Security Threat Intel Report - 2025-03-20

Written By SHELLHOUNDS
Vulnerability Analysis & Defense Strategy

VULNERABILITY ANALYSIS & DEFENSE STRATEGY

INFORMATIONAL // TLP:GREEN
ShellHounds Logo
ShellHounds: Rapid Tactical Prototyping Lab
A Division of Klavan Security

EXECUTIVE SUMMARY

This analysis examines interconnected vulnerability chains affecting four major technology stacks: Fortinet security infrastructure, VMware virtualization environments, Microsoft Windows systems, and GitHub development pipelines. While these specific attack paths have not yet been observed in the wild, the individual components represent realistic exploitation scenarios aligned with current attacker methodologies. Our assessment provides a practical evaluation of potential exploitation and effective defensive countermeasures.

Current Risk Assessment: ACTIONABLE CONCERN

The identified attack chains are within reach of motivated and resourced threat actors, particularly those with access to modern exploitation frameworks and specialized tools. Notably, these chains combine newly identified vulnerabilities (2025 CVEs) with well-established techniques dating back several years (2016-2021 CVEs) (see Appendix E), reflecting how real-world attackers operate by blending new exploits with proven methods. Timely implementation of defensive controls will significantly reduce the likelihood of successful exploitation.

KEY FINDINGS

1. The identified attack chains represent plausible exploitation scenarios that align with current adversary tactics, techniques, and procedures (TTPs).

2. Most of these attack paths could be executed by experienced threat actors using a combination of publicly available tools and moderate custom development.

3. Three of the four attack chains can be initiated completely remotely, while certain variations may involve supply chain compromises or require closer proximity to the target network.

4. CVE-2025-0282 appears across all chains and would likely be weaponized quickly after disclosure due to its high-impact ransomware deployment capability (see Shared Vulnerabilities).

5. Several alternative attack paths leverage older, established vulnerabilities from as far back as 2016, demonstrating how attackers combine new techniques with proven methods (see Historical Vulnerabilities).

6. Defense-in-depth strategies focusing on detection and prevention at multiple stages remain effective, particularly when targeting shared exploitation techniques (see Defense Strategy).

7. The most likely threat actors would include sophisticated cybercriminal groups and advanced persistent threats with specific targeting objectives.

THREAT ACTOR ASSESSMENT

Capability Requirements

Based on our analysis, successful exploitation of these chains would be within reach of:

Skilled Offensive Security Teams

Experienced penetration testers and red teams regularly chain multiple vulnerabilities using a mix of public exploits and custom tools. The techniques required align with standard methodologies taught in advanced offensive security training.

Financially-Motivated Cybercriminals

Sophisticated ransomware groups have demonstrated the capability to leverage multiple vulnerabilities in coordinated attacks, particularly when targeting high-value organizations where the potential ransom justifies additional exploitation effort.

Nation-State Affiliated Groups

While these chains don't necessarily require nation-state resources, state-affiliated groups would likely be interested in these attack paths for targeted operations against specific high-value assets.

Attack Methodology Assessment

Attackers exploiting these chains would likely:

  • Use a combination of publicly available exploitation frameworks (like Metasploit or Cobalt Strike) for initial access and lateral movement
  • Deploy custom modules for specific vulnerability exploitation, potentially based on proof-of-concept code released after disclosure
  • Apply established post-exploitation techniques for persistence, credential theft, and lateral movement
  • Leverage specialized tools for evading detection and maintaining access across different technology stacks

For a detailed breakdown of specific techniques per attack chain, see Appendix C: Attack Chain Structure.

INITIAL ATTACK VECTOR ANALYSIS

Understanding the physical and network positioning requirements for initiating these attack chains is critical for implementing appropriate defensive controls. Each chain presents different initial access considerations:

Fortinet Super-Admin Exploit Chain ACKEM Score: 1.00000

Initial Access Requirements: Fully Remote Exploitation Possible

This attack chain begins with reconnaissance (CVE-2025-1316) targeting internet-exposed Fortinet appliances, followed by authentication bypass (CVE-2025-24472). These initial stages can be executed entirely remotely from anywhere in the world, requiring only network connectivity to exposed management interfaces. No physical access, proximity to the target, or user interaction is required to initiate the attack.

Alternative Access Methods:

  • The variation using CVE-2017-11882 would require user interaction (opening a malicious document via phishing)
  • The variation using CVE-2021-26855 (ProxyLogon) remains a fully remote option requiring no user interaction

Network Exposure Requirements:

  • Internet-exposed Fortinet management interfaces
  • Improperly segmented management networks
  • External visibility of internal infrastructure
VMware Escape and Ransomware Deployment ACKEM Score: 1.00000

Initial Access Requirements: Remote to Semi-Remote

The primary attack vector begins with a path traversal vulnerability in backup software (CVE-2024-48248) that can be exploited remotely if the affected interfaces are externally accessible. The subsequent arbitrary write in VMware ESXi (CVE-2025-22225) typically requires access to management interfaces, which might be restricted to internal networks in many environments.

