All news with #cisco tag

Cisco IOS/IOS XE SNMP Stack Overflow — Patch Immediately

⚠️ Cisco has warned of a stack overflow vulnerability in the SNMP subsystem of IOS and IOS XE software identified as CVE-2025-20352. A low-privileged authenticated attacker can send a crafted SNMP packet to cause a system reload and a denial-of-service, while a high-privileged actor could achieve root-level arbitrary code execution. Administrators are urged to apply vendor patches immediately and restrict SNMP access until systems are updated.

Urgent Cisco ASA Zero-Day Duo Under Active Attack Now

⚠️ Cisco is urging customers to immediately patch two zero-day vulnerabilities affecting the VPN web server in Cisco Secure Firewall Adaptive Security Appliance (ASA) and FTD software after observing exploitation in the wild. CVE-2025-20333 (CVSS 9.9) allows an authenticated VPN user to execute arbitrary code as root; CVE-2025-20362 (CVSS 6.5) permits unauthenticated access to restricted URL endpoints. CISA has issued Emergency Directive ED 25-03, added both flaws to the Known Exploited Vulnerabilities catalog with a 24-hour mitigation requirement, and warned of a widespread campaign linked to the ArcaneDoor/UAT4356 cluster that can modify ASA ROM to persist.

CISA Orders Agencies to Patch Cisco ASA/FTD Zero-Days

🔔 CISA has issued Emergency Directive 25-03 requiring Federal Civilian Executive Branch agencies to remediate two actively exploited Cisco vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in ASA and FTD devices. Agencies must inventory appliances, collect forensics, disconnect compromised and end-of-support devices, and apply patches by the stated deadlines. Cisco links the exploitation to the ArcaneDoor campaign, which leverages ROMMON manipulation and in-memory backdoors to maintain persistence.

Cisco warns of ASA firewall zero-days under attack

⚠️ Cisco has warned customers of two actively exploited zero-day vulnerabilities affecting Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software. CVE-2025-20333 enables authenticated attackers to execute arbitrary code remotely, while CVE-2025-20362 allows remote access to restricted URL endpoints without authentication. Cisco's PSIRT reported attempted exploitation and strongly recommends upgrading to fixed software releases.

CISA Directs Agencies to Mitigate Cisco Device Risks

🚨 CISA issued Emergency Directive ED 25-03 directing federal agencies to identify, analyze, and mitigate potential compromises of Cisco ASA and Cisco Firepower devices after adding CVE-2025-20333 and CVE-2025-20362 to the Known Exploited Vulnerabilities Catalog. Agencies must inventory all devices (all versions) and collect memory/core dump files for forensic analysis, transmitting them to CISA by 11:59 p.m. EST on Sept. 26. CISA published supplemental guidance, an Eviction Strategies Tool template, and referenced Cisco and UK NCSC analyses to support containment, eviction, and remediation.

CISA Orders Federal Agencies to Mitigate Cisco ASA Zero-Day

🛡️ CISA issued Emergency Directive 25-03 directing federal civilian agencies to identify and mitigate exploitation of a zero-day affecting Cisco Adaptive Security Appliances (ASA). Agencies must inventory in-scope devices, collect forensic data, and assess compromises using CISA-provided procedures and tools. End-of-support devices must be disconnected and remaining appliances upgraded by 11:59 PM EST on September 26, 2025; CISA will monitor compliance and provide assistance.

Cisco: Actively Exploited SNMP Flaw Risks RCE or DoS

🔒 Cisco has issued an urgent advisory about a high-severity SNMP vulnerability (CVE-2025-20352, CVSS 7.7) in IOS and IOS XE Software that has been exploited in the wild. The flaw is a stack overflow in the SNMP subsystem that can allow an authenticated remote attacker to cause a denial-of-service or, with higher privileges, execute arbitrary code as root. Exploitation requires SNMP community strings or valid SNMPv3 credentials and, for code execution, administrative (privilege 15) access. Cisco called out affected devices including Meraki MS390 and Catalyst 9300 series running Meraki CS 17 and earlier, and issued a fix in IOS XE 17.15.4a. There are no full workarounds; administrators should restrict SNMP access, monitor with "show snmp host", and consider excluding affected OIDs where supported.

