Even top security platforms can be vulnerable if patching is delayed or access controls are weak. Critical flaws in FortiOS, FortiProxy, and FortiManager are currently being exploited in ransomware campaigns, while vulnerabilities in FortiSwitch could be leveraged if management interfaces remain exposed.
Take a closer look at the standout vulnerabilities driving current threat activity.
CVE-2025-24472: Super-admin via CSF authentication bypass
Affected: FortiOS & FortiProxy
Status: Exploited in the wild – used by Mora_001 to deploy SuperBlack ransomware
A crafted CSF proxy request allows attackers to bypass authentication and gain full super-admin access. Added to CISA’s KEV catalogue in March, this vulnerability is being actively used in targeted ransomware campaigns. Exposure of management interfaces dramatically increases risk.
MITRE Techniques:
Exploit Public-Facing Application (T1190)
Exploitation for Privilege Escalation (T1068)
Valid Accounts (T1078)
CVE-2024-47575: Unauthenticated RCE in FortiManager’s fgfmd daemon
Affected: FortiManager
Status: Confirmed exploitation since June 2024 – linked to over 50 compromised systems
This flaw allows attackers to execute arbitrary commands via the fgfmd management service, without authentication. Once exploited, it enables full control over FortiManager and can be used to exfiltrate data or deploy additional payloads.
It is worth noting that this vulnerability has a critical CVSS score of 9.8) and was added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue on October 23, 2024, underscoring its severity and active exploitation
MITRE Techniques:
Exploitation for client execution (T1203)
Command and Scripting Interpreter (T1059)
Exfiltration Over Web Service (T1041)
CVE-2024-48887: Password reset in FortiSwitch web GUI
Affected: FortiSwitch
Status: No confirmed exploitation
This vulnerability allows unauthenticated password resets via the switch’s web interface. While there are no confirmed cases yet, the low complexity and ease of discovery make this a likely target for opportunistic attacks, especially in flat networks.
The vulnerability does not require authentication, making it a high-risk target for attackers seeking privilege escalation. Fortinet has advised users to disable HTTP/HTTPS access from administrative interfaces and restrict access to trusted hosts as a workaround
MITRE Techniques:
Valid Accounts (T1078)
Exploitation for Privilege Escalation (T1068)
CVE-2023-37936: Hard-coded crypto key enabling RCE
Affected: FortiSwitch
Status: No confirmed exploitation; opportunistic scanning observed
Older FortiSwitch builds contain a hard-coded cryptographic key that can be abused to execute commands remotely. While Fortinet has not confirmed exploitation, the presence of scanning activity suggests attackers are actively probing for this flaw.
MITRE Techniques:
Valid Accounts via Embedded Credentials (T1078.004)
Remote Command Execution via Exploit (T1203)
What to do now
Attackers move quickly, often outpacing organisations’ patching efforts. You can stay ahead by promptly updating firmware, securing access with strong controls, and keeping a close eye on your systems. Fortinet gear remains a formidable defence when governed by disciplined security hygiene. The bottom line? Patching is crucial, but it’s your overall security approach that keeps attackers out. Flat networks, exposed interfaces, and weak credentials are an attacker’s playground. Don’t just fix these issues – wipe them out for good.
References:
CVE-2024-47575 | FortiGuard Labs (fortiguard.com)
PSIRT Advisories | FortiGuard Labs (fortiguard.com)
Fortinet FortiManager CVE-2024-47575 Exploited in Zero-Day Attacks (rapid7.com)
New Lockbit-linked ransomware group targets Fortinet vulnerabilities (scworld.com)
Critical Fortinet Vulnerability (CVE-2024-48887) Puts FortiSwitch Admin Credentials at Risk (socradar.io)
Cyber criminals have increasingly adopted Telegram bots as tools for data exfiltration in phishing campaigns. These bots facilitate the collection and transmission of stolen credentials, enabling attackers to bypass traditional security measures and operate with greater anonymity. Telegram is a widely used messaging platform which offers features that appeal to cyber criminals, including encryption, ease of use, and a large user base. These attributes make it an attractive medium for orchestrating phishing attacks and exfiltrating stolen data.
