Reading view

There are new articles available, click to refresh the page.
↗️

Attackers hit pair of critical Fortinet vulnerabilities the vendor disclosed in April

✇CyberScoop
By: Matt Kapko

Attackers are actively exploiting a pair of critical Fortinet vulnerabilities in FortiSandbox, a security product customers use to identify and defend against emerging threats across their network, according to researchers.

Fortinet disclosed and patched the vulnerabilities — CVE-2026-39808 and CVE-2026-39813 — in April, but it hasn’t confirmed exploitation. The company did not respond to a request for comment. 

VulnCheck said it first observed exploitation of CVE-2026-39808, an OS-command injection vulnerability, on June 9. Researchers at threat intelligence firm Defused confirmed exploitation of the same defect June 11, and CVE-2026-39813, a path-traversal vulnerability, on June 15. 

Simo Kohonen, founder and CEO of Defused, said the firm observed 49 exploitation events from 11 distinct IPs against the pair of defects over a six-day period. Attackers are also attempting to exploit a third FortiSandox vulnerability, CVE-2026-25089, which Fortinet disclosed and patched June 9, he added.

Researchers haven’t determined how many Fortinet customers are directly impacted, yet post-exploitation activity thus far, which includes verification and reconnaissance, usually precedes a heavier wave of attacks, Kohonen said. 

Defused traced the malicious activity to 13 sources originating from nine countries, including China, South Korea, Taiwan, India, Singapore, Germany, the Netherlands, Canada and Bulgaria. 

“The spread and the share proof-of-concepts point to multiple independent operators on commodity infrastructure, not one campaign,” Kohonen told CyberScoop.

Researchers said they haven’t observed evidence attackers are chaining the vulnerabilities together, but the exploits are functioning with one another by bypassing authentication, escalating privileges and allowing attackers to execute arbitrary commands.

The exploits, which multiple research firms have observed in honeypots, mark the early stages of another potential wave of attacks targeting Fortinet customers.

The Cybersecurity and Infrastructure Security Agency has flagged 26 Fortinet vulnerabilities in its known exploited vulnerabilities catalog since 2021. As of Wednesday, the agency hasn’t added any of the new Fortinet defects to its catalog.

Researchers warn that the vulnerabilities affect a significant device in enterprise security architecture. 

“Sandbox appliances are typically trusted systems used to analyze suspicious content and support broader detection workflows, which means a compromise could provide attackers with elevated access within a security sensitive environment,” Chris Doyle, head of security and compliance at JupiterOne, said in an email. 

Kohonen added: “FortiSandbox is high-value because it ingests from and connects to other Fortinet devices.”

The post Attackers hit pair of critical Fortinet vulnerabilities the vendor disclosed in April appeared first on CyberScoop.

↗️

Network ‘background noise’ may predict the next big edge-device vulnerability

✇CyberScoop
By: Matt Kapko

Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations.

Pre-attack surveillance and planning leaves a lot of noise in its wake. These signals — particularly spikes in traffic that are hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release. 

Roughly half of every activity surge GreyNoise detected during a 103-day study last winter was followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report.

Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.

“Virtually every time we see large scale spikes in reconnaissance and inventory activity looking for a certain device, it’s because somebody knows about a vulnerability,” Andrew Morris, founder and chief architect at GreyNoise, told CyberScoop.

“Within a few days or weeks — usually within the responsible disclosure timeline — a new very bad vulnerability comes out,” he added.

GreyNoise insists that every day of advance notice matters, giving defenders an opportunity to defend against and thwart potential attacks before they occur. 

The real-time network edge scanning platform spotted 104 distinct activity surges across 18 vendors during its study period. These embedded systems, including routers, VPNs, firewalls and other security systems, consistently account for the most commonly exploited vulnerabilities.

“Attackers love hacking security devices like security appliances. The irony of that is just not lost on me at all,” Morris said.

“It hasn’t gotten bad enough for us to start taking the security of these devices seriously,” he added. “It’s not bad enough for us to take it seriously enough to start ripping these things out and replacing them with new devices or new vendors.”

