< ciso
brief />
Tag Banner

All news with #cisco tag

237 articles · page 4 of 12

Cisco issues critical Webex and ISE vulnerability fixes

⚠️ Administrators using Cisco Webex Services with SSO integrated via Control Hub must upload a new identity provider (IdP) SAML certificate to remediate a critical impersonation vulnerability (CVE-2026-20184). Cisco has patched the cloud-side service, but affected customers must perform the configuration change in Control Hub; there are no workarounds. Cisco also released critical fixes for ISE and ISE-PIC addressing remote code execution and path traversal flaws that require patching and credential hygiene.
read more →

Foxit Reader and LibRaw Vulnerabilities — Talos Advisory

🔒 Cisco Talos disclosed a use-after-free flaw in Foxit Reader (TALOS-2026-2365 / CVE-2026-3779) exploitable via malicious PDF JavaScript, and six vulnerabilities in LibRaw including heap-based buffer overflows and integer overflows across multiple CVEs. All issues were patched by vendors following Cisco’s disclosure policy. Administrators should apply vendor updates and deploy Snort rules from Talos to detect exploitation.
read more →

PowMix botnet targets Czech workers with randomized C2

🔒 Cisco Talos researchers disclosed a previously undocumented botnet named PowMix that has been active against workers in the Czech Republic since at least December 2025. The campaign uses malicious ZIP attachments containing a Windows LNK that launches a PowerShell loader to extract and run the malware in memory while opening decoy compliance-themed documents. PowMix establishes persistence via a scheduled task, verifies process trees to avoid duplicate instances, and uses randomized beaconing intervals and REST-like C2 URL paths that embed encrypted heartbeat data and unique victim identifiers to evade network detections. The bot supports remote code execution, dynamic C2 migration, and self-deletion commands.
read more →

Cisco patches critical Webex SSO flaw; action required

🔒 Cisco released updates addressing four critical vulnerabilities, including a fixed improper certificate validation bug in Webex Services SSO integration (CVE-2026-20184) that could enable user impersonation via crafted tokens. While Cisco patched the service-side defect, customers using SSO must upload a new SAML certificate for their IdP into Control Hub to avoid service interruptions. The company also fixed three critical ISE flaws that require administrative credentials to exploit.
read more →

Cisco Patches Critical Webex and Identity Services Flaws

🛡️ Cisco has released updates to address four critical vulnerabilities across Webex Services and Identity Services Engine (ISE) that could permit arbitrary code execution and user impersonation. A cloud-side SSO certificate validation flaw (CVE-2026-20184, CVSS 9.8) can allow unauthenticated impersonation, while three ISE input validation issues (CVE-2026-20147, CVE-2026-20180, CVE-2026-20186; CVSS 9.9) enable remote command or code execution when an attacker has appropriate credentials. Cisco provides specific patch levels and migration guidance and advises customers to apply updates or upload a new IdP SAML certificate to Control Hub where applicable.
read more →

State-Sponsored Threats: Shared Access Paths, Varied Goals

🔍 Talos' 2025 Year in Review documents state-sponsored activity from China, Russia, North Korea, and Iran, each pursuing different goals such as espionage, disruption, and financial gain. Despite varied motives, adversaries consistently exploit both newly disclosed and long-known vulnerabilities, and rely on identity-based access and stealthy persistence. Notable examples include rapid exploitation and web shells from China, geopolitically timed campaigns and common malware families from Russia, North Korean social-engineering and a $1.5B crypto theft, and Iran's mix of visible disruption and stealthy APT activity such as ShroudedSnooper. Defenders are urged to prioritise patching, identity security, network visibility, and hunts for long-term presence.
read more →

