
FortiGuard Labs | FortiGuard Center - Threat Signal Report

The Threat Signal created by FortiGuard Labs is intended to provide insight into emerging issues that are trending within the cyber threat landscape. Each Threat Signal provides concise technical details about the issue, mitigation recommendations, and a perspective from the FortiGuard Labs team in an FAQ-style format.

What is the Vulnerability?
On March 10, 2025, Apache issued a security advisory regarding a critical vulnerability (CVE-2025-24813) affecting the Apache Tomcat web server. The flaw could allow attackers to view or inject arbitrary content into security-sensitive files and potentially achieve remote code execution. Exploit code for this vulnerability is publicly available and no authentication is required to launch an attack, so prompt mitigation is essential. According to Apache, successful exploitation requires specific conditions to be met; where they are, an attacker may manipulate and view sensitive files or execute code remotely.

What is the recommended Mitigation?
Impacted users should implement the mitigations provided by Apache and follow the instructions in the vendor's advisory: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
- Upgrade to Apache Tomcat 11.0.3 or later
- Upgrade to Apache Tomcat 10.1.35 or later
- Upgrade to Apache Tomcat 9.0.99 or later

What FortiGuard Coverage is available?
FortiGuard Labs has IPS protection to detect and block attack attempts targeting CVE-2025-24813 in the Apache Tomcat web server: https://www.fortiguard.com/encyclopedia/ips/57559
FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface: https://www.fortiguard.com/encyclopedia/endpoint-vuln/84317
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
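The fixed version differs per Tomcat branch, and the Apache advisory makes exploitation conditional on, among other things, writes being enabled for the DefaultServlet (readonly=false, which is not Tomcat's default). The Python below is an added example written for this page, not FortiGuard's or Apache's code: it takes a version string and the contents of conf/web.xml, reports whether the version is below the fix for its branch and whether DefaultServlet writes are enabled, and flags the combination. The sample version and web.xml are constructed. The readonly setting is only one of the advisory's preconditions, so treat the result as triage, not as proof of exploitability.

```python
"""Added example (not FortiGuard's or Apache's code): a pre-patch check for
CVE-2025-24813 against the fixed Tomcat versions listed above."""
import re
import xml.etree.ElementTree as ET

# Fixed versions per supported branch, from the Apache advisory cited above.
FIXED_VERSIONS = {
    (9, 0): (9, 0, 99),
    (10, 1): (10, 1, 35),
    (11, 0): (11, 0, 3),
}


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Apache Tomcat/10.1.34' or '9.0.98'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Tomcat version in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_fixed(text):
    """True when the version is at or above the fix for its branch.
    Branches not in the table (e.g. 8.5.x, end of life) are treated as unfixed."""
    version = parse_version(text)
    fixed = FIXED_VERSIONS.get(version[:2])
    return fixed is not None and version >= fixed


def _local(tag):
    """Strip the XML namespace so the check works for javaee and jakartaee web.xml."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml):
    """True when web.xml sets readonly=false on org.apache.catalina.servlets.DefaultServlet.

    Tomcat ships with readonly=true; the Apache advisory lists writes being
    enabled for the default servlet as a precondition for exploitation."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = ""
        params = {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                key = value = ""
                for field in child:
                    if _local(field.tag) == "param-name":
                        key = (field.text or "").strip()
                    elif _local(field.tag) == "param-value":
                        value = (field.text or "").strip()
                params[key] = value
        if servlet_class == "org.apache.catalina.servlets.DefaultServlet":
            return params.get("readonly", "true").lower() == "false"
    return False  # DefaultServlet not declared: Tomcat's default (readonly) applies


def assess(version_text, web_xml):
    """Combine both checks. 'at_risk' means unpatched AND writes enabled; the
    advisory names further conditions, so this is triage, not proof."""
    fixed = version_is_fixed(version_text)
    writable = default_servlet_writable(web_xml)
    return {
        "upgrade_required": not fixed,
        "writes_enabled": writable,
        "at_risk": (not fixed) and writable,
    }


# Constructed sample: an unpatched 9.0.x install whose operator enabled writes.
SAMPLE_VERSION = "Apache Tomcat/9.0.98"
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_WEB_XML))
```

On a real host, feed the output of `catalina.sh version` (which prints a "Server version: Apache Tomcat/x.y.z" line) and the contents of $CATALINA_BASE/conf/web.xml to `assess`; a per-application WEB-INF/web.xml can also override the DefaultServlet, so check those too.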
What is the Attack?
Recently, the popular third-party GitHub Action tj-actions/changed-files (CVE-2025-30066), used by over 23,000 repositories, was compromised, potentially exposing sensitive workflow secrets in any pipeline that integrated it. Subsequent investigation revealed that the compromise of tj-actions/changed-files may be linked to a similar breach of another GitHub Action, reviewdog/action-setup@v1 (CVE-2025-30154). Multiple Reviewdog actions were affected during a specific timeframe, raising further concerns about the scope of the attack (see CVE-2025-30154 in the GitHub Advisory Database).
GitHub Actions, a widely used CI/CD platform, enables developers to automate software development pipelines with reusable workflow components. This supply chain compromise poses a serious security risk because it could expose secrets such as valid cloud access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys.
Both issues have been assigned CVEs (CVE-2025-30066 and CVE-2025-30154) and have been added to CISA's Known Exploited Vulnerabilities Catalog. As the investigation is ongoing, we will continue to monitor the situation and provide updates as more information becomes available.

What is the recommended Mitigation?
Review the GitHub Advisory for CVE-2025-30066 ("tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs", GitHub Advisory Database) and follow the mitigation steps below:
1. Identify usage: Search your repositories for tj-actions/changed-files and the other actions mentioned above to determine whether and where they have been used.
2. Review workflow logs: Examine past workflow runs for evidence of secret exposure and update any workflows referencing the compromised commit.
3. Rotate potentially exposed secrets: As a precaution, rotate any secrets that may have been exposed during the affected timeframe.
4. Investigate malicious activity: If there is any sign that the compromised action has executed, investigate further for malicious activity.
See the following additional resource for further guidance: Security hardening for GitHub Actions - GitHub Docs

What FortiGuard Coverage is available?
FortiGuard Labs recommends that users follow the instructions and mitigation steps in the vendor's advisory.
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
FortiGuard IPS signatures have been added to detect and block malicious activity related to CVE-2025-30066 and CVE-2025-30154. (Intrusion Prevention | FortiGuard Labs)
Lacework FortiCNAPP provides the following post-exploitation and CI/CD protection capabilities:
- Anomalous Cloud Activity: Detects unusual access patterns, use of stolen credentials, and suspicious API behavior across AWS, Azure, and GCP.
- CI/CD Integration: Enables detection of insecure infrastructure code and secrets during build workflows. FortiCNAPP scan results can be used to fail builds and prevent deployment of high-severity risks when integrated with CI/CD pipelines (e.g. GitHub Actions, GitLab CI).
- Workload Threat Detection: Identifies runtime behaviors such as encoded exfiltration attempts, unexpected process activity, or behavior indicative of credential harvesting.
- IaC and Secrets Scanning: Prevents misconfigurations and hardcoded secrets in Terraform, Kubernetes, and CI workflows.
FortiGuard Labs will provide updates as more information becomes available.
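Step 1 above (finding where the actions are used) and the GitHub hardening guidance to pin third-party actions to a full commit SHA can both be scripted. The Python below is an added example written for this page, not FortiGuard's or GitHub's code: it scans a workflow file for `uses:` references, flags the actions named in the two advisories (and any reviewdog/* action, since multiple Reviewdog actions were affected), flags every other third-party action that is pinned to a mutable tag or branch rather than a 40-character commit SHA, and lists the `${{ secrets.* }}` names the workflow reads, which is a lower bound on what to rotate under step 3. The workflow text and the commit SHA in it are constructed for the example.

```python
"""Added example (not FortiGuard's or GitHub's code): inventory the third-party
actions a workflow uses, flag the compromised ones and unpinned references,
and list the secrets the workflow could have exposed."""
import re

# Actions named in the advisories above; any reviewdog/* action is also flagged
# because multiple Reviewdog actions were affected. Constructed list.
COMPROMISED_ACTIONS = {"tj-actions/changed-files", "reviewdog/action-setup"}
COMPROMISED_OWNERS = {"reviewdog"}

# 'uses:' either starts a step ('- uses:') or follows a 'name:' line.
# [ \t]* rather than \s* so the match cannot swallow a preceding blank line.
USES_RE = re.compile(r"""^[ \t]*-?[ \t]*uses:[ \t]*['"]?([^\s'"#]+)""", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")


def parse_uses(reference):
    """Split 'owner/repo[/subdir]@ref' into (owner/repo, ref).

    Local ('./path') and container ('docker://') references are not
    marketplace actions, so they are returned as (None, None)."""
    if reference.startswith("./") or reference.startswith("docker://"):
        return None, None
    target, _, ref = reference.partition("@")
    parts = target.split("/")
    if len(parts) < 2:
        return None, None
    return "/".join(parts[:2]), ref or None


def audit_workflow(text, path="workflow.yml"):
    """One finding per third-party action that is on the compromised list or
    is referenced by a mutable tag/branch instead of a full commit SHA."""
    findings = []
    for match in USES_RE.finditer(text):
        repo, ref = parse_uses(match.group(1))
        if repo is None:
            continue
        line = text.count("\n", 0, match.start()) + 1
        owner = repo.split("/")[0]
        if repo in COMPROMISED_ACTIONS or owner in COMPROMISED_OWNERS:
            issue = "compromised-action"
        elif not (ref and FULL_SHA_RE.match(ref)):
            issue = "mutable-ref"
        else:
            continue
        findings.append({"path": path, "line": line, "action": repo,
                         "ref": ref, "issue": issue})
    return findings


def referenced_secrets(text):
    """Names read via ${{ secrets.NAME }}. A lower bound: a compromised step
    runs with the job's full environment, not only what this file names."""
    return set(SECRET_RE.findall(text))


def secrets_to_rotate(text):
    """Step 3 above: if a compromised action appears, every secret the
    workflow reads should be rotated. Empty set when none appears."""
    if any(f["issue"] == "compromised-action" for f in audit_workflow(text)):
        return referenced_secrets(text)
    return set()


# Constructed sample workflow; the SHA is made up for the example.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
env:
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Changed files
        uses: tj-actions/changed-files@v45
        with:
          token: ${{ secrets.GH_PAT }}
      - uses: reviewdog/action-setup@v1
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832a5ec
      - uses: ./.github/actions/local
      - uses: docker://alpine:3.19
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW):
        print(finding)
    print("rotate:", sorted(secrets_to_rotate(SAMPLE_WORKFLOW)))
```

Run `audit_workflow` over every file under .github/workflows/ in each repository; "compromised-action" findings drive steps 2 to 4 above, and "mutable-ref" findings are the places to replace a tag with a commit SHA so that a future tag rewrite cannot change what the pipeline runs.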
What is the Vulnerability?
Multiple zero-day vulnerabilities have been identified in VMware's ESXi, Workstation, and Fusion products. VMware has confirmed that these vulnerabilities are being actively exploited in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) has added them to its Known Exploited Vulnerabilities Catalog based on evidence of such exploitation. The vendor advisory states that the vulnerabilities were reported to VMware by the Microsoft Threat Intelligence Center.
• CVE-2025-22225: Arbitrary Write Vulnerability in VMware ESXi
• CVE-2025-22224: TOCTOU Race Condition Vulnerability in VMware ESXi and Workstation
• CVE-2025-22226: Information Disclosure Vulnerability in VMware ESXi, Workstation, and Fusion

What is the recommended Mitigation?
Updates are available to remediate the vulnerabilities affecting VMware products. Apply the patches listed in the vendor's advisory.

What FortiGuard Coverage is available?
• FortiGuard Labs recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory.
• FortiGuard Labs' Endpoint Vulnerability service can detect vulnerable instances running on the network. (Endpoint Vulnerability | FortiGuard Labs)
• FortiGuard Labs is reviewing IPS protections where applicable and will update this Threat Signal report when they are available.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is Citrix NetScaler ADC and NetScaler Gateway?
Citrix NetScaler ADC, previously known as Citrix ADC, is an Application Delivery Controller (ADC) designed to deliver secure and optimized network traffic. Citrix NetScaler Gateway, previously known as Citrix Gateway, is an SSL VPN solution designed to provide secure and optimized remote access.

What is the Attack?
According to the advisory published by Citrix, CVE-2023-3519 is an unauthenticated remote code execution vulnerability affecting unmitigated Citrix NetScaler ADC and NetScaler Gateway appliances. To be vulnerable, an appliance must be configured either as a gateway or as an authentication, authorization, and auditing (AAA) virtual server. The advisory also confirms that Citrix-managed servers have already been mitigated, so no action is needed on those.
In early 2024, Microsoft began to observe Silk Typhoon exploiting zero-day vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway. (Silk Typhoon targeting IT supply chain | Microsoft Security Blog)

Why is this Significant?
This is significant because the Citrix advisory acknowledged that CVE-2023-3519 was exploited in the wild. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog on July 19, 2023, and released an advisory on July 20 stating that the vulnerability had been exploited as a zero-day in June against an unnamed critical infrastructure organization.

What is the Vendor Solution?
Citrix released the relevant updates on July 18, 2023.

What FortiGuard Coverage is available?
FortiGuard Labs has the IPS signature "Citrix.NetScaler.ADC.Gateway.Remote.Code.Execution" in place for CVE-2023-3519. FortiGuard Labs advises users to install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as possible.
What are the Vulnerabilities?
Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure ("ICS") VPN appliances. CVE-2025-0282 is an unauthenticated stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways; successful exploitation could result in unauthenticated remote code execution. CVE-2025-0283 is a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA Gateways before version 22.7R2.3 that allows a local authenticated attacker to escalate privileges.
According to a blog released by Mandiant, it identified zero-day exploitation of CVE-2025-0282 in the wild beginning in mid-December 2024. (Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog)
In light of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to the Known Exploited Vulnerabilities (KEV) catalog on January 8, 2025.
Microsoft Threat Intelligence Center reported that in January 2025 Silk Typhoon was also observed exploiting a zero-day vulnerability in the public-facing Ivanti Pulse Connect VPN (CVE-2025-0282). (Silk Typhoon targeting IT supply chain | Microsoft Security Blog)

What is the recommended Mitigation?
A patch is available; please refer to the Security Advisory: Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283). Ivanti's Integrity Checker Tool (ICT) can identify exploitation of CVE-2025-0282.
CISA has also provided mitigation instructions for CVE-2025-0282: https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282

What FortiGuard Coverage is available?
FortiGuard Labs recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory.
FortiGuard Labs has blocked all known malware and related Indicators of Compromise (IOCs) noted in the campaign targeting the Ivanti vulnerability.
FortiGuard Labs has IPS protection to detect and block attack attempts targeting CVE-2025-0282, the buffer overflow vulnerability in Ivanti Connect Secure. (Intrusion Prevention | FortiGuard Labs)
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the Vulnerability?
Threat actors are actively exploiting vulnerabilities in the Hitachi Vantara Pentaho Business Analytics Server. FortiGuard network sensors have detected attack attempts against over 500 devices, and CISA has added these vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation.
The Pentaho Business Analytics Server is widely used, trusted by 73% of Fortune 100 companies, and plays a crucial role in data analysis and business intelligence.
Affected Vulnerabilities
CVE-2022-43939: Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2022-43769: Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability

What is the recommended Mitigation?
Apply the latest patch or update from the vendor. [CVE-2022-43769 and CVE-2022-43939]

What FortiGuard Coverage is available?
Patch Immediately – FortiGuard Labs strongly recommends applying vendor fixes as soon as they are available. Follow all guidance from the official vendor advisory.
Intrusion Prevention System (IPS) Protection – FortiGuard Labs provides IPS signatures to detect and block exploitation attempts for CVE-2022-43769 and CVE-2022-43939. (Intrusion Prevention | FortiGuard Labs)
Incident Response Support – If a compromise is suspected, the FortiGuard Incident Response team is available for assistance.
What is the Vulnerability?
A recent authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS software is under active exploitation and has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog. Successful exploitation of CVE-2025-0108 enables an unauthenticated attacker with network access to the management web interface to bypass the authentication that interface normally requires and invoke certain PHP scripts, impacting its integrity and confidentiality.
According to the vendor advisory, Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. A detailed Outbreak report on the attack using CVE-2024-9474 was released in November 2024; see Palo Alto Networks Management Interface Attack | Outbreak Alert | FortiGuard Labs.
- CVE-2024-9474 is an older OS command injection flaw that allows attackers to escalate their privileges and perform actions on the PAN firewall as root.
- CVE-2025-0111 is an authenticated file read vulnerability that allows attackers to read files on the PAN-OS filesystem that are readable by the "nobody" user.

What is the recommended Mitigation?
Palo Alto Networks has released fixes and recommended mitigations. Please review the advisories below.
CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface
CVE-2025-0111 PAN-OS: Authenticated File Read Vulnerability in the Management Web Interface
CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface

What FortiGuard Coverage is available?
• FortiGuard Labs recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory.
• FortiGuard Labs has IPS protection for CVE-2024-9474 and CVE-2025-0108.
• FortiGuard Labs is reviewing IPS protection for CVE-2025-0111 and will update this Threat Signal report when it is available.
• FortiGuard Labs has blocked all known Indicators of Compromise (IOCs) noted in the campaign.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the Attack?
Threat actors are targeting a Microsoft .NET Framework information disclosure vulnerability (CVE-2024-29059) that exposes the ObjRef URI to an attacker, ultimately enabling remote code execution. CVE-2024-29059 was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 4, 2025.

What is the recommended Mitigation?
FortiGuard recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory. [CVE-2024-29059 - Security Update Guide - Microsoft - .NET Framework Information Disclosure Vulnerability]

What FortiGuard Coverage is available?
FortiGuard IPS protection is available, and Fortinet customers remain protected through it. (Intrusion Prevention | FortiGuard Labs)
FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface. (FortiClient Vulnerability | FortiGuard Labs)
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the Attack?
Trimble Cityworks contains a deserialization vulnerability (CVE-2025-0994) that could allow an authenticated user to achieve remote code execution on a customer's Microsoft Internet Information Services (IIS) web server, potentially resulting in downtime and loss of service. According to the Trimble Cityworks website, the product provides a Geographic Information System (GIS)-centric solution for local governments, utilities, airports, and public works agencies to manage and maintain infrastructure across its full lifecycle.
Trimble has investigated customer reports of attackers exploiting the vulnerability to gain unauthorized access to networks, confirming that active exploitation is occurring. CISA added CVE-2025-0994 to its Known Exploited Vulnerabilities Catalog on February 7, 2025, based on that evidence of active exploitation.

What is the recommended Mitigation?
• CVE-2025-0994 affects Cityworks versions prior to 15.8.9 and Cityworks with Office Companion versions prior to 23.10.
• Trimble has released updates addressing the deserialization flaw. Ensure these updates are applied to your systems.

What FortiGuard Coverage is available?
• FortiGuard Labs recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory.
• FortiGuard Labs has blocked all known malware and related Indicators of Compromise (IOCs) noted in the campaign.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the attack?
A significant ransomware attack has struck Pusat Data Nasional (PDN), one of Indonesia's government-owned national data centers. The threat actors encrypted government data, disrupting digital services for immigration, airport checks, and several other public services. The ransomware used in this attack, Brain Cypher, is a new variant of the LockBit 3.0 ransomware. In 2023, the LockBit group also severely disrupted the systems of Bank Syariah Indonesia (BSI).

What is the recommended Mitigation?
Ensure that all systems are up to date and protected by robust cybersecurity measures. Also maintain general awareness and training about the risk of phishing and social engineering attacks across the organization.

What FortiGuard Coverage is available?
FortiGuard Labs has AV signatures to block all known malware variants used by the ransomware group.
Behavior-based detection through FortiSandbox detects new and unknown ransomware samples.
FortiEDR can mitigate the risk associated with the execution and subsequent behavior of Brain Cypher ransomware. For more information, please see the link to the Fortinet community site added to the Appendix.
The Web Filtering service blocks all known IoCs related to the campaign.
These IOCs are available for threat hunting through FortiAnalyzer, FortiSIEM, and FortiSOAR.
