CyberSecurity news

FlagThis - #cisco

@sec.cloudapps.cisco.com //

Cisco Unified CM Flaw Enables Remote Root Access - A critical vulnerability, CVE-2025-20309, exists in Cisco’s Unified Communications Manager allowing remote attackers to gain root-level access due to hardcoded SSH root credentials.
Cisco is urging immediate action following the discovery of a critical vulnerability, CVE-2025-20309, in its Unified Communications Manager (Unified CM) and Unified Communications Manager Session Management Edition (Unified CM SME). The flaw stems from hardcoded SSH root credentials that cannot be modified or removed, potentially allowing remote attackers to gain root-level access to affected systems. This vulnerability has a maximum severity rating with a CVSS score of 10.0, indicating it can be easily exploited with devastating consequences.

Cisco's security advisory specifies that all Engineering Special (ES) releases from 15.0.1.13010-1 through 15.0.1.13017-1 are vulnerable, regardless of optional features in use. An unauthenticated remote attacker can exploit this vulnerability by utilizing the static root account credentials to establish SSH connections to vulnerable systems. Once authenticated, the attacker gains complete administrative control over the affected device, enabling the execution of arbitrary commands with root privileges.

There are no temporary workarounds to mitigate this risk. To remediate the vulnerability, administrators are advised to upgrade to version 15SU3 or apply the CSCwp27755 patch. Although Cisco discovered the flaw through internal testing and has not found evidence of active exploitation in the wild, the extreme severity necessitates immediate action to safeguard enterprise communications. The company has issued emergency fixes for the critical root credential flaw in Unified CM.

Recommended read:
References :
  • MeatMutts: Cisco Urges Immediate Action After Discovering Backdoor in Unified Communications Manager
  • infosec.exchange: : Unified Communications Manager systems could allow remote attackers to gain root-level access. The vulnerability CVE-2025-20309 with a maximum CVSS 10.0, stems from hardcoded SSH root credentials that cannot be modified or removed: 👇
  • Rescana: Critical Cisco Unified CM Vulnerability: Root Access via Static Credentials – Technical Analysis & Mitigation Strategies
  • cybersecuritynews.com: Unified Communications Manager systems could allow remote attackers to gain root-level access. The vulnerability CVE-2025-20309 with a maximum CVSS 10.0, stems from hardcoded SSH root credentials that cannot be modified or removed:
  • hackread.com: Cisco Issues Emergency Fix for Critical Root Credential Flaw in Unified CM
  • thecyberexpress.com: Cisco Issues Urgent Patch for Critical Unified CM Vulnerability (CVE-2025-20309)
  • Arctic Wolf: CVE-2025-20309: Cisco Unified Communications Manager Static SSH Credentials Maximum Severity Vulnerability
  • arcticwolf.com: CVE-2025-20309: Cisco Unified Communications Manager Static SSH Credentials Maximum Severity Vulnerability
  • sec.cloudapps.cisco.com: Security advisory from Cisco addressing the vulnerability.
  • The Register - Security: Cisco scores a perfect 10 - sadly for a critical flaw in its comms platform
  • nvd.nist.gov: Details of the Cisco vulnerability CVE-2025-20309.
sjvn01@Practical Technology //

Cisco Enhances Networking and Data Centers with AI - Cisco is enhancing its data center and networking capabilities by integrating AI and expanding partnerships, focusing on AI-driven smart policies and stopping rogue AI agents.
Cisco is making significant strides in integrating artificial intelligence into its networking and data center solutions. They are releasing a range of new products and updates that leverage AI to enhance security and automate network tasks, with a focus on supporting AI adoption for enterprise IT. These new "AgenticOps" tools will enable the orchestration of AI agents with a high degree of autonomy within enterprise environments, aiming to streamline complex system management. Cisco's strategy includes a focus on secure network architectures and AI-driven policies to combat emerging threats, including rogue AI agents.

The networking giant is also strengthening its data center strategy through an expanded partnership with NVIDIA. This collaboration is designed to establish a new standard for secure, scalable, and high-performance enterprise AI. The Cisco AI Defense and Hypershield security solutions utilize NVIDIA AI to deliver enhanced visibility, validation, and runtime protection across AI workflows. This partnership builds upon the Cisco Secure AI Factory with NVIDIA, aiming to provide continuous monitoring and protection throughout the AI lifecycle, from data ingestion to model deployment.

