Daily Brief

A coordinated scanning campaign targeted Citrix NetScaler infrastructure, utilizing over 63,000 IPs to identify login panels and product versions, suggesting organized reconnaissance efforts. GreyNoise detected 111,834 scanning sessions, with 79% targeting Citrix Gateway honeypots, indicating potential pre-exploitation mapping rather than random scanning. Approximately 64% of the scanning traffic originated from residential proxies, bypassing reputation filters by appearing as legitimate consumer ISP addresses. The campaign focused on the EPA setup file path, hinting at interest in developing version-specific exploits or validating vulnerabilities against Citrix ADC weaknesses. Two critical vulnerabilities, CVE-2025-5777 and CVE-2025-5775, pose significant risks, with the latter being exploited as a zero-day. GreyNoise recommends reviewing the necessity of internet-facing Citrix Gateways, restricting access to specific directories, and monitoring for unusual access patterns. System administrators are advised to disable version disclosures in HTTP responses and consider the shared IP addresses for improved detection and response.

CISA has identified a critical vulnerability in SolarWinds Web Help Desk, tracked as CVE-2025-40551, actively exploited in the wild, prompting urgent patching directives. This flaw, stemming from an untrusted data deserialization issue, allows unauthenticated attackers to execute remote commands on unpatched systems. Federal agencies have been mandated to patch affected systems within three days under Binding Operational Directive 22-01 to mitigate potential threats. Alongside CVE-2025-40551, SolarWinds addressed several other vulnerabilities, including hardcoded credentials and authentication bypass flaws, enhancing overall system security. CISA encourages all network defenders, including private sector entities, to promptly apply patches to safeguard against ongoing exploitation attempts. SolarWinds Web Help Desk is widely used across government, corporate, healthcare, and educational sectors, emphasizing the critical nature of timely vulnerability management. The active exploitation of Web Help Desk vulnerabilities in the past underscores the importance of rapid response to emerging threats.

A critical vulnerability in React Native's Metro development server is being actively exploited, affecting both Windows and Linux systems through malicious code execution. The flaw, CVE-2025-11953, allows unauthenticated attackers to execute OS commands via a vulnerable endpoint, posing significant security risks to applications built with this tool. Despite the vulnerability's severity, with a CVSS score of 9.8, public acknowledgment and awareness remain limited, potentially delaying widespread mitigation efforts. Researchers from JFrog and VulnCheck have observed active exploitation attempts, with attackers using a PowerShell-based loader to disable Microsoft Defender and deploy Rust-based binaries. The vulnerability affects a popular npm package with nearly 2.5 million weekly downloads, highlighting the risk posed by widely used but inconsistently monitored developer tools. Meta has issued a fix, but the gap between observed exploitation and public recognition stresses the need for more proactive vulnerability management and awareness. Identified attack origins include IP addresses 65.109.182.231, 223.6.249.141, and 134.209.69.155, with payloads hosted on specific IPs, indicating a coordinated effort by attackers.

The US Cybersecurity and Infrastructure Security Agency (CISA) updated 59 vulnerability notices in 2025 to reflect ransomware exploitation, without notifying defenders. Glenn Thorpe of GreyNoise criticized the lack of alerts, noting missed opportunities to prevent ransomware attacks by not informing defenders of critical changes. CISA's Known Exploited Vulnerability (KEV) catalog is updated frequently, but the pace can outstrip defenders' ability to respond effectively. The catalog's "known ransomware use" indicator changes without announcement, impacting risk assessments and prioritization strategies for cybersecurity teams. Analysis revealed Microsoft CVEs were the most affected, with other vendors like Ivanti, Fortinet, PANW, and Zimbra also impacted. GreyNoise introduced an RSS feed to notify defenders of changes in ransomware status, addressing the communication gap left by CISA. The situation underscores the need for timely communication from cybersecurity agencies to better equip organizations in defending against ransomware threats.

Docker has addressed a critical vulnerability in its AI assistant, Ask Gordon, with the release of version 4.50.0, mitigating risks of code execution and data exfiltration. The flaw, named DockerDash by Noma Labs, exploited unverified metadata in Docker images to execute malicious code through a three-stage attack process. Attackers could leverage this vulnerability to perform remote code execution or exfiltrate sensitive data, impacting both cloud and desktop environments. The issue stemmed from the AI assistant's failure to differentiate between standard metadata and executable commands, leading to a Meta-Context Injection risk. The vulnerability was exploited by embedding malicious instructions in Docker image metadata, compromising the AI's reasoning process and security boundaries. Docker's patch also addresses a related prompt injection vulnerability, highlighting the importance of zero-trust validation for AI systems. Organizations are urged to treat AI supply chain risks seriously, as trusted input sources can be manipulated to control AI execution paths.

