Challenges in Vulnerability Management and the Rise of Network Device Exploits

Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software.

The UNC5221 activity cluster, attributed to suspected Chinese hackers, has been using the BRICKSTORM malware in long-term espionage operations against U.S. organizations in the technology, legal, SaaS, and BPO sectors. The malware, a Go-based backdoor, has been active for over a year, with an average dwell time of 393 days. It has been used to steal data from various sectors, including SaaS providers and BPOs. The attackers exploit vulnerabilities in edge devices and use anti-forensics techniques to avoid detection. The malware serves multiple functions, including web server, file manipulation, dropper, SOCKS relay, and shell command execution. It targets appliances without EDR support, such as VMware vCenter/ESXi, and uses legitimate traffic to mask its C2 communications. The attackers aim to exfiltrate emails and maintain stealth through various tactics, including removing the malware post-operation to hinder forensic investigations. The attackers use a malicious Java Servlet Filter (BRICKSTEAL) on vCenter to capture credentials, and clone Windows Server VMs to extract secrets. The stolen credentials are used for lateral movement and persistence, including enabling SSH on ESXi and modifying startup scripts. The malware exfiltrates emails via Microsoft Entra ID Enterprise Apps, utilizing its SOCKS proxy to tunnel into internal systems and code repositories. UNC5221 focuses on developers, administrators, and individuals tied to China's economic and security interests. Mandiant has released a free scanner script to help defenders detect BRICKSTORM. The BRICKSTORM backdoor is under active development, with a variant featuring a delay timer for C2 communication. The attackers have exploited Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887) for initial access. The attackers have used a custom dropper to install a malicious Java Servlet filter (BRICKSTEAL) in memory, avoiding detection. The attackers have modified init.d, rc.local, or systemd files to ensure persistence on appliances. The attackers have targeted Windows environments in Europe since at least November 2022. The attackers have been linked to other related Chinese threat actors besides UNC5221. The campaign has been monitored by Mandiant since March 2025. The attackers have targeted downstream customers of compromised SaaS providers. The attackers are believed to be analyzing stolen source code to identify zero-day vulnerabilities in enterprise technologies. The attackers use a delay timer to lie dormant on infected systems until a hard-coded date. The malware employs Garble, an open-source tool, for code obfuscation to hide function names, structures, and logic. Brickstorm has been found on VMware vCenter and ESXi hosts, often deployed prior to pivoting to these systems. The attackers use legitimate cloud services like Cloudflare Workers or Heroku for C2 communications. The attackers use dynamic domains like sslip.io or nip.io that point directly to the C2 server’s IP. The attackers favor appliance and management-plane compromise, per-victim obfuscated Go binaries, delayed-start implants, and Web/DoH C2 to preserve stealth. The attackers harvest and use valid high-privilege credentials to appear as routine administrator tasks. The attackers deploy in-memory servlet filters, remove installer artifacts, and embed delayed-start logic to limit forensic traces. The attackers abuse virtualization management capabilities, such as cloning VMs to extract credential stores offline. The attackers deploy an in-memory Java Servlet filter on vCenter to intercept and decode web authentication to harvest high-privilege credentials. The attackers use a SOCKS proxy on compromised appliances to tunnel into internal networks for interactive access and file retrieval.

Microsoft's September 2025 Patch Tuesday addresses 80 vulnerabilities, including one publicly disclosed flaw and eight critical vulnerabilities. The updates fix a range of issues, including privilege escalation, remote code execution, information disclosure, and denial-of-service vulnerabilities. The patches also cover a critical flaw in Azure Networking and address a new lateral movement technique dubbed BitLockMove. Additionally, security updates have been released by multiple vendors, including Adobe, Cisco, Google, and others. The September 2025 update includes 38 elevation of privilege (EoP) vulnerabilities. The two zero-day vulnerabilities are CVE-2025-55234 in Windows SMB Server and CVE-2024-21907 in Microsoft SQL Server. The SMB vulnerability is exploited through relay attacks, while the SQL Server flaw involves improper handling of exceptional conditions in Newtonsoft.Json. The updates also include hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing to assess compatibility issues. The KB5065429 cumulative update for Windows 10 22H2 and 21H2 includes fourteen fixes or changes, addressing unexpected UAC prompts and severe lag and stuttering issues with NDI streaming software. The update enables auditing SMB client compatibility for SMB Server signing and SMB Server EPA, and includes an opt-in feature for administrators to allow outbound network traffic from Windows 10 devices. The September 2025 update includes 38 elevation of privilege (EoP) vulnerabilities. CVE-2025-55234 is an elevation of privilege vulnerability with a CVSS score of 8.8. CVE-2025-54918 in Windows NT LAN Manager (NTLM) is marked as critical and has a CVSS score of 8.8. CVE-2025-54111 and CVE-2025-54913 are EoP vulnerabilities in Windows UI XAML. CVE-2025-55232 in the Microsoft High Performance Compute (HPC) Pack has a CVSS score of 9.8. CVE-2025-54916 in Windows NTFS has a CVSS score of 7.8 and can be exploited through SMB or local parsing routines. Microsoft has released the final non-security preview update for Windows 10, version 22H2, which includes fixes for the out-of-box experience and SMBv1 protocol connectivity. The update improves the servicing stack, updating Windows 10 22H2 systems to build 19045.6396. The update includes fixes and quality improvements from the KB5065429 cumulative update, enabling support for IT administrators to deploy hardening measures for SMB. The update addresses an issue causing non-admin users to receive unexpected User Account Control (UAC) prompts and fixes delays or uneven audio and video performance issues with Network Device Interface (NDI) streaming. Microsoft will stop providing security updates for Windows 10 after October 14, 2025, and the Extended Security Updates (ESU) program is available for Windows 10 users to delay the switch to Windows 11. Individual customers in the European Economic Area (EEA) can enroll in the ESU program for free.

The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024. Akira and Cl0p are the most active ransomware-as-a-service (RaaS) groups, targeting manufacturing, technology, and the US. The RaaS model enables lower-skilled actors to launch attacks, contributing to the surge. New tactics include pure extortion, AI-assisted phishing, and exploitation of SonicWall SSL VPN vulnerabilities. Akira has targeted SonicWall devices, exploiting a year-old security flaw (CVE-2024-40766) and misconfigurations, leading to increased threat activity and unauthorized access. The Australian Cyber Security Centre (ACSC) has acknowledged Akira's targeting of vulnerable Australian organizations through SonicWall devices. The recent increase in exploitation of CVE-2024-40766 has been linked to incomplete remediation and misconfigurations, with SonicWall advising immediate patching and security measures. Over the past three months, Akira ransomware attacks have led to a surge in the exploitation of CVE-2024-40766, an improper access control issue in SonicWall firewalls. Akira operators are targeting SSL VPN accounts that use a one-time password (OTP) as the multi-factor authentication (MFA) option. Arctic Wolf observed dozens of incidents tied to VPN client logins from VPS hosting providers, network scanning, Impacket SMB activity, and Active Directory discovery. Akira's dwell times are among the shortest recorded for ransomware, measured in hours. Akira affiliates leveraged pre-installed and legitimate utilities to evade detection, using the Datto RMM tool on a domain controller to execute a PowerShell script and gain full control over the server. The attackers modified registries to evade detection, turned off security features, and dropped various files, including scripts that modified firewall rules.