CyberAlerts

Description: Hazel highlights the key findings within Cisco Talos’ 2024 Year in Review (now available for download) and details our active tracking of an ongoing campaign targeting users in Ukraine with malicious LNK files.

Source: Cisco Talos Blog

April 3rd, 2025 (2 months ago)

CVE-2025-20120

Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Stored Cross-Site Scripting Vulnerabilities

Description: Multiple vulnerabilities in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow a remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-epnmpi-sxss-GSScPGY4 Security Impact Rating: Medium CVE: CVE-2025-20120,CVE-2025-20203

EPSS Score: 0.02%

Source: Cisco Security Advisory

April 2nd, 2025 (2 months ago)

CVE-2025-20212

Cisco Meraki MX and Z Series AnyConnect VPN Denial of Service Vulnerability

Description: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series devices could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. To exploit this vulnerability, the attacker must have valid VPN user credentials on the affected device. This vulnerability exists because a variable is not initialized when an SSL VPN session is established. An attacker could exploit this vulnerability by supplying crafted attributes while establishing an SSL VPN session with an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of the established SSL VPN sessions and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established. Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers without manual intervention. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vNRpDvfb Security Impact Rating: High CVE: CVE-2025-20212

EPSS Score: 0.12%

Source: Cisco Security Advisory

April 2nd, 2025 (2 months ago)

CVE-2025-20139

Cisco Enterprise Chat and Email Denial of Service Vulnerability

Description: A vulnerability in chat messaging features of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper validation of user-supplied input to chat entry points. An attacker could exploit this vulnerability by sending malicious requests to a messaging chat entry point in the affected application. A successful exploit could allow the attacker to cause the application to stop responding, resulting in a DoS condition. The application may not recover on its own and may need an administrator to manually restart services to recover. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-dos-tC6m9GZ8 Security Impact Rating: High CVE: CVE-2025-20139

EPSS Score: 0.1%

Source: Cisco Security Advisory

April 2nd, 2025 (2 months ago)

Cisco warns of CSLU backdoor admin account used in attacks

Description: Cisco warns admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks. [...]

Source: BleepingComputer

April 2nd, 2025 (2 months ago)

Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine

Description: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. "The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to

Source: TheHackerNews

March 31st, 2025 (2 months ago)

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

Description: Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.

Source: Cisco Talos Blog

March 28th, 2025 (2 months ago)

Critical Cisco Smart Licensing Utility flaws now exploited in attacks

Description: Attackers have started targeting Cisco Smart Licensing Utility (CSLU) instances unpatched against a vulnerability exposing a built-in backdoor admin account. [...]

Source: BleepingComputer

March 20th, 2025 (3 months ago)

Taiwan critical infrastructure targeted by hackers with possible ties to Volt Typhoon

Description: Researchers at Cisco Talos identified a hacking operation against Taiwan that appears to overlap with Chinese state-backed campaigns known as Volt Typhoon and Flax Typhoon.

Source: The Record

March 20th, 2025 (3 months ago)

Cybercriminals Exploit CSS to Evade Spam Filters and Track Email Users' Actions

Description: Malicious actors are exploiting Cascading Style Sheets (CSS), which are used to style and format the layout of web pages, to bypass spam filters and track users' actions. That's according to new findings from Cisco Talos, which said such malicious activities can compromise a victim's security and privacy. "The features available in CSS allow attackers and spammers to track users' actions and

Source: TheHackerNews

March 17th, 2025 (3 months ago)

Threat and Vulnerability Intelligence Database

Example Searches:

	One mighty fine-looking report Description: Hazel highlights the key findings within Cisco Talos’ 2024 Year in Review (now available for download) and details our active tracking of an ongoing campaign targeting users in Ukraine with malicious LNK files. Source: Cisco Talos Blog April 3rd, 2025 (2 months ago)
CVE-2025-20120	Cisco Evolved Programmable Network Manager and Cisco Prime Infrastructure Stored Cross-Site Scripting Vulnerabilities Description: Multiple vulnerabilities in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow a remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface on an affected system. For more information about these vulnerabilities, see the Details section of this advisory. Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-epnmpi-sxss-GSScPGY4 Security Impact Rating: Medium CVE: CVE-2025-20120,CVE-2025-20203 EPSS Score: 0.02% Source: Cisco Security Advisory April 2nd, 2025 (2 months ago)
CVE-2025-20212	Cisco Meraki MX and Z Series AnyConnect VPN Denial of Service Vulnerability Description: A vulnerability in the Cisco AnyConnect VPN server of Cisco Meraki MX and Cisco Meraki Z Series devices could allow an authenticated, remote attacker to cause a denial of service (DoS) condition in the Cisco AnyConnect service on an affected device. To exploit this vulnerability, the attacker must have valid VPN user credentials on the affected device. This vulnerability exists because a variable is not initialized when an SSL VPN session is established. An attacker could exploit this vulnerability by supplying crafted attributes while establishing an SSL VPN session with an affected device. A successful exploit could allow the attacker to cause the Cisco AnyConnect VPN server to restart, resulting in the failure of the established SSL VPN sessions and forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established. Note: When the attack traffic stops, the Cisco AnyConnect VPN server recovers without manual intervention. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-meraki-mx-vpn-dos-vNRpDvfb Security Impact Rating: High CVE: CVE-2025-20212 EPSS Score: 0.12% Source: Cisco Security Advisory April 2nd, 2025 (2 months ago)
CVE-2025-20139	Cisco Enterprise Chat and Email Denial of Service Vulnerability Description: A vulnerability in chat messaging features of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper validation of user-supplied input to chat entry points. An attacker could exploit this vulnerability by sending malicious requests to a messaging chat entry point in the affected application. A successful exploit could allow the attacker to cause the application to stop responding, resulting in a DoS condition. The application may not recover on its own and may need an administrator to manually restart services to recover. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link:https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ece-dos-tC6m9GZ8 Security Impact Rating: High CVE: CVE-2025-20139 EPSS Score: 0.1% Source: Cisco Security Advisory April 2nd, 2025 (2 months ago)
	Cisco warns of CSLU backdoor admin account used in attacks Description: Cisco warns admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks. [...] Source: BleepingComputer April 2nd, 2025 (2 months ago)
	Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine Description: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. "The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to Source: TheHackerNews March 31st, 2025 (2 months ago)
	Gamaredon campaign abuses LNK files to distribute Remcos backdoor Description: Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024. Source: Cisco Talos Blog March 28th, 2025 (2 months ago)
	Critical Cisco Smart Licensing Utility flaws now exploited in attacks Description: Attackers have started targeting Cisco Smart Licensing Utility (CSLU) instances unpatched against a vulnerability exposing a built-in backdoor admin account. [...] Source: BleepingComputer March 20th, 2025 (3 months ago)
	Taiwan critical infrastructure targeted by hackers with possible ties to Volt Typhoon Description: Researchers at Cisco Talos identified a hacking operation against Taiwan that appears to overlap with Chinese state-backed campaigns known as Volt Typhoon and Flax Typhoon. Source: The Record March 20th, 2025 (3 months ago)
	Cybercriminals Exploit CSS to Evade Spam Filters and Track Email Users' Actions Description: Malicious actors are exploiting Cascading Style Sheets (CSS), which are used to style and format the layout of web pages, to bypass spam filters and track users' actions. That's according to new findings from Cisco Talos, which said such malicious activities can compromise a victim's security and privacy. "The features available in CSS allow attackers and spammers to track users' actions and Source: TheHackerNews March 17th, 2025 (3 months ago)