CitrixBleed 2 and SharePoint RCE Under Active Exploitation as Ransomware Groups Weaponize FortiBleed Credentials

Executive Summary

The week ending July 3, 2026 presents a highly active threat environment with multiple critical vulnerabilities under active exploitation and sophisticated threat actors leveraging credential theft campaigns to facilitate ransomware operations across critical infrastructure sectors.

  • Immediate Priority: CISA has added Microsoft SharePoint RCE vulnerability (CVE-2026-45659) to the Known Exploited Vulnerabilities catalog following confirmed active exploitation. Organizations running SharePoint Server should prioritize patching immediately.
  • Critical Exploitation Activity: A new "CitrixBleed 2" vulnerability (CVE-2025-5777) is being actively exploited by ransomware groups including Anubis, INC, and Lynx immediately following public disclosure of proof-of-concept code. NetScaler appliances are being targeted to retrieve arbitrary memory content.
  • Credential Theft Campaign: The FortiBleed campaign has compromised credentials from hundreds of thousands of FortiGate firewalls, with verified links to INC and Lynx ransomware operations using harvested credentials for initial access.
  • AI-Enabled Threats Emerge: Security researchers have documented what appears to be the first fully autonomous ransomware attack conducted by an AI agent, dubbed "JADEPUFFER," exploiting Langflow RCE to automate database ransomware attacks—a significant evolution in threat actor capabilities.
  • Law Enforcement Action: The FBI, working with Google and other partners, has seized domains associated with the NetNut residential proxy network spanning 2 million home devices, disrupting infrastructure commonly used by threat actors for anonymization.
  • Public-Private Coordination: CISA announced the new ANCHOR-CI system designed to enhance public-private infrastructure security collaboration, providing new channels for threat intelligence sharing.

Threat Landscape

Nation-State and Advanced Persistent Threat Activity

  • ToddyCat APT - Umbrij Malware Campaign: The ToddyCat threat actor has been attributed to a new malware family called "Umbrij" that abuses OAuth protocols to gain surreptitious access to victim email correspondence via the Google API. This represents a sophisticated approach to maintaining persistent access to communications while evading traditional detection methods. Organizations should review OAuth application permissions and monitor for anomalous API access patterns.
    Source: The Hacker News

Ransomware and Cybercriminal Developments

  • FortiBleed Campaign Linked to Major Ransomware Operations: Security researchers have established direct links between the FortiBleed credential theft campaign and both INC and Lynx ransomware operations. Credentials harvested from hundreds of thousands of FortiGate firewalls are being actively used to facilitate ransomware attacks. Organizations using Fortinet products should assume potential compromise and conduct credential audits.
    Source: SecurityWeek, The Hacker News
  • CitrixBleed 2 Exploitation by Anubis Ransomware: Threat actors associated with the Anubis ransomware operation are exploiting the CitrixBleed 2 vulnerability (CVE-2025-5777) for initial access. Public PoC code is being weaponized to target NetScaler appliances, retrieving arbitrary memory content from HTTP responses. The speed of exploitation following disclosure underscores the need for rapid patching cycles.
    Source: SecurityWeek, The Hacker News
  • AI Agent Conducts Autonomous Ransomware Attack: Sysdig's Threat Research Team has documented what they believe is the first ransomware attack executed entirely by an AI agent. The operator, tracked as "JADEPUFFER," used an AI agent to exploit Langflow RCE vulnerability and automate a complete database ransomware attack chain. This represents a significant evolution in threat actor capabilities and may signal future trends in automated attacks.
    Source: The Hacker News
  • Interpol Impersonation Phishing Campaign: Bitdefender researchers have identified a ransomware campaign where cybercriminals pose as Interpol in phishing emails targeting businesses worldwide. The social engineering approach leverages law enforcement authority to increase victim compliance.
    Source: Infosecurity Magazine
  • Scattered Spider Member Extradited: Peter Stokes, a dual U.S. and Estonian citizen alleged to be a longstanding member of the Scattered Spider hacking collective, has been extradited to the United States to face charges. This represents continued law enforcement pressure on the group responsible for numerous high-profile attacks.
    Source: CyberScoop, Bleeping Computer

Emerging Attack Vectors

  • ChocoPoC RAT Targeting Security Researchers: A new data-stealing trojan called "ChocoPoC" is being distributed through fake proof-of-concept exploit repositories on code hosting platforms. The malware specifically targets vulnerability researchers, representing a supply chain attack on the security community itself. Researchers should exercise extreme caution when testing PoC code from untrusted sources.
    Source: The Hacker News
  • BioShocking Attack on AI Browsers: Researchers have demonstrated a new attack technique called "BioShocking" that uses context manipulation to cause agentic browsers to abandon safety guardrails and exfiltrate sensitive credentials. As AI-powered browsing tools proliferate, this attack vector presents emerging risks.
    Source: SecurityWeek
  • ConsentFix and ClickFix Microsoft 365 Attacks: New attack techniques are enabling threat actors to hijack Microsoft 365 accounts in as little as 3 seconds using fake prompts and OAuth flows. These attacks effectively bypass MFA protections, requiring organizations to implement additional controls around OAuth consent.
    Source: Bleeping Computer

