This Week in Cybersecurity: Critical Vulnerabilities & AI Impacts – June 22-28, 2026

CISA added two actively exploited critical vulnerabilities, CVE-2026-31431 and CVE-2026-41940, to its Known Exploited Vulnerabilities catalog. A massive "FortiBleed" campaign compromised nearly 87,000 FortiGate devices, according to The Hacker News, while Microsoft's June Patch Tuesday addressed almost 200 flaws, highlighting the escalating volume of required fixes. Reports also surfaced of AI coding assistants secretly sending developer code to China, raising significant data privacy concerns for 1.5 million developers.

1. CISA Warns of Actively Exploited Linux Privilege Escalation Flaw

CISA added CVE-2026-31431 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. This vulnerability, dubbed "Copy Fail" by researchers at The Hacker News, is a local privilege escalation (LPE) flaw with a CVSS score of 7.8. It allows unprivileged local users to gain root access on affected Linux systems by corrupting the kernel's in-memory page cache. This could permit a local attacker to execute arbitrary code with elevated privileges, effectively taking complete control over the compromised machine.

The "Copy Fail" vulnerability impacts Linux distributions shipped since 2017. CISA mandated that Federal Civilian Executive Branch (FCEB) agencies apply necessary fixes for CVE-2026-31431 by May 15, 2026. Patches are available in Linux kernel versions 6.18.22, 6.19.12, and 7.0. System administrators must prioritize updating to these, or newer, kernel versions to close this attack vector; ignoring the update could leave systems vulnerable to persistent and stealthy attacks that exploit system-level access.

2. FortiBleed Campaign Compromises Thousands of FortiGate Devices

CISA urged all Fortinet customers to immediately secure their FortiGate appliances against the "FortiBleed" campaign. As reported by The Hacker News, as of June 19, 2026, an alarming 86,644 FortiGate devices were confirmed to be compromised globally. This widespread breach, which CISA believes is orchestrated by sophisticated Russian-speaking threat actors, poses a significant threat to network security infrastructure.

The scale of the "FortiBleed" campaign suggests a well-resourced effort to gain access to corporate networks. Compromised FortiGate devices can serve as persistent beachheads for attackers, enabling them to exfiltrate sensitive data, deploy further malware, or disrupt critical operations. Fortinet advisories, echoed by CISA, emphasize immediate action to mitigate risks, particularly for any internet-accessible FortiGate devices. Organizations must conduct thorough forensic investigations to detect any signs of compromise, apply all available security patches, and enforce multi-factor authentication on all administrative interfaces. This requires immediate attention, as the problem will not resolve itself.

3. Microsoft's June 2026 Patch Tuesday Addresses Nearly 200 Flaws

Microsoft's June 2026 Patch Tuesday delivered an extensive package of updates, addressing nearly 200 security vulnerabilities across its Windows operating systems and various supported software. This release, detailed by Krebs on Security, included patches for 33 flaws rated as Critical, meaning they could allow for remote code execution or privilege escalation without user interaction. This high volume of fixes shows a significant shift, with a substantial number of issues requiring immediate attention from IT professionals.

The quantity of vulnerabilities patched by Microsoft reflects the increasing use of AI in both offensive and defensive cybersecurity. Researchers use AI tools to identify bugs more rapidly, while Microsoft deploys AI to enhance its secure development lifecycle. Organizations should expect a consistently high number of CVEs requiring attention with each monthly update cycle. Neglecting these updates could expose systems to widespread exploitation, as attackers quickly reverse-engineer patches to develop exploits. Organizations must allocate sufficient resources for regular and timely patching to maintain a secure posture.

4. AI Coding Assistants Suspected of Exfiltrating Developer Code to China

A report suggests two widely used AI coding assistants, collectively serving 1.5 million developers, are secretly transmitting ingested code copies to servers in China. This revelation, brought to light by NetSource One, raises critical questions about data privacy, intellectual property (IP), and national security with AI tool adoption. Developers using these popular tools may unknowingly be exposing their proprietary or sensitive codebases to unauthorized entities. Neither the report nor NetSource One named the specific AI assistants, and the claim has not been independently verified.

The implication for any organization relying on AI-powered development tools is clear and immediate. This incident could constitute a massive intellectual property theft campaign, with implications for competitive advantage and economic espionage. Organizations are strongly advised to investigate which AI coding assistants their development teams are using and, if necessary, to immediately cease their use. Establishing clear policies for AI tool usage, conducting rigorous vendor assessments, and implementing technical controls to prevent unauthorized data exfiltration are now paramount. This highlights how we integrate AI into our workflows.

