Fortinet

A Russian-speaking threat group utilized a large dataset of administrative and VPN credentials, likely sourced from exposed FortiGate configuration files and active credential harvesting, to access government, critical infrastructure, and multinational corporate networks, resulting in widespread data exfiltration.

Multiple critical vulnerabilities (CVE-2025-67862, CVE-2026-25089, CVE-2026-49938) have been discovered across Fortinet products including FortiOS, FortiPortal, FortiProxy, and FortiSandbox, enabling unauthenticated attackers to achieve remote arbitrary code execution and compromise data confidentiality.

A user with the Administrator role has successfully logged in to the FortiGate management interface for the first time within the last 5 days, potentially indicating unauthorized access or misconfiguration.

A remote, authenticated attacker can exploit a vulnerability in Fortinet FortiAnalyzer and FortiManager to perform a denial-of-service attack, disrupting normal operations.

A remote, anonymous attacker can exploit a vulnerability in Fortinet FortiSandbox to execute arbitrary program code, potentially leading to system compromise.

An authenticated remote attacker can exploit a vulnerability in Fortinet FortiOS to escalate their privileges.

Multiple vulnerabilities in Fortinet's FortiAuthenticator and FortiSandbox products could lead to remote code execution, potentially allowing attackers to install programs, modify data, or create new accounts.

Fortinet released security advisories on May 12, 2026, addressing critical vulnerabilities including improper access control, incorrect global authorization, and out-of-bounds access across FortiAuthenticator, FortiOS, and FortiSandbox product lines, urging users to apply necessary updates.

Adversaries may add malicious Windows Filtering Platform (WFP) rules to prevent endpoint security solutions from sending telemetry data, impairing defenses, which this rule detects by identifying multiple WFP block events where the process name is associated with endpoint security software.

Threat actors are abusing the Komari monitoring agent, a project hosted on GitHub, as a SYSTEM-level backdoor following initial access through compromised VPN credentials and lateral movement via Impacket.

Detection of unsigned or untrusted DLLs being loaded into the LSASS process, which is indicative of credential access attempts by adversaries aiming to steal sensitive information such as user passwords.

Attackers modify the Windows Filtering Platform (WFP) policy to block the communication of endpoint detection and response (EDR) processes, impairing their functionality and hindering detection of malicious activities.

Detection of 'netsh' command execution to enable network discovery in the firewall, a technique commonly used by ransomware such as REvil and RedDot to discover and compromise additional machines on the network.

This analytic detects the modification of Windows Firewall settings to enable file and printer sharing, a common technique used by ransomware to facilitate lateral movement and broader network encryption.

Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.

The creation of MSC files within a 'C:\Windows \System32' directory can be exploited to execute malicious files due to path parsing vulnerabilities in Windows, potentially leading to privilege escalation, persistence, and defense evasion.