Krista Lyons@OpenVPN Blog
//
References:
Blog
, OpenVPN Blog
Multiple security vulnerabilities are currently being exploited in Fortinet and SonicWall products, posing a significant risk to organizations using these devices. The Cybersecurity and Infrastructure Security Agency (CISA) has taken notice, adding the SonicWall SMA100 Appliance flaw (CVE-2021-20035) to its Known Exploited Vulnerabilities catalog, urging federal agencies to apply mitigations by May 7, 2025. This vulnerability, which impacts SonicWall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices, allows remote authenticated attackers to inject arbitrary operating system commands.
Attackers have been actively exploiting the SonicWall SMA100 vulnerability (CVE-2021-20035) since January 2025. SonicWall has updated its security advisory to reflect the current active exploitation of the flaw which can lead to code execution, as opposed to a denial-of-service. While the vulnerability affects SMA100 devices running older firmware, customers are urged to upgrade to the latest firmware. In addition to the SonicWall vulnerability, threat actors are employing new techniques to exploit a 2023 FortiOS flaw (CVE-2023-27997). This involves manipulating symbolic links during the device’s boot process, allowing attackers with prior access to maintain control even after firmware updates. Fortinet has released security updates for FortiOS and FortiGate. Organizations using Fortinet products should apply the latest patches. Similarly, SonicWall users are advised to upgrade to the fixed versions of firmware, specifically 10.2.1.1-19sv and higher, 10.2.0.8-37sv and higher, or 9.0.0.11-31sv and higher. With both SonicWall and CISA confirming the CVE-2021-20035 exploit, details about the attacks remain scarce. Recommended read:
References :
@hackread.com
//
A significant cybersecurity incident has come to light involving Fortinet devices. Reports indicate that over 16,000 internet-exposed Fortinet devices have been compromised using a symlink backdoor. This backdoor grants attackers read-only access to sensitive files, even after security patches are applied. The Shadowserver Foundation, a threat monitoring platform, has been tracking the situation and has reported the growing number of affected devices. This active exploitation underscores the critical need for organizations to implement security updates promptly and rigorously monitor their systems for any signs of suspicious activity.
Fortinet has acknowledged the attacks and has taken steps to address the issue. The company has released multiple updates across various FortiOS versions, including versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, and 6.4.16. These updates not only remove the established backdoor but also modify the SSL-VPN interface to prevent similar occurrences in the future. Furthermore, Fortinet has launched an internal investigation and is collaborating with third-party experts to fully understand and mitigate the scope of the breach. An AV/IPS signature has also been developed to automatically detect and remove the malicious symlink. Concerns about espionage have also arisen after the exposure of a KeyPlug server. This server exposed Fortinet exploits and webshell activity, specifically targeting a major Japanese company, Shiseido. A recently exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active operations. The server was observed to be live for less than a day, highlighting the need for organizations to monitor for short-lived operational infrastructure. This discovery reveals the potential for advanced adversaries to maintain persistent access through sophisticated methods, making detection and remediation increasingly challenging. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Since January 2025, threat actors have been actively exploiting a remote code execution vulnerability, CVE-2021-20035, in SonicWall Secure Mobile Access (SMA) appliances. This exploitation campaign targets the SMA100 management interface, allowing for OS command injection. Arctic Wolf researchers have been tracking this campaign, highlighting the significant risk it poses to organizations utilizing these affected devices due to the potential for credential access.
This vulnerability has now been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity and ongoing nature of the threat. CISA urges prompt remediation by affected organizations. In addition to CVE-2021-20035, CISA has flagged another critical vulnerability, CVE-2024-53704, which compromises the SSL VPN authentication mechanism in SonicOS. This flaw, with a CVSS score of 9.3, enables attackers to hijack VPN sessions by sending crafted session cookies, bypassing multi-factor authentication and exposing private network routes. CISA has issued a critical security alert urging federal agencies and network defenders to prioritize patching both CVE-2021-20035 and CVE-2024-53704 to prevent potential breach attempts. The Binding Operational Directive (BOD) 22-01 mandates that Federal Civilian Executive Branch (FCEB) agencies secure their networks against ongoing attacks within a specified timeframe. While this directive specifically targets U.S. federal agencies, CISA advises all network defenders to take immediate action to mitigate these risks. Recommended read:
References :
@securityonline.info
//
GreyNoise has observed a significant surge, approximately three times the typical level, in exploitation attempts targeting TVT NVMS9000 DVRs. The peak of this activity occurred on April 3, 2025, with over 2,500 unique IP addresses involved in scanning for vulnerable devices. This vulnerability is an information disclosure flaw that allows attackers to gain administrative control over affected systems, essentially bypassing authentication and executing commands without restriction. Countless prior reports have identified the TVT NVMS9000 DVR as a target for botnet recruitment, including a GreyNoise update in early March 2025.
