SENTINEL INTELLIGENCE PROTOCOL  ·  TLP:WHITE  ·  AUTHORIZED DISTRIBUTION ONLY

VULNERABILITIES · FEDERAL · NETWORK SECURITY · CRITICAL

CISA Issues Emergency Directive Following Confirmed FortiGate Zero-Day Exploitation

Emergency Directive 25-04 mandates federal agencies apply critical patches to Fortinet FortiGate SSL-VPN appliances within 48 hours after confirmation of active exploitation by a nation-state adversary.

BY Devon Marchetti
2025-06-11
4 MIN READ
VERIFIED INTELLIGENCE

Directive Issued

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-04 at 16:47 UTC on June 11, 2025, requiring all Federal Civilian Executive Branch (FCEB) agencies to immediately apply mitigations for CVE-2025-7731, a critical authentication bypass vulnerability affecting Fortinet FortiGate SSL-VPN appliances.

The directive marks the third Emergency Directive issued by CISA in 2025 and the second targeting network perimeter infrastructure in as many months.

Scope of the Directive

ED 25-04 applies to all Fortinet FortiGate appliances running FortiOS versions 7.0.0 through 7.0.15, 7.2.0 through 7.2.8, and 7.4.0 through 7.4.3. Agencies are required to:

  1. Apply FortiOS patches 7.0.16, 7.2.9, or 7.4.4 within 48 hours
  2. Where patching is not feasible, disable SSL-VPN interfaces and implement compensating controls
  3. Conduct forensic review of FortiGate logs for the period March 1–June 11, 2025
  4. Report status and findings to CISA via the agency reporting portal by June 15, 2025
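The four steps above are an inventory-triage problem in practice: each appliance has to be mapped to a release train, compared against the affected and fixed versions, and assigned the directive's action (patch, or disable SSL-VPN where patching is not feasible, plus the log review and the reporting deadline). The script below is an added example, not CISA's or Fortinet's tooling; the version ranges, fixed releases, review window and deadline are taken from the directive text as reported here, while the inventory rows, hostnames and the `ssl_vpn_enabled` / `can_patch` fields are constructed assumptions about what an agency's asset list would carry.

```python
"""Triage a FortiGate inventory against the FortiOS ranges named in ED 25-04.

Added example, not CISA's or Fortinet's tooling. The affected ranges, fixed
releases, log-review window and reporting deadline come from the directive
text; the inventory rows at the bottom are constructed for illustration.
"""
from typing import NamedTuple

# Per release train: (first affected, last affected, first fixed), from ED 25-04.
AFFECTED_TRAINS = {
    (7, 0): ((7, 0, 0), (7, 0, 15), (7, 0, 16)),
    (7, 2): ((7, 2, 0), (7, 2, 8), (7, 2, 9)),
    (7, 4): ((7, 4, 0), (7, 4, 3), (7, 4, 4)),
}
LOG_REVIEW_WINDOW = "2025-03-01 to 2025-06-11"
REPORT_DEADLINE = "2025-06-15"


def parse_version(text: str) -> tuple:
    """Turn 'v7.2.8' or '7.0.15 build1234' into (major, minor, patch) integers.
    Plain string comparison would rank '7.0.15' below '7.0.2', so compare ints."""
    core = text.strip().lstrip("v").split()[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(p) for p in parts)


def fmt(version: tuple) -> str:
    return ".".join(str(n) for n in version)


class Verdict(NamedTuple):
    hostname: str
    version: str
    status: str   # "affected", "fixed" or "not-listed"
    action: str


def triage(hostname: str, version: str, ssl_vpn_enabled: bool, can_patch: bool) -> Verdict:
    """Map one appliance to the action ED 25-04 requires of it."""
    v = parse_version(version)
    train = AFFECTED_TRAINS.get(v[:2])
    if train is None:
        return Verdict(hostname, version, "not-listed",
                       "train not named in ED 25-04; confirm against the vendor advisory")
    low, high, fixed = train
    if low <= v <= high:
        if can_patch:
            step1 = f"upgrade to FortiOS {fmt(fixed)} within 48 hours"
        elif ssl_vpn_enabled:
            step1 = "patch not feasible: disable the SSL-VPN interface and apply compensating controls"
        else:
            step1 = "patch not feasible: SSL-VPN already disabled; keep it off until upgraded"
        # Log review and reporting apply to every affected unit regardless of patch state.
        action = (f"{step1}; review FortiGate logs for {LOG_REVIEW_WINDOW}; "
                  f"report to CISA by {REPORT_DEADLINE}")
        return Verdict(hostname, version, "affected", action)
    if v >= fixed:
        return Verdict(hostname, version, "fixed", "no directive action")
    # Listed train but outside both stated sets: fail safe and ask for confirmation.
    return Verdict(hostname, version, "not-listed",
                   "version outside the directive's stated ranges; confirm with vendor")


def triage_inventory(rows):
    """Run triage over (hostname, version, ssl_vpn_enabled, can_patch) rows and
    return (verdicts, count_by_status) for the status report."""
    verdicts = [triage(*row) for row in rows]
    counts = {}
    for verdict in verdicts:
        counts[verdict.status] = counts.get(verdict.status, 0) + 1
    return verdicts, counts


# Constructed sample inventory (not real hosts or builds):
# hostname, FortiOS version string, SSL-VPN enabled?, can patch within 48 hours?
SAMPLE_INVENTORY = [
    ("fgt-hq-01", "7.0.15", True, True),
    ("fgt-hq-02", "v7.2.9", True, True),
    ("fgt-branch-07", "7.4.2 build1234", True, False),
    ("fgt-lab-01", "7.6.0", False, True),
]

if __name__ == "__main__":
    results, summary = triage_inventory(SAMPLE_INVENTORY)
    for r in results:
        print(f"{r.hostname:14} {r.version:18} {r.status:10} {r.action}")
    print("summary:", summary)
```

Two design points worth noting: versions are compared as integer tuples because a naive string sort puts 7.0.15 before 7.0.2 and would mark a vulnerable unit as patched, and a version that falls outside every range the directive names is reported as "not-listed" rather than silently treated as safe, since the page says nothing about trains it does not mention.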

Exploitation Confirmed

CISA confirmed exploitation of CVE-2025-7731 in federal government networks, though it has not disclosed which agencies were affected or the extent of any breaches. The agency noted that successful exploitation gives adversaries the ability to "establish persistent access and move laterally to connected systems."

Fortinet's own advisory, published simultaneously, confirmed that the vulnerability involves a stack-based buffer overflow in the SSL-VPN web management interface, exploitable by sending a specially crafted HTTP request without authentication.

Industry Response

As of publication time, Fortinet has released patches for all affected versions. The company estimates approximately 87,000 internet-facing FortiGate appliances remain unpatched globally, based on Shodan query analysis conducted by the Sentinel Intelligence Protocol research team.

Private sector organizations with Fortinet infrastructure are strongly urged to apply patches immediately, even absent a specific government mandate.