CyberSecurity news

FlagThis - #Cisco

Divya@gbhackers.com //
Cisco has issued critical security patches to address vulnerabilities in its ClamAV software and Meeting Management platform. A denial-of-service flaw, identified as CVE-2025-20128, affects ClamAV and can be exploited by submitting a crafted file that terminates the scanning process. Proof-of-concept exploit code is available, although there's no indication it has been used in the wild. This ClamAV vulnerability is due to a heap-based buffer overflow bug within the OLE2 file parser, impacting Cisco Secure Endpoint Connectors for Windows, Linux, and macOS. Cisco advises users to immediately update to ClamAV versions 1.4.2 or 1.0.8 to remediate this threat, since a successful attack could disrupt security workflows by stopping the malware scanning function.

Additionally, a critical privilege escalation vulnerability, CVE-2025-20156, has been discovered in the Cisco Meeting Management REST API. This flaw allows remote authenticated attackers with low privileges to elevate their access to administrator level on affected devices. It stems from improper authorization enforcement within the REST API, enabling attackers to gain control of edge nodes managed by Cisco Meeting Management. The vulnerability impacts versions 3.9 and earlier, but not 3.10. Upgrading to version 3.9.1 or 3.10 is essential as there are no workarounds available. Cisco has released software updates to address this vulnerability, also impacting the Broadworks platform.

Recommended read:
References :
  • gbhackers.com: Cisco has issued a critical advisory regarding a privilege escalation vulnerability in its Meeting Management REST API.
  • securityaffairs.com: Cisco addressed a critical flaw in its Meeting Management that could allow it to gain administrator privileges on vulnerable instances.
  • The Hacker News: Cisco has released software updates to address a critical security flaw impacting Meeting Management that could permit a remote, authenticated attacker with low level access
  • Pyrzout :vm:: Cisco Meeting Management REST API Privilege Escalation Vulnerability
  • ciso2ciso.com: Cisco Meeting Management REST API Privilege Escalation Vulnerability – Source:sec.cloudapps.cisco.com #'Cyber
  • www.helpnetsecurity.com: Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw 'tmiss
  • The Register - Security: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management
  • www.heise.de: Cisco: Critical security vulnerability in Meeting Management Cisco warns of a critical vulnerability in Meeting Management as well as vulnerabilities in Broadworks and ClamAV.
  • ciso2ciso.com: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management
  • Pyrzout :vm:: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management – Source: go.theregister.com
  • ciso2ciso.com: The article highlights a critical vulnerability in Cisco's Meeting Management tool.
  • jbz: Patch now: Cisco fixes critical Meeting Management flaw —The Register
  • The Register: The story focuses on a 9.9-rated vulnerability in Cisco Meeting Management, highlighting potential remote code execution risks.
  • heise online English: This discusses the vulnerability in Cisco's Meeting Management software.
  • www.theregister.com: Patch now: Cisco fixes critical Meeting Management flaw —The Register
  • jbz: Patch now: Cisco fixes critical Meeting Management flaw —The Register ï½¢ "An attacker could exploit this vulnerability by sending API requests to a specific endpoint," and this could allow admin-level access over edge nodes, which are components of Cisco's video conferencing infrastructure managed by this tool, the biz warned in a Wednesday security alert ï½£
  • The Register - Security: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management – Source: go.theregister.com

@cyberscoop.com //
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.

Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.

Recommended read:
References :
  • cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
  • Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
  • techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
  • www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
  • Threats | CyberScoop: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
  • CyberInsider: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
  • Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks [exp] [net]
  • Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
  • Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
  • securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
  • securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
  • BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
  • industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
  • Industrial Cyber: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
  • Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
  • cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers

Sergiu Gatlan@BleepingComputer //
Cisco has addressed a critical denial-of-service (DoS) vulnerability, CVE-2025-20115, found in the Border Gateway Protocol (BGP) confederation implementation of its IOS XR Software. The vulnerability arises from a memory corruption flaw, specifically the improper handling of the AS_CONFED_SEQUENCE attribute within BGP update messages. An attacker can exploit this by injecting a crafted message containing 255 or more autonomous system numbers, leading to process instability and a potential BGP process restart.

Successful exploitation of this flaw allows unauthenticated attackers to crash the BGP process, disrupting network routing and potentially causing significant service outages. This is particularly concerning for large-scale networks using BGP confederation. The affected software versions include Cisco IOS XR Release 7.11 and earlier, Release 24.1 and earlier, Release 24.2 until version 24.2.21, and Release 24.3, which has been patched in version 24.3.1. The primary mitigation strategy is to apply the latest software update provided by Cisco.

