Fortinet Firewalls Targeted as Attackers Bypass Patch for Critical FortiGate Flaw  Critical vulnerabilities in FortiGate systems continue to be exploited, even after fixes were deployed, users now confirm. Though updates arrived aiming to correct the problem labeled CVE-2025-59718, they appear incomplete. Authentication safeguards can still be sidestepped by threat actors taking advantage of the gap. This suggests earlier remedies failed to close every loophole tied to the flaw. Confidence in the patch process is weakening as real-world attacks persist.  Several admins report breaches on FortiGate units using FortiOS 7.4.9, along with systems updated to 7.4.10. While Fortinet claimed a fix arrived in December via version 7.4.9 - tied to CVE-2025-59718 - one user states internal confirmation showed the flaw persisted past that patch. Updates such as 7.4.11, 7.6.6, and 8.0.0 are said to be underway, aiming complete resolution.  One case involved an administrator spotting a suspicious single sign-on attempt on a FortiGate system with FortiOS version 7.4.9. A security alert appeared after detection of a freshly added local admin profile, behavior seen before during prior attacks exploiting this flaw. Activity records indicated the new account emerged right after an SSO entry tied to the email cloud-init@mail.io. That access came from the IP 104.28.244.114, marking another point in the timeline.  A few others using Fortinet noticed very similar incidents. Their firewall - running version 7.4.9 of FortiOS - logged an identical email and source IP during access attempts, followed by the addition of a privileged profile labeled “helpdesk.” Confirmation came afterward from Fortinet’s development group: the security flaw remained active even after update 7.4.10.  Unexpectedly, the behavior aligns with earlier observations from Arctic Wolf, a cybersecurity company. In late 2025, they identified exploitation of vulnerability CVE-2025-59718 through manipulated SAML data. Instead of standard procedures, hackers leveraged flaws in FortiGate's FortiCloud login mechanism. Through this weakness, unauthorized users gained access to privileged administrator credentials.  Nowhere in recent updates does Fortinet address the newest claims of system breaches, even after repeated outreach attempts. Without a complete fix available just yet, experts suggest pausing certain functions as a stopgap solution. Turning off the FortiCloud SSO capability stands out - especially when active - since attacks largely flow through that pathway. Earlier warnings from Fortinet pointed out that FortiCloud SSO stays inactive unless tied to a FortiCare registration - this setup naturally reduces exposure.  Despite that, findings shared by Shadowserver in mid-December revealed over 25,000 such devices already running the feature publicly. Though efforts have protected most of them, around 11,000 still appear accessible across the web. Their security status remains uncertain.  Faced with unpatched FortiOS versions, admins might consider revising login configurations while Fortinet works on fixes. Some could turn off unused single sign-on options as a precaution. Watching system records carefully may help spot odd behavior tied to admin access during this period.

Fortinet Firewalls Targeted as Attackers Bypass Patch for Critical FortiGate Flaw #CriticalVulnerability #CVE #CVEvulnerability

Hackers Exploit End-of-Life SonicWall Devices Using Overstep Malware and Possible Zero-Day  Cybersecurity experts from Google’s Threat Intelligence Group (GTIG) have uncovered a series of attacks targeting outdated SonicWall Secure Mobile Access (SMA) devices, which are widely used to manage secure remote access in enterprise environments.  These appliances, although no longer supported with updates, remain in operation at many organizations, making them attractive to cybercriminals. The hacking group behind these intrusions has been named UNC6148 by Google. Despite being end-of-life, the devices still sit on the edge of sensitive networks, and their continued use has led to increased risk exposure.  GTIG is urging all organizations that rely on these SMA appliances to examine them for signs of compromise. They recommend that firms collect complete disk images for forensic analysis, as the attackers are believed to be using rootkit-level tools to hide their tracks, potentially tampering with system logs. Assistance from SonicWall may be necessary for acquiring these disk images from physical devices. There is currently limited clarity around the technical specifics of these breaches.  The attackers are leveraging leaked administrator credentials to gain access, though it remains unknown how those credentials were originally obtained. It’s also unclear what software vulnerabilities are being exploited to establish deeper control. One major obstacle to understanding the attacks is a custom backdoor malware called Overstep, which is capable of selectively deleting system logs to obscure its presence and activity.  Security researchers believe the attackers might be using a zero-day vulnerability, or possibly exploiting known flaws like CVE-2021-20038 (a memory corruption bug enabling remote code execution), CVE-2024-38475 (a path traversal issue in Apache that exposes sensitive database files), or CVE-2021-20035 and CVE-2021-20039 (authenticated RCE vulnerabilities previously seen in the wild). There’s also mention of CVE-2025-32819, which could allow credential reset attacks through file deletion.  GTIG, along with Mandiant and SonicWall’s internal response team, has not confirmed exactly how the attackers managed to deploy a reverse shell—something that should not be technically possible under normal device configurations. This shell provides a web-based interface that facilitates the installation of Overstep and potentially gives attackers full control over the compromised appliance.  The motivations behind these breaches are still unclear. Since Overstep deletes key logs, detecting an infection is particularly difficult. However, Google has shared indicators of compromise to help organizations determine if they have been affected. Security teams are strongly advised to investigate the presence of these indicators and consider retiring unsupported hardware from critical infrastructure as part of a proactive defense strategy.