Alternative Access Methods:

  • The variation using CVE-2019-11510 (Pulse Secure) allows fully remote exploitation if the VPN appliance is internet-facing
  • Some variations might require an initial foothold within the internal network, achieved through other means

Network Exposure Requirements:

  • Externally accessible backup interfaces
  • VMware management interfaces (often restricted to internal networks)
  • Remote administration portals
Microsoft Windows Kernel Privilege Escalation Chain ACKEM Score: 0.99999

Initial Access Requirements: Mixed Requirements

The primary path begins with the same reconnaissance vulnerability (CVE-2025-1316) as the Fortinet chain, but subsequent exploitation of Windows-specific vulnerability (CVE-2025-24985) varies in its accessibility requirements. This could range from remote exploitation of exposed services to requiring an initial foothold on the network.

Alternative Access Methods:

  • The variation using CVE-2017-0199 involves a malicious Office document requiring user interaction
  • Physical access is not required, but some variations might benefit from proximity to the target network (e.g., WiFi access)

Network Exposure Requirements:

  • Externally accessible Windows services
  • User endpoints with email/web access for document-based delivery methods
  • Direct network connectivity to Windows server environments
GitHub Supply Chain Attack via tj-actions ACKEM Score: 0.99996

Initial Access Requirements: Indirect / Supply Chain

This attack chain represents a more sophisticated approach, targeting the software supply chain through GitHub's tj-actions component (CVE-2025-30066). This attack would be initiated remotely against the development infrastructure rather than directly against the ultimate target environment.

Alternative Access Methods:

  • This attack requires no physical proximity to the ultimate target
  • No physical media (like USB drives) is needed
  • The attack leverages trusted distribution channels rather than direct exploitation

Network Exposure Requirements:

  • Access to public GitHub repositories or private repositories with the vulnerable components
  • No direct access to the target's network is initially required
  • Attack payload is delivered through trusted CI/CD pipelines

Physical Access Considerations

None of the primary attack chains identified explicitly require physical access (such as USB device insertion) to initiate exploitation. However, several observations about physical access aspects:

  • Alternative Attack Methods: While not primary components of these chains, physical access attacks (like USB device drops, evil maid attacks, or rogue devices) could provide initial access in environments with strong perimeter controls.
  • Network Proximity: Some components of the attack chains would benefit from proximity to the target network (such as being within WiFi range or connected to adjacent networks), though full remote execution remains possible in most scenarios.
  • Supply Chain Implications: The GitHub-based attack demonstrates how modern attacks often bypass the need for direct physical or network access by compromising the supply chain.

For additional details on permutation possibilities across these attack chains, see Appendix F: Permutation Analysis.

TECHNICAL ANALYSIS

Attack Chain Complexity Assessment

ANALYST INSIGHT

The complexity of these attack chains is significant but not prohibitive for skilled attackers. Most large cybercriminal operations and advanced persistent threats maintain the technical capabilities to execute these types of attacks when targeting high-value assets. The ability to initiate three of the four chains completely remotely increases their attractiveness to threat actors operating from safe jurisdictions.

Fortinet Super-Admin Exploit Chain (ACKEM: 1.00000)

Technical Complexity: Moderate to High

This chain leverages techniques similar to those seen in previous Fortinet exploitations. The initial access and authentication bypass (CVE-2025-24472) would likely be quickly weaponized after disclosure, similar to previous Fortinet CVEs that appeared in exploitation frameworks within days of patch release. The WebSockets persistence mechanism represents a more sophisticated technique but aligns with current adversary methodologies for maintaining covert access.

Exploitation Approach:

A skilled attacker would likely use publicly available security tools to identify vulnerable Fortinet appliances, then deploy either public exploits or moderate custom development for the authentication bypass. Post-exploitation would leverage established techniques for credential access and lateral movement, potentially using existing frameworks with custom modules.

VMware Escape and Ransomware Deployment (ACKEM: 1.00000)

Technical Complexity: Moderate to High

While VM escape vulnerabilities have historically been considered complex, threat actors have increasingly incorporated them into their toolkits. The arbitrary write vulnerability (CVE-2025-22225) follows patterns similar to previously exploited VMware issues that were quickly weaponized after disclosure. The lateral movement techniques align with standard methodologies used in virtualized environment compromises.

Exploitation Approach:

Attackers would likely combine public exploit code with targeted modifications for specific VMware versions. The exploitation chain would integrate with established post-exploitation frameworks for credential access and lateral movement. The ransomware deployment would utilize existing ransomware frameworks with environment-specific targeting.

Microsoft Windows Kernel Privilege Escalation Chain (ACKEM: 0.99999)

Technical Complexity: Moderate

Windows kernel exploits regularly appear in both public and private exploitation toolkits. The Use-After-Free vulnerability (CVE-2025-24983) follows patterns seen in previously exploited Windows kernel issues. Once exploit code becomes available, integration into attack frameworks happens quickly, as evidenced by numerous previous Windows kernel vulnerabilities that appeared in exploitation kits shortly after disclosure.

