Threat Research

Threat actors are exploiting multiple FortiGate vulnerabilities including CVE-2025-59718, CVE-2025-59719, and the recently patched CVE-2026-24858. to bypass authentication and gain administrative access to firewall devices. After access, they download configuration files containing sensitive data, including service account credentials that can be easily decrypted....

A Potential CVE-2021-41379 Exploitation Attempt refers to the detection of attempts to exploit a local privilege escalation (LPE) vulnerability, CVE-2021-41379, known as InstallerFileTakeOver. In this vulnerability, an attacker triggers a cmd.exe process as a child of the Microsoft Edge elevation service, elevation_service, while inheriting LOCAL_SYSTEM rights....

Potential Pikabot Hollowing Activity refers to the detection of rundll32.exe being used to invoke legitimate Windows binaries as part of a malware attack. Specifically, the Pikabot malware utilizes this technique for process hollowing, where it injects malicious code into a legitimate Windows process....

CVE-2023-38331 Exploitation Attempt - Suspicious WinRAR Child Process refers to a security vulnerability in WinRAR versions prior to 6.23, where attackers can exploit the software to execute arbitrary commands or binaries....

CVE-2024-50623 Exploitation Attempt - Cleo refers to a security vulnerability within the Cleo software suite that is being targeted by attackers. The exploitation attempt is identified by monitoring for a "cmd.exe" process launching from Cleo's software, which is often indicative of malicious activity....

The report "Fortinet Updates Guidance and Indicators of Compromise Following FortiManager Vulnerability Exploitation" addresses a critical vulnerability in the FortiManager fgfmd daemon, classified as a missing authentication issue (CWE-306). This flaw may allow remote unauthenticated attackers to execute arbitrary code or commands through specially crafted requests....

The "TEMU Work Platform" is a cryptocurrency investment scam that has been active since July 2024. It gained significant attention with a spike in traffic starting October 15, 2024. The scam involves multiple stockpiled domains that host visually identical mobile-friendly versions of the platform....

CVE-2023-22518 is a vulnerability in Confluence that allows for exploitation through the creation of a suspicious child process on Windows systems. Attackers may leverage this vulnerability to execute arbitrary code or escalate privileges within the application....

Identifies potential initial exploitation attempts targeting VMware Horizon deployments that are operating on vulnerable versions of Log4j....

The document "Protecting Against RCE Attacks Abusing WhatsUp Gold Vulnerabilities" addresses security measures for defending against Remote Code Execution (RCE) vulnerabilities in WhatsUp Gold, a network monitoring tool. It outlines the risks associated with these vulnerabilities, which could allow attackers to execute malicious code remotely and potentially compromise systems....