I Wrote About The Breach That Keeps Breaching in September. It's April and It's Still Breaching.
- Patrick Duggan
- 6 days ago
- 4 min read
In September 2025, I wrote a blog post called "UNC6395: The Breach That Keeps On Breaching." It was about a Chinese-linked threat actor who compromised Salesloft's Drift OAuth integration and used it to pillage Salesforce instances across dozens of enterprises. They weren't after the data in Salesforce. They were harvesting credentials — AWS keys, Snowflake tokens, passwords — stored inside Salesforce records by companies who treated their CRM like a password manager.
I wrote a follow-up predicting the breach would cascade like Snowflake's did. Then another follow-up when it did.
The thesis was simple: the management plane is the new perimeter. Stop thinking about endpoints. The thing that manages your endpoints is the thing getting owned.
Seven months later, Fortinet is proving me right twice in two weeks.
The Timeline
February 2026 — CVE-2026-21643 is disclosed. Critical SQL injection in FortiClient Endpoint Management Server. CVSS 9.8. A single HTTP request with a crafted header is enough to execute arbitrary SQL against the backing PostgreSQL database. You get admin credentials, endpoint inventory, security policies, certificates for every managed device.
One request. Every endpoint you manage is now compromised.
March 30 — Active exploitation confirmed. Defused Cyber warns that CVE-2026-21643 has been exploited for at least four days. Roughly 1,000 FortiClient EMS deployments are exposed to the internet. Fortinet issues an advisory months after disclosure.
March 31 — While defenders are still patching CVE-2026-21643, watchTowr's honeypots catch exploitation attempts for a completely new vulnerability. CVE-2026-35616. Same product. FortiClient EMS. This time it's a pre-authentication API bypass. CVSS 9.1. No credentials needed. Send crafted API requests, bypass all authentication and authorization, gain full control over endpoint management.
April 4 — Fortinet confirms CVE-2026-35616 is being actively exploited in the wild. Emergency hotfix released for versions 7.4.5 and 7.4.6.
Two critical zero-days in the same endpoint management product. Both actively exploited. Both pre-authentication. Both give you the keys to every endpoint the server manages. Fourteen days apart.
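To make the February entry concrete: the defect class described there is an HTTP header value spliced into a SQL statement. The Python below is added here as an illustration; it is not Fortinet's code and nothing in it comes from the advisory or a proof of concept. The schema, table names, header value and allowlist pattern are all constructed, and sqlite3 stands in for PostgreSQL so it runs offline. It puts the vulnerable pattern beside the two layers of the fix: bind the value as a parameter, and validate its shape before it reaches the query at all.

```python
import re
import sqlite3

# Constructed stand-in for a management server's admin table (hypothetical schema, not
# Fortinet's). sqlite3 replaces PostgreSQL only so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO admins VALUES (?, ?, ?)",
        [("alice", "hash-a", "superadmin"), ("bob", "hash-b", "readonly")],
    )
    return conn

# Textbook tautology, constructed for the demo; a value like this arriving in a header
# is exactly what the parameterized path below must treat as plain data.
CONSTRUCTED_PROBE = "' OR '1'='1"

def lookup_vulnerable(conn, header_value):
    # Anti-pattern: the raw header value is spliced into the SQL text, so quote
    # characters in it change the statement's structure instead of being compared.
    sql = "SELECT username, role FROM admins WHERE username = '" + header_value + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, header_value):
    # Fix: the value is bound as a parameter; the database never parses it as SQL.
    sql = "SELECT username, role FROM admins WHERE username = ?"
    return conn.execute(sql, (header_value,)).fetchall()

def allowlisted(header_value):
    # Defence in depth: reject anything outside the shape a real username can have,
    # before it reaches the query at all (the character class is an assumption).
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", header_value) is not None

def lookup_hardened(conn, header_value):
    # Validate, then parameterize. Returns None for a rejected value so the caller can
    # log it as a probe rather than silently returning an empty result.
    if not allowlisted(header_value):
        return None
    return lookup_parameterized(conn, header_value)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, CONSTRUCTED_PROBE))      # every admin row
    print("parameterized:", lookup_parameterized(db, CONSTRUCTED_PROBE))  # []
    print("hardened:", lookup_hardened(db, CONSTRUCTED_PROBE))            # None
```

The parameterized query alone closes the injection; the allowlist is there so that a rejected value produces a distinct signal (None) that can be counted and alerted on, which is the detection angle the rest of this post is about.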
The Pattern
This is the same pattern UNC6395 exploited in August 2025. Different product, identical logic:
| Attack | Target | What They Got |
| --- | --- | --- |
| UNC6395 (Aug 2025) | Salesloft Drift OAuth → Salesforce | AWS keys, Snowflake tokens, passwords from CRM records |
| CVE-2026-21643 (Feb 2026) | FortiClient EMS → PostgreSQL | Admin creds, endpoint inventory, security policies, device certificates |
| CVE-2026-35616 (Apr 2026) | FortiClient EMS → API layer | Full endpoint management control, no auth required |
Every one of these attacks targets the management plane — the system that sits above your endpoints and controls them. Not the firewall. Not the endpoint agent. The thing that tells the firewall what to block and tells the endpoint agent what to allow.
When you own the management plane, you own everything it manages. UNC6395 understood this with OAuth tokens. Whoever is exploiting FortiClient EMS understands it with SQL injection and API bypass.
Why This Keeps Happening
Endpoint management servers are enterprise software from 2008 with a web UI bolted on in 2018. They were designed to sit behind a VPN on a management VLAN that only three people had access to. Then COVID happened, and somebody opened port 443 so the remote IT team could manage laptops from home. Then nobody closed it.
Now there are 1,000 FortiClient EMS instances directly exposed to the internet. Each one is a SQL-injectable, API-bypassable door to every endpoint in the organization.
Fortinet isn't uniquely bad here. Ivanti had CVE-2026-1603 — an EPM auth bypass that leaked credentials, added to CISA KEV in March. Cisco's Integrated Management Controller had CVE-2026-20093 — CVSS 9.8, auth bypass, full admin takeover, patched this week. The management console is the target across every vendor.
The attackers figured out what I wrote in September: you don't need to hack 10,000 endpoints if you can hack the one server that manages all 10,000.
What We're Doing About It
When I wrote the UNC6395 posts, I didn't have the infrastructure to do anything about it beyond writing. Now I do.
Our exploit harvester searches GitHub every 6 hours for new CVE proof-of-concept code. When the PoC for CVE-2026-35616 drops — and it will, within 48 hours — the harvester will pull it, extract the attack pattern (the API endpoints, the bypass headers, the request structure), classify it, and convert it to a STIX 2.1 detection rule. That rule flows to 275+ organizations through our feed before most defenders have finished reading the advisory.
We already have 0xBlackash's PoC for CVE-2026-21643 indexed — the SQL injection patterns, the target endpoints (/api/v1/init_consts), the injectable headers. Those detection rules are live in our STIX feed right now.
Our edge honeypots — Cloudflare Workers running on 300+ points of presence — catch the same kind of scanning that watchTowr's honeypots caught. When someone probes for FortiClient EMS endpoints on our infrastructure, we capture their fingerprint and index their IP into the same STIX feed. Their reconnaissance becomes our detection rule.
The 6 million autonomous decisions our platform has made aren't just blocking known-bad IPs. They're building behavioral profiles of how management-plane attackers operate — what they scan for, how they stage, when they escalate.
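The honeypot-to-feed path described in this section, sketched in Python as an added example (this is not the author's platform code): constructed honeypot log lines are parsed, source IPs that probed the management-API path named in this post are counted, and each one becomes a STIX 2.1 Indicator object inside a Bundle that a feed could serve. The log layout, the threshold, the field names and the sample IPs (all from documentation ranges) are assumptions; only the standard library is used.

```python
import json
import uuid
from collections import Counter
from datetime import datetime, timezone

# Constructed honeypot hits (hypothetical log layout, not the author's feed format).
# Columns: timestamp, source IP, method, path, user-agent. IPs are documentation ranges.
SAMPLE_LOG = """\
2026-03-31T02:14:07Z 198.51.100.23 GET /api/v1/init_consts python-requests/2.31
2026-03-31T02:14:09Z 198.51.100.23 POST /api/v1/init_consts python-requests/2.31
2026-03-31T02:14:11Z 198.51.100.23 GET /api/v1/init_consts python-requests/2.31
2026-03-31T02:15:40Z 203.0.113.9 GET /robots.txt Mozilla/5.0
2026-03-31T02:16:02Z 192.0.2.77 GET /api/v1/init_consts curl/8.4.0
"""

# Paths the honeypot treats as management-API probes. /api/v1/init_consts is the
# endpoint named in the post; add others only from your own telemetry.
WATCHED_PATHS = {"/api/v1/init_consts"}
THRESHOLD = 1  # nothing legitimate hits this path on a honeypot, so one request is enough

def parse_log(text):
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue  # drop malformed lines instead of crashing the pipeline
        ts, ip, method, path, ua = parts
        events.append({"ts": ts, "ip": ip, "method": method, "path": path, "ua": ua})
    return events

def find_probers(events, threshold=THRESHOLD):
    # Count requests to watched paths per source IP; keep those at or above threshold.
    hits = Counter(e["ip"] for e in events if e["path"] in WATCHED_PATHS)
    return {ip: n for ip, n in hits.items() if n >= threshold}

def first_seen(events, ip):
    return min(e["ts"] for e in events if e["ip"] == ip)

def stix_ts(iso_z):
    # Validate the log timestamp and emit STIX's RFC 3339 form with millisecond precision.
    dt = datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.000Z")

def make_indicator(ip, hits, seen, now):
    # Minimal STIX 2.1 Indicator: the required properties plus a descriptive name.
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": now,
        "modified": now,
        "name": f"Honeypot probe of management API from {ip}",
        "description": f"{hits} request(s) to watched EMS-style path(s) on an edge honeypot",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{ip}']",
        "pattern_type": "stix",
        "valid_from": stix_ts(seen),
    }

def build_bundle(log_text, now=None):
    # One Indicator per probing IP, wrapped in a STIX Bundle ready to publish on a feed.
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    events = parse_log(log_text)
    objects = [
        make_indicator(ip, n, first_seen(events, ip), now)
        for ip, n in sorted(find_probers(events).items())
    ]
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": objects}

if __name__ == "__main__":
    print(json.dumps(build_bundle(SAMPLE_LOG), indent=2))
```

Two design points worth keeping when adapting this: the IP never becomes an indicator unless it touched a watched path (203.0.113.9, which only fetched robots.txt, is ignored), and `valid_from` is taken from the first observed probe rather than from publication time, so consumers can correlate against their own logs from the moment the scanning actually began.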
The Point
I told you in September that management plane attacks would cascade. They cascaded. I told you the breach would keep breaching. It kept breaching. Now Fortinet has two actively exploited zero-days in the same management product in two weeks, and the pattern I identified seven months ago is the pattern that's owning enterprises today.
The management plane is the perimeter. The endpoint management server is the highest-value target in your network. And the vendors who build these products keep shipping pre-auth SQL injection and API bypass vulnerabilities like it's 2006.
Your threat feed should be watching for this. Ours is. Has been since September.
Previously:
- UNC6395: The Breach That Keeps On Breaching (https://www.dugganusa.com/post/unc6395-the-breach-the-keeps-on-breaching) (September 2025)
- UNC6395: I Told You So (https://www.dugganusa.com/post/unc6395-i-told-you-so-the-breach-that-won-t-stop-breaching)
- Why The UNC6395 Breach Is Likely To Cascade Just Like Snowflake's Did (https://www.dugganusa.com/post/why-the-unc6395-breach-is-likely-to-cascade-just-like-snowflake-s-did)
- Another Day, Another Management Console Owned. Fortinet EMS Makes It Five CVSS 9.8+ in Two Weeks. (https://www.dugganusa.com/post/another-day-another-management-console-owned-fortinet-ems-makes-it-five-cvss-9-8-in-two-weeks)
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
