Cyber Security Weekly Briefing, 21-27 June
Citrix fixes critical vulnerability similar to CitrixBleed
Citrix has fixed a critical vulnerability, tracked as CVE-2025-5777, in NetScaler ADC and NetScaler Gateway. Rated CVSSv4 9.3 by Citrix, the flaw is an out-of-bounds memory read caused by insufficient input validation. As with CitrixBleed (CVE-2023-4966, CVSSv3 9.4 according to the vendor), an attacker can send malformed requests to an Internet-exposed appliance and read memory that may contain valid session tokens, which can then be replayed to hijack authenticated sessions.
Citrix has also fixed CVE-2025-5349, an improper access control vulnerability in the NetScaler management interface (CVSSv4 8.7 according to the vendor). Affected branches are 14.1, 13.1, 13.1-FIPS, 13.1-NDcPP and 12.1-FIPS on builds prior to the fixed releases. The 12.1 and 13.0 branches are end of life, will not receive a fix and remain vulnerable.
Citrix recommends upgrading to a fixed build and then, from the NetScaler CLI, running the commands "kill icaconnection -all" and "kill pcoipConnection -all" to terminate every active ICA and PCoIP session. This step matters because tokens leaked before the upgrade stay valid until their sessions are closed; patching alone does not invalidate them. Since both commands drop every connected user, schedule them with that disruption in mind.
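To turn the advisory into a check that can be run across a fleet, the following Python (an added example, not Citrix's own tooling) parses the version line printed by the NetScaler CLI command show ns version, compares it with the minimum fixed build for the branch and lists the follow-up commands. The sample outputs are constructed, and the fixed-build table reflects Citrix's advisory as understood at the time of writing; confirm the numbers against the current advisory before relying on them.

```python
import re

# Minimum fixed build per branch for CVE-2025-5777 / CVE-2025-5349.
# Taken from Citrix's advisory as understood at the time of writing;
# confirm against the current advisory before relying on these numbers.
FIXED_BUILDS = {
    "14.1": (43, 56),
    "13.1": (58, 32),
    "13.1-FIPS": (37, 235),
    "13.1-NDcPP": (37, 235),
    "12.1-FIPS": (55, 328),
}

# End-of-life branches: no fix will ship, so any build is vulnerable.
EOL_BRANCHES = {"12.1", "13.0"}

# Matches the version line printed by 'show ns version', e.g.
#   NetScaler NS14.1: Build 43.56.nc, Date: Jun 9 2025, 08:32:58   (64-bit)
VERSION_RE = re.compile(
    r"NetScaler NS(?P<release>\d+\.\d+): Build (?P<major>\d+)\.(?P<minor>\d+)\."
)

# Commands Citrix asks operators to run after upgrading.
POST_UPGRADE_COMMANDS = ("kill icaconnection -all", "kill pcoipConnection -all")


def parse_ns_version(output: str) -> tuple:
    """Extract (release, (build_major, build_minor)) from 'show ns version' text."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("unrecognised 'show ns version' output")
    return m["release"], (int(m["major"]), int(m["minor"]))


def assess(output: str, variant: str = "") -> dict:
    """Classify an appliance as FIXED, VULNERABLE or UNKNOWN.

    variant is "FIPS" or "NDcPP" for those images (assumption: the version
    line alone does not say which image is installed, so the operator
    supplies it); leave it empty for the standard release train.
    """
    release, build = parse_ns_version(output)
    branch = f"{release}-{variant}" if variant else release
    result = {"branch": branch, "build": build, "status": "UNKNOWN", "actions": []}
    if branch in EOL_BRANCHES:
        result["status"] = "VULNERABLE"
        result["actions"] = ["migrate to a supported branch; EOL releases get no fix"]
        return result
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return result
    if build >= fixed:
        result["status"] = "FIXED"
        # Only needed once, right after the upgrade, to drop pre-patch sessions.
        result["actions"] = list(POST_UPGRADE_COMMANDS)
    else:
        result["status"] = "VULNERABLE"
        result["actions"] = [f"upgrade to {branch} build {fixed[0]}.{fixed[1]} or later",
                             *POST_UPGRADE_COMMANDS]
    return result


# Constructed sample outputs (not captured from real appliances).
SAMPLE_FIXED = "        NetScaler NS14.1: Build 43.56.nc, Date: Jun 9 2025, 08:32:58   (64-bit)\n Done\n"
SAMPLE_OLD = "        NetScaler NS13.1: Build 57.26.nc, Date: Mar 3 2025, 11:02:14   (64-bit)\n Done\n"
SAMPLE_EOL = "        NetScaler NS13.0: Build 92.21.nc, Date: Jan 8 2024, 09:15:40   (64-bit)\n Done\n"

if __name__ == "__main__":
    for sample in (SAMPLE_FIXED, SAMPLE_OLD, SAMPLE_EOL):
        print(assess(sample))
```

Collect the output with something like ssh nsroot@<appliance> 'show ns version' and feed it to assess(); for FIPS or NDcPP images pass variant="FIPS" or variant="NDcPP". Treat an UNKNOWN result as a prompt to read the advisory, not as a pass.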
Prometei is back in business with new releases focused on Linux systems
Since March 2025, Unit 42 has observed new activity from the Prometei botnet targeting Linux systems. Samples are delivered over HTTP from servers hosted in Indonesia. The binaries are packed with UPX and carry an embedded JSON configuration blob, a combination that complicates static analysis.
The botnet keeps its modular design, with components for Monero mining, vulnerability exploitation, credential brute-forcing and data theft. Versions 3 and 4 add a backdoor that provides persistence and self-updating, and the bot can load new modules without operator intervention. Command-and-control relies on a domain generation algorithm (DGA). Unit 42's telemetry shows a rise in samples between March and April 2025. Beyond mining, the operators monetize infections through data theft and further propagation.
Unit 42 recommends hunting with YARA rules that match the UPX-plus-embedded-JSON combination, and monitoring DNS telemetry for DGA activity, which typically shows up as a single host issuing bursts of queries for high-entropy domain names, most of them answered with NXDOMAIN.
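Both recommendations can be approximated in a few lines of Python. The block below is an added example, not Unit 42's rule or code: the first heuristic tests a file for the UPX marker plus a readable JSON object (the two conditions a YARA rule for this combination would check), and the second scans DNS log lines for DGA-like names and NXDOMAIN bursts per client. The log format, the entropy thresholds and all sample data are constructed for the example.

```python
import math
import re
from collections import defaultdict

# --- Heuristic 1: UPX-packed file that also carries readable JSON -----------
UPX_MARKER = b"UPX!"
# Start of a JSON object: '{', a quoted key, a colon.
JSON_OBJECT_RE = re.compile(rb'\{\s*"[^"]{1,64}"\s*:')


def upx_with_json(blob: bytes) -> bool:
    """True when the bytes carry the UPX marker AND a readable JSON object.
    In a normal UPX file the payload is compressed, so plaintext JSON next to
    the UPX marker is itself the anomaly; a YARA rule would test the same two
    conditions."""
    return UPX_MARKER in blob and JSON_OBJECT_RE.search(blob) is not None


# --- Heuristic 2: DGA-like names and NXDOMAIN bursts in DNS logs ------------
def shannon_entropy(text: str) -> float:
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def registrable_label(qname: str) -> str:
    """Second-level label (naive: no public-suffix handling)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_dga_like(qname: str, min_len: int = 10, min_entropy: float = 3.3,
                max_vowel_ratio: float = 0.25) -> bool:
    """Long, high-entropy, vowel-poor labels are typical of generated names.
    Thresholds are illustrative; tune them against your own DNS baseline."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    return (shannon_entropy(label) >= min_entropy
            and vowels / len(label) < max_vowel_ratio)


# Constructed log format: "<timestamp> <client-ip> <qname> <rcode>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")


def scan_dns_log(lines, nx_threshold: int = 3) -> dict:
    """Return {client: {"dga_like": [...], "nxdomain": n}} for every client
    that queried a DGA-like name or reached nx_threshold NXDOMAIN answers."""
    dga, nx = defaultdict(list), defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if is_dga_like(m["qname"]):
            dga[m["client"]].append(m["qname"])
        if m["rcode"] == "NXDOMAIN":
            nx[m["client"]] += 1
    return {c: {"dga_like": dga[c], "nxdomain": nx[c]}
            for c in set(dga) | set(nx)
            if dga[c] or nx[c] >= nx_threshold}


# Constructed samples (not real captures).
SAMPLE_DNS_LOG = """\
2025-06-24T10:00:01Z 10.0.0.5 qzk7xw3plmfd.com NXDOMAIN
2025-06-24T10:00:02Z 10.0.0.5 wvj9tkxnr2qs.net NXDOMAIN
2025-06-24T10:00:03Z 10.0.0.5 hxp4mzqv8tjk.org NXDOMAIN
2025-06-24T10:00:04Z 10.0.0.5 btrlkv6wq9nx.com NOERROR
2025-06-24T10:00:05Z 10.0.0.9 mirrors.ubuntu.com NOERROR
2025-06-24T10:00:06Z 10.0.0.9 cdn.example.com NOERROR
2025-06-24T10:00:07Z 10.0.0.9 typo.exmaple.com NXDOMAIN
"""
SAMPLE_PACKED = (b"\x7fELF" + b"\x00" * 12 + b"UPX!" + b"\x8a\x17\xc3" * 8
                 + b'{"bot_id":"c4f1","c2":["qzk7xw3plmfd.com"]}')
SAMPLE_UPX_ONLY = b"\x7fELF" + b"\x00" * 12 + b"UPX!" + b"\x8a\x17\xc3" * 8

if __name__ == "__main__":
    print("UPX+JSON:", upx_with_json(SAMPLE_PACKED), upx_with_json(SAMPLE_UPX_ONLY))
    print(scan_dns_log(SAMPLE_DNS_LOG.splitlines()))
```

Neither heuristic is a verdict on its own: a legitimate CDN hostname can look random, and a single NXDOMAIN burst can be a misconfigured resolver. They are triage filters that narrow which hosts and files deserve a closer look.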
Critical flaw in Performave Convoy could allow RCE attacks
A vulnerability disclosed through a GitHub security advisory affects Performave Convoy, a KVM server management panel widely used by hosting providers. Tracked as CVE-2025-52562 (CVSSv3 10.0), the flaw sits in Convoy's LocaleController, where missing input validation allows directory traversal.
By sending HTTP requests with crafted namespace and locale parameters, an attacker can traverse out of the intended directory and cause the application to include arbitrary PHP files from the server's filesystem. The flaw requires no authentication and can lead to remote code execution (RCE) and theft of sensitive data. The root cause is insufficient sanitization of the user-supplied locale and namespace values before they are used to build a file path.
The recommended mitigation is to upgrade to Convoy 4.4.1 or later. Where an immediate upgrade is not possible, validate the locale and namespace parameters against a strict allowlist (for example, only letters, digits and underscores, and a fixed set of known locales) and verify that the resolved path stays inside the locale directory.
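As an added illustration (not Convoy's code; the real LocaleController's path layout and parameter handling are not shown on this page), the following Python models the vulnerable pattern beside a hardened resolver and drives both with a URL-encoded query string the way a web framework would decode it. BASE_DIR, the <namespace>/<locale>.php file naming, the regexes and the query strings are all assumptions made for the example.

```python
import posixpath
import re
from urllib.parse import parse_qs

# Hypothetical layout: locale files live under BASE_DIR/<namespace>/<locale>.php.
BASE_DIR = "/var/www/convoy/lang"

LOCALE_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")   # en, pt_BR, ...
NAMESPACE_RE = re.compile(r"^[A-Za-z0-9_]{1,64}$")


class TraversalError(ValueError):
    pass


def resolve_vulnerable(base_dir: str, namespace: str, locale: str) -> str:
    """The flawed pattern: request parameters go straight into the path, so
    '../' sequences walk out of base_dir and any .php file can be included."""
    return posixpath.normpath(posixpath.join(base_dir, namespace, locale + ".php"))


def resolve_hardened(base_dir: str, namespace: str, locale: str) -> str:
    """Allowlist the characters first, then confirm the normalised path is
    still inside base_dir. The second check is defence in depth: it holds
    even if the allowlist is later loosened."""
    if not NAMESPACE_RE.fullmatch(namespace) or not LOCALE_RE.fullmatch(locale):
        raise TraversalError("namespace/locale contains disallowed characters")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, namespace, locale + ".php"))
    if posixpath.commonpath([base, candidate]) != base:
        raise TraversalError("resolved path escapes the locale directory")
    return candidate


def handle_locale_request(query: str, resolver) -> tuple:
    """Simulate the controller: decode the query string as a web framework
    would (so %2F becomes '/') and resolve the locale file with `resolver`."""
    params = parse_qs(query)
    namespace = params.get("namespace", ["core"])[0]
    locale = params.get("locale", ["en"])[0]
    try:
        return 200, resolver(BASE_DIR, namespace, locale)
    except TraversalError as exc:
        return 400, str(exc)


# Constructed attacker query: four '../' hops, then a file under /tmp.
ATTACK_QUERY = "namespace=..%2F..%2F..%2F..%2Ftmp&locale=shell"
BENIGN_QUERY = "namespace=core&locale=pt_BR"

if __name__ == "__main__":
    for name, resolver in (("vulnerable", resolve_vulnerable), ("hardened", resolve_hardened)):
        print(name, handle_locale_request(ATTACK_QUERY, resolver))
        print(name, handle_locale_request(BENIGN_QUERY, resolver))
```

The vulnerable resolver happily returns /tmp/shell.php for the attack query, which is exactly the file the attacker would have planted (for instance through an upload feature); the hardened one rejects it before any filesystem access. Note that the allowlist check alone would be defeated if someone later relaxed the regex, which is why the commonpath check stays in place.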
NetExtender spoofing steals VPN credentials from users
In June 2025, SonicWall and Microsoft Threat Intelligence identified a campaign distributing a trojanized build of NetExtender, SonicWall's SSL VPN client. The fake installer imitates the official one but is signed with a certificate issued to "CITYLIGHT MEDIA PRIVATE LIMITED" rather than SonicWall's own code-signing certificate.
The malicious installer patches NeService.exe so that it no longer rejects components with an invalid signature, and modifies NetExtender.exe to capture the VPN configuration (username, password and domain) and send it to the attackers' server at 132.196.198.163:8080. SonicWall and Microsoft have blocked the malicious domains and revoked the certificate; the sample is detected as "Fake-NetExtender" by SonicWall and "TrojanSpy:Win32/SilentRoute.A" by Microsoft.
Download VPN clients only from the vendor's official site, check the Authenticode signer of the installer before running it (the legitimate client is signed by SonicWall, not by a third party), and rely on endpoint protection such as SonicWall Capture ATP or Microsoft Defender to catch tampered builds.
SparkKitty steals cryptocurrency recovery keys from mobile gallery
Kaspersky researchers have identified a new malware family, SparkKitty, distributed through both Google Play and the App Store. It is an evolution of SparkCat, detected in January, which used OCR to harvest cryptocurrency wallet recovery phrases (seed phrases) from images. SparkKitty exfiltrates every photo on the infected device; the primary goal is to find seed phrases, but images containing other sensitive content could also be used for extortion.
Malicious apps carrying it, including 币coin (iOS) and SOEX (Android), have since been removed from the stores. Trojanized TikTok clones and gambling apps distributed outside the official stores have also been found.
On Android, SparkKitty is embedded in Java/Kotlin apps and in some cases delivered as Xposed modules; on iOS it masquerades as a legitimate framework. Once installed, it requests gallery access and uploads the images to the attackers' server. Some Android variants use Google ML Kit text recognition to upload only images that contain text, which narrows the haul to likely screenshots of seed phrases.
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →