Fortinet warns of active exploitation of 2FA Bypass flaw in FortiGate devices

Fortinet is warning of active exploitation of CVE-2020-12812, a critical authentication bypass vulnerability (CVSS 9.8) that is now five years old and affects FortiGate devices using LDAP authentication for SSL VPN. An attacker who already holds a valid username and password can log in without the second factor simply by changing the letter case of the username: FortiGate and the LDAP server disagree on whether usernames are case-sensitive, so the LDAP password check succeeds for 'JSmith' while the FortiGate-side two-factor requirement tied to 'jsmith' is never applied.

**If you run FortiGate devices, check whether they use LDAP authentication and whether they are patched. If LDAP authentication is in use and the device has not been patched since the 2020 fix, immediately set `username-sensitivity disable` as a workaround. Then review your logs for logins with username case variations (for example 'JSmith' alongside 'jsmith'). Finally, patch the devices.**
#cybersecurity #infosec #attack #activeattack
https://beyondmachines.net/event_details/fortinet-warns-of-active-exploitation-of-2fa-bypass-flaw-in-fortigate-devices-5-l-e-z-a/gD2P6Ple2L
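
The log review step above is easy to get wrong by eye, because a SIEM search for `user=jsmith` will not match `JSmith`. The script below is an added example, not code from Fortinet or from this page: it parses key=value VPN events, groups them by case-folded username and reports every identity that was used under more than one spelling, together with which spelling actually produced a successful login. The sample events are constructed and only loosely modelled on FortiGate's key="value" syslog format; the field names, action values and addresses are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample events, loosely modelled on FortiGate's key="value" syslog style.
# These are not real logs; field names, actions and addresses are assumptions for this example.
SAMPLE_LOGS = """\
date=2025-10-10 time=08:02:11 type="event" subtype="vpn" action="ssl-login-fail" user="jsmith" remip="203.0.113.7" reason="sslvpn_login_permission_denied"
date=2025-10-10 time=08:02:40 type="event" subtype="vpn" action="tunnel-up" user="JSmith" remip="203.0.113.7" reason="N/A"
date=2025-10-10 time=08:15:03 type="event" subtype="vpn" action="tunnel-up" user="mjones" remip="198.51.100.20" reason="N/A"
date=2025-10-10 time=09:01:55 type="event" subtype="vpn" action="ssl-login-fail" user="mjones" remip="198.51.100.20" reason="sslvpn_login_permission_denied"
date=2025-10-11 time=22:10:01 type="event" subtype="vpn" action="tunnel-up" user="admin" remip="10.0.0.5" reason="N/A"
date=2025-10-11 time=22:47:09 type="event" subtype="vpn" action="tunnel-up" user="ADMIN" remip="192.0.2.44" reason="N/A"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one key=value log line into a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def find_case_variant_logins(log_text, success_actions=("tunnel-up",)):
    """Group VPN events by case-folded username and report every identity that
    appears under more than one spelling. For each, list the spellings seen,
    the spellings that produced a successful login, and the raw events."""
    by_user = defaultdict(lambda: {"variants": set(), "succeeded_with": set(), "events": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("subtype") != "vpn" or "user" not in rec:
            continue
        spelling = rec["user"]
        entry = by_user[spelling.casefold()]   # casefold() also folds accented forms
        entry["variants"].add(spelling)
        entry["events"].append((rec.get("date"), rec.get("time"), rec.get("action"),
                                spelling, rec.get("remip")))
        if rec.get("action") in success_actions:
            entry["succeeded_with"].add(spelling)

    return {
        user: {
            "variants": sorted(e["variants"]),
            "succeeded_with": sorted(e["succeeded_with"]),
            "events": sorted(e["events"]),
        }
        for user, e in by_user.items()
        if len(e["variants"]) > 1
    }


if __name__ == "__main__":
    for user, finding in find_case_variant_logins(SAMPLE_LOGS).items():
        print(f"{user}: spellings {finding['variants']}, succeeded with {finding['succeeded_with']}")
        for ev in finding["events"]:
            print("   ", *ev)
```

On the sample data this flags `jsmith` (a failed login as `jsmith` followed within a minute by a successful `JSmith` login from the same address, which is the pattern the bypass produces) and `admin`, while `mjones` is ignored because the spelling never changes. Treat the output as a triage list rather than a verdict: users do occasionally type their name in a different case, so weigh a flagged identity by whether the variant spelling succeeded, whether it came from an address the user has not used before, and whether it happened after a string of failures.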

Exploitation campaign targets multiple older critical vulnerabilities in WordPress sites

Wordfence blocked over 8.7 million exploitation attempts on October 8-9, 2025, targeting three critical vulnerabilities from 2024 in the WordPress plugins GutenKit and Hunk Companion. Roughly 48,000 WordPress sites running these plugins are online, and thousands of them are still unpatched.

**If you use the GutenKit or Hunk Companion plugins on WordPress, immediately update GutenKit to version 2.1.1 or later and Hunk Companion to version 1.9.0 or later; both are under massive attack, with more than 8.7 million exploitation attempts blocked in two days. Enable automatic updates for all WordPress plugins.**
#cybersecurity #infosec #attack #activeattack
https://beyondmachines.net/event_details/exploitation-campaign-targets-multiple-older-critical-vulnerabilities-in-wordpress-sites-1-9-r-p-a/gD2P6Ple2L
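
When you manage more than a handful of sites, "update to 2.1.1 or later" becomes a question of which installs are still below the fixed version. The script below is an added example, not code from Wordfence or the plugin vendors: it takes the JSON that `wp plugin list --format=json` prints and compares each listed plugin against the fixed versions given above, using numeric rather than string comparison. The sample JSON is constructed, and the plugin slugs (`gutenkit-blocks-addon`, `hunk-companion`) are assumed to be the directory names wp-cli reports for these plugins.

```python
import json
import re

# Fixed versions as stated in the advisory above. The plugin slugs are an assumption:
# the directory names that `wp plugin list` reports for these two plugins.
FIXED_VERSIONS = {
    "gutenkit-blocks-addon": "2.1.1",
    "hunk-companion": "1.9.0",
}

# Constructed sample, shaped like the output of `wp plugin list --format=json`.
# The installed versions and the third plugin are made up for this example.
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "gutenkit-blocks-addon", "status": "active", "update": "available", "version": "2.1.0"},
    {"name": "hunk-companion", "status": "inactive", "update": "none", "version": "1.9.0"},
    {"name": "example-plugin", "status": "active", "update": "none", "version": "10.2"},
])


def version_key(version):
    """Numeric comparison key: '2.1.10' -> [2, 1, 10]. Plain string comparison is wrong
    here ('2.1.9' > '2.1.10' as strings although 2.1.10 is the newer release).
    Pre-release suffixes such as '-beta' are not modelled; review those by hand."""
    return [int(n) for n in re.findall(r"\d+", version)]


def is_vulnerable(installed, fixed):
    """True when the installed version is strictly older than the fixed one."""
    a, b = version_key(installed), version_key(fixed)
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))


def audit_plugins(wp_cli_json, fixed_versions=FIXED_VERSIONS):
    """Return one record per installed plugin that has a known fixed version."""
    report = {}
    for plugin in json.loads(wp_cli_json):
        fixed = fixed_versions.get(plugin["name"])
        if fixed is None:
            continue
        report[plugin["name"]] = {
            "installed": plugin["version"],
            "fixed": fixed,
            "status": plugin["status"],
            "vulnerable": is_vulnerable(plugin["version"], fixed),
        }
    return report


if __name__ == "__main__":
    for slug, r in audit_plugins(SAMPLE_WP_CLI_JSON).items():
        verdict = "VULNERABLE" if r["vulnerable"] else "ok"
        print(f"{slug}: installed {r['installed']} (fixed {r['fixed']}, {r['status']}) -> {verdict}")
```

Run `wp plugin list --format=json --path=/var/www/<site>` for each site and feed the output to `audit_plugins`. An inactive plugin is still on disk and should be updated or removed, which is why the report keeps the status rather than filtering on it. A current version only tells you the site is no longer exploitable through these bugs; it says nothing about whether the site was compromised before the update.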

Scanning campaign targets critical Palo Alto GlobalProtect vulnerability

Security researchers detected a significant surge in exploitation attempts targeting CVE-2024-3400, a critical arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS that allows unauthenticated attackers to execute arbitrary code with root privileges on firewalls running PAN-OS 10.2, 11.0, and 11.1. Thousands of automated scanning attempts have been observed since late September 2025.

**If you still have not patched your Palo Alto Networks firewalls with GlobalProtect since 2024, assume they are already compromised. Update IMMEDIATELY regardless. Then check for indicators of compromise and, on any suspicion, perform a full factory reset following Palo Alto support instructions.**
#cybersecurity #infosec #attack #activeattack
https://beyondmachines.net/event_details/scanning-campaign-targets-critical-palo-alto-globalprotect-vulnerability-m-9-v-8-z/gD2P6Ple2L

FreePBX Servers under active zero-day attack

A zero-day vulnerability in the Endpoint Manager module of Sangoma FreePBX has been actively exploited since August 21, 2025, allowing attackers to achieve remote code execution and complete system control when the Administrator Control Panel is reachable from the internet.

**If you run FreePBX with the Endpoint Manager module, this is urgent. Immediately apply the emergency patches using the fwconsole commands Sangoma provided and check for the published compromise indicators. If you cannot patch right away, block Administrator Control Panel access from the internet and allow it only from trusted IP addresses. If you find any sign of compromise, isolate the system immediately and restore from a backup taken before August 21, 2025.**
#cybersecurity #infosec #attack #activeattack
https://beyondmachines.net/event_details/freepbx-servers-under-active-zero-day-attack-e-q-l-p-c/gD2P6Ple2L

Hackers breach Salesforce instances of major corporations through voice phishing

The ShinyHunters gang is running a sophisticated voice phishing campaign against Salesforce CRM instances and has breached major corporations including Cisco, Google, Chanel, Pandora, KLM, and Air France. The callers trick employees into authorizing a malicious OAuth application, which then gives the attackers access to the company's Salesforce data.

**Always verify, through a channel you already know, any urgent call claiming to come from "IT" or from someone in authority. Urgency and pressure, combined with the fact that most users can grant third-party apps access to their Salesforce data on their own, make this technique extremely dangerous.**
#cybersecurity #infosec #attack #activeattack
https://beyondmachines.net/event_details/hackers-breach-salesforce-instances-of-major-corporations-through-voice-phishing-x-5-x-3-m/gD2P6Ple2L

SonicWall Gen 7 firewalls targeted with unknown SSL VPN Zero-Day vulnerability

Cybersecurity firms are warning about a suspected zero-day vulnerability in the SSL VPN implementation of SonicWall Gen 7 firewalls that lets the Akira ransomware group bypass authentication (including MFA) on fully patched devices and complete attacks in as little as 1.5 to 2 hours.

**If you have SonicWall Gen 7 firewalls with SSL VPN enabled, be aware that even fully patched devices are under attack. Disable the SSL VPN service until SonicWall releases a fix for this zero-day vulnerability. If you absolutely must keep VPN access, restrict SSL VPN connections to trusted source IP addresses only and monitor closely for suspicious activity.**
#cybersecurity #infosec #attack #activeattack
https://beyondmachines.net/event_details/sonicwall-gen-7-firewalls-targeted-with-unknown-ssl-vpn-zero-day-vulnerability-b-z-0-e-2/gD2P6Ple2L

Mozilla warns of active phishing campaign targeting Firefox Add-on developers

Mozilla is warning about an active phishing campaign targeting Firefox extension developers: fraudulent emails impersonate the AMO (addons.mozilla.org) team and use lookalike domains (such as "mozila" instead of "mozilla") to steal developer credentials. The attackers' goal is to take over legitimate developer accounts and distribute malicious extensions through Mozilla's trusted platform.

**If you are a Firefox extension developer, be aware that you are being targeted. Do not click links in emails claiming to be from Mozilla about account updates; these are phishing attempts using lookalike domains such as "mozila" instead of "mozilla". Always navigate directly to addons.mozilla.org or mozilla.org instead of following email links.**
#cybersecurity #infosec #attack #activeattack
https://beyondmachines.net/event_details/mozilla-warns-of-active-phishing-campaign-targeting-firefox-add-on-developers-b-h-c-p-c/gD2P6Ple2L
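
A dropped letter in "mozila" is exactly the kind of difference a human skims past and a mail filter can catch. The function below is an added example, not code from Mozilla: it classifies a From: header as trusted, lookalike or unknown using the two domains the advice above names, catching a near-miss spelling (edit distance of one from the brand label), the brand with decoration ("mozilla-accounts.com"), and a trusted domain buried inside a longer name ("mozilla.org.verify-account.net"). The sample addresses are constructed; the trusted-domain list is the assumption you would replace with your own.

```python
import re

# Domains the advice above says to trust. Everything else is classified from these alone.
TRUSTED_DOMAINS = {"mozilla.org", "addons.mozilla.org"}


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Domain of the addr-spec in a From: value such as 'AMO Team <amo@mozila.org>'."""
    m = re.search(r"<([^>]+)>", header_value)
    addr = m.group(1) if m else header_value.strip()
    return addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def classify_sender(header_value, trusted=TRUSTED_DOMAINS, max_distance=1):
    """'trusted' for a trusted domain or a subdomain of one, 'lookalike' for a domain
    that imitates a trusted brand, 'unknown' otherwise."""
    domain = sender_domain(header_value)
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    # A trusted domain buried inside a longer name: mozilla.org.verify-account.net
    for t in trusted:
        if ("." + t + ".") in ("." + domain + "."):
            return "lookalike"
    # Brand labels are the registrable-name labels of the trusted domains ("mozilla").
    brands = {t.split(".")[-2] for t in trusted if t.count(".") >= 1}
    for label in domain.split(".")[:-1]:   # every label except the TLD
        for brand in brands:
            if brand in label or levenshtein(label, brand) <= max_distance:
                return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: values for the demo.
    for sample in ["Mozilla Add-ons <amo@mozila.org>",
                   "amo-notify@addons.mozilla.org",
                   "security@mozilla.org.account-verify.net",
                   "help@m0zilla-accounts.com",
                   "alice@example.com"]:
        print(f"{classify_sender(sample):9s} {sample}")
```

Two caveats matter in practice. A From: header is trivially forged, so "trusted" only means the domain string is right; pair this with DMARC alignment before believing it. And "lookalike" is a review queue, not a verdict: a partner whose registered domain legitimately contains your brand name will trip the substring rule, which is the intended trade-off when the cost of a missed phish is a hijacked publisher account.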

CISA warns of active attacks on Signal clone TeleMessage

CISA has issued a warning about two actively exploited vulnerabilities in TeleMessage TM SGNL, a Signal clone used by national security staff and government officials: a Spring Boot Actuator misconfiguration (CVE-2025-48927) that exposes heap memory dumps, and a local access vulnerability (CVE-2025-48928) that enables password extraction.

**If you use TeleMessage TM SGNL, start patching today, because it is being actively exploited. Better still, stop using the software entirely and switch back to standard Signal or another approved, properly encrypted messaging app: TM SGNL has already been breached and continues to be attacked.**
#cybersecurity #infosec #attack #activeattack
https://beyondmachines.net/event_details/cisa-warns-of-active-attacks-on-signal-clone-telemessage-6-j-0-0-k/gD2P6Ple2L

Citrix releases emergency patches for actively exploited vulnerability in NetScaler Products

Citrix has patched a critical, actively exploited vulnerability (CVE-2025-6543) in NetScaler ADC and NetScaler Gateway that security experts suspect enables code execution even though Citrix characterizes it as a denial-of-service issue. Citrix has also patched two other critical flaws, including one compared to the infamous 2023 CitrixBleed vulnerability. Organizations are urged to patch affected systems immediately and terminate all active sessions.

**This is important and URGENT. If your Citrix NetScaler ADC or Gateway is exposed on the internet, it is being actively attacked and exploited. There also appears to be undisclosed severity in the three latest critical flaws and a real possibility of a repeat of the 2023 CitrixBleed incident. Immediately update to the patched versions (14.1-47.46, 13.1-59.19, or 13.1-37.236-FIPS). After patching, terminate all active ICA and PCoIP sessions so that attackers cannot keep using stolen session tokens. If you have end-of-life devices, shut them down NOW; they will be hacked.**
#cybersecurity #infosec #attack #activeattack
https://beyondmachines.net/event_details/citrix-releases-emergency-patches-for-actively-exploited-vulnerability-in-netscaler-products-m-f-5-f-y/gD2P6Ple2L

NPM supply chain attack compromises 17 popular React Native packages

A supply chain attack compromised 17 widely used GlueStack NPM packages in the @react-native-aria scope between June 6 and 7, 2025. The packages, with over a million weekly downloads, received new versions carrying heavily obfuscated remote access trojan (RAT) malware, published through compromised npm automation tokens that were not protected by two-factor authentication.

**If you use any GlueStack @react-native-aria packages, check package.json and your lockfile (including transitive dependencies) and update to the latest safe versions. Then scan affected systems for signs of compromise and review firewall logs for suspicious outbound connections to unknown command-and-control servers. If you publish code, make sure all your npm publishing tokens are secured and that MFA is enforced for publishing.**
#cybersecurity #infosec #attack #activeattack
https://beyondmachines.net/event_details/npm-supply-chain-attack-compromises-17-popular-react-native-packages-d-0-p-1-w/gD2P6Ple2L
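
Checking package.json is not enough: a compromised package can reach you as a transitive dependency, or as a second nested copy that a different dependency pins, and only the lockfile shows those. The script below is an added example, not code from GlueStack or npm: it walks a package-lock.json (the `packages` map of lockfileVersion 2/3, falling back to the nested `dependencies` tree of version 1), lists every installed package in the @react-native-aria scope with its resolved version and install path, and flags anything not on an allowlist of versions you have verified. The lockfile is constructed and its version numbers are made up; the allowlist is a placeholder you fill from GlueStack's advisory, and nothing here states which real versions were compromised.

```python
import json

# Constructed package-lock.json (lockfileVersion 3). Package versions are made up;
# nothing here states which real versions were compromised.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app",
             "dependencies": {"@react-native-aria/button": "^0.0.1", "some-lib": "^1.0.0"}},
        "node_modules/@react-native-aria/button": {
            "version": "0.0.1", "dependencies": {"@react-native-aria/utils": "^0.0.2"}},
        "node_modules/@react-native-aria/utils": {"version": "0.0.2"},
        "node_modules/some-lib": {
            "version": "1.0.0", "dependencies": {"@react-native-aria/utils": "^0.0.9"}},
        # a second, nested copy pulled in by some-lib; package.json alone never shows this
        "node_modules/some-lib/node_modules/@react-native-aria/utils": {
            "version": "0.0.9", "dev": True},
    },
})

SCOPE = "@react-native-aria"


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (the part after the last node_modules/)."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx >= 0 else path


def find_scoped_packages(lock, scope=SCOPE):
    """List every installed package in `scope`, direct or transitive, with its
    resolved version and install path. Handles lockfileVersion 2/3 ('packages' map)
    and falls back to the nested 'dependencies' tree of lockfileVersion 1."""
    found = []

    def record(name, version, path, dev):
        if name.startswith(scope + "/"):
            found.append({"name": name, "version": version, "path": path, "dev": dev})

    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if path:  # "" is the root project itself
                record(package_name(path), meta.get("version"), path, bool(meta.get("dev")))
    else:
        def walk(deps, prefix):
            for name, meta in (deps or {}).items():
                path = f"{prefix}node_modules/{name}"
                record(name, meta.get("version"), path, bool(meta.get("dev")))
                walk(meta.get("dependencies"), path + "/")
        walk(lock.get("dependencies"), "")

    return sorted(found, key=lambda f: f["path"])


def flag_unlisted(found, safe_versions):
    """safe_versions maps package name -> set of versions you have verified as clean
    (an allowlist filled in from the vendor's advisory). Anything not on the list,
    including packages in the scope you did not expect at all, is returned for review."""
    return [f for f in found if f["version"] not in safe_versions.get(f["name"], set())]


if __name__ == "__main__":
    lock = json.loads(SAMPLE_LOCKFILE)
    found = find_scoped_packages(lock)
    # Placeholder allowlist for the demo; replace with the versions GlueStack marked safe.
    allowlist = {"@react-native-aria/button": {"0.0.1"}, "@react-native-aria/utils": {"0.0.2"}}
    for f in flag_unlisted(found, allowlist):
        print(f"REVIEW {f['name']}@{f['version']} at {f['path']} (dev={f['dev']})")
```

Point it at the lockfile of every project and CI image, not just the ones that list the scope in package.json directly. The nested copy in the sample is the case that matters: `npm ls @react-native-aria/utils` would show it too, but only if `node_modules` is installed, whereas the lockfile can be scanned straight from the repository. An allowlist (known-good versions) rather than a denylist is deliberate: a package in the scope that you cannot account for is worth a look even if its version is not on a published list of bad ones.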
