Cisco, Fortinet Face Active Exploitation of Critical CVEs

Two major network security vendors are grappling with actively exploited vulnerabilities as threat actors rapidly weaponize newly disclosed flaws in enterprise infrastructure.

Cisco Appliances Targeted by Chinese APT

Cisco has released patches for a vulnerability that Chinese threat actor UAT-9686 exploited to deploy the AquaShell backdoor on vulnerable appliances. The attack specifically targeted Cisco devices with certain ports exposed to the internet, highlighting the persistent threat posed by state-sponsored groups against critical network infrastructure.

The AquaShell backdoor deployment represents a sophisticated supply chain attack vector, allowing persistent access to compromised network environments. Organizations running affected Cisco appliances should immediately assess their exposure and apply available patches to prevent further compromise.

FortiSIEM Under Active Attack

Meanwhile, Fortinet faces a more immediate crisis with CVE-2025-64155, a critical command injection vulnerability in FortiSIEM that came under widespread exploitation shortly after disclosure. The flaw enables remote code execution through malicious command injection, providing attackers with significant control over affected security information and event management (SIEM) systems.

Security researchers report attack attempts originating from multiple IP addresses, indicating both opportunistic scanning and coordinated exploitation efforts. The rapid weaponization timeline—occurring within days of disclosure—demonstrates the critical importance of emergency patching for internet-facing security appliances.

Threat Analysis and Attack Vectors

Both vulnerabilities share common characteristics that make them attractive targets for threat actors:

Internet-facing exposure: Vulnerable systems are directly accessible from the internet
Critical infrastructure impact: Compromised devices provide network-level access
Privileged execution context: Successful exploitation grants administrative-level access

The command injection nature of CVE-2025-64155 is particularly concerning, as it allows attackers to execute arbitrary system commands through crafted input validation bypasses. This attack vector can lead to complete system compromise, data exfiltration, and lateral movement within enterprise networks.

Defense Strategies and Mitigation

Organizations should implement the following security measures immediately:

Immediate Actions:

Apply vendor patches for both Cisco and FortiSIEM vulnerabilities
Conduct comprehensive asset inventory to identify affected systems
Implement network segmentation to limit blast radius
Monitor for indicators of compromise associated with AquaShell backdoor

Long-term Security Posture:

Establish vulnerability management programs with defined SLAs for critical patches
Deploy network-based intrusion detection systems (IDS) to identify exploitation attempts
Implement zero-trust architecture principles for network access control
Conduct regular penetration testing of internet-facing infrastructure

Risk Assessment and Business Impact

The exploitation of security appliances presents elevated risk due to their privileged network position and access to sensitive security telemetry. Compromised SIEM systems can provide attackers with comprehensive visibility into organizational security posture while simultaneously blinding defenders to ongoing threats.

For the Cisco vulnerability, the involvement of Chinese APT groups suggests potential espionage motivations, requiring enhanced monitoring for data exfiltration and intellectual property theft. Organizations in critical infrastructure sectors should prioritize these patches given the geopolitical implications.

Conclusion

The rapid exploitation of these vulnerabilities underscores the evolving threat landscape where attackers increasingly target security infrastructure itself. Organizations must maintain aggressive patch management practices and assume breach posture when dealing with internet-facing security appliances. The convergence of state-sponsored and opportunistic threats against the same vulnerability classes demands heightened vigilance and coordinated defense strategies.