The exploitation activity is strongly suspected to be associated with the Mirai botnet, a notorious threat known for targeting vulnerabilities in IoT devices. GreyNoise has identified sufficient overlap with Mirai to support this attribution. Manufactured by TVT Digital Technology Co., Ltd., based in Shenzhen, the NVMS9000 DVRs are used in security and surveillance systems for recording, storing, and managing video footage from security cameras. The company reports serving customers in over 120 countries. The majority of the malicious IP addresses involved in the exploitation attempts originate from the Asia-Pacific (APAC) region, specifically Taiwan, Japan, and South Korea. However, the top target countries are the United States, United Kingdom, and Germany. Organizations using the NVMS9000 DVR or similar systems are advised to take immediate action to secure their devices. Recommended mitigations include blocking known malicious IP addresses, applying all available patches, restricting public internet access to DVR interfaces, and closely monitoring network traffic for signs of unusual scanning or exploitation attempts. Recommended read:
References :
Sunny Yadav@eSecurity Planet
//
Cybersecurity experts are warning of a coordinated surge in Server-Side Request Forgery (SSRF) exploitation attempts across multiple platforms. Threat intelligence firm GreyNoise reported on March 9, 2025, that approximately 400 unique IP addresses were actively involved in exploiting multiple SSRF vulnerabilities simultaneously. These attacks span several countries, including the United States, Germany, Singapore, India, Japan, and Lithuania, targeting critical systems in cloud environments and enterprise infrastructures.
This alarming trend highlights the persistent risks organizations face from evolving attack methods. The SSRF vulnerabilities being exploited include critical flaws in widely used software platforms like Zimbra Collaboration Suite (CVE-2020-7796), VMware products (CVE-2021-21973 and CVE-2021-22054), and multiple CVEs in GitLab's CE/EE versions, along with targets in DotNetNuke and Ivanti Connect Secure. GreyNoise also observed Grafana path traversal attempts preceding the SSRF surge, indicating attackers may be using Grafana as a foothold for deeper exploitation. Defenders should identify and disrupt early-stage activity by monitoring for reconnaissance behaviors, such as path traversal attempts, which may provide early warning signs before full-scale exploitation occurs. Organizations should act now to patch vulnerable systems, restrict access where possible, and monitor for unexpected outbound requests that could indicate SSRF exploitation. The attacks reflect a shift from opportunistic scanning to more deliberate, coordinated campaigns that aim to breach internal systems and extract valuable data. Recommended read:
References :
Ashish Khaitan@The Cyber Express
//
References:
thecyberexpress.com
, research.kudelskisecurity.com
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include critical vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Linux kernel. These flaws are actively being exploited, posing a significant risk, particularly for federal government organizations. Rapid patching is essential to mitigate the active cyber threats associated with these vulnerabilities.
The identified VMware vulnerabilities, CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, allow for remote code execution (RCE) and privilege escalation. Specifically, CVE-2025-22224 is a Time-of-Check Time-of-Use (TOCTOU) vulnerability with a CVSSv3 score of 9.3, classified as Critical. The affected systems include various versions of VMware ESXi, Workstation, Fusion, Cloud Foundation, and Telco Cloud Platform, with updated versions available to address the flaws. Recommended read:
References :
@Talkback Resources
//
Cybersecurity researchers have unveiled advanced obfuscation tactics employed by APT28, a Russian state-sponsored threat actor, in their HTA Trojan. The investigation focuses on espionage campaigns targeting Central Asia and Kazakhstan diplomatic relations, revealing intricate multi-layer obfuscation strategies designed to evade detection. The analysis highlights the use of Microsoft’s VBE technique within HTA files as a core component of APT28’s malware delivery mechanism. This encoding method, facilitated by the Windows Script Encoder, transforms VBScript and JavaScript files into obfuscated formats that remain executable while concealing their true functionality.
The investigation uncovered that the malware leverages Windows’ vbscript.dll to generate embedded strings dynamically during execution. By analyzing these strings and their interaction with memory addresses, researchers were able to reconstruct the original VBScript payload hidden within the HTA file. Using publicly available tools like “vbe-decoder.py,” they successfully deobfuscated the encoded scripts, exposing the final malicious payload designed for espionage activities. This discovery underscores the need for robust malware analysis capabilities and proactive threat intelligence sharing within the cybersecurity community. Recommended read:
References :
@www.bleepingcomputer.com
//
Hackers are actively exploiting vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) software to compromise systems and potentially deploy ransomware. Cybersecurity firm Field Effect has confirmed these exploits and released a report detailing the post-exploitation activity. The vulnerabilities, tracked as CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728, allow attackers to create administrator accounts and drop backdoors, laying the groundwork for further malicious activities.
Field Effect identified a breach where threat actors exploited these vulnerabilities in the SimpleHelp RMM client to infiltrate a targeted network. Following initial access, attackers execute discovery commands to gather system and network data. They then establish persistence by creating new administrator accounts and deploying the Sliver malware, a post-exploitation framework gaining popularity as a Cobalt Strike alternative. Once deployed, Sliver waits for further commands, enabling attackers to compromise the domain controller and potentially distribute malicious software. Recommended read:
References :
|