FortiGuard Labs | FortiGuard Center - Threat Signal Report

What is the Vulnerability?A series of critical vulnerabilities affecting leading zero trust platforms - Zscaler, Netskope, and Check Point (Perimeter 81) - have been disclosed following a seven-month research campaign by security researchers David Cash and Richard Warren. These flaws include authentication bypasses, privilege escalation, and hardcoded credentials, significantly weakening the core security assumptions of zero-trust environments.Zscaler (CVE-2025-54982): The most severe flaw is CVE-2025-54982, which affects Zscaler’s SAML authentication mechanism. The vulnerability arises from the improper verification of cryptographic signatures in Zscaler's SAML authentication mechanism, allowing attackers to craft forged SAML assertions and bypass authentication, thereby posing a significant risk to data integrity and confidentiality. Netskope: Multiple client-side vulnerabilities were discovered. CVE-2024-7401 allows unauthorized client enrollment by abusing static, non-rotatable “OrgKey” tokens. Additional pending CVEs describe: Cross-organization user impersonation using shared OrgKey values and a Privilege escalation issue.  Check Point (Perimeter 81): Check Point’s Perimeter 81 platform suffers from a critical vulnerability involving hard-coded SFTP credentials. These credentials grant unauthorized access to client log files and JWT authentication tokens across multiple tenants, violating zero-trust isolation principles. No CVE has been assigned at this time.What is the recommended Mitigation?There is currently no confirmed in-the-wild exploitation, but public disclosure and high-risk potential suggest that proof-of-concept (PoC) attacks are likely imminent. Due to the low attack complexity and high severity, exploitation in the wild is considered highly probable in the near term.Zscaler has released a patch for CVE-2025-54982, and it has been remediated in all Zscaler Clouds. Customers are strongly advised to update the SAML authentication module, enforce strict digital signature validation, and rotate credentials that may have been exposed. Zscaler TrustNetskope has issued an advisory for CVE-2024-7401. NSKPSA-2024-001 - NetskopeCheck Point has not yet issued a patch or advisory for the vulnerability in Perimeter 81. Until a fix is available, customers should rotate any hardcoded or shared SFTP credentials, restrict SFTP access, and monitor access logs for anomalous activity. What FortiGuard Coverage is available?FortiGuard Labs is currently analyzing the vulnerabilities and monitoring for indicators of compromise (IOCs). Signature detections and threat Signal will be updated as information becomes available.The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

What is the Vulnerability?CVE-2025-47812 is a recently disclosed Remote Code Execution (RCE) vulnerability impacting Wing FTP Server, a cross-platform file transfer solution. This critical flaw affects versions prior to 7.4.4, and, if successfully exploited, may allow remote attackers to execute arbitrary code within the context of the vulnerable application. The vulnerability stems from null byte handling issues and a Lua injection flaw, which can lead to root or SYSTEM-level code execution.CISA has added CVE-2025-47812 to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation on July 14, 2025.What is the recommended Mitigation?The vendor has released a patch addressing the issue. There are already reports of the vulnerability being actively exploited in the wild, which underscores the urgency for affected users to update their systems immediately.https://www.wftpserver.com/serverhistory.htmWhat FortiGuard Coverage is available?FortiGuard Endpoint Vulnerability Service offers a systematic and automated method for patching applications on endpoints, eliminating manual processes while reducing the attack surface. https://www.fortiguard.com/encyclopedia/endpoint-vuln/6173Indicators of Compromise (IOC) Service FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaigns targeting the Wing FTP Remote Code Execution Vulnerability (CVE-2025-47812).FortiGuard IPS coverage is released to protect against any attack attempts targeting the Wing FTP server (CVE-2025-47812). Intrusion Prevention | FortiGuard LabsThe FortiGuard Incident Response team can be engaged to help with any suspected compromise.

What is the Attack?A zero-day SAP vulnerability, CVE-2025-31324, with CVSS score of 10.0 is being actively exploited in the wild. This vulnerability affects SAP Visual Composer, allowing unauthenticated threat actors to upload arbitrary files, resulting in full compromise of the targeted system that could significantly affect the confidentiality, integrity, and availability of the targeted system.The vulnerability stems from the SAP NetWeaver Visual Composer Metadata Uploader lacking proper authorization protection, which allows unauthenticated agents to upload potentially malicious executable binaries.CISA has added the CVE to their Known Exploited Vulnerabilities Catalog on April 29, 2025.What is the recommended Mitigation?The vulnerability exists in the SAP Visual Composer component for SAP NetWeaver 7.1x (all SPS). Although the vulnerable component is not included in NetWeaver's default configuration, SAP security firm Onapsis highlights that it is commonly enabled in many installations. Onapsis BlogSAP has released an emergency patch for this issue on April 24, 2025 https://me.sap.com/notes/3594142What FortiGuard Coverage is available?Intrusion Prevention System (IPS): An IPS signature is available to detect and block exploit attempts targeting CVE-2025-31324.​Antimalware and Sandbox Service: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.Indicators of Compromise (IOC): FortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaigns targeting the SAP NetWeaver Vulnerability (CVE-2025-31324).Incident Response: The FortiGuard Incident Response team is available to assist with any suspected compromise. Experienced a Breach? Let the Fortinet Incident Response Team Help

