پارتیان ابتکار پایدار

runC Container Escape Vulnerabilities

What is the Vulnerability?	High-severity vulnerabilities in runc (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) were disclosed in early November 2025. A malicious or compromised container image can abuse how runc handles masked paths, bind-mounts, and special files to write to the host /proc filesystem and escape the container boundary - enabling remote code execution on the host, persistence, or cluster-wide denial-of-service. These issues affect virtually all Linux container stacks that use runc (Docker, containerd, CRI-O, Kubernetes, and managed services) CVE-2025-31133 - Incorrect handling of masked paths; attacker can replace container /dev/null with a symlink and possibly escape. CVE-2025-52565 - Incorrect handling of /dev/console bind-mounts; attacker can exploit build-mount symlink to escape. CVE-2025-52881 - Incomplete fix for earlier CVE-2019-16884 leading to possible DoS or escape.
What is the recommended Mitigation?	Patch runc/update node images: Apply vendor runc updates. AWS lists patched runc (package version runc-1.3.2-2 for Amazon Linux variants) and updated AMIs/Bottlerocket releases; AWS also automated Fargate/ECS updates where applicable. If using other distros, install the distribution-provided patched runc packages per vendor guidance. Audit & logging: Enable container runtime logs, containerd/dockerd debug for suspicious mount/bind events.
What FortiGuard Coverage is available?	FortiGuard Labs continues to monitor this vulnerability and associated exploit activity closely. Users are strongly advised to follow security best practices and apply the latest vendor patches immediately. FortiGuard Labs will update this Threat Signal with additional protective coverage and threat intelligence as the situation evolves. FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface. Endpoint Vulnerability \| FortiGuard Labs FortiCNAPP Cloud Team is actively investigating the impact on cloud workloads and will provide configuration and remediation guidance as new information becomes available. Incident Response Support: The FortiGuard Incident Response team is available to assist organizations with investigation, containment, and recovery in the event of suspected compromise.

WatchGuard Fireware OS IKEv2 Out-of-Bounds Vulnerability

What is the Vulnerability?	A critical Out-of-Bounds Write vulnerability (CVE-2025-9242) exists in the WatchGuard Fireware OS iked process, which handles IKEv2 VPN connections. The flaw allows a remote, unauthenticated attacker to execute arbitrary code on affected devices. The vulnerability impacts both: - Mobile user VPNs using IKEv2, and - Branch Office VPNs using IKEv2 when configured with a dynamic gateway peer. WatchGuard has confirmed the issue is resolved in patched releases and has reported evidence of active exploitation in the wild. Additionally, public technical analysis and proof-of-concept reproduction of the flaw are available, increasing the likelihood of broader attacks.
What is the recommended Mitigation?	Install vendor patches on all affected Firebox appliances. Rotate all locally stored secrets on vulnerable appliances (WatchGuard recommends rotating secrets due to evidence of exploitation) - passwords, shared keys, certificates stored on the Firebox,
What FortiGuard Coverage is available?	Intrusion Prevention System (IPS): FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-9242. Intrusion Prevention \| FortiGuard Labs Incident Response Service: The FortiGuard Incident Response team is available to assist with any suspected compromise.

Microsoft Windows Server Update Service Remote Code Execution Vulnerability

What is the Vulnerability?

CVE-2025-59287 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Windows Server Update Services (WSUS). The flaw stems from unsafe deserialization of untrusted data, allowing attackers to execute arbitrary code on vulnerable servers without authentication.

A public proof-of-concept exploit has been released, and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing active exploitation in the wild.

Organizations should prioritize immediate patching or isolation of any internet-facing or exposed WSUS servers to prevent compromise.

What is the recommended Mitigation?

The vulnerability impacts Windows Server installations with the WSUS role enabled, including Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025.

Apply Microsoft’s out-of-band security update released on October 23, 2025 (referenced in Microsoft’s official advisory and KB documentation).
Restrict network access to WSUS servers, ensuring they are not exposed to untrusted or external networks.
Review system logs for unusual activity or unauthorized WSUS access attempts.

What FortiGuard Coverage is available?

