Featured Story
Nearly 50,000 Cisco firewalls vulnerable to actively exploited flaws

Summary
Nearly 50,000 internet-exposed Cisco ASA/FTD instances remain vulnerable to two bugs that “advanced” attackers are actively exploiting.
The vulnerabilities are CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5), which affect Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The lower-scored CVE-2025-20362 lets an unauthenticated attacker reach restricted URL endpoints on the VPN web server, and CVE-2025-20333 is an authenticated remote code execution flaw in that same web server, so chained together they give unauthenticated code execution as root; the 6.5 score should not be read as low priority.
The attacks are most likely the work of the actors behind the ArcaneDoor campaign, who targeted the same Cisco products in 2024.
The attackers deploy two malware families, RayInitiator and Line Viper; RayInitiator is a bootkit that keeps the attackers’ access to a compromised device persistent across reboots.
Other News
Hackers Exploit Milesight Routers to Send Phishing SMS to European Users
Summary
Unknown threat actors have been abusing Milesight industrial cellular routers to send SMS messages in a smishing campaign targeting users in European countries since at least February 2022. The campaigns primarily target Sweden, Italy, and Belgium, using typosquatted URLs that impersonate government platforms such as CSAM and eBox as well as banking, postal, and telecom providers.
Of about 18,000 routers reachable from the public internet, 572 are potentially vulnerable because they expose the SMS inbox/outbox APIs.
The attackers are exploiting CVE-2023-43261, a now-patched information disclosure flaw that leaks router credentials, and some routers expose SMS-related functions without requiring any authentication at all.
The phishing URLs serve JavaScript that checks whether the visitor is on a mobile device before delivering the malicious content, which urges users to update their banking details.
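The mobile-only gating described above matters for defenders because a sandbox or analyst that fetches the URL with a desktop browser sees only a harmless decoy. The following is an added example, not code from the original report or from the phishing kit it describes: the first part mimics the gating decision, the second is a small source scanner that flags the pattern in fetched page source, and the third builds the headers an analyst would send to reach the mobile branch. The indicator regexes, the user-agent strings and both sample pages are constructed assumptions for illustration.

```javascript
// Added example: mobile-only cloaking as used by smishing landing pages, and a
// scanner that flags it. Not code from the report or the kit; all inputs below
// are constructed for illustration.

// Mobile markers a kit typically keys on (assumption: real kits vary).
const MOBILE_UA = /Android|iPhone|iPad|iPod|Windows Phone|Mobile/i;

function isMobileUserAgent(ua) {
  return MOBILE_UA.test(ua || "");
}

// Simulated kit behaviour: the lure (fake "update your bank details" form) is
// only returned to mobile browsers; everyone else gets a bland decoy page.
function kitResponse(userAgent) {
  return isMobileUserAgent(userAgent) ? "lure" : "decoy";
}

// Source-level indicators of user-agent gating: reading navigator.userAgent,
// a regex of mobile platform names, and a redirect that depends on the result.
const GATING_INDICATORS = [
  { name: "reads navigator.userAgent", re: /navigator\.userAgent/ },
  { name: "tests for mobile platform names",
    re: /\/[^\/\n]*(?:android|iphone|ipad|mobile)[^\/\n]*\/i?\s*\.test\(/i },
  { name: "redirects after the check",
    re: /location(?:\.href)?\s*=(?!=)|location\.(?:replace|assign)\(/ },
];

// Returns the names of all indicators present in a page's source.
function flagsMobileGating(source) {
  return GATING_INDICATORS.filter((ind) => ind.re.test(source)).map((ind) => ind.name);
}

// Headers an analyst would send to get the mobile branch of such a page
// (constructed Android UA; any current mobile UA string works the same way).
function analystHeaders() {
  return {
    "User-Agent":
      "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0 Mobile Safari/537.36",
    "Accept-Language": "sv-SE,sv;q=0.9",
  };
}

// Constructed sample of what a gated landing page might contain (not real kit code).
const SAMPLE_GATED_PAGE = `<html><body><script>
if (/Android|iPhone|iPad/i.test(navigator.userAgent)) {
  location.href = "/secure/update-bank-details.html";
} else {
  document.body.innerHTML = "<p>404 Not Found</p>";
}
</script></body></html>`;

// Constructed benign page that should not trigger any indicator.
const SAMPLE_BENIGN_PAGE = `<html><body><script>
document.getElementById("year").textContent = new Date().getFullYear();
</script></body></html>`;

// Stand-alone run.
console.log(kitResponse("Mozilla/5.0 (Windows NT 10.0; Win64; x64)")); // decoy
console.log(kitResponse(analystHeaders()["User-Agent"]));              // lure
console.log(flagsMobileGating(SAMPLE_GATED_PAGE));  // all three indicator names
console.log(flagsMobileGating(SAMPLE_BENIGN_PAGE)); // []
```

The scanner is a heuristic: it catches the plain pattern shown here, not obfuscated or server-side gating, so when triaging a reported URL always fetch it once with a mobile user agent (and, for campaigns like this one, the targeted country's Accept-Language) and compare the two responses.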
China-Linked Hackers Exploit New VMware Zero-Day Since October 2024
Summary
A newly patched security flaw in Broadcom VMware Tools and VMware Aria Operations has been exploited in the wild as a zero-day since mid-October 2024 by a China-linked threat actor tracked as UNC5174.
The vulnerability is CVE-2025-41244 (CVSS score: 7.8), a local privilege escalation bug affecting VMware Cloud Foundation, VMware vSphere Foundation, VMware Aria Operations, VMware Tools, and VMware Telco Cloud platforms.
A malicious local actor with non-administrative privileges on a VM that has VMware Tools installed can exploit the flaw to escalate to root on that same VM, turning unprivileged access into code execution in a privileged context.
Beware of phishing scams involving your energy bill
Summary
Now that it is getting colder and the heating is being switched back on, scammers are seizing the opportunity: they try to attract your attention with supposed discounts on your energy bill, cheap pellets, and the like.
A recent example, riddled with spelling mistakes, was reported almost 2,000 times this week via suspicious@safeonweb.be.
Safeonweb.be advises not to click links in suspicious messages, not to open attachments, and not to download applications when asked to.
If you have clicked a link, do not fill in any fields, end the interaction, and never give out personal codes. If you entered a password that you also use elsewhere, change it immediately.
Suspicious messages can be forwarded to any of Safeonweb’s three reporting addresses, such as suspicious@safeonweb.be.
Our SOC is also available to assist if there are any doubts or suspicions about a text or email message.