Linux rootkits via Cisco SNMP

“Zero Disco” — Linux rootkits via Cisco SNMP flaw. Trend Micro detailed Operation Zero Disco, where attackers exploited Cisco CVE-2025-20352 (SNMP stack overflow; patched) to deploy Linux rootkits on certain IOS/IOS XE devices (e.g., 9400/9300/3750G). The intruders set a universal password (containing “disco”) and hooked IOSd memory to persist, bypassing AAA and concealing config changes. […]


Linux rootkit with magic knock

LinkPro Linux rootkit (eBPF “magic packet” backdoor) Synacktiv uncovered LinkPro, a stealthy Linux rootkit used in an AWS compromise. Attackers reportedly exploited a Jenkins CVE-2024-23897 instance, then pushed a malicious Docker image that dropped several payloads, including LinkPro. The rootkit hides itself using eBPF (tracepoint/kretprobe) and user-space tricks via /etc/ld.so.preload, and can be remotely “woken […]


AI users you never see

Non-human identities & AI agents – The users you never see: taming service accounts and AI agents. A primer on controlling non-human identities (NHIs)—service accounts, API tokens, AI agents—which can outnumber humans 80:1. Challenges: poor ownership, over-permissioning, no lifecycle. Guidance: discover/inventory NHIs, assign owners, automate lifecycle, and enforce guardrails under an identity security fabric. Your […]


SolarWinds Web Help Desk RCE

SolarWinds Web Help Desk RCE – Third time lucky? Patch Web Help Desk—again. SolarWinds issued hotfix 12.8.7 HF1 for CVE-2025-26399 (CVSS 9.8)—an unauthenticated AjaxProxy deserialisation RCE in Web Help Desk. It’s a patch-bypass of prior CVEs (2024-28986/28988). No known exploitation yet; history suggests urgency as earlier bugs hit CISA KEV. Upgrade immediately. Another critical RCE […]


Pandoc AWS IMDS

From document converter to cloud key-nicker. Pandoc CVE-2025-51591 → AWS IMDS. Researchers report in-the-wild abuse of Pandoc SSRF (CVE-2025-51591, CVSS 6.5) to query AWS Instance Metadata Service, stealing EC2 IAM credentials. Root cause: Pandoc renders <iframe> in HTML; mitigations include sandbox flags or sanitising input. Shows continued IMDS targeting via “quiet” dependencies. A flaw in […]


Cisco ASA zero-days

Cisco ASA zero-days: RayInitiator / LINE VIPER. Old firewalls, new tricks. The UK NCSC and Cisco detail zero-day exploits against ASA 5500-X firewalls (often EoS), deploying a persistent GRUB bootkit (RayInitiator) and user-mode loader LINE VIPER. Flaws include CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (6.5); a separate CVE-2025-20363 is patched. Tactics: disable logging, intercept CLI, crash […]


SVG to PureRAT

SVG → CountLoader / PureRAT – From picture to problem. Phishing emails impersonating Ukrainian authorities deliver SVG attachments that start a chain: SVG → ZIP → CHM → CountLoader → payloads like Amatera Stealer and PureMiner; related campaigns evolve to PureRAT backdoors. Fileless techniques (AOT, process hollowing) and credential theft feature heavily. Those harmless-looking SVGs […]


MS-LLM-crafted SVG phishing

AI meets phishing: SVGs with a suit and tie. Microsoft warns of a phishing campaign using LLM-generated, business-themed SVG files to hide malicious JavaScript and evade filters. The attack used self-addressed emails (BCC targets) and fake file-share lures; the SVG redirected via CAPTCHA to credential harvest pages. Microsoft’s analysis notes verbose, over-engineered code and business […]


SAP patches critical NetWeaver

SAP patches critical NetWeaver bugs (CVSS up to 10). Time to patch, not panic. SAP has released September patches addressing multiple flaws, including three critical issues in SAP NetWeaver (CVSS scores up to 10.0) that could allow code execution, arbitrary file upload, or unauthorised access—one via the RMI-P4 module. A high-severity bug in SAP S/4HANA […]
