
FortiGuard Labs | FortiGuard Center - Threat Signal Report

The Threat Signal created by the FortiGuard Labs is intended to provide you with insight on emerging issues that are trending within the cyber threat landscape. The Threat Signal will provide concise technical details about the issue, mitigation recommendations and a perspective from the FortiGuard Labs team in an FAQ style format.

What is the Vulnerability?

FortiGuard Labs has detected active attack attempts targeting the Kunbus Revolution Pi Webstatus authentication bypass vulnerability (CVE-2025-41646), a flaw that allows remote attackers to log in without a password by exploiting improper credential handling.

A public proof-of-concept is already available, increasing the likelihood of widespread exploitation. The vulnerability can be triggered over the network without user interaction, granting attackers full administrative control of affected devices. Since Revolution Pi systems are frequently deployed in industrial and operational technology environments, successful exploitation could lead to unauthorized system control, data manipulation, or disruption of critical processes.

CISA has issued an ICS/OT advisory for this threat and urges organizations to update their systems immediately.

What is the recommended Mitigation?

• Upgrade affected systems to Revolution Pi Webstatus version 2.4.6, which addresses and corrects the authentication logic flaw.
• Refer to the Kunbus PSIRT advisory (Kunbus-2025-0000003) for full details, including patch availability, installation instructions, and additional risk-reduction guidance.

What FortiGuard Coverage is available?

• FortiGuard IPS protection is available to detect and block attacks related to (CVE-2025-41646) Kunbus RevPi Webstatus Authentication Bypass. Intrusion Prevention | FortiGuard Labs
• FortiGuard IoT Device Detection service is available to detect the Kunbus RevPi in your network. IoT Device Detection | FortiGuard Labs
• Antimalware and Sandbox Service delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

What is the Attack?

Threat actors tracked as UNC6395 exploited the Salesloft Drift integration, an AI chatbot tool linked to Salesforce and other platforms, to steal access tokens. These tokens allowed them to bypass normal authentication controls and gain access to target environments without directly breaching Salesforce accounts.

The attackers then systematically exported sensitive credentials from dozens, and potentially hundreds, of Salesforce customer instances. Exfiltrated data included AWS access keys, Snowflake authentication tokens, VPN credentials, passwords, and API keys.

With these tokens, UNC6395 was able to infiltrate not only Salesforce but also Google Workspace, Cloudflare, Zscaler, Palo Alto Networks, and other connected systems. This expanded the impact well beyond CRM data, exposing a wide range of enterprise environments.

While initial reports suggested the breach was limited to Salesforce integrations, subsequent investigations confirmed that all Salesloft Drift integrations should be considered compromised.

What is the recommended Mitigation?

• Review the Salesloft Advisory and any other advisories from partners affected by the breach. Salesloft Advisory

• Revoke and Reissue Tokens:
Immediately disconnect and regenerate all tokens associated with Salesloft Drift and any connected integrations.

• Audit and Monitor Activity:
Review logs in Salesforce, Google Workspace, and other integrated platforms for signs of unusual data exports, hidden jobs, or suspicious API calls.

• Tighten Integration Permissions:
Enforce least privilege, restrict API scopes, and apply IP-based access controls to reduce exposure.

• Rotate All Exposed Secrets:
Replace compromised or potentially exposed credentials, including AWS keys, Snowflake tokens, VPN accounts, and API tokens.

• Defend Against Phishing and Impersonation:
Monitor for social engineering attempts targeting employees or customers using leaked contact data.

What FortiGuard Coverage is available?

• FortiGuard Labs recommends that users follow best practices and enforce Zero-Trust security so that the impact is minimal and sensitive data remains tightly restricted.

• FortiGuard Labs Web-filtering Service blocks access to malicious domains, C2 servers, and phishing sites associated with the campaign.

• FortiGuard Labs has blocked all the known linked Indicators of Compromise (IOCs) and the team is continuously monitoring for new IOCs.

• Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.

What is the Attack?

Nearly three dozen organizations across Central Asia and the Asia-Pacific region, predominantly government agencies, have been compromised in data exfiltration campaigns attributed to the Russian and Chinese-speaking threat group known as ShadowSilk, according to Group-IB.

Group-IB’s investigation confirmed numerous victims within the Central Asian government sector. The findings underscore ShadowSilk’s heavy reliance on publicly available exploits, penetration-testing frameworks, and dark web–acquired infrastructure to carry out large-scale intrusions against strategic government targets.

ShadowSilk has been observed exploiting vulnerabilities in both Drupal Core and the WP-Automatic WordPress plugin to establish initial access. FortiGuard Labs’ network telemetry indicates ongoing threat actor activity and heightened interest in these attack vectors.

Compromised networks are then implanted with multiple web shells and utilities to enable lateral movement, privilege escalation, and the deployment of remote access trojans (RATs).

What is the recommended Mitigation?

Organizations using the affected products are strongly recommended to:

  • Review the official security bulletins and apply the latest security patches for CMS platforms such as Drupal and WordPress (including plugins like WP-Automatic).

  • Monitor for any suspicious activity, Telegram bot traffic, and other C2 channels.

What FortiGuard Coverage is available?

What is the Vulnerability?

A series of critical vulnerabilities affecting leading zero trust platforms - Zscaler, Netskope, and Check Point (Perimeter 81) - have been disclosed following a seven-month research campaign by security researchers David Cash and Richard Warren. These flaws include authentication bypasses, privilege escalation, and hardcoded credentials, significantly weakening the core security assumptions of zero-trust environments.

Zscaler (CVE-2025-54982): The most severe flaw is CVE-2025-54982, which affects Zscaler’s SAML authentication mechanism. The vulnerability arises from the improper verification of cryptographic signatures in Zscaler's SAML authentication mechanism, allowing attackers to craft forged SAML assertions and bypass authentication, thereby posing a significant risk to data integrity and confidentiality.

Netskope: Multiple client-side vulnerabilities were discovered. CVE-2024-7401 allows unauthorized client enrollment by abusing static, non-rotatable “OrgKey” tokens. Additional pending CVEs cover cross-organization user impersonation using shared OrgKey values and a privilege escalation issue.

Check Point (Perimeter 81): Check Point’s Perimeter 81 platform suffers from a critical vulnerability involving hard-coded SFTP credentials. These credentials grant unauthorized access to client log files and JWT authentication tokens across multiple tenants, violating zero-trust isolation principles. No CVE has been assigned at this time.

What is the recommended Mitigation?

There is currently no confirmed in-the-wild exploitation, but public disclosure and high-risk potential suggest that proof-of-concept (PoC) attacks are likely imminent. Due to the low attack complexity and high severity, exploitation in the wild is considered highly probable in the near term.

Zscaler has released a patch for CVE-2025-54982, and it has been remediated in all Zscaler Clouds. Customers are strongly advised to update the SAML authentication module, enforce strict digital signature validation, and rotate credentials that may have been exposed. Zscaler Trust

Netskope has issued an advisory for CVE-2024-7401. NSKPSA-2024-001 - Netskope

Check Point has not yet issued a patch or advisory for the vulnerability in Perimeter 81. Until a fix is available, customers should rotate any hardcoded or shared SFTP credentials, restrict SFTP access, and monitor access logs for anomalous activity.

What FortiGuard Coverage is available?

  • FortiGuard Labs is currently analyzing the vulnerabilities and monitoring for indicators of compromise (IOCs). Signature detections and this Threat Signal will be updated as information becomes available.

  • The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

What is the Vulnerability?

CVE-2025-47812 is a recently disclosed Remote Code Execution (RCE) vulnerability impacting Wing FTP Server, a cross-platform file transfer solution. This critical flaw affects versions prior to 7.4.4, and, if successfully exploited, may allow remote attackers to execute arbitrary code within the context of the vulnerable application. The vulnerability stems from null byte handling issues and a Lua injection flaw, which can lead to root or SYSTEM-level code execution.

CISA has added CVE-2025-47812 to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation on July 14, 2025.

What is the recommended Mitigation?

The vendor has released a patch addressing the issue. There are already reports of the vulnerability being actively exploited in the wild, which underscores the urgency for affected users to update their systems immediately.
https://www.wftpserver.com/serverhistory.htm

What FortiGuard Coverage is available?

  • FortiGuard Endpoint Vulnerability Service offers a systematic and automated method for patching applications on endpoints, eliminating manual processes while reducing the attack surface. https://www.fortiguard.com/encyclopedia/endpoint-vuln/6173

  • Indicators of Compromise (IOC) Service: FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaigns targeting the Wing FTP Remote Code Execution Vulnerability (CVE-2025-47812).

  • FortiGuard IPS coverage is released to protect against any attack attempts targeting the Wing FTP server (CVE-2025-47812). Intrusion Prevention | FortiGuard Labs

  • The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

What is the Attack?

A zero-day SAP vulnerability, CVE-2025-31324, with a CVSS score of 10.0, is being actively exploited in the wild. This vulnerability affects SAP Visual Composer and allows unauthenticated threat actors to upload arbitrary files, resulting in full compromise of the targeted system and significantly affecting its confidentiality, integrity, and availability.

The vulnerability stems from the SAP NetWeaver Visual Composer Metadata Uploader lacking proper authorization protection, which allows unauthenticated agents to upload potentially malicious executable binaries.

CISA added the CVE to its Known Exploited Vulnerabilities Catalog on April 29, 2025.

What is the recommended Mitigation?

The vulnerability exists in the SAP Visual Composer component for SAP NetWeaver 7.1x (all SPS). Although the vulnerable component is not included in NetWeaver's default configuration, SAP security firm Onapsis highlights that it is commonly enabled in many installations. Onapsis Blog

SAP released an emergency patch for this issue on April 24, 2025:
https://me.sap.com/notes/3594142

What FortiGuard Coverage is available?

  • Intrusion Prevention System (IPS): An IPS signature is available to detect and block exploit attempts targeting CVE-2025-31324.

  • Antimalware and Sandbox Service: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.

  • Indicators of Compromise (IOC): FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaigns targeting the SAP NetWeaver Vulnerability (CVE-2025-31324).

  • Incident Response: The FortiGuard Incident Response team is available to assist with any suspected compromise.
    Experienced a Breach? Let the Fortinet Incident Response Team Help

What is the Vulnerability?

A zero-day vulnerability has recently been identified in the Common Log File System (CLFS) kernel driver. CLFS is a general-purpose logging subsystem within the Windows operating system that provides a high-performance way to store log data for various applications. If successfully exploited, an attacker operating under a standard user account can elevate their privileges.

Furthermore, Microsoft has observed that the exploit has been utilized by PipeMagic malware and has attributed this exploitation activity to Storm-2460, which has also leveraged PipeMagic to distribute ransomware.

Microsoft has published a blog that provides an in-depth analysis of Microsoft's findings regarding the CLFS exploit and the associated activities. Exploitation of CLFS zero-day leads to ransomware activity | Microsoft Security Blog

What is the recommended Mitigation?

Microsoft issued security updates to mitigate CVE-2025-29824 on April 8, 2025. FortiGuard Labs strongly advises organizations to prioritize the implementation of these security updates.

What FortiGuard Coverage is available?

  • FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications, eliminating manual processes while reducing the attack surface. FortiClient Vulnerability | FortiGuard Labs

  • FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaign targeting the Windows CLFS Driver Elevation of Privilege vulnerability (CVE-2025-29824).

  • The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

FortiGuard Labs is aware that Proof-of-Concept (POC) code for a newly patched Windows vulnerability (CVE-2022-21882), which is reported to have been exploited in the wild, was released to a publicly available online repository. CVE-2022-21882 is a local privilege escalation (LPE) vulnerability which allows a local, authenticated attacker to gain elevated local system or administrator privileges through a flaw in the Win32k.sys driver. The vulnerability is rated as Important by Microsoft and has a CVSS score of 7.0.


Why is this Significant?

This is significant because, now that the POC for CVE-2022-21882 has become available to the public, attacks leveraging the vulnerability will likely increase. Because CVE-2022-21882 is a local privilege escalation vulnerability, it will be used by an attacker who already has access to the network, or it will be chained with other vulnerabilities.


What is CVE-2022-21882?

CVE-2022-21882 is a local privilege escalation (LPE) vulnerability which allows a local, authenticated attacker to gain elevated local system or administrator privileges through a flaw in the Win32k.sys driver.


Is the Vulnerability Exploited in the Wild?

According to the Microsoft advisory, the vulnerability is being exploited in the wild.


Has Microsoft Released an Advisory for CVE-2022-21882?

Yes. See the Appendix for a link to the advisory.


Has Microsoft Released a fix for CVE-2022-21882?

Yes. Microsoft released a patch as part of its regular Patch Tuesday release on January 11th, 2022.


What is the Status of Coverage?

FortiGuard Labs provides the following IPS coverage for CVE-2022-21882:


MS.Windows.Win32k.CVE-2022-21882.Privilege.Elevation


FortiGuard Labs has released the following AV coverage based on the available POC:


W64/Agent.A93E!exploit.CVE202221882

FortiGuard Labs is aware of a recent report issued by the U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) that Russian state-sponsored cyber actors have gained network access to a non-governmental organization (NGO) through exploitation of default Multi-Factor Authentication (MFA) protocols and the "PrintNightmare" vulnerability (CVE-2021-34527). The attack resulted in data exfiltration from cloud and email accounts of the target organization.


Why is this Significant?

This is significant because the advisory describes how a target organization was compromised by Russian state-sponsored cyber actors. The advisory also provides mitigations.


How did the Attack Occur?

The advisory provides the following attack sequence:


"Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization's Duo MFA. The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.


Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the "PrintNightmare" vulnerability (CVE-2021-34527) to obtain administrator privileges. The actors also modified a domain controller file, c:\windows\system32\drivers\etc\hosts, redirecting Duo MFA calls to localhost instead of the Duo server. This change prevented the MFA service from contacting its server to validate MFA login; this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to "Fail open" if the MFA server is unreachable. Note: "fail open" can happen to any MFA implementation and is not exclusive to Duo.


After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim's virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts. The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity.


Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim's cloud storage and email accounts and access desired content."
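The hosts-file tampering described above leaves a durable artifact on the domain controller. The following audit script is an added example (not FortiGuard's or CISA's code) that parses a Windows hosts file and flags any MFA-provider hostname pinned to a loopback address; the watched suffix list and the sample hosts content are constructed assumptions and should be extended for the identity providers your environment relies on.

```python
"""Flag hosts-file entries that redirect MFA/IdP hostnames to loopback.

Added defensive example; not part of the advisory or FortiGuard tooling.
The sample hosts content below is constructed for illustration.
"""
import re
from pathlib import Path

# Hostname suffixes belonging to MFA / identity providers that should never
# resolve locally. Assumption: extend this tuple for your own providers.
WATCHED_SUFFIXES = (".duosecurity.com",)

# Addresses that would make the MFA client unable to reach its server.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# <ip> <one or more hostnames>, comments already stripped.
HOSTS_LINE = re.compile(r"^\s*([0-9a-fA-F.:]+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop trailing or full-line comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, names = m.groups()
        for name in names.split():
            yield ip, name.lower(), line_no


def find_mfa_redirects(text, suffixes=WATCHED_SUFFIXES):
    """Return mappings that point a watched MFA hostname at a loopback address."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name.endswith(suffixes) and ip in LOOPBACK:
            findings.append({"line": line_no, "ip": ip, "host": name})
    return findings


def audit_hosts_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the check against a real hosts file (default path is Windows')."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return find_mfa_redirects(text)


# Constructed sample hosts file: two attacker-added loopback entries for a
# fictional Duo API hostname plus a legitimate internal mapping.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# constructed: entries forcing the MFA client to fail open
127.0.0.1       api-1234abcd.duosecurity.com
::1             api-1234abcd.duosecurity.com   # ipv6 variant
10.0.0.5        fileserver.corp.example
"""

if __name__ == "__main__":
    for f in find_mfa_redirects(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} "
              "(MFA endpoint pinned to loopback)")
```

Pair this with a review of the MFA client's fail-mode setting, since a loopback redirect only disables MFA when the client is configured to fail open.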


What is the "PrintNightmare" vulnerability (CVE-2021-34527)?

The "PrintNightmare" vulnerability was a critical vulnerability affecting Microsoft Windows Print Spooler. Microsoft released an out-of-band advisory for the vulnerability on July 6th, 2021.


Has Microsoft Released a Patch for the "PrintNightmare" vulnerability (CVE-2021-34527)?

Yes, Microsoft released an out-of-band patch for the "PrintNightmare" vulnerability in July 2021. Due to its severity, Microsoft made the patches available for unsupported OS such as Windows 7 and Windows Server 2012.

Successful exploitation of the vulnerability allows an attacker to run arbitrary code with SYSTEM privileges.


FortiGuard Labs released an Outbreak Alert and Threat Signal for PrintNightmare. See the Appendix for a link to "Fortinet Outbreak Alert: Microsoft PrintNightmare" and "#PrintNightmare Zero Day Remote Code Execution Vulnerability".


What is the Status of Coverage?

FortiGuard Labs has IPS coverage in place for the "PrintNightmare" vulnerability (CVE-2021-34527):

MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.Escalation


All known network IOCs are blocked by the FortiGuard WebFiltering client.


Any Other Suggested Mitigation?

The advisory recommends the following mitigations:


  • Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against "fail open" and re-enrollment scenarios.

  • Implement time-out and lock-out features in response to repeated failed login attempts.

  • Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems etc.

  • Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.

  • Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.

  • Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.

  • Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit, etc.).

FortiGuard Labs is aware of a new attack on Apache Tomcat servers dubbed "GhostCat." Discovered by Chaitin Tech, the vulnerability in Apache Tomcat allows an attacker to read and write in the webapp directory of Apache Tomcat. In addition to this, an attacker has the ability to upload files to the host to ultimately perform remote code execution. Assigned CVE-2020-1938, this vulnerability affects every version of Tomcat released over the past 13 years.


What are the specifics of the vulnerability?

Due to a flaw in the Apache JServ Protocol (AJP) connector of Apache Tomcat, a file inclusion vulnerability exists that gives an attacker read and write access to files in the webapp directory. Also, if a web application offers a file upload function, an attacker may be able to achieve remote code execution by combining that upload with the file inclusion. Essentially, an attacker can upload a malicious JSP (JavaServer Pages) file and then include it through this vulnerability to gain remote code execution.


What versions of software are affected?

This affects Apache Tomcat software only. The following software versions are affected:

Apache Tomcat 9.0.0.M1 to 9.0.30

Apache Tomcat 8.5.0 to 8.5.50

Apache Tomcat 7.0.0 to 7.0.99


What is the severity of this issue?

HIGH. The CVSS base score is 9.8 CRITICAL.


Has the vendor issued a patch?

Yes. The Apache Software Foundation has issued patches for versions 7/8/9 of Apache Tomcat. However, versions 6 and lower are no longer supported and have reached end of life status. Please refer to the APPENDIX section for links to patches.


What is the status of AV or IPS coverage?

Fortinet customers running the latest IPS definitions are protected against GhostCat with the following signature:

Apache.Tomcat.AJP.Local.File.Inclusion

AV coverage is not feasible for this event.


What mitigation is available if any?

It is recommended to upgrade versions that have reached end of life to one of the supported versions. If this is not possible, and AJP support is not necessary, disable the connector by commenting out the following line in the conf/server.xml file:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

If the AJP connector is required and cannot be commented out or deactivated, it is recommended to configure network firewall rules to prevent unauthorized access and to ensure that the connector listens on a non-public interface.
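To verify that a deployment has actually applied one of the two mitigations above, here is an added audit script (not Apache's or FortiGuard's code) that parses conf/server.xml and reports any live AJP connector that is bound to a non-loopback interface or configured without a shared secret. It relies on the connector attributes address, secret and secretRequired (the latter two introduced with the patched Tomcat releases) and embeds two constructed server.xml samples: the stock pre-patch connector and a hardened one kept on loopback with a required secret.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed to GhostCat-style abuse.

Added defensive example; not part of Apache Tomcat or FortiGuard tooling.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Bind addresses that keep the connector off public interfaces.
LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml_text):
    """Return one finding dict per active AJP connector (empty issues = OK).

    A commented-out connector (the first mitigation) is dropped by the XML
    parser and therefore never reported, which is the desired outcome.
    """
    root = ET.fromstring(server_xml_text)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue
        issues = []
        address = conn.get("address")
        if address is None or address not in LOOPBACK_ADDRESSES:
            issues.append(f"bound to {address or 'all interfaces'}")
        if conn.get("secretRequired", "true").lower() != "true":
            issues.append("secretRequired disabled")
        elif not conn.get("secret"):
            issues.append("no shared secret configured")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


def audit_file(path="conf/server.xml"):
    """Run the check against an on-disk server.xml."""
    return audit_ajp_connectors(Path(path).read_text(encoding="utf-8"))


# Constructed sample: the out-of-the-box pre-patch AJP connector.
VULNERABLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed sample: connector retained but confined to loopback and
# protected by a required shared secret (the second mitigation).
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secretRequired="true"
               secret="REPLACE-WITH-LONG-RANDOM-SECRET" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for label, xml_text in (("vulnerable", VULNERABLE_SERVER_XML),
                            ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml_text):
            print(f"{label}: AJP port {finding['port']}: "
                  f"{', '.join(finding['issues']) or 'OK'}")
```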


MITRE ATT&CK

Exploit Public-Facing Application

ID: T1190

Tactic: Initial Access


Exploitation for Client Execution

ID: T1203

Tactic: Execution
