Threat Advisories

This is a high severity, actively exploited zero-day targeting Cisco AsyncOS appliances exposed to the internet. Immediate access restrictions, segmentation, threat monitoring, and preparation for incident response and patch deployment are critical defenses until an official fix is released. 

Following the critical “React2Shell” disclosure earlier this month, three additional vulnerabilities were identified in React Server Components (RSC). These new flaws, carry high severity and widespread impact, requiring immediate developer action. As these new flaws allow an attacker to cause Denial of Service (DoS) or leak server-side source code. 

Ivanti has released urgent patches for a critical code execution vulnerability in its Endpoint Manager (EPM) platform, tracked as CVE‑2025‑10573 (CVSS 9.6). The flaw allows unauthenticated, remote attackers to perform low-complexity cross-site scripting (XSS) attacks that require minimal user interaction, potentially compromising administrative sessions and leading to code execution. 

Fortinet has disclosed two critical authentication bypass vulnerabilities in its FortiCloud SSO feature—affecting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager. An attacker could gain unfettered administrative access using crafted SAML assertions when FortiCloud SSO is enabled. 

Two critical vulnerabilities have been disclosed in React Server Components (RSC) and Next.js App Router, enabling unauthenticated remote code execution (RCE). These flaws stem from unsafe deserialization of RSC payloads, allowing attackers to execute arbitrary JavaScript code on the server. 

Cyber security analysts from Group-IB and UKUK have identified a continuing and expanding cyber-espionage operation run by the threat actor known as Bloody Wolf. Active since at least late 2023, the group has steadily evolved its methods while extending its reach across Central Asia. Their activity demonstrates a shift toward low-cost, legitimate remote-administration tools delivered through carefully crafted social-engineering campaigns. 

Scattered Lapsus$ Hunters group appears to be targeting Zendesk users in a new phishing campaign. 

Sha1-Hulud 2.0 is an aggressive evolution of the September 2025 Shai-Hulud npm supply chain attack. This second wave introduces preinstall-phase execution, enabling malware to run automatically during dependency installation, bypassing traditional static code scans. The campaign leverages compromised maintainer accounts to publish trojanized npm packages, impacting major projects like Zapier, ENS Domains, PostHog, and Postman 

SolarWinds has issued updates to address three critical vulnerabilities in its Serv-U file transfer software. If left unpatched, these flaws could allow an attacker with administrator-level access to execute arbitrary code on the underlying server. 

Summary (TL;DR) 
A Fortinet FortiWeb vulnerability is being actively exploited in the wild to create administrative accounts and gain persistent access to Internet-exposed FortiWeb appliances. Public proof-of-concept / exploit activity and weaponized code have appeared, and multiple monitoring/honeypot teams report exploitation since early November 2025. Exploitation yields full administrative control of the appliance (persistence, config tampering, credential access, logging disruption). Treat exposed FortiWeb management interfaces as high priority (critical) until patched or isolated.