CCTR.48.NOV.25

A critical Fortinet FortiWeb vulnerability (CVE-2025-64446) is being actively exploited in the wild. The flaw is a relative path-traversal bug that lets unauthenticated attackers send crafted HTTP/HTTPS requests and execute admin-level commands, leading to full FortiWeb takeover.

Importantly, CISA has now added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalogue, a clear signal that exploitation is widespread, serious and requires immediate action. KEV inclusion means U.S. federal agencies must patch within days and private organisations should treat this with the same level of urgency.
Fortinet silently patched the issue in 8.0.2 on 28 October but didn’t disclose or assign a CVE for 17 days. By the time defenders understood the risk, attackers were already abusing it at scale to create rogue admin accounts and gain persistent privileged access.
Review logs for suspicious management-path requests and any unexpected configuration changes.
Assume compromise if unpatched since early October.
Collect forensic data and validate system integrity.
Implement strict IP whitelisting for all management access going forward.
Seriously, there’s no good reason for anyone to expose admin or management interfaces to the internet.
Trend identified five S3 ransomware variants and highlighted how attackers select buckets without versioning, object lock, or MFA Delete, the perfect conditions for irreversible data loss. Misconfigured IAM policies and exposed access keys continue to be the primary entry points.

Ransomware is shifting from traditional on-premises systems to cloud platforms. I mean, same threat but new techniques. This S3-focused ransomware doesn’t rely on encryption malware; it uses legitimate AWS APIs to overwrite, delete or lock organisations out of their own data.
Monitor for suspicious S3 API activity using native logging.
For more granular hardening recommendations, refer to the detailed guidance in the blog link below.
https://www.trendmicro.com/en_us/research/25/k/s3-ransomware.html
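As an added illustration of the monitoring advice above (not code from the Trend Micro report or this newsletter), the script below runs a small detection pass over constructed CloudTrail-shaped S3 records: it flags the control-plane calls that remove recovery options or lock an owner out (suspending versioning, lifecycle rules, bucket-policy changes) and bulk overwrite/delete bursts per principal and bucket. The record shapes, the principal ARNs, the bucket names and the burst threshold are all assumptions for the sample.

```python
from collections import Counter
# Control-plane calls that remove recovery options or lock owners out of a bucket.
RISKY_CONTROL_CALLS = {
    "PutBucketLifecycle", "PutBucketLifecycleConfiguration",  # expiry rules purge objects
    "PutBucketPolicy", "DeleteBucketPolicy",                   # deny-all policy locks owner out
}
# Data-plane calls that are destructive in bulk: overwrite or delete at volume.
BULK_CALLS = {"DeleteObject", "DeleteObjects", "PutObject", "CopyObject"}
BULK_THRESHOLD = 3  # assumed threshold for this constructed sample; tune per environment

def analyse(records):
    """Return human-readable findings for CloudTrail-shaped S3 event records."""
    findings, bulk = [], Counter()
    for r in records:
        name = r["eventName"]
        who = r["userIdentity"]["arn"]
        params = r.get("requestParameters", {})
        bucket = params.get("bucketName", "?")
        if name == "PutBucketVersioning":
            # Suspending versioning removes the rollback path before objects are destroyed.
            if params.get("VersioningConfiguration", {}).get("Status") == "Suspended":
                findings.append(f"{who} suspended versioning on {bucket}")
        elif name in RISKY_CONTROL_CALLS:
            findings.append(f"{who} called {name} on {bucket}")
        elif name in BULK_CALLS:
            bulk[(who, bucket, name)] += 1
    for (who, bucket, name), n in bulk.items():
        if n >= BULK_THRESHOLD:
            findings.append(f"{who} issued {n} {name} calls against {bucket}")
    return findings

def rec(event, arn, bucket, **params):  # minimal CloudTrail-shaped record (constructed)
    return {"eventSource": "s3.amazonaws.com", "eventName": event,
            "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket, **params}}

ATTACKER = "arn:aws:iam::111111111111:user/leaked-access-key"  # constructed principal
SAMPLE_RECORDS = [
    rec("PutBucketVersioning", ATTACKER, "finance-backups",
        VersioningConfiguration={"Status": "Suspended"}),
    *[rec("DeleteObject", ATTACKER, "finance-backups", key=f"ledger-{i}.csv") for i in range(4)],
    rec("PutBucketPolicy", ATTACKER, "finance-backups"),
    # Benign baseline: a single PutObject from an application role stays below the threshold.
    rec("PutObject", "arn:aws:iam::111111111111:role/app-writer", "app-uploads", key="avatar.png"),
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_RECORDS):
        print(finding)
```

On real telemetry, feed the `Records` array of a CloudTrail log file to `analyse` and correlate the bulk counts with a time window rather than the whole file.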
ShinyHunters has claimed responsibility for a breach affecting Gainsight and potentially 200+ Salesforce customer environments, enabled by stolen OAuth tokens originally taken during the Salesloft Drift GitHub compromise earlier this year. According to the group, they maintained access for nearly three months, using the stolen OAuth tokens to quietly access Salesforce connected apps and extract large volumes of customer data.
Salesforce says it has revoked all active and refresh tokens linked to Gainsight-published applications while investigating this new wave of attacks targeting customers.
Conduct a targeted compromise assessment across Salesforce integrations.
Assume exposure if Drift or Gainsight tokens were active in the last 90 days.
CrowdStrike confirmed a malicious insider shared internal screenshots with the Scattered Lapsus$ Hunters group. No systems were breached, no customer data was exposed and the insider was quickly identified and removed.
Insider threats remain one of the hardest attack vectors to detect.
Do you have the capability to identify and remediate insider activity before it becomes a breach?