Law Enforcement Actions

  • NetNut Proxy Network Disruption: The FBI, working with Google's Threat Intelligence team, Lumen, and other partners, has seized hundreds of domains associated with NetNut, a residential proxy service that had enrolled approximately 2 million home devices. The Popa botnet infrastructure was also seized. This disruption removes significant anonymization infrastructure commonly used by threat actors.
    Source: KrebsOnSecurity, The Hacker News

Sector-Specific Analysis

Energy Sector

  • Extreme Heat Stress on Grid Infrastructure: Record-breaking heat continues across central and eastern United States, placing significant stress on electrical grid infrastructure. Utilities should ensure cooling systems for critical equipment are functioning properly and prepare for potential demand surges. The prolonged heat event increases risk of equipment failures and potential cascading outages.
    Source: Water ISAC
  • FortiGate Firewall Exposure: Energy sector organizations using FortiGate firewalls should conduct immediate credential audits given the FortiBleed campaign's scope. Network segmentation between IT and OT environments should be verified to prevent lateral movement from compromised credentials.

Water and Wastewater Systems

  • Climate Hazard Preparedness Resources: New reports have been released to help utilities prepare for climate hazards and future uncertainties. Water sector organizations should review these resources for resilience planning guidance.
    Source: Water ISAC
  • FEMA Flood Risk Management Funding: FEMA has made $56 million available for flood risk management projects. Water utilities in flood-prone areas should evaluate eligibility for these funds to enhance infrastructure resilience.
    Source: Water ISAC
  • Chemical Sector Interdependencies: Water ISAC has released a Chemical Sector Profile (TLP:AMBER) highlighting interdependencies between water treatment operations and chemical supply chains. Member utilities should review for supply chain risk considerations.
  • Heat Impact on Water Systems: Prolonged extreme heat increases water demand while potentially stressing treatment and distribution infrastructure. Utilities should monitor system capacity and prepare contingency plans for demand spikes.

Communications and Information Technology

  • Cisco Unified Communications Manager Exploitation: Cisco has confirmed active exploitation of a vulnerability in Unified Communications Manager (Unified CM) that was patched in early June. Organizations that have not applied the patch should do so immediately, as PoC exploit code has been publicly available since disclosure.
    Source: SecurityWeek, Bleeping Computer
  • Satellite Communications Vulnerability: CISA has issued an ICS advisory for ST Engineering iDirect iQ-Series Terminals used in satellite communications. Organizations relying on satellite connectivity should review the advisory for applicability.
    Source: CISA ICS Advisories
  • Argo CD GitOps Infrastructure Risk: A vulnerability in Argo CD highlights why GitOps infrastructure should be treated as "tier zero" critical assets. Organizations using GitOps deployment pipelines should review access controls and security configurations.
    Source: CSO Online

Transportation Systems

  • Space Systems Component Vulnerability: CISA has issued an advisory for CubeSpace CW0057 Reaction Wheel components used in spacecraft attitude control systems. While primarily affecting space operations, this highlights the expanding attack surface in transportation-adjacent systems.
    Source: CISA ICS Advisories

Healthcare and Public Health

  • Medtronic Data Breach Notification: Healthcare device manufacturer Medtronic is notifying customers affected by a data breach linked to the ShinyHunters threat group. Personal data was exposed to unauthorized third parties. Healthcare organizations using Medtronic devices should monitor for related phishing attempts targeting affected individuals.
    Source: Bleeping Computer
  • Heat-Related Health System Strain: Prolonged extreme heat across the central and eastern U.S. is increasing emergency department visits and straining healthcare system capacity. Facilities should ensure business continuity plans account for surge conditions.