5. CISA Orders Federal Agencies to Patch Critical cPanel & WHM Vulnerability

CISA issued a directive to all federal agencies, mandating they patch CVE-2026-41940, a high-severity vulnerability in cPanel & WHM, by May 3, 2026. This bug, with a near-perfect CVSS score of 9.8, grants an attacker complete control over the cPanel host system, including its configurations, databases, and all managed websites. According to Recorded Future News, exploitation evidence for this flaw has been observed since February, indicating active compromise attempts in the wild.

The impact of CVE-2026-41940 is catastrophic for any organization running vulnerable cPanel instances. Attackers could steal sensitive data, manipulate website content, deploy malicious code, or completely disrupt web services. Thousands of internet-exposed cPanel instances are potentially vulnerable, making this a high-priority target for threat actors. While the CVSS 9.8 score signals extreme risk, the vulnerability often requires authenticated access to exploit, meaning internal-only systems might have slightly more time if external attack surfaces are minimal. cPanel released patches and provided a tool for checking system compromise, which organizations should use immediately. Leaving this vulnerability unpatched will lead to compromise.

What to Watch Next Week

Next week, we're monitoring the continued fallout from the "FortiBleed" campaign; while the initial wave hit hard, the post-compromise activities by Russian-speaking threat actors will be a key indicator of their long-term objectives. Organizations need to understand if this was purely initial access or if it's escalating to lateral movement and data exfiltration within compromised networks. Expect further details on the specific vulnerabilities exploited in FortiGate devices, as researchers continue their analysis. We're also anticipating the next cycle of vendor security advisories, particularly from smaller software vendors who might follow Microsoft's lead in addressing a larger volume of vulnerabilities. Finally, keep a close eye on new reports concerning AI data privacy and IP risks; the "AI Coding Assistants" incident is unlikely to be isolated, and further revelations about similar tools could emerge, shaping immediate enterprise AI policy changes.

Data at a Glance

The CVEDaily Take

This week’s roundup clearly signals that a period of heightened cyber vigilance is required. Critical, actively exploited vulnerabilities in fundamental systems like Linux and cPanel demand immediate attention. The sheer scale of the "FortiBleed" campaign and Microsoft's record Patch Tuesday demonstrate that adversaries are relentless and well-equipped, often using AI to their advantage. We think organizations underestimate the operational risk of unpatched critical infrastructure. Patching quickly and implementing kernel-level telemetry are essential for basic operational continuity. Are your current AI policies sufficient to prevent exfiltration risks like those seen with AI coding assistants, or do you need to restrict specific tools?

FAQ

Q: What happened in cybersecurity this week?
A: This week in cybersecurity saw significant activity across multiple fronts: CISA added two critical, actively exploited vulnerabilities—one affecting Linux (CVE-2026-31431) and another in cPanel & WHM (CVE-2026-41940)—to its KEV catalog. A massive "FortiBleed" campaign compromised over 86,000 FortiGate devices, and Microsoft's June Patch Tuesday addressed nearly 200 flaws, including 33 critical ones. Furthermore, concerns escalated regarding AI coding assistants secretly exfiltrating developer code to China, impacting 1.5 million users. The claim about AI coding assistants has not been independently verified as of publication.

Q: What was the biggest cyber attack this week?
A: The most impactful cyber attack reported this week was the "FortiBleed" campaign, which compromised an estimated 86,644 FortiGate devices by June 19, 2026, according to The Hacker News. This widespread breach, attributed to Russian-speaking threat actors, poses a severe risk to organizational network perimeters globally, potentially leading to extensive data theft or service disruption. CISA has urged all Fortinet customers to secure their appliances immediately.

Q: What is the significance of CVE-2026-41940 for cPanel & WHM users?
A: CVE-2026-41940 is a critical high-severity vulnerability in cPanel & WHM with a CVSS score of 9.8. It allows an attacker to gain complete control over the host system, its configurations, databases, and managed websites. CISA mandated federal agencies patch this flaw by May 3, 2026, due to evidence of active exploitation since February. All organizations running cPanel instances must apply the available fixes immediately to prevent data theft, manipulation, and service disruptions.