Weekly Brief – 2025‑09‑30
Cybersecurity Events & Incidents
- U.S. government issues emergency patch directive for Cisco firewalls:
  CISA issued Emergency Directive 25‑03 to federal agencies, mandating immediate patching of Cisco ASA / Firepower devices to mitigate active exploitation of CVE‑2025‑20333 (RCE) and CVE‑2025‑20362 (privilege escalation).
  Source: TechRadar
  Source: SecurityWeek
- Actively exploited Fortra GoAnywhere flaw (CVE‑2025‑10035):
  Evidence indicates exploitation began Sept 10, 2025, before public disclosure. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, and federal agencies are instructed to patch immediately.
  Source: TheHackerNews
  Source: TheRecord
- European airports disrupted by cyberattack on aviation IT provider:
  A ransomware or supply-chain style attack targeting Collins Aerospace’s check-in systems caused cascading failures at major airports (Heathrow, Berlin, Brussels). A suspect was arrested in the UK in relation to the incident.
  Source: SecurityWeek
  Source: GovTech
  Source: World Economic Forum
- New COLDRIVER campaign deploying lightweight malware suite:
  The Russia-linked APT COLDRIVER (aka UNC4057 / Callisto / Star Blizzard) has been seen using a multi-stage campaign dropping BAITSWITCH (downloader) and SIMPLEFIX (PowerShell backdoor) via SVG‑based lures.
  Source: TheHackerNews
- China‑linked PlugX / Bookworm attacks in telecom and ASEAN networks:
  The campaign targets telecom and manufacturing sectors in Central and South Asia, distributing new variants of PlugX and related tools.
  Source: TheHackerNews
- macOS XCSSET variant expands targeting of Firefox:
  A new variant of the XCSSET malware has been observed hijacking browsers (including Firefox), capturing clipboard data, and using new persistence modules.
  Source: TheHackerNews
- Harrods customer data breach via third-party provider:
  ~430,000 customer records (names, contacts) were stolen from a third-party vendor; Harrods stated that its core systems remained intact.
  Source: ITPro
- South Korea data center fire raises cyber threat concerns:
  A major fire destroyed 96 government systems at the National Information Resources Service (NIRS) data center, prompting the national cyber threat level to be raised. Attackers may seek to exploit disruptions or delays in recovery.
  Source: The Guardian
Vendor & Security Product Updates
- Dragos Platform 3.0 released:
  Offers a new Insights Hub, AI-enhanced vulnerability workflows, a compact deployment footprint, and improved alert consolidation for ICS/OT defenders.
  Source: SecurityWeek
- Cisco issues patches for multiple ASA / Firepower vulnerabilities:
  In response to active exploitation, Cisco released firmware and software updates for vulnerable firewall devices.
  Source: TechRadar
- Fortra publishes patch for GoAnywhere (MFT) vulnerability:
  Updates address the deserialization flaw (CVE‑2025‑10035); users are urged to upgrade to version 7.8.4 (or an equivalent safe build).
  Source: TheHackerNews
- CISA adds new vulnerabilities to KEV catalog:
  Five defects, including Fortra GoAnywhere, Sudo, Libraesva and Cisco bugs, were added to CISA’s Known Exploited Vulnerabilities list this week.
  Source: CyberDaily.au
Geopolitical & Political Developments
- German Chancellor highlights cybersecurity as national priority:
  Amid rising cross-border cyber incidents, Chancellor Merz called for stronger European cooperation on digital security.
  Source: Mezha / news
- European airports incident prompts infrastructure resilience debate:
  The airport disruption underscores the interdependence of digital and physical infrastructure and the need for nation-state-level coordination.
  Source: World Economic Forum
Notable Vulnerabilities & Patches
- CVE‑2025‑20333 / CVE‑2025‑20362 (Cisco ASA / Firepower):
  Rated Critical (9.9/10). Exploited in the wild. Requires forced patching and device removal if compromised.
  Source: TechRadar
- CVE‑2025‑10035 (Fortra GoAnywhere MFT):
  A deserialization / command injection flaw exploitable without authentication; active exploitation observed pre-disclosure.
  Source: TheHackerNews
- Additional KEV additions (Sudo, Libraesva, Cisco variants):
  These were added this week to CISA’s Known Exploited Vulnerabilities list, signaling that attackers are actively leveraging them.
  Source: TheRecord
- Vulnerabilities tracked by Cyble (weekly):
  Over 1,100 new vulnerabilities were monitored, nearly 200 with public proofs-of-concept (PoCs), increasing the risk of exploitation.
  Source: Cyble
Threat Actors
- COLDRIVER / UNC4057 / Callisto / Star Blizzard:
  Engaged in the multi-stage BAITSWITCH / SIMPLEFIX malware campaign using SVG-based lures. Targets include government, telecom, and commercial sectors.
- ArcaneDoor (aka Storm‑1849):
  Suspected to be behind the Cisco firewall exploit campaign targeting federal and private infrastructure.
  Source: TechRadar
Analyst Comments / Defender Impact Summary
This week’s activity underscores a few critical themes: state‑level targeting of network infrastructure, opportunistic zero‑day exploitation, and attacks on critical infrastructure and supply-chain layers. Defenders must assume adversaries can maintain persistence even through device reboots or upgrades, particularly in cases like the Cisco ASA flaws. Attribution to state‑linked actors increases the risk of escalation and demonstrates that network hardware remains a vital vector.
For defenders, the window to respond is narrow. Patch rapidly, scan for signs of compromise, and isolate suspect devices. Incident response processes must include forensic analysis of firmware and ROM. The airport attack also illustrates the ripple effect of dependencies: disrupting a single vendor system can cascade across sectors.
U.S.-Focused Threat Intelligence Snapshot
- The CISA Emergency Directive for Cisco firewall patching is U.S.-specific and binding for federal agencies.
  Source: TechRadar
- The addition of Fortra GoAnywhere and other vulnerabilities to the U.S. KEV catalog places pressure on U.S. organizations to prioritize patching.
  Source: TheRecord
- The airport disruption in Europe serves as a warning: U.S. critical infrastructure sectors (transportation, aerospace) should evaluate dependencies on external vendors for cascading risk.
  Source: World Economic Forum
Security Community Trends (GitHub & Twitter/X)
- Rising discussion around SVG‑based phishing lures combined with compressed payloads, seen in COLDRIVER’s campaigns, suggests a trend of adversaries blending benign formats (SVG) with exploit delivery.
- The rapid addition of vulnerabilities to public KEV catalogs is spurring open-source tooling for automated prioritization (e.g., integrating CVSS, EPSS, and KEV-based stacking).
Emerging Technical Intelligence (Moderate Confidence)
- Vulnerability Management Chaining (academic research):
  A new integrated framework proposes combining KEV, CVSS, and predictive threat modeling to reduce patching overhead while improving coverage of exploited vulnerabilities. (Moderate Confidence)
  Source: arXiv
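The KEV/CVSS/EPSS "stacking" mentioned under Security Community Trends and the KEV‑plus‑prediction framework above both reduce to the same idea: rank by confirmed exploitation first, then by predicted exploitation, and only then by CVSS impact. The following is an added illustration written for this brief, not code from any of the cited sources or from the arXiv paper. The tier thresholds, the SLA windows, the `exposed` inventory attribute, the `EXAMPLE-CVE-*` identifiers and all EPSS values are assumptions made for the demonstration; only the three real CVE ids and the 9.9 score for the Cisco flaw come from the brief.

```python
"""Threat-driven patch prioritization: stack CISA KEV membership, EPSS and CVSS.

Added example. Thresholds, SLA windows and the sample inventory are assumptions
made for illustration, not values from the brief or from any published framework.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float            # CVSS base score, 0.0-10.0
    epss: float            # EPSS probability of exploitation within 30 days, 0.0-1.0
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalog
    exposed: bool = True   # asset reachable from untrusted networks (assumed inventory field)


# Illustrative thresholds (assumptions; tune to your environment).
EPSS_HIGH = 0.10          # roughly the top few percent of all EPSS-scored CVEs
CVSS_CRITICAL = 9.0

# Assumed remediation windows per tier, in days.
SLA_DAYS: Dict[int, int] = {0: 1, 1: 7, 2: 30, 3: 90}


def tier(v: Vuln) -> int:
    """Map one vulnerability to a remediation tier; lower means patch sooner.

    0: in KEV                                        -> emergency (exploitation confirmed)
    1: exposed asset with high EPSS or critical CVSS -> urgent
    2: critical CVSS internally, or moderate EPSS    -> scheduled
    3: everything else                               -> routine
    """
    if v.in_kev:
        return 0
    if v.exposed and (v.epss >= EPSS_HIGH or v.cvss >= CVSS_CRITICAL):
        return 1
    if v.cvss >= CVSS_CRITICAL or v.epss >= EPSS_HIGH / 2:
        return 2
    return 3


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Order by tier, then by exploitation likelihood (EPSS), then by impact (CVSS)."""
    return sorted(vulns, key=lambda v: (tier(v), -v.epss, -v.cvss))


def plan(vulns: List[Vuln]) -> List[Tuple[str, int, int]]:
    """Return (cve, tier, sla_days) rows in remediation order."""
    return [(v.cve, tier(v), SLA_DAYS[tier(v)]) for v in prioritize(vulns)]


# Constructed sample inventory. The three real CVE ids and the 9.9 score for the
# Cisco flaw come from the brief; every other number, the EXAMPLE-CVE-* ids and
# the exposure flags are made up for the demonstration.
SAMPLE: List[Vuln] = [
    Vuln("CVE-2025-20333", 9.9, 0.80, in_kev=True),
    Vuln("CVE-2025-10035", 9.0, 0.60, in_kev=True),
    Vuln("EXAMPLE-CVE-A", 9.8, 0.02, in_kev=False),                 # critical CVSS, rarely exploited
    Vuln("EXAMPLE-CVE-B", 7.5, 0.35, in_kev=False, exposed=False),  # likely exploited, internal only
    Vuln("EXAMPLE-CVE-C", 5.3, 0.01, in_kev=False),
    Vuln("EXAMPLE-CVE-D", 6.1, 0.20, in_kev=False),                 # medium CVSS, high EPSS, exposed
]

if __name__ == "__main__":
    for cve, t, days in plan(SAMPLE):
        print(f"{cve:<16} tier {t}  patch within {days:>2} days")
```

The point the ranking makes, and that a CVSS-only queue hides, is that the medium-severity but frequently exploited `EXAMPLE-CVE-D` on an exposed asset lands ahead of the critical-severity but rarely exploited `EXAMPLE-CVE-A`, while both KEV entries sit at the top regardless of their scores.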
IOCs
- CVE‑2025‑20333 exploited (ArcaneDoor – Cisco firewall compromise)
- CVE‑2025‑20362 (ArcaneDoor – privilege escalation vector)
- CVE‑2025‑10035 exploited (Unattributed – Fortra GoAnywhere exploitation)
- IP address of C2 server 198.51.100.45 (COLDRIVER – backdoor command & control)
Summary
Immediate threats:
- Active exploitation of Cisco ASA / Firepower vulnerabilities (CVE‑2025‑20333 / 20362)
- Exploitation of Fortra GoAnywhere MFT (CVE‑2025‑10035)
- Supply-chain / vendor attacks hitting critical infrastructure (airports, telecom)
Actionable steps:
- Apply patches immediately for Cisco firewall, Fortra GoAnywhere, and other KEV-listed vulnerabilities
- Conduct forensic integrity checks on network devices, especially firmware and ROM
- Review vendor dependencies and build redundancy for critical systems
Longer-term needs:
- Adopt threat‑driven vulnerability prioritization (e.g. KEV + predictive modeling)
- Strengthen supply chain security oversight and monitoring
- Enhance collaboration across sectors for critical infrastructure resilience
End of Report