Threat Alerts

Fortinet has issued a warning about a newly discovered zero-day vulnerability, CVE-2025-24472 (CVSS score 8.1), which is being actively exploited by threat actors to compromise Fortinet firewalls running FortiOS and FortiProxy.

This vulnerability stems from an authentication bypass flaw that allows remote attackers to obtain super-admin privileges by sending specially crafted CSF proxy requests. Exploiting this flaw could enable attackers to gain unauthorized control over affected systems.

Microsoft has released patches addressing 55 vulnerabilities in its February 2025 security update, including four zero-day flaws, two of which are actively being exploited in attacks.

The four zero-day vulnerabilities impact Windows OS and related applications, posing significant security risks. These include CVE-2025-21391 (CVSS score 7.1), a Windows Storage Elevation of Privilege vulnerability, enables attackers to delete specific files. CVE-2025-21418 (CVSS score 7.8, an actively exploited flaw in the Windows Ancillary Function Driver for WinSock, allows an authenticated user to run a specially crafted program that executes code with SYSTEM privileges. CVE-2025-21376 (CVSS score 8.3), a Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution vulnerability, enables a remote, unauthenticated attacker to execute arbitrary code on a targeted system by sending a maliciously crafted request. Lastly, CVE-2025-21387 (CVSS score 8.3), a Microsoft Excel Remote Code Execution vulnerability, exploits the Excel Preview Pane as an attack vector, though it also requires user interaction.

Palo Alto Networks has patched a high-severity vulnerability in its PAN-OS software, CVE-2025-0108, which has a CVSS score of 7.8. The flaw, which has been actively exploited in the wild, allows unauthenticated attackers to bypass authentication on the management web interface, providing direct access to sensitive system functions. Exploiting this vulnerability could enable threat actors to extract system data, retrieve firewall configurations, or manipulate certain settings within PAN-OS, potentially compromising system integrity and confidentiality.

The issue stems from how Nginx and Apache components in the PAN-OS management interface process incoming requests, leading to a directory traversal flaw. Attackers with network access to the interface can exploit this vulnerability to invoke specific PHP scripts without authentication. While it does not grant remote code execution, it provides unauthorized access to critical system functions, increasing the risk of further exploitation.

Ivanti has rolled out security patches to fix multiple vulnerabilities affecting Connect Secure (ICS), Policy Secure (IPS), and Cloud Services Application (CSA), which could be exploited to execute arbitrary code.

The vulnerability CVE-2024-38657 (CVSS 9.1) is an external file name control flaw in Ivanti Connect Secure (ICS) (prior to version 22.7R2.4) and Ivanti Policy Secure (IPS) (prior to version 22.7R1.3) that allows a remote authenticated attacker with admin privileges to write arbitrary files. CVE-2025-22467 (CVSS 9.9) is a stack-based buffer overflow in Ivanti Connect Secure (prior to version 22.7R2.6) that enables a remote authenticated attacker to execute arbitrary code. Additionally, CVE-2024-10644 (CVSS 9.1) is a code injection vulnerability in Ivanti Connect Secure (prior to version 22.7R2.4) and Ivanti Policy Secure (prior to version 22.7R1.3) that allows a remote authenticated attacker with admin privileges to achieve remote code execution. Lastly, CVE-2024-47908 (CVSS 9.1) is an OS command injection flaw in the admin web console of Ivanti CSA (prior to version 5.0.5) that permits a remote authenticated attacker with admin privileges to execute remote commands. Organizations using affected versions are urged to apply the necessary security updates to prevent exploitation.

Kimsuky’s innovative use of a customized Remote Desktop Protocol (RDP) Wrapper has been highlighted in recent investigations as a key component of its spear-phishing campaigns. Delivered via malicious shortcut files (.LNK), the malware triggers PowerShell or Mshta scripts upon execution, leading to the download of backdoors like PebbleDash and the modified RDP utility, granting attackers remote control over compromised systems

Kimsuky’s customized RDP Wrapper is a key enabler of their remote access operations. Unlike standard implementations, this version modifies an open-source utility to activate remote desktop functionality, even on Windows machines where it is typically unavailable. This capability is further strengthened by proxy malware that bridges internal networks to external systems, bypassing network isolation and ensuring persistent access to the victim’s environment.

Beyond remote access, Kimsuky enhances their operations with complementary malware such as keyloggers and credential stealers. Keyloggers capture sensitive inputs, while credential-stealing tools like “forceCopy” extract browser-stored passwords. This multifaceted approach ensures that Kimsuky can maintain long-term surveillance and ongoing data exfiltration within targeted organizations, demonstrating their evolving capabilities in cyber espionage.

Recently, researchers observed limited malicious activity by an unattributed threat actor who exploited a publicly available, static ASP.NET machine key to inject malicious code and deliver the Godzilla post-exploitation framework. This incident highlights a dangerous trend in which developers inadvertently incorporate machine keys from public repositories and documentation into their applications. With over 3,000 such keys accessible across various public sources, threat actors can perform ViewState code injection attacks without the need for stolen or purchased credentials.

The attack leverages the ASP.NET ViewState mechanism, which is designed to preserve page and control state using encrypted and validated data. By reusing a known machine key, the attacker crafted a malicious ViewState payload that bypasses integrity checks when processed by the target server, resulting in code execution. In this instance, the payload reflectively loaded an assembly associated with the Godzilla framework, enabling functionalities such as executing malicious commands and injecting shellcode into processes, ultimately providing the attacker with remote code execution capabilities on the affected IIS web server.