Iron Mountain confirmed a data breach involving a single folder containing marketing materials, accessed through compromised credentials. No customer sensitive information was involved in the incident. The breach, claimed by the Everest extortion group, involved 1.4 TB of data, but Iron Mountain clarified that no ransomware was deployed, and no other systems were compromised. The compromised folder was on a public-facing file-sharing server used for sharing marketing content with third-party vendors, and the affected credentials have been deactivated. Iron Mountain, a leader in data storage and management, serves over 240,000 customers globally, including 95% of the Fortune 1000, emphasizing the potential risk of reputational damage. The Everest group, known for data-theft-only extortion tactics, has shifted from ransomware deployment to selling access to breached networks, posing ongoing threats to various sectors. The breach serves as a reminder of the importance of securing file-sharing services and monitoring credential access to prevent unauthorized data exposure. Organizations are encouraged to regularly review access controls and implement robust security measures to protect against similar threats.

The rise of autonomous AI agents in enterprises poses significant challenges to traditional identity management systems, creating potential security and compliance risks. AI agents, unlike traditional identities, are adaptive and operate at machine speed, complicating identity governance and increasing the risk of over-privileged access. Traditional IAM, PAM, and IGA platforms struggle to manage AI agents, leading to identity gaps and potential breaches due to unmanaged credentials. Effective AI agent identity management requires continuous discovery and behavior-based monitoring to address the rapid creation and abandonment of these identities. Implementing dynamic least privilege and ensuring traceability are critical to maintaining security and accountability in AI-driven environments. Organizations must treat AI agents as distinct identity classes, integrating lifecycle management to mitigate risks without hindering innovation. As AI agents become integral to business operations, identity management evolves into a crucial control plane for AI security, demanding new strategies and tools.

A critical vulnerability, CVE-2025-11953, in the React Native Metro server is being exploited to breach development systems on Windows and Linux platforms. Attackers leverage the flaw to execute arbitrary OS commands via POST requests on Windows, while on Linux and macOS, arbitrary executables can be run with limited control. The vulnerability affects @react-native-community/cli-server-api versions 4.8.0 through 20.0.0-alpha.2 and has been patched in version 20.0.0 and later. Researchers from JFrog discovered the flaw, which involves the /open-url HTTP endpoint accepting unsanitized POST requests that can be exploited. VulnCheck observed ongoing exploitation of this vulnerability, dubbed Metro4Shell, delivering advanced payloads across platforms, including Rust-based binaries with anti-analysis features. Approximately 3,500 React Native Metro servers are exposed online, posing a significant risk for widespread exploitation. Organizations are urged to act promptly, as the vulnerability remains actively exploited despite a low Exploit Prediction Scoring System (EPSS) score. VulnCheck's report provides indicators of compromise for the attacker infrastructure and payloads, aiding in detection and mitigation efforts.

The UK's Information Commissioner's Office (ICO) launched a formal investigation into X and its Irish subsidiary for using Grok AI to generate nonconsensual sexual images. The ICO seeks to determine if X Internet Unlimited Company and X.AI LLC processed personal data lawfully and had adequate safeguards to prevent misuse. Concerns focus on Grok's potential to create harmful, manipulated images, particularly involving children, without individuals' knowledge or consent. The ICO has the authority to impose fines up to £17.5 million or 4% of global annual turnover for data protection violations. French prosecutors raided X's Paris offices and summoned key executives, including Elon Musk, as part of a related criminal investigation. The European Commission and California Attorney General are also investigating X's compliance with the Digital Services Act and handling of explicit content. This case raises significant concerns about AI's role in data privacy and the importance of robust safeguards to protect personal data.

Security teams face challenges with tool overload, excessive dashboards, and noise, leading to missed signals and pressure to optimize with limited resources. A live session titled "Breaking Down the Modern SOC: What to Build vs Buy vs Automate" aims to provide clarity for security leaders. Hosted by Kumar Saurabh (CEO, AirMDR) and Francis Odum (CEO, SACR), the webinar promises practical insights without jargon. Participants will explore real customer case studies, compare SOC models, and receive a practical checklist for immediate operational improvement. The session addresses the need for a balanced approach in building, buying, and automating SOC processes to enhance efficiency. Attendees will gain a grounded perspective on strengthening SOC capabilities using existing resources amidst shrinking budgets and escalating threats. The webinar serves as a reset point for overwhelmed SOCs, focusing on simplification and effective decision-making.

