Fortinet releases updates to fix critical FortiSIEM security flaw 

Fortinet has released security updates to address a critical vulnerability affecting FortiSIEM, tracked as CVE-2025-64155 and rated 9.4 on the CVSS scale. 

The flaw is an operating system command injection issue that allows an unauthenticated attacker to achieve remote code execution on vulnerable Super and Worker nodes. Researchers showed how exposed backend services listening on TCP port 7900 could be abused to write malicious files and ultimately escalate privileges to full root access, resulting in complete appliance compromise. 

Multiple FortiSIEM versions are affected, with fixes available through upgrades or migration to patched releases. FortiSIEM Cloud is not impacted. 

Fortinet has also patched a separate critical issue in FortiFone (CVE-2025-47855) that could allow unauthenticated access to device configuration data. 

Organisations are strongly advised to apply updates immediately and restrict access to exposed management ports to reduce risk. 

Microsoft disrupts major cybercrime platform RedVDs 

Microsoft has announced the takedown of RedVDS, a large-scale cybercrime-as-a-service platform linked to more than $40 million in reported losses in the United States since March 2025. Through coordinated civil action in the US and UK, Microsoft seized key infrastructure, taking RedVDS’s marketplace and customer portal offline in partnership with Europol and German authorities. 

RedVDS sold access to disposable Windows-based virtual servers for as little as $24 a month, enabling phishing, business email compromise, credential theft and payment diversion scams at scale. Investigators linked the service to multiple threat groups and identified a shared technical fingerprint across thousands of malicious servers. 

Microsoft revealed that attackers used RedVDS to send up to one million phishing emails per day, compromising nearly 200,000 accounts in recent months. Many campaigns also leveraged generative AI tools, including ChatGPT, to create more convincing lures. Earlier disruptions, including action against RaccoonO365 with Cloudflare, highlight growing efforts to dismantle criminal infrastructure at its source. 

CNIL fines Free Mobile and Free €42m over data protection failures 

France’s data protection authority, CNIL, has issued cumulative fines of €42 million against Free Mobile and its parent company, Free, following a major data breach in October 2024. The incident exposed personal data linked to almost 23 million mobile and fixed-line subscribers, making it one of the most significant telecom breaches in France. 

Attackers compromised an internal management tool and stole customer information, some of which was later offered for sale on a hacker forum. CNIL’s investigation found that the companies failed to meet multiple GDPR obligations, including inadequate security controls, poor breach communication to customers, and excessive retention of former subscriber data. 

Despite improvements made after the incident, CNIL ruled that earlier negligence enabled the attack. The regulator has ordered further remediation within strict deadlines. 

The case follows a broader trend of telecom breaches in France, including incidents affecting Orange France and Bouygues Telecom, underscoring persistent sector-wide cyber risk. 

South Korean conglomerate Kyowon hit by ransomware attack 

Kyowon Group has confirmed it suffered a ransomware attack that disrupted operations and led to the theft of data from its internal systems. The incident occurred in January and affected a significant portion of Kyowon’s server estate, with Korean media reporting that around 600 of its 800 servers were impacted. 

Kyowon stated that attackers exfiltrated data during the intrusion, though it has not yet confirmed whether customer information was included. The company, which operates across education, publishing, digital learning and consumer services, has more than 9.6 million registered accounts linked to approximately 5.5 million individuals. Kyowon has notified Korea Internet & Security Agency and says service restoration is nearing completion. 

The breach adds to a growing list of high-profile cyber incidents in South Korea, following recent disclosures from Coupang, Korean Air, SK Telecom, and Dior Korea, highlighting persistent risks across major sectors. 

Reprompt attack exposes risks in copilot personal sessions 

Security researchers have disclosed a novel attack technique dubbed Reprompt that could allow attackers to hijack a user’s Microsoft Copilot session and silently exfiltrate sensitive data. The method was uncovered by Varonis, which demonstrated how a malicious prompt could be hidden inside a legitimate Copilot URL and executed after a single user click. 

Reprompt abuses the way Copilot processes the “q” parameter in URLs, allowing injected instructions to run automatically. By chaining follow-up requests and exploiting gaps in Copilot’s guardrails, attackers could maintain ongoing access to an authenticated session even after the Copilot tab is closed. Researchers showed how this could bypass data leak protections and extract information invisibly. 

The issue affected Copilot Personal only and did not impact Microsoft 365 Copilot. Microsoft was notified responsibly and released a fix as part of January 2026 Patch Tuesday. Users are strongly advised to apply the latest Windows updates promptly. 

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.