Fortinet FortiOS SSL-VPN out-of-bounds write RCE — StrikeShark/SharkLoader initial-access vector
cve · CVE-2024-21762
Coverage timeline: 1 (first 2026-06-27 → last 2026-06-27)
Briefs: 1 (1 distinct)
Sources cited: 75 (39 hosts)
Sections touched: 0
Co-occurring entities: 0 (no co-occurrence)
Story timeline
- 2026-06-27: CTI Daily Brief — 2026-06-27
Source distribution
- attack.mitre.org: 15 (20%)
- bleepingcomputer.com: 6 (8%)
- thehackernews.com: 6 (8%)
- securityweek.com: 4 (5%)
- fortiguard.fortinet.com: 3 (4%)
- fortinet.com: 3 (4%)
- arcticwolf.com: 2 (3%)
- cisa.gov: 2 (3%)
- other: 34 (45%)
External references
All cited sources (75)
- securelist.com [primary] [inline] Kaspersky Securelist, 2026-06-24: https://securelist.com/strikeshark-campaign/120326/
- advisories.ncsc.nl [inline] NCSC-NL 2026-0189: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0189
- advisory.splunk.com [inline] Splunk PSIRT SVD-2026-0603: https://advisory.splunk.com/advisories/SVD-2026-0603
- arcticwolf.com [inline] Arctic Wolf, 2026-06-17: https://arcticwolf.com/resources/blog/active-fortibleed-campaign-impacting-fortinet-devices-across-194-countries/
- arcticwolf.com [inline] Arctic Wolf: https://arcticwolf.com/resources/blog/forticlient-ems-exploited-via-cve-2026-35616-to-deliver-ekz-infostealer-disguised-as-a-fortinet-patch/
- attack.mitre.org [inline] T1021.001 Remote Services: Remote Desktop Protocol: https://attack.mitre.org/techniques/T1021/001/
- attack.mitre.org [inline] T1021.002: https://attack.mitre.org/techniques/T1021/002/
- attack.mitre.org [inline] T1041: https://attack.mitre.org/techniques/T1041/
- attack.mitre.org [inline] T1047 Windows Management Instrumentation: https://attack.mitre.org/techniques/T1047/
- attack.mitre.org [inline] T1053.005: https://attack.mitre.org/techniques/T1053/005/
- attack.mitre.org [inline] T1071.001: https://attack.mitre.org/techniques/T1071/001/
- attack.mitre.org [inline] T1078 Valid Accounts: https://attack.mitre.org/techniques/T1078/
- attack.mitre.org [inline] T1133 External Remote Services: https://attack.mitre.org/techniques/T1133/
- attack.mitre.org [inline] T1190: https://attack.mitre.org/techniques/T1190/
- attack.mitre.org [inline] T1195.002: https://attack.mitre.org/techniques/T1195/002/
- attack.mitre.org [inline] T1218: https://attack.mitre.org/techniques/T1218/
- attack.mitre.org [inline] T1486 Data Encrypted for Impact: https://attack.mitre.org/techniques/T1486/
- attack.mitre.org [inline] `nss3.dll`: https://attack.mitre.org/techniques/T1555/003/
- attack.mitre.org [inline] T1562.001: https://attack.mitre.org/techniques/T1562/001/
- attack.mitre.org [inline] T1567 Exfiltration Over Web Service: https://attack.mitre.org/techniques/T1567/
- bleepingcomputer.com [inline] BleepingComputer, 2026-06-07: https://www.bleepingcomputer.com/news/security/c0xmo-botnet-spreads-via-dd-wrt-router-flaw-kills-rival-malware/
- bleepingcomputer.com [inline] BleepingComputer, 2026-06-08: https://www.bleepingcomputer.com/news/security/check-point-links-vpn-zero-day-attacks-to-qilin-ransomware-gang/
- bleepingcomputer.com [inline] BleepingComputer, 2026-06-19: https://www.bleepingcomputer.com/news/security/cisa-warns-fortinet-users-to-secure-devices-after-fortibleed-leak/
- bleepingcomputer.com [inline] BleepingComputer, 2026-06-22: https://www.bleepingcomputer.com/news/security/fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/
