Cyber Threat Intelligence — 19 Sept. 2025

A concise, fact-checked roundup of material changes in the threat landscape affecting enterprise defenders over the past 24–48 hours.

CISA: Malware deployed after Ivanti EPMM zero-day exploits (CVE-2025-4427, CVE-2025-4428)

Incident date (ET): Primarily May 2025
Disclosure (ET): Sept. 18–19, 2025
Why it matters: Post-exploitation tradecraft and IOCs for Ivanti EPMM give blue teams concrete detection and hardening steps.
Summary: CISA’s Malware Analysis Report details two malware sets observed after exploitation of Ivanti EPMM CVE-2025-4427/-4428, with detection artefacts and guidance.
Source: www.cisa.gov/news-even…

WatchGuard: Critical Firebox/Fireware OS RCE patched (CVE-2025-9242)

Incident date (ET): Not stated
Disclosure (ET): Sept. 17 (vendor) / Sept. 18–19, 2025 (coverage)
Why it matters: Unauthenticated RCE on edge appliances warrants accelerated patch cycles and compensating controls.
Summary: Out-of-bounds write in the IKEv2 daemon (iked) enables RCE; fixes released; CVSS 9.3.
Sources:
www.scworld.com/news/watc…
www.bleepingcomputer.com/news/secu…
www.watchguard.com/wgrd-psir…

Gamaredon & Turla collaboration targeting Ukraine (ESET)

Incident date (ET): Ongoing (activity traced to at least Feb. 2025)
Disclosure (ET): Sept. 19, 2025
Why it matters: Coordinated Russian APT operations raise the bar for detection and attribution across NATO-aligned networks.
Summary: Evidence of infrastructure interplay and Kazuar backdoor deployment indicates operational coordination between Gamaredon and Turla.
Sources:
thehackernews.com/2025/09/r…
www.globenewswire.com/news-rele…

Novakon HMIs: Multiple unpatched vulnerabilities

Incident date (ET): Not stated
Disclosure (ET): Sept. 19, 2025
Why it matters: Unpatched ICS HMI flaws increase operational risk where compensating controls are weak.
Summary: RCE and information-exposure issues remain unpatched; users should apply network isolation, access control, and monitoring.
Source: www.securityweek.com/unpatched…

Google Chrome: Exploited zero-day patched (CVE-2025-10585)

Incident date (ET): Exploitation prior to patch
Disclosure (ET): Sept. 18, 2025
Why it matters: Widely deployed browser; rapid enterprise roll-out is required to reduce exposure.
Summary: Type-confusion flaw in V8 confirmed exploited in the wild; addressed in an out-of-band update.
Source: thehackernews.com/2025/09/g…
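The four vulnerability items above (Ivanti EPMM, WatchGuard Firebox, Novakon HMIs, Google Chrome) each call for a different remediation speed: confirmed exploitation, a critical score on an edge appliance, no fix at all, or a routine client update. The script below is an added example written for this roundup, not code from CISA, any vendor, or the author; it turns those items into prioritised tickets with due dates. The SLA days, the "unscored means critical until scored" rule, and the internet_facing / patch_available values for Ivanti EPMM are assumptions; CVE identifiers, the WatchGuard CVSS of 9.3, the exploitation flags and the disclosure dates come from the roundup.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Advisory:
    product: str
    cve: str                  # identifier as given on the page, or "n/a" when none is stated
    disclosed: date           # disclosure date from the roundup
    cvss: Optional[float]     # None when no score is stated
    exploited: bool           # confirmed in-the-wild exploitation
    internet_facing: bool     # edge appliance or otherwise externally reachable (deployment assumption)
    patch_available: bool     # False -> compensating controls rather than a patch


@dataclass(frozen=True)
class Ticket:
    product: str
    cve: str
    tier: str
    due: date
    overdue: bool
    action: str


# Hypothetical remediation SLA in days per tier (an assumption, not a policy from the page).
SLA_DAYS = {"P1": 3, "P2": 7, "P3": 30}


def effective_score(a: Advisory) -> float:
    """Treat an unscored issue as critical until a score exists, so a missing
    CVSS can only raise urgency, never lower it."""
    return a.cvss if a.cvss is not None else 9.0


def priority(a: Advisory) -> str:
    if a.exploited:
        return "P1"                      # known exploitation beats any score
    score = effective_score(a)
    if a.internet_facing and score >= 9.0:
        return "P1"                      # critical on an externally reachable asset
    if score >= 7.0:
        return "P2"
    return "P3"


def action(a: Advisory, tier: str) -> str:
    days = SLA_DAYS[tier]
    if a.patch_available:
        return f"patch within {days}d"
    # Mirrors the roundup's advice for the unpatched ICS HMIs.
    return f"no fix: isolate network, restrict access, monitor; re-check vendor in {days}d"


def triage(advisories: List[Advisory], today_iso: str) -> List[Ticket]:
    """Assign a tier, due date and action to each advisory; most urgent first."""
    today = date.fromisoformat(today_iso)
    tickets = []
    for a in advisories:
        tier = priority(a)
        due = a.disclosed + timedelta(days=SLA_DAYS[tier])
        tickets.append(Ticket(a.product, a.cve, tier, due, today > due, action(a, tier)))
    # Tier first, then earliest due date, product name as a stable tiebreak.
    tickets.sort(key=lambda t: (t.tier, t.due, t.product))
    return tickets


# The four vulnerability items from this roundup. internet_facing and patch_available
# for Ivanti EPMM are deployment assumptions, not statements from the page.
ROUNDUP = [
    Advisory("Ivanti EPMM", "CVE-2025-4427/-4428", date(2025, 9, 18), None, True, True, True),
    Advisory("WatchGuard Firebox", "CVE-2025-9242", date(2025, 9, 17), 9.3, False, True, True),
    Advisory("Novakon HMI", "n/a", date(2025, 9, 19), None, False, False, False),
    Advisory("Google Chrome", "CVE-2025-10585", date(2025, 9, 18), None, True, False, True),
]

if __name__ == "__main__":
    for t in triage(ROUNDUP, "2025-09-19"):
        flag = " OVERDUE" if t.overdue else ""
        print(f"{t.tier} {t.product:<20} {t.cve:<22} due {t.due}{flag}: {t.action}")
```

Run as of 19 Sept. 2025, all three exploited-or-critical items land in P1 with due dates within the week, and the Novakon item, which has no fix, gets a compensating-controls action rather than a patch instruction. Substitute your own tiers and deadlines; the point is that exploitation status and missing scores are handled explicitly instead of defaulting to "medium".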

SilentSync RAT via malicious PyPI packages

Incident date (ET): Not stated
Disclosure (ET): Sept. 18, 2025
Why it matters: Software-supply-chain abuse in popular registries continues to deliver initial access at scale.
Summary: Two PyPI packages (“sisaws”, “secmeasure”) dropped SilentSync RAT, enabling command execution, data theft, and screen capture on Windows.
Sources:
thehackernews.com/2025/09/s…
www.zscaler.com/blogs/sec…
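A first defensive check for a registry incident like this is to confirm no dependency manifest in the estate pulls the named packages. The script below is an added example for this item, not code from Zscaler or the roundup's author: it scans requirements.txt / pip freeze lines for the two package names the write-up names, normalising names the way PyPI does (PEP 503: case-fold, collapse runs of "-", "_" and "." to "-") so that "SecMeasure" matches but "sisaws-utils" does not. The sample requirements file is constructed; the blocklist holds only the two names from the item, and a real deployment would feed it from a maintained malicious-package feed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Package names reported as dropping SilentSync RAT (from the Zscaler write-up the
# roundup cites). A production blocklist would come from a maintained feed.
KNOWN_MALICIOUS = {"sisaws", "secmeasure"}

# Project-name prefix of a requirement line (PEP 508 name grammar): alphanumerics,
# optionally separated by single '.', '-' or '_' characters.
_NAME_RE = re.compile(r"^\s*([A-Za-z0-9](?:[A-Za-z0-9._-]*[A-Za-z0-9])?)")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(line: str) -> Optional[str]:
    """Project name from a requirements.txt / pip freeze line, or None for blank
    lines, comments and option lines (-r, -e, --index-url, ...)."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):
        return None
    m = _NAME_RE.match(stripped)
    return m.group(1) if m else None


def find_blocklisted(lines: Iterable[str], blocklist=KNOWN_MALICIOUS) -> List[Tuple[int, str]]:
    """(line_number, raw_line) for every requirement whose normalised name is blocklisted.
    Matching is on the whole normalised name, so 'sisaws-utils' is not a hit for 'sisaws'."""
    norm_block = {normalize(n) for n in blocklist}
    hits = []
    for lineno, line in enumerate(lines, start=1):
        name = requirement_name(line)
        if name and normalize(name) in norm_block:
            hits.append((lineno, line.rstrip()))
    return hits


# Constructed sample requirements file (not taken from the page).
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
# sisaws is mentioned in this comment only
SecMeasure>=1.0
sisaws[full]==0.1.2 ; python_version >= "3.8"
sisaws-utils==1.0
-r base.txt
""".splitlines()

if __name__ == "__main__":
    for lineno, raw in find_blocklisted(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: blocklisted package -> {raw}")
```

Point it at every requirements, constraints and lock file you can enumerate; for environments already built, run the same check over `pip freeze` output. Whole-name matching keeps false positives down, but a typosquat with a slightly different name would need a separate fuzzy check.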

SonicWall: Password resets after firewall backup preferences exposed

Incident date (ET): Not stated
Disclosure (ET): Sept. 18, 2025
Why it matters: Configuration artefact exposure can enable downstream compromise if credentials or tokens are reused.
Summary: Breach exposed firewall configuration backup files in MySonicWall; resets urged. Trade press cites impact under five per cent of customers.
Sources:
www.securityweek.com/sonicwall…
thehackernews.com/2025/09/s…

U.K. charges two teenagers over 2024 Transport for London cyberattack

Incident date (ET): Aug. 2024
Disclosure (ET): Sept. 18–19, 2025
Why it matters: Legal follow-through provides precedent and deterrence; attribution in media differs from official filings.
Summary: Charges announced in relation to the 2024 TfL incident; reports note ~£39M financial impact and that core transport operations were not affected. Media mention links to “Scattered Spider”; official charging materials do not name a group.
Source: www.theguardian.com/uk-news/2…

Edward Kiledjian @ekiledjian