My information Resource (blog.mir.net)

NIST is pleased to announce the release of the Privacy Framework 1.1 Initial Public Draft (IPD)! The NIST Privacy Framework is a “living” tool meant to evolve to meet stakeholder needs, and the time has come to update to Version 1.1. This update builds on the success of Privacy Framework 1.0 by responding to current privacy risk management needs, realigning with NIST Cybersecurity Framework (CSF) 2.0, and enhancing usability.

The following resources are included with the Privacy Framework 1.1 IPD release:

• Privacy Framework 1.1 IPD Highlights video that summarizes the development process and reviews key updates.
• Mapping of Privacy Framework 1.0 Core to Privacy Framework 1.1 Core to help organizations trace changes to Core Categories and Subcategories between Framework versions.

NIST welcomes stakeholder feedback on the Privacy Framework 1.1 IPD by June 13, 2025. For more information, including a comment template and instructions for submitting feedback, please click the button below.

To receive periodic updates and hear about other opportunities to engage, subscribe to our Privacy Engineering mailing list. If you have questions, please contact us at [email protected].

Read More

Free Training

Adapt your skills and master the tools you’ll need to thrive in an AI-powered world at a free Microsoft Power Platform Virtual Training Day from Microsoft Learn. Join us at Create Agents in Microsoft Copilot Studio to design conversational apps using AI. Discover how to build custom agents, manage topics and trigger phrases, configure nodes, and control variables and entities. Additionally, you’ll learn how to work with generative AI and collect data from sources like Microsoft Dataverse to configure and publish agents across multiple channels, including Microsoft Teams. Plus, gain insights to enhance productivity and efficiency while building your own agent experiences using Copilot Studio. After completing this training, you’ll be eligible to take the Microsoft Power Platform Fundamentals certification at 50% off the exam price. You’ll have the opportunity to: Explore how to build intelligent, conversational apps based on generative AI and large language models (LLMs). Learn the basic principles of developing and customizing topics and trigger phrases to guide conversations. Find out how to create agents for Microsoft Copilot to address specific business needs. Discover how to pull data from multiple sources via Dataverse to boost agent performance. Explore how AI and LLMs help boost productivity and increase collaboration through solutions like Microsoft 365 and Microsoft Teams. Chat with Microsoft experts—ask questions and get answers to help you build agents. Join us at an upcoming Create Agents in Microsoft Copilot Studio event: April 28, 2025 11:00 AM – 1:30 PM | (GMT-05:00) Central Time US & Canada 12:00 PM – 2:30 PM | (GMT-04:00) Eastern Time US & Canada 10:00 AM – 12:30 PM | (GMT-06:00) Mountain Time US & Canada 9:00 AM – 11:30 AM | (GMT-07:00) Pacific Time US & Canada Delivery Language: English Closed Captioning Language(s): English

Register Here

et’s unlock the future together with 50 days of AI discovery and learning—and let’s attempt to set a world record at the same time!

*Updated as of March 28, 2025

The best way to learn something new is by taking it one step at a time. We know all this talk of AI can be overwhelming, so how about we take it one skill at a time? At Microsoft, our mission has always been to create technology that empowers others to innovate and solve real-world problems. And it’s no different with AI—we want to help you learn to use this powerful technology to make your life easier, especially as it becomes an integral part of our daily lives. Sometimes, starting is the hardest part, so we want to make that part simple for you. 

This is why we’re excited to announce the Microsoft AI Skills Fest, a global event this April and May, designed to bring learners across the globe together to build their AI skills, from beginner explorers to the technologically gifted. Together, we can learn a new AI skill and maybe even set a groundbreaking record at the same time! 

Everyone everywhere is invited 

The AI Skills Fest is designed with you in mind, offering a wide variety of AI training for everyone, regardless of background or expertise. Join us to build your AI skills and unlock new opportunities for productivity, innovation, and growth. 

