InfoSecBulletin Cybersecurity for mankind
# “While many leaked security credentials belong to customers, some exposed sensitive accounts suggest that security vendors too have been hit by infostealers.” #
A Cyble report reveals that account credentials from multiple cybersecurity vendors are being sold on dark web marketplaces. While most of the exposed credentials belong to customers—likely captured by infostealers infecting their devices—there has also been a concerning number of internal vendor credentials leaked, granting access to sensitive enterprise, development, and security systems.
CVE-2025-2492
ASUS warns of critical auth bypass flaw in routers
16,000+ Fortinet devices compromised with symlink backdoor, Mostly in Asia
Patch now! Critical Erlang/OTP SSH Vuln Allows UCE
CISA warns of increasing risk tied to Oracle legacy Cloud leak
CVE-2025-20236
Cisco Patches Unauthenticated RCE Flaw in Webex App
Apple released emergency security updates for 2 zero-day vulns
Oracle Released Patched for 378 flaws for April 2025
CVE-2025-24054
Hackers Exploiting NTLM Spoofing Windows Vuln the in Wild
Bengaluru firm got ransomware attack, Hacker demanded $70,000
MITRE warns: U.S. Govt. Funding for MITRE’s CVE Ends Today
These credentials can be purchased for as little as $10, with many being harvested from infostealer logs and sold in bulk. Cyble focused on credentials leaked in 2025, finding that all 14 vendors examined had both customer and internal credentials exposed. These vendors primarily provide enterprise and cloud security services, though some consumer security providers were also affected.
The leaked credentials largely belonged to customers and protected access to security management and account interfaces. However, internal vendor credentials were also found, with exposure to systems .
Cyble said it didn’t test to see if the credentials were valid, but noted that many were for “easily accessible web console interfaces, SSO logins and other web-facing account access points.”
In one case, a large vendor had sensitive internal company accounts exposed, including email addresses and developer and product account interfaces, which could pose significant risks depending on the level of access granted to these accounts.
Even if all the exposed accounts were protected by other means, as ideally, they were, such leaks are concerning for one other reason: They can help threat actors conduct reconnaissance by giving them an idea of the systems that a potential target uses, including locations of sensitive data and potential vulnerabilities to exploit.
Other sensitive information exposed by info stealers could include URLs of management interfaces that are unknown to the public, which would give hackers further recon information.
Leaked credentials for security tools and other important systems are important to monitor not only to prevent breaches but also to keep hackers from learning important information about an organization’s systems and how to access them.
Cyble concluded that “If the largest security vendors can be hit by infostealers, so can any organization, making basic cybersecurity practices like MFA, zero trust, vulnerability management and network segmentation important for minimizing – and ideally preventing – data breaches, ransomware and other cyberattacks.”
To read the full in-depth report click here.
Source: Cyble