A critical vulnerability, CVE-2025-11953, in the "@react-native-community/cli" npm package is being actively exploited by threat actors. The flaw, known as Metro4Shell, has a CVSS score of 9.8, enabling remote command execution on affected systems. VulnCheck observed the exploitation beginning December 21, 2025, with threat actors delivering a Base64-encoded PowerShell script. The script configures Microsoft Defender exclusions and establishes a TCP connection to an attacker-controlled server for further payload delivery. The payload, written in Rust, includes anti-analysis features to avoid detection and complicate static inspection. Despite ongoing exploitation, the vulnerability has not received widespread public attention or acknowledgment from the broader community. This incident serves as a reminder of the risks when development infrastructure becomes accessible and is treated as production-level.

Hackers are exploiting CVE-2025-11953, a critical vulnerability in React Native's Metro server, to deploy malicious payloads on Windows and Linux systems. The flaw allows unauthenticated attackers to execute arbitrary OS commands on Windows and run executables on Linux and macOS, posing a significant risk to development environments. Metro, a key component for React Native projects, can expose development-only HTTP endpoints, which hackers have targeted to deliver base-64 encoded PowerShell payloads. JFrog researchers discovered and disclosed the vulnerability in November, prompting the emergence of multiple proof-of-concept exploits. VulnCheck observed ongoing exploitation of this flaw, dubbed Metro4Shell, with attacks delivering advanced payloads across platforms, leveraging a Rust-based binary on Windows. Approximately 3,500 React Native Metro servers are exposed online, increasing the potential attack surface for this vulnerability. Despite active exploitation, the vulnerability maintains a low score in the Exploit Prediction Scoring System, underscoring the need for proactive security measures. Organizations are advised to act swiftly, utilizing provided indicators of compromise and updating to the patched version 20.0.0 or later to mitigate risks.

French police conducted a raid on X's Paris office, investigating alleged algorithmic manipulation by foreign entities and misuse of AI technologies. The investigation began in January 2025, prompted by complaints from a French parliament member and a senior public institution official. Allegations include organized disruption of data processing systems and fraudulent data extraction, with further scrutiny on X's Grok AI chatbot. Prosecutors claim Grok AI disseminated Holocaust denial content and sexually explicit deepfakes, raising significant legal and ethical concerns. Enhanced powers allow French police to wiretap and surveil X executives, with Elon Musk and former CEO Linda Yaccarino summoned for interviews in April 2026. Potential charges include organized crime, possession and dissemination of child pornography, and creation of sexual deepfakes. The European Commission and several countries have launched parallel investigations into Grok's image-generation capabilities, amid calls for app store removals. X has criticized the investigation as a political attack on free speech, while digital rights groups demand accountability and regulatory action.

Microsoft has officially ended support for TLS 1.0 and 1.1 on Azure Storage, mandating TLS 1.2 or newer for encrypted connections as of February 3, 2026. The transition affects all Azure Storage services, including Azure Files, Queue Storage, and Table Storage, ensuring enhanced security across platforms. TLS 1.0 and 1.1, dating back to 1999 and 2006 respectively, are considered outdated and less secure, prompting this move to modern encryption standards. Organizations using legacy systems may face operational challenges, as older applications often rely on deprecated TLS versions, necessitating updates or replacements. Microsoft had initially planned to retire these older TLS versions in 2024 but extended the deadline to accommodate legacy system transitions. Compliance with regulatory standards like those from NIST, which advocate for TLS 1.2, is a key driver for this update, aligning with best practices for secure communications. Administrators must ensure all client connections to Azure Storage are updated to use TLS 1.2 to maintain access and data security.

French prosecutors conducted a raid on X's Paris offices, focusing on the Grok AI tool used for generating illicit content, including sexually explicit images and deepfakes. The investigation, initiated in January 2025, expanded following complaints about illegal content dissemination and Holocaust-denial material on the platform. The National Gendarmerie's cybercrime unit, with Europol's support, is probing seven criminal offenses, including child pornography and operating an illegal online platform. Elon Musk and X CEO Linda Yaccarino have been summoned for voluntary interviews, with other employees to be questioned as witnesses to provide clarity on compliance measures. The European Commission and other international bodies are examining X's risk assessments under the Digital Services Act, following a €120 million fine for transparency violations. The investigation aims to ensure X's operations align with French law, addressing concerns over algorithm manipulation and fraudulent data extraction. The case underscores the growing scrutiny on AI tools and platforms regarding compliance with national and international legal standards.