Exploitation Approach:

Attackers would likely leverage public exploit code once available, integrating it into established post-exploitation frameworks. The privilege escalation would be followed by standard credential harvesting techniques, with lateral movement through established methodologies like pass-the-hash or token manipulation.

GitHub Supply Chain Attack via tj-actions (ACKEM: 0.99996)

Technical Complexity: Moderate to High

Supply chain attacks have become increasingly common, with several high-profile incidents demonstrating their effectiveness. The github-tj-actions vulnerability (CVE-2025-30066) represents a specific implementation but follows patterns seen in other supply chain compromises. The persistent access achieved through this vector provides valuable initial access to multiple downstream targets.

Exploitation Approach:

This attack would combine public exploitation techniques with targeted modifications for specific GitHub environments. The attacker would leverage established CI/CD exploitation methodologies, likely using a combination of publicly available tools and moderate custom scripting to maintain persistence in the supply chain.

Vulnerability Exploitation Assessment

Initial Access Vectors

The reconnaissance phase (CVE-2025-1316) uses standard scanning techniques available in multiple frameworks. The initial access exploits follow patterns seen in previously weaponized vulnerabilities, making them accessible to attackers with moderate expertise once exploit code becomes available.

Exploitation Tools

Remote code execution exploits like CVE-2025-12686 would likely appear in public exploitation frameworks shortly after disclosure, following patterns seen with similar vulnerabilities. Within days to weeks of disclosure, these exploits typically transition from proof-of-concept to weaponized implementations.

Persistence Methods

Persistence mechanisms like WebSockets (CVE-2025-55591) align with current adversary techniques for maintaining covert access. While these require more sophistication than basic persistence, they represent established methodologies documented in offensive security training and frameworks.

Privilege Escalation Techniques

Privilege escalation vulnerabilities like CVE-2025-21418 follow patterns frequently seen in penetration testing engagements. Once exploit code becomes available, these vulnerabilities are often quickly integrated into post-exploitation frameworks, making them accessible to a wider range of attackers.

DEFENSE ASSESSMENT

Practical Mitigation Strategies

Vulnerability Management

Timely patching remains the most effective defense against these attack chains. Organizations should prioritize CVE-2025-0282 due to its presence across all chains and ransomware impact. For organizations with complex patching cycles, implementing compensating controls around the lateral movement phase would significantly reduce risk. See Appendix G: Defense Implementation Timeline for a phased approach.

Network Security Architecture

Network segmentation and properly monitored boundaries create substantial barriers to lateral movement, even when initial exploitation succeeds. Implementing zero trust network access for administrative interfaces would significantly complicate the Fortinet exploitation chain.

Identity and Access Management

Multi-factor authentication, especially for privileged accounts, creates significant barriers for credential-focused attack chains. Implementing privileged access workstations and just-in-time access would substantially reduce the effectiveness of credential theft techniques used in these chains.

Detection and Response

Focused monitoring around lateral movement techniques provides the best opportunity to detect these attack chains before they reach critical assets. Behavioral analytics focusing on unusual administrative actions and network connections offers particularly effective detection opportunities. For technology-specific guidance, see Appendix H: Technology-Specific Defensive Guidance.

Organizational Resilience Factors

Organizations with these capabilities demonstrate enhanced resilience against the identified attack chains:

  • Vulnerability management processes that prioritize based on exploitation potential and exposure
  • Network segmentation with monitored boundaries between security domains
  • Multi-layer authentication for administrative access
  • Endpoint detection and response with behavioral analytics
  • Regular incident response exercises that simulate sophisticated attack chains

RECOMMENDATIONS

Practical Security Improvements

Risk-Based Vulnerability Management

Prioritize patching based on exposure and exploitation potential. Focus first on internet-facing systems affected by the initial access vulnerabilities, then address the shared vulnerabilities used in lateral movement (see Shared Vulnerabilities). Implement compensating controls where patching faces delays.

Defense-in-Depth Strategy

Implement multiple security layers focusing on different attack phases, with particular emphasis on lateral movement detection. This approach ensures that even if initial exploitation succeeds, subsequent attack stages face additional barriers that increase detection opportunities. See Multi-Phase Defense Strategy for a comprehensive approach.

Threat Intelligence Integration

Monitor for emerging exploitation of these vulnerabilities in the wild. Initial access vulnerabilities typically appear in exploitation frameworks quickly after disclosure, providing early warning of potential targeting. Establish communication channels with relevant security communities to share indicators. See Security Operations Enhancement for details.

Resilience Planning

Develop and test recovery procedures that address worst-case scenarios including ransomware deployment. Ensure backup systems remain isolated from potential compromise through network-based attack chains. Regularly test restoration procedures to validate recovery capabilities.

