Active CISA Known Exploited Vulnerabilities (KEV) — June 2026

FortiBleed note: Not a CVE — exploits default and unrotated credentials, not a software vulnerability. Remediation requires credential rotation and account hygiene, not patching. Treat as a separate, urgent remediation track.

Prioritization guidance: Prioritize (1) CVE-2026-20253 Splunk (KEV deadline today), (2) TanStack/Nx Console supply chain (actively exploited, developer environment impact), (3) FortiBleed credential remediation (no CVE, but CISA emergency advisory). Chrome auto-update and NGINX patching can follow on a 48-72 hour track for most organizations.

Most significant shift: AI infrastructure — agents, API keys, and developer toolchains — has transitioned from an emerging target to a confirmed, actively exploited attack surface. Three concurrent developments in this cycle (AutoJack, JetBrains plugin theft, sovereign AI restrictions) indicate that threat actors, researchers, and governments have all reached the same conclusion: AI systems are high-value targets worth dedicated effort.

State-sponsored activity: The FortiBleed campaign, attributed to Russian-linked threat actors, demonstrates continued focus on enterprise network perimeter compromise at industrial scale. The use of default credentials rather than novel exploits suggests a deliberate choice of low-cost, high-yield techniques against poorly maintained infrastructure.

TeamPCP threat actor: Active and expanding. Campaign progression from npm package registries to IDE plugin marketplaces demonstrates adaptive tradecraft and a strategic focus on AI developer credential theft. The progression from TanStack to Nx Console to JetBrains plugins suggests systematic enumeration of developer trust surfaces.

Ransomware context: Organizations with confirmed FortiGate credential exposure should elevate ransomware readiness posture. Historical patterns associate Russian-linked initial access brokers with ransomware-as-a-service operations. Validate backup integrity and incident response readiness regardless of whether internal exposure is confirmed.

Automation and AI in attacks: AutoJack introduces an attack category that is inherently automated — the attack requires no ongoing attacker interaction after delivering the malicious web page. AI-accelerated attack automation is no longer a future risk; it is the threat model for AI agent deployments today.

Perimeter identity (FortiBleed): Compromised VPN credentials are identity credentials. Once obtained, they enable authenticated access to enterprise networks, bypassing perimeter controls and enabling lateral movement to cloud-connected and SaaS-connected systems. Organizations using FortiGate for remote access should audit conditional access policies and MFA enforcement even after rotating credentials.

Non-human identity — AI API keys (JetBrains/TeamPCP): AI API keys are NHIs with broad permissions and typically no MFA. Stolen AI API keys function as persistent access credentials to AI platform accounts, including any data, fine-tuned models, or integrations stored within those accounts. The JetBrains plugin campaign specifically targets developer machines where API keys are often stored in plaintext configuration files or environment variables.

CI/CD and developer environment risk: Developer machine compromise via IDE plugins provides attackers with access to the software delivery pipeline. Compromised developer environments expose repository credentials, cloud service tokens, and build system secrets — all of which are NHIs with production-level access.

AI agent identity (AutoJack): AI agents operating in enterprise environments are effectively service accounts with broad web access and, in the AutoJack case, local system access. Organizations should inventory AI agent identities, apply least-privilege principles to agent permissions, and restrict agent network access using the same rigor applied to service accounts.

Key question for CISOs: Does your NHI program include AI API keys, AI agent identities, and developer-environment service accounts? If not, FortiBleed and the TeamPCP campaign represent the class of risk that gap creates.

AutoJack — a new attack category: AutoJack is not a variant of an existing attack class. It represents the first documented instance of a complete exploit chain from web-delivered prompt injection through privileged local service access to host-level code execution via an AI agent. The implications extend beyond AutoGen Studio: any agentic framework that allows web browsing and has access to local services or privileged ports is architecturally susceptible to the same pattern.

AI API key theft — targeted and systematic: The TeamPCP campaign demonstrates that threat actors have identified AI API keys as high-value, persistently exploitable credentials. Unlike traditional credential theft, AI API key abuse is difficult to detect without platform-level monitoring. Key rotation after confirmed theft is insufficient; organizations should assume a window of unauthorized access has occurred and audit platform logs for unusual usage patterns.

Sovereign AI — geopolitical AI risk: The reported U.S. restriction on Anthropic Fable 5 and Mythos 5 access for foreign nationals introduces a new enterprise risk category: geopolitically conditioned AI access. Organizations that have integrated frontier AI into core business workflows face potential disruption if access is restricted for non-U.S. employees or operations. This risk is distinct from traditional vendor lock-in and requires different mitigation strategies — including multi-provider AI architecture and geographic access mapping.

Federal AI governance compliance: CISA BOD 26-04 and the NIST mathematical proof together define a federal AI security posture that prioritizes continuous monitoring over periodic assessment. Organizations operating AI systems in regulated environments should assess whether their AI security programs meet this new baseline.

Defensive AI opportunity: The same AI-acceleration dynamic that enables faster attacks enables faster detection and response. Organizations should assess whether their threat detection programs can operate at the cadence BOD 26-04 envisions. Machine-speed defense is not optional under the new federal framework — it is the stated requirement.

JetBrains Marketplace: Confirmed compromised distribution channel for AI API key theft. Unlike production dependency registries (npm, PyPI), IDE plugin marketplaces have historically had weaker vetting processes and less active security monitoring. Organizations should treat JetBrains Marketplace plugins as a high-risk third-party dependency requiring explicit vetting and allowlisting.

npm supply chain (TanStack, Nx Console): TanStack Router and Nx Console are both CISA KEV-listed supply chain compromises. Both are widely used in JavaScript/TypeScript development ecosystems. Organizations should audit dependency trees for these packages and related TeamPCP-linked packages. The Wiz research on the TeamPCP campaign provides additional context on related packages.

