Microsoft patched 57 vulnerabilities in its Patch Tuesday December 2025 update, including one exploited zero-day and six high-risk vulnerabilities. The exploited zero-day is CVE-2025-62221, a 7.8-rated Use After Free vulnerability in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and gain SYSTEM privileges. CISA promptly added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft credited its own Threat Intelligence Center (MSTIC) and Security Response Center (MSRC) for the find. Microsoft’s Patch Tuesday December 2025 update also issued fixes for 13 non-Microsoft CVEs; all the non-Microsoft CVEs were for Chromium-based Edge vulnerabilities. Other vendors issuing critical Patch Tuesday updates included Fortinet (CVE-2025-59718 and CVE-2025-59719), Ivanti (CVE-2025-10573) and SAP (CVE-2025-42880, CVE-2025-42928, and Apache Tomcat-related vulnerabilities CVE-2025-55754 and CVE-2025-55752).

High-Risk Vulnerabilities Fixed in Patch Tuesday December 2025 Update

Microsoft rated six vulnerabilities as “Exploitation More Likely.” The six are all rated 7.8 under CVSS 3.1, and three are Heap-based Buffer Overflow vulnerabilities. The six high-risk vulnerabilities include: CVE-2025-59516, a 7.8-severity Windows Storage VSP Driver Elevation of Privilege vulnerability. The Missing Authentication for Critical Function flaw in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-59517, also a 7.8-rated Windows Storage VSP Driver Elevation of Privilege vulnerability. Improper access control in Windows Storage VSP Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-62454, a 7.8-rated Windows Cloud Files Mini Filter Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Cloud Files Mini Filter Driver could allow an authorized attacker to elevate privileges locally. CVE-2025-62458, a 7.8-severity Win32k Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in Windows Win32K - GRFX could allow an authorized attacker to elevate privileges locally. CVE-2025-62470, a 7.8-rated Windows Common Log File System Driver Elevation of Privilege vulnerability. The Heap-based Buffer Overflow vulnerability in the Windows CLFS Driver could allow local privilege elevation by an authorized attacker. CVE-2025-62472, a 7.8-severity Windows Remote Access Connection Manager Elevation of Privilege vulnerability. The use of uninitialized resource flaw in Windows Remote Access Connection Manager could allow an authorized attacker to elevate privileges locally.

High-Severity Office, Copilot, SharePoint Vulnerabilities also Fixed

The highest-rated vulnerabilities in the December 2025 Patch Tuesday update were rated 8.8, and there were three 8.4-severity vulnerabilities too. All were rated as being at lower risk of exploitation by Microsoft. The four 8.8-rated vulnerabilities include:

• CVE-2025-62549, a Windows Routing and Remote Access Service (RRAS) Remote Code Execution vulnerability
• CVE-2025-62550, an Azure Monitor Agent Remote Code Execution vulnerability
• CVE-2025-62456, a Windows Resilient File System (ReFS) Remote Code Execution vulnerability
• CVE-2025-64672, a Microsoft SharePoint Server Spoofing vulnerability

The three 8.4-severity vulnerabilities include:

• CVE-2025-64671, a GitHub Copilot for Jetbrains Remote Code Execution vulnerability
• CVE-2025-62557, a Microsoft Office Remote Code Execution/Use After Free vulnerability
• CVE-2025-62554, a Microsoft Office Remote Code Execution/Type Confusion vulnerability

Chinese-sponsored groups are using the popular Brickstorm backdoor to access and gain persistence in government and tech firm networks, part of the ongoing effort by the PRC to establish long-term footholds in agency and critical infrastructure IT environments, according to a report by U.S. and Canadian security offices.

The post China Hackers Using Brickstorm Backdoor to Target Government, IT Entities appeared first on Security Boulevard.

U.S. and Canadian cybersecurity agencies are warning that China-sponsored threat actors are using BRICKSTORM malware to compromise VMware vSphere environments. “Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs,” CISA, the NSA and the Canadian Centre for Cyber Security warned in the advisory. Attacks have so far primarily targeted the government and IT sectors, the agencies said.