Perimeter Security Enhancement

Given that three of the four attack chains can be initiated fully remotely, focus additional attention on perimeter security controls, including restricting management interface exposure, implementing robust VPN security, and enhancing monitoring of internet-facing services. See Metrics and Validation for measuring effectiveness.

APPENDIX A: VULNERABILITY EXPLOITATION ASSESSMENT

CVE ID Description Technical Complexity Exploitation Method Detection Opportunity
CVE-2025-0282 Ransomware Deployment Moderate Likely to be weaponized in existing ransomware frameworks File system activity, behavior monitoring
CVE-2025-24991 Lateral Movement Moderate Standard tools with target-specific modifications Network traffic analysis, unusual connections
CVE-2025-21413 Collection Moderate Established data collection techniques Data access patterns, unusual queries
CVE-2024-40890 Exfiltration Moderate Known C2 frameworks with custom channels Network traffic analysis, unusual connections
CVE-2025-21418 Privilege Escalation Moderate to High Public exploit with target-specific modifications Process monitoring, privilege changes
CVE-2025-24983 Persistence Moderate Standard persistence techniques New scheduled tasks, registry changes
CVE-2025-0411 Defense Evasion Moderate Known evasion techniques with custom elements Security product failures, logging gaps
CVE-2025-49035 Credential Access Moderate Established credential harvesting methods Memory access patterns, credential dumping

APPENDIX B: SHARED VULNERABILITY ANALYSIS

The following vulnerabilities are shared across multiple attack chains, creating significant opportunities for defenders to implement focused controls:

DEFENSIVE OPPORTUNITY

Addressing the four vulnerabilities shared across all attack chains (highlighted as Critical) would disrupt the most damaging phases of all identified exploitation paths. Focus first on CVE-2025-0282 to prevent ransomware deployment, then on lateral movement (CVE-2025-24991) to contain initial compromises.

CVE ID Vulnerability Shared Across Kill Chain Phase Priority
CVE-2025-0282 Ransomware Deployment All 4 chains Impact Critical
CVE-2025-24991 Lateral Movement All 4 chains Lateral Movement Critical
CVE-2025-21413 Collection All 4 chains Collection Critical
CVE-2024-40890 Exfiltration All 4 chains Exfiltration Critical
CVE-2025-1316 Reconnaissance Fortinet, Windows, GitHub Reconnaissance Medium
CVE-2025-24983 Persistence Fortinet, VMware, Windows Persistence High
CVE-2025-21418 Privilege Escalation VMware, Windows, GitHub Privilege Escalation Critical
CVE-2025-0411 Defense Evasion VMware, Windows, GitHub Defense Evasion High
CVE-2025-49035 Credential Access Fortinet, Windows, GitHub Credential Access High
CVE-2025-0111 Discovery Fortinet, Windows, GitHub Discovery Medium
CVE-2025-12686 Remote Code Execution Fortinet, Windows Execution High
CVE-2025-23209 Code Injection VMware, GitHub Execution High
CVE-2025-55591 WebSockets Persistence Fortinet, GitHub Persistence Medium

APPENDIX C: ATTACK CHAIN STRUCTURE

Complete Kill Chain Progression

Each attack chain follows the standard cyber kill chain model, progressing through these key phases:

  1. Reconnaissance - Initial target identification and vulnerability scanning
  2. Initial Access - First point of entry into the environment
  3. Execution - Running malicious code on the compromised system
  4. Persistence - Establishing mechanisms to maintain access
  5. Privilege Escalation - Gaining higher-level permissions
  6. Defense Evasion - Avoiding detection by security controls
  7. Credential Access - Stealing authentication credentials
  8. Discovery - Mapping the internal environment
  9. Lateral Movement - Expanding access to other systems
  10. Collection - Gathering valuable data
  11. Exfiltration - Moving data outside the environment
  12. Impact - Final objective (typically ransomware deployment)

Fortinet Chain-Specific Vulnerabilities

  • Reconnaissance: CVE-2025-1316 - Identifies vulnerable networked devices
  • Initial Access: CVE-2025-24472 - Authentication Bypass in Fortinet
  • Execution: CVE-2025-12686 - Remote Code Execution via Admin Access
  • Persistence: CVE-2025-55591 - Maintain persistence using WebSockets
  • Privilege Escalation: CVE-2025-24983 - Win32k Use-After-Free for Admin Access
  • Defense Evasion: CVE-2025-0994 - Deserialization attack to obfuscate execution
  • Credential Access: CVE-2025-49035 - Extract credentials from Partner Center
  • Discovery: CVE-2025-0111 - File Read Vulnerability for reconnaissance
  • Lateral Movement: CVE-2025-24991 - NTFS Read Vulnerability for movement
  • Collection: CVE-2025-21413 - Outlook Improper Input Validation to collect emails
  • Exfiltration: CVE-2024-40890 - OS Command Injection to exfiltrate stolen data
  • Impact: CVE-2025-0282 - Deploy ransomware using Ivanti Buffer Overflow

