Multiple Exploits Target FortiGate RaaS, Citrix, MCP, and LiveChat Phishing Campaigns
What Happened — The ThreatsDay bulletin revealed a surge of active threats: a Ransomware‑as‑a‑Service (RaaS) kit exploiting FortiGate firewalls, newly‑published Citrix vulnerabilities being weaponized, credential‑stealing abuse of Microsoft Cloud Platform (MCP) services, and a large‑scale LiveChat phishing campaign.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Third‑party network and application vendors are being weaponized, expanding the attack surface of any organization that relies on them.
- Unpatched or mis‑configured security appliances can lead to lateral movement and data exfiltration across supply‑chain boundaries.
- Phishing vectors that impersonate SaaS support channels increase credential compromise risk for downstream partners.
Who Is Affected — Enterprises using Fortinet FortiGate firewalls, Citrix virtualization/remote‑access solutions, Microsoft Cloud services, and LiveChat customer‑engagement platforms across finance, technology, and healthcare sectors.
Recommended Actions —
- Verify that all FortiGate devices are patched to the latest firmware and disable any exposed management interfaces.
- Apply Citrix security advisories immediately; monitor for exploitation attempts.
- Enforce MFA and review privileged access logs for MCP accounts.
- Deploy anti‑phishing controls and user training focused on LiveChat impersonation tactics.
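The first recommended action (confirm firmware level and remove management services from exposed interfaces) is straightforward to check mechanically against a FortiOS configuration export. The following is an added example, not code from the bulletin or from Fortinet; the configuration text is constructed to resemble a FortiOS `config system interface` section, and the minimum version is a placeholder to be replaced with the build named in the vendor advisory.

```python
"""Audit a FortiOS configuration export for administrative services reachable
on WAN-role interfaces and for firmware below a required build.
Added example; SAMPLE_CONFIG is constructed and MINIMUM_VERSION is a placeholder."""
import re
from dataclasses import dataclass, field

# Services that expose an administrative login surface when reachable from an
# untrusted network. "ping" and the Security Fabric services are not counted.
ADMIN_SERVICES = {"http", "https", "ssh", "telnet", "snmp"}

# Placeholder: set this to the fixed build named in the applicable advisory.
MINIMUM_VERSION = (7, 4, 4)

SAMPLE_CONFIG = """\
#config-version=FGT60F-7.2.5-FW-build1517-230412
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.248
        set allowaccess ping https ssh
        set role wan
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.99 255.255.255.0
        set allowaccess ping https ssh http fgfm
        set role lan
    next
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set role dmz
    next
end
"""


@dataclass
class Interface:
    name: str
    role: str = "undefined"
    allowaccess: set = field(default_factory=set)


def parse_interfaces(config_text):
    """Return Interface records from the 'config system interface' section."""
    interfaces, current, in_section = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system interface":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":
            break
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = Interface(name=m.group(1))
            interfaces.append(current)
        elif line.startswith("set role ") and current:
            current.role = line.split()[2]
        elif line.startswith("set allowaccess ") and current:
            current.allowaccess = set(line.split()[2:])
    return interfaces


def parse_version(config_text):
    """Extract (major, minor, patch) from the #config-version header line."""
    m = re.search(r"#config-version=\S+?-(\d+)\.(\d+)\.(\d+)-", config_text)
    return tuple(int(x) for x in m.groups()) if m else None


def audit(config_text, minimum_version=MINIMUM_VERSION):
    """Return a list of findings; an empty list means the export passed both checks."""
    findings = []
    version = parse_version(config_text)
    if version is None:
        findings.append("firmware version not found in config header")
    elif version < minimum_version:
        findings.append(f"firmware {'.'.join(map(str, version))} is below the required build")
    for iface in parse_interfaces(config_text):
        exposed = iface.allowaccess & ADMIN_SERVICES
        if iface.role == "wan" and exposed:
            findings.append(f"{iface.name}: admin services {sorted(exposed)} reachable from WAN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

The check keys on the interface `role` setting rather than on the address, so an interface that is internet-facing but left with the default role will not be flagged; an inventory of which ports actually face untrusted networks should back the role data when running this against real exports.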
Technical Notes —
- FortiGate RaaS leverages CVE‑2025‑XXXX (remote code execution) combined with default credentials.
- Citrix exploits target CVE‑2025‑YYYY (privilege escalation) and CVE‑2025‑ZZZZ (information disclosure).
- MCP abuse involves stolen OAuth tokens and API key leakage.
- LiveChat phishing uses cloned login portals to harvest credentials.
Source: The Hacker News
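The stolen-token note above and the earlier action item to review privileged access logs for MCP accounts suggest two concrete detection signals: a privileged session authenticated by an OAuth token or API key from an address the account has never used interactively, and a privileged interactive sign-in that completed without MFA. The following is an added example, not code from the bulletin or from any vendor; the sign-in records are constructed and the field names (`user`, `role`, `ip`, `method`, `mfa`) are assumptions rather than a real log schema.

```python
"""Flag suspicious privileged sign-ins in newline-delimited JSON records.
Added example; SAMPLE_LOG is constructed and the field names are assumed."""
import json
from collections import defaultdict

PRIVILEGED_ROLES = {"GlobalAdmin", "BillingAdmin", "SecurityAdmin"}
TOKEN_METHODS = {"oauth_token", "api_key"}

# Constructed sign-in events, one JSON object per line, oldest first.
SAMPLE_LOG = """\
{"ts":"2025-06-01T08:00:00Z","user":"alice","role":"GlobalAdmin","ip":"198.51.100.7","method":"password","mfa":true}
{"ts":"2025-06-01T08:05:00Z","user":"alice","role":"GlobalAdmin","ip":"198.51.100.7","method":"oauth_token","mfa":false}
{"ts":"2025-06-02T09:10:00Z","user":"bob","role":"Reader","ip":"203.0.113.5","method":"api_key","mfa":false}
{"ts":"2025-06-03T02:41:00Z","user":"alice","role":"GlobalAdmin","ip":"203.0.113.77","method":"oauth_token","mfa":false}
{"ts":"2025-06-03T10:00:00Z","user":"carol","role":"SecurityAdmin","ip":"198.51.100.9","method":"password","mfa":false}
"""


def parse_events(text):
    """Parse NDJSON, skipping malformed lines rather than aborting the review."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def review(events):
    """Return alerts as (timestamp, user, reason) tuples.

    The per-user IP baseline is built only from interactive sign-ins that
    completed MFA, so a token replayed from a new location is never learned
    as legitimate by the very event that should raise the alert.
    """
    baseline = defaultdict(set)
    alerts = []
    for ev in events:
        if ev.get("role") not in PRIVILEGED_ROLES:
            continue
        user, ip, method = ev["user"], ev["ip"], ev["method"]
        if method in TOKEN_METHODS:
            if ip not in baseline[user]:
                alerts.append((ev["ts"], user, f"token use ({method}) from unbaselined address {ip}"))
        elif not ev.get("mfa"):
            alerts.append((ev["ts"], user, "interactive privileged sign-in without MFA"))
        else:
            baseline[user].add(ip)
    return alerts


if __name__ == "__main__":
    for ts, user, reason in review(parse_events(SAMPLE_LOG)):
        print(f"{ts} {user}: {reason}")
```

Token sign-ins from an address already in the baseline are deliberately left quiet, since a service integration normally reuses the same egress addresses; the alert value comes from the combination of privileged role, non-interactive method and a location with no MFA-backed history.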