CISA & NSA Urgent Guidance to Secure WSUS and Microsoft Exchange CISA and NSA, with partners, issued hardening guidance for on-prem Exchange: restrict admin access, enforce MFA, apply baselines, enable security features (AMSI/ASR/EDR), and harden TLS/HSTS, EPA, Kerberos/SMB over NTLM. They also updated an alert for CVE-2025-59287 (WSUS) exploited days after Microsoft’s patch—threat actors used […]

Cybercriminals Exploit Remote Monitoring Tools to Infiltrate Logistics and Freight Networks Proofpoint reports a campaign targeting trucking and logistics firms to steal physical cargo, focusing on food and beverages. Attackers hijack email threads and post bogus load listings; victims who click receive signed installers that deploy legitimate RMM tools (e.g., ScreenConnect, SimpleHelp, PDQ Connect, N-able). […]

Velociraptor abused in LockBit/Warlock ops Sophos and others observed Storm-2603 (aka Gold Salem) abusing Velociraptor, an open-source DFIR tool, in ransomware campaigns delivering Warlock, LockBit, and Babuk. Initial access came via SharePoint ToolShell exploits; the actors installed an old Velociraptor (0.73.4.0) with CVE-2025-6264 privilege-escalation to run arbitrary commands and take over endpoints. They created domain […]

F5 breach — BIG-IP source code and vuln info stolen F5 disclosed a breach in which a nation-state actor stole portions of BIG-IP source code and data about undisclosed vulnerabilities. F5 says access persisted long-term; disclosure was delayed at the DoJ’s request. Customer config data for a small subset may have been exposed; impacted customers […]

Adobe AEM flaw added to CISA KEV (CVSS 10.0) CISA added CVE-2025-54253 to its KEV catalogue, citing active exploitation. The bug impacts Adobe Experience Manager (AEM) Forms on JEE ≤ 6.5.23.0 and was fixed in 6.5.0-0108 (August 2025). Researchers describe it as an authentication bypass to RCE chain via an exposed /adminui/debug servlet evaluating OGNL […]

“Zero Disco” — Linux rootkits via Cisco SNMP flaw Trend Micro detailed Operation Zero Disco, where attackers exploited Cisco CVE-2025-20352 (SNMP stack overflow; patched) to deploy Linux rootkits on certain IOS/IOS XE devices (e.g., 9400/9300/3750G). The intruders set a universal password (containing “disco”) and hooked IOSd memory to persist, bypassing AAA and concealing config changes. […]

LinkPro Linux rootkit (eBPF “magic packet” backdoor) Synacktiv uncovered LinkPro, a stealthy Linux rootkit used in an AWS compromise. Attackers reportedly exploited a Jenkins CVE-2024-23897 instance, then pushed a malicious Docker image that dropped several payloads, including LinkPro. The rootkit hides itself using eBPF (tracepoint/kretprobe) and user-space tricks via /etc/ld.so.preload, and can be remotely “woken […]

Non-human identities & AI agents – The users you never see: taming service accounts and AI agents. A primer on controlling non-human identities (NHIs)—service accounts, API tokens, AI agents—which can outnumber humans 80:1. Challenges: poor ownership, over-permissioning, no lifecycle. Guidance: discover/inventory NHIs, assign owners, automate lifecycle, and enforce guardrails under an identity security fabric. Your […]

SolarWinds Web Help Desk RCE – Third time lucky? Patch Web Help Desk—again. SolarWinds issued hotfix 12.8.7 HF1 for CVE-2025-26399 (CVSS 9.8)—an unauthenticated AjaxProxy deserialisation RCE in Web Help Desk. It’s a patch-bypass of prior CVEs (2024-28986/28988). No known exploitation yet; history suggests urgency as earlier bugs hit CISA KEV. Upgrade immediately. Another critical RCE […]