
FortiGuard Labs | FortiGuard Center - Threat Signal Report

The Threat Signal created by FortiGuard Labs is intended to provide you with insight into emerging issues that are trending within the cyber threat landscape. Each Threat Signal provides concise technical details about the issue, mitigation recommendations and a perspective from the FortiGuard Labs team in an FAQ-style format.

What is the Vulnerability?
Multiple zero-day vulnerabilities have been identified in VMware's ESXi, Workstation, and Fusion products. VMware has confirmed that these vulnerabilities are being actively exploited in the wild, and the Cybersecurity and Infrastructure Security Agency (CISA) has included them in its Known Exploited Vulnerabilities Catalog due to evidence of such exploitation. The vendor advisory indicates that these vulnerabilities were reported to VMware by the Microsoft Threat Intelligence Center.
• CVE-2025-22225: Arbitrary Write Vulnerability in VMware ESXi
• CVE-2025-22224: TOCTOU Race Condition Vulnerability in VMware ESXi and Workstation
• CVE-2025-22226: Information Disclosure Vulnerability in VMware ESXi, Workstation, and Fusion
What is the recommended Mitigation?
Updates are available to remediate the vulnerabilities affecting VMware products. Apply the patch listed in the vendor's advisory.
What FortiGuard Coverage is available?
• FortiGuard Labs recommends that users apply the fix when provided by the vendor and follow any instructions in the vendor's advisory.
• FortiGuard Labs has an Endpoint Vulnerability service to detect any vulnerable instances running on the network. Endpoint Vulnerability | FortiGuard Labs
• FortiGuard Labs is reviewing IPS protections where applicable and will update this Threat Signal report when they are available.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

What is Citrix NetScaler ADC and NetScaler Gateway?
Citrix NetScaler ADC, previously known as Citrix ADC, is an Application Delivery Controller (ADC) designed to deliver secure and optimized network traffic. Citrix NetScaler Gateway, previously known as Citrix Gateway, is an SSL-VPN solution designed to provide secure and optimized remote access.
What is the Attack?
According to the advisory published by Citrix, CVE-2023-3519 is an unauthenticated remote code execution vulnerability that affects unmitigated Citrix NetScaler ADC and NetScaler Gateway products. For these products to be vulnerable, they must be configured either as a gateway or as an authentication, authorization, and auditing (AAA) virtual server. The advisory also confirms that Citrix-managed servers have already been mitigated, so no action is needed on those.
In early 2024, Microsoft began to observe Silk Typhoon exploiting zero-day vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway. Silk Typhoon targeting IT supply chain | Microsoft Security Blog
Why is this Significant?
This is significant because the Citrix advisory acknowledged that CVE-2023-3519 was exploited in the wild. Also, CISA added the vulnerability to the Known Exploited Vulnerabilities Catalog on July 19th, 2023. CISA released an advisory on July 20th stating that the vulnerability was exploited as a zero-day in June, affecting an unnamed critical infrastructure organization.
What is the Vendor Solution?
Citrix released relevant updates on July 18th, 2023.
What FortiGuard Coverage is available?
FortiGuard Labs has an IPS signature "Citrix.NetScaler.ADC.Gateway.Remote.Code.Execution" in place for CVE-2023-3519. FortiGuard Labs advises users to install the relevant updated version of NetScaler ADC and NetScaler Gateway as soon as possible.

What are the Vulnerabilities?
Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, impacting Ivanti Connect Secure ("ICS") VPN appliances. CVE-2025-0282 is an unauthenticated stack-based buffer overflow affecting Ivanti Connect Secure, Policy Secure, and ZTA Gateways; successful exploitation could result in unauthenticated remote code execution. CVE-2025-0283 is a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 that allows a local authenticated attacker to escalate their privileges.
According to a blog released by Mandiant, it has identified zero-day exploitation of CVE-2025-0282 in the wild beginning in mid-December 2024. Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation | Google Cloud Blog
In light of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to the Known Exploited Vulnerabilities (KEV) catalog on January 8, 2025.
The Microsoft Threat Intelligence Center reported that in January 2025, Silk Typhoon was also observed exploiting a zero-day vulnerability in the public-facing Ivanti Pulse Connect VPN (CVE-2025-0282). Silk Typhoon targeting IT supply chain | Microsoft Security Blog
What is the recommended Mitigation?
A patch is available; please refer to the Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-0282, CVE-2025-0283). The Integrity Checker Tool (ICT) provided by Ivanti to ensure the integrity and security of the entire network infrastructure can identify exploitation of CVE-2025-0282.
CISA has also provided Mitigation Instructions for CVE-2025-0282: https://www.cisa.gov/cisa-mitigation-instructions-cve-2025-0282
What FortiGuard Coverage is available?
FortiGuard Labs recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory.
FortiGuard Labs has blocked all the known malware and related Indicators of Compromise (IOCs) noted in the campaign targeting the Ivanti vulnerability.
FortiGuard Labs has IPS protection available to detect and block any attack attempts targeting the CVE-2025-0282 buffer overflow vulnerability in Ivanti Connect Secure. Intrusion Prevention | FortiGuard Labs
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