Cisco warns of IOS and IOS XE SNMP zero-day attacks

🛡️ Cisco released security updates addressing a high-severity zero-day, tracked as CVE-2025-20352, in IOS and IOS XE. The flaw is a stack-based buffer overflow in the SNMP subsystem that allows authenticated remote attackers with low privileges to trigger DoS, and high-privileged actors to execute code as root on affected devices. Cisco reports exploitation in the wild after Administrator credentials were compromised and urges customers to upgrade; as a temporary mitigation it recommends limiting SNMP access to trusted users.

What Happens When You Engage Talos Incident Response

🔐 Cisco Talos Incident Response (Talos IR) provides rapid, 24/7 crisis support and proactive services to contain, investigate, and remediate cybersecurity incidents. Talos combines deep threat intelligence, digital forensics, and a vendor-agnostic approach to work with existing tools and environments. Engagements follow a structured IR lifecycle—Preparation, Identification, Containment, Eradication, Recovery, and Lessons learned—to minimize disruption and build long-term resilience.

IR Playbooks and Mental Health After Major Incidents

🛡️ Joe Marshall uses the VPN Filter investigation to illuminate the often-hidden personal cost of incident response. He recounts months of high-pressure analysis into a modular SOHO botnet attributed to APT28 that featured persistence and a potentially destructive kill switch, and describes how prolonged stress produced burnout, fractured relationships, and career impact. Marshall offers four practical mitigations — boundaries, peer support, unplugged self-care, and mandatory decompression — and underscores how a Cisco Talos Incident Response (IR) Retainer can ensure organizations respond decisively while protecting staff wellbeing.

Alex Ryan: From Zero Chill to Quiet Confidence at Talos

🔒 In this Humans of Talos interview, Alex Ryan, an Incident Commander with Cisco Talos Incident Response, reflects on her unconventional path from liberal arts degrees to a career in cybersecurity and threat intelligence. She describes the technical and emotional realities of incident response—triaging IOCs, conducting forensic analysis, and quickly building customer trust—while managing high stress and business risk. Ryan also discusses recovering from burnout after parenthood, learning to set boundaries, and how a supportive team helps sustain long-term performance.

Where CISOs Should See Splunk Go Next: AI & Resilience

🔍 At .Conf in Boston, Splunk and parent company Cisco positioned machine data as central to next‑generation AI incident response, arguing telemetry represents roughly 55% of global data growth. They stressed tighter integration of security and observability, a federated data model with new support for Snowflake, and standards work such as OpenTelemetry and the Open Cybersecurity Framework (OCSF). Splunk also previewed enhanced security operations capabilities — a premier Enterprise Security bundle, Detection Studio, and agentic AI features — while acknowledging customer concerns about costs, legacy positioning, and support.

Why a Cisco Talos Incident Response Retainer Matters

🔒 A Cisco Talos Incident Response (IR) Retainer provides organizations with prioritized access to Talos' global threat intelligence and incident response specialists, combining proactive preparedness with rapid 24/7 mobilization. The retainer includes tailored IR plans, playbooks, readiness assessments, and tabletop exercises, plus proactive threat hunting using the PEAK Framework. Clients receive vendor-agnostic integration guidance, optional Cisco technology deployment, coordinated legal and PR support, and detailed post-incident reviews to reduce downtime and reputational harm.

Inside Black Hat's NOC: Zero-Hour Security Operations

🛡️ At Black Hat, Palo Alto Networks' NOC operates a zero-hour defense model that protects critical infrastructure while enabling controlled exploit training. Engineers from Cortex and Unit 42 collaborate with partners like Corelight to develop rapid detections, deploy contextual rules on PA-5430 firewalls, and automate responses via Cortex XSIAM. The environment balances visibility, segmentation and automated enforcement to stop external threats without disrupting sanctioned exercises.

