A critical Palo Alto PAN-OS zero-day is being exploited in the wild

Attackers are actively exploiting a zero-day vulnerability affecting some Palo Alto Networks’ customers’ firewalls, the security vendor said in an advisory Tuesday.

The critical memory corruption vulnerability — CVE-2026-0300 — affects the authentication portal of PAN-OS and allows unauthenticated attackers to run code with root privileges on the vendor’s PA-Series and VM-Series firewalls, the company said.

Palo Alto Networks did not say when or how it became aware of active exploitation, nor when the earliest known exploitation occurred. The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Wednesday.

The company hasn’t released a patch for the vulnerability or described the scope and objective of confirmed attacks.

“This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses. We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13,” a Palo Alto Networks spokesperson told CyberScoop.

The company said firewalls affected by the buffer-overflow vulnerability, which has a CVSS rating of 9.3, are broadly exposed in real-world deployments, and it described the attack complexity as low.

Shadowserver scans found more than 5,800 publicly exposed VM-Series firewalls running PAN-OS as of Tuesday, yet it’s unknown how many of those instances have restricted authentication access to trusted internal IP addresses or disabled the feature altogether.

“We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances. We remain committed to a transparent, security-first approach to protect our global customer base,” Palo Alto Networks’ spokesperson added.

Benjamin Harris, CEO and founder of watchTowr, noted that Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances. 

“In a bad situation, that is the best they can do immediately. However, that also alerts everyone to the existence of a vulnerability,” he told CyberScoop.

Despite the risk, Harris said watchTowr expects attacks linked to the zero-day exploit to be “very limited.” 

Palo Alto Networks and its impacted customers remain the only parties to have observed exploitation in the wild, but researchers warn that will likely change soon. 

“It’s likely rules will also start to fire in third-party organizations and honeypots shortly,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. 

“Management interfaces, login pages, and authentication portals have been common adversary targets for both opportunistic and targeted campaigns in recent years,” she added. “With researcher and community eyes on the vulnerability, it’s likely that we’ll see public exploits and broader exploitation quickly, provided the issue isn’t prohibitively difficult to exploit.”

Palo Alto Networks has yet to attribute the attacks to any known threat group, publish indicators of compromise, or disclose the types of organizations that have been targeted and impacted.

Researchers are hunting for malicious activity and advise customers to apply patches upon release.

The post A critical Palo Alto PAN-OS zero-day is being exploited in the wild appeared first on CyberScoop.

cPanel’s authentication bypass bug is being exploited in the wild, CISA warns

A severe authentication bypass vulnerability in cPanel, one of the most widely deployed web hosting control panel platforms on the internet, is being actively exploited in the wild, according to security researchers and hosting providers.

The vulnerability, tracked as CVE-2026-41940, affects all supported versions of cPanel and WebHost Manager (WHM) released after version 11.40, as well as WP Squared, a WordPress hosting management panel built on the cPanel platform. Internet scans conducted by security firm Rapid7 using the Shodan search engine identified approximately 1.5 million cPanel instances exposed online, though the precise number of vulnerable systems remains unknown.

cPanel released a patch Tuesday. By that point, exploitation had already been underway. KnownHost, a hosting provider that relies on cPanel, said earlier this week that successful exploits had been observed in the wild prior to any fix being made available. 

The Cybersecurity and Infrastructure Security Agency added the CVE to its Known Exploited Vulnerabilities (KEV) list Thursday. 

Cybersecurity firm watchTowr provided technical details in a blog post published Wednesday: The flaw stems from improper handling of user input during the login process. When a user attempts to log in, cPanel writes data from the request into a server-side session file before verifying the user’s identity. An attacker can exploit this by embedding hidden line breaks into the password field of a login request — characters cPanel fails to strip out — allowing arbitrary data to be injected directly into that file.

Through a secondary step, also involving a deliberately malformed request, the injected data gets promoted into the session’s active cache, where cPanel reads it as legitimate. Once that happens, the system sees the session as already authenticated and skips password verification entirely, granting access without ever checking the user’s actual credentials.

cPanel has published a detection script designed to scan session files for indicators of compromise, including sessions that contain injected authentication timestamps, pre-authentication sessions with authenticated attributes, and password fields containing embedded newlines. watchTowr separately released a “Detection Artifact Generator” that administrators can use to verify whether their instances remain vulnerable.

Namecheap, a major domain registrar and hosting provider, took the step of temporarily blocking connections to cPanel and WHM ports 2083 and 2087 ahead of patch availability, citing the need to protect customers while an official fix was pending. The company began applying the patch after cPanel’s release earlier this week.

cPanel’s patched releases address the issue across seven version branches, from 11.110.0 through 11.136.0, as well as WP Squared version 11.136.1. The company’s advisory notes that the fix ensures potentially dangerous input is scrubbed automatically within the core session-saving process, rather than depending on each individual part of the codebase to do so separately. The patch also adds handling for cases where a per-session encryption key is missing, a condition the original code failed to account for and that attackers were able to exploit to bypass password encoding entirely.
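As an added, constructed model of the failure mode, detection indicators and fix described in the preceding paragraphs (not cPanel’s code, file format or field names): a writer that persists pre-authentication request data without neutralising line breaks and stores the password raw when the per-session key is missing, the hardened writer that scrubs inside the core save routine and refuses the missing-key case, and a scan for the two file-level indicators the detection script looks for. The `key=value` layout, the `stage`/`authenticated`/`auth_time` fields and the base64 stand-in for password encoding are all assumptions of this example.

```python
"""Constructed model of a newline-injection weakness in a line-oriented
session store: vulnerable writer, hardened writer, and detection scan.
Format, field names and the base64 'encoding' are hypothetical."""
import base64
import re
from typing import Dict, List, Optional

# Constructed attribute names that mark a session as authenticated.
AUTH_MARKERS = ("authenticated", "auth_time")
_LINE_BREAK = re.compile(r"[\r\n]")


def encode_password(password: str, session_key: Optional[str]) -> str:
    """Stand-in for per-session password encoding (base64 as a placeholder).
    Returns the password verbatim when no key exists, which is the
    unhandled condition the fix described above had to add."""
    if session_key is None:
        return password
    return base64.b64encode(password.encode()).decode()


def write_session_vulnerable(user: str, password: str,
                             session_key: Optional[str]) -> str:
    """Pre-auth session write with no scrubbing. A value containing a line
    break ends its line early, and whatever follows is parsed back as a
    separate key=value pair on the next load."""
    fields = {"stage": "preauth", "user": user,
              "pass": encode_password(password, session_key)}
    return "".join(f"{k}={v}\n" for k, v in fields.items())


def _scrub(value: str) -> str:
    return _LINE_BREAK.sub("", value)


def write_session_hardened(user: str, password: str,
                           session_key: Optional[str]) -> str:
    """Scrubs CR/LF from every key and value inside the core writer, so no
    individual caller has to remember to do it, and refuses to persist
    credentials when the per-session key is absent instead of falling
    back to storing them raw."""
    if session_key is None:
        raise ValueError("no per-session key; refusing to save credentials")
    fields = {"stage": "preauth", "user": _scrub(user),
              "pass": encode_password(_scrub(password), session_key)}
    return "".join(f"{_scrub(k)}={_scrub(v)}\n" for k, v in fields.items())


def load_session(text: str) -> Dict[str, str]:
    """Parse key=value lines; later duplicates win, as a naive loader would."""
    session: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            session[key] = value
    return session


def is_authenticated(session: Dict[str, str]) -> bool:
    """What a login flow that trusts the cached session would check."""
    return any(session.get(marker) for marker in AUTH_MARKERS)


def scan_session(text: str, session_key: Optional[str]) -> List[str]:
    """Report the indicators the text describes: a pre-authentication
    session carrying authenticated attributes, and a stored password
    whose decoded value contains a line break."""
    findings: List[str] = []
    session = load_session(text)
    if session.get("stage") == "preauth" and is_authenticated(session):
        findings.append("pre-auth session carries authenticated attribute")
    if session_key is not None:
        try:
            raw = base64.b64decode(session.get("pass", ""),
                                   validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            raw = ""
        if _LINE_BREAK.search(raw):
            findings.append("password field contains embedded line break")
    return findings


if __name__ == "__main__":
    crafted = "pw\nauthenticated=1"  # constructed malicious value
    # Missing key: the raw value is written and the extra line is read
    # back as a real attribute, so the session looks logged in.
    leaked = write_session_vulnerable("alice", crafted, None)
    print(is_authenticated(load_session(leaked)), scan_session(leaked, None))
    # Key present: encoding hides the break from the parser, but the scan
    # still surfaces the attempt.
    encoded = write_session_vulnerable("alice", crafted, "k1")
    print(is_authenticated(load_session(encoded)), scan_session(encoded, "k1"))
    safe = write_session_hardened("alice", crafted, "k1")
    print(is_authenticated(load_session(safe)), scan_session(safe, "k1"))
```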

The CVE has been given a 9.8 on the CVSS scale. 

Fortinet customers confront actively exploited zero-day, with a full patch still pending

Fortinet released an emergency software update over the weekend to address an actively exploited vulnerability in FortiClient EMS, an endpoint management tool for customer devices.

The zero-day vulnerability — CVE-2026-35616 — has a CVSS rating of 9.8 and was added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerability catalog Monday. 

Fortinet said in a Saturday security advisory that it has seen the vulnerability being actively exploited in the wild. The company issued a hotfix and plans to release a more comprehensive software update later, though that update is not yet available.

The security vendor did not say when the earliest known exploit occurred nor how many instances have already been impacted. 

Unknown attackers were first observed attempting to exploit the vulnerability March 31, Benjamin Harris, founder and CEO at watchTowr, told CyberScoop. 

“Exploitation attempts and probes were initially limited, reflecting typical attacker desire to try and keep usage of a zero-day from discovery and observation,” he added. “As of April 6, given attention and Fortinet issuing a hotfix, exploitation has ramped up, indicating growing attacker interest and likely broader targeting.”

Shadowserver scans found nearly 2,000 publicly exposed instances of FortiClient EMS on Sunday. It’s unclear how many of those instances are running vulnerable versions of the software.

The recently discovered zero-day shares similarities with CVE-2026-21643, another unauthenticated FortiClient EMS defect that Fortinet disclosed Feb. 6. The vendor and cyber authorities last week warned that CVE-2026-21643 has been exploited in the wild. 

Researchers have yet to find any significant link between the vulnerabilities or attribute the attacks to known threat actors, but both defects were actively exploited in a short timeframe and both allow attackers to execute code remotely. 

“Fortinet solutions are popular targets for threat actors generally, so exploitation isn’t necessarily surprising,” said Caitlin Condon, vice president of security research at VulnCheck.

CISA has added 10 Fortinet defects to its known exploited vulnerabilities catalog since early 2025. 

While there is no full patch for CVE-2026-35616, Harris credited Fortinet for rushing out a hotfix over a holiday weekend, adding that it reflects how urgently the company is treating the matter. 

“The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” he said. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”

A Fortinet spokesperson said response and remediation efforts are ongoing and the company is communicating directly with customers to advise on necessary actions.

“The best time to apply the hotfix was yesterday,” Harris said. “The second-best time is right now.”

Ivanti’s EPMM is under active attack, thanks to two critical zero-days

Attackers are again focusing on a familiar target in the network edge space, actively exploiting two critical zero-day vulnerabilities in Ivanti software that allows administrators to set mobile device and application controls. 

The vulnerabilities — CVE-2026-1281 and CVE-2026-1340 — each carry a CVSS rating of 9.8 and allow unauthenticated users to execute code remotely in Ivanti Endpoint Manager Mobile (EPMM). Ivanti did not say when the earliest known date of exploitation occurred but warned that a “very limited number of customers” were attacked before it disclosed and addressed the defects Thursday.

Ivanti’s post-attack warning is a familiar experience for its customers, once again involving highly destructive defects in its code that attackers exploited before the vendor caught or fixed the errors.

The Cybersecurity and Infrastructure Security Agency has flagged 31 Ivanti defects on its known exploited vulnerabilities catalog since late 2021. At least 19 defects across Ivanti products have been exploited in the past two years. 

The agency added CVE-2026-1281 to the catalog Thursday, but not CVE-2026-1340. Both defects have been exploited, according to watchTowr. Yet, a spokesperson for Ivanti said the vulnerabilities have not been chained together for exploitation.

The latest code-injection vulnerabilities demonstrate attackers are focusing on EPMM in particular of late. Ivanti disclosed a separate pair of vulnerabilities in the same product in May 2025. 

Ivanti declined to say how many customers have been impacted by the recent zero-day attacks, but researchers warn a recurring pattern is emerging with mass exploitation observed shortly after public disclosure and the release of exploit code.

“This started as tightly scoped zero-day exploitation,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told CyberScoop. “It has since devolved into global mass exploitation by a wide mix of opportunistic actors. That arc is depressingly predictable.”

Shadowserver said it observed a spike in CVE-2026-1281 exploitation attempts from at least 13 source IPs by Saturday. More than 1,400 instances of Ivanti EPMM are still exposed to the internet, according to Shadowserver scans, but it’s unknown how many of those are vulnerable or already compromised. 

“It’s important to remember that exposure does not equal exploitation,” Dewhurst said. “But any organization exposing vulnerable instances to the internet must consider them compromised, tear down infrastructure and instigate incident response processes.”

Ivanti advised all on-premises EPMM customers to apply the patch, but warned that the patch script is temporary and will be overridden when customers upgrade to a new software version. The software package that addresses the defects “takes only seconds to apply, does not cause downtime and significantly increases adoption and protection rates for customers,” a company spokesperson said.

Ivanti said it will issue a permanent fix for the vulnerabilities in a future update that it plans to release by April.

The new Ivanti zero-days share many similarities to previous EPMM vulnerabilities, said Ryan Emmons, staff security researcher at Rapid7. “The line between attacker input and trusted code is blurred, resulting in the ability to execute malicious payloads.”

Remotely exploitable vulnerabilities in network edge devices are an appealing and effective attack vector for hackers looking to break into targeted networks. Multiple threat groups last year, including some linked to China, exploited another zero-day defect in Ivanti EPMM — CVE-2025-4428 — and a string of vulnerabilities in other Ivanti products.

“State-sponsored adversaries have generally made strong use of remotely exploitable vulnerabilities in Ivanti kit, which isn’t surprising,” said Caitlin Condon, vice president of security research at VulnCheck.

The latest actively exploited defects affecting Ivanti products reflect a continuation of a years-long battle between the vendor and threat groups that poses a consistent risk for customers. 

Some security researchers are more inclined to pin the blame for this sustained security problem on Ivanti itself, yet there is broad agreement these vulnerabilities were not easy for the company to discover prior to exploitation. 

Emmons described the defects as nuanced with an odd path to code injection. “With these vulnerable code patterns now known, the vendor’s security teams can more effectively hunt for these sorts of bugs in the future,” he added.

Dewhurst concurred the vulnerabilities were not easy to spot, but said that does not excuse the outcome. “Defensive engineering needs to assume attackers will find the non-obvious paths eventually, because they always do,” he said. 

Ivanti’s spokesperson said these types of vulnerabilities are difficult to find, and insisted the company’s security and engineering teams acted quickly to address the defects once they were identified.

Fortinet’s latest zero-day vulnerability carries frustrating familiarities for customers

Fortinet customers are confronting another actively exploited zero-day vulnerability that allows attackers to bypass authentication in the single sign-on flow for FortiCloud and gain privileged access to multiple Fortinet firewall products and related services.

The vendor issued a security advisory for the vulnerability — CVE-2026-24858 — warning that some instances of exploitation already occurred earlier this month. Fortinet has yet to release patches to address the critical vulnerability across multiple versions of its products, including FortiAnalyzer, FortiManager, FortiOS, FortiProxy and FortiWeb.

Defects in Fortinet products are a recurring problem for the vendor’s customers and defenders, making 24 appearances on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021. One-third of those vulnerabilities made the list last year and 13 are known to be used in ransomware campaigns.

The agency added the latest Fortinet defect, which has a CVSS rating of 9.8, to its known exploited vulnerabilities catalog Tuesday and shared Fortinet’s guidance in a subsequent alert Wednesday.

The vulnerability, which allows attackers with a FortiCloud account and a registered device to log into devices registered to other accounts, was exploited by two malicious FortiCloud accounts that Fortinet said it blocked Jan. 22. Attackers have reconfigured firewall settings on FortiGate devices, created unauthorized accounts and changed virtual private network configurations to gain access to new accounts.

The vendor said it disabled FortiCloud SSO Monday and re-enabled the service Tuesday with controls in place to prevent logins to devices running vulnerable software versions.

Fortinet’s advisory brings some clarity and raises new questions for defenders and researchers who have encountered problems on Fortinet devices since December. The vendor disclosed a pair of similar critical authentication bypass vulnerabilities Dec. 9, including CVE-2025-59718, which has also been actively exploited.

Arctic Wolf said it observed a new cluster of unauthorized firewall configuration changes on FortiGate devices Jan. 15 that bore similarities to previous attacks linked to CVE-2025-59718 in December. Fortinet hasn’t explained the extent to which the defects are related or if the new flaw represents a bypass of the previous patches, but it has confirmed that customers running versions released in December are vulnerable to CVE-2026-24858.

Fortinet did not respond to a request for comment. Carl Windsor, the company’s chief information security officer, shared recommended mitigation steps and indicators of compromise in a blog post.

Researchers have yet to determine how many customers are impacted by CVE-2026-24858 exploits, but the scope of potential victims is broad and global. Shadowserver scans show nearly 10,000 Fortinet instances with FortiCloud SSO enabled, roughly one-fourth of them based in the United States.

Ben Harris, founder and CEO at watchTowr, said the company’s exposure management platform is observing active probing for devices with FortiCloud SSO enabled, but the broader impact is still unknown. 

“There are those that know they’re affected, and likely a number that are unaware,” he told CyberScoop. “Regardless, those that keep a bingo card for ‘yet another year of depressingly predictable vulnerabilities’ have likely crossed off ‘full authentication bypass against a management interface’ already in 2026.”

Arctic Wolf researchers said they haven’t seen evidence of new exploitation since Jan. 21, adding that attacks appear to be limited to instances where management interfaces of vulnerable devices were publicly exposed to the internet. 

Vulnerabilities in network devices from multiple vendors have been exploited for initial access at a high rate, especially in ransomware attacks, researchers at Arctic Wolf said. “While it is vitally important to keep up to date on firmware updates, security best practices should be followed to limit the potential impact of this vulnerability and similar flaws in the future.”

While defenders have grown accustomed to a steady amount of Fortinet vulnerabilities, that experience has fueled a mounting sense of frustration. 

Joe Toomey, vice president of underwriting security at Coalition, took to LinkedIn Wednesday to criticize Fortinet’s inability to thwart or reduce the number of actively exploited vulnerabilities affecting its products.

Fortinet’s latest defect marks the 14th time Coalition has sent zero-day advisories about critical Fortinet vulnerabilities to its policyholders in less than four years. Fortinet products account for more than 7% of the collective 180 zero-day advisories Coalition sent to policyholders since 2023, Toomey said in his blog post.

“All of which makes one begin to wonder if Fortinet is really taking security seriously,” he added.

Harris commended Fortinet for its transparency, adding that the vendor has clearly outlined its response and actions taken to address the vulnerability, some of which remains unfinished. 

Yet, he added: “As we’ve seen now for years, Fortinet and the ‘Fast & Furious’ franchise are apparently competing for the amount of sagas we can fit into one year. It’s unclear who will win.”

Attackers hit React defect as researchers quibble over proof

Attackers of different origins and motivations swiftly exploited a critical vulnerability dubbed React2Shell, affecting React Server Components shortly after Meta and the React team publicly disclosed the flaw with a patch Wednesday. 

Multiple security firms are responding to active exploitation in the wild even as a flurry of reports concludes the malicious activity is limited to scanning and attempts rather than actual attacks. Yet, official word from the Cybersecurity and Infrastructure Security Agency is clear — the agency added CVE-2025-55182 to its known exploited vulnerabilities catalog Friday.

Reaction to the deserialization vulnerability, which has a CVSS rating of 10 and allows unauthenticated attackers to achieve remote-code execution, has revealed a chasm in the cybersecurity research community. Threat analysts are mostly growing more concerned about downstream impacts, but some are urging defenders to respond with less urgency and more restraint.

A debate over actual exploitation is muddying response efforts as some researchers say they’ve observed working proof of concepts and others assert legitimate PoCs are lacking. Nonetheless, real organizations have been impacted by attacks, according to multiple researchers investigating the fallout. 

Palo Alto Networks’ incident response firm Unit 42, watchTowr and Wiz told CyberScoop they’ve observed successful exploitation and follow-on malicious activity.

As of late Friday, Unit 42 has confirmed more than 30 organizations across various sectors are impacted. 

“Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015, also known as UNC5174, a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security,” said Justin Moore, senior manager of threat intel research at Unit 42. 

“In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015,” he added. 

More broadly, Moore said Unit 42 has “observed scanning for vulnerable remote-code execution, reconnaissance activity, attempted theft of Amazon Web Services configuration and credential files, as well as installation of downloaders to retrieve payloads from attacker command and control infrastructure.”

Ben Harris, CEO and founder of watchTowr, said his team has observed indiscriminate exploitation, describing the malicious activity as rapid and prolific.

“Post-exploitation we’ve seen everything from basic extraction of credentials through to webshell deployments as a stepping stone to further activities,” Harris said. 

Multiple Wiz customer environments have been impacted by successful exploitation as well, according to Amitai Cohen, the company’s threat vector intel lead. 

“So far, we’ve observed deployments of cryptojacking malware and attempts to extract cloud credentials from compromised machines,” he said. “These early-stage activities are consistent with common post-exploitation objectives like resource hijacking and establishing further access.”

Researchers from multiple firms said attempted and successful exploitation has increased following the release of public PoCs. The potential scope of impact is significant, as 39% of cloud environments contain instances of React or Next.js, a separate open-source library that depends on React Server Components, running versions vulnerable to CVE-2025-55182, according to Wiz Research.

“The Next.js framework itself is present in 69% of environments, and 44% of all cloud environments have publicly exposed Next.js instances — regardless of the version running,” Cohen said.

Further complicating matters, Vercel, the company behind Next.js, disclosed and issued a patch Wednesday for its own maximum-severity vulnerability — CVE-2025-66478 — but the CVE was rejected because it’s a duplicate of the React defect, the root cause. 

Multiple threat groups are mobilizing resources to exploit the vulnerability for various objectives. 

“There are remote-code execution PoCs around now. It’s definitely already started, which means ransomware gangs follow. They don’t ignore opportunities for money,” Harris said.

Within hours of the public disclosure of the vulnerability, “Amazon threat intelligence teams observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda,” CJ Moses, chief information security officer of Amazon Integrated Security, said in a blog post Thursday.

Unit 42 said it, too, is tracking attempted exploitation from several possible China-linked threat actors and cybercriminals. 

Automated, opportunistic exploitation attempts based on a publicly released PoC have been widespread, said Noah Stone, head of content at GreyNoise Intelligence. The firm’s sensors have captured malicious traffic originating from infrastructure in China, Hong Kong, the United States, Japan and Singapore targeting services based in the United States, Pakistan, India, Singapore and the United Kingdom, he said. 

VulnCheck’s decoy systems, which act as an early warning sign of vulnerability exploitation, have also observed exploitative scanning, said Caitlin Condon, the company’s vice president of research. “VulnCheck has been looking at patch rates on exposed Next.js apps, and we didn’t see a lot of patched systems,” she added.

Patching and mitigating the vulnerability isn’t without risk, either. Cloudflare said it experienced a temporary outage that was triggered by changes it made to its body parsing logic to detect and mitigate the vulnerability Friday.

As security researchers debate the viability of PoCs for the React vulnerability and visibility into actual attacks differs across the community, there’s no doubt the defect, which affects one of the most extensively used application frameworks, has captured sweeping interest and attention.

“This whole story is wild,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative. “This has been a real rollercoaster.”

Developers scramble as critical React flaw threatens major apps

Security researchers and code developers are scrambling to patch and investigate a critical vulnerability affecting React Server Components, an open-source library used widely across the internet and embedded into many essential software frameworks.

The rapid response underscores the potential consequences of exploitation. Although no attacks have been observed or reported, researchers expect them soon and are urgently mobilizing resources to address the defect.

The vulnerability — CVE-2025-55182 — was discovered by Lachlan Davidson, a developer and lead of security innovation at Carapace, and reported to Meta on Saturday. Meta and the React team created a patch and worked with affected hosting providers to address the defect Monday before the public disclosure on Wednesday.

“The reason there’s been such a measured response to this vulnerability is because exploitation is inevitable,” Ben Harris, CEO and founder of watchTowr, told CyberScoop. “We should be expecting attackers to start exploiting this vulnerability truly imminently.” 

React is one of the most extensively used application frameworks, putting large swaths of web applications at risk. “Our data shows that these libraries can be found in vulnerable versions in around 39% of cloud environments,” said Amitai Cohen, threat vector intel lead at Wiz.

Researchers warn that exploitation of the deserialization defect is trivial and allows unauthenticated attackers to achieve remote code execution in default configurations, enabling privilege escalation or pivots into other parts of a network. “The impact on the resources stored on that system could be devastating should things like access keys or other secrets or sensitive information be present,” said Stephen Fewer, senior principal researcher at Rapid7.

Prior to public disclosure, security researchers from Meta, which initially created and maintained React before moving the open-source library to the React Foundation in October, worked behind the scenes to notify affected organizations of the defect and shared temporary steps for mitigation such as web application firewall rules.

“While we are actively investigating and have no evidence that this vulnerability has been exploited at this time, we want to make all developers aware of this issue so they can implement the appropriate mitigations quickly,” a Meta spokesperson said in a statement.

The vulnerability affects multiple React frameworks and bundlers, including Next.js, React Router, Waku, Parcel RSC plugin, Vite RSC plugin, RedwoodJS and likely others that haven’t been identified yet, according to researchers. Vercel, the company behind Next.js, disclosed and issued a patch for its own maximum-severity vulnerability — CVE-2025-66478 — due to its dependency on React Server Components. 

Researchers from Wiz, Rapid7, watchTowr and other security firms warned that ensuing fallout from other frameworks or libraries that depend on React Server Components is likely, and long-tail impacts will persist in environments that are less maintained or difficult to update.

It’s unclear why Vercel assigned a separate CVE for Next.js since the upstream defect in React, CVE-2025-55182, is the root cause, but the vendor could be tracking impact on its own product, Fewer said. “It should not be necessary to assign a new CVE for each React-dependent framework, so long as the root cause remains the same as the original CVE-2025-55182 issue,” he added.

Cale Black, senior researcher at VulnCheck, said upstream dependency vulnerabilities tend to be handled on a per-project basis. “Projects with more mature security processes will release their own remediation guidance, and potentially over CVEs,” he said.

Meanwhile, threat hunters are steeling themselves for active exploitation and expect technical details and exploit code to be publicly available shortly. 

“With the entire internet looking at a solution that’s used everywhere to understand this vulnerability, someone will figure it out,” Harris said. “I have no doubt that by tomorrow morning, when I wake up, there will be easily one, if not more ways to reproduce this vulnerability.”

Fortinet’s delayed alert on actively exploited defect put defenders at a disadvantage

Federal authorities and researchers alerted organizations Friday to a massively exploited vulnerability in Fortinet’s web application firewall. 

While the actively exploited critical defect poses significant risk to Fortinet’s customers, researchers are particularly agitated about the vendor’s delayed communications and, ultimately, post-exploitation warnings about the vulnerability.

Fortinet addressed CVE-2025-64446 in a software update pushed Oct. 28, but did not assign the flaw a CVE or publicly disclose its existence until last week — 17 days later — when the company also confirmed the vulnerability has been exploited in the wild.

By then, for some Fortinet customers, especially those that hadn’t updated to FortiWeb 8.0.2, it was too late. The path-traversal defect in FortiWeb, which has a CVSS rating of 9.8, allows attackers to execute administrative commands resulting in a complete takeover of the compromised device.

Threat researchers from multiple firms, computer emergency response teams and the Cybersecurity and Infrastructure Security Agency issued warnings Friday, some including details about extensive attacks linked to the defect. CISA also issued an alert and added the flaw to its known exploited vulnerabilities catalog the same day, requiring federal agencies to address the vulnerability within an unusually short deadline of seven days.

A Fortinet spokesperson said the vendor’s product security incident response team began addressing the vulnerability as soon as it learned of the defect, and those efforts remain underway. “Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency,” the spokesperson said in a statement. 

“With that goal and principle top of mind, we are communicating directly with affected customers to advise on any necessary recommended actions,” the spokesperson added.

Threat researchers at Defused first spotted the vulnerability and published a proof-of-concept exploit they detected Oct. 6. Researchers at watchTowr published technical analysis of the exploit and released a tool to help organizations hunt for potentially vulnerable hosts in their environments.

“Attacks have been widespread and indiscriminate according to shared evidence since at least early October — long before the industry was able to pull the fire alarm, and arguably exacerbated by the silence from Fortinet,” Ben Harris, founder and CEO at watchTowr, told CyberScoop.

Researchers haven’t identified or named victims yet, but attackers are exploiting the vulnerability to add new administrative accounts, likely achieving persistent privileged access on compromised devices. Threat hunters have not attributed the attacks to any cybercrime outfit, place of origin or motivation.

“Fortinet’s silent patching of the vulnerability — intentional or not — likely led many users not to apply the patch that actually fixed the vulnerability,” Harris said. “FortiWeb customers weren’t told about the critical, immediate risk of not applying these patches. Had they known, they would have likely updated right away. Now, anyone who didn’t patch is likely compromised.”

Information vacuum left researchers scrambling

The vulnerability falls under a gray area of definition — a less-important detail but one that underscores the difficulties third-party researchers confronted in mounting a proper and informed response. 

“Unless Fortinet is now fixing vulnerabilities by accident, by definition, it isn’t a zero-day, it’s a silently patched vulnerability and thus an n-day,” Harris said.

Yet, from a defender’s perspective this vulnerability functionally behaved as a zero-day, said Ryan Emmons, security researcher at Rapid7. “It was being exploited before customers had any formal awareness, guidance or patch information.”

Fortinet’s release notes for FortiWeb 8.0.2 don’t include any reference to specific vulnerabilities. 

“The challenge is that the security community builds its understanding through shared signals like public advisories, CVE assignments, behavioral descriptions, and clear remediation instructions. When those signals arrive late or in fragments, it slows the ability of researchers, vendors, and defenders to triangulate what’s actually happening,” Emmons said. 

“Attackers often have first-mover advantage, and defenders rely heavily on vendor transparency and cooperative industry coordination,” Emmons added. “When a vendor has knowledge of product flaws and a patch is published, it’s imperative that defenders are given a heads-up notice with as much actionable information as possible. Obscurity hurts defenders more than it impedes attackers.”

Researchers resoundingly criticized Fortinet for delaying its public disclosure of the vulnerability and a lack of urgency until active exploitation was already underway.

Fortinet’s belated CVE assignment compounded problems for defenders. “In the dark, information is scarce and delays are inherent, as defenders burn cycles trying to figure out what’s even going on,” Emmons said. “This gives attackers a much stronger position.”

Security teams are already inundated with vulnerability patches. Not only is it infeasible for them to address every defect and software update immediately; there is also an operational risk to weigh, because patches can break critical processes and integrations.

“Many organizations, following standard change-control processes, understandably delayed patching. Meanwhile, it’s possible that Fortinet itself was unaware of the full severity of the issue and silently patched a flaw without realizing the risk it posed,” Harris said. “This combination left defenders at a disadvantage from the start.”

The post Fortinet’s delayed alert on actively exploited defect put defenders at a disadvantage appeared first on CyberScoop.
