Another NetScaler Flaw; Multiple Vulnerabilities in Multifunction Printers; Cisco Fixes Critical Flaws in ISE

There are two distinct vulnerabilities Citrix patched in NetScaler. The more severe one allows for memory leaks to disclose session IDs and other secrets to attackers. It is similar to the earlier, already exploited, “Citrix Leak” vulnerability. Expect an exploit to be released soon. The other vulnerability, which is already exploited, appears to only allow for a denial of service attack, but I would not trust Citrix’s analysis enough to not prioritize patching of this vulnerability.

Johannes Ullrich

The new zero-day, CVE-2025-6543, has a CVSS score of 9.2, and with the other two flaws from a week ago, you can bank on threat actors smelling blood in the water. Don’t panic, keep your NetScaler devices updated judiciously and have your threat hunters go to town on the IOCs.

Lee Neely

The Citrix bug is nasty; it's dubbed CitrixBleed 2. It's another unauthenticated out-of-bounds read on a forward-facing web interface. If you must choose which one to patch this month, this is the one.

Moses Frost

Although it may not be readily obvious to some folks, printers can be a really serious attack vector. Some of them store recently printed documents with sensitive information and also may have lists of users who printed those documents. What’s more, sometimes in red team and assumed breach work, we find that we have the ability to print documents on these devices. That might seem innocuous, yielding the ability to waste paper. But in a recent Red Team project, security engineer Kyle Parrish printed pages that had QR codes on them, along with some very enticing words about prizes and other goodies available to individuals who scanned them (using the individuals’ names gathered from the recently printed documents list). Kyle calls the attack “Prishing.” And it worked like a charm, sorry to say, getting the users to scan the codes leading to follow-on exploitation and further social engineering opportunities. We definitely need to educate users to be careful with scanning QR codes, even ones that appear on printers in the workplace.

Ed Skoudis

The usual advice after stories like this is: upgrade. Which makes sense. But it is also somewhat pointless, as we all know that there will be a similar story a few months later with new vulnerabilities. Unless manufacturers start adding a minimum of due care, keep those devices isolated, assume vulnerabilities, and compromise. Minimize your exposure by minimizing the number of devices like this you purchase.

Johannes Ullrich

Brother is publishing firmware updates to partly mitigate the issue, applying those updates is prudent, you also need to change the default password, if you haven’t already.

Lee Neely

On assessments I <3 printers. Make sure you harden them.

Moses Frost

Cisco ISE is a multiheaded beast. It's a RADIUS/TACACS/NAC/IDENTITY everything. It's used for all manner of things, in its most basic form, Wireless Guest Portals, 802.1x for Wireless, or TACACS+ administration. This is an unauthenticated remote code execution flaw through an API and many of those APIs are exposed to internal users. Owning this system could be highly problematic from a security perspective. Lots of companies run this product. If you haven't patched it, patch.

Moses Frost

An identity management engine, created by a leader in the cybersecurity space, does not validate user-supplied input sufficiently. This is about all you have to know about how likely you and your understaffed team will be able to defend your network.

Johannes Ullrich

Well, folks, this edition of NewsBites feels to me rather disheartening. Vulnerabilities in printers, Citrix NetScaler, and this one in Cisco’s Identity Services Engine are bad, and will fuel _tomorrow’s_ breaches. I mean, remote code execution yielding root privileges in identity infrastructure provided by Cisco — such a core component of many organizations’ security? Ouch. And this NewsBites is chock full of _today’s_ breaches too, specifically in healthcare organizations (contributing to a patient’s death, no less) and Africa’s financial sector. It’s understandable that cybersecurity practitioners might feel distraught. But let’s not despair, my friends! Now is the time to be more diligent than ever, leveraging new technologies like AI for defensive, detection, and response purposes, and keeping ourselves smart about thwarting the latest attacks. If you are a cybersecurity practitioner, this is our calling — to do our part to make the world safer and more secure. We must push ourselves to never lose sight of that mission (and I write that just as much to tell myself as I write it for our NewsBites readers).

Ed Skoudis

We have tolerated the scourge of ransomware for far too long now. It is well beyond time that the ransomware problem is moved from being a technical issue to being a major societal threat and the relevant government agencies are given the resources, laws, and support to deal with this threat at the level it needs to be.

Brian Honan

We all knew this day was coming, and this isn’t the first reported case. Ransomware gangs should rightfully be blamed and held accountable. But I also believe that the company bears some responsibility as they are a critical resource for the UK’s NHS. As such, they should have maintained their cybersecurity program at a higher state than was evident in the attack.

Curtis Dukes

The HIPAA Journal report summarizes what’s widely known: the healthcare industry continues to be a victim of cyber-attack. For some it’s a lack of resources, for many others it’s a lack of focus on their cybersecurity program. Automating configuration and patching are critical. Until that occurs, organizations must dedicate themselves to actively managing cybersecurity program. Otherwise, they haven’t established a standard duty of care in protecting PHI for which they are entrusted.

Curtis Dukes

The AMI flaw, CVE-2025-54085, was discovered by Eclypsium in March and has a CVSS score of 10. This can be easily exploited by a single POST request to a vulnerable BMC. Beyond applying updated firmware, make sure you control access to BMC and other management interfaces, don’t rely on their built in protections. Never expose these directly to the Internet.

Lee Neely

All three are bad but what’s particularly disappointing is the use of a hard-coded credential in the Fortinet operating system. When it comes to product vulnerabilities, Fortinet has had a difficult last 18-months. One would have thought that they would have double-downed on security and fixed this poor identity and access mechanism.

Curtis Dukes

While the identified certificate has been revoked, preventing new installs of the known bad package, it’s a good time to make sure that you have a process and guidelines about how and where software is obtained, vetted and installed. Then back it up with appropriate endpoint technical controls.

Lee Neely

One can remember when it was sufficient to say "trusted source in tamper evident packaging." Then, one is older than the average bear. There may not be any trusted sources left.

William Hugh Murray

Interesting report. While they may be targeting Africa’s financial sector, the TTPs can be repurposed to attack any other regional financial sector. The best defense remains patch, configure, and actively monitor one’s enterprise. If you do those three things well, you’ve significantly raised the cost to the attacker to attack you. But then, I didn’t need this threat report to tell me that.

Curtis Dukes

This paper is the output of a study of a Medical Device equipment manufacturer. While it doesn't impact hospitals for example, we can draw some excellent conclusions from this. Even in a regulated space like Healthcare Equipment manufacturing, the process of making the devices could still lack the basics of OT security. It's a good read if you have never worked with ICS equipment before.

Moses Frost

What is needed is security requirements, with consequences for failing to meet them, to support the areas the paper wants manufacturers to consider. Otherwise support, and funding, is unlikely to be consistent.

Lee Neely

Yes, they should, and no doubt that they will. Not because of this white paper, but more because of increasing liability concerns. The remaining question becomes what to do about legacy medical devices. For example, medical imaging machines that stay in service for at least 15 years.

Curtis Dukes

The problem is not that these appliances do not do what they assert but that they are capable of doing too much more and present too large an attack surface. Purpose built appliances do not require general purpose operating systems.

William Hugh Murray

How are your business systems? Are they current and aligned with your current threat model? Do you have a good understanding of the replacement process? There really is no such thing as a quick or cheap transition. Your business units may want longer regression testing and rollback intervals than you expect. With new technology, which likely includes cloud, API gateways and AI, make sure all environments are equally secured; just as the business unit comes up to speed on new processes, you’re going to need to come up to speed on the new security posture, to include monitoring, incident reporting and best practices.

Lee Neely