Vulnerabilities & Exploits

Cisco ASA & FTD Zero-Day Exploitation: CISA Emergency Directive

Cisco has confirmed two actively exploited zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) platforms. One flaw (CVE-2025-20333, CVSS 9.9) allows remote code execution, while the other (CVE-2025-20362, CVSS 6.5) enables unauthenticated access to restricted URLs. Together, these issues provide attackers with a pathway from authentication bypass to full device compromise.

Cisco has published an event response to the continued attacks which includes detailed recommended actions. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded with Emergency Directive 25-03, giving federal agencies just 24 hours to identify and mitigate affected devices. The urgency reflects the severity: these vulnerabilities strike at the gateways to enterprise and government networks.

What’s at Risk

Cisco’s ASA and FTD appliances often serve as the first line of defense with handling VPN access, firewall rules, and traffic inspection. Compromise at this layer allows adversaries to:

Deploy custom malware and webshells.
Escalate privileges to root and persist across reboots by tampering with read-only memory (ROM).
Intercept or manipulate traffic flowing into the network.

Threat intelligence links this activity to ArcaneDoor, a sophisticated campaign previously observed targeting perimeter infrastructure. Recent reports confirm attackers chaining vulnerabilities, disabling logging, and even corrupting diagnostics to evade detection.

Penetration testing and Vulnerability Management services can help organizations proactively search for indicators of compromise (IoCs) within ASA/FTD appliances and ensure persistence mechanisms like ROM tampering are identified quickly.

Scale of Exposure

Despite repeated warnings, more than 48,000 internet-facing ASA/FTD instances remain unpatched, according to Shadowserver scans. The majority are located in the U.S., followed by the U.K., Japan, Germany, and Canada.

The delay in patching exposes organizations to real-time scanning campaigns already observed by the threat intel community. In many cases, scans preceded Cisco’s public disclosure, indicating adversaries had early knowledge of these flaws.

Required Actions & Mitigations

Cisco continues to release updates and detailed guidance. For organizations unable to patch immediately, temporary mitigations include restricting VPN web interface exposure and monitoring for crafted HTTP requests or suspicious logins.

Focus on these immediate steps:

Patch & Harden: Apply Cisco’s fixes where available; otherwise, restrict HTTP(S) access to the VPN component. Ensure devices are properly managed and hardened through a configuration audit.
Firmware Integrity: Verify ROM and firmware integrity, leveraging Secure Boot if supported.
Network Monitoring: Deploy anomaly detection and behavioral monitoring on VPN traffic. Managed SIEM with User Entity and Behavior Analytics (UEBA) can detect abnormal logins, unusual session activity, and persistence attempts in real-time on edge devices.
Credential Security: Replace local passwords, certificates, and keys on potentially impacted devices. A comprehensive risk assessment evaluates identity and access management controls against best practice frameworks like NIST and CIS.

Why This Matters

Zero-days in perimeter appliances are uniquely dangerous: they sit in trusted positions, often unmonitored, and provide attackers with deep footholds when compromised. For SMBs and enterprises alike, compromise of a firewall or VPN gateway can mean attackers control the gate into your environment.

As one analyst noted, “When a firewall is compromised at root level, defending becomes almost impossibly reactive. The best time to act is before compromise.”

Conclusion

The Cisco ASA and FTD vulnerabilities highlight a critical reality: perimeter devices are some of the most attractive targets for threat actors. A single exploited flaw in a firewall or VPN gateway can provide attackers with direct access to internal networks, persistence mechanisms, and even the ability to wipe forensic evidence.

Organizations cannot treat these devices as “set-and-forget” infrastructure. They demand continuous attention by patching on short timelines, hardening configurations, and validating controls against real-world attacks.

