CyberSecurity news

FlagThis - #cisco

Divya@gbhackers.com - 36d
Cisco has issued critical security patches to address vulnerabilities in its ClamAV software and Meeting Management platform. A denial-of-service flaw, identified as CVE-2025-20128, affects ClamAV and can be exploited by submitting a crafted file that terminates the scanning process. Proof-of-concept exploit code is available, although there's no indication it has been used in the wild. This ClamAV vulnerability is due to a heap-based buffer overflow bug within the OLE2 file parser, impacting Cisco Secure Endpoint Connectors for Windows, Linux, and macOS. Cisco advises users to immediately update to ClamAV versions 1.4.2 or 1.0.8 to remediate this threat, since a successful attack could disrupt security workflows by stopping the malware scanning function.

Additionally, a critical privilege escalation vulnerability, CVE-2025-20156, has been discovered in the Cisco Meeting Management REST API. This flaw allows remote, authenticated attackers with low privileges to elevate their access to administrator level on affected devices. It stems from improper authorization enforcement within the REST API, enabling attackers to gain control of edge nodes managed by Cisco Meeting Management. The vulnerability impacts versions 3.9 and earlier, but not 3.10. Upgrading to version 3.9.1 or 3.10 is essential, as there are no workarounds available. Cisco has also released software updates addressing a vulnerability in its Broadworks platform.

Recommended read:
References :
  • gbhackers.com: Cisco has issued a critical advisory regarding a privilege escalation vulnerability in its Meeting Management REST API.
  • securityaffairs.com: Cisco addressed a critical flaw in its Meeting Management that could allow it to gain administrator privileges on vulnerable instances.
  • The Hacker News: Cisco has released software updates to address a critical security flaw impacting Meeting Management that could permit a remote, authenticated attacker with low level access
  • Pyrzout: Cisco Meeting Management REST API Privilege Escalation Vulnerability
  • ciso2ciso.com: Cisco Meeting Management REST API Privilege Escalation Vulnerability – Source: sec.cloudapps.cisco.com
  • www.helpnetsecurity.com: Cisco fixes ClamAV vulnerability with available PoC and critical Meeting Management flaw
  • The Register - Security: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management
  • www.heise.de: Cisco: Critical security vulnerability in Meeting Management Cisco warns of a critical vulnerability in Meeting Management as well as vulnerabilities in Broadworks and ClamAV.
  • ciso2ciso.com: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management
  • Pyrzout: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management – Source: go.theregister.com
  • ciso2ciso.com: The article highlights a critical vulnerability in Cisco's Meeting Management tool.
  • jbz: Patch now: Cisco fixes critical Meeting Management flaw —The Register
  • The Register: The story focuses on a 9.9-rated vulnerability in Cisco Meeting Management, highlighting potential remote code execution risks.
  • heise online English: This discusses the vulnerability in Cisco's Meeting Management software.
  • www.theregister.com: Patch now: Cisco fixes critical Meeting Management flaw —The Register
  • jbz: Patch now: Cisco fixes critical Meeting Management flaw —The Register: "An attacker could exploit this vulnerability by sending API requests to a specific endpoint," and this could allow admin-level access over edge nodes, which are components of Cisco's video conferencing infrastructure managed by this tool, the biz warned in a Wednesday security alert.
  • The Register - Security: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management – Source: go.theregister.com

@cyberscoop.com - 14d
The Chinese nation-state hacking group Salt Typhoon, despite facing US sanctions, continues to actively target telecommunications providers. Between December 2024 and January 2025, Recorded Future observed Salt Typhoon breaching five telecom firms, including a US-based affiliate of a UK telecom provider, a US internet service provider, and companies in Italy, South Africa, and Thailand. The group also performed reconnaissance on a Myanmar-based telecom provider.

Salt Typhoon exploited vulnerabilities in Cisco IOS XE software, specifically CVE-2023-20198 and CVE-2023-20273, to compromise unpatched Cisco devices. They attempted to compromise over 1,000 Cisco routers globally, focusing on those within telecom networks. Additionally, Salt Typhoon targeted universities, including the University of California and Utah Tech, potentially seeking access to research related to telecommunications and engineering.

