{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/fortisiem/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["FortiSIEM"],"_cs_severities":["high"],"_cs_tags":["fortinet","fortisiem","vulnerability","xss","rce"],"_cs_type":"advisory","_cs_vendors":["Fortinet"],"content_html":"\u003cp\u003eThe German Federal Office for Information Security (BSI), through its CERT-Bund advisory, has highlighted multiple critical vulnerabilities within Fortinet FortiSIEM, a security information and event management solution. These flaws could be exploited by an attacker to conduct Cross-Site Scripting (XSS) attacks or achieve arbitrary code execution on affected systems. Such exploitation could lead to various severe consequences, including unauthorized access to user sessions, data exfiltration, or complete compromise of the FortiSIEM instance and potentially its monitored environments. This advisory serves as a warning to organizations using FortiSIEM to address these security weaknesses promptly to prevent potential attacker control over their SIEM infrastructure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: An attacker identifies internet-facing or internal FortiSIEM instances vulnerable to the described Cross-Site Scripting (XSS) or remote code execution (RCE) flaws.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Payload Crafting\u003c/strong\u003e: The attacker develops a specific payload, either a malicious JavaScript snippet for XSS or a command string for RCE, tailored to the identified vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation Attempt (XSS)\u003c/strong\u003e: The attacker injects the XSS payload into a user-controlled input field or parameter within the FortiSIEM web interface, aiming to have it rendered without proper sanitization.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation Attempt (RCE)\u003c/strong\u003e: Alternatively, the attacker sends a specially crafted request that triggers the arbitrary code execution vulnerability on the FortiSIEM server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful XSS Execution (Client-Side)\u003c/strong\u003e: If the XSS attack is successful, the injected malicious script executes within the browser of a legitimate FortiSIEM user viewing the compromised web page.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSuccessful RCE Execution (Server-Side)\u003c/strong\u003e: If the RCE attack is successful, the FortiSIEM server executes the arbitrary commands supplied by the attacker, potentially under the privileges of the running application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePost-Exploitation\u003c/strong\u003e: Upon successful exploitation, the attacker gains unauthorized access to user sessions via XSS or achieves system control over the FortiSIEM instance via RCE, allowing further reconnaissance, data theft, or lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to significant compromise of an organization's security posture. Cross-Site Scripting (XSS) attacks can result in session hijacking, credential theft, or the redirection of users to malicious sites, undermining the integrity of user interactions with the FortiSIEM platform. Arbitrary code execution (RCE) is particularly severe, granting attackers full control over the FortiSIEM appliance. This could enable attackers to manipulate security logs, disable alerts, exfiltrate sensitive data from monitored systems, or use the SIEM as a pivot point for further attacks into the network, severely impacting incident response capabilities and overall network security.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately apply all available security patches and updates for Fortinet FortiSIEM to mitigate the reported Cross-Site Scripting (XSS) and code execution vulnerabilities.\u003c/li\u003e\n\u003cli\u003eReview network segmentation and access controls for FortiSIEM deployments to ensure only authorized personnel and necessary services can access the management interface.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive logging on FortiSIEM and surrounding infrastructure to detect unusual login attempts, process creations, or outbound connections that could indicate post-exploitation activity.\u003c/li\u003e\n\u003cli\u003eConduct regular security audits and penetration testing of FortiSIEM instances to identify and address potential vulnerabilities proactively.