nGuard

Call us p. 704.583.4088
Client PortalSpeak to An Expert

ArcaneDoor campaign

Amazon Confirms Zero-Days Exploited in Cisco and Citrix Systems

What Happened

Recent Amazon threat intelligence confirms that at least two critical zero-day vulnerabilities have been actively exploited in products from Cisco and Citrix. Specifically:

  • CVE‑2025‑20337: This critical Cisco Identity Services Engine (ISE) zero-day is being exploited to achieve pre-authentication remote code execution, giving attackers root-level access without credentials. Beyond Amazon, several other outlets have confirmed active exploitation in the wild.
  • CVE‑2025‑5777: Citrix’s memory-overread vulnerability, widely referred to as “CitrixBleed 2”, is being used in real-world attacks against NetScaler ADC and Gateway devices. nGuard covered this back in July when it was first discovered that threat actors were exploiting this flaw before patches were available, mirroring the original CitrixBleed pattern.
  • Intelligence from Amazon Web Services and other observers indicates these exploits were used by an advanced persistent threat (APT) actor with custom tooling and significant capabilities.
  • The campaign underscores a classic patch-gap exploitation scenario where adversaries weaponize vulnerabilities before full remediations are deployed.

Why It Matters

Infrastructure such as enterprise identity platforms (Cisco ISE) and remote-access gateways (Citrix NetScaler) sits at the core of network trust. When these are compromised:

  • Attackers can bypass authentication, escalate privileges, and deploy stealthy web shells specially crafted for these appliances.
  • Custom malware operating in-memory, using sophisticated evasion (Java reflection, DES encryption, tailored HTTP headers) has been documented.
  • Because these systems control access to networks, compromise of them can serve as a “gateway” into broader enterprise infrastructure, affecting both SMBs and large enterprises.

What You Should Do (Now)

  1. Patch Immediately: Apply the latest firmware or software updates from Cisco and Citrix. If updates are not yet feasible, isolate or restrict public-access interfaces on affected devices.
  2. Validate Controls & Hardening: Conduct Firewall & Security Device Audits to confirm devices are configured securely, management interfaces are locked down, and edge-perimeter segmentation is enforced.
  3. Monitor & Detect: Deploy anomaly detection and behavior-based monitoring. With Managed SIEM, you can surface unusual patterns, unauthorized sessions, or payload-injection attempts.
  4. Build Incident Readiness: Use Incident Response tabletop exercises to walk teams through core dump analysis, firmware integrity checks, credential resets, and containment decisions before a real compromise occurs.
  5. Review Identity & Access Controls: Ensure least-privilege access, MFA everywhere, and rotate credentials on legacy or exposed appliances. Pair with Risk Assessments which align your security posture with NIST, CIS and other trusted frameworks.

Takeaway

These zero-day exploits are not just isolated software defects, as they expose a harsh reality: identity and network-access infrastructure are high-value targets. A vulnerability in an appliance trusted to enforce access controls can become the ticket into your enterprise.

Securing those gateways must be a priority. Deploy patching fast, enforce hardening, monitor edge-devices continuously and lean on experts when gaps or resource constraints exist.

This Week in Cybersecurity (TWiC): Source Code Thefts, Massive Credential Dumps & Emergency Patches

The past 2 weeks in cybersecurity delivered a series of critical developments that highlight persistent weaknesses across the software supply chain, identity management, and core infrastructure. From the continued fallout of a high-profile breach at F5 to conflicting reports about a massive Gmail password leak, security professionals are being tested across multiple fronts. Add to that a critical Windows server vulnerability prompting an emergency patch, and the picture becomes clear: attackers are exploiting cracks wherever they appear, be it in vendor ecosystems, identity systems, or update infrastructure. Here’s a quick rundown of what you need to know.

F5 Breach Deepens: Source Code and Undisclosed Vulnerabilities Exposed

In a follow-up to our earlier advisory on the F5 breach, new revelations confirm the situation is worse than initially understood. A sophisticated, likely nation-state threat actor infiltrated F5’s internal systems, stealing portions of the BIG-IP source code and accessing data on yet-to-be-disclosed vulnerabilities. F5 has stated that its build systems were not modified, but the theft of proprietary code and vulnerability research significantly raises the threat level for organizations relying on their products.

Given the exposure of over 266,000 BIG-IP instances to the internet, this development underscores the critical need for proactive patch management, device segmentation, and hardening of public-facing infrastructure. Ongoing threat-hunting efforts and vendor risk monitoring are essential here, especially as attackers may now have an edge in weaponizing these vulnerabilities.