Historical Variations:

  • Initial Access: Also observed using CVE-2017-11882 (from 2017) or CVE-2021-26855 (from 2021)
  • Privilege Escalation: Alternative path using CVE-2016-5195 (from 2016)
  • Lateral Movement: Alternative using CVE-2017-0144 (from 2017)
  • Impact: Alternative using CVE-2017-0145 (from 2017)

VMware Chain-Specific Vulnerabilities

  • Reconnaissance: CVE-2024-48248 - Path traversal in backup software
  • Initial Access: CVE-2025-22225 - Arbitrary Write in VMware ESXi
  • Execution: CVE-2025-23209 - Code Injection in Craft CMS
  • Persistence: CVE-2025-24983 - Use-After-Free in Windows Kernel
  • Privilege Escalation: CVE-2025-21418 - Heap Overflow in WinSock
  • Defense Evasion: CVE-2025-0411 - Bypass Security with 7-Zip Exploit
  • Credential Access: CVE-2024-53704 - SSLVPN Improper Authentication
  • Discovery: CVE-2024-12686 - Remote Access OS Command Injection
  • Lateral Movement: CVE-2025-24991 - NTFS Out-of-Bounds Read
  • Collection: CVE-2025-21413 - Extract emails from Outlook
  • Exfiltration: CVE-2024-40890 - Exfiltrate using OS command injection
  • Impact: CVE-2025-0282 - Deploy ransomware using Ivanti Vulnerability

Historical Variations:

  • Initial Access: Alternative using CVE-2019-11510 (from 2019)
  • Privilege Escalation: Alternative using CVE-2021-3156 (from 2021)
  • Lateral Movement: Alternative using CVE-2020-1472 (from 2020)
  • Impact: Alternative using CVE-2017-5638 (from 2017)

Windows Chain-Specific Vulnerabilities

  • Reconnaissance: CVE-2025-1316 - Identifies vulnerable networked devices
  • Initial Access: CVE-2025-24985 - Windows-specific vulnerability
  • Execution: CVE-2025-12686 - Remote Code Execution
  • Persistence: CVE-2025-24983 - Use-After-Free in Windows Kernel
  • Privilege Escalation: CVE-2025-21418 - Heap Overflow in WinSock
  • Defense Evasion: CVE-2025-0411 - Bypass Security with 7-Zip Exploit
  • Credential Access: CVE-2025-49035 - Extract credentials from Partner Center
  • Discovery: CVE-2025-0111 - File Read Vulnerability
  • Lateral Movement: CVE-2025-24991 - NTFS Read Vulnerability
  • Collection: CVE-2025-21413 - Outlook Improper Input Validation
  • Exfiltration: CVE-2024-40890 - OS Command Injection for exfiltration
  • Impact: CVE-2025-0282 - Ransomware Deployment

Historical Variations:

  • Initial Access: Alternative using CVE-2017-0199 (from 2017)
  • Privilege Escalation: Alternative using CVE-2021-1732 (from 2021)
  • Lateral Movement: Alternative using CVE-2017-0143 (from 2017)
  • Impact: Alternative using CVE-2018-8584 (from 2018)

GitHub Chain-Specific Vulnerabilities

  • Reconnaissance: CVE-2025-1316 - Identifies vulnerable networked devices
  • Initial Access: CVE-2025-30066 - GitHub-specific vulnerability
  • Execution: CVE-2025-23209 - Code Injection
  • Persistence: CVE-2025-55591 - WebSockets Persistence
  • Privilege Escalation: CVE-2025-21418 - Heap Overflow in WinSock
  • Defense Evasion: CVE-2025-0411 - Bypass Security with 7-Zip Exploit
  • Credential Access: CVE-2025-49035 - Extract credentials from Partner Center
  • Discovery: CVE-2025-0111 - File Read Vulnerability
  • Lateral Movement: CVE-2025-24991 - NTFS Read Vulnerability
  • Collection: CVE-2025-21413 - Outlook Improper Input Validation
  • Exfiltration: CVE-2024-40890 - OS Command Injection for exfiltration
  • Impact: CVE-2025-0282 - Ransomware Deployment

Historical Variations:

  • Initial Access: Alternative using CVE-2020-0601 (from 2020)
  • Privilege Escalation: Alternative using CVE-2018-8611 (from 2018)
  • Lateral Movement: Alternative using CVE-2017-8759 (from 2017)
  • Impact: Alternative using CVE-2021-34527 (from 2021)

APPENDIX D: MULTI-PHASE DEFENSE STRATEGY

The following security controls provide practical protection against the identified attack chains:

