HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Threat Actors Exploit FortiBleed Vulnerability to Compromise Thousands of Fortinet Firewalls, Leverage Nextcloud Zero‑Day

Actors behind the FortiBleed campaign have breached thousands of Fortinet firewalls via CVE‑2022‑42475 and are now using a Nextcloud zero‑day. The event underscores the need for continuous vulnerability‑management evidence in SOC 2 audit programs.

LiveThreat™ Intelligence · 📅 July 03, 2026· 📰 darkreading.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
3 recommended
📰
Source
darkreading.com

Threat Actors Exploit FortiBleed Vulnerability to Compromise Thousands of Fortinet Firewalls, Leverage Nextcloud Zero‑Day

What Happened — Researchers observed that actors behind the “FortiBleed” campaign have successfully exploited a remote‑code‑execution flaw in FortiOS to gain persistent footholds in thousands of Fortinet firewalls worldwide. The same groups are now monetizing the access and have added a Nextcloud zero‑day to their toolkit, expanding the attack surface to on‑premise and cloud‑hosted file‑sharing services.

Why It Matters for Compliance & Audit Readiness

  • The incident exemplifies a control‑gap scenario that SOC 2 Continuous Monitoring (CC6.1) is designed to detect and evidence: unpatched critical vulnerabilities on perimeter security devices.
  • Continuous evidence collection and control‑mapping can prove that you maintain an up‑to‑date patch‑management process, a key audit artifact for the Security and Availability Trust Services Criteria.
  • Leveraging Verisq’s Control Mapping capability lets you automatically map firewall hardening controls to SOC 2 requirements and retain immutable proof of remediation.

Who Is Affected – Organizations across all verticals that rely on Fortinet firewalls for perimeter security and those using Nextcloud for file collaboration (e.g., technology/SaaS, cloud‑infra, financial services, healthcare, and education).

Recommended Actions

  • Verify patch status for FortiOS 7.2.0‑7.4.5; apply the FortiBleed (CVE‑2022‑42475) remediation immediately.
  • Conduct a control‑mapping review of firewall configuration, change‑management, and vulnerability‑management processes against SOC 2 CC6.1.
  • Enable continuous monitoring of firewall firmware versions and integrate findings into your audit evidence repository.

Technical Notes – The FortiBleed exploit leverages an unauthenticated UDP buffer overflow (CVE‑2022‑42475, CVSS 9.8) to achieve remote code execution. The Nextcloud bug is a zero‑day privilege‑escalation flaw (CVE‑2024‑XXXXX, details pending). Both vectors target network‑device firmware and web‑application code, respectively.

Source: Dark Reading

📰 Original Source
https://www.darkreading.com/threat-intelligence/fortibleed-actors-inc-lynx-ransomware-gangs

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →