
FortiGuard Labs | FortiGuard Center - Threat Signal Report

The Threat Signal created by the FortiGuard Labs is intended to provide you with insight on emerging issues that are trending within the cyber threat landscape. The Threat Signal will provide concise technical details about the issue, mitigation recommendations and a perspective from the FortiGuard Labs team in an FAQ style format.

What is the Vulnerability?
A recent authentication bypass vulnerability (CVE-2025-0108) in Palo Alto Networks PAN-OS software is under active exploitation and has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog. Successful exploitation of CVE-2025-0108 enables an unauthenticated attacker with network access to the management web interface to bypass the authentication required by the PAN-OS management web interface and invoke certain PHP scripts, impacting its integrity and confidentiality. According to the vendor advisory, Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. A detailed Outbreak report covering the attack using CVE-2024-9474 was released in Nov 2024. See more details: Palo Alto Networks Management Interface Attack | Outbreak Alert | FortiGuard Labs
- CVE-2024-9474 is an older OS command injection flaw that allows attackers to escalate their privileges and perform actions on the PAN firewall with root privileges.
- CVE-2025-0111 is an authenticated file read vulnerability that allows attackers to read files on the PAN-OS filesystem that are readable by the "nobody" user.

What is the recommended Mitigation?
Palo Alto Networks has released a fix and has provided recommended mitigations. Please review the links below.
CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface
CVE-2025-0111 PAN-OS: Authenticated File Read Vulnerability in the Management Web Interface
CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface

What FortiGuard Coverage is available?
• FortiGuard Labs recommends that users apply the fix when provided by the vendor and follow any instructions in the vendor's advisory.
• FortiGuard Labs has IPS protection available for CVE-2024-9474 and CVE-2025-0108.
• FortiGuard Labs is reviewing IPS protections for CVE-2025-0111 and will update this Threat Signal report when they become available.
• FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) noted in the campaign.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the Attack?
Threat actors are targeting a Microsoft .NET Framework information disclosure vulnerability (CVE-2024-29059) that exposes the ObjRef URI to an attacker, ultimately enabling remote code execution. The vulnerability, tracked as CVE-2024-29059, was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 4, 2025.

What is the recommended Mitigation?
FortiGuard recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory. [CVE-2024-29059 - Security Update Guide - Microsoft - .NET Framework Information Disclosure Vulnerability]

What FortiGuard Coverage is available?
FortiGuard IPS protection is available, and Fortinet customers remain protected through it. Intrusion Prevention | FortiGuard Labs
FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface. FortiClient Vulnerability | FortiGuard Labs
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the Attack?
Trimble Cityworks contains a deserialization vulnerability. It could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server, potentially resulting in downtime and loss of service. According to the Trimble Cityworks website, the product provides a Geographic Information System (GIS)-centric solution for local governments, utilities, airports, and public works agencies to manage and maintain infrastructure across the full lifecycle. Trimble has investigated customer reports of hackers exploiting the vulnerability to gain unauthorized access to networks, confirming that active exploitation is occurring. CISA added CVE-2025-0994 to its Known Exploited Vulnerabilities Catalog on February 7, 2025, based on the evidence of active exploitation.

What is the recommended Mitigation?
• The CVE-2025-0994 flaw impacts Cityworks versions prior to 15.8.9 and Cityworks with office companion versions before 23.10.
• Trimble has released updates addressing this deserialization flaw. Ensure these updates are applied to your systems.

What FortiGuard Coverage is available?
• FortiGuard Labs recommends that users apply the fix when provided by the vendor and follow any instructions in the vendor's advisory.
• FortiGuard Labs has blocked all the known malware and related Indicators of Compromise (IOCs) noted in the campaign.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the Attack?
A significant ransomware attack has struck Pusat Data Nasional (PDN), one of Indonesia's government-owned national data centers. The incident involved threat actors encrypting government data, which disrupted digital services for immigration, airport checks, and several other public services. This ransomware attack represents a new variant of the LockBit 3.0 ransomware. In 2023, the LockBit hacker group also severely disrupted the Bank Syariah Indonesia (BSI) systems.

What is the recommended Mitigation?
Ensure that all systems are up to date and protected by robust cybersecurity measures. Also maintain general awareness and training about the risk of phishing and social engineering attacks in the organization.

What FortiGuard Coverage is available?
FortiGuard Labs has AV signatures to block all the known malware variants used by the ransomware group.
Behavior-based detection through FortiSandbox detects new and unknown ransomware samples.
FortiEDR can mitigate the risk associated with the execution and subsequent behavior of Brain Cypher ransomware. For more information, please see the link to the Fortinet community site added to the Appendix.
The Web Filtering service blocks all the known IoCs related to the campaign.
These IOCs are available for threat hunting through FortiAnalyzer, FortiSIEM, and FortiSOAR.
What is the Vulnerability?
On Jan 16, 2024, Atlassian released an advisory for a template injection vulnerability in Confluence Data Center and Server. The flaw can allow an unauthenticated attacker to remotely execute malicious code on affected versions. This vulnerability is rated with a severity level of 10.0 (Critical).

What is the Vendor Solution?
Atlassian highly recommends applying the latest version available as listed in their advisory. CVE-2023-22527 - Atlassian Support | Atlassian Documentation

What FortiGuard Coverage is available?
FortiGuard Labs has an IPS signature "Atlassian.Confluence.CVE-2023-22527.Remote.Code.Execution" in place for CVE-2023-22527. FortiGuard Labs is seeing active exploitation attempts on this vulnerability.
What is the Vulnerability?
Critical flaws in multiple Cleo products allow attackers to exploit unrestricted file uploads and downloads, leading to Remote Code Execution, and are being actively exploited in the wild. The vulnerability affects the following Cleo products (versions before and including 5.8.0.21):
- Cleo Harmony
- Cleo VLTrader
- Cleo LexiCom
Cleo is a software company focused on Managed File Transfer (MFT) solutions. Its products, Cleo VLTrader, Cleo Harmony, and Cleo LexiCom, facilitate secure file transfers and B2B integration, and streamline data exchange and integration.
On December 13, 2024, CISA confirmed that CVE-2024-50623 is being actively exploited, including in ransomware campaigns, and added it to the Known Exploited Vulnerabilities (KEV) catalog.

What is the recommended Mitigation?
FortiGuard Labs strongly advises all Cleo customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch and follow: Cleo Product Security Advisory - CVE-2024-50623 – Cleo | Cleo Product Security Update - CVE-2024-55956 – Cleo

What FortiGuard Coverage is available?
FortiGuard recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory.
FortiGuard Endpoint Vulnerability Protection service is available to detect vulnerable systems. Endpoint Vulnerability | FortiGuard Labs
FortiGuard Web Filtering service blocks all the known Indicators of Compromise (IoCs) related to the campaigns targeting the Cleo vulnerability.
FortiGuard IPS Protection is available to detect and block attack attempts targeting the Cleo vulnerabilities (CVE-2024-50623, CVE-2024-55956). See more at: Intrusion Prevention | FortiGuard Labs
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the Attack?
Attackers are actively exploiting multiple zero-day vulnerabilities affecting Ivanti CSA (Cloud Services Appliance) that could allow an attacker to gain admin access, bypass security measures, run arbitrary SQL commands, and execute code remotely. In a recent incident response engagement, FortiGuard Incident Response (FGIR) services observed an advanced adversary exploiting vulnerabilities affecting the Ivanti Cloud Services Appliance (CSA). To read more visit: Burning Zero Days: Suspected Nation-State Adversary Targets Ivanti CSA | FortiGuard Labs (fortinet.com)
- CVE-2024-9379: SQL injection in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.
- CVE-2024-9380: An OS command injection vulnerability in the admin web console of Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to obtain remote code execution.
- CVE-2024-9381: Path traversal in Ivanti CSA before version 5.0.2 allows a remote authenticated attacker with admin privileges to bypass restrictions.
- CVE-2024-8963: Path traversal in Ivanti CSA before 4.6 Patch 519 allows a remote unauthenticated attacker to access restricted functionality.
- CVE-2024-8190: An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution.

What is the recommended Mitigation?
Ivanti has released updates for Ivanti CSA (Cloud Services Appliance) that address these vulnerabilities. Security Advisory Ivanti CSA (Cloud Services Appliance)
In the advisory, Ivanti mentions that it has observed limited exploitation of CSA 4.6 when CVE-2024-9379 or CVE-2024-9380 is chained with CVE-2024-8963.

What FortiGuard Coverage is available?
FortiGuard recommends that users apply the vendor's fixes as mentioned in the advisory.
FortiGuard Web Filtering service has blocked all the known Indicators of Compromise (IoCs) captured during the IR engagement.
FortiGuard Antivirus service has blocked all the known malware used by the threat actor in the related campaign.
FortiGuard IPS protection is available for CVE-2024-8963 "Ivanti.Cloud.Service.Appliance.datetime.Command.Injection" and CVE-2024-9380 "Ivanti.Cloud.Service.Appliance.reports.php.OS.Command.Injection" to defend against attacks targeting vulnerable Ivanti CSA systems.
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What is the Vulnerability?
Aviatrix Controllers contain an OS command injection vulnerability that could allow an unauthenticated attacker to execute arbitrary code. The vulnerability, tracked as CVE-2024-50603, rates 10 out of 10 on the CVSS scale and was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on January 16, 2025. A proof-of-concept exploit has been published, and Wiz Research has observed exploitation in the wild resulting in cryptojacking and backdoor deployment. Wiz | Blog

What is the recommended Mitigation?
This vulnerability impacts Aviatrix Controller in versions before 7.1.4191 and versions 7.2.x before 7.2.4996. FortiGuard recommends applying the security patch provided by Aviatrix and following any guidance in the advisory. Aviatrix PSIRT Advisories: Documentation

What FortiGuard Coverage is available?
FortiGuard recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory.
FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs), including the malware related to the campaign targeting CVE-2024-50603. Virus | FortiGuard Labs
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
FortiGuard IPS protection is available to detect and block any attack attempts. Intrusion Prevention | FortiGuard Labs
What are the Vulnerabilities?
Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure ("ICS") VPN appliances. CVE-2025-0282 is an unauthenticated stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways; successful exploitation could result in unauthenticated remote code execution. CVE-2025-0283 is a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows a local authenticated attacker to escalate their privileges.
According to a blog released by Mandiant, it has identified zero-day exploitation of CVE-2025-0282 in the wild beginning mid-December 2024. Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
In light of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to the Known Exploited Vulnerabilities (KEV) catalog on January 8, 2025.

What is the recommended Mitigation?
A patch is available; please refer to the Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283). The Integrity Checker Tool (ICT) provided by Ivanti to verify the integrity and security of the appliance can identify exploitation of CVE-2025-0282.
CISA has also provided Mitigation Instructions for CVE-2025-0282: https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282

What FortiGuard Coverage is available?
FortiGuard Labs recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory.
FortiGuard Labs has blocked all the known malware and related Indicators of Compromise (IOCs) noted in the campaign targeting the Ivanti vulnerability.
FortiGuard Labs has IPS protection available to detect and block any attack attempts targeting the CVE-2025-0282 buffer overflow vulnerability in Ivanti Connect Secure. Intrusion Prevention | FortiGuard Labs
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
What are the Vulnerabilities?
Six security vulnerabilities have been disclosed in the popular Rsync tool, an open-source file synchronization and data transfer tool valued for its ability to perform incremental transfers, reducing data transfer times and bandwidth usage. Several popular backup products such as Rclone, DeltaCopy, and ChronoSync use Rsync for file synchronization. The vulnerabilities are present in versions 3.3.0 and below and include a heap-buffer overflow, information disclosure, a file leak, external directory file-write, and a symbolic-link race condition.
- CVE-2024-12084: Heap-buffer overflow in Rsync due to improper checksum length handling
- CVE-2024-12085: Information leak via uninitialized stack contents
- CVE-2024-12086: Rsync server leaks arbitrary client files
- CVE-2024-12087: Path traversal vulnerability in Rsync
- CVE-2024-12088: Safe-links option bypass that leads to path traversal
- CVE-2024-12747: Race condition in Rsync when handling symbolic links
CERT/CC also mentioned that an attacker could combine CVE-2024-12084 and CVE-2024-12085 to achieve arbitrary code execution on a client that has an Rsync server running. Read more at VU#952657

What is the recommended Mitigation?
Users are advised to apply the latest patches available at GitHub - RsyncProject

What FortiGuard Coverage is available?
FortiGuard recommends that users apply the fix provided by the vendor and follow any mitigation mentioned in VU#952657.
FortiGuard Endpoint Vulnerability Service is available to automatically detect vulnerable installations of the Rsync tool. Endpoint Vulnerability | FortiGuard Labs
FortiGuard IPS protection is being reviewed, and this Threat Signal will be updated as it becomes available.
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
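As an added asset-triage example (written for this page, not FortiGuard's code), the following Python helper flags inventory entries whose version falls inside the affected ranges quoted in the reports above for Rsync, Aviatrix Controller, Trimble Cityworks and Ivanti CSA. The host names and versions in the sample inventory are constructed, and vendor patch-style version strings such as "4.6 Patch 519" are deliberately out of scope.

```python
"""Triage helper: flag software versions inside the affected ranges listed on
this Threat Signal page (added example, not FortiGuard code). Version strings
are assumed to be plain dotted integers; "4.6 Patch 519"-style strings are not handled."""
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'7.2.4996' -> (7, 2, 4996); missing components are padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(product: str, version: str) -> bool:
    """True when `version` of `product` is inside a range the page lists as vulnerable."""
    v = parse_version(version)
    if product == "rsync":                        # CVE-2024-12084..12088, CVE-2024-12747
        return v <= (3, 3, 0)                     # "versions 3.3.0 and below"
    if product == "aviatrix-controller":          # CVE-2024-50603
        # "versions before 7.1.4191 and versions 7.2.x before 7.2.4996"
        return v < (7, 1, 4191) or (v[:2] == (7, 2) and v < (7, 2, 4996))
    if product == "cityworks":                    # CVE-2025-0994
        return v < (15, 8, 9)
    if product == "cityworks-office-companion":   # CVE-2025-0994
        return v < (23, 10, 0)
    if product == "ivanti-csa":                   # CVE-2024-9379 / -9380 / -9381
        return v < (5, 0, 2)
    raise ValueError(f"no affected range recorded for {product!r}")


# Constructed sample inventory (hypothetical hosts), not data from the page.
SAMPLE_INVENTORY = [
    ("backup01", "rsync", "3.2.7"),
    ("backup02", "rsync", "3.4.0"),
    ("cloud-ctl", "aviatrix-controller", "7.2.4800"),
    ("cloud-ctl2", "aviatrix-controller", "7.1.4191"),
    ("gis-web", "cityworks", "15.8.8"),
    ("gis-oc", "cityworks-office-companion", "23.10"),
    ("csa-edge", "ivanti-csa", "5.0.1"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that still need patching."""
    return [row for row in inventory if is_affected(row[1], row[2])]


if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"PATCH NEEDED: {host} runs {product} {version}")
```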
