Ivanti's silent patch has been reversed
A week after reports of active exploitation of an Ivanti vulnerability (CVE-2025-22457) by the Chinese state actor UNC5221, it now appears that the attacker reverse engineered the vendor’s patch in order to develop its exploit. Moreover, it seems that via carefully crafted HTTP headers, UNC5221 has been able to gain full RCE capabilities on compromised devices – rather than Denial-of-Service as previously understood. Ivanti, which assessed the flaw as “unexploitable”, has been criticized for silent patching and for addressing the issue as a product bug rather than a security vulnerability.

Persistent access to Fortinet devices resists patches
Fortinet disclosed a massive exploitation campaign in which 14K devices were compromised. An unidentified threat actor has maintained long-term persistent read-only access to FortiOS and FortiProxy devices. While it initially infiltrated the devices by exploiting FortiGate vulnerabilities (CVE-2024-21762, CVE-2023-27997, CVE-2022-42475), access was maintained even after a patch was applied. The attacker created “a symbolic link connecting the user filesystem and the root filesystem in a folder used to serve language files for the SSL-VPN,” consequently evading detection. The three vulnerabilities are well-known flaws which have been widely exploited by various threat groups over the past few years. In a possibly related development, a hacker put on sale a Fortinet RCE zero-day allegedly enabling “total control of vulnerable devices without requiring credentials”.
Mitigate it
Reset all credentials related to SSL-VPN functionality, affected devices, user accounts, LDAP bind credentials, and pre-shared keys
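The persistence technique above boils down to a symlink inside a web-served folder whose target escapes that folder. As an added example (not Fortinet's or the newsletter's own code), the script below walks a served directory and reports every symlink that resolves outside it; the directory layout it checks is constructed in a temp folder for illustration.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_dir: str) -> list[tuple[str, str]]:
    """Walk served_dir without following links and return (link, target)
    pairs for every symlink whose resolved target lies outside served_dir."""
    root = Path(served_dir).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            # strict=False so dangling links are still resolved lexically
            target = link.resolve(strict=False)
            if not target.is_relative_to(root):
                findings.append((str(link), str(target)))
    return findings


def build_demo() -> str:
    """Constructed layout (not a real device): a language-files folder with
    one benign in-tree symlink and one symlink pointing at the root filesystem,
    mirroring the pattern described above. Returns the folder path."""
    base = Path(tempfile.mkdtemp())
    lang = base / "lang"
    lang.mkdir()
    (lang / "en.json").write_text("{}")
    os.symlink(lang / "en.json", lang / "en_US.json")  # stays inside lang/
    os.symlink("/", lang / "files")                     # escapes to root fs
    return str(lang)


if __name__ == "__main__":
    for link, target in find_escaping_symlinks(build_demo()):
        print(f"escaping symlink: {link} -> {target}")
```

Run it against the real served folder of a device you administer (the path is vendor-specific and not given here) and treat any escaping link as an indicator to investigate.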
Decade-old flaw used by a provocative new ransomware for kernel-level access
A new ransomware group naming itself “DOGE Big Balls” is exploiting a decade-old Intel Ethernet driver vulnerability (CVE-2015-2291) in a BYOVD tactic used in the post-compromise stage to elevate to kernel-level privileges, manipulate memory or disable security logs. Initial access has been gained through a finance-themed ZIP file sent by email. The group, utilizing a modified Fog ransomware payload, uses techniques of psychological manipulation and intimidation, also including conspiratorial political comments while communicating with its victims.

Large data breach in Morocco's Social Security
A North African hacker nicknamed Jabaroot has used a vulnerability to exfiltrate 53K PDF files from Morocco’s National Social Security Fund (CNSS), including information about 500K companies and 2 million individuals – even though some of the data has been assessed by Moroccan authorities as false, inaccurate, or incomplete. It is unclear whether the exploited vulnerability was a zero-day or an Oracle flaw in a third party.

Lemonade's customers exposed
The exploitation of a web vulnerability led to a data breach at the digital AI-based insurance firm Lemonade, as the details of 20K customers’ driving licenses have been exposed. The flaw, now fixed, lay in the online application platform for insurance policies.
Microsoft Defender will isolate undiscovered endpoints
Microsoft Defender will release a new feature with the purpose of isolating endpoints from IP addresses of devices yet to be discovered or onboarded to Defender for Endpoint. The new capability, applied through Defender’s “Automatic Attack Disruption”, is aimed at disrupting lateral movement efforts of threat actors.
Vulnerability exploitation shifts from endpoints to routers
A new report shows that enterprise risk is shifting from traditional endpoints to routers. While half of known vulnerabilities still lie in computers (versus 10% in routers), 50% of critical and likely exploitable vulnerabilities lie in routers (versus 26% in computers).

Will MITRE stop its CVE program?
After the MITRE organization warned that its CVE program is about to expire (on April 16) and might not be renewed, CISA agreed to extend its contract. The program lets certified organizations report new vulnerabilities, assign them a CVE ID, classify them and enrich them with additional information. Behind this announcement is DOGE’s decision to cut $28 million in MITRE contracts, forcing the non-profit organization to lay off 442 staff.
Sources
- https://attackerkb.com/topics/0ybGQIkHzR/cve-2025-22457/rapid7-analysis
- https://www.fortinet.com/blog/psirt-blogs/analysis-of-threat-actor-activity, https://www.cisa.gov/news-events/alerts/2025/04/11/fortinet-releases-advisory-new-post-exploitation-technique-known-vulnerabilities, https://x.com/MonThreat/status/1911380369292603822
- https://cyble.com/blog/doge-big-balls-ransomware-edward-coristine/
- https://cybelangel.com/our-investigation-of-the-cnss-data-leak-flash-report/
- https://therecord.media/lemonade-insrance-breach-numbers-license
- https://learn.microsoft.com/en-us/defender-endpoint/whats-new-in-microsoft-defender-endpoint#april-2025
- https://www.forescout.com/resources/riskiest-devices-2025-report/
- https://www.scworld.com/news/mitre-support-expires-for-pillar-of-cybersecurity-industry-cve-program