One PRC BRICKSTORM Malware Attack Lasted More Than a Year

CISA – the U.S. Cybersecurity and Infrastructure Security Agency – said it analyzed eight BRICKSTORM samples obtained from victim organizations, including one where CISA conducted an incident response engagement. While the analyzed samples were for VMware vSphere environments, there are also Windows versions of the malware, the agency said. In the incident response case, CISA said threat actors sponsored by the People’s Republic of China (PRC) gained “long-term persistent access” to the organization’s network in April 2024 and uploaded BRICKSTORM malware to a VMware vCenter server. The threat actors also accessed two domain controllers and an Active Directory Federation Services (ADFS) server, successfully compromising the ADFS server and exporting cryptographic keys. The threat actors used BRICKSTORM malware for persistent access “through at least Sept. 3, 2025,” the agency said. BRICKSTORM is an Executable and Linkable Format (ELF) Go-based backdoor. While samples may differ in function, “all enable cyber actors to maintain stealthy access and provide capabilities for initiation, persistence, and secure command and control (C2),” the agencies said. BRICKSTORM can automatically reinstall or restart if disrupted. It uses DNS-over-HTTPS (DoH) and mimics web server functionality “to blend its communications with legitimate traffic." The malware gives threat actors interactive shell access on the system and allows them to “browse, upload, download, create, delete, and manipulate files.” Some of the malware samples act as a SOCKS proxy to facilitate lateral movement and compromise additional systems.

PRC Hackers Got Access via a Web Server

CISA said that in its incident response engagement, the PRC hackers accessed a web server inside the organization’s demilitarized zone (DMZ) on April 11, 2024. The threat actors accessed it through a web shell present on the server. “Incident data does not indicate how they obtained initial access to the web server or when the web shell was implanted,” CISA said. On the same day, the hackers used service account credentials to move laterally using Remote Desktop Protocol (RDP) to a domain controller in the DMZ, where they copied the Active Directory (AD) database (ntds.dit). The following day, the hackers moved laterally from the web server to a domain controller within the internal network using RDP and credentials from a second service account. “It is unknown how they obtained the credentials,” CISA said. The hackers copied the AD database and obtained credentials for a managed service provider (MSP) account. Using the MSP credentials, the hackers moved from the internal domain controller to the VMware vCenter server. From the web server, the PRC hackers also moved laterally using Server Message Block (SMB) to two jump servers and an ADFS server, from which they stole cryptographic keys. After gaining access to vCenter, the hackers elevated privileges using the sudo command, dropped BRICKSTORM malware into the server’s /etc/sysconfig/ directory, and modified the system’s init file in /etc/sysconfig/ to run the malware. The modified init file controls the bootup process on VMware vSphere systems and executes BRICKSTORM, CISA said. The file is typically used to define visual variables for the bootup process. The hackers added an additional line to the script to execute BRICKSTORM from the hard-coded file path /etc/sysconfig/. CISA, NSA, and the Canadian Cyber Centre urged organizations to use the indicators of compromise (IOCs) and detection signatures in their lengthy report to detect BRICKSTORM malware samples. CISA also recommended that organizations block unauthorized DNS-over-HTTPS (DoH) providers and external DoH network traffic; inventory all network edge devices and monitor for suspicious network connectivity, and use network segmentation to restrict network traffic from the DMZ to the internal network.

CISA warned today that two Android zero-day vulnerabilities are under active attack, within hours of Google releasing patches for the flaws. Both are high-severity Android framework vulnerabilities. CVE-2025-48572 is a Privilege Escalation vulnerability, while CVE-2025-48633 is an Information Disclosure vulnerability. Both were among 107 Android vulnerabilities addressed by Google in its December security bulletin released today.

Android Vulnerabilities CVE-2025-48572 and CVE-2025-48633 Under Attack

Google warned that the CVE-2025-48572 and CVE-2025-48633 framework vulnerabilities “may be under limited, targeted exploitation.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) followed with its own alert adding the Android vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned. “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice,” the U.S. cybersecurity agency added. The vulnerabilities are so new that the CVE Program lists the CVE numbers as “reserved,” with details yet to be released. Neither Google nor CISA provided further details on how the vulnerabilities are being exploited.

7 Critical Android Vulnerabilities Also Patched

The December Android security bulletin also addressed seven critical vulnerabilities, the most severe of which is CVE-2025-48631, a framework Denial of Service (DoS) vulnerability that Google warned “could lead to remote denial of service with no additional execution privileges needed.” Four of the critical vulnerabilities affect the Android kernel and are all Elevation of Privilege (EoP) vulnerabilities: CVE-2025-48623, CVE-2025-48624, CVE-2025-48637, and CVE-2025-48638. The other two critical vulnerabilities affect Qualcomm closed-source components: CVE-2025-47319, an Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability, and CVE-2025-47372, a Buffer Overflow vulnerability that could lead to memory corruption. Google lists CVE-2025-47319 as “Critical” while Qualcomm lists the vulnerability as Medium severity; both list CVE-2025-47372 as Critical. The Qualcomm vulnerabilities are addressed in detail in The Cyber Express article Qualcomm Issues Critical Security Alert Over Secure Boot Vulnerability published earlier today.

