Threat alerts
Stay informed about the latest threats and vulnerabilities
Threat alert
July 22, 2025
CVE-2025-53770 SharePoint Zero-Day Vulnerability and “ToolShell” Campaign
A widespread attack campaign, dubbed “ToolShell,” is actively exploiting a critical zero-day vulnerability in on-premises Microsoft SharePoint Server installations. The vulnerability, tracked as CVE-2025-53770, enables unauthenticated remote code execution (RCE) and allows an attacker to gain complete control of a vulnerable server over the network without any form of authentication or user interaction. Patching alone will not remove an attacker’s existing access; therefore, after applying the emergency security updates, administrators must perform a mandatory rotation of the SharePoint MachineKey across all servers in the farm.
September 5, 2025
Threat alert
July 18, 2025
CVE-2025-25257: Pre-Authentication RCE in Fortinet FortiWeb
A critical, unauthenticated SQL injection vulnerability, identified as CVE-2025-25257, has been disclosed in multiple versions of Fortinet’s FortiWeb Web Application Firewall (WAF). The vulnerability allows for the execution of arbitrary SQL commands, which can be escalated to achieve remote code execution (RCE) with the highest possible system privileges (root) on the underlying appliance operating system.
Threat alert
July 8, 2025
CVE-2025-20309: Cisco Unified CM Static SSH Credentials Vulnerability
A critical vulnerability, identified as CVE-2025-20309, exists in certain versions of Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME). This flaw has been assigned a CVSS score of 10.0, indicating the highest level of severity. The vulnerability permits an unauthenticated, remote attacker to gain complete control of an affected system by logging in with unchangeable, default root credentials.
Threat alert
June 27, 2025
CVE-2025-5777 and CVE-2025-6543: Dual Citrix NetScaler Vulnerabilities Demand Immediate Action
Two critical vulnerabilities have been disclosed impacting Citrix NetScaler ADC and NetScaler Gateway products: CVE-2025-5777 and CVE-2025-6543. While both pose significant risks to enterprise infrastructure, CVE-2025-6543 is currently under active exploitation. CVE-2025-5777, dubbed “CitrixBleed 2,” is a potential follow-up to the original “CitrixBleed” (CVE-2023-4966), which was extensively exploited by ransomware gangs and other cybercriminals. New reports indicate that CVE-2025-5777 may also be exploited in the wild.
Threat alert
June 18, 2025
CVE-2025-23121: Critical RCE in Veeam Backup & Replication
Veeam has released a critical security update for its widely used Backup & Replication software, addressing several security flaws, of which CVE-2025-23121 has been identified as a critical remote code execution (RCE) vulnerability. The vulnerability poses an immediate risk to organizations, particularly those with Veeam Backup Servers joined to an Active Directory domain. Successful exploitation could lead to a complete compromise of backup infrastructure, data loss, and potential denial of service, and could enable attackers to move laterally across the network.
Threat alert
May 23, 2025
In-the-Wild Exploitation of Ivanti EPMM Vulnerabilities (CVE-2025-4427 & CVE-2025-4428)
Ivanti Endpoint Manager Mobile (EPMM) has been actively exploited due to two critical vulnerabilities: CVE-2025-4427 (an authentication bypass) and CVE-2025-4428 (a remote code execution flaw). These vulnerabilities can enable unauthenticated remote code execution on internet-facing EPMM systems, granting threat actors complete control over compromised instances.
Threat alert
May 15, 2025
ClickFix Malware: Campaigns Spread Cross-Platform
A new wave of cyberattacks using the ClickFix social engineering technique is now targeting Linux, expanding from its earlier focus on Windows and macOS. ClickFix deceives users into copying and executing malicious commands under the guise of fixing fake software errors and CAPTCHA tests. It is now used by multiple threat actors to deliver infostealers, remote access trojans, and ransomware.
Threat alert
April 23, 2025
CVE-2025-32433: Critical Erlang/OTP SSH Vulnerability
A severe vulnerability, tracked as CVE-2025-32433, has been discovered in the Erlang/OTP SSH implementation and affects all devices running the Erlang/OTP SSH daemon. This flaw allows unauthenticated remote code execution on affected devices. With SSH being a widely used remote access protocol, the vulnerability poses a significant risk, especially in critical infrastructure. Researchers warn that threat actors could soon begin scanning for and exploiting vulnerable systems.
Threat alert
March 27, 2025
RedCurl: The Russian-Speaking Cyber Group Expanding Its Tactics with QWCrypt Ransomware
The notorious threat actor RedCurl, known for its corporate espionage activities since 2018, has recently pivoted to deploying ransomware that specifically targets Hyper-V virtual machines. Historically, RedCurl’s modus operandi has involved advanced social engineering techniques, such as sending phishing emails with malicious attachments, and the use of legitimate tools like PowerShell to execute malware.