< ciso
brief />
Tag Banner

All news with #cisco tag

237 articles · page 7 of 12

China-linked DKnife AitM Framework Targets Routers

🔒 Cisco Talos researchers disclosed DKnife, a modular Linux-based adversary-in-the-middle (AitM) framework used by China-linked actors since at least 2019. The toolkit deploys seven router-focused implants to perform deep packet inspection, TLS termination, DNS and update hijacking, credential harvesting, and malware delivery via intercepted APKs and binary replacement. Operators used DKnife to push ShadowPad and DarkNimbus variants and to target Chinese-language services and app updates through compromised routers and edge devices.
read more →

Clawdbot and DKnife: Security Risks from Rapid AI Adoption

🚨 As AI agent frameworks surge, Talos warns of two immediate threats: Clawdbot — a popular open-source agentic tool (aka Moltbot/OpenClaw) that requires users to store credentials and API keys locally and can accept unvetted Skills granted broad system privileges. DKnife, active since at least 2019, is a modular Linux attack framework that compromises routers and edge devices to intercept traffic, hijack updates, and deliver malware while evading many endpoint defenses. The newsletter urges skepticism toward rushed AI tools and recommends hardening gateways, auditing firmware, enforcing strong authentication, and monitoring for suspicious update behaviors.
read more →

Threat Source: Resilience, trends, and hard truths

📰 Hazel Burton opens this Threat Source newsletter by acknowledging how difficult it can be to stay engaged with the news and suggests small, human respites—like the U.K. show Taskmaster—to remind readers creativity and levity persist under pressure. On the technical side, Cisco Talos Incident Response’s Q4 2025 report shows exploitation of public-facing applications remains the leading initial access vector (down from 62% to ~40%), while phishing and credential harvesting rose and ransomware incidents fell to 13% with Qilin still common. The newsletter urges rapid patching, correct MFA configuration and monitoring, and comprehensive logging to detect suspicious activity.
read more →

UAT-8099 Targets IIS in Asia with Region-Specific BadIIS

🔍 Cisco Talos has identified a UAT-8099 campaign active from August 2025 through early 2026 that targets vulnerable IIS servers across Asia, concentrating on victims in Thailand and Vietnam. The actor uses web shells, PowerShell, and the GotoHTTP remote-control tool to maintain access and deploy region-customized BadIIS variants that hardcode country codes and inject SEO-fraud content. New persistence mechanisms, hidden accounts, and log-wiping utilities support long-term stealth and evasion.
read more →

Q4 2025 Talos IR: Public-Facing Exploits and Phishing

🔒 Talos Incident Response (Talos IR) reports that in Q4 2025 threat actors again favored exploitation of public-facing applications, appearing in nearly 40% of engagements, while phishing rose to the second-most common initial access vector. Notable exploit activity targeted Oracle E-Business Suite (CVE-2025-61882) and React2Shell (CVE-2025-55182), and attackers rapidly weaponized these flaws close to disclosure. Talos also observed deployment of APT-linked implants such as BadCandy and AquaShell, plus campaigns that targeted Native American tribal organizations for credential harvesting. The report emphasizes timely patching, strong MFA controls, centralized logging, and rapid incident response to limit impact.
read more →

Reconnaissance Risks and Recent Vulnerability Disclosures

🔍 Cisco Talos stresses the simple but essential advice: know your environment, and pay attention to reconnaissance rather than dismissing it as noise. Researchers disclosed patched vulnerabilities in Foxit PDF Editor, Epic Games Store, and MedDream PACS, including privilege escalation, use‑after‑free, and XSS that could enable code execution or unauthorized access. The newsletter also covers active phishing and ransomware activity and provides telemetry on prevalent malware. Organizations should patch affected products, enhance detection for recon patterns, and apply layered defenses.
read more →

Talos Disclosures: Foxit, Epic Games, and MedDream Flaws

🔒 Cisco Talos disclosed multiple vulnerabilities affecting Foxit PDF Editor, the Epic Games Store installer, and MedDream PACS. The issues include installer privilege escalation, two use‑after‑free flaws in Foxit that can be triggered by crafted PDF JavaScript, and 21 reflected XSS vulnerabilities in MedDream. Vendors have issued patches under Cisco’s disclosure policy. Administrators should apply vendor updates and consider IDS/IPS signatures such as Snort to detect attempted exploitation.
read more →

Actively Exploited Cisco UC RCE Flaw Requires Patching

⚠️ Cisco has released patches for a critical remote code execution vulnerability, CVE-2026-20045, affecting Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The flaw allows unauthenticated remote attackers to gain user access via crafted HTTP requests and then escalate privileges to root without user interaction. No workarounds exist; fixes are version-specific and organizations should apply the matching patch or migrate unsupported 12.5 systems.
read more →

Cisco Fixes Actively Exploited Zero-Day in Unified CM, Webex

🔒 Cisco released patches for a critical, actively exploited vulnerability tracked as CVE-2026-20045 that affects multiple Unified Communications products and Webex Calling Dedicated Instance. The flaw (CVSS 8.2) allows unauthenticated remote attackers to execute arbitrary commands via crafted HTTP requests against the web-based management interface. Cisco urged customers to upgrade to fixed releases or apply published patch files; there are no workarounds. The U.S. CISA has added the issue to its KEV catalog with a remediation deadline of February 11, 2026.
read more →

Cisco fixes critical Unified Communications RCE zero-day

🔒 Cisco released patches to address a critical remote code execution vulnerability, CVE-2026-20045, actively exploited against Unified Communications Manager, Unity Connection, and Webex Calling Dedicated Instance. The flaw stems from improper validation of user-supplied input in HTTP requests to the web management interface and can allow an attacker to gain user access and escalate to root. Administrators should apply the version-specific updates or provided .cop patch files immediately, as Cisco reports no available workarounds.
read more →