The Department of Commerce’s vulnerability disclosure program (VDP), designed to protect its public-facing information technology systems, has been deemed “not fully effective” according to a recent audit conducted by the department’s Office of Inspector General (OIG). The audit highlights several shortcomings in the department’s approach to vulnerability disclosure and remediation.  The Commerce Department established its VDP in response to a directive from the Cybersecurity and Infrastructure Security Agency (CISA). This directive required all federal agencies to implement a vulnerability disclosure policy that allows members of the public to identify and report security vulnerabilities in internet-accessible government systems. Such programs are considered a critical component of federal cybersecurity efforts, enabling agencies to leverage external expertise to safeguard digital infrastructure.  However, the OIG’s audit, formally titled Audit of the Department’s Vulnerability Reporting and Resolution Program (Report Number OIG-26-002-A), found that the department’s program fell short in several key areas. “The Department established a vulnerability disclosure program; however, it was not fully effective,” the report states. Specifically, the audit found that not all internet-accessible systems were included in the VDP, testing guidelines restricted the tools public security researchers could use, reported vulnerabilities were not always fully remediated, and remediation deadlines were frequently missed. 

Gaps in Remediation and Vulnerability Reporting 

The OIG reviewed 71 resolved vulnerability disclosures and found that only 57 (80%) had been fully remediated, leaving 14 (20%) unresolved. Moreover, the audit indicated that since 2023, the department failed to meet established deadlines for remediating vulnerabilities approximately 35% of the time. “Without an effective vulnerability disclosure program, the Department cannot protect its internet-accessible systems, leaving them susceptible to potential compromise and exploitation,” the report warned.  The audit also highlighted structural issues with the VDP. The department limited its scope to 64 internet-accessible websites, excluding 22 department-owned or operated sites. Additionally, the contractor managing the VDP portal prohibited the use of automated scanners, tools widely used by public security researchers to detect vulnerabilities. 

OIG Recommendations and Next Steps 

To address these deficiencies, the OIG issued three recommendations. First, the department should revise its VDP testing scope to align with CISA’s Binding Operational Directive 20-01, which emphasizes including all internet-accessible systems in vulnerability disclosure efforts. Second, the department should update and implement standard operating procedures for vulnerability reporting and resolution to ensure comprehensive remediation across affected systems. Finally, the OIG recommended establishing an automated system to coordinate communication between contractors and bureaus and prompt timely action on delayed remediation efforts. 

The Importance of Vulnerability Disclosure Programs (VDPs) 

The OIG audit highlights the critical role of vulnerability disclosure programs (VDPs) in federal cybersecurity. CISA has emphasized that a strong VDP allows agencies to detect weaknesses before they are exploited, ensuring that vulnerabilities reported by security researchers are systematically assessed, tracked, and remediated.  Organizations looking to strengthen their cybersecurity posture can leverage platforms like Cyble, a world-leading AI-powered threat intelligence solution. Cyble provides real-time visibility into exposed assets, vulnerabilities, and emerging threats, helping organizations proactively manage risk.  Trusted by enterprises and federal agencies worldwide, Cyble’s AI-driven tools, including Blaze AI, automate threat detection, vulnerability management, and incident response, keeping systems protected before attackers strike.  Book a personalized demo and discover your vulnerabilities with Cyble Today! 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added an Oracle Identity Manager vulnerability to its Known Exploited Vulnerabilities database after the SANS Internet Storm Center reported attack attempts on the flaw. CVE-2025-61757 is a 9.8-severity Missing Authentication for Critical Function vulnerability in the Identity Manager product of Oracle Fusion Middleware that was patched as part of Oracle’s October update and detailed in a blog post last week by Searchlight Cyber, which had discovered the vulnerability and reported it to Oracle. Following the Searchlight post, the SANS Internet Storm Center looked for exploitation attempts on the vulnerability and found evidence as far back as August 30. “Given the complexity of some previous Oracle Access Manager vulnerabilities, this one is somewhat trivial and easily exploitable by threat actors,” Searchlight Cyber said in its post. Cyble threat intelligence researchers had flagged the vulnerability as important following Oracle’s October update.