What is the Vulnerability?A zero-day vulnerability has recently been identified in the Common Log File System (CLFS) kernel driver. CLFS is a general-purpose logging subsystem within the Windows operating system that provides a high-performance way to store log data for various applications. If successfully exploited, an attacker operating under a standard user account can elevate their privileges.Furthermore, Microsoft has observed that the exploit has been utilized by PipeMagic malware and has attributed this exploitation activity to Storm-2460, which has also leveraged PipeMagic to distribute ransomware. Microsoft has published a blog that provides an in-depth analysis of Microsoft's findings regarding the CLFS exploit and the associated activities. Exploitation of CLFS zero-day leads to ransomware activity | Microsoft Security BlogWhat is the recommended Mitigation?Microsoft issued security updates to mitigate CVE 2025-29824 on April 8, 2025. FortiGuard Labs strongly advises organizations to prioritize the implementation of security updates.What FortiGuard Coverage is available?FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications, eliminating manual processes while reducing the attack surface. FortiClient Vulnerability | FortiGuard LabsFortiGuard Labs has blocked all the known Indicators of Compromise (IOCs) linked to the campaign targeting the Windows CLFS Driver Elevation of Privilege vulnerability (CVE 2025-29824).The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

FortiGuard Labs is aware that a Proof-of-Concept (POC) code for a newly patched Windows vulnerability (CVE-2022-21882) that is reported to have been exploited in the wild was released to a publicly available online repository. CVE-2022-21882 is a local privilege (LPE) escalation vulnerability which allows a local, authenticated attacker to gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver. The vulnerability is rated as Important by Microsoft and has CVSS score of 7.0.Why is this Significant?This is significant because now that the POC for CVE-2022-21882 has become available to the public attacks leveraging the vulnerability will likely increase. Because CVE-2022-21882 is a local privilege escalation the vulnerability will be used by an attacker that already has access to the network or will be chained with other vulnerabilities.What is CVE-2022-21882?CVE-2022-21882 is a local privilege (LPE) escalation vulnerability which allows a local, authenticated attacker to gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver.Is the Vulnerability Exploited in the Wild?According to the Microsoft advisory, the vulnerability is being exploited in the wild.Has Microsoft Released an Advisory for CVE-2022-21882?Yes. See the Appendix for a link to the advisory.Has Microsoft Released a fix for CVE-2022-21882?Yes. Microsoft has released a patch as part of regular MS Tuesday on January 11th, 2022.What is the Status of Coverage?FortiGuard Labs provide the following IPS coverage for CVE-2022-21882:MS.Windows.Win32k.CVE-2022-21882.Privilege.ElevationFortiGuard Labs has released the following AV coverage based on the available POC:W64/Agent.A93E!exploit.CVE202221882