FortiGuard IPS Service detects and blocks exploit attempts targeting CVE-2025-59287. Intrusion Prevention | FortiGuard Labs
FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface. Endpoint Vulnerability | FortiGuard Labs
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

Microsoft Patch Tuesday Fixed Vulnerability More Likely To Be Exploited

Microsoft has released 63 security patches for this month's September 2022 release. One of the fixes is for CVE-2022-34718 (Windows TCP/IP Remote Code Execution Vulnerability). Rated critical and deemed "exploitation more likely" by Microsoft, successful exploitation of the vulnerability allows a remote unauthenticated attacker o run code on the vulnerable machine. This has a CVSS score of 9.8.

Why is this Significant?

This is significant because CVE-2022-34718 ((Windows TCP/IP Remote Code Execution Vulnerability) is a remote code execution vulnerability that is considered "exploitation more likely" by Microsoft as such a fix should be applied as soon as possible. This has a CVSS score of 9.8 out of 10 and is rated critical by Microsoft.

Systems with the IPSec service is running are vulnerable to CVE-2022-34718. Systems with IPv6 disabled are not affected.

Is CVE-2022-34718 being Exploited in the Wild?

No, the vulnerability has not been observed nor reported as being exploited in the wild.

Is there Any Other Vulnerability in the September Patch Tuesday that Requires Attention?

Microsoft also released a patch for a local privilege escalation vulnerability that affects Windows Common Log File System Driver (CVE-2022-37969). Exploitation of this vulnerability does not require any user interaction; however an attacker needs to have access to the target's system to carry out the attack. This has a CVSS score of 7.8 and is rated important.

Is CVE-2022-37969 being Exploited in the Wild?

According to the advisory released by Microsoft, CVE-2022-37969 was exploited as a zero-day as such a fix should be applied as soon as possible.

Has Microsoft Released a Patch for CVE-2022-34718 and CVE-2022-37969?

Yes, Microsoft has released a patch for CVE-2022-34718 and CVE-2022-37969 on September 13th, 2022 as part of regular MS Tuesday for the month.

What is the Status of Coverage?

FortiGuard Labs has released the following IPS signature in response to CVE-2022-34718 (available from version 22.393):

MS.Windows.TCP.IP.CVE-2022-34718.Remote.Code.Execution (default action set to "pass")

Currently there is no sufficient information available for CVE-2022-37969 that allows FortiGuard Labs to develop coverage. We are monitoring the situation and will investigate coverage when information becomes available.

Mitel MiCollab Unauthorized Access

What is the attack?	Security flaws in Mitel MiCollab, CVE-2024–35286 and CVE-2024–41713, have been found, putting many organizations at risk. These vulnerabilities allow attackers bypass authentication and access files on affected servers, revealing sensitive information that could expose organizations to serious security risks. Mitel MiCollab is a popular solution that combines voice calling, video calling, chat, file sharing, screen sharing, and more into one platform for enterprise communications.
What is the recommended Mitigation?	Mitel has released fixes for the vulnerabilities. Organizations that have not implemented the latest patch are advised to do so immediately and monitor vendor advisories for further patch releases and information.
What FortiGuard Coverage is available?	FortiGuard recommends users to apply the patch and follow any mitigation steps provided by the vendor if not done already. The FortiGuard Incident Response team can be engaged to help with any suspected compromise. The FortiGuard Endpoint Vulnerability Service is available to detect vulnerable systems related to " Mitel MiCollab CVE-2024-35286 Access Control Bypass Vulnerability " FortiClient Vulnerability \| FortiGuard Labs FortiGuard IPS protection is added for CVE-2024–35286, CVE-2024–41713, plus a no-CVE, Zero-day (Arbitrary File Read) vulnerability. https://www.fortiguard.com/updates/ips?version=29.919

F5 Data Breach Attack

What is the Attack?	A sophisticated nation-state actor gained long-term access to F5’s corporate networks and exfiltrated files from BIG-IP product development and engineering knowledge-management systems, including portions of BIG-IP source code and information about previously undisclosed vulnerabilities. F5 has released security updates and advisories covering affected products. The stolen data could accelerate exploit development and raise the risk of targeted attacks due to the following factors: • High exposure: BIG-IP devices are widely deployed and often internet-facing. • Increased risk: Stolen source code shortens the time needed to develop exploits. • Critical role: Compromise of BIG-IP can lead to credential theft, lateral movement, and data exfiltration. In response to F5's disclosure, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive ED 26-01: Mitigate Vulnerabilities in F5 Devices \| CISA.
What is the recommended Mitigation?	Patch immediately - Apply the latest F5 updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients as soon as possible, as mentioned on the advisory. Quarterly Security Notification (October 2025) Restrict access: Limit BIG-IP management interfaces to trusted networks only. Monitor for anomalies: Watch for unusual admin logins, large data transfers, or new repositories. Hunt proactively: Check for suspicious activity involving F5 appliances or related infrastructure.
What FortiGuard Coverage is available?	Active tracking: FortiGuard Labs is monitoring this campaign and will release IPS, WAF, and threat intelligence updates as exploit activity evolves. IoT Device Detection: FortiGuard’s IoT Device Detection Service helps identify F5 devices across your network. IoT Device Detection \| FortiGuard Labs Incident Response: Organizations suspecting compromise can contact the FortiGuard Incident Response team for rapid containment and remediation support.