Financial Services

  • Card Data Theft Consumer Concerns: A Capco survey indicates card and card data theft (46%), identity theft (44%), and unauthorized purchases (40%) remain top fraud concerns for U.S. consumers. Financial institutions should continue emphasizing fraud detection and customer communication around these threats.
    Source: Security Magazine
  • Google Antitrust Fine Upheld: The Court of Justice of the European Union has dismissed Google's final appeal against a €4.1 billion antitrust fine. While not directly a security matter, this ruling may influence technology platform governance and competition dynamics.
    Source: Bleeping Computer

Food and Agriculture

  • IoT Agricultural Systems Vulnerability: CISA has issued an advisory for Gardyn IoT Hub devices used in agricultural and food production monitoring. Organizations using smart agriculture systems should review the advisory and apply mitigations.
    Source: CISA ICS Advisories

Vulnerability and Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

CVE             | Product                          | Severity | Status                           | Action Required
----------------|----------------------------------|----------|----------------------------------|------------------------------------------
CVE-2026-45659  | Microsoft SharePoint Server      | High     | Active Exploitation - KEV Listed | Patch immediately
CVE-2025-5777   | Citrix NetScaler (CitrixBleed 2) | Critical | Active Exploitation              | Patch immediately; review for compromise
N/A             | Cisco Unified CM                 | High     | Active Exploitation              | Apply June patches immediately
N/A             | Fortinet FortiGate               | High     | Credential Theft Campaign        | Credential audit; assume compromise

CISA ICS Advisories (Published July 2, 2026)

  • ICSA-26-183-01: ST Engineering iDirect iQ-Series Terminals - Satellite communication terminal vulnerabilities
    Source: CISA
  • ICSA-26-183-02: CubeSpace CW0057 Reaction Wheel - Space systems component vulnerability
    Source: CISA
  • ICSA-26-183-03: Gardyn IoT Hub - Agricultural IoT system vulnerabilities
    Source: CISA

Recommended Defensive Measures

  • For CitrixBleed 2 (CVE-2025-5777):
    • Apply vendor patches immediately
    • Monitor for indicators of memory disclosure attacks
    • Review authentication logs for anomalous access patterns
    • Consider temporary isolation of unpatched NetScaler appliances
  • For FortiBleed Credential Theft:
    • Rotate all credentials associated with FortiGate management interfaces
    • Audit VPN and administrative access logs
    • Implement additional authentication controls (hardware tokens where possible)
    • Review Water ISAC TLP:GREEN bulletin for IOCs
  • For SharePoint RCE (CVE-2026-45659):
    • Apply May 2026 security updates
    • Monitor SharePoint logs for exploitation attempts
    • Review permissions and access controls
  • For ClickFix/ConsentFix Attacks:
    • Opera browser users should enable the new Paste Protect feature
    • Implement OAuth application consent policies in Microsoft 365
    • Train users on recognizing fake consent prompts

Resilience and Continuity Planning

Lessons Learned

  • Rapid Exploitation Timelines: The CitrixBleed 2 exploitation immediately following PoC disclosure reinforces the need for organizations to have pre-positioned patching capabilities. Consider implementing "patch-ready" processes where patches are tested in staging environments as soon as they're released, enabling rapid production deployment when exploitation begins.
  • Credential Theft as Ransomware Precursor: The FortiBleed-to-ransomware pipeline demonstrates that credential theft campaigns should be treated as potential ransomware precursors. Organizations detecting credential compromise should immediately escalate incident response posture.
  • AI Agent Threat Evolution: The JADEPUFFER incident suggests autonomous AI agents may increasingly be used to conduct attacks. Security teams should consider how their detection and response capabilities would perform against attacks executed at machine speed without human operator patterns.

Supply Chain Security

  • Security Researcher Targeting: The ChocoPoC malware campaign targeting vulnerability researchers through fake PoC repositories represents a supply chain attack on the security community. Organizations should:
    • Establish isolated environments for testing untrusted code
    • Verify PoC code provenance before execution
    • Monitor for data exfiltration from research systems
  • AI Development Tool Risks: Sandbox bypass vulnerabilities in Cursor IDE highlight prompt injection as an RCE vector in AI-assisted development tools. Organizations adopting AI coding assistants should evaluate security implications and implement appropriate controls.
    Source: CSO Online

Cross-Sector Dependencies

  • Heat Wave Cascading Impacts: The ongoing extreme heat event creates potential cascading impacts across sectors:
    • Energy: Increased demand, equipment stress, potential outages
    • Water: Increased demand, treatment capacity strain
    • Healthcare: Surge in heat-related emergencies
    • Transportation: Infrastructure stress, operational delays
    Organizations should coordinate with sector partners and review mutual aid agreements.

