Another NetScaler Flaw; Multiple Vulnerabilities in Multifunction Printers; Cisco Fixes Critical Flaws in ISE

On Wednesday, June 25, 2025, Citrix released a fix for a critical memory overflow vulnerability in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway. The vulnerability could lead "to unintended control flow and Denial of Service." This issue is being actively exploited in the wild and is separate from the two NetScaler vulnerabilities Citrix disclosed on June 17. Users are urged to update to the most recent versions of the affected products as soon as possible.

Researchers at Rapid7 have found eight vulnerabilities affecting multiple models of Brother multifunction printers. The most concerning of the bunch is CVE-2024-51978, a critical vulnerability that can be exploited by someone knowing the device's serial number to generate the default administrator password. Brother says that the issue cannot be fully mitigated with firmware updates and has implemented a manufacturing change for all affected models; Brother has suggested a workaround for the older printer models: manually change the administrator password on all affected devices. The other seven flaws are rated higher high or medium severity. The flaws also affect multiple printers from other manufacturers, including FUJIFILM Business Innovation, Ricoh, Toshiba Tec Corporation, and Konica Minolta, Inc.

Cisco has released updates to address a pair of maximum severity unauthenticated remote code execution vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC). As described by Cisco, one of the vulnerabilities, CVE-2025-20281, "is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device." The second vulnerability, CVE-2025-20282, "is due a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system." Users running affected products are urged to update to fixed versions as soon as possible.

The UK's National Health Service (NHS) has determined that the 2024 ransomware attack affecting pathology firm Synnovis was a contributing factor in a patient's death. According to BBC, "King's College Hospital NHS Foundation Trust confirmed that one patient had 'died unexpectedly' during the cyber attack on 3 June 2024, which disrupted more than 10,000 appointments." The ransomware attack disrupted services provided by Synnovis, which prevented NHS healthcare practitioners from obtaining blood test results in a timely manner.

Since the beginning of May 2025, the US Department of Health and Human Services Office for Civil Rights (HHS OCR) received 85 reports of healthcare-related cybersecurity breaches affecting 500 or more individuals. Of the 85 reported breaches, seven affected 100,000 or more individuals: Episource LLC (5,418,866); Serviceaide (483,126); and Ocuco (240,961); Marlboro-Chesterfield Pathology (235,911); Harbin Clinic (176,149); Central Kentucky Radiology (166,953); and Select Medical Holdings Corporation (119,525). (The data analyzed in the HIPAA Journal article are from May 2025 only.) The majority of the reported breaches involved hacking or an IT incident affecting data on a network server. In a separate but related story, Mainline Health Systems has disclosed a breach affecting just over 101,000 individuals to the Maine Attorney General's Office.

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) added three security issues to their Known Exploited Vulnerabilities (KEV) catalog: an authentication bypass by spoofing vulnerability in AMI baseboard management controller (BMI) firmware; a path traversal vulnerability in D-Link DIR-859 routers; and a hard-coded credentials vulnerability in Fortinet FortiOS. All three were added on Wednesday, June 25 and have mitigation due dates of July 16, 2025. CISA also published two Industrial Control Systems (ICS) advisories. The first is for a critical authentication bypass vulnerability in Mitsubishi Electric air conditioning systems. The second ICS advisory is for a pair of vulnerabilities affecting TrendMakers Sight Bulb Pro firmware: the first is a use of a broken or risky cryptographic algorithm flaw, and the second is an improper neutralization of special elements used in a command flaw.

SonicWall and Microsoft Threat Intelligence have identified a campaign involving a maliciously altered version of the SonicWall SSL VPN NetExtender application. In their write-up of the situation, SonicWall says, "The website impersonating the legitimate NetExtender is hosting a Trojanized version of SonicWall’s actual NetExtender version 10.3.2.27 (the latest release version), digitally signed by 'CITYLIGHT MEDIA PRIVATE LIMITED.'" Once users download the trojanized version of the app, the malware steals and exfiltrates all pertinent data related to the VPN configuration. SonicWall and. Microsoft have taken down the sites hosting the malicious versions of the app and have revoked the installer's digital certificate. The SonicWall write-up also include indicators of compromise.

Researchers from Palo Alto Networks Unit 42 have detected "a series of attacks targeting financial organizations across Africa." Using both open-source and publicly available tools, "the threat actor copies signatures from legitimate applications to forge file signatures, to disguise their tool set and mask their malicious activities." The attacks have been ongoing since at least July 2023. Unit 42 posits that the threat actors are acting as initial access brokers, obtaining access to the financial institutions to sell to others on criminal forums.

The US Food and Drug Administration (FDA) has published a white paper calling for medical device manufacturers to build cybersecurity into their operational technology (OT). "To secure an industrial network, it is important to obtain visibility. Some connected hardware modules are embedded within other equipment and may be hidden from the end user. Once all devices are fully understood, they can be logically arranged on the network to maximize infrastructure security." The paper urges medical device manufacturers to address areas of consideration: technical information exchange, which may include transparency about the manufacturing environment and network as well as a software bill of materials (SBOM); Security, Standards, and Compliance, which includes security standards, compliance assessments, continuous monitoring, and vulnerability management; and security by design, which includes vendor and customer design, role-based access control, and change control. "Securing medical product manufacturing cannot be done by individuals or single companies. It requires coordinated efforts from all involved parties across public and private sectors."

In testimony before the US House of Representatives Judiciary Subcommittee on Courts, Intellectual Property, Artificial Intelligence, and the Internet, The Honorable Michael Y. Scudder Jr., Chair Committee on Information Technology of the Judicial Conference of the United States said that the Judiciary's case management/electronic case filing (CM/ECF) system and its portal, the Public Access to Court Electronic Records (PACER) system "are outdated, unsustainable due to cyber risks, and require replacement." Judge Scudder added that the Judiciary's "strategy is for new case management and PACER systems to be developed and rolled out on an incremental basis, meaning functionality of a modernized system is implemented in waves versus the past model of implementation only after a system is fully designed, developed, and tested."