Daily Brief

2025-08-13 20:25:25 bleepingcomputer VULNERABILITIES Fortinet Urges Immediate Patch for Critical FortiSIEM RCE Vulnerability
Fortinet has issued a critical alert for a remote command injection flaw in FortiSIEM, urging immediate application of security updates to prevent exploitation. The vulnerability, CVE-2025-25256, affects FortiSIEM versions 5.4 to 7.3 and is rated with a CVSS score of 9.8, indicating severe risk. Exploit code for this flaw is already circulating, posing a significant threat to organizations using FortiSIEM in sectors like government, finance, and healthcare. Fortinet advises upgrading to supported versions to mitigate risk, as older versions will not receive patches for this vulnerability. The flaw allows unauthenticated attackers to execute arbitrary commands, but it does not produce clear indicators of compromise, complicating detection efforts. A temporary workaround involves restricting access to the phMonitor on port 7900, though this does not resolve the underlying issue. This disclosure follows a recent surge in brute-force attacks on Fortinet products, suggesting heightened threat activity around these systems.
2025-08-13 19:19:07 theregister VULNERABILITIES Fortinet Warns of Critical FortiSIEM Bug Amid Brute-Force Surge
Fortinet has disclosed a critical vulnerability in FortiSIEM, identified as CVE-2025-25256, which allows unauthenticated attackers to execute unauthorized commands, potentially leading to full system compromise. The vulnerability affects FortiSIEM versions 7.3.0-7.3.1, 7.2.0-7.2.5, 7.1.0-7.1.7, 7.0.0-7.0.3, and versions before 6.7.9, receiving a CVSS score of 9.8, indicating severe risk. Fortinet has advised customers to upgrade to patched versions and suggested limiting access to the phMonitor port (7900) as a temporary mitigation measure. Working exploit code for this vulnerability has been detected in the wild, raising concerns about potential exploitation if systems remain unpatched. GreyNoise reported a significant increase in brute-force attempts targeting Fortinet SSL VPNs, with over 780 unique IPs involved, possibly indicating an increased threat landscape. The surge in brute-force attempts coincided with the vulnerability disclosure, although a direct causal link has not been confirmed by GreyNoise. This situation underscores the importance of timely patch management and monitoring for unusual activity to mitigate potential threats effectively.
2025-08-13 19:19:06 bleepingcomputer VULNERABILITIES New Downgrade Attack Threatens FIDO Authentication in Microsoft Entra ID
Security researchers from Proofpoint have identified a downgrade attack that can bypass FIDO authentication in Microsoft Entra ID, exposing users to phishing and session hijacking risks. The attack leverages the Evilginx adversary-in-the-middle framework to spoof a browser user agent, tricking users into using weaker authentication methods. This method exploits a gap in functionality, bypassing FIDO authentication by simulating an unsupported browser, prompting users to authenticate via less secure alternatives. Although no active exploitation has been observed, the potential for targeted attacks remains significant, especially against high-value targets. Organizations are advised to disable fallback authentication methods and implement additional security checks to mitigate this emerging threat. The attack does not indicate a flaw in FIDO itself but reveals vulnerabilities in its implementation, necessitating improved security measures. This development underscores the need for vigilance and proactive measures in environments increasingly reliant on FIDO-based authentication systems.
2025-08-13 16:48:32 bleepingcomputer VULNERABILITIES Surge in Fortinet VPN Attacks Signals Potential Zero-Day Threats
A significant increase in brute-force attacks on Fortinet SSL VPNs was observed, suggesting potential zero-day vulnerabilities may soon be disclosed. GreyNoise detected two attack waves on August 3 and August 5, with a notable shift from VPNs to FortiManager targets, indicating a strategic change in focus. Such attack patterns have historically preceded new vulnerability disclosures, with 80% correlation, signaling a need for heightened vigilance. JA4+ fingerprinting of the attack traffic linked it to earlier activity from a FortiGate device, hinting at possible reuse of tools or environments. Security teams are advised to block identified IP addresses, enhance login protections, and restrict Fortinet device access to trusted networks. This activity is unlikely to be benign research scans, as it involves credential brute-forcing, which is typically indicative of intrusion attempts. Organizations should prepare for potential zero-day disclosures by reviewing and strengthening their security measures around Fortinet products.
2025-08-13 16:31:35 bleepingcomputer CYBERCRIME Cyberattack Disrupts Pennsylvania Attorney General's Office Operations
The Pennsylvania Attorney General's Office experienced a cyberattack, disabling its email, website, and phone systems, significantly affecting its operational capabilities. Attorney General Dave Sunday announced that staff are collaborating with law enforcement to restore services and investigate the incident's origins. Although no group has claimed responsibility, the attack's characteristics suggest a possible ransomware incident, yet confirmation is pending. Cybersecurity expert Kevin Beaumont identified potential vulnerabilities in the office's network, specifically concerning Citrix NetScaler appliances, which may have been exploited. The Citrix vulnerability, CVE-2025-5777, has been actively targeted globally, prompting CISA to mandate immediate patching for federal agencies. The attack reflects broader cybersecurity challenges, as similar vulnerabilities have led to significant disruptions in other critical organizations worldwide. This incident underscores the importance of proactive vulnerability management and rapid response strategies to mitigate potential threats.