Oracle Identity Manager Vulnerability CVE-2025-61757 Explained

CVE-2025-61757 affects the REST WebServices component of Identity Manager in Oracle Fusion Middleware versions 12.2.1.4.0 and 14.1.2.1.0. The easily exploitable pre-authentication remote code execution (RCE) vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of the vulnerability can result in takeover of Identity Manager. The Searchlight researchers began looking for vulnerabilities after an Oracle Cloud breach earlier this year exploited a host that Oracle had failed to patch for CVE-2021-35587. In the source code for the Oracle Identity Governance Suite, the researchers found that that the application compiles Groovy script but doesn’t execute it. Taking inspiration from a previous Java capture the flag (CTF) event, they noted that Java annotations are executed at compile time, not at run time, so they are free from the constraints of the Java security manager and can call system functions and read files just like regular Java code. “Since Groovy is built on top of Java, we felt we should be able to write a Groovy annotation that executes at compile time, even though the compiled code is not actually run,” they said. After experimenting with the code, they achieved RCE. “The vulnerability our team discovered follows a familiar pattern in Java: filters designed to restrict authentication often contain easy-to-exploit authentication bypass flaws,” the Searchlight researchers said. “Logical flaws in how Java interprets request URIs are a gift that continues giving when paired with matrix parameters. “Participating in CTFs, or even staying up to date with research in the CTF space, continues to pay dividends, giving us unique insights into how we can often turn a seemingly unexploitable bug into an exploitable one.”

Oracle EBS Victims Climb Past 100

Meanwhile, the number of victims from the CL0P ransomware group’s exploitation of Oracle E-Business Suite vulnerabilities has now climbed past 100 after the threat group claimed additional victims late last week. Mazda and Cox Enterprises are the latest to confirm being breached, bringing the confirmed total to seven so far. Mazda said it was able to contain the breach without system or data impact, but Cox said the personal data of more than 9,000 was exposed.

U.S., Australian and UK officials today announced sanctions against Media Land, a Russian bulletproof hosting (BPH) provider, citing Media Land’s “role in supporting ransomware operations and other forms of cybercrime.” “These so-called bulletproof hosting service providers like Media Land provide cybercriminals essential services to aid them in attacking businesses in the United States and in allied countries,” stated U.S. Under Secretary of the Treasury for Terrorism and Financial Intelligence John K. Hurley. “Today’s trilateral action with Australia and the United Kingdom, in coordination with law enforcement partners, demonstrates our collective commitment to combatting cybercrime and protecting our citizens.” UK Foreign Secretary Yvette Cooper added, “Cyber criminals think that they can act in the shadows, targeting hard working British people and ruining livelihoods with impunity. But they are mistaken – together with our allies, we are exposing their dark networks and going after those responsible.” Today’s announcements came from the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC), Australia’s Department of Foreign Affairs and Trade, and the UK’s Foreign Commonwealth and Development Office. OFAC and the FBI also designated three members of Media Land’s leadership team and three of its sister companies. In the U.S., OFAC sanctions require blocking and mandatory reporting of all property and interests of the designated persons and entities and prohibit all transactions involving any property or interests of designated or blocked persons. BPH service providers offer access to specialized servers and infrastructure designed to evade detection and disruption by law enforcement.

Russian Bulletproof Hosting Provider and Individuals Sanctioned

Media Land LLC, headquartered in St. Petersburg, Russia, has provided BPH services to criminal marketplaces and ransomware actors, including “prolific ransomware actors such as LockBit, BlackSuit, and Play,” the U.S. statement alleges. Media Land infrastructure has also been used in DDoS attacks, the U.S. says. Media Land, ML Cloud (a Media Land sister company), Aleksandr Volosovik (general director of Media Land who has allegedly advertised the business on cybercrime forums under the alias “Yalishanda”), and Kirill Zatolokin (a Media Land employee allegedly responsible for collecting payment and coordinating with cyber actors) were designated by OFAC for their cyber activities. The UK alleges that Volosovik “has been active in the cyber underground since at least 2010, and is known to have worked with some of the most notorious cyber criminal groups, including Evil Corp, LockBit and Black Basta.” Yulia Pankova was designated by OFAC for allegedly assisting Volosovik with legal issues and finances. Also designated are Media Land Technology (MLT) and Data Center Kirishi (DC Kirishi), fully-owned subsidiaries of Media Land.

