Threat alerts
Stay informed about the latest threats and vulnerabilities
Threat alert
September 10, 2025
Supply Chain Attack: npm debug and chalk packages
The npm ecosystem was subjected to one of its most significant supply chain attacks to date. A threat actor compromised the account of a prolific open-source maintainer and published malicious versions of 18 popular packages, including chalk and debug. The malicious versions were detected and removed from the registry within hours of discovery, but any build that resolved them during that window should be treated as affected.
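The practical check after an incident like this is whether any lockfile in your estate pinned one of the malicious versions. The following Python scanner is an added example, not part of this alert or of any Socura tooling: it walks an npm package-lock.json (lockfile v2/v3 "packages" map, with a fallback for the legacy v1 nested tree) and reports every occurrence of a listed package@version, including nested copies under other dependencies. The two entries in the starting list (chalk 5.6.1 and debug 4.4.2) are the versions widely reported for this incident but are embedded here as an assumed seed list; confirm them and add the remaining affected packages from the advisory before relying on the output. The sample lockfile is constructed inline so the script runs offline.

```python
"""Scan an npm package-lock.json for known-compromised package versions.

Added example for illustration; not the advisory's or the project's code.
"""
import json
import sys

# Assumed seed list: the chalk/debug versions widely reported as malicious in
# the September 2025 incident. Verify against the advisory and extend with the
# other affected packages before using this in anger.
COMPROMISED = {
    ("chalk", "5.6.1"),
    ("debug", "4.4.2"),
}


def find_compromised(lockfile, compromised=COMPROMISED):
    """Return sorted (path, name, version) tuples for every hit in the lockfile.

    lockfileVersion 2/3 keeps a flat "packages" map keyed by node_modules
    path, so nested duplicates (node_modules/foo/node_modules/debug) show up
    as their own entries. lockfileVersion 1 nests "dependencies" recursively,
    so we walk the tree and rebuild the equivalent path.
    """
    hits = []
    packages = lockfile.get("packages")
    if packages:
        for path, meta in packages.items():
            if not path:  # "" is the root project entry, not a dependency
                continue
            # Scoped packages (@scope/name) survive the rsplit intact.
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            version = meta.get("version")
            if (name, version) in compromised:
                hits.append((path, name, version))
    else:
        def walk(deps, prefix):
            for name, meta in deps.items():
                version = meta.get("version")
                path = f"{prefix}node_modules/{name}"
                if (name, version) in compromised:
                    hits.append((path, name, version))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lockfile.get("dependencies", {}), "")
    return sorted(hits)


def scan_file(path, compromised=COMPROMISED):
    """Load a lockfile from disk and return its hits."""
    with open(path, encoding="utf-8") as fh:
        return find_compromised(json.load(fh), compromised)


# Constructed sample lockfile (v3): a clean top-level debug, a malicious
# top-level chalk, and a malicious debug nested under another dependency.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0",
             "dependencies": {"chalk": "^5.6.0", "debug": "^4.3.0"}},
        "node_modules/chalk": {"version": "5.6.1"},
        "node_modules/debug": {"version": "4.3.4"},
        "node_modules/foo": {"version": "2.0.0"},
        "node_modules/foo/node_modules/debug": {"version": "4.4.2"},
    },
}


if __name__ == "__main__":
    paths = sys.argv[1:]
    results = ([(p, h) for p in paths for h in scan_file(p)]
               if paths else [("<sample>", h) for h in find_compromised(SAMPLE_LOCK)])
    for source, (path, name, version) in results:
        print(f"{source}: {path} -> {name}@{version} COMPROMISED")
    sys.exit(1 if results else 0)
```

Run it with one or more lockfile paths as arguments; with no arguments it scans the embedded sample. The non-zero exit status on any hit lets it sit in a CI step, and because it keys on exact version strings it will not flag the patched releases that replaced the malicious ones.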
October 7, 2025
Threat alert
August 20, 2025
CVE-2025-25256: Critical Unauthenticated RCE in Fortinet FortiSIEM
CVE-2025-25256 is a critical vulnerability in Fortinet’s FortiSIEM that allows a remote attacker to execute arbitrary commands on a target FortiSIEM appliance. Crucially, the attack requires no authentication credentials and no interaction from a legitimate user. Fortinet’s official advisory confirmed that exploit code has been seen in the wild. Threat actors are actively mapping potential targets and are pre-positioned to exploit this vulnerability at scale.
October 7, 2025
Threat alert
July 30, 2025
Direct Send: Microsoft 365 Feature Abused by Threat Actors
A widespread phishing campaign is utilising Microsoft’s own infrastructure through Direct Send. The feature is designed to provide a simple method for on-premises devices and applications to send emails to recipients within the organisation.
October 7, 2025
Threat alert
July 22, 2025
CVE-2025-53770 SharePoint Zero-Day Vulnerability and “ToolShell” Campaign
A widespread attack campaign, dubbed “ToolShell,” is actively exploiting a critical zero-day vulnerability in on-premises Microsoft SharePoint Server installations. The vulnerability, tracked as CVE-2025-53770, enables unauthenticated remote code execution (RCE) and allows an attacker to gain complete control of a vulnerable server over the network without any form of authentication or user interaction. Patching alone will not remove an attacker’s existing access: after applying the emergency security updates, administrators must rotate the SharePoint MachineKey across all servers in the farm.
September 5, 2025
Threat alert
July 18, 2025
CVE-2025-25257: Pre-Authentication RCE in Fortinet FortiWeb
A critical, unauthenticated SQL injection vulnerability, identified as CVE-2025-25257, has been disclosed in multiple versions of Fortinet’s FortiWeb Web Application Firewall (WAF). The vulnerability allows for the execution of arbitrary SQL commands, which can be escalated to achieve remote code execution (RCE) with the highest possible system privileges (root) on the underlying appliance operating system.
September 5, 2025
Threat alert
July 8, 2025
CVE-2025-20309: Cisco Unified CM Static SSH Credentials Vulnerability
A critical vulnerability, identified as CVE-2025-20309, exists in certain versions of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). This flaw has been assigned a CVSS score of 10.0, indicating the highest level of severity. The vulnerability permits an unauthenticated, remote attacker to gain complete control of an affected system by logging in with unchangeable, default root credentials.
September 5, 2025
Threat alert
June 27, 2025
CVE-2025-5777 and CVE-2025-6543: Dual Citrix NetScaler Vulnerabilities Demand Immediate Action
Two critical vulnerabilities have been disclosed in Citrix NetScaler ADC and NetScaler Gateway: CVE-2025-5777 and CVE-2025-6543. Both pose significant risks to enterprise infrastructure, and CVE-2025-6543 is currently under active exploitation. CVE-2025-5777, dubbed “CitrixBleed 2”, is a potential follow-up to the original “CitrixBleed” (CVE-2023-4966), which was extensively exploited by ransomware gangs and other cybercriminals. New reports indicate that CVE-2025-5777 is also potentially being exploited in the wild.
September 5, 2025
Threat alert
June 18, 2025
CVE-2025-23121: Critical RCE in Veeam Backup & Replication
Veeam released a critical security update for its widely used Backup & Replication software, addressing several security flaws, one of which, CVE-2025-23121, is a critical Remote Code Execution (RCE) vulnerability. The vulnerability poses an immediate risk to organisations, particularly those whose Veeam Backup Servers are joined to an Active Directory domain. Successful exploitation could lead to complete compromise of the backup infrastructure, data loss and potential denial of service, and could enable attackers to move laterally across the network.
September 5, 2025
Threat alert
May 23, 2025
In-the-Wild Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427 & CVE-2025-4428)
Ivanti Endpoint Manager Mobile (EPMM) is being actively exploited through two critical vulnerabilities: CVE-2025-4427 (an authentication bypass) and CVE-2025-4428 (a remote code execution flaw). Chained together, they enable unauthenticated remote code execution on internet-facing EPMM systems, granting threat actors complete control over compromised instances.
September 5, 2025