• Tech professionals. Learn how to quickly build AI-powered solutions using Microsoft’s AI apps and services. Gain skills and experience working with agents, AI security, Azure AI Foundry, GitHub Copilot, Microsoft Fabric, and more. 
• Business professionals. Find out how much easier your work life can be when you use Microsoft Copilot to simplify tasks and let your creativity loose!
• Students. Explore technical skills to bring your ideas to life, with AI learning experiences for all skill levels and interests. 
• Business leaders. Empower your teams with AI skills for future success through curated upskilling opportunities.

Let’s earn a GUINNESS WORLD RECORDS™ title together on April 8, 2025! 

The Microsoft AI Skills Fest will begin with a spectacular Kickoff Celebration on April 8, 2025. Starting in Australia at 9 AM Australian Eastern Standard Time and wrapping up in the United States at 4 PM Pacific Daylight Time, this 24-hour, globe-spanning event will feature a variety of AI learning activities designed to engage and inspire learners of all experience levels.  

Together, we’ll have a once-in-a-lifetime opportunity to attempt a GUINNESS WORLD RECORDS™ title for most users to take an online multi-level artificial intelligence lesson in 24 hours. Don’t miss this unique chance to learn, compete, and celebrate your achievements—and to be part of these unprecedented and record-setting global festivities. 

Check out the learning experiences we’ve prepared for this day.

Mark your calendar and register now.

We’re excited to invite you to our upcoming Microsoft 365 Copilot QuickStart Training for nonprofits.  

This beginner-friendly session will help you start using Microsoft 365 Copilot as your own AI assistant and unleash the power of AI in your daily tasks. We’ll cover the basics of Copilot, the art of ‘Prompting’ for the best results, and provide hands-on demos to show how you can use Copilot.  

Select sessions are available in English, French, German, and Spanish.

Date: April 24, 2025  Time: 9:00 AM–11:30 AM PST  Register here    You can view the full calendar of sessions and register here. Even if you don’t have a Copilot license yet, you can still watch the demos and try the exercises once you receive your license.    Share this invitation with your colleagues and friends to invite them to join.

Threat actors can use phone numbers obtained from past data breaches and public records to randomly call or send messages claiming to be a member of a loan processing team and providing a loan offer that appears too good to be true. They may provide vague details, impose urgent demands, or require advanced fees of a purported loan offer with the intent of stealing personally identifiable information (PII) and financial information, including Social Security numbers and bank account numbers.

The NJCCIC received reports of an advanced fee loan scam in which threat actors posed as lenders, guaranteed the loan approval without official credit checks, offered low rates or fees, and asked for money upfront. The victims submitted a supposed loan application and paid a deposit via peer-to-peer money transfer platforms typically used with these scams. The deposits were nominal due to a false claim of a low credit score or based on a percentage of the fake loan amount. In one scam, the victim applied for a loan and paid a $1,350 deposit via Zelle. In another scam, the victim was offered a several million-dollar loan with a reasonable rate and a four percent deposit. Once the victims paid the deposits, the so-called lenders stole their information and funds and never responded to the victims’ subsequent inquiries. Threat actors can use this stolen information to impersonate victims, apply for loans or lines of credit, access bank accounts, and steal additional funds.

Threat actors typically initiate their cyberattacks by performing reconnaissance against an organization’s people, processes, and technology. They primarily seek to exploit vulnerabilities in people and software to gain initial access. The threat actors then attempt to access internal systems. VPNs and firewalls are often targeted by threat actors as they serve as primary gateways to these internal systems and networks and provide remote access to organizations. Successful cyberattacks can have cascading impacts, including operational disruptions, financial losses, and the loss of confidentiality, integrity, and availability of data and information systems.

Credentials (usernames and passwords) provide a way to authenticate users and control access to online accounts, email systems, network resources, and more. Threat actors attempt to harvest or steal these credentials and gain initial access primarily through phishing and other methods, such as keylogging malware, brute force attacks, man-in-the-middle (MITM) attacks, and credential stuffing attacks. The convenient practice of password reuse across multiple accounts is risky behavior that can result in account compromises. Credential harvesting and password reuse allow threat actors to easily compromise accounts, escalate privileges, exploit vulnerabilities, move laterally within a network, deploy malware, and access data. As highlighted by recent Medusa and Hellcat ransomware attacks, users are advised to activate MFA for all accounts and services, including email and VPNs.

