Patch Now: Cisco CVEs are Actively Exploited; GitHub Overhauls npm Authentication; Windows 10 Extended Security Updates Offered to EEA

This week, Cisco published security advisories addressing 17 CVEs. Of those, three are known to be actively exploited. The US Cybersecurity and Infrastructure Security Agency (CISA) has added two of these vulnerabilities – both of which affect Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) – to the Known Exploited Vulnerabilities database: a buffer overflow vulnerability (CVE-2025-20333) and a missing authorization vulnerability (CVE-2025-20362). Cisco has released updates to address both the vulnerabilities, and both have immediate KEV mitigation deadlines. A third actively exploited flaw, a stack-based buffer overflow vulnerability (CVE-2025-20352) exists in the Simple Network Management Protocol (SNMP) subsystem of Cisco's IOS and IOS XE software. Cisco notes that an authenticated remote attacker with low privileges could exploit the flaw to create denial-of-service conditions on vulnerable devices running Cisco IOS and IOS XE software, and an authenticated remote attacker with high privileges could exploit the flaw to execute code with root privileges on vulnerable devices running Cisco IOS XE software. The issue affects all versions of SNMP. Users are urged to update to fixed versions of Cisco IOS and IOS XE software. While there are no workarounds for this vulnerability, Cisco's security advisory does include a mitigation for users unable to update their software immediately.

Following several 2025 supply chain attacks in which GitHub compromises were leveraged to attack the npm ecosystem, GitHub is announcing changes to its authentication and publishing processes. Local publishing will require FIDO-based two-factor authentication (2FA); all access tokens will become "granular," with specifically delimited permissions and 7-day lifetimes; and publishers will be strongly encouraged to configure the Trusted Publishers security capability, which authenticates publishing by "exchanging OIDC identity tokens for short-lived and tightly scoped API tokens for authenticating with package repository publishing APIs," removing reliance on longer-lived and highly privileged API tokens. The eligible providers for trusted publishing will also be expanded. GitHub will deprecate legacy classic tokens and time-based one-time password (TOTP) 2FA; enforce short expirations for granular tokens with publishing permissions; disallow tokens by default for publishing access; and remove the option to bypass 2FA for local package publishing. Maintainers in npm are urged to use trusted publishing, require 2FA for all writes and publishing actions, and use WebAuthn instead of TOTP when configuring 2FA.

Following pressure from a European consumer protection organization, Microsoft has agreed to offer one year of free Extended Security Updates (ESU) for Windows 10 users in the European Economic Area (EEA), which comprises all 27 European Union (EU) member states, as well as Iceland, Liechtenstein, and Norway. In a letter to Microsoft. Luxembourg-based Euroconsumers writes that they are "pleased" with the plan, noting they "are also glad this option will not require users to back up settings, apps, or credentials, or use Microsoft Rewards, ... as linking access to essential security updates to engagement with Microsoft's own services raised reasonable doubt of compliance with obligations under Article 6(6) of the DMA." In the same letter, Euroconsumers also expresses concern about the "short-term measure [which] falls short of what consumers can reasonably expect for a product that remains widely used and does not align with the spirit of the Digital Content Directive (DCD), nor the EU’s broader sustainable goals," as upgrading to the Windows 11 operating system requires a hardware upgrade as well.

Earlier this week, SonicWall released a firmware update that should help users remove rootkit malware that was deployed in attacks against SonicWall Secure Mobile Access (SMA) 100 series appliances over the past several months. In July, the Google Threat Intelligence Group wrote that threat actors had been exploiting an until-then unknown backdoor in end-of-life SonicWall SMA 100 appliances and deploying rootkit malware dubbed OVERSTEP. The malware establishes a reverse shell on compromised devices, exfiltrates sensitive information, and helps intruders maintain persistent access. In a September 22 advisory, SonicWall "strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the 10.2.2.2-92sv version."

SalesForce has released updates to address "a critical ... vulnerability chain in Salesforce Agentforce." The issue, which was detected by researchers at Noma Labs in late July, could potentially be exploited "to potentially exfiltrate sensitive data from its customer relationship management (CRM) tool by means of an indirect prompt injection." The issue affects organizations that use the SalesForce customer relationship management (CRM) platform with Web-to-Lead functionality enabled. Organizations are advised to apply actions recommended by Salesforce; audit lead data for unusual or suspicious submissions; implement strict input validation; and sanitize data from untrusted sources.

