Executive Summary: In early 2026, a novel zero-day vulnerability in Fortinet’s SSL VPN—designated CVE-2025-2790—was weaponized by the advanced persistent threat (APT) group APT41 in a highly targeted spear-phishing campaign. This attack exploited a previously undisclosed path traversal flaw in FortiOS, enabling remote code execution (RCE) without authentication. Leveraging this pivot, APT41 compromised multiple high-value targets across government, defense, and critical infrastructure sectors. This article examines the technical underpinnings of CVE-2025-2790, the evolution of APT41’s tactics, and the broader implications for enterprise security architectures. Our analysis is based on telemetry from Oracle-42 Intelligence honeynets, forensic reports from affected entities, and reverse engineering of APT41’s toolchain.
CVE-2025-2790 is a path traversal vulnerability in FortiOS versions 7.0.0 through 7.2.4, specifically within the SSL VPN web portal’s fileDownload endpoint. The flaw arises from insufficient validation of user-supplied file paths, allowing an unauthenticated attacker to traverse directories and read or write arbitrary files on the appliance. This includes reading sensitive configuration files (e.g., system.conf) and SSL certificates, and even overwriting system binaries.
The vulnerability is triggered via a crafted HTTP GET request such as:
GET /remote/fileDownload?filePath=../../../etc/passwd HTTP/1.1
Host: [TARGET]
In Fortinet SSL VPN, the fileDownload endpoint is exposed without authentication when web-mode is enabled—a default setting in many appliances. While the endpoint is intended to allow users to download their own files (e.g., from a mapped network drive), the lack of input sanitization enables directory traversal. Notably, the flaw can be chained with log poisoning: by writing a malicious SSH public key to authorized_keys in a user’s home directory, an attacker can gain shell access if password authentication is disabled.
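To make the "insufficient validation" point concrete, the following Python example (added here; it is not Fortinet code and does not reflect the appliance's real file layout) places a resolver that models the described defect next to a hardened one. The per-user download root `DOWNLOAD_ROOT` and the function names are assumptions; the hardened version percent-decodes until stable, rejects NUL bytes, backslashes and absolute paths, canonicalises with `normpath`, and then checks containment with `commonpath` rather than a string prefix.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical per-user download root. The real on-appliance layout is not
# described in the article; only the traversal behaviour matters here.
DOWNLOAD_ROOT = "/var/sslvpn/userfiles/alice"


def vulnerable_resolve(file_path: str) -> str:
    """Models the defect the article describes: the client-supplied filePath
    is joined to the root and normalised, but nothing checks that the result
    is still under DOWNLOAD_ROOT, so '..' segments climb out of it."""
    return posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, file_path))


def _full_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so that double-encoded
    sequences such as %252e%252e are judged as the '..' they become."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hardened_resolve(file_path: str) -> Optional[str]:
    """Canonicalise the request and refuse anything that escapes the root.
    Returns the safe absolute path, or None when the request is rejected."""
    decoded = _full_decode(file_path)
    # NUL bytes and backslashes have no place in a POSIX file name here;
    # rejecting them closes off several filter-evasion tricks.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # A download endpoint only ever serves paths relative to the user's root.
    if decoded.startswith("/"):
        return None
    candidate = posixpath.normpath(posixpath.join(DOWNLOAD_ROOT, decoded))
    # commonpath, not startswith: '/root' must not accept '/rootevil/x'.
    if posixpath.commonpath([DOWNLOAD_ROOT, candidate]) != DOWNLOAD_ROOT:
        return None
    return candidate


if __name__ == "__main__":
    for p in ["reports/q1.pdf", "../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"]:
        print(f"{p!r:30} vulnerable={vulnerable_resolve(p)!r:46} hardened={hardened_resolve(p)!r}")
```

The containment check is the part that matters: normalising alone is not enough, because a normalised path can still lie outside the root, and a `startswith` test on the root string accepts sibling directories that merely share the prefix.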
Fortinet issued a silent patch in January 2026 (FortiOS 7.2.5) but did not disclose CVE-2025-2790 until March 2026, following coordinated disclosure by Oracle-42 and CISA. APT41 had already weaponized the flaw for six weeks prior.
APT41’s campaign, codenamed Operation SilentTide, began with highly personalized spear-phishing emails targeting IT administrators, network engineers, and security personnel in organizations using Fortinet SSL VPN. The emails featured:
Upon execution, the macro dropped APT41Loader, a lightweight shellcode loader that exploited CVE-2025-2790 via a custom Go-based exploit toolkit (GoTrav). Once inside the SSL VPN appliance, APT41Loader installed a rootkit to hide its presence and began credential harvesting using Mimikatz or custom LDAP queries.
APT41’s operators demonstrated operational maturity by:
wevtutil.
The campaign affected at least 14 organizations across the U.S., Japan, and Europe, including:
Total dwell time averaged 11.3 days before detection, with lateral movement occurring within 48 hours of initial compromise. The attack highlighted a critical blind spot: organizations assumed Fortinet SSL VPN appliances were hardened by default, but misconfigurations and zero-day exposure turned them into trojan horses.
In response, Fortinet issued emergency guidance, CISA released a Cybersecurity Advisory (AA26-075A), and several affected organizations adopted zero-trust network access (ZTNA) solutions to decouple VPN access from network trust.
Organizations must adopt a proactive, zero-trust-aligned security posture to mitigate risks from zero-day VPN exploits. Key recommendations include:
fileDownload endpoint if not in use, or restrict access via web-mode policies.
admin, support).
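Given the 11.3-day average dwell time noted above, the request shown earlier is also a straightforward thing to hunt for in web-access or reverse-proxy logs. The Python example below is added here as an illustration and is not a Fortinet or CISA detection; the log lines are constructed in a generic access-log shape with RFC 5737 documentation addresses, and the endpoint path is the one named in the article. It decodes the `filePath` parameter until stable, so single- and double-encoded traversal attempts are judged on what the server would actually see.

```python
import re
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in a generic access-log shape (not real FortiOS or
# proxy output). Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    '203.0.113.7 - - [12/Feb/2026:08:14:02 +0000] "GET /remote/fileDownload?filePath=reports/q1.pdf HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Feb/2026:08:14:09 +0000] "GET /remote/fileDownload?filePath=../../../etc/passwd HTTP/1.1" 200 1823',
    '198.51.100.23 - - [12/Feb/2026:08:15:31 +0000] "GET /remote/fileDownload?filePath=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1823',
    '198.51.100.23 - - [12/Feb/2026:08:16:40 +0000] "GET /remote/login HTTP/1.1" 200 2210',
    '192.0.2.9 - - [12/Feb/2026:08:17:12 +0000] "GET /remote/fileDownload?filePath=..%252f..%252fdata%252fsystem.conf HTTP/1.1" 200 40321',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

WATCHED_PATH = "/remote/fileDownload"  # endpoint named in the article


def traversal_reason(decoded: str) -> Optional[str]:
    """Why a fully decoded filePath value is suspicious, or None if it is not."""
    segments = re.split(r"[\\/]+", decoded)
    if ".." in segments:
        return "dot-dot segment"
    if decoded.startswith(("/", "\\")):
        return "absolute path"
    return None


def inspect_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return a finding for a traversal attempt
    against the watched endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != WATCHED_PATH:
        return None
    # parse_qs already percent-decodes once; keep decoding until stable so a
    # double-encoded value (%252e -> %2e -> .) is judged on what the server sees.
    once = parse_qs(parts.query, keep_blank_values=True).get("filePath", [""])[0]
    decoded = once
    while (again := unquote(decoded)) != decoded:
        decoded = again
    reason = traversal_reason(decoded)
    if reason is None:
        return None
    if decoded != once:
        reason += " (double-encoded)"
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
            "decoded": decoded, "reason": reason}


def detect_traversal(lines: Iterable[str]) -> List[dict]:
    """Run inspect_line over a log stream and keep only the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for f in detect_traversal(SAMPLE_LOGS):
        print(f"{f['ts']} {f['ip']:15} HTTP {f['status']} {f['reason']}: {f['decoded']}")
```

In practice the HTTP status carries the severity: a traversal request answered with 200 and a non-trivial body size is a likely successful read and should be triaged ahead of attempts that were refused, and the same request pattern seen before the January 2026 patch level is a reason to treat the appliance as compromised rather than merely probed.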