< ciso
brief />
Tag Banner

All news with #cisco tag

237 articles · page 8 of 12

Cisco switches enter reboot loops due to DNS client bug

⚠️ Multiple Cisco switch models are entering reboot loops after an apparent firmware bug in the internal DNS client began treating DNS lookup failures as fatal errors. The problem began around 2 AM and affected devices log fatal DNS_CLIENT errors (for example 'SRCADDRFAIL' when resolving 'www.cisco.com'), then reboot every few minutes, seriously disrupting network operations. Administrators report affected lines include CBS, SG and Catalyst C1200/C1300 series. Temporary mitigations include disabling DNS or SNTP on management interfaces or blocking outbound management access while Cisco investigates.
read more →

From Resolutions to Response: UAT-7290 APT Disclosure

🔒 Cisco Talos' Threat Source newsletter contrasts personal resolution habits with practical security practices and highlights an important APT disclosure. The post details a new Talos finding on UAT-7290, an espionage-focused actor active since at least 2022 that targets South Asian telecom and network infrastructure using implants named RushDrop, DriveSwitch, and SilentRaid. It urges defenders to apply updated detection signatures, audit and harden internet-facing devices, and ensure incident response plans are ready, while also summarizing notable weekly headlines and telemetry.
read more →

China-linked UAT-7290 Targets South Asian Telecoms

📡 Cisco Talos attributes a long-running cyber-espionage campaign to UAT-7290, a China-nexus actor targeting telecommunications providers since at least 2022. The group prioritizes public-facing edge devices in South Asia and has recently expanded activity into Southeastern Europe, using one-day exploits and SSH brute-force to gain persistent footholds. Its Linux-focused toolkit includes RushDrop, DriveSwitch and the modular backdoor SilentRaid, while Bulbature is used to convert compromised systems into relay nodes that can support other China-linked operators.
read more →

China-linked UAT-7290 Targets Telecoms, Deploys ORBs

🔍 Cisco Talos attributes a China-nexus cluster named UAT-7290 to espionage-focused intrusions against South Asian and Southeastern European organizations. The actor conducts detailed reconnaissance and exploits one-day vulnerabilities and SSH brute force to compromise edge devices, primarily targeting telecommunications providers. UAT-7290 deploys Linux-based tooling including RushDrop, DriveSwitch, and SilentRaid, and uses the Bulbature backdoor to establish Operational Relay Box (ORB) nodes for broader access.
read more →

UAT-7290: China-Nexus APT Targeting Telecom Edge Devices

🔍 Cisco Talos discloses UAT-7290, a China‑nexus APT active since at least 2022 that targets telecommunications infrastructure in South Asia and has recently expanded into Southeastern Europe. The actor conducts extensive reconnaissance, uses one‑day exploits and target-specific SSH brute force, and primarily deploys a Linux-centric toolset including RushDrop, DriveSwitch, SilentRaid, and Bulbature. Talos notes UAT-7290 also provisions Operational Relay Box (ORB) nodes that may support other China-nexus operators and provides ClamAV and Snort signatures for detection.
read more →

Cisco patches XML parsing flaw in ISE and Snort 3 software

🔒 Cisco has issued updates to address a medium-severity XML parsing vulnerability (CVE-2026-20029, CVSS 4.9) in Identity Services Engine (ISE) and ISE Passive Identity Connector. The flaw in the licensing feature allows an authenticated administrator to upload a crafted file and read arbitrary files from the underlying operating system. Cisco lists specific fixed releases and patches (pre-3.2 must migrate; 3.2/3.3/3.4 have patches; 3.5 not vulnerable), reports no workaround, and acknowledges a public PoC while noting no known in-the-wild exploitation. The advisory also includes fixes for two Snort 3 DCE/RPC issues affecting multiple Cisco products.
read more →

Cisco patches ISE flaw after PoC exploit released; update

🔒 Cisco has released patches for an Identity Services Engine (ISE) XML-parsing vulnerability tracked as CVE-2026-20029 that can be abused by remote attackers with valid administrative credentials. The flaw in ISE and ISE Passive Identity Connector allows a crafted XML upload to read arbitrary files on the host. Cisco notes a public proof-of-concept is available and urges customers to upgrade to patched releases rather than rely on temporary mitigations.
read more →

UK launches £210M plan to strengthen public cyberdefenses

🔒 The UK is investing more than £210 million to boost cyber defenses across government departments and the wider public sector through a new Government Cyber Action Plan. The initiative creates a dedicated Government Cyber Unit, mandates minimum security standards, and strengthens incident response capabilities. A new Software Security Ambassador Scheme will promote best practices with firms including Cisco, Palo Alto Networks, Sage, NCC Group, and Santander. The plan builds on the Cyber Security and Resilience Bill and earlier measures to curb ransom payments and telecom spoofing.
read more →

How Cisco Talos Powers Security Across Cisco Products

🔐 Cisco Talos is the threat intelligence and security research arm that underpins Cisco's defensive products. Its telemetry-driven intelligence feeds reputation and detection services across the portfolio, including SNORT and SnortML for deep packet inspection and zero-day detection. Talos also powers web and DNS filtering, email threat prevention, layered malware protection, and investigative tooling such as Orbital and Talos IR.
read more →

SASE Certifications: Validating Converged Network Security

🔐 This article outlines seven certification programs from leading vendors that validate skills in converged, cloud-native Secure Access Service Edge (SASE) architectures. It summarizes entry to professional-level credentials from Cato Networks, Cisco, Fortinet, Netskope, Palo Alto Networks, Versa, and Zscaler, highlighting target audiences, exam formats, costs, and key competencies such as SD‑WAN, ZTNA, CASB and FWaaS. The piece also notes Gartner’s market projection and emphasizes that these credentials address a widening skills gap as enterprises migrate from perimeter-based defenses.
read more →

