Weekly Recap: FortiBleed, Splunk RCE, GentleKiller EDR Suite, and More
This week's security roundup covers the FortiBleed campaign targeting 80K+ FortiGate devices, active exploitation of a critical Splunk Enterprise RCE flaw, and the Gentlemen RaaS operation's new EDR-killer framework.

This week's threat landscape is dominated by a familiar mix of abused integrations, fake tools, and ransomware crews developing new ways to disable security products. The FortiBleed campaign has compromised over 80,000 Fortinet FortiGate devices worldwide, while a critical unauthenticated remote code execution vulnerability in Splunk Enterprise is being actively exploited. Meanwhile, the Gentlemen ransomware-as-a-service operation has developed a sophisticated EDR-killer framework called GentleKiller, and Salesforce disabled the Klue app integration after a data breach.
The FortiBleed campaign, tracked by SOCRadar since at least February 2026, has systematically targeted Fortinet FortiGate firewall and SSL VPN gateway devices. Threat actors, believed to be Russian-speaking, have been using automated tools to test stolen credentials against over 80,000 devices. CISA has urged Fortinet customers to secure their appliances, noting that the attackers are reusing credentials from previous incidents involving CVE-2026-24858, CVE-2025-59718, and CVE-2025-59719, along with brute-force attacks against devices lacking multi-factor authentication.
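One way a defender can look for the credential-testing pattern described above in FortiGate SSL VPN event logs, as an added example that is not part of the original article or of any vendor tool; the log lines are constructed in FortiGate's key=value style, and the window and threshold values are arbitrary assumptions to tune per environment:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in FortiGate's key=value event-log style (not telemetry
# from the FortiBleed campaign). 198.51.100.7 cycles through many accounts;
# 203.0.113.9 is a user who mistyped a password once and then connected.
SAMPLE_LOGS = """\
date=2026-02-10 time=09:00:01 subtype="vpn" action="ssl-login-fail" user="alice" remip=198.51.100.7
date=2026-02-10 time=09:00:40 subtype="vpn" action="ssl-login-fail" user="bob" remip=198.51.100.7
date=2026-02-10 time=09:01:15 subtype="vpn" action="ssl-login-fail" user="carol" remip=198.51.100.7
date=2026-02-10 time=09:02:02 subtype="vpn" action="ssl-login-fail" user="dave" remip=198.51.100.7
date=2026-02-10 time=09:03:30 subtype="vpn" action="ssl-login-fail" user="erin" remip=198.51.100.7
date=2026-02-10 time=09:04:11 subtype="vpn" action="ssl-login-fail" user="alice" remip=198.51.100.7
date=2026-02-10 time=09:10:00 subtype="vpn" action="ssl-login-fail" user="frank" remip=203.0.113.9
date=2026-02-10 time=09:10:30 subtype="vpn" action="tunnel-up" user="frank" remip=203.0.113.9
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def detect_credential_stuffing(log_text, window_seconds=600, min_failures=5, min_distinct_users=4):
    """Return {remip: {...}} for sources whose SSL VPN login failures inside any
    window_seconds span reach both thresholds. Many distinct usernames failing from
    one source is the credential-testing pattern; one user mistyping is not."""
    failures = defaultdict(list)  # remip -> [(timestamp, user), ...]
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("subtype") != "vpn" or fields.get("action") != "ssl-login-fail":
            continue
        ts = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
        failures[fields["remip"]].append((ts, fields["user"]))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-sorted failures
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            count = end - start + 1
            if count >= min_failures and len(users) >= min_distinct_users:
                alerts[ip] = {"failures": count, "distinct_users": len(users)}
    return alerts
```

Feeding real FortiGate events requires only that `date`, `time`, `subtype`, `action`, `user` and `remip` survive whatever log shipper is in front of the script.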
Splunk disclosed CVE-2026-20253, a critical flaw in Splunk Enterprise versions below 10.2.4 and 10.0.7 that allows unauthenticated attackers to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability is particularly dangerous because it can be exploited remotely without authentication or user interaction, potentially leading to remote code execution. Resecurity noted that chaining multiple weaknesses could allow attackers to progress from unauthenticated access to full system compromise, exposing sensitive logs, credentials, and operational data.
The Gentlemen ransomware-as-a-service operation has developed GentleKiller, an in-house EDR-disabling framework that comes in eight variants, each impersonating a different legitimate product and abusing a vulnerable or malicious kernel driver. The framework targets over 400 processes belonging to 48 security products, including CrowdStrike, SentinelOne, Microsoft Defender, Sophos, Kaspersky, and ESET. This development highlights the ongoing arms race between ransomware groups and endpoint security vendors.
Salesforce disabled the Klue Battlecards app integration after detecting unusual activity that may have resulted in unauthorized access to customer data. The incident, which occurred on June 11, 2026, involved the Icarus extortion group compromising Klue's systems through a compromised legacy credential associated with an integration service. Salesforce emphasized that the issue is limited to Klue's app connection and does not stem from a vulnerability within the Salesforce platform itself.
Other notable stories this week include the takedown of SocGholish infrastructure as part of Operation Endgame, with 106 servers taken down and nearly 15,000 infected WordPress websites cleaned. Researchers also disclosed an unpatchable exploit called usbliter8 targeting Apple A12 and A13 chips, though it requires physical access to the device. Additionally, a malicious campaign was discovered that faked its popularity to deliver cryptocurrency-stealing clipper malware.
This week's events underscore the persistent and evolving nature of cyber threats. From large-scale credential reuse campaigns to sophisticated EDR-killer frameworks and supply-chain attacks via third-party integrations, organizations face a complex threat landscape that requires continuous vigilance, timely patching, and robust security practices.