SmarterTools SmarterMail RCE
An actively targeted vulnerability has been identified in SmarterTools SmarterMail, tracked as CVE-2025-52691, with a CVSS score of 10.0 (Critical). The flaw allows unauthenticated attackers to upload arbitrary files to any location on the mail server, potentially resulting in remote code execution (RCE).
|
Cisco ASA and FTD Firewall RCE
Critical zero-day vulnerabilities affecting Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) software have been actively exploited in the wild. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks. |
React2Shell Remote Code Execution
React2Shell is a critical unauthenticated remote code execution (RCE) vulnerability affecting React Server Components (RSC) and frameworks that implement the Flight protocol, including specific vulnerable versions of Next.js. A remote attacker can craft a malicious RSC request that triggers server-side deserialization, leading to arbitrary code execution without authentication or user interaction. |
UNC1549 Critical Infrastructure Espionage Attack
A suspected Iran-linked espionage group tracked as UNC1549 is actively targeting aerospace, defense, and telecommunications organizations across Europe and other regions. The threat actor employs a combination of highly tailored spear-phishing, credential theft from third-party services, and the abuse of virtual desktop infrastructure such as Citrix, VMware, and Azure VDI to gain initial access and move laterally within target networks. |
Akira Ransomware
FortiGuard Labs continue to observe detections in the wild related to the Akira ransomware group. According to the new report by CISA it has targeted over 250 organizations since the past year, affecting numerous businesses and critical infrastructure entities across North America, Europe, and Australia. The gang has made over $42 million from the attacks as ransom payments. |
Oracle E-Business Suite RCE Zero-day
Actively exploited as a zero-day in data theft and extortion campaigns, with activity linked to the Cl0p ransomware group. Successful exploitation enables complete takeover of Oracle Concurrent Processing, opening the door to lateral movement, sensitive data exfiltration, and potential ransomware deployment. |
Fortra GoAnywhere MFT Attack
A critical deserialization vulnerability in GoAnywhere MFT's License Servlet (CVSS 10.0) is actively being exploited in the wild. The flaw allows attackers with a forged license response signature to deserialize arbitrary objects, which can lead to command injection and remote code execution (RCE). FortiGuard telemetry shows sustained, high-volume exploitation attempts against GoAnywhere MFT instances. |
ShadowSilk Data Exfiltration Attack
FortiGuard Labs' network telemetry has observed active exploitation of known vulnerabilities in Drupal Core and the WP-Automatic WordPress plugin for initial access. Following compromise, attackers deploy multiple web shells and utilities to enable lateral movement, privilege escalation, and the installation of remote access trojans (RATs). |
Citrix Bleed 2
FortiGuard Labs has observed a sharp increase in exploitation attempts targeting the 'Citrix Bleed 2' vulnerability since July 28, 2025. Telemetry indicates activity has surged to over 6,000 detections across IPS sensors globally. The majority of observed attacks are concentrated in the United States, Australia, Germany, and the United Kingdom, with adversaries primarily focusing on high-value sectors such as technology, banking, healthcare, and education. |
Microsoft SharePoint Zero-day Attack
FortiGuard Labs has detected and successfully blocked hundreds of exploitation attempts targeting a newly discovered zero-day vulnerability chain in on-premises Microsoft SharePoint servers. This active campaign is being exploited by multiple threat actors and poses a significant risk to a wide range of sectors including government, education, healthcare, and large enterprises. |
SonicWall Secure Mobile Access Attack
A campaign targeting SonicWall SMA 100 series appliances is currently under active exploitation, leveraging both known vulnerabilities and potential zero-days to gain persistent access to enterprise networks. The threat actors deploy a custom Linux-based rootkit for stealth and long-term persistence. |
Langflow Unauth RCE Attack
FortiGuard Labs has observed a significant uptick in attacks targeting Langflow, leveraging a recently discovered authentication bypass vulnerability that allows unauthenticated remote attackers to fully compromise affected servers. |
TBK DVRs Botnet Attack
Threat Actors are actively exploiting CVE-2024-3721, a command injection vulnerability in TBK DVR devices (Digital Video Recorders). This flaw allows unauthenticated remote code execution (RCE) via crafted HTTP requests to the endpoint. The compromised devices are conscripted into a botnet capable of conducting DDoS attacks. |
SimpleHelp Support Software Attack
FortiGuard Labs continues to observe ongoing attack attempts targeting SimpleHelp, a Remote Monitoring and Management (RMM) software, due to a critical unauthenticated path traversal vulnerability (CVE-2024-57727) affecting versions 5.5.7 and earlier. |
Earth Lamia APT Attack
FortiGuard's global sensor network report consistently high levels of attack attempts targeting vulnerabilities associated with Earth Lamia APT campaigns. According to Trend Research, the hacking group known as Earth Lamia has been actively targeting a range of sectors- including finance, government, IT, logistics, retail, and education- shifting its focus based on evolving objectives and time periods. The group is known for its high level of activity and primarily exploits known vulnerabilities in public-facing systems and web applications to gain access. |
CrushFTP Authentication Bypass Attack
FortiGuard Labs has identified ongoing and persistent attack attempts in the wild that are aimed at exploiting CVE-2025-31161, which is an authentication bypass vulnerability found in CrushFTP file transfer server. If successfully exploited, this vulnerability could allow attackers to gain administrative access to the application, representing a significant risk to enterprise environments. |
Commvault Command Center Path Traversal Vulnerability
FortiGuard Labs has detected persistent attempts to exploit the Commvault Command Center path traversal vulnerability, identified as CVE-2025-34028. If attacks succeed, they could achieve full system compromise. FortiGuard telemetry shows exploitation attempts in the United States, Brazil, Turkey, the United Kingdom and Italy. |
Apache Tomcat RCE
FortiGuard Labs has identified ongoing attack attempts aimed at exploiting the recently discovered Apache Tomcat remote code execution vulnerability, CVE-2025-24813. If successful, attackers could gain access to sensitive security files, allowing them to view or inject arbitrary content and potentially execute code remotely on target systems. |
Outbreak Alert- Annual Report 2024
In 2024, FortiGuard blocked 3.1 trillion vulnerability exploits and stopped 2.5 billion malware deliveries-fortifying businesses against relentless cyber threats. Stay ahead with the latest insights from our industry-leading threat intelligence! |
Microsoft .NET Framework Information Disclosure
Threat Actors are targeting and actively exploiting a Microsoft .NET Framework information disclosure vulnerability (CVE-2024-29059) that exposes the ObjRef URI to an attacker, ultimately enabling remote code execution. |
|