Threat Analysis: FortiSandbox Under Active Exploit, LegacyHive Zero-Day, and ClickFix Everywhere
Hello, Mauven here.
This is your Daily Threat Analysis for 17th July 2026.
Three stories today. Two require immediate action. One has no fix available yet, which means your response is procedural rather than technical. Let us get into it.
FortiSandbox: Active Exploitation, CISA Patch Order, and What the Advisory Is Not Saying
CISA added critical command injection vulnerabilities in Fortinet’s FortiSandbox to its Known Exploited Vulnerabilities catalogue today, with a patch deadline of this Sunday for US federal agencies. The Register confirmed that researchers have observed active abuse attempts in the wild.
What the advisory says: patch FortiSandbox. Apply the available fixes. Done.
What it does not say: Fortinet appliances have been a consistent target for threat actors since at least 2021. The NCSC published guidance on securing Fortinet devices after significant exploitation campaigns. The fact we are still seeing Fortinet products on KEV lists tells you something about how seriously the sector has taken that guidance, and how reliably these products appear in the network perimeters of organisations that consider themselves too small to worry about nation-state targeting.
FortiSandbox is not the firewall or the VPN concentrator, those are the Fortinet products that tend to get more attention. FortiSandbox is a threat analysis sandbox, the box that is supposed to catch malicious files before they reach your users. The irony of your sandboxing appliance becoming the attack surface is not lost on me.
What UK SMBs need to do:
- If you run FortiSandbox, check your version against Fortinet’s advisory and patch immediately. Do not wait until Monday.
- If your managed service provider manages your Fortinet estate, contact them today and ask specifically whether FortiSandbox is in scope and whether it has been patched.
- If you do not know what Fortinet products are on your network, that is the more pressing problem and you need an asset inventory conversation with your IT provider before the week is out.
LegacyHive: A Windows Zero-Day With No Patch and a Public Exploit
A researcher using the handle Nightmare Eclipse published a proof-of-concept exploit today for a Windows local privilege escalation vulnerability being called LegacyHive. BleepingComputer confirmed it works on fully up-to-date Windows systems. There is no patch.
Local privilege escalation on its own is not the whole story. LPE is almost never the entry point, it is the second step. An attacker gains initial access through phishing, a compromised credential, or a malicious download. They land in a low-privilege context. They then use something like LegacyHive to elevate to administrator. At that point, they own the machine.
The advisory and the research coverage are focused, understandably, on the technical detail of the vulnerability. What they are not saying loudly enough is the combination risk. Look at today’s threat intelligence alongside this: ClickFix campaigns are actively delivering infostealers and remote access tools. UAT-11795, a Russian-speaking financially motivated actor, has been targeting European users since June 2025 with trojanised software installers that drop a Python-based RAT called Starland RAT. ACR Stealer, operating as malware-as-a-service, has been running heightened activity through ClickFix lures since late April.
Any one of those payloads landing on a Windows machine creates the exact initial foothold that LegacyHive then leverages into full administrative control.
What UK SMBs need to do:
- There is no patch, so the mitigation is defence-in-depth: focus on preventing initial access rather than assuming you can stop LPE after the fact.
- Enforce application allow-listing where possible. If only approved applications can run, the ClickFix-delivered payload that feeds LegacyHive never executes.
- Ensure endpoint detection and response tooling is deployed and alerting on suspicious privilege changes. If you do not have EDR, this is the week to have that conversation with your IT provider.
- Brief staff on ClickFix-style lures specifically. The attack prompts users to open a Run dialog (Win+R) or PowerShell and paste in a command. No legitimate website, software installer, or IT support process asks users to do this.
ClickFix: Now the Standard Delivery Mechanism for Half the Threat Landscape
I want to spend a moment on ClickFix because the volume of distinct malware families now using this technique is significant enough to treat it as a category rather than a campaign.
In today’s threat intelligence alone, ClickFix is the delivery mechanism for: ACR Stealer (Microsoft confirmed, enterprise environments targeted), Starland RAT and WLDR agent (UAT-11795, financially motivated, targeting Europe), TELEPUZ modular malware-as-a-service (first detected April 2026, spreading via ClickFix-Vidar chains), Potemkin Loader leading to RMMProject RAT (a Huntress case study where one compromised endpoint spread across eleven hosts), and the TTF campaign delivering Agent Tesla, Remcos, and XWorm through a Lua-based loader.
The Huntress analysis of the Potemkin case is worth reading in detail if you manage IT for an SMB. One unmonitored endpoint, one ClickFix lure, and eleven hosts were affected before anyone noticed. The initial payload was an HTA file. The final payload was a Lua-scriptable RAT with browser credential theft targeting Chrome’s App-Bound Encryption.
The pattern is consistent across all of these campaigns. A user is presented with a fake error message, a fake software verification prompt, or a fake support instruction. They are told to press a keyboard shortcut and paste a command. They comply. The machine is compromised.
The NCSC has published guidance on social engineering. The fact this technique is now being used across a dozen concurrent campaigns tells you everything about the gap between guidance being published and guidance being acted upon.
What UK SMBs need to do:
- Send a briefing to all staff today. One paragraph. ‘If any website, pop-up, or message asks you to press Win+R or open PowerShell and paste something in, stop, do not do it, and report it.’ That is the whole message.
- Review whether your users have the permissions to execute arbitrary scripts. Many do not need them. Remove that capability where you can.
- If you use managed detection and response, verify that your provider’s detection rules cover HTA execution, PowerShell spawning from browser processes, and MSI installs from user-writable directories. These are the observable behaviours across the Potemkin, TELEPUZ, and ACR Stealer chains.
The Wider Picture
These three stories are not coincidental. The ClickFix technique is mature enough to be offered as infrastructure by multiple malware-as-a-service operations. The tools it delivers are increasingly capable. LegacyHive landing today means that capable initial access tools now have an immediately available privilege escalation path on every Windows machine in the country. And Fortinet exploitation continues precisely because patching cycles in SMBs and MSPs remain slower than threat actor weaponisation cycles.
None of this is new in pattern. The specific tools are new. The underlying dynamic, attackers exploiting the gap between guidance and implementation, is not.
Sources
Before tomorrow’s briefing: if this analysis is useful to you, follow the show wherever you listen so it lands automatically each morning. And if someone in your network needs the heads-up on what is actually happening out there, rather than what the vendor press releases are saying, pass it along.