Cyber Security Weekly Briefing, 15-21 February

February 21, 2025

Critical vulnerability in Juniper routers allowing unauthorized access fixed

Juniper Networks has issued an alert regarding the critical vulnerability CVE-2025-21589 affecting Session Smart Router, Session Smart Conductor, and WAN Assurance Managed Routers. This flaw, rated 9.8 on the CVSS scale by the vendor, allows attackers to bypass authentication and gain full administrative control over affected devices. While no active exploitation or proof-of-concept exploits have been detected, immediate application of security patches is strongly recommended.

In environments managed by a Conductor, updating only the Conductor nodes is sufficient, as connected routers receive the patch automatically. WAN Assurance devices connected to Mist Cloud have likewise been patched automatically. Nonetheless, individual routers should also be updated.

Juniper Networks further advises organizations to enhance monitoring to detect suspicious activity and mitigate potential intrusions.

More info

Ghost ransomware attacks critical infrastructure in more than 70 countries

CISA and the FBI have warned in a joint report about the Ghost ransomware threat actor, which has reportedly carried out attacks on multiple sectors in more than 70 countries, including critical infrastructure organizations. During these incidents, attackers exploit vulnerabilities in outdated software, such as Fortinet, ColdFusion and Exchange, to gain access to their victims' systems.

Since 2021, the group behind Ghost ransomware, also known as Cring or Phantom, has employed tactics such as rotating executables and modifying ransom notes to make identification more difficult. The use of tools such as Mimikatz and Cobalt Strike to evade defenses and deploy the ransomware has also been observed.

To mitigate risks associated with this threat, CISA recommends performing offline backups, applying security patches, segmenting networks and enabling multi-factor authentication.

More info

Critical vulnerability in Apache Ignite patched

Apache has fixed a vulnerability affecting Apache Ignite versions from 2.6.0 up to, but not including, 2.17.0. The flaw, identified as CVE-2024-52577 (CVSSv4 score of 9.5 according to the vendor), allows remote attackers to execute arbitrary code on vulnerable servers with the privileges of the Ignite process by abusing insecure deserialization in specific configurations, made possible by incomplete validation of incoming data streams. Ignite server nodes process incoming messages using Java's serialization/deserialization framework.

In the affected versions, class serialization filters are bypassed on certain network endpoints, which lets attackers craft messages containing malicious objects that those filters never see. Apache Ignite fixed the bug in version 2.17.0 by applying the class filters on all endpoints.

If the update cannot be applied, it is recommended to restrict access to Ignite nodes, deploy intrusion detection systems and enable the JVM's native deserialization filter (jdk.serialFilter) to block high-risk packets.
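The following Java program is an added example, not Apache Ignite's code, of what the jdk.serialFilter workaround mentioned above actually does: it installs an allow-list filter on an ObjectInputStream and shows that a class outside the list is rejected before it is instantiated, while an unfiltered stream accepts it without objection. The class names ConfigMessage and UnexpectedType are constructed stand-ins for "a type the service legitimately exchanges" and "a type that should never arrive over the wire"; neither models Ignite's real message types or endpoints.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/*
 * Added example (not Apache Ignite code): the JDK's built-in deserialization
 * filter (JEP 290, Java 9+) turns an "accept any class" ObjectInputStream into
 * an allow-list. ConfigMessage and UnexpectedType are constructed for this demo.
 */
public class SerialFilterDemo {

    /* Constructed: a message type the service is expected to receive. */
    static final class ConfigMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final int version;
        ConfigMessage(String name, int version) { this.name = name; this.version = version; }
        @Override public String toString() { return name + "@v" + version; }
    }

    /* Constructed: any class that should never appear in an incoming stream. */
    static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    /*
     * Pattern in jdk.serialFilter syntax: ';'-separated entries are matched in
     * order against the class name, '!' rejects, and the trailing "!*" rejects
     * every class not explicitly listed; maxdepth/maxbytes bound the stream.
     * The same string can be applied process-wide with -Djdk.serialFilter=<pattern>.
     */
    static final String ALLOW_LIST =
            "SerialFilterDemo$ConfigMessage;java.lang.String;maxdepth=8;maxbytes=65536;!*";

    static byte[] serialize(Object obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    /* Deserialize with a per-stream filter; ObjectInputStream throws
       InvalidClassException as soon as the filter returns REJECTED. */
    static Object readFiltered(byte[] bytes, String pattern)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    /* The vulnerable shape: no filter, every class in the stream is resolved. */
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new ConfigMessage("cluster-a", 2));
        byte[] unexpected = serialize(new UnexpectedType());

        System.out.println("filtered, expected type  : " + readFiltered(legit, ALLOW_LIST));
        try {
            readFiltered(unexpected, ALLOW_LIST);
            System.out.println("BUG: unexpected type accepted");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type: rejected (" + e.getMessage() + ")");
        }
        System.out.println("unfiltered, unexpected type: "
                + readUnfiltered(unexpected).getClass().getSimpleName());
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo`. The allow-list is deliberately exact (no wildcards), which is the posture to aim for: the filter runs before any class is resolved, so a rejected gadget class never gets a chance to execute. The per-stream `setObjectInputFilter` call shown here only protects code you control; the process-wide `-Djdk.serialFilter` property also covers third-party code such as a framework's own endpoints, which is why the advisory points to it as the stopgap when patching is not possible.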

More info

New XCSSET variant detected for macOS

A new variant of the XCSSET malware has been detected in attacks targeting macOS users, specifically to steal sensitive information such as digital wallets and Notes app data. This variant, identified by Microsoft, improves on previous versions with more advanced code obfuscation, stronger persistence and new infection strategies, and is distributed mainly through infected Xcode projects.

Among the improvements, obfuscation with techniques such as Base64 and xxd (hexdump) stands out, making the code harder to analyze. It also implements persistence methods using the zshrc and dock files: in the first case the payload is executed every time a new shell session is started; in the second, the malware manipulates the dock entries so that a malicious application is launched together with the legitimate one.

XCSSET also uses new infection techniques in Xcode projects, taking advantage of settings such as TARGET, RULE or FORCED_STRATEGY to insert its payload. Through its modules, it collects confidential data from applications, digital wallets, browsers and more. Microsoft recommends that users inspect Xcode projects and unofficial repositories to avoid this type of malware.
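As an added example (not Microsoft's detection logic and not XCSSET code), the Java program below hunts a shell start-up file for the zshrc persistence style described above: a Base64- or xxd-obfuscated payload that is decoded and executed on every new shell session. The regular expressions are heuristics chosen for this demo, and the sample `.zshrc` lines are constructed and benign (the encoded blobs decode to `echo hi`); pass a real path as the first argument to scan it instead.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/*
 * Added example, not Microsoft's or XCSSET's code: a small hunt over shell
 * start-up files (.zshrc, .bash_profile, ...) for decode-and-execute lines of
 * the kind used for "run on every shell session" persistence. The indicator
 * patterns are heuristics for this demo and will produce false positives on
 * legitimate but unusual dotfiles; treat hits as leads, not verdicts.
 */
public class ShellRcHunt {

    static final List<Pattern> INDICATORS = List.of(
            // decoded Base64 blob piped straight into an interpreter
            Pattern.compile("base64\\s+(-d|-D|--decode)\\b.*\\|\\s*(sh|zsh|bash)\\b"),
            // reversed hexdump (xxd -r) piped into an interpreter
            Pattern.compile("xxd\\s+-r\\b.*\\|\\s*(sh|zsh|bash)\\b"),
            // eval of a command substitution that decodes something
            Pattern.compile("\\beval\\b.*\\$\\(.*(base64|xxd)"),
            // remote content piped into an interpreter
            Pattern.compile("\\b(curl|wget)\\b.*\\|\\s*(sh|zsh|bash)\\b"),
            // detached background job started at login
            Pattern.compile("\\bnohup\\b.*&\\s*$")
    );

    /* Returns "lineNo: line" for every non-comment line matching an indicator. */
    static List<String> hunt(List<String> lines) {
        List<String> hits = new ArrayList<>();
        for (int i = 0; i < lines.size(); i++) {
            String line = lines.get(i).strip();
            if (line.isEmpty() || line.startsWith("#")) continue;
            for (Pattern p : INDICATORS) {
                if (p.matcher(line).find()) {
                    hits.add((i + 1) + ": " + line);
                    break;
                }
            }
        }
        return hits;
    }

    /* Constructed sample: four ordinary lines and two decode-and-run lines
       whose blobs ("ZWNobyBoaQ==", "6563686f206869") both decode to "echo hi". */
    static final List<String> SAMPLE_ZSHRC = List.of(
            "export PATH=\"$HOME/bin:$PATH\"",
            "alias ll='ls -la'",
            "# constructed test data below",
            "echo ZWNobyBoaQ== | base64 -D | sh",
            "eval \"$(echo 6563686f206869 | xxd -r -p)\"",
            "source ~/.cargo/env"
    );

    public static void main(String[] args) throws Exception {
        List<String> lines = args.length > 0
                ? Files.readAllLines(Path.of(args[0]))
                : SAMPLE_ZSHRC;
        List<String> hits = hunt(lines);
        System.out.println(hits.isEmpty()
                ? "no indicators found"
                : hits.size() + " suspicious line(s):");
        for (String h : hits) System.out.println("  " + h);
    }
}
```

On the constructed sample, lines 4 and 5 are reported and the rest are not. For the dock side of the persistence, the analogous check is to list the dock's persistent application entries and flag any whose bundle path sits outside the usual `/Applications` and `/System/Applications` locations; that part is not implemented here.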

More info

Google patches critical bugs in Chrome that allow code execution

Google has released an urgent update for Chrome, fixing three critical vulnerabilities that could allow attackers to execute arbitrary code and take control of the system. Two of the flaws are buffer overflows: CVE-2025-0999 in the V8 JavaScript engine and CVE-2025-1426 in the GPU subsystem, neither with a CVSSv3 score assigned as of this writing.

Both are classified as high severity by Google and could enable malicious code execution and sandbox escape. The third flaw, CVE-2025-1006, also without a CVSSv3 score but rated medium severity by the vendor, is a use-after-free in the network stack that could lead to code execution or browser crashes.

Google has withheld technical details to prevent exploitation. The vendor has also urged users to update Chrome immediately to version 133.0.6943.126/.127, as these bugs could facilitate targeted attacks and the silent installation of malware.

More info