Critical Zero-Day Attacks: Ivanti and Fortinet Under Active Exploitation

Executive Summary

October 2025 has seen a surge in sophisticated attacks targeting critical enterprise infrastructure. Two zero-day vulnerabilities have emerged as immediate threats to Australian organisations:

• CVE-2025-10678 - Ivanti Connect Secure authentication bypass (CVSS 9.8)
• CVE-2025-10512 - Fortinet FortiManager authorization bypass (CVSS 9.6)

These vulnerabilities represent a fundamental failure in access control mechanisms that protect some of Australia's most critical infrastructure. With both under active exploitation by advanced persistent threat (APT) groups, the window for defensive action is rapidly closing.

CVE-2025-10678: Ivanti Connect Secure Authentication Bypass

Technical Analysis

The vulnerability exists in Ivanti Connect Secure's web authentication component. Attackers can craft specially formatted HTTP requests that bypass authentication checks entirely, gaining administrative access without credentials.

What makes this particularly dangerous is the complete absence of authentication requirements. Unlike traditional privilege escalation vulnerabilities that require initial access, CVE-2025-10678 allows direct administrative compromise from the internet.

Australian Impact Assessment

Preliminary scanning indicates approximately 340 Australian organisations running vulnerable Ivanti Connect Secure instances exposed to the internet. Critical sectors affected include:

• Healthcare providers using Ivanti for remote access to patient systems
• Financial services institutions with hybrid work VPN infrastructure
• Government agencies at state and federal levels
• Manufacturing and critical infrastructure operators

Observed Attack Patterns

Security researchers have identified coordinated exploitation campaigns beginning October 19, 2025. Attack characteristics include:

• Rapid scanning of IPv4 space targeting Ivanti default ports
• Immediate deployment of web shells for persistent access
• Credential harvesting from Active Directory integration
• Lateral movement to internal systems within hours of initial compromise

CVE-2025-10512: Fortinet FortiManager Authorization Bypass

Technical Analysis

FortiManager's API contains a critical flaw where certain administrative endpoints lack proper authentication checks. This allows remote attackers to execute privileged commands without providing credentials.

The severity is amplified by FortiManager's role as a centralised management platform. A single compromised FortiManager instance can provide attackers with access to dozens or hundreds of managed FortiGate firewalls.

Attack Chain

Successful exploitation follows a predictable pattern:

1. Initial Access: Attacker identifies exposed FortiManager instance
2. API Exploitation: Unauthenticated API calls executed to add administrative user
3. Configuration Extraction: Download complete configurations of all managed devices
4. Lateral Movement: Use extracted credentials to compromise managed FortiGate devices
5. Persistence: Modify firewall rules to maintain access

Australian Exposure

Fortinet FortiManager is extensively deployed across Australian enterprise environments. Affected organisations include:

• Managed service providers managing client security infrastructure
• Large enterprises with distributed branch offices
• Cloud service providers using Fortinet for tenant segmentation
• Education institutions managing campus network security

Threat Actor Attribution

While formal attribution is ongoing, the sophistication and coordination of these attacks suggest state-sponsored threat actors. Key indicators include:

• Zero-day weaponization within hours of patch availability
• Coordinated global scanning infrastructure
• Custom post-exploitation frameworks designed for these specific vulnerabilities
• Strategic targeting of critical infrastructure and government networks

Intelligence suggests possible involvement of APT groups previously linked to infrastructure reconnaissance and long-term strategic positioning operations.

Immediate Remediation Actions

Detection and Forensics

Indicators of Compromise

Organisations should search for the following indicators:

Strategic Implications for Australian Organisations

These vulnerabilities represent more than isolated technical flaws. They highlight systemic challenges in securing critical infrastructure:

The Authentication Crisis

Both vulnerabilities bypass authentication entirely. This is not privilege escalation or exploitation of authenticated users – this is complete authentication bypass. The fundamental security control that every system depends on has failed.

Supply Chain Risk

Organisations trust these vendors to protect their most sensitive access points. When security vendors themselves become the vulnerability, it undermines trust in the entire supply chain.

The Patch Management Challenge

With exploitation beginning before patches are widely available, traditional patch management timelines are insufficient. Organisations need:

• 24-hour patch deployment capabilities for critical infrastructure
• Compensating controls that activate immediately upon threat disclosure
• Network segmentation that limits blast radius of compromised systems
• Continuous monitoring that can detect zero-day exploitation

Long-Term Recommendations

Architecture Review

Organisations should fundamentally reassess their VPN and management infrastructure architecture:

• Implement zero-trust network access (ZTNA) as replacement for traditional VPNs
• Deploy multi-vendor strategies to avoid single points of failure
• Require multi-factor authentication for all administrative interfaces
• Implement network segmentation with microsegmentation for critical systems

Vendor Management

Security vendor relationships need stronger accountability:

• Demand contractual SLAs for security patch delivery
• Require third-party security audits of critical infrastructure products
• Establish vendor communication channels for security incidents
• Include security posture in vendor selection criteria

Detection and Response Maturity

Traditional prevention has failed. Focus must shift to rapid detection and response:

• Deploy SIEM solutions with real-time alerting for authentication anomalies
• Implement EDR on all critical infrastructure systems
• Establish 24/7 SOC capabilities for critical systems
• Conduct regular incident response tabletop exercises

Conclusion

The October 2025 zero-day campaign targeting Ivanti and Fortinet products represents a critical moment for Australian cybersecurity. These are not theoretical vulnerabilities – they are actively exploited attack vectors providing direct administrative access to critical infrastructure.

Organisations have a narrow window to act. Those who have not patched by the time this analysis is published are likely already compromised. The question is not if attackers have found your vulnerable systems, but whether you can detect and respond before they achieve their objectives.

Australian organisations must move beyond reactive patching to proactive security architecture. Zero-day vulnerabilities will continue to emerge. The organisations that survive and thrive will be those that assume breach, architect for resilience, and maintain the capability to detect and respond within hours, not days or weeks.