U.S. and UK Sanction Alleged Aeza Entities

OFAC and the UK also designated Hypercore Ltd., an alleged front company of Aeza Group LLC, a BPH service provider designated by OFAC earlier this year, and two additional individuals and entities that have allegedly led, materially supported, or acted for Aeza Group. OFAC said that after its designations of Aeza Group and its leadership on July 1, 2025, “Aeza leadership initiated a rebranding strategy focusing on removing any connections between Aeza and their new technical infrastructure. OFAC’s designations today serve as a reminder that OFAC will take all possible steps to counter sanctions evasion activity by malicious cyber actors and their enablers.” Maksim Vladimirovich Makarov, allegedly the new director of Aeza, and Ilya Vladislavovich Zakirov, who allegedly helped establish new companies and payment methods to obfuscate Aeza’s activity, were also designated. Smart Digital Ideas DOO and Datavice MCHJ – Serbian and Uzbek companies allegedly utilized by Aeza to evade sanctions and set up technical infrastructure not publicly associated with the Aeza brand – were also designated.

Five Eyes Guidance for Defending Against BPH Providers

Also today, the U.S. and other “Five Eyes” countries issued guidance for defending against risks from bulletproof hosting providers. “Organizations with unprotected or misconfigured systems remain at high risk of compromise, as malicious actors leverage BPH infrastructure for activities such as ransomware, phishing, malware delivery, and denial-of-service (DoS) attacks,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) stated in announcing the guidance. “BPH providers pose a significant threat to the resilience and security of critical systems and services.” Included in the guidance are recommendations for a “nuanced approach to dynamically filter ASNs, IP ranges, or individual IP addresses to effectively reduce the risk of compromise from BPH provider-enabled activity.”

Fortinet may have silently patched an exploited zero-day vulnerability more than two weeks before officially disclosing the vulnerability. CVE-2025-64446 in Fortinet’s FortiWeb web application firewall (WAF) may have been exploited as early as October 6, according to DefusedCyber in a post on X. Fortinet is believed to have patched the 9.8-rated vulnerability in FortiWeb 8.0.2 in late October, but didn’t publish an advisory disclosing the exploited vulnerability until November 14. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog the same day as Fortinet’s disclosure. Late today, Fortinet disclosed another exploited FortiWeb vulnerability - CVE-2025-58034, a 7.2-rated OS Command Injection vulnerability.

Fortinet Silent Patch Raises Concerns

The delayed notification in the case of CVE-2025-64446 has raised concerns with some in the cybersecurity industry, who say the delay may have put Fortinet customers at a disadvantage. “Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild,” VulnCheck’s Caitlin Condon said in a blog post. “We already know security by obscurity doesn't work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not,” Condon added. “When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders.” The Cyber Express has reached out to Fortinet for comment and will update this article with any response.

CVE-2025-64446 FortiWeb Vulnerability

CVE-2025-64446 is a 9.8-severity relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11. The vulnerability could potentially allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. Fortinet recommends disabling HTTP or HTTPS for internet facing interfaces until an upgrade can be performed. “If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced,” Fortinet’s advisory said. Shadowserver shows several hundred internet-facing FortiWeb management instances, which presumably would be vulnerable until upgraded. After completing upgrades, Fortinet recommends that FortiWeb customers “review their configuration for and review logs for unexpected modifications, or the addition of unauthorized administrator accounts.” watchTowr said CVE-2025-64446 appears to comprise two vulnerabilities: a path traversal vulnerability, and an authentication bypass vulnerability. watchTowr shared one sample request stream that it said was “evidence of a threat actor looking to exploit a vulnerability ... that allowed privileged administrative functions to be reached.” In the example, the threat actor “exploited the vulnerability to add administrative accounts to the target and vulnerable appliance, serving as a weak persistence mechanism. “To be explicitly clear,” watchTowr added, “this is a complete compromise of the vulnerable appliance.”

AttackIQ has released an updated attack graph in response to the recently revised CISA Advisory (AA24-109A) which disseminates Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) associated with the Akira ransomware group, identified through FBI investigations as recently as November 2025.

The post Updated Response to CISA Advisory (AA24-109A): #StopRansomware: Akira Ransomware appeared first on AttackIQ.

The post Updated Response to CISA Advisory (AA24-109A): #StopRansomware: Akira Ransomware appeared first on Security Boulevard.

