Cyber Security Redefined

Non-human identities & AI agents – The users you never see: taming service accounts and AI agents. A primer on controlling non-human identities (NHIs)—service accounts, API tokens, AI agents—which can outnumber humans 80:1. Challenges: poor ownership, over-permissioning, no lifecycle. Guidance: discover/inventory NHIs, assign owners, automate lifecycle, and enforce guardrails under an identity security fabric. Your […]

SolarWinds Web Help Desk RCE – Third time lucky? Patch Web Help Desk—again. SolarWinds issued hotfix 12.8.7 HF1 for CVE-2025-26399 (CVSS 9.8)—an unauthenticated AjaxProxy deserialisation RCE in Web Help Desk. It’s a patch-bypass of prior CVEs (2024-28986/28988). No known exploitation yet; history suggests urgency as earlier bugs hit CISA KEV. Upgrade immediately. Another critical RCE […]

From document converter to cloud key-nicker. Pandoc CVE-2025-51591 → AWS IMDS. Researchers report in-the-wild abuse of Pandoc SSRF (CVE-2025-51591, CVSS 6.5) to query AWS Instance Metadata Service, stealing EC2 IAM credentials. Root cause: Pandoc renders <iframe> in HTML; mitigations include sandbox flags or sanitising input. Shows continued IMDS targeting via “quiet” dependencies. A flaw in […]

Cisco ASA zero-days: RayInitiator / LINE VIPER. Old firewalls, new tricks The UK NCSC and Cisco detail zero-day exploits against ASA 5500-X firewalls (often EoS), deploying a persistent GRUB bootkit (RayInitiator) and user-mode loader LINE VIPER. Flaws include CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (6.5); a separate CVE-2025-20363 is patched. Tactics: disable logging, intercept CLI, crash […]

SVG → CountLoader / PureRAT – From picture to problem. Phishing emails impersonating Ukrainian authorities deliver SVG attachments that start a chain: SVG → ZIP → CHM → CountLoader → payloads like Amatera Stealer and PureMiner; related campaigns evolve to PureRAT backdoors. Fileless techniques (AOT, process hollowing) and credential theft feature heavily. Those harmless-looking SVGs […]

AI meets phishing: SVGs with a suit and tie. Microsoft warns of a phishing campaign using LLM-generated, business-themed SVG files to hide malicious JavaScript and evade filters. The attack used self-addressed emails (BCC targets) and fake file-share lures; the SVG redirected via CAPTCHA to credential harvest pages. Microsoft’s analysis notes verbose, over-engineered code and business […]

SAP patches critical NetWeaver bugs (CVSS up to 10). Time to patch, not panic. SAP has released September patches addressing multiple flaws, including three critical issues in SAP NetWeaver (CVSS scores up to 10.0) that could allow code execution, arbitrary file upload, or unauthorised access—one via the RMI-P4 module. A high-severity bug in SAP S/4HANA […]

Salty2FA: the phishing kit that pinches your codes (not your chips) Researchers at ANY.RUN have identified Salty2FA, a phishing-as-a-service kit used across the US and EU that steals credentials and bypasses 2FA (including push, SMS and voice). Campaigns ramped up from June 2025 and target sectors such as finance, energy, telecoms, healthcare and government. A […]

Microsoft Patch Tuesday (September 2025): 80 fixes, one very nosey SMB bug Microsoft’s September 2025 Patch Tuesday fixes 80 vulnerabilities: 8 Critical and 72 Important. None are known to be exploited, but one flaw was publicly disclosed before patching: CVE-2025-55234 in Windows SMB, which can enable relay attacks leading to privilege escalation if SMB signing/EPA […]

AsyncRAT rides ScreenConnect: what’s going on? Researchers detail a campaign abusing ConnectWise ScreenConnect to deploy AsyncRAT and pinch credentials and crypto. Attackers either hijack a ScreenConnect session or lure victims with trojanised installers in phishing emails. Once in, they run a layered VBScript + PowerShell loader that fetches two payloads (“logs.ldk” and “logs.ldr”), sets up […]

FBI warning: crime rings are nicking your Salesforce data The FBI has issued a flash alert about two financially motivated threat clusters, UNC6395 and UNC6040, actively raiding Salesforce environments for data theft and extortion. UNC6395 piggy-backed on the Salesloft Drift incident by abusing compromised OAuth tokens, a breach Salesloft links to an earlier GitHub account […]

HybridPetya: the ransomware that slips past Secure Boot Security researchers (ESET) have analysed a new ransomware strain dubbed HybridPetya, which echoes Petya/NotPetya but adds a modern twist: it can bypass UEFI Secure Boot using a now-patched flaw (CVE-2024-7344) in a UEFI component. Samples appeared on VirusTotal in February 2025. HybridPetya works via an installer + […]

Automation is redefining pentesting (and yes, it’s about time) While penetration testing remains essential, the delivery of results hasn’t kept pace. Many teams still receive long, static PDFs and then manually copy findings into tools like Jira or ServiceNow—adding delays and eroding value. It promotes automated pentest delivery: streaming findings in real time into the […]

Citrix rushes fixes for three NetScaler bugs — one’s already being exploited Citrix has released patches for three security flaws in NetScaler ADC and NetScaler Gateway. One of them—CVE-2025-7775 (CVSS 9.2)—is already being actively exploited. The others are CVE-2025-7776 (CVSS 8.8) and CVE-2025-8424 (CVSS 8.7). • 7775/7776 are memory overflow bugs that can lead to […]

Salt Typhoon: edge devices in the firing line “Salt Typhoon,” a China-linked APT, has been exploiting vulnerabilities in edge network devices (notably from Cisco, Ivanti and Palo Alto Networks) to break into organisations worldwide—around 600 victims across 80 countries, including the UK. Initial access involves known CVEs (e.g., Cisco IOS XE and Smart Install flaws, […]

Google: Salesloft Drift breach bigger than expected Google and Mandiant warned that the recent Salesloft Drift OAuth breach is broader than first thought, affecting all Drift integrations, not just Salesforce. Attackers stole OAuth tokens and, in some cases, accessed Salesforce data and even a small number of Google Workspace mailboxes tied specifically to Drift’s email […]

Attackers turn Velociraptor into a C2 taxi • What happened: Researchers spotted attackers installing the open-source forensic tool Velociraptor and then using it to fetch and run Visual Studio Code in “tunnel” mode—turning a developer editor into a handy route back to an attacker-controlled C2 server. • How they got in: Windows msiexec pulled an […]

Browsers: your biggest risk you’re staring at all day This piece argues the humble web browser has become a prime battleground: the author claims over 80% of security incidents now start in browser-based apps and spotlights Scattered Spider (aka UNC3944 / Octo Tempest / Muddled Libra) for targeting identities and data inside Chrome, Edge, Firefox […]

Cisco’s Fire-fighting Console Has a Howler: Patch Your FMC, Pronto Cisco has patched a critical (CVSS 10.0) flaw in Secure Firewall Management Center (FMC) that sits in its RADIUS authentication code. An unauthenticated attacker can inject commands during login and achieve remote code execution—but only if RADIUS is enabled for the FMC web UI or […]

FortiSIEM’s critical wobble: patch first, tea later Fortinet has disclosed a critical pre-auth command-injection flaw in FortiSIEM—CVE-2025-25256 (CVSS 9.8)—and says exploit code exists in the wild. The bug sits in the phMonitor process (port 7900), where inadequate input sanitisation can let an unauthenticated attacker run OS commands. Fortinet lists affected branches and fixed versions, notes […]