- bleepingcomputer.com [inline] BleepingComputer, 2026-06-17: https://www.bleepingcomputer.com/news/security/fortibleed-leak-exposes-fortinet-vpn-credentials-for-73-000-devices/
- bleepingcomputer.com [inline] BleepingComputer, 2026-05-13: https://www.bleepingcomputer.com/news/security/fortinet-warns-of-critical-rce-flaws-in-fortisandbox-and-fortiauthenticator/
- blick.ch [inline] Blick.ch, 2026-05-07: https://www.blick.ch/fr/suisse/romande/cyberattaque-le-groupe-romand-3r-de-radiologie-cible-id21930477.html
- blog.checkpoint.com [inline] Check Point, 2026-06-08: https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/
- ccb.belgium.be [inline] CCB Belgium, 2026-06-11: https://ccb.belgium.be/advisories/warning-fortinet-addresses-critical-command-injection-vulnerability-fortisandbox-patch
- cert.ssi.gouv.fr [inline] CERTFR-2026-AVI-0576, 2026-05-13: https://www.cert.ssi.gouv.fr/avis/CERTFR-2026-AVI-0576/
- cisa.gov [inline] CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- cisa.gov [inline] CISA, 2026-06-18: https://www.cisa.gov/news-events/alerts/2026/06/18/cisa-urges-hardening-fortinet-devices-after-reports-credential-exposure
- comparitech.com [inline] Comparitech Q1 2026 Healthcare, 2026-04-29: https://www.comparitech.com/news/healthcare-ransomware-roundup-q1-2026-stats-on-attacks-ransoms-and-data-breaches/
- crowdstrike.com [inline] CrowdStrike blog: https://www.crowdstrike.com/en-us/blog/crowdstrike-2026-financial-services-threat-landscape-report/
- crowdstrike.com [inline] CrowdStrike press release: https://www.crowdstrike.com/en-us/press-releases/crowdstrike-2026-financial-services-threat-landscape-report/
- cyber.gc.ca [inline] CCCS, 2026-06-03: https://www.cyber.gc.ca/en/guidance/cyber-threat-bulletin-fifa-world-cup-2026tm
- cybermaxx.com [inline] CyberMaxx Q1 2026: https://www.cybermaxx.com/resources/ransomware-research-report-q1-2026-audio-blog-interview/
- fortiguard.fortinet.com [inline] Fortinet PSIRT FG-IR-26-099: https://fortiguard.fortinet.com/psirt/FG-IR-26-099
- fortiguard.fortinet.com [inline] Fortinet PSIRT FG-IR-26-128: https://fortiguard.fortinet.com/psirt/FG-IR-26-128
- fortiguard.fortinet.com [inline] Fortinet PSIRT FG-IR-26-136: https://fortiguard.fortinet.com/psirt/FG-IR-26-136
- fortinet.com [inline] Fortinet PSIRT, 2026-06-19: https://www.fortinet.com/blog/psirt-blogs/analysis-of-reported-credential-compromise-of-fortigate-devices
- fortinet.com [inline] FortiGuard Labs, 2026-06-04: https://www.fortinet.com/blog/threat-research/cybercriminals-are-targeting-the-fifa-world-cup-2026
- fortinet.com [inline] FortiGuard Labs, 2026-06-03: https://www.fortinet.com/blog/threat-research/inside-cross-platform-propagation-of-new-gafgyt-variant-c0xmo
- github.com [inline] Bedrock Safeguard decryptor: https://github.com/Bedrock-Safeguard/gentlemen-decryptor
- github.com [inline] n8n GHSA-q5f4-99jv-pgg5, 2026-05-18: https://github.com/n8n-io/n8n/security/advisories/GHSA-q5f4-99jv-pgg5
- groupe3r.ch [inline] Groupe 3R victim statement, 2026-04-30: https://www.groupe3r.ch/fr/information-importante-perturbation-de-nos-services-7268/
- helpnetsecurity.com [inline] Help Net Security: https://www.helpnetsecurity.com/2026/06/16/fortisandbox-vulnerabilities-cve-2026-39813-cve-2026-39808-cve-2026-25089/
- helpnetsecurity.com [inline] Help Net Security, 2026-06-26: https://www.helpnetsecurity.com/2026/06/26/sharkloader-dropper-governments-software-developers/
- ictjournal.ch [inline] ICTjournal.ch, 2026-05-06: https://www.ictjournal.ch/news/2026-05-06/le-reseau-radiologique-romand-a-nouveau-victime-dune-cyberattaque-ses-systemes
