Threat Advisories

Top Middle East Cyber Threats – 23 June 2026

By Help AG

Help AG’s Managed Security Services (MSS) team delivers 24x7x365 monitoring across complex enterprise environments, providing continuous visibility into emerging cybersecurity threats across the region.  

Large-Scale Exposure of Firewall Configuration Data 

Researchers have identified a large-scale exposure of configuration data from approximately 75,000 internet-facing Fortinet FortiGate firewalls worldwide, including devices in the UAE.

The exposed information may include device configuration files, administrative credentials, and security settings. If active credentials have been compromised, threat actors could gain unauthorised access to management interfaces, modify security policies, create privileged accounts, or use affected devices as a foothold into broader enterprise environments. Researchers have linked the exposure to a broader campaign involving credential theft and attempts to access the exposed systems. Investigations into the source and scope of the exposure remain ongoing.

Analysis suggests that older Secure Hash Algorithm 256 (SHA-256) password hashes stored on some devices may have facilitated offline password recovery once the configuration files were obtained, potentially increasing the risk of unauthorised access to affected devices. 

Organisations are advised to change credentials, enable Multi-Factor Authentication (MFA), update to the latest FortiOS release, restrict exposure to management interfaces, and review systems for signs of unauthorised activity. 

Recommendations  
  • Reset all Fortinet administrative and Virtual Private Network (VPN) passwords immediately. 
  • Enforce MFA for all Fortinet administrative and remote access accounts. 
  • Review login logs for suspicious authentication activity and unauthorised access attempts. 
  • Restrict management interface access to trusted internal networks or approved Internet Protocol (IP) addresses only. 
  • Update FortiGate devices to the latest FortiOS release and apply all relevant security updates. 
  • Inspect devices for unauthorised accounts or unexpected configuration changes. 
  • Disable unnecessary internet exposure for FortiGate management services. 
  • Monitor VPN services for signs of credential misuse or suspicious activity. 
  • Investigate affected environments for Indicators of Compromise (IoCs) and potential lateral movement. 
  • Treat exposed devices as potentially affected until their integrity has been verified. 
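As an added worked example (not Help AG's or Fortinet's code), the script below audits a FortiGate configuration backup for the points in the recommendations: admin accounts outside an approved baseline, admins with no trusted-host restriction or two-factor setting, and management protocols enabled on WAN-facing interfaces. The configuration text, the approved-admin list, the treatment of a missing two-factor line as "disabled", and the rule that a wan role or a wan* name marks an internet-facing interface are all assumptions made for the example.

```python
"""Audit a FortiGate configuration backup for the conditions above.

Flags: admin accounts outside an approved baseline, admins with no
trusted-host restriction or two-factor setting, and management protocols
enabled on WAN-facing interfaces. The configuration text is constructed
for this example; it is not a real device export.
"""
import re

SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set trusthost1 10.10.0.0 255.255.255.0
        set accprofile "super_admin"
        set two-factor fortitoken
        set vdom "root"
    next
    edit "svc_backup"
        set accprofile "super_admin"
        set vdom "root"
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 10.10.0.1 255.255.255.0
        set allowaccess ping https ssh
        set role lan
    next
end
"""

# Protocols that give a management session rather than a health probe.
MGMT_PROTOCOLS = {"https", "http", "ssh", "telnet"}


def parse_fortios(text):
    """Parse the config/edit/set/next/end block syntax into
    {section: {entry: {setting: [values]}}}. Settings with no enclosing
    'edit' line (e.g. 'config system global') land under '_global'."""
    sections, stack = {}, []  # stack of ("config", name) / ("edit", name)

    def nearest(kind, default=None):
        return next((n for k, n in reversed(stack) if k == kind), default)

    for raw in text.splitlines():
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', raw)]
        if not tokens:
            continue
        kw = tokens[0]
        if kw == "config":
            name = " ".join(tokens[1:])
            sections.setdefault(name, {})
            stack.append(("config", name))
        elif kw == "edit":
            sections[nearest("config")].setdefault(tokens[1], {})
            stack.append(("edit", tokens[1]))
        elif kw == "set":
            entry = sections[nearest("config")].setdefault(nearest("edit", "_global"), {})
            entry[tokens[1]] = tokens[2:]
        elif kw in ("next", "end") and stack:
            stack.pop()
    return sections


def audit(config, approved_admins):
    """Return (severity, message) findings for the parsed config."""
    findings = []
    for name, s in config.get("system admin", {}).items():
        if name not in approved_admins:
            findings.append(("high", f"admin '{name}' is not in the approved baseline"))
        if not any(k.startswith("trusthost") for k in s):
            findings.append(("medium", f"admin '{name}' has no trusthost restriction"))
        # Assumption: the backup lists only non-default values, so a
        # missing 'two-factor' line means it is still disabled.
        if "two-factor" not in s:
            findings.append(("medium", f"admin '{name}' has no two-factor setting"))
    for name, s in config.get("system interface", {}).items():
        exposed = MGMT_PROTOCOLS & set(s.get("allowaccess", []))
        # Assumption: 'set role wan' or a wan* name marks an internet-facing interface.
        wan_facing = s.get("role", [""])[0] == "wan" or name.lower().startswith("wan")
        if wan_facing and exposed:
            findings.append(("high", f"interface '{name}' allows {sorted(exposed)} from the WAN"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit(parse_fortios(SAMPLE_CONFIG), approved_admins={"admin"}):
        print(f"[{severity}] {msg}")
```

Run against a real backup, the baseline should be the list of admins from change records, and every unexplained account or WAN-facing management protocol is treated as a sign the device may already have been accessed, in line with the last recommendation above.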

 

Fraudulent Maritime Network Uses Impersonation to Establish Trust 

Researchers identified a network of fraudulent maritime websites impersonating ship registries, maritime administrations, classification societies, seafarer certification providers, and Protection and Indemnity (P&I) organisations. 

The infrastructure was organised into three clusters (Alpha, Bravo and Charlie) and combined typosquatting, identity spoofing, automated document generation and fraudulent vessel certifications to create a convincing maritime compliance ecosystem. 

Analysis indicates that the websites were interconnected through fabricated trust relationships, enabling operators to establish credibility and support the issuance of fraudulent maritime documentation. 

Researchers have linked this activity to sanctioned vessel networks and associated support infrastructure. Investigations into the operators and supporting ecosystem remain ongoing. 

Recommendations 
  • Verify vessel registrations and maritime certificates through trusted official authorities. 
  • Monitor for fraudulent maritime domains and websites impersonating legitimate organisations. 
  • Block access to identified malicious domains where appropriate. 
  • Conduct due diligence on ship registries and classification societies. 
  • Validate maritime documentation before accepting compliance claims. 
  • Monitor changes in vessel ownership or registration details. 
  • Review beneficial ownership and corporate registration records. 
  • Strengthen Know Your Customer (KYC) and compliance checks for maritime partners and third parties. 
  • Monitor for lookalike domains targeting maritime organisations. 
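The lookalike-domain monitoring in the recommendations above, as an added example that is not part of the original advisory or the researchers' tooling: the script checks a constructed feed of newly observed domains against a list of legitimate domains (placeholder .example names, assumed for the example) for single-character typos, confusable characters including IDN homoglyphs, and a legitimate name embedded in a longer one. The public-suffix handling is deliberately simplified to single-label TLDs.

```python
"""Flag lookalike domains against a list of legitimate maritime domains.

Three checks: same label after confusable normalisation (accents,
'rn' for 'm', digit-for-letter), a single-edit typo, or the legitimate
label embedded in a longer name. All domains are constructed .example
names for this example, not real registries.
"""
import unicodedata

LEGIT_DOMAINS = ["maritime-registry.example", "class-society.example"]

# A constructed feed of newly observed domains.
NEW_DOMAINS = [
    "maritime-registry.example",                                  # the genuine site
    "maritime-registy.example",                                   # dropped letter
    "rnaritime-registry.example",                                 # 'rn' imitates 'm'
    "maritime-registry-verify.example",                           # brand embedded
    "marítime-registry.example".encode("idna").decode("ascii"),   # IDN, as punycode
    "unrelated-shipping.example",
]

CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(label):
    """Collapse accents, digit substitutions and 'rn'/'vv' pairs so that
    visually similar labels compare equal."""
    ascii_label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return ascii_label.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def osa_distance(a, b):
    """Optimal string alignment distance (edits plus adjacent transpositions)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def registrable_label(domain):
    """Decode punycode and return the label left of the last dot.
    Assumes a single-label TLD; a real feed needs a public-suffix list."""
    try:
        domain = domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        pass  # already Unicode
    return domain.lower().rpartition(".")[0]


def classify(candidate, legit_domains=LEGIT_DOMAINS, max_distance=1):
    """Return (legit_domain, reason) if candidate imitates one of ours, else None."""
    if candidate.lower() in {d.lower() for d in legit_domains}:
        return None
    nc = normalize(registrable_label(candidate))
    for legit in legit_domains:
        nl = normalize(registrable_label(legit))
        if nc == nl:
            return legit, "confusable"
        if osa_distance(nc, nl) <= max_distance:
            return legit, "typo"
        if len(nl) >= 6 and nl in nc:
            return legit, "brand-embedded"
    return None


def scan(domains, legit_domains=LEGIT_DOMAINS):
    """Map each flagged domain to its (target, reason)."""
    hits = {}
    for d in domains:
        result = classify(d, legit_domains)
        if result:
            hits[d] = result
    return hits


if __name__ == "__main__":
    for domain, (target, reason) in scan(NEW_DOMAINS).items():
        print(f"{domain:45} -> {target} ({reason})")
```

Flagged domains are candidates for blocking and for a takedown request; the exact-match check at the top of classify keeps the genuine domain out of the hit list.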

 

Microsoft Releases Security Updates for Cloud and Copilot Services 

Microsoft has released security updates addressing 7 vulnerabilities across Exchange Online, Azure services, Microsoft Edge, GitHub Copilot Chat, and Microsoft 365 Copilot. 

The vulnerabilities could allow privilege escalation, information disclosure, spoofing, or unauthorised actions if left unpatched. 

  • CVE-2026-48582 (Critical) – Missing authorisation in Microsoft Exchange Online allows privilege escalation. 
  • CVE-2026-48584 (Critical) – Execution with unnecessary privileges in Azure Synapse could allow privilege escalation. 
  • CVE-2026-45480 (Critical) – Improper authentication in Microsoft Entra ID could allow privilege escalation. 
  • CVE-2026-32208 (High) – A Cross-Site Scripting (XSS) vulnerability in Microsoft Edge could enable spoofing attacks. 
  • CVE-2026-47645 (High) – An open redirect vulnerability in Microsoft 365 Copilot Business Chat could allow privilege escalation. 
  • CVE-2026-50519 (Medium) – An insecure default configuration in GitHub Copilot Chat and Visual Studio Code could lead to information disclosure. 
  • CVE-2026-42895 (Medium) – A command injection vulnerability in Microsoft 365 Copilot could allow unauthorised actions. 

Recommendations 
  • Ensure that all systems are patched and updated.  

 

Google Chrome Releases Security Updates Addressing Multiple Vulnerabilities 

Google has released a Chrome security update addressing five vulnerabilities, each rated Medium severity in this advisory; Chromium's own severity rating is noted against each entry. 

  • [Medium] CVE-2026-12463 – Chrome
    An issue affecting the Views component in Google Chrome on Linux prior to version 149.0.7827.155 could allow a remote attacker who has already compromised the renderer process to inject arbitrary scripts or Hypertext Markup Language (HTML) content through a specially crafted webpage. (Chromium severity: High).
  • [Medium] CVE-2026-12461 – Chrome
    An out-of-bounds read vulnerability in Web Real-Time Communication (WebRTC) on Windows prior to version 149.0.7827.155 could allow a remote attacker to access potentially sensitive information from process memory through a specially crafted webpage. (Chromium severity: High)
  • [Medium] CVE-2026-12469 – Chrome
    An uninitialised-use vulnerability in the Graphics Processing Unit (GPU) component on Android prior to version 149.0.7827.155 could allow a remote attacker to expose cross-origin data through a specially crafted webpage. (Chromium severity: High)
  • [Medium] CVE-2026-12446 – Chrome
    An issue affecting password-related functionality in Google Chrome prior to version 149.0.7827.155 could allow a remote attacker to expose cross-origin data through a specially crafted webpage. (Chromium severity: High)
  • [Medium] CVE-2026-12444 – Chrome
    An out-of-bounds read vulnerability in Chrome Remote Desktop (Chromoting) on Windows prior to version 149.0.7827.155 could allow a local attacker to access potentially sensitive information from process memory through a malicious file. (Chromium severity: High).
Recommendations 
  • Ensure that all systems are patched and updated.  

 

Splunk Releases Security Updates for AI Toolkit Vulnerabilities

Splunk has addressed 2 vulnerabilities affecting Splunk AI Toolkit versions prior to 5.7.4. 

The first vulnerability, CVE-2026-20265 (CVSS 4.3), stems from a weakness in the toolkit’s default domain allowlist configuration that could allow a low-privileged user to direct outbound Hypertext Transfer Protocol (HTTP) requests to unapproved external domains, potentially resulting in the unauthorised disclosure of information. 

The second vulnerability, CVE-2026-20266 (CVSS 9.1), is a critical operating system command injection vulnerability in the ‘btool’ configuration helper. The flaw could allow a user with administrative privileges to execute unauthorised operating system commands on the underlying Splunk Enterprise host. According to Splunk, the issue arises from unsafe shell command construction using dynamic parameters.  
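The unsafe-construction pattern described for btool, shown beside two hardened forms as an added example. This is illustrative code, not Splunk's; it uses echo in place of the btool binary so it runs anywhere, and the parameter character allowlist is an assumed policy rather than Splunk's own rule.

```python
"""Vulnerable and hardened patterns for wrapping a CLI helper.

'echo' stands in for the btool binary so the example runs anywhere.
The functions, the injected string and the parameter allowlist are
constructed for this example and are not Splunk's code.
"""
import re
import subprocess


def run_btool_vulnerable(conf, stanza):
    """Builds one shell string from caller-supplied parameters, so shell
    metacharacters in 'stanza' become extra commands."""
    cmd = f"echo btool {conf} list {stanza}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_btool_argv(conf, stanza):
    """Passes an argv list with no shell: the parameter reaches the
    program as a single literal argument whatever it contains."""
    argv = ["echo", "btool", conf, "list", stanza]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Assumed policy: conf and stanza names only need these characters.
SAFE_PARAM = re.compile(r"[A-Za-z0-9_.:-]+")


def run_btool_hardened(conf, stanza):
    """argv list plus an allowlist on the parameters themselves, so a
    malformed name is rejected before anything is executed."""
    for value in (conf, stanza):
        if not SAFE_PARAM.fullmatch(value):
            raise ValueError(f"rejected parameter: {value!r}")
    return run_btool_argv(conf, stanza)


if __name__ == "__main__":
    payload = "sslConfig; echo INJECTED"
    print(run_btool_vulnerable("server.conf", payload))  # second line: INJECTED
    print(run_btool_argv("server.conf", payload))        # payload printed literally
    try:
        run_btool_hardened("server.conf", payload)
    except ValueError as e:
        print(e)
```

The argv form alone removes the shell from the path; the allowlist on top of it is what stops the helper being pointed at unexpected files or stanzas by an account that already holds administrative rights.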

Recommendations 
  • Upgrade Splunk AI Toolkit to version 5.7.4 or later. 
  • Configure an approved allowlist of external domains. 
  • Ensure domain validation controls are enabled. 
  • Restrict access to AI Toolkit functionality based on business requirements. 
  • Monitor outbound Hypertext Transfer Protocol (HTTP) and Hypertext Transfer Protocol Secure (HTTPS) traffic originating from the AI Toolkit. 
  • Review logs for connections to unapproved external destinations. 
  • Remove or disable the AI Toolkit if updates cannot be applied. 
  • Limit administrative access to authorised personnel only. 
  • Monitor systems for unusual command execution activity. 
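An added example (not Splunk's code, configuration or log format) of the allowlist and log-review recommendations above: a strict destination check that parses the URL and compares the real host against an allowlist, shown next to the substring-matching pattern that userinfo and query tricks defeat, followed by a pass over constructed request log lines that flags destinations outside the list. The allowed domain names and the log lines are assumptions made for the example.

```python
"""Strict outbound-domain allowlist and a review of request logs.

The allowlist, URLs and log lines are constructed for this example
and are not Splunk's configuration or log format.
"""
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_DOMAINS = {"llm-gateway.corp.example", "models.corp.example"}


def naive_allowed(url, allowlist=ALLOWED_DOMAINS):
    """The weak pattern: substring match on the whole URL. Any approved
    name placed in the userinfo, path or query satisfies it."""
    return any(domain in url for domain in allowlist)


def host_allowed(url, allowlist=ALLOWED_DOMAINS):
    """Parse the URL, take the real host and require an exact match or
    a subdomain of an allowlisted name. Raw IP literals are rejected."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False          # an IP literal is never an approved domain
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in allowlist)


# Constructed log lines in a key=value style.
SAMPLE_LOG = """\
2026-06-22T08:12:01Z action=outbound_request user=analyst url=https://llm-gateway.corp.example/v1/chat
2026-06-22T08:13:44Z action=outbound_request user=analyst url=https://llm-gateway.corp.example@203.0.113.9/collect
2026-06-22T08:15:02Z action=outbound_request user=contractor url=https://paste.attacker.example/upload?ref=models.corp.example
2026-06-22T08:16:30Z action=outbound_request user=analyst url=https://eu.models.corp.example/embed
""".splitlines()


def review_log(lines, allowlist=ALLOWED_DOMAINS):
    """Return the log lines whose destination host is not approved."""
    flagged = []
    for line in lines:
        m = re.search(r"\burl=(\S+)", line)
        if m and not host_allowed(m.group(1), allowlist):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for line in review_log(SAMPLE_LOG):
        print("UNAPPROVED:", line)
```

The second and third sample lines both pass naive_allowed, because the approved name appears in the userinfo and in the query string respectively, and both are flagged by host_allowed; that difference is the reason to validate the parsed host rather than the URL text.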

 

REFERENCES 

https://doublepulsar.com/fortibleed-75k-fortinet-firewalls-have-admin-passwords-cracked-60299faa65f8 

https://www.recordedfuture[.]com/research/cyber-maritime-sanctions-evasion 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48582 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-48584 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-50519 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45480 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42895 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32208 

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-47645 

https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_01750511403.html 

https://issues.chromium.org/issues/518042749 

https://issues.chromium.org/issues/517727318 

https://issues.chromium.org/issues/521618871 

https://issues.chromium.org/issues/513313107 

https://issues.chromium.org/issues/513160088 

https://advisory.splunk.com/advisories 
