
FortiGuard Labs | FortiGuard Center - Threat Signal Report

The Threat Signal created by the FortiGuard Labs is intended to provide you with insight on emerging issues that are trending within the cyber threat landscape. The Threat Signal will provide concise technical details about the issue, mitigation recommendations and a perspective from the FortiGuard Labs team in an FAQ style format.

What is the Vulnerability?
A critical SSH vulnerability has recently been identified in the Erlang/Open Telecom Platform (OTP). The vulnerability, tracked as CVE-2025-32433, has been assigned a CVSS score of 10.0. It is unauthenticated, remotely exploitable, and requires low complexity to execute. Erlang/OTP is commonly found in IoT devices and telecommunications platforms, and is prominently used by companies such as Ericsson, WhatsApp, and Cisco, among others.

What is the recommended Mitigation?
A security patch for OTP has been made available via GitHub. FortiGuard Labs strongly recommends that organizations prioritize applying the latest security updates.

What FortiGuard Coverage is available?
• FortiGuard IPS coverage is being developed to detect and block exploitation attempts.
• The FortiGuard Incident Response team is available to assist with any suspected compromise.
What is the Vulnerability?
FortiGuard Labs has observed in-the-wild attack attempts targeting CVE-2025-31161, an authentication bypass vulnerability in CrushFTP managed file transfer (MFT) software. Successful exploitation may grant attackers administrative access to the application, posing a serious threat to enterprise environments.
The vulnerability is remotely exploitable, and a proof-of-concept (PoC) exploit is now publicly available. This increases the risk of rapid adoption by threat actors, including ransomware groups who have historically targeted MFT platforms like MOVEit Transfer and Cleo MFT.
According to the Shadowserver Foundation, approximately 1,800 unpatched, internet-exposed CrushFTP instances remain vulnerable globally, heightening the urgency for immediate mitigation.

What is the recommended Mitigation?
FortiGuard Labs recommends that users apply the fix provided by the vendor and follow any instructions as mentioned in the vendor's advisory.
Limit internet exposure of MFT services wherever possible, or use the CrushFTP DMZ function, and further monitor for suspicious activity or unauthorized access attempts.
Affected versions include 10.0.0 to 10.8.3 and 11.0.0 to 11.3.0. Users should immediately patch to 10.8.4 or 11.3.1 and later. https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update

What FortiGuard Coverage is available?
FortiGuard Labs has available IPS protection for CVE-2025-31161 which detects and blocks attack attempts targeting the CrushFTP Authentication Bypass vulnerability. Intrusion Prevention | FortiGuard Labs
FortiGuard Labs has available AV protection for W32/Loader_Lycaon.AM!tr used at post-exploitation. AV | FortiGuard Labs
FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface. FortiClient Vulnerability | FortiGuard Labs
FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaigns targeting the CrushFTP vulnerability (CVE-2025-31161).
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the Vulnerability?
A zero-day vulnerability has recently been identified in the Common Log File System (CLFS) kernel driver. CLFS is a general-purpose logging subsystem within the Windows operating system that provides a high-performance way to store log data for various applications. If successfully exploited, an attacker operating under a standard user account can elevate their privileges.
Furthermore, Microsoft has observed that the exploit has been utilized by PipeMagic malware and has attributed this exploitation activity to Storm-2460, which has also leveraged PipeMagic to distribute ransomware. Microsoft has published a blog that provides an in-depth analysis of Microsoft's findings regarding the CLFS exploit and the associated activities. Exploitation of CLFS zero-day leads to ransomware activity | Microsoft Security Blog

What is the recommended Mitigation?
Microsoft issued security updates to mitigate CVE-2025-29824 on April 8, 2025. FortiGuard Labs strongly advises organizations to prioritize the implementation of security updates.

What FortiGuard Coverage is available?
FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications, eliminating manual processes while reducing the attack surface. FortiClient Vulnerability | FortiGuard Labs
FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaign targeting the Windows CLFS Driver Elevation of Privilege vulnerability (CVE-2025-29824).
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the Vulnerability?
On March 24, researchers disclosed a set of five vulnerabilities, collectively known as "IngressNightmare", affecting Ingress-nginx, one of the popular ingress controllers available for Kubernetes. Using Ingress-NGINX is one of the most common methods for exposing Kubernetes applications externally.
CVE-2025-1974 is considered the most serious of the five and has been assigned a CVSS score of 9.8 (critical). When chained with one of the lower severity vulnerabilities, it allows for unauthenticated remote code execution. This exploitation could result in the exposure of sensitive information that the controller can access. Consequently, unauthenticated attackers have the potential to compromise the system by executing unauthorized code.

What is the recommended Mitigation?
Kubernetes has responded publicly to the disclosure of CVE-2025-1974, encouraging users to install the patches released by the Ingress-nginx team that remediate CVE-2025-1974 and all five vulnerabilities listed: https://github.com/kubernetes/ingress-nginx/releases
Upgrade ingress-nginx to v1.11.5, v1.12.1, or any later version.
FortiGuard Labs recommends that users follow the instructions and mitigation steps as mentioned in the vendor's advisory: Ingress-nginx CVE-2025-1974: What You Need to Know | Kubernetes
First, determine if your clusters are using ingress-nginx.
Affected Versions: < v1.11.0, v1.11.0 - 1.11.4 and v1.12.0
Enforce strict network policies so only the Kubernetes API Server can access the admission controller.
Temporarily disable the admission controller component of Ingress-NGINX if you cannot upgrade right away.

What FortiGuard Coverage is available?
FortiGuard Labs has available IPS protection to detect and block any attack attempts targeting CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974. Intrusion Prevention | FortiGuard Labs
Lacework FortiCNAPP has available Continuous Security and Posture Analysis: How does Lacework FortiCNAPP Protect from... - Fortinet Community
- Behavior Anomaly Detection flags, such as unexplained container processes and suspicious user activities, aligning with CVE-2025-1974.
- Posture analysis that detects high-risk Kubernetes settings, such as enabled snippet annotations, and identifies additional misconfigurations (e.g. privileged containers or open service ports).
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
FortiGuard Labs will provide updates as more information becomes available.
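The first two mitigation steps above (find out whether a cluster runs ingress-nginx, then compare the controller version with the affected ranges) can be scripted. The following shell snippet is an added example and is not code from the Threat Signal report or from the Kubernetes project; it encodes the ranges exactly as stated above (< v1.11.0, v1.11.0 - v1.11.4 and v1.12.0 affected; v1.11.5, v1.12.1 and later fixed). The kubectl label selector in the comment assumes the controller carries the standard chart label app.kubernetes.io/name=ingress-nginx and is not executed by the script.

```shell
#!/bin/sh
# Added example, not code from the Threat Signal report or the Kubernetes project.
# Classifies an ingress-nginx controller version against the affected ranges
# stated in the advisory: < v1.11.0, v1.11.0 - v1.11.4 and v1.12.0 are affected;
# v1.11.5, v1.12.1 and later are fixed.

# Discovery on a live cluster (assumes the chart's standard label; not run here):
#   kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
#     -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.spec.containers[*].image}{"\n"}{end}'

# Print "MAJOR MINOR PATCH" for a tag such as v1.11.4 or for a full image reference
# such as registry.k8s.io/ingress-nginx/controller:v1.12.0@sha256:...; prints
# nothing when no three-part numeric version can be found.
version_triplet() {
  ref=${1%%@*}          # drop a trailing @sha256:... digest, if present
  tag=${ref##*:}        # keep what follows the last ':' (the tag, or the bare version)
  tag=${tag#v}
  printf '%s\n' "$tag" | awk -F. 'NF >= 3 && $1 ~ /^[0-9]+$/ { print $1 + 0, $2 + 0, $3 + 0 }'
}

# Print "affected", "fixed" or "unknown" for the given tag or image reference.
# Exit status: 0 = affected, 1 = fixed, 2 = unknown (unparseable version).
ingress_nginx_status() {
  set -- $(version_triplet "$1")
  if [ $# -ne 3 ]; then
    printf 'unknown\n'; return 2
  fi
  major=$1; minor=$2; patch=$3
  # Everything before v1.11.0
  if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 11 ]; }; then
    printf 'affected\n'; return 0
  fi
  # v1.11.0 through v1.11.4
  if [ "$major" -eq 1 ] && [ "$minor" -eq 11 ] && [ "$patch" -le 4 ]; then
    printf 'affected\n'; return 0
  fi
  # v1.12.0
  if [ "$major" -eq 1 ] && [ "$minor" -eq 12 ] && [ "$patch" -eq 0 ]; then
    printf 'affected\n'; return 0
  fi
  printf 'fixed\n'; return 1
}

# Stand-alone demo over constructed sample tags (the digest below is a placeholder).
for sample in v1.10.2 v1.11.4 v1.11.5 v1.12.0 \
    'registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:0000'; do
  printf '%-64s %s\n' "$sample" "$(ingress_nginx_status "$sample")"
done
```

Feed the image column of the kubectl output (one reference per line) to ingress_nginx_status to get a per-namespace verdict; anything reported as "affected" should be upgraded or, failing that, have its admission controller restricted or disabled as described above.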
What are the Vulnerabilities?
Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure ("ICS") VPN appliances. CVE-2025-0282 is an unauthenticated stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways; successful exploitation could result in unauthenticated remote code execution. CVE-2025-0283 is a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows a local authenticated attacker to escalate their privileges.
According to a blog released by Mandiant, it has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024. Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
In light of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to the Known Exploited Vulnerabilities (KEV) catalog on January 8, 2025.
Microsoft Threat Intelligence Center reported that in January 2025, Silk Typhoon was also observed exploiting a zero-day vulnerability in the public-facing Ivanti Pulse Connect VPN (CVE-2025-0282). Silk Typhoon targeting IT supply chain | Microsoft Security Blog

What is the recommended Mitigation?
A patch is available; please refer to the Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283).
The Integrity Checker Tool (ICT) provided by Ivanti to ensure the integrity and security of the entire network infrastructure can identify exploitation of CVE-2025-0282.
CISA has also provided Mitigation Instructions for CVE-2025-0282: https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282

What FortiGuard Coverage is available?
FortiGuard Labs recommends that users apply the fix provided by the vendor and follow the instructions as mentioned in the vendor's advisory.
FortiGuard Labs has blocked all the known malware and related Indicators of Compromise (IOCs) noted in the campaign targeting the Ivanti vulnerability.
FortiGuard Labs has available IPS protection to detect and block any attack attempts targeting CVE-2025-0282, the Buffer Overflow vulnerability in Ivanti Connect Secure. Intrusion Prevention | FortiGuard Labs
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the Vulnerability?
On March 10, 2025, Apache issued a security advisory regarding a critical vulnerability (CVE-2025-24813) affecting the Apache Tomcat web server. This flaw could allow attackers to view or inject arbitrary content into security-sensitive files and potentially achieve remote code execution.
Exploit code for this vulnerability is publicly available, and no authentication is required to launch an attack, making prompt mitigation essential. According to Apache, successful exploitation requires specific conditions, which may allow attackers to manipulate and view sensitive files or execute remote code.

What is the recommended Mitigation?
Impacted users should implement the recommended mitigations provided by Apache and follow the instructions outlined in the vendor's advisory: https://lists.apache.org/thread/j5fkjv2k477os90nczf2v9l61fb0kkgq
- Upgrade to Apache Tomcat 11.0.3 or later
- Upgrade to Apache Tomcat 10.1.35 or later
- Upgrade to Apache Tomcat 9.0.99 or later

What FortiGuard Coverage is available?
FortiGuard Labs has available IPS protection to detect and block any attack attempts targeting CVE-2025-24813 affecting the Apache Tomcat web server. https://www.fortiguard.com/encyclopedia/ips/57559
FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface. https://www.fortiguard.com/encyclopedia/endpoint-vuln/84317
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the Attack?
Recently, a popular third-party GitHub Action, tj-actions/changed-files (CVE-2025-30066), used by over 23,000 repositories, was compromised, potentially exposing sensitive workflow secrets in any pipeline that integrated it.
Subsequent investigation revealed that the compromise of tj-actions/changed-files may be linked to a similar breach of another GitHub Action, reviewdog/action-setup@v1 (CVE-2025-30154). Multiple Reviewdog actions were affected during a specific timeframe, raising further concerns about the scope of the attack. CVE-2025-30154 · GitHub Advisory Database
GitHub Actions, a widely used CI/CD platform, enables developers to automate software development pipelines with reusable workflow components. The supply chain compromise in this case poses a serious security risk, potentially exposing sensitive secrets such as valid access keys, GitHub Personal Access Tokens (PATs), npm tokens, and private RSA keys.
Both vulnerabilities have been assigned CVEs (CVE-2025-30066 and CVE-2025-30154) and have been added to CISA's Known Exploited Vulnerabilities Catalog. As the investigation is ongoing, we will continue to monitor the situation and provide updates as more information becomes available.

What is the recommended Mitigation?
Review the GitHub Advisory posted at "tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs" · CVE-2025-30066 · GitHub Advisory Database · GitHub and follow the mitigation steps as mentioned below:
1. Identify usage: Search for the tj-actions/changed-files action and the other actions mentioned above in your repositories to determine whether and where they have been used.
2. Review workflow logs: Examine past workflow runs for evidence of secret exposure and update workflows referencing the compromised commit.
3. Rotate potentially exposed secrets: As a precaution, rotate any secrets that may have been exposed during this timeframe to ensure the continued security of your workflows.
4. Investigate malicious activity: If you encounter any signs that the compromised action has been executed, investigate further for any signs of malicious activity.
See the following additional resource for further guidance: Security hardening for GitHub Actions - GitHub Docs

What FortiGuard Coverage is available?
FortiGuard Labs recommends that users follow the instructions and mitigation steps as mentioned in the vendor's advisory.
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
A FortiGuard IPS signature has been added to detect and block any malicious activity related to CVE-2025-30066 and CVE-2025-30154. Intrusion Prevention | FortiGuard Labs
Lacework FortiCNAPP provides the following post-exploitation and CI/CD protection capabilities:
- Anomalous Cloud Activity: Detects unusual access patterns, use of stolen credentials, and suspicious API behavior across AWS, Azure, and GCP.
- CI/CD Integration: Enables detection of insecure infrastructure code and secrets during build workflows. FortiCNAPP scan results can be used to fail builds and prevent deployment of high-severity risks when integrated with CI/CD pipelines (e.g. GitHub Actions, GitLab CI).
- Workload Threat Detection: Identifies runtime behaviors such as encoded exfiltration attempts, unexpected process activity, or behavior indicative of credential harvesting.
- IaC and Secrets Scanning: Prevents misconfigurations and hardcoded secrets in Terraform, Kubernetes, and CI workflows.
FortiGuard Labs will provide updates as more information becomes available.
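Step 1 of the mitigation above (identify usage) is the part that can be done mechanically across many repositories. The shell script below is an added example, not code from the Threat Signal report, from GitHub or from the action maintainers. It walks a checked-out repository's .github/workflows directory, reports every "uses:" reference to the two actions named above, and additionally flags any third-party action that is not pinned to a full 40-character commit SHA, which is the pinning practice recommended in the GitHub hardening guide linked above (a mutable tag such as @v45 can later be pointed at a different commit; a SHA cannot). The sample workflow it builds is constructed for the demo and the checkout SHA in it is a made-up value.

```shell
#!/bin/sh
# Added example, not code from the Threat Signal report, GitHub or the action
# maintainers. Audits a repository's workflow files for the actions named in the
# advisory and for third-party actions not pinned to a full commit SHA.

# Actions named in the advisory (any sub-path under them is matched as well).
COMPROMISED_ACTIONS='tj-actions/changed-files reviewdog/action-setup'

# Print one finding per line: "FILE:LINE KIND ACTION@REF", KIND = compromised | unpinned.
scan_workflows() {
  repo="$1"
  find "$repo/.github/workflows" -type f \( -name '*.yml' -o -name '*.yaml' \) 2>/dev/null | sort |
  while IFS= read -r f; do
    grep -n -E '^[[:space:]]*(-[[:space:]]+)?uses:' "$f" | while IFS= read -r hit; do
      lineno=${hit%%:*}
      # Strip the "N:   - uses:" prefix, any trailing comment, and quotes around the value.
      value=$(printf '%s\n' "$hit" |
        sed -E 's/^[0-9]+:[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]*//; s/[[:space:]]*#.*$//' |
        tr -d "\"'")
      case "$value" in
        ./*|docker://*) continue ;;       # local or container actions carry no git ref
      esac
      action=${value%%@*}
      ref=${value#*@}
      [ "$ref" = "$value" ] && ref=''     # no "@ref" at all
      for bad in $COMPROMISED_ACTIONS; do
        case "$action" in
          "$bad"|"$bad"/*) printf '%s:%s compromised %s@%s\n' "$f" "$lineno" "$action" "$ref" ;;
        esac
      done
      # Pinned means the ref is a full 40-hex commit SHA; anything else is mutable.
      if ! printf '%s' "$ref" | grep -Eq '^[0-9a-f]{40}$'; then
        printf '%s:%s unpinned %s@%s\n' "$f" "$lineno" "$action" "$ref"
      fi
    done
  done
}

# Number of findings of one kind ("compromised" or "unpinned") in a repository.
count_findings() {
  scan_workflows "$1" | awk -v kind="$2" '$2 == kind' | wc -l | tr -d ' '
}

# Constructed sample repository (not a real project); the checkout SHA is a made-up value.
make_sample_repo() {
  dir=$(mktemp -d)
  mkdir -p "$dir/.github/workflows"
  cat > "$dir/.github/workflows/ci.yml" <<'EOF'
name: CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: actions/setup-node@v4
      - uses: tj-actions/changed-files@v45   # named in the advisory
        id: changed
      - name: Set up reviewdog
        uses: "reviewdog/action-setup@v1"
      - uses: ./.github/actions/local-step
EOF
  printf '%s\n' "$dir"
}

# Stand-alone demo: two "compromised" and three "unpinned" findings on the sample.
SAMPLE_REPO=$(make_sample_repo)
scan_workflows "$SAMPLE_REPO"
```

Run scan_workflows against each cloned repository (for example from a loop over the output of the GitHub CLI's repository listing); every "compromised" line is a workflow whose past runs need the log review and secret rotation described in steps 2 and 3, and every "unpinned" line is a place to replace the tag with the commit SHA of a version you have reviewed.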
What is the Vulnerability?
Multiple zero-day vulnerabilities have been identified in VMware's ESXi, Workstation, and Fusion products. VMware has confirmed that these vulnerabilities are being actively exploited in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) has included them in its Known Exploited Vulnerabilities Catalog due to evidence of such exploitation.
The vendor advisory indicates that these vulnerabilities were reported to VMware by the Microsoft Threat Intelligence Center.
• CVE-2025-22225: Arbitrary Write Vulnerability in VMware ESXi
• CVE-2025-22224: TOCTOU Race Condition Vulnerability in VMware ESXi and Workstation
• CVE-2025-22226: Information Disclosure Vulnerability in VMware ESXi, Workstation, and Fusion

What is the recommended Mitigation?
Updates are available to remediate the vulnerabilities affecting VMware products. Apply the patch listed in the vendor's advisory.

What FortiGuard Coverage is available?
• FortiGuard Labs recommends that users apply the fix when provided by the vendor and follow any instructions as mentioned in the vendor's advisory.
• FortiGuard Labs has an Endpoint Vulnerability service to detect any vulnerable instances running on the network. Endpoint Vulnerability | FortiGuard Labs
• FortiGuard Labs is reviewing IPS protections where applicable and will update this Threat Signal report when they become available.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is Citrix NetScaler ADC and NetScaler Gateway?
Citrix NetScaler ADC, previously known as Citrix ADC, is an Application Delivery Controller (ADC) designed to achieve secure and optimized network traffic. Citrix NetScaler Gateway, previously known as Citrix Gateway, is an SSL-VPN solution designed to provide secure and optimized remote access.

What is the Attack?
According to the advisory published by Citrix, CVE-2023-3519 is an unauthenticated remote code execution vulnerability that affects unmitigated Citrix NetScaler ADC and NetScaler Gateway products. For these products to be vulnerable, they must be configured either as a gateway or as an authentication, authorization, and auditing (AAA) virtual server. The advisory also confirms that Citrix-managed servers have already been mitigated, so no action is needed on those.
In early 2024, Microsoft began to observe Silk Typhoon exploiting zero-day vulnerabilities within Citrix NetScaler ADC and NetScaler Gateways. Silk Typhoon targeting IT supply chain | Microsoft Security Blog

Why is this Significant?
This is significant because the Citrix advisory acknowledged that CVE-2023-3519 was exploited in the wild. Also, CISA added the vulnerability to the Known Exploited Vulnerabilities Catalog on July 19th, 2023. CISA released an advisory on July 20th stating that the vulnerability was exploited as a zero-day in June affecting an unnamed critical infrastructure organization.

What is the Vendor Solution?
Citrix released relevant updates on July 18th, 2023.

What FortiGuard Coverage is available?
FortiGuard Labs has an IPS signature "Citrix.NetScaler.ADC.Gateway.Remote.Code.Execution" in place for CVE-2023-3519. FortiGuard Labs advises users to install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as possible.
What is the Vulnerability?
Threat actors are actively exploiting vulnerabilities in the Hitachi Vantara Pentaho Business Analytics Server. FortiGuard network sensors have detected attack attempts on over 500 devices, and CISA has added these vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation.
The Pentaho Business Analytics Server is widely used, trusted by 73% of Fortune 100 companies, and plays a crucial role in data analysis and business intelligence.
Affected Vulnerabilities
CVE-2022-43939: Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2022-43769: Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability

What is the recommended Mitigation?
Apply the latest patch or update from the vendor. [CVE-2022-43769 and CVE-2022-43939]

What FortiGuard Coverage is available?
Patch Immediately – FortiGuard Labs strongly recommends applying vendor fixes as soon as they are available. Follow all guidance from the official vendor advisory.
Intrusion Prevention System (IPS) Protection – FortiGuard Labs provides IPS signatures to detect and block exploitation attempts for CVE-2022-43769 and CVE-2022-43939. Intrusion Prevention | FortiGuard Labs
Incident Response Support – If a compromise is suspected, the FortiGuard Incident Response team is available for assistance.
