Daily Brief
Find articles below, see 'DETAILS' for generated summaries
Total articles found: 12797
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-04-17 08:55:52 | bleepingcomputer | CYBERCRIME | SonicWall VPN Vulnerability Actively Exploited, CISA Warns | CISA has issued an alert about active exploitation of a high-severity SonicWall VPN flaw, CVE-2021-20035, together with a patching mandate for federal agencies. The vulnerability allows remote attackers with low privileges to execute arbitrary code on SMA 100 series appliances. Originally discovered and patched in September 2021, the flaw was initially thought to enable only denial-of-service attacks but has since been found to allow code execution. SonicWall recently updated its security advisory, raising the CVSS score to 7.2 in light of its exploitation in targeted attacks. U.S. Federal Civilian Executive Branch (FCEB) agencies must patch their systems by May 7 under Binding Operational Directive 22-01. Although the directive applies only to federal agencies, all network defenders are urged to prioritize fixing this flaw to avoid potential breaches. The alert follows recent SonicWall warnings about other actively exploited vulnerabilities in its firewall products, underscoring ongoing security challenges. | Details |
| 2025-04-17 05:49:32 | thehackernews | CYBERCRIME | CISA Identifies Exploited Vulnerability in SonicWall SMA Devices | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in the SonicWall SMA 100 Series to its KEV catalog based on evidence of active exploitation. The vulnerability, tracked as CVE-2021-20035 with a CVSS score of 7.2, is an operating system command injection that can lead to unauthorized code execution. Affected devices include the SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v across platforms such as ESX, KVM, AWS, and Azure. SonicWall issued an advisory in September 2021 describing the vulnerability as an improper neutralization flaw in the SMA100 management interface that enables remote authenticated attacks. The flaw permits attackers to execute arbitrary commands as the 'nobody' user, creating the potential for targeted code-execution attacks. Details of the active exploitation remain undisclosed, but the threat is considered significant enough to require Federal Civilian Executive Branch agencies to update by May 7, 2025. | Details |
| 2025-04-17 03:40:23 | thehackernews | CYBERCRIME | Apple Addresses iOS Flaws Exploited in Sophisticated Attacks | Apple has released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to patch two actively exploited vulnerabilities. The vulnerabilities, identified as CVE-2025-31200 and CVE-2025-31201, were fixed respectively by improving bounds checking and by removing the vulnerable code. These flaws were exploited in highly sophisticated attacks targeting specific individuals, demonstrating advanced exploitation techniques. Google's Threat Analysis Group (TAG) reported one of the vulnerabilities, highlighting collaboration between the two companies. Users of affected Apple devices are urged to update their systems immediately. This marks the fifth instance this year of zero-day vulnerabilities in Apple's software being actively exploited. Persistent threats of this kind emphasize the ongoing need for vigilance and regular updates to safeguard user data and privacy. | Details |
| 2025-04-17 02:50:51 | theregister | NATION STATE ACTIVITY | Whistleblower Exposes Unauthorized Data Handling at US Labor Agency | A whistleblower at the US National Labor Relations Board (NLRB), Dan Berulis, has reported questionable practices by DOGE IT staff at the agency. Berulis reported that DOGE staffers were improperly granted superuser access, allowing them to read, copy, and alter agency data. He observed gigabytes of data being exfiltrated and security controls being disabled, including changes to multi-factor authentication. A significant finding was a series of login attempts from a Russian IP address against an account set up for a DOGE aide shortly after its creation. US-CERT was engaged to investigate but was subsequently instructed to halt all investigation and reporting on the matter. Following public disclosure of these activities, Democratic lawmakers have called for investigations into DOGE's actions at the NLRB. The whistleblower's report raises serious concerns about data security and potential data manipulation at a critical federal agency. | Details |
| 2025-04-16 21:17:59 | theregister | MISCELLANEOUS | Microsoft's Recent Updates Cause Windows 11 Crashes | Microsoft's latest updates for Windows 11 24H2 have triggered blue screen crashes after installation and reboot. The problematic updates are the April cumulative update KB5055523 and the March preview update KB5053656, both causing severe operational disruptions. Affected users see the blue screen error code 0x18B, which denotes a SECURE_KERNEL_ERROR. No comprehensive fix has been provided yet; Microsoft has implemented a temporary workaround through a Known Issue Rollback (KIR). The KIR mechanism, introduced in 2021, lets Microsoft silently and automatically retract faulty updates on personal and unmanaged devices, generally within 24 hours. IT departments managing affected systems must manually install a Group Policy .msi file to apply the rollback, which requires a system restart to take effect. Microsoft is currently preoccupied with integrating Copilot into its services, possibly deprioritizing the resolution of existing technical issues, including long-standing bugs in OneDrive synchronization. | Details |