Hackers Exploit End-of-Life SonicWall Devices Using Overstep Malware and Possible Zero-Day #CVE #CVEexploits #CVEvulnerability

Zero-Day Flaw in Chrome and Chromium Puts Windows and Linux Users at Data Risk  A newly revealed zero-day vulnerability identified as CVE-2025-4664 has triggered serious concerns for billions of Google Chrome and Chromium users. Security experts have warned that this flaw, which affects both Windows and Linux platforms, could be exploited to leak sensitive cross-origin data such as OAuth tokens and session identifiers—all without requiring any user action.   The vulnerability has been discovered within the Loader component of Chrome and Chromium browsers. It is linked to how these browsers interpret the Link HTTP header for sub-resource requests such as images or scripts. While most mainstream browsers follow strict guidelines for handling such requests, Chrome’s unique behavior stands out. It continues to respect the referrer-policy directive even when loading sub-resources, which can unintentionally expose sensitive information.  This default behavior can be manipulated by attackers. A malicious site could inject a loose policy like “unsafe-url,” which then forces the browser to reveal complete URLs—including potentially sensitive credentials or session data—to third-party servers. This results in a severe breach of user privacy and circumvents traditional browser security measures. Cybersecurity firm Wazuh has stated that their Vulnerability Detection module can identify and address this specific flaw.  The module leverages information from their Cyber Threat Intelligence (CTI) service to monitor browser versions and trigger alerts when vulnerable builds are detected. In controlled testing using Wazuh OVA 4.12.0, researchers were able to scan systems running Windows 11 and Debian 11 to determine if they were running affected versions of Chrome or Chromium. According to Wazuh’s platform, users can search for the vulnerability by querying CVE-2025-4664. If vulnerable software is found, the module changes the system status from “Active” to “Solved” after the necessary fixes are applied, helping administrators track progress in real time.  In response to the discovery, Google has issued an emergency patch for Chrome users on Windows and Gentoo Linux. It is strongly recommended that users on these operating systems update their browsers immediately to avoid exposure. However, users on Debian 11 who rely on Chromium remain at risk, as no updated version has been released for that platform. All Chromium builds up to version 120.0.6099.224 are still considered vulnerable. Until a patch is available, security professionals advise uninstalling Chromium on affected Debian systems as a precautionary measure.  While these immediate actions are important, experts caution that relying solely on browser updates is not a comprehensive defense. The broader cybersecurity strategy must include the use of endpoint protection platforms, anti-malware systems, and modern antivirus tools. These security layers can help detect and neutralize threats that slip past browser-based defenses and provide a stronger safety net for users and enterprises alike.  As browser-based zero-day threats continue to emerge, users must remain vigilant. Rapid patching combined with proactive cybersecurity tools offers the best chance of mitigating risks and maintaining a secure browsing environment.

Zero-Day Flaw in Chrome and Chromium Puts Windows and Linux Users at Data Risk #ChromiumBrowser #CVE #CVEvulnerability

Hackers Exploit ThinkPHP and ownCloud Vulnerabilities from 2022 and 2023  Hackers are increasingly exploiting outdated security flaws in poorly maintained systems, with vulnerabilities from 2022 and 2023 seeing a surge in attacks. According to threat intelligence platform GreyNoise, malicious actors are actively targeting…

Hackers Exploit ThinkPHP and ownCloud Vulnerabilities from 2022 and 2023 #CVE #CVEexploits #CVEvulnerability