Perimeter Bypass, Sandbox Escapes, and Social Engineering at Scale

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Perimeter Controls Are Still the Fastest Way In

  • Fortinet FortiGate (CVE-2020-12812) — A five-year-old SSL VPN authentication bypass remains widely exposed. Where LDAP authentication is combined with case-sensitive usernames, an attacker who already holds valid credentials can change the casing of the username to skip FortiToken 2FA. Thousands of internet-facing devices are still unpatched, making this a repeatable entry point for ransomware and state-aligned intrusions.
  • VMware ESXi chained CVEs (CVE-2025-22224/22226/22225) — In the reported intrusion, attackers entered via a compromised SonicWall VPN appliance, then chained the three flaws to escalate from a guest VM into the ESXi host. VSOCK-based backdoors are especially dangerous because guest-to-host VSOCK traffic never touches the network, so traditional network monitoring does not see it.
  • Trend Micro Apex Central (CVE-2025-69258) — Unauthenticated RCE via unsafe DLL loading (LoadLibrary-style behavior) in the MsgReceiver service (TCP 20001). Because the service runs as SYSTEM, a compromise can cascade into broad tampering with endpoint security controls and lateral movement.

2. “Automation Platforms” Are Becoming RCE Platforms

n8n (CVE-2025-68668 / “N8scape”) — Authenticated users with workflow-modification rights can escape the Pyodide-based Python sandbox and run OS-level commands with the privileges of the n8n process. In environments with many creators/editors, this becomes an insider-abuse risk and a post-compromise accelerant.

3. Backup Infrastructure Keeps Getting Weaponized

Veeam Backup & Replication (CVE-2025-59470) — RCE risk tied to privileged operator roles (Backup/Tape Operator). Although these roles are privileged by design, they are a common target after initial compromise, specifically so that backups can be deleted, corrupted, or encrypted before ransomware detonation.

4. Phishing Evolution: “User-Executed” Attacks That Bypass Controls

  • ClickFix → Booking.com lure → DCRAT — A high-fidelity clone of the site plus a fake Windows BSOD coerces victims into pasting and executing malicious PowerShell placed on the clipboard; the chain then compiles its payload with a trusted binary (MSBuild) for stealth and persistence. Because the victim runs the code themselves, no exploit is needed, and exploit-focused defenses never fire.
  • Microsoft warns on routing-misconfiguration abuse — Complex MX/connector routing and weak SPF/DMARC enforcement allow spoofed mail that looks internal (often the “From” address equals the “To” address). Large-scale campaigns increasingly pair this with phishing-as-a-service kits (notably Tycoon-style infrastructure) for credential theft and BEC.

5. Regional Espionage Tooling Is Getting Quieter and More Modular

MuddyWater → RustyWater RAT — Spear-phishing Word documents deliver macro-based droppers that reconstruct the payload on disk (under ProgramData) and establish persistence via registry Run keys, with anti-analysis checks, AV/EDR discovery, and asynchronous C2 patterns. The tooling is shifting from noisy scripts to stealthier compiled implants.

Proactive Steps for the Week

  • Patch/upgrade internet-facing appliances and management servers first (FortiGate SSL VPN, ESXi, Apex Central).
  • Reduce exposure: restrict VPN/management interfaces to trusted IP ranges; segment admin networks; close unnecessary ports (e.g., Apex Central TCP 20001).
  • Lock down automation platforms: upgrade n8n to 2.x, restrict workflow edit rights, and disable code execution features if not required.
  • Treat backups as tier-0 assets: patch Veeam, tighten operator roles, isolate backup servers, alert on unusual config changes.
  • Harden mail flow: enforce DMARC (reject), SPF hard fail, validate connectors, and simplify routing to reduce spoof gaps.
  • Train for “fake error” execution traps: users should treat BSOD-style instructions, “paste this into Run,” and urgent refund/cancellation prompts as high-risk.
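As an added example (not SISA's code, nor any vendor's) of the mail-flow points in items 4 and in the hardening list above: a small triage routine that flags inbound mail whose From and To share an internal domain but which failed SPF or DMARC, plus a check that a DMARC record is actually set to reject. The tenant domain, sample messages and DNS records are constructed for illustration.

```python
"""Flag inbound mail that looks internal (From domain equals To domain) but
failed SPF or DMARC, the routing-misconfiguration spoofing pattern above.
All sample messages and DNS records below are constructed, not captured."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}  # assumed tenant domain(s)

# Constructed samples: a spoofed "internal" mail and a legitimate one.
SAMPLES = {
    "spoof": """From: finance@example.com
To: finance@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com;
 dmarc=fail (p=none) header.from=example.com
""",
    "legit": """From: alice@example.com
To: bob@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dmarc=pass (p=reject) header.from=example.com
""",
}

def auth_results(msg):
    """Parse spf=/dmarc= verdicts from a (possibly folded) Authentication-Results header."""
    hdr = msg.get("Authentication-Results", "")
    return {m.lower(): v.lower() for m, v in re.findall(r"\b(spf|dmarc)=(\w+)", hdr, re.I)}

def domain_of(header_value):
    """Lower-cased domain part of an address header such as From: or To:."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def classify(raw):
    """'internal-spoof' = internal-looking sender that failed auth; else 'auth-fail' or 'ok'."""
    msg = message_from_string(raw)
    from_dom, to_dom = domain_of(msg["From"]), domain_of(msg["To"])
    ar = auth_results(msg)
    failed = ar.get("spf") == "fail" or ar.get("dmarc") == "fail"
    if failed and from_dom in INTERNAL_DOMAINS and from_dom == to_dom:
        return "internal-spoof"
    return "auth-fail" if failed else "ok"

def dmarc_enforcing(txt_record):
    """True only when the DMARC TXT record's policy is reject (none/quarantine leave spoof gaps)."""
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    return tags.get("v") == "DMARC1" and tags.get("p") == "reject"
```

Run `classify` over each entry in SAMPLES and `dmarc_enforcing` over your published record; a "p=none" record such as the constructed `v=DMARC1; p=none; rua=mailto:dmarc@example.com` returns False until the policy is moved to reject.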

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
