Patch Now: Cisco Secure ASA, Secure FTD, UCCX; SonicWall Investigation Report; Follow-up: M&S; Miljödata; Nevada State Government Systems

Two vulnerabilities affecting both *Cisco Secure Adaptive Security Appliance (ASA) software and Cisco Secure Firewall Threat Defense (FTD) software*, both disclosed and patched in late September 2025, are still being exploited, now in a new attack that can lead to denial of service (DoS). Cisco reiterates that CVE-2025-20333 (CVSS 9.9) and CVE-2025-20362 (CVSS 6.5) can be used to execute arbitrary code and access restricted URL endpoints related to a remote access VPN, respectively, and are now being used in attacks that cause unpatched devices to unexpectedly and continuously reload. These flaws had already been exploited for several months when Cisco first patched them, including a May 2025 breach of a US government agency; both the US Cybersecurity and Infrastructure Security Agency (CISA) and UK National Cyber Security Centre (NCSC) issued emergency patch directives in September. Cisco's new advisories also thank Australian and Canadian cyber authorities, and provide instructions for identifying and applying fixes. Separately, Cisco published an advisory disclosing two critical flaws in *Cisco Unified Contact Center Express (UCCX)*, neither of which is known to be exploited. CVE-2025-20354, CVSS score 9.8, allows an attacker to execute arbitrary commands and elevate privileges to root by uploading a crafted file through the Java RMI process, due to improper authentication mechanisms. CVE-2025-20358, CVSS score 9.4, allows an attacker to create and execute arbitrary scripts as an internal non-root user by "redirecting the authentication flow to a malicious server and tricking the CCX Editor into believing the authentication was successful," due to improper authentication mechanisms between the editor and an affected Unified CCX server. These flaws affect UCCX regardless of device configuration, and there are no workarounds; Cisco urges users to update to fixed releases 12.5 SU3 ES07 or 15.0 ES01.

When "SonicWall detected suspicious activity related to the downloading of backup firewall configuration files stored in a specific cloud environment" in early September, the company brought in Mandiant to investigate. The company initially said that the incident affected about five percent of their customers; a month later, SonicWall said that the breach affected all customers who used the MySonicWall cloud backup. The investigation is now complete. Among the findings: the breach was the work of an unspecified state-sponsored threat actor, and "was isolated to the unauthorized access of cloud backup files from a specific cloud environment using an API call." SonicWall has also states that the breach is not related to a series of Akira ransomware attacks that are targeting edge devices.

In follow-up news to stories covered in previous edition of NewsBites: In their Half Year Results For The 26 Weeks Ended 27 September 2025, *Marks & Spencer (M&S)* says they expect that the cyberattack they experienced this past spring will cost the company £136 million (US$177.2 million); a portion of those losses will be offset by "insurance income proceeds of £100.0m" (US$130.3 million). The Swedish Authority for Privacy Protection (IMY) says it will investigate an August 2025 cyber incident that targeted IT systems supplier *Miljödata* and resulted in personal information of more than 1.5 million people being posted to the Darknet. IMY head of unit Jenny Bård said, "Central to us is to investigate any shortcomings that can provide lessons for the future, to reduce the risk of this type of incident happening again." A ransomware attack that disrupted *Nevada state government IT systems* this summer was found to have its roots in a May incident in which an employee inadvertently downloaded malware.

On Tuesday, November 4, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-11371 is a local file inclusion flaw affecting Gladinet CentreStack and Triofox. Successful exploitation of the flaw could lead to disclosure of system files. Researchers at Huntress have observed the vulnerability being exploited in the wild in attacks against vulnerable Gladinet CentreStack and Triofox products. Gladinet released an updated version of CentreStack to address the issue on October 14, 2025. CVE-2025-48703 is a critical OS command injection vulnerability affecting CWP (Control Web Panel or CentOS Web Panel) that "allows unauthenticated remote code execution via shell metacharacters in the t_total parameter in a filemanager changePerm request. A valid non-root username must be known." Researchers at Fenrisk published a technical write-up of the vulnerability in June 2025. The issue has been addressed in CWP version 0.9.8.1205. Both vulnerabilities have mitigation dues dates of November 25, 2025 for US Federal Civilian Executive Branch (FCEB) agencies.

