Vypr trend · Published Jun 21, 2026 · 1 source

Week in review: 74k Fortinet firewall credentials stolen, Splunk Enterprise RCE under active attack

A weekly roundup highlights two major security incidents: 74,000 Fortinet firewall credentials were stolen, and a remote code execution vulnerability in Splunk Enterprise is under active attack.

A weekly roundup of the most significant cybersecurity news from the past week has spotlighted two major incidents: the theft of 74,000 Fortinet firewall credentials and active exploitation of a remote code execution vulnerability in Splunk Enterprise. The roundup, published by Help Net Security, also covers a novel hardware neural network backdoor attack that evades detection by splitting malicious functionality between hardware and software.

The credential theft, dubbed 'FortiBleed,' exposed VPN credentials for 73,932 Fortinet and FortiGate firewall URLs globally, posing an immediate risk of unauthorized network access. This incident follows a separate credential-harvesting campaign that compromised over 30,000 Fortinet devices across 194 countries, attributed to a Russian-speaking threat actor. The stolen credentials can be used to gain initial access to corporate networks, potentially leading to data breaches, ransomware deployment, or further lateral movement.

Separately, a critical pre-authentication remote code execution vulnerability in Splunk Enterprise's PostgreSQL Sidecar service, tracked as CVE-2026-20253, is under active attack. The affected service ships enabled by default in Splunk Enterprise on AWS, and the flaw allows attackers to execute arbitrary code without authentication. watchTowr Labs disclosed the vulnerability, and Splunk has released patches. Organizations using Splunk Enterprise on AWS are urged to apply the updates immediately to prevent compromise.

In addition to these incidents, researchers from the University of Tennessee and the University of Florida unveiled HAMLOCK, a hardware neural network backdoor that splits malicious functionality between hardware and software to evade detection. This attack targets deep learning systems on edge devices that rely on third-party-designed FPGAs and ASICs, posing a supply chain risk for edge AI devices. The backdoor can be triggered by specific inputs, causing the model to misbehave while appearing benign during testing.

The roundup also includes other notable stories, such as a supply chain attack on 1.2 million WordPress sites via the OptinMonster plugin, a decade-long stealth operation by China-linked Velvet Ant, and Apple's patch for a Beats microphone flaw. These incidents underscore the diverse and evolving threat landscape, from credential theft and software vulnerabilities to hardware-level attacks and supply chain compromises.

Organizations are advised to review their security postures, apply patches for Splunk Enterprise and Fortinet devices, and monitor for signs of credential abuse. The disclosure of HAMLOCK also highlights the need for rigorous supply chain security for AI hardware components, as attackers increasingly target the intersection of hardware and software to bypass traditional defenses.

Synthesized by Vypr AI