Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations.

Pre-attack surveillance and planning leaves a lot of noise in its wake. These signals — particularly spikes in traffic that are hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release. 

Roughly half of every activity surge GreyNoise detected during a 103-day study last winter was followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report.

Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.

“Virtually every time we see large scale spikes in reconnaissance and inventory activity looking for a certain device, it’s because somebody knows about a vulnerability,” Andrew Morris, founder and chief architect at GreyNoise, told CyberScoop.

“Within a few days or weeks — usually within the responsible disclosure timeline — a new very bad vulnerability comes out,” he added.

GreyNoise insists that every day of advance notice matters, giving defenders an opportunity to defend against and thwart potential attacks before they occur. 

The real-time network edge scanning platform spotted 104 distinct activity surges across 18 vendors during its study period. These embedded systems, including routers, VPNs, firewalls and other security systems, consistently account for the most commonly exploited vulnerabilities.

“Attackers love hacking security devices like security appliances. The irony of that is just not lost on me at all,” Morris said.

“It hasn’t gotten bad enough for us to start taking the security of these devices seriously,” he added. “It’s not bad enough for us to take it seriously enough to start ripping these things out and replacing them with new devices or new vendors.”

GreyNoise linked traffic surges to a swarm of vulnerabilities disclosed by vendors across the market, including Cisco, Palo Alto Networks, Fortinet, Ivanti, HPE, MicroTik, TP-Link, VMware, Juniper, F5, Netgear and others.

“It’s becoming scientifically empirical, and it’s becoming more like meteorology than mysticism,” Morris said. “This is like clockwork now.”

GreyNoise breaks these traffic surges down to measure intensity and breadth. Session counts indicate how hard existing sources are hammering a specific vendor and unique source IP counts demonstrate how widely new infrastructure is joining the activity, researchers wrote in the report.

“When both the intensity and breadth of targeting increase simultaneously, it signals a coordinated escalation,” the report said. 

“When you see a session spike against one of your vendors and new source IPs joining at the same time, treat it as a high-confidence reason to look harder. When you see only an IP spike, do not assume a vulnerability is coming,” researchers added. 

The study bolsters other research from Verizon, Google Threat Intelligence Group and Mandiant — landing during what GreyNoise calls “the most aggressive period of edge device exploitation on record.”

This activity doesn’t happen in a vacuum and threat groups aren’t flooding edge devices with traffic for free or for fun, according to Morris.

“People tend to treat internet background noise like it’s this unexplainable phenomenon,” he said. “They’re clearly trying to test the existence of a vulnerability in order to compromise the systems.”

The post Network ‘background noise’ may predict the next big edge-device vulnerability appeared first on CyberScoop.

The improper access control bug in FortiClient EMS allows unauthenticated attackers to execute arbitrary code remotely.

The post Fortinet Rushes Emergency Fixes for Exploited Zero-Day appeared first on SecurityWeek.

Fortinet released an emergency software update over the weekend to address an actively exploited vulnerability in FortiClient EMS, an endpoint management tool for customer devices.

The zero-day vulnerability — CVE-2026-35616 — has a CVSS rating of 9.8 and was added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerability catalog Monday. 

Fortinet said in a Saturday security advisory that it has seen the vulnerability being actively exploited in the wild.  The company issued a hotfix and plans to release a more comprehensive software update later, though that update is not yet available.

The security vendor did not say when the earliest known exploit occurred nor how many instances have already been impacted. 

Unknown attackers were first observed attempting to exploit the vulnerability March 31, Benjamin Harris, founder and CEO at watchTowr, told CyberScoop. 

“Exploitation attempts and probes were initially limited, reflecting typical attacker desire to try and keep usage of a zero-day from discovery and observation,” he added. “As of April 6, given attention and Fortinet issuing a hotfix, exploitation has ramped up, indicating growing attacker interest and likely broader targeting.”

Shadowserver scans found nearly 2,000 publicly exposed instances of FortiClient EMS on Sunday. It’s unclear how many of those instances are running vulnerable versions of the software.

The recently discovered zero-day shares similarities with CVE-2026-21643, another unauthenticated FortiClient EMS defect that Fortinet disclosed Feb. 6. The vendor and cyber authorities last week warned that CVE-2026-21643 has been exploited in the wild. 

Researchers have yet to find any significant link between the vulnerabilities or attribute the attacks to known threat actors, but both defects were actively exploited in a short timeframe and both allow attackers to execute code remotely. 

“Fortinet solutions are popular targets for threat actors generally, so exploitation isn’t necessarily surprising,” said Caitlin Condon, vice president of security research at VulnCheck.