FortiGuard Labs is aware of a recent report issued by the U.S. Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) that Russian state-sponsored cyber actors have gained network access to a non-governmental organization (NGO) through exploitation of default Multi-Factor Authentication (MFA) protocols and the "PrintNightmare" vulnerability (CVE-2021-34527). The attack resulted in data exfiltration from cloud and email accounts of the target organization.Why is this Significant?This is significant because the advisory describes how a target organization was compromised by Russian state-sponsored cyber actors. The advisory also provides mitigations.How did the Attack Occur?The advisory provides the following attack sequence:"Russian state-sponsored cyber actors gained initial access to the victim organization via compromised credentials and enrolling a new device in the organization's Duo MFA. The actors gained the credentials via brute-force password guessing attack, allowing them access to a victim account with a simple, predictable password. The victim account had been un-enrolled from Duo due to a long period of inactivity but was not disabled in the Active Directory. As Duo's default configuration settings allow for the re-enrollment of a new device for dormant accounts, the actors were able to enroll a new device for this account, complete the authentication requirements, and obtain access to the victim network.Using the compromised account, Russian state-sponsored cyber actors performed privilege escalation via exploitation of the "PrintNightmare" vulnerability (CVE-2021-34527) to obtain administrator privileges. The actors also modified a domain controller file, c:\windows\system32\drivers\etc\ hosts, redirecting Duo MFA calls to localhost instead of the Duo server. This change prevented the MFA service from contacting its server to validate MFA login-this effectively disabled MFA for active domain accounts because the default policy of Duo for Windows is to "Fail open" if the MFA server is unreachable. Note: "fail open" can happen to any MFA implementation and is not exclusive to Duo.After effectively disabling MFA, Russian state-sponsored cyber actors were able to successfully authenticate to the victim's virtual private network (VPN) as non-administrator users and make Remote Desktop Protocol (RDP) connections to Windows domain controllers. The actors ran commands to obtain credentials for additional domain accounts; then using the method described in the previous paragraph, changed the MFA configuration file and bypassed MFA for these newly compromised accounts. The actors leveraged mostly internal Windows utilities already present within the victim network to perform this activity.Using these compromised accounts without MFA enforced, Russian state-sponsored cyber actors were able to move laterally to the victim's cloud storage and email accounts and access desired content."What is the "PrintNightmare" vulnerability (CVE-2021-34527)?The "PrintNightmare" vulnerability" was a critical vulnerability affecting Microsoft Windows Print Spooler. Microsoft released an out-of-bound advisory for the vulnerability on July 6th, 2021.Has Microsoft Released a Patch for the "PrintNightmare" vulnerability (CVE-2021-34527)?Yes, Microsoft released an out-of-bound patch for the "PrintNightmare" vulnerability in July, 2021.Due to its severity, Microsoft made the patches available for unsupported OS such as Windows 7 and Windows Server 2012.Successful exploitation of the vulnerability allows an attack to run arbitrary code with SYSTEM privileges.FortiGuard Labs released an Outbreak Alert and Threat Signal for PrintNightmare. See the Appendix for a link to "Fortinet Outbreak Alert: Microsoft PrintNightmare" and "#PrintNightmare Zero Day Remote Code Execution Vulnerability".What is the Status of Coverage?FortiGuard Labs has IPS coverage in place for the "PrintNightmare" vulnerability (CVE-2021-34527):MS.Windows.Print.Spooler.AddPrinterDriver.Privilege.EscalationAll known network IOC's are blocked by the FortiGuard WebFiltering client.Any Other Suggested Mitigation?The advisory recommends the following mitigations:Enforce MFA for all users, without exception. Before implementing, organizations should review configuration policies to protect against "fail open" and re-enrollment scenarios.Implement time-out and lock-out features in response to repeated failed login attempts.Ensure inactive accounts are disabled uniformly across the Active Directory, MFA systems etc.Update software, including operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment.Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passwords. Passwords should not be reused across multiple accounts or stored on the system where an adversary may have access.Continuously monitor network logs for suspicious activity and unauthorized or unusual login attempts.Implement security alerting policies for all changes to security-enabled accounts/groups, and alert on suspicious process creation events (ntdsutil, rar, regedit, etc.).

FortiGuard Labs is aware of a new attack on Apache Tomcat Servers dubbed "GhostCat." Discovered by Chaitin Tech, a vulnerability in Apache Tomcat exists where an attacker has the ability to read and write in the webapp directory of Apache Tomcat. It addition to this, an attacker has the ability to upload files to the host to ultimately perform remote code execution. Assigned CVE-2020-1938, this vulnerability affects every version of Tomcat released over the past 13 years.What are the specifics of the vulnerability?Due to a flaw in the Apache Tomcat JServ Protocol, or AJP, a file inclusion vulnerability exists where an attacker has the ability to read and write privileges in the webapp directory of Apache Tomcat. Also, if a web application has file upload function capability; an attacker may be able to perform remote code execution by exploiting file inclusion within the vulnerability itself. Essentially, an attacker can also upload malicious JSP (JavaServer Pages) to exploit this vulnerability and gain remote code execution.What versions of software are affected?This affects Apache Tomcat software only. The following software versions are affectedApache Tomcat 9.0.0.M1 to 9.0.30Apache Tomcat 8.5.0 to 8.5.50Apache Tomcat 7.0.0 to 7.0.99What is the severity of this issue?HIGH. The CVSS base score is 9.8 CRITICAL.Has the vendor issued a patch?Yes. The Apache Software Foundation has issued patches for versions 7/8/9 of Apache Tomcat. However, versions 6 and lower are no longer supported and have reached end of life status. Please refer to the APPENDIX section for links to patches.What is that status of AV or IPS coverage?Fortinet customers running the latest IPS definitions are protected against GhostCat with the following signature:Apache.Tomcat.AJP.Local.File.InclusionAV coverage is not feasible for this event.What mitigation is available if any?It is recommended to upgrade versions that have reached end of life to one of the versions that are supported. If this is not possible, if AJP support is not necessary, disabling the connector by commenting out the server.xml /conf/server.xml file in the following line:[Connector port = "8009" protocol = "AJP / 1.3" redirectPort = "8443" ]If AJP connector is a requirement and cannot be commented/deactivated, then, it is recommended to configure network firewall rules to prevent unauthorized access and to make sure that the connector listens on a non-public interface.MITRE ATT&CKExploit Public-Facing ApplicationID: T1190Tactic: Initial AccessExploitation for Client ExecutionID: T1203Tactic: Execution