RediShell RCE Vulnerability

What is the Vulnerability?	A Use-After-Free (UAF) bug in Redis’s Lua scripting subsystem (tracked as CVE-2025-49844, “RediShell”) allows an authenticated attacker who can run Lua scripts to escape the Lua sandbox and achieve arbitrary native code execution on the Redis host. This is a critical (CVSS 10.0), high-impact vulnerability because Lua scripting is enabled by default and many deployments lack proper authentication or are internet-exposed, leading to theft of credentials, deployment of malware/miners, lateral movement, exfiltration, and loss of availability.
What is the recommended Mitigation?	Patches were released on October 3, 2025. Redis Cloud was automatically patched, but self-managed instances must be upgraded immediately. Upgrade all self-managed Redis instances to one of the fixed versions listed in the Redis advisory. Redis Cloud customers were auto-patched. If you cannot patch immediately, apply temporary mitigations: Disable Lua scripting where it’s not required for application functionality. If Lua is required, restrict which identities can run scripts and monitor their usage.
What FortiGuard Coverage is available?	Lacework FortiCNAPP automatically detects this vulnerability via the Vulnerability Management module when Redis is installed via a package manager on a host or container. How does Lacework FortiCNAPP Protect from... - Fortinet Community FortiCNAPP also detects usage of the official Redis Docker image via alerts and will escalate the alert severity to 'Critical' when this exploit is detected to be actively in use. Cloud Vulnerability and Threat Detection \| FortiGuard Labs Intrusion Prevention System (IPS): FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-49844. Intrusion Prevention \| FortiGuard Labs FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface. Endpoint Vulnerability \| FortiGuard Labs The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

npm Supply Chain Attack

What is the Attack?	On September 8, 2025, attackers phished the npm maintainer “qix” and stole their two-factor authentication (2FA) credentials. With that access, they published malicious versions of some very popular npm packages (including debug, chalk, and ansi-styles). The impact is considered high risk for applications that serve frontend JavaScript, especially those handling payments, cryptocurrency, or wallet flows. Reports indicate that these compromised versions were live for about two hours before removal. According to the CISA Alert on this incident, the campaign also involved a self-replicating worm publicly known as “Shai-Hulud,” which compromised over 500 packages. After gaining initial access, the malicious actor deployed malware that scanned environments for sensitive credentials. The attacker specifically targeted GitHub Personal Access Tokens (PATs) and API keys for major cloud platforms, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.
What is the recommended Mitigation?	Dependency Controls - Pin dependencies to known-safe versions. - Blocklist malicious versions in private registries/proxies. - Rebuild from a clean state and invalidate CDN caches. Credential Hygiene - Rotate npm, GitHub, and cloud tokens. - Enforce phishing-resistant MFA (e.g., hardware keys). CI/CD Hardening - Audit secrets, webhooks, and GitHub Actions. - Enable secret scanning and branch protections. - Add guardrails to detect tampered dependencies before production build. Network & Runtime Defense - Block outbound traffic to known exfiltration domains. - Continuously monitor for new IoCs related to npm compromise.
What FortiGuard Coverage is available?	FortiCNAPP Cloud-Native Application Protection Platform can help protect and detect related threats using the following services and features: How does Lacework FortiCNAPP Protect from... - Fortinet Community Vulnerability Management & SCA: Detects the presence of compromised NPM Packages. SAST: Detects malicious scripts present if compromised NPM packages are downloaded. Runtime Threat Detection: If a compromise occurs, runtime threat detection will detect associated actions with this attack through Composite Alerts. Web Filtering: Blocks access to domains controlled by attackers. Indicators of Compromise (IOCs) Service: FortiGuard Labs has blocked all known linked Indicators of Compromise (IOCs), and the team is continuously monitoring for emerging threats and new IOCs. FortiGuard Antivirus & Behavior Detection: Detects malicious JS/HTML payloads (Shai-Hulud) from poisoned npm packages and advanced behavioral analysis to detect and block unknown threats. FortiEDR / FortiClient: Detects suspicious script execution and unauthorized Git/token harvesting on endpoints. Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