Surge in Network Scans Targets Cisco ASA Devices Worldwide

🔎 Security researchers observed a large surge in network scans probing Cisco ASA login portals and Cisco IOS Telnet/SSH endpoints, with GreyNoise recording two major spikes in late August 2025. The second wave on August 26, 2025, was largely (about 80%) driven by a Brazilian botnet using roughly 17,000 IPs and overlapping Chrome-like user agents that suggest a common origin. Administrators are urged to apply the latest patches, enforce MFA for remote ASA logins, avoid exposing management pages and services directly, and use VPN concentrators, reverse proxies, geo-blocking, and rate limiting to reduce risk.

Remote Access Abuse Signals Major Pre-Ransomware Risk

🔒 Cisco Talos finds abuses of remote access software and services are the most common pre-ransomware indicator, with threat actors leveraging legitimate tools such as RDP, PsExec, PowerShell and remote-support apps like AnyDesk and Microsoft Quick Assist. The report highlights credential dumping (for example, Mimikatz) and network discovery as other frequent TTPs. It recommends rapid response, MFA, application allowlisting and enhanced endpoint monitoring to limit ransomware execution.

From Summer Camp to Grind Season — Threat Source Recap

📰 This week’s Threat Source newsletter highlights three significant vulnerabilities Talos researchers uncovered and helped remediate: a Dell firmware persistence flaw (Revault), an Office for macOS permissions bypass, and router compromises that blend malicious traffic with legitimate ISP flows. The author, William Largent, also emphasizes mental health and recommends a paper on AI behavioral pathologies to help anticipate malicious or errant AI-driven activity. Top headlines include a 4.4M-record TransUnion breach, a Salesloft Drift AI token compromise, a Passwordstate high-severity fix, an Azure AD credential leak, and a WhatsApp zero-day. Watch the Talos Threat Perspective episode and read the Dell write-up for mitigation guidance.

U.S. Offers $10M Reward for Info on FSB Cyber Hackers

🛡️ The U.S. Department of State is offering up to $10 million for information on three Russian FSB officers accused of carrying out cyberattacks against U.S. critical infrastructure. The named individuals — Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov — are tied to the FSB's Center 16, tracked under aliases such as Berserk Bear and Dragonfly. Charged in March 2022, the officers are alleged to have run intrusions from 2012–2017 targeting government agencies and energy firms, and recent activity shows exploitation of CVE-2018-0171 in end-of-life Cisco devices. The State Department directs tips to its Rewards for Justice Tor channel; eligible informants could receive rewards and relocation assistance.

Salt Typhoon APT Expands to Netherlands, Targets Routers

🔒 Salt Typhoon, a persistent Chinese-aligned threat actor, has expanded operations into the Netherlands by compromising routers at smaller ISPs and hosting providers. Intelligence agencies report the group exploits known flaws in Ivanti, Palo Alto Networks, and Cisco devices to obtain long-term access and pivot through trusted provider links. Authorities urge organizations to audit configurations, disable management access, enforce public-key administrative authentication, remove default credentials, and keep vendor-recommended OS versions up to date to reduce exposure.

Joint Advisory Reveals Salt Typhoon APT Techniques Worldwide

🔍 Salt Typhoon, a Chinese state-aligned APT also tracked as Operator Panda/RedMike, is the subject of a joint advisory from intelligence and cybersecurity agencies across 13 countries. The report links the group to Chinese entities tied to the PLA and MSS and documents repeated exploitation of n-day flaws in network edge devices from vendors such as Ivanti, Palo Alto Networks and Cisco. It details persistence via ACL modifications, tunneled proxies, credential capture via RADIUS/TACACS+, and exfiltration over peering and BGP, and urges telecoms to hunt for intrusions, patch quickly and harden management interfaces.