1. Vulnerability Management
  • Prioritize externally exposed systems and shared vulnerabilities
  • Implement compensating controls while awaiting patches
  • Verify patch effectiveness through vulnerability scanning
2. Network Security
  • Segment critical systems and management interfaces
  • Monitor lateral movement with network traffic analysis
  • Implement zero trust access for administrative interfaces
3. Endpoint Protection
  • Deploy application control on critical systems
  • Implement behavioral monitoring for unusual activity
  • Enable memory protection features where available
4. Access Control
  • Require multi-factor authentication for privileged access
  • Implement time-limited privileged access
  • Separate administrative credentials from regular user accounts
5. Perimeter Defense Enhancement
  • Restrict management interface exposure to the internet
  • Implement strict network filtering for exposed services
  • Deploy advanced inspection of all inbound traffic
DEFENSE-IN-DEPTH STRATEGY

These complementary defenses create multiple barriers that significantly increase both the difficulty of successful exploitation and the likelihood of detection during attack progression. Even when complete patching isn't immediately feasible, implementing these controls provides substantial risk reduction.

APPENDIX E: HISTORICAL VULNERABILITY INTEGRATION

The integration of historical vulnerabilities within modern attack chains reveals several strategic patterns:

Age Distribution Analysis

The distribution of historical vulnerability ages reveals insight into exploitation longevity:

  • 2016-2017 Era (5-9 years old): 8 vulnerabilities
  • 2018-2019 Era (3-4 years old): 3 vulnerabilities
  • 2020-2021 Era (1-2 years old): 5 vulnerabilities

The concentration of vulnerabilities from 2016-2017 demonstrates the remarkable longevity of certain exploit techniques, with the 5-9 year window showing particular persistence.

Technology Focus Patterns

Historical vulnerabilities target specific technologies that show persistent vulnerability patterns:

  • Microsoft Office/Document-based: 3 vulnerabilities (CVE-2017-11882, CVE-2017-0199, CVE-2017-8759)
  • Windows SMB/Network Services: 4 vulnerabilities (CVE-2017-0144, CVE-2017-0145, CVE-2017-0143, CVE-2020-1472)
  • Local Privilege Escalation: 4 vulnerabilities (CVE-2016-5195, CVE-2021-3156, CVE-2021-1732, CVE-2018-8611)
  • Web/Application Services: 2 vulnerabilities (CVE-2017-5638, CVE-2019-11510)
  • Certificate/Cryptographic: 1 vulnerability (CVE-2020-0601)
  • Print Services: 1 vulnerability (CVE-2021-34527)

This distribution highlights specific technology areas that continue to present exploitable vulnerabilities even years after disclosure.

Attacker Methodology Insights

The integration of historical vulnerabilities provides valuable insight into attacker methodology:

  • Reliability Prioritization: Historical vulnerabilities often have more reliable, battle-tested exploit code
  • Operational Efficiency: Reusing established techniques reduces development overhead
  • Detection Evasion: Older techniques may evade detection systems focused on newer threats
  • Defense Bypass: Historical vulnerabilities often bypass security controls added after more recent disclosures

This approach maximizes operational success while minimizing development effort, reflecting real-world attacker economics.

APPENDIX F: PERMUTATION ANALYSIS

The shared vulnerabilities create numerous permutation possibilities that significantly complicate detection and response:

Within-Chain Permutations

Each chain contains alternative paths at different stages, creating multiple permutation options:

  • Fortinet: 24 permutations (3×2×2×2 variations)
  • VMware: 16 permutations (2×2×2×2 variations)
  • Windows: 16 permutations (2×2×2×2 variations)
  • GitHub: 16 permutations (2×2×2×2 variations)

Total: 72 distinct within-chain permutations

Cross-Chain Permutations

The shared vulnerabilities create additional cross-chain pivoting opportunities:

  • Reconnaissance: 3 shared chains × multiple subsequent paths
  • Persistence: 3 shared chains × multiple subsequent paths
  • Privilege Escalation: 3 shared chains × multiple subsequent paths
  • Lateral Movement: 4 shared chains × multiple subsequent paths

Cross-chain permutation possibilities: Hundreds of theoretical variations

Attack Chain Engineering Insights

The pattern of shared vulnerabilities reveals deliberate attack chain engineering to maximize success rates:

  • Common Initial Access: Shared reconnaissance techniques simplify initial targeting
  • Diverse Mid-Chain Options: Multiple mid-chain approaches provide flexibility
  • Unified Final Stages: Common techniques for the highest-impact activities
  • Fallback Options: Alternative paths if primary exploitation fails

This approach demonstrates sophisticated attack methodology that prioritizes operational success through redundancy and flexibility.

APPENDIX G: DEFENSE IMPLEMENTATION TIMELINE

To translate strategic recommendations into practical action, we provide a phased implementation approach:

Phase 1: Immediate Risk Reduction (0-30 Days)

Focus: Critical vulnerabilities and exposed services

  1. Emergency Patching:
    • Patch CVE-2025-0282 across all environments
    • Address CVE-2025-24991 on critical systems
    • Implement temporary mitigations where immediate patching isn't feasible
  2. Exposure Reduction:
    • Audit and restrict external exposure of management interfaces
    • Implement enhanced filtering for remote access solutions
    • Deploy emergency network filtering rules to block known exploitation patterns
  3. Detection Enhancement:
    • Implement monitoring for lateral movement indicators
    • Deploy ransomware-specific detection rules
    • Enable enhanced logging for privileged account usage

Expected Outcome: Immediate reduction in the most critical attack surface and enhanced visibility into potential compromise indicators.