2025-08-13 15:52:51 theregister VULNERABILITIES Legacy Microsoft Office Vulnerability Still Exploited in Malware Campaigns
Cybercriminals continue exploiting CVE-2017-11882, a vulnerability in Microsoft Office's discontinued Equation Editor, despite its patch release eight years ago. The vulnerability allows remote code execution through malicious documents, impacting systems running outdated Microsoft Office or WordPad versions. Attackers leverage this flaw by distributing specially crafted files via email or compromised websites, targeting users who open these files. The vulnerability was patched in 2017, and Microsoft removed the Equation Editor in 2018, yet attackers persist in exploiting unpatched systems. Recent campaigns involve XLAM files masquerading as purchase orders, which deploy keyloggers when executed on vulnerable software. Organizations are advised to ensure all systems are updated to eliminate exposure to this and similar legacy vulnerabilities. This ongoing exploitation highlights the critical importance of maintaining up-to-date software to prevent attacks leveraging outdated vulnerabilities.
2025-08-13 15:52:50 thehackernews MALWARE New PS1Bot Malware Campaign Utilizes Malvertising for Stealthy In-Memory Attacks
Cisco Talos researchers uncovered a malvertising campaign deploying PS1Bot, a multi-stage malware framework designed for stealthy in-memory execution and persistent system access. PS1Bot features a modular design, enabling information theft, keylogging, and reconnaissance, while minimizing persistent artifacts on infected systems. Active since early 2025, the campaign uses malvertising and SEO poisoning to distribute a JavaScript payload that initiates the infection chain. The malware shares technical similarities with AHK Bot and overlaps with ransomware-related campaigns involving Skitnet, aiming to steal data and control compromised hosts. Initial infection begins with a compressed archive delivered via malvertising, containing a JavaScript downloader that executes a PowerShell script to contact a command-and-control server. Google's AI-powered systems are being leveraged to combat invalid traffic, improving ad placement reviews and reducing deceptive practices by 40%. The modular nature of PS1Bot allows rapid deployment of updates, enhancing its adaptability and threat potential against targeted systems.
2025-08-13 13:41:49 bleepingcomputer VULNERABILITIES Microsoft Phases Out PowerShell 2.0 to Enhance Windows Security
Microsoft will remove PowerShell 2.0 from Windows 11 and Windows Server starting August 2025, as part of efforts to eliminate legacy code and bolster security. The removal impacts users with legacy scripts or software relying on PowerShell 2.0, necessitating updates or workarounds to avoid operational disruptions. PowerShell 5.1 and 7.x remain available, offering backward compatibility for most commands, reducing the risk of script failures during the transition. Organizations using older Microsoft server products like Exchange, SharePoint, and SQL Server are advised to migrate to newer PowerShell versions. This initiative aims to simplify system complexity and improve security, aligning with Microsoft's broader strategy to modernize Windows infrastructure. Customers are encouraged to update their systems and replace outdated software to ensure compatibility with future Windows releases. Microsoft emphasizes the importance of using supported PowerShell versions to enhance script safety and system reliability.
2025-08-13 13:23:47 thehackernews VULNERABILITIES Zoom and Xerox Patch Critical Privilege Escalation and RCE Flaws
Zoom has released a patch for a critical vulnerability in Zoom Clients for Windows, identified as CVE-2025-49457, with a CVSS score of 9.6, addressing privilege escalation risks. The flaw, stemming from an untrusted search path, could allow unauthenticated users to escalate privileges via network access, posing significant security threats to organizations. Xerox has also patched vulnerabilities in FreeFlow Core, with the most severe allowing potential remote code execution, addressed in the latest version 8.0.4 update. Exploiting these vulnerabilities could enable attackers to execute arbitrary commands, steal sensitive data, or facilitate lateral movement within corporate networks. Both companies have issued security bulletins urging users to apply the updates promptly to mitigate potential exploitation risks. The swift response by Zoom and Xerox highlights the importance of proactive vulnerability management to protect critical systems and data from cyber threats. Organizations are advised to review their patch management processes to ensure timely deployment of security updates across their IT environments.
2025-08-13 11:42:45 thehackernews VULNERABILITIES Fortinet Alerts on Critical FortiSIEM Vulnerability Exploited in the Wild
Fortinet has issued a warning about a critical vulnerability in FortiSIEM, identified as CVE-2025-25256, with an exploit currently active in the wild. The vulnerability, with a severe CVSS score of 9.8, allows unauthenticated attackers to execute unauthorized code via crafted CLI requests. Affected versions of FortiSIEM are vulnerable to OS command injection, which could lead to significant security breaches if not addressed promptly. Fortinet has not disclosed specific details about the exploit's nature or its geographical origin but confirmed the presence of practical exploit code. Organizations are advised to limit access to the phMonitor port (7900) as a temporary workaround to mitigate potential exploitation risks. The advisory follows GreyNoise's report of increased brute-force traffic targeting Fortinet SSL VPN devices, indicating heightened threat activity. Businesses relying on FortiSIEM should prioritize patching and implement recommended security measures to prevent unauthorized access and potential data breaches.
