<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>FortiSIEM - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/fortisiem/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 08:39:43 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/fortisiem/feed.xml" rel="self" type="application/rss+xml"/><item><title>Multiple Vulnerabilities in Fortinet FortiSIEM</title><link>https://feed.craftedsignal.io/briefs/2026-07-fortinet-fortisiem-vulnerabilities/</link><pubDate>Wed, 15 Jul 2026 08:39:43 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-fortinet-fortisiem-vulnerabilities/</guid><description>Multiple vulnerabilities have been identified in Fortinet FortiSIEM that could allow an attacker to perform Cross-Site Scripting (XSS) attacks or achieve arbitrary code execution, enabling unauthorized script injection into web pages or direct execution of attacker-controlled code within the system.</description><content:encoded><![CDATA[<p>The German Federal Office for Information Security (BSI), through its CERT-Bund advisory, has highlighted multiple critical vulnerabilities within Fortinet FortiSIEM, a security information and event management solution. These flaws could be exploited by an attacker to conduct Cross-Site Scripting (XSS) attacks or achieve arbitrary code execution on affected systems. Such exploitation could lead to various severe consequences, including unauthorized access to user sessions, data exfiltration, or complete compromise of the FortiSIEM instance and potentially its monitored environments. This advisory serves as a warning to organizations using FortiSIEM to address these security weaknesses promptly to prevent potential attacker control over their SIEM infrastructure.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Vulnerability Identification</strong>: An attacker identifies internet-facing or internal FortiSIEM instances vulnerable to the described Cross-Site Scripting (XSS) or remote code execution (RCE) flaws.</li>
<li><strong>Malicious Payload Crafting</strong>: The attacker develops a specific payload, either a malicious JavaScript snippet for XSS or a command string for RCE, tailored to the identified vulnerability.</li>
<li><strong>Exploitation Attempt (XSS)</strong>: The attacker injects the XSS payload into a user-controlled input field or parameter within the FortiSIEM web interface, aiming to have it rendered without proper sanitization.</li>
<li><strong>Exploitation Attempt (RCE)</strong>: Alternatively, the attacker sends a specially crafted request that triggers the arbitrary code execution vulnerability on the FortiSIEM server.</li>
<li><strong>Successful XSS Execution (Client-Side)</strong>: If the XSS attack is successful, the injected malicious script executes within the browser of a legitimate FortiSIEM user viewing the compromised web page.</li>
<li><strong>Successful RCE Execution (Server-Side)</strong>: If the RCE attack is successful, the FortiSIEM server executes the arbitrary commands supplied by the attacker, potentially under the privileges of the running application.</li>
<li><strong>Post-Exploitation</strong>: Upon successful exploitation, the attacker gains unauthorized access to user sessions via XSS or achieves system control over the FortiSIEM instance via RCE, allowing further reconnaissance, data theft, or lateral movement.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can lead to significant compromise of an organization's security posture. Cross-Site Scripting (XSS) attacks can result in session hijacking, credential theft, or the redirection of users to malicious sites, undermining the integrity of user interactions with the FortiSIEM platform. Arbitrary code execution (RCE) is particularly severe, granting attackers full control over the FortiSIEM appliance. This could enable attackers to manipulate security logs, disable alerts, exfiltrate sensitive data from monitored systems, or use the SIEM as a pivot point for further attacks into the network, severely impacting incident response capabilities and overall network security.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately apply all available security patches and updates for Fortinet FortiSIEM to mitigate the reported Cross-Site Scripting (XSS) and code execution vulnerabilities.</li>
<li>Review network segmentation and access controls for FortiSIEM deployments to ensure only authorized personnel and necessary services can access the management interface.</li>
<li>Enable comprehensive logging on FortiSIEM and surrounding infrastructure to detect unusual login attempts, process creations, or outbound connections that could indicate post-exploitation activity.</li>
<li>Conduct regular security audits and penetration testing of FortiSIEM instances to identify and address potential vulnerabilities proactively.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>fortinet</category><category>fortisiem</category><category>vulnerability</category><category>xss</category><category>rce</category></item><item><title>ServiceNow Critical Sandbox Escape Vulnerability (CVE-2026-6875)</title><link>https://feed.craftedsignal.io/briefs/2026-07-servicenow-sandbox-escape/</link><pubDate>Tue, 14 Jul 2026 14:38:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-servicenow-sandbox-escape/</guid><description>ServiceNow has released a security advisory addressing CVE-2026-6875, a critical sandbox escape vulnerability affecting multiple product versions including Brazil, Australia, Zurich, and Yokohama, which could allow an attacker to bypass security boundaries and execute arbitrary code with elevated privileges.</description><content:encoded><![CDATA[<p>On July 13, 2026, ServiceNow issued a security advisory (AV26-693) detailing a critical sandbox escape vulnerability, identified as CVE-2026-6875, within its AI Platform. This vulnerability affects several versions across multiple product lines, specifically Brazil (prior to EA and GA releases), Australia (prior to Patch 2), Zurich (prior to Patch 7b and Patch 9), and Yokohama (prior to Patch 12 Hot Fix 1b and Patch 13). A sandbox escape allows an attacker to break out of a restricted execution environment, potentially gaining unauthorized access to underlying systems or sensitive data with higher privileges. While the advisory does not specify observed exploitation in the wild, the critical nature of a sandbox escape warrants immediate attention for organizations utilizing these ServiceNow products to prevent potential data compromise, system disruption, or further network infiltration.</p>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-6875 could allow an attacker to bypass the security restrictions of the ServiceNow AI Platform's sandbox environment. This could lead to unauthorized access to sensitive data, execution of arbitrary code outside the sandbox, or escalation of privileges on the affected ServiceNow instance. While no specific victims or attack campaigns have been detailed in the advisory, any organization using the vulnerable versions of ServiceNow Brazil, Australia, Zurich, or Yokohama platforms is at risk of severe impact, including data breaches, system integrity compromise, and operational disruption if the vulnerability is exploited by a malicious actor.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Review the ServiceNow Security Advisory (KB3137947) linked in this brief immediately to understand the specific affected versions and apply the necessary patches for CVE-2026-6875.</li>
<li>Apply the recommended updates to your ServiceNow Brazil instances (prior to Brazil EA and Brazil GA), Australia instances (prior to Australia Patch 2), Zurich instances (prior to Zurich Patch 7b and Zurich Patch 9), and Yokohama instances (prior to Yokohama Patch 12 Hot Fix 1b and Yokohama Patch 13).</li>
<li>Ensure that all ServiceNow platforms are kept up-to-date with the latest security patches to mitigate known vulnerabilities.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">threat</category><category>vulnerability</category><category>servicenow</category><category>cloud</category></item></channel></rss>