Phase 2: Structural Improvements (30-90 Days)

Focus: Architecture and systemic controls

  1. Network Segmentation Implementation:
    • Define security zones based on data sensitivity and system function
    • Implement initial network segments with strict filtering
    • Deploy enhanced monitoring at segment boundaries
  2. Identity and Access Restructuring:
    • Implement privileged access management for administrative functions
    • Deploy multi-factor authentication for sensitive access
    • Begin privileged account isolation and just-in-time access
  3. Endpoint Hardening:
    • Deploy application control policies on critical systems
    • Implement enhanced endpoint protection with behavioral monitoring
    • Enable operating system security features

Expected Outcome: Structural improvements that systematically disrupt attack chains regardless of initial vector or specific vulnerabilities.

Phase 3: Comprehensive Defense Maturity (90-180 Days)

Focus: Advanced controls and integration

  1. Zero Trust Implementation:
    • Deploy context-based access controls
    • Implement continuous authentication and authorization
    • Establish comprehensive device trust evaluation
  2. Security Analytics Enhancement:
    • Integrate security telemetry across control points
    • Implement advanced behavioral analytics
    • Deploy automated response capabilities for common attack patterns
  3. Supply Chain Security:
    • Establish software component analysis
    • Implement integrity verification for trusted sources
    • Deploy enhanced monitoring for software deployment pipelines

Expected Outcome: Mature, integrated security controls that provide defense-in-depth against sophisticated attack chains with automated detection and response capabilities.

APPENDIX H: TECHNOLOGY-SPECIFIC DEFENSIVE GUIDANCE

Each attack chain targets specific technologies that require tailored defensive strategies:

Fortinet Infrastructure Defense

Critical Focus Areas:

  • Restrict management interface exposure to authorized networks only
  • Implement enhanced logging and monitoring for administrative actions
  • Deploy multi-factor authentication for all administrative access
  • Establish configuration baseline and compliance monitoring
  • Conduct regular security posture assessments

Specific CVE Mitigations:

  • CVE-2025-24472: Implement network filtering and authentication restrictions
  • CVE-2025-55591: Monitor for unusual WebSocket connections and establish baseline patterns
VMware Environment Protection

Critical Focus Areas:

  • Isolate virtualization management networks from production systems
  • Implement strict access controls for virtualization infrastructure
  • Deploy enhanced monitoring for VM escape attempts
  • Establish secure configuration baselines
  • Implement backup and recovery capabilities with integrity verification

Specific CVE Mitigations:

  • CVE-2025-22225: Restrict access to management interfaces and implement enhanced monitoring
  • CVE-2025-23209: Deploy application control to prevent unauthorized code execution
Windows Infrastructure Security

Critical Focus Areas:

  • Implement comprehensive patch management with verification
  • Deploy privilege management and application control
  • Establish enhanced monitoring for privilege escalation attempts
  • Implement credential theft protection mechanisms
  • Deploy ransomware-specific protection controls

Specific CVE Mitigations:

  • CVE-2025-24983: Monitor for unusual kernel operations and implement application control
  • CVE-2025-21418: Deploy memory protection features and monitor for exploitation patterns
Software Supply Chain Protection

Critical Focus Areas:

  • Implement integrity verification for development pipelines
  • Establish code signing and verification requirements
  • Deploy monitoring for unusual CI/CD activity
  • Conduct regular security assessments of development infrastructure
  • Implement software composition analysis

Specific CVE Mitigations:

  • CVE-2025-30066: Audit GitHub Actions workflows and implement integrity checks
  • CVE-2025-55591: Monitor for unusual WebSocket connections in development environments

APPENDIX I: SECURITY OPERATIONS ENHANCEMENT

Effective defense requires enhanced security operations focused on the identified attack patterns:

Detection Strategy Optimization

Align detection capabilities with the identified attack chains:

  • Reconnaissance Detection: Implement enhanced monitoring for scanning and enumeration activities
  • Initial Access Alerting: Deploy targeted detection for the identified initial access vectors
  • Lateral Movement Focus: Establish comprehensive monitoring for the shared lateral movement techniques
  • Data Theft Detection: Implement behavior-based analytics for identifying collection and exfiltration activities
Threat Intelligence Integration

Enhance threat intelligence capabilities:

  • Vulnerability Exploitation Monitoring: Track actual exploitation trends rather than just disclosure timing
  • Attack Chain Analysis: Develop intelligence on how vulnerabilities are chained together in real-world attacks
  • Attacker Methodology Tracking: Monitor for evolution in attacker techniques related to the identified chains
  • Cross-Technology Correlation: Establish correlation across different technology stacks
Incident Response Enhancement