CISA has added 10 Fortinet defects to its known exploited vulnerabilities catalog since early 2025. 

While there is no full patch for CVE-2026-35616, Harris credited Fortinet for rushing out a hotfix over a holiday weekend, adding that it reflects how urgently the company is treating the matter. 

“The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” he said. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”

A Fortinet spokesperson said response and remediation efforts are ongoing and the company is communicating directly with customers to advise on necessary actions.

“The best time to apply the hotfix was yesterday,” Harris said. “The second-best time is right now.”

The post Fortinet customers confront actively exploited zero-day, with a full patch still pending appeared first on CyberScoop.

The SQL injection vulnerability allows unauthenticated attackers to execute arbitrary code remotely, via crafted HTTP requests.

The post Exploitation of Critical Fortinet FortiClient EMS Flaw Begins appeared first on SecurityWeek.

Would-be attackers spent 2025 swimming in a sea of more than 40,000 newly published vulnerabilities, VulnCheck said in a report released Wednesday, but only 1% of those defects, just 422, were exploited in the wild.

As the deluge of vulnerabilities grows every year, and CVSS ratings lose significance for vulnerability management prioritization, some defenders are turning to research on known exploited vulnerabilities to narrow their scope of work and place more emphasis on verified risks. 

“The growth in CVE volume is ludicrous, not necessarily unfounded, but it’s large. Defenders don’t know what to pay attention to,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. “Prioritization is still a huge problem.”

Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, Condon added. “The indicators of risk that used to be semi reliable, now no longer are.”

The technologies exploited by attackers are developed and sold by many repeat offenders. Some of the vendors on VulnCheck’s list of the most routinely targeted vulnerabilities enjoy large market shares.

Other vendors, especially those in network edge device space, have been inundated with malicious activity for years and remain the preferred intrusion point for all attacks.

Network edge devices were responsible for 191 of the 672 products impacted by new known exploited vulnerabilities last year, representing 28% of the top targeted technologies in 2025, according to VulnCheck. 

“Anything that’s in that position of being at the network edge, guarding access to corporate networks, often in a privileged place for secure communication,” is naturally a large target, Condon said. 

This problem is exacerbated by the fact many network devices are running on code bases that haven’t been radically changed in about a decade. Meanwhile, attackers have copies of that software and use fully automated analysis pipelines to quickly identify new vulnerabilities.

“Threat actors are much more organized presently than we all collectively are on defense,” Condon said. Defenders have to assume there’s going to be a new zero-day in any network edge device at any time, and patches will be reversed for exploit development in short order, she added.

Each of the top 50 vulnerabilities VulnCheck flagged in its report were exploited in the wild last year with at least 20 working public exploits, attacks originating from at least two state-sponsored or cybercrime threat groups. The top exploited vulnerabilities were also linked to least one ransomware variant and appeared in at least two instances of known botnet activity.

Four of the 10 most routinely targeted vulnerabilities last year — CVE-2025-53770 and CVE-2025-53771, which are variants of previously disclosed vulnerabilities CVE-2025-49706 and CVE-2025-49704 — were contained in Microsoft SharePoint. All four of the zero-day vulnerabilities were exploited en masse and initially compromised more than 400 organizations, including the Departments of Energy, Homeland Security and Health and Human Services.

VulnCheck confirmed a combined 69 known exploits for the quartet of SharePoint vulnerabilities. Researchers attributed the exploited vulnerabilities to a collective 29 threat groups and 18 ransomware variants, yet the attackers involved likely targeted more than one of the zero-days, resulting in some overlap.

Microsoft topped the list with nine of the 50 routinely targeted vulnerabilities appearing in its products last year. Ivanti was responsible for five, or 10% of the most targeted vulnerabilities last year. Fortinet ranked third on VulnCheck’s list with four vulnerabilities, followed by VMware with three, while SonicWall and Oracle each ranked high on the list with two exploited defects. 

The most targeted vulnerability of 2025 belongs to React2Shell, a maximum-severity defect in React Server Components that racked up 236 valid public exploits before the end of the year, less than a month after it was publicly disclosed by Meta and React. 

More than 200 of those public exploits were validated by VulnCheck by mid-December, as Palo Alto Networks Unit 42 confirmed more than 60 organizations were impacted by an initial wave of attacks.

VulnCheck’s research underscores that technology, ultimately in all of its forms, is the problem. 

“We are at a point here where we’re not talking about a single vendor or technology. We are talking about writ large, we are getting creamed. We’ve got to start assessing ruthlessly and immediately how technology needs to evolve to be more resilient to these attacks over the long term,” Condon said. 

“We need to start being much more realistic about the state of our tech and what that means for cybersecurity.”