Salesloft Drift Supply Chain Attack

What is the Attack?	Threat actors tracked as UNC6395 exploited the Salesloft Drift integration, a SaaS AI chatbot tool linked to Salesforce and other platforms, to steal OAuth and refresh tokens. These tokens allowed them to bypass normal authentication controls and gain access to target environments without directly breaching Salesforce accounts. The attackers then systematically exported sensitive credentials from dozens, and potentially hundreds, of Salesforce customer instances. Exfiltrated data included AWS access keys, Snowflake authentication tokens, VPN credentials, passwords, and API keys. With these tokens, UNC6395 was able to infiltrate not only Salesforce but also Google Workspace, Cloudflare, Zscaler, Palo Alto Networks, and other connected systems. This expanded the impact well beyond CRM data, exposing a wide range of enterprise environments. While initial reports suggested the breach was limited to Salesforce integrations, subsequent investigations confirmed that all Salesloft Drift integrations should be considered compromised.
What is the recommended Mitigation?	• Review Salesloft Advisory and any other partner advisory affected by the breach. Salesloft Trust Portal \| Widespread Data Theft Targets Salesforce Instances via Salesloft Drift \| Google Cloud Blog • Revoke and Reissue Tokens Immediately disconnect and regenerate all tokens associated with Salesloft Drift and any connected integrations. • Audit and Monitor Activity Review logs in Salesforce, Google Workspace, and other integrated platforms for signs of unusual data exports, hidden jobs, or suspicious API calls. • Tighten Integration Permissions Enforce least privilege, restrict API scopes, and apply IP-based access controls to reduce exposure. • Rotate All Exposed Secrets Replace compromised or potentially exposed credentials, including AWS keys, Snowflake tokens, VPN accounts, and API tokens. • Defend Against Phishing and Impersonation Monitor for social engineering attempts targeting employees or customers using leaked contact data.
What FortiGuard Coverage is available?	• FortiGuard Labs recommends users to follow best practices and enforce Zero-Trust Security to ensure minimal impact and sensitive data remains tightly restricted. • FortiGuard Labs blocks access to malicious domains, C2 servers, or phishing sites associated with the campaign. • FortiGuard Labs has blocked all the known linked Indicators of Compromise (IOCs) and the team is continuously monitoring for new IOCs. • Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

Oracle E-Business Suite RCE Vulnerability

What is the Vulnerability?	CVE-2025-61882 is a critical (CVSS 9.8) unauthenticated remote code execution vulnerability in the BI Publisher integration of Oracle E-Business Suite’s Concurrent Processing component. The flaw is remotely exploitable over HTTP without authentication, allowing attackers to execute arbitrary code and fully compromise affected systems. This vulnerability has been actively exploited as a zero-day in data theft and extortion campaigns, with activity linked to the Cl0p ransomware group. Successful exploitation enables complete takeover of Oracle Concurrent Processing, opening the door to lateral movement, sensitive data exfiltration, and potential ransomware deployment. Oracle has released an out-of-band security patch and IoCs to address the issue. Immediate patching or compensating controls are strongly recommended for all vulnerable EBS deployments.
What is the recommended Mitigation?	Apply Oracle’s emergency patch immediately for CVE-2025-61882. Oracle Security Alerts CVE-2025-61882 Block known malicious IPs / connections identified in Oracle’s IoC list and vendor threat feeds. Hunt for compromise by scanning EBS servers for signs of web shells, unexpected cron jobs, suspicious processes, or new users.
What FortiGuard Coverage is available?	Intrusion Prevention System (IPS): FortiGuard IPS Service is available to detect and block exploit attempts targeting CVE-2025-61882. Intrusion Prevention \| FortiGuard Labs Indicators of Compromise (IOC) and Web Filtering Service: Implemented protections against malicious traffic and C2 infrastructure, and known Indicators of Compromise (IoCs) related to this campaign, and is currently investigating for further protections. FortiGuard Sandbox Service: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats. FortiGuard Incident Response: Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

FortiGuard Labs | FortiGuard Center - Threat Signal Report