FortiGate as a supplier risk: The FortiBleed campaign exposes a structural issue with enterprise network perimeter suppliers: default credential persistence. Organizations should include default credential removal and credential rotation verification in supplier security assessments and integration playbooks for all network device vendors, not just Fortinet.

AI platform concentration risk: The sovereign AI developments highlight a supplier concentration risk unique to AI: a small number of frontier AI providers control access to capabilities that organizations have embedded in core workflows. Third-party risk programs should include AI platform providers and assess business continuity scenarios in which access is suspended — geopolitically or operationally.

Third-party risk review questions for this cycle: (1) Which suppliers use FortiGate for their VPN infrastructure — do their networks connect to ours? (2) Which development tools and plugins are approved and actively monitored in our developer environments? (3) Which AI platforms do we depend on for business-critical workflows, and what is our continuity plan if access is suspended?

U.S. Federal AI Security Governance Convergence

Three independent federal signals in June 2026 define a new AI security compliance baseline:

1. White House AI Executive Actions: Explicitly addresses cybersecurity as a core AI policy domain. Calls for machine-speed cyber defense capabilities. Signals that the executive branch views AI-era security as distinct from traditional cybersecurity and requiring dedicated policy treatment.

2. CISA BOD 26-04 (replaces BOD 22-01): CISA replaced BOD 22-01 with a new binding operational directive calibrated to AI-accelerated threat tempo. Federal agencies are now subject to patching timelines designed for a world where vulnerabilities are exploited faster. Federal contractors benchmarking against CISA frameworks should assess whether their patching SLAs meet the new standard.

3. NIST Mathematical Proof on AI Security Posture: NIST published a mathematical proof establishing the theoretical basis for continuous-monitor-and-update as the correct security posture for AI systems. This provides a formal basis for the continuous monitoring requirements that both CISA BOD 26-04 and the AI EO imply.

Compliance implications: Federal contractors, defense industrial base organizations, regulated financial institutions, and healthcare organizations benchmarking against NIST CSF or CISA frameworks should initiate gap assessments. The three signals together define what AI-era compliance will look like — organizations that get ahead of this are better positioned for upcoming audit and procurement requirements.

OMB M-26-14 (logging mandate): A new OMB logging mandate is also in effect, complementing the AI governance framework. Organizations with federal operations should assess logging completeness against the new requirements.

Cross-sector impact (FortiBleed): The 86,644 compromised device figure is sector-agnostic. FortiGate is deployed across healthcare, financial services, manufacturing, retail, government, and critical infrastructure. Any sector with significant FortiGate deployment is affected. ISACs across all sectors should be monitoring member exposure and may have additional indicators of compromise.

Technology and software sector (AI developer supply chain): Organizations in the technology sector — particularly those with large JavaScript/TypeScript development teams using JetBrains IDEs — face elevated exposure to the TeamPCP campaign. AI-first companies and teams with significant AI API key usage are priority targets for this threat actor.

Operation Endgame / SocGholish (no immediate action required): International law enforcement cleaned 14,971 WordPress sites infected with the SocGholish malware framework. This is a significant criminal infrastructure takedown demonstrating that cross-border law enforcement coordination against cybercriminal infrastructure is operational. Organizations running WordPress should validate patch status and plugin integrity.

Lessons from FortiBleed for peer benchmarking: The FortiBleed campaign exposes a default credential problem that almost certainly extends beyond FortiGate. Organizations should use this incident as a prompt to audit default credentials across all network devices, industrial control systems, and cloud infrastructure. The lesson is not “patch Fortinet” — it is “audit default credentials everywhere.”

Sovereign AI as geopolitical instrument: The reported U.S. restriction of Anthropic Fable 5 and Mythos 5 access for foreign nationals — if confirmed — represents the first direct application of AI export control logic to frontier AI systems. This is analogous to semiconductor export controls but applied to software access rather than hardware. The implications for global enterprise AI strategy are significant: organizations cannot assume that AI capabilities available today will be available globally tomorrow.

EU digital sovereignty push: The EU’s announced plan to reduce dependency on U.S. AI infrastructure reflects a broader geopolitical dynamic: the EU has concluded that reliance on U.S. technology providers creates strategic vulnerability. For multinational enterprises, this creates a compliance and operational planning challenge — EU operations may face regulatory pressure to use EU-based or EU-compliant AI providers, while U.S. operations continue with U.S. providers.

Russian-linked threat activity (FortiBleed): The FortiBleed campaign attribution to Russian-linked actors reflects continued state-adjacent cyber operations against Western enterprise infrastructure. The use of default credentials rather than novel exploits suggests a focus on scaling access rather than precision targeting. This is consistent with patterns observed in prior Russian-linked credential harvesting campaigns.

Geopolitical risk posture guidance: Organizations with operations in multiple geographies — particularly U.S., EU, and regions with U.S.-Russia or U.S.-China tensions — should assess their AI platform geography, data residency, and operational continuity plans against a scenario where AI access is geopolitically conditioned. This is no longer a theoretical risk.

Trend: Risk indicators worsened since yesterday. FortiBleed advisory (issued June 19) + AutoJack disclosure + JetBrains plugin confirmation (June 20) represent a rapid accumulation of actionable threat intelligence within 48 hours. The combination of perimeter credential compromise, AI agent attack surface, and developer supply chain activity is unusually concentrated for a single briefing cycle.