The Akira ransomware group poses an “imminent threat to critical infrastructure,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned today. CISA joined with the FBI, other U.S. agencies and international counterparts to issue a lengthy updated advisory on the ransomware group, adding many new Akira tactics, techniques and procedures (TTPs), indicators of compromise (IoCs), and vulnerabilities exploited by the group. Akira is consistently one of the most active ransomware groups, so the update from CISA and other agencies is significant. As of late September, Akira has netted about $244.17 million in ransom payments, CISA said. The Akira ransomware group information was sourced from “FBI investigations and trusted third-party reporting,” the agency said. In a busy two days for the agency, CISA also added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog (CVE-2025-9242, a WatchGuard Firebox Out-of-Bounds Write vulnerability, CVE-2025-12480, a Gladinet Triofox Improper Access Control vulnerability, and CVE-2025-62215, a Microsoft Windows Race Condition vulnerability), and reissued orders to federal agencies to patch Cisco vulnerabilities CVE-2025-20333 and CVE-2025-20362.

Akira Ransomware Group Targets Vulnerabilities for Initial Access

The CISA Akira advisory notes that in a June 2025 incident, Akira encrypted Nutanix Acropolis Hypervisor (AHV) virtual machine (VM) disk files for the first time, expanding the ransomware group’s abilities beyond VMware ESXi and Hyper-V by abusing CVE-2024-40766, a SonicWall vulnerability. The updated advisory adds six new vulnerabilities exploited by Akira threat actors for initial access, including:

• CVE-2020-3580, a cross-site scripting (XSS) vulnerability in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD)
• CVE-2023-28252, a Windows Common Log File System Driver Elevation of Privilege vulnerability
• CVE-2024-37085, a VMware ESXi authentication bypass vulnerability
• CVE-2023-27532, a Veeam Missing Authentication for Critical Function vulnerability
• CVE-2024-40711, a Veeam Deserialization of Untrusted Data vulnerability
• CVE-2024-40766, a SonicWall Improper Access Control vulnerability

“Akira threat actors gain access to VPN products, such as SonicWall, by stealing login credentials or exploiting vulnerabilities like CVE-2024-40766,” the CISA advisory said. In some cases, they gain initial access with compromised VPN credentials, possibly by using initial access brokers or brute-forcing VPN endpoints. The group also uses password spraying techniques and tools such as SharpDomainSpray to gain access to account credentials. Akira threat actors have also gained initial access through the Secure Shell (SSH) protocol by exploiting a router’s IP address. “After tunneling through a targeted router, Akira threat actors exploit publicly available vulnerabilities, such as those found in the Veeam Backup and Replication component of unpatched Veeam backup servers,” the advisory said.

Akira’s Latest Discovery, Persistence and Evasion Tactics

Visual Basic (VB) scripts are frequently used by the group to execute malicious commands, and nltest /dclist: and nltest /DOMAIN_TRUSTS are used for network and domain discovery. Akira threat actors abuse remote access tools such as AnyDesk and LogMeIn for persistence and to “blend in with administrator activity,” and Impacket is used to execute the remote command wmiexec.py and obtain an interactive shell. Akira threat actors also uninstall endpoint detection and response (EDR) systems to evade detection. In one incident, Akira threat actors bypassed Virtual Machine Disk (VMDK) file protection by powering down the domain controller’s VM and copying the VMDK files to a newly created VM, CISA said. “This sequence of actions enabled them to extract the NTDS.dit file and the SYSTEM hive, ultimately compromising a highly privileged domain administrator’s account,” the advisory said. Veeam.Backup.MountService.exe has also been used for privilege escalation (CVE-2024-40711), and AnyDesk, LogMeIn, RDP, SSH and MobaXterm have been used for lateral movement. Akira actors have used tunneling utilities such as Ngrok for command and control (C2) communications, initiating encrypted sessions that bypass perimeter monitoring. PowerShell and Windows Management Instrumentation Command-line (WMIC) have also been used to disable services and execute malicious scripts. Akira threat actors have been able to exfiltrate data in just over two hours from initial access, CISA said. The new Akira_v2 variant appends encrypted files with an .akira or .powerranges extension, or with .akiranew or .aki. A ransom note named fn.txt or akira_readme.txt appears in both the root directory (C:) and each user’s home directory (C:\Users). CISA recommended a number of security best practices for combatting the Akira ransomware threat, including prioritizing remediating known exploited vulnerabilities, enforcing phishing-resistant multifactor authentication (MFA), and maintaining regular, tested offline backups of critical data.

Two former cybersecurity pros were indicted with conspiring with a third unnamed co-conspirator of using the high-profile BlackCat ransomware to launch attacks in 2023 against five U.S. companies to extort payment in cryptocurrency and then splitting the proceeds.

