ctipilot.ch


FortiBleed (`key: fortibleed`)

From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29

The W25 top story continued without a scale revision — the device count holds at the 86,644 figure the dailies reported — but the in-window development is the clearest state-interest signal yet: CISA updated its hardening alert on 06-22 to link Fortinet's revised guidance, and reporting now confirms that in mid-June the Russian-speaking operator completed offline Kerberos-hash cracking from captured FortiGate configs and immediately exfiltrated DFS backup data from a NATO-aligned defence contractor — a full AD domain takeover (Security Affairs). Outstanding for defenders: treat any FortiGate admin/VPN credential active May–June 2026 as compromised, rotate, then hunt AD for pass-the-hash, DCSync and DFS-backup exfiltration (Kerberos ticket anomalies, LSASS access, ntdsutil/impacket artefacts). Patch level is irrelevant — this is credential reuse, not a new CVE.
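A starting point for three of the AD hunts named above (DCSync, Kerberos ticket anomalies, pass-the-hash), written as an added example and not taken from the brief or from any vendor guidance. It assumes Windows Security events exported as dicts with the standard field names; the `hunt` function, the `replicators` allowlist, and every account and host name in the sample are hypothetical.

```python
import re

# Extended-right GUIDs that appear in Event 4662 "Properties" during directory replication.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")

def hunt(events, replicators):
    """Return sorted (rule, account) findings; `replicators` = accounts allowed to replicate."""
    findings = set()
    for e in events:
        eid = e["EventID"]
        if eid == 4662:
            # DCSync lead: replication rights exercised by an account that is not a known DC.
            guids = set(GUID_RE.findall(e.get("Properties", "").lower()))
            if guids & REPL_GUIDS and e["SubjectUserName"] not in replicators:
                findings.add(("dcsync", e["SubjectUserName"]))
        elif eid == 4769:
            # Kerberos anomaly: RC4 (0x17) service ticket for a non-machine service account.
            rc4 = e.get("TicketEncryptionType", "").lower() == "0x17"
            if rc4 and not e["ServiceName"].endswith("$"):
                findings.add(("rc4_service_ticket", e["TargetUserName"]))
        elif eid == 4624:
            # Pass-the-hash lead: NewCredentials logon (type 9) through seclogo.
            # Also produced by `runas /netonly`, so treat it as a triage item.
            proc = e.get("LogonProcessName", "").strip().lower()
            if e.get("LogonType") == 9 and proc == "seclogo":
                findings.add(("pth_newcredentials", e["TargetUserName"]))
    return sorted(findings)

# Constructed sample events; field names follow the Windows Security log, values are made up.
SAMPLE = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-vpn", "Properties": "%%7688 {1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    {"EventID": 4769, "TargetUserName": "svc-vpn@EXAMPLE.LOCAL", "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "alice@EXAMPLE.LOCAL", "ServiceName": "FILE01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4624, "TargetUserName": "admin-bk", "LogonType": 9, "LogonProcessName": "seclogo"},
    {"EventID": 4624, "TargetUserName": "alice", "LogonType": 3, "LogonProcessName": "Kerberos"},
]

if __name__ == "__main__":
    for rule, account in hunt(SAMPLE, replicators={"DC01$", "DC02$"}):
        print(f"{rule:22} {account}")
```

Event 4662 is only logged when Directory Service Access auditing is enabled on the domain controllers, and the allowlist must include any legitimate directory-sync service account.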