Critical Infrastructure and Identity Systems Under Relentless Assault
- SISA Weekly Threat Watch -

SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organisations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest critical threats.
1. Critical Vulnerabilities in Network and Virtualisation Infrastructure
A recurring theme this week is the active exploitation of severe flaws in the core infrastructure that powers enterprise networks and data centres, often before patches are widely available or applied.
- Cisco ASA/FTD Mass Exploitation: Two critical, unauthenticated RCE vulnerabilities (CVE-2025-20333, CVE-2025-20362) are being actively exploited, with over 48,000 devices still exposed. Attackers are deploying sophisticated malware, such as the RayInitiator bootkit, to maintain persistence even after a device is rebooted, posing a severe long-term threat.
- VMware Zero-Day Privilege Escalation: The China-linked threat actor UNC5174 has been exploiting a zero-day in VMware Tools and Aria Operations (CVE-2025-41244) since October 2024. The flaw allows any local user to escalate to root privileges by placing a malicious binary in a writable directory, which is then executed by a VMware service.
- Critical Sudo Flaw Actively Exploited: CISA has added a critical Sudo vulnerability (CVE-2025-32463, CVSS 9.3) to its Known Exploited Vulnerabilities (KEV) catalogue. This flaw allows a local attacker to bypass sudoers restrictions and execute arbitrary commands as root, compromising the entire Linux host.
2. Sophisticated Ransomware and Extortion Operations
Ransomware groups are refining their techniques to maximise impact, focusing on bypassing security controls and disrupting operations to force payment.
- Akira Ransomware Bypasses MFA on SonicWall VPNs: The Akira group is circumventing OTP-based MFA on SonicWall SSL-VPNs by using previously stolen credentials and potentially compromised OTP seeds. This attack, linked to CVE-2024-40766, demonstrates that patching a vulnerability is insufficient if credentials are not also reset, rendering MFA ineffective.
- The Jaguar Land Rover (JLR) Incident: A major cyberattack, claimed by “Scattered Lapsus$ Hunters,” caused a month-long production shutdown, highlighting the real-world consequences of cyber incidents. The attack, likely involving social engineering and weak identity governance, disrupted the global supply chain, affected over 100,000 jobs, and required a £1.5 billion government loan guarantee, underscoring cybersecurity as a systemic economic risk.
3. Evolution of Social Engineering and Malware Delivery
Attackers are continuously developing new methods to deceive users and deliver payloads, abusing trusted brands and file formats to bypass technical controls.
- Fake Microsoft Teams Installers: A malvertising and SEO poisoning campaign is pushing fake Microsoft Teams installers that deliver the Oyster backdoor. The installers are deceptively signed with legitimate-looking code-signing certificates, tricking users and systems into trusting the malicious payload.
- MatrixPDF Phishing Toolkit: A commercially available crimeware tool, MatrixPDF, allows attackers to turn any legitimate PDF into an interactive phishing lure. By adding clickable overlays that link to external malicious sites, the toolkit creates files that appear benign to static analysis, only triggering the attack when a user clicks inside the document.
4. Critical Flaws in Cloud and Container Platforms
As organisations shift to modern development platforms, attackers are following, finding critical misconfigurations and vulnerabilities in cloud-native technologies.
- Red Hat OpenShift AI Privilege Escalation: A critical flaw (CVE-2025-10725, CVSS 9.9) in Red Hat OpenShift AI allows any authenticated user, such as a data scientist in a Jupyter notebook, to escalate privileges to cluster administrator. The flaw stems from an overly permissive RBAC binding that grants excessive job-creation rights to all users, potentially leading to a full compromise of the AI/ML cluster and its underlying infrastructure.
Proactive Steps for the Week
Emergency Patching and Credential Reset:
- Cisco ASA/FTD: Immediately patch all Cisco ASA and FTD devices against CVE-2025-20333 and CVE-2025-20362. For compromised devices, a full factory reset is required to remove bootkit persistence.
- VMware: Apply the latest patches for VMware Tools and Aria Operations to address CVE-2025-41244. Audit for any suspicious binaries in /tmp or other writable directories.
- SonicWall VPN: If your SonicWall VPN was ever vulnerable to CVE-2024-40766, immediately reset all user credentials and OTP seeds, in addition to ensuring the firmware is patched.
Enforce Strict Identity and Access Management:
- Harden MFA: Move beyond OTP to phishing-resistant MFA (FIDO2/WebAuthn) for all administrative and remote access accounts.
- Audit RBAC: Review Role-Based Access Control policies in cloud and container platforms (such as OpenShift AI) to ensure no over-permissive bindings exist, especially those granting privileges to broad built-in groups like system:authenticated.
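The RBAC audit above can be scripted against the JSON that `oc get clusterrolebindings -o json` and `oc get clusterroles -o json` return. The following is an added example, not SISA's or Red Hat's code: it flags any ClusterRoleBinding whose subjects include a broad built-in group and whose role grants a write-style verb (the pattern behind the OpenShift AI job-creation flaw). The sample objects are constructed to illustrate the shape of that output and are not from a real cluster.

```python
# Built-in groups that stand for "every principal": a ClusterRoleBinding to one
# of these grants the role to all authenticated (or anonymous) users.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated",
                "system:serviceaccounts"}
# Verbs that let the subject create or change workloads or bindings, the kind of
# right that can be chained towards cluster-admin.
RISKY_VERBS = {"*", "create", "update", "patch", "bind", "escalate", "impersonate"}

def risky_rules(role):
    """Rules of a ClusterRole that grant at least one risky verb."""
    return [r for r in role.get("rules", []) if set(r.get("verbs", [])) & RISKY_VERBS]

def find_overpermissive_bindings(bindings, roles):
    """Flag bindings whose subjects include a broad group and whose role has risky
    rules. Inputs are the 'items' lists of the two `oc get ... -o json` commands."""
    roles_by_name = {r["metadata"]["name"]: r for r in roles}
    findings = []
    for b in bindings:
        broad = [s["name"] for s in b.get("subjects", [])
                 if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS]
        if not broad:
            continue
        rules = risky_rules(roles_by_name.get(b["roleRef"]["name"], {}))
        if rules:
            findings.append({
                "binding": b["metadata"]["name"],
                "role": b["roleRef"]["name"],
                "subjects": broad,
                "resources": sorted({res for r in rules for res in r.get("resources", [])}),
            })
    return findings

# Constructed sample in the shape of `oc get ... -o json` items (not output from
# any real cluster). 'jobs-for-everyone' is the pattern the audit should catch.
SAMPLE_ROLES = [
    {"metadata": {"name": "job-creator"}, "rules": [
        {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "get"]}]},
    {"metadata": {"name": "view-only"}, "rules": [
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"metadata": {"name": "jobs-for-everyone"}, "roleRef": {"name": "job-creator"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "viewers"}, "roleRef": {"name": "view-only"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "admins"}, "roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    for f in find_overpermissive_bindings(SAMPLE_BINDINGS, SAMPLE_ROLES):
        print(f"{f['binding']}: {f['role']} -> {f['subjects']} on {f['resources']}")
```

Run it against real output by loading both JSON documents and passing their `items` lists; a read-only binding to system:authenticated (like 'viewers') is not flagged, only one that grants write verbs.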
Enhance Monitoring for Stealthy Attacks:
- Monitor for Bootkits: Deploy EDR solutions capable of detecting firmware-level persistence, and monitor for the execution of known malicious drivers used in BYOVD (Bring Your Own Vulnerable Driver) attacks.
- Scan for Anomalous PDFs: Implement email security gateways that can detonate and analyse PDFs for active content and malicious annotations, blocking those that trigger outbound connections to unknown domains.
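A lightweight first-pass triage for the PDF check above, written as an added example rather than SISA's own tooling: it extracts `/URI` link actions (the clickable overlays MatrixPDF-style lures rely on) and looks for active-content keys such as `/JavaScript` and `/Launch`, then grades the file against an allow-list of domains. It works on raw bytes, so objects hidden in compressed object streams are not inspected; the code reports that case for sandbox detonation. The sample PDF is constructed inline and the domain names are placeholders.

```python
import re
from urllib.parse import urlsplit

# /URI (string) actions; the look-behind skips an escaped ')' inside the string.
# Hex-encoded URI strings (<...>) are not handled here.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)
# Name tokens that mean the document acts on open or click; a PDF name ends at
# whitespace or a delimiter, so /AAAAAB+Font (subset prefix) does not match /AA.
ACTIVE_RE = re.compile(
    rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm)(?=[\s/\[\]<>(){}%]|$)")
HARD_BLOCK = {"JavaScript", "JS", "Launch"}

def extract_uris(pdf_bytes):
    """Destination strings of every /URI action visible in the raw bytes."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]

def active_content_keys(pdf_bytes):
    """Active-content name tokens present, without duplicates, in file order."""
    return list(dict.fromkeys(m.group(1).decode() for m in ACTIVE_RE.finditer(pdf_bytes)))

def assess_pdf(pdf_bytes, allowed_domains):
    """Grade a PDF: 'block' for external links or scripted actions, 'review' for
    links to allowed domains or for compressed object streams the scan cannot
    see into (send those to a detonation sandbox), otherwise 'allow'."""
    uris = extract_uris(pdf_bytes)
    hosts = {u: (urlsplit(u).hostname or "").lower() for u in uris}
    external = [u for u, h in hosts.items() if h and h not in allowed_domains]
    keys = active_content_keys(pdf_bytes)
    has_objstm = b"/ObjStm" in pdf_bytes
    if external or HARD_BLOCK & set(keys):
        verdict = "block"
    elif uris or keys or has_objstm:
        verdict = "review"
    else:
        verdict = "allow"
    return {"uris": uris, "external": external, "active": keys,
            "objstm": has_objstm, "verdict": verdict}

# Constructed one-page PDF whose single Link annotation covers the whole page
# (a full-page clickable overlay), pointing at a placeholder domain.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 612 792]
   /A << /S /URI /URI (https://example.com/login) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(assess_pdf(SAMPLE_PDF, {"corp.example.com"}))
```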
Conduct Security Awareness Training:
- Train on New Lures: Immediately educate users on the risks of downloading software from search engine ads and on the dangers of clicking interactive buttons or links within PDF attachments from untrusted sources.
Review and Test Incident Response Plans:
- Prepare for Supply Chain Disruption: Ensure business continuity and incident response plans account for prolonged IT/OT outages and include communication strategies for suppliers, regulators, and customers.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.