The post Security Experts Charged with Launching BlackCat Ransomware Attacks appeared first on Security Boulevard.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning after confirming that a critical flaw in the Linux Kernel, tracked as CVE-2024-1086, is being actively exploited in ongoing ransomware attacks targeting Linux systems worldwide.  CVE-2024-1086 is a use-after-free vulnerability in the Linux Kernel’s netfilter: nf_tables component. The flaw arises when the nft_verdict_init() function improperly allows positive values to be used as a drop error within the hook verdict, which can lead to a double-free scenario in nf_hook_slow() when NF_DROP is mishandled.  Although the faulty code originated from a commit introduced back in February 2014, the vulnerability was not officially disclosed until January 31, 2024. A patch to address it was submitted in January 2024. 

Scope and Impact of CVE-2024-1086

The Linux Kernel flaw affects versions from 3.15 up to 6.8-rc1, meaning a wide range of major Linux distributions are vulnerable. Impacted systems include:  Ubuntu: 18.04, 20.04, 22.04, and 23.10  Red Hat Enterprise Linux (RHEL): 

• RHEL 7 – 3.10.0-1062.4.1.el7 
• RHEL 8 – 4.18.0-147.el8 
• RHEL 9 – 5.14.0-362.24.2.el9_3 

Debian: kernel version 6.1.76-1  Exploitation of CVE-2024-1086 allows attackers with local access to escalate their privileges to root level, granting full control of compromised systems. With root access, threat actors can disable security protections, install malware, move laterally within a network, steal data, and deploy ransomware payloads. 

Ransomware Connection and Agency Action

CISA has now confirmed that CVE-2024-1086 is being used in ransomware attacks. The vulnerability was initially added to the agency’s Known Exploited Vulnerabilities (KEV) catalog on May 30, 2024, with federal agencies ordered to apply security patches or mitigations no later than June 20, 2024.  In its official statement, CISA described this Linux Kernel flaw as a “frequent attack vector for malicious cyber actors,” emphasizing the significant risks it poses to government and enterprise networks alike. Agencies and organizations are instructed to follow vendor guidance for patching or discontinue use of affected products if no fixes are available. 

Exploit Availability and Threat Landscape

In late March 2024, a security researcher using the alias Notselwyn released a detailed write-up and a proof-of-concept (PoC) exploit for CVE-2024-1086. The PoC demonstrated how attackers could achieve local privilege escalation on Linux kernel versions ranging from 5.14 to 6.6.  According to security researchers, the exploit has proven to be highly reliable, showing success rates exceeding 99% in some tests. The public availability of this exploit code, combined with confirmed use in ransomware operations, significantly increases the risk of widespread attacks. 

Mitigation and Recommended Actions

System administrators are advised to verify immediately whether their Linux installations are affected. Running the command uname -r will reveal the kernel version in use. If the version falls between 3.15 and 6.8-rc1, the system may still be vulnerable.  To protect against exploitation: 

• Update to Linux Kernel 6.8-rc2 or later, or apply vendor-provided patches. 
• Blocklist the nf_tables module if it is not required. 
• Restrict access to user namespaces to minimize the attack surface. 
• Consider loading the Linux Kernel Runtime Guard (LKRG) module to add runtime protection, though administrators should be aware that it may affect system stability. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two DELMIA Apriso vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Today’s addition of CVE-2025-6204 and CVE-2025-6205 to the KEV catalog follow last month’s addition of CVE-2025-5086 to the CISA database, which was the first addition of an industrial control system (ICS)/operational technology (OT) vulnerability to the exploited vulnerabilities catalog since December 2023. However, IT vulnerabilities added to the KEV catalog often appear in ICS/OT products too. DELMIA Apriso is manufacturing operations management (MOM) and manufacturing execution system (MES) software from Dassault Systèmes that is used to manage production processes and connect factory floors to enterprise resource planning (ERP) systems. In a blog post last month, Johannes Ullrich, SANS Internet Storm Center (ISC) founder and Dean of Research for SANS Technology Institute, said DELMIA Apriso differs from the small IoT devices that are often the focus of manufacturing security in that it is “‘big software’ that is used to manage manufacturing. ... This type of Manufacturing Operation Management (MOM) or Manufacturing Execution System (MES) ties everything together and promises to connect factory floors to ERP systems. But complex systems like this have bugs, too.”