Public-Private Coordination

  • ANCHOR-CI System Launch: CISA has announced the new ANCHOR-CI (Advanced Network for Coordinated Hardening and Operational Resilience - Critical Infrastructure) system designed to enhance public-private infrastructure security collaboration. Organizations should evaluate participation opportunities for improved threat intelligence sharing.
    Source: Water ISAC

Regulatory and Policy Developments

Federal Guidelines and Regulatory Changes

  • Cybersecurity Mission Creep Analysis: A new academic paper examines "Cybersecurity Mission Creep" in U.S. policy, analyzing how cybersecurity authorities and responsibilities have expanded across government agencies. Security professionals should be aware of evolving regulatory landscapes and potential compliance implications.
    Source: Schneier on Security
  • AI Model Availability Changes: The Trump Administration has lifted restrictions on Anthropic's Claude AI models following cybersecurity review. Claude Fable 5 is now widely available, though with reported performance modifications. Organizations using AI tools should monitor for capability changes that may affect security applications.
    Source: SecurityWeek

Compliance Guidance

  • AI-Driven Development Auditing: As AI-generated code becomes commonplace, CISOs need new audit strategies to measure developer practices, govern AI tool usage, and identify software risks before they reach production. Organizations should begin developing AI code audit frameworks.
    Source: SecurityWeek
  • Identity Lifecycle Management for AI Agents: Traditional identity lifecycle management was designed for human users with employment records, managers, and departure dates. AI agents have none of these attributes, creating governance gaps. Organizations deploying AI agents should develop appropriate identity and access management frameworks.
    Source: The Hacker News

Funding Opportunities

  • FEMA Flood Risk Management Grants: $56 million available for flood risk management projects. Water utilities and other infrastructure operators in flood-prone areas should evaluate eligibility.
    Source: Water ISAC

Training and Resource Spotlight

Best Practices and Guidance

  • NCSC Penetration Testing Guidance: The UK National Cyber Security Centre has shared best practice advice from penetration testers on how to make their job harder—effectively providing a roadmap for improving system resilience. Key recommendations focus on detection capabilities, network segmentation, and access controls.
    Source: Infosecurity Magazine
  • SANS OUCH! Newsletter - AI Safety: The latest SANS OUCH! newsletter encourages safe and thoughtful AI use, providing guidance for end users on responsible AI adoption.
    Source: Water ISAC
  • Workplace Safety Response Metrics: Security Magazine highlights response time as a critical but often overlooked metric in workplace safety and security programs. Organizations should evaluate their incident response timing capabilities.
    Source: Security Magazine

New Tools and Features

  • Opera Paste Protect: Opera browser has introduced Paste Protect, a security feature designed to block ClickFix-style attacks that trick users into executing malicious commands. Organizations using Opera should enable this feature.
    Source: Bleeping Computer

Research and Analysis

  • Zero-Day Exploit Disclosure Controversy: A researcher has released over 30 proof-of-concept exploits through a project called "Exploitarium" without first disclosing the vulnerabilities to vendors. The researcher has explained their rationale, sparking debate about responsible disclosure practices. Security teams should monitor for potential exploitation of these vulnerabilities.
    Source: Infosecurity Magazine

Looking Ahead: Upcoming Events

Conferences and Training

  • July 21, 2026 - NCCoE Cybersecurity Connections Event: "Accelerating the Adoption of Mobile Driver's Licenses" - NIST National Cybersecurity Center of Excellence quarterly networking event. 11:00 AM – 1:30 PM EDT.
    Source: NIST
  • July 21, 2026 - NIST Time and Frequency Seminar: Annual seminar covering precision clocks and oscillators, atomic frequency standards, RF and optical synchronization, optical oscillators, quantum information, and related topics.
    Source: NIST
  • September 2, 2026 - Safeguarding Health Information: "Building Assurance through HIPAA Security 2026" - Joint event by HHS Office for Civil Rights and NIST Information Technology Laboratory on healthcare security compliance.
    Source: NIST

Threat Periods Requiring Heightened Awareness

  • Independence Day Weekend (July 3-6, 2026): Holiday weekends historically see increased threat actor activity due to reduced staffing. Organizations should ensure:
    • On-call incident response coverage is confirmed
    • Critical patches are applied before the holiday
    • Monitoring and alerting systems are functioning properly
    • Contact trees are current and tested
  • Ongoing Extreme Heat Event: Prolonged heat across central and eastern U.S. will continue to stress infrastructure through the coming week. Monitor weather forecasts and prepare for potential demand surges and equipment failures.

Anticipated Developments

  • Claude Fable 5 Availability Changes: Anthropic has indicated Claude Fable 5 will not be accessible via Claude subscriptions after July 7, though this is described as temporary. Organizations relying on this model for security applications should plan accordingly.
    Source: Bleeping Computer
  • Continued Exploitation Activity: Given the active exploitation of CitrixBleed 2, SharePoint RCE, and Cisco Unified CM vulnerabilities, organizations should anticipate continued targeting of these platforms through the coming weeks. Unpatched systems remain at elevated risk.

This intelligence briefing is compiled from open-source reporting and is intended to support critical infrastructure protection efforts. Recipients are encouraged to share relevant information with sector partners through appropriate channels. For sector-specific threat information, contact your relevant ISAC.

Report Date: Friday, July 3, 2026

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.