<h1>This Week's Cyber Pulse: Brain Cipher Active, CISA KEV Escalation, Fortinet Critical Patch</h1>
<p>This week's Pulse has a clear theme: <strong>the attackers are not waiting, and neither should you.</strong> Brain Cipher/World Leaks ransomware is confirmed active into June. Two May CISA KEV entries remain unpatched and actively exploited. And Fortinet just patched a critical RCE, with a PoC expected within weeks. If you manage any SMB infrastructure, this is your action list.</p>
<h2>1. Brain Cipher + World Leaks: Ransomware Still Active in June</h2>
<p>Brain Cipher and World Leaks, the RaaS groups that dominated May threat intelligence, are confirmed still active through June 2026, per BleepingComputer and SANS Internet Storm Center reporting. The double-extortion model is in full swing: attackers exfiltrate data first, then encrypt. Paying the ransom doesn't get your data back: they already have it.</p>
<p><strong>SMB impact:</strong> 88% of ransomware attacks target SMBs. With AI-accelerated exploit chains compressing breach timelines, the window between initial access and encryption is measured in hours, not days.</p>
<ul>
<li><strong>Action:</strong> Verify offline backups exist and restoration time is under 4 hours. Test it, not just existence.</li>
<li><strong>Action:</strong> Patch all internet-facing services by end of this week. Automated patching is the goal.</li>
<li><strong>Action:</strong> Ensure your incident response plan is documented and accessible offline. <a href="/tools/incident-response-plan">Use our free IRP generator →</a></li>
</ul>
<h2>2. CVE-2026-42208 (LiteLLM) + CVE-2026-6973 (Ivanti EPMM): Still Actively Exploited</h2>
<p>These two CISA KEV entries from May are not going away. Both are confirmed actively exploited. LiteLLM proxies (used by many SMBs to build internal AI tools) and Ivanti EPMM (widely used in enterprise MDM environments) are still being targeted in June.</p>
<p><strong>SMB impact:</strong> If you run a LiteLLM instance for internal AI tooling, it may already be compromised. Adopt an assume-breach posture and audit logs. Ivanti EPMM is typically an enterprise tool, but any vendor you work with who uses it is a potential supply chain risk.</p>
<ul>
<li><strong>Action:</strong> Check LiteLLM version against CVE-2026-42208. Upgrade immediately.</li>
<li><strong>Action:</strong> Audit API keys and proxy logs for unauthorized access to LiteLLM instances.</li>
<li><strong>Action:</strong> Upgrade Ivanti EPMM to 11.12 or later, or isolate the management interface from external networks.</li>
<li><strong>Action:</strong> Run our free <a href="/tools/vulnerability-scanner">Vulnerability Scanner →</a> to check your external attack surface for these CVEs.</li>
</ul>
<h2>3. AI-Assisted Credential Stuffing: VPN and RDP Targets</h2>
<p>SANS Internet Storm Center reports a significant uptick in AI-assisted credential stuffing attacks targeting SMB infrastructure, specifically Fortinet VPNs, Palo Alto, Cisco, and exposed RDP (port 3389). The AI component is generating context-aware phishing lures that bypass traditional email filters, making the initial credential theft much harder to detect.</p>
<p><strong>SMB impact:</strong> If you have any remote access (VPN, RDP, jump boxes) without MFA enforced, assume those credentials have been or will be attempted. This is not theoretical: SMBs are being actively targeted.</p>
<ul>
<li><strong>Action:</strong> Enforce MFA on all remote access immediately. Not optional.</li>
<li><strong>Action:</strong> Audit all exposed services: VPN, RDP, SSH. Close anything that doesn't need to be internet-facing.</li>
<li><strong>Action:</strong> Review authentication logs for brute-force patterns: look for repeated login failures from unusual geographies.</li>
</ul>
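<p>The log review in the last action, as an added example that is not part of the original briefing: it flags source IPs with a burst of failed logins, separates credential stuffing (many accounts) from brute force (one account), and reports any login that succeeded during the burst. The log format, the country field, the expected-country allow-list and the thresholds are all assumptions to adapt to your own VPN or RDP gateway logs.</p>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical normalized format (not a vendor's native log layout).
SAMPLE_LOG = """\
2026-06-08T02:14:01Z svc=vpn user=alice src=203.0.113.7 country=RO result=FAIL
2026-06-08T02:14:03Z svc=vpn user=bob src=203.0.113.7 country=RO result=FAIL
2026-06-08T02:14:05Z svc=vpn user=carol src=203.0.113.7 country=RO result=FAIL
2026-06-08T02:14:08Z svc=vpn user=dave src=203.0.113.7 country=RO result=OK
2026-06-08T02:14:11Z svc=vpn user=erin src=203.0.113.7 country=RO result=FAIL
2026-06-08T08:01:10Z svc=vpn user=frank src=192.0.2.10 country=US result=FAIL
2026-06-08T08:01:40Z svc=vpn user=frank src=192.0.2.10 country=US result=OK
2026-06-08T09:30:00Z svc=rdp user=admin src=198.51.100.23 country=US result=FAIL
2026-06-08T09:31:00Z svc=rdp user=admin src=198.51.100.23 country=US result=FAIL
2026-06-08T09:32:00Z svc=rdp user=admin src=198.51.100.23 country=US result=FAIL
2026-06-08T09:33:00Z svc=rdp user=admin src=198.51.100.23 country=US result=FAIL
"""

LINE_RE = re.compile(r"(?P<ts>\S+) svc=\S+ user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"country=(?P<country>\S+) result=(?P<result>FAIL|OK)$")

def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # malformed lines are skipped rather than guessed at
            events.append({**m.groupdict(), "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")})
    return sorted(events, key=lambda e: e["ts"])

def review(events, expected_countries, window=timedelta(minutes=10), min_fail=4):
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        # Largest run of failures that begins at some failure and fits in one window.
        burst = max(([f for f in fails if s["ts"] <= f["ts"] <= s["ts"] + window]
                     for s in fails), key=len, default=[])
        if len(burst) < min_fail:
            continue  # a typo or two followed by a success is normal user behaviour
        # Assumed cut-off: three or more distinct accounts in one burst reads as stuffing.
        kind = "credential-stuffing" if len({f["user"] for f in burst}) >= 3 else "brute-force"
        # A success from the same source during or just after the burst: a password worked.
        hits = sorted({e["user"] for e in evs if e["result"] == "OK"
                       and burst[0]["ts"] <= e["ts"] <= burst[-1]["ts"] + window})
        findings[src] = {"kind": kind, "failures": len(burst), "succeeded": hits,
                         "unusual_geo": evs[0]["country"] not in expected_countries}
    return findings
```

<p>Calling <code>review(parse(SAMPLE_LOG), expected_countries={"US"})</code> flags two sources; any account listed under <code>succeeded</code> should have its password reset and its sessions revoked before anything else.</p>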
<h2>4. CVE-2026-50123: Fortinet FortiOS SSL-VPN Heap Overflow, Critical RCE</h2>
<p>Fortinet patched CVE-2026-50123 this week, a heap overflow in FortiOS SSL-VPN that allows unauthenticated remote code execution. This is as bad as it sounds. Affected versions: FortiOS 7.x and 8.x. A public PoC is expected within weeks.</p>
<p><strong>SMB impact:</strong> If you run Fortinet FortiGate with SSL-VPN enabled, this is your highest priority patch this week. It requires no credentials to exploit: attackers who find your public IP can take complete control.</p>
<ul>
<li><strong>Action:</strong> Upgrade to FortiOS 7.6.3+ or 8.0.12+ immediately.</li>
<li><strong>Action:</strong> If patching is not immediately possible, disable SSL-VPN until you can patch.</li>
<li><strong>Action:</strong> Use our <a href="/tools/vulnerability-scanner">Vulnerability Scanner →</a> to confirm your Fortinet deployments are not exposed to CVE-2026-50123.</li>
</ul>
<h2>Your Action Items This Week</h2>
<ol>
<li><strong>Patch Fortinet FortiOS</strong>: CVE-2026-50123, heap overflow RCE. Highest priority.</li>
<li><strong>Patch LiteLLM</strong>: CVE-2026-42208. Assume compromise, audit logs.</li>
<li><strong>Patch or isolate Ivanti EPMM</strong>: CVE-2026-6973, unauthenticated RCE.</li>
<li><strong>Enforce MFA on all remote access</strong>: VPN, RDP, jump boxes. No exceptions.</li>
<li><strong>Test backup restoration</strong>, not just existence. Time it.</li>
<li><strong>Document your incident response plan</strong>: <a href="/tools/incident-response-plan">Use our free IRP generator →</a></li>
</ol>
<h2>Run Your Free Assessment</h2>
<p>If you don't know your exposure across these vulnerabilities, run our free Security Audit. It checks your external attack surface and gives you a concrete risk score, no credit card required.</p>
<p><em>Cyber Pulse is published weekly. Subscribe to get the briefing delivered to your inbox every Monday morning.</em></p>