Gmail Credentials in Massive 183 Million Account Leak — But Google Pushes Back

Reports emerged this week of a staggering 183 million compromised credentials hitting the dark web, with millions tied to Gmail accounts. According to researchers, the data likely comes from infostealer malware logs and reused credentials, not a direct breach of Google itself.

Google has strongly denied any compromise of its systems, attributing the leak to poor credential hygiene and third-party breaches. Regardless of the source, this incident reinforces the need for strong identity controls: unique passwords, multi-factor authentication, and regular credential exposure checks are now baseline expectations. Organizations should prioritize continuous identity monitoring and enforce secure credential policies to defend against the inevitable credential-stuffing attempts that follow such leaks.

Microsoft Pushes Emergency Patch for Critical WSUS Flaw

Microsoft issued an out-of-band patch for a critical remote code execution vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. The original patch released during October’s Patch Tuesday was found to be incomplete, prompting this emergency update.

This vulnerability poses serious risks to organizations relying on WSUS for patch management, especially if default ports are exposed externally. Beyond just applying the patch, this incident is a reminder that attackers are targeting administrative infrastructure as much as user endpoints. Security teams should ensure that internal update mechanisms are locked down and monitored, as compromise of these systems can rapidly propagate malware or unauthorized updates across entire environments.

Wrap-Up

This week’s cybersecurity news highlights a sobering reality: no part of the modern IT stack is off-limits. Whether it’s vendor platforms like BIG-IP, user credentials floating on the dark web, or core infrastructure like WSUS, attackers are looking for any way in. It’s a critical time for organizations to re-evaluate their exposure across supply chains, authentication practices, and system update mechanisms. Proactive assessmentscontinuous monitoring, and incident response readiness are not just best practices, they’re survival strategies.

Nation-State Breach at F5 Exposes BIG-IP Source Code and Undisclosed Vulnerabilities

F5 Networks, a major provider of network traffic management and security solutions used by the vast majority of Fortune 500 organizations, confirmed that a sophisticated nation-state threat actor breached its internal systems this summer. The attackers gained long-term, persistent access to F5’s BIG-IP product development environment, exfiltrating source code and information about unpatched vulnerabilities.

The company disclosed the breach in an SEC filing and public advisory after receiving authorization from the U.S. Department of Justice to release details. According to F5, the intrusion impacted internal engineering and knowledge management systems but did not compromise customer-facing products, source code integrity, or cloud infrastructure. Investigations confirmed there was no evidence of tampering within F5’s build pipeline or software supply chain.

However, the attackers obtained highly sensitive data, including portions of BIG-IP source code and private vulnerability research, granting them a technical advantage to identify zero-days and develop targeted exploits against organizations that rely on F5 technology.

National and Global Impact
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded by issuing Emergency Directive 26-01, ordering all Federal Civilian Executive Branch agencies to inventory every F5 BIG-IP system, verify exposure of management interfaces, and apply the latest updates by October 22, 2025.

CISA warned that the threat actor’s access to F5’s proprietary data poses “an imminent threat” to networks running F5 software and hardware. This includes the potential for lateral movement, credential theft, API key compromise, and persistent access. Agencies and private enterprises were further urged to harden configurations, disconnect end-of-life systems, and validate F5 software checksums before deploying updates. Organizations are encouraged to engage qualified incident response services to assist with detecting, containing, and remediating potential compromises related to this or similar breaches.

Bloomberg and other sources have attributed the campaign to UNC5221, a China-nexus cyber espionage group previously linked to BRICKSTORM malware. Reports suggest the group maintained access to F5’s environment for up to 12 months before detection.

Why This Matters
F5’s BIG-IP technology is deeply embedded in enterprise and government networks, often serving as a reverse proxy, load balancer, and SSL termination point. Its position at the edge of critical infrastructure makes it a high-value target for adversaries. With source code and vulnerability data now in foreign hands, attackers may attempt to weaponize this intelligence to compromise F5 customers through supply-chain or configuration-based attacks.

This breach emphasizes the ongoing challenge of defending against nation-state adversaries who exploit the global technology supply chain to gain access to downstream targets. Conducting ongoing vulnerability scanning and regular external penetration testing can help identify exposed services, misconfigurations, and unpatched systems before threat actors can exploit them, reducing the likelihood and impact of similar attacks.

