sjvn01@Practical Technology
//
Cisco is making significant strides in integrating artificial intelligence into its networking and data center solutions. They are releasing a range of new products and updates that leverage AI to enhance security and automate network tasks, with a focus on supporting AI adoption for enterprise IT. These new "AgenticOps" tools will enable the orchestration of AI agents with a high degree of autonomy within enterprise environments, aiming to streamline complex system management. Cisco's strategy includes a focus on secure network architectures and AI-driven policies to combat emerging threats, including rogue AI agents.
The networking giant is also strengthening its data center strategy through an expanded partnership with NVIDIA. This collaboration is designed to establish a new standard for secure, scalable, and high-performance enterprise AI. The Cisco AI Defense and Hypershield security solutions utilize NVIDIA AI to deliver enhanced visibility, validation, and runtime protection across AI workflows. This partnership builds upon the Cisco Secure AI Factory with NVIDIA, aiming to provide continuous monitoring and protection throughout the AI lifecycle, from data ingestion to model deployment. Furthermore, Cisco is enhancing AI networking performance to meet the demands of data-intensive AI workloads. This includes Cisco Intelligent Packet Flow, which dynamically steers traffic using real-time telemetry, and NVIDIA Spectrum-X, an AI-optimized Ethernet platform that delivers high-throughput and low-latency connectivity. By offering end-to-end visibility and unified monitoring across networks and GPUs, Cisco and NVIDIA are enabling enterprises to maintain zero-trust security across distributed AI environments, regardless of where data and workloads are located. Recommended read:
References :
TIGR Threat@Security Risk Advisors
//
Cisco has issued a critical security advisory regarding a vulnerability, CVE-2025-20286, in its Identity Services Engine (ISE) when deployed on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). This static credential flaw enables unauthenticated remote attackers to potentially access sensitive data, perform limited administrative actions, modify system configurations, or disrupt services. The vulnerability stems from improperly generated credentials during cloud deployments, resulting in multiple ISE deployments sharing the same static credentials, provided they are on the same software release and cloud platform.
Exploitation of CVE-2025-20286 could allow attackers to extract user credentials from a compromised Cisco ISE cloud deployment and utilize them to access other ISE instances in different cloud environments via unsecured ports. This could lead to unauthorized access to sensitive data, execution of limited administrative operations, changes to system configurations, or service disruptions. Cisco's Product Security Incident Response Team (PSIRT) has confirmed the existence of a proof-of-concept (PoC) exploit for this vulnerability, though there is no evidence of active exploitation in the wild. The vulnerability impacts specific versions of Cisco ISE, affecting versions 3.1, 3.2, 3.3, and 3.4 on AWS, and versions 3.2, 3.3, and 3.4 on Azure and OCI. Cisco emphasizes that this vulnerability only affects deployments where the Primary Administration node is hosted in the cloud; on-premises deployments are not affected. While there are no official workarounds, Cisco recommends restricting traffic to authorized administrators or using the "application reset-config ise" command to reset user passwords. The company has released security patches to address the flaw and urges users to update their systems promptly. Recommended read:
References :
@industrialcyber.co
//
A Russian state-sponsored cyber espionage campaign, attributed to the GRU's APT28 (also known as Fancy Bear or Forest Blizzard), has been actively targeting Western logistics entities and technology companies since 2022. This campaign focuses on organizations involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The goal is to gain access to sensitive information and disrupt operations, presenting a serious risk to these targeted organizations and sectors across more than a dozen countries.
These Russian cyber actors have been using a mix of previously disclosed tactics, techniques, and procedures (TTPs), including credential brute force attacks, spear-phishing using multilingual lures, and malware delivery via malicious archives exploiting vulnerabilities. They've also been observed hacking into IP cameras at Ukrainian border crossings to monitor and track aid shipments. The GRU unit, known as military unit 26165, has been linked to compromising a wide array of entities, spanning air, sea, and rail transportation modes. To defend against these threats, organizations are urged to familiarize themselves with the identified TTPs and indicators of compromise (IOCs), increase monitoring and threat hunting, and strengthen their network defenses. The attacks have targeted companies and government organizations in numerous countries, including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The advisory is co-signed by over 20 agencies from multiple countries, underscoring the global nature of this threat. Recommended read:
References :
@sec.cloudapps.cisco.com
//
Cisco has issued a critical security advisory to address CVE-2025-20188, a severe vulnerability affecting its IOS XE Wireless LAN Controllers (WLCs). This flaw, which has been assigned a CVSS score of 10.0, allows an unauthenticated, remote attacker to upload arbitrary files to a vulnerable system. The root cause of this vulnerability lies in a hard-coded JSON Web Token (JWT) present within the affected system, enabling attackers to potentially gain root privileges. The vulnerability impacts several products, including Catalyst 9800-CL Wireless Controllers for Cloud, Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches, Catalyst 9800 Series Wireless Controllers, and Embedded Wireless Controllers on Catalyst APs.