FortiGuard Labs is aware of reports of active exploitation of CVE-2020-0688 - Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Active in the wild attacks were first observed by Twitter user Troy Mursch (@bad_packets). The vulnerability was disclosed by an anonymous researcher to the Zero Day Initiative. According to the original February Microsoft Security Advisory for CVE-2020-0688, a remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.Essentially, the proof of concept highlights that an attacker who has obtained the active credentials of a Microsoft Exchange user can obtain SYSTEM level privileges via an internet facing application, such as Outlook Web Access (OWA). Because of this vulnerability, the attacker can execute arbritary code remotely on an Exchange server at SYSTEM level; regardless of privileges assigned to the compromised Microsoft Exchange user.What are the specifics of the vulnerability?The vulnerability exists in the Exchange Control Panel (ECP) component. In the web.config file of Microsoft Exchange, keys that are installed during run time are static and not randomly generated and contain the same validationKey and decryptionKey across all installations of Microsoft Exchange. Because of the static keys, an attacker can compel the server into deserializing maliciously crafted data, specifically ViewState data; which is server side data that ASP.net applications store on the client machine. Using known open source deserialization tools to perform unsafe deserialization of objects will invoke and can cause .NET code to be executed on the host, in the context of ECP which runs as SYSTEM.What versions of software are affected?Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30Microsoft Exchange Server 2013 Cumulative Update 23Microsoft Exchange Server 2016 Cumulative Update 14Microsoft Exchange Server 2016 Cumulative Update 15Microsoft Exchange Server 2019 Cumulative Update 3Microsoft Exchange Server 2019 Cumulative Update 4Have there been reports of in the wild exploitation?Yes. Third party researchers have observed active in the wild attacks at this time. Microsoft has not commented publicly confirming this. Attribution is unknown at this time.Any suggestions or mitigations?Fortiguard Labs suggests that customers running Microsoft Exchange server apply this month's February 2020 updates as soon as possible. If not possible, it is recommended that external access to web facing applications such as Outlook Web Access is disabled. Administrators should require that all email users within a corporate facing network update their passwords immediately to ensure that potential credentials that may have been leaked elsewhere are no longer valid. It is also suggested that organizations ensure that two factor authentication (2FA) is enabled; as another layer of precaution.What is the status of AV and IPS coverage?IPS coverage has been created for CVE-2020-0688 as MS.Exchange.Validation.Key.ViewState.Remote.Code.Execution and was released in IPS definitions version 15.786.AV coverage is not feasible for this event.MITRE ATT&CKExploit Public-Facing ApplicationID: T1190Tactic: Initial AccessExploitation for Privilege EscalationD: T1068Tactic: Privilege Escalation