DELMIA Apriso Vulnerabilities CVE-2025-6204 and CVE-2025-6205 Under Attack

CISA typically doesn’t say what threat groups are exploiting vulnerabilities added to the KEV catalog or how they’re being exploited, and CISA’s latest DELMIA Apriso notice only says that “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” CISA gave federal civilian agencies a deadline of November 18 to patch the vulnerabilities. CVE-2025-6205 is the higher-rated of the two vulnerabilities, a 9.1-severity Missing Authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 that could allow an attacker to gain privileged access to the application. CVE-2025-6204 is an 8.0-rated Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 that could allow an attacker to execute arbitrary code. Both vulnerabilities were initially published in the National Vulnerability Database (NVD) on August 4, 2025. The Dassault Systèmes advisories for CVE-2025-6204 and CVE-2025-6205 include links for customers to access remediation information. CVE-2025-5086, the DELMIA Apriso vulnerability added to the CISA KEV database in September, is a 9.0-rated Deserialization of Untrusted Data vulnerability that also affects Release 2020 through Release 2025 and could lead to remote code execution. That vulnerability was initially published on June 2, 2025. Before CVE-2025-5086, an analysis by The Cyber Express shows that the most recent ICS/OT vulnerability added to the KEV catalog was CVE-2023-6448, a 9.8-severity Insecure Default Password vulnerability in Unitronics VisiLogic before version 9.9.00, used in Vision and Samba PLCs and HMIs.

On Sunday, July 20, Microsoft Corp. issued an emergency security update for a vulnerability in SharePoint Server that is actively being exploited to compromise vulnerable organizations. The patch comes amid reports that malicious hackers have used the SharePoint flaw to breach U.S. federal and state agencies, universities, and energy companies.

In an advisory about the SharePoint security hole, a.k.a. CVE-2025-53770, Microsoft said it is aware of active attacks targeting on-premises SharePoint Server customers and exploiting vulnerabilities that were only partially addressed by the July 8, 2025 security update.

The Cybersecurity & Infrastructure Security Agency (CISA) concurred, saying CVE-2025-53770 is a variant on a flaw Microsoft patched earlier this month (CVE-2025-49706). Microsoft notes the weakness applies only to SharePoint Servers that organizations use in-house, and that SharePoint Online and Microsoft 365 are not affected.

The Washington Post reported on Sunday that the U.S. government and partners in Canada and Australia are investigating the hack of SharePoint servers, which provide a platform for sharing and managing documents. The Post reports at least two U.S. federal agencies have seen their servers breached via the SharePoint vulnerability.

According to CISA, attackers exploiting the newly-discovered flaw are retrofitting compromised servers with a backdoor dubbed “ToolShell” that provides unauthenticated, remote access to systems. CISA said ToolShell enables attackers to fully access SharePoint content — including file systems and internal configurations — and execute code over the network.

Researchers at Eye Security said they first spotted large-scale exploitation of the SharePoint flaw on July 18, 2025, and soon found dozens of separate servers compromised by the bug and infected with ToolShell. In a blog post, the researchers said the attacks sought to steal SharePoint server ASP.NET machine keys.

“These keys can be used to facilitate further attacks, even at a later date,” Eye Security warned. “It is critical that affected servers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers. Patching alone is not enough. We strongly advise defenders not to wait for a vendor fix before taking action. This threat is already operational and spreading rapidly.”

Microsoft’s advisory says the company has issued updates for SharePoint Server Subscription Edition and SharePoint Server 2019, but that it is still working on updates for supported versions of SharePoint 2019 and SharePoint 2016.

CISA advises vulnerable organizations to enable the anti-malware scan interface (AMSI) in SharePoint, to deploy Microsoft Defender AV on all SharePoint servers, and to disconnect affected products from the public-facing Internet until an official patch is available.

The security firm Rapid7 notes that Microsoft has described CVE-2025-53770 as related to a previous vulnerability — CVE-2025-49704, patched earlier this month — and that CVE-2025-49704 was part of an exploit chain demonstrated at the Pwn2Own hacking competition in May 2025. That exploit chain invoked a second SharePoint weakness — CVE-2025-49706 — which Microsoft unsuccessfully tried to fix in this month’s Patch Tuesday.

Microsoft also has issued a patch for a related SharePoint vulnerability — CVE-2025-53771; Microsoft says there are no signs of active attacks on CVE-2025-53771, and that the patch is to provide more robust protections than the update for CVE-2025-49706.

This is a rapidly developing story. Any updates will be noted with timestamps.