Search results for fortinet controller | Breaking Cybersecurity News | The Hacker News

The China-nexus cyber espionage actor linked to the zero-day exploitation of security flaws in Fortinet , Ivanti , and VMware devices has been observed utilizing multiple persistence mechanisms in order to maintain unfettered access to compromised environments. "Persistence mechanisms encompassed network devices, hypervisors, and virtual machines, ensuring alternative channels remain available even if the primary layer is detected and eliminated," Mandiant researchers said in a new report. The threat actor in question is UNC3886 , which the Google-owned threat intelligence company branded as "sophisticated, cautious, and evasive." Attacks orchestrated by the adversary have leveraged zero-day flaws such as CVE-2022-41328 (Fortinet FortiOS), CVE-2022-22948 (VMware vCenter), and CVE-2023-20867 (VMware Tools) to perform various malicious actions, ranging from deploying backdoors to obtaining credentials for deeper access. It has also been observed exploiting ...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Fortinet products to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, tracked as CVE-2024-23113 (CVSS score: 9.8), relates to a case of remote code execution that affects FortiOS, FortiPAM, FortiProxy, and FortiWeb. "A use of externally-controlled format string vulnerability [CWE-134] in FortiOS fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests," Fortinet noted in an advisory for the flaw back in February 2024. As is typically the case, the bulletin is sparse on details related to how the shortcoming is being exploited in the wild, or who is weaponizing it and against whom. In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the vendor-provided mitigations by Oc...

The U.S. National Security Agency (NSA) on Tuesday  said  a threat actor tracked as APT5 has been actively exploiting a zero-day flaw in Citrix Application Delivery Controller (ADC) and Gateway to take over affected systems. The critical remote code execution vulnerability, identified as  CVE-2022-27518 , could allow an unauthenticated attacker to execute commands remotely on vulnerable devices and seize control. Successful exploitation, however, requires that the Citrix ADC or Citrix Gateway appliance is configured as a SAML service provider (SP) or a SAML identity provider (IdP). The following supported versions of Citrix ADC and Citrix Gateway are affected by the vulnerability - Citrix ADC and Citrix Gateway 13.0 before 13.0-58.32 Citrix ADC and Citrix Gateway 12.1 before 12.1-65.25 Citrix ADC 12.1-FIPS before 12.1-55.291 Citrix ADC 12.1-NDcPP before 12.1-55.291 Citrix ADC and Citrix Gateway versions 13.1 are not impacted. The company also said there are no...

Fortinet has warned of a high-severity flaw affecting multiple versions of FortiADC application delivery controller that could lead to the execution of arbitrary code. "An improper neutralization of special elements used in an OS command vulnerability in FortiADC may allow an authenticated attacker with access to the web GUI to execute unauthorized code or commands via specifically crafted HTTP requests," the company  said  in an advisory. The vulnerability, tracked as CVE-2022-39947 (CVSS score: 8.6) and internally discovered by its product security team, impacts the following versions - FortiADC version 7.0.0 through 7.0.2 FortiADC version 6.2.0 through 6.2.3 FortiADC version 6.1.0 through 6.1.6 FortiADC version 6.0.0 through 6.0.4 FortiADC version 5.4.0 through 5.4.5 Users are recommended to upgrade to FortiADC versions 6.2.4 and 7.0.2 as and when they become available. The  January 2023 patches  also address a number of command injection vulnerabilit...

Intelligence agencies in Australia, the U.K., and the U.S. issued a joint advisory on Wednesday detailing the most exploited vulnerabilities in 2020 and 2021, once again demonstrating how threat actors are able to swiftly weaponize publicly disclosed flaws to their advantage. "Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide," the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI)  noted . "However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system." The top 30 vulnerabilities span a wide range of software, including remote work, virtual pri...

Microsoft has released patches to fix 67 security flaws , including one zero-day bug in Web Distributed Authoring and Versioning (WebDAV) that it said has come under active exploitation in the wild. Of the 67 vulnerabilities, 11 are rated Critical and 56 are rated Important in severity. This includes 26 remote code execution flaws, 17 information disclosure flaws, and 14 privilege escalation flaws. The patches are in addition to 13 shortcomings addressed by the company in its Chromium-based Edge browser since the release of last month's Patch Tuesday update . The vulnerability that has been weaponized in real-world attacks concerns a remote code execution in WebDAV ( CVE-2025-33053 , CVSS score: 8.8) that can be triggered by deceiving users into clicking on a specially crafted URL. The tech giant credited Check Point researchers Alexandra Gofman and David Driker for discovering and reporting the bug. It's worth mentioning that CVE-2025-33053 is the first zero-day vulnerab...

