Fortinet vulnerabilities: attackers retain access after official patches
Fortinet has warned of an attack technique that allows attackers to maintain access to previously compromised FortiGate devices even after the vulnerabilities (including CVE-2022-42475, CVE-2023-27997, CVE-2024-21762) have been patched.
The attackers created a symbolic link (symlink) from the folder that serves SSL-VPN language files to the root file system, linking the user file system to the root file system. Because that folder is served to SSL-VPN users, the symlink gave read-only access to the device configuration and other files, and it survived FortiOS updates that fixed the original vulnerabilities.
The issue affects devices with SSL-VPN enabled. Fortinet has released patches (7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16) that remove the symlink and modify the VPN interface to prevent such attacks.
CERT-FR reports large-scale exploitation since early 2023. CISA recommends disabling SSL VPN before applying the updates, resetting credentials, and reviewing device configurations.
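The persistence trick above boils down to a symlink inside a web-served directory whose target resolves outside that directory. The check below is an added example written for this digest, not Fortinet's own code or tooling: it builds a constructed sample tree (a hypothetical "lang" folder with one benign in-tree symlink and one symlink escaping to the root file system) and walks it to report every symlink whose resolved target lies outside an allowed root. The folder names are assumptions for illustration and do not reflect FortiOS's real layout.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(served_dir, allowed_root):
    """Return (link, resolved_target) pairs for every symlink under served_dir
    whose fully resolved target lies outside allowed_root.

    os.walk does not follow symlinked directories by default, so an escaping
    directory link is reported once and never descended into.
    """
    allowed = Path(allowed_root).resolve()
    findings = []
    for dirpath, dirnames, filenames in os.walk(served_dir):
        for name in dirnames + filenames:
            candidate = Path(dirpath) / name
            if not candidate.is_symlink():
                continue
            # resolve() follows the whole chain of links (non-strict, so a
            # dangling link still yields a path we can test)
            target = candidate.resolve()
            try:
                target.relative_to(allowed)          # inside the allowed root
            except ValueError:
                findings.append((str(candidate), str(target)))
    return findings


def build_sample_tree():
    """Construct a throwaway directory tree (constructed sample data, not a
    real appliance layout): a served 'lang' folder with a legitimate
    language file, a benign symlink to it, and a symlink to the root fs."""
    root = Path(tempfile.mkdtemp(prefix="sslvpn_sample_"))
    served = root / "lang"
    served.mkdir()
    (served / "en.json").write_text('{"login": "Login"}')
    # benign: stays inside the served folder
    os.symlink(served / "en.json", served / "default.json")
    # malicious: exposes the whole file system through the served folder
    os.symlink("/", served / "theme")
    return root, served


def escaping_link_names(served_dir, allowed_root):
    """Convenience wrapper returning just the sorted names of escaping links."""
    return sorted(Path(link).name
                  for link, _ in find_escaping_symlinks(served_dir, allowed_root))


if __name__ == "__main__":
    sample_root, served_dir = build_sample_tree()
    for link, target in find_escaping_symlinks(served_dir, sample_root):
        print(f"escaping symlink: {link} -> {target}")
```

Run against a real web root, pass the directory the web server is allowed to expose as allowed_root; any hit is worth an inventory check, because a symlink created by an intruder is not touched by a package update that only replaces the regular files it shipped.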
Infostealers for macOS: analyzing the Atomic Stealer attack
Despite macOS's reputation as a more secure operating system, in 2024 it became the target of one of the most aggressive infostealers, Atomic Stealer (AMOS).
AMOS is a malicious program designed to steal data from macOS devices. It collects passwords from Keychain, system information, notes, files from the desktop and documents, browser data, and cryptocurrency wallets.
Attackers distribute AMOS through fake websites and fake installers of popular applications, disguised as legitimate .dmg files. Once launched, the program requests the user's password through a fake AppleScript dialog, collects the data, and sends it to the command-and-control server.
A team of researchers from Picus Security conducted a detailed analysis of this threat. It is available at: https://www.picussecurity.com/resource/blog/atomic-stealer-amos-macos-threat-analysis
Leaked conversations of Black Basta, one of the Russian ransomware groups
In February 2025, conversations of the Black Basta hacker group members were leaked. The group, one of the largest ransomware operators since 2022, is behind attacks on more than 500 companies worldwide, including large corporations in the United States, Europe, and Japan. It has been linked to the Conti and FIN7 operations and Russian cybercriminal circles.
The leaked correspondence revealed:
● Internal conflicts among the participants and the struggle over money
● Disagreements over attacks on companies from Russia (this was discussed as a "red line")
● Ties with other groups and hired developers
● Possible plans for rebranding and the group's disbandment
The information was published by an unknown person under the nickname ExploitWhispers, presumably a former member or close insider. The leak severely damaged the group's reputation and triggered a chain reaction across darknet communities.
Screenshots of the correspondence and an analysis of the published information can be found at: https://www.trellix.com/blogs/research/analysis-of-black-basta-ransomware-chat-leaks/
Major threats and vulnerabilities (April 2025)
Microsoft
This month, Microsoft patched 121 vulnerabilities, 11 of which were classified as critical and one as a zero-day. At the time of publication, none of them has a public PoC. The most notable ones are:
● Vulnerability in Windows CLFS (CVE-2025-29824).
A vulnerability with a CVSS score of 7.8 allows a local attacker to escalate privileges to SYSTEM, the highest level of access in Windows. The bug stems from improper memory management when handling log files. Exploitation in real attacks has been observed.
● Vulnerabilities in Microsoft Office
Several high-severity vulnerabilities (CVE-2025-29791, CVE-2025-27749, etc.) are related to memory errors. Opening a specially crafted document (e.g., an Excel file) can lead to the execution of malicious code.
● Remote Desktop Gateway (CVE-2025-27482 and CVE-2025-27480)
Two high-severity vulnerabilities in the remote access service. One stems from storing sensitive data in improperly locked memory, the other is a use-after-free (memory reuse) error. Both require winning a precise timing window, but neither requires privileges or user interaction.
● Vulnerabilities in the Windows LDAP Client (CVE-2025-26670 and CVE-2025-26663)
The vulnerabilities allow an attacker to remotely execute code without authentication by sending specially crafted network requests to a vulnerable LDAP server. Exploitation depends on winning a race condition, but the bugs are dangerous because of how widely LDAP is used in corporate infrastructure.
Google Chrome.
An active attack exploiting CVE-2025-2783, a zero-day vulnerability that allows the Chrome sandbox to be bypassed without user interaction, has been detected. The attack began with phishing emails carrying a link to a malicious website disguised as the Primakov Readings event. The vulnerability was fixed on March 25.
Mozilla Firefox.
Firefox 137 fixes 14 vulnerabilities, 13 of which are of high severity. Some vulnerabilities allow malicious code to be executed via specially crafted web pages.
Apple.
Apple has released updates that address several vulnerabilities, including two actively exploited ones (CVE-2025-24200 and CVE-2025-24201). They have been used in attacks on iOS and iPadOS devices to bypass security mechanisms.
Linux.
Microsoft announced the discovery of 20 vulnerabilities in Linux bootloaders (GRUB2, U-Boot, Barebox). Some of them can be used to bypass Secure Boot and install malicious bootloaders. Most vulnerabilities require physical access.
WinRAR.
Critical vulnerability CVE-2025-31334 allows the Mark of the Web security mechanism to be bypassed and malicious code to run when a malicious archive is opened. It is recommended to update WinRAR to version 7.11.
VMware.
Vulnerability CVE-2025-22230 in VMware Tools for Windows allows users without administrator access to perform elevated privilege actions within a virtual machine. An update to version 12.5.1 resolves the issue.
Cisco.
Attempts to exploit vulnerabilities CVE-2024-20439 and CVE-2024-20440 in Cisco Smart Licensing Utility have been detected. The former allows remote access via a built-in (hard-coded) password, while the latter discloses sensitive data. Cisco has released a fix.
Apache Tomcat.
Vulnerability CVE-2025-24813 is already being used in attacks. It allows a server to be taken over via a PUT request that uploads serialized data which the server then deserializes. Apache has released an update, and interim mitigations are also available.