Threat actors also attempt to exploit software vulnerabilities, especially in VPNs and firewalls and other edge devices, to infiltrate systems and networks. Multiple security advisories were issued during the first quarter of 2025, including the Ivanti Connect Secure, Policy Secure, and ZTA Gateways remote code execution vulnerability, the Cisco Meraki MX and Z Series AnyConnect VPN denial of service vulnerability, the Fortinet unverified password change vulnerability, and the OpenVPN denial of service vulnerability. Additionally, at least five VPN services have been linked  to a sanctioned Chinese firm, inadvertently impacting millions of free VPN users in the United States. There was also a significant surge in Palo Alto Networks scanner activity, suggesting a coordinated effort to test network defenses and exploit vulnerable systems. Furthermore, threat actors exploited two Fortinet vulnerabilities in Fortigate firewall appliances that led to a series of intrusions deploying the SuperBlack ransomware variant.

The combination of weak credentials without MFA and unpatched or misconfigured systems creates a ticking timebomb for organizations to have threat actors compromise accounts and infiltrate perimeter security devices, resulting in cyber incidents such as ransomware and large-scale attacks.

Recommendations

Participate in security awareness training to help better understand cyber threats, provide a strong line of defense, and identify red flags in potentially malicious communications. Use strong, unique passwords and enable MFA where available, choosing authentication apps or hardware tokens over SMS text-based codes. Keep systems up to date and apply patches after appropriate testing. Utilize network segmentation to isolate valuable assets and help prevent the spread of ransomware and malware. Enforce the Principle of Least Privilege, disable unused ports and services, and use web application firewalls (WAFs). Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools. Encrypt sensitive data at rest and in transit. Establish a comprehensive data backup plan that includes performing scheduled backups regularly, keeping an updated copy offline in a separate and secure location, and testing regularly. Create and test continuity of operations plans (COOPs) and incident response plans. Review the Ransomware: Risk Mitigation Strategies Employ tools such as haveibeenpwned.com to determine if your PII has been exposed via a public data breach.

Free Training

Adapt your skills and master the tools you’ll need to thrive in an AI-powered world at a free Microsoft Azure Virtual Training Day from Microsoft Learn. Join us at Develop Your Own Custom Copilots with Azure AI to learn how to create a custom copilot. You’ll review and compare language models to select the best one for your endpoint and learn how to deploy these models into your chat applications. You’ll also explore using Azure AI prompt flow to fine-tune and enhance model performance. Discover optimization strategies, including prompt engineering and Retrieval Augmented Generation, to tailor your model using your data. After completing this training, you’ll be eligible to take the Microsoft Azure AI Fundamentals certification exam at 50% off the exam price. You’ll have the opportunity to: Learn how to configure language model deployments. Explore optimization strategies to improve model performance. Understand how to build a custom copilot using prompt flows and ground it with your data. Chat with Microsoft experts—ask questions and get answers on building your copilot. Join us at an upcoming two-part Develop Your Own Custom Copilots with Azure AI event: May 07, 2025 11:00 AM – 2:00 PM | (GMT-05:00) Central Time US & Canada 12:00 PM – 3:00 PM | (GMT-04:00) Eastern Time US & Canada 10:00 AM – 1:00 PM | (GMT-06:00) Mountain Time US & Canada 9:00 AM – 12:00 PM | (GMT-07:00) Pacific Time US & Canada May 08, 2025 11:00 AM – 1:45 PM | (GMT-05:00) Central Time US & Canada 12:00 PM – 2:45 PM | (GMT-04:00) Eastern Time US & Canada 10:00 AM – 12:45 PM | (GMT-06:00) Mountain Time US & Canada 9:00 AM – 11:45 AM | (GMT-07:00) Pacific Time US & Canada Delivery Language: English Closed Captioning Language(s): English Register here

A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLEGENCE:
There are currently no reports of this vulnerability being exploited in the wild. 