Recommended read:
References :
  • cyberscoop.com: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • The Register - Security: More victims of China's Salt Typhoon crew emerge: Telcos just now hit via Cisco bugs
  • Carly Page: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions. Recorded Future says Salt Typhoon breached five firms between December and January, including a US affiliate of a prominent UK provider and a US-based ISP
  • techcrunch.com: The China-backed Salt Typhoon group is still hacking telecommunications providers, despite government sanctions.
  • www.wired.com: Wired's coverage of Salt Typhoon's ongoing hacking activities.
  • Threats | CyberScoop: Salt Typhoon remains active, hits more telecom networks via Cisco routers
  • cyberinsider.com: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • securebulletin.com: RedMike (Salt Typhoon) continues global Telecom attacks
  • CyberInsider: Chinese Hackers Breach Cisco Devices in Global Telecom Attacks
  • Secure Bulletin: Report on RedMike's continued attacks on telecom providers.
  • Talkback Resources: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • Talkback Resources: Chinese state-sponsored APT group Salt Typhoon targets telecommunications providers and universities by exploiting Cisco vulnerabilities, creating privileged accounts, bypassing firewalls, and exfiltrating data using GRE tunnels, prompting organizations to patch devices, enforce access controls, and monitor for unauthorized changes.
  • PCMag UK security: China's Salt Typhoon Spies Are Still Eavesdropping on Global Networks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks
  • ciso2ciso.com: Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks – Source: www.securityweek.com
  • securityaffairs.com: China-linked APT Salt Typhoon breached telecoms by exploiting Cisco router flaws
  • BleepingComputer: China's Salt Typhoon hackers are still actively targeting telecoms worldwide and have breached more U.S. telecommunications providers via unpatched Cisco IOS XE network devices.
  • industrialcyber.co: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • securityonline.info: Cybersecurity researchers at Insikt Group have identified an ongoing cyber espionage campaign by RedMike (also tracked as Salt Typhoon).
  • Industrial Cyber: Insikt Group details RedMike cyber espionage campaign on telecom providers using Cisco vulnerabilities
  • SecureWorld News: Salt Typhoon Expands Espionage Campaign, Targets Cisco Routers
  • Cisco Talos Blog: Weathering the storm: In the midst of a Typhoon
  • cyberscoop.com: Cisco Talos observed the campaign targeting major U.S. telecommunication companies and observed the attackers primarily used legitimate login credentials to gain initial access, making detection and prevention difficult.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers

Ameer Owda@socradar.io - 21d
Cisco has released patches to address two critical remote code execution vulnerabilities in its Identity Services Engine (ISE). The flaws, tracked as CVE-2025-20124 (CVSS score 9.9) and CVE-2025-20125 (CVSS score 9.1), could allow a remote attacker with read-only administrative privileges to execute arbitrary commands on affected devices. The fixes prevent the resulting privilege escalation and unauthorized system configuration changes.

The first vulnerability, CVE-2025-20124, is due to insecure deserialization of user-supplied Java byte streams, allowing attackers to execute arbitrary commands and elevate privileges by sending a crafted serialized Java object to an affected API. The second, CVE-2025-20125, is an authorization bypass issue that could allow attackers to obtain sensitive information, modify system configurations, and restart the node by sending a crafted HTTP request to a specific API. Cisco warns that there are no workarounds, advising customers to migrate to a fixed software release as soon as possible.

Recommended read:
References :
  • securityaffairs.com: Cisco addressed critical flaws in Identity Services Engine, preventing privilege escalation and system configuration changes.
  • securityonline.info: CVE-2025-20124 (CVSS 9.9) & CVE-2025-20125 (CVSS 9.1): Cisco Patches Critical Flaws in Identity Services Engine
  • ciso2ciso.com: Cisco addressed two critical flaws in its Identity Services Engine (ISE) – Source: securityaffairs.com
  • securityonline.info: Cisco has issued a security advisory addressing two critical vulnerabilities in its Identity Services Engine (ISE), a network
  • Pyrzout: Cisco Identity Services Engine Stored Cross-Site Scripting Vulnerabilities – Source: sec.cloudapps.cisco.com
  • BleepingComputer: Cisco has fixed two critical Identity Services Engine (ISE) vulnerabilities that can let attackers with read-only admin privileges bypass authorization and run commands as root.
  • socradar.io: Critical Cisco ISE Vulnerabilities Patched: CVE-2025-20124 & CVE-2025-20125
  • The Hacker News: Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc
  • www.csoonline.com: Cisco’s ISE bugs could allow root-level command execution
  • www.bleepingcomputer.com: Cisco has fixed two critical Identity Services Engine (ISE) vulnerabilities that can let attackers with read-only admin privileges bypass authorization and run commands as root.
  • ciso2ciso.com: Cisco Patches Critical ISE Vulnerabilities Enabling Root CmdExec and PrivEsc – Source:thehackernews.com
  • ciso2ciso.com: Cisco’s ISE bugs could allow root-level command execution – Source: www.csoonline.com

Ameer Owda@socradar.io - 86d
Cisco has confirmed the active exploitation of a decade-old vulnerability, CVE-2014-2120, affecting the WebVPN login page of its Adaptive Security Appliance (ASA) software. This cross-site scripting (XSS) vulnerability, originally disclosed in 2014, allows unauthenticated, remote attackers to launch XSS attacks against WebVPN users by enticing them to click a malicious link. The vulnerability stems from insufficient input validation, enabling attackers to inject malicious scripts into the victim's browser. Cisco's Product Security Incident Response Team (PSIRT) became aware of renewed exploitation attempts in November 2024, prompting an updated advisory urging customers to upgrade to a fixed software release immediately.