GreyNoise linked traffic surges to a swarm of vulnerabilities disclosed by vendors across the market, including Cisco, Palo Alto Networks, Fortinet, Ivanti, HPE, MicroTik, TP-Link, VMware, Juniper, F5, Netgear and others.

“It’s becoming scientifically empirical, and it’s becoming more like meteorology than mysticism,” Morris said. “This is like clockwork now.”

GreyNoise breaks these traffic surges down to measure intensity and breadth. Session counts indicate how hard existing sources are hammering a specific vendor and unique source IP counts demonstrate how widely new infrastructure is joining the activity, researchers wrote in the report.

“When both the intensity and breadth of targeting increase simultaneously, it signals a coordinated escalation,” the report said. 

“When you see a session spike against one of your vendors and new source IPs joining at the same time, treat it as a high-confidence reason to look harder. When you see only an IP spike, do not assume a vulnerability is coming,” researchers added. 

The study bolsters other research from Verizon, Google Threat Intelligence Group and Mandiant — landing during what GreyNoise calls “the most aggressive period of edge device exploitation on record.”

This activity doesn’t happen in a vacuum and threat groups aren’t flooding edge devices with traffic for free or for fun, according to Morris.

“People tend to treat internet background noise like it’s this unexplainable phenomenon,” he said. “They’re clearly trying to test the existence of a vulnerability in order to compromise the systems.”

The post Network ‘background noise’ may predict the next big edge-device vulnerability appeared first on CyberScoop.

↗️

Fortinet customers confront actively exploited zero-day, with a full patch still pending

✇CyberScoop
By: Matt Kapko

Fortinet released an emergency software update over the weekend to address an actively exploited vulnerability in FortiClient EMS, an endpoint management tool for customer devices.

The zero-day vulnerability — CVE-2026-35616 — has a CVSS rating of 9.8 and was added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerability catalog Monday. 

Fortinet said in a Saturday security advisory that it has seen the vulnerability being actively exploited in the wild.  The company issued a hotfix and plans to release a more comprehensive software update later, though that update is not yet available.

The security vendor did not say when the earliest known exploit occurred nor how many instances have already been impacted. 

Unknown attackers were first observed attempting to exploit the vulnerability March 31, Benjamin Harris, founder and CEO at watchTowr, told CyberScoop. 

“Exploitation attempts and probes were initially limited, reflecting typical attacker desire to try and keep usage of a zero-day from discovery and observation,” he added. “As of April 6, given attention and Fortinet issuing a hotfix, exploitation has ramped up, indicating growing attacker interest and likely broader targeting.”

Shadowserver scans found nearly 2,000 publicly exposed instances of FortiClient EMS on Sunday. It’s unclear how many of those instances are running vulnerable versions of the software.

The recently discovered zero-day shares similarities with CVE-2026-21643, another unauthenticated FortiClient EMS defect that Fortinet disclosed Feb. 6. The vendor and cyber authorities last week warned that CVE-2026-21643 has been exploited in the wild. 

Researchers have yet to find any significant link between the vulnerabilities or attribute the attacks to known threat actors, but both defects were actively exploited in a short timeframe and both allow attackers to execute code remotely. 

“Fortinet solutions are popular targets for threat actors generally, so exploitation isn’t necessarily surprising,” said Caitlin Condon, vice president of security research at VulnCheck.

CISA has added 10 Fortinet defects to its known exploited vulnerabilities catalog since early 2025. 

While there is no full patch for CVE-2026-35616, Harris credited Fortinet for rushing out a hotfix over a holiday weekend, adding that it reflects how urgently the company is treating the matter. 

“The timing of the ramp-up of in-the-wild exploitation of this zero-day is likely not coincidental,” he said. “Attackers have shown repeatedly that holiday weekends are the best time to move. Security teams are at half strength, on-call engineers are distracted, and the window between compromise and detection stretches from hours to days. Easter, like any other holiday, represents opportunity.”

A Fortinet spokesperson said response and remediation efforts are ongoing and the company is communicating directly with customers to advise on necessary actions.

“The best time to apply the hotfix was yesterday,” Harris said. “The second-best time is right now.”

The post Fortinet customers confront actively exploited zero-day, with a full patch still pending appeared first on CyberScoop.

❌