Entra ID Nightmare: Actor Tokens Exposed Global Admins

“This vulnerability could have allowed me to compromise every Entra ID tenant in the world.”
— Dirk-jan Mollema, Security Researcher

What Happened: A Silent Path to Global Admin in Any Tenant

In a high-stakes vulnerability disclosed by researcher Dirk-jan Mollema, attackers could impersonate any user in any Microsoft Entra ID tenant, including Global Admins, using a little-known and undocumented type of access called an actor token. This wasn’t a theoretical problem. It was a dangerous combo of:

Actor tokens, issued through a long-deprecated Microsoft legacy system (ACS), which allowed service-to-service impersonation.
A bug in the Azure AD Graph API (graph.windows.net), which failed to properly verify tenant boundaries when actor tokens were used.

By creating a valid actor token in their own tenant, an attacker could swap in a victim’s tenant ID and user identifier, then impersonate a Global Admin in the victim org with no MFA, no Conditional Access, and no logging on the victim side. It’s essentially like crafting a master key in your own house, then using it to unlock anyone else’s, while the alarm system remains silent.

Why This Was So Dangerous

Bypassed core defenses like MFA, Conditional Access, and device compliance checks.
No logs in the victim tenant, meaning most orgs wouldn’t even see the attack happening.
Used legacy APIs, which many orgs haven’t fully deprecated, even though Microsoft has warned about them for years.
Global Admin access, which opens up full control of users, apps, email, and cloud resources.

If exploited, this would have been a multi-tenant cloud compromise scenario, on par with some of the most severe identity-related vulnerabilities we’ve seen.

What Security Teams Should Do Right Now

Even though Microsoft has patched the issue (CVE-2025-55241), there are still critical steps every organization should take:

1. Audit API Usage

Identify and remove any use of the Azure AD Graph API (graph.windows.net).
Migrate to Microsoft Graph immediately.
Disable legacy auth protocols and deprecated token flows wherever possible.

2. Investigate for Signs of Abuse

Review privileged role assignments, especially any unusual changes to Global Admins or app role assignments.
Correlate logs across tenants, if applicable, attacker activity may only show up in non-obvious places.
Look for anomalous use of old service principals or unexpected API behavior.

3. Harden Identity Access

Reduce the number of permanent Global Admins; implement Just-in-Time (JIT) access and role-based delegation.
Enforce MFA, even on service accounts and break-glass accounts.
Use Conditional Access policies that include risk-based signals and device context.

4. Eliminate Legacy Dependencies

Scan for usage of legacy tokens, ACS integrations, or unmaintained identity flows in internal tools.
Kill off service-to-service connections that don’t use modern token validation and signing.

Final Thoughts

This vulnerability may be patched, but it reveals how much of your cloud identity security depends on what’s under the surface. If your monitoring, detection, or assessment strategy ignores identity and API-level threats, you’re not seeing the full picture.
You don’t need to wait for another “actor token” scenario to start addressing these risks. Focus now on:

Identity attack surface assessments
M365 Configuration Audits
Cloud penetration testing
Privilege escalation detection
Legacy API decommissioning
Logging & forensics visibility across Entra ID

And remember: it’s often the quiet, undocumented pieces of infrastructure, not the flashy zero-days, that give attackers the loudest victories.

Supply Chain Attack: Palo Alto, Zscaler, Salesforce & Cloudflare

What Happened
A widespread supply chain attack targeting Salesloft Drift has compromised data across hundreds of organizations, including major cybersecurity vendors such as Palo Alto Networks, Zscaler, and Cloudflare.

The threat actor, tracked as UNC6395, stole OAuth tokens from Drift’s Salesforce integrations between August 8 and August 18. These tokens allowed attackers to access Salesforce environments and exfiltrate data, including business contact information, sales account records, product licensing details, and in some cases, customer support case content. Cloudflare reported that API tokens and credentials shared in support tickets were among the compromised data.

Salesforce has since disabled all Salesloft Drift integrations, and Salesloft announced that the Drift platform will be taken offline while resiliency and security measures are rebuilt. Despite quick containment, the campaign has shown just how quickly a compromise of one SaaS platform can cascade across hundreds of organizations.

