Public PoC released for libssh2 CVE-2026-55200, CVSS 9.2, no official patch yet, embedded in curl, Git, and PHP  ·  New SpyCloud analysis: FortiGate was less than a third of FortiBleed's actual scanning targets  ·  Unverified claim of a 310 million record Temu breach surfaces on a cybercrime forum  ·  CYBERSIP.NET  ·  ISSUE 75
CYBERSIP™
Daily Cyber Brief  ·  Intelligence Without the Noise
Issue No. 75  ·  June 30, 2026  ·  cybersip.net
Issue No. 75  ·  June 30, 2026  ·  3 active items  ·  Under 5 min read
Today’s picture
A public proof of concept was published today for CVE-2026-55200, a CVSS 9.2 memory corruption flaw in libssh2, the client-side SSH library embedded in curl, Git, PHP, backup agents, firmware updaters, and a long tail of network appliances. A malicious or compromised SSH server can trigger the flaw with no credentials and no user interaction, and there is still no official patched release. SpyCloud researchers published updated analysis today of the FortiBleed credential-harvesting dataset, revealing that FortiGate was the largest single target set the operators scanned but still accounted for less than a third of the internet-facing endpoints probed, and that a dedicated SQL Server credential checker ran roughly 2.1 billion login attempts against more than 163,000 database servers. An unverified post on a cybercrime forum claims a 310 million record breach of Chinese e-commerce platform Temu, including account information, contact details, and password hashes, though the scale of the claim has not been independently confirmed.
Threat snapshot
3 active items · 2 monitoring
  • libssh2 / CVE-2026-55200 / CVSS 9.2 / public PoC / no patch yet
  • FortiBleed / SpyCloud update / multi-vendor scope confirmed
  • Temu / 310 million records claimed / unverified
3 items this issue
Today  ·  Public PoC  ·  No Official Patch
libssh2 CVE-2026-55200: a malicious SSH server can corrupt memory on any connecting client with no credentials and no interaction. CVSS 9.2. Embedded in curl, Git, PHP, and countless statically linked appliances. Public PoC live, no tagged patched release yet.
An attacker-controlled packet_length field wraps a 32-bit calculation to a tiny number, causing a small heap allocation that later code overflows with the full oversized packet, a classic integer overflow to buffer overflow chain. The fix is merged upstream as commit 97acf3d but no official tagged release exists. Debian already has a backported build in testing. This is the same bug class as CVE-2019-3855 from seven years ago in the identical code path.
Updated Today  ·  FortiBleed
SpyCloud: FortiGate was less than a third of FortiBleed's actual scanning targets. A dedicated SQL Server checker ran 2.1 billion login attempts against 163,650 database servers. Synology and Sophos portals also scanned.
The operation is confirmed as a broad credential-harvesting campaign against any internet-exposed remote-access or database service, not a Fortinet-specific operation. Two live SQL Server hits were confirmed using the default sa administrator account. Organizations running internet-facing MSSQL, Synology DSM, or Sophos firewalls should audit exposure regardless of Fortinet usage.
Today  ·  Temu  ·  Unverified
A cybercrime forum post claims a 310 million record Temu breach including account data, contact details, and password hashes. Temu has not confirmed. Sample records appear to contain 2026 timestamps, suggesting relatively recent data.
Temu denied a similar 87 million record claim in 2025 after investigation found no matching internal data. The current claim's true scale has not been independently verified. Included here as a developing item to watch, not a confirmed breach. Temu users should remain alert without overreacting to an unconfirmed claim.
Detailed intelligence
Full analysis
01 Public PoC No Official Patch
libssh2 CVE-2026-55200: a public proof of concept is now available for a CVSS 9.2 memory corruption flaw with no official tagged release yet. Embedded in curl, Git, PHP, and a long tail of appliances. Malicious server, zero user interaction.
CVE-2026-55200 · CVSS 9.2 · CWE-680
A public proof-of-concept exploit was published today on GitHub, containing a verified local SSH trigger scaffold and a controlled local remote code execution harness. The flaw lives in ssh2_transport_read() in libssh2's transport.c, the function that parses incoming SSH packets during the handshake. No exploitation has been reported by CISA as of today, and the author of the PoC archive acknowledges that some entries were generated with AI-assisted fuzzing without prior vendor reporting.
Executive Impact
libssh2 is a client-side library, meaning the danger comes from your own tools connecting outward to a malicious or compromised SSH server, not from an attacker reaching in. Inventory everything in your environment that links libssh2, including statically linked copies inside curl, Git, PHP runtimes, backup agents, firmware updaters, and network appliances, which a package manager update will not touch. Apply a build containing commit 97acf3d where available. Until a patched build is in place, restrict outbound SSH connections from any vulnerable client to trusted, verified servers only, and watch for oversized-packet anomalies or unexplained client crashes.
Don’t Miss
This is the second time in seven years the exact same integer overflow class has appeared in the exact same code path. CVE-2019-3855 was a near-identical bug in libssh2's transport read function that also let a malicious server execute code on a connecting client, fixed in version 1.8.1. The bug class returning unchanged in the same function seven years later suggests the original fix addressed the specific instance rather than the underlying validation gap, or that a regression was introduced sometime since. Organizations that patched for CVE-2019-3855 and assumed the transport parsing code was hardened against this class of attack should treat that assumption as invalidated. The recurrence is also a caution against treating any single historical CVE fix as closing an entire vulnerability class permanently.
CyberSip Take
No official patched release, a public PoC, and a footprint that touches curl, Git, and PHP is a combination that should move this to the top of every patch queue, even though it requires connecting to a malicious server rather than being directly internet-exposed. The hard part is not patching what you know about. It is finding the static, bundled copies that nobody remembers shipping. Inventory before you patch, because you cannot fix what you have not found.
How the bug works

The vulnerability is a CWE-680 integer overflow leading to a buffer overflow in libssh2's packet parsing logic. When a client connects to an SSH server, libssh2's ssh2_transport_read() function reads a packet_length field from the incoming data and uses it in a size calculation involving 32-bit arithmetic. An attacker-controlled server can set this field to a value such as 0xffffffff, which causes the arithmetic to wrap around to a very small number. libssh2 allocates a heap buffer sized for that small, incorrect number. Subsequent code, still operating on the original oversized packet_length value, then writes the full attacker-supplied packet into the undersized buffer, producing an out-of-bounds heap write.

The flaw affects every libssh2 release up to and including 1.11.1. Security researcher Tristan Madani reported the issue, and VulnCheck published the CVE on June 17, 2026. The fix, which adds a missing check rejecting any packet_length value above LIBSSH2_PACKET_MAXPAYLOAD before the vulnerable arithmetic runs, was merged into the project's mainline source as commit 97acf3d on June 12, but no official tagged release containing the fix has shipped as of today. Linux distributions including Debian have begun backporting the patch independently into their own builds ahead of an upstream release.

A second related flaw disclosed alongside it, CVE-2026-55199, rated CVSS 8.2, allows a malicious server to trap a connecting client in a CPU loop via a bogus extension count during the key exchange phase, causing denial of service rather than code execution. A third, CVE-2025-15661, rated CVSS 8.3, is an SFTP heap over-read disclosed in the same batch.
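The integer-overflow-to-heap-overflow chain described above, reduced to a standalone C model added here (this is not libssh2's code): a constructed SSH packet header is parsed, the unchecked 32-bit size arithmetic is shown wrapping for a packet_length of 0xffffffff, the copy step is shown trusting the original length, and a bounded variant rejects the field before any arithmetic runs. PACKET_MAXPAYLOAD_ASSUMED, MAC_LEN and the two header arrays are assumptions for the demonstration, not values from the page or the project.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the CWE-680 chain described above. Not libssh2 code.
 * SSH binary packet header (RFC 4253): uint32 packet_length, byte padding_length.
 * The cap and MAC length below are assumed values for the demonstration only. */
#define PACKET_MAXPAYLOAD_ASSUMED 32768u  /* assumption: stand-in for the real cap */
#define MAC_LEN 20u                       /* assumption: fixed MAC length */

/* Constructed headers: a benign 28-byte packet and one with packet_length 0xffffffff. */
const unsigned char HDR_BENIGN[5] = {0x00, 0x00, 0x00, 0x1c, 0x04};
const unsigned char HDR_WRAP[5]   = {0xff, 0xff, 0xff, 0xff, 0x04};

/* Big-endian uint32 at the start of the header. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: 32-bit arithmetic on an unchecked, server-controlled
 * length. For 0xffffffff the sum wraps modulo 2^32 to a tiny allocation size. */
uint32_t alloc_size_unchecked(const unsigned char *hdr) {
    uint32_t packet_length = read_be32(hdr);
    return packet_length + 4u + MAC_LEN;  /* 0xffffffff + 24 wraps to 23 */
}

/* Second half of the chain: the copy trusts the original packet_length, not the
 * wrapped buffer size. Returns 1 when the copy would run past the buffer. */
int copy_exceeds_buffer(const unsigned char *hdr) {
    uint32_t packet_length = read_be32(hdr);
    return packet_length > alloc_size_unchecked(hdr);
}

/* Hardened pattern: bound the field before any arithmetic. Returns 0 and sets
 * *err when the length exceeds the cap, otherwise the exact, non-wrapping size. */
uint32_t alloc_size_checked(const unsigned char *hdr, int *err) {
    uint32_t packet_length = read_be32(hdr);
    *err = 0;
    if (packet_length > PACKET_MAXPAYLOAD_ASSUMED) {
        *err = 1;  /* reject the packet and tear down the connection */
        return 0;
    }
    return packet_length + 4u + MAC_LEN;  /* operand is bounded, so no wrap */
}

int main(void) {
    int err;
    uint32_t checked;
    printf("benign: alloc=%u exceeds=%d\n", alloc_size_unchecked(HDR_BENIGN),
           copy_exceeds_buffer(HDR_BENIGN));
    printf("wrap:   alloc=%u exceeds=%d\n", alloc_size_unchecked(HDR_WRAP),
           copy_exceeds_buffer(HDR_WRAP));
    checked = alloc_size_checked(HDR_WRAP, &err);
    printf("checked wrap: size=%u rejected=%d\n", checked, err);
    return 0;
}
```

The benign header yields a 52-byte allocation and no overrun; the wrapped header yields a 23-byte allocation that the 4 GiB copy would overrun, while the checked variant rejects it outright.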

Recommended actions
Derived from The Hacker News, InfoSec Today, and PurpleOps reporting on CVE-2026-55200, June 29–30, 2026.
02 FortiBleed SpyCloud Update
FortiBleed was never just about Fortinet. SpyCloud's new analysis shows FortiGate was under a third of the operation's actual scanning targets, with database servers and other VPN vendors equally in scope.
FortiBleed · SpyCloud · June 29
SpyCloud researchers published a detailed breakdown today of the full dataset recovered from the FortiBleed operator's infrastructure. The analysis confirms that FortiGate, while the largest single target category and the source of the operation's name, represented less than a third of the internet-facing endpoints the threat actor actually scanned across its full campaign.
Executive Impact
Organizations that concluded they were unaffected by FortiBleed because they do not run Fortinet hardware should revisit that conclusion. The same operator ran a dedicated SQL Server credential checker against more than 163,000 database servers and scanned Synology DiskStation Manager and Sophos firewall login portals at scale. Any organization with internet-exposed Microsoft SQL Server, Synology NAS administrative interfaces, or Sophos SSL-VPN portals should treat this as the same operator and audit for the same risk: brute-force credential attempts against default and weak administrator accounts.
Don’t Miss
SpyCloud confirmed that the dedicated MSSQL checker ran approximately 2.1 billion login attempts against 163,650 servers and surfaced two confirmed hits, both using the default sa administrator account on live SQL servers. Two successful breaches out of 2.1 billion attempts against 163,650 targets is a vanishingly small success rate by volume, but it confirms the operator achieved working access to at least two production database servers using nothing more sophisticated than the unrotated default administrator account. The story here is not the success rate. It is that an attacker running billions of automated login attempts against a category of target most security teams do not associate with the FortiBleed name found exactly the kind of unrotated default credential that has been the throughline of this entire campaign since it was first identified.
CyberSip Take
FortiBleed was always a credential brand name applied to a much broader operation. If your organization concluded it was safe from this campaign because it does not run FortiGate, that conclusion no longer holds. The operator's actual target list spans SQL Server, Synology, and Sophos infrastructure, and the underlying weakness it exploits everywhere is the same one this brief has documented since Issue 68: unrotated default credentials on internet-facing administrative interfaces.
What the new analysis shows

SpyCloud's analysis, published as an update to Help Net Security's ongoing FortiBleed coverage today, examined the full dataset recovered from the operator's exposed infrastructure rather than only the Fortinet-specific portion that drove the original headlines. The researchers confirmed that FortiGate firewalls and SSL VPN gateways were the largest single target category, consistent with earlier reporting, but represented less than one third of the total internet-facing endpoints the operator scanned across its full campaign.

Beyond Fortinet, the operators collected and targeted login portal URLs for Synology DiskStation Manager network-attached storage administration interfaces and Sophos firewall SSL-VPN and Remote Desktop Web Access portals. SpyCloud noted it remains unclear whether the attackers progressed past the initial scanning phase for these targets, in contrast to the confirmed compromise of tens of thousands of Fortinet devices. Separately, the operator ran a dedicated credential checker against Microsoft SQL Server instances, working through 163,650 servers across approximately 2.1 billion login attempts, which surfaced two confirmed working hits using the default sa administrator account on live production SQL servers.

This confirms the assessment other researchers offered earlier in the campaign that FortiBleed is best understood as one visible piece of a much broader, ongoing edge-device and remote-access credential harvesting effort by a Russian-speaking, financially motivated initial access broker, rather than a Fortinet-specific incident.

Recommended actions
Derived from Help Net Security reporting on SpyCloud FortiBleed dataset analysis, June 29, 2026.
03 Temu Unverified
A cybercrime forum listing claims a 310 million record Temu breach including account data, contact details, and password hashes. Temu has not confirmed. Samples appear recent, but the scale of the claim cannot currently be verified.
Temu · Unverified Claim · June 29–30
An alleged attacker posted a listing on a cybercrime forum claiming to possess a database of approximately 310 million Temu user records. Temu reports roughly 416 million monthly active users globally, making the claimed figure a substantial portion of the platform's user base if accurate. Temu has not issued a public confirmation or denial as of this writing.
Executive Impact
No confirmed action is required at this stage given the unverified status of the claim. Temu users should remain alert to phishing attempts referencing account security or order issues in the coming days, since breach claims, whether confirmed or not, are reliably followed by opportunistic phishing campaigns that exploit public awareness of the story. Reviewing whether a Temu password is reused on any other service is a reasonable precaution regardless of whether this specific claim is substantiated.
Don’t Miss
Temu has a documented history relevant to evaluating this claim. A similar listing in 2025 claimed 87 million stolen records, and Temu publicly denied the breach after stating it cross-checked the claimed data against internal records and found no matches. Researchers examining the current 310 million record sample noted that nearly all sample records contain account-creation or login timestamps from 2026, which suggests the data is relatively recent rather than recycled from an older, unrelated leak, a detail that distinguishes this claim somewhat from typical recycled-data forum listings. That said, recent timestamps alone do not confirm the data originated from a breach of Temu's own systems rather than a third-party vendor, a scraping operation, or a previously undisclosed incident at an unrelated party. The appropriate posture is continued monitoring rather than either dismissal or alarm.
CyberSip Take
This brief includes unverified claims like this one specifically so readers can track developing stories from the earliest credible signal, not to amplify unconfirmed allegations as fact. The honest summary today is that a large, specific claim exists, the sample data examined looks plausible rather than obviously fabricated, and the company has not confirmed or denied it. Treat it as a story to watch, not a conclusion to act on, until either Temu or independent forensic researchers provide further confirmation.
What is known

A post appeared on a cybercrime forum claiming the seller possesses a database of approximately 310 million Temu user records, including account information, contact details, password hashes, and device metadata. To support the claim, the seller published 99 sample records. Researchers who reviewed the sample data found it contained a broad range of account information consistent with what a genuine internal database export would include, and noted that nearly all sample records carried account-creation or login timestamps from 2026.

Temu has not issued a public statement confirming or denying the claim as of this writing. The company has a prior pattern of denying similar claims: in a 2025 incident, an attacker claimed to have stolen 87 million lines of personal data from Temu users, and the company subsequently stated it had cross-checked the data internally and found no matching records, characterizing the claim as unsubstantiated.

The scale of the current 310 million record claim, against Temu's reported approximately 416 million monthly active users, would represent a substantial majority of the platform's active user base if fully accurate. Independent verification of the claim's scope and authenticity has not been completed as of today.

Recommended actions
Derived from Cybernews reporting on the alleged Temu data breach claim, June 29–30, 2026.
Still watching
Aging items · days 2–4
Items here remain operationally relevant but have no significant new developments. They drop off after 7 days.
Amazon Q Developer CVE-2026-12957 (Issue 74). MCP auto-execution exposed AWS credentials. Patched in Language Servers for AWS 1.69.0. Confirm running version is current via IDE reload. Day 2
KDDI breach (Issue 74). Up to 14.2 million email credentials exposed across six Japanese ISPs. Rotate passwords on STNet, JCOM, Chubu Telecommunications, Nifty, BIGLOBE, or KDDI Web Communications email accounts. Day 2
Cross-source standouts
01
A patched bug class is not a closed bug class, even seven years later
CVE-2019-3855 fixed an integer overflow in libssh2's transport read function in 2019. Seven years later, CVE-2026-55200 is a near-identical integer overflow in the exact same function. The same researchers, the same general code path, the same fundamental class of unchecked arithmetic on attacker-controlled length fields. This brief has documented this exact pattern multiple times this year: DirtyClone bypassing the DirtyFrag patch in Issue 73, Fragnesia bypassing the original DirtyFrag fix before that. A historical CVE fix closes the specific instance that was reported. It does not retroactively prove the surrounding code is now hardened against the entire class of bug. Security teams that treat old CVE fixes as permanent closure on an attack surface, rather than as one instance addressed within a broader pattern that may recur, are working from an assumption this brief keeps finding evidence against.
02
FortiBleed's real lesson was never about Fortinet specifically
From Issue 68 through today, this brief has covered FortiBleed as it grew from 86,644 devices to 110 million credentials to a confirmed Russian initial access broker operation. Today's SpyCloud analysis completes the picture: Fortinet was the largest but still minority share of a much broader campaign against SQL Server, Synology, and Sophos infrastructure. The consistent thread across every stage of this story has been the same weakness exploited everywhere: internet-facing administrative interfaces with default or unrotated credentials. The vendor name in the campaign's branding was never the point. The point was that billions of automated login attempts against unrotated defaults will eventually find the small fraction of targets that never changed them, regardless of which vendor's logo is on the box.
Our methodology
  • Federal cybersecurity advisories
  • Law enforcement threat bulletins
  • National vulnerability databases
  • Major vendor security advisories
  • Cross-referenced for relevance and corroboration
About CyberSip
A cyber brief for leaders and practitioners who need signal, not noise. Intelligence without the noise, published on cybersip.net.

CyberSip aggregates cybersecurity information from publicly available sources for informational purposes only. CyberSip does not provide legal, technical, incident response, or compliance advice, and makes no guarantee regarding completeness, accuracy, or timeliness. Organizations should validate all findings within their own environments and consult qualified professionals as appropriate. Original advisories, remediation guidance, and technical details remain with the referenced source organizations. Items remain active for no more than 7 days from publication unless materially updated.