Three vulnerabilities in WordPress plugins are being actively exploited. A critical unauthenticated sensitive information exposure to privilege escalation vulnerability (CVE-2025-11749) in AI Engine could be exploited by "unauthenticated attackers to extract the bearer token, which can be used to gain access to a valid session and perform many actions like creating a new administrator account, leading to privilege escalation." Users are advised to update to AI Engine versions 3.1.4 or newer. A critical authentication bypass vulnerability (CVE-2025-5397) in the Noo JobMonster theme for WordPress could be exploited to access administrative accounts. Users are advised to updated to version 4.8.2 or newer. And a critical missing authorization vulnerability (CVE-2025-11833) in the Post SMTP plugin for WordPress could be exploited to allow "unauthenticated attackers to read arbitrary logged emails sent through the Post SMTP plugin, including password reset emails containing password reset links, which can lead to account takeover." Users are urged to update to version 3.6.1 or newer.

Japanese financial media company Nikkei Inc., which owns major publications including the Nikkei and the Financial Times, has published an announcement disclosing a data breach that was discovered in September 2025. Authentication credentials for employee Slack accounts were stolen when "an employee's personal computer was infected with a virus," leading to an unauthorized login that may have leaked "information regarding employees and business partners" including "names, email addresses, and chat histories for 17,368 individuals registered on Slack." Upon discovering the incident, Nikkei implemented "countermeasures" including changing passwords, and moving forward the company plans to "further strengthen personal information management to prevent any recurrence." Nikkei notes that while they are not obligated under the Personal Information Protection Law to report "personal information used for reporting and writing purposes," they have voluntarily reported the incident to the Personal Information Protection Commission in the interest of transparency. "No leakage of information related to sources or reporting activities has been confirmed." The company has offered an online form for submitting inquiries.

This week, Apple released updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, Safari, and Xcode. In all, Apple addressed more than 100 vulnerabilities, including unexpected app termination or memory process corruption in ImageIO (CVE-2025-43338 & CVE-2025-43372) and FontParser (CVE-2025-43400), and a memory corruption issue in WebKit (CVE-2025-43431). Apple's updates include releases for 26.x lines and older versions of iOS, iPadOS, and macOS. Heise notes that the updates for iOS 18.7.2 and iPadOS 18.7.2 were released several days after the rest of the updates, and that those updates include fewer fixes than the updates for iOS 26.1 and iPadOS 26.1.

Researchers at Check Point Security detected multiple vulnerabilities affecting Microsoft Teams that "could allow attackers to impersonate executives, manipulate messages, and spoof notifications." Check Point found that vulnerabilities in the platform allowed users to edit messages "without triggering the standard “Edited” label," to spoof notifications, to change display names in private chats, and to forge a caller's identity during calls. Check Point disclosed the issues to Microsoft in March 2024; the flaws were addressed through "a series of fixes throughout 2024, with the final fix for video and audio calls taking place at the end of October 2025."

Hyundai AutoEver America (HAEA), a US automotive IT services affiliate of Hyundai Motor Group, has begun sending notification letters to individuals affected by a February/March 2025 data breach. Upon detecting a cyber incident on March 1, HAEA immediately terminated unauthorized access "to the affected portion of [their] environment," and worked with third-party cybersecurity experts and law enforcement to investigate and ensure containment, including adding security enhancements, blocking indicators of compromise (IoCs), and strengthening monitoring and logging. The notices state that "the nature and scope of the incident required [HAEA] to spend significant time and resources to analyze the available data and forensic information to complete our investigation," which revealed that unauthorized activity spanned from February 22 to March 2, compromising data including names, Social Security numbers, and driver's licenses. Affected individuals will be offered 24 months of identity protection and three-bureau credit monitoring services.