LucidRook Lua Malware Targets NGOs and Universities

🛡️ Cisco Talos has identified a new Lua-based backdoor called LucidRook used in October 2025 spear-phishing operations targeting NGOs and universities in Taiwan. Attackers delivered payloads via password-protected archives and deployed either an LNK shortcut chain that dropped a loader named LucidPawn or a fake antivirus EXE. LucidPawn sideloads a malicious DLL (DismCore.dll) and embeds a Lua interpreter to fetch obfuscated bytecode, enabling modular updates while reducing forensic visibility. Collected reconnaissance is RSA-encrypted and exfiltrated via FTP; a related tool, LucidKnight, was observed abusing Gmail GMTP for data exfiltration.
read more →

UAT-10362 Deploys Lua-Based LucidRook Against Taiwan NGOs

🔍 Cisco Talos attributes a previously undocumented cluster, UAT-10362, to targeted spear‑phishing against Taiwanese NGOs and suspected universities, deploying a new Lua‑based stager named LucidRook. The actor uses RAR/7‑Zip lures and a dropper called LucidPawn, relying on repeated DLL side‑loading to execute payloads. LucidRook embeds an Lua 5.4.8 interpreter and Rust libraries to fetch and run encrypted Lua bytecode, while some variants use a reconnaissance DLL, LucidKnight, to profile targets before staging further activity.
read more →

Operationalizing Cisco Talos Year in Review Findings

🔍 The Cisco Talos Year in Review synthesizes vast telemetry and Talos IR casework into practical intelligence for defenders. Incident responders should use the report to build realistic tabletop scenarios, validate detections, and stress-test IR plans focusing on dominant TTPs such as valid account abuse, credential dumping, and MFA bypasses. Map findings to MITRE ATT&CK and prioritize vulnerabilities and detections accordingly. It also highlights evolving phishing themes and nascent AI-enabled threats that should shape training and threat-hunting priorities.
read more →

Automated Credential Theft via React2Shell in Next.js

🔒 Cisco Talos reports attackers are exploiting React2Shell (CVE-2025-55182) in vulnerable Next.js applications to run an automated credential-harvesting campaign. The operation uses a framework called NEXUS Listener and deploys scripts into standard temporary directories to extract environment secrets, SSH keys, cloud tokens, API keys, and command histories. Researchers observed at least 766 hosts compromised across multiple cloud providers, with sensitive data exfiltrated in chunks to a C2 server over HTTP. Administrators should apply React2Shell patches, rotate exposed credentials immediately, enforce IMDSv2, enable secret scanning, and deploy WAF/RASP protections and least-privilege controls.
read more →

React2Shell exposure reveals large-scale credential theft

🔍 Researchers at Cisco Talos discovered that an apparent security lapse exposed the backend of a campaign exploiting the four-month-old React2Shell (CVE-2025-55182) Next.js flaw. A password-protected database and web application holding harvested credentials, tokens, SSH keys, and API secrets was briefly accessible, letting analysts view the attackers' dashboard. The automated campaign compromised hundreds of hosts in a single day and prompted notifications to affected providers while urging immediate patching.
read more →

Cisco fixes critical IMC auth bypass in many devices

🔒Cisco has released patches for a critical authentication bypass in its Integrated Management Controller (IMC), tracked as CVE-2026-20093. The flaw, caused by incorrect handling of password changes, can be exploited via specially crafted HTTP requests to gain unauthenticated admin access. Affected platforms include standalone UCS C-Series, UCS E-Series, Catalyst 8300, and 5000 Series systems. Administrators should apply updates and restrict IMC exposure immediately.
read more →

Cisco Patches Critical IMC and SSM Flaws (CVSS 9.8)

🔒 Cisco released patches for two critical vulnerabilities in its management software that carry a CVSS score of 9.8. CVE-2026-20093 in the Integrated Management Controller (IMC) allows an unauthenticated attacker to bypass authentication and change any user password via a crafted HTTP request. CVE-2026-20160 affects Smart Software Manager On‑Prem and can enable remote command execution as root due to an exposed internal service. Cisco provided fixed releases and urges customers to update immediately; there are no known in-the-wild exploits to date.
read more →