The exploitation requires the Out-of-Band AP Image Download feature to be enabled, which is not enabled by default. An attacker can exploit this vulnerability by sending crafted HTTPS requests to the AP image download interface. A successful exploit could enable the attacker to perform path traversal and execute arbitrary commands with root privileges, leading to a complete compromise of the affected system. Cisco advises administrators to check if the Out-of-Band AP Image Download feature is enabled by using the `show running-config | include ap upgrade` command. If the command returns `ap upgrade method https`, the feature is enabled, and the device is vulnerable. Currently, there are no direct workarounds available to address this vulnerability. However, as a mitigation measure, administrators can disable the Out-of-Band AP Image Download feature. This will cause AP image downloads to use the CAPWAP method. Cisco strongly recommends implementing this mitigation until an upgrade to a fixed software release can be performed. Cisco has released free software updates to address this vulnerability, advising customers with service contracts to obtain these security fixes through their usual update channels, urging them to upgrade to the fixed release as soon as possible. As of now, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of this vulnerability. Recommended read:
References :
Stu Sjouwerman@blog.knowbe4.com
//
A China-based cybercriminal gang known as the "Smishing Triad" is reportedly launching a wave of SMS phishing attacks, or "smishing," targeting users in both the US and the UK. These attacks are themed around road tolls, with victims receiving text messages that appear to be from toll road operators. The messages warn recipients of unpaid toll fees and potential fines if the fees are not promptly addressed. Cybersecurity researchers have issued warnings about this widespread and ongoing SMS phishing campaign, noting that it has been actively targeting toll road users since mid-October 2024, aiming to steal their financial information.
Researchers have linked the surge in these SMS scams to new features added to a popular commercial phishing kit sold in China. This kit simplifies the process of creating convincing lures that spoof toll road operators across multiple US states. The phishing pages are designed to closely mimic the websites of these operators as they appear on mobile devices, and in some cases, will not even load unless accessed from a mobile device. The goal of these kits is to obtain enough information from victims to add their payment cards to mobile wallets. These cards can then be used for fraudulent purchases in physical stores, online, or to launder money through shell companies. The phishing campaigns often impersonate U.S. electronic toll collection systems like E-ZPass, sending SMS messages and Apple iMessages to individuals across several states including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas. The texts prompt recipients to click on a fake link, often requiring them to reply with "Y" to activate the link, a tactic used in other phishing kits. Victims who click the link are directed to a fraudulent E-ZPass page where they are asked to enter personal and financial information, which is then stolen by the attackers. Recommended read:
References :
Sergiu Gatlan@BleepingComputer
//
A critical vulnerability, identified as CVE-2025-20236, has been discovered in the Cisco Webex App, posing a significant security risk to users. The vulnerability allows unauthenticated attackers to gain client-side remote code execution through maliciously crafted meeting invite links. The flaw stems from insufficient input validation within the app's custom URL parser, which processes these meeting invites. An attacker can exploit this weakness by tricking a user into clicking on a malicious link, which can then download arbitrary files and execute commands on the user's system with their privileges.
Cisco has acknowledged the vulnerability and released security updates to address the flaw. The affected versions include Webex App version 44.6, which has been fixed in version 44.6.2.30589. Users running version 44.7 are advised to migrate to a fixed release. Versions 44.5 and earlier, as well as 44.8 and later, are not vulnerable. The vulnerability has been assigned a high CVSS score of 8.8, reflecting its severe risk level. Users and administrators are strongly urged to immediately check their Webex App version and apply the necessary patches to mitigate the risk of exploitation. Organizations relying on Cisco Webex for communication and collaboration are particularly at risk, as successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, disruption of operations, and the potential spread of malware or ransomware within their networks. Cisco's Product Security Incident Response Team (PSIRT) has stated that, at the time of publication, they had not observed any malicious use or public exploitation of CVE-2025-20236. Recommended read:
References :
@The DefendOps Diaries
//
A critical vulnerability, identified as CVE-2024-20439, has been discovered in the Cisco Smart Licensing Utility (CSLU), a Windows application used for managing licenses. This flaw exposes a built-in backdoor admin account due to an undocumented static user credential. Unauthenticated attackers are now actively exploiting this vulnerability to gain remote administrative access to unpatched systems through the CSLU app's API. Cisco has urged administrators to immediately apply the necessary patches to prevent unauthorized access and mitigate the risk.
The exploitation of CVE-2024-20439 allows attackers to bypass normal authentication procedures and gain control over the CSLU API. This provides them with the ability to manage services, extract sensitive data, and potentially move laterally within affected networks. The U.S. CISA has added this Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and active exploitation of this vulnerability. The vulnerability was first disclosed by Cisco in September 2024 and has since been actively exploited in the wild, raising significant concerns about network security. Recommended read:
References :
Matt Kapko@CyberScoop
//
References:
Threats | CyberScoop
, SiliconANGLE
,
A new report from Cisco Talos reveals that identity-based attacks were the dominant form of cyber incident in 2024, accounting for 60% of all incidents. Cybercriminals are increasingly relying on compromised user accounts and credentials rather than sophisticated malware or zero-day exploits. This shift highlights a significant weakness in enterprise security, with attackers finding it easier and safer to log in using stolen credentials than to deploy more complex attack methods. These attacks targeted Active Directory in 44% of cases and leveraged cloud application programming interfaces in 20% of attacks.
This trend is further exacerbated by weaknesses in multi-factor authentication (MFA). Common MFA failures observed included the absence of MFA on virtual private networks, MFA exhaustion/push fatigue, and improper enrollment monitoring. The primary motivations behind these identity-based attacks were ransomware (50%), credential harvesting and resale (32%), espionage (10%), and financial fraud (8%). These incidents underscore the critical need for organizations to bolster their identity and access management strategies, including stronger password policies, robust MFA implementations, and enhanced monitoring of Active Directory environments. Recommended read:
References :
|