Weekly Recap - Firewall Exploits, AI Data Theft and More

⚡ Over the past week attackers exploited flaws in edge and network products from Fortinet, SonicWall, Cisco, and WatchGuard, targeting firewalls and appliances to gain deeper access. Browser extensions and Android TVs were abused for data theft and botnet recruitment. Campaigns by groups such as Ink Dragon, Kimsuky, and LongNosedGoblin deployed implants and innovative delivery chains, highlighting the urgent need for rapid patching, inventory verification, and tighter controls on trusted systems.
read more →

Credential-based attacks target Cisco and Palo Alto VPNs

🔒 Security researchers observed a coordinated credential-stuffing campaign targeting Cisco SSL VPN and Palo Alto Networks GlobalProtect portals over a two-day span in mid-December. GreyNoise reported millions of automated login sessions from more than 10,000 unique IPs, using a consistent TCP fingerprint and a Firefox-like user agent. The activity did not exploit software flaws but instead relied on large-scale username/password probes. Analysts urged enforcing strong passwords and MFA, auditing exposed edge devices, and leveraging threat-intel blocklists to filter malicious traffic.
read more →

Cisco Confirms Zero-Day in Secure Email Appliances

⚠️ Cisco Talos has identified an active campaign exploiting a zero-day in AsyncOS, impacting Cisco Secure Email Gateway, Cisco Secure Email and Web Manager. The flaw targets systems with the spam quarantine feature enabled and has been active since at least late November; a vendor patch is not yet available. Cisco currently recommends wiping and rebuilding compromised devices, and analysts urge restricting access to management ports and deploying compensating controls while organizations plan remediation.
read more →

Large Password-Spraying Campaign Targets Cisco, PAN VPNs

🔐 An automated password-spraying campaign is targeting multiple VPN platforms, with credential-based attacks observed against Palo Alto Networks GlobalProtect portals and Cisco SSL VPN gateways. GreyNoise recorded login attempts peaking at 1.7 million over 16 hours from more than 10,000 unique IPs, largely originating from the 3xK GmbH hosting space. The actor reused common username/password combinations and used an unusual Firefox user agent, indicating scripted credential probing rather than exploitation. Administrators are advised to enforce strong passwords, enable MFA, audit appliances, and block known malicious IPs.
read more →

Cisco: Zero-day Exploitation of Secure Email Appliances

⚠️ Cisco warns a China-linked actor is actively exploiting a previously unknown zero-day in its Secure Email appliances to gain persistent access when the Spam Quarantine feature is enabled and exposed to the internet. Cisco Talos reports activity since at least late November and says no patch is available. In confirmed compromises, Cisco advises wiping and rebuilding affected appliances to remove persistence; organizations should immediately restrict access to management ports and apply compensating controls while awaiting a fix.
read more →

Cisco warns of exploited AsyncOS zero-day CVE-2025-20393

🚨 Cisco has warned of a maximum-severity zero-day in AsyncOS (CVE-2025-20393) that is actively exploited by a China-nexus APT tracked as UAT-9686. The flaw carries a CVSS score of 10.0 and can allow arbitrary command execution as root when the Spam Quarantine feature is enabled and reachable from the internet. Cisco observed attacks since late November 2025 and advises isolating affected appliances, restricting internet access, tightening authentication, monitoring web logs, and rebuilding compromised units until a patch is available.
read more →

Cisco Talos: Libbiosig, Grassroot DiCoM, and step-ca Flaws

🔔 Cisco Talos disclosed multiple vulnerabilities affecting libbiosig, Grassroot DiCoM, and Smallstep step-ca. The issues include stack-based buffer overflows in libbiosig’s MFER parser that may allow arbitrary code execution, several out-of-bounds reads in DiCoM that can leak sensitive data, and an authentication bypass in step-ca enabling unauthorized certificate issuance. Vendors have released patches in accordance with Cisco’s disclosure policy; administrators should apply updates promptly and obtain the latest Snort rule sets to detect exploitation attempts.
read more →

Chinese-nexus APT UAT-9686 Targets Cisco AsyncOS Appliances

🔒 Cisco Talos identified a targeted campaign, tracked as UAT-9686, that compromises appliances running Cisco AsyncOS, including Secure Email Gateway and Secure Email and Web Manager. The actor, assessed as a Chinese-nexus APT, deployed a Python backdoor called AquaShell that decodes specially crafted HTTP POSTs and executes system shell commands after being placed in a web server file. Operators also used a Go-based reverse SSH tool (AquaTunnel), Chisel for tunneling, and a log wiper named AquaPurge. Cisco has published advisories and recommends following remediation guidance and opening cases with TAC if IOCs are observed.
read more →

CISA Adds Three CVEs to Known Exploited Vulnerabilities

🔔 CISA added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The entries are CVE-2025-20393 (Cisco multiple products, improper input validation), CVE-2025-40602 (SonicWall SMA1000, missing authorization), and CVE-2025-59374 (ASUS Live Update, embedded malicious code). These flaws are frequent attack vectors that pose significant risks to federal and nonfederal organizations. Agencies covered by BOD 22-01 must remediate by the required due dates; CISA urges all organizations to prioritize mitigation.
read more →

Microsoft Patch Tuesday December 2025: 57 Vulnerabilities

🛡️ Microsoft released its December 2025 Patch Tuesday addressing 57 vulnerabilities, two labeled as critical and the remainder as important. Cisco Talos notes Microsoft assessed exploitation of the two critical issues as less likely, while several important flaws are considered more likely to be attacked. Talos published Snort and Snort 3 rules to detect exploitation attempts and recommends updating firewall SRUs and applying vendor patches promptly.
read more →