Storm-0249 Expands Tradecraft Through EDR Abuse and Stealthy Post-Exploitation Methods
Storm-0249, a long-standing initial access broker supporting multiple ransomware-as-a-service ecosystems, has shifted from broad phishing operations to precision post-exploitation techniques that weaponize trusted security software. Recent intrusions analyzed by ReliaQuest show the actor abusing Windows LOLBins, spoofed Microsoft domains, and fileless PowerShell execution initiated through ClickFix social engineering to establish privileged access with minimal forensic traces. After delivering a malicious MSI that installs a trojanized DLL, the group leverages DLL sideloading against SentinelOne's signed SentinelAgentWorker[.]exe process to execute attacker code under the guise of legitimate EDR activity. This allows Storm-0249 to achieve persistence, conceal reconnaissance activity, and route encrypted command-and-control traffic from within a trusted process, bypassing traditional monitoring. The same techniques can be adapted to other EDR products, making this a broader supply-chain and defensive-evasion concern. Storm-0249 further exploits the implicit trust placed in EDR telemetry by using the compromised SentinelOne component to run registry queries, capture system identifiers such as MachineGuid, and profile victim hosts for downstream ransomware affiliates. By blending malicious execution with normal EDR noise, the group conceals reconnaissance and pre-encryption staging that typically signals imminent ransomware deployment. Their adoption of domain rotation, newly registered infrastructure, and TLS-encrypted C2 traffic limits detection opportunities for perimeter defenses and reputation-based controls. Persistent footholds created via SYSTEM-level MSI installers complicate remediation and enable Storm-0249 to deliver high-value access to affiliates with minimal delay. 
Organizations should enforce behavioral monitoring to detect DLL sideloading in trusted processes, restrict the misuse of curl and PowerShell, and implement DNS controls to block outbound connections to newly registered or suspicious domains.
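One way to implement the behavioral monitoring recommended above, as an added example that is not code from ReliaQuest, SentinelOne, or the original write-up: it scores Sysmon-style ImageLoad (Event ID 7) records for a trusted EDR process loading a DLL that is unsigned, signed by an unexpected publisher, or loaded from outside the EDR's own install tree. The SentinelOne install path, the signer substring, and all sample records are assumptions constructed for the demo.

```python
# Added example (not ReliaQuest's or SentinelOne's code): flag DLL sideloading into a
# trusted EDR process from Sysmon-style ImageLoad (Event ID 7) fields. Samples are constructed.
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed: trusted EDR worker process -> directory its own modules live in.
TRUSTED_EDR = {"sentinelagentworker.exe": r"C:\Program Files\SentinelOne"}
EXPECTED_SIGNER = "sentinel"  # assumed substring of the vendor's signer subject
# Locations a SYSTEM-level MSI or a user can write to; an EDR should never load from here.
WRITABLE_DIRS = (r"C:\ProgramData", r"C:\Users", r"C:\Windows\Temp")

@dataclass
class ImageLoad:           # subset of Sysmon Event ID 7 fields
    image: str             # loading process
    image_loaded: str      # DLL path
    signed: bool
    signature_status: str  # "Valid", "Unsigned", "Invalid", ...
    signature: str = ""    # signer subject

def _under(path: str, root: str) -> bool:
    return PureWindowsPath(root.lower()) in PureWindowsPath(path.lower()).parents

def analyze(ev: ImageLoad) -> list[str]:
    """Return reasons this load looks like sideloading; [] means nothing to report."""
    expected_dir = TRUSTED_EDR.get(PureWindowsPath(ev.image).name.lower())
    if expected_dir is None:
        return []  # only trusted EDR hosts are in scope for this rule
    dll, signer = ev.image_loaded, ev.signature.lower()
    valid = ev.signed and ev.signature_status.lower() == "valid"
    if valid and "microsoft" in signer and _under(dll, r"C:\Windows"):
        return []  # ordinary OS dependency
    if valid and EXPECTED_SIGNER in signer and _under(dll, expected_dir):
        return []  # vendor module from the vendor's own tree
    reasons = []
    if not valid:
        reasons.append("DLL unsigned or signature invalid")
    elif EXPECTED_SIGNER not in signer and "microsoft" not in signer:
        reasons.append(f"DLL signed by unexpected publisher: {ev.signature}")
    if not _under(dll, expected_dir):
        reasons.append("DLL loaded from outside the EDR install directory")
    if any(_under(dll, d) for d in WRITABLE_DIRS):
        reasons.append("DLL sits in an installer/user-writable location")
    return reasons

# Constructed telemetry: two normal loads, one sideload, one out-of-scope process.
EDR = r"C:\Program Files\SentinelOne\SentinelAgentWorker.exe"
SAMPLE = [
    ImageLoad(EDR, r"C:\Windows\System32\kernel32.dll", True, "Valid", "Microsoft Windows"),
    ImageLoad(EDR, r"C:\Program Files\SentinelOne\helper.dll", True, "Valid", "Sentinel (assumed)"),
    ImageLoad(EDR, r"C:\ProgramData\Updater\version.dll", False, "Unsigned"),
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\ProgramData\Updater\version.dll", False, "Unsigned"),
]
```

Running `analyze` over each record in `SAMPLE` reports only the third one; in production the same logic should be paired with a check that the loading process's parent was not msiexec.exe and with alerts on network connections from the EDR process to newly registered domains.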
Ivanti EPM: Critical Client-Side RCE Exposure and High-Severity File Manipulation Flaws Pose Elevated Risk
Ivanti has disclosed a critical vulnerability, CVE-2025-10573, affecting Endpoint Manager (EPM) versions prior to 2024 SU4 SR1, allowing unauthenticated attackers to inject stored JavaScript that executes within an administrator's browser session. The flaw has not been actively exploited in the wild. The vulnerability enables adversaries to "poison" the EPM dashboard by registering fake managed endpoints, leading to client-side session hijacking and full administrative compromise once a legitimate admin views the tampered interface. Although Ivanti stresses that EPM is not intended to be internet-facing, Shadowserver currently identifies hundreds of exposed instances, dramatically increasing the likelihood of real-world exploitation. Historically, Ivanti EPM vulnerabilities have been rapidly adopted by threat actors, with multiple CVEs in 2024 added to CISA's Known Exploited Vulnerabilities (KEV) catalog. Ivanti has released EPM 2024 SU4 SR1 to remediate the issue, and organizations are strongly advised to patch immediately and ensure no EPM console is exposed externally. Ivanti also addressed three additional high-severity vulnerabilities—CVE-2025-13659, CVE-2025-13661, and CVE-2025-13662—spanning improper code resource control, path traversal, and cryptographic signature bypass in the patching subsystem. Collectively, these flaws enable unauthenticated or low-privilege attackers to write arbitrary files, escape intended directories, or execute unverified code, creating viable paths to remote code execution under specific interaction scenarios. While exploitation requires user actions—such as connecting to untrusted core servers or importing malicious configuration files—these conditions are often met in real enterprise workflows, making them attractive for social-engineering-based attacks. Given Ivanti's repeated inclusion in ransomware, espionage, and access-broker workflows, defenders should assume these weaknesses will be operationalized quickly. 
Immediate upgrade to 2024 SU4 SR1, removal of any internet exposure, and strict validation of trusted servers and configuration files are essential mitigation steps.
Fortinet SSO Signature-Bypass Flaws Enable Full Administrative Compromise
Fortinet has released patches for two critical authentication-bypass vulnerabilities—CVE-2025-59718 and CVE-2025-59719—impacting FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager deployments that use FortiCloud SSO. The flaws stem from improper verification of cryptographic signatures in SAML messages, allowing unauthenticated attackers to forge SSO assertions and gain administrative access. Although FortiCloud SSO is disabled by default, it is automatically enabled when devices are registered to FortiCare unless administrators intentionally opt out. This configuration detail significantly broadens the attack surface, given how frequently FortiCare registration occurs during deployment workflows. The vulnerabilities are especially concerning in light of Fortinet's history of being targeted in advanced intrusion campaigns, such as the Volt Typhoon campaign that used FortiOS VPN zero-days for persistent access, although active exploitation has not been confirmed. Organizations must assume these issues will be rapidly incorporated into ransomware, espionage, and access-broker tooling. Beyond the SSO bypasses, Fortinet also addressed secondary vulnerabilities in the same release that reduce the friction for attackers who have already obtained limited user access, enabling rapid credential compromise without full account control. Fortinet's advisory highlights the systemic risks posed by internet-exposed appliances, noting that hundreds of FortiOS and FortiWeb instances are already visible through scanning platforms such as Shadowserver. Given the frequency with which Fortinet vulnerabilities are exploited as zero-days, defenders should treat these disclosures as high-priority even in the absence of confirmed exploitation. Upgrading to the fixed releases, and disabling FortiCloud SSO until the patch is applied, remain the primary mitigation steps, supplemented by removing all Fortinet management interfaces from public exposure.
December 2025: Patch Tuesday Update
Patch Tuesday – Microsoft has released its latest Patch Tuesday updates addressing multiple security vulnerabilities across Windows, Microsoft Office, and other supported products. These updates include fixes for both critical and important severity issues that could allow remote code execution, privilege escalation, or information disclosure if left unpatched.