Velociraptor abused in LockBit

Velociraptor abused in LockBit/Warlock ops
Sophos and others observed Storm-2603 (aka Gold Salem) abusing Velociraptor, an open-source DFIR tool, in ransomware campaigns delivering Warlock, LockBit, and Babuk. Initial access came via SharePoint ToolShell exploits; the actors installed an old Velociraptor (0.73.4.0) with CVE-2025-6264 privilege-escalation to run arbitrary commands and take over endpoints. They created domain […]

F5 breach

F5 breach — BIG-IP source code and vuln info stolen
F5 disclosed a breach in which a nation-state actor stole portions of BIG-IP source code and data about undisclosed vulnerabilities. F5 says access persisted long-term; disclosure was delayed at the DoJ’s request. Customer config data for a small subset may have been exposed; impacted customers […]

Adobe AEM flaw

Adobe AEM flaw added to CISA KEV (CVSS 10.0)
CISA added CVE-2025-54253 to its KEV catalogue, citing active exploitation. The bug impacts Adobe Experience Manager (AEM) Forms on JEE ≤ 6.5.23.0 and was fixed in 6.5.0-0108 (August 2025). Researchers describe it as an authentication bypass to RCE chain via an exposed /adminui/debug servlet evaluating OGNL […]

Linux rootkits via Cisco SNMP

“Zero Disco” — Linux rootkits via Cisco SNMP flaw
Trend Micro detailed Operation Zero Disco, where attackers exploited Cisco CVE-2025-20352 (SNMP stack overflow; patched) to deploy Linux rootkits on certain IOS/IOS XE devices (e.g., 9400/9300/3750G). The intruders set a universal password (containing “disco”) and hooked IOSd memory to persist, bypassing AAA and concealing config changes. […]

Linux rootkit with magic knock

LinkPro Linux rootkit (eBPF “magic packet” backdoor)
Synacktiv uncovered LinkPro, a stealthy Linux rootkit used in an AWS compromise. Attackers reportedly exploited a Jenkins CVE-2024-23897 instance, then pushed a malicious Docker image that dropped several payloads, including LinkPro. The rootkit hides itself using eBPF (tracepoint/kretprobe) and user-space tricks via /etc/ld.so.preload, and can be remotely “woken […]

AI users you never see

Non-human identities & AI agents – The users you never see: taming service accounts and AI agents.
A primer on controlling non-human identities (NHIs)—service accounts, API tokens, AI agents—which can outnumber humans 80:1. Challenges: poor ownership, over-permissioning, no lifecycle. Guidance: discover/inventory NHIs, assign owners, automate lifecycle, and enforce guardrails under an identity security fabric. Your […]

SolarWinds Web Help Desk RCE

SolarWinds Web Help Desk RCE – Third time lucky? Patch Web Help Desk—again.
SolarWinds issued hotfix 12.8.7 HF1 for CVE-2025-26399 (CVSS 9.8)—an unauthenticated AjaxProxy deserialisation RCE in Web Help Desk. It’s a patch-bypass of prior CVEs (2024-28986/28988). No known exploitation yet; history suggests urgency as earlier bugs hit CISA KEV. Upgrade immediately. Another critical RCE […]

Pandoc AWS IMDS

From document converter to cloud key-nicker. Pandoc CVE-2025-51591 → AWS IMDS.
Researchers report in-the-wild abuse of Pandoc SSRF (CVE-2025-51591, CVSS 6.5) to query AWS Instance Metadata Service, stealing EC2 IAM credentials. Root cause: Pandoc renders <iframe> in HTML; mitigations include sandbox flags or sanitising input. Shows continued IMDS targeting via “quiet” dependencies. A flaw in […]

Cisco ASA zero-days

Cisco ASA zero-days: RayInitiator / LINE VIPER. Old firewalls, new tricks
The UK NCSC and Cisco detail zero-day exploits against ASA 5500-X firewalls (often EoS), deploying a persistent GRUB bootkit (RayInitiator) and user-mode loader LINE VIPER. Flaws include CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (6.5); a separate CVE-2025-20363 is patched. Tactics: disable logging, intercept CLI, crash […]