When Attackers Become Trusted Users: Identity Threats

🔐 In this episode of the Talos Threat Perspective, Hazel Burton examines how identity is being used to gain, extend, and maintain access inside environments. Drawing on the 2025 Talos Year in Review, the video outlines how attackers target identity systems and MFA workflows, establish persistent high-trust access, and use internal phishing to move laterally. It also explores risks from over-permissioned AI agents and identity-linked access, and how adversaries blend into normal user behaviour, complicating detection and containment.
read more →

Critical Cisco IMC auth bypass gives attackers Admin access

🔒 Cisco has released patches for a critical Integrated Management Controller (IMC) authentication bypass (CVE-2026-20093) that allows unauthenticated, remote attackers to gain Admin privileges by sending a crafted HTTP password-change request. The flaw affects CIMC on UCS C-Series and E-Series servers and permits altering any account password, including Admin. Cisco's PSIRT reports no known in-the-wild exploitation or public proof-of-concept yet and stresses there are no workarounds, so customers should upgrade to fixed software immediately.
read more →

Talos 2025 Year in Review: Identity, AI, and Speed

🔒 The Cisco Talos 2025 Year in Review, discussed by Christopher Marshall and Peter Bailey, highlights accelerating attacker speed and a shift toward identity as the primary battleground. The report shows rapid weaponization of new flaws alongside persistent exploitation of legacy, end-of-life infrastructure, and a sharp rise in fraudulent device registration. Defenders are urged to prioritize identity controls, visibility, lifecycle discipline, and secure AI governance to keep pace.
read more →

Cisco Source Code Stolen After Trivy Supply-Chain Breach

🔐 Cisco has confirmed a breach of its internal development environment after threat actors leveraged credentials stolen in the recent Trivy supply-chain compromise. Attackers used a malicious GitHub Action to harvest CI/CD credentials and clone more than 300 repositories, including source for AI-powered products and some customer code. Multiple AWS keys were also taken and used in limited unauthorized activity. Cisco has isolated affected systems, begun reimaging, and is rotating credentials while investigating ongoing fallout tied to related supply-chain attacks.
read more →

Talos: Critical Bugs Found in Canva, TP-Link, HikVision

🔒 Cisco Talos disclosed multiple vulnerabilities impacting Canva Affinity, TP-Link Archer AX53, and HikVision face recognition terminals. Researchers identified 19 EMF-related issues in Canva Affinity, including out-of-bounds reads and a type confusion that can lead to memory corruption and arbitrary code execution. TP-Link’s AX53 contains 10 vulnerabilities across tmpServer, tdpServer and SSH hostkey handling that range from buffer overflows to write-what-where flaws and credential exposure via MITM. A HikVision SADP XML parser stack-based buffer overflow can be triggered by a malicious network packet. All identified issues have been patched following coordinated disclosure; users should apply vendor updates and consider Snort rule coverage for detection.
read more →

Talos Year in Review: Identity, Vulnerabilities, and Trends

🔒 The Talos 2025 Year in Review synthesizes Cisco telemetry, incident response cases, and Talos research into a free, cross‑functional report highlighting identity-focused attacks, supply‑chain risks, and phishing trends. Key findings include React2Shell as the most targeted CVE, ToolShell ranking third, and Qilin as the dominant ransomware variant. The report warns that attackers increasingly compromise network infrastructure — especially ADCs and management platforms — to bypass MFA and escalate across environments, and recommends prioritizing patching and treating these devices as identity control points.
read more →

2025 Threat Trends: Talos and Splunk Double-Header

🔍 In this episode of Talos Takes, Amy is joined by William Largent (Cisco Talos) and Lou Stella (Splunk) for a double-header review of the newly released Cisco Talos 2025 Year in Review and the Splunk Top 50 Cybersecurity Threats. The conversation draws on Cisco telemetry, Talos original research, and Talos Incident Response engagements to move beyond headlines and identify actionable trends. Highlights include the professionalization of ransomware-as-a-service, the persistent exploitation of decade-old vulnerabilities, and practical guidance to help defenders prioritize mitigations and shrink their attack surface for the year ahead.
read more →