Recent security findings indicate a converging risk around the management plane—the administrative interfaces that control edge firewalls, cloud identity accounts, and mobile endpoints. For security teams, protecting these control surfaces is the current priority, as unauthorized actors increasingly focus on bypassing authentication mechanisms to gain administrative access.
Critical Authentication Risks in Fortinet Platforms
Network administrators should prioritize remediation of two authentication bypass vulnerabilities in Fortinet products, tracked as CVE-2025-59718 and CVE-2025-59719. Rated CVSS 9.1, they affect core infrastructure components including FortiOS, FortiWeb, and FortiProxy. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both entries to its Known Exploited Vulnerabilities catalog, confirming exploitation in the wild.
The root cause is improper verification of cryptographic signatures in the FortiCloud Single Sign-On (SSO) flow. Affected devices do not correctly validate the signature on a specially crafted SAML message, so an attacker can assume administrative privileges without holding valid credentials.
A configuration behavior widens the exposure. When an administrator registers a device through the FortiCare graphical user interface, the setting "Allow administrative login using FortiCloud SSO" is often enabled automatically, which opens an administrative access path even where the team never intended to use the feature. Security researchers have tracked unauthorized access attempts dating back to December 12, often followed by exfiltration of configuration files, which contain network topology and hashed credentials.
Remediation and Recovery
We recommend the following immediate actions:
Upgrade Firmware: Update to patched versions of FortiOS: 7.6.4, 7.4.9, 7.2.12, or 7.0.18.
Verify Configuration: If an upgrade is not immediately feasible, disable "Allow administrative login using FortiCloud SSO" in the system settings. Check this on every device, including those where nobody deliberately turned the feature on, since registration can enable it.
Credential Reset: If a device ran a vulnerable version with the SSO login enabled, treat it as compromised. Reset all administrative passwords and rotate any other secrets held in the configuration, since an exfiltrated config export contains hashed credentials that can be attacked offline.
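The three steps above reduce to a per-device decision: is the running release below the fix for its branch, and is the SSO admin login switched on? The following is an added triage helper, not Fortinet code or tooling. It assumes the fixed releases listed above and treats every lower release on the same branch as affected (confirm the exact affected ranges against the vendor advisory); the `get system status` line and `config system global` block are constructed, and `admin-forticloud-sso-login` is the CLI attribute assumed to back the "Allow administrative login using FortiCloud SSO" setting, so verify the name on your build.

```python
"""Post-exposure triage for the FortiCloud SSO bypass.

Added example, not Fortinet's code or tooling. Assumptions:
  * Fixed releases are the ones listed on the page (7.6.4, 7.4.9, 7.2.12,
    7.0.18) and every lower release on the same branch is treated as affected.
    Confirm the exact affected ranges against the vendor advisory.
  * The `get system status` line and `config system global` block below are
    constructed. `admin-forticloud-sso-login` is the CLI attribute assumed to
    back "Allow administrative login using FortiCloud SSO"; verify on your build.
"""
import re

FIXED_VERSIONS = {
    (7, 6): (7, 6, 4),
    (7, 4): (7, 4, 9),
    (7, 2): (7, 2, 12),
    (7, 0): (7, 0, 18),
}

# Constructed samples standing in for `get system status` and a config export.
SAMPLE_STATUS = "Version: FortiGate-100F v7.4.8,build2795,250311 (GA.F)"
SAMPLE_CONFIG_SSO_ON = """\
config system global
    set hostname edge-fw-01
    set admin-forticloud-sso-login enable
end
"""
SAMPLE_CONFIG_SSO_OFF = SAMPLE_CONFIG_SSO_ON.replace("enable", "disable")


def parse_version(status_line: str) -> tuple:
    """Extract (major, minor, patch) from a FortiOS status or version string."""
    m = re.search(r"\bv(\d+)\.(\d+)\.(\d+)\b", status_line)
    if not m:
        raise ValueError(f"no FortiOS version in: {status_line!r}")
    return tuple(int(x) for x in m.groups())


def fixed_version_for(version: tuple):
    """Fixed release on this branch, or None if the branch is not on the list."""
    return FIXED_VERSIONS.get(version[:2])


def is_vulnerable(version: tuple):
    """True if below the branch fix, False if at/above it, None if branch unknown."""
    fixed = fixed_version_for(version)
    if fixed is None:
        return None
    return version < fixed


def sso_login_enabled(config_text: str) -> bool:
    """Read the FortiCloud SSO admin-login switch out of a config export."""
    m = re.search(r"^\s*set admin-forticloud-sso-login (enable|disable)\s*$",
                  config_text, re.MULTILINE)
    return bool(m) and m.group(1) == "enable"


def triage(status_line: str, config_text: str) -> dict:
    """Combine version and configuration into an action list for one device."""
    version = parse_version(status_line)
    vulnerable = is_vulnerable(version)
    sso = sso_login_enabled(config_text)
    actions = []
    if vulnerable is None:
        actions.append("branch not on fixed-version list: check the advisory manually")
    elif vulnerable:
        fixed = ".".join(map(str, fixed_version_for(version)))
        actions.append(f"upgrade to {fixed} or later")
        if sso:
            actions.append("disable admin-forticloud-sso-login until upgraded")
            actions.append("treat as compromised: reset all admin passwords and "
                           "rotate secrets present in the config")
    elif sso:
        actions.append("patched, but SSO admin login is on: confirm it is intentional")
    return {
        "version": version,
        "vulnerable": vulnerable,
        "sso_enabled": sso,
        "assume_compromised": bool(vulnerable) and sso,
        "actions": actions,
    }


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG_SSO_ON, SAMPLE_CONFIG_SSO_OFF):
        print(triage(SAMPLE_STATUS, cfg))
```

Feed it the version line and a config export pulled from each device (or from your config management backups) and act on the `assume_compromised` flag first: those devices need the credential reset, not just the upgrade. A branch missing from the table returns None rather than a reassuring False, so end-of-life branches are surfaced for manual review instead of silently passing.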
Tactical Shifts in AWS Cloud Security
Credential security is equally vital in the cloud. AWS security researchers have documented a cryptomining campaign that uses compromised AWS Identity and Access Management (IAM) credentials to stand up mining workloads on EC2 quickly.
The campaign shows a distinct pattern of "tactical patience" during reconnaissance. Before launching anything, the actors query GetServiceQuota to learn the account's EC2 limits and call RunInstances with the DryRun flag set, which checks whether the call would be authorized without actually launching an instance. Together these confirm permissions and available capacity without incurring cost or tripping the billing alerts most accounts rely on.
To keep the instances running, the actors call ModifyInstanceAttribute to set disableApiTermination on each one. With that attribute set, TerminateInstances requests from the console, the CLI, and automated response scripts are rejected until the attribute is cleared, so responders must first clear it on every instance and only then terminate them.
Detection Guidance:
Monitor AWS CloudTrail for DryRun API calls, which are recorded as EC2 events with errorCode Client.DryRunOperation, and for GetServiceQuota calls from principals that do not normally perform either.
Alert on ModifyInstanceAttribute events that set disableApiTermination, and correlate them with recent RunInstances activity by the same principal.
Enforce multifactor authentication (MFA) on all IAM users, and prefer short-lived role credentials over long-lived access keys so that a stolen credential is less useful to an attacker.
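The guidance above, as detection logic run over constructed CloudTrail records. This is an added example, not AWS tooling: the events follow the CloudTrail record shape (eventTime, eventSource, eventName, errorCode, requestParameters, userIdentity.arn), but the account ID, ARNs, instance ID, AMI ID, timestamps and quota code are made up. It goes one step beyond the bullet list by adding a sequence rule (a real RunInstances shortly after a DryRun probe by the same principal) and by emitting the remediation commands in the order the termination-protection attribute forces.

```python
"""CloudTrail detections for the EC2 cryptomining tradecraft described above.

Added example, not AWS tooling. The records below are constructed but follow
the CloudTrail event shape. Account ID, ARNs, instance ID, AMI ID, timestamps
and quota code are made up.
"""
from datetime import datetime, timedelta

ACTOR = "arn:aws:iam::123456789012:user/ci-deploy"             # constructed, compromised
OPS = "arn:aws:sts::123456789012:assumed-role/ops/alice"       # constructed, benign

SAMPLE_EVENTS = [
    {"eventTime": "2025-12-15T10:00:00Z", "eventSource": "servicequotas.amazonaws.com",
     "eventName": "GetServiceQuota", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"serviceCode": "ec2", "quotaCode": "L-1216C47A"}},
    {"eventTime": "2025-12-15T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ACTOR},
     "errorCode": "Client.DryRunOperation",
     "errorMessage": "Request would have succeeded, but DryRun flag is set.",
     "requestParameters": {"instanceType": "c5.24xlarge",
                           "instancesSet": {"items": [{"imageId": "ami-0123456789abcdef0",
                                                       "minCount": 1, "maxCount": 20}]}}},
    {"eventTime": "2025-12-15T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceType": "c5.24xlarge",
                           "instancesSet": {"items": [{"imageId": "ami-0123456789abcdef0",
                                                       "minCount": 20, "maxCount": 20}]}}},
    {"eventTime": "2025-12-15T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "userIdentity": {"arn": ACTOR},
     "requestParameters": {"instanceId": "i-0f1e2d3c4b5a69788",
                           "disableApiTermination": {"value": True}}},
    {"eventTime": "2025-12-15T10:07:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": OPS},
     "requestParameters": {}},
]


def _time(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def classify(event):
    """Per-event rules: each returns a tag, or nothing for benign activity."""
    tags = []
    params = event.get("requestParameters") or {}
    if event.get("errorCode") == "Client.DryRunOperation":
        tags.append("DRY_RUN_PROBE")          # permission check that launches nothing
    if (event["eventSource"] == "servicequotas.amazonaws.com"
            and event["eventName"] == "GetServiceQuota"):
        tags.append("QUOTA_RECON")
    if (event["eventName"] == "ModifyInstanceAttribute"
            and (params.get("disableApiTermination") or {}).get("value") is True):
        tags.append("TERMINATION_PROTECTION_SET")
    return tags


def detect(events, window=timedelta(hours=1)):
    """Run the per-event rules plus one sequence rule: a successful RunInstances
    by a principal that DryRun-probed RunInstances within `window` before it."""
    findings = []
    last_probe = {}  # principal ARN -> time of its last DryRun RunInstances
    for ev in sorted(events, key=_time):
        principal = ev["userIdentity"]["arn"]
        params = ev.get("requestParameters") or {}
        for tag in classify(ev):
            findings.append({"tag": tag, "principal": principal,
                             "eventName": ev["eventName"],
                             "instanceId": params.get("instanceId")})
        if ev["eventName"] != "RunInstances":
            continue
        if ev.get("errorCode") == "Client.DryRunOperation":
            last_probe[principal] = _time(ev)
        elif "errorCode" not in ev:  # a real launch
            probe = last_probe.get(principal)
            if probe is not None and _time(ev) - probe <= window:
                findings.append({"tag": "DRY_RUN_THEN_LAUNCH", "principal": principal,
                                 "eventName": ev["eventName"], "instanceId": None})
    return findings


def protected_instances(findings):
    """Instance IDs that had termination protection switched on."""
    return sorted({f["instanceId"] for f in findings
                   if f["tag"] == "TERMINATION_PROTECTION_SET" and f["instanceId"]})


def remediation_commands(instance_ids):
    """CLI steps in the order the attribute forces: clear protection, then terminate."""
    cmds = [f"aws ec2 modify-instance-attribute --instance-id {i} --no-disable-api-termination"
            for i in instance_ids]
    if instance_ids:
        cmds.append("aws ec2 terminate-instances --instance-ids " + " ".join(instance_ids))
    return cmds


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("\n".join(remediation_commands(protected_instances(found))))
```

DryRun probing is legitimate in some CI pipelines, so the per-event DRY_RUN_PROBE tag is best treated as context; the sequence tag DRY_RUN_THEN_LAUNCH and TERMINATION_PROTECTION_SET from a principal that never touches EC2 are the ones worth paging on. Before running the terminate command, revoke the compromised principal's credentials, or the actor will simply relaunch.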
Mobile Endpoint and Application Security
The focus on administrative control extends to mobile devices through a new tool known as Cellik. This malware-as-a-service offering uses "app wrapping": malicious code is injected into copies of legitimate Android applications taken from the Google Play Store, and the modified packages are then distributed outside the store.
Cellik therefore depends on users sideloading the modified applications. Once installed, it gives the operator extensive access, including live screen streaming and the capture of one-time passcodes from incoming notifications. Because the method relies on social engineering rather than on exploiting a software vulnerability, the primary defense is policy and device configuration. We advise organizations to block sideloading on managed devices and to deploy mobile endpoint detection capable of identifying unauthorized background processes and abuse of notification access.
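One concrete way to enforce the policy above is to audit each managed device for packages that did not come from a trusted store and to escalate those that also hold the access a wrapped app needs for OTP theft or screen control. The following is an added example, not the malware, not Google tooling and not any particular MDM product. Its inputs are constructed stand-ins for the output of `adb shell pm list packages -i` and of `adb shell settings get secure enabled_notification_listeners` and `enabled_accessibility_services`; the package names are made up, and the trusted-installer set is an assumption you should extend with your MDM's installer package.

```python
"""Sideload audit for managed Android devices.

Added example, not the malware, not Google tooling and not any specific MDM.
Inputs are constructed stand-ins for `pm list packages -i` and for the
`enabled_notification_listeners` / `enabled_accessibility_services` secure
settings; package names are made up.
"""
import re

# Installers whose apps we treat as store-delivered; anything else is sideloaded.
# Assumption: extend with your MDM's installer package before using this.
TRUSTED_INSTALLERS = {
    "com.android.vending",                 # Google Play
    "com.sec.android.app.samsungapps",     # Galaxy Store
}

# Constructed: `pm list packages -i` prints "package:<name>  installer=<pkg|null>".
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bankapp  installer=com.google.android.packageinstaller
package:com.example.freevpn  installer=null
package:com.sec.android.app.notes  installer=com.sec.android.app.samsungapps
"""
# Constructed: colon-separated component lists, as `settings get secure` returns them.
SAMPLE_LISTENERS = ("com.example.freevpn/com.example.freevpn.NotifService:"
                    "com.android.chrome/com.android.chrome.Svc")
SAMPLE_A11Y = "null"


def parse_packages(pm_output):
    """Map package name -> installer package (None when installed without one)."""
    pkgs = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkgs[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return pkgs


def parse_components(setting_value):
    """Packages named in a 'pkg/Class:pkg2/Class2' settings value."""
    value = (setting_value or "").strip()
    if value in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}


def audit(pm_output, listeners_value, a11y_value):
    """Flag sideloaded apps; escalate those with OTP-reading or screen-control access."""
    listeners = parse_components(listeners_value)
    a11y = parse_components(a11y_value)
    findings = []
    for pkg, installer in parse_packages(pm_output).items():
        if installer in TRUSTED_INSTALLERS:
            continue  # store-delivered apps with listener access are out of scope here
        reasons = [f"sideloaded (installer={installer or 'none'})"]
        risk = "medium"
        if pkg in listeners:   # can read OTPs delivered as notifications
            reasons.append("notification listener enabled")
            risk = "high"
        if pkg in a11y:        # can observe and drive the screen
            reasons.append("accessibility service enabled")
            risk = "high"
        findings.append({"package": pkg, "risk": risk, "reasons": reasons})
    return sorted(findings, key=lambda f: (f["risk"] != "high", f["package"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_PM_OUTPUT, SAMPLE_LISTENERS, SAMPLE_A11Y):
        print(f)
```

The installer field is a heuristic rather than proof of origin: an attacker with shell access could install with `-i` to spoof it, and a wrapped app delivered through an enterprise side-channel will carry that channel's installer. The useful signal is the combination, a package from an unrecognised installer that also holds notification-listener or accessibility access, which is exactly the profile a wrapped app needs to intercept one-time passcodes and stream the screen.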
AI Safety and Model Robustness
As organizations evaluate artificial intelligence integrations, data from the PHARE LLM benchmark indicates that safety performance varies significantly across the industry. The benchmark reveals that larger models, while more capable of reasoning, can sometimes be manipulated into bypassing their own safety protocols through complex, multi-step prompts.
The data suggests that model size does not guarantee security. The benchmark noted that Anthropic’s Claude models currently demonstrate strong resistance to jailbreaks, attributed to an "intrinsic alignment" strategy where safety training is integrated early in the development process rather than applied as a final filter. Security teams selecting models should evaluate vendors based on specific safety performance metrics rather than general capability claims.
International Cooperation on Digital Evidence
Efforts to mitigate transnational threats are benefiting from improved regional collaboration. Law enforcement representatives from more than 40 African nations convened under Afripol this week to standardize digital evidence procedures. The initiative aims to close the jurisdictional gaps that threat actors exploit to evade prosecution. By harmonizing legal frameworks, these nations are establishing a mechanism under which evidence collected in one jurisdiction is admissible in another, strengthening the collective response to campaigns like the cryptomining and malware operations described above.
Conclusion
While patches and configuration changes address the immediate technical flaws in the Fortinet and AWS cases, the full extent of credential exposure will take ongoing work to establish. We advise security teams to monitor for lateral movement and to assume that configuration files and hashed credentials taken from exposed edge devices can be cracked offline and reused in later access attempts.