Security Check-in Quick Hits: Cisco Zero-Days Exploited, Fortra GoAnywhere Flaw, Chinese Espionage Campaigns, Shai-Hulud npm Attack, Volvo Ransomware Breach
For September 28, 2025
Cisco ASA Zero-Days Under Active Exploitation: A Wake-Up Call for Network Security
In a major development shaking the cybersecurity landscape, Cisco has disclosed two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software that are being actively exploited by sophisticated threat actors. CVE-2025-20333 allows authenticated remote code execution as root on affected devices, while CVE-2025-20362 enables unauthenticated access to restricted VPN web server endpoints. These flaws, part of a chain that could grant full control over vulnerable systems, have been linked to a state-sponsored campaign dubbed UAT4356 or Storm-1849, with evidence pointing to Chinese involvement.
The attacks, first investigated in May 2025 after reports from government agencies, targeted ASA 5500-X series devices with VPN web services enabled, allowing malware implantation, command execution, and data exfiltration. A third vulnerability, CVE-2025-20363, was discovered during the investigation but shows no signs of exploitation yet. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive (ED 25-03) requiring federal agencies to patch or mitigate by October 16, 2025, and added the flaws to its Known Exploited Vulnerabilities catalog.
Impacts are severe: compromised firewalls could lead to broader network infiltration, especially in critical sectors. Organizations using Cisco ASA or FTD should immediately apply patches—available for versions like 9.16.4.55 and 7.2.9.2—and disable unused VPN features. Indicators of compromise include unexpected HTTP requests and anomalous VPN logs. This incident underscores the risks of unpatched edge devices and the growing sophistication of nation-state actors targeting infrastructure.
Fortra GoAnywhere Zero-Day: Pre-Patch Exploitation Highlights Supply Chain Risks
Fortra’s GoAnywhere Managed File Transfer (MFT) software, a staple for secure data exchange in enterprises, has been hit by a critical zero-day vulnerability (CVE-2025-10035) that was exploited in the wild before patches were released on September 18, 2025. This deserialization flaw in the License Servlet, rated CVSS 10.0, allows unauthenticated remote command injection, potentially leading to full system compromise.
Evidence from cybersecurity firm watchTowr Labs shows exploitation dating back to September 10, 2025—eight days before the advisory—where attackers achieved remote code execution (RCE) and created backdoor admin accounts such as “admin-go.” The vulnerability is a chain: an access control bypass (known since 2023), unsafe deserialization, and knowledge of a private key. Rapid7 analysis confirms the attackers originated from IP 155.2.190.197, previously tied to brute-force attacks.
GoAnywhere’s history of zero-days—exploited by Cl0p ransomware in 2023—makes this particularly alarming for sectors like healthcare and finance. Organizations should upgrade to v7.8.4 or v7.6.3 immediately and ensure admin consoles aren’t internet-exposed. Monitor logs for stack traces indicating exploitation attempts. This event reinforces the need for rapid patching and zero-trust architectures in file transfer tools, as supply chain vulnerabilities continue to attract ransomware and espionage groups.
China-Linked Espionage: PlugX, Bookworm, and Salt Typhoon Target Global Telecoms
Chinese state-sponsored actors are ramping up cyber espionage, deploying malware like PlugX and Bookworm to infiltrate telecoms and manufacturing in Asia, while the Salt Typhoon group breaches critical infrastructure worldwide. PlugX, a modular RAT used by groups like Mustang Panda, has evolved with new variants overlapping the RainyDay and Turian backdoors, targeting Central and South Asian networks via DLL side-loading.
Bookworm, another RAT from Mustang Panda, enables command execution, file exfiltration, and persistence, with variants using UUID-encoded shellcode. These tools have hit ASEAN-affiliated entities amid geopolitical tensions. Salt Typhoon (linked to China’s MSS) has compromised U.S. telecoms, stealing data from nearly every American and targeting 80+ countries since 2021, focusing on counterintelligence and IP theft. Supported by firms like Sichuan Juxinhe, the group exploits routers for persistent access.
Impacts include surveillance of officials and disruption risks to telecom, government, and military networks. Defenses: segment networks, monitor for anomalous traffic, and apply patches promptly. International alerts from the FBI, CISA, and allies highlight the need for global cooperation against these persistent threats.
Shai-Hulud Worm: A Self-Replicating Menace in the npm Supply Chain
The npm ecosystem faces a wormable supply chain attack via “Shai-Hulud,” self-propagating malware that has compromised over 500 packages, including popular ones like @ctrl/tinycolor. Starting with phishing for developer credentials, it injects malicious post-install scripts that steal secrets (e.g., AWS, GitHub, and npm tokens) using tools like TruffleHog.
The worm creates public GitHub repos named “Shai-Hulud” to exfiltrate data, drops malicious workflows for further theft, and uses stolen npm tokens to republish infected versions of maintainers’ packages, spreading exponentially. AI-generated content aids evasion, building on prior attacks like S1ngularity/Nx. CISA warns of widespread impacts, urging credential rotation and trusted publishing.
This first large-scale npm worm threatens open-source integrity, potentially affecting millions of apps. Mitigation: scan for IoCs like bundle.js hashes, enforce MFA, limit token scopes, and monitor CI/CD. GitHub is enhancing security, but developers must adopt proactive measures to curb propagation.
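As an added illustration of the mitigation above (example code, not from the original post or any vendor), the Python below scans an installed node_modules tree for the two signals the worm leaves behind: an install-time lifecycle hook in package.json and a shipped file whose SHA-256 is on an IoC list. The package names, payload bytes, and hash list are constructed placeholders; a real scan substitutes the published bundle.js hashes.

```python
import hashlib
import json
import os
import tempfile

# Install-time lifecycle hooks: the worm runs its payload from one of these.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Constructed stand-in for the payload; a real scan uses the published bundle.js hashes.
SAMPLE_BUNDLE = b"// constructed placeholder for the worm's bundle.js, not real malware\n"
IOC_SHA256 = {hashlib.sha256(SAMPLE_BUNDLE).hexdigest()}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_node_modules(root, ioc_hashes=IOC_SHA256):
    """Return (package, reason) findings: install hooks and IoC hash matches."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
                meta = json.load(f)
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the scan
        name = meta.get("name", os.path.relpath(dirpath, root))
        scripts = meta.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:  # every install hook deserves review, not only known IoCs
                findings.append((name, f"{hook} hook: {scripts[hook]}"))
        findings += [(name, f"IoC hash match: {fn}") for fn in filenames
                     if fn.endswith(".js") and sha256_file(os.path.join(dirpath, fn)) in ioc_hashes]
    return findings

def build_sample_tree():
    """Constructed node_modules: a clean package and one carrying a postinstall hook + payload."""
    root = tempfile.mkdtemp()
    for name, scripts, payload in (
        ("left-pad", {"test": "node test.js"}, None),
        ("@ctrl/tinycolor", {"postinstall": "node bundle.js"}, SAMPLE_BUNDLE),
    ):
        pkg = os.path.join(root, *name.split("/"))
        os.makedirs(pkg)
        with open(os.path.join(pkg, "package.json"), "w", encoding="utf-8") as f:
            json.dump({"name": name, "version": "0.0.0", "scripts": scripts}, f)
        if payload:
            with open(os.path.join(pkg, "bundle.js"), "wb") as f:
                f.write(payload)
    return root
```

Point `scan_node_modules` at a project's real node_modules directory to triage it; hook findings are review items, hash matches are confirmed indicators.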
Volvo Data Breach: Ransomware Hits Supplier, Exposes Employee PII
Volvo Group North America has notified employees of a data breach stemming from a ransomware attack on HR supplier Miljödata, exposing names and Social Security numbers. The incident occurred on August 20, 2025, and was detected three days later; Volvo’s personnel data was confirmed compromised by September 2.
DataCarry ransomware claimed responsibility, leaking information from 870,000 accounts, including emails, addresses, phone numbers, IDs, DOBs, and gender—impacting 25+ companies and 200 Swedish municipalities. Volvo’s systems remained untouched; the breach was isolated to Miljödata’s environment. Victims receive 24 months of free credit monitoring.
This highlights third-party risks in supply chains, with potential for identity theft. Recommendations: monitor credit, enable fraud alerts, and vet vendors rigorously. Miljödata has enhanced its security, but the event stresses the need for robust incident response in HR tech.