As cyber threats continue to evolve, this week’s bulletin brings attention to critical vulnerabilities, targeted attack campaigns, and emerging security news that demand immediate action and awareness from cybersecurity teams and compliance leaders.
Vulnerability Highlights
This week saw the disclosure of multiple critical and high-severity vulnerabilities affecting widely used enterprise products and development platforms. The nature of these flaws — from unauthenticated remote code execution to privilege escalation — underscores the urgency for security teams to prioritize patch management and system hardening.
1. Citrix NetScaler – CVE-2025-6543 & CVE-2025-5777 - Critical DoS Vulnerability
A critical DoS vulnerability in NetScaler ADC and Gateway products could allow unauthenticated remote attackers to disrupt business-critical services. The vulnerabilities affect several NetScaler versions configured for VPN and access-control services. Citrix has released updated builds, and customers are advised to patch immediately to maintain business continuity.
2. Cisco ISE & ISE-PIC – CVE-2025-20281 & CVE-2025-20282 - Remote Code Execution Risk
A severe RCE vulnerability enables unauthenticated root-level compromise of Cisco’s Identity Services Engine (ISE) and its Passive Identity Connector (ISE-PIC). The two flaws, rated CVSS 9.8 and 10.0, stem from improper validation of user-supplied input in the API and can be exploited remotely, without credentials, to execute code as root. Successful exploitation leads to full system compromise, making this a high-priority risk for network security infrastructure.
3. Notepad++ – CVE-2025-49144 - Privilege Escalation via Installer
A vulnerability in the Notepad++ v8.8.1 installer allows attackers to escalate privileges to SYSTEM level by manipulating executable search paths. The attack relies on placing a malicious executable in the same folder as the installer (commonly the Downloads folder). While not a remote vulnerability, it can be exploited through social engineering. A fix is scheduled in version 8.8.2.
4. Open VSX Registry – CVE-2025-6705 - Supply Chain Risk for Developers
Insufficient sandboxing in the registry’s CI pipeline exposes millions of developers to malicious job execution. The flaw in Eclipse’s Open VSX Registry means that an attacker with access to an extension could execute arbitrary code during the auto-publish process and potentially hijack the platform’s service account. This puts millions of developers and downstream users at risk, especially those relying on VS Code forks or automated build systems.
Summary Insight:
These vulnerabilities demonstrate a mix of traditional attack vectors (DoS, privilege escalation) and modern supply chain threats. Organizations should act promptly by applying vendor patches, auditing exposed APIs, and reviewing installer integrity and CI/CD workflows.
Ongoing Attack Campaigns
This week highlights two significant attack campaigns that underscore the evolving tactics of threat actors — from exploiting misconfigurations in cloud identity services to conducting state-sponsored cyber espionage targeting critical infrastructure.
nOAuth Abuse in Microsoft Entra ID
Threat actors exploit SaaS misconfigurations for full account takeover using email-based impersonation. A critical vulnerability dubbed nOAuth has been discovered in Microsoft Entra ID (formerly Azure AD): attackers abuse misconfigured OpenID Connect integrations that trust the unverified email attribute to impersonate users. This low-complexity attack bypasses multifactor authentication and other security controls, enabling full account takeover and unauthorized access to Microsoft 365 resources without any stolen credentials. Organizations are urged to review and secure their identity configurations immediately.
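The root cause of nOAuth is an application that keys its user accounts on the token's email claim. The following is an added example, not code from the bulletin or from Microsoft: it shows that weak lookup beside the corrected one. It assumes Entra ID's `tid`, `oid` and `email` claims, Microsoft's optional `xms_edov` ("email domain owner verified") claim, and the constructed users and token claims embedded in the block.

```python
"""Added example (not from the bulletin or Microsoft): the account-lookup
pattern behind nOAuth beside its corrected form.

Assumed: Entra ID's `tid` (tenant id), `oid` (object id) and `email` claims,
Microsoft's optional `xms_edov` claim, and the constructed users and token
claims below."""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    tenant_id: str   # `tid` claim of the tenant the user belongs to
    object_id: str   # `oid` claim: immutable per user within a tenant
    email: str
    role: str


class UserStore:
    def __init__(self):
        self._by_email = {}
        self._by_identity = {}

    def add(self, user):
        self._by_email[user.email.lower()] = user
        self._by_identity[(user.tenant_id, user.object_id)] = user

    def lookup_vulnerable(self, claims):
        """Weak pattern: `email` is a free-text directory attribute that any
        tenant administrator can set on users in their own tenant, so a token
        minted by an attacker-controlled tenant that carries the victim's
        address is matched to the victim's account. The victim tenant's MFA
        never runs because the victim never signed in."""
        return self._by_email.get(claims.get("email", "").lower())

    def lookup_hardened(self, claims, allowed_tenants):
        """Corrected pattern: the account key is (tid, oid), the issuing tenant
        must be one the application expects, and `email` is only trusted for
        first-time provisioning when the IdP asserts the domain is verified."""
        tid, oid = claims.get("tid"), claims.get("oid")
        if tid not in allowed_tenants or not oid:
            return None
        user = self._by_identity.get((tid, oid))
        if user is None and claims.get("xms_edov") is True:
            # First sign-in from a verified domain: safe to auto-provision.
            user = User(tid, oid, claims["email"], "member")
            self.add(user)
        return user


def demo():
    """Runs both lookups against a constructed victim account and attacker token."""
    store = UserStore()
    victim = User("tid-victim-0001", "oid-victim-0001", "cfo@example.com", "admin")
    store.add(victim)
    # Token from an attacker-controlled tenant whose admin set the mail
    # attribute of their own user to the victim's address (constructed claims).
    attacker_claims = {"tid": "tid-attacker-9999", "oid": "oid-attacker-0001",
                       "email": "cfo@example.com"}
    victim_claims = {"tid": "tid-victim-0001", "oid": "oid-victim-0001",
                     "email": "cfo@example.com", "xms_edov": True}
    allowed = {"tid-victim-0001"}
    return {
        "vulnerable_grants_attacker": store.lookup_vulnerable(attacker_claims) is victim,
        "hardened_grants_attacker": store.lookup_hardened(attacker_claims, allowed) is victim,
        "hardened_grants_victim": store.lookup_hardened(victim_claims, allowed) is victim,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened lookup never consults the email index at all; for a multi-tenant application the tenant allowlist is replaced by whatever onboarding check the application already performs, but the (tid, oid) key and the verified-domain gate on provisioning stay the same.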
Salt Typhoon Targets Cisco IOS XE in Targeted Cyber-Espionage
The China-linked Salt Typhoon APT group exploited a critical Cisco IOS XE vulnerability (CVE-2023-20198) to breach a Canadian telecom provider. By leveraging a privilege escalation flaw, the attackers gained admin access to network devices, extracted configuration files, and established a GRE tunnel for covert traffic collection. This incident is part of a broader, stealthy cyber-espionage campaign targeting global telecommunications infrastructure.
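The artefacts described above (new admin access, exported configuration, a GRE tunnel) all leave traces in the device's running configuration. The block below is an added example, not code from the bulletin or from Cisco, that audits an IOS XE running-config text for tunnel interfaces and privilege-15 local accounts outside an allowlist, and for the HTTP server feature that the CVE-2023-20198 web UI attack path depends on. The configuration, account names and addresses are constructed; the allowlists are assumed to come from the organization's own inventory.

```python
"""Added example (not from the bulletin or Cisco): audit an IOS XE
running-config for unexpected tunnels, unexpected privilege-15 accounts and
the web UI feature. The config text below is constructed."""
import re

SAMPLE_CONFIG = """\
hostname edge-rtr-01
ip http server
ip http secure-server
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
interface GigabitEthernet0/0/0
 ip address 198.51.100.2 255.255.255.252
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
line vty 0 4
 transport input ssh
"""


def parse_interfaces(config):
    """Returns {interface name: [sub-commands]} from IOS-style indented stanzas."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None
    return stanzas


def audit_ios_config(config, expected_admins, expected_tunnels):
    """Returns a list of human-readable findings; an empty list means clean."""
    findings = []
    # Local accounts with full privilege that inventory does not know about.
    for m in re.finditer(r"^username (\S+) privilege 15\b", config, re.M):
        if m.group(1) not in expected_admins:
            findings.append(f"unexpected privilege-15 account: {m.group(1)}")
    # Tunnel interfaces: GRE over IP is the IOS default tunnel mode, so the
    # `tunnel mode` line is usually absent from the config. Flag every Tunnel
    # interface that is not expected and report where it points.
    for name, lines in parse_interfaces(config).items():
        if name.lower().startswith("tunnel") and name not in expected_tunnels:
            dest = next((l.split()[-1] for l in lines if l.startswith("tunnel destination")), "?")
            mode = next((l for l in lines if l.startswith("tunnel mode")), "tunnel mode gre ip (default)")
            findings.append(f"unexpected tunnel interface {name} -> {dest} ({mode})")
    # The web UI is the exposure behind CVE-2023-20198; it should be off unless required.
    if re.search(r"^ip http (secure-)?server$", config, re.M):
        findings.append("HTTP(S) web UI enabled (ip http server / ip http secure-server)")
    return findings


if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG, {"netops"}, set()):
        print(finding)
```

Run this against configuration backups from every device rather than against a single box: a tunnel or account that appears on one router and nowhere else is exactly what the campaign described above looks like from the defender's side.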
Key Insight:
These incidents reveal the growing threat posed by both misconfigurations in identity systems and sophisticated, state-backed actors exploiting known vulnerabilities. Proactive monitoring, patch management, and secure identity configurations remain critical defense measures.
Security News You Shouldn’t Miss
Africa’s Financial Sector Under Siege
Cybercriminals weaponize open-source tools to mimic trusted apps and run fraud campaigns. Groups targeting Africa’s financial sector are building their attack infrastructure from open-source and publicly available tools: tunneling for covert communication and remote access, and forged file signatures that mimic legitimate applications to evade detection. By spoofing trusted software, these actors disguise their activity, making their attacks harder to trace and prevent.
APT-C-36 (Blind Eagle) Escalates Activity
Latin American targets face rapid phishing-to-exfiltration attacks, exploiting Windows vulnerabilities. APT-C-36 (Blind Eagle), a threat group active since 2018, continues to target government, financial, and critical infrastructure entities in Latin America, particularly Colombia. The group uses phishing emails with malicious .url files exploiting a Windows vulnerability (CVE-2024-43451) to capture NTLMv2 hashes. Following initial compromise, they deliver payloads via WebDAV and maintain command-and-control using dynamic DNS over TCP port 1512. A February 2025 campaign highlighted the group’s efficiency, completing data exfiltration of over 65 MiB within five hours, demonstrating strong operational security and rapid execution capabilities.
Phishing via Microsoft 365 Direct Send
A technique allowing spoofed internal emails to bypass filters and deceive users. A sophisticated phishing campaign has been actively targeting over 70 organizations across the United States since May 2025. The attackers are leveraging a legitimate feature within Microsoft 365 known as Direct Send, which is typically used to relay emails through a company’s smart host (e.g., company-com.mail.protection.outlook.com) without requiring authentication.
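Because Direct Send relays mail without authentication, a spoofed message of this kind carries a distinctive combination of headers: an internal sender domain, a connecting IP that is not one of the organization's known relays, and a failing or absent SPF result. The following is an added example, not code from the bulletin or from Microsoft, that classifies messages on exactly that combination. The header blocks, domain, and relay address range are constructed; real mail has more `Received` hops, so the line written by the tenant's own MX endpoint is the one to inspect.

```python
"""Added example (not from the bulletin or Microsoft): flag inbound mail that
claims an internal sender but arrived unauthenticated from outside the
organization's known relays. Headers, domains and ranges are constructed."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}
# Addresses allowed to relay unauthenticated mail on the org's behalf
# (on-premises devices, line-of-business apps). Constructed range.
TRUSTED_RELAYS = [ipaddress.ip_network("198.51.100.0/24")]

SPOOFED = """\
Received: from mail.example.com (unknown [203.0.113.10])
\tby example-com.mail.protection.outlook.com with ESMTP; Tue, 24 Jun 2025 09:12:01 +0000
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=example.com; dkim=none; dmarc=fail action=none header.from=example.com
From: IT Helpdesk <it-helpdesk@example.com>
To: staff@example.com
Subject: Action required: voicemail waiting

You have a new voicemail.
"""

LEGIT = """\
Received: from mfp-02.corp.example.com (mfp-02.corp.example.com [198.51.100.20])
\tby example-com.mail.protection.outlook.com with ESMTP; Tue, 24 Jun 2025 09:15:44 +0000
Authentication-Results: spf=pass (sender IP is 198.51.100.20) smtp.mailfrom=example.com; dkim=none; dmarc=pass action=none header.from=example.com
From: Scanner <scanner@example.com>
To: finance@example.com
Subject: Scanned document

Attached.
"""

EXTERNAL = """\
Received: from mx.partner.example.org (mx.partner.example.org [203.0.113.55])
\tby example-com.mail.protection.outlook.com with ESMTP; Tue, 24 Jun 2025 09:20:09 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.55) smtp.mailfrom=partner.example.org; dkim=pass header.d=partner.example.org; dmarc=pass action=none header.from=partner.example.org
From: Alice <alice@partner.example.org>
To: staff@example.com
Subject: Meeting notes

See below.
"""


def classify(raw_message):
    """Returns {"suspicious": bool, "reason": str} for one RFC 822 message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    domain = from_addr.rpartition("@")[2].lower()
    if domain not in INTERNAL_DOMAINS:
        return {"suspicious": False, "reason": f"external sender domain {domain}"}
    # Connecting IP as recorded in the first Received line of this sample
    # (in production, use the line written by your own MX endpoint).
    received = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[0]) if received else None
    src_ip = ipaddress.ip_address(m.group(1)) if m else None
    spf_match = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""), re.I)
    spf = spf_match.group(1).lower() if spf_match else "none"
    from_trusted_relay = src_ip is not None and any(src_ip in net for net in TRUSTED_RELAYS)
    if spf == "pass" or from_trusted_relay:
        return {"suspicious": False,
                "reason": f"internal sender accepted (spf={spf}, ip={src_ip})"}
    return {"suspicious": True,
            "reason": f"internal sender {from_addr} from unauthenticated source ip={src_ip} spf={spf}"}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("external", EXTERNAL)):
        print(name, classify(raw))
```

Detection of this kind is a complement to, not a substitute for, configuring the tenant to reject unauthenticated Direct Send where no system actually needs it; the classifier is most useful for the transition period while those legitimate senders are being inventoried.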
North Korean Hackers Weaponize GitHub
Kimsuky group abuses GitHub repos to deliver XenoRAT via personalized spearphishing. Since March 2025, the North Korean cyber espionage group Kimsuky has been conducting a stealthy spearphishing campaign that weaponizes GitHub’s private repository infrastructure. This operation showcases a strategic abuse of trusted cloud platforms to deliver malware while evading traditional security defenses.
Stay vigilant, patch systems, and review authentication and endpoint controls regularly. For consultation and for tailored cybersecurity advisory, contact our team at Crowe UAE, +971 55 343 8693, manesh.nair@crowe.ae