Phishing kits, such as Telekopye, leverage Telegram bots to automate the creation of fraudulent websites and the collection of user credentials. Once a victim enters their information on a phishing site, the data is sent to a Telegram bot controlled by the attacker. This process allows for real-time data exfiltration and facilitates rapid exploitation of stolen credentials.
Cyber criminals deploy phishing kits that generate counterfeit websites mimicking legitimate services. Victims are the lured to these fraudulent sites through deceptive emails, messages, or ads. Upon entering their credentials, the information is captured by the phishing kit. The captured data is the transmitted to a Telegram bot, which acts as a conduit for the attacker to receive the stolen information. Attackers can then use the exfiltrated credentials to access victim accounts, conduct fraudulent transactions, or sell the information on illicit marketplaces.
Advantages of Using Telegram Bots for Data Exfiltration
The use of Telegram bots for data exfiltration in phishing campaigns underscores the evolving tactics of cyber criminals. Their ability to exploit legitimate platforms for malicious purposes highlights the need for enhanced cyber security measures. Organisations and individuals must remain vigilant, employ robust security practices, and stay informed about emerging threats to mitigate the risks associated with such attacks.
The Human Risk Management module from Norm can educate users on how to spot a likely malicious link. With this education, not only would users be more aware of the tactics used by attackers but also the content will enable them to exercise caution when clicking on suspicious links. It is also recommended to take a minute to assess a link before clicking and never give any remote access to your device.
References:
Cybercriminals Use Telegram Bots to Exfiltrate Data In Phishing Kit Campaign (knowbe4.com)
In May 2025, cyber security researchers at G DATA uncovered a sophisticated infostealer dubbed “Chihuahua Stealer.” This .NET-based malware employs advanced evasion techniques and a multi-stage infection chain, making it a notable threat in the cyber security landscape.
The infection begins when a victim is tricked into executing an obfuscated PowerShell script, often delivered through a malicious Google Drive document. This script initiates a multi-stage payload chain, utilising Base64 encoding, hex-string obfuscation, and scheduled tasks to establish persistence. The second-stage script reconstructs a large, obfuscated hex payload, strips custom delimiters, converts the hex into ASCII characters, and dynamically builds the third-stage script. This runtime reconstruction technique evades static detection and sandbox analysis.
The deobfuscated script creates a scheduled job named “f90g30g82” that runs every minute. It checks the user’s Recent folder for files with the “.normaldaki” extension, used as infection markers. If such a file is found, the script queries a command-and-control (C2) server (cdn.findfakesnake.xyz) for further instructions. If the response contains a “Comm” trigger, the payload is decoded and executed. If the primary server is unreachable, the script falls back to a second domain (cat-watches-site.xyz).
The main payload, written in .NET, targets browser data and crypto wallet extensions. It collects sensitive information such as saved passwords, session cookies, and wallet credentials. The stolen data is compressed into an archive with the file extension “.chihuahua” and encrypted using AES-GCM via Windows CNG APIs. This encrypted archive is exfiltrated over HTTPS, and all local traces are wiped, demonstrating the malware’s stealth techniques.
Chihuahua Stealer exemplifies the evolving sophistication of infostealer malware. Its use of multi-stage payloads, advanced evasion techniques, and encrypted data exfiltration underscores the need for robust cyber security measures. Users are advised to exercise caution when interacting with unsolicited documents and to maintain up-to-date security software to defend against such threats.
References:
Chihuahua Stealer: A new Breed of Infostealer (gdatasoftware.com)
Norm tracks and monitors the latest security trends and cyber threats and collates these into a fortnightly threat bulletin.
You can receive this bulletin for free, every fortnight, by entering your business email address below:
