SonicWall, Fortinet and Ivanti exploitation campaign | Ascension caught again with Cleo zero-day campaign

Author:
Threat Research Team
Published on
May 15, 2025
Weekly Report

An exploit chain against SonicWall devices

An exploit chain of three vulnerabilities widely impacts SonicWall's secure access gateway (SMA 100) devices. The first one (CVE-2025-32820), already exploited in the wild, grants write permission to any SMA directory; the second one (CVE-2025-32821) allows inserting malicious files at the device's root level; and the third one (CVE-2025-32819) lets any attacker with a low-privileged account (even when not logged in to the targeted device) perform arbitrary file deletion for privilege escalation to admin.


Chinese actors behind SAP NetWeaver campaign

As more information has been provided about the exploitation of the recently disclosed critical vulnerability in SAP NetWeaver (CVE-2025-31324), it now appears that a nexus of three different Chinese state actors (UNC5221, UNC5174 and CL-STA-0048) is behind the attacks. At least 581 systems worldwide have been compromised, mostly in critical infrastructure sectors such as natural gas, water management, oil and gas exploration and medical devices. The flaw has been used to drop webshell backdoors aimed at maintaining persistent remote access. As part of the incident investigation, another deserialization vulnerability (CVE-2025-42999) has been identified and also observed exploited in the wild.


[mitigate]Block access from 5.204.56[.]106[/mitigate]

Ascension caught again

The large healthcare company Ascension has been compromised in Clop's recent Cleo zero-day campaign, resulting in a data breach affecting 430K patients. The company was already involved in one of the largest attacks of 2024, when 5.6 million patients' information was stolen by the notorious ransomware group BlackBasta.


Flaw in chat service exploited for espionage

A Turkish state actor named Cosmic Wolf (aka UNC1326) has exploited a zero-day (CVE-2025-27920) in the Indian chat service Output Messenger in an espionage campaign targeting Iraq-based Kurdish individuals. The directory traversal vulnerability allows arbitrary file execution. The group, which emerged in 2017, is known for attacking ISPs and IT companies across the Middle East and North Africa.


[mitigate]Monitor the "Marbled Dust activity group" alert in Defender for Endpoint[/mitigate]

TeleMessage's fatal vulnerability

Threat actors have exploited a vulnerability (CVE-2025-47729) in TeleMessage, an Israel-based mobile application that archives messages from chats such as WhatsApp, Telegram and Signal. The server-side flaw allows attackers to access server-client communications, which turned out to be in plaintext, contrary to the vendor's claim of double encryption. CISA highlights that no mitigation will be available and advises users to stop using the service. The issue raised high concerns after media outlets revealed that the app is popular among the Trump administration's national security officials, including the now-resigned national security advisor Michael Waltz.


FortiVoice exploited

A critical Fortinet vulnerability (CVE-2025-32756) has been exploited as a zero-day against FortiVoice, a voice communication platform. The flaw is a stack-based buffer overflow allowing RCE through crafted HTTP requests. It also impacts FortiMail, FortiNDR, FortiRecorder and FortiCamera.


[mitigate]Block access from 198.105.127[.]124, 43.228.217[.]173, 43.228.217[.]82, 156.236.76[.]90, 218.187.69[.]244 and 218.187.69[.]59[/mitigate]
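The block-access mitigations in this newsletter are published as defanged addresses, and the defanging is not always consistent (one address has the bracket after the second octet rather than the third). The following added example, which is not part of the newsletter or any vendor's tooling, refangs such lists, discards anything that is not a valid public IPv4 address, and renders a single nftables set plus drop rule; the sample text is constructed from the mitigation lines above.

```python
import ipaddress
import re

# Constructed sample: the newsletter's own mitigation lines, including the
# inconsistently defanged "218.187[.]69.244" form.
SAMPLE_INDICATORS = """
Block access from 5.204.56[.]106
Block access from 198.105.127[.]124, 43.228.217[.]173, 43.228.217[.]82, 156.236.76[.]90, 218.187[.]69.244 and 218.187.69[.]59
"""

# Accept "[.]", "(.)", " dot " and a plain "." between any pair of octets.
_SEP = r"(?:\[\.\]|\(\.\)|\s+dot\s+|\.)"
_IPV4_DEFANGED = re.compile(
    r"\b(\d{1,3})" + _SEP + r"(\d{1,3})" + _SEP + r"(\d{1,3})" + _SEP + r"(\d{1,3})\b"
)


def refang_ipv4(text: str) -> list[str]:
    """Return the unique, valid, public IPv4 addresses found in defanged text, in order."""
    found: list[str] = []
    for m in _IPV4_DEFANGED.finditer(text):
        candidate = ".".join(m.groups())
        try:
            ip = ipaddress.IPv4Address(candidate)
        except ValueError:
            continue  # e.g. an octet above 255 that merely looked like an address
        if ip.is_private or ip.is_loopback or ip.is_multicast or ip.is_reserved:
            continue  # never emit a block rule for internal space from a pasted list
        if candidate not in found:
            found.append(candidate)
    return found


def nft_block_rules(ips: list[str], set_name: str = "newsletter_block") -> str:
    """Render an nftables snippet: one named set and one drop rule instead of a rule per IP."""
    elements = ", ".join(ips)
    return (
        f"table inet filter {{\n"
        f"  set {set_name} {{ type ipv4_addr; elements = {{ {elements} }} }}\n"
        f"  chain input {{ type filter hook input priority 0; policy accept;\n"
        f"    ip saddr @{set_name} counter drop\n"
        f"  }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    print(nft_block_rules(refang_ipv4(SAMPLE_INDICATORS)))
```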

On-prem Ivanti EPMM hosts targeted

Two Ivanti vulnerabilities (CVE-2025-4427 and CVE-2025-4428), impacting on-prem EPMM hosts, have been exploited as zero-days. The first is an authentication bypass allowing unprivileged attackers to access resources; the second enables RCE. A limited number of organizations have been compromised.


[mitigate]Filter access to the API using either the built-in Portal ACLs functionality or an external WAF[/mitigate]

The EU will compete with the CVE program

ENISA, the EU's cybersecurity agency, has launched the European Vulnerability Database (EUVD) program. Still in beta, EUVD will provide a centralized information system on vulnerabilities, each assigned an EUVD ID. It will aggregate reports from incident response teams, cybersecurity vendors and other databases. EUVD will also include dashboards of exploited vulnerabilities (similar to CISA's KEV list), of critical ones, and of flaws coordinated by European CSIRTs. The initiative was announced while concerns about the future of the CVE program in the US remain high, following significant budget cuts at CISA and MITRE.