CISA Adds Cisco Code Injection CVE to KEV Catalog (Jan 2026)

🔔 CISA has added CVE-2026-20045, a code injection vulnerability affecting Cisco Unified Communications products, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The agency warns that code injection is a frequent attack vector and poses significant risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate KEV items by the required deadlines. CISA strongly urges all organizations to prioritize timely remediation as part of vulnerability management.
read more →

From Arts Degree to Cybersecurity: Rona Spiegel's Path

🔐 Rona Michele Spiegel transitioned from an arts and multimedia background into cybersecurity by blending early human-computer interface work with formal study and hands-on industry experience. She helped establish a user experience practice at Deloitte, worked in technology governance at Cisco, earned a Master of Information and Cybersecurity, and later focused on cloud controls at Wells Fargo before joining Autodesk to lead security and trust for mergers and acquisitions. Spiegel emphasizes careful risk assessment in M&A—especially when absorbing small, resource-constrained companies—while navigating AI-driven complexity, addressing hiring and entry-level gaps, and preventing burnout through inclusive leadership and mentoring.
read more →

Cisco patches critical zero-day in email gateway products

⚠️ Cisco has released patches for a critical zero-day, CVE-2025-20393, in AsyncOS that affects Secure Email Gateway (SEG) and Secure Email and Web Manager (SEWM) appliances. The flaw allows a remote attacker to gain root by sending a crafted HTTP request to the Spam Quarantine interface when it is enabled and reachable from the internet. Cisco first learned of exploitation in December, issued a public advisory on Dec. 17, and has now published fixes to address the issue.
read more →

Cisco Patches AsyncOS Zero-Day Targeting SEG/SEWM Appliances

🔒 Cisco has released a fix for a maximum‑severity AsyncOS zero‑day (CVE-2025-20393) that has been exploited since November 2025. The flaw impacts Cisco Secure Email Gateway and Secure Email and Web Manager appliances with non-standard configurations when the Spam Quarantine feature is exposed to the internet, permitting arbitrary command execution as root. Cisco Talos links the intrusions to a Chinese-nexus actor tracked as UAT-9686, which deployed persistence and tunneling implants and a log-wiping utility. CISA has added the vulnerability to its known exploited vulnerabilities catalog and ordered federal remediation under BOD 22-01.
read more →

Cisco patches critical AsyncOS RCE exploited by APT

🔒 Cisco has released patches for a maximum-severity remote command execution vulnerability (CVE-2025-20393, CVSS 10.0) in AsyncOS that affects Cisco Secure Email Gateway and Secure Email and Web Manager. The defect stems from insufficient validation of HTTP requests in the Spam Quarantine feature and can allow arbitrary commands to run as root when the feature is enabled and reachable from the internet. Cisco says a China-nexus APT tracked as UAT-9686 exploited the bug in the wild, deploying tunneling tools, a log-cleaner and a Python backdoor, and that fixes remove persistence artifacts. Administrators should apply the provided fixed releases and follow the vendor's hardening guidance to restrict access and monitor for anomalous activity.
read more →

Predicting 2026: Cyber Threats, AI Risks, and APTs

🔮 Cisco Talos outlines expectations for cybersecurity in 2026, warning of continued geopolitical-driven campaigns such as infostealers, phishing, and proxy-enabled destructive operations. The briefing highlights the growing risk posed by inadequately governed generative AI agents that could cause breaches or mimic insider threats through flawed design or prompt manipulation. Talos also emphasizes that familiar weaknesses — unpatched systems, leaked credentials, and absent MFA — will remain primary enablers of intrusion. The advisory specifically flags UAT-8837, a medium-confidence China-nexus APT targeting critical infrastructure since 2025, and urges patching, credential hygiene, and proactive hunting.
read more →

Incident Response Perspectives with Terryn Valikodath

🔍 Terryn Valikodath, Senior Incident Response Consultant at Cisco Talos, describes a role that blends technical investigation with clear communication and proactive planning. He explains how his team balances developing incident response plans, running tabletop exercises and threat hunts with hands-on reactive investigations and remediation. Terryn highlights the reward of teaching through multi-day cyber range trainings and the satisfaction of helping organizations recover and build trust.
read more →

CISOs Name Top 10 Vendors for AI-Enabled Security in 2025

🔒 The CSO 2025 Security Priorities Study asked more than 640 senior security executives to rank leaders in AI-enabled security, and established, name-brand vendors dominated the results. CISOs prioritized product innovation but heavily weighed reputation, breach history, business value, cost, time to integrate, and peer adoption. The top-ranked providers included Cisco, Microsoft, and Google, while MSSPs and cloud-native service providers also gained visibility as teams seek managed incident response.
read more →

Cisco ISE XML Parsing Flaw Risks Sensitive Data Exposure

🔒 Cisco has disclosed a vulnerability (CVE-2026-20029) in Cisco ISE and ISE-PIC that could allow an authenticated administrator to read arbitrary files on the server due to improper XML parsing. Proof-of-concept exploit code exists though no active attacks are reported. Cisco assigns CVSS 4.9 (medium). Administrators should rotate credentials, limit who and what can reach ISE, and install the vendor patch as soon as service downtime allows.
read more →

China-linked UAT-7290 Targets Telcos via Edge Exploits

🛡️ Cisco Talos warns that a China-linked actor tracked as UAT-7290 has expanded its focus to telecommunications providers in Southeastern Europe. The group leverages Linux-based malware and one-day public exploits against edge network devices, plus targeted SSH brute force, to gain initial access and escalate privileges. UAT-7290 also establishes Operational Relay Boxes (ORBs) that are reused by other China-aligned actors. Talos published technical details and IOCs to help affected organizations respond.
read more →