SYSTEMS AFFECTED:

• Chrome prior to 135.0.7049.84/.85 for Windows and Mac
• Chrome prior to 135.0.7049.84 for Linux 

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
A vulnerability has been discovered in Google Chrome, which could allow for arbitrary code execution. Details of the vulnerability are as follows:

Tactic: Initial Access (TA0001):

Technique: Drive-By Compromise (T1189):

• Use after free in Site Isolation (CVE-2025-3066)

Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 9.1: Ensure Use of Only Fully Supported Browsers and Email Clients: Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. 
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
• Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
• Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc. (M1021: Restrict Web-Based Content)
  • Safeguard 9.2: Use DNS Filtering Services: Use DNS filtering services on all enterprise assets to block access to known malicious domains.
  • Safeguard 9.3: Maintain and Enforce Network-Based URL Filters: Enforce and update network-based URL filters to limit an enterprise asset from connecting to potentially malicious or unapproved websites. Example implementations include category-based filtering, reputation-based filtering, or through the use of block lists. Enforce filters for all enterprise assets.
  • Safeguard 9.6: Block Unnecessary File Types: Block unnecessary file types attempting to enter the enterprise’s email gateway. 
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

REFERENCES:

Google:
https://chromereleases.googleblog.com/2025/04/stable-channel-update-for-desktop_8.html
 
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3066

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• Visual Studio Code
• Windows Standards-Based Storage Management Service
• Windows Local Security Authority (LSA)
• Windows NTFS
• Windows Routing and Remote Access Service (RRAS)
• Windows Update Stack
• Windows Telephony Service
• Windows DWM Core Library
• Microsoft Edge (Chromium-based)
• Azure Local Cluster
• Windows Hello
• Windows BitLocker
• Windows USB Print Driver
• Windows Digital Media
• Windows Cryptographic Services
• Microsoft Office
• Windows Kerberos
• Windows Kernel
• Windows Secure Channel
• Windows Local Session Manager (LSM)
• Windows LDAP – Lightweight Directory Access Protocol
• Windows upnphost.dll
• Windows Media
• Windows Remote Desktop Services
• Windows Subsystem for Linux
• Windows Defender Application Control (WDAC)
• RPC Endpoint Mapper Service
• Windows Win32K – GRFX
• ASP.NET Core
• Windows TCP/IP
• Microsoft Virtual Hard Drive
• Microsoft Streaming Service
• Windows Mark of the Web (MOTW)
• Windows HTTP.sys
• Remote Desktop Gateway Service
• Windows Universal Plug and Play (UPnP) Device Host
• Remote Desktop Client
• Azure Local
• Windows Bluetooth Service
• Windows Hyper-V
• Windows Installer
• Windows Kernel-Mode Drivers
• Windows Shell
• OpenSSH for Windows
• Windows Virtualization-Based Security (VBS) Enclave
• Windows Power Dependency Coordinator
• Windows Security Zone Mapping
• Windows Resilient File System (ReFS)
• Windows Active Directory Certificate Services
• System Center
• Microsoft Office Word
• Microsoft Office Excel
• Microsoft Office SharePoint
• Microsoft Edge for iOS
• Microsoft AutoUpdate (MAU)
• Visual Studio
• Visual Studio Tools for Applications and SQL Server Management Studio
• Outlook for Android
• Active Directory Domain Services
• Windows Mobile Broadband
• Windows Kernel Memory
• Power Automate
• Azure Portal Windows Admin Center
• Dynamics Business Central
• Microsoft Office OneNote
• Windows Common Log File System Driver

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found in the Microsoft link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
• Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
• Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
  • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
• Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
  • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
  • Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Microsoft:
https://msrc.microsoft.com/update-guide/releaseNote/2025-Apr 
https://msrc.microsoft.com/update-guide

Multiple vulnerabilities have been discovered Fortinet Products, the most severe of which could allow for remote code execution. 

