Hackers Exploit FortiWeb Devices to Deploy Sliver C2 for Persistent Access
Researchers have identified a threat actor whose own Sliver C2 databases and logs were left exposed, and who successfully exploited multiple FortiWeb devices to deploy Sliver. The same group also leveraged React2Shell (CVE-2025-55182) to deploy Sliver, and used fast reverse proxy (FRP) to expose local services on victim hosts to the attacker remotely.
More details here: https://ctrlaltintel.com/threat%20research/FortiWeb-Sliver/
Ensar Seker, CISO at threat intelligence company SOCRadar, commented:
“This is a textbook case of adversaries exploiting the weakest link in the network: outdated edge appliances. FortiWeb devices running unpatched firmware have become prime targets for initial access, and the deployment of the Sliver C2 framework shows how mature and stealthy these operations have become. Sliver, being an open-source post-exploitation tool, is now favored by both red teams and threat actors alike for its modularity and evasiveness.
What’s especially concerning is the use of Fast Reverse Proxy (FRP) to create persistent tunnels from within internal networks to attacker-controlled infrastructure. This is a clear attempt to sidestep traditional perimeter defenses and EDR visibility. It raises serious questions about visibility on network edge devices, which are often poorly monitored compared to endpoint systems.
This incident underscores the importance of aggressive patch management, zero-trust architecture, and strong monitoring of ingress/egress traffic from non-endpoint infrastructure like WAFs and VPN gateways. Simply deploying EDR is no longer enough if attackers can establish a persistent beachhead on devices outside its scope.”
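The monitoring point made above (egress from WAFs and VPN gateways, which EDR does not see) and the FRP tunnelling described earlier in the post can be turned into a concrete hunt. The following is an added example, not code from the original post or from the cited ctrlaltintel research: it reads a reduced, tab-separated Zeek conn.log-style feed (an assumed column layout, narrower than real Zeek output), restricts itself to connections originating from an inventory of edge appliances, and flags outbound sessions to non-RFC1918 addresses that are long-lived, repeated to the same destination, or aimed at FRP's default server port 7000. The appliance inventory, thresholds, and log lines are all constructed for illustration; the external addresses are documentation-range placeholders.

```python
"""Hunt for FRP-style reverse tunnels from edge appliances in conn-log data.

Added example, not part of the original post or the cited research.
The inventory, thresholds, sample log and column layout are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory of non-endpoint infrastructure (assumed addresses).
EDGE_APPLIANCES = {
    "10.0.5.20": "fortiweb-waf-01",
    "10.0.5.21": "vpn-gw-01",
}

# frps binds to 7000 by default; attackers can change it, so treat as a weak signal.
FRP_DEFAULT_PORT = 7000
LONG_LIVED_SECONDS = 3600.0   # assumed threshold for a "persistent" session
MIN_REPEATS = 3               # assumed threshold for reconnect/beacon behaviour

# RFC1918 ranges only; ipaddress.is_private also matches the documentation
# ranges used below, which would hide the "external" test addresses.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records: ts, uid, orig_h, orig_p, resp_h, resp_p, proto, duration
SAMPLE_CONN_LOG = """\
1767620000.1\tC1\t10.0.5.20\t51022\t10.0.9.10\t443\ttcp\t0.8
1767620100.2\tC2\t10.0.5.20\t51040\t203.0.113.77\t7000\ttcp\t5400.0
1767620200.3\tC3\t10.0.5.20\t51041\t203.0.113.77\t7000\ttcp\t12.0
1767620300.4\tC4\t10.0.5.20\t51042\t203.0.113.77\t7000\ttcp\t9.5
1767620400.5\tC5\t10.0.5.21\t40011\t198.51.100.9\t443\ttcp\t4000.0
1767620500.6\tC6\t192.168.1.50\t55100\t203.0.113.77\t443\ttcp\t0.3
"""


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the RFC1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_conn_log(text: str) -> list:
    """Parse the reduced tab-separated layout; '-' duration means unknown."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, orig_h, orig_p, resp_h, resp_p, proto, duration = line.split("\t")
        records.append({
            "ts": float(ts), "uid": uid,
            "orig_h": orig_h, "orig_p": int(orig_p),
            "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto,
            "duration": float(duration) if duration != "-" else 0.0,
        })
    return records


def find_edge_tunnels(records: list, appliances: dict = EDGE_APPLIANCES) -> list:
    """Group outbound connections per (appliance, dst, dport) and score them."""
    groups = defaultdict(list)
    for r in records:
        # Only edge devices, and only traffic leaving the internal address space.
        if r["orig_h"] not in appliances or is_internal(r["resp_h"]):
            continue
        groups[(r["orig_h"], r["resp_h"], r["resp_p"])].append(r)

    findings = []
    for (src, dst, dport), conns in groups.items():
        signals = set()
        if any(c["duration"] >= LONG_LIVED_SECONDS for c in conns):
            signals.add("long_lived")        # a tunnel held open for an hour or more
        if dport == FRP_DEFAULT_PORT:
            signals.add("frp_default_port")  # weak on its own, strong with the others
        if len(conns) >= MIN_REPEATS:
            signals.add("repeated")          # reconnects after the tunnel drops
        if signals:
            findings.append({"device": appliances[src], "src": src, "dst": dst,
                             "dport": dport, "connections": len(conns),
                             "signals": sorted(signals)})
    # Most signals first, so the strongest lead tops the list.
    findings.sort(key=lambda f: (-len(f["signals"]), f["src"]))
    return findings


if __name__ == "__main__":
    for f in find_edge_tunnels(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{f['device']} {f['src']} -> {f['dst']}:{f['dport']} "
              f"x{f['connections']} signals={','.join(f['signals'])}")
```

On the constructed sample the FortiWeb host's three sessions to 203.0.113.77:7000 collect all three signals, the VPN gateway's single four-thousand-second session to 198.51.100.9:443 is flagged only as long-lived, and the workstation at 192.168.1.50 is ignored because it is not in the appliance inventory. The second case is the one worth remembering: an FRP client configured to use port 443 with TLS leaves only the duration and reconnect pattern as evidence, which is why the check does not key on the port alone.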
This should be a wake-up call to get this sort of technology out of networks as soon as possible, so that networks become more secure by default.
This entry was posted on January 5, 2026 at 2:23 pm and is filed under Commentary with tags Fortinet.