Three active ransomware attack campaigns are exploiting unpatched vulnerabilities in FortiGate firewalls, Microsoft SharePoint, and JetBrains development tools. Small business owners must patch these systems immediately and rotate credentials to stop breach exposure.
Today's cybersecurity update covers three critical threats demanding immediate action from small business owners:
The FortiBleed campaign has compromised over 430,000 FortiGate firewalls worldwide and is now directly linked to INC Ransom and Lynx ransomware operations, with at least 12 confirmed ransomware attacks already executed. Organizations using FortiGate devices must patch immediately, rotate credentials, and audit access logs.
CISA has added Microsoft SharePoint vulnerability CVE-2026-45659 to its Known Exploited Vulnerabilities catalog due to active exploitation. This remote code execution flaw affects on-premises SharePoint servers, and federal agencies face a July 4th deadline to remediate. All businesses running SharePoint on-prem should apply security updates immediately.
JetBrains released critical security patches for its development tool suite, including TeamCity, IntelliJ, YouTrack, and others. These vulnerabilities enable authentication bypass and remote code execution, putting development and CI/CD environments at risk.
The key takeaway: All three threats involve active exploitation of known vulnerabilities. Patching is no longer optional, it's essential for business survival. Organizations must prioritize security updates, credential rotation, and continuous monitoring to protect against these immediate threats.
What does ransomware attack response look like for your business right now?
The FortiBleed campaign has already triggered 12 confirmed ransomware attacks by INC Ransom and Lynx groups on compromised FortiGate firewalls. If your business uses FortiGate, SharePoint on-premises, or JetBrains tools, you are actively targeted. CISA has flagged CVE-2026-45659 as exploited in the wild. Your response: patch all three products today, rotate admin credentials and API keys, review firewall and SharePoint access logs for suspicious activity in the last 30 days, and enable multi-factor authentication on development environments. Waiting for 'convenient' patch windows means accepting ransomware risk. These patches block active attacks.
Key takeaways
- FortiBleed has compromised 430,000+ firewalls worldwide and directly funds INC Ransom and Lynx ransomware operations. Patch and rotate credentials immediately.
- Microsoft SharePoint on-premises CVE-2026-45659 is being actively exploited for remote code execution. Federal agencies have a July 4th deadline; all SMBs should patch now.
- JetBrains TeamCity, IntelliJ, and YouTrack patches block authentication bypass and RCE in CI/CD pipelines. Development environments are a direct path to production systems.
Frequently asked questions
If we patch our FortiGate firewall, are we safe from ransomware attack?
Patching closes the entry point FortiBleed uses, but it is not the complete response. Rotate all admin and API credentials on the firewall, then audit access logs from the past 30 days for suspicious logins or configuration changes. Change credentials first, patch second, so attackers cannot use stolen access during the patch window.
Do we need to patch SharePoint if it is not directly exposed to the internet?
Yes. CVE-2026-45659 affects on-premises SharePoint servers accessible from internal networks and VPNs. Attackers often move laterally from compromised workstations to SharePoint. Patch immediately regardless of network exposure.
What should we check in our access logs after a ransomware attack threat like this?
Look for failed login attempts (especially admin accounts), new user accounts created in the past month, credential usage from unusual IP addresses or times, and any API token generation. Export logs to a USB drive or email them to your managed IT provider for review while you patch.
How long does it take an attacker to weaponize a FortiGate breach?
FortiBleed evidence shows attacks executed within days or weeks of initial compromise. Do not assume you have time. Patch and rotate credentials within 24 hours, then monitor for the next 60 days for lateral movement attempts.
Sources
- https://securityaffairs.com/194645/security/430000-fortigate-devices-exposed-in-fortibleed-ransomware-link.html
- https://cybersecuritynews.com/sharepoint-server-code-execution-vulnerability-exploited/
- https://cybersecuritynews.com/jetbrains-vulnerabilities/