Indicators of Compromise (IOCs)
Cloudflare, among other victims, shared the following IOCs to aid detection and response efforts:

Suspicious IP Addresses:
- 208.68.36.90
- 44.215.108.109
- 154.41.95.2
- 176.65.149.100
- 179.43.159.198
- 185.130.47.58
- 185.207.107.130
- 185.220.101.133
- 185.220.101.185
- 185.220.101.33
- 192.42.116.179
- 192.42.116.20
- 194.15.36.117
- 195.47.238.178
- 195.47.238.83

Malicious User-Agent Signatures:
- Salesforce-Multi-Org-Fetcher/1.0
- Salesforce-CLI/1.0
- python-requests/2.32.4
- Python/3.11 aiohttp/3.12.15
- TruffleHog

These patterns should be queried within Salesforce logs, connected application logs, and identity provider (IdP) logs to identify potential exposure or abuse.

Why It Matters
Supply chain compromises have become a recurring theme in today’s interconnected enterprise environment. Even vendors dedicated to security found themselves at risk through integrations that extended their attack surface. By abusing OAuth tokens and Salesforce APIs, attackers were able to access data that could be used for highly targeted phishing, smishing, and impersonation campaigns.

Incidents like this show why organizations cannot rely solely on vendor assurances. Regular penetration testing can uncover weak integration points and help simulate how attackers might abuse connected applications. Vulnerability scanning programs provide ongoing checks for misconfigurations, insecure tokens, and unmonitored API endpoints. Managed SIEM services further strengthen defenses by detecting suspicious authentication activity and anomalous data queries across SaaS platforms.

In the aftermath of this attack, impacted organizations are being urged to rotate credentials, revoke unused OAuth tokens, and conduct thorough audits of Salesforce login histories, API access logs, and event monitoring data. These are standard best practices, but many companies do not have the internal resources to carry them out consistently. Partnering with a security provider for incident response and log review can make the difference between quickly detecting token misuse and letting an attacker operate undetected for weeks.

Takeaway
The Salesloft Drift incident reinforces a hard truth: SaaS platforms and third-party integrations are prime attack vectors. Threat actors understand that a single weak link in the supply chain can open doors to hundreds of organizations. By combining stolen tokens with social engineering, they increase the likelihood of success, using legitimate data to craft convincing lures.

Organizations need to adopt a zero trust mindset toward their SaaS ecosystem. Continuous assessment of vendor risk, proactive testing of integrations, and strong monitoring of authentication events are no longer optional. This is not just about one CRM tool being compromised, it’s about recognizing that every connection expands the attack surface.

FBI & CISA Sound Alarm: Cisco Actively Exploited

What Happened

The FBI and CISA have issued a joint advisory warning that attackers are actively exploiting a critical zero-day vulnerability in Cisco’s IOS and IOS XE software. The flaw, tracked as CVE-2018-0171, allows unauthenticated remote attackers to gain full administrative control of vulnerable Cisco devices.

Exploitation has already been observed in the wild, where adversaries are deploying webshells on compromised routers and switches to maintain persistence and issue arbitrary commands. Cisco Talos has confirmed hundreds of devices have been impacted globally.

Why It Matters

Both IOS and IOS XE software from Cisco powers core networking equipment for enterprises, service providers, government agencies, and critical infrastructure operators. These devices sit at the heart of IT environments, managing traffic flow, enforcing segmentation, and controlling access.

If attackers gain control of routers and switches, they gain control of the entire network’s trust foundation. This risk goes far beyond downtime, it directly impacts:

Confidentiality: Attackers can intercept or reroute sensitive data.
Integrity: Configuration changes allow malicious redirection, credential theft, or lateral movement.
Availability: Adversaries can disrupt routing and firewalling, leading to outages.

How the Exploit Works

Cisco has confirmed that attackers are:

Sending crafted HTTP requests to affected devices.
Creating unauthorized privileged admin accounts without authentication.
Deploying webshell backdoors, which allow persistent command execution even after device restarts.
Using these footholds to maintain covert long-term access.

In some cases, the attacker’s persistence has survived device reboots and firmware changes; making post-compromise cleanup extremely difficult without a full rebuild and credential reset.

