The US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on September 8, 2023, warning that multiple nation-state actors are exploiting security flaws in Fortinet FortiOS SSL-VPN and Zoho ManageEngine ServiceDesk Plus to gain unauthorized access and establish persistence on compromised systems.

The advisory was based on an incident response engagement conducted by CISA at an unnamed aeronautical sector organization from February to April 2023. There is evidence to suggest that the malicious activity commenced as early as January 18, 2023.

The vulnerabilities exploited by the threat actors are:

The advisory also revealed that the threat actors compromised and used disabled administrative account credentials from a previously hired contractor—of which the organization confirmed the user had been disabled prior to the observed activity.

Attack Chain

According to CISA, the following steps were taken by the threat actors after gaining initial access:

  1. The attackers obtained root-level access to the web server and downloaded additional malware.
  2. The attackers enumerated the network and collected administrative user credentials.
  3. The attackers moved laterally through the network using multiple Transport Layer Security (TLS)-encrypted sessions to multiple IP addresses.
  4. The attackers deployed web shells for backdoor access on several critical servers in the environment.
  5. The attackers disabled administrative account credentials and deleted logs from several critical servers in an attempt to erase the forensic trail of their activities.


The breach could have potentially exposed sensitive data such as flight plans, weather forecasts, air traffic control information, aviation safety data, and other aviation-related information. It could also have disrupted or compromised flight operations or safety.

CISA advised affected organizations to apply patches as soon as possible, disable or remove any untrusted software or devices, monitor network activity for any signs of compromise or intrusion attempts, and report any suspicious incidents or indicators of compromise.


¹: CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities
²: Update Regarding CVE-2022-40684 | Fortinet Blog
³: What Is Vulnerability Assessment? How is it Conducted? | Fortinet
⁴: Fortinet’s security appliances hit by remote code execution vulnerability
⁵: 336,000 servers remain unpatched against critical Fortigate vulnerability
⁶: Red Cross traces hack back to unpatched Zoho vulnerability
⁷: Update now! Proof of concept code to be released for Zoho ManageEngine …
⁸: Hackers exploiting vulnerability affecting Zoho ManageEngine products …
⁹: [Oh No, Zoho: Active Exploitation of CVE-2021-44077 Allowing … – Rapid7]