While Cisco strongly recommends upgrading to patched software versions, it's important to note that free updates will not be provided for vulnerabilities disclosed through Security Notices. Customers are advised to contact their usual support channels to obtain the necessary upgrades. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2014-2120 to its Known Exploited Vulnerabilities (KEV) catalog in November 2024, further highlighting the critical need for swift remediation. Organizations utilizing third-party support should consult their service providers to ensure compatibility with any applied fixes.

Recommended read:
References :
  • securityonline.info: Cisco Systems has issued an updated security advisory regarding CVE-2014-2120, a vulnerability affecting the WebVPN login page of Cisco Adaptive Security Appliance (ASA) Software.
  • The Hacker News: Cisco updated an advisory to warn customers of active exploitation of a decade-old security flaw impacting its Adaptive Security Appliance (ASA).
  • malware.news: Cisco warns of continued exploitation of 10-year-old ASA bug, flaw in WebVPN login page exploited in the wild.
  • securityaffairs.com: The ASA flaw CVE-2014-2120 is being actively exploited in the wild
  • www.scworld.com: Cisco warns of continued exploitation of 10-year-old ASA bug
  • Security Risk Advisors: Cisco ASA WebVPN Login Page Vulnerable to Cross-Site Scripting Attack
  • sec.cloudapps.cisco.com: Cisco's security advisory details the vulnerability, its potential impact, and recommendations for mitigation.
  • socradar.io: SOCRadar analysis of the Androxgh0st botnet and its use of the CVE-2014-2120 vulnerability.
  • malware.news: Malware news article discussing the Androxgh0st botnet's utilization of the old Cisco ASA vulnerability.

drewt@secureworldexpo.com (Drew Todd)@SecureWorld News - 7d
The Chinese state-sponsored hacking group Salt Typhoon is expanding its espionage campaign, targeting U.S. telecommunication providers and other networks globally. The group, active since at least 2019, has been breaching major companies like AT&T, Verizon, and Lumen Technologies. Between December 2024 and January 2025, Salt Typhoon compromised additional telecom networks across the globe. The attacks involve a custom utility called JumbledPath, used to stealthily monitor network traffic and potentially capture sensitive data.

Salt Typhoon gains initial access through stolen credentials and exploiting vulnerabilities in Cisco routers. Specifically, they target internet-exposed Cisco network routers, leveraging CVE-2023-20198 and CVE-2023-20273 to escalate privileges and gain root access. Once inside, they extract credentials by intercepting authentication traffic, modify network configurations, and create hidden accounts to maintain persistent access. The group's objectives include intercepting sensitive communications, tracking political activists, and stealing research from academic institutions.

Recommended read:
References :
  • bsky.app: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • BleepingComputer: The Chinese state-sponsored Salt Typhoon hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • securityaffairs.com: Salt Typhoon used custom malware JumbledPath to spy U.S. telecom providers
  • www.bleepingcomputer.com: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Anonymous: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Carly Page: state-sponsored hacking group uses a custom utility called JumbledPath to stealthily monitor network traffic and potentially capture sensitive data in cyberattacks on U.S. telecommunication providers.
  • Blog: New Details: Salt Typhoon Used Leaked Creds in Telecom Attack
  • SecureWorld News: Chinese cyber espionage group Salt Typhoon has made headlines in the last year, breaching major companies, including AT&T, Verizon, and Lumen Technologies.
  • cyberscoop.com: Salt Typhoon gained initial access to telecoms through Cisco devices
  • www.bleepingcomputer.com: Chinese hackers breach more U.S. telecoms via unpatched Cisco routers
  • gbhackers.com: Gbhackers news on Salt Typhoon Hackers Exploit Cisco Vulnerability
  • www.the420.in: The 420 news on Chinese Hackers Target US Telecom Giants

MalBot@malware.news - 71d
Cisco experienced a significant data leak due to an internal misconfiguration. The hacker group known as "IntelBroker" claimed responsibility for accessing sensitive information. This occurred after Cisco inadvertently left its DevHub instance exposed, allowing unauthorized access. The breach enabled the hackers, identified as @zjj, @IntelBroker, and @EnergyWeaponUser, to download approximately 4.5TB of data associated with various Cisco products.