Risks to Organizations

The implications of this vulnerability are severe:

Network compromise: complete control of edge devices, allowing attackers to monitor and manipulate traffic.
Credential theft: harvesting of administrator credentials, enabling deeper intrusions.
Espionage & data exfiltration: covert long-term access to sensitive information.
Ransomware staging: compromised routers provide a launchpad for broader attacks.

Organizations that rely heavily on Cisco for perimeter and core routing are particularly vulnerable. This incident highlights the need for a proactive defense strategy around network infrastructure, rather than just focusing on endpoints and applications.

Next Steps

Security agencies and Cisco strongly recommend treating this threat as high priority. To get ahead of similar exploits, defenders should:

Apply Cisco’s latest security updates and mitigations without delay.
Audit for unauthorized accounts and unusual configuration changes that may indicate persistence.
Include routers and firewalls in penetration testing to close high-impact gaps.
Review logs and continuously monitor for anomalous activity tied to webshells or credential use.
Tighten access controls by rotating network administrator credentials to reduce the impact of compromise.
Stay up to date on advisories and white papers to track early warnings and emerging risks.
Validate incident response readiness to ensure quick reactions to infrastructure-level compromises.

By addressing this Cisco IOS and IOS XE flaw swiftly and adopting a layered security approach, organizations can reduce the risk of long-term infiltration and ensure their network infrastructure remains trustworthy.

Microsoft Project Ire: AI Agent Capable of Reverse Engineering Malware

What happened
Microsoft has announced a prototype AI agent, called Project Ire, that can autonomously detect, classify, and reverse engineer malware without human assistance. Designed to operate at scale, Project Ire dissects suspicious files, analyzes their code, and determines if they are hostile, even when encountering them for the first time. Microsoft says the tool has already been accurate enough in one case to justify an automatic block of an advanced persistent threat sample, a first for any AI system at the company.

Why it matters
Reverse engineering malware is considered the gold standard for threat classification. It requires highly skilled analysts and can take hours for a single file. Project Ire can perform this work autonomously, reducing analyst fatigue and allowing defenders to respond faster. By integrating into Microsoft Defender, the AI agent could help protect billions of devices, though Microsoft notes it still requires human oversight to mitigate errors and missed threats.

For organizations, this development is a reminder that advanced detection tools work best when combined with a broader security strategy. Even if Project Ire is eventually integrated into your environment, regular penetration testing remains critical for uncovering vulnerabilities that malware could exploit before it reaches detection.

How it works
Project Ire approaches malware analysis in layers, breaking down the process into stages rather than trying to do everything at once. It uses an arsenal of forensic tools, from sandboxes and Microsoft memory analysis to multiple decompilers and open-source utilities, to strip away obfuscation techniques and examine code for malicious behavior.

In testing, the results were strong:

In a controlled dataset of Windows drivers, Project Ire achieved 98% precision and 83% recall.
In a real-world run on 4,000 “hard target” files awaiting human review, it achieved 89% precision, 26% recall, and only a 4% false positive rate.

These capabilities could help organizations detect advanced threats earlier, but gaps will remain. Managed SIEM platforms can complement AI-driven tools by correlating alerts from multiple sources and flagging anomalies that a single detection engine might miss.

Risks and limitations
While highly accurate when it flags a file as malicious, Project Ire’s 26% recall in real-world conditions shows it can still miss the majority of threats. As with any AI model, there is also the potential for “hallucinations,” where the system misinterprets code and produces incorrect results. That is why a multi-layered defense is essential. Ongoing vulnerability management programs can continuously identify and remediate weaknesses in servers, applications, and endpoints, lowering the chance that undetected malware can gain a foothold.

The bigger picture
Cybercriminals are also using AI to develop stealthier malware. This arms race makes it essential to combine automated detection with human-led security exercises. For example, social engineering campaigns can reveal weaknesses in user awareness that malware authors often exploit. Similarly, incident response tabletop exercises ensure leadership and technical teams know how to act immediately when a threat is discovered whether by AI or human analysts.