Recommended read:
References :
  • The DefendOps Diaries: Understanding the Cisco IOS XR Vulnerability: CVE-2025-20115
  • BleepingComputer: Cisco vulnerability lets attackers crash BGP on IOS XR routers
  • www.cysecurity.news: Cisco Warns of Critical Security Flaw in IOS XR Software – Immediate Update Recommended
  • securityaffairs.com: Cisco IOS XR flaw allows attackers to crash BGP process on routers
  • securityonline.info: Cisco Alerts on Public Disclosure of CVE-2025-20115 – BGP Flaw Puts Networks at Risk
  • Rescana: The Cisco IOS XR Software Border Gateway Protocol (BGP) Confederation Denial of Service vulnerability , identified as...
  • gbhackers.com: Cisco has issued a security advisory warning of a vulnerability in its IOS XR Software that could allow attackers to launch denial-of-service (DoS) attacks.  The vulnerability, identified as CVE-2025-20115, affects the Border Gateway Protocol (BGP) confederation implementation. The CVE-2025-20115 vulnerability affects the Border Gateway Protocol (BGP) confederation implementation in Cisco IOS XR Software, potentially allowing
  • bsky.app: Cisco has patched a denial of service (DoS) vulnerability that lets attackers crash the Border Gateway Protocol (BGP) process on IOS XR routers with a single BGP update message.

Ameer Owda@socradar.io //
Cisco has released patches to address two critical remote code execution vulnerabilities in its Identity Services Engine (ISE). The flaws, tracked as CVE-2025-20124 (CVSS score 9.9) and CVE-2025-20125 (CVSS score 9.1), could allow a remote attacker with read-only administrative privileges to execute arbitrary commands on affected devices. The vulnerabilities could prevent privilege escalation and system configuration changes.

The first vulnerability, CVE-2025-20124, is due to insecure deserialization of user-supplied Java byte streams, allowing attackers to execute arbitrary commands and elevate privileges by sending a crafted serialized Java object to an affected API. The second, CVE-2025-20125, is an authorization bypass issue that could allow attackers to obtain sensitive information, modify system configurations, and restart the node by sending a crafted HTTP request to a specific API. Cisco warns that there are no workarounds, advising customers to migrate to a fixed software release as soon as possible.

Recommended read:
References :
  • securityaffairs.com: Cisco addressed critical flaws in Identity Services Engine, preventing privilege escalation and system configuration changes.
  • securityonline.info: CVE-2025-20124 (CVSS 9.9) & CVE-2025-20125 (CVSS 9.1): Cisco Patches Critical Flaws in Identity Services Engine
  • ciso2ciso.com: Cisco addressed two critical flaws in its Identity Services Engine (ISE) – Source: securityaffairs.com
  • ciso2ciso.com: Cisco addressed two critical flaws in its Identity Services Engine (ISE) – Source: securityaffairs.com
  • securityonline.info: Cisco has issued a security advisory addressing two critical vulnerabilities in its Identity Services Engine (ISE), a network
  • Pyrzout :vm:: Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities – Source:sec.cloudapps.cisco.com #'Cyber
  • BleepingComputer: Cisco has fixed two critical Identity Services Engine (ISE) vulnerabilities that can let attackers with read-only admin privileges bypass authorization and run commands as root.
  • socradar.io: Critical Cisco ISE Vulnerabilities Patched: CVE-2025-20124 & CVE-2025-20125
  • The Hacker News: Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc
  • www.csoonline.com: Cisco’s ISE bugs could allow root-level command execution
  • www.bleepingcomputer.com: Cisco has fixed two critical Identity Services Engine (ISE) vulnerabilities that can let attackers with read-only admin privileges bypass authorization and run commands as root.
  • ciso2ciso.com: Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc – Source:thehackernews.com
  • ciso2ciso.com: Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc – Source:thehackernews.com
  • ciso2ciso.com: Cisco’s ISE bugs could allow root-level command execution – Source: www.csoonline.com

Matt Kapko@CyberScoop //
A new report from Cisco Talos reveals that identity-based attacks were the dominant form of cyber incident in 2024, accounting for 60% of all incidents. Cybercriminals are increasingly relying on compromised user accounts and credentials rather than sophisticated malware or zero-day exploits. This shift highlights a significant weakness in enterprise security, with attackers finding it easier and safer to log in using stolen credentials than to deploy more complex attack methods. These attacks targeted Active Directory in 44% of cases and leveraged cloud application programming interfaces in 20% of attacks.

This trend is further exacerbated by weaknesses in multi-factor authentication (MFA). Common MFA failures observed included the absence of MFA on virtual private networks, MFA exhaustion/push fatigue, and improper enrollment monitoring. The primary motivations behind these identity-based attacks were ransomware (50%), credential harvesting and resale (32%), espionage (10%), and financial fraud (8%). These incidents underscore the critical need for organizations to bolster their identity and access management strategies, including stronger password policies, robust MFA implementations, and enhanced monitoring of Active Directory environments.