FortiGuard Labs is aware of a newly disclosed vulnerability in Zyxel network attached storage (NAS) devices in an advisory published today by CERT/CC. Multiple Zyxel devices contain a pre authentication command injection vulnerability, which may allow a remote unauthenticated attacker to execute arbitrary code on the device. The vulnerability was reported by security journalist Brian Krebs (Krebs on Security) who learned about the flaw from a researcher who had obtained the exploit code from a reseller on the underground forums. This vulnerability has been assigned CVE-2020-9054.What are the details of this vulnerability exactly?The vulnerability is in (weblogin.cgi), which is a cgi script used by Zyxel NAS devices to perform authentication. The script fails to properly sanitize the username parameter. if the parameter contains a specific subset of characters it can allow for command injection with elevated privileges on the webserver. Although the webserver does not run at root; Zyxel devices contain a setuid utility that can be leveraged to run commands with root privileges. Remote code execution via OS command injection can occur due to the program missing authentication. By sending a specially crafted HTTP POST or GET request, an attacker can leverage this technique to perform unauthenticated arbitrary code execution on the device.What is the severity of this vulnerability?Due to an attacker who can perform code execution with root privileges without authentication, this vulnerability is deemed HIGH. CERT/CC has assigned this vulnerability a CVSS base score of 10.What products are affected?Zyxel products only, specifically model numbers NAS326/NAS520/NAS540/NAS542. Others not on this list are no longer supported.Is proof of concept code publicly available?According to CERT/CC exploit code is publicly available. CERT/CC has also created a POC for companies to investigate signature feasibility.Is there a vendor patch or firmware update available?Yes. Zyxel has published descriptions of devices affected along with firmware updates available and they are:Models Firmware versions availableNAS326 March 2020. Firmware V5.21(AAZF.7)C0NAS520 March 2020. Firmware V5.21(AASZ.3)C0NAS540 March 2020. Firmware V5.21(AATB.4)C0NAS542 March 2020. Firmware V5.21(ABAG.4)C0According to the vendor page - products not listed here or products that have reached end of life are no longer supported.Any other recommendations and/or suggested mitigation?For products that are no longer supported it is suggested that devices affected by CVE-2020-9054 are not internet facing and or placed behind a firewall to prevent unauthenticated access. Also, FortiGuard labs recommends that system administrators perform an audit of their network to ensure that machines affected by this vulnerability and any other services that were not meant to be exposed externally, be firewalled as soon as time permits and that authentication be enabled to ensure additional mitigation from external access.What is the status of AV/IPS coverage?Customers running the latest definitions (15.784) are protected by the following IPS signature:ZyXEL.NAS.Pre-authentication.OS.Command.InjectionAV was deemed not feasible at this time.MITRE ATT&CKID: T1068Tactic: Privilege EscalationPlatform: Linux, macOS, WindowsSystem Requirements: In the case of privilege escalation, the adversary likely already has user permissions on the target system.Permissions Required: UserEffective Permissions: UserData Sources: Windows Error Reporting, Process monitoring, Application logsVersion: 1.1

UPDATE February 17: Added reference to CVE-2022-24087, which Adobe disclosed and issues an out-of-band patch for on February 17th, 2022.FortiGuard Labs is aware of reports that Magento Open Source and Adobe Commerce are actively being targeted and exploited through CVE-2022-24086. This vulnerability can lead to remote code execution (RCE) on an exploited server which means an attacker will be able to execute arbitrary commands remotely. The vulnerability is rated as Critical by Adobe and has CVSS score of 9.8 out of 10.On February 17th, Adobe released an out-of-band security fix for CVE-2022-24087. This vulnerability can also lead to remote code execution (RCE) on an exploited server which means an attacker will be able to execute arbitrary commands remotely. The vulnerability is rated as Critical by Adobe and has CVSS score of 9.8 out of 10.Why is this Significant?Since Magento and Adobe Commerce are very popular E-commerce platform across the globe, this can potentially impact a high number of online shoppers. Moreover, the attack complexity needed to carry out a successful attack has been deemed relatively low/easy and no extra privileges/permissions are required to execute this attack. A successful attack can result in the total loss of confidentiality, integrity and availability of the information and resources stored in the exploited server.In addition, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2022-24086 to the Known Exploited Vulnerabilities to Catalog, which lists vulnerabilities that "are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise."What are CVE-2022-24086 and CVE-2022-24087? (updated on February 17th)Adobe classifies CVE-2022-24086 and CVE-2022-24087 as a vulnerability that stems from "improper input validation." Without properly sanitizing input from a user, the input can be modified so that it executes arbitrary commands on the exploited server.What Versions of Adobe Commerce and Magento are Prone to CVE-2022-24086 and CVE-2022-24087? (updated on February 17th)The vulnerabilities exist for Adobe Commerce 2.4.3-p1 and earlier versions, as well as 2.3.7-p2 and earlier versions. For Adobe Commerce 2.3.3 and below, this vulnerabilities do not exist. The vulnerabilities exist for both Adobe Commerce and Magento Open Source versions 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.Are the Vulnerabilities Exploited in the Wild?FortiGuard Labs has been made aware of exploits being used in the wild for CVE-2022-24086.Has the Vendor Released a Fix?Yes. Adobe has released patches for all versions from 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.To be fully protected, Adobe advisory states that two patches must be applied: MDVA-43395 patch first, and then MDVA-43443 on top of it.What is the Status of Coverage? (updated on February 17th)Proof-of-Concept (POC) code is not available for both CVE-2022-24086 and CVE-2022-24087at the time of this writing and as such, no coverage is available.FortiGuard Labs is actively looking for additional information and will update this Threat Signal when protection becomes available.