Threat Actor Exploits FortiWeb Appliances to Deploy Sliver C2

What happened

Threat actors exploited unpatched FortiWeb web application firewall appliances to deploy the Sliver command-and-control framework. The attackers leveraged exposed management interfaces to gain initial access, establish persistence, and execute malicious commands. Compromised appliances were then used as footholds for further network access.

Who is affected

Organizations running exposed or unpatched FortiWeb appliances are vulnerable to compromise.

Why CISOs should care

Security appliances provide privileged access and are attractive targets for attackers seeking stealthy persistence.

3 practical actions

1. Patch immediately: Apply all Fortinet security updates without delay.

2. Restrict management access: Limit administrative interfaces to trusted networks only.

3. Monitor appliance logs: Watch for unexpected configuration changes or outbound connections.
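
One way to act on actions 2 and 3 is to review flow records from a firewall upstream of the appliance. The script below is an added example, not from the original article or from Fortinet; the CSV layout, addresses, management ports and allowlists are constructed assumptions to replace with your own.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# All values below are constructed for illustration, not taken from the article.
APPLIANCE = ip_address("10.0.5.10")                 # assumed appliance address
MGMT_PORTS = {22, 8443}                             # assumed admin SSH/HTTPS ports
TRUSTED_ADMIN_NETS = [ip_network("10.0.100.0/24")]  # assumed admin jump-host subnet
ALLOWED_EGRESS = [ip_network("10.0.0.0/8"),         # assumed internal back ends
                  ip_network("192.0.2.53/32")]      # assumed update/DNS host

# Constructed sample flow records: timestamp, src, dst, dst_port
SAMPLE_FLOWS = """\
2025-01-01T10:00:00Z,10.0.100.7,10.0.5.10,8443
2025-01-01T10:05:00Z,203.0.113.44,10.0.5.10,8443
2025-01-01T10:06:00Z,203.0.113.44,10.0.5.10,443
2025-01-01T10:07:10Z,10.0.5.10,10.0.20.15,8080
2025-01-01T10:09:30Z,10.0.5.10,198.51.100.23,443
2025-01-01T10:10:00Z,10.0.5.10,192.0.2.53,53
"""

def _in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)

def review_flows(text):
    """Return (timestamp, reason, peer) findings for the appliance."""
    findings = []
    for ts, src, dst, port in csv.reader(io.StringIO(text)):
        src, dst, port = ip_address(src), ip_address(dst), int(port)
        # Action 2: admin interface reached from outside the trusted networks.
        if dst == APPLIANCE and port in MGMT_PORTS and not _in_any(src, TRUSTED_ADMIN_NETS):
            findings.append((ts, "untrusted-admin-access", str(src)))
        # Action 3: appliance opening a connection to a non-allowlisted host.
        elif src == APPLIANCE and not _in_any(dst, ALLOWED_EGRESS):
            findings.append((ts, "unexpected-egress", str(dst)))
    return findings

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(*finding)
```

Ordinary client traffic to the protected site (port 443 in the sample) is not flagged; only the assumed management ports and appliance-initiated connections are reviewed.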