Furthermore, Cisco is enhancing AI networking performance to meet the demands of data-intensive AI workloads. This includes Cisco Intelligent Packet Flow, which dynamically steers traffic using real-time telemetry, and NVIDIA Spectrum-X, an AI-optimized Ethernet platform that delivers high-throughput and low-latency connectivity. By offering end-to-end visibility and unified monitoring across networks and GPUs, Cisco and NVIDIA are enabling enterprises to maintain zero-trust security across distributed AI environments, regardless of where data and workloads are located.

Recommended read:
References :
  • Practical Technology: Serious about running your own AI infrastructure? Consider Cisco’s latest offerings.
  • WhatIs: The networking giant released a slew of products leveraging the capabilities of last year's Splunk acquisition and touting a focus on AI adoption support.
  • Latest news: AgenticOps tools are a way to 'orchestrate' agents that will have a high degree of autonomy in the enterprise campus.
  • blogs.nvidia.com: Cisco and NVIDIA are helping set a new standard for secure, scalable and high-performance enterprise AI.
TIGR Threat@Security Risk Advisors //

Critical Flaw in Cisco ISE Impacts Cloud Deployments - Cisco addressed a critical vulnerability in its Identity Services Engine (ISE) impacting cloud deployments on AWS, Azure, and Oracle Cloud Infrastructure, allowing unauthenticated remote attackers access.
Cisco has issued a critical security advisory regarding a vulnerability, CVE-2025-20286, in its Identity Services Engine (ISE) when deployed on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). This static credential flaw enables unauthenticated remote attackers to potentially access sensitive data, perform limited administrative actions, modify system configurations, or disrupt services. The vulnerability stems from improperly generated credentials during cloud deployments, resulting in multiple ISE deployments sharing the same static credentials, provided they are on the same software release and cloud platform.

Exploitation of CVE-2025-20286 could allow attackers to extract user credentials from a compromised Cisco ISE cloud deployment and utilize them to access other ISE instances in different cloud environments via unsecured ports. This could lead to unauthorized access to sensitive data, execution of limited administrative operations, changes to system configurations, or service disruptions. Cisco's Product Security Incident Response Team (PSIRT) has confirmed the existence of a proof-of-concept (PoC) exploit for this vulnerability, though there is no evidence of active exploitation in the wild.

The vulnerability impacts specific versions of Cisco ISE, affecting versions 3.1, 3.2, 3.3, and 3.4 on AWS, and versions 3.2, 3.3, and 3.4 on Azure and OCI. Cisco emphasizes that this vulnerability only affects deployments where the Primary Administration node is hosted in the cloud; on-premises deployments are not affected. While there are no official workarounds, Cisco recommends restricting traffic to authorized administrators or using the "application reset-config ise" command to reset user passwords. The company has released security patches to address the flaw and urges users to update their systems promptly.

Recommended read:
References :
  • Cyber Security News: Cisco Alerts on ISE Vulnerability Exposing Sensitive Data with Available PoC Exploit
  • Security Affairs: Cisco fixed a critical flaw in the Identity Services Engine (ISE) that could allow unauthenticated attackers to conduct malicious actions.
  • The Hacker News: Cisco has released security patches to address a critical security flaw impacting the Identity Services Engine (ISE) that, if successfully exploited, could allow unauthenticated actors to carry out malicious actions on susceptible systems.
  • Security Risk Advisors: Static credential flaw (CVE-2025-20286) in #Cisco ISE cloud deployments enables unauthorized access across AWS, Azure, and OCI.
  • SOC Prime Blog: A critical vulnerability in Cisco’s Identity Services Engine (ISE) enables unauthenticated remote attackers to retrieve sensitive information and perform administrative actions across various cloud environments upon exploitation.
  • Arctic Wolf: CVE-2025-20286: PoC Available for Critical Cisco Identity Services Engine Static Credential Vulnerability
  • arcticwolf.com: On 4 June 2025, Cisco released fixes for multiple vulnerabilities, several of which were noted to have publicly available proof-of-concept (PoC) exploit code. The most severe issue, CVE-2025-20286, affects cloud deployments of Cisco Identity Services Engine (ISE) on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI).
  • sec.cloudapps.cisco.com: Static credential flaw (CVE-2025-20286) in #Cisco ISE cloud deployments enables unauthorized access across AWS, Azure, and OCI.
  • socprime.com: A critical vulnerability in Cisco’s Identity Services Engine (ISE) enables unauthenticated remote attackers to retrieve sensitive information and perform administrative actions across various cloud environments upon exploitation.
  • www.techradar.com: Cisco warns over worrying security flaws in ISE affecting AWS, Azure cloud deployments - here's what you need to know
  • arcticwolf.com: CVE-2025-20286: PoC Available for Critical Cisco Identity Services Engine Static Credential Vulnerability
  • www.itpro.com: Cisco patches critical flaw affecting Identity Services Engine
  • Arctic Wolf: CVE-2025-20286: PoC Available for Critical Cisco Identity Services Engine Static Credential Vulnerability
  • Blog: How to find Cisco Identity Services Engine (ISE) installations
  • www.scworld.com: Cisco patches Identity Services Engine flaw affecting AWS, Azure, OCI
@industrialcyber.co //