What is the Vulnerability?
Threat actors are actively exploiting vulnerabilities in the Hitachi Vantara Pentaho Business Analytics Server. FortiGuard network sensors have detected attack attempts on over 500 devices, and CISA has added these vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation.
The Pentaho Business Analytics Server is widely used, trusted by 73% of Fortune 100 companies, and plays a crucial role in data analysis and business intelligence.
Affected Vulnerabilities
CVE-2022-43939: Hitachi Vantara Pentaho BA Server Authorization Bypass Vulnerability
CVE-2022-43769: Hitachi Vantara Pentaho BA Server Special Element Injection Vulnerability
What is the recommended Mitigation?
Apply the latest patch or update from the vendor. [CVE-2022-43769 and CVE-2022-43939]
What FortiGuard Coverage is available?
Patch Immediately – FortiGuard Labs strongly recommends applying vendor fixes as soon as they are available. Follow all guidance from the official vendor advisory.
Intrusion Prevention System (IPS) Protection – FortiGuard Labs provides IPS signatures to detect and block exploitation attempts for CVE-2022-43769 and CVE-2022-43939. Intrusion Prevention | FortiGuard Labs
Incident Response Support – If a compromise is suspected, the FortiGuard Incident Response team is available for assistance.

What is the Vulnerability?
A recent authentication bypass vulnerability (CVE-2025-0108) in the Palo Alto Networks PAN-OS software is under active exploitation and has been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog. Successful exploitation of CVE-2025-0108 enables an unauthenticated attacker with network access to the management web interface to bypass the authentication required by the PAN-OS management web interface and invoke certain PHP scripts that can impact its integrity and confidentiality.
According to the vendor advisory, Palo Alto Networks has observed exploit attempts chaining CVE-2025-0108 with CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. A detailed Outbreak report including the attack using CVE-2024-9474 was released in Nov 2024. See more details: Palo Alto Networks Management Interface Attack | Outbreak Alert | FortiGuard Labs
- CVE-2024-9474 is an older OS command injection flaw that allows attackers to escalate their privileges and perform actions on the PAN firewall with root privileges.
- CVE-2025-0111 is an authenticated file read vulnerability that allows attackers to read files on the PAN-OS filesystem that are readable by the "nobody" user.
What is the recommended Mitigation?
Palo Alto has released a fix and has provided recommended mitigations. Please review the links below.
CVE-2025-0108 PAN-OS: Authentication Bypass in the Management Web Interface
CVE-2025-0111 PAN-OS: Authenticated File Read Vulnerability in the Management Web Interface
CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface
What FortiGuard Coverage is available?
• FortiGuard Labs recommends that users apply the fix when provided by the vendor and follow any instructions in the vendor's advisory.
• FortiGuard Labs has IPS protection available for CVE-2024-9474 and CVE-2025-0108.
• FortiGuard Labs is reviewing IPS protections for CVE-2025-0111 and will update this Threat Signal report when they are available.
• FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) noted in the campaign.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

What is the Attack?
Threat actors are targeting a Microsoft .NET Framework information disclosure vulnerability (CVE-2024-29059) that exposes the ObjRef URI to an attacker, ultimately enabling remote code execution. The vulnerability, tracked as CVE-2024-29059, was also added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on February 4, 2025.
What is the recommended Mitigation?
FortiGuard recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory. [CVE-2024-29059 - Security Update Guide - Microsoft - .NET Framework Information Disclosure Vulnerability]
What FortiGuard Coverage is available?
FortiGuard IPS protection is available, and Fortinet customers remain protected through it. Intrusion Prevention | FortiGuard Labs
The FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface. FortiClient Vulnerability | FortiGuard Labs
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