Final thoughts
Project Ire represents a significant leap forward in AI-driven threat detection. When deployed alongside proactive measures such as penetration testing, managed SIEM, vulnerability management, and employee awareness training, it can be part of a formidable security posture. As Microsoft refines this technology, organizations that pair advanced detection with comprehensive, layered defenses will be best positioned to counter the next generation of cyber threats.

Five Federal Agencies Breached: What the Microsoft SharePoint Hack Reveals About Patch Gaps

What happened

A fresh zero-day in on-prem Microsoft SharePoint (initially disclosed July 19, 2025) is being exploited by at least three China-aligned actors, Violet Typhoon, Linen Typhoon and the newly named Storm-2603, to drop Warlock and LockBit ransomware. The attackers chain CVE-2025-49704/49706 with two patch bypasses (CVE-2025-53770/53771) to run code without authentication, steal ASP.NET machine keys and pivot deeper into the network, and researchers have counted about 9 000 publicly reachable SharePoint servers that would be vulnerable if left unpatched.

Who’s affected so far

Department of Homeland Security – CISA has warned “more than a dozen” federal entities after DHS servers were hit.
National Nuclear Security Administration, parts of the Dept. of Energy and Education Dept. were also breached; no classified data loss confirmed yet.
Politico reports up to five U.S. agencies and roughly 100 global organizations are now in scope.

Given how widely SharePoint underpins intranets, project sites and file workflows, any self-hosted instance that missed the July cumulative update, or applied it without the post-patch mitigations, should be considered high-risk.

The attack chain in plain English

Initial access – Malicious HTTP request exploits a deserialization flaw, granting SYSTEM-level Remote Code Execution (RCE).
Credential & key theft – Attackers dump MachineKey values and NTLM hashes, letting them forge cookies or replay credentials across SharePoint web-front ends.
Privilege escalation & lateral movement – PowerShell payloads add admin users, open RDP, and harvest tokens.
Payload delivery – A lightweight loader contacts C2, then detonates Warlock ransomware; some victims see a web-shell for hands-on-keyboard data theft instead.

Business impact

Operational downtime – Agencies temporarily severed internal portals while integrity checks ran.
Sensitive data exposure – Meeting minutes, procurement docs and environment diagrams often live on SharePoint, giving nation-state actors a goldmine for future campaigns.
Patch-lag questions – Lawmakers are asking why critical infrastructure still runs legacy, on-prem SharePoint when cloud tenants were unaffected.

Immediate actions we recommend

Prioritize patch validation – Confirm July KBs are installed and verify the new CVE-2025-53770/71 mitigations.
Rotate machine keys & restart IIS after patching, per Microsoft’s guidance.
Hunt for indicators: web-shells in /layouts/, anomalous w3wp.exe spawn of cmd.exe, outbound traffic to .warlockcrypt[.]ru.
Deploy or tighten an EDR with AMSI full-mode scanning on each SharePoint server.
Run an external + internal penetration testing program to validate there are no alternate paths into the farm.
Launch frequent vulnerability assessments that cover SharePoint, SQL and domain controllers as a single ecosystem.
Pair technical hardening with recurring social engineering drills. Storm-2603 is known to blend phishing for initial footholds when exploits fail.
Rehearse an incident with tabletop exercises so legal, PR and exec teams can pull the trigger on backups, comms and insurance without hesitation.

Looking ahead

Microsoft has already barred China-based engineers from DoD projects and is investigating whether an early-access vulnerability disclosure channel tipped off threat actors. Expect tighter vetting of developer NDAs, renewed calls for Software Bill of Materials (SBOMs) in federal procurement, and finally, budget to migrate those aging on-prem farms to M365 GCC High. Meanwhile, security teams can slash risk by enforcing Zero Trust for all internal web apps: conditional access, token-binding, and micro-segmented server VLANs make post-exploit movement dramatically harder.

The SharePoint zero-day storm shows that even “internal-only” collaboration tools are now front-line targets. Harden the perimeter, but verify the inside, because ransomware groups (and nation-states) certainly will.