• FortiAnalyzer is a log management, analytics, and reporting platform that provides organizations with a single console to manage, automate, orchestrate, and respond, enabling simplified security operations, proactive identification and remediation of risks, and complete visibility of the entire attack landscape.
• FortiClient Endpoint Management Server (EMS) is a centralized platform for managing and deploying FortiClient software on endpoints, providing visibility, policy enforcement, and compliance management for organizations using FortiClient for endpoint security. 
• FortiIsolator is a browser isolation solution from Fortinet designed to protect users from zero-day malware and phishing threats delivered over the web and email by creating a visual “air gap” between the user’s browser and the web content.
• FortiManager is a comprehensive network management solution designed to streamline the administration, configuration, and monitoring of Fortinet devices across complex network environments.
• FortiOS is the Fortinet’s proprietary Operation System which is utilized across multiple product lines.
• FortiProxy is a secure web proxy solution that enhances network security by filtering web traffic and providing advanced threat protection.
• FortiSwitch Manager enables network administrators to cut through the complexities of non-FortiGate-managed FortiSwitch deployments.
• FortiVoice is a robust communication solution that integrates voice, conferencing, and messaging services to enhance business collaboration and productivity.
• FortiWeb is a web application firewall (WAF) that protects web applications and APIs from attacks that target known and unknown exploits and helps maintain compliance with regulations. 

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. 

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

• FortiAnalyzer 6.2.0 through 6.2.13
• FortiAnalyzer 6.4.0 through 6.4.14
• FortiAnalyzer 7.0.0 through 7.0.11
• FortiAnalyzer 7.0.0 through 7.0.13
• FortiAnalyzer 7.2.0 through 7.2.4
• FortiAnalyzer 7.2.0 through 7.2.8
• FortiAnalyzer 7.4.0 through 7.4.2
• FortiAnalyzer 7.4.0 through 7.4.5
• FortiAnalyzer 7.6.0 through 7.6.1
• FortiClientEMS 7.2.1 through 7.2.8
• FortiClientEMS 7.4.0 through 7.4.1
• FortiIsolator 2.4.3 through 2.4.6
• FortiManager 6.2.0 through 6.2.13
• FortiManager 6.4.0 through 6.4.14
• FortiManager 7.0.0 through 7.0.11
• FortiManager 7.0.0 through 7.0.13
• FortiManager 7.2.0 through 7.2.4
• FortiManager 7.2.0 through 7.2.8
• FortiManager 7.4.0 through 7.4.2
• FortiManager 7.4.0 through 7.4.5
• FortiManager 7.6.0 through 7.6.1
• FortiOS 6.2.0 through 6.2.16
• FortiOS 6.4 all versions
• FortiOS 7.0 all versions
• FortiOS 7.0.0 through 7.0.15
• FortiOS 7.0.1 through 7.0.12
• FortiOS 7.2 all versions
• FortiOS 7.4 all versions
• FortiProxy 2.0 all versions
• FortiSwitch
• FortiSwitch 6.4.0 through 6.4.14
• FortiSwitch 7.0.0 through 7.0.10
• FortiSwitch 7.2.0 through 7.2.8
• FortiSwitch 7.4.0 through 7.4.4
• FortiSwitch 7.6.0
• FortiVoice 6.0 all versions
• FortiVoice 6.4.0 through 6.4.8
• FortiVoice 7.0.0 through 7.0.2
• FortiWeb 7.0 all versions
• FortiWeb 7.2 all versions
• FortiWeb 7.4.0 through 7.4.2
• FortiWeb 7.4.0 through 7.4.6
• FortiWeb 7.6.0 through 7.6.2 

RISK:
Government:

• Large and medium government entities: High
• Small government entities: Medium

Businesses:

• Large and medium business entities: High
• Small business entities: Medium

Home users: Low 

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Fortinet products, the most severe of which could allow for remote code execution. Details of the vulnerabilities are as follows: 

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190): 