What is the Attack?
Trimble Cityworks contains a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server, potentially resulting in downtime and loss of service. According to the Trimble Cityworks website, it provides a Geographic Information System (GIS)-centric solution for local governments, utilities, airports, and public works agencies to manage and maintain infrastructure across the full lifecycle.
Trimble has investigated customer reports of hackers exploiting the vulnerability to gain unauthorized access to networks, confirming that active exploitation is occurring. CISA added CVE-2025-0994 to its Known Exploited Vulnerabilities Catalog on February 7, 2025, based on evidence of active exploitation.
What is the recommended Mitigation?
• The CVE-2025-0994 flaw impacts Cityworks versions prior to 15.8.9 and Cityworks with office companion versions before 23.10.
• Trimble has released updates addressing this deserialization flaw. Ensure these updates are applied to your systems.
What FortiGuard Coverage is available?
• FortiGuard Labs recommends that users apply the fix when provided by the vendor and follow any instructions in the vendor's advisory.
• FortiGuard Labs has blocked all the known malware and related Indicators of Compromise (IOCs) noted in the campaign.
• The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

What is the Attack?
A significant ransomware attack has struck Pusat Data Nasional (PDN), one of Indonesia's government-owned national data centers. This incident involved threat actors encrypting government data, which disrupted digital services for immigration, airport checks, and several public services. This ransomware attack represents a new variant of the LockBit 3.0 ransomware. In 2023, the LockBit hacker group also severely disrupted the Bank Syariah Indonesia (BSI) systems.
What is the recommended Mitigation?
Ensure that all systems are up to date and protected with robust cybersecurity measures. Also, maintain general awareness and training about the risk of phishing and social engineering attacks in the organization.
What FortiGuard Coverage is available?
FortiGuard Labs has AV signatures to block all the known malware variants used by the ransomware group.
Behavior-based detection through FortiSandbox detects new and unknown ransomware malware samples.
FortiEDR can mitigate the risk associated with the execution and subsequent behavior of Brain Cypher ransomware. For more information, please see the link to the Fortinet community site added to the Appendix.
The Web Filtering service blocks all the known IoCs related to the campaign.
These IOCs are available for threat hunting through FortiAnalyzer, FortiSIEM, and FortiSOAR.

What is the Vulnerability?
On Jan 16, 2024, Atlassian released an advisory for a template injection vulnerability in Confluence Data Center and Server that can allow an unauthenticated attacker to remotely execute malicious code on affected versions. This vulnerability is rated with a severity level of 10.0 (Critical).
What is the Vendor Solution?
Atlassian highly recommends applying the latest version available as listed in their advisory. CVE-2023-22527 - Atlassian Support | Atlassian Documentation
What FortiGuard Coverage is available?
FortiGuard Labs has an IPS signature "Atlassian.Confluence.CVE-2023-22527.Remote.Code.Execution" in place for CVE-2023-22527. FortiGuard Labs is seeing active exploitation attempts against this vulnerability.

What is the Vulnerability?
Critical flaws in multiple Cleo products that allow attackers to exploit unrestricted file uploads and downloads, leading to remote code execution, are being actively exploited in the wild. The vulnerability affects the following Cleo products (versions before and including 5.8.0.21):
- Cleo Harmony
- Cleo VLTrader
- Cleo LexiCom
Cleo is a software company focused on Managed File Transfer (MFT) solutions. Its products (Cleo VLTrader, Cleo Harmony, and Cleo LexiCom) facilitate secure file transfers and B2B integration, and streamline data exchange and integration.
On December 13, 2024, CISA confirmed that CVE-2024-50623 is being actively exploited, including in ransomware campaigns, and added it to the Known Exploited Vulnerabilities (KEV) catalog.
What is the recommended Mitigation?
FortiGuard Labs strongly advises all Cleo customers to immediately upgrade instances of Harmony, VLTrader, and LexiCom to the latest released patch and follow: Cleo Product Security Advisory - CVE-2024-50623 – Cleo | Cleo Product Security Update - CVE-2024-55956 – Cleo
What FortiGuard Coverage is available?
FortiGuard recommends that users apply the fix provided by the vendor and follow the instructions in the vendor's advisory.
The FortiGuard Endpoint Vulnerability Protection service is available to detect vulnerable systems. Endpoint Vulnerability | FortiGuard Labs
The FortiGuard Web Filtering service blocks all the known Indicators of Compromise (IoCs) related to the campaigns targeting the Cleo vulnerability.
FortiGuard IPS protection is available to detect and block attack attempts targeting the Cleo vulnerabilities (CVE-2024-50623, CVE-2024-55956). See more at: Intrusion Prevention | FortiGuard Labs
The FortiGuard Incident Response team can be engaged to help with any suspected compromise.
