Cybersecurity Insights from Léargas: Threat Intel, XDR & OT Security

Stay ahead of fast-moving threats with cybersecurity insights and industry news from Léargas Security. Our team delivers pragmatic analysis, expert perspectives, and step-by-step guidance informed by live telemetry in the Léargas Security XDR platform. We transform raw signals—from packet captures to cloud identity events—into clear actions security teams can take across IT and OT environments.

Start Exploring

Browse the latest cybersecurity insights below to turn complex data into confident decisions.

Fortinet Authentication Bypass Vulnerabilities Exploited

Executive Summary: As of March 10, 2026, threat actors are actively exploiting Fortinet authentication-bypass vulnerabilities to compromise FortiGate and related Fortinet infrastructure, extract service account credentials, and move laterally across victim networks. Three CVEs are central to this campaign: CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858. All three have confirmed exploitation in the wild according to NVD and multiple industry sources [1][2][3]. Patches exist for most affected
Read More

Critical Dell RecoverPoint Vulnerability (CVE‑2026‑22769): Active Exploitation and Patch Guidance

Critical Dell RecoverPoint Vulnerability CVE‑2026‑22769 exploited by UNC6201; review impact, affected versions, and patch guidance to secure virtualized environments.
Read More

AI‑Driven Threat Intelligence: OSINT, XDR Integration, and Local LLM Processing

This project at Leargas has been a six-year journey that evolved to match a rapidly shifting threat landscape. Here is an overview of our progression from standalone intelligence to local vLLM processing. Phase 1: Standalone CIRCL AIL — Discovery at Scale Six years ago, we deployed CIRCL AIL as a standalone engine to address a lack of visibility into external leaks. Our focus was
Read More

FortiOS SSL VPN Improper Authentication Vulnerability (CVE-2020-12812): Active Exploitation and Immediate Mitigation Guidance

Cybersecurity Advisory: As of December 26, 2025, Fortinet confirms active exploitation of CVE‑2020‑12812, an improper authentication vulnerability in FortiOS SSL VPN that allows users to bypass two‑factor authentication (2FA) by altering the case of the username. The flaw affects several FortiOS branches and remains under active exploitation by multiple threat actors according to Fortinet’s December 24, 2025 advisory (thehackernews.com). The vulnerability is listed in CISA’s
Read More
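The bug class behind a case-based 2FA bypass is a policy lookup that compares the supplied username exactly while the authentication backend matches it case-insensitively, so "JSmith" authenticates as jsmith but never hits jsmith's 2FA requirement. The example below is added here and is not Léargas code or FortiOS code: it shows the vulnerable and the corrected policy check side by side, and a detection pass over a constructed, vendor-neutral login log that flags successful logins using a case variant of an enrolled account where the 2FA step did not complete. The log format, field names and account list are all assumptions for illustration; real FortiOS log fields differ.

```python
import re

# Constructed sample SSL VPN login records (illustrative format, not FortiOS output).
SAMPLE_LOG = """\
2025-12-20T08:01:12Z vpn-login user="jsmith" src=203.0.113.10 result=success 2fa=completed
2025-12-20T08:05:44Z vpn-login user="JSmith" src=198.51.100.7 result=success 2fa=skipped
2025-12-20T08:06:01Z vpn-login user="ADMIN" src=198.51.100.7 result=success 2fa=skipped
2025-12-20T08:07:30Z vpn-login user="bwong" src=203.0.113.22 result=failure 2fa=skipped
2025-12-20T08:09:15Z vpn-login user="guest" src=198.51.100.9 result=success 2fa=skipped
"""

# Constructed set of accounts enrolled in 2FA, stored in their canonical case.
ENROLLED_2FA = {"jsmith", "admin", "bwong"}


def requires_2fa_vulnerable(username, enrolled):
    """Vulnerable pattern: exact (case-sensitive) lookup of the 2FA policy.
    "JSmith" is not found, so the 2FA step is silently skipped, even though
    the credential check behind it accepts the case variant."""
    return username in enrolled


def requires_2fa_fixed(username, enrolled):
    """Corrected pattern: canonicalize before the policy lookup so every case
    variant of an enrolled user still triggers the 2FA requirement."""
    return username.lower() in {u.lower() for u in enrolled}


LINE_RE = re.compile(
    r'(?P<ts>\S+) vpn-login user="(?P<user>[^"]*)" src=(?P<src>\S+) '
    r'result=(?P<result>\w+) 2fa=(?P<mfa>\w+)'
)


def parse_logins(text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_case_variant_logins(events, enrolled):
    """Flag successful logins whose username matches an enrolled account only
    case-insensitively and whose 2FA step did not complete. Exact-case logins
    and accounts not enrolled in 2FA are out of scope for this check."""
    by_lower = {u.lower(): u for u in enrolled}
    findings = []
    for ev in events:
        if ev["result"] != "success":
            continue
        canonical = by_lower.get(ev["user"].lower())
        if canonical is None or ev["user"] == canonical:
            continue
        if ev["mfa"] != "completed":
            findings.append({
                "ts": ev["ts"],
                "supplied": ev["user"],
                "canonical": canonical,
                "src": ev["src"],
            })
    return findings


if __name__ == "__main__":
    for f in find_case_variant_logins(parse_logins(SAMPLE_LOG), ENROLLED_2FA):
        print(f"{f['ts']} {f['src']} logged in as {f['supplied']!r} "
              f"(enrolled account {f['canonical']!r}) without completing 2FA")
```

Run against the constructed log, the detection returns the "JSmith" and "ADMIN" logins from 198.51.100.7; the exact-case "jsmith" login (2FA completed), the failed "bwong" attempt and the non-enrolled "guest" account are not reported. The same normalization belongs on the policy side: whichever layer decides whether 2FA is required must canonicalize the identifier the same way the credential check does.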

Critical WatchGuard Fireware OS Vulnerability (CVE‑2025‑14733): Active Exploitation and Emergency Patch Guidance

Cybersecurity Advisory: As of December 19, 2025, WatchGuard Fireware OS is impacted by a critical out‑of‑bounds write vulnerability, CVE‑2025‑14733, actively exploited in the wild according to the vendor’s advisory [1]. The flaw affects IKEv2 Mobile User VPN and Branch Office VPN configurations involving dynamic gateway peers. Patch updates are available for supported versions, and exploitation attempts have been confirmed from multiple IPs. The vulnerability carries
Read More

FortiCloud SSO Authentication Bypass in Fortinet FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager

Fortinet has released security fixes for four vulnerabilities that affect authentication and login flows across multiple products, including two critical FortiCloud SSO authentication bypass issues in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager (CVE‑2025‑59718 and CVE‑2025‑59719) and additional login weaknesses in FortiSOAR (CVE‑2025‑59808) and FortiWeb (CVE‑2025‑64471). As of December 9, 2025, patches are available, and administrators are urged to disable FortiCloud SSO login where in use
Read More

October 2025 Fortinet and Ivanti Security Patches: Timely, High‑Severity Fixes and Guidance

As of October 15, 2025, enterprise operators of Fortinet and Ivanti platforms should immediately review and apply October 2025 security patches and advisories. Fortinet published multiple PSIRTs, including issues in FortiOS/FortiProxy ZTNA, FortiOS CLI controls on specific appliances, FortiIsolator authentication/session handling, FortiClientMac LaunchDaemon permissions, and weak authentication affecting FortiPAM and FortiSwitchManager. Patches and fixed versions are available per PSIRT/NVD.
Read More

Red Hat Consulting GitLab Breach: What Was Taken, Who’s at Risk, and What to Do Now

Red Hat disclosed on October 2, 2025 that a third party accessed a GitLab instance used for internal collaboration by Red Hat Consulting in select engagements; Red Hat removed access, isolated the instance, involved authorities, and is continuing the investigation. The company emphasized the incident is confined specifically to that Consulting GitLab environment [1][2] (redhat.com). Who claims what: A group calling itself Crimson Collective
Read More

Why OT Operators Must Have a Living, Accurate Inventory — and How Leargas Can Help

In August 2025, a coalition of cybersecurity agencies from the U.S., Canada, Australia, New Zealand, the Netherlands, Germany—and later joined by the U.K.—issued new guidance calling on OT/ICS operators to develop and maintain a definitive, continually updated system inventory. This isn’t just bureaucratic advice. It addresses a core pain point: if you don’t reliably know what’s in your environment and how it connects, you
Read More

CISA ED 25‑03 Cisco ASA: Emergency Zero‑Day Mitigation, Detection, and ROMMON Persistence Guidance

As of September 26, 2025, CISA’s ED 25‑03 mandates immediate action to identify and mitigate potential compromise of Cisco ASA and Firepower devices amid an active campaign chaining CVE‑2025‑20362 (missing authorization) with CVE‑2025‑20333 (RCE). Cisco also disclosed CVE‑2025‑20363 (web services RCE) across ASA/FTD and IOS families. Patching is available. CISA set aggressive deadlines: core dump submissions and urgent upgrades by September 26, 2025, and
Read More

MySonicWall Breach: Firewall Config Backups Exposed — Reset Passwords Now

As of September 18, 2025, SonicWall advises impacted customers to perform a MySonicWall breach password reset and rotate other secrets after threat actors accessed some cloud‑stored firewall configuration backups. SonicWall reports fewer than 5% of firewalls had backup preference files accessed; credentials in those files were encrypted; no leak evidence is known and this was not a ransomware event, but brute-force activity against the
Read More

Shai‑Hulud npm worm: self‑replicating supply chain attack, secret theft, and repo exposure

As of September 18, 2025, organizations that build or run JavaScript software face a high‑risk supply chain incident: the Shai‑Hulud npm worm is actively compromising maintainer accounts, inserting a malicious postinstall bundle.js into popular packages, harvesting tokens and secrets, and mass‑migrating private GitHub repositories to public. Evidence shows large‑scale propagation and data exposure; no CVE/KEV entry applies because this is a campaign, not a
Read More

What You’ll Find: Cybersecurity Insights You Can Use

Our mission is to help you make informed decisions with content that blends research, tooling, and daily operations. Specifically, every article distills cybersecurity insights grounded in real-world data:

  • Threat intelligence briefings: Indicators, adversary behaviors, dark web exposure trends, and takedown-ready context you can apply immediately.
  • XDR best practices: Detection engineering with Zeek and Suricata, noise-cutting alert triage, and correlation strategies that surface what matters.
  • OT/ICS security: Industrial network visibility, lateral movement discovery, and asset criticality insights to safeguard plants and substations.
  • Cloud and identity defense: Hygiene for Microsoft 365, Google, AWS, and others, to prevent account takeover, privilege abuse, and email compromise.
  • Vulnerability and exposure management: CVE prioritization, attack surface mapping, and remediation workflows that reduce risk faster.
  • AI in the SOC: How large language models accelerate investigations, summarize incidents, and help close staffing and skills gaps.
  • Compliance and governance: Actionable guidance for NIST, PCI, PIPEDA, and SOC 2, plus audit-friendly reporting you can trust.

Who Benefits from Our Cybersecurity Insights

This blog serves CISOs, SOC leaders, incident responders, detection engineers, and MSSPs, especially teams safeguarding critical infrastructure, energy cooperatives, municipalities, and resource-constrained organizations. Whether you manage multiple tenants, uphold strict SLAs, or protect mixed IT/OT environments, our cybersecurity insights are tailored to your operating reality.

Our Research Lens: From Packets to Posture

First, Léargas analyzes network flows from a strategic vantage point at the core switch via SPAN ports, capturing inbound, outbound, and east–west traffic to expose lateral movement.

Second, we correlate Zeek and Suricata IDS telemetry with logs from Microsoft, Google, Amazon, Okta, Duo, and other sources, and enrich them with curated threat intelligence, geolocation data, known malicious sources, and file hashes. We capture suspicious files at the packet level and detonate them in a sandbox for malware analysis.

Finally, we continuously scan the clear and dark web (including unlisted Tor sites) to detect leaked credentials and sensitive data. Routine network vulnerability scans highlight misconfigurations and missing patches so you can remediate issues before they’re weaponized.
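The correlation step above is the part a detection engineer most wants to see concretely: network telemetry and identity logs are keyed on the same host addresses, so a Zeek connection, a Suricata alert and an identity-provider session for one source IP can be folded into a single per-host finding and enriched against a threat-intelligence list. The example below is added here and is not the Léargas platform's code. It parses a constructed Zeek conn.log fragment (TSV with a `#fields` header), constructed Suricata EVE JSON lines, constructed Okta-style session events and a constructed threat-intel IP set, then scores each internal host by what the joined evidence shows. The scoring weights, the signature text and every address are assumptions for illustration; the field names follow the public Zeek, Suricata EVE and Okta System Log formats only loosely.

```python
import json
from collections import defaultdict
from ipaddress import ip_address

# --- Constructed inputs (not real telemetry) ---------------------------------
ZEEK_CONN = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1734681600.123\tCx1a\t10.0.5.21\t51234\t198.51.100.7\t443\ttcp
1734681605.456\tCx1b\t10.0.5.21\t51240\t10.0.9.4\t445\ttcp
1734681610.789\tCx1c\t10.0.7.8\t40000\t93.184.216.34\t443\ttcp
"""

SURICATA_EVE = """\
{"timestamp":"2025-12-20T08:00:05Z","event_type":"alert","src_ip":"10.0.5.21","dest_ip":"10.0.9.4","dest_port":445,"alert":{"signature":"CONSTRUCTED SMB admin share access","severity":2}}
{"timestamp":"2025-12-20T08:00:10Z","event_type":"flow","src_ip":"10.0.7.8","dest_ip":"93.184.216.34"}
"""

IDENTITY_EVENTS = """\
{"eventType":"user.session.start","actor":{"alternateId":"jsmith@example.com"},"client":{"ipAddress":"10.0.5.21"},"outcome":{"result":"SUCCESS"}}
{"eventType":"user.session.start","actor":{"alternateId":"bwong@example.com"},"client":{"ipAddress":"10.0.7.8"},"outcome":{"result":"SUCCESS"}}
"""

THREAT_INTEL_IPS = {"198.51.100.7"}  # constructed feed entry, not a real indicator

# Assumed weights: known-bad destination > IDS alert > east-west connection.
W_THREAT_INTEL, W_IDS_ALERT, W_EAST_WEST = 3, 2, 1


def parse_zeek_conn(text):
    """Parse Zeek TSV conn.log rows into dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def parse_jsonl(text):
    """Parse newline-delimited JSON (Suricata EVE, exported IdP logs)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(conns, eve_events, identity_events, ti_ips):
    """Join the three sources on the originating host and score each host.
    Returns only hosts with at least one network or IDS signal; identity
    events alone never raise a finding, they add the 'who' to a host."""
    def new_host():
        return {"users": set(), "ti_hits": set(), "alerts": [], "east_west": [], "score": 0}
    hosts = defaultdict(new_host)

    for c in conns:
        src, dst = c["id.orig_h"], c["id.resp_h"]
        if dst in ti_ips:
            hosts[src]["ti_hits"].add(dst)
            hosts[src]["score"] += W_THREAT_INTEL
        elif ip_address(dst).is_private:
            # Internal-to-internal traffic seen on the SPAN: candidate lateral movement.
            hosts[src]["east_west"].append((dst, int(c["id.resp_p"])))
            hosts[src]["score"] += W_EAST_WEST

    for e in eve_events:
        if e.get("event_type") == "alert":
            hosts[e["src_ip"]]["alerts"].append(e["alert"]["signature"])
            hosts[e["src_ip"]]["score"] += W_IDS_ALERT

    for ev in identity_events:
        if ev.get("outcome", {}).get("result") == "SUCCESS":
            hosts[ev["client"]["ipAddress"]]["users"].add(ev["actor"]["alternateId"])

    return {h: d for h, d in hosts.items() if d["score"] > 0}


def run():
    """Correlate the constructed inputs; returns {host: finding}."""
    return correlate(parse_zeek_conn(ZEEK_CONN), parse_jsonl(SURICATA_EVE),
                     parse_jsonl(IDENTITY_EVENTS), THREAT_INTEL_IPS)


if __name__ == "__main__":
    for host, d in sorted(run().items(), key=lambda kv: -kv[1]["score"]):
        print(host, "score", d["score"], "users", sorted(d["users"]),
              "ti", sorted(d["ti_hits"]), "alerts", d["alerts"], "east-west", d["east_west"])
```

On the constructed data, 10.0.5.21 surfaces as the only finding: jsmith's session host reached a threat-intel address and then opened SMB to an internal host that Suricata alerted on, while 10.0.7.8 (an ordinary outbound HTTPS connection with no alert) scores zero and is dropped. In production the same join is done on a time window rather than bare IP equality, since DHCP and NAT make an address-to-user mapping valid only around the session event.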

To conclude, these cybersecurity insights are powered by the same evidence-driven workflows our analysts use every day.