- ivanti.com [inline] Ivanti, 2026-05-12: https://www.ivanti.com/blog/may-2026-security-update
- krebsonsecurity.com [inline] KrebsOnSecurity, 2026-06-10: https://krebsonsecurity.com/2026/06/who-runs-the-ransomware-group-the-gentlemen/
- lumen.com [inline] Lumen Black Lotus Labs, 2026-06-10: https://www.lumen.com/blog/en-us/expanded-jdy-iot-and-soho-botnet-enables-rapid-vulnerability-exploitation
- microsoft.com [inline] Microsoft Threat Intelligence, 2026-05-28: https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/
- msrc.microsoft.com [inline] `CVE-2026-45659`: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-45659
- nvd.nist.gov [inline] CISA KEV since 2026-04-06: https://nvd.nist.gov/vuln/detail/CVE-2026-35616
- oracle.com [inline] Oracle CSPU: https://www.oracle.com/security-alerts/cspujun2026.html
- ptc.com [inline] PTC PSIRT advisory: https://www.ptc.com/en/about/trust-center/advisory-center/active-advisories/windchill-flexplm-rce-vulnerability
- research.checkpoint.com [inline] Check Point: https://research.checkpoint.com/2026/thus-spoke-the-gentlemen/
- research.jfrog.com [inline] JFrog: https://research.jfrog.com/post/easy-day-js/
- security-hub.ncsc.admin.ch [inline] NCSC-CH Security Hub #12569, 2026-05-13: https://security-hub.ncsc.admin.ch/#/posts/12569
- securityaffairs.com [inline] Security Affairs: https://securityaffairs.com/193709/ai/fortinet-warned-as-three-critical-fortisandbox-bugs-come-under-attack.html
- securityweek.com [inline] SecurityWeek: https://www.securityweek.com/fortibleed-86000-fortinet-device-credentials-compromised/
- securityweek.com [inline] 2026-05-13: https://www.securityweek.com/fortinet-ivanti-patch-critical-vulnerabilities/
- securityweek.com [inline] SecurityWeek, 2026-06-22: https://www.securityweek.com/fortinet-responds-to-fortibleed-campaign/
- securityweek.com [inline] SecurityWeek, 2026-06-23: https://www.securityweek.com/russian-initial-access-broker-behind-fortibleed-campaign/
- socradar.io [inline] SOCRadar, 2026-06-16: https://socradar.io/blog/fortibleed-fortinet-firewalls-compromised/
- spycloud.com [inline] SpyCloud, 2026-06-19: https://spycloud.com/blog/what-spycloud-found-inside-the-fortibleed-threat-actor-infrastructure/
- thehackernews.com [inline] The Hacker News, 2026-05-18: https://thehackernews.com/2026/05/ivanti-fortinet-sap-vmware-n8n-patch.html
- thehackernews.com [inline] The Hacker News, 2026-05-28: https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
- thehackernews.com [inline] The Hacker News, 2026-06-10: https://thehackernews.com/2026/06/china-linked-jdy-botnet-expands-to-1500.html
- thehackernews.com [inline] The Hacker News, 2026-06-05: https://thehackernews.com/2026/06/fifa-world-cup-2026-scams-are-already.html
- thehackernews.com [inline] The Hacker News, 2026-06-23: https://thehackernews.com/2026/06/fortibleed-targeted-fortigate-firewalls.html
- thehackernews.com [inline] The Hacker News, 2026-06-11: https://thehackernews.com/2026/06/the-gentlemen-ransomware-claims-478.html
- threatfabric.com [inline] ThreatFabric, 2026-06-04: https://www.threatfabric.com/blogs/own-goal-piracy-as-an-attack-vector-to-target-football-fans
- wid.cert-bund.de [inline] BSI WID-SEC-2026-1583: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1583
Items in briefs about Fortinet FortiOS SSL-VPN out-of-bounds write RCE — StrikeShark/SharkLoader initial-access vector
No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.