Optimize incident response for the identified attack patterns:

  • Attack Chain-Specific Playbooks: Develop response procedures aligned with the identified chains
  • Cross-Technology Response: Establish coordinated response across different technology teams
  • Recovery Optimization: Implement ransomware-specific recovery procedures
  • Tabletop Exercises: Conduct regular exercises based on the identified attack scenarios

APPENDIX J: METRICS AND VALIDATION

Establish metrics to validate defensive effectiveness:

Key Performance Indicators
  1. Vulnerability Coverage: Percentage of identified critical shared vulnerabilities patched
  2. Control Implementation: Progress on implementing the recommended defensive controls
  3. Detection Capability: Validation of detection effectiveness through red team exercises
  4. Response Readiness: Time to respond to simulated attacks using the identified chains
  5. Architecture Maturity: Progress on implementing structural improvements

Regular validation through penetration testing and red team exercises provides assurance that defensive measures effectively disrupt the identified attack chains.

Continuous Improvement Process
  1. Quarterly Security Posture Review: Comprehensive evaluation of defense effectiveness
  2. Monthly Control Validation: Testing of specific defensive controls against relevant attack techniques
  3. Weekly Threat Intelligence Review: Monitoring for emerging exploitation of identified vulnerabilities
  4. Annual Full-Scale Red Team Exercise: Complete validation of defenses against realistic attack scenarios

APPENDIX K: ADAPTIVE KILL CHAIN EXPLOITABILITY METRIC (ACKEM)

Overview

The Adaptive Kill Chain Exploitability Metric (ACKEM) is a probability-based model developed to assess the real-world likelihood of a multi-stage attack chain being successfully executed. It incorporates:

  • EPSS scores (Exploit Prediction Scoring System) to quantify exploitation likelihood for each CVE.
  • MITRE ATT&CK Kill Chain phases to structure the progression of an attack.
  • Historical and modern variation paths, allowing for attacker flexibility per phase.

This model provides a more realistic representation than traditional summative scores by accounting for branching logic, redundancy in exploit stages, and operational variation.

How It Was Calculated

Step 1: Group Vulnerabilities by Kill Chain Phase

Each kill chain (Fortinet, VMware, Windows, GitHub) was broken into the following phases:

Reconnaissance → Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Collection → Exfiltration → Impact

Each phase contained one or more CVEs, including historical variations, that could serve as alternate paths for an attacker.

Step 2: Extract EPSS Scores

All CVEs were matched to their most recent EPSS score from the official CISA dataset (epss_scores-2025-03-19.csv.gz). For CVEs with no available score, the phase was excluded from probability modeling.

Step 3: Apply Maximum EPSS per Phase

For each phase with multiple CVEs:
ACKEM uses the maximum EPSS score per phase to simulate an attacker choosing the most reliable path forward.
Example:

Privilege Escalation → max(EPSS for CVE-2025-21418, CVE-2016-5195) → used in chain

Step 4: Calculate Cumulative Exploitation Probability

Assuming independent exploitation events:

P(chain success) = 1 - ∏ (1 - max(EPSS_phase_i))

This reflects the probability that at least one path per phase works, allowing the attacker to move forward and complete the chain.

ACKEM Results
Kill Chain Phases Counted ACKEM Score (P_success)
Fortinet Super-Admin Exploit Chain 9 1.00000
VMware Escape and Ransomware Deployment 12 1.00000
Windows Kernel Privilege Escalation Chain 10 0.99999
GitHub tj-actions Supply Chain Attack 10 0.99996
Nuances and Limitations
  • High EPSS bias: Some legacy CVEs (e.g., EternalBlue) have EPSS scores >0.94, which can heavily skew chain probability upward.
  • Independence assumption: This model assumes exploit attempts at each stage are statistically independent, which may not always hold true.
  • Operational realism: Attackers may not always choose the mathematically "best" CVE, depending on target environment or tooling limitations.
  • Partial visibility: Not all CVEs in the chain had EPSS scores available. Chains were computed using available data only.
Why Not Use Summed Scores?

Summed EPSS scores do not reflect conditional success logic or redundant exploit paths. ACKEM better models the real-world attacker decision tree, where multiple variations per phase create resilient attack opportunities.

Use Case

ACKEM is ideal for:

  • Prioritizing threat mitigation based on full-chain viability
  • Modeling APT-level threats
  • Red team simulation planning
  • Executive risk reporting in operational terms

INFORMATIONAL // TLP:GREEN

© 2025 ShellHounds: Rapid Tactical Prototyping Lab

Klavan Security

Sharing encouraged within security community to enhance collective defense

SHELLHOUNDS
Previous

Privacy in the Age of Surveillance Capitalism: Lessons from Meredith Whittaker
Next

Why 'VPNs Are Worthless (But You Should Use One)' Is Terrible Advice