# When WAF Becomes a Backdoor: Inside the FortiWeb Campaign Compromised by Sliver C2

## **Overview**

In most security architectures, the **FortiWeb Web Application Firewall (WAF)** is treated as a frontline defense layer, responsible for shielding web applications from external scanning and attack traffic. A recent campaign targeting this very layer shows how thin the line between defense and attack has become.

Recently, researchers discovered a stealthy infiltration campaign where attackers **exploited outdated FortiWeb devices to deploy Sliver C2**, a powerful post-exploitation framework often used in APT and red-team activities. Instead of just gaining temporary access, the attackers turned FortiWeb into a **long-term control infrastructure**, serving as both a persistence point and a proxy bridge into the internal network, as well as a springboard for further in-depth attacks.

## **Overview of Sliver C2**

**Sliver** is an **open-source Command-and-Control (C2) framework** initially developed for **red team and adversary simulation activities**, but in recent years, it has been widely used by **real-world threat groups (in-the-wild)** in sophisticated infiltration campaigns.

Unlike many traditional C2s, Sliver is designed with a **modern client-server architecture**, supporting multiple platforms (Linux, Windows, macOS) and allowing for highly customizable **implant (beacon)** deployment.

![](https://lh5.googleusercontent.com/qICT8zC4gywmYNlSr8nF4Rld-vHfNVLCWeEd4wKvv23n_yKHEdXblS-aOE4WqHzmf2mRJg2Ytt76jksdz-8xu426rP8Jgn1s8C0dBiJUbgXbyWJPsaKd-7kENDXntmVyG-UfsNLobOAdyJrEVfoqv314xXyjtYCHV3YQyuHJy6tkpflyZsYVPdqmkzt_2Q)

One of the standout features of Sliver is its ability to **remain stealthy and flexible in C2 communication**. This framework supports multiple protocols like **mTLS, HTTPS, DNS, WireGuard**, making control traffic hard to distinguish from legitimate traffic. Sliver also allows configuration of **sleep interval, jitter, and domain fronting** to minimize the chance of detection by network monitoring systems.

## **Affected Versions**

This campaign primarily targets **FortiWeb devices running outdated firmware that is no longer fully supported**. The recorded versions include:

* **FortiWeb 5.4.202 to FortiWeb 6.1.62**

## **Initial Context**

From the initial analysis, cybersecurity experts noted that the attacker might have used multiple **public and unpatched vulnerabilities** to infiltrate. Notably, this includes **React2Shell (CVE-2025-55182)**, a shell exploit tool used as the initial infection step.

Although the exact FortiWeb vulnerability exploited directly has not been identified, the common factor among all affected devices is that they have not been patched for a long time and have many unresolved security flaws.

## **Campaign Details**

To better understand the impact and danger level of Sliver C2 in this campaign, we will go through the exploitation process from the perspective of **Threat Intelligence.**

Every cyber attack includes a reconnaissance phase and the selection of specific targets. During this phase, attackers perform **mass scanning** to identify FortiWeb devices:

* **FortiWeb exposed directly to the Internet.**
    
* **Old firmware versions that show signs of not being updated.**
    
* **Administrative interface or web services that respond with FortiWeb-specific characteristics.**
    

![](https://ctrlaltintel.com/assets/images/fortisliver/4.png)

After identifying a target, the attacker exploits **unpatched vulnerabilities** on FortiWeb. Although there is currently no clear evidence of which CVE was exploited, the attacker most likely took advantage of **n-day vulnerabilities that were not widely disclosed, or a chain of logic flaws and misconfigurations.** The goal of this step is command execution on the security device itself.

Once they have access, the attackers download and deploy the **Sliver implant** from their C2 servers:

* **ns1.ubunutpackages\[.\]store**
    
* **ns1.bafairforce\[.\]army**
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767853206765/bae0dd89-bcdd-4bcc-b620-df2a4f3cee11.png)

Both C2 servers belong to **Autonomous System 62005**, disguised behind fake websites like the **“Ubuntu Packages”** page or the **Bangladesh Air Force recruitment page.**

![](https://ctrlaltintel.com/assets/images/fortisliver/1.png)

![](https://ctrlaltintel.com/assets/images/fortisliver/2.png)

To avoid detection, the Sliver binary is renamed to `system-updater` and placed at `/bin/.root/system-updater`, a hidden directory, so that it passes as a legitimate system component. Its task at this stage is to gather system information and establish a beacon connection back to the C2.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767853517045/aaa5d309-e61a-4536-8bfc-b8315612dac5.png)

Then the **Sliver implant** connects back to the C2 server through:

* HTTPS or mTLS.
    
* Periodic beacons with sleep + jitter.
    
* Domain/IP configured to:
    
    * Return legitimate content when accessed via a browser.
        
    * Reduce the chance of detection during manual analysis.
        

At this point, FortiWeb has unintentionally become a **remote-controlled node** in the Sliver infrastructure, turning it into a foothold for further attack steps in later stages.
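The sleep-plus-jitter beaconing described above is also what gives the implant away in outbound logs: the gaps between a beacon's connections cluster tightly around the configured sleep value, while human browsing or update traffic is far more irregular. The following Python is an added example, not code from the original post or from the Sliver project. The log lines are constructed (the C2 host name is one the post lists), and the `max_cv` threshold is an assumed starting point to tune against your own baseline.

```python
"""Beacon detection over outbound connection logs (added example).

For each (source, destination) pair, measure the coefficient of variation
(population stdev / mean) of the gaps between connections. A low value over
enough connections is a beacon candidate: Sliver's jitter is a percentage of
the sleep interval, so the gaps stay within a narrow band around it.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# The first six lines mimic a ~60 s sleep with jitter; the rest mimic
# irregular update traffic to a made-up .example host.
SAMPLE_LOG = """\
2025-12-22T10:00:00 10.0.5.20 ns1.ubunutpackages.store 812
2025-12-22T10:01:02 10.0.5.20 ns1.ubunutpackages.store 805
2025-12-22T10:01:57 10.0.5.20 ns1.ubunutpackages.store 820
2025-12-22T10:03:05 10.0.5.20 ns1.ubunutpackages.store 811
2025-12-22T10:03:58 10.0.5.20 ns1.ubunutpackages.store 809
2025-12-22T10:05:01 10.0.5.20 ns1.ubunutpackages.store 815
2025-12-22T10:00:10 10.0.5.20 update.fortinet.example 5021
2025-12-22T10:07:43 10.0.5.20 update.fortinet.example 4810
2025-12-22T10:21:12 10.0.5.20 update.fortinet.example 6100
2025-12-22T10:59:00 10.0.5.20 update.fortinet.example 5500
"""


def parse_log(text):
    """Group connection timestamps by (src_ip, dst_host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _size = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def interval_stats(timestamps):
    """Mean gap and coefficient of variation for one connection series."""
    ts = sorted(timestamps)  # logs are not guaranteed to be in order
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg else float("inf")
    return {"count": len(ts), "mean_interval": avg, "cv": cv}


def beacon_candidates(text, max_cv=0.25, min_connections=5):
    """Return {(src, dst): stats} for pairs whose timing looks like a beacon.

    max_cv=0.25 is an assumed threshold that tolerates the 10-30 % jitter
    operators commonly configure; min_connections avoids flagging pairs
    with too few samples to judge regularity.
    """
    out = {}
    for key, stamps in parse_log(text).items():
        stats = interval_stats(stamps)
        if stats and stats["count"] >= min_connections and stats["cv"] <= max_cv:
            out[key] = stats
    return out


if __name__ == "__main__":
    for (src, dst), s in beacon_candidates(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {s['count']} connections, "
              f"mean gap {s['mean_interval']:.1f}s, cv {s['cv']:.2f}")
```

On the constructed sample only the `ns1.ubunutpackages.store` series is reported (mean gap 60.2 s, cv below 0.1); the irregular update traffic is not. In practice, run this over several hours of proxy or flow logs per appliance and combine it with a destination reputation check, since a long sleep with high jitter can push the cv above any fixed threshold.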

To ensure long-term access, the attacker creates a service that starts with the system:

* Add the Sliver implant to the supervisord configuration.
    
* Ensure the process is restarted if killed.
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1767853843831/855d62f0-8ab7-44b5-8ec5-aad09c366266.png)

After establishing a **stable C2 channel and persistence mechanism** on FortiWeb, the attacker moves to a **strategic** phase: turning this security device into a **pivot point** to gain deeper access into the organization's internal network.

Here, they install a lightweight **SOCKS proxy (microsocks)** directly on FortiWeb. Notable points:

* **Rename the process to** `cups-lpd`.
    
* Run on **port 515**, the standard port of the LPD printing service that `cups-lpd` normally provides, so the listener looks like a print daemon.
    
* Avoid generating obvious log entries.
    

![](https://ctrlaltintel.com/assets/images/fortisliver/6.png)

Through the SOCKS proxy, the attacker can easily access: **internal web, SSH/RDP, or simply the backend API.** This can be seen as a "gateway" into the internal network without needing manual port-forwarding.

![](https://ctrlaltintel.com/assets/images/fortisliver/7.png)

In addition to the SOCKS proxy, the campaign also uses **Fast Reverse Proxy (FRP)** to:

* Create a tunnel from the Internet → FortiWeb → internal systems.
    
* Expose internal services externally in a controlled manner.
    
* Avoid opening ports directly on the firewall.
    

Between December 22 and December 30, 2025, researchers recorded at least 30 victim IP addresses continuously beaconing to the Sliver server, from countries including Bangladesh, Pakistan, India, South Africa, and the United States.

![](https://ctrlaltintel.com/assets/images/fortisliver/10.png)

The concealment in this campaign is also carefully done: the attacker configured malicious `systemd` and `supervisor` services under innocuous names such as `Updater Service` and `rootbinary`. These services relaunch Sliver whenever the system reboots or the process is stopped, which corresponds to the **MITRE ATT&CK T1543.002 - Create or Modify System Process** technique.
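Two of the tricks above, a Sliver binary hidden as `/bin/.root/system-updater` behind a supervisord program and a microsocks process masquerading as `cups-lpd` on port 515, can be hunted with a few consistency checks: executables under hidden directories, processes named after a known daemon but not running from its expected binary, and auto-restarting supervisord programs that point at such executables. The following Python is an added example, not code from the original post, from Fortinet or from the Sliver project. The supervisord fragment and the listener table are constructed inputs of the kind a collector would assemble from `ss -tlnp` and `/proc/<pid>/exe`, and the paths in `EXPECTED_EXE` are assumptions to adjust for the appliance build.

```python
"""Hunt for hidden-directory binaries and daemon masquerading (added example)."""
import configparser
from pathlib import PurePosixPath

# Constructed supervisord fragment using the program name and path the post
# reports, plus one benign program for contrast.
SUPERVISORD_CONF = """\
[program:rootbinary]
command=/bin/.root/system-updater
autostart=true
autorestart=true

[program:httpd]
command=/usr/sbin/httpd -DFOREGROUND
autostart=true
autorestart=true
"""

# Constructed listener table: "<port> <process_name> <exe_path>", where
# exe_path is what /proc/<pid>/exe resolves to. The cups-lpd path is made up
# to mirror the renamed microsocks the post describes.
LISTENERS = """\
443 httpd /usr/sbin/httpd
515 cups-lpd /bin/.root/cups-lpd
22 sshd /usr/sbin/sshd
"""

# Assumed expected binary locations; adjust for the platform in question.
EXPECTED_EXE = {
    "cups-lpd": {"/usr/lib/cups/daemon/cups-lpd", "/usr/sbin/cups-lpd"},
    "sshd": {"/usr/sbin/sshd"},
    "httpd": {"/usr/sbin/httpd"},
}
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")


def under_hidden_dir(path):
    """True if any directory component of the path starts with a dot."""
    parts = PurePosixPath(path).parts
    return any(p.startswith(".") for p in parts[:-1])


def audit_listeners(table):
    """Flag listeners whose binary is hidden or does not match its claimed name."""
    findings = []
    for line in table.splitlines():
        if not line.strip():
            continue
        port, name, exe = line.split()
        if under_hidden_dir(exe):
            findings.append(f"listener {name} on {port}: executable in hidden directory {exe}")
        expected = EXPECTED_EXE.get(name)
        if expected and exe not in expected:
            findings.append(f"listener {name} on {port}: name matches known daemon but exe is {exe}")
    return findings


def audit_supervisord(conf_text):
    """Flag supervisord programs whose command lives somewhere suspicious."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for section in cp.sections():
        if not section.startswith("program:"):
            continue
        cmd = cp.get(section, "command", fallback="")
        exe = cmd.split()[0] if cmd else ""
        restart = cp.getboolean(section, "autorestart", fallback=False)
        tag = " (autorestart)" if restart else ""
        if under_hidden_dir(exe):
            findings.append(f"supervisord {section}: command in hidden directory {exe}{tag}")
        elif not exe.startswith(TRUSTED_DIRS):
            findings.append(f"supervisord {section}: command outside trusted dirs {exe}{tag}")
    return findings


def audit(conf_text=SUPERVISORD_CONF, table=LISTENERS):
    """Run both checks and return the combined list of findings."""
    return audit_listeners(table) + audit_supervisord(conf_text)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed inputs this yields three findings: the `cups-lpd` listener on 515 is flagged twice (hidden directory, and a name that does not match the expected binary) and the `rootbinary` program once (hidden directory, auto-restarting). The same name-versus-path comparison applies to `systemd` units: read `ExecStart=` instead of `command=`.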

## **Conclusion**

The FortiWeb – Sliver C2 campaign highlights a concerning reality in today's cybersecurity landscape: **security devices are no longer a "default safe zone."** When frontline appliances like FortiWeb are exploited and controlled, the entire defense architecture behind them is at high risk without needing direct attacks on endpoints or internal servers.

The successful deployment of Sliver C2 on FortiWeb not only reflects the **flexibility and danger of modern post-exploitation frameworks** but also exposes inherent gaps in how organizations manage network devices: slow patching, lack of operating system-level monitoring, and blind trust in devices considered "secure by default."

The lesson is clear: *security is not just about deploying the right tools, but about how they are operated, updated, and continuously monitored*. If security devices are not properly protected, they can quickly become the **most dangerous weak point in the entire system**.

## **Recommendations**

1. **Check and update FortiWeb immediately (High Priority)**
    
    * **Identify the current firmware version** of all FortiWeb devices in the system.
        
    * **Upgrade to the latest FortiWeb version supported by Fortinet**, prioritizing recent security patches.
        
    * Do not maintain versions that are:
        
        * EOL (End-of-Life).
            
        * No longer receiving security patches.
            
2. **Monitor unusual network traffic**
    
    * Analyze outbound traffic from FortiWeb:
        
        * Periodic HTTPS/DNS connections to the Internet.
            
        * Domains unrelated to Fortinet.
            
    * Block and monitor:
        
        * Known C2 domains/IPs related to Sliver.
            
    * Set up **egress filtering**:
        
        * FortiWeb should only connect to necessary endpoints (update, logging).
            
3. **Control administrative access**
    
    * Restrict access to the FortiWeb management interface:
        
        * Allow only from trusted internal IPs.
            
        * Do not expose the management interface to the Internet.
            
    * Enable:
        
        * MFA for admin accounts.
            
        * Detailed logging of administrative actions.
            
    * Change all:
        
        * Admin passwords.
            
        * API keys/related credentials.
            
4. **Network segmentation and limit internal pivoting**
    
    * Place FortiWeb in a **clearly segmented network zone**.
        
    * Do not allow FortiWeb to:
        
        * Freely access sensitive subnets.
            
        * Directly connect to management systems, databases.
            
    * Apply:
        
        * Internal ACLs.
            
        * Zero-Trust Network Access (ZTNA).
            
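Recommendation 2 above (block known Sliver C2 indicators and enforce egress filtering) can be turned into a repeatable log check. The following Python is an added example, not code from the original post; the domains and IPs are the post's own IOCs in defanged form, while the DNS/connection log lines and the egress allow-list are constructed.

```python
"""Match defanged IOCs against DNS/egress logs and apply an egress allow-list
(added example)."""
import ipaddress
import re

# IOCs as listed in the post (defanged).
IOC_DOMAINS_DEFANGED = [
    "testing.caai[.]in",
    "ns1.bafairforce[.]army",
    "ns1.ubunutpackages[.]store",
]
IOC_IPS_DEFANGED = [
    "193.233.201[.]12", "195.20.17[.]253", "45.150.108[.]43", "45.143.167[.]7",
    "80.78.18[.]142", "192.81.210[.]81", "45.83.181[.]160",
]

# Constructed allow-list: the only destinations the appliance should reach
# (update and logging endpoints, per the recommendation).
EGRESS_ALLOW_HOSTS = {"update.fortiguard.example"}
EGRESS_ALLOW_NETS = [ipaddress.ip_network("10.0.9.0/24")]  # internal syslog

# Constructed log: "<timestamp> <dns|conn> <src_ip> <dst_host or dst_ip:port>"
SAMPLE_LOG = """\
2025-12-23T01:02:03 dns  10.0.5.20 update.fortiguard.example
2025-12-23T01:02:05 dns  10.0.5.20 ns1.bafairforce.army
2025-12-23T01:02:06 conn 10.0.5.20 193.233.201.12:443
2025-12-23T01:02:09 conn 10.0.5.20 10.0.9.4:514
2025-12-23T01:03:00 conn 10.0.5.20 203.0.113.77:443
"""


def refang(ioc):
    """Turn '1.2.3[.]4', 'a(.)b' or 'hxxp://' back into a matchable form."""
    return re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc).replace("hxxp", "http")


def analyze(log_text):
    """Return (category, destination) pairs: 'ioc' for indicator hits,
    'egress' for destinations outside the allow-list."""
    ioc_domains = {refang(d).lower() for d in IOC_DOMAINS_DEFANGED}
    ioc_ips = {ipaddress.ip_address(refang(i)) for i in IOC_IPS_DEFANGED}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, kind, _src, dst = line.split()
        if kind == "dns":
            host = dst.lower().rstrip(".")
            # exact match or a subdomain of a listed C2 domain
            if host in ioc_domains or any(host.endswith("." + d) for d in ioc_domains):
                findings.append(("ioc", host))
            elif host not in EGRESS_ALLOW_HOSTS:
                findings.append(("egress", host))
        elif kind == "conn":
            ip = ipaddress.ip_address(dst.rsplit(":", 1)[0])
            if ip in ioc_ips:
                findings.append(("ioc", str(ip)))
            elif not any(ip in net for net in EGRESS_ALLOW_NETS):
                findings.append(("egress", str(ip)))
    return findings


if __name__ == "__main__":
    for category, dest in analyze(SAMPLE_LOG):
        print(f"{category:6s} {dest}")
```

On the constructed log the allowed update host and the internal syslog target pass silently, the C2 domain and C2 IP are reported as `ioc`, and the unknown `203.0.113.77` destination is reported as `egress`. The egress findings are the more durable signal: the IOC list will go stale as the operators rotate infrastructure, but a WAF appliance contacting anything outside its update and logging endpoints should always be investigated.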

## **ATT&CK Summary by Stage**

**Initial Access – Exploit Internet-facing Device**

* T1190 – Exploit Public-Facing Application
    

**Execution & Persistence – Implant Deployment and Long-Term Persistence**

* T1059 – Command Execution
    
* T1543.002 – Systemd Service
    

**Command & Control – Covert Control**

* T1071 – Application Layer Protocol
    
* T1573 – Encrypted Channel
    

**Defense Evasion – Detection Avoidance**

* T1036 – Masquerading
    
* T1027 – Obfuscated Files
    

**Pivoting & Lateral Movement – Most Dangerous**

* T1090 – Proxy
    
* T1572 – Protocol Tunneling
    

## **IOC**

1. **File Hash**
    
    * 4086057b9a0f9898c07318e093814ae9cfdaaf6ad71a45b2d0d4cd75e57f9354
        
    * 964473ffbd593fc52a779b1d699c79cc66b459cf842c2e6221703e2e6a2322c0
        
    * 172a9ee9601ef0eb6fbd2676742edfb201c10369712dbf721e5d105aa1320a32
        
    * 3c24f30f2ca89d408d42293cab8fbb81cb9c2b0801074ef40f0a79770dac5956
        
    * 2897ee24de4cca2a4c6a085cf6fdccb6a89c6c23978529d81b4f4e6db46b0b96
        
    * dafc7517669e931de858464966af995c44c2e7c6bdf684d53c54d6503cd48a38
        
2. **Domain**
    
    * testing.caai\[.\]in
        
    * ns1.bafairforce\[.\]army
        
    * ns1.ubunutpackages\[.\]store
        
3. **IP**
    
    * 193.233.201\[.\]12
        
    * 195.20.17\[.\]253
        
    * 45.150.108\[.\]43
        
    * 45.143.167\[.\]7
        
    * 80.78.18\[.\]142
        
    * 192.81.210\[.\]81
        
    * 45.83.181\[.\]160
        

## **References**

1. [Where is the EDR? Sliver C2 running from firewalls - Ctrl-Alt-Int3l](https://ctrlaltintel.com/threat%20research/FortiWeb-Sliver/)
    
2. [GitHub - fatedier/frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.](https://github.com/fatedier/frp)
