Major Incidents or Breaches

  • Citrix NetScaler ADC Vulnerability (CVE-2025-6543): Citrix released emergency patches for a critical vulnerability in NetScaler ADC appliances, which has been actively exploited in the wild for denial of service and session hijacking attacks. The flaw, dubbed “CitrixBleed 2,” allows unauthenticated attackers to steal authentication tokens and disrupt services.
  • SonicWall NetExtender Trojan: Unknown threat actors have distributed a trojanized version of SonicWall’s NetExtender SSL VPN client, enabling credential theft from users who install the compromised application.
  • Pro-Iranian Hacktivist Data Leak: The Cyber Fattah group, aligned with Iranian interests, leaked thousands of personal records related to athletes and visitors of the 2024 Saudi Games.
  • BreachForums Operator Arrests: French authorities reportedly arrested five operators of the BreachForums cybercrime forum, which facilitated the trade and exposure of stolen data.
  • “IntelBroker” Charged: A British national known as “IntelBroker” has been charged in the US for stealing and selling sensitive data from global victims, causing $25 million in damages.

Newly Discovered Vulnerabilities

  • Citrix NetScaler ADC (CVE-2025-6543, “CitrixBleed 2”): Critical vulnerability allowing token theft, session hijacking, and denial of service. Actively exploited prior to patch release.
  • SAP GUI for Windows and Java: Two vulnerabilities, now patched, could have allowed attackers to access sensitive user data via exploitation of the input history feature.
  • WinRAR (CVE-2025-6218): Directory traversal vulnerability allowing malware execution from specially crafted archives upon extraction.
  • Brother Printers: Multiple vulnerabilities, including a critical unpatchable flaw (CVSS 9.8) that enables attackers to generate default admin passwords on hundreds of models.
  • Microsoft Entra ID (nOAuth): A known vulnerability in Entra ID still affects 9% of SaaS apps two years after discovery, risking account takeovers. Additional research highlights risks related to guest user invitation and access control gaps.
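The WinRAR item above concerns archive members whose names escape the extraction directory. As an added example (not code from any vendor or from the sources summarized here), this Python snippet vets zip member names against a destination directory before anything is written to disk; the archive contents are constructed test data.

```python
import io
import os
import posixpath
import zipfile

# Constructed sample archive: one benign member plus three members whose names
# try to leave the extraction directory (the pattern behind archive traversal bugs).
SAMPLE_MEMBERS = {
    "report/readme.txt": b"quarterly numbers",
    "../../outside/dropped.txt": b"constructed payload stand-in",
    "/abs/path/dropped.txt": b"constructed payload stand-in",
    "docs\\..\\..\\dropped.dll": b"constructed payload stand-in",
}

def build_sample_zip() -> bytes:
    """Return an in-memory zip containing SAMPLE_MEMBERS (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in SAMPLE_MEMBERS.items():
            zf.writestr(name, data)
    return buf.getvalue()

def is_safe_member(name: str, dest_dir: str) -> bool:
    """True only if extracting `name` would land inside dest_dir."""
    # Treat backslashes as separators: Windows archivers do, so "docs\..\x"
    # is as dangerous as "docs/../x". Absolute names are rejected outright.
    normalized = name.replace("\\", "/")
    if posixpath.isabs(normalized):
        return False
    # Resolve the member against the destination and require that it is still
    # under the destination root once ".." segments have been collapsed.
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, *normalized.split("/")))
    return os.path.commonpath([root, target]) == root

def vet_archive(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Split members into (allowed, rejected) without extracting anything."""
    allowed, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            bucket = allowed if is_safe_member(info.filename, dest_dir) else rejected
            bucket.append(info.filename)
    return allowed, rejected

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract only vetted members and return the names that were written."""
    allowed, _ = vet_archive(zip_bytes, dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in allowed:
            zf.extract(name, dest_dir)
    return allowed
```

Python's own `zipfile.extract` already strips traversal components, so the value of `vet_archive` is that rejected names can be logged or alerted on rather than silently rewritten, and the same check applies to extractors that do not sanitize.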

Notable Threat Actor Activity

  • North Korean Supply Chain Attacks: The “Contagious Interview” campaign linked to North Korea continues, with 35 new malicious npm packages targeting developers and job seekers. Packages deliver infostealers and backdoors.
  • Charming Kitten (Iran): This Iran-sponsored APT has targeted Israeli cybersecurity experts with spear-phishing campaigns.
  • Dire Wolf Ransomware: An emerging ransomware group has compromised 16 organizations in the technology and manufacturing sectors across 11 countries since May, employing double extortion tactics.
  • Abuse of ConnectWise ScreenConnect: Threat actors are modifying the Authenticode signature of ScreenConnect installers to create signed remote access malware.
  • OneClik Campaign: Attackers are leveraging Microsoft’s ClickOnce deployment tool and AWS infrastructure to deliver custom Golang backdoors, targeting the energy sector.

Trends, Tools, or Tactics of Interest

  • Social Engineering: Europol reports that social engineering remains a leading initial access vector for cybercriminals.
  • AI and Collaboration Tool Abuse: Kaspersky’s SMB threat report highlights increasing targeting of small and medium businesses through AI-powered scams, phishing, and malware, particularly via collaboration platforms.
  • Generative AI in Supply Chain Attacks: Malicious actors are leveraging AI-generated software components to compromise software supply chains.
  • Remote Access Tool Abuse: Both SonicWall NetExtender and ConnectWise ScreenConnect have been abused for distributing malware and credential theft.
  • AI Evasion Tactics: Researchers identified a rudimentary malware sample (“Skynet”) that attempts to instruct AI-based security tools to ignore it, suggesting early stages of adversarial AI evasion.
  • Open MCP Servers: Hundreds of MCP servers exposing AI models are vulnerable to abuse and remote code execution.
  • Security Features in Consumer Products: Avast has integrated AI-powered scam detection into its antivirus products; WhatsApp and Ring have added AI features for message and video summarization; Android 16 introduces new security features requiring user activation.

Regulatory or Policy Developments

  • CISA Downsizing: Reports note reductions in staffing and resources at the US Cybersecurity and Infrastructure Security Agency (CISA), with potential implications for the broader cybersecurity landscape.