Recommended read:
References :
  • Threats | CyberScoop: Cisco Talos observed identity-based attacks in 60% of the incidents it responded to last year.
  • SiliconANGLE: A new report out today from Cisco Talos, a cybersecurity company that’s part of Cisco Systems Inc., found that in 2024, cybercriminals didn’t need zero-days or custom malware to wreak havoc: They just logged in, with identity-based attacks,”
  • www.scworld.com: Sixty percent of cybersecurity incidents around the world last year were identity-based intrusions, with identity targeting being prominent across all attack stages, SiliconAngle reports.

drewt@secureworldexpo.com (Drew Todd)@SecureWorld News //
The Chinese state-sponsored hacking group Salt Typhoon is expanding its espionage campaign, targeting U.S. telecommunication providers and other networks globally. The group, active since at least 2019, has been breaching major companies like AT&T, Verizon, and Lumen Technologies. Between December 2024 and January 2025, Salt Typhoon compromised additional telecom networks across the globe. The attacks involve a custom utility called JumbledPath, used to stealthily monitor network traffic and potentially capture sensitive data.

Salt Typhoon gains initial access through stolen credentials and exploiting vulnerabilities in Cisco routers. Specifically, they target internet-exposed Cisco network routers, leveraging CVE-2023-20198 and CVE-2023-20273 to escalate privileges and gain root access. Once inside, they extract credentials by intercepting authentication traffic, modify network configurations, and create hidden accounts to maintain persistent access. The group's objectives include intercepting sensitive communications, tracking political activists, and stealing research from academic institutions.

Recommended read:
References :
  • bsky.app: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
  • www.bleepingcomputer.com: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Anonymous ???????? :af:: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Carly Page: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Blog: New Details: Salt Typhoon Used Leaked Creds in Telecom Attack
  • SecureWorld News: Chinese cyber espionage group Salt Typhoon has made headlines in the last year, breaching major , including AT&T, Verizon, and Lumen Technologies.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • www.bleepingcomputer.com: Chinese hackers breach more U.S. telecoms via unpatched Cisco routers
  • gbhackers.com: Gbhackers news on Salt Typhoon Hackers Exploit Cisco Vulnerability
  • www.the420.in: The 420 news on Chinese Hackers Target US Telecom Giants

@The DefendOps Diaries //
A critical vulnerability, identified as CVE-2024-20439, has been discovered in the Cisco Smart Licensing Utility (CSLU), a Windows application used for managing licenses. This flaw exposes a built-in backdoor admin account due to an undocumented static user credential. Unauthenticated attackers are now actively exploiting this vulnerability to gain remote administrative access to unpatched systems through the CSLU app's API. Cisco has urged administrators to immediately apply the necessary patches to prevent unauthorized access and mitigate the risk.

The exploitation of CVE-2024-20439 allows attackers to bypass normal authentication procedures and gain control over the CSLU API. This provides them with the ability to manage services, extract sensitive data, and potentially move laterally within affected networks. The U.S. CISA has added this Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and active exploitation of this vulnerability. The vulnerability was first disclosed by Cisco in September 2024 and has since been actively exploited in the wild, raising significant concerns about network security.

Recommended read:
References :
  • bsky.app: CISA adds a Cisco Smart Licensing Utility Static Credential flaw tracked as CVE-2024-20439 to the KEV database. This flaw allows unauthenticated attackers to log in using the hardcoded credential.
  • BleepingComputer: Cisco warns admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks.
  • The DefendOps Diaries: Explore the critical Cisco Smart Licensing Utility vulnerability and learn mitigation strategies to protect your network.
  • BleepingComputer: Cisco warns admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks.

Divya@gbhackers.com //
Cisco has released a critical patch for a high-severity vulnerability in its Meeting Management tool, which has been given a rating of 9.9. The vulnerability, identified as CVE-2025-20156, could allow a remote attacker with low privileges to gain admin-level access to affected devices. This exploit is achieved by sending specific API requests to a designated endpoint, thus bypassing access control protocols on the system. This flaw primarily affects edge nodes, which are critical components of Cisco's video conferencing infrastructure managed by the tool. Cisco has acknowledged the vulnerability and issued an alert, urging customers to apply the patch immediately.

The vulnerability impacts most versions of Cisco Meeting Management, with the exception of version 3.10. Users with earlier releases, 3.8 and below, will need to migrate to a supported version. Specifically, release 3.9 should be upgraded to version 3.9.1. Although there have been no confirmed reports of the exploit being used in the wild yet, Cisco encourages all users to update as soon as possible, as a Proof-of-Concept (PoC) exploit could surface at any time. The discovery of this flaw was credited to Modux bug hunter Ben Leonard-Lagarde.

Recommended read:
References :
  • ciso2ciso.com: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management – Source: go.theregister.com
  • The Register: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug No in-the-wild exploits … yet Cisco has pushed a patch for a critical, 9.9-rated vulnerability in its Meeting Management tool that could allow a remote, authenticated attacker with low privileges to escalate to administrator on affected devices.…
  • jbz: Patch now: Cisco fixes critical Meeting Management flaw —The Register ï½¢ "An attacker could exploit this vulnerability by sending API requests to a specific endpoint," and this could allow admin-level access over edge nodes, which are components of Cisco's video conferencing infrastructure managed by this tool, the biz warned in a Wednesday security alert ï½£
  • Pyrzout :vm:: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management – Source: go.theregister.com
  • ciso2ciso.com: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management
  • www.theregister.com: Patch now: Cisco fixes critical Meeting Management flaw —The Register