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T08:39:43Z","date_published":"2026-07-15T08:39:43Z","id":"https://feed.craftedsignal.io/briefs/2026-07-fortinet-fortisiem-vulnerabilities/","summary":"Multiple vulnerabilities have been identified in Fortinet FortiSIEM that could allow an attacker to perform Cross-Site Scripting (XSS) attacks or achieve arbitrary code execution, enabling unauthorized script injection into web pages or direct execution of attacker-controlled code within the system.","title":"Multiple Vulnerabilities in Fortinet FortiSIEM","url":"https://feed.craftedsignal.io/briefs/2026-07-fortinet-fortisiem-vulnerabilities/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-6875"},{"cvss":4,"id":"CVE-2026-14902"},{"cvss":7.7,"id":"CVE-2026-14903"}],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Brazil (prior to Brazil EA)","Brazil (prior to Brazil GA)","Australia (prior to Australia Patch 2)","Zurich (prior to Zurich Patch 7b)","Zurich (prior to Zurich Patch 9)","Yokohama (prior to Yokohama Patch 12 Hot Fix 1b)","Yokohama (prior to Yokohama Patch 13)","ServiceNow AI platform","Xtraction","FortiOS","FortiProxy","FortiSASE","FortiSIEM","FortiClient EMS","FortiAuthenticator","FortiPAM","FortiSwitch Manager","FortiSwitch-Manager Agentless SSL-VPN","FortiSandbox"],"_cs_severities":["high"],"_cs_tags":["vulnerability","servicenow","cloud"],"_cs_type":"threat","_cs_vendors":["ServiceNow","Ivanti","Fortinet"],"content_html":"\u003cp\u003eOn July 13, 2026, ServiceNow issued a security advisory (AV26-693) detailing a critical sandbox escape vulnerability, identified as CVE-2026-6875, within its AI Platform. This vulnerability affects several versions across multiple product lines, specifically Brazil (prior to EA and GA releases), Australia (prior to Patch 2), Zurich (prior to Patch 7b and Patch 9), and Yokohama (prior to Patch 12 Hot Fix 1b and Patch 13). A sandbox escape allows an attacker to break out of a restricted execution environment, potentially gaining unauthorized access to underlying systems or sensitive data with higher privileges. While the advisory does not specify observed exploitation in the wild, the critical nature of a sandbox escape warrants immediate attention for organizations utilizing these ServiceNow products to prevent potential data compromise, system disruption, or further network infiltration.\u003c/p\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6875 could allow an attacker to bypass the security restrictions of the ServiceNow AI Platform's sandbox environment. This could lead to unauthorized access to sensitive data, execution of arbitrary code outside the sandbox, or escalation of privileges on the affected ServiceNow instance. While no specific victims or attack campaigns have been detailed in the advisory, any organization using the vulnerable versions of ServiceNow Brazil, Australia, Zurich, or Yokohama platforms is at risk of severe impact, including data breaches, system integrity compromise, and operational disruption if the vulnerability is exploited by a malicious actor.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eReview the ServiceNow Security Advisory (KB3137947) linked in this brief immediately to understand the specific affected versions and apply the necessary patches for CVE-2026-6875.\u003c/li\u003e\n\u003cli\u003eApply the recommended updates to your ServiceNow Brazil instances (prior to Brazil EA and Brazil GA), Australia instances (prior to Australia Patch 2), Zurich instances (prior to Zurich Patch 7b and Zurich Patch 9), and Yokohama instances (prior to Yokohama Patch 12 Hot Fix 1b and Yokohama Patch 13).\u003c/li\u003e\n\u003cli\u003eEnsure that all ServiceNow platforms are kept up-to-date with the latest security patches to mitigate known vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T11:05:50Z","date_published":"2026-07-14T14:38:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-servicenow-sandbox-escape/","summary":"ServiceNow has released a security advisory addressing CVE-2026-6875, a critical sandbox escape vulnerability affecting multiple product versions including Brazil, Australia, Zurich, and Yokohama, which could allow an attacker to bypass security boundaries and execute arbitrary code with elevated privileges.","title":"ServiceNow Critical Sandbox Escape Vulnerability (CVE-2026-6875)","url":"https://feed.craftedsignal.io/briefs/2026-07-servicenow-sandbox-escape/"}],"language":"en","title":"CraftedSignal Threat Feed - FortiSIEM","version":"https://jsonfeed.org/version/1.1"}