2025-08-13 11:32:12 theregister MISCELLANEOUS UK Expands Police Facial Recognition with New Mobile Units
The UK government is deploying ten new mobile units equipped with Live Facial Recognition (LFR) technology across seven additional regions, enhancing police capabilities in Greater Manchester, West Yorkshire, and more. The Home Office asserts that LFR is a targeted, intelligence-led tool, aiding in the arrest of 580 offenders, including serious criminals, over the past year in London and South Wales. Privacy advocates, including Big Brother Watch, express concerns over potential misidentifications and the expansion's implications for privacy and democratic rights, citing previous wrongful stops. The College of Policing mandates public notification for LFR use, except in critical situations, and ensures compliance with guidelines to maintain lawful and proportionate deployment. The National Physical Laboratory has independently tested the LFR algorithm, confirming its accuracy and lack of bias related to age, gender, or ethnicity. A government consultation is underway to establish a new legal framework for LFR, with findings from deployments contributing to this process. Privacy groups criticize the use of passport and immigration databases for facial recognition, claiming a significant increase in police scans, raising privacy concerns. The Home Office clarifies that these databases are accessed only for Retrospective Facial Recognition (RFR) in specific criminal investigations, requiring prior approval for use.
2025-08-13 11:32:12 thehackernews MISCELLANEOUS AI-Powered SOCs Transform Security Operations with Enhanced Efficiency
AI-driven SOC capabilities are addressing inefficiencies in security operations, enabling faster threat detection and response while reducing false positives and manual workload for analysts. The recent Gartner Hype Cycle for Security Operations 2025 identifies AI SOC Agents as a key innovation, signaling a shift towards automation in security processes. AI systems prioritize alerts swiftly, allowing true threats to be identified quickly and reducing time wasted on false positives, enhancing overall SOC efficiency. By integrating data from various platforms, AI SOC tools significantly reduce mean time to investigate and respond, limiting threat spread and improving security posture. AI capabilities in SOCs provide insights into detection engineering, identifying coverage gaps and recommending rule adjustments for improved threat detection. The hybrid model of AI and human expertise allows analysts to focus on advanced threat hunting and strategic tasks, improving security outcomes and analyst retention. Prophet Security's AI SOC platform automates triage and investigations, enhancing analyst efficiency and delivering consistent security results across organizations.
2025-08-13 10:48:31 theregister MISCELLANEOUS Marc Andreessen Criticizes UK's Online Safety Act Implementation
Marc Andreessen, co-founder of Netscape, criticized the UK's Online Safety Act, claiming his input was misrepresented by the UK government. The Online Safety Act mandates platforms like Google and Reddit to block certain content unless users verify their age through photo ID or credit card checks. The introduction of the Act has led to increased use of Virtual Private Networks (VPNs) to bypass content restrictions, raising concerns about its effectiveness. Free speech and privacy advocates, including Andreessen, argue the Act could lead to censorship and overreach by the government. The UK government faces pressure to balance the prevention of unsavoury content access with maintaining free speech rights. Platforms not complying with the Act risk fines up to £18 million or 10 percent of their global turnover, highlighting the significant regulatory impact. Andreessen's public comments reflect ongoing debate and dissatisfaction with the legislation's approach and potential consequences.
2025-08-13 10:02:41 theregister MISCELLANEOUS UK Public Sector Faces Challenges in Software Procurement Strategies
The UK government spends approximately £1.9 billion annually on Microsoft software licenses, raising questions about the cost-effectiveness of this investment. Despite the high expenditure, the UK public sector struggles to find viable open-source alternatives due to hidden costs and compatibility issues. Historical challenges with systems like NHSmail highlight difficulties in managing upgrades and ensuring compatibility without major tech brands. The Crown Commercial Service's recent five-year agreement with Microsoft includes access to AI technologies, aiming to boost digital progress and economic growth. Effective procurement requires consistent negotiation strategies across government bodies to maximize value and streamline software acquisition. While open-source solutions offer potential savings, they often lead to unforeseen risks, such as system lock-in and integration challenges. The debate continues on balancing proprietary software benefits versus open-source flexibility, with a focus on accountability and transparent contract management.
2025-08-13 09:36:37 thehackernews MISCELLANEOUS AI Cyberattacks Demand New Focus on Identity Verification
The rise of AI technologies is reshaping both business operations and cyberattack strategies, introducing sophisticated threats like deepfake scams and synthetic identities. Traditional security models are proving inadequate against AI-driven threats, which exploit faster, unpredictable attack patterns. Identity verification has emerged as a critical defense mechanism, acting as the final barrier against unauthorized access in AI-enhanced environments. Okta's upcoming webinar, led by Karl Henrik Smith, will provide insights into adapting security strategies to counter AI-powered cyber threats. The session aims to equip developers, security architects, and tech leaders with actionable plans to integrate identity at the core of security frameworks. As AI continues to evolve, organizations must prioritize adaptive security measures to safeguard against increasingly rapid and sophisticated cyberattacks.