CVE-2025-53770 and CVE-2025-53771 affecting Microsoft SharePoint

CVE-2025-53770 & CVE-2025-53771 are variants of the existing vulnerabilities CVE-2025-49704 & CVE-2025-49706.

This exploitation activity, publicly reported as “ToolShell”, gives unauthenticated attackers full access to SharePoint content, including file systems and internal configurations, and could allow code execution and persistent access through exfiltration of IIS machine keys.

What’s happening

Systems affected

On-premises SharePoint Servers.

What this means

On-premises SharePoint Servers exposed to the internet could be vulnerable to exploitation by a remote, unauthenticated attacker.

What to look for

How to tell if you’re at risk

On-premises SharePoint servers exposed to the internet are at risk of being exploited.

How to tell if you’re affected

Refer to the Microsoft Security Advisory.

What to do

Prevention

Refer to the Microsoft Security Advisory.

Mitigation

Refer to the Microsoft Security Advisory.

QANTAS

Whilst all eyes are on QANTAS at the moment, small and medium-sized businesses are targeted MORE frequently than large corporations because attackers know that they are less likely to have had proper cybersecurity assessments, given the generally high cost.

If you are a small to medium-sized business and just want big-town-level advice that suits your budget (and talks to you in your language), let’s have a chat.

CVE-2025-6543 affecting Citrix Netscaler products

CVE-2025-6543 (CVSS 9.2): A memory overflow defect that attackers could exploit for unintended control flow and denial of service. This vulnerability affects NetScaler products configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server.

There is open-source reporting of active exploitation of this vulnerability.

What’s happening

Systems affected

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by this vulnerability:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-47.46
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-59.19
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.236-FIPS and NDcPP
  • NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 (end-of-life)

Key Point: These fixed builds differ from those listed in the earlier advisory on CVE-2025-5777 and CVE-2025-5349; a device patched for those CVEs is not necessarily patched for this one.

What this means

Organisations who utilise affected NetScaler ADC and NetScaler Gateway versions could be vulnerable to the listed vulnerability.

What to look for

How to tell if you’re at risk

You are at risk if you are running a NetScaler ADC or NetScaler Gateway instance on one of the listed versions.

What to do

Prevention

Update to the latest version of NetScaler ADC and NetScaler Gateway.

More information

Vendor Advisory

Citrix Support

CVE-2025-5349 and CVE-2025-5777 affecting Citrix Netscaler products

CVE-2025-5777 (CVSS 9.3): An insufficient input validation leading to memory overread vulnerability. This vulnerability affects NetScaler products configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. 

CVE-2025-5349 (CVSS 8.7): An improper access control vulnerability in the NetScaler Management Interface.

What’s happening

Systems affected

The following supported versions of NetScaler ADC and NetScaler Gateway are affected by the vulnerabilities:

  • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-43.56
  • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP BEFORE 13.1-37.235-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS BEFORE 12.1-55.328-FIPS

Note: NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are end-of-life (EOL) but are also vulnerable.
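As an added example (not code from Citrix or from this page), the following check encodes the fixed builds from both NetScaler advisories above so that an advisory-style build string, or a line from the appliance's `show version` output, can be tested against each CVE. The `show version` line layout and the treatment of NDcPP builds as the FIPS branch are assumptions.

```python
import re

# Fixed builds taken from the two Citrix advisories summarised on this page.
# Keys are (branch, variant); values are the first fixed build as (major, minor).
FIXED_BUILDS = {
    "CVE-2025-6543": {
        ("14.1", ""): (47, 46),
        ("13.1", ""): (59, 19),
        ("13.1", "FIPS"): (37, 236),
    },
    "CVE-2025-5777": {  # the same fixed builds cover CVE-2025-5349
        ("14.1", ""): (43, 56),
        ("13.1", ""): (58, 32),
        ("13.1", "FIPS"): (37, 235),
        ("12.1", "FIPS"): (55, 328),
    },
}
EOL_BRANCHES = {"12.1", "13.0"}  # end-of-life: no fixed build, treat as vulnerable

_ADVISORY_STYLE = re.compile(r"^(\d+\.\d+)-(\d+)\.(\d+)(?:-(FIPS|NDcPP))?$")
# Assumed 'show version' layout, e.g. 'NetScaler NS14.1: Build 47.46.nc, Date: ...'
_SHOW_VERSION = re.compile(r"NS(\d+\.\d+): Build (\d+)\.(\d+)")

def parse_build(text, fips=False):
    """Return ((branch, variant), (major, minor)) for advisory notation such as
    '13.1-37.236-FIPS' or a 'show version' line. FIPS/NDcPP builds have their
    own fixed build, so the variant is part of the lookup key."""
    text = text.strip()
    m = _ADVISORY_STYLE.match(text) or _SHOW_VERSION.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {text!r}")
    branch, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    variant = "FIPS" if (fips or (m.re is _ADVISORY_STYLE and m.group(4))) else ""
    return (branch, variant), (major, minor)

def is_vulnerable(text, cve, fips=False):
    """True if the build predates the fix for `cve` or sits on an EOL branch,
    False if it is at or after the fixed build, None if the branch is unlisted."""
    key, build = parse_build(text, fips)
    fixed = FIXED_BUILDS[cve].get(key)
    if fixed is not None:
        return build < fixed  # tuple compare: (47, 45) < (47, 46); (59, 3) > (58, 32)
    return True if key[0] in EOL_BRANCHES else None

if __name__ == "__main__":
    # Constructed sample: a 14.1 box patched for CVE-2025-5777/5349 but not CVE-2025-6543.
    line = "NetScaler NS14.1: Build 45.12.nc, Date: Jun 30 2025"
    for cve in FIXED_BUILDS:
        print(cve, "vulnerable" if is_vulnerable(line, cve) else "fixed")
```

The sample line illustrates the key point of the later advisory: a build that is at or after the fix for CVE-2025-5777 can still be before the fix for CVE-2025-6543.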

What this means

Organisations who utilise affected NetScaler ADC and NetScaler Gateway versions could be vulnerable to the listed vulnerability.

What to look for

How to tell if you’re at risk

You are at risk if you are running a NetScaler ADC or NetScaler Gateway instance on one of the listed versions.

What to do

Prevention

Update to the latest version of NetScaler ADC and NetScaler Gateway.

More information

Vendor Advisory

Citrix Support

Mitel MiCollab Vulnerability

New vulnerability (patch bypass) affecting Mitel MiCollab

A new vulnerability (CVE identifier unknown) bypasses the patch issued for CVE-2024-41713.

What’s happening

Systems affected

Mitel MiCollab 9.8 SP2 (9.8.2.12) and earlier.

What this means

Organisations who utilise affected Mitel MiCollab versions could be vulnerable to the listed vulnerability.

What to look for

How to tell if you’re at risk

You are at risk if you are running a Mitel MiCollab instance on one of the listed versions.

What to do

Prevention

Update to the latest version of Mitel MiCollab.

More information

Vendor Advisory

Mitel Product Security Advisory MISA-2025-0007

Malicious activity due to previously exploited vulnerabilities in Fortinet FortiOS products

This is new information about previous exploitation of vulnerabilities in Fortinet FortiOS products (CVE-2022-42475, CVE-2023-27997 and CVE-2024-21762).

Widespread exploitation has been identified dating back to as early as 2023, where a threat actor has been able to compromise vulnerable devices and maintain persistence even after patches were applied.

The compromise may have allowed the actor to access sensitive files from compromised devices including credentials and key material.

What’s happening

Systems affected

FortiOS products that had SSL-VPN functionality exposed during the period of compromise (exploitation dates back to as early as 2023).

What this means

A threat actor has been able to compromise vulnerable devices and maintain persistence. The compromise may have allowed the actor to access sensitive files from compromised devices, including credentials and key material.

What to look for

How to tell if you’re at risk

You are at risk if you are using FortiOS products that had SSL-VPN functionality exposed during the period of compromise (exploitation dates back to as early as 2023).

What to do

Prevention

Upgrade all devices to FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17 or 6.4.16.

Review the configuration of all devices.

Treat all configuration as potentially compromised and follow the recommended steps below to recover: Technical Tip: Recommended steps to execute in cas… – Fortinet Community

In addition to this, please refer to the vendor advisory for further information about the exploitation: Analysis of Threat Actor Activity | Fortinet Blog.

More information

CVE

CVE-2022-42475

CVE-2023-27997

CVE-2024-21762

GRU Unit 29155: A Deep Dive into Russian Military Cyber Warfare

https://lnkd.in/dwTuftb9

In the ever-evolving landscape of cyber warfare, the recent Cybersecurity Advisory jointly released by the FBI, CISA, and NSA has shed light on the alarming activities of GRU Unit 29155, a Russian military cyber unit operating under the GRU’s 161st Specialist Training Center. This unit has been actively engaged in a series of cyber operations targeting critical infrastructure worldwide, causing significant disruptions and raising concerns about the vulnerability of vital systems.

Key Findings
The advisory reveals that GRU Unit 29155 has been actively targeting critical infrastructure in the U.S. and globally since at least 2020. Their primary objectives include espionage, sabotage, and reputational harm. The unit’s tactics are diverse, ranging from deploying destructive malware like WhisperGate to conducting website defacements, infrastructure scanning, data exfiltration, and data leak operations.

The advisory also highlights the unit’s technical capabilities and tactics. They employ a range of publicly available tools and techniques for reconnaissance, initial access, lateral movement, command and control, and exfiltration. This includes the use of tools like Acunetix, Nmap, Amass, and Shodan for scanning and vulnerability exploitation, as well as the exploitation of known vulnerabilities in internet-facing systems.

Impact and Targets
The impact of Unit 29155’s activities is far-reaching. They have targeted critical infrastructure and key resource sectors, including government services, financial services, transportation systems, energy, and healthcare, across NATO members, the EU, Central America, and Asian countries. The unit’s actions have resulted in website defacements, data breaches, and the disruption of critical services, causing significant financial and reputational damage.

Conclusion
The activities of GRU Unit 29155 serve as a stark reminder of the evolving threat landscape in cyberspace, posing a significant risk to national security and economic stability. It is imperative for organizations and governments to remain vigilant and proactive in their cybersecurity efforts to mitigate these threats.

Remember: Cybersecurity is an ongoing process, not a one-time event. It requires constant vigilance and adaptation to stay ahead of the evolving threat landscape.

Disclaimer: The information provided in this article is based on the Cybersecurity Advisory released by the FBI, CISA, and NSA. Feisty Fox Security does not endorse any specific commercial entity, product, or service mentioned in the advisory.

Staying Ahead in the Cyber Espionage Game

The recent revelations about state-sponsored cyber espionage, particularly the activities of groups like GRU Unit 29155, serve as a stark reminder that the threat landscape is constantly evolving. It’s not just about Australia; businesses and individuals worldwide are potential targets.

Key Takeaways & Actionable Advice:
Espionage & Foreign Interference are Real Threats: These threats have surpassed terrorism in their potential impact. They can bankrupt businesses, disrupt critical infrastructure, and undermine our democratic institutions.

Social Engineering is a Primary Tactic: Cyber spies often use professional networking sites and social media to build relationships and recruit unsuspecting individuals. Be wary of unsolicited approaches, especially those offering lucrative opportunities or requesting sensitive information.

Security Awareness is Everyone’s Responsibility: Don’t make yourself an easy target. Be mindful of what you share online, especially on professional networking sites. Report any suspicious activity to your security team or relevant authorities.

Sabotage is a Growing Concern: Critical infrastructure is increasingly vulnerable to cyberattacks aimed at sabotage. Organisations must prioritise securing their networks and systems to prevent disruptions.

Building a Strong Security Culture is Essential: Security should be embedded in every aspect of your organisation, from the ground up. It’s an ongoing process that requires constant vigilance, education, and adaptation.

Partnerships are Key: Collaboration between government agencies, businesses, and individuals is crucial in combating these threats. We all have a role to play in keeping our digital world safe.

Remember: The threat is real, but it’s not insurmountable. By staying informed, being vigilant, and taking proactive steps to enhance your security posture, you can protect yourself and your organisation from cyber espionage and other malicious activities.

#cybersecurity #cyberespionage #cyberawareness #securityculture #protectyourdata