Beyond Information Security

Critical Cisco Vulnerability in Unified CM Grants Root Access via Static Credentials

Cisco has released security updates to address a maximum-severity security flaw in Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME) that could permit an attacker to log in to a susceptible device as the root user and gain elevated privileges.

The vulnerability, tracked as CVE-2025-20309, carries a CVSS score of 10.0.

„This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development,“ Cisco said in an advisory released Wednesday.

„An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.“

Hard-coded credentials like this usually come from testing or quick fixes during development, but they should never make it into live systems. In tools like Unified CM that handle voice calls and communication across a company, root access can let attackers move deeper into the network, listen in on calls, or change how users log in.

Source: The Hacker News / BleepingComputer / SecurityWeek

Link: https://thehackernews.com/2025/07/critical-cisco-vulnerability-in-unified.html

Link: https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/

Link: https://www.securityweek.com/cisco-warns-of-hardcoded-credentials-in-enterprise-software/


Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update

Google has released security updates to address a vulnerability in its Chrome browser for which an exploit exists in the wild.

The zero-day vulnerability, tracked as CVE-2025-6554 (CVSS score: N/A), has been described as a type confusion flaw in the V8 JavaScript and WebAssembly engine.

„Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page,“ according to a description of the bug on the NIST’s National Vulnerability Database (NVD).

Type confusion vulnerabilities can have severe consequences, as they can be exploited to trigger unexpected software behavior, resulting in arbitrary code execution or program crashes.

Zero-day bugs like this are especially risky because attackers often start using them before a fix is available. In real-world attacks, these flaws can let hackers install spyware, launch drive-by downloads, or quietly run harmful code — sometimes just by getting someone to open a malicious website.

Source: The Hacker News / BleepingComputer / SecurityWeek

Link: https://thehackernews.com/2025/07/google-patches-critical-zero-day-flaw.html

Link: https://www.bleepingcomputer.com/news/security/google-fixes-fourth-actively-exploited-chrome-zero-day-of-2025/

Link: https://www.securityweek.com/chrome-138-update-patches-zero-day-vulnerability/


Citrix warns of login issues after NetScaler auth bypass patch

Citrix warns that patching recently disclosed vulnerabilities that can be exploited to bypass authentication and launch denial-of-service attacks may also break login pages on NetScaler ADC and Gateway appliances.

This happens because, starting with NetScaler 14.1.47.46 and 13.1.59.19, the Content Security Policy (CSP) header, which mitigates risks associated with cross-site scripting (XSS), code injection, and other client-side attacks, is enabled by default.

However, while it is designed to block unauthorized scripts and external content from executing in the browser, the policy also inadvertently restricts legitimate scripts or resources loaded by Duo configurations based on RADIUS authentication, integrations, custom SAML setups, or other IdP configurations that do not comply with the strict CSP rules.
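To see why a default-enabled CSP breaks third-party login integrations, the following checker (an added example, not code from Citrix, NetScaler or the article) decides whether a script URL is permitted by a policy's script-src, falling back to default-src as browsers do. The two policies, the gateway origin and the IdP hostnames are constructed for illustration; the real NetScaler header is not on the page.

```javascript
// Added example: preview which login-page scripts a CSP header would block.
// Supports a subset of CSP source expressions: 'self', 'none', '*', a bare
// scheme ("https:"), and host-source with optional scheme, "*." wildcard and port.

function parseCsp(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function sourceMatches(expr, resource, pageOrigin) {
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "*") return true;
  if (e === "'self'") return resource.origin === pageOrigin;
  if (e.endsWith(":")) return resource.protocol === e; // scheme-source, e.g. "https:"
  const m = e.match(/^(?:(https?):\/\/)?(\*\.)?([^/:]+)(?::(\d+))?/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && resource.protocol !== scheme + ":") return false;
  const resourcePort = resource.port || (resource.protocol === "https:" ? "443" : "80");
  if (port && resourcePort !== port) return false;
  return wildcard ? resource.hostname.endsWith("." + host) : resource.hostname === host;
}

// True if the script at resourceUrl may load on a page served from pageOrigin.
// A missing script-src inherits default-src; no directive at all means unrestricted.
function scriptAllowed(cspHeader, resourceUrl, pageOrigin) {
  const csp = parseCsp(cspHeader);
  const sources = csp["script-src"] || csp["default-src"] || ["*"];
  const resource = new URL(resourceUrl);
  return sources.some((s) => sourceMatches(s, resource, pageOrigin));
}

// Constructed sample values (hypothetical appliance origin and IdP host).
const PAGE_ORIGIN = "https://gateway.example.com";
const STRICT_CSP = "default-src 'self'; script-src 'self'";
const RELAXED_CSP = "default-src 'self'; script-src 'self' https://*.idp.example.net";
const IDP_SCRIPT = "https://sso.idp.example.net/auth/prompt.js";

console.log("strict  :", scriptAllowed(STRICT_CSP, IDP_SCRIPT, PAGE_ORIGIN));  // false: IdP blocked
console.log("relaxed :", scriptAllowed(RELAXED_CSP, IDP_SCRIPT, PAGE_ORIGIN)); // true: allowlisted
```

Running the check against the policy an appliance actually sends, with the script and frame URLs your IdP integration loads, shows in advance which resources the strict default will reject.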

Source: BleepingComputer

Link: https://www.bleepingcomputer.com/news/security/citrix-warns-of-login-issues-after-netscaler-auth-bypass-patch/


Cybercriminal abuse of large language models

Generative AI and LLMs have taken the world by storm. With the ability to generate convincing text, solve problems, write computer code and more, LLMs are being integrated into almost every facet of society. According to Hugging Face (a platform that hosts models), there are currently over 1.8 million different models to choose from.

LLMs are usually built with key safety features, including alignment and guardrails. Alignment is a training process that LLMs undergo to minimize bias and ensure that the LLM generates outputs that are consistent with human values and ethics. Guardrails are additional real-time safety mechanisms that try to restrain the LLM from engaging in harmful or undesirable actions in response to user input. Many of the most advanced (or “frontier”) LLMs are protected in this manner. For example, asking ChatGPT to produce a phishing email will result in a denial, such as, “Sorry, I can’t assist with that.”

For cybercriminals who wish to utilize LLMs for conducting or improving their attacks, these safety mechanisms can present a significant obstacle. To achieve their goals, cybercriminals are increasingly gravitating towards uncensored LLMs, cybercriminal-designed LLMs and jailbreaking legitimate LLMs.

Source: Cisco Talos Intelligence Group

Link: https://blog.talosintelligence.com/cybercriminal-abuse-of-large-language-models/


NTLM relay attacks are back from the dead

NTLM relay attacks are the easiest way for an attacker to compromise domain-joined hosts. While many security practitioners think NTLM relay is a solved problem, it is not – and, in fact, it may be getting worse. Anecdotally, they are used in most attacks seen by my employer’s consulting arm and have gotten much more common in the last few years.

With most environments vulnerable, NTLM sets the stage for lateral movement and privilege escalation. These attacks originate from Authenticated Users and can often reach Tier Zero, resulting in a large exposure and a critical impact.

Here’s an introduction to how these attacks work, what they can target, and how to defend against them.

Source: Help Net Security

Link: https://www.helpnetsecurity.com/2025/07/04/ntlm-relay-attacks/


Identifying and abusing Azure Arc for hybrid escalation and persistence

My research into Microsoft Azure Arc began during a recent red team operation where we stumbled across a PowerShell script containing a hardcoded Service Principal secret that was responsible for deploying Arc to on-premises systems. I didn’t know much about the service, so I started doing some research to determine what we could do with the recovered credentials. We ended up being able to use techniques documented in prior research on this topic to gain code execution on a domain controller and pivot back up into Microsoft Azure, but this got me thinking about some broader questions related to Arc: How do you identify it in environments? What (mis)configurations could exist that would allow for escalation? What other code execution vectors exist within it? Could it be used as an out-of-band persistence mechanism?

Source: IBM Security Intelligence

Link: https://www.ibm.com/think/x-force/identifying-abusing-azure-arc-for-hybrid-escalation-persistence