
Cyber Threat Intelligence Report


This week, we briefed our clients on several end-of-support deadlines for operating systems, applications, and services, and a Fortinet SSL-VPN Backdoor.

 

KEY TAKEAWAYS

  • End-of-support dates are arriving for various operating systems and applications. Upgrade in time to ensure continued security and feature updates.

  • Read-only backdoor access discovered in Fortinet SSL-VPN devices. Patch now!

  • Critical vulnerabilities in Windows, Erlang/OTP SSH, Cisco Webex, FortiSwitch, and Gladinet CentreStack. Patch now!


The End is Near!

Several major operating systems, applications, and services widely used by enterprises across the globe are reaching end of support. Once these support deadlines pass, vendors will no longer issue security updates, increasing the risk to the security posture of any organization still running them. Administrators need to be aware of these dates and create plans to update and upgrade systems to ensure their security.

 

Microsoft Windows 10

Per Microsoft Support, Windows 10 will reach end of support on October 14, 2025. There are two ways to ensure continued support and security updates: upgrade systems to Windows 11, or enroll in Microsoft's Extended Security Update program for Windows 10. Note that some devices do not meet the hardware requirements for Windows 11, so replacing the device may be required.

 

Microsoft Exchange 2016 & 2019

Much like Windows 10, both Microsoft Exchange Server 2016 and Microsoft Exchange Server 2019 will reach end of support on October 14, 2025. This means Microsoft will no longer provide security updates for these products after this date. As Microsoft Exchange vulnerabilities are frequently targeted by threat actors, it is critically important to migrate off these systems before the deadline. Microsoft recommends fully migrating email services to either Exchange Online or Microsoft 365.

 

Ubuntu 20.04

Microsoft announced that Ubuntu 20.04 LTS will no longer be supported after May 31, 2025. Per the advisory, after this date, security, feature, and maintenance updates will no longer be provided by Canonical. Microsoft recommends either upgrading to the next Ubuntu LTS release (Ubuntu 22.04 LTS or Ubuntu 24.04 LTS) or upgrading to Ubuntu Pro to access expanded security and maintenance from Canonical.

 

SSL/TLS Certificate Lifespans

Last week, the CA/Browser Forum voted to implement a major reduction in the lifespan of SSL/TLS certificates. The changes will be implemented incrementally over the next four years. The current maximum lifespan for certificates is 398 days; by the end of the reduction in March 2029, certificates will expire after 47 days. The reduction schedule is as follows:

  • From March 15, 2025, certificate lifespan and Domain Control Validation (DCV) will be reduced to 200 days
  • From March 15, 2027, certificate lifespan and DCV will be reduced to 100 days
  • From March 15, 2029, certificate lifespan will be reduced to 47 days and DCV reduced to 10 days
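The schedule above expressed as a policy check, an added example that is not part of the report: given a certificate's validity window and the date its domain control was last validated, it returns the limits in force on the issue date, whether the certificate complies, and how many renewals per year an automated pipeline must handle. Using 398 days as the DCV reuse limit before the first step is an assumption of this example.

```python
from datetime import date

# Reduction schedule as stated in the report: (effective date, max lifespan days, max DCV reuse days).
SCHEDULE = [
    ("2029-03-15", 47, 10),
    ("2027-03-15", 100, 100),
    ("2025-03-15", 200, 200),
]
# Limit in force before the first step. 398 days for lifespan is from the report;
# using the same figure for DCV reuse is an assumption of this example.
BASELINE = (398, 398)


def limits_for(issued: str) -> tuple[int, int]:
    """Return (max lifespan, max DCV reuse) in days for a certificate issued on the given ISO date."""
    issued_on = date.fromisoformat(issued)
    for effective, lifespan, dcv in SCHEDULE:
        if issued_on >= date.fromisoformat(effective):
            return lifespan, dcv
    return BASELINE


def check_certificate(not_before: str, not_after: str, dcv_date: str) -> dict:
    """Check one certificate against the policy in force on its issue date.

    not_before/not_after: the certificate's validity window (ISO dates).
    dcv_date: when domain control was last validated for the names on the certificate.
    """
    start, end = date.fromisoformat(not_before), date.fromisoformat(not_after)
    max_lifespan, max_dcv = limits_for(not_before)
    lifespan = (end - start).days
    dcv_age = (start - date.fromisoformat(dcv_date)).days
    return {
        "lifespan": lifespan, "max_lifespan": max_lifespan, "lifespan_ok": lifespan <= max_lifespan,
        "dcv_age": dcv_age, "max_dcv": max_dcv, "dcv_ok": dcv_age <= max_dcv,
    }


def renewals_per_year(issued: str) -> int:
    """Number of renewals per year needed to stay within the lifespan limit in force on that date."""
    lifespan, _ = limits_for(issued)
    return -(-365 // lifespan)  # ceiling division


if __name__ == "__main__":
    for cert in (("2026-01-10", "2026-07-01", "2026-01-01"), ("2029-04-01", "2029-06-01", "2029-03-25")):
        print(cert, check_certificate(*cert), "renewals/year:", renewals_per_year(cert[0]))
```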

 

Edge Devices

A full listing of all device end-of-support dates is beyond the scope of this article. Administrators are encouraged to review support expirations on any internet-facing edge device, as vulnerabilities in these devices are heavily exploited by threat actors in order to gain initial access. Keeping these devices fully patched is only possible if the device is still supported.

 

Mitigation Guidance

  • Perform regular vulnerability scans and compare the results with documented devices within the environment.
  • Establish regular patching and equipment upgrade schedules to ensure devices stay up to date.
  • Proactively update systems before documented end of support leaves them vulnerable.
  • Establish network segmentation with firewall filtering for any network segments that require use of end-of-life devices.


Fortinet SSL-VPN SymLink Backdoor

Fortinet released an advisory disclosing a technique it discovered on certain Fortinet SSL-VPN devices that allows threat actors to maintain access to a device even after it has been patched for certain vulnerabilities. Per the advisory, this impacts devices that were previously exploited via CVE-2022-42475, CVE-2023-27997, or CVE-2024-21762. Each of these vulnerabilities is a critical remote code execution flaw in FortiOS devices running SSL-VPN. Fortinet discovered that after leveraging one of these vulnerabilities, threat actors were able to maintain read-only access to the device by creating a symbolic link connecting the user filesystem to the root filesystem. This read-only access to the filesystem allows the threat actor to view configuration files on the device. Note that a device on which SSL-VPN was never enabled is not impacted by this issue. Fortinet says it has sent emails to impacted customers.

To mitigate the issue and remove the symbolic link, Fortinet recommends upgrading devices to versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, or 6.4.16, matching the release train the device is on. If the device is found to be impacted, Fortinet lists a full set of remediation steps in its advisory.

 

Vulnerability Roundup

 

Windows NTLM Hash Leak Actively Exploited

A vulnerability fixed in the March 2025 Patch Tuesday, tracked as CVE-2025-24054, is now under active exploitation. Successful exploitation of this vulnerability leads to NTLM hash disclosure. Per a research blog from Check Point, threat actors are exploiting this by emailing users malicious .library-ms files. Microsoft Windows uses this file type as "virtual containers for users' content"; a library can reference files and folders stored on the local computer or in a remote storage location. By simply placing a path to the attacker's remote SMB server in this file, the attacker causes Windows to attempt a connection to that server with NTLM authentication, allowing the attacker to capture the NTLM hash. Note also that minimal interaction with the malicious .library-ms file is enough to trigger the exploit, including selecting (single-clicking), inspecting (right-clicking), or downloading the attachment from the phishing email. Mitigations include applying the March 2025 Windows security updates, disabling NTLM authentication where possible, and blocking outbound SMB traffic at the firewall.
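As a defensive counterpart to the technique described above, the following added example (not code from the report or from Check Point) parses a .library-ms document and flags any library location that names a remote host, which is the indicator a mail gateway or endpoint scanner would look for in such attachments. The XML namespace is the one from Microsoft's published Library Description schema; the two sample documents and the 203.0.113.7 address are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Microsoft's Library Description (.library-ms) schema.
NS = {"lib": "http://schemas.microsoft.com/windows/2009/library"}

# Location forms that make Explorer reach out to another host: a UNC path or a file:// URL with a host part.
# Local forms such as knownfolder:{GUID} or file:///C:/... do not match.
REMOTE_PATTERNS = (
    re.compile(r"^\\\\[^\\]+\\"),          # \\host\share...
    re.compile(r"^file://[^/]+/", re.I),   # file://host/share...
)


def library_locations(xml_text: str) -> list[str]:
    """Return every <simpleLocation><url> value in a .library-ms document."""
    root = ET.fromstring(xml_text)
    return [u.text.strip() for u in root.iterfind(".//lib:simpleLocation/lib:url", NS) if u.text]


def remote_locations(xml_text: str) -> list[str]:
    """Return only the locations that name a remote host."""
    return [loc for loc in library_locations(xml_text) if any(p.match(loc) for p in REMOTE_PATTERNS)]


def is_suspicious(xml_text: str) -> bool:
    """A library received as a mail attachment has no business pointing at a remote host."""
    return bool(remote_locations(xml_text))


# Constructed sample: a benign library that points at the local Documents known folder.
BENIGN = """<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed sample: the same document pointing at an external SMB share (TEST-NET-3 address).
SUSPICIOUS = BENIGN.replace("knownfolder:{FDD39AD0-238F-46AF-ADB4-6C85480369C7}", r"\\203.0.113.7\share")

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, "remote locations:", remote_locations(doc), "flag:", is_suspicious(doc))
```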



Erlang/OTP SSH Maximum Severity Unauthenticated RCE

A maximum-severity vulnerability was recently disclosed in the Erlang/Open Telecom Platform (OTP) SSH implementation. The vulnerability, tracked as CVE-2025-32433, allows an unauthenticated attacker with network access to the SSH server to execute arbitrary code, which can lead to complete device takeover. Mayuresh Dani, manager of security research at Qualys, was quoted in The Hacker News stating "Erlang is frequently found installed on high-availability systems" and "a majority of Cisco and Ericsson devices run Erlang." All SSH servers built on the Erlang/OTP SSH library are affected. Administrators are urged to upgrade to versions OTP-27.3.3, OTP-26.2.5.11, or OTP-25.3.2.20 as soon as possible, as proof-of-concept exploit code is now public. If it is unclear which SSH library a device is running, restrict SSH access via firewall to trusted addresses only until the patches are applied.

Cisco Webex High-severity Vulnerability

Cisco issued a security advisory for its Webex App, tracked as CVE-2025-20236. The vulnerability is a flaw in the Webex custom URL parser and can allow threat actors to trick users into downloading arbitrary files, leading to potential command or code execution on the target system. Administrators are urged to patch as soon as possible. Vulnerable versions and their fixed releases are shown below:

 

Fig. 1 - Cisco Webex Vulnerable Versions | Source: Cisco



Critical Vulnerability in FortiSwitch Devices

A critical vulnerability in the FortiSwitch web UI was disclosed by Fortinet. Tracked as CVE-2024-48887, the flaw allows unauthenticated attackers to change credentials via specially crafted requests to the 'set_password' endpoint. FortiSwitch versions 6.4.0 through 7.6.0 are affected. Administrators are urged to upgrade to FortiSwitch version 6.4.15, 7.0.11, 7.2.9, 7.4.5, or 7.6.1, matching the release train in use. Per Fortinet, an additional workaround is to disable HTTP/HTTPS access on administrative interfaces.

 

Hard-coded Keys in Gladinet CentreStack Allow RCE

A critical-severity vulnerability in Gladinet CentreStack (enterprise file-sharing software), tracked as CVE-2025-30406, was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog. The vulnerability is due to hard-coded cryptographic keys. Per CISA, "successful exploitation allows an attacker to forge ViewState payloads for server-side deserialization, allowing for remote code execution". Administrators are urged to upgrade to version 16.4.10315.56368 or higher. If upgrading is not possible, Gladinet recommends rotating the 'machineKey' value as a temporary mitigation.


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.