Beyond Information Security

Max severity Cisco ISE bug allows pre-auth command execution, patch now

A critical vulnerability (CVE-2025-20337) in Cisco’s Identity Services Engine (ISE) could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.

The security issue received the maximum severity rating, 10 out of 10, and is caused by insufficient user-supplied input validation checks.

It was discovered by Kentaro Kawane, a researcher at the Japanese cybersecurity service GMO Cybersecurity by Ierae, and reported to Trend Micro’s Zero Day Initiative (ZDI).

A remote unauthenticated attacker could leverage it by submitting a specially crafted API request. The vulnerability was added via an update to the security bulletin for CVE-2025-20281 and CVE-2025-20282, two similar RCE vulnerabilities that also received the maximum severity score and that impact ISE and ISE-PIC versions 3.4 and 3.3.

Source: BleepingComputer / SecurityWeek

Link: https://www.bleepingcomputer.com/news/security/max-severity-cisco-ise-bug-allows-pre-auth-command-execution-patch-now/

Link: https://www.securityweek.com/cisco-patches-another-critical-ise-vulnerability/


Fortinet Releases Patch for Critical SQL Injection Flaw in FortiWeb (CVE-2025-25257)

Fortinet has released fixes for a critical security flaw impacting FortiWeb that could enable an unauthenticated attacker to run arbitrary database commands on susceptible instances. Tracked as CVE-2025-25257, the vulnerability carries a CVSS score of 9.6 out of a maximum of 10.0.

"An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests," Fortinet said in an advisory released this week.

The shortcoming impacts the following versions:

  • FortiWeb 7.6.0 through 7.6.3 (Upgrade to 7.6.4 or above)
  • FortiWeb 7.4.0 through 7.4.7 (Upgrade to 7.4.8 or above)
  • FortiWeb 7.2.0 through 7.2.10 (Upgrade to 7.2.11 or above)
  • FortiWeb 7.0.0 through 7.0.10 (Upgrade to 7.0.11 or above)

Kentaro Kawane from GMO Cybersecurity, who was recently credited with reporting a set of critical flaws in Cisco Identity Services Engine (ISE) and ISE Passive Identity Connector (CVE-2025-20286, CVE-2025-20281, and CVE-2025-20282), has been acknowledged for discovering the issue.

Source: The Hacker News

Link: https://thehackernews.com/2025/07/fortinet-releases-patch-for-critical.html


CISA Adds Citrix NetScaler CVE-2025-5777 to KEV Catalog as Active Exploits Target Enterprises

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a critical security flaw impacting Citrix NetScaler ADC and Gateway to its Known Exploited Vulnerabilities (KEV) catalog, officially confirming the vulnerability has been weaponized in the wild.

The shortcoming in question is CVE-2025-5777 (CVSS score: 9.3), an instance of insufficient input validation that could be exploited by an attacker to bypass authentication when the appliance is configured as a Gateway or AAA virtual server. It’s also called Citrix Bleed 2 owing to its similarities with Citrix Bleed (CVE-2023-4966).

"Citrix NetScaler ADC and Gateway contain an out-of-bounds read vulnerability due to insufficient input validation," the agency said. "This vulnerability can lead to memory overread when the NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server."

CISA pointed out that flaws like CVE-2025-5777 are frequent attack vectors for malicious cyber actors and pose significant risk to federal enterprises. To that end, Federal Civilian Executive Branch (FCEB) agencies are required to implement mitigations by the end of today, July 11.

Source: The Hacker News / SecurityWeek / BleepingComputer

Link: https://thehackernews.com/2025/07/cisa-adds-citrix-netscaler-cve-2025.html

Link: https://www.securityweek.com/citrixbleed-2-flaw-poses-unacceptable-risk-cisa/

Link: https://www.bleepingcomputer.com/news/security/citrix-bleed-2-exploited-weeks-before-pocs-as-citrix-denied-attacks/


Critical Wing FTP Server Vulnerability (CVE-2025-47812) Actively Being Exploited in the Wild

A recently disclosed maximum-severity security flaw impacting the Wing FTP Server has come under active exploitation in the wild, according to Huntress.

The vulnerability, tracked as CVE-2025-47812 (CVSS score: 10.0), is a case of improper handling of null ('\0') bytes in the server’s web interface, which allows for remote code execution. It has been addressed in version 7.4.4.

"The user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files," according to an advisory for the flaw on CVE.org. "This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default)."

Source: The Hacker News / Huntress blog

Link: https://thehackernews.com/2025/07/critical-wing-ftp-server-vulnerability.html

Link: https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild


Fully Patched SonicWall Gear Under Likely Zero-Day Attack

A threat actor linked to the Abyss ransomware campaign appears to be exploiting a zero-day flaw to plant a stealthy new backdoor on fully patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series devices.

What makes this campaign especially dangerous is the attackers' use of stolen local administrator credentials and one-time password seeds from previous intrusions, leaving organizations vulnerable to repeat attacks.

Researchers at Google’s Threat Intelligence Group (GTIG) are still piecing together how the attackers are harvesting those credentials, but they suspect the criminals are exploiting other known SonicWall flaws to get initial access.

The ultimate goal of the campaign appears to be data theft, extortion, and ransomware deployment. GTIG is tracking the threat cluster as UNC6148, a format it uses to designate uncategorized intrusion activity on which it is still gathering information. Available telemetry suggests that malicious activity related to the ongoing campaign may have started as early as October 2024.

Source: Dark Reading / SecurityWeek

Link: https://www.darkreading.com/remote-workforce/fully-patched-sonicwall-gear-zero-day-attack

Link: https://www.securityweek.com/sonicwall-sma-appliances-targeted-with-new-overstep-malware/


Talos IR ransomware engagements and the significance of timeliness in incident response

As ransomware threat actors continuously decrease their dwell time — here defined as the duration between initial access and encryption — it is increasingly imperative to be mindful of timeliness in incident response engagements (Infosecurity Magazine, CyberScoop, Orca, ThreatDown). Early intervention and remediation can significantly mitigate or even wholly prevent the consequences of ransomware attacks, such as financial loss, reputational damage and legal repercussions, as exemplified by a comparison of two recent Talos IR engagements.

Source: Cisco Talos Intelligence Group

Link: https://blog.talosintelligence.com/talos-ir-ransomware-engagements-and-the-significance-of-timeliness-in-incident-response/