Last updated: July 5, 2026 at 9:01 AM UTC
Tag: vpn (4 articles)

FortiBleed leak exposes VPN credentials for nearly 74,000 Fortinet firewalls

A newly surfaced dataset dubbed FortiBleed exposes what appear to be Fortinet and FortiGate VPN credentials tied to 73,932 firewall URLs at organizations around the world. Separately, researchers at SOCRadar report roughly 30,000 compromised Fortinet firewalls exposing networks to attack. Exposed VPN credentials are a direct route into corporate networks, letting attackers log in as legitimate users, bypass perimeter defenses, and stage ransomware or data theft. Fortinet gear is a perennial target, with many of these exposures stemming from past unpatched flaws and credential harvesting. Organizations cannot assume old Fortinet credentials are safe just because devices were later patched.

Check
Check whether your Fortinet or FortiGate VPN appliances appear in the exposed dataset, review VPN authentication logs for logins from unfamiliar locations, and confirm whether previously exposed devices were fully remediated.
Affected
Organizations running internet-facing Fortinet and FortiGate VPNs whose credentials appear among the 73,932 exposed firewall URLs; reused or never-rotated VPN passwords are most at risk.
Fix
Force-reset all Fortinet VPN credentials, enable phishing-resistant MFA on VPN access, restrict management interfaces, and fully patch or replace appliances, treating any potentially exposed device as compromised until verified.

Check Point VPN zero-day exploited by Qilin ransomware, patch now

Check Point has rushed out a fix for a critical flaw in its Remote Access VPN, Mobile Access, and Spark firewall products that attackers have been exploiting since May 7. The bug (CVE-2026-50751, rated 9.3) is a logic error in how the software checks certificates, letting an unauthenticated attacker log into the VPN with no password, but only on gateways still using the old IKEv1 key-exchange protocol. So far a few dozen organizations have been hit, and at least one intrusion was tied to an affiliate of the Qilin ransomware gang, which used the access to steal data with Rclone before deploying ransomware. A second, unexploited flaw was also patched.

Check
Check whether your Check Point gateways accept IKEv1 remote-access connections, then audit VPN and authentication logs back to May 7 for logins lacking a matching certificate or password.
Affected
Check Point Remote Access VPN, Mobile Access, and Spark firewalls on versions R80.20.X through R82.10 configured for the deprecated IKEv1 protocol without mandatory machine certificates.
Fix
Apply the hotfix per Check Point advisory SK185033, or switch Remote Access to IKEv2 only, make machine-certificate authentication mandatory, drop legacy clients, and enable IPS signatures.

First VPN service taken offline by Europol - 33 servers in 27 countries seized, Ukrainian operator questioned, used in ransomware

A joint operation between French, Dutch and 14 other authorities, coordinated by Europol and Eurojust, has taken down First VPN, a privacy-focused VPN service that was advertised on cybercrime forums as a no-logs option that ignored law enforcement requests. Authorities seized 33 servers across 27 countries, took down the 1vpns.com, 1vpns.net, 1vpns.org domains and the onion mirrors, and questioned a Ukrainian suspect. Investigators infiltrated the infrastructure before takedown and pulled the user database, sharing 506 user identifications and 83 intelligence packages internationally. Europol says the service name turned up in nearly every major cybercrime investigation it has supported in recent years.

Check
Search VPN allowlists and detection alerts for users connecting from First VPN exit IPs in the last two years. Check firewall and proxy logs for references to 1vpns.com, 1vpns.net or 1vpns.org.
Affected
Investigators or threat hunters whose historical IoC sets included First VPN exit IPs. 506 specific users have been internationally referred; affected parties should expect law-enforcement contact.
Fix
Refresh detection rules with seized First VPN exit IPs once Europol shares them. If your historical attacker IoCs included First VPN nodes, re-correlate against the freshly identified users.

SonicWall Gen6 SSL-VPN MFA bypass (CVE-2024-12802) actively exploited - firmware patch alone insufficient, LDAP reconfiguration required

ReliaQuest has documented active in-the-wild exploitation of CVE-2024-12802, a SonicWall Gen6 SSL-VPN MFA bypass that hits Gen6 devices even after they apply the firmware patch. SonicWall's advisory makes clear that on Gen6 hardware, the firmware update alone does not fix it - administrators must also delete the LDAP configuration that uses userPrincipalName, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, and rebuild the LDAP config without userPrincipalName. Gen7 and Gen8 devices are patched by firmware alone. Intrusions observed between February and March 2026 looked like ransomware initial-access broker activity with 30-60 minute Cobalt Strike and BYOVD attempts.

Check
Inventory SonicWall Gen6 SSL-VPN appliances and confirm the LDAP reconfiguration was done after the firmware patch. Search VPN logs for 30-60 minute logins from new IPs in the last 90 days.
Affected
SonicWall Gen6 SSL-VPN devices running patched firmware but with LDAP still configured to use userPrincipalName in the 'Qualified login name' field. Gen7 and Gen8 are patched by firmware alone.
Fix
On Gen6: delete the existing LDAP config, remove cached LDAP users, drop the SSL VPN User Domain back to LocalDomain, reboot, then rebuild LDAP without userPrincipalName per SonicWall's advisory.
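The Check step above asks for a hunt over VPN logs for 30-60 minute sessions from new IPs in the last 90 days. The script below is an added example, not code from the article or from SonicWall, that runs that hunt over a handful of constructed session records; the record layout (end time, user, source IP, session minutes) is an assumption, and "new IP" is interpreted as a source address not seen in sessions older than the 90-day window.

```python
# Added example: hunt constructed SSL-VPN session records for the pattern
# described in the SonicWall write-up: 30-60 minute sessions from source IPs
# not seen in the pre-window baseline, within the last 90 days.
from datetime import datetime, timedelta

# Constructed session records: "end-time,user,source-ip,duration-minutes".
# The field layout is an assumption; map your appliance's export to it.
SESSIONS = """\
2025-11-02T08:10:00,alice,203.0.113.10,480
2026-01-15T09:00:00,bob,198.51.100.7,45
2026-02-20T03:12:00,alice,192.0.2.55,42
2026-03-03T02:40:00,carol,192.0.2.56,55
2026-03-04T10:00:00,alice,203.0.113.10,50
2026-03-10T01:15:00,dave,192.0.2.57,15
"""

NOW = datetime(2026, 3, 20)        # analysis time; constructed
WINDOW = timedelta(days=90)        # "last 90 days" from the Check step
MIN_MINUTES, MAX_MINUTES = 30, 60  # session length band from the Check step

def parse_sessions(text):
    """Turn the comma-separated records into (end_time, user, ip, minutes)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, mins = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, ip, int(mins)))
    return rows

def hunt(rows, now=NOW):
    """Return (user, ip, end_time) for sessions inside the 90-day window that
    lasted 30-60 minutes and came from an IP never seen before the window."""
    cutoff = now - WINDOW
    # Baseline: every source IP that appears in sessions older than the window.
    baseline_ips = {ip for ts, _, ip, _ in rows if ts < cutoff}
    hits = []
    for ts, user, ip, mins in rows:
        if ts < cutoff or ip in baseline_ips:
            continue
        if MIN_MINUTES <= mins <= MAX_MINUTES:
            hits.append((user, ip, ts.isoformat()))
    return hits

if __name__ == "__main__":
    for hit in hunt(parse_sessions(SESSIONS)):
        print("review:", hit)
```

Sessions from an IP already present in the baseline (alice from 203.0.113.10) are not flagged even when their length falls in the band, so the output is a review queue rather than a verdict.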