As the scope of this attack unfolds, organizations using F5 BIG-IP, F5OS, BIG-IQ, or APM should immediately apply vendor updates, restrict public access to management interfaces, and validate configurations against best practice hardening guides.

Final Thoughts
The F5 breach represents another example of how deeply intertwined software supply-chain security has become with national security and enterprise defense. Even the most trusted infrastructure providers can be compromised, proving the need for layered defense strategies, continuous monitoring, and independent validation.

nGuard remains committed to helping organizations strengthen their defenses through penetration testing, vulnerability management, device configuration hardening and best practices, and incident response services designed to detect, prevent, and contain threats before they disrupt operations.

Cisco ASA & FTD Zero-Day Exploitation: CISA Emergency Directive

Cisco has confirmed two actively exploited zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) platforms. One flaw (CVE-2025-20333, CVSS 9.9) allows remote code execution, while the other (CVE-2025-20362, CVSS 6.5) enables unauthenticated access to restricted URLs. Together, these issues provide attackers with a pathway from authentication bypass to full device compromise.

Cisco has published an event response to the continued attacks which includes detailed recommended actions. Additionally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded with Emergency Directive 25-03, giving federal agencies just 24 hours to identify and mitigate affected devices. The urgency reflects the severity: these vulnerabilities strike at the gateways to enterprise and government networks.

What’s at Risk

Cisco’s ASA and FTD appliances often serve as the first line of defense with handling VPN access, firewall rules, and traffic inspection. Compromise at this layer allows adversaries to:

  • Deploy custom malware and webshells.
  • Escalate privileges to root and persist across reboots by tampering with read-only memory (ROM).
  • Intercept or manipulate traffic flowing into the network.

Threat intelligence links this activity to ArcaneDoor, a sophisticated campaign previously observed targeting perimeter infrastructure. Recent reports confirm attackers chaining vulnerabilities, disabling logging, and even corrupting diagnostics to evade detection.

Penetration testing and Vulnerability Management services can help organizations proactively search for indicators of compromise (IoCs) within ASA/FTD appliances and ensure persistence mechanisms like ROM tampering are identified quickly.

Scale of Exposure

Despite repeated warnings, more than 48,000 internet-facing ASA/FTD instances remain unpatched, according to Shadowserver scans. The majority are located in the U.S., followed by the U.K., Japan, Germany, and Canada.

The delay in patching exposes organizations to real-time scanning campaigns already observed by the threat intel community. In many cases, scans preceded Cisco’s public disclosure, indicating adversaries had early knowledge of these flaws.

Required Actions & Mitigations

Cisco continues to release updates and detailed guidance. For organizations unable to patch immediately, temporary mitigations include restricting VPN web interface exposure and monitoring for crafted HTTP requests or suspicious logins.

Focus on these immediate steps:

  • Patch & Harden: Apply Cisco’s fixes where available; otherwise, restrict HTTP(S) access to the VPN component. Ensure devices are properly managed and hardened through a configuration audit.
  • Firmware Integrity: Verify ROM and firmware integrity, leveraging Secure Boot if supported.
  • Network Monitoring: Deploy anomaly detection and behavioral monitoring on VPN traffic. Managed SIEM with User Entity and Behavior Analytics (UEBA) can detect abnormal logins, unusual session activity, and persistence attempts in real-time on edge devices.
  • Credential Security: Replace local passwords, certificates, and keys on potentially impacted devices. A comprehensive risk assessment evaluates identity and access management controls against best practice frameworks like NIST and CIS.

Why This Matters

Zero-days in perimeter appliances are uniquely dangerous: they sit in trusted positions, often unmonitored, and provide attackers with deep footholds when compromised. For SMBs and enterprises alike, compromise of a firewall or VPN gateway can mean attackers control the gate into your environment.

As one analyst noted, “When a firewall is compromised at root level, defending becomes almost impossibly reactive. The best time to act is before compromise.”

Conclusion

The Cisco ASA and FTD vulnerabilities highlight a critical reality: perimeter devices are some of the most attractive targets for threat actors. A single exploited flaw in a firewall or VPN gateway can provide attackers with direct access to internal networks, persistence mechanisms, and even the ability to wipe forensic evidence.

Organizations cannot treat these devices as “set-and-forget” infrastructure. They demand continuous attention by patching on short timelines, hardening configurations, and validating controls against real-world attacks.

Chat Icon Chat Close

Learn how nGuard can secure your data

Ready to take the next step? Speak to an nGuard expert and get your questions answered today.

Chat Popup

No thanks, maybe later