Bharat Threat Feed · Global threats, decoded for Indian defenders
Weekly Brief · 26 June 2026

India's manufacturing sector suffered two confirmed incidents in a single week — one ransomware, one extortion — while government-deployed Fortinet gateways appear at the top of the FortiBleed exposure list and three more perimeter products face active exploitation. This issue covers verified developments from 8–26 June 2026.
1. FortiBleed: Up to 86,644 FortiGate Credentials Compromised — India Government Sector Leads All Nations

India exposure: SOCRadar research published 16 June identified up to 86,644 compromised FortiGate administrator and VPN credentials across 194 countries. India and the US together account for roughly one-third of all entries; India specifically represents over 60% of government-sector entries in the dataset. The campaign — active since February 2026 and attributed to Russian-speaking threat actors — is not a new vulnerability. It exploits SHA-256 password hashes that persist on FortiOS devices upgraded from versions earlier than 7.2.11, 7.4.8, or 7.6.1, combined with credential reuse from earlier FortiOS exploitation. CISA issued a hardening advisory on 18 June. There is no firmware patch that cancels credentials already in attacker possession.

Action: Rotate all FortiGate administrator and SSL-VPN credentials immediately. Enable MFA on every remote-access account. Restrict management interfaces to internal networks. Upgrade firmware to FortiOS 7.2.11, 7.4.8, or 7.6.1 or later — the upgrade alone does not convert existing password hashes; every administrator must log in post-upgrade to force PBKDF2 migration.

Source: SOCRadar (16 Jun 2026); Arctic Wolf (16 Jun 2026); CISA Alert (18 Jun 2026)

Treat this as an active credential-compromise incident rather than a patching advisory.
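The two FortiBleed checks that are easy to get wrong are the branch-specific fixed release and the post-upgrade login that actually migrates a hash. The following triage helper is an added example (not Fortinet's tooling or the brief's own code); it assumes an inventory that records each device's FortiOS version, last firmware-upgrade time and each admin account's last login time, and flags which accounts still carry a legacy hash even on a patched device.

```python
# Added triage helper (not Fortinet or Bharat Threat Feed code); inventory fields are assumed.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime

# Minimum fixed release per FortiOS branch, as named in the brief.
FIXED = {(7, 2): (7, 2, 11), (7, 4): (7, 4, 8), (7, 6): (7, 6, 1)}

def parse_version(v: str) -> tuple[int, int, int]:
    major, minor, patch = (int(x) for x in v.strip().lstrip("v").split("."))
    return major, minor, patch

def firmware_fixed(version: str) -> bool:
    """True when the build is at or above the fixed release for its branch.
    Branches older than 7.2 count as unfixed; branches newer than 7.6 as fixed."""
    ver = parse_version(version)
    branch = ver[:2]
    return ver >= FIXED[branch] if branch in FIXED else branch > (7, 6)

@dataclass
class Device:
    host: str
    version: str
    upgraded_at: datetime | None  # time of last firmware upgrade; None = unknown
    admin_last_login: dict[str, datetime | None] = field(default_factory=dict)

def triage(dev: Device) -> dict:
    """Action list for one device. Rotation is always listed: a fixed build
    does nothing about credentials already in attacker hands."""
    fixed = firmware_fixed(dev.version)
    actions = ["rotate all admin and SSL-VPN credentials; enforce MFA"]
    if not fixed:
        actions.append(f"upgrade firmware: {dev.version} is below the fixed release")
        stale = list(dev.admin_last_login)  # nothing migrates until the upgrade
    else:  # hashes migrate to PBKDF2 only when the account logs in after the upgrade
        stale = [a for a, t in dev.admin_last_login.items()
                 if dev.upgraded_at is None or t is None or t < dev.upgraded_at]
    if stale:
        actions.append("force post-upgrade login for: " + ", ".join(sorted(stale)))
    return {"host": dev.host, "firmware_fixed": fixed, "actions": actions}

SAMPLE = [  # constructed inventory; hostnames and dates are made up
    Device("fw-delhi-01", "7.4.7", datetime(2026, 1, 10),
           {"admin": datetime(2026, 6, 20), "backup-admin": None}),
    Device("fw-mumbai-02", "7.4.8", datetime(2026, 6, 19),
           {"admin": datetime(2026, 6, 20), "backup-admin": datetime(2026, 5, 2)}),
]

def run_sample() -> dict[str, dict]:
    return {r["host"]: r for r in map(triage, SAMPLE)}
```

Note that the patched Mumbai device still gets a login action for the dormant backup-admin account, which is the case the firmware version alone hides.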
2. Tata Electronics Confirms Cyberattack; World Leaks Claims 630 GB of Apple and Tesla Supply-Chain Files

No CVE | Data extortion — no encryption

India exposure: Tata Electronics — a Tata Group subsidiary assembling approximately one-third of Apple's iPhone production in India — confirmed a cyberattack on 22 June. World Leaks, considered a rebrand of the Hunters International ransomware group, claims 204,300 files totalling over 630 GB, including Apple supplier quality-inspection specifications, Tesla manufacturing schematics, employee passport copies, and multi-year SAP event logs. Unlike encryption-based ransomware, World Leaks operates as a pure extortion operation: it exfiltrates data and threatens publication without disrupting systems.

Action: Indian electronics manufacturers and their tier-2 suppliers should segment engineering repositories from corporate IT environments, review third-party data-sharing arrangements, and confirm incident-notification obligations with OEM customers. Any organisation that has shared engineering specifications with Tata Electronics should assess its own supply-chain confidentiality exposure and alert relevant OEM security contacts.

Source: TechCrunch (22 Jun 2026); BleepingComputer (23 Jun 2026)

The breach's blast radius extends to every organisation whose proprietary specifications are stored in Tata Electronics systems.
3. Bajaj Auto Hit by Ransomware; CERT-In and SEBI Notified on 23 June

No CVE | Ransomware — no public attribution

India exposure: Bajaj Auto, India's largest two-wheeler manufacturer, detected a ransomware attack at 8:00 AM IST on 23 June affecting systems at the parent company and its wholly owned technology subsidiary, Bajaj Auto Technology Ltd. The company notified CERT-In under the Information Technology Act 2000 and SEBI under Regulation 30 of LODR. Bajaj Auto stated that containment protocols were initiated and that operations are continuing. No threat-actor group has been publicly attributed, and data impact details have not been disclosed.

Action: Indian automotive and industrial organisations should confirm ransomware playbooks are current, verify that offline backup copies are intact and tested, and review EDR coverage on engineering endpoints and OT-adjacent systems. The mandatory six-hour CERT-In notification requirement under the IT Act applies to any sector facing a comparable intrusion.

Source: Medianama (23 Jun 2026); Economic Times (23 Jun 2026); BusinessToday (24 Jun 2026)

The Bajaj Auto incident and the Tata Electronics extortion case in the same week reflect sustained ransomware pressure on India's manufacturing and technology sectors.
4. Check Point VPN Authentication Bypass Linked to Qilin Ransomware Affiliate — CISA KEV June 8

CVE-2026-50751 | Critical | CVSS 9.3

India exposure: CVE-2026-50751 is an authentication bypass in the IKEv1 key-exchange implementation on Check Point Security Gateways. A remote, unauthenticated attacker can establish a full VPN session by exploiting a logic flaw in certificate validation — no valid password is required. Exploitation was first observed on 7 May; Check Point published its advisory on 8 June; CISA added the CVE to KEV the same day with a federal remediation deadline of 11 June. Post-exploitation activity linked to a Qilin ransomware affiliate has been confirmed in at least one case globally. Check Point gateways are deployed across Indian banking, insurance, and government-sector networks.

Action: Apply the Check Point hotfix for affected releases (R80.40 through R82.10, Spark R80.20.X–R82.00.X). If the patch is not yet deployed, disable IKEv1 remote-access and mobile-access VPN, or enforce mandatory machine-certificate requirements to close the bypass. Review VPN session logs from 7 May onward for anomalous initiations.

Source: Check Point Security Advisory (8 Jun 2026); Rapid7 ETR (8 Jun 2026); Help Net Security (8 Jun 2026)

Qilin ransomware has disrupted healthcare and critical-infrastructure targets internationally; any Check Point gateway still accepting IKEv1 connections warrants immediate remediation.
5. Ubiquiti UniFi OS Three-Vulnerability Chain Enables Unauthenticated Root Access — CISA Deadline Passes Today

CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 | CISA KEV 23 Jun 2026

India exposure: Three vulnerabilities in Ubiquiti UniFi OS — improper access control (CVE-2026-34908), path traversal (CVE-2026-34909), and command injection (CVE-2026-34910) — form a chain that delivers unauthenticated root-level code execution against the management interface of UniFi OS Server 5.0.6 and earlier. CISA added all three to its KEV catalogue on 23 June with a federal remediation deadline of today, 26 June. Bishop Fox validated the full exploit chain; PwnDefend observed live attacks within days of Ubiquiti's advisory, with Mirai-family botnet malware deployed on compromised devices. Ubiquiti UniFi OS devices are widely used in Indian SME, campus, and hospitality network environments.

Action: Update UniFi OS Server to version 5.0.7 or later immediately. Disable remote management access if it is not operationally required. Review connected devices and network traffic for Mirai botnet indicators: unexpected outbound connections, scanning behaviour, or abnormal CPU utilisation on network appliances.

Source: CISA KEV (23 Jun 2026); BleepingComputer; SecurityWeek; Bishop Fox; PwnDefend

This is a publicly confirmed, actively weaponised exploit chain; the CISA federal deadline passes today.

Takeaway

Two direct India incidents — Tata Electronics and Bajaj Auto — alongside India's outsized exposure in the FortiBleed government dataset make this week's brief unusual in its concentration of India-specific risk. The connecting thread across all five items is the same: network perimeters with legacy protocol configurations, delayed firmware updates, or unchanged default credentials are the consistent attacker entry point.

Patch management note: Microsoft's June 2026 Patch Tuesday (10 Jun) addressed 200 CVEs including six zero-days; prioritise CVE-2026-45586 (Windows privilege escalation to System) on internet-facing servers and privileged workstations where the June update cycle has not yet been completed.

Nirad Threat Research