InfoSecBulletin Cybersecurity for mankind
Fortinet has issued security updates for several products, including FortiOS, to fix vulnerabilities that could allow cyber attackers to take control of affected systems.
CISA encourages users and administrators to review the following advisories and apply necessary updates.
CISA warns of increasing risk tied to Oracle legacy Cloud leak
CVE-2025-20236
Cisco Patches Unauthenticated RCE Flaw in Webex App
Apple released emergency security updates for 2 zero-day vulns
Oracle Released Patched for 378 flaws for April 2025
CVE-2025-24054
Hackers Exploiting NTLM Spoofing Windows Vuln the in Wild
Bengaluru firm got ransomware attack, Hacker demanded $70,000
MITRE warns: U.S. Govt. Funding for MITRE’s CVE Ends Today
PwC exits more than a dozen countries in push to avoid scandals: FT reports
Australian Cyber Security Centre Alert for Fortinet Products
Top 10 Malware Threats of the Week: Reports ANY.RUN
FG-IR-23-396 ReadOnly Users Could Run Some Sensitive Operations:
A client-side enforcement of server-side security vulnerability [CWE-602] in FortiAnalyzer may allow an authenticated attacker with at least read-only permission to execute sensitive operations via crafted requests.
FG-IR-23-475 FortiOS – SSLVPN Session Hijacking Using SAML Authentication:
A session fixation vulnerability [CWE-384] in FortiOS may allow an unauthenticated attacker to hijack user session via a phishing SAML authentication link.
FG-IR-24-144 Privilege Escalation via Lua Auto Patch Function:
A privilege context switching error vulnerability [CWE-270] in FortiClient Windows may allow an authenticated user to escalate their privileges via lua auto patch scripts.
FG-IR-24-199 Named Pipes Improper Access Control:
An authentication bypass using an alternate path or channel vulnerability (CWE-288) in FortiClient (Windows) may allow a low privilege attacker to execute arbitrary code with high privilege via spoofed named pipe messages.
