ai://ti

autonomous threat intelligence feed

Top Stories

💣 Exploits
Cisco AsyncOS 0-day Under Attack by Suspected Chinese APT Group
A zero-day vulnerability in Cisco AsyncOS is being actively exploited by a suspected Chinese government-linked group. The flaw, tracked as CVE-2025-20393, allows attackers to execute arbitrary commands on affected appliances, with no fix currently available.

Key points:

  • CVE-2025-20393 affects Cisco AsyncOS software for Secure Email Gateway and Secure Email and Web Manager.
  • The vulnerability was discovered by Cisco Talos and has been exploited since at least late November 2025.
  • The threat actor, UAT-9686, is believed to be a Chinese state-sponsored APT.
  • Cisco has provided IoCs for detection but has not released patches or workarounds.
  • CISA has added CVE-2025-20393 to its Known Exploited Vulnerabilities catalog.
Sources: The Register Security (1 article)
💣 Exploits
HPE Addresses Critical RCE Vulnerability in OneView Software
Hewlett Packard Enterprise has released a patch for a critical remote code execution vulnerability in its OneView software. The flaw, tracked as CVE-2025-37164, affects all versions prior to 11.00 and can be exploited by unauthenticated attackers.

Key points:

  • The vulnerability allows remote code execution via a low-complexity code injection attack.
  • No workarounds are available; affected users must upgrade to version 11.00 or apply a security hotfix.
  • The flaw was reported by a Vietnamese security researcher and has not been confirmed as exploited in the wild.
  • HPE has previously fixed vulnerabilities in other product lines, including StoreOnce and Aruba devices.
Sources: Bleeping Computer (1 article)
💣 Exploits
SonicWall Alerts Users to SMA1000 Zero-Day Vulnerability Exploited in Attacks
SonicWall has issued a warning regarding a zero-day vulnerability in the SMA1000 Appliance Management Console, which is being exploited in attacks. Users are urged to apply the latest hotfix to mitigate risks associated with this local privilege escalation flaw (CVE-2025-40602).

Key points:

  • The vulnerability (CVE-2025-40602) allows local privilege escalation and has been exploited as a zero-day.
  • Attackers are chaining this flaw with another critical vulnerability (CVE-2025-23006) for remote code execution.
  • SonicWall recommends users upgrade to the latest hotfix to address the security issue.
  • Over 950 SMA1000 appliances are reportedly exposed online, increasing the risk of exploitation.
  • The vulnerability poses significant risks to organizations relying on SMA1000 for secure remote access.
Sources: Bleeping Computer (1 article)
💣 Exploits
SonicWall SMA 1000 Zero-Day Vulnerability Actively Exploited
SonicWall has reported a zero-day vulnerability in its SMA 1000 remote-access appliance, tracked as CVE-2025-40602, which is being actively exploited. This flaw allows attackers to escalate privileges and potentially take over systems. Users are urged to apply patches immediately.

Key points:

  • The vulnerability, CVE-2025-40602, allows authenticated attackers to escalate privileges.
  • It can be chained with another flaw, CVE-2025-23006, for unauthenticated remote code execution.
  • SonicWall advises users to update to the latest hotfix versions and restrict access to trusted networks.
  • Hundreds of SMA 1000 units are exposed on the internet, increasing the risk of exploitation.
  • SonicWall has faced multiple security incidents in 2025, including a breach affecting all MySonicWall cloud backup customers.
Sources: The Register Security (1 article)

Other Updates

🚨 Intrusions
Data Breach at Virginia Mental Health Authority Affects Over 113,000 Individuals
Richmond Behavioral Health Authority (RBHA) suffered a ransomware attack that exposed the personal data of more than 113,000 individuals.

Key points:

  • The ransomware attack occurred on September 29, with RBHA detecting it the following day.
  • Personal information potentially accessed includes names, Social Security numbers, and health information.
  • RBHA has advised affected individuals to monitor for identity theft and fraud.
  • The Qilin group claimed responsibility for the attack and has leaked a significant amount of data.
  • RBHA is a public agency providing mental health and crisis services in Richmond.
Sources: SecurityWeek (1 article)
💣 Exploits
React2Shell (CVE-2025-55182): Critical RCE in React Server Components Requires Immediate Patching
React2Shell (CVE-2025-55182), a remote code execution flaw in React Server Components, poses a severe threat and requires urgent patching and validation of the fix.

Key points:

  • CVE-2025-55182 affects React versions 19.0.0 to 19.2.0 and Next.js versions 15.0.0 to 16.0.6.
  • Exploitation in the wild has been reported, emphasizing the need for rapid validation of fixes.
  • Rapid7's DAST solution now includes a module to test for React2Shell vulnerabilities.
  • Immediate patching is advised, with specific version upgrades recommended for React and Next.js.
  • Temporary WAF rules for React Server Components (Flight) endpoints are suggested as a stopgap while patches are applied.
Sources: Rapid7 Research Blog (1 article)
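The version ranges in the entry above are a starting point, but a bare numeric range test is not enough: patched Next.js 15.x releases sit inside that range, and the vulnerable Flight deserializer is also pulled in through nested copies of the react-server-dom-* packages rather than only the top-level `react` entry. The following is an added example (not Rapid7's, React's or Next.js's code) that scans a package-lock.json for affected installs, nested ones included. The patched-release list and the react-server-dom-* package names are this example's assumptions, not facts from the entry; confirm them against the React and Next.js advisories before relying on the output. The lockfile it scans is constructed for the example.

```python
"""Flag React / Next.js installs affected by React2Shell (CVE-2025-55182)."""
import json
import re
from typing import Dict, List, Optional, Set, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges as stated in the feed entry.
RANGE_REACT: Tuple[Version, Version] = ((19, 0, 0), (19, 2, 0))
RANGE_NEXT: Tuple[Version, Version] = ((15, 0, 0), (16, 0, 6))

# ASSUMPTION (not on the page): the vulnerable Flight deserializer lives in
# the react-server-dom-* packages, so they are checked under the React range.
AFFECTED: Dict[str, Tuple[Version, Version]] = {
    "react": RANGE_REACT,
    "react-server-dom-webpack": RANGE_REACT,
    "react-server-dom-parcel": RANGE_REACT,
    "react-server-dom-turbopack": RANGE_REACT,
    "next": RANGE_NEXT,
}

# ASSUMPTION: patched releases as the author of this example recalls them
# from the vendor advisories; verify before use. Several Next.js 15.x fixes
# sit inside the numeric range, so the rule is "same major.minor line and
# version >= that line's patched release" rather than a plain range test.
PATCHED: Dict[str, Set[Version]] = {
    "react": {(19, 0, 1), (19, 1, 2), (19, 2, 1)},
    "next": {(15, 0, 5), (15, 1, 9), (15, 2, 6), (15, 3, 6),
             (15, 4, 8), (15, 5, 7), (16, 0, 7)},
}
for _pkg in ("react-server-dom-webpack", "react-server-dom-parcel",
             "react-server-dom-turbopack"):
    PATCHED[_pkg] = PATCHED["react"]

_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> Optional[Version]:
    """Parse 'major.minor.patch'; pre-release/build suffixes are ignored."""
    m = _VER_RE.match(text.strip())
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable(pkg: str, version: Version) -> bool:
    """True when version is in the affected range and below the patched
    release of its own major.minor line."""
    if pkg not in AFFECTED:
        return False
    lo, hi = AFFECTED[pkg]
    if not (lo <= version <= hi):
        return False
    for fixed in PATCHED.get(pkg, ()):
        if fixed[:2] == version[:2] and version >= fixed:
            return False
    return True


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return lock_path.split("node_modules/")[-1]


def scan_lockfile(lock_json: str) -> List[Tuple[str, str, str]]:
    """Walk the 'packages' map of a lockfileVersion 2/3 package-lock.json and
    return (lockfile path, package, version) for every affected install,
    including copies nested under other packages' node_modules."""
    data = json.loads(lock_json)
    findings = []
    for path, meta in data.get("packages", {}).items():
        if not path:  # "" is the root project entry
            continue
        pkg = package_name(path)
        ver = parse_version(meta.get("version", ""))
        if ver is not None and is_vulnerable(pkg, ver):
            findings.append((path, pkg, meta["version"]))
    return findings


# Constructed sample lockfile (not from any real project): a patched Next.js,
# a vulnerable top-level React, and a vulnerable nested react-server-dom-webpack
# that a top-level-only check would miss.
SAMPLE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "sample-app", "version": "1.0.0"},
        "node_modules/next": {"version": "15.5.7"},
        "node_modules/react": {"version": "19.1.0"},
        "node_modules/react-dom": {"version": "19.1.0"},
        "node_modules/some-ui-kit": {"version": "2.3.1"},
        "node_modules/some-ui-kit/node_modules/react-server-dom-webpack":
            {"version": "19.2.0"},
    },
})

if __name__ == "__main__":
    for path, pkg, ver in scan_lockfile(SAMPLE_LOCK):
        print(f"VULNERABLE  {pkg}@{ver}  ({path})")
```

Run it against a real lockfile with `scan_lockfile(open("package-lock.json").read())`. Pre-release versions (canary builds) are reduced to their numeric prefix, so a canary of an affected line is reported as affected; treat that as a prompt to check the build by hand rather than as a false positive.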
🚨 Intrusions
Kimsuky Distributes DocSwap Android Malware via QR Code Phishing
Kimsuky is spreading DocSwap malware via QR codes, masquerading as a delivery app to infect Android users.

Key points:

  • Kimsuky uses QR codes and phishing tactics to distribute DocSwap malware, posing as a legitimate delivery app.
  • The malware, once installed, can log keystrokes, capture audio, and access sensitive data from the device.
  • Victims are misled into ignoring security warnings by claims of the app being an official release.
  • The attack includes a tracking script that prompts users to install a security module under false pretenses.
  • Other malware samples have been found disguised as legitimate apps, indicating a sophisticated approach to infection.
Sources: The Hacker News (1 article)
💣 Exploits
Fortinet Vulnerabilities CVE-2025-59718 and CVE-2025-59719 Actively Exploited in the Wild
Fortinet's CVE-2025-59718 and CVE-2025-59719 are under active exploitation, necessitating immediate remediation.

Key points:

  • CVE-2025-59718 and CVE-2025-59719 allow attackers to bypass authentication and gain administrative access.
  • The vulnerabilities affect FortiOS, FortiProxy, FortiWeb, and FortiSwitchManager products.
  • Active exploitation has been confirmed, with attackers downloading system configuration files.
  • Fortinet has released patches and mitigation guidance for affected versions.
  • Organizations should disable FortiCloud SSO administrative login as an immediate defensive measure.
Sources: Rapid7 Research Blog (1 article)
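Because Fortinet's immediate mitigation is a single FortiOS setting, it can be checked across a fleet from configuration backups instead of logging into each device. The following is an added example, not Fortinet's or Rapid7's code, that audits a backup for that toggle. It assumes the setting is `admin-forticloud-sso-login` under `config system global` (the name used in Fortinet's workaround guidance; confirm it against the CLI reference for your release), and all four configuration fragments are constructed for the example, not captured from real devices.

```python
"""Audit FortiOS config backups for the FortiCloud SSO admin-login toggle."""
from typing import Dict, List, Optional, Tuple

# ASSUMPTION: setting and section as named in Fortinet's workaround guidance;
# confirm against the CLI reference for your FortiOS release.
SETTING = "admin-forticloud-sso-login"
SECTION: Tuple[str, ...] = ("system", "global")


def forticloud_sso_state(config_text: str) -> Optional[str]:
    """Return 'enable', 'disable', or None when the setting is absent.

    Tracks the nested `config ... end` / `edit ... next` blocks so that a
    `set` line carrying the same keyword inside some other table is ignored.
    """
    stack: List[Tuple[str, ...]] = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            stack.append(tuple(line.split()[1:]))
        elif line.startswith("edit "):
            stack.append(("edit", line.split(None, 1)[1]))
        elif line in ("end", "next"):
            if stack:
                stack.pop()
        elif line.startswith("set ") and stack and stack[-1] == SECTION:
            parts = line.split()
            if len(parts) >= 3 and parts[1] == SETTING:
                return parts[2].strip('"').lower()
    return None


def audit(config_text: str) -> Dict[str, str]:
    """Classify one backup as mitigated, exposed, or needing verification."""
    state = forticloud_sso_state(config_text)
    if state == "disable":
        return {"state": state, "verdict": "mitigated"}
    if state == "enable":
        return {"state": state, "verdict": "exposed"}
    # FortiOS backups omit settings that are at their default value, so an
    # absent line is not evidence of a safe state. Confirm on the device with
    # `show full-configuration system global | grep forticloud-sso-login`.
    return {"state": "absent", "verdict": "verify"}


def remediation() -> str:
    """CLI block applying the workaround (per the assumed setting name)."""
    return "\n".join(["config system global",
                      f"    set {SETTING} disable",
                      "end"])


# Constructed configuration fragments (not from real devices).
CFG_EXPOSED = """\
# constructed sample: SSO login explicitly enabled
config system global
    set admin-forticloud-sso-login enable
    set hostname "fgt-edge-1"
end
"""

CFG_MITIGATED = """\
config system global
    set admin-forticloud-sso-login disable
    set hostname "fgt-edge-2"
end
"""

# Only non-default values are written out, so the backup says nothing
# about the toggle.
CFG_DEFAULT = """\
config system global
    set hostname "fgt-edge-3"
end
"""

# Decoy: the same keyword inside another table must not be matched.
CFG_DECOY = """\
config system admin
    edit "admin"
        set admin-forticloud-sso-login enable
    next
end
config system global
    set hostname "fgt-edge-4"
end
"""

if __name__ == "__main__":
    for name, cfg in [("fgt-edge-1", CFG_EXPOSED), ("fgt-edge-2", CFG_MITIGATED),
                      ("fgt-edge-3", CFG_DEFAULT), ("fgt-edge-4", CFG_DECOY)]:
        print(name, audit(cfg))
    print(remediation())
```

The "verify" verdict is the one to watch: a fleet of backups that never mention the setting is not a fleet that has disabled it, so treat those devices as unconfirmed until `show full-configuration` on the box says otherwise.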
💣 Exploits
Cisco Alerts on Unpatched AsyncOS Zero-Day Exploited by Chinese Threat Group
Cisco warns of a critical AsyncOS zero-day exploited by UAT-9686, affecting specific email appliances.

Key points:

  • The vulnerability, tracked as CVE-2025-20393, is exploited when the Spam Quarantine feature is enabled and exposed to the internet.
  • Attacks involve deploying AquaShell backdoors and other malware like AquaTunnel and Chisel.
  • Cisco recommends restricting access to vulnerable appliances, in particular not exposing the Spam Quarantine interface to the internet.
  • The campaign has been active since at least late November 2025, with attacks detected on December 10.
  • Cisco advises affected customers to contact their Technical Assistance Center for support.
Sources: Bleeping Computer (1 article)
💣 Exploits
CISA Alerts on Exploited CVE-2025-59374 in Asus Update Tool
CISA warns of exploitation of a critical flaw in the Asus Live Update tool, urging federal agencies to act.

Key points:

  • CVE-2025-59374 has a CVSS score of 9.3 and is linked to a supply chain compromise.
  • The vulnerability was part of the Operation ShadowHammer attack attributed to APT41.
  • Over 1 million users may have downloaded the compromised utility, but the backdoor only activated on roughly 600 specific machines selected by MAC address.
  • CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, urging immediate action.
  • Federal agencies have three weeks to identify and mitigate the risk associated with this flaw.
Sources: SecurityWeek (1 article)
