Blog – Page 2 – PwnDefend

Fortiweb – CVE-2025-58034

‘CVE-2025-58034 is an OS command injection vulnerability (CWE-78) in Fortinet FortiWeb, allowing an authenticated attacker to execute unauthorized code on the system through crafted HTTP requests or CLI commands. It affects versions including FortiWeb 8.0.0-8.0.1, 7.6.0-7.6.5, 7.4.0-7.4.10, 7.2.0-7.2.11, and 7.0.0-7.0.11. The vulnerability has a CVSSv3 score of 6.7 (medium severity) and has been observed exploited in the wild, prompting its addition to CISA’s Known Exploited Vulnerabilities catalog.’

Threat Intel

Fortiweb – CVE-2025-64446

Another day another exploit in the wild it seems! (ok I’m a bit slow to this one). Using Defused Cyber’s Honeypots we have another packet to analyse:

Defense

A brief history of AI being used for Defensive…

There’s lots of talk from some people about how AI is going to destroy the world and needs to be regulated, like some kind of SkyNet has been created… Well I thought, aside from this being largely not reality, I would look into a history of ‘AI’ being used in cyber defence.

Vulnerabilities

Fortiweb Vulnerabilities 2025

Given the recent discovery of a critical vulnerability (CVE-2025-64446) in the Fortiweb appliances (exploitable via the management interfaces) I thought I would have a look at what other vulnerabilities have been discovered/published and what Proof of Concept (PoC) exploits exist in 2025.

Threat Intel

Rhadamanthys – Over 44 Million Credentials Stolen

Off the back of Operation Endgame (great work everyone involved!) we have some more data to show what many of us in the cyber industry know but isn’t so easy to show people. So I figured this might help explain part of how and why infostealers are a problem but also I look at how we might be able to use this takedown to help feed into a risk modelling process.

Threat Intel

Analysing 1 Million Honeypot events with Defused Cyber Deception

A common perimeter firewall in organisations is the CISCO ASA. Back when I started in the industry we used to have CISCO PIX firewalls, the ASA was the next generation of these! Why is this important? Well its important to understand how common threat actors work, you will see from a while ago I wrote a review of the manual 2.0 by Bassterlord (a known cybercriminal), this is to help understand how attackers work, what real world cybercrime looks like so that we can enable people to help defend against these threats.

Defense

Suspected Fortinet Zero Day Exploited in the Wild

This weeks been an interesting one, I’ve been doing quite a bit of research recently with my friend Simo from Defused defusedcyber.com. Simo has built a new emulated honeypot platform, and anyone that know’s me knows I love honeypots, deception and intel sharing to help defenders and to impose cost on the baddies! (technical terms here ok!)

Guides

Suspected Zero Day – What to do if you…

What do you do if someone says, there might be a zero day being used against your make/model of internet facing device (such as a VPN server)?

There’s always a challenge subject to the level of intelligence available about the specific scenario, the device and the way they function and the telemetry/capabilities you have.

Education

Detecting ‘Dark Tunnels’ with Microsoft Defender using KQL

Detecting ‘Dark Tunnels’ is an important element to corporate security, much like detecting unauthorised RMM usage. But what is a dark tunnel?

according to GROK:

A dark tunnel (sometimes called a “dark pool tunnel” or simply a secure reverse tunnel in networking contexts) refers to a type of secure, outbound-only tunneling technology that allows private access to internal services, devices, or networks without exposing them to the public internet. The “dark” aspect emphasizes that the tunnel is hidden or invisible from external scanners—there’s no inbound port forwarding, firewall holes, or public IP exposure required. Instead, it relies on encrypted outbound connections from the internal resource to a cloud-based relay or peer-to-peer mesh, enabling zero-trust access (e.g., via authentication tokens or keys).
This approach is popular in DevOps, IoT, remote work, and cybersecurity for bridging on-premises or edge devices to the cloud securely, often bypassing NAT traversal issues or legacy VPN complexities.

Education

Windows Defender at my tunnel

I was doing some testing with Cloudflare tunnels this weekend and I woke up this morning to see if funny honeypot messages I had, I quickly checked if the site was online and found a cloudflare error message. This is a just an IIS instance running on a windows 11 PC (with no WIFI or Bluetooth) plugged into a test network (so if it gets pwn3d, it’s not going to impact anything important).