In this blog CERT.at's employees can post research and thoughts. This is done with the least possible oversight, so opinions in blog posts are not necessarily the opinions of CERT.at.
Threat actors use FortiCloud SSO bypass to collect LDAP connection passwords
CERT.at gained access to a toolkit of an unknown threat actor targeting FortiCloud SSO bypass in Fortinet appliances (CVE-2025-59718/CVE-2025-59719). We are releasing under TLP:CLEAR key findings about likely post-exploitation goals of the attacker.
Look at FortiCloud SSO Bypass Exploitation (CVE-2025-59718/59719)
In December last year, Fortinet disclosed a vulnerability in SAML processing which allowed a full bypass of authentication to management interfaces with FortiCloud SSO enabled. According to new, still not officially confirmed reports, the vulnerability may not have been fully patched. As affected devices are represented in my small high-interaction honeypot network, we have an opportunity to take a look at what the attackers do.
A patch for the NIS2 Directive
Who says that only software needs regular updates? Laws are similar, the process is just much more complicated.
Don't say "Jehova" to an LLM
What can Monty Python's "Life of Brian" tell us about LLM security?
How typosquatting tricked me (a bit)
Typosquatting is a popular method that uses similar-looking names to draw people into malicious content – such as phishing websites or fake software packages. It leverages our “brain optimization” that matches what we see with what we already know – even if it’s not exactly the same. I haven’t installed any shady software, but it’s still a good example of how easily our brain can be used against us by exploiting our biases.
A review of the “Concluding report of the High-Level Group on access to data for effective law enforcement”
As I’ve written here, the EU unveiled a roadmap for addressing the encryption woes of law enforcement agencies in June 2025. As a preparation for this push, a “High-Level Group on access to data for effective law enforcement” has summarized the problems for law enforcement and developed a list of recommendations. Let’s have a look at this report.
Encryption vs. Lawful Interception: EU policy news
There are some new developments in the EU policy sphere. Here are the main points.
CRA Vulnerability Reports: why would we not share them with other CSIRTs?
We will get reports under the Cyber Resilience Act concerning actively exploited vulnerabilities of products with digital elements. When should a national CSIRT delay the dissemination of such reports to other CSIRTs in the CSIRTs Network?
Multiple FortiGate devices compromised with a persistent read-only access
On Friday, April 10th, Fortinet released information about a worldwide compromise of FortiGate devices, giving the attacker persistent read-only access. Threat actors seemingly used three known vulnerabilities in the SSL VPN feature to gain initial access to the devices and a symbolic link in the file system to survive patching of FortiOS.
A Revision of the EU Cybersecurity Blueprint
The EU is revising the 2017 Cybersecurity blueprint. Here is my take on the proposal.