• An unverified password change vulnerability [CWE-620] in FortiSwitch GUI may allow a remote unauthenticated attacker to modify admin passwords via a specially crafted request. (CVE-2024-48887)
• An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiIsolator may allow a privileged attacker with super-admin profile and CLI access to execute unauthorized code via specifically crafted HTTP requests. (CVE-2024-54024)
• A improper restriction of communication channel to intended endpoints vulnerability [CWE-923] in FortiOS, FortiProxy, FortiManager, FortiAnalyzer, FortiVoice and FortiWeb may allow an unauthenticated attacker in a man-in-the-middle position to impersonate the management device (FortiCloud server or/and in certain conditions, FortiManager), via intercepting the FGFM authentication request between the management device and the managed device (CVE-2024-26013, CVE-2024-50565) 

Details of lower severity vulnerabilities:

• An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiIsolator CLI may allow a privileged attacker to execute unauthorized code or commands via crafted CLI requests. (CVE-2024-54025)
• An Improper Output Neutralization for Logs vulnerability [CWE-117] in FortiManager and FortiAnalyzer may allow an unauthenticated remote attacker to pollute the logs via crafted login requests. (CVE-2024-52962)
• An insufficiently protected credentials [CWE-522] vulnerability in FortiOS may allow a privileged authenticated attacker to retrieve LDAP credentials via modifying the LDAP server IP address in the FortiOS configuration to point to a malicious attacker-controlled server. (CVE-2024-32122)
• An Incorrect User Management vulnerability [CWE-286] in FortiWeb widgets dashboard may allow an authenticated attacker with at least read-only admin permission to perform operations on the dashboard of other administrators via crafted requests. (CVE-2024-46671)
• An improper neutralization of input during web page generation (‘Cross-site Scripting’) [CWE-79] vulnerability in FortiClient may allow the EMS administrator to send messages containing javascript code. (CVE-2025-22855)
• An Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability [CWE-22] in FortiWeb endpoint may allow an authenticated admin to access and modify the filesystem via crafted requests. (CVE-2025-25254)
• Multiple potential issues, including the use of uninitialized resources [CWE-908] and excessive iteration [CWE-834] in FortiOS & FortiProxy SSLVPN webmode may allow a VPN user to corrupt memory, potentially leading to code or commands execution via specifically crafted requests. (CVE-2023-37930) 

Successful exploitation of these vulnerabilities could allow an attacker to execute remote code in the context of the system. Depending on the privileges associated with the system, an attacker could then install programs; view, change, or delete data. 

RECOMMENDATIONS:
We recommend the following actions be taken: 

• Apply appropriate updates provided by Fortinet to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1 : Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.2: Establish and Maintain a Remediation Process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.5 : Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Safeguard 12.1: Ensure Network Infrastructure is Up-to-Date: Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
  • Safeguard 18.1: Establish and Maintain a Penetration Testing Program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
  • Safeguard 18.2: Perform Periodic External Penetration Tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. The testing may be clear box or opaque box.
  • Safeguard 18.3: Remediate Penetration Test Findings: Remediate penetration test findings based on the enterprise’s policy for remediation scope and prioritization. 
     
• Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
  • Safeguard 5.5: Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. 
     
• Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
  • Safeguard 16.13: Conduct Application Penetration Testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user. 
     
• Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. (M1030: Network Segmentation)
  • Safeguard 12.2: Establish and Maintain a Secure Network Architecture: Establish and maintain a secure network architecture. A secure network architecture must address segmentation, least privilege, and availability, at a minimum. 
     
• Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 10.5:  Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™.
     

REFERENCES:

Fortinet:
https://www.fortiguard.com/psirt/FG-IR-24-474
https://www.fortiguard.com/psirt/FG-IR-23-344
https://www.fortiguard.com/psirt/FG-IR-24-184
https://www.fortiguard.com/psirt/FG-IR-24-111
https://www.fortiguard.com/psirt/FG-IR-24-453
https://www.fortiguard.com/psirt/FG-IR-24-046
https://www.fortiguard.com/psirt/FG-IR-24-397
https://www.fortiguard.com/psirt/FG-IR-24-392
https://www.fortiguard.com/psirt/FG-IR-24-435
https://www.fortiguard.com/psirt/FG-IR-23-165

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-37930
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46671
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-48887
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50565
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52962
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54024
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25254