• Microsoft has confirmed active exploitation of a critical zero-day vulnerability in the Windows Remote Access Connection Manager (RasMan) service, allowing attackers to escalate privileges and potentially compromise entire systems.

    Tracked as CVE-2025-59230, the flaw stems from improper access control, enabling low-privileged users to gain SYSTEM-level access.

    Disclosed on October 14, 2025, the vulnerability affects multiple Windows versions and has already drawn attention from threat actors targeting enterprise environments.

The issue resides in RasMan, the service that manages remote access connections such as VPN and dial-up links. Microsoft describes the weakness as improper access control that an authorized local attacker can abuse to elevate privileges; the advisory does not say which check is missing or how the service's configuration is manipulated, so the privilege boundary that fails is known only at this level of detail.

    With a CVSS v3.1 base score of 7.8 (High severity), it requires only local access and low privileges, making it a prime target for post-compromise escalation in breaches.

    Microsoft classifies it as “Exploitation Detected,” indicating real-world attacks, though specifics on affected victims remain undisclosed.

No public proof-of-concept (PoC) code has been released, and Microsoft has not published exploitation details. Researchers quoted in the original report speculate that an exploit could involve registry manipulation or DLL injection into the RasMan process.

For example, a low-privileged process that can write to a location RasMan loads code from (the report suggests C:\Windows\System32\ras) could plant a component that executes as SYSTEM when the service restarts. None of this is confirmed; it is a plausible shape for an improper-access-control bug in a SYSTEM service, not a description of the in-the-wild exploit.

In practice such a primitive is chained after an initial foothold from phishing or an unpatched application, turning a user-level compromise into full control of the host and a stronger base for lateral movement.

    Vulnerability Details

To aid rapid assessment, the following table summarizes key CVE-2025-59230 metrics:

| Metric | Value | Description |
|---|---|---|
| CVSS v3.1 Base Score | 7.8 (High) | Overall severity rating |
| Attack Vector | Local (AV:L) | Attacker needs an existing local session or code execution on the host |
| Attack Complexity | Low (AC:L) | No special conditions required |
| Privileges Required | Low (PR:L) | A standard user account suffices |
| User Interaction | None (UI:N) | No victim action needed |
| Confidentiality/Integrity/Availability Impact | High (C:H/I:H/A:H) | Full SYSTEM-level compromise of the host |
| Exploit Code Maturity | Functional (E:F) | Working exploit code exists; the temporal metric reflects confirmed in-the-wild use |

Affected systems include Windows 10 (version 1809 and later), Windows 11, and Windows Server 2019 through 2025. Microsoft urges immediate patching via the October 2025 Patch Tuesday updates; because exploitation is already confirmed, an unpatched machine gives any intruder who has landed a user-level foothold, whether a ransomware affiliate or a state-backed actor, a ready path to SYSTEM.


    The post Windows Remote Access Connection Manager 0-Day Vulnerability Actively Exploited in Attacks appeared first on Cyber Security News.


• The new infantry squad vehicle can haul troops through pretty much any terrain in any conditions, but there are a couple of big things it can’t do: protect soldiers from an ambush or allow someone to provide cover in the event of one.

    So the Army is evolving its tactics around the idea that a reconnaissance unit will scan the battlefield for threats, and if they find one, they’ll radio the ISV occupants to hop out and seek cover.

    “As we get into a tactical zone, that's where you alter your movement techniques and you dismount,” Col. David Lamborn, who commands the 2nd Mobile Brigade Combat Team in the 25th Infantry Division, told Defense One on Tuesday at the AUSA annual meeting in Washington, D.C.

It helps that the ISV was designed with tree cover in mind. When the Army came under attack driving thin-skinned Humvees around the deserts of Iraq 20 years ago, there was often no warning and nowhere to hide. Troops began adding makeshift armor to the vehicles, and eventually the Defense Department created the mine-resistant ambush protected vehicle, or MRAP.

    “We made a choice to slap on more and more, which further and further and further restricted ourselves, right? It made it slower. We became more targetable, right?” Lamborn said. “We could only be on these very specific roads, because we could not get off over here. The ISV is meant to get away from that.”

    An ISV full of soldiers traversing the jungle in the Philippines, for example, should never come into contact.

    “So that means that you need to use your reconnaissance assets to better understand where the enemy is, and to take the right tempo and pace depending on the expected contact,” Lamborn said Tuesday during a panel at AUSA.

    And if a threat is detected, troops will jump out and fight on foot.

“So for the infantry, our protection predominantly comes from our field craft and our survivability,” said Maj. Gen. Jay Bartholomees, commander of 25th ID. “For jungle fighters, we need to put ourselves into the jungle and put ourselves in places where we are not found as easily. That's what's going to be our best protection asset.”

    A unit can also launch a recon drone to get a picture of the battlefield ahead, and the Army is specifically looking for some with long ranges. 

    Lamborn does want his troops to be able to kill drones that approach infantry squads, though.

    “So the real protection problem that I see, for the mobile brigades, is the counter-UAS, because right now, most of the systems that exist, which some are fantastic, but they're very heavy, and they're really focused on fixed site security,” he said.

    His soldiers need something lightweight that uses electronic warfare to jam enemy drones, rather than something that requires ammunition. 

    “We absolutely don't want to find ourselves in a situation where we're coming into contact and we're still in the ISV,” Lamborn said. “We just need to get away from that and use it just as a strict mobility platform.”


  • China is the “pacing threat,” Army Secretary Dan Driscoll said Tuesday, but homeland security and southern border operations are just as important as countering that threat. 

    "I think my understanding of the administration's priorities and the Secretary of War is China is the pacing threat,” Driscoll said on the sidelines of the annual Association of the U.S. Army’s conference in Washington, D.C. “We must, as a nation, be ready to provide security to Americans no matter where they are located in the world.”

    But Driscoll stopped short of calling China the top priority, adding that “we are also, at the same time, in parallel, executing on providing security and maintaining what the president has done at the border.”

    Strategic documents have detailed the shift in military focus from China to border enforcement, countering drug trafficking, and backing the Department of Homeland Security. The Army has invested significant manpower behind those missions. U.S. Northern Command has sent around 10,000 troops to the southern border, and the Trump administration has deployed thousands of National Guardsmen to American cities supporting ICE activities. 

    And, Driscoll said, he expects the southern border mission “to continue into the future for years to come.”

    Other military officials have said ahead of the National Defense Strategy rollout that homeland defense is relevant to multiple theaters and missions. Air Force Secretary Troy Meink told reporters at the Air & Space Force Association’s conference last month that “homeland defense pretty much captures all threats.” 

    U.S. Indo-Pacific Command leader Adm. Samuel Paparo has reiterated the need to support the region amid strategy shifts, and said last month that “the homeland is in the Pacific.” 

Driscoll’s comments on China followed a joint announcement by the Army and Energy Secretary Chris Wright of plans to build a microreactor at a stateside base by 2027. Those officials pointed to long diesel supply chains overseas, including in the Pacific, as a threat to U.S. military operations.

    “If you think of the Indo-Pacific, and the tyranny of distance between our homeland and that theater, it's 6,000 miles,” Driscoll said. “If it's going to be with contested logistics, you're not going to be able to ship our equipment and our energy sources on slow moving freight liners across the Pacific Ocean. We are going to have to be much more flexible as a nation, and we are focused on that. We are reorienting and continuing to strengthen the Army for that fight.”

    It’s unclear what a strategic shift away from the Indo-Pacific would mean for troops stationed in the region. Lt. Gen. Hank Taylor, the commander of the 8th Army, told reporters at AUSA that the new strategic guidance has not reduced funding or training opportunities for soldiers in South Korea.


  • Nearly a half-century since the Army last operated a nuclear power plant, the service is aiming to break ground on a micro-reactor on a U.S. base by 2027.

    The joint Janus Program seeks to bring new reactor designs to fruition in a bid to add available power at military installations and to enable them to continue operating even if the wider grid goes down. It was announced on Tuesday by Army Secretary Dan Driscoll and Energy Secretary Chris Wright at the Association of the U.S. Army’s conference in Washington, D.C.

    There are currently no microreactors operating in the United States. But speaking to reporters on the sidelines, the secretaries and an Army official said they expect to see a small nuclear reactor go critical by July 2026 and construction to start at a stateside base the following year. 

    “In terms of trying to actually build real, power-producing reactors on Army bases, probably construction will not begin until 2027,” said Jeff Waksman, principal deputy assistant Army secretary for installations, energy, and environment. 

The announcement follows a May executive order from the Trump administration to invest in microreactors and establish them on a military installation. That push comes as the U.S. grapples with uranium enrichment supply issues; most domestic reactors are fueled with imported material. Wright admitted it was a problem, but highlighted the Energy Department’s efforts to increase enrichment.

    “It's not there today, but it will be,” Wright said of the U.S. uranium enrichment supply. “That is one of the things that needs to rise up, but we know how to solve that problem.”

    That timeline is ambitious but achievable, said Thomas Mancinelli, a former acting Navy undersecretary who now heads federal strategy for Antares Nuclear, which has an Energy Department contract to take a small reactor critical next year.

    “We know what it takes to build these reactors. Now, it’s just a matter of getting a workforce for the industry, getting the fuel, getting the supply chain in place and trying to prove the technology and build it out at scale so that we can start selling it to the Department of Defense in 2028 and beyond,” Mancinelli said.

    Driscoll said the sweeping nuclear project will “make the Army stronger and the country safer” by replacing old diesel fuel supply lines to bases with a more energy-efficient reactor that can run for years. 

Army officials dismissed the concerns of groups like the Bulletin of the Atomic Scientists who fear the microreactors “could become attractive targets for an adversary.”

“This is going to be in the 50 U.S. states. We are not deploying these to any sort of front,” Waksman said. “These are also small targets. There's very small amounts of fissile material in them. So these are very unattractive proliferation targets.”

    The microreactors will be built through a milestone-based contracting model with the Defense Innovation Unit and will be commercially owned and operated, the Army said in a subsequent press release. In April, the DIU selected a group of companies eligible to build microreactors as the rise in AI capabilities fuels a need for more electrical power.

    Army and Energy Department officials are taking inspiration from Project Pele, the Defense Department’s ongoing mobile reactor project, and will also base the contracting model off of NASA’s Commercial Orbital Transportation Services program.

    The Army’s announcement follows a decision this year selecting Eielson Air Force Base, near Fairbanks, Alaska, as the preferred site for a nuclear microreactor under a Defense Department pilot program with plans to have it up and running by 2028.


  • A sophisticated backdoor malware targeting Internet of Things devices has surfaced, employing advanced communication techniques to maintain persistent access to compromised systems.

    The PolarEdge backdoor, first detected in January 2025, represents a significant evolution in IoT-focused threats, utilizing a custom TLS server implementation and proprietary binary protocol for command and control operations.

The malware initially emerged through exploitation of CVE-2023-20118, a remote code execution vulnerability in the web management interface of Cisco Small Business RV series routers.

    Attackers leveraged this flaw to deploy web shells on target routers, establishing initial footholds for subsequent payload delivery.

    The attack chain involves downloading and executing a shell script named “q” via FTP, which then retrieves and launches the PolarEdge backdoor on compromised systems.

    PolarEdge demonstrates remarkable versatility in its target selection, with variants identified that specifically target Asus, QNAP, and Synology network devices.

    The malware’s sophisticated design suggests careful development aimed at establishing long-term presence within network infrastructure components.

    Its deployment pattern indicates coordinated campaigns originating from multiple IP addresses across different countries, all utilizing identical User-Agent HTTP headers during exploitation attempts.

    Sekoia analysts identified the malware’s complex architecture during detailed reverse engineering analysis, revealing a 1.6 MB ELF 64-bit executable that employs multiple operational modes.

    PolarEdge Backdoor configuration (Source – Sekoia)

    The backdoor functions primarily as a TLS server listening for incoming commands while simultaneously maintaining communication with command and control infrastructure through daily fingerprinting operations.

    Advanced TLS Implementation and Communication Protocol

    The PolarEdge backdoor’s most distinctive feature lies in its custom TLS server implementation built using mbedTLS v2.8.0 library.

    This approach represents a departure from conventional malware communication methods, providing encrypted channels that closely resemble legitimate network traffic.

    The TLS implementation utilizes multiple certificates including leaf certificates and certificate authority chains, creating an authentic-looking encrypted communication infrastructure.

    Section decryption algorithm (Source – Sekoia)

    The malware implements a proprietary binary protocol operating over the TLS connection, utilizing hardcoded tokens embedded within the executable’s data sections.

    This protocol requires specific magic values for request validation, including tokens stored in the malware’s configuration and others hardcoded within the binary.

    Command execution occurs when incoming requests contain the ASCII character “1” in the HasCommand field, followed by a two-byte length indicator and the actual command string.

    Fingerprinting operations run continuously in dedicated threads, collecting comprehensive system information including local IP addresses, MAC addresses, process identifiers, and device-specific details.

    This data gets transmitted to command and control servers using HTTP GET requests with specific query string formats.

    The malware constructs these requests using encrypted format strings that decode to reveal parameters such as device brand, module version, and collected system identifiers.

    The backdoor supports multiple operational modes beyond its default server functionality. Connect-back mode enables the malware to function as a TLS client for file download operations, while debug mode provides configuration update capabilities for command and control server addresses.

    These operational modes demonstrate the malware’s flexibility and the developers’ consideration for various deployment scenarios and maintenance requirements.
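The framing described above (a hardcoded token used as a magic value, a HasCommand field carrying ASCII “1”, a two-byte length, then the command) is the kind of protocol a receiver must validate field by field. The following Python is an added illustration, not code from Sekoia or from the PolarEdge binary: the field semantics follow the report, but the token width, the field order and the big-endian length are assumptions for demonstration, and the token value is constructed. It shows the checks a careful parser makes (token compare, flag/length consistency, truncation, trailing bytes) and is equally useful as a reference when writing a decoder for captured, decrypted sessions.

```python
import hmac
import struct
from typing import Optional

# Field semantics are those reported by Sekoia: a hardcoded token used as a
# magic value, a HasCommand field holding ASCII '1', a two-byte length, then
# the command string. The byte offsets, token width and big-endian length
# below are ASSUMPTIONS for illustration; the report does not publish them.
TOKEN_LEN = 8
DEMO_TOKEN = b"P0LR3DGE"      # constructed stand-in for a token baked into the binary
MAX_COMMAND_LEN = 4096        # assumed sanity bound, not a reported constant
HEADER_LEN = TOKEN_LEN + 1 + 2


class FrameError(ValueError):
    """Raised for any frame a careful receiver should drop."""


def build_frame(token: bytes, command: Optional[bytes]) -> bytes:
    """Serialise one request: token | HasCommand | length | command."""
    if len(token) != TOKEN_LEN:
        raise FrameError("token must be exactly %d bytes" % TOKEN_LEN)
    if command is None:
        return token + b"0" + struct.pack(">H", 0)
    if not 0 < len(command) <= MAX_COMMAND_LEN:
        raise FrameError("command length out of range")
    return token + b"1" + struct.pack(">H", len(command)) + command


def parse_frame(frame: bytes, expected_token: bytes) -> dict:
    """Validate a frame and return its fields; raises FrameError on any defect."""
    if len(frame) < HEADER_LEN:
        raise FrameError("truncated header")
    token = frame[:TOKEN_LEN]
    if not hmac.compare_digest(token, expected_token):   # constant-time compare
        raise FrameError("bad token")
    has_command = frame[TOKEN_LEN:TOKEN_LEN + 1]
    (length,) = struct.unpack(">H", frame[TOKEN_LEN + 1:HEADER_LEN])
    body = frame[HEADER_LEN:HEADER_LEN + length]
    trailing = frame[HEADER_LEN + length:]
    if has_command == b"0":
        if length or trailing:
            raise FrameError("payload present without HasCommand flag")
        return {"has_command": False, "command": None}
    if has_command != b"1":
        raise FrameError("unknown HasCommand value %r" % has_command)
    if not 0 < length <= MAX_COMMAND_LEN:
        raise FrameError("command length out of range")
    if len(body) != length:
        raise FrameError("truncated body: expected %d bytes, got %d" % (length, len(body)))
    if trailing:
        raise FrameError("%d trailing bytes after command" % len(trailing))
    return {"has_command": True, "command": body}


def is_valid_frame(frame: bytes, expected_token: bytes = DEMO_TOKEN) -> bool:
    """Boolean wrapper for a quick triage loop over captured frames."""
    try:
        parse_frame(frame, expected_token)
        return True
    except FrameError:
        return False


if __name__ == "__main__":
    frame = build_frame(DEMO_TOKEN, b"cat /proc/cpuinfo")
    print(frame.hex())
    print(parse_frame(frame, DEMO_TOKEN))
```

The token comparison uses a constant-time compare; the malware almost certainly does not, which is one of several reasons a decrypted capture can often be matched on the fixed token bytes alone.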


    The post PolarEdge With Custom TLS Server Uses Custom Binary Protocol for C2 Communication appeared first on Cyber Security News.


  • Cybersecurity researchers have uncovered a sophisticated phishing campaign that weaponizes the NPM ecosystem through an unprecedented attack vector.

    Unlike traditional malicious package installations, this operation leverages the trusted unpkg.com CDN to deliver phishing scripts directly through browsers, targeting enterprise employees across 135+ organizations primarily in Europe’s industrial, technology, and energy sectors.

    The campaign, discovered in October 2025, represents a dangerous evolution in supply chain attack methodologies.

    Threat actors automated the creation of over 175 throwaway NPM packages, each serving as disposable hosting infrastructure for JavaScript code that automatically redirects victims to credential-harvesting websites.

    These packages follow specific naming patterns, including the “redirect-[a-z0-9]{6}” scheme and “mad-x.x.x.x.x.x” variants, making them appear legitimate within the NPM registry.

    Rather than compromising developers during traditional package installation processes, attackers distribute crafted HTML files disguised as business documents, invoices, and project files.

    When victims open these seemingly innocuous files, they trigger a chain reaction that loads malicious scripts from the unpkg.com CDN, exploiting the platform’s automatic availability feature for published packages.

    This approach transforms legitimate open-source hosting infrastructure into a phishing mechanism while bypassing conventional security measures.
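A mail gateway or sandbox can triage HTML attachments of this kind without executing them: collect every script or frame load, normalise any unpkg.com URL to its package name, and compare that name against the naming patterns reported for the campaign. The Python below is an added example written for this article, not code from Snyk or Socket; the `mad-x.x.x.x.x.x` pattern is interpreted here as six dot-separated alphanumeric groups (an assumption), and the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

UNPKG_HOSTS = {"unpkg.com", "www.unpkg.com"}

# Package-name patterns reported for the campaign. The "mad-x.x.x.x.x.x" form
# is read here as six dot-separated alphanumeric groups (an assumption).
CAMPAIGN_NAME_PATTERNS = (
    re.compile(r"^redirect-[a-z0-9]{6}$"),
    re.compile(r"^mad-[a-z0-9]+(?:\.[a-z0-9]+){5}$"),
)
# Catches loaders built in inline script, e.g. s.src='https://unpkg.com/...'
UNPKG_URL_RE = re.compile(r"https?://(?:www\.)?unpkg\.com/[^\s'\"<>()]+", re.I)


def unpkg_package(url):
    """Package name from an unpkg URL (unpkg.com/:pkg@:ver/:file), else None."""
    p = urlparse(url.strip())
    if p.scheme not in ("", "http", "https") or p.netloc.lower() not in UNPKG_HOSTS:
        return None
    segments = [s for s in p.path.split("/") if s]
    if not segments:
        return None
    if segments[0].startswith("@") and len(segments) > 1:      # scoped package
        return segments[0] + "/" + segments[1].split("@", 1)[0]
    return segments[0].split("@", 1)[0]


class _LoaderCollector(HTMLParser):
    """Collects script/iframe sources and any unpkg URLs inside inline scripts."""
    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "embed") and a.get("src"):
            self.urls.append(a["src"])
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.urls.extend(UNPKG_URL_RE.findall(data))


def scan_html(html_text):
    """Return [{'url', 'package', 'verdict'}] for every unpkg load in the document."""
    collector = _LoaderCollector()
    collector.feed(html_text)
    collector.close()
    results = []
    for url in collector.urls:
        package = unpkg_package(url)
        if package is None:
            continue
        hit = any(p.match(package) for p in CAMPAIGN_NAME_PATTERNS)
        results.append({"url": url, "package": package,
                        "verdict": "campaign-pattern" if hit else "unpkg-load"})
    return results


# Constructed sample "invoice" attachment: two campaign-style loaders plus a
# legitimate-looking library pulled from the same CDN.
SAMPLE_HTML = """<html><body><h1>Invoice 2025-10</h1>
<script src="https://unpkg.com/redirect-ab12cd@1.0.0/index.js"></script>
<script>var s=document.createElement('script');
s.src='https://unpkg.com/mad-1.2.3.4.5.6@0.0.1/dist/x.js';document.head.appendChild(s);</script>
<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
<script src="https://cdn.example.org/app.js"></script>
</body></html>"""

if __name__ == "__main__":
    for r in scan_html(SAMPLE_HTML):
        print(r["verdict"], r["package"], r["url"])
```

The third hit is deliberately reported at the lower `unpkg-load` verdict: a standalone HTML attachment that pulls anything from a package CDN is unusual for a business document, and a name-pattern list will age faster than that behavioural signal.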

    Snyk analysts identified additional package clusters beyond those initially reported by Socket, revealing the campaign’s extensive scope.

    The researchers noted that this attack demonstrates how threat actors are actively exploring new methods to weaponize the open-source ecosystem beyond conventional package-based exploits, representing a significant shift in supply chain compromise strategies.

    The malware exhibits sophisticated behavioral characteristics that enhance its stealth and effectiveness.

    Security check (Source – Snyk)

    Upon execution, the script presents victims with a fake “Cloudflare Security Check” interface, complete with anti-analysis countermeasures designed to evade detection and inspection.

    Advanced Evasion and Persistence Mechanisms

    The malicious payload incorporates multiple layers of protection against security analysis and detection.

    The code implements comprehensive anti-debugging measures through periodic developer tools detection, automatically blanking pages or redirecting when development consoles are accessed.

    This functionality operates through size threshold monitoring and console object manipulation:-

    const CHECK_INTERVAL = 600;   // ms between checks
    const SIZE_THRESHOLD = 160;   // px; a docked devtools pane widens the window/viewport gap
    const REACTION = 'blank';

    // Window-chrome gap check: the report's excerpt uses dw/dh without showing
    // their definitions; these are the conventional ones.
    function sizeCheck() {
        const dw = window.outerWidth - window.innerWidth;
        const dh = window.outerHeight - window.innerHeight;
        return (dw > SIZE_THRESHOLD) || (dh > SIZE_THRESHOLD);
    }

    // Console-object trick: the getter only runs if an open console renders the object.
    // obj and open are created fresh per call so the property can be redefined each time.
    function consoleCheck() {
        let open = false;
        const obj = {};
        Object.defineProperty(obj, 'id', {
            get: function() {
                open = true;
                return '1';
            }
        });
        console.log(obj);
        return open;
    }

    // Periodic check; REACTION 'blank' wipes the page, as the report describes.
    setInterval(function () {
        if (sizeCheck() || consoleCheck()) {
            if (REACTION === 'blank') document.body.innerHTML = '';
        }
    }, CHECK_INTERVAL);

    Additionally, the malware disables standard browser inspection capabilities by intercepting keyboard shortcuts and context menu events.

    It prevents access to F12 developer tools, Ctrl+Shift+I inspector shortcuts, and Ctrl+U view source functionality through comprehensive event listener implementations.

    The script also employs frame-busting techniques, attempting to redirect the top-level window after victims interact with the fake verification checkbox, ensuring maximum impact regardless of the browsing context.


    The post New Cyberattack Leverages NPM Ecosystem to Infect Developers While Installing Packages appeared first on Cyber Security News.


  • In its October 2025 Patch Tuesday release, Microsoft addressed a staggering 172 security vulnerabilities across its vast ecosystem, with four zero-day flaws stealing the spotlight, two of which are already being exploited in the wild. This massive security update targets a wide range of products, from Windows operating systems and Microsoft Office to Azure cloud […]

    The post Microsoft Patch Tuesday October 2025 – 172 Vulnerabilities Fixed Along with 4 Zero-days appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybercriminals have developed a sophisticated phishing campaign targeting Colombian users through fake judicial notifications, deploying a complex multi-stage malware delivery system that culminates in AsyncRAT infection.

    The campaign demonstrates an alarming evolution in social engineering tactics, leveraging legitimate-looking governmental communications to bypass traditional security measures and successfully compromise unsuspecting victims.

    The attack campaign employs carefully crafted Spanish-language emails impersonating official correspondence from “Juzgado 17 Civil Municipal del Circuito de Bogotá” (17th Municipal Civil Court of the Bogotá Circuit).

    These deceptive messages inform recipients of purported lawsuits filed against them, creating urgency and authenticity through formal legal language and institutional naming conventions.

    The malicious emails contain SVG (Scalable Vector Graphics) file attachments named “Fiscalia General De La Nacion Juzgado Civil 17.svg,” which translates to “Attorney General’s Office Civil Court 17.svg” in English.

When opened in a browser, the SVG file presents victims with a convincing fake webpage masquerading as the Attorney General’s Office and Citizen’s Consultation Portal.

    The fraudulent interface includes fabricated elements such as judicial information systems and fake consultation registration numbers, enhancing the illusion of legitimacy.

    When users attempt to download what appears to be an official document, the system initiates a complex infection chain involving multiple file stages and encoding techniques.

    Seqrite analysts identified this malware campaign during their ongoing threat intelligence monitoring activities, detecting the sophisticated attack methodology that employs SVG files as initial attack vectors.

    The researchers noted that SVG files have become increasingly popular among cybercriminals due to their ability to embed malicious scripts within XML code structures, often evading detection by traditional security solutions that may not thoroughly scan these file types for harmful content.
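Because an SVG is XML, the indicators that matter for this lure are easy to enumerate statically: `<script>` elements, `on*` event-handler attributes, `javascript:`/`data:text/html` hrefs, `<foreignObject>` wrappers, and long base64 literals that decode to HTML or an HTA. The Python below is an added example for this article, not Seqrite's tooling; the sample SVG is constructed to model the described chain (an onload handler calling an embedded OpenDocument function that opens a base64-encoded HTML stage as a blob URL) and carries no real payload. It uses the standard-library parser so it runs anywhere; for untrusted input in production, parse with defusedxml to rule out entity-expansion attacks.

```python
import base64
import re
import xml.etree.ElementTree as ET

# For untrusted input in production use defusedxml; ElementTree is used here
# so the example runs on a stock interpreter.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
HTML_MARKERS = (b"<html", b"<script", b"<body", b"<hta:application", b"javascript:")


def _local(qname):
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1]


def _looks_like_html(blob):
    low = blob.lower()
    return any(marker in low for marker in HTML_MARKERS)


def scan_svg(svg_text):
    """Return (finding, detail) pairs; an empty list means nothing scriptable was found."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [("malformed-xml", str(exc))]
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag == "script":
            findings.append(("script-element", (el.text or "").strip()[:60]))
        elif tag == "foreignObject":
            findings.append(("foreignObject", "HTML content embedded in SVG"))
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            if name.startswith("on"):
                findings.append(("event-handler", "%s=%s" % (name, value[:60])))
            elif name == "href" and value.lstrip().lower().startswith(("javascript:", "data:text/html")):
                findings.append(("active-href", value[:60]))
    # Large base64 literals anywhere in the file that decode to HTML or HTA content
    for m in B64_RUN.finditer(svg_text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        if _looks_like_html(blob):
            findings.append(("base64-html-stage", blob[:40].decode("latin-1")))
    return findings


# Constructed sample modelled on the described lure: an onload handler, an
# embedded script and a base64 HTML second stage opened as a blob URL.
_HTML_STAGE = "<html><body><script>/* decoy second stage */</script></body></html>"
_B64 = base64.b64encode(_HTML_STAGE.encode()).decode()
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1" onload="OpenDocument()">'
    '<script type="text/javascript"><![CDATA['
    'var p="' + _B64 + '";'
    'function OpenDocument(){window.open(URL.createObjectURL(new Blob([atob(p)],{type:"text/html"})));}'
    ']]></script></svg>'
)
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    for kind, detail in scan_svg(SAMPLE_SVG):
        print(kind, detail)
```

A malformed file is reported rather than silently passed: attackers sometimes rely on a browser's lenient parsing to carry content an XML-strict scanner would choke on, so a parse failure on an "image" attachment is itself worth a look.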

    Infection Chain and Technical Implementation

    The malware’s infection mechanism demonstrates advanced technical sophistication through its multi-stage delivery process.

    Infection Chain of Campaign (Source – Seqrite)

    Once the victim clicks on the malicious SVG file, embedded JavaScript code executes the OpenDocument() function, which performs several critical operations to initiate the attack sequence.

    // Body reconstructed from the steps described in the report; the real file
    // carries the base64 data inline, passed here as a parameter instead.
    function OpenDocument(encodedPayload) {
        // Accept base64 encoded embedded data
        const decoded = atob(encodedPayload);
        // Decode it to an attacker-controlled "HTML" blob
        const bytes = Uint8Array.from(decoded, c => c.charCodeAt(0));
        const blob = new Blob([bytes], { type: "text/html" });
        // Create a temporary URL object for that blob
        const url = URL.createObjectURL(blob);
        // Open that URL in a new tab
        window.open(url, "_blank");
    }

    The SVG file contains embedded base64-encoded data that, when decoded, creates an HTML blob displayed in a new browser tab.

    This secondary page presents a fake progress bar interface, convincing victims that a legitimate document download is occurring while simultaneously triggering the download of a malicious HTA file named “DOCUMENTO_OFICIAL_JUZGADO.HTA.”

    The HTA file serves as the next stage in the infection chain, containing heavily obfuscated code with large blocks of base64-encoded content.

    When executed, it decodes and drops a Visual Basic script file called “actualiza.vbs” onto the victim’s system.

    This VBS file, after removing extensive junk code designed to evade analysis, executes a PowerShell script contained within an obfuscated variable named “GftsOTSaty.”

    The PowerShell component (“veooZ.ps1”) connects to a dpaste domain URL to download an encoded text file called “Ysemg.txt.”

    This file undergoes multiple decoding processes, replacing specific character patterns before base64 decoding to produce “classlibrary3.dll,” a .NET assembly that functions as a module loader.

    The loader incorporates anti-virtual machine techniques, checking for VirtualBox and VMware-related processes to avoid detection in analysis environments.

    The final payload, AsyncRAT, gets injected into the legitimate MSBuild.exe process through sophisticated in-memory injection techniques.

    This approach allows the malware to operate within a trusted Windows process, effectively evading detection while maintaining persistence on the infected system.

    The AsyncRAT payload provides comprehensive remote access capabilities, including keystroke logging, system information gathering, webcam surveillance, and command-and-control communications through encrypted TLS connections using MessagePack serialization.


    The post Hackers Leverage Judicial Notifications to Deploy Info-Stealer Malware appeared first on Cyber Security News.


  • In the days after Hamas’s October 2023 attack on Israel, U.S. troops in the Middle East began to endure near-daily drone attacks. It took six weeks to get upgraded counter-drone weapons to those far-flung outposts, the Army’s vice chief of staff said Tuesday—and the service’s procurement folks thought that was a win.

    To make it happen, Gen. James Mingus said, the service had to reprogram funds destined for the Raytheon Coyote Block 2+ to the Block C variant because each of those variants was a different line of funding in the defense budget.

    “It took 45 days, and everybody was patting themselves on the back…because normally that's a multi-month kind of process,” Mingus told an audience at the AUSA annual meeting in Washington, D.C. “If you're a kid at Tower 22, you're looking at your watch. Back here, we're looking at calendars.”

The story illustrated a larger point Army leaders have been trying to make in their acquisition-reform push: so-called “agile funding” would allow them not only to more rapidly buy new technologies, but immediately get them downrange to protect troops in imminent danger.

    “Had that been a single line of accounting, a single program element, we could have immediately…had those Coyote Block 2C’s in the hands of those soldiers in days, instead of a multi-month period,” Mingus said.

    As it stands now, if the Defense Department wants to shift more than $10 million slated to procure one weapon to buy another one, it needs approval from Congress. What the Army would like is a big pot of general counter-UAS money that it can use to buy new technology as it’s developed.

    It’s up to the Army, then, to assure Congress that they won’t be recklessly spending that pot of money without oversight.

    The challenge “is getting them to understand that they will maintain the visibility on this, because at the end of the day, that's a big concern,” Army Undersecretary Mike Obadal said. “They're responsible for overseeing the budget, and we can't ignore that.”

    Every new weapon fielded is going to have a tactical response from the enemy, Obadal said, often requiring yet another new piece of technology for the Army to keep an advantage. 

    “With exquisite weapon systems, that cycle may take years. With other things that may take months,” he said. “But with some of the things that our soldiers are going to face on the battlefield, it has to be days, or—to the vice’s point—even hours.”


  • Fortinet has issued an urgent advisory revealing a critical weakness in its FortiPAM and FortiSwitch Manager products that could allow attackers to sidestep authentication entirely through brute-force methods.

Tracked as CVE-2025-49201, the flaw is a weak authentication mechanism (CWE-1390) in the WAD daemon and the GUI.

With a CVSS v3.1 score of 7.4 (High), Fortinet rates the weakness as potentially allowing an attacker to execute unauthorized code or commands via brute-force attacks. In a privileged access manager, bypassing authentication means reaching the credentials and sessions the product exists to protect, so the practical impact is wider than the score alone suggests.

    The issue affects multiple versions of FortiPAM, Fortinet’s privileged access management solution, and select releases of FortiSwitch Manager, which handles network switch configurations.

    Specifically, FortiPAM versions 1.5.0, 1.4.0 through 1.4.2, and all versions of 1.3, 1.2, 1.1, and 1.0 are vulnerable. For FortiSwitch Manager, versions 7.2.0 through 7.2.4 in the 7.2 series are impacted, while the 7.0 series remains unaffected.

| Product | Affected Versions | Solution |
|---|---|---|
| FortiPAM 1.7 | Not affected | Not applicable |
| FortiPAM 1.6 | Not affected | Not applicable |
| FortiPAM 1.5 | 1.5.0 | Upgrade to 1.5.1 or above |
| FortiPAM 1.4 | 1.4.0 through 1.4.2 | Upgrade to 1.4.3 or above |
| FortiPAM 1.3 | 1.3 all versions | Migrate to a fixed release |
| FortiPAM 1.2 | 1.2 all versions | Migrate to a fixed release |
| FortiPAM 1.1 | 1.1 all versions | Migrate to a fixed release |
| FortiPAM 1.0 | 1.0 all versions | Migrate to a fixed release |
| FortiSwitchManager 7.2 | 7.2.0 through 7.2.4 | Upgrade to 7.2.5 or above |
| FortiSwitchManager 7.0 | Not affected | Not applicable |

    Attackers require network access and could exploit this over time with persistent brute-force attempts, though no public exploits have surfaced yet.

    Fortinet urges immediate patching to mitigate threats. Users on vulnerable FortiPAM 1.5 should upgrade to 1.5.1 or later, while those on 1.4 need version 1.4.3 or above. For older branches like 1.3 and below, migration to a fixed release is essential.

FortiSwitch Manager 7.2 users must update to 7.2.5 or higher. Until patched, monitor for unusual login activity (bursts of failures from one source, or a success following such a burst), keep the management interface off untrusted networks, and enforce multi-factor authentication as interim defenses.
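The monitoring just mentioned is easy to state precisely: a brute-force attempt against a weak authentication check shows up as many failures from one source inside a short window, and a successful guess shows up as a success from that same source while the failure count is still high. The Python below is an added example for this article, not Fortinet tooling, and the log lines are constructed in a generic key=value format for illustration, not FortiPAM's or FortiSwitchManager's native syntax; adapt `LINE_RE` to the real event fields.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format for this example only; it is NOT the native
# FortiPAM or FortiSwitchManager log syntax.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+"
    r"action=login\s+status=(?P<status>success|failure)$"
)

# Constructed sample: one source hammers the admin account and eventually
# succeeds; another source shows ordinary mistyped-password behaviour.
SAMPLE_LOG = [
    "2025-10-14T10:00:00 src=203.0.113.5 user=admin action=login status=failure",
    "2025-10-14T10:00:05 src=203.0.113.5 user=admin action=login status=failure",
    "2025-10-14T10:00:07 src=198.51.100.7 user=jdoe action=login status=failure",
    "2025-10-14T10:00:10 src=203.0.113.5 user=admin action=login status=failure",
    "2025-10-14T10:00:12 src=198.51.100.7 user=jdoe action=login status=failure",
    "2025-10-14T10:00:15 src=203.0.113.5 user=admin action=login status=failure",
    "2025-10-14T10:00:18 src=198.51.100.7 user=jdoe action=login status=success",
    "2025-10-14T10:00:20 src=203.0.113.5 user=admin action=login status=failure",
    "2025-10-14T10:00:25 src=203.0.113.5 user=admin action=login status=failure",
    "2025-10-14T10:00:30 src=203.0.113.5 user=admin action=login status=success",
]


def parse_line(line):
    """Parse one log line into a dict, or None if it is not a login event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert on a source reaching `threshold` failures inside the window, and on a
    success from that source while the burst is still live (the guess worked)."""
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # expire old failures
            q.popleft()
        if ev["status"] == "failure":
            q.append(ev["ts"])
            if len(q) == threshold:            # fire once per burst, not on every extra failure
                alerts.append({"type": "failure_burst", "src": ev["src"],
                               "count": len(q), "at": ev["ts"]})
        elif len(q) >= threshold:
            alerts.append({"type": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "failures": len(q), "at": ev["ts"]})
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one to page on: a burst alone may be a scanner, but a success while the burst is live means the account is in someone else's hands and the session should be terminated and the credential rotated.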

    Discovered internally by Gwendal Guégniaud from Fortinet’s Product Security team, the vulnerability was published on October 14, 2025, under internal reference FG-IR-25-010.

The disclosure fits a broader pattern of attackers targeting network-management and privileged-access tools, which hold credentials for everything behind them; in an enterprise patch queue these products belong at the front.


    The post FortiPAM and FortiSwitch Manager Vulnerability Let Attackers Bypass Authentication Process appeared first on Cyber Security News.
