CVE-2022-42475
Published: 2023-01-02

A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability: remediation due 2023-01-03
Exploited in the wild
EPSS: 99.47% (99.9th percentile)
Affected
49 ranges (25 shown)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fortinet | fim-7901e | — | — |
| fortinet | fim-7904e | — | — |
| fortinet | fim-7910e | — | — |
| fortinet | fim-7920e | — | — |
| fortinet | fim-7921f | — | — |
| fortinet | fim-7941f | — | — |
| fortinet | fortigate-6300f | — | — |
| fortinet | fortigate-6300f-dc | — | — |
| fortinet | fortigate-6500f | — | — |
| fortinet | fortigate-6500f-dc | — | — |
| fortinet | fortigate-6501f | — | — |
| fortinet | fortigate-6501f-dc | — | — |
| fortinet | fortigate-6601f | — | — |
| fortinet | fortigate-6601f-dc | — | — |
| fortinet | fortigate-7030e | — | — |
| fortinet | fortigate-7040e | — | — |
| fortinet | fortigate-7060e | — | — |
| fortinet | fortigate-7121f | — | — |
| fortinet | fortios | — | — |
| fortinet | fortios | 5.0.0 – 5.0.14 | — |
| fortinet | fortios | 5.2.0 – 5.2.15 | — |
| fortinet | fortios | 5.4.0 – 5.4.13 | — |
| fortinet | fortios | 5.6.0 – 5.6.14 | — |
| fortinet | fortios | >= 6.0.0 < 6.0.16 | 6.0.16 |
| fortinet | fortios | >= 6.0.0 < 6.0.15 | 6.0.15 |
Detection & IOCs (extracted from sources)
- Look for symbolic links in the SSL-VPN language files folder pointing to the root filesystem — a post-exploitation persistence mechanism used after CVE-2022-42475 exploitation.
- Coathanger RAT persists through reboots and firmware upgrades by injecting a backup of itself into the process responsible for rebooting; even fully patched FortiGate devices may be infected if compromised before patching.
- Coathanger hides itself by intercepting system calls — look for anomalous syscall hooking or hidden processes on FortiGate appliances.
- Threat actors chained CVE-2022-42475 with CVE-2022-47966 (Zoho ManageEngine RCE) in the same intrusion; look for correlated exploitation of both vulnerabilities in network telemetry.
- Post-exploitation activity includes downloading additional malicious payloads onto compromised FortiGate devices; monitor for unexpected outbound connections from FortiGate appliances.
- CERT-FR confirmed a massive campaign using the symlink persistence technique going back to early 2023; scope incident response to cover this full timeframe on any SSL-VPN-enabled FortiGate.
- Fortinet telemetry-based notification emails with the subject 'Notification of device compromise - FortiGate / FortiOS - ** Urgent action required **' indicate confirmed compromise; treat receipt of such an email as a high-priority incident trigger.
- The symlink persistence mechanism only affects devices with SSL-VPN enabled; devices without SSL-VPN enabled are not exposed to this specific post-exploitation technique.
- Patching alone is insufficient if the device was compromised before patching — the symlink and the Coathanger RAT survive firmware upgrades and must be explicitly remediated.
- The original CVE-2022-42475 patch was silently released on November 28 without disclosure of active exploitation; organizations that patched promptly after the silent fix may still have been compromised during the zero-day window.
- Network segmentation was a key factor limiting damage in the Dutch MOD breach; absence of segmentation significantly increases the blast radius of a successful CVE-2022-42475 exploitation.
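The first detection item above (symlinks in the SSL-VPN language files folder that point at the root filesystem) can be checked mechanically once the appliance filesystem, or a copy of the relevant folder, is available on an analysis host. The script below is an added example, not Fortinet's tooling and not code from this page: it walks a directory tree and flags every symlink whose resolved target escapes that tree, which generalizes the advisory's pattern to relative `..` links as well as absolute links to `/`. The folder path is an assumption (pass the real language-files folder or the mounted image root as `root`), and the sample tree it builds is constructed solely for demonstration.

```python
"""Audit a directory tree for symbolic links whose target resolves outside
the tree. Added example for the Fortinet symlink-persistence detection
item; it is not Fortinet's own tooling. Run it against a mounted or
extracted copy of the appliance filesystem (path is an assumption).
"""
import os
import shutil
import tempfile
from pathlib import Path


def escaping_symlinks(root: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for every symlink under `root`
    whose resolved target lies outside `root`. Targets are resolved the way
    the OS would (relative to the link's own directory), without requiring
    the target to exist, so a link to a path that is absent on the analysis
    host is still reported."""
    root_path = Path(root).resolve()
    findings: list[tuple[str, str]] = []
    # followlinks=False: never descend through the links we are auditing.
    # Symlinked directories still appear in `dirnames`, so they are inspected.
    for dirpath, dirnames, filenames in os.walk(root_path, followlinks=False):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            if not entry.is_symlink():
                continue
            raw_target = os.readlink(entry)
            # Absolute targets replace the base; relative ones join onto it.
            target = (entry.parent / raw_target).resolve(strict=False)
            try:
                target.relative_to(root_path)  # inside the tree: benign
            except ValueError:
                findings.append((str(entry), str(target)))
    return findings


def build_demo_tree() -> str:
    """Construct a throwaway tree (constructed sample data, not a real
    appliance layout) with one benign link and two escaping links."""
    base = Path(tempfile.mkdtemp(prefix="sslvpn-lang-"))
    (base / "en.json").write_text("{}")
    os.symlink("en.json", base / "default.json")   # benign: stays inside the tree
    os.symlink("/", base / "fake.json")            # escapes to the filesystem root
    os.symlink("../../etc", base / "up.json")      # escapes via a relative path
    return str(base)


def flagged_names(root: str) -> list[str]:
    """Convenience wrapper: just the basenames of the links that escape."""
    return sorted(os.path.basename(link) for link, _ in escaping_symlinks(root))


if __name__ == "__main__":
    demo_root = build_demo_tree()
    try:
        for link, target in escaping_symlinks(demo_root):
            print(f"ESCAPING SYMLINK: {link} -> {target}")
    finally:
        shutil.rmtree(demo_root)
```

On a real image, point `root` at the SSL-VPN language files folder to match the advisory narrowly, or at the whole mounted filesystem to catch the same pattern anywhere; the function reports the link and its resolved target so each finding can be triaged against the device's expected layout.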
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
Fortinet
Heap-based buffer overflow in sslvpnd
vendor_fortinet·2023-01-02·CVSS 9.8
CVE-2022-42475 [CRITICAL] CWE-197 Heap-based buffer overflow in sslvpnd
FG-IR-22-398: Heap-based buffer overflow in sslvpnd
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
CVEs: CVE-2022-42475
CWEs: CWE-197, CWE-787
CVSS: 9.8 (critical)
Affected products: FortiGate-6300f, FortiGate-6300f-dc, FortiGate-6500f, FortiGate-6500f-dc, FortiGate-6501f, FortiGate-6501f-dc, FortiGate-6601f, FortiGate-6601f-dc, FortiGate-7030e, FortiGate-7040e, FortiGate-7060e, FortiGate-7121f, FortiOS, FortiProxy, fim-7901e, fim-7904e, fim-7910e, fim-7920e, fim-7921f, fim-7941f, fpm
CISA
Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
cisa·2022-12-13·CVSS 9.8
CVE-2022-42475 [CRITICAL] CWE-197 Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
Vulnerability: Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
Affected: Fortinet FortiOS
Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary code or commands via specifically crafted requests.
Required Action: Apply updates per vendor instructions.
Notes: https://www.fortiguard.com/psirt/FG-IR-22-398; https://nvd.nist.gov/vuln/detail/CVE-2022-42475
Remediation Due Date: 2023-01-03
GHSA
GHSA-p3vq-4cxh-gfp9: A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7
ghsa_unreviewed·2023-01-02
CVE-2022-42475 [CRITICAL] CWE-197 GHSA-p3vq-4cxh-gfp9: A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier and FortiProxy SSL-VPN 7.2.0 through 7.2.1, 7.0.7 and earlier may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
VulnCheck
Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
vulncheck·2022·CVSS 9.8
CVE-2022-42475 [CRITICAL] CWE-197 Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
Fortinet FortiOS Heap-Based Buffer Overflow Vulnerability
Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary code or commands via specifically crafted requests.
Affected: Fortinet FortiOS
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.fortiguard.com/psirt/FG-IR-22-398; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.mandiant.com/resources/blog/chinese-actors-exploit-fortios-flaw; https://www.prio-n.com/a-year-in-review-2022-100-vulnerabilities-you-sh
No detection rules found.
Nuclei
Fortinet SSL-VPN - Heap-Based Buffer Overflow
nuclei·CVSS 9.8
CVE-2022-42475 [CRITICAL] Fortinet SSL-VPN - Heap-Based Buffer Overflow
Fortinet SSL-VPN - Heap-Based Buffer Overflow
A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN (versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier) and FortiProxy SSL-VPN (versions 7.2.0 through 7.2.1, 7.0.7 and earlier) may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.
Template:
```yaml
id: CVE-2022-42475

info:
  name: Fortinet SSL-VPN - Heap-Based Buffer Overflow
  author: 0xhaggis,pszyszkowski,pussycat0x
  severity: critical
  description: |
    A heap-based buffer overflow vulnerability [CWE-122] in FortiOS SSL-VPN (versions 7.2.0 through 7.2.2, 7.0.0 through 7.0.8, 6.4.0 through 6.4.10, 6.2.0 through 6.2.11, 6.0.15 and earlier) and FortiProxy SSL-VPN
```
Tenable
CVE-2026-35616: Fortinet FortiClientEMS improper access control vulnerability exploited in the wild
blogs_tenable·2026-04-06·CVSS 9.8
[CRITICAL] CVE-2026-35616: Fortinet FortiClientEMS improper access control vulnerability exploited in the wild
Greynoiseio
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
blogs_greynoiseio·2026-02-02
The Noise in the Silence: Unmasking CISA's Hidden KEV Ransomware Updates
Bleepingcomputer
Hackers now exploiting critical Fortinet FortiSIEM flaw in attacks
blogs_bleepingcomputer·2026-01-16·CVSS 9.8
CVE-2025-64155 [CRITICAL] Hackers now exploiting critical Fortinet FortiSIEM flaw in attacks
## Hackers now exploiting critical Fortinet FortiSIEM flaw in attacks
## Sergiu Gatlan
A critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code is now being abused in attacks.
According to security researcher Zach Hanley at penetration testing company Horizon3.ai, who reported the vulnerability (CVE-2025-64155), it is a combination of two issues that allow arbitrary writes with admin permissions and privilege escalation to root access.
"An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests," Fortinet explained on Tuesday, when it released security updates to patch th
Tenable
CVE-2025-64155 PoC released Command Injection Vulnerability
blogs_tenable·2026-01-14·CVSS 9.8
[CRITICAL] CVE-2025-64155 PoC released Command Injection Vulnerability
Bleepingcomputer
Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
blogs_bleepingcomputer·2026-01-02·CVSS 9.8
CVE-2020-12812 [CRITICAL] Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
## Over 10K Fortinet firewalls exposed to actively exploited 2FA bypass
## Sergiu Gatlan
Over 10,000 Fortinet firewalls are still exposed online and vulnerable to ongoing attacks exploiting a five-year-old critical two-factor authentication (2FA) bypass vulnerability.
Fortinet released FortiOS versions 6.4.1, 6.2.4, and 6.0.10 in July 2020 to address this flaw (tracked as CVE-2020-12812) and advised admins who couldn't immediately patch to turn off username-case-sensitivity to block 2FA bypass attempts targeting their devices.
This improper authentication security flaw (rated 9.8/10 in severity) was found in FortiGate SSL VPN and allows attackers to log in to unpatched firewalls without being prompted for the second factor of authentication (FortiToken) when the username's case is cha
Bleepingcomputer
Over 25,000 FortiCloud SSO devices exposed to remote attacks
blogs_bleepingcomputer·2025-12-19·CVSS 9.8
CVE-2025-59718 [CRITICAL] Over 25,000 FortiCloud SSO devices exposed to remote attacks
## Over 25,000 FortiCloud SSO devices exposed to remote attacks
## Sergiu Gatlan
Internet security watchdog Shadowserver has found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled, amid ongoing attacks targeting a critical authentication bypass vulnerability.
Fortinet noted on December 9th, when it patched the security flaw tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb), that the vulnerable FortiCloud SSO login feature is not enabled until admins register the device with the company's FortiCare support service.
As cybersecurity company Arctic Wolf reported on Monday, the vulnerability is now actively exploited to compromise admin accounts via malicious single sign-on (SSO) logins.
Threat actors are abusing it i
Bleepingcomputer
Fortinet warns of critical FortiCloud SSO login auth bypass flaws
blogs_bleepingcomputer·2025-12-09·CVSS 9.8
CVE-2025-59718 [CRITICAL] Fortinet warns of critical FortiCloud SSO login auth bypass flaws
## Fortinet warns of critical FortiCloud SSO login auth bypass flaws
## Sergiu Gatlan
Fortinet has released security updates to address two critical vulnerabilities in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that could allow attackers to bypass FortiCloud SSO authentication.
Threat actors can exploit the two security flaws tracked as CVE-2025-59718 (FortiOS, FortiProxy, FortiSwitchManager) and CVE-2025-59719 (FortiWeb) by abusing improper verification of cryptographic signature weaknesses in vulnerable products via a maliciously crafted SAML message.
However, as Fortinet explained in an advisory published today, the vulnerable FortiCloud feature is not enabled by default when the device is not FortiCare-registered.
"Please note that the FortiCloud SSO login feature is no
Bleepingcomputer
Fortinet warns of new FortiWeb zero-day exploited in attacks
blogs_bleepingcomputer·2025-11-18·CVSS 7.2
CVE-2025-58034 [HIGH] Fortinet warns of new FortiWeb zero-day exploited in attacks
## Fortinet warns of new FortiWeb zero-day exploited in attacks
## Sergiu Gatlan
Today, Fortinet released security updates to patch a new FortiWeb zero-day vulnerability that threat actors are actively exploiting in attacks.
Tracked as CVE-2025-58034, this web application firewall security flaw was reported by Jason McFadyen of Trend Micro's Trend Research team.
Authenticated threat actors can gain code execution by successfully exploiting this OS command injection vulnerability in low-complexity attacks that don't require user interaction.
"An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiWeb may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests o
Tenable
CVE-2025-64446 FortiWeb Zero-Day Exploited
blogs_tenable·2025-11-14·CVSS 9.8
[CRITICAL] CVE-2025-64446 FortiWeb Zero-Day Exploited
Tenable
CVE-2025-25256: Proof of Concept Released for Critical Fortinet FortiSIEM Command Injection Vulnerability
blogs_tenable·2025-08-13·CVSS 9.8
[CRITICAL] CVE-2025-25256: Proof of Concept Released for Critical Fortinet FortiSIEM Command Injection Vulnerability
Trendmicro
Revisiting UNC3886 Tactics to Defend Against Present Risk
blogs_trendmicro·2025-07-28
Revisiting UNC3886 Tactics to Defend Against Present Risk
APT & Targeted Attacks
# Revisiting UNC3886 Tactics to Defend Against Present Risk
We examine the past tactics used by UNC3886 to gain insight on how to best strengthen defenses against the ongoing and emerging threats of this APT group.
By: Cj Arsley Mateo, Ieriz Nicolle Gonzalez, Jacob Santos, Paul John Bardon, Angelo Junio, Rayven Cervantes
2025/07/28
## Key Takeaways
- UNC3886 is an APT group that has historically targeted critical infrastructure, including telecommunications, government, technology, and defense, with a recent attack against Singapore.
- The group is known for rapidly exploiting zero-day and high-impact vulnerabilities in network and virtualization devices such as VMware vCenter/ESXi, Fortinet FortiOS, and Juniper Junos OS.
- UN
Tenable
Frequently Asked Questions About Iranian Cyber Operations
blogs_tenable·2025-06-27
Frequently Asked Questions About Iranian Cyber Operations
Bleepingcomputer
Critical Fortinet flaws now exploited in Qilin ransomware attacks
blogs_bleepingcomputer·2025-06-06·CVSS 9.8
[CRITICAL] Critical Fortinet flaws now exploited in Qilin ransomware attacks
## Critical Fortinet flaws now exploited in Qilin ransomware attacks
## Sergiu Gatlan
The Qilin ransomware operation has recently joined attacks exploiting two Fortinet vulnerabilities that allow bypassing authentication on vulnerable devices and executing malicious code remotely.
Qilin (also tracked as Phantom Mantis) surfaced in August 2022 as a Ransomware-as-a-Service (RaaS) operation under the "Agenda" name and has since claimed responsibility for over 310 victims on its dark web leak site.
Its victim list also includes high-profile organizations, such as automotive giant Yangfeng, publishing giant Lee Enterprises, Australia's Court Services Victoria, and pathology services provider Synnovis. The Synnovis incident impacted several major NHS hospitals in London, which forced the
Tenable
CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
blogs_tenable·2025-05-14·CVSS 9.8
[CRITICAL] CVE-2025-32756: Zero-Day Vulnerability in Multiple Fortinet Products Exploited in the Wild
Bleepingcomputer
Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
blogs_bleepingcomputer·2025-04-11·CVSS 9.8
[CRITICAL] Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
## Fortinet: Hackers retain access to patched FortiGate VPNs using symlinks
## Sergiu Gatlan
Fortinet warns that threat actors use a post-exploitation technique that helps them maintain read-only access to previously compromised FortiGate VPN devices even after the original attack vector was patched.
Earlier this week, Fortinet began sending emails to customers warning that their FortiGate/FortiOS devices were compromised based on telemetry received from FortiGuard devices.
These emails were titled "Notification of device compromise - FortiGate / FortiOS - ** Urgent action required **," given a TLP:AMBER+STRICT designation.
"This issue is not related to any new vulnerability. This file was left behind by a threat actor following exploitation of previous known vulnerabilities," the ema
Tenable
CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
blogs_tenable·2025-01-14·CVSS 9.8
[CRITICAL] CVE-2024-55591: Fortinet Authentication Bypass Zero-Day Vulnerability Exploited in the Wild
Tenable
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
blogs_tenable·2024-11-19
Volt Typhoon: U.S. Critical Infrastructure Targeted by State-Sponsored Actors
Bleepingcomputer
Fortinet warns of new critical FortiManager flaw used in zero-day attacks
blogs_bleepingcomputer·2024-10-23·CVSS 9.8
CVE-2024-47575 [CRITICAL] Fortinet warns of new critical FortiManager flaw used in zero-day attacks
## Fortinet warns of new critical FortiManager flaw used in zero-day attacks
## Lawrence Abrams
Fortinet publicly disclosed today a critical FortiManager API vulnerability, tracked as CVE-2024-47575, that was exploited in zero-day attacks to steal sensitive files containing configurations, IP addresses, and credentials for managed devices.
The company privately warned FortiManager customers about the flaw starting October 13th in advanced notification emails seen by BleepingComputer that contained steps to mitigate the flaw until a security update was released.
However, news of the vulnerability began leaking online throughout the week by customers on Reddit and by cybersecurity researcher Kevin Beaumont on Mastodon, who calls this flaw "FortiJump."
Fortinet device admins have also sh
Bleepingcomputer
CISA says critical Fortinet RCE flaw now exploited in attacks
blogs_bleepingcomputer·2024-10-09·CVSS 9.8
CVE-2024-23113 [CRITICAL] CISA says critical Fortinet RCE flaw now exploited in attacks
## CISA says critical Fortinet RCE flaw now exploited in attacks
## Sergiu Gatlan
Today, CISA revealed that attackers actively exploit a critical FortiOS remote code execution (RCE) vulnerability in the wild.
The flaw (CVE-2024-23113) is caused by the fgfmd daemon accepting an externally controlled format string as an argument, which can let unauthenticated threat actors execute commands or arbitrary code on unpatched devices in low-complexity attacks that don't require user interaction.
As Fortinet explains, the vulnerable fgfmd daemon runs on FortiGate and FortiManager, handling all authentication requests and managing keep-alive messages between them (as well as all resulting actions like instructing other processes to update files or databases).
CVE-2024-23113 impacts FortiOS 7.0
Bleepingcomputer
NoName ransomware gang deploying RansomHub malware in recent attacks
blogs_bleepingcomputer·2024-09-10·CVSS 8.8
[HIGH] NoName ransomware gang deploying RansomHub malware in recent attacks
## NoName ransomware gang deploying RansomHub malware in recent attacks
## Bill Toulas
The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate.
The gang uses custom tools known as the Spacecolon malware family, and deploys them after gaining access to a network through brute-force methods as well as exploiting older vulnerabilities like EternalBlue (CVE-2017-0144) or ZeroLogon (CVE-2020-1472).
In more recent attacks NoName uses the ScRansom ransomware, which replaced the Scarab encryptor. Additionally, the threat actor tried to make a name by experimenting with the leaked LockBit 3.0 ransomware builder, creating a similar data leak
Talos
Tabletop exercises are headed to the next frontier: Space
blogs_talos·2024-06-20
## Tabletop exercises are headed to the next frontier: Space
I think we can all agree that tabletop exercises are a good thing. They allow organizations of all sizes to test their incident response plans without the potentially devastating effects of a real-world cyber attack or intrusion.
As part of my role at Talos, I’ve read hundreds of tabletop exercises for Cisco Talos Incident Response customers, and the knowledge and recommendations contained in each of them are invaluable. No matter how strong your incident response plan seems on paper, there is always something that can be improved, and a tabletop exercise can help your organization identify potential holes or areas of improvement.
But as I was catching up on the news of the past week, I saw that these exercises may be flying too close to the sun — literally.
The U.S. National Science Fo
Bleepingcomputer
Exploit released for maximum severity Fortinet RCE bug, patch now
blogs_bleepingcomputer·2024-05-28·CVSS 10.0
CVE-2024-23108 [CRITICAL] Exploit released for maximum severity Fortinet RCE bug, patch now
## Exploit released for maximum severity Fortinet RCE bug, patch now
## Sergiu Gatlan
Security researchers have released a proof-of-concept (PoC) exploit for a maximum-severity vulnerability in Fortinet's security information and event management (SIEM) solution, which was patched in February.
Tracked as CVE-2024-23108, this security flaw is a command injection vulnerability discovered and reported by Horizon3 vulnerability expert Zach Hanley that enables remote command execution as root without requiring authentication.
"Multiple improper neutralization of special elements used in an OS Command vulnerability [CWE-78] in FortiSIEM supervisor may allow a remote unauthenticated attacker to execute unauthorized commands via crafted API requests," Fortinet says.
CVE-2024-23108 impacts
Sentinelone
PinnacleOne ExecBrief | Aviation Cybersecurity
blogs_sentinelone·2024-04-22
PinnacleOne ExecBrief | Aviation Cybersecurity
Last week, PinnacleOne reviewed escalation dynamics in the Middle East.
This week, we turn our attention to domestic critical infrastructure with a look at recent developments in aviation cybersecurity.
Please subscribe to read future issues — and forward this newsletter to interested colleagues.
Contact us directly with any comments or questions: [email protected]
## Insight Focus | Aviation Cybersecurity
The aviation sector continues to face a complex and evolving cybersecurity threat landscape with nation-state actors, cybercriminal groups, and hacktivists targeting critical infrastructure. Last week, the FAA issued a ground stop order on Alaska Airlines for one hour due to an “upgrade issue with flight software that calculates weight and balance.” This follows a similar hour-long
Tenable
CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability
blogs_tenable·2024-03-14·CVSS 9.8
[CRITICAL] CVE-2023-48788: Critical Fortinet FortiClientEMS SQL Injection Vulnerability
Bleepingcomputer
Fortinet warns of critical RCE bug in endpoint management software
blogs_bleepingcomputer·2024-03-13·CVSS 8.1
CVE-2023-48788 [HIGH] Fortinet warns of critical RCE bug in endpoint management software
## Fortinet warns of critical RCE bug in endpoint management software
## Sergiu Gatlan
Fortinet patched a critical vulnerability in its FortiClient Enterprise Management Server (EMS) software that can allow attackers to gain remote code execution (RCE) on vulnerable servers.
FortiClient EMS enables admins to manage endpoints connected to an enterprise network, allowing them to deploy FortiClient software and assign security profiles on Windows devices.
The security flaw (CVE-2023-48788) is an SQL injection in the DB2 Administration Server (DAS) component, which was discovered and reported by the UK's National Cyber Security Centre (NCSC) and Fortinet developer Thiago Santana.
It impacts FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2), and it allows
Checkpoint
12th February – Threat Intelligence Report
blogs_checkpoint·2024-02-12
CVE-2022-42475 12th February – Threat Intelligence Report
## 12th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 12th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
One of the largest unions in California, Service Employees International Union (SEIU) Local 1000, has confirmed a ransomware attack that led to network disruption. The LockBit ransomware gang has assumed responsibility, claiming to have stolen 308GB of data including sensitive employee information such as Social Securit
Bleepingcomputer
New Fortinet RCE bug is actively exploited, CISA confirms
blogs_bleepingcomputer·2024-02-09·CVSS 10.0
CVE-2024-21762 [CRITICAL] New Fortinet RCE bug is actively exploited, CISA confirms
## New Fortinet RCE bug is actively exploited, CISA confirms
## Sergiu Gatlan
CISA confirmed today that attackers are actively exploiting a critical remote code execution (RCE) bug patched by Fortinet on Thursday.
The flaw (CVE-2024-21762) is due to an out-of-bounds write weakness in the FortiOS operating system and the FortiProxy secure web proxy that can let unauthenticated attackers execute arbitrary code remotely using maliciously crafted HTTP requests.
Admins who can't immediately deploy security updates to patch vulnerable appliances can remove the attack vector by disabling SSL VPN on the device.
CISA's announcement comes one day after Fortinet published a security advisory saying the flaw was "potentially being exploited in the wild."
While the company has yet to share more d
Tenable
CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
blogs_tenable·2024-02-09·CVSS 9.8
[CRITICAL] CVE-2024-21762: Critical Fortinet FortiOS Out-of-Bound Write SSL VPN Vulnerability
Fortinet
The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities | Fortinet Blog
blogs_fortinet·2024-02-07·CVSS 9.8
[CRITICAL] The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities | Fortinet Blog
PSIRT BLOGS
The Importance of Patching: An Analysis of the Exploitation of N-Day Vulnerabilities
By Carl Windsor, Guillaume Lovet, Wilfried Djettchou, Hongkei Chan and Alex Kong | February 07, 2024
Affected Platforms: FortiGate
Impacted Users: Government, service provider, consultancy, manufacturing, and large critical infrastructure organizations
Impact: Data loss and OS and file corruption
Severity Level: High
Executive Summary
The following supplementary research provides an analysis of the exploitation of resolved N-Day Fortinet vulnerabilities. "N-Day vulnerabilities" are known vulnerabilities for which a patch or fix is available but that organizations have not yet resolved by patching.
Fortinet continues to monitor ongoing activity by threat actors targeting known,
Bleepingcomputer
Chinese hackers infect Dutch military network with malware
blogs_bleepingcomputer·2024-02-06
Chinese hackers infect Dutch military network with malware
## Chinese hackers infect Dutch military network with malware
## Sergiu Gatlan
A Chinese cyber-espionage group breached the Dutch Ministry of Defence last year and deployed malware on compromised devices, according to the Military Intelligence and Security Service (MIVD) of the Netherlands.
However, despite backdooring the hacked systems, the damage from the breach was limited due to network segmentation.
"The effects of the intrusion were limited because the victim network was segmented from the wider MOD networks," said MIVD and the General Intelligence and Security Service (AIVD) in a joint report.
"The victim network had fewer than 50 users. Its purpose was research and development (R&D) of unclassified projects and collaboration with two third-party research institutes. These org
Dfir Report
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity
blogs_dfir_report·2023-12-18
Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity
Checkpoint
11th September – Threat Intelligence Report
blogs_checkpoint·2023-09-11·CVSS 9.8
CVE-2022-47966 [CRITICAL] 11th September – Threat Intelligence Report
## 11th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Check Point warns of a recent email phishing campaign abusing the data visualization tool Google Looker Studio. Attackers use the tool to send slideshow emails to victims from official Google accounts, instructing them to visit third-party websites to collect cryptocurrency. The websites will then prompt the victims
Tenable
Cybersecurity Snapshot: Cyber Pros Taxed by Overwork, Understaffing and Lack of Support, as Stress Takes a Toll
blogs_tenable·2023-09-08
Cybersecurity Snapshot: Cyber Pros Taxed by Overwork, Understaffing and Lack of Support, as Stress Takes a Toll
Bleepingcomputer
Iranian hackers breach US aviation org via ManageEngine, Fortinet bugs
blogs_bleepingcomputer·2023-09-07·CVSS 9.8
[CRITICAL] Iranian hackers breach US aviation org via ManageEngine, Fortinet bugs
## Iranian hackers breach US aviation org via ManageEngine, Fortinet bugs
## Sergiu Gatlan
State-backed hacking groups have breached a U.S. aeronautical organization using exploits targeting critical Zoho ManageEngine and Fortinet vulnerabilities, a joint advisory published by CISA, the FBI, and the United States Cyber Command (USCYBERCOM) revealed on Thursday.
The threat groups behind this breach are yet to be named, but while the joint advisory didn't connect the attackers to a specific state, USCYBERCOM's press release links the malicious actors to Iranian exploitation efforts.
CISA was part of the incident response between February and April and said the hacking groups had been in the compromised aviation organization's network since at least January after hackin
Tenable
AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
blogs_tenable·2023-09-07·CVSS 9.8
[CRITICAL] AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
Fortinet
Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign | Fortinet Blog
blogs_fortinet·2023-06-12·CVSS 9.8
CVE-2023-27997 [CRITICAL] Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign | Fortinet Blog
PSIRT BLOGS
Analysis of CVE-2023-27997 and Clarifications on Volt Typhoon Campaign
By Carl Windsor | June 12, 2023
Affected Platforms: FortiOS
Impacted Users: Targeted at government, manufacturing, and critical infrastructure
Impact: Data loss and OS and file corruption
Severity Level: Critical
Today, Fortinet published a CVSS Critical PSIRT Advisory (FG-IR-23-097 / CVE-2023-27997) along with several other SSL-VPN related fixes. This blog adds context to that advisory, providing our customers with additional details to help them make informed, risk-based decisions, and provides our perspective relative to recent events involving malicious actor activity.
The following write-up details our initial investigation into the incident that led to the discovery of this vulnerability and additi
Tenable
CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)
blogs_tenable·2023-06-12·CVSS 9.8
[CRITICAL] CVE-2023-27997: Heap-Based Buffer Overflow in Fortinet FortiOS and FortiProxy SSL-VPN (XORtigate)
Tenable
Volt Typhoon: International Cybersecurity Authorities Detail Activity Linked to Chinese-State Sponsored Threat Actor
blogs_tenable·2023-05-25
Volt Typhoon: International Cybersecurity Authorities Detail Activity Linked to Chinese-State Sponsored Threat Actor
Wiz
CVE-2023-25610 a critical RCE vulnerability in FortiOS: everything you need to know | Wiz Blog
blogs_wiz·2023-03-13·CVSS 9.8
CVE-2023-25610 [CRITICAL] CVE-2023-25610 a critical RCE vulnerability in FortiOS: everything you need to know | Wiz Blog
On March 7, Fortinet published an advisory for CVE-2023-25610, a critical remote code execution (RCE) vulnerability in FortiOS, Fortinet's operating system. This vulnerability is a buffer underwrite bug in the administrative interface which could allow a remote unauthenticated attacker to execute code using specially crafted requests.
It is highly recommended to upgrade FortiOS instances to the patched versions.
## What is CVE-2023-25610?
The administrative interface for FortiOS and FortiProxy is vulnerable to a buffer underwrite (also known as a "buffer underflow", CWE-124). Where a classic overflow writes past the end of a buffer, an underwrite occurs when a program writes to memory before the buffer's start, typically through an index or pointer that has gone negative or been moved back past the beginning. This can result in the data overwriting adjacent me
Checkpoint
23rd January – Threat Intelligence Report
blogs_checkpoint·2023-01-23·CVSS 9.8
CVE-2022-42475 [CRITICAL] 23rd January – Threat Intelligence Report
## 23rd January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 23rd January, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The fast food brand Yum! Brands, operator of leading fast food restaurants including KFC, Pizza Hut and Taco Bell, has been targeted by a ransomware attack. The attack led to the temporary closure of almost 300 branches in the United Kingdom. No group has claimed responsibility at this point.
Vice Society ransomware gang has claim
Fortinet
Analysis of FG-IR-22-398 – FortiOS - heap-based buffer overflow in SSLVPNd | Fortinet Blog
blogs_fortinet·2023-01-11·CVSS 9.8
CVE-2022-42475 [CRITICAL] Analysis of FG-IR-22-398 – FortiOS - heap-based buffer overflow in SSLVPNd | Fortinet Blog
PSIRT BLOGS
Analysis of FG-IR-22-398 – FortiOS - heap-based buffer overflow in SSLVPNd
By Carl Windsor, Guillaume Lovet, Hongkei Chan, and Alex Kong | January 11, 2023
Affected Platforms: FortiOS
Impacted Users: Government & large organizations
Impact: Data loss and OS and file corruption
Severity Level: High
Fortinet has published CVSS: Critical advisory FG-IR-22-398 / CVE-2022-42475 on Dec 12, 2022. The following writeup details our initial investigation into this malware and additional IoCs identified during our ongoing analysis.
Executive Summary
Multiple additional IoCs have been uncovered related to the incident FG-IR-22-398 / CVE-2022-42475
The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets.
Incid
Checkpoint
19th December – Threat Intelligence Report
blogs_checkpoint·2022-12-20
CVE-2022-44673 19th December – Threat Intelligence Report
## 19th December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Information of more than 80,000 security professionals and law enforcement officers is being offered for sale online, after the FBI’s information sharing portal InfraGard has been breached. The attacker has gained access to InfraGard after applying to join the platform impersonating a financial corporation’s CEO, then usi
Tenable
Cybersecurity Snapshot: Phishing Scams, Salary Trends, Metaverse Risks, Log4J Poll
blogs_tenable·2022-12-16
Cybersecurity Snapshot: Phishing Scams, Salary Trends, Metaverse Risks, Log4J Poll
Tenable
CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs
blogs_tenable·2022-12-12·CVSS 9.8
[CRITICAL] CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs
Recorded Future
CVE-2022-42475: Fortinet Pre-authentication Code-execution Vulnerability | Recorded Future
blogs_recorded_future·CVSS 9.8
CVE-2022-42475 [CRITICAL] CVE-2022-42475: Fortinet Pre-authentication Code-execution Vulnerability | Recorded Future
## CVE-2022-42475: Fortinet Pre-authentication Code-execution Vulnerability
Fortinet continues to garner and release information to address a recently-discovered heap-based buffer overflow vulnerability impacting several versions of FortiOS (FOS), the operating system behind an entire series of FortiGate next-generation firewalls and security appliances.
This new vulnerability comes on the heels of a very recent one whereby an alternate path or channel could allow threat actors to perform authentication bypasses and subsequent administrative operations on a handful of FOS, FortiProxy, and FortiSwitchManager endpoints.
In its latest PSIRT advisory, the company further provides a set of various indicators of compromise—these include the presence of file system artifacts and similar log e
Huntress
CVE-2022-42475 Vulnerability: Analysis, Impact, Mitigation | Huntress
blogs_huntress·CVSS 9.8
CVE-2022-42475 [CRITICAL] CVE-2022-42475 Vulnerability: Analysis, Impact, Mitigation | Huntress
## CVE-2022-42475 Vulnerability
Published: 11/21/2025
Written by: Lizzie Danielson
## What is CVE-2022-42475 vulnerability?
The CVE-2022-42475 vulnerability is a critical heap-based buffer overflow flaw in the SSL-VPN module of Fortinet’s FortiOS . It allows remote attackers to execute arbitrary code on vulnerable systems without authentication, providing a potential entry point for fileless malware attacks. Classified as a Remote Code Execution (RCE) vulnerability, it poses significant risks by enabling complete system compromise when exploited.
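Both Fortinet bugs on this page that are described at the memory level are out-of-bounds writes: CVE-2022-42475 past the end of a heap buffer (CWE-122), and CVE-2023-25610 in the Wiz entry above, before the start of one (buffer underwrite, CWE-124). The following is an added example in C, not FortiOS code, and it implies nothing about the real SSL-VPN request format; the arena layout, the sizes and the guard byte are constructed for the demonstration. It shows both vulnerable shapes next to the single bounds check that closes both, with guard bytes standing in for the neighbouring heap data an attacker would actually corrupt.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: a 16-byte "buffer" between two 8-byte guard regions in one
 * array, so writes that miss it in either direction stay inside the array (defined
 * behaviour) and can be counted.  The guards stand in for a real chunk's neighbours. */
#define GUARD      8
#define BUF        16
#define ARENA      (GUARD + BUF + GUARD)
#define GUARD_BYTE 0xAA

typedef struct {
    unsigned char mem[ARENA];            /* [guard][buffer........][guard] */
} arena_t;

static unsigned char *arena_buf(arena_t *a) { return a->mem + GUARD; }
void arena_init(arena_t *a) { memset(a->mem, GUARD_BYTE, sizeof a->mem); memset(arena_buf(a), 0, BUF); }

/* Number of guard bytes, on either side, that no longer hold GUARD_BYTE. */
int arena_guard_damage(const arena_t *a)
{
    int damaged = 0;
    for (int i = 0; i < GUARD; i++)
        damaged += (a->mem[i] != GUARD_BYTE)               /* before the buffer */
                 + (a->mem[GUARD + BUF + i] != GUARD_BYTE); /* after the buffer  */
    return damaged;
}

/* CWE-122 shape: a request-supplied length is trusted, so more than BUF bytes
 * run off the end of the buffer into whatever follows it. */
void vulnerable_copy_len(arena_t *a, const unsigned char *src, size_t len)
{
    memcpy(arena_buf(a), src, len);      /* never compared against BUF */
}

/* CWE-124 shape: a request-supplied signed offset is used as an index with no
 * non-negative check; idx == -1 lands on the byte before the buffer. */
void vulnerable_write_at(arena_t *a, long idx, unsigned char val)
{
    arena_buf(a)[idx] = val;
}

/* Hardened: one check covering both directions before memory is touched.
 * Both return 0 on success, -1 if the request is rejected outright. */
int checked_copy_len(arena_t *a, const unsigned char *src, size_t len)
{
    if (len > BUF)
        return -1;                       /* reject; do not truncate and carry on */
    memcpy(arena_buf(a), src, len);
    return 0;
}
int checked_write_at(arena_t *a, long idx, unsigned char val)
{
    if (idx < 0 || (unsigned long)idx >= BUF)
        return -1;
    arena_buf(a)[idx] = val;
    return 0;
}

/* Scenarios: each returns the number of clobbered guard bytes. */
int demo_overflow(void)
{
    arena_t a;
    unsigned char payload[BUF + 4];      /* 4 bytes longer than the buffer */
    memset(payload, 0x41, sizeof payload);
    arena_init(&a);
    vulnerable_copy_len(&a, payload, sizeof payload);
    return arena_guard_damage(&a);       /* 4: the bytes after the buffer */
}
int demo_underwrite(void)
{
    arena_t a;
    arena_init(&a);
    vulnerable_write_at(&a, -1, 0x41);
    return arena_guard_damage(&a);       /* 1: the byte before the buffer */
}
/* Same inputs via the checked paths: -1 on any unexpected verdict, else damage (0). */
int demo_checked(void)
{
    arena_t a;
    unsigned char payload[BUF + 4];
    memset(payload, 0x41, sizeof payload);
    arena_init(&a);
    if (checked_copy_len(&a, payload, sizeof payload) != -1 ||   /* too long   */
        checked_write_at(&a, -1, 0x41) != -1 ||                  /* negative   */
        checked_write_at(&a, BUF, 0x41) != -1 ||                 /* past end   */
        checked_write_at(&a, BUF - 1, 0x41) != 0)                /* last valid */
        return -1;
    return arena_guard_damage(&a);
}

int main(void)
{
    printf("overflow   clobbered %d guard bytes\n", demo_overflow());
    printf("underwrite clobbered %d guard bytes\n", demo_underwrite());
    printf("checked    clobbered %d guard bytes\n", demo_checked());
    return 0;
}
```

On a real heap the guard bytes are another object's contents or the allocator's chunk metadata, which is what turns a few clobbered bytes into code execution; the checked functions also reject the request rather than silently truncating, because a parser that truncates and keeps going has usually desynchronised from the attacker's framing and is itself a source of later bugs.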
## When was it discovered?
The CVE-2022-42475 vulnerability was disclosed publicly on December 12, 2022, by Fortinet following observations of in-the-wild exploitation. FortiGuard Labs credited their internal team with discovering this vulne
Greynoiseio
NoiseLetter
blogs_greynoiseio
NoiseLetter
Threat Intel
UNC3886 (UNC3886)
threat_intel
UNC3886 (UNC3886)
# Threat Actor Profile: UNC3886
ATT&CK ID: G1048
Also known as: UNC3886
Suspected origin: China
## Overview
UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.(Citation: Mandiant Fortinet Zero Day)(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)
## Campaigns
- **RedPenguin** (C0056), July 2024 to March 2025
The RedPenguin project was launched by Juniper in July 2024 to inv
Greynoiseio
The Ninth Day Of Tagsmas (2023): Critical Vulnerabilities in ManageEngine Products Put Organizations at Risk (CVE-2022-28810 / CVE-2022-47966)
blogs_greynoiseio·CVSS 6.8
[MEDIUM] The Ninth Day Of Tagsmas (2023): Critical Vulnerabilities in ManageEngine Products Put Organizations at Risk (CVE-2022-28810 / CVE-2022-47966)
arXiv
EventHunter: Dynamic Clustering and Ranking of Security Events from Hacker Forum Discussions
arxiv_fulltext·2025-07-13
EventHunter: Dynamic Clustering and Ranking of Security Events from Hacker Forum Discussions
Yasir ECH-CHAMMAKHY (1,2), Anas Motii (1), Anass Rabii (2), Jaafar Chbili (3)
1 College of Computing, Mohammed VI Polytechnic University (UM6P), Ben Guerir, Morocco
2 Deloitte Morocco Cyber Center, Casablanca, Morocco
3 Deloitte Conseil, Paris, France
Emails: {Yasir.ECH-CHAMMAKHY, Anas.MOTII}@um6p.ma
## Abstract
Hacker forums provide critical early warning signals for emerging cybersecurity threats, but extracting actionable intelligence from their unstructured and noisy content remains a significant challenge. This paper presents an unsupervised framework that automatically detects, clusters, and prioritizes security events discussed across hacker forum posts. Our approach
ATT&CK
BOLDMOVE
mitre_attack·CVSS 9.8
CVE-2022-42475 [CRITICAL] BOLDMOVE
BOLDMOVE
[BOLDMOVE](https://attack.mitre.org/software/S1184) is a type of backdoor malware written in C linked to People’s Republic of China operations from 2022 through 2023. [BOLDMOVE](https://attack.mitre.org/software/S1184) includes both Windows and Linux variants, with some Linux variants specifically designed for FortiGate Firewall devices. [BOLDMOVE](https://attack.mitre.org/software/S1184) is linked to zero-day exploitation of CVE-2022-42475 in FortiOS SSL-VPNs.(Citation: Google Cloud BOLDMOVE 2023) The record for [BOLDMOVE](https://attack.mitre.org/software/S1184) only covers known Linux variants.
ATT&CK
COATHANGER
mitre_attack·CVSS 9.8
[CRITICAL] COATHANGER
COATHANGER
[COATHANGER](https://attack.mitre.org/software/S1105) is a remote access tool (RAT) targeting FortiGate networking appliances. First used in 2023 in targeted intrusions against military and government entities in the Netherlands along with other victims, [COATHANGER](https://attack.mitre.org/software/S1105) was disclosed in early 2024, with a high confidence assessment linking this malware to a state-sponsored entity in the People's Republic of China. [COATHANGER](https://attack.mitre.org/software/S1105) is delivered after gaining access to a FortiGate device, with in-the-wild observations linked to exploitation of CVE-2022-42475. The name [COATHANGER](https://attack.mitre.org/software/S1105) is based on a unique string in the malware used to encrypt configuration files on disk
Published: 2023-01-02
Added to CISA KEV: 2022-12-13
Exploited in the wild