Active Threat Alert: Exploitation Attempts Targeting Fortinet and Citrix Devices from Russian IP Block

Organizations running Fortinet FortiGate or Citrix NetScaler appliances should be aware of active exploitation attempts originating from the IP range 178.22.24.0/24, attributed to AS209290 (GALEON-AS), a network registered to Galeon LLC in Moscow, Russia. Security analysts have observed sustained malicious activity from this range, consistent with an automated campaign against vulnerable perimeter devices.

Indicators of Compromise (IOCs)

Sample IP addresses involved in the attack activity:

178.22.24.11
178.22.24.12
178.22.24.13
178.22.24.14
178.22.24.15
178.22.24.17
178.22.24.18
178.22.24.20
178.22.24.21
178.22.24.23
178.22.24.24

All of the above belong to the subnet 178.22.24.0/24, which should be treated as hostile and blocked where appropriate. Blocking the range stops the scanning; it does not tell you whether an earlier attempt succeeded, so the same range should also be searched for in historical VPN and administrative-interface logs.

Associated Vulnerabilities

This activity aligns with known exploit patterns targeting the following critical vulnerabilities:

Fortinet
CVE-2023-27997 — FortiOS & FortiProxy SSL-VPN RCE ("XORtigate") [Unauthenticated RCE via heap-based buffer overflow] [CVSS: 9.8]
CVE-2022-40684 — FortiOS & FortiProxy Authentication Bypass [Enables an attacker to modify system configuration via crafted requests to the administrative interface] [CVSS: 9.6]

Citrix NetScaler
CVE-2023-3519 — Citrix ADC…
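
As an added example (not part of the original alert), the following script shows how a responder might triage FortiGate SSL-VPN event logs against the hostile /24 and emit the FortiOS address object needed to block it. The log lines are constructed for illustration, and the object name galeon_hostile is a placeholder; attach the object to a deny policy or to the SSL-VPN source restriction as fits your deployment.

```python
import ipaddress
import re
from collections import Counter

# Hostile range named in the alert (AS209290 / GALEON-AS).
HOSTILE_NETS = [ipaddress.ip_network("178.22.24.0/24")]

# Constructed FortiGate key=value event lines for illustration; not real telemetry.
SAMPLE_LOGS = """\
date=2025-07-20 time=03:14:07 logid="0101039424" type="event" subtype="vpn" action="ssl-login-fail" remip=178.22.24.11 user="admin" reason="sslvpn_login_unknown_user"
date=2025-07-20 time=03:14:08 logid="0101039424" type="event" subtype="vpn" action="ssl-login-fail" remip=178.22.24.12 user="test" reason="sslvpn_login_unknown_user"
date=2025-07-20 time=03:14:09 logid="0101039424" type="event" subtype="vpn" action="ssl-login-fail" remip=203.0.113.9 user="jsmith" reason="sslvpn_login_permission_denied"
date=2025-07-20 time=03:14:10 logid="0101039424" type="event" subtype="vpn" action="ssl-login-fail" remip=178.22.24.11 user="root" reason="sslvpn_login_unknown_user"
date=2025-07-20 time=03:14:11 logid="0101039947" type="event" subtype="vpn" action="tunnel-up" remip=178.22.24.23 user="svc_backup" reason="N/A"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_kv(line):
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    out = {}
    for key, val in KV_RE.findall(line):
        out[key] = val[1:-1] if val.startswith('"') else val
    return out


def is_hostile(ip_str):
    """True if ip_str falls inside any of the hostile networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in HOSTILE_NETS)


def triage(log_text):
    """Return (hits, tunnel_ups).

    hits counts events per hostile source IP (scanning noise, block it).
    tunnel_ups lists hostile sources that completed a VPN login; those need
    incident handling (credential reset, session review), not just a block.
    """
    hits = Counter()
    tunnel_ups = []
    for line in log_text.splitlines():
        ev = parse_kv(line)
        src = ev.get("remip")
        if not src or not is_hostile(src):
            continue
        hits[src] += 1
        if ev.get("action") == "tunnel-up":
            tunnel_ups.append((src, ev.get("user")))
    return hits, tunnel_ups


def fortios_block_config(name="galeon_hostile"):
    """Emit FortiOS CLI that defines an address object per hostile network.
    Policy placement (deny rule / SSL-VPN source filter) is left to the operator."""
    lines = ["config firewall address"]
    for i, net in enumerate(HOSTILE_NETS):
        lines += [f'    edit "{name}_{i}"',
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    hits, tunnel_ups = triage(SAMPLE_LOGS)
    for src, n in hits.most_common():
        print(f"{src}: {n} event(s)")
    for src, user in tunnel_ups:
        print(f"ALERT: successful VPN login from hostile {src} as {user!r}")
    print(fortios_block_config())
```

The split between `hits` and `tunnel_ups` is the point: a failed login from the range is expected scanner noise, while a `tunnel-up` from it means the device accepted a session and must be treated as a compromise until proven otherwise.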

Critical RCE Vulnerability Discovered in SonicWall SMA 100 Series Devices

SonicWall has issued a security advisory addressing a critical vulnerability in its SMA 100 series VPN appliances that could allow an authenticated attacker to execute arbitrary code on affected devices. The flaw, tracked as CVE-2025-40599, affects firmware versions 10.2.1.15-81sv and earlier. It lies in the web management interface and lets an authenticated administrator upload arbitrary files, which can lead to remote code execution (RCE). SonicWall has released updated firmware, version 10.2.2.1-90sv, to address the issue and urges all customers to update immediately. SonicWall states it has no evidence that this particular flaw is being exploited, but it also confirms that threat actors are actively targeting SMA 100 devices, in particular with previously stolen administrative credentials; an admin-only upload flaw is exactly what such credentials turn into code execution, so rotating administrator passwords after patching matters as much as the patch itself. The urgency is compounded by findings from the Google Threat Intelligence Group, which uncovered a backdoor campaign by the threat group UNC6148. That campaign used the OVERSTEP malware to maintain persistent access, even on patched systems, and to steal credentials over extended periods. In…
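
As an added example (not SonicWall's code or part of the advisory), here is a small fleet check that decides from a firmware string whether an SMA 100 appliance is still on an affected release. The affected/fixed boundaries are the two versions quoted above; the inventory rows are constructed, and the hostnames and the 10.2.1.9-57sv build are placeholders rather than real devices.

```python
import re

# Boundaries from the advisory: 10.2.1.15-81sv and earlier are affected;
# 10.2.2.1-90sv is the fixed release.
LAST_VULNERABLE = "10.2.1.15-81sv"
FIXED = "10.2.2.1-90sv"

# SMA 100 firmware strings look like major.minor.patch.build-NNsv
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_sma_version(s):
    """Turn '10.2.1.15-81sv' into a comparable tuple (10, 2, 1, 15, 81).

    Fields are compared as integers, so 10.2.1.15 correctly sorts above
    10.2.1.9; a plain string comparison would rank '15' below '9'.
    """
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {s!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_cve_2025_40599(version):
    """True if the firmware is at or below the last affected release."""
    return parse_sma_version(version) <= parse_sma_version(LAST_VULNERABLE)


# Constructed inventory rows (hostname, firmware); placeholders, not real devices.
INVENTORY = [
    ("sma-dc1", "10.2.1.15-81sv"),
    ("sma-dc2", "10.2.2.1-90sv"),
    ("sma-branch", "10.2.1.9-57sv"),
    ("sma-lab", "10.2.1.15-81sv "),   # trailing whitespace from a copy/paste: tolerated
]


def audit(inventory):
    """Return (host, detail) for every appliance that still needs action.

    An unparseable version is reported rather than silently treated as safe,
    because 'unknown' is not the same as 'patched'.
    """
    flagged = []
    for host, ver in inventory:
        try:
            if is_vulnerable_cve_2025_40599(ver):
                flagged.append((host, ver.strip()))
        except ValueError as e:
            flagged.append((host, f"UNPARSEABLE: {e}"))
    return flagged


if __name__ == "__main__":
    for host, detail in audit(INVENTORY):
        print(f"{host}: {detail} (update to {FIXED} and rotate admin credentials)")
```

Pair the version check with a credential rotation step: the flaw needs an administrator login, and the activity described above involves credentials stolen before devices were patched, so a fully updated appliance with its old admin password is still exposed.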

Threat Alert: Microsoft 365 “Direct Send” Abused in New Phishing Campaigns

Researchers have identified a phishing technique that abuses Microsoft 365's Direct Send feature. It lets attackers deliver messages that look like internal mail, without compromising any account, and that slip past email defenses tuned to trust internal senders.

What is Direct Send?

Direct Send is a legitimate Microsoft 365 feature that lets devices and applications such as printers and scanners send email to mailboxes in the tenant through Microsoft's infrastructure without authenticating. Messages are submitted over SMTP to the tenant's smart host (e.g., tenantname.mail.protection.outlook.com). It was designed for internal notifications, so it allows unauthenticated devices to send mail to internal recipients only. Unfortunately, the same capability can be abused: the smart host name follows a predictable pattern and accepts unauthenticated connections from anywhere, so an attacker who knows an organization's domain and address format can connect to it and submit messages with spoofed internal addresses that arrive looking trusted. Such messages typically fail SPF and composite authentication, but because they enter through the tenant's own protection endpoint they are often handled as internal traffic rather than as inbound mail from the Internet.

How Attackers are Exploiting It

Starting in May 2025, attackers have been using Direct Send to distribute phishing emails that closely mimic internal communications. These emails often contain PDF attachments with…
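
As an added example (not part of the original post), the script below classifies a message from its headers the way a detection rule for this abuse would: an internal From domain, a connecting IP that is not one of the devices allowed to use Direct Send, and a failed composite authentication result together mark a likely Direct Send spoof. The three messages are constructed; contoso.com as the tenant domain, 192.0.2.0/24 as the allowlisted on-premises devices, and the server names in the Received headers are assumptions.

```python
import email
import email.utils
import ipaddress
import re
from email import policy

# Assumptions for the example: the tenant's accepted domain and the on-prem
# printers/relays that are legitimately allowed to use Direct Send.
TENANT_DOMAINS = {"contoso.com"}
AUTHORIZED_SENDERS = [ipaddress.ip_network("192.0.2.0/24")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)")

# Constructed headers (server names/IPs are placeholders). Message 1 is an
# unauthenticated submission to the tenant's MX endpoint with a spoofed internal
# sender; message 2 is a real scanner on the allowlist; message 3 is ordinary
# external mail that authenticates properly.
SPOOFED = """\
Received: from 198.51.100.23 (unknown [198.51.100.23]) by
 CO1PEPF000044F5.mail.protection.outlook.com (10.167.241.72) with Microsoft SMTP
 Server id 15.20.8964.14; Sun, 20 Jul 2025 08:14:02 +0000
Authentication-Results: spf=fail (sender IP is 198.51.100.23)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=fail action=none header.from=contoso.com; compauth=fail reason=000
From: IT Helpdesk <it-helpdesk@contoso.com>
To: alice@contoso.com
Subject: Voicemail from +1 555 0147
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

A new voicemail is attached. Scan the QR code to listen.
"""

LEGIT_PRINTER = """\
Received: from 192.0.2.10 (unknown [192.0.2.10]) by
 CO1PEPF000044F5.mail.protection.outlook.com (10.167.241.72) with Microsoft SMTP
 Server id 15.20.8964.14; Sun, 20 Jul 2025 08:20:11 +0000
Authentication-Results: spf=pass (sender IP is 192.0.2.10)
 smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none;
 dmarc=pass action=none header.from=contoso.com; compauth=pass reason=100
From: Scanner <scanner-2f@contoso.com>
To: alice@contoso.com
Subject: Scanned document
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Scan attached.
"""

EXTERNAL_OK = """\
Received: from mail.vendor.example (mail.vendor.example [203.0.113.40]) by
 CO1PEPF000044F5.mail.protection.outlook.com (10.167.241.72) with Microsoft SMTP
 Server id 15.20.8964.14; Sun, 20 Jul 2025 08:30:00 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.40)
 smtp.mailfrom=vendor.example; dkim=pass header.d=vendor.example;
 dmarc=pass action=none header.from=vendor.example; compauth=pass reason=100
From: Billing <billing@vendor.example>
To: alice@contoso.com
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

Invoice attached.
"""


def auth_results(msg):
    """spf/dkim/dmarc/compauth verdicts from the Authentication-Results header."""
    hdr = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(hdr)}


def from_domain(msg):
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edge_connecting_ip(msg):
    """IP that connected to the tenant's mail.protection.outlook.com endpoint,
    taken from the Received line that endpoint wrote."""
    for rcvd in msg.get_all("Received", []):
        if "mail.protection.outlook.com" in str(rcvd):
            m = IPV4_RE.search(str(rcvd))
            if m:
                return ipaddress.ip_address(m.group(1))
    return None


def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    ar = auth_results(msg)
    looks_internal = from_domain(msg) in TENANT_DOMAINS
    src = edge_connecting_ip(msg)
    trusted_ip = src is not None and any(src in n for n in AUTHORIZED_SENDERS)
    auth_failed = ar.get("compauth") == "fail" or ar.get("dmarc") == "fail"
    if looks_internal and trusted_ip:
        return "direct-send-allowed-device"
    if looks_internal and auth_failed:
        return "suspect-direct-send-spoof"
    return "not-direct-send-spoof"
```

If no device in the tenant actually needs Direct Send, the tenant-level switch in Exchange Online (`Set-OrganizationConfig -RejectDirectSend $true`) removes the attack surface outright; the header logic above is for tenants that still have to allow it for a known set of sources.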

Urgent: On-Prem SharePoint Vulnerability CVE‑2025‑53770 (ToolShell) – What You Need to Know

Summary

Microsoft has confirmed active exploitation of a critical on-premises SharePoint vulnerability, CVE-2025-53770, a variant of the previously identified CVE-2025-49706. The vulnerability allows unauthenticated remote code execution (RCE) on SharePoint servers. SharePoint Online (Microsoft 365) is not affected; organizations running SharePoint Server 2016, 2019, and Subscription Edition are at immediate risk. At the time of this post, no official patch is available, and Microsoft has issued interim mitigation guidance.

What You Need to Know

The vulnerability has a CVSS score of 9.8 (Critical). Exploits are being observed in the wild, with victims across public sector, education, and private industry globally. The exploit chain, named "ToolShell" by researchers, gives attackers full control of a server without authentication: crafted requests to public-facing SharePoint servers trigger deserialization flaws, after which the attackers drop web shells such as spinstall0.aspx to maintain persistent access. That web shell is used to read the server's ASP.NET machine key material, so a patch applied later does not by itself evict an attacker who already has the keys; the keys must be rotated and the servers checked for the shell.

Microsoft's Guidance

Microsoft…
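
As an added example (not part of the original post), here is a hunt over IIS W3C logs from a SharePoint front end for the two indicators the post names: the request pattern that triggers the chain (a POST to ToolPane.aspx in edit mode with a Referer of /_layouts/SignOut.aspx, the combination Microsoft published as the ToolShell signature) and any request for the spinstall0.aspx web shell. The log lines are constructed; the host names and IPs in them are placeholders.

```python
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (default SharePoint site field set); not real telemetry.
# Line 2 is the ToolShell request pattern, line 3 fetches the dropped web shell,
# line 4 is an ordinary ToolPane.aspx edit by a logged-in user (must NOT be flagged).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 01:02:03 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\\alice 10.0.1.20 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 152
2025-07-19 01:05:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 311
2025-07-19 01:05:46 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 27
2025-07-19 01:06:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.1.31 Mozilla/5.0 https://sp.contoso.local/_layouts/15/start.aspx 200 0 0 98
"""


def parse_iis(text):
    """Yield one dict per log entry, using the #Fields directive for the column
    names so a site with a different field order is not mis-indexed."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(None, 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # unknown layout or malformed entry: skip rather than guess
        yield dict(zip(fields, parts))


def hunt(text):
    """Return (client_ip, finding, uri_stem) for each suspicious entry."""
    findings = []
    for ev in parse_iis(text):
        stem = unquote(ev["cs-uri-stem"]).lower()
        query = unquote(ev["cs-uri-query"]).lower()
        referer = unquote(ev["cs(Referer)"]).lower()
        if "spinstall0.aspx" in stem:
            findings.append((ev["c-ip"], "webshell-request", ev["cs-uri-stem"]))
        elif (ev["cs-method"].upper() == "POST"
              and stem.endswith("/toolpane.aspx")
              and "displaymode=edit" in query
              and referer.endswith("/_layouts/signout.aspx")):
            findings.append((ev["c-ip"], "toolshell-exploit-pattern", ev["cs-uri-stem"]))
    return findings


if __name__ == "__main__":
    for ip, what, stem in hunt(SAMPLE_IIS_LOG):
        print(f"{ip}\t{what}\t{stem}")
```

A hit on the exploit pattern without a following web shell request still warrants a disk check: the shell is written under the 16\TEMPLATE\LAYOUTS directory of the SharePoint installation, and its presence means the machine keys have to be treated as stolen and rotated, not just the file removed.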