Tag “Fortinet”

Fortinet Addresses CVE-2025-32756: Critical Zero-Day RCE Vulnerability in FortiVoice Systems

May 14, 2025
Vulnerability / Network Security

Fortinet has issued a fix for a severe security vulnerability exploited as a zero-day in attacks against FortiVoice enterprise phone systems. Identified as CVE-2025-32756, this flaw has a high CVSS score of 9.6 out of 10.0. According to the company’s advisory, “A stack-based overflow vulnerability [CWE-121] in FortiVoice, FortiMail, FortiNDR, FortiRecorder, and FortiCamera may enable a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted HTTP requests.” Fortinet has confirmed that the flaw has been actively exploited in the wild within FortiVoice systems, although details regarding the scope of the attacks and the identities of the attackers remain undisclosed. Notably, the attacker engaged in network scans of devices, deleted system crash logs, and enabled FCGI debugging to capture credentials from the system and SSH login attempts. The vulnerability impacts the following products and versions: FortiCamera 1.1, 2.0 (Update to a secure release recommended).

Fortinet Addresses Critical Zero-Day RCE Vulnerability in FortiVoice Systems

On May 14, 2025, cybersecurity provider Fortinet announced the resolution of a significant security vulnerability identified as CVE-2025-32756. This flaw, which carries a critical CVSS score of 9.6, has reportedly been exploited in live attacks against FortiVoice enterprise phone systems. The…

Fortinet Alerts: Attackers Maintain Read-Only Access to FortiGate Devices After Patching Using SSL-VPN Symlink Exploit

April 11, 2025
Network Security / Vulnerability

Fortinet has disclosed that cybercriminals have discovered a method to preserve read-only access to compromised FortiGate devices, even after vulnerabilities exploited for initial breaches have been patched. The attackers reportedly utilized known security weaknesses, including CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. “A threat actor exploited a known vulnerability to establish read-only access to affected FortiGate devices,” the network security firm stated in an advisory released Thursday. “This was accomplished by creating a symbolic link that connects the user file system with the root file system in a directory used for SSL-VPN language files.” Fortinet noted that these alterations occurred within the user file system and were able to evade detection, leaving the symlink intact even after the original vulnerabilities were remedied. This situation has enabled the attackers to retain access…

Fortinet Warns of Persistent Access Threats to FortiGate Devices Post-Patching

On April 11, 2025, Fortinet disclosed concerning information regarding a persistent security vulnerability affecting its FortiGate devices. The network security firm reported that cybercriminals have successfully established read-only access to affected devices, even after the vulnerabilities exploited to initially breach…

Caution: Big Head Ransomware on the Rise—Disguised as Phony Windows Updates

July 11, 2023
Ransomware / Windows Security

A newly emerging ransomware known as Big Head is spreading via a malvertising campaign that masquerades as fake Microsoft Windows updates and Word installers. Initially identified by Fortinet FortiGuard Labs last month, multiple variants of this ransomware have been found, all designed to encrypt files on victims’ devices in exchange for cryptocurrency payments. According to Fortinet researchers, “One variant of the Big Head ransomware presents a fake Windows Update, suggesting it may also be distributed as counterfeit updates.” Another variant features a Microsoft Word icon, indicating its distribution as fraudulent software. The majority of Big Head samples reported so far are from the U.S., Spain, France, and Turkey. Recent analysis by Trend Micro has further explored this .NET-based ransomware, highlighting its capability to deploy three encrypted binaries: 1.exe for propagation…

Warning: Big Head Ransomware on the Rise via Fake Windows Updates

July 11, 2023 – BreachSpot.com

A new strain of ransomware known as Big Head is gaining traction, being distributed through a targeted malvertising campaign that masquerades as counterfeit Microsoft Windows updates and Word installers. This ransomware was first identified…

CISA Updates KEV Catalog with 3 New Vulnerabilities Affecting AMI MegaRAC, D-Link, and Fortinet

On June 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added three security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, all of which are subject to active exploitation. These vulnerabilities affect AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS. The details of the vulnerabilities are as follows:

  • CVE-2024-54085 (CVSS score: 10.0): An authentication bypass vulnerability in the Redfish Host Interface of AMI MegaRAC SPx, which could enable a remote attacker to gain control.
  • CVE-2024-0769 (CVSS score: 5.3): A path traversal vulnerability in D-Link DIR-859 routers that facilitates privilege escalation and unauthorized control (currently unpatched).
  • CVE-2019-6693 (CVSS score: 4.2): A hard-coded cryptographic key issue in FortiOS, FortiManager, and FortiAnalyzer used for encrypting password data in CLI configurations, potentially allowing an attacker with access to the CLI configuration or backup file to decrypt sensitive information.

