Adobe AEM flaw added to CISA KEV (CVSS 10.0) CISA added CVE-2025-54253 to its KEV catalogue, citing active exploitation. The bug impacts Adobe Experience Manager (AEM) Forms on JEE ≤ 6.5.23.0 and was fixed in 6.5.0-0108 (August 2025). Researchers describe it as an authentication bypass to RCE chain via an exposed /adminui/debug servlet evaluating OGNL […]

“Zero Disco” — Linux rootkits via Cisco SNMP flaw Trend Micro detailed Operation Zero Disco, where attackers exploited Cisco CVE-2025-20352 (SNMP stack overflow; patched) to deploy Linux rootkits on certain IOS/IOS XE devices (e.g., 9400/9300/3750G). The intruders set a universal password (containing “disco”) and hooked IOSd memory to persist, bypassing AAA and concealing config changes. […]

LinkPro Linux rootkit (eBPF “magic packet” backdoor) Synacktiv uncovered LinkPro, a stealthy Linux rootkit used in an AWS compromise. Attackers reportedly exploited a Jenkins CVE-2024-23897 instance, then pushed a malicious Docker image that dropped several payloads, including LinkPro. The rootkit hides itself using eBPF (tracepoint/kretprobe) and user-space tricks via /etc/ld.so.preload, and can be remotely “woken […]

Non-human identities & AI agents – The users you never see: taming service accounts and AI agents. A primer on controlling non-human identities (NHIs)—service accounts, API tokens, AI agents—which can outnumber humans 80:1. Challenges: poor ownership, over-permissioning, no lifecycle. Guidance: discover/inventory NHIs, assign owners, automate lifecycle, and enforce guardrails under an identity security fabric. Your […]

SolarWinds Web Help Desk RCE – Third time lucky? Patch Web Help Desk—again. SolarWinds issued hotfix 12.8.7 HF1 for CVE-2025-26399 (CVSS 9.8)—an unauthenticated AjaxProxy deserialisation RCE in Web Help Desk. It’s a patch-bypass of prior CVEs (2024-28986/28988). No known exploitation yet; history suggests urgency as earlier bugs hit CISA KEV. Upgrade immediately. Another critical RCE […]

From document converter to cloud key-nicker. Pandoc CVE-2025-51591 → AWS IMDS. Researchers report in-the-wild abuse of Pandoc SSRF (CVE-2025-51591, CVSS 6.5) to query AWS Instance Metadata Service, stealing EC2 IAM credentials. Root cause: Pandoc renders <iframe> in HTML; mitigations include sandbox flags or sanitising input. Shows continued IMDS targeting via “quiet” dependencies. A flaw in […]

Cisco ASA zero-days: RayInitiator / LINE VIPER. Old firewalls, new tricks The UK NCSC and Cisco detail zero-day exploits against ASA 5500-X firewalls (often EoS), deploying a persistent GRUB bootkit (RayInitiator) and user-mode loader LINE VIPER. Flaws include CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (6.5); a separate CVE-2025-20363 is patched. Tactics: disable logging, intercept CLI, crash […]

SVG → CountLoader / PureRAT – From picture to problem. Phishing emails impersonating Ukrainian authorities deliver SVG attachments that start a chain: SVG → ZIP → CHM → CountLoader → payloads like Amatera Stealer and PureMiner; related campaigns evolve to PureRAT backdoors. Fileless techniques (AOT, process hollowing) and credential theft feature heavily. Those harmless-looking SVGs […]

AI meets phishing: SVGs with a suit and tie. Microsoft warns of a phishing campaign using LLM-generated, business-themed SVG files to hide malicious JavaScript and evade filters. The attack used self-addressed emails (BCC targets) and fake file-share lures; the SVG redirected via CAPTCHA to credential harvest pages. Microsoft’s analysis notes verbose, over-engineered code and business […]