Cyber Security Weekly Briefing, 4 July
Cisco patches a critical vulnerability in Unified CM
Cisco has fixed a critical vulnerability tracked as CVE-2025-20309 (CVSSv3 10.0 according to the vendor) in its Unified Communications Manager (Unified CM and Unified CM SME) products. The flaw allowed a remote, unauthenticated attacker to gain root privileges by using static, non-modifiable credentials that were left over from development.
Successful exploitation would allow execution of arbitrary commands with full administrator permissions. The flaw affects Engineering Special versions 15.0.1.13010-1 through 15.0.1.13017-1. Cisco is not aware of active exploitation or of public proof-of-concept code, but has published guidance on how to check for indicators of compromise associated with exploitation of the flaw.
There is no workaround: the only remediation is to upgrade to version 15SU3 (July 2025) or to apply patch CSCwp27755.
Vulnerability discovered in the new Chrome cookie encryption
Researchers at CyberArk have disclosed a critical weakness in Google Chrome's AppBound Cookie Encryption, a protection introduced in version 127 to mitigate cookie theft by malware. The attack, dubbed "C4 Bomb" (Chrome Cookie Cipher Cracker), allows low-privileged attackers to recover encrypted cookies without administrator permissions.
The method is a padding oracle attack that abuses the error handling of the Windows DPAPI encryption system and the event logs it produces to recover encrypted keys. With thousands of requests to the Chrome elevation service, an attacker can decrypt the protected cookies. The technique bypasses the two-layer defence that combined per-user and per-system encryption, and has already been integrated into open source tools, which lowers the bar for less sophisticated actors.
Google has acknowledged the flaw and is working with the community to strengthen defences against this new class of attack.
RansomHub attack compromises network via RDP and legitimate tools
DFIR Labs has documented a sophisticated attack chain carried out by an actor deploying the RansomHub ransomware. Initial access was gained in November 2024 by password spraying against an exposed RDP server. The attacker compromised multiple accounts, escalated privileges and ran a six-day operation that included credential theft, lateral movement and mass file encryption.
According to the researchers, tools such as Mimikatz, NirSoft utilities and network scanners were used alongside legitimate binaries such as net and nltest. Remote management software such as Atera and Splashtop allowed persistence to be maintained without arousing suspicion. Using Rclone, 2 GB of data was exfiltrated to an external server before the ransomware was deployed via the amd64.exe file.
The attacker also deleted shadow copies and logs, and the "Time to Ransomware" (from initial access to encryption) was 118 hours.
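The tradecraft in this case (discovery with net and nltest, credential dumping, remote management tooling, Rclone exfiltration, shadow copy and log deletion, then the ransomware binary) is a good hunting checklist. The following is an added example, not code from DFIR Labs or the report: it runs a handful of command-line detection rules over constructed process-creation events and computes the same "Time to Ransomware" metric from the first observed event to the first ransomware execution. All hosts, users, file names and timestamps are invented; the rules match well-known command syntax, and the amd64.exe rule reuses the file name quoted above purely for the demo (a file name is a weak indicator on its own).

```python
"""Hunt for RansomHub-style activity over constructed process-creation events.
Added example: events, hosts and file names are invented for illustration."""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed events: (UTC timestamp, host, user, command line).
EVENTS: List[Tuple[str, str, str, str]] = [
    ("2024-11-14T02:00:00Z", "RDP-GW01", "jsmith",
     r'C:\Windows\System32\net.exe group "Domain Admins" /domain'),
    ("2024-11-14T02:05:10Z", "RDP-GW01", "jsmith",
     r"nltest.exe /dclist:corp.example"),
    # Renamed Mimikatz binary: matching on module names (sekurlsa::) still catches it.
    ("2024-11-14T03:40:00Z", "RDP-GW01", "jsmith",
     r'C:\Users\Public\mk.exe "privilege::debug" "sekurlsa::logonpasswords" exit'),
    ("2024-11-15T09:12:00Z", "FS01", "administrator",
     r"msiexec.exe /i C:\Temp\AteraAgent.msi /qn"),          # constructed installer name
    ("2024-11-16T10:00:00Z", "WS07", "alice",
     r"C:\Windows\System32\net.exe use Z: \\FS01\share"),     # benign: no domain recon
    ("2024-11-18T22:30:00Z", "FS01", "administrator",
     r"rclone.exe copy \\FS01\Finance remote:bkp --transfers 8"),
    ("2024-11-18T23:50:00Z", "DC01", "administrator",
     r"vssadmin.exe delete shadows /all /quiet"),
    ("2024-11-18T23:51:00Z", "DC01", "administrator",
     r"wevtutil.exe cl Security"),
    ("2024-11-19T00:00:00Z", "DC01", "administrator",
     r"C:\Temp\amd64.exe"),
]

# (rule name, tactic label, pattern over the command line)
RULES = [
    ("credential_dumping",   "Credential Access",
     re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)),
    ("ad_discovery",         "Discovery",
     re.compile(r"\b(net1?|nltest)(\.exe)?\b.*(/domain|/dclist|/domain_trusts)", re.I)),
    ("remote_mgmt_tool",     "Persistence",
     re.compile(r"atera|splashtop", re.I)),
    ("rclone_exfil",         "Exfiltration",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I)),
    ("shadow_copy_deletion", "Impact",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I)),
    ("event_log_clearing",   "Defense Evasion",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("ransomware_binary",    "Impact",
     re.compile(r"\bamd64\.exe\b", re.I)),   # file name from the report; demo only
]


def scan(events: List[Tuple[str, str, str, str]]) -> List[Dict[str, str]]:
    """Apply every rule to every event; one finding per (event, matching rule)."""
    findings = []
    for ts, host, user, cmd in events:
        for rule, tactic, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"ts": ts, "host": host, "user": user,
                                 "rule": rule, "tactic": tactic, "command": cmd})
    return findings


def tactic_summary(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per tactic label, useful for a quick timeline overview."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["tactic"]] = counts.get(f["tactic"], 0) + 1
    return counts


def _parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def time_to_ransomware_hours(events: List[Tuple[str, str, str, str]]) -> Optional[float]:
    """Hours from the earliest event to the first ransomware execution,
    i.e. the 'Time to Ransomware' metric; None if no deployment was seen."""
    deploy = [f for f in scan(events) if f["rule"] == "ransomware_binary"]
    if not events or not deploy:
        return None
    first_seen = min(_parse_ts(e[0]) for e in events)
    first_deploy = min(_parse_ts(f["ts"]) for f in deploy)
    return (first_deploy - first_seen).total_seconds() / 3600


if __name__ == "__main__":
    hits = scan(EVENTS)
    for f in hits:
        print(f"{f['ts']} {f['host']:8} {f['user']:14} {f['rule']:22} {f['command']}")
    print(tactic_summary(hits))
    print("Time to Ransomware (h):", time_to_ransomware_hours(EVENTS))
```

The constructed timeline is deliberately 118 hours long to mirror the figure above. In practice the discovery and exfiltration rules are the ones worth tuning first: net use is noisy and must not trigger, while nltest /dclist and rclone copy from a file server are rarely legitimate outside IT change windows.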
Signs of active exploitation of Citrix Bleed 2
ReliaQuest has observed evidence that CVE-2025-5777 (CVSSv4 9.3), known as Citrix Bleed 2, is being actively exploited to gain initial access. Observed signs include hijacked web sessions, the same session reused from multiple IP addresses, LDAP queries for Active Directory reconnaissance, and the use of tools such as ADExplorer64.exe in compromised environments.
The vulnerability, which affects Citrix NetScaler ADC and Gateway devices, allows an attacker to read out-of-bounds memory and extract session tokens, which can then be used to bypass authentication even when MFA is enabled.
Citrix recommends applying the available patches (ADC/Gateway versions 14.1-43.56, 13.1-58.32, 12.1-55.328 and later) and terminating all active sessions after the update so that previously stolen tokens cannot be reused.
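Two of the points above translate directly into checks a defender can script: whether a session token has been seen from more than one source IP, and whether a NetScaler build is at or past the fixed versions listed. The following is an added example, not ReliaQuest or Citrix code. The access-log format is a simplified constructed one (real NetScaler syslog lines look different, so the regex would need adapting), the IP addresses are documentation ranges, and the version comparison assumes build numbers are ordered numerically within a release branch.

```python
"""Defender checks for the Citrix Bleed 2 indicators: session reuse across IPs
and a patched-version test. Added example with a constructed log format."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed, simplified access-log lines (not real NetScaler syslog format).
SAMPLE_LOG = """\
2025-07-01T10:00:00Z session=sess-7f3a src=203.0.113.5 user=bob path=/cgi/login
2025-07-01T10:01:20Z session=sess-7f3a src=203.0.113.5 user=bob path=/vpn/index.html
2025-07-01T10:03:05Z session=sess-7f3a src=198.51.100.23 user=bob path=/vpn/index.html
2025-07-01T10:04:00Z session=sess-2b19 src=192.0.2.10 user=carol path=/cgi/login
2025-07-01T10:06:40Z session=sess-2b19 src=192.0.2.10 user=carol path=/vpn/index.html
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) session=(?P<session>\S+) src=(?P<src>\S+) user=(?P<user>\S+)")


def sessions_with_multiple_ips(log_text: str, min_ips: int = 2) -> Dict[str, List[str]]:
    """Return {session: sorted source IPs} for every session seen from at least
    min_ips distinct addresses. A token reused from a new IP is the session
    hijack pattern described above and is a triage lead, not proof on its own."""
    seen: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip malformed lines instead of aborting the scan
        seen[m["session"]].add(m["src"])
    return {s: sorted(ips) for s, ips in seen.items() if len(ips) >= min_ips}


# First fixed builds per branch, as listed in the advisory summary above.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (14, 1): (14, 1, 43, 56),
    (13, 1): (13, 1, 58, 32),
    (12, 1): (12, 1, 55, 328),
}


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'14.1-43.56' -> (14, 1, 43, 56)."""
    release, build = version.strip().split("-", 1)
    major, minor = release.split(".")
    build_major, build_minor = build.split(".")
    return (int(major), int(minor), int(build_major), int(build_minor))


def is_patched(version: str) -> Optional[bool]:
    """True if the build is at or past the fixed build for its branch,
    False if older, None if the branch is not in FIXED_BUILDS."""
    v = parse_version(version)
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


if __name__ == "__main__":
    for session, ips in sessions_with_multiple_ips(SAMPLE_LOG).items():
        print(f"session {session} seen from {len(ips)} addresses: {', '.join(ips)}")
    for build in ("14.1-43.56", "14.1-43.50", "13.1-58.32", "12.1-55.300", "15.0-1.1"):
        print(build, "patched:", is_patched(build))
```

A session legitimately changes IP when a user roams between networks, so in production the multi-IP check is best combined with the other signals in the report (LDAP reconnaissance or ADExplorer64.exe shortly after the IP change). The version check only says the build is fixed; it does not replace the second step of the advice, which is to terminate existing sessions after patching.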
Germany asks Google and Apple to remove DeepSeek from their stores
Berlin's Data Protection Commissioner has formally asked Google and Apple to remove the DeepSeek AI app from their stores for violations of the General Data Protection Regulation (GDPR). The app's Chinese owner, Hangzhou DeepSeek AI, is accused of unlawfully collecting German users' data and transferring it to servers in China, where an adequate level of protection is not guaranteed.
The company had already refused an earlier request to withdraw the app voluntarily, which led the authority to invoke Article 16 of the Digital Services Act (DSA), the mechanism for reporting illegal content to platforms.