VMware Zero-Day Exploited by Hackers

VMware Tools + Aria Ops: a small toggle, a big problem

CISA added CVE-2025-41244 to its KEV list: a Broadcom VMware Tools/Aria Operations vulnerability enabling local privilege escalation to root on VMs where Tools is managed by Aria Operations with SDMP enabled. NVISO says the bug was exploited as a zero-day from mid-October 2024; Mandiant […]

Secure WSUS and Microsoft Exchange

CISA & NSA Urgent Guidance to Secure WSUS and Microsoft Exchange

CISA and NSA, with partners, issued hardening guidance for on-prem Exchange: restrict admin access, enforce MFA, apply baselines, enable security features (AMSI/ASR/EDR), and harden TLS/HSTS, EPA, Kerberos/SMB over NTLM. They also updated an alert for CVE-2025-59287 (WSUS) exploited days after Microsoft’s patch—threat actors used […]

Logistics Freight Networks RMM

Cybercriminals Exploit Remote Monitoring Tools to Infiltrate Logistics and Freight Networks

Proofpoint reports a campaign targeting trucking and logistics firms to steal physical cargo, focusing on food and beverages. Attackers hijack email threads and post bogus load listings; victims who click receive signed installers that deploy legitimate RMM tools (e.g., ScreenConnect, SimpleHelp, PDQ Connect, N-able). […]

Velociraptor abused in LockBit

Velociraptor abused in LockBit/Warlock ops

Sophos and others observed Storm-2603 (aka Gold Salem) abusing Velociraptor, an open-source DFIR tool, in ransomware campaigns delivering Warlock, LockBit, and Babuk. Initial access came via SharePoint ToolShell exploits; the actors installed an old Velociraptor (0.73.4.0) affected by the CVE-2025-6264 privilege-escalation flaw to run arbitrary commands and take over endpoints. They created domain […]

F5 breach

F5 breach — BIG-IP source code and vuln info stolen

F5 disclosed a breach in which a nation-state actor stole portions of BIG-IP source code and data about undisclosed vulnerabilities. F5 says access persisted long-term; disclosure was delayed at the DoJ’s request. Customer config data for a small subset may have been exposed; impacted customers […]

Adobe AEM flaw

Adobe AEM flaw added to CISA KEV (CVSS 10.0)

CISA added CVE-2025-54253 to its KEV catalogue, citing active exploitation. The bug impacts Adobe Experience Manager (AEM) Forms on JEE ≤ 6.5.23.0 and was fixed in 6.5.0-0108 (August 2025). Researchers describe it as an authentication-bypass-to-RCE chain via an exposed /adminui/debug servlet evaluating OGNL […]

Linux rootkits via Cisco SNMP

“Zero Disco” — Linux rootkits via Cisco SNMP flaw

Trend Micro detailed Operation Zero Disco, where attackers exploited Cisco CVE-2025-20352 (SNMP stack overflow; patched) to deploy Linux rootkits on certain IOS/IOS XE devices (e.g., 9400/9300/3750G). The intruders set a universal password (containing “disco”) and hooked IOSd memory to persist, bypassing AAA and concealing config changes. […]

Linux rootkit with magic knock

LinkPro Linux rootkit (eBPF “magic packet” backdoor)

Synacktiv uncovered LinkPro, a stealthy Linux rootkit used in an AWS compromise. Attackers reportedly exploited a Jenkins instance vulnerable to CVE-2024-23897, then pushed a malicious Docker image that dropped several payloads, including LinkPro. The rootkit hides itself using eBPF (tracepoint/kretprobe) and user-space tricks via /etc/ld.so.preload, and can be remotely “woken […]

AI users you never see

Non-human identities & AI agents – The users you never see: taming service accounts and AI agents

A primer on controlling non-human identities (NHIs)—service accounts, API tokens, AI agents—which can outnumber humans 80:1. Challenges: poor ownership, over-permissioning, no lifecycle. Guidance: discover/inventory NHIs, assign owners, automate lifecycle, and enforce guardrails under an identity security fabric. Your […]