The post Vulnerabilities grew like weeds in 2025, but only 1% were weaponized in attacks appeared first on CyberScoop.

Fortinet customers are confronting another actively exploited zero-day vulnerability that allows attackers to bypass authentication in the single sign-on flow for FortiCloud and gain privileged access to multiple Fortinet firewall products and related services.

The vendor issued a security advisory for the vulnerability — CVE-2026-24858 — warning that some instances of exploitation already occurred earlier this month. Fortinet has yet to release patches to address the critical vulnerability across multiple versions of its products, including FortiAnalyzer, FortiManager, FortiOS, FortiProxy and FortiWeb.

Defects in Fortinet products are a recurring problem for the vendor’s customers and defenders, making 24 appearances on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021. One-third of those vulnerabilities made the list last year and 13 are known to be used in ransomware campaigns.

The agency added the latest Fortinet defect, which has a CVSS rating of 9.8, to its known exploited vulnerabilities catalog Tuesday and shared Fortinet’s guidance in a subsequent alert Wednesday.

The vulnerability, which allows attackers with a FortiCloud account and a registered device to log into devices registered to other accounts, was exploited by two malicious FortiCloud accounts that Fortinet said it blocked Jan. 22. Attackers have reconfigured firewall settings on FortiGate devices, created unauthorized accounts and changed virtual private network configurations to gain access to new accounts.

The vendor said it disabled FortiCloud SSO Monday and re-enabled the service Tuesday with controls in place to prevent logins to devices running vulnerable software versions.

Fortinet’s advisory brings some clarity and raises new questions for defenders and researchers that have encountered problems on Fortinet devices since December. The vendor disclosed a pair of similar critical authentication bypass vulnerabilities Dec. 9, including CVE-2025-59718, which has also been actively exploited.

Arctic Wolf said it observed a new cluster of unauthorized firewall configuration changes on FortiGate devices Jan. 15 that bore similarities to previous attacks linked to CVE-2025-59718 in December. Fortinet hasn’t explained the extent to which the defects are related or if the new flaw represents a bypass of the previous patches, but it has confirmed that customers running versions released in December are vulnerable to CVE-2026-24858.

Fortinet did not respond to a request for comment. Carl Windsor, the company’s chief information security officer, shared recommended mitigation steps and indicators of compromise in a blog post.

Researchers have yet to determine how many customers are impacted by CVE-2026-24858 exploits, but the scope of potential victims is broad and global. Shadowserver scans show nearly 10,000 Fortinet instances with FortiCloud SSO enabled with roughly one-fourth of those based in the United States.

Ben Harris, founder and CEO at watchTowr, said the company’s exposure management platform is observing active probing for devices with FortiCloud SSO enabled, but the broader impact is still unknown. 

“There are those that know they’re affected, and likely a number that are unaware,” he told CyberScoop. “Regardless, those that keep a bingo card for ‘yet another year of depressingly predictable vulnerabilities’ have likely crossed off ‘full authentication bypass against a management interface’ already in 2026.”

Arctic Wolf researchers said they haven’t seen evidence of new exploitation since Jan. 21, adding that attacks appear to be limited to instances where management interfaces of vulnerable devices were publicly exposed to the internet. 

Vulnerabilities in network devices from multiple vendors have been exploited for initial access at a high rate, especially in ransomware attacks, researchers at Arctic Wolf said. “While it is vitally important to keep up to date on firmware updates, security best practices should be followed to limit the potential impact of this vulnerability and similar flaws in the future.”

While defenders have grown accustomed to a steady amount of Fortinet vulnerabilities, that experience has fueled a mounting sense of frustration. 

Joe Toomey, vice president of underwriting security at Coalition took to LinkedIn Wednesday to criticize Fortinet’s inability to thwart or reduce the number of actively exploited vulnerabilities affecting its products.

Fortinet’s latest defect marks the 14th time Coalition has sent zero-day advisories about critical Fortinet vulnerabilities to its policyholders in less than four years. Fortinet products account for more than 7% of the collective 180 zero-day advisories Coalition sent to policyholders since 2023, Toomey said in his blog post.

“All of which makes one begin to wonder if Fortinet is really taking security seriously,” he added.

Harris commended Fortinet for its transparency, adding that the vendor has clearly outlined its response and actions taken to address the vulnerability, some of which remains unfinished. 

Yet, he added: “As we’ve seen now for years, Fortinet and the ‘Fast & Furious’ franchise are apparently competing for the amount of sagas we can fit into one year. It’s unclear who will win.”

The post Fortinet’s latest zero-day vulnerability carries frustrating familiarities for customers appeared first on CyberScoop.

