Cyber Security Weekly Briefing, 16-22 August
Critical vulnerability patched in Cisco FMC
Cisco has warned of a critical remote code execution (RCE) vulnerability, tracked as CVE-2025-20265 (CVSSv3 10.0 according to Cisco), in the RADIUS subsystem of its Secure Firewall Management Center (FMC) software. It affects FMC releases 7.0.7 and 7.7.0, and only when RADIUS authentication is enabled for the web management interface, for SSH management, or both.
Discovered internally by Cisco researcher Brandon Sakai, the flaw stems from improper handling of user input during the authentication phase: an unauthenticated remote attacker can send crafted input in the credentials that FMC forwards to the configured RADIUS server and have it interpreted as shell commands, which then run with high privileges.
Cisco has released fixed software, available free of charge through the usual channels to customers with a valid service contract. Where patching must wait, Cisco's recommended workaround is to disable RADIUS authentication for the web interface and SSH and switch to local user accounts, external LDAP, or SAML single sign-on.
At the time of writing there are no known proofs of concept, public exploits, or reports of exploitation in the wild.
Warlock Ransomware exploits SharePoint vulnerabilities
Trend Micro researchers have revealed that the Warlock ransomware group is exploiting critical vulnerabilities in Microsoft SharePoint on-premises. Warlock, which debuted in June on the Russian RAMP forum and is suspected to be a derivative of Black Basta, has been behind attacks against public and private organizations in several countries.
Specifically, the observed campaign exploits flaws such as CVE-2025-49704 (CVSSv3 8.8 according to the vendor) and CVE-2025-49706 (CVSSv3 6.5 according to the vendor) to achieve remote code execution on SharePoint servers. Once inside, the attackers escalate privileges and move laterally by creating Group Policy Objects, enabling the built-in Guest account and adding it to the local Administrators group, and dumping credentials with tools such as Mimikatz. The ransomware is then distributed over SMB, and persistence is maintained through Cloudflare tunnels.
Trend Micro noted that Warlock shares code with LockBit 3.0, whose builder leaked in 2022 and has since fuelled a proliferation of variants. The group also deploys a tool that Trend Micro detects as Trojan.Win64.KILLLAV.I to try to disable security products.
Critical vulnerability discovered in FortiSIEM already exploited in attacks
Researchers at watchTowr Labs have disclosed a critical pre-authentication command injection vulnerability in Fortinet FortiSIEM, tracked as CVE-2025-25256 (CVSSv3 9.8 according to the vendor). The flaw lies in phMonitor, the service that supervises the platform's own processes and listens on TCP port 7900, and affects versions 5.4 through 7.3.1. An unauthenticated attacker who can reach that port can execute arbitrary operating system commands by sending specially crafted XML payloads.
Fortinet reports that practical exploit code for the vulnerability has been found in the wild, which raises the urgency of patching. Fixed releases are 7.3.2, 7.2.6, 7.1.8, 7.0.4 and 6.7.10; 6.6 and earlier receive no fix and must be migrated to a supported release. Because FortiSIEM is a core system in many security operations centers (SOCs), a compromised instance could blind an organization to attacks in progress.
Security teams are advised to inventory their deployments urgently and apply the appropriate upgrade or migration. Where that cannot happen immediately, Fortinet's workaround is to restrict access to the phMonitor port (7900) to trusted hosts, and connection attempts to that port from unexpected sources are worth monitoring as a sign of exploitation attempts.
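Both the Cisco FMC item and the FortiSIEM item above come down to the same triage question: which of our instances run an affected build, and what is the fix target? The script below is an added example (not Cisco's or Fortinet's code) that encodes only the versions quoted in the two advisories; the inventory rows and their (product, version, radius_enabled) shape are constructed for the example, and whether RADIUS authentication is actually enabled must come from the FMC configuration, the script cannot determine it.

```python
"""Advisory-driven version triage for the Cisco FMC and FortiSIEM items above.

Added example, not vendor code. Affected and fixed versions are those quoted
in the two advisories; INVENTORY and its tuple layout are constructed here.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'7.3.1' -> (7, 3, 1). Tuples compare correctly; strings do not ('7.10' < '7.9')."""
    return tuple(int(part) for part in text.strip().split("."))


def fmt(v: Version) -> str:
    return ".".join(str(p) for p in v)


# CVE-2025-20265: two FMC releases are listed, and only with RADIUS auth enabled.
FMC_AFFECTED = {(7, 0, 7), (7, 7, 0)}

# CVE-2025-25256: 5.4 through 7.3.1 affected; first fixed release per train;
# trains without an entry (6.6 and earlier) have no fix and must migrate.
FORTISIEM_FIXED: Dict[Tuple[int, int], Version] = {
    (7, 3): (7, 3, 2),
    (7, 2): (7, 2, 6),
    (7, 1): (7, 1, 8),
    (7, 0): (7, 0, 4),
    (6, 7): (6, 7, 10),
}
FORTISIEM_RANGE = ((5, 4), (7, 3, 1))


def triage_fmc(version: str, radius_enabled: bool) -> dict:
    v = parse_version(version)
    if v not in FMC_AFFECTED:
        return {"vulnerable": False, "action": "none"}
    if not radius_enabled:
        return {"vulnerable": False,
                "action": "affected build; keep RADIUS auth disabled until patched"}
    return {"vulnerable": True,
            "action": "apply Cisco fix; interim: disable RADIUS, use local/LDAP/SAML"}


def triage_fortisiem(version: str) -> dict:
    v = parse_version(version)
    train = v[:2]
    if train in FORTISIEM_FIXED:            # train has a fix: compare against it
        fixed = FORTISIEM_FIXED[train]
        if v >= fixed:
            return {"vulnerable": False, "action": "none"}
        return {"vulnerable": True, "action": f"upgrade to {fmt(fixed)}"}
    lo, hi = FORTISIEM_RANGE
    if v < lo or v > hi:                    # older than 5.4 or newer than 7.3.1
        return {"vulnerable": False, "action": "none (outside advisory range)"}
    return {"vulnerable": True, "action": "no fix on this train; migrate to a fixed release"}


def triage_inventory(rows: List[Tuple[str, str, bool]]) -> List[dict]:
    findings = []
    for product, version, radius in rows:
        if product == "fmc":
            result = triage_fmc(version, radius)
        elif product == "fortisiem":
            result = triage_fortisiem(version)
        else:
            continue
        findings.append({"product": product, "version": version, **result})
    return findings


# Constructed inventory; the third field only matters for FMC (RADIUS enabled?).
INVENTORY = [
    ("fmc", "7.0.7", True),
    ("fmc", "7.7.0", False),
    ("fmc", "7.6.0", True),
    ("fortisiem", "7.3.1", None),
    ("fortisiem", "7.2.6", None),
    ("fortisiem", "6.6.3", None),
    ("fortisiem", "7.4.0", None),
]

if __name__ == "__main__":
    for row in triage_inventory(INVENTORY):
        print(row)
```

The per-train lookup matters: a plain range check would call 7.2.6 vulnerable because it sorts below 7.3.1, while the advisory lists it as fixed. Treat the FMC result for RADIUS-disabled instances as "patch anyway", since re-enabling RADIUS later would reopen the hole.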
New variant of Noodlophile distributed through spear-phishing campaigns
Researchers at Morphisec have warned of a new variant of the Noodlophile Stealer infostealer distributed through spear-phishing campaigns that allege copyright infringements on specific Facebook pages.
This malware can exfiltrate credentials and browser data, collect system information, and execute payloads dynamically in memory; it gains execution by sideloading malicious DLLs into legitimate signed binaries such as Haihaisoft PDF Reader. The operation, active for more than a year and attributed to as-yet-unidentified threat actors, delivers its initial payload through Dropbox links, relies on LOLBins and Base64-encoded files for evasion, and uses Telegram group descriptions as dead-drop resolvers for its command-and-control addresses to hinder detection.
The campaign has targeted companies in the US, Europe, the Baltic countries, and the Asia-Pacific region. Recommended defenses are to strengthen email filtering, deploy multi-factor authentication, raise user awareness, and adopt EDR and application control solutions that can block dynamically loaded payloads and DLLs loaded from unexpected locations.
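The sideloading described above has a recognisable shape in image-load telemetry: a validly signed executable loads a DLL that is unsigned, signed by someone else, or carries a system DLL's name from a user-writable directory. The script below is an added example (not Morphisec's or the campaign's code) that scores constructed records shaped like Sysmon Event ID 7 entries; the Process* fields are an assumed join with the loading process's signer from Event ID 1, and the vendor names and paths in the sample are invented.

```python
"""Flag DLL sideloading into signed binaries, the execution technique described above.

Added example; records are constructed and the heuristics are ours, not Morphisec's.
Each record mimics a Sysmon Event ID 7 (ImageLoad) entry joined with the signer of
the loading process (Sysmon reports that separately in Event ID 1); the Process*
fields are that assumed join.
"""
import ntpath  # parses Windows paths correctly on any host OS

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names that many signed applications import by name, so a copy dropped next to
# the EXE wins the search order; a common sideloading pattern.
PROXIED_NAMES = {"version.dll", "msimg32.dll", "dwmapi.dll", "cryptbase.dll",
                 "wtsapi32.dll", "uxtheme.dll", "userenv.dll"}


def is_user_writable(path: str) -> bool:
    return any(token in path.lower() for token in USER_WRITABLE)


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def signed_ok(signed: str, status: str) -> bool:
    return signed == "true" and status == "Valid"


def analyze_load(ev: dict) -> list:
    """Reason codes for one ImageLoad record; an empty list means nothing to flag."""
    if not signed_ok(ev["ProcessSigned"], ev["ProcessSignatureStatus"]):
        return []  # not a sideload into a *legitimate* binary; handle that elsewhere
    dll = ev["ImageLoaded"]
    dll_trusted = signed_ok(ev["Signed"], ev["SignatureStatus"])
    name = ntpath.basename(dll).lower()
    reasons = []
    if is_user_writable(dll) and not dll_trusted:
        reasons.append("unsigned_dll_user_writable")
    if name in PROXIED_NAMES and not is_system_path(dll):
        reasons.append("proxied_name_outside_system")
    if dll_trusted and is_user_writable(dll) and ev["Signature"] != ev["ProcessSignature"]:
        reasons.append("signer_mismatch_user_writable")
    return reasons


def detect(events: list) -> list:
    return [{"process": ev["Image"], "dll": ev["ImageLoaded"], "reasons": r}
            for ev in events if (r := analyze_load(ev))]


# Constructed sample: vendor names, paths and signer strings are invented.
SAMPLE_LOADS = [
    # a signed PDF reader unpacked into Temp loads an unsigned msimg32.dll beside it
    {"Image": r"C:\Users\alice\AppData\Local\Temp\PDFReader\pdfreader.exe",
     "ProcessSigned": "true", "ProcessSignatureStatus": "Valid", "ProcessSignature": "Example PDF Vendor",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\PDFReader\msimg32.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-"},
    # the same reader loading the genuine system copy: benign
    {"Image": r"C:\Users\alice\AppData\Local\Temp\PDFReader\pdfreader.exe",
     "ProcessSigned": "true", "ProcessSignatureStatus": "Valid", "ProcessSignature": "Example PDF Vendor",
     "ImageLoaded": r"C:\Windows\System32\msimg32.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Microsoft Windows"},
    # notepad loads a validly signed version.dll from Downloads, but from a different signer
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ProcessSigned": "true", "ProcessSignatureStatus": "Valid", "ProcessSignature": "Microsoft Windows",
     "ImageLoaded": r"C:\Users\alice\Downloads\version.dll",
     "Signed": "true", "SignatureStatus": "Valid", "Signature": "Contoso Ltd"},
    # unsigned tool loading an unsigned DLL: suspicious, but not a sideload of a trusted binary
    {"Image": r"C:\ProgramData\tool\tool.exe",
     "ProcessSigned": "false", "ProcessSignatureStatus": "Unavailable", "ProcessSignature": "-",
     "ImageLoaded": r"C:\ProgramData\tool\helper.dll",
     "Signed": "false", "SignatureStatus": "Unavailable", "Signature": "-"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOADS):
        print(hit)
```

The third rule is the one that catches a better-resourced actor who buys or steals a code-signing certificate: the DLL is "signed", but by a different publisher than the host process, and it sits where a user could write it. In production, restrict the path check to the process's own directory and the Windows search-order locations rather than substring matching, and feed the hits into application control as block candidates.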
New 0-day vulnerability in Apple exploited in targeted attacks
Apple has released emergency updates for CVE-2025-43300, a critical out-of-bounds write in the Image I/O framework for which no CVSS score had been assigned at the time of writing. Processing a maliciously crafted image file can corrupt memory, which in practice gives an attacker code execution on the device. According to Apple, the vulnerability has already been exploited in an extremely sophisticated attack against specific targeted individuals.
Apple fixed the issue with improved bounds checking in iOS 18.6.2, iPadOS 18.6.2 and 17.7.10, and macOS Sequoia 15.6.1, Sonoma 14.7.8 and Ventura 13.7.8. The bug affects a wide range of devices: iPhone XS and later, multiple generations of iPad, and Macs running the macOS versions listed.
Apple has not disclosed details of the attacks or credited a specific researcher with the discovery, and recommends updating immediately.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →