TL;DR
FortiClient EMS and Gogs face active exploitation for RCE; FortiClient patch available. CISA contractor exposed AWS credentials and internal secrets publicly on GitHub. Simultaneous FIFA fraud campaign exploiting 4,300+ fake domains targeting World Cup attendees.
Executive Summary
- Two critical RCE vulnerabilities actively exploited: FortiClient EMS authentication bypass (CVE-2026-35616) delivering credential stealer malware; Gogs zero-day (CVSS 9.4) affecting self-hosted Git instances with no patch available.
- CISA contractor maintained public GitHub repository exposing AWS GovCloud credentials and privileged agency systems until this past weekend; Congressional oversight underway.
- Coordinated FIFA World Cup fraud campaign operating 4,300+ malicious domains impersonating FIFA since August 2025; targeting event attendees for ticket/hospitality scams.
- Carnival cruise operator confirms 6 million customer records compromised following employee account breach; personal information exfiltrated by end of April.
Top Threats Today
1. FortiClient EMS Authentication Bypass – Active Credential Stealer Deployment
Severity: CRITICAL Affected: government, technology, finance
Threat actors are actively exploiting CVE-2026-35616, an authentication bypass vulnerability in Fortinet FortiClient Endpoint Management Server (EMS), to deliver a credential-stealing malware variant called EKZ [1][2]. The flaw has been patched by Fortinet, with hotfixes released in April, but attackers continue weaponizing it against managed endpoint infrastructure [1]. The campaign leverages trusted endpoint management systems to distribute malware across victim networks, bypassing perimeter defenses that trust admin console communications [1].
Sources: [1] The Hacker News [2] BleepingComputer
Recommended Action
- Apply Fortinet FortiClient EMS hotfix immediately if not already deployed; prioritize systems exposed to untrusted networks.
- Audit FortiClient EMS authentication logs for exploitation attempts; search for unexpected admin console access or policy deployments.
- Assume credential compromise on any EMS-managed endpoint; trigger password resets for accounts accessing sensitive systems.
- Isolate compromised endpoints and scan for EKZ malware using endpoint detection and response (EDR) tools.
2. Gogs Self-Hosted Git – Unpatched Remote Code Execution Zero-Day
Severity: CRITICAL Affected: technology, government
An unpatched zero-day vulnerability in Gogs, a widely-deployed self-hosted Git service, enables remote code execution on Internet-facing instances [2]. The vulnerability is rated 9.4 on the CVSS scale [1] and allows authenticated attackers to execute arbitrary code under certain conditions [1]. No CVE identifier has been assigned and no patch is currently available [1]. The flaw creates immediate risk for any organization running Gogs internally or in cloud environments with external access.
Sources: [1] The Hacker News [2] BleepingComputer
Recommended Action
- Identify all Gogs instances in your environment; prioritize those exposed to the Internet or untrusted networks for immediate isolation.
- Restrict network access to Gogs administration interfaces; require VPN or bastion host authentication.
- Monitor Gogs logs for suspicious repository access, branch creation, or webhook deployments indicating exploitation.
- Monitor Gogs project channels and security advisories for patch release; prepare rapid deployment procedures.
3. CISA Contractor GitHub Exposure – AWS GovCloud Credentials and Agency Secrets Leaked
Severity: HIGH Affected: government
A CISA contractor maintained a public GitHub repository exposing credentials to highly privileged AWS GovCloud accounts and a large number of internal CISA systems through this past weekend [1][2]. The repository contained live credentials to critical U.S. cybersecurity agency infrastructure, representing a significant insider-risk and supply-chain control failure [1]. Congressional lawmakers from both houses are demanding immediate answers regarding the leak, its scope, and containment [1].
Sources: [1] Krebs on Security [2] Krebs on Security
Recommended Action
- Assume all AWS GovCloud credentials exposed in the repository are compromised; rotate immediately and force new authentication for all services.
- Audit CloudTrail logs for all GovCloud accounts during the repository's public window; identify unauthorized API calls or privilege escalations.
- Revoke all third-party contractor GitHub repository access to agency infrastructure or secrets; implement secret scanning on all CISA-owned repositories.
- File insider-threat report; coordinate with Federal law enforcement if contractor access was intentional.
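The CloudTrail review in the second action above is the step most teams have to improvise under time pressure. The following is an added example for this briefing, not code from CISA or from any cited source: it takes CloudTrail records in their standard JSON shape (eventTime, eventName, userIdentity, sourceIPAddress), an exposure window you supply, the access key IDs found in the leaked repository, and the network ranges you expect legitimate use to come from, and returns the events that deserve a human look first. The event records, key IDs and addresses below are constructed, and the privilege-action list is a starting point to extend for your environment.

```python
"""Triage CloudTrail events captured during a credential-exposure window.

Added example; assumes standard CloudTrail JSON event fields. All sample
events, key IDs and IP addresses are constructed for illustration.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# IAM/STS actions that grant or extend access. A hit from an exposed key is
# the strongest signal in the set. (Assumption: starter list, extend per env.)
PRIVILEGE_ACTIONS = {
    "CreateAccessKey", "CreateUser", "CreateRole", "CreateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "AddUserToGroup", "AssumeRole",
}


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(events, window_start, window_end, expected_networks, exposed_keys):
    """Return findings for in-window events that used an exposed key, came from
    outside the expected networks, or performed a privilege action.
    Findings are ordered so events matching the most criteria come first."""
    start, end = parse_time(window_start), parse_time(window_end)
    nets = [ip_network(n) for n in expected_networks]
    findings = []
    for ev in events:
        if not (start <= parse_time(ev["eventTime"]) <= end):
            continue  # outside the public-exposure window; handled separately
        reasons = []
        identity = ev.get("userIdentity", {})
        if identity.get("accessKeyId") in exposed_keys:
            reasons.append("exposed-key")
        src = ev.get("sourceIPAddress", "")
        try:
            if not any(ip_address(src) in n for n in nets):
                reasons.append("unexpected-source")
        except ValueError:
            pass  # AWS service principals log a hostname, not an IP address
        if ev.get("eventName") in PRIVILEGE_ACTIONS:
            reasons.append("privilege-action")
        if reasons:
            findings.append({
                "time": ev["eventTime"],
                "user": identity.get("userName", identity.get("type", "unknown")),
                "eventName": ev.get("eventName"),
                "source": src,
                "reasons": reasons,
            })
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


# Constructed sample: one key ("AKIAEXAMPLEEXPOSED1") is assumed to have been
# in the public repository; 10.20.0.0/16 is the assumed expected egress range.
SAMPLE_EVENTS = [
    {"eventTime": "2026-05-09T02:15:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEEXPOSED1"},
     "sourceIPAddress": "10.20.0.5", "awsRegion": "us-gov-west-1"},
    {"eventTime": "2026-05-10T14:03:21Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEEXPOSED1"},
     "sourceIPAddress": "203.0.113.77", "awsRegion": "us-gov-west-1"},
    {"eventTime": "2026-05-10T14:05:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                      "accessKeyId": "AKIAEXAMPLEOK0000002"},
     "sourceIPAddress": "10.20.0.9", "awsRegion": "us-gov-west-1"},
    {"eventTime": "2026-05-12T09:00:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEEXPOSED1"},
     "sourceIPAddress": "10.20.0.5", "awsRegion": "us-gov-west-1"},
    {"eventTime": "2026-05-10T14:06:00Z", "eventName": "PutEvaluations",
     "userIdentity": {"type": "AWSService"},
     "sourceIPAddress": "config.amazonaws.com", "awsRegion": "us-gov-west-1"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, "2026-05-08T00:00:00Z", "2026-05-11T00:00:00Z",
                    ["10.20.0.0/16"], {"AKIAEXAMPLEEXPOSED1"}):
        print(f["time"], f["user"], f["eventName"], f["source"], f["reasons"])
```

On the constructed sample, the CreateAccessKey call from an outside address with the exposed key sorts to the top with all three reasons, while the exposed key's routine ListBuckets from the expected range is kept for review but ranked lower; the AttachUserPolicy after the window is deliberately excluded here because it belongs to the post-rotation check, not the exposure-window audit. Feed the function the output of a CloudTrail Lake or Athena query over the window rather than a single file when the account volume is large.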
4. FIFA World Cup Fraud Campaign – 4,300+ Malicious Domains in Active Operation
Severity: HIGH Affected: finance, retail
The FBI and threat researchers have identified a Chinese-speaking fraud gang operating 4,300+ malicious domains impersonating FIFA's official web presence since August 2025 [2]. The campaign targets 2026 World Cup attendees with fake ticket sales, hospitality packages, and phishing lures designed to steal personal and financial information [1]. The scale and persistence of the operation suggest organized criminal infrastructure with sustained funding and technical capability [2].
Sources: [1] BleepingComputer [2] The Record
Recommended Action
- Alert employees and customers planning World Cup attendance to verify FIFA domain authenticity (official domain: fifa.com); bookmark legitimate site before travel.
- Brief finance and fraud teams on ticket/hospitality scam indicators; flag suspicious transactions to FIFA ticket vendors.
- Monitor for phishing emails and SMS impersonating FIFA; implement email authentication (SPF/DKIM/DMARC) to reduce spoofing.
- Review credit card fraud alerts during World Cup period; prioritize dispute resolution for affected cardholders.
5. Carnival Cruise Data Breach – 6 Million Customer Records Exposed
Severity: HIGH Affected: finance, retail
Carnival Corporation confirmed a data breach affecting nearly 6 million customer records [1][2]. The attacker gained access via a compromised employee account and exfiltrated personal information by end of April [1]. The breach represents one of the largest retail/hospitality incidents of the month and creates identity-theft risk for affected passengers.
Sources: [1] The Record [2] SecurityWeek
Recommended Action
- If a Carnival customer, enroll in offered credit monitoring; monitor bank and credit accounts for fraudulent activity.
- Review Carnival security advisory for list of compromised data elements; report suspicious transactions to card issuer immediately.
- Consider fraud-alert placement with credit bureaus (Equifax, Experian, TransUnion) to prevent unauthorized account opening.
Today’s Action Checklist
- ☐ URGENT: Patch or isolate Fortinet FortiClient EMS instances if not already running latest hotfix; audit admin logs for CVE-2026-35616 exploitation.
- ☐ URGENT: Identify and restrict network access to Gogs instances pending patch availability; monitor for RCE exploitation attempts.
- ☐ URGENT: Rotate all AWS GovCloud credentials; audit CloudTrail logs for unauthorized activity during GitHub exposure window.
- ☐ HIGH: Brief customer-facing teams on FIFA fraud scams; distribute legitimate FIFA domain to employees and customers.
- ☐ HIGH: If Carnival customer data holder, validate credit monitoring enrollment and review personal information exposure scope.