Ever wonder what happens when attackers don't break the rules—they just follow them better than we do? When systems work exactly as they're built to, but that "by design" behavior quietly opens the door to risk? This week brings stories that make you stop and rethink what's truly under control. It's not always about a broken firewall or missed patch—it's about the small choices, default settings, and shortcuts that feel harmless until they're not. The real surprise? Sometimes the threat doesn't come from outside—it's baked right into how things are set up. Dive in to see what's quietly shaping today's security challenges. ⚡ Threat of the Week FBI Warns of Scattered Spider's on Airlines — The U.S. Federal Bureau of Investigation (FBI) has warned of a new set of attacks mounted by the notorious cybercrime group Scattered Spider targeting the airline sector using sophisticated social engineering techniques to obtain initial access. Cybersecurity vendors Palo Alto Networks Unit 4...

What do a source code editor, a smart billboard, and a web server have in common? They've all become launchpads for attacks—because cybercriminals are rethinking what counts as "infrastructure." Instead of chasing high-value targets directly, threat actors are now quietly taking over the overlooked: outdated software, unpatched IoT devices, and open-source packages. It's not just clever—it's reshaping how intrusion, persistence, and evasion happen at scale. ⚡ Threat of the Week 5Socks Proxy Using IoT, EoL Systems Dismantled in Law Enforcement Operation — A joint law enforcement operation undertaken by Dutch and U.S. authorities dismantled a criminal proxy network, known as anyproxy[.]net and 5socks[.]net, that was powered by thousands of infected Internet of Things (IoT) and end-of-life (EoL) devices, enlisting them into a botnet for providing anonymity to malicious actors. The illicit platform, active since 2004, advertised more than 7,000 online proxies daily, with infected ...

Cyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous public disclosures of their attack methods, according to a  new advisory  jointly published by intelligence agencies from the U.K. and U.S. Friday. "SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders," the National Cyber Security Centre (NCSC)  said . These include the deployment of an open-source tool called  Sliver  to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities. The development follows the  public attribution  of SVR-linked actors to the  SolarWinds  supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), t...

Cybersecurity researchers have taken the wraps off a previously undocumented ransomware strain called  Rorschach  that's both sophisticated and fast. "What makes Rorschach stand out from other ransomware strains is its high level of customization and its technically unique features that have not been seen before in ransomware," Check Point Research  said  in a new report. "In fact, Rorschach is one of the  fastest ransomware strains  ever observed, in terms of the speed of its encryption." The cybersecurity firm said it observed the ransomware deployed against an unnamed U.S.-based company, adding it found no branding or overlaps that connect it to any previously known ransomware actors. However, further analysis of Rorschach's source code reveals similarities to  Babuk ransomware , which suffered a leak in September 2021, and  LockBit 2.0 . On top of that, the ransom notes sent out to the victims appear to be inspired by that of  Yanluow...

The threat actors behind the  LockBit  ransomware-as-a-service (RaaS) scheme have extorted $91 million following hundreds of attacks against numerous U.S. organizations since 2020. That's according to a  joint bulletin  published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and other partner authorities from Australia, Canada, France, Germany, New Zealand, and the U.K. "The LockBit ransomware-as-a-service (RaaS) attracts affiliates to use LockBit for conducting ransomware attacks, resulting in a large web of unconnected threat actors conducting wildly varying attacks," the agencies  said . LockBit, which first burst onto the scene in late 2019, has continued to be disruptive and prolific, targeting as many as 76 victims in May 2023 alone, per statistics shared by  Malwarebytes  last week. The Russia-linked cartel has...

From sophisticated nation-state campaigns to stealthy malware lurking in unexpected places, this week's cybersecurity landscape is a reminder that attackers are always evolving. Advanced threat groups are exploiting outdated hardware, abusing legitimate tools for financial fraud, and finding new ways to bypass security defenses. Meanwhile, supply chain threats are on the rise, with open-source repositories becoming a playground for credential theft and hidden backdoors. But it's not all bad news—law enforcement is tightening its grip on cybercriminal networks, with key ransomware figures facing extradition and the security community making strides in uncovering and dismantling active threats. Ethical hackers continue to expose critical flaws, and new decryptors offer a fighting chance against ransomware operators. In this week's recap, we dive into the latest attack techniques, emerging vulnerabilities, and defensive strategies to keep you ahead of the curve. Stay informed, stay sec...

The China-linked advanced persistent threat (APT) actor known as Salt Typhoon has continued its attacks targeting networks across the world, including organizations in the telecommunications, government, transportation, lodging, and military infrastructure sectors. "While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks," according to a joint cybersecurity advisory published Wednesday. "These actors often modify routers to maintain persistent, long-term access to networks." The bulletin , courtesy of authorities from 13 countries, said the malicious activity has been linked to three Chinese entities, Sichuan Juxinhe Network Technology Co., Ltd., Beijing Huanyu Tianqiong Information Technology Co., Ltd., and Sichuan Zhixin Ruijie Network Technology Co., Ltd. These companies,...