Federal authorities and researchers alerted organizations Friday to a massively exploited vulnerability in Fortinet’s web application firewall. 

While the actively exploited critical defect poses significant risk to Fortinet’s customers, researchers are particularly agitated about the vendor’s delayed communications and, ultimately, post-exploitation warnings about the vulnerability.

Fortinet addressed CVE-2025-64446 in a software update pushed Oct. 28, but did not assign the flaw a CVE or publicly disclose its existence until last week — 17 days later — when the company also confirmed the vulnerability has been exploited in the wild.

By then, for some Fortinet customers, especially those that hadn’t updated to FortiWeb 8.0.2, it was too late. The path-traversal defect in FortiWeb, which has a CVSS rating of 9.8, allows attackers to execute administrative commands resulting in a complete takeover of the compromised device.

Threat researchers from multiple firms, computer emergency response teams and the Cybersecurity and Infrastructure Security Agency issued warnings, with some including details about extensive attacks linked to the defect Friday. CISA also issued an alert and added the flaw to its known exploited vulnerability catalog Friday, requiring federal agencies to address the vulnerability within a short deadline of seven days.

A Fortinet spokesperson said the vendor’s product security incident response team began addressing the vulnerability as soon as it learned of the defect, and those efforts remain underway. “Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency,” the spokesperson said in a statement. 

“With that goal and principle top of mind, we are communicating directly with affected customers to advise on any necessary recommended actions,” the spokesperson added.

Threat researchers at Defused first spotted the vulnerability and published a proof-of-concept exploit they detected Oct. 6. Researchers at watchTowr published technical analysis of the exploit and released a tool to help organizations hunt for potentially vulnerable hosts in their environments.

“Attacks have been widespread and indiscriminate according to shared evidence since at least early October — long before the industry was able to pull the fire alarm, and arguably exacerbated by the silence from Fortinet,” Ben Harris, founder and CEO at watchTowr, told CyberScoop.

Researchers haven’t identified or named victims yet, but attackers are exploiting the vulnerability to add new administrative accounts, likely achieving persistent privileged access on compromised devices. Threat hunters have not attributed the attacks to any cybercrime outfit, place of origin or motivation.

“Fortinet’s silent patching of the vulnerability — intentional or not — likely led many users not to apply the patch that actually fixed the vulnerability,” Harris said. “FortiWeb customers weren’t told about the critical, immediate risk of not applying these patches. Had they known, they would have likely updated right away. Now, anyone who didn’t patch is likely compromised.”

Information vacuum left researchers scrambling

The vulnerability falls under a gray area of definition — a less-important detail but one that underscores the difficulties third-party researchers confronted in mounting a proper and informed response. 

“Unless Fortinet is now fixing vulnerabilities by accident, by definition, it isn’t a zero-day, it’s a silently patched vulnerability and thus an n-day,” Harris said.

Yet, from a defender’s perspective this vulnerability functionally behaved as a zero-day, said Ryan Emmons, security researcher at Rapid7. “It was being exploited before customers had any formal awareness, guidance or patch information.”

Fortinet’s release notes for FortiWeb 8.0.2 don’t include any reference to specific vulnerabilities. 

“The challenge is that the security community builds its understanding through shared signals like public advisories, CVE assignments, behavioral descriptions, and clear remediation instructions. When those signals arrive late or in fragments, it slows the ability of researchers, vendors, and defenders to triangulate what’s actually happening,” Emmons said. 

“Attackers often have first-mover advantage, and defenders rely heavily on vendor transparency and cooperative industry coordination,” Emmons added. “When a vendor has knowledge of product flaws and a patch is published, it’s imperative that defenders are given a heads-up notice with as much actionable information as possible. Obscurity hurts defenders more than it impedes attackers.”

Researchers resoundingly criticized Fortinet for delaying its public disclosure of the vulnerability and a lack of urgency until active exploitation was already underway.

Fortinet’s belated CVE assignment compounded problems for defenders. “In the dark, information is scarce and delays are inherent, as defenders burn cycles trying to figure out what’s even going on,”  Emmons said. “This gives attackers a much stronger position.”

Security teams are already inundated with vulnerability patches. It’s not only unfeasible for them to address every defect and software update immediately, there’s also an operational impact risk to measure. Patches can break critical processes and integrations. 

“Many organizations, following standard change-control processes, understandably delayed patching. Meanwhile, it’s possible that Fortinet itself was unaware of the full severity of the issue and silently patched a flaw without realizing the risk it posed,” Harris said. “This combination left defenders at a disadvantage from the start.”

The post Fortinet’s delayed alert on actively exploited defect put defenders at a disadvantage appeared first on CyberScoop.