While much of the exposed data was public, the hackers also accessed files not intended for public release. Cisco's investigation confirmed that the data was obtained from a public-facing DevHub environment. The initial samples shared by the group included files relating to various Cisco software offerings, totaling 2.9GB. The breach included software from key products, including Cisco IOS XE, Webex and Umbrella, and raised concerns about potential vulnerabilities.

Recommended read:
References :
  • DataBreaches.Net: The hacker and forum owner known as “IntelBroker” announced that he and others breached Cisco systems and obtained source code and other valuable information.
  • malware.news: The hacker and forum owner known as “IntelBroker” announced that he and others breached Cisco systems and obtained source code and other valuable information.
  • Cyber Security News: The infamous hacker group IntelBroker has successfully breached Cisco’s network, allegedly exfiltrating approximately 4.5TB of sensitive data associated with various Cisco products.

Divya@gbhackers.com - 33d
Cisco has released a critical patch for a high-severity vulnerability in its Meeting Management tool, which has been given a rating of 9.9. The vulnerability, identified as CVE-2025-20156, could allow a remote attacker with low privileges to gain admin-level access to affected devices. This exploit is achieved by sending specific API requests to a designated endpoint, thus bypassing access control protocols on the system. This flaw primarily affects edge nodes, which are critical components of Cisco's video conferencing infrastructure managed by the tool. Cisco has acknowledged the vulnerability and issued an alert, urging customers to apply the patch immediately.

The vulnerability impacts most versions of Cisco Meeting Management, with the exception of version 3.10. Users with earlier releases, 3.8 and below, will need to migrate to a supported version. Specifically, release 3.9 should be upgraded to version 3.9.1. Although there have been no confirmed reports of the exploit being used in the wild yet, Cisco encourages all users to update as soon as possible, as a Proof-of-Concept (PoC) exploit could surface at any time. The discovery of this flaw was credited to Modux bug hunter Ben Leonard-Lagarde.

Recommended read:
References :
  • ciso2ciso.com: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management – Source: go.theregister.com
  • The Register: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug. No in-the-wild exploits … yet. Cisco has pushed a patch for a critical, 9.9-rated vulnerability in its Meeting Management tool that could allow a remote, authenticated attacker with low privileges to escalate to administrator on affected devices.…
  • jbz: Patch now: Cisco fixes critical Meeting Management flaw —The Register: "An attacker could exploit this vulnerability by sending API requests to a specific endpoint," and this could allow admin-level access over edge nodes, which are components of Cisco's video conferencing infrastructure managed by this tool, the biz warned in a Wednesday security alert.
  • Pyrzout: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management – Source: go.theregister.com
  • ciso2ciso.com: Patch now: Cisco fixes critical 9.9-rated, make-me-admin bug in Meeting Management
  • www.theregister.com: Patch now: Cisco fixes critical Meeting Management flaw —The Register

Ameer Owda@socradar.io - 85d
A decade-old vulnerability in Cisco's Adaptive Security Appliance (ASA) software, CVE-2014-2120, is being actively exploited, prompting a renewed warning from Cisco. Initially deemed medium severity with a CVSS score of 4.3, the vulnerability allows Cross-site Scripting (XSS) attacks. Attackers can trick users into accessing malicious links, injecting scripts to gain unauthorized access. The Androxgh0st botnet is leveraging this flaw, alongside others, for broader malicious campaigns, including malware distribution. Cisco's Product Security Incident Response Team (PSIRT) observed active attacks as early as November 2024, leading to an updated advisory urging users to upgrade to patched versions.

The vulnerability stems from insufficient input validation in the ASA's WebVPN login page. While originally requiring user interaction to exploit, recent reports indicate a shift towards more sophisticated attack methods employed by the Androxgh0st botnet. Cisco emphasizes the importance of updating vulnerable ASA versions despite the vulnerability's age and relatively low initial severity rating. This incident highlights the ongoing threat posed by older, unpatched systems and the need for comprehensive security practices to mitigate risks from evolving cyber threats.

Recommended read:
References :
  • malware.news: Old Cisco ASA Vulnerability (CVE-2014-2120) Fuels Androxgh0st Botnet Activity
  • sec.cloudapps.cisco.com: Cisco has issued a fresh warning regarding CVE-2014-2120, a decade-old vulnerability in its Adaptive Security Appliance (ASA).
  • socradar.io: Old Cisco ASA Vulnerability (CVE-2014-2120) Fuels Androxgh0st Botnet Activity