SolarWinds has released a hot fix to address a critical unauthenticated AjaxProxy deserialization remote code execution vulnerability (CVE-2025-26399) in Web Help Desk. In their security advisory, SolarWinds notes that "this vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986." The first hotfix, for CVE-2024-28986, was released in August 2024; the CVE was later added to the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog. Users are urged to update to SolarWinds Web Help Desk 12.8.7 HF1.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory summarizing CISA's response to and lessons learned from a cybersecurity incident at a U.S. federal civilian executive branch (FCEB) agency in July and August 2024. The unnamed agency discovered the attack when its endpoint detection and response (EDR) tool generated an alert, which CISA determined was approximately three weeks after a threat actor first compromised the agency by exploiting a critical flaw in GeoServer, an open-source server application for handling geospatial data. CVE-2024-36401, CVSS score 9.8, allows an unauthenticated attacker to achieve remote code execution (RCE) by crafting input that receives unsafe XPath evaluation. CISA identified three major shortfalls: first, the agency did not remediate vulnerabilities promptly. The threat actor compromised two GeoServers using CVE-2024-36401, despite the flaw having been disclosed 11 days before the first compromise and 25 days before the second, including appearing in the Known Exploited Vulnerabilities (KEV) catalog four days after the first compromise. Second, the agency's incident response plan (IRP) was untested and incomplete, which "delayed certain elements of CISA’s response as the IRP did not have procedures for involving third-party assistance or for granting third-party access to their security tools." Third, EDR was not comprehensively implemented and the agency did not continuously review EDR alerts, allowing three weeks of undetected intrusion. Based on this investigation, CISA offers recommendations for improving security posture: establish a properly-prioritized vulnerability management program; "maintain, practice, and update cybersecurity IRPs"; implement and centrally aggregate comprehensive and detailed logs; require phishing-resistant MFA, and implement allowlisting.

The UK's National Crime Agency has announced the arrest of "a man in his forties in West Sussex" in connection with the ransomware attack on Collins Aerospace Multi-User System Environment (MUSE) software that caused major disruptions to several EU airports, including Heathrow in London, starting September 19, 2025. The suspect was arrested on suspicion of violating the Computer Misuse Act, but has been released on conditional bail. Meanwhile, RTX (formerly Raytheon Technologies), the parent conglomerate owning Collins Aerospace, has filed form 8-K with the US Securities and Exchange Commission (SEC), disclosing their September 19 discovery of ransomware on systems supporting MUSE software, a product RTX describes as allowing "multiple airlines to share check-in and gate resources at airports, including baggage handling." Upon detection, RTX assessed and worked to contain and remediate the incident per the company's incident response plan, notifying domestic and international authorities and continuing to investigate with the aid of third-party cybersecurity experts. RTX does not believe the incident will have a material impact; the company says it is communicating with customers to provide support and guidance, noting that those affected "have shifted to back-up or manual processes and have experienced certain flight delays and cancellations." As of this writing, airports are still waiting on RTX and Collins to restore systems. Cybersecurity experts Kevin Beaumont and Dominic Alvieri have noted on social media and to news sources that evidence suggests the ransomware involved is HardBit.

The US Secret Service has published a press release announcing their dismantling and ongoing investigation of a network comprising "300 co-located SIM servers and 100,000 SIM cards across multiple sites" in New York, New Jersey, and Connecticut. These SIM farm facilities were all located within 35 miles of the headquarters of the United Nations in Manhattan; the Secret Service's announcement comes during the high-level week of the UN General Assembly's 80th session currently underway. Matt McCool, Special Agent In Charge of the Secret Service's New York Field Office, suggests a connection between the equipment and "multiple telecommunications-related imminent threats directed towards senior US government officials this spring." McCool alleges that the system had "potential to disable cell phone towers and essentially shut down the cellular network in New York City," and may have facilitated communication between "potential threat actors and criminal enterprises [...] [including] cellular communications between foreign actors and individuals that are known to federal law enforcement." WIRED notes that the capabilities of SIM farms include "everything from spam to swatting to fake account creation and fraudulent engagement with social media or advertising campaigns." The equipment and data are still under forensic examination.