognizant-trizetto-breach-exposes-health-data-of-34-million-patients/

[2] Maine Attorney General, "TriZetto Provider Solutions Data Breach Notification Filing," Maine AG Office, Feb. 2026. [Online]. Available: https://www.maine.gov/agviewer/content/ag/985235c7-cb95-4be2-8792-a1252b4f8318/e2c4cc45-dc81-498d-89f0-28c887808b41.html

[3] Office of the Australian Information Commissioner, "Australian Privacy Principle 11 — Security of Personal Information," OAIC, 2024. [Online]. Available: https://www.oaic.gov.au/privacy/australian-privacy-principles/australian-privacy-principles-guidelines/chapter-11-app-11-security-of-personal-information

[4] AICPA, "SOC 2 — SOC for Service Organizations: Trust Services Criteria," AICPA, 2024. [Online]. Available: https://www.aicpa-cima.com/resources/download/soc-2-trust-services-criteria-including-the-2022-points-of-focus

[5] IBM Security, "Cost of a Data Breach Report 2024," IBM, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach

[6] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025. [Online]. Available: https://www.verizon.com/business/resources/reports/dbir/

[7] COE Security, "Healthcare Supply Chain Under Cyber Siege," COE Security, Mar. 2026. [Online]. Available: https://coesecurity.com/healthcare-supply-chain-under-cyber-siege/

[8] CISA, "Guidance for Addressing Cybersecurity Risk in Third-Party Relationships," CISA, Nov. 2023. [Online]. Available: https://www.cisa.gov/resources-tools/resources/guidance-addressing-cybersecurity-risks-third-party-relationships


Not sure which of your vendors are handling your data responsibly? Most SMBs have 3 to 5 high-risk vendors they have never audited. lil.business can help you identify them and fix the gaps — without needing a full-time security team. Book a free call to find out what your vendor risk actually looks like.

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation