A newly surfaced dataset dubbed FortiBleed exposes what appear to be Fortinet and FortiGate VPN credentials tied to 73,932 firewall URLs at organizations around the world. Separately, researchers at SOCRadar report roughly 30,000 compromised Fortinet firewalls exposing networks to attack. Exposed VPN credentials are a direct route into corporate networks, letting attackers log in as legitimate users, bypass perimeter defenses, and stage ransomware or data theft. Fortinet gear is a perennial target, with many of these exposures stemming from past unpatched flaws and credential harvesting. Organizations cannot assume old Fortinet credentials are safe just because devices were later patched.
Check Point has rushed out a fix for a critical flaw in its Remote Access VPN, Mobile Access, and Spark firewall products that attackers have been exploiting since May 7. The bug (CVE-2026-50751, rated 9.3) is a logic error in how the software checks certificates, letting an unauthenticated attacker log into the VPN with no password, but only on gateways still using the old IKEv1 key-exchange protocol. So far a few dozen organizations have been hit, and at least one intrusion was tied to an affiliate of the Qilin ransomware gang, which used the access to steal data with Rclone before deploying ransomware. A second, unexploited flaw was also patched.
A joint operation between French, Dutch and 14 other authorities, coordinated by Europol and Eurojust, has taken down First VPN, a privacy-focused VPN service that was advertised on cybercrime forums as a no-logs option that ignored law enforcement requests. Authorities seized 33 servers across 27 countries, took down the 1vpns.com, 1vpns.net, 1vpns.org domains and the onion mirrors, and questioned a Ukrainian suspect. Investigators infiltrated the infrastructure before takedown and pulled the user database, sharing 506 user identifications and 83 intelligence packages internationally. Europol says the service name turned up in nearly every major cybercrime investigation it has supported in recent years.
ReliaQuest has documented active in-the-wild exploitation of CVE-2024-12802, a SonicWall Gen6 SSL-VPN MFA bypass that hits Gen6 devices even after they apply the firmware patch. SonicWall's advisory makes clear that on Gen6 hardware, the firmware update alone does not fix it - administrators must also delete the LDAP configuration that uses userPrincipalName, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, and rebuild the LDAP config without userPrincipalName. Gen7 and Gen8 devices are patched by firmware alone. Intrusions observed between February and March 2026 looked like ransomware initial-access broker activity with 30-60 minute Cobalt Strike and BYOVD attempts.