CISA Updates KEV Catalog with Three Critical Vulnerabilities Affecting AMI MegaRAC, D-Link, and Fortinet

On June 26, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog to include three significant security flaws. These vulnerabilities have been identified as actively exploited and are associated…

Coordinated Attack Launches New Brute-Force Campaign Targeting Fortinet SSL VPN

A notable increase in brute-force attacks targeting Fortinet products may indicate the emergence of a new vulnerability. Analysis reveals a significant correlation between attack incidents and reported security flaws. Experts are raising concerns over a recent escalation in cyberattacks directed at Fortinet’s security offerings. On August 3, 2025, cybersecurity firm…

Malicious Game Optimization Apps Spread Winos 4.0 Malware to Gamers

Cybersecurity experts are raising alarms about a command-and-control (C&C) framework known as Winos, which is being propagated through gaming-related apps, including installation tools, speed boosters, and optimization utilities. According to a report from Fortinet FortiGuard Labs shared with The Hacker News, “Winos 4.0 is a sophisticated malicious framework designed for extensive functionality, stable architecture, and efficient control over various online endpoints for further actions.” This framework, rebuilt from Gh0st RAT, features several modular components, each assigned distinct tasks. Campaigns distributing Winos 4.0 were initially noted in June by Trend Micro and the KnownSec 404 Team, which are monitoring the activity under the names Void Arachne and Silver Fox. These attacks primarily target Chinese-speaking users, utilizing black hat Search Engine Optimization (SEO) methods, along with social media and messaging platforms like Te…

Winos 4.0 Malware Targets Gamers via Malicious Game Optimization Software

Cybersecurity experts have issued an alert regarding a sophisticated malware framework known as Winos 4.0, which is infiltrating the gaming community through seemingly legitimate applications. These applications, including game installation tools, speed boosters, and optimization utilities, serve as vectors for…

GLOBAL GROUP RaaS Launches Operations with AI-Powered Negotiation Tools

July 15, 2025
Cybercrime / Ransomware

Cybersecurity researchers have uncovered a new ransomware-as-a-service (RaaS) operation called GLOBAL GROUP, which has been targeting various sectors across Australia, Brazil, Europe, and the United States since its debut in early June 2025. According to EclecticIQ researcher Arda Büyükkaya, GLOBAL GROUP was “advertised on the Ramp4u forum by the threat actor known as ‘$$$.’” This same individual is associated with the BlackLock RaaS and has previously overseen the Mamona ransomware operations. It is believed that GLOBAL GROUP represents a rebranding of BlackLock, following the defacement of its data leak site by the DragonForce ransomware cartel in March. Notably, BlackLock itself was a rebranding of an earlier RaaS scheme called Eldorado. This financially motivated group is known for relying heavily on initial access brokers (IABs) to deploy ransomware, utilizing vulnerable edge appliances from Cisco, Fortinet, and Palo Alto Networks.

GLOBAL GROUP RaaS Expands Operations with Advanced AI Negotiation Tools

July 15, 2025
Cybercrime / Ransomware

A newly identified ransomware-as-a-service (RaaS) entity, referred to as GLOBAL GROUP, has rapidly gained traction, targeting various sectors across Australia, Brazil, Europe, and the United States since its inception in early June 2025. Researchers…

Cybercriminals Leverage Excel Vulnerability to Distribute Fileless Remcos RAT Malware

Nov 11, 2024
Vulnerability / Network Security

Cybersecurity experts have uncovered a new phishing campaign that disseminates a fileless variant of the well-known Remcos RAT malware. According to Fortinet FortiGuard Labs researcher Xiaopeng Zhang, “Remcos RAT offers a comprehensive suite of advanced features for remotely controlling computers purchased by buyers.” However, cybercriminals have exploited Remcos to gather sensitive information and execute further malicious actions on victims’ systems.

The attack typically begins with a phishing email that employs purchase order themes to entice recipients into opening a malicious Microsoft Excel attachment. This Excel document exploits a known remote code execution vulnerability in Office (CVE-2017-0199, CVSS score: 7.8), allowing it to download an HTML Application (HTA) file (“cookienetbookinetcahce.hta”) from a remote server (“192.3.220[.]22”) and execute it using mshta.exe.

Cybercriminals Leverage Excel Vulnerability to Deploy Remcos RAT Malware

November 11, 2024
Vulnerability / Network Security

Recent cybersecurity investigations have unearthed a phishing campaign that propagates a new fileless variant of the notorious Remcos RAT (Remote Control Software). Fortinet FortiGuard Labs, through researcher Xiaopeng Zhang, provided an in-depth analysis, revealing…

Fortinet Issues Critical Patch for SQL Injection Vulnerability in FortiWeb (CVE-2025-25257)

July 11, 2025, United States

Fortinet has unveiled a patch addressing a severe security vulnerability in FortiWeb, which could allow unauthenticated attackers to execute arbitrary database commands on affected systems. Designated as CVE-2025-25257, this flaw has a CVSS score of 9.6 out of 10. According to Fortinet’s advisory, the vulnerability stems from “improper neutralization of special elements used in an SQL command (SQL Injection) [CWE-89],” enabling unauthorized SQL code execution through specially crafted HTTP or HTTPS requests.

The vulnerability affects the following FortiWeb versions:

  • FortiWeb 7.6.0 to 7.6.3 (Upgrade to 7.6.4 or higher)
  • FortiWeb 7.4.0 to 7.4.7 (Upgrade to 7.4.8 or higher)
  • FortiWeb 7.2.0 to 7.2.10 (Upgrade to 7.2.11 or higher)
  • FortiWeb 7.0.0 to 7.0.10 (Upgrade to 7.0.11 or higher)

Kentaro Kawane from GMO Cybersecurity is credited with reporting this significant vulnerability, as well as several critical issues in Cisco systems.

Fortinet Issues Critical Patch for SQL Injection Vulnerability in FortiWeb

On July 11, 2025, Fortinet announced the release of urgent patches for a significant security vulnerability in FortiWeb, a web application firewall. This flaw, designated CVE-2025-25257, poses a serious risk, allowing unauthorized attackers the potential to execute arbitrary SQL commands…