Russian GRU Targets Western Logistics Companies - A Russian state-sponsored cyber espionage campaign targets Western logistics entities and tech companies involved in coordinating aid to Ukraine, aiming to access sensitive information and disrupt operations.
A Russian state-sponsored cyber espionage campaign, attributed to the GRU's APT28 (also known as Fancy Bear or Forest Blizzard), has been actively targeting Western logistics entities and technology companies since 2022. This campaign focuses on organizations involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The goal is to gain access to sensitive information and disrupt operations, presenting a serious risk to these targeted organizations and sectors across more than a dozen countries.

These Russian cyber actors have been using a mix of previously disclosed tactics, techniques, and procedures (TTPs), including credential brute force attacks, spear-phishing using multilingual lures, and malware delivery via malicious archives exploiting vulnerabilities. They've also been observed hacking into IP cameras at Ukrainian border crossings to monitor and track aid shipments. The GRU unit, known as military unit 26165, has been linked to compromising a wide array of entities, spanning air, sea, and rail transportation modes.

To defend against these threats, organizations are urged to familiarize themselves with the identified TTPs and indicators of compromise (IOCs), increase monitoring and threat hunting, and strengthen their network defenses. The attacks have targeted companies and government organizations in numerous countries, including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The advisory is co-signed by over 20 agencies from multiple countries, underscoring the global nature of this threat.

Recommended read:
References :
  • Metacurity: This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies.
  • NCSC News Feed: UK and allies expose Russian intelligence campaign targeting western logistics and technology organisations
  • CyberInsider: Russian GRU Cyber Campaign Targets Western Logistics and Tech Firms
  • securityonline.info: Russian GRU’s APT28 Targets Global Logistics Supporting Ukraine Defense
  • securityonline.info: Russian GRU Targets Global Logistics Supporting Ukraine Defense
  • www.cybersecuritydive.com: Russian stepping up attacks on firms aiding Ukraine, Western nations warn
  • cyberinsider.com: Russian GRU Cyber Campaign Targets Western Logistics and Tech Firms
  • BleepingComputer: A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
  • BleepingComputer: A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
  • securityaffairs.com: Russia-linked APT28 targets western logistics entities and technology firms
  • Threats | CyberScoop: Multi-national warning issued over Russia’s targeting of logistics, tech firms
  • socprime.com: russian GRU Unit 26156 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
  • Blog: Russian APT28 targets Western firms supporting Ukraine
  • SOC Prime Blog: Detect APT28 Attacks: russian GRU Unit 26156 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
  • Metacurity: Russia's APT28 accused of infiltrating Western logistics, technology firms
  • Resources-2: Russian APT28 (aka Fancy Bear/Unit 26165) targets Western logistics and tech firms in Ukraine aid tracking operation
  • Virus Bulletin: Details a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies involved in the coordination, transport and delivery of foreign assistance to Ukraine.
  • DataBreaches.Net: Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
  • www.scworld.com: CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing an elevated threat to supply chains
  • eSecurity Planet: Russian Hackers Target Western Firms Aiding Ukraine, Spy on Shipments
  • www.esecurityplanet.com: Russian military hackers are targeting Western firms aiding Ukraine, using cyberespionage to infiltrate logistics networks and spy on arms shipments.
  • cyberscoop.com: Multi-national warning issued over Russia’s targeting of logistics, tech firms
  • industrialcyber.co: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains
  • www.csoonline.com: Russian APT28 compromised Western logistics and IT firms to track aid to Ukraine
  • Industrial Cyber: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains
  • www.microsoft.com: New Russia-affiliated actor Void Blizzard targets critical sectors for espionage

Posts

Blogs

Research Tools