ReVault Attack Targets Dell ControlVault3 Firmware in Over 100 Laptop Models


Summary

Cybersecurity researchers have identified multiple vulnerabilities in Dell's ControlVault3 firmware and associated Windows APIs. These flaws, collectively named ReVault, could allow attackers to bypass Windows login, extract cryptographic keys, and maintain persistence even after OS reinstallations. Over 100 Dell laptop models using Broadcom BCM5820X series chips are affected. No evidence of exploitation in the wild has been reported. The vulnerabilities were presented at Black Hat USA and include out-of-bounds write, arbitrary free, stack-based buffer overflow, out-of-bounds read, and deserialization of untrusted input issues. Affected industries include those using ControlVault for secure login via smart card or NFC readers.

Timeline

  1. 09.08.2025 21:55 📰 1 article

    ReVault Attack Targets Dell ControlVault3 Firmware in Over 100 Laptop Models

    Cybersecurity researchers have identified multiple vulnerabilities in Dell's ControlVault3 firmware and associated Windows APIs. These flaws, collectively named ReVault, could allow attackers to bypass Windows login, extract cryptographic keys, and maintain persistence even after OS reinstallations. Over 100 Dell laptop models using Broadcom BCM5820X series chips are affected. The vulnerabilities include out-of-bounds write, arbitrary free, stack-based buffer overflow, out-of-bounds read, and deserialization of untrusted input issues.

Similar Happenings

Exploit chain in Sitecore Experience Platform enables remote code execution

Three new vulnerabilities in the Sitecore Experience Platform can be chained to achieve remote code execution (RCE). The flaws include HTML cache poisoning, RCE through insecure deserialization, and information disclosure via the ItemService API. Patches for these vulnerabilities were released in June and July 2025. The exploit chain leverages a combination of pre-authentication and post-authentication vulnerabilities to compromise fully patched instances of the platform. Additionally, a zero-day vulnerability (CVE-2025-53690) has been exploited by threat actors to deliver malware, including WeepSteel, and perform extensive reconnaissance and lateral movement. The flaw is a ViewState deserialization vulnerability caused by the inclusion of a sample ASP.NET machine key in pre-2025 Sitecore guides. The attackers target the '/sitecore/blocked.aspx' endpoint, which contains an unauthenticated ViewState field, and achieve RCE under the IIS NETWORK SERVICE account by leveraging CVE-2025-53690. The malicious payload dropped by the attackers is WeepSteel, a reconnaissance backdoor that gathers system, process, disk, and network information. The attack observed by Mandiant stemmed from a documentation issue involving sample machine keys provided for customer use. Sitecore advised customers to rotate and secure ASP.NET machine keys, encrypt elements in web.config files, and restrict access to administrators only. CISA has ordered FCEB agencies to update their Sitecore instances by September 25, 2025.

Citrix NetScaler ADC and Gateway vulnerabilities actively exploited

Citrix has released patches for three vulnerabilities in NetScaler ADC and NetScaler Gateway. One of these vulnerabilities, CVE-2025-7775, is a zero-day flaw actively exploited in the wild. The flaws affect various configurations and can lead to remote code execution, denial-of-service, or improper access control. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-7775 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate the flaw within 48 hours. The vulnerabilities were discovered by security researchers Jimi Sebree, Jonathan Hetzer, and François Hämmerli. Nearly 20% of NetScaler assets identified are on unsupported, end-of-life versions, primarily in North America and the APAC region.

Russian State-Sponsored Hackers Exploit Cisco Vulnerability for Cyber Espionage

The Russian state-sponsored cyber espionage group Static Tundra is exploiting a seven-year-old vulnerability (CVE-2018-0171) in Cisco IOS and Cisco IOS XE software to establish persistent access to target networks. The group, linked to the FSB's Center 16 unit, targets telecommunications, higher education, manufacturing, and critical infrastructure sectors across North America, Asia, Africa, and Europe, including increased attacks in Ukraine since the start of the war. The attacks involve exploiting the Smart Install feature to execute arbitrary code and collect configuration files from thousands of networking devices. The group uses custom tools like SYNful Knock for persistence and employs SNMP to gain unauthorized access. The primary goal is long-term intelligence gathering, with a focus on the strategic interests of the Russian government. The FBI and Cisco have issued advisories warning about the ongoing exploitation of this vulnerability, urging organizations to patch or disable the Smart Install feature. End-of-life devices are particularly vulnerable, as they no longer receive security updates, creating persistent attack vectors. The FBI has detected the actors collecting configuration files for thousands of networking devices associated with US entities across critical infrastructure sectors. The actors used the unauthorized access to conduct reconnaissance in the victim networks, which revealed their interest in protocols and applications commonly associated with industrial control systems. The same hacking group has previously targeted the networks of US state, local, territorial, and tribal (SLTT) government organizations and aviation entities over the last decade. The U.S. Department of State has offered a $10 million reward for information on three FSB officers involved in these cyberattacks, highlighting the group's extensive targeting of critical infrastructure and energy companies globally. The three officers, Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov, targeted over 380 energy-sector companies in 135 countries. They were involved in the Dragonfly campaign, which included obtaining persistent access to victim networks and infecting them with the Havex malware through supply chain compromise.

Clickjacking flaws in multiple password managers

Six major password managers have unpatched clickjacking vulnerabilities that could allow attackers to steal account credentials, 2FA codes, and credit card details. The flaws were demonstrated at DEF CON 33 by independent researcher Marek Tóth. Affected password managers include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce. The attack exploits browser-based autofill features, overlaying invisible HTML elements to trick users into leaking sensitive information. The vulnerabilities were disclosed to vendors in April 2025, with public disclosure planned for August 2025. Some vendors have acknowledged the issues but downplayed their severity. Bitwarden has released a patch, version 2025.8.0, to address the vulnerabilities. Users are advised to disable autofill and use copy/paste until fixes are available.

ReVault vulnerability in Dell ControlVault firmware disclosed

A critical security flaw, dubbed ReVault, has been discovered in the ControlVault firmware used in millions of Dell Latitude and Precision laptops. This vulnerability allows unauthorized access to secure peripherals, such as fingerprint and smart card readers, potentially enabling attackers to extract secret keys and bypass authentication mechanisms. The flaw affects the control board that manages these secure peripherals, allowing any user on the machine to send undocumented commands to it. This can lead to code execution on the board, extraction of secret keys, and permanent modification of its firmware, which persists even after the operating system is reinstalled. ReVault consists of five CVEs, three of which were chained to achieve code execution and firmware modification. Dell and Broadcom have released patches to address the vulnerability, underscoring the importance of firmware security and thorough analysis of embedded systems.