This week saw a sharp uptick in active exploitation, with major vulnerabilities surfacing across backup systems, firewalls, AI platforms, and messaging apps. From remote code execution flaws in Veeam and Fortinet to an SSRF bug in ChatGPT and a WhatsApp zero-day abused by spyware, attackers are leveraging both old and new tactics to gain footholds. Here’s what you need to know.
Veeam Backup Flaw Enables Domain-Wide Remote Code Execution
A critical remote code execution vulnerability (CVE-2025-23120) in Veeam Backup & Replication has been patched, but domain-joined environments remain at serious risk. This deserialization flaw allows any domain user to execute code on vulnerable servers. The vulnerability can allow attackers to bypass existing blacklist-based protections to gain full control of backup infrastructure. All users are encouraged to upgrade to Veeam version 12.3.1 immediately.
Risks Identified:
- Remote execution of arbitrary code by low-privilege domain users
- Compromised backup servers enabling data exfiltration and deletion
- Potential full-network compromise via lateral movement
Security Recommendations:
- Penetration Testing: Simulate real-world attacks to identify risks like these before adversaries do.
- Managed Vulnerability Scanning: Alert your team to new high-risk CVEs and misconfigurations in your backup environment.
- Security Configuration Audits: Ensure your backup systems follow vendor and industry best practices.
Fortinet Firewalls Under Active Exploitation by Ransomware Groups
CISA has added CVE-2025-24472 and CVE-2024-55591, two authentication bypass flaws in Fortinet’s FortiOS and FortiProxy, to its Known Exploited Vulnerabilities catalog. These bugs allow unauthenticated attackers to gain super-admin access via exposed management interfaces. Ransomware actor Mora_001 has been seen exploiting these vulnerabilities to deploy malware, create persistent access, and conduct full attack chains including data theft and encryption.
Risks Identified:
- Exploitation of Internet-exposed FortiGate consoles
- Privilege escalation using crafted proxy requests and WebSocket attacks
- Deployment of custom ransomware (“SuperBlack”)
Security Recommendations:
- Immediately apply Fortinet’s patches and restrict access to management interfaces
- Firewall & Network Device Audits: Uncover vulnerabilities in edge infrastructure and enforce segmentation and access controls. Monitor for suspicious admin account creation and unauthorized script scheduling.
- Log Management & SIEM Solutions: Allow for real-time detection of post-exploitation activity like unauthorized account creation or lateral movement.
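The monitoring recommendation above, worked through as an added example (not code from the original advisory or from Fortinet): it parses constructed FortiGate-style key=value event lines and raises alerts for the post-exploitation behaviour described, namely new admin accounts, automation/script objects, and configuration changes from outside an assumed trusted management network. The field names and the trusted prefix are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed, FortiGate-style key=value event lines (field names are an assumption
# of this example, not copied from a real device). Line 2 adds an admin account from
# an Internet address, line 3 creates an automation script, line 1 is benign.
SAMPLE_LOGS = [
    'date=2025-03-18 time=01:02:03 type="event" subtype="system" user="admin" '
    'ui="https(10.10.5.4)" action="Edit" cfgpath="system.global" msg="Edit system.global"',
    'date=2025-03-18 time=02:14:07 type="event" subtype="system" user="admin" '
    'ui="https(203.0.113.7)" action="Add" cfgpath="system.admin" cfgobj="sec_support" '
    'msg="Add system.admin sec_support"',
    'date=2025-03-18 time=02:16:40 type="event" subtype="system" user="sec_support" '
    'ui="ssh(203.0.113.7)" action="Add" cfgpath="system.auto-script" cfgobj="backup_cfg" '
    'msg="Add system.auto-script backup_cfg"',
]

KV_RE = re.compile(r'(\w[\w.-]*)=("(?:[^"\\]|\\.)*"|\S+)')
# Management networks from which config changes are expected (assumed for the example).
TRUSTED_MGMT_PREFIXES = ("10.10.",)

def parse_kv(line: str) -> Dict[str, str]:
    """Turn a key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def source_ip(ui: str) -> str:
    """Extract the client address from a ui field such as https(203.0.113.7)."""
    m = re.search(r"\(([^)]+)\)", ui)
    return m.group(1) if m else ""

def detect(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, reason) alerts for suspicious configuration changes."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_kv(line)
        if ev.get("type") != "event" or ev.get("subtype") != "system":
            continue
        path, action = ev.get("cfgpath", ""), ev.get("action", "")
        src = source_ip(ev.get("ui", ""))
        if path == "system.admin" and action == "Add":
            alerts.append((n, f"admin account '{ev.get('cfgobj')}' created from {src}"))
        if path.startswith("system.auto") and action in ("Add", "Edit"):
            alerts.append((n, f"automation object '{ev.get('cfgobj')}' {action.lower()}ed from {src}"))
        if action in ("Add", "Edit") and src and not src.startswith(TRUSTED_MGMT_PREFIXES):
            alerts.append((n, f"config change from untrusted address {src}"))
    return alerts

if __name__ == "__main__":
    for n, reason in detect(SAMPLE_LOGS):
        print(f"line {n}: {reason}")
```

The same rules translate directly into SIEM correlation searches once the real field names of your log source are substituted.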
ChatGPT SSRF Bug Under Active Attack by Threat Actors
A newly discovered server-side request forgery (SSRF) vulnerability (CVE-2024-27564) in ChatGPT has become a popular exploit path for attackers. The bug allows malicious actors to inject URLs into ChatGPT inputs, tricking the application into making unauthorized requests. Though rated as medium severity, it has already been weaponized in over 10,000 attack attempts, with financial services and government organizations most heavily targeted.
Risks Identified:
- Injection of malicious URLs into ChatGPT requests
- Access to internal services or sensitive resources via SSRF
- Misconfigured IPS, WAF, and firewalls increase exposure
Security Recommendations:
- Validate IPS and WAF rules to detect and block SSRF behavior
- Monitor traffic from known malicious IP addresses
- Web Application Security Assessments: Simulate attacks like SSRF and reveal weaknesses in your application defenses.
- Configuration Assessments: Help ensure your WAF, firewall, and intrusion prevention systems are properly tuned to defend against modern web-based threats.
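The SSRF risk above, illustrated with an added example that is not part of the original advisory: a destination check an application can apply before fetching a user-supplied URL, rejecting non-HTTP schemes, credentials in the authority, and any literal or resolved address that is loopback, private, link-local (including the cloud metadata address), IPv4-mapped IPv6, or unspecified. The `SAMPLE_DNS` table and hostnames are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed lookup table so the example runs offline; production code would
# pass dns_resolver (the default) instead.
SAMPLE_DNS = {"cdn.example.com": ["93.184.216.34"], "intranet.corp": ["10.0.0.5"]}

def table_resolver(host):
    return [ipaddress.ip_address(a) for a in SAMPLE_DNS.get(host, [])]

def dns_resolver(host):
    # Check every A/AAAA answer; one internal answer is enough to reject the host.
    infos = socket.getaddrinfo(host, None)
    return [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]

def is_public(ip) -> bool:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 hides a loopback address
    # Rejects RFC 1918, loopback, link-local (incl. 169.254.169.254 metadata),
    # multicast, reserved and 0.0.0.0 destinations.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def is_safe_fetch_url(url: str, resolver=dns_resolver) -> bool:
    """True only if url is http(s) and every address it points at is public."""
    try:
        parts = urlsplit(url)
    except ValueError:           # e.g. malformed IPv6 brackets
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False             # "http://trusted@evil" style confusion
    try:
        ips = [ipaddress.ip_address(parts.hostname)]   # literal IPv4 / IPv6
    except ValueError:
        # Hostnames, and odd literals such as "2130706433" that ip_address()
        # rejects, go to the resolver, which normalises them on most platforms.
        try:
            ips = resolver(parts.hostname)
        except OSError:          # socket.gaierror is an OSError subclass
            return False
    return bool(ips) and all(is_public(ip) for ip in ips)

if __name__ == "__main__":
    for u in ("https://cdn.example.com/a.png", "http://169.254.169.254/latest/",
              "http://[::ffff:127.0.0.1]/", "http://intranet.corp/admin"):
        print(f"{u:40} -> {'allowed' if is_safe_fetch_url(u, table_resolver) else 'blocked'}")
```

Resolution and connection should use the same answers (or the fetch should be pinned to the checked address), otherwise a DNS record that changes between check and fetch can still reach an internal host.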
Paragon Spyware Leveraged WhatsApp Zero-Day
Citizen Lab and Meta have confirmed that the Graphite spyware from surveillance firm Paragon exploited a WhatsApp zero-day to carry out zero-click attacks against mobile users in over two dozen countries. Despite Paragon’s claims of ethical use, the spyware has targeted journalists, activists, and government critics, suggesting potential misuse of its capabilities.
Risks Identified:
- Exploits required no user interaction (zero-click)
- Attacks affected both Android and iOS users
Security Recommendations:
- Encourage regular updates for all messaging and mobile apps
- Limit sensitive communications over third-party messaging platforms
- Social Engineering Testing: Phishing campaigns that emulate realistic adversary tactics, helping you train staff to avoid common pitfalls.
Wrap
This week’s advisory highlights the continued pressure placed on backup platforms, firewalls, AI systems, and messaging apps. As attackers evolve their strategies, from exploiting overlooked bugs to chaining zero-days into spyware campaigns, organizations must strengthen their defenses with timely patching, rigorous access control, and continuous monitoring. Stay ahead of the threats by combining proactive assessments, intelligent detection, and user-focused training.