“Sliver” in the Stack: Exposed Logs Reveal Targeted FortiWeb Exploitation Campaign (CVE-2025-55182)

Estimated Reading Time: 7 minutes

Key Takeaways:

  • Exploitation of CVE-2025-55182 (React2Shell) on FortiWeb appliances to achieve initial access.
  • Deployment of the Sliver C2 framework as a sophisticated alternative to Cobalt Strike.
  • Targeted geographic focus on Pakistan and Bangladesh, specifically government and financial sectors.
  • Advanced evasion through Fast Reverse Proxy (FRP) and masquerading malicious traffic as legacy print services (port 515).
  • Identification of a critical security blind spot in edge appliances that do not support traditional EDR agents.

Recent threat hunting activity has identified a targeted campaign against FortiWeb appliances, tracked through exposed logs and databases that recorded a series of intrusions. This operation, referred to here as “Sliver in the Stack”, involved the deployment of the Sliver Command and Control (C2) framework following the exploitation of CVE-2025-55182. Between December 22 and December 30, 2025, an unidentified threat actor successfully compromised at least 30 unique victims. The campaign targeted Pakistan and Bangladesh in particular, with a focus on government and financial sectors.

The use of a cyber threat intelligence platform is often the primary method for identifying these types of niche, targeted campaigns that focus on edge infrastructure. In this instance, the discovery originated from the analysis of open directories, which provided a window into the attacker’s backend operations and victim telemetry.

Detailed Analysis: “Sliver” in the Stack: Exposed Logs Reveal Targeted FortiWeb Exploitation Campaign

The campaign leveraged React2Shell (CVE-2025-55182) as the initial entry point. While the technical specifics of the proof-of-concept (PoC) were not fully recovered in the initial logs, the evidence confirms that the vulnerability allowed for the deployment of Sliver implants on victim hosts. FortiWeb appliances, which serve as Web Application Firewalls (WAF), are high-value targets for attackers because they sit at the edge of the network and often lack internal security instrumentation.

Exploitation and Initial Access

The threat actor exploited CVE-2025-55182 to gain execution capabilities on the FortiWeb devices. React2Shell vulnerabilities typically involve flaws in the handling of administrative interfaces or underlying system calls, leading to Remote Code Execution (RCE). Once access was established, the attacker prioritized the installation of the Sliver C2 framework.

Sliver is an open-source, cross-platform adversary emulation framework that has become a frequent alternative to Cobalt Strike for sophisticated threat actors. It provides a wide array of capabilities, including:

  • Dynamic code generation for implants.
  • Multiple transport protocols (mTLS, WireGuard, HTTP/S, DNS).
  • In-memory execution of tools and scripts.
  • Extensive post-exploitation modules for lateral movement and credential harvesting.

The choice of Sliver indicates a shift toward tools that can bypass traditional signature-based detection. Because Sliver allows for highly customized implants, standard breach detection tools often fail to identify the malicious traffic unless they are specifically tuned for Sliver’s communication patterns.

Persistence and Network Evasion Techniques

The attackers utilized several methods to ensure persistent access and to evade network monitoring. Two primary tools were identified: Fast Reverse Proxy (FRP) and microsocks.

Fast Reverse Proxy (FRP) Deployment
The actor deployed FRP to expose local services on the victim hosts to the remote C2 infrastructure. FRP is a high-performance reverse proxy that can penetrate firewalls and expose local ports to the internet. By using FRP, the attackers could maintain a stable connection to the internal network of the compromised organization without needing to re-exploit the FortiWeb device. This effectively turned the FortiWeb appliance into a permanent gateway for the threat actor.

Masquerading via microsocks
To further hide their presence, the group used a tool called microsocks, which is a lightweight SOCKS5 proxy. In a deliberate attempt at deception, the attackers renamed the microsocks binary to cups-lpd and bound it to port 515.

Port 515 is traditionally associated with the Line Printer Daemon (LPD) used by the Common Unix Printing System (CUPS). By masquerading as a printer service, the malicious traffic was designed to blend in with legitimate internal network traffic. This tactic exploits the fact that many security teams do not closely scrutinize traffic on ports dedicated to legacy services like printing. Monitoring for such anomalies requires a dark web monitoring service or advanced network telemetry to identify when a printer service is communicating with known malicious IP addresses.
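The masquerade described above only works if nobody checks which hosts are actually supposed to speak LPD. The script below is an added example for this article, not code from the original write-up: it runs three simple inventory checks over exported connection records (is the 515/tcp listener a known print server, did an edge appliance initiate the connection, does the flow cross the perimeter). The flow line format, the host inventories and every IP address are constructed for the demonstration.

```python
"""Flag anomalous use of the LPD port (515/tcp) in exported connection telemetry.

Added example for this article; not code from the original write-up. The flow
line format, the host inventories and all IP addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

LPD_PORT = 515

# Constructed inventories; in practice these come from a CMDB or asset register.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRINT_SERVERS = {"10.20.5.10"}    # hosts that legitimately listen on 515/tcp
EDGE_APPLIANCES = {"10.20.0.1"}   # WAFs: never print and never initiate LPD


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def is_internal(ip: str) -> bool:
    """True when the address falls inside the organisation's RFC 1918 space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format 'SRC:PORT -> DST:PORT PROTO'."""
    left, right = line.split("->")
    dst, proto = right.split()
    src_ip, src_port = left.strip().rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto)


def classify(flow: Flow) -> list[str]:
    """Return the reasons a 515/tcp flow is suspicious; empty when it is not."""
    if flow.proto != "tcp" or flow.dst_port != LPD_PORT:
        return []
    reasons = []
    if flow.dst_ip not in PRINT_SERVERS:
        reasons.append("515/tcp listener is not an inventoried print server")
    if flow.src_ip in EDGE_APPLIANCES:
        reasons.append("edge appliance initiated an LPD connection")
    if not (is_internal(flow.src_ip) and is_internal(flow.dst_ip)):
        reasons.append("LPD traffic crossing the network perimeter")
    return reasons


def audit(lines) -> dict[str, list[str]]:
    """Map each suspicious record to its list of reasons; benign records are dropped."""
    findings = {}
    for line in lines:
        line = line.strip()
        reasons = classify(parse_flow(line))
        if reasons:
            findings[line] = reasons
    return findings


SAMPLE_FLOWS = [  # constructed telemetry, not records from the campaign
    "10.20.30.15:51234 -> 10.20.5.10:515 tcp",   # workstation printing: benign
    "10.20.30.16:50000 -> 10.20.5.10:443 tcp",   # unrelated HTTPS: ignored
    "203.0.113.50:44120 -> 10.20.0.1:515 tcp",   # internet client -> WAF "printer" port
    "10.20.0.1:39812 -> 198.51.100.7:515 tcp",   # WAF calling out on 515
]

if __name__ == "__main__":
    for record, reasons in audit(SAMPLE_FLOWS).items():
        print(record, "=>", "; ".join(reasons))
```

The point of the inventory approach is that it does not depend on recognising the proxy itself: a SOCKS5 listener renamed to cups-lpd still produces a 515/tcp flow to a host that has no business printing, and that is what gets flagged.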

Geopolitical Targeting and Decoy Infrastructure

The campaign demonstrated a clear focus on South Asian targets. The analysis of the C2 infrastructure revealed a domain, ns1.bafairforce[.]army, which hosted a decoy page. This page was designed to impersonate the official “Join Bangladesh Airforce” recruitment portal.

This level of localized impersonation suggests a targeted espionage operation rather than an opportunistic attack. The database logs showed victims within:

  • Bangladesh Government agencies.
  • Pakistan Financial institutions.
  • Critical infrastructure sectors in both nations.

The presence of these victims, combined with the specific decoy themes, aligns with regional cyber-espionage interests. This type of activity highlights the importance of Telegram threat monitoring and underground forum intelligence, as actors targeting specific regions often discuss infrastructure or share credentials in closed digital communities before and after an operation.

The Visibility Gap in Edge Appliances

A significant takeaway from this campaign is the inherent difficulty in securing edge appliances like FortiWeb. These devices are purpose-built for high-speed traffic filtering and often run stripped-down versions of Linux or proprietary operating systems. Consequently, they do not typically support third-party Endpoint Detection and Response (EDR) or Antivirus (AV) agents.

This creates a “blind spot” for security operations centers (SOC). If an attacker gains RCE on a WAF, they can operate with a high degree of stealth, as there are few internal logs that record the execution of unauthorized binaries like Sliver or FRP. Organizations must rely on external network monitoring and the correlation of logs from other sources to identify the breach. Utilizing a live ransomware API or a real-time ransomware intelligence feed can help identify if the infrastructure used in these campaigns is also associated with broader extortion groups, though this specific campaign appeared focused on persistence and espionage.

Technical Takeaways for Engineers

  1. Harden Edge Device Management: Administrative interfaces for FortiWeb and similar appliances should never be exposed to the public internet. Use a management VPN or a zero-trust access gateway to restrict access.
  2. Verify Binary Integrity: Regularly audit the file systems of edge devices for unauthorized binaries. Look for unusual filenames in /tmp, /var/tmp, and /usr/bin, such as the cups-lpd alias.
  3. Network Segmentation: Treat edge appliances as untrusted entities. Even though they provide security services, they should be segmented. A WAF should rarely initiate an outbound connection to an unknown IP on port 515.
  4. Log Exporting: Ensure that all system and web logs from FortiWeb are exported to a central, secure SIEM platform. This prevents an attacker from deleting local logs to hide their tracks.
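Step 2 above (auditing the file system for unauthorized binaries) is the check that would have surfaced the renamed microsocks binary. The script below is an added example for this article, not code from the original write-up or from Fortinet: it takes a SHA-256 baseline of the watched directories, diffs a later snapshot against it, and separately flags print-service names on a host that has no print role. The directory layout, file contents and the no-print-role assumption are constructed; on a real appliance the baseline would be taken from a known-good image and stored off the device.

```python
"""Baseline-and-diff audit of the directories an attacker is most likely to drop
binaries into on an edge appliance (/tmp, /var/tmp, /usr/bin).

Added example for this article; not code from the original write-up or from
Fortinet. Directory layout, file contents and the no-print-role assumption are
constructed for the demonstration.
"""
import hashlib
import tempfile
from pathlib import Path

WATCHED_DIRS = ("tmp", "var/tmp", "usr/bin")   # relative to the appliance root
# Names a real print service would use. A WAF has no print role (assumption),
# so any of these appearing is worth a look regardless of the file's hash.
PRINT_SERVICE_NAMES = {"cups-lpd", "cupsd", "lpd"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under the watched dirs to its SHA-256 digest."""
    result = {}
    for rel in WATCHED_DIRS:
        base = root / rel
        if not base.is_dir():
            continue
        for p in base.rglob("*"):
            if p.is_file():
                result[str(p.relative_to(root))] = sha256_file(p)
    return result


def audit(baseline: dict[str, str], current: dict[str, str],
          has_print_role: bool = False) -> list[tuple[str, str]]:
    """Diff a snapshot against the baseline and return (path, finding) pairs."""
    findings = []
    for path, digest in current.items():
        if path not in baseline:
            findings.append((path, "new file not in baseline"))
        elif baseline[path] != digest:
            findings.append((path, "content changed since baseline"))
        if Path(path).name in PRINT_SERVICE_NAMES and not has_print_role:
            findings.append((path, "print-service name on a host with no print role"))
    for path in baseline.keys() - current.keys():
        findings.append((path, "baseline file missing"))
    return sorted(findings)


def demo() -> list[tuple[str, str]]:
    """Build a constructed appliance root, baseline it, then audit a state that
    mirrors the write-up: a renamed proxy in /tmp and a tampered system binary."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        for rel in WATCHED_DIRS:
            (root / rel).mkdir(parents=True)
        (root / "usr/bin/sh").write_bytes(b"constructed stand-in for a system binary\n")
        baseline = snapshot(root)
        # Constructed post-compromise changes (no real malware involved).
        (root / "tmp/cups-lpd").write_bytes(b"constructed stand-in for a renamed proxy\n")
        (root / "usr/bin/sh").write_bytes(b"constructed stand-in, tampered\n")
        return audit(baseline, snapshot(root))


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```

The name check is deliberately independent of the hash check: a freshly dropped binary always shows up as "new file not in baseline", but the print-service name is what tells the analyst why that particular file deserves attention on a WAF.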

Strategic Takeaways for Business Leaders

  1. Address the Appliance Blind Spot: Acknowledge that edge devices require specific monitoring strategies. Standard EDR coverage is insufficient for these assets.
  2. Invest in Threat Intelligence: Access to a cyber threat intelligence platform provides early warning signs of new exploits like CVE-2025-55182 before they are widely publicized.
  3. Supply Chain Awareness: Organizations should implement supply-chain risk monitoring to evaluate the security posture of hardware and software vendors.
  4. Proactive Monitoring: Implement brand leak alerting to identify if company-specific decoys are being used in attacker infrastructure.

PurpleOps Expertise in Edge Security

PurpleOps specializes in identifying and mitigating complex threats that target critical infrastructure. Our approach combines advanced technical analysis with real-world threat data to protect organizations from sophisticated actors.

  • Cyber Threat Intelligence: Our cyber threat intelligence services provide deep visibility into attacker methodologies, including the use of C2 frameworks like Sliver.
  • Dark Web Monitoring: We utilize our dark web monitoring capabilities to track the sale of access to compromised edge devices.
  • Penetration Testing: Our penetration testing and red team operations simulate the tactics used in this campaign, allowing organizations to test their detection and response.
  • Supply Chain Security: We help organizations manage the risks associated with edge appliances through supply chain information security assessments.
  • Ransomware Protection: Our ransomware protection strategies are designed to break the kill chain at the initial access and persistence phases.

Conclusion of Findings

The “Sliver in the Stack” campaign illustrates the continued trend of threat actors moving away from standard malware toward flexible C2 frameworks and legitimate administrative tools. By exploiting CVE-2025-55182 on FortiWeb appliances, the actors secured a high-privilege position within victim networks while remaining largely invisible to traditional security tools.

The reliance on masquerading (renaming binaries and using legacy ports like 515) demonstrates a calculated effort to exploit the “expected” traffic patterns of a typical data center. For organizations, the primary defense against such operations is a combination of rigorous patch management, strict network segmentation, and the use of comprehensive threat intelligence to identify anomalous behavior on the network edge.

For more information on how to secure your infrastructure against targeted exploitation and C2 deployment, explore the PurpleOps platform or view our full range of PurpleOps Solutions.

Frequently Asked Questions

What is CVE-2025-55182?
CVE-2025-55182, also known as React2Shell, is a Remote Code Execution (RCE) vulnerability affecting FortiWeb appliances, allowing attackers to execute unauthorized commands with high privileges.

Why are FortiWeb appliances targeted by threat actors?
As Web Application Firewalls (WAF), FortiWeb devices sit at the network edge. They are high-value targets because they often lack EDR support and provide a gateway into the internal network if compromised.

How does the Sliver C2 framework differ from Cobalt Strike?
Sliver is an open-source, cross-platform alternative that offers dynamic code generation and multiple transport protocols, making it harder for traditional signature-based security tools to detect.

What is the significance of port 515 in this campaign?
The attackers masqueraded their malicious SOCKS5 proxy as a printer service (cups-lpd) on port 515 to blend in with legitimate internal network traffic and evade scrutiny.

How can organizations detect these “invisible” edge attacks?
Detection requires centralizing logs in a SIEM, monitoring for anomalous outbound traffic from edge devices, and utilizing external threat intelligence to identify known C2 infrastructure.