A curated summary of publicly disclosed, enterprise-relevant incidents from the past 48 hours.
Incident: Fortra GoAnywhere CVSS 10 vulnerability exploited as a zero-day prior to disclosure
Date of Incident (ET): Sept. 10, 2025 Date of Disclosure/Publication (ET): Sept. 26, 2025
Summary: watchTowr reported credible evidence that CVE-2025-10035 in Fortra GoAnywhere MFT was exploited in the wild from at least Sept. 10, roughly a week before Fortra's Sept. 18 advisory. The flaw is a deserialization of untrusted data in the License Servlet that yields unauthenticated command execution on the MFT host.
Source: https://www.securityweek.com/recent-fortra-goanywhere-mft-vulnerability-exploited-as-zero-day/
Incident: Cisco firewall zero-days exploited in China-linked ArcaneDoor attacks
Date of Incident (ET): Not available Date of Disclosure/Publication (ET): Sept. 26, 2025
Summary: Cisco confirmed in-the-wild exploitation of CVE-2025-20333 (a buffer overflow in the ASA/FTD VPN web server) chained with CVE-2025-20362 (missing authorization on restricted VPN web-server endpoints), which together give an unauthenticated attacker remote code execution. On ASA 5500-X models that lack Secure Boot and Trust Anchor, the attackers also modified ROMMON to persist across reboots and software upgrades, tradecraft Cisco attributes to the ArcaneDoor actor.
Source: https://www.securityweek.com/cisco-firewall-zero-days-exploited-in-china-linked-arcanedoor-attacks/
Incident: RayInitiator bootkit and LINE VIPER loader deployed on legacy Cisco ASA devices
Date of Incident (ET): Not available Date of Disclosure/Publication (ET): Sept. 26, 2025
Summary: The UK NCSC's malware analysis describes RayInitiator, a GRUB bootkit written to ASA 5500-X models without Secure Boot that survives reboots and firmware upgrades, and LINE VIPER, the user-mode shellcode loader it stages; together they give the operators stealthy persistence and control for follow-on operations.
Incident: CISA orders urgent mitigation for Cisco ASA/FTD zero-days across federal networks
Date of Incident (ET): Not available Date of Disclosure/Publication (ET): Sept. 25, 2025
Summary: CISA Emergency Directive 25-03 requires agencies to inventory all ASA and FTD devices, collect memory (core dumps) from public-facing ASA hardware and submit them to CISA for analysis, patch supported devices by 11:59 p.m. ET Sept. 26, and permanently disconnect end-of-support ASA models by Sept. 30, citing active exploitation of CVE-2025-20333 and CVE-2025-20362.
Incident: Cisco IOS/IOS XE SNMP zero-day actively exploited (CVE-2025-20352)
Date of Incident (ET): Not available Date of Disclosure/Publication (ET): Sept. 25, 2025
Summary: Cisco warned that CVE-2025-20352, a stack overflow in the SNMP subsystem of IOS and IOS XE, is under active exploitation. A crafted SNMP packet from an attacker holding a read-only v2c community string or valid SNMPv3 credentials crashes the device (denial of service); an attacker who also holds administrative credentials can execute code as root. Cisco observed the exploitation after local administrator credentials had been compromised.
Source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte
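The first question after this advisory is how exposed the SNMP agent on each device already is: which community strings exist, whether any are read-write or well-known, whether an ACL restricts who can reach the agent, and whether SNMPv3 groups actually require authentication and privacy. The linter below is an added example, not Cisco's code; the running-config it parses is constructed for the example, and the severity labels are the editor's own rather than anything from the advisory. It understands the standard `snmp-server community` and `snmp-server group` command forms.

```python
"""Lint the SNMP stanzas of a Cisco IOS / IOS XE running-config.

Added example, not from the Cisco advisory. The SAMPLE_CONFIG is
constructed; the command syntax is the standard 'snmp-server' form.
"""
import re

# Community strings that appear in every scanner's default wordlist.
WELL_KNOWN = {"public", "private", "cisco", "admin", "secret"}

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)"   # community string
    r"(?:\s+view\s+\S+)?"             # optional MIB view
    r"(?:\s+(RO|RW))?"                # access mode; RO when omitted
    r"(?:\s+ipv6\s+\S+)?"             # optional IPv6 ACL
    r"(?:\s+(\S+))?\s*$",             # optional IPv4 ACL number/name
    re.IGNORECASE,
)
GROUP_RE = re.compile(
    r"^snmp-server group (\S+) (v1|v2c|v3)(?:\s+(noauth|auth|priv))?",
    re.IGNORECASE,
)


def audit_snmp_config(config: str) -> list[dict]:
    """Return one finding per weakness: {'line', 'severity', 'issue'}."""
    findings: list[dict] = []

    def add(lineno: int, severity: str, issue: str) -> None:
        findings.append({"line": lineno, "severity": severity, "issue": issue})

    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            community = m.group(1)
            mode = (m.group(2) or "RO").upper()
            acl = m.group(3)
            # Any v1/v2c community is a plaintext, replayable credential; a
            # read-only one is all the DoS side of CVE-2025-20352 needs.
            add(lineno, "medium", f"v1/v2c community '{community}' ({mode}) is a plaintext credential")
            if community.lower() in WELL_KNOWN:
                add(lineno, "high", f"well-known community string '{community}'")
            if mode == "RW":
                add(lineno, "high", f"read-write community '{community}' permits configuration changes")
            if acl is None:
                add(lineno, "medium", f"community '{community}' has no ACL; any reachable host may query it")
            continue
        m = GROUP_RE.match(line)
        if m:
            group, version = m.group(1), m.group(2).lower()
            level = (m.group(3) or "").lower()
            if version != "v3":
                add(lineno, "medium", f"group '{group}' uses {version}: no authentication or privacy")
            elif level != "priv":
                add(lineno, "medium", f"v3 group '{group}' is '{level or 'noauth'}'; use priv (auth + encryption)")
    return findings


def worst(findings: list[dict]) -> str:
    """Highest severity present, or 'none' for a clean config."""
    order = {"high": 2, "medium": 1, "low": 0}
    return max((f["severity"] for f in findings), key=order.get, default="none")


# Constructed running-config excerpt for the example (not a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-1
snmp-server community public RO
snmp-server community netops RW 99
snmp-server group NMS v3 priv
snmp-server group LEGACY v3 noauth
"""

if __name__ == "__main__":
    for f in audit_snmp_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: [{f['severity']}] {f['issue']}")
    print("worst:", worst(audit_snmp_config(SAMPLE_CONFIG)))
```

Feed it `show running-config | include snmp-server` output from each device; anything rated high (a well-known or read-write community) should be rotated or removed before worrying about patch windows, since the community string is the only credential SNMPv2c has.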
Incident: New macOS XCSSET variant targets developers with Firefox data theft, clipper and persistence
Date of Incident (ET): Not available Date of Disclosure/Publication (ET): Sept. 25, 2025
Summary: Microsoft reported an evolved XCSSET variant that still spreads through infected Xcode projects and adds Firefox data theft, a clipboard hijacker that swaps cryptocurrency wallet addresses, and LaunchDaemon-based persistence.
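LaunchDaemon persistence leaves a plist in `/Library/LaunchDaemons`, so the practical check is to triage every plist there for the shape of a dropped loader rather than for any one malware's strings. The triage below is an added example, not Microsoft's detection logic: the two plists are constructed in memory with `plistlib`, and the heuristics (an interpreter as the program, command-line paths under user-writable or hidden directories, an `com.apple.`-style label running a non-Apple binary, auto-start flags) are general persistence tells, not XCSSET indicators.

```python
"""Triage LaunchDaemon plists for the shape of dropped persistence.

Added example, not Microsoft's XCSSET detection. SUSPICIOUS and BENIGN are
constructed plists; the heuristics are general, not malware-specific.
"""
import os
import plistlib

APPLE_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
USER_WRITABLE = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/",
                 "/Users/", "/var/root/", "/private/var/root/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "python3", "perl", "curl"}


def program_of(plist: dict) -> list[str]:
    """argv the daemon runs: Program wins, else ProgramArguments."""
    if plist.get("Program"):
        return [plist["Program"]]
    return list(plist.get("ProgramArguments") or [])


def triage_launch_daemon(data: bytes) -> list[str]:
    """Return the reasons a plist looks like dropped persistence ([] if clean)."""
    plist = plistlib.loads(data)
    label = plist.get("Label", "")
    argv = program_of(plist)
    if not argv:
        return ["no Program or ProgramArguments"]
    exe = argv[0]
    reasons: list[str] = []
    if os.path.basename(exe) in INTERPRETERS:
        reasons.append(f"interpreter launched directly: {exe}")
    for arg in argv:
        if arg.startswith(USER_WRITABLE):
            reasons.append(f"user-writable path in command line: {arg}")
        if "/." in arg:
            reasons.append(f"hidden path component: {arg}")
    paths = [a for a in argv if a.startswith("/")]
    if label.startswith("com.apple.") and not all(a.startswith(APPLE_PREFIXES) for a in paths):
        reasons.append(f"Apple-style label '{label}' runs a non-Apple path")
    if reasons and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        reasons.append("auto-starts (RunAtLoad/KeepAlive)")
    return reasons


def scan_launch_daemons(directory: str = "/Library/LaunchDaemons") -> dict[str, list[str]]:
    """Run the triage over every .plist in a directory; only hits are returned."""
    results: dict[str, list[str]] = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        with open(os.path.join(directory, name), "rb") as fh:
            try:
                reasons = triage_launch_daemon(fh.read())
            except plistlib.InvalidFileException:
                reasons = ["unparseable plist"]
        if reasons:
            results[name] = reasons
    return results


# Constructed plists for the example; neither is a real sample.
SUSPICIOUS = plistlib.dumps({
    "Label": "com.apple.update.helper",
    "ProgramArguments": ["/bin/sh", "-c", "/Users/dev/.cache/.updater"],
    "RunAtLoad": True,
})
BENIGN = plistlib.dumps({
    "Label": "com.example.backup-agent",
    "ProgramArguments": ["/usr/local/bin/backup-agent", "--daemon"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage_launch_daemon(blob) or "clean")
```

On a real host, `scan_launch_daemons()` needs read access to `/Library/LaunchDaemons` (and `~/Library/LaunchAgents` for the per-user variant); treat the output as a triage list to pair with code-signing checks on the referenced binary, not as a verdict.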
Incident: Unofficial ‘postmark-mcp’ npm package exfiltrated user email via malicious code
Date of Incident (ET): Not available Date of Disclosure/Publication (ET): Sept. 25, 2025
Summary: A rogue npm package impersonating the official Postmark MCP server carried a one-line addition that BCC'd every email sent through it to an attacker-controlled address; it was removed from the registry after discovery.
Incident: Malicious Rust crates stole Solana and Ethereum wallet keys
Date of Incident (ET): Not available Date of Disclosure/Publication (ET): Sept. 25, 2025
Summary: Two crates published to crates.io contained code that scanned source files for Solana and Ethereum wallet private keys and seed phrases and sent them to an attacker-controlled server; the crates recorded 8,424 downloads before takedown.
Source: https://thehackernews.com/2025/09/malicious-rust-crates-steal-solana-and.html
Incident: Salesforce patches critical ForcedLeak flaw enabling AI agent data exfiltration
Date of Incident (ET): Not available Date of Disclosure/Publication (ET): Sept. 25, 2025
Summary: Noma Labs detailed “ForcedLeak” (CVSS 9.4) in Salesforce Agentforce: an indirect prompt injection planted through a Web-to-Lead form, combined with an expired domain that remained on the Content Security Policy allowlist, let an attacker exfiltrate CRM data. Salesforce has released mitigations, including enforcing Trusted URL allowlists for Agentforce.
Source: https://thehackernews.com/2025/09/salesforce-patches-critical-forcedleak.html
Incident: North Korean AkdoorTea backdoor targets crypto developers via fake interviews
Date of Incident (ET): Not available Date of Disclosure/Publication (ET): Sept. 25, 2025
Summary: ESET research described AkdoorTea, a new backdoor delivered through the “Contagious Interview” fake-job lures (a cluster ESET tracks as DeceptiveDevelopment), used to compromise Windows, Linux and macOS developer environments in the cryptocurrency sector.
Source: https://thehackernews.com/2025/09/north-korean-hackers-use-new-akdoortea.html
Incident: RedNovember espionage targeted perimeter appliances of US defence contractors
Date of Incident (ET): 2024–2025 Date of Disclosure/Publication (ET): Sept. 25, 2025
Summary: Recorded Future's Insikt Group (reported via SecurityWeek) detailed RedNovember compromising perimeter devices and deploying Pantegana and other tooling across government, defence, aerospace and legal sector targets.
Source: https://www.securityweek.com/chinese-cyberspies-hacked-us-defense-contractors/
Incident: Vane Viper ad-fraud and malware network generated approximately one trillion DNS queries
Date of Incident (ET): Not available Date of Disclosure/Publication (ET): Sept. 25, 2025
Summary: Infoblox research tied Vane Viper’s adtech-linked infrastructure to global malvertising, malware delivery and fraud campaigns at massive DNS scale across enterprise networks.
Source: https://thehackernews.com/2025/09/vane-viper-generates-1-trillion-dns.html
Incident: RTX confirms ransomware attack caused European airport disruptions via Collins Aerospace
Date of Incident (ET): Sept. 19, 2025 Date of Disclosure/Publication (ET): Sept. 25, 2025
Summary: RTX disclosed in an SEC filing that a ransomware attack on Collins Aerospace's MUSE check-in software disrupted check-in and baggage-drop operations at several European airports, including Heathrow, Brussels and Berlin; investigation and recovery are ongoing.
Source: https://www.securityweek.com/rtx-confirms-airport-services-hit-by-ransomware/
Incident: Unit 42 links Bookworm malware to Chinese APT Stately Taurus
Date of Incident (ET): Not available Date of Disclosure/Publication (ET): Sept. 24, 2025
Summary: Palo Alto Networks’ Unit 42 connected Bookworm to Stately Taurus, documenting espionage operations against government and commercial targets across Europe and Asia.
Source: https://unit42.paloaltonetworks.com/bookworm-to-stately-taurus/