| 2025-04-16 21:09:04 | theregister | DATA BREACH | CIA Chief's Phone Wipes Sensitive Signal Chat, Legal Issues Ensue | CIA Director John Ratcliffe's Signal chats regarding a secret military operation were almost entirely deleted from his smartphone. A court order to preserve the chat at the center of the affair dubbed 'Signalgate' was issued amid accusations that using auto-deleting messages violated federal record-keeping rules. The only remnants found on Ratcliffe's phone were the group's name and some member profiles, with no substantive message content. The chats included highly sensitive information about an imminent military strike in Yemen, which was mistakenly shared with a journalist. American Oversight, a watchdog group, claims the Trump administration systematically destroyed evidence, potentially breaching the Federal Records Act. Other government agencies complied with the court's preservation order faster than the CIA did. The incident raises significant concerns about the transparency, accountability, and security practices of government officials handling classified information. The use of personal accounts and unsecured apps to discuss classified operations points to a disregard for established protocols and security measures. | Details |
| 2025-04-16 20:51:45 | bleepingcomputer | CYBERCRIME | Over 16,000 Fortinet Devices Compromised by Symlink Backdoor | Over 16,000 Fortinet devices were found compromised with a symlink backdoor, enabling read-only access to sensitive files. The issue was identified and reported by The Shadowserver Foundation, which noted an increase from 14,000 to 16,620 affected devices. Fortinet had earlier alerted customers about the new persistence mechanism leveraged by attackers to maintain remote access on FortiGate devices despite patches for the original vulnerabilities. Attackers used zero-day vulnerabilities to initially compromise the devices and then implanted symbolic links in the language files folder. These links provided ongoing access to the root filesystem of SSL-VPN-enabled devices, even after the vulnerabilities were addressed in new FortiOS versions. Fortinet has informed affected customers via email and released an updated AV/IPS signature to remove the malicious links and prevent similar future exploits. Customers are advised to reset all credentials and follow the suggested security measures to protect against potential information breaches resulting from this exposure. | Details |
| 2025-04-16 19:06:48 | theregister | MISCELLANEOUS | Enhancing Cybersecurity Through Adversarial Exposure Validation | Security teams are overwhelmed by the sheer volume of security alerts and vulnerabilities, making it difficult to distinguish serious threats from less significant ones. True resilience in cybersecurity is not about addressing every vulnerability but about focusing on those that are genuinely exploitable and pose real-world risk. Adversarial Exposure Validation offers a structured approach by mimicking real attacker behavior to identify and prioritize the most significant exposures. This method not only tests vulnerabilities for exploitability but also evaluates the contextual risk they pose, moving beyond simplistic severity scores. Tools such as Breach and Attack Simulation (BAS) and Automated Penetration Testing are critical, as they simulate real-world attack scenarios to discover actionable vulnerabilities. Consistent use of these tools helps organizations move from periodic vulnerability assessment to continuous, proactive security improvement. Adversarial Exposure Validation is essential for modern security operations, shifting from reactive measures to proactive risk management and aligning defensive strategies more closely with the actual threat landscape. Security practitioners are encouraged to consult resources such as the comparison whitepaper on Breach and Attack Simulation versus Automated Penetration Testing to choose the most suitable tools for their needs. | Details |
| 2025-04-16 18:13:35 | bleepingcomputer | CYBERCRIME | Apple Patches Zero-Days Exploited in Sophisticated iPhone Attacks | Apple released emergency updates for two zero-day vulnerabilities affecting several of its operating systems, including iOS and macOS. The vulnerabilities, identified as CVE-2025-31200 and CVE-2025-31201, were used in highly sophisticated, targeted attacks on specific individuals. CVE-2025-31200 allows remote code execution via a maliciously crafted media file and affects CoreAudio; it was discovered jointly by Apple and Google's Threat Analysis Group. CVE-2025-31201 is a flaw in RPAC that allows Pointer Authentication, a feature defending against memory-corruption exploits, to be bypassed. Apple issued fixes for these vulnerabilities in iOS 18.4.1, iPadOS 18.4.1, and updates for the other affected systems. The flaws impact a broad range of devices, both new and old, underlining the need for all users to update swiftly. This patch continues Apple's effort to mitigate zero-day exploits, with five such fixes already released this year. | Details |
| 2025-04-16 17:01:45 | theregister | MISCELLANEOUS | U.S. Government Extends Funding for CVE Program at Last Minute | The U.S. government secured funding for the CVE (Common Vulnerabilities and Exposures) Program just before the existing contract was set to expire. The extension prevents any interruption in CVE services, which are crucial worldwide for identifying and managing security vulnerabilities in technology products. MITRE, the nonprofit that manages the CVE database, had disclosed uncertainty about continued federal support, prompting concerns about the program's future. In response, CVE board members announced plans to establish the CVE Foundation to maintain and enhance the program's independence and sustainability without sole reliance on federal funding. The newly formed CVE Foundation aims to address weaknesses in the vulnerability management ecosystem by reinforcing the program's global trust and community-driven approach. Despite the funding extension by CISA, discussion continues within the cybersecurity community about the need for a more globally collaborative approach to managing vulnerabilities. The situation has exposed risks such as split standards and reduced confidence in the CVE process, as reflected in reactions from international agencies and vendors. | Details |
| 2025-04-16 16:19:59 | thehackernews | MALWARE | Researchers Reveal Privilege Escalation Flaws in Windows Scheduler | Cybersecurity researchers have identified four vulnerabilities in the Windows Task Scheduler that enable privilege escalation and log deletion. The flaws, found in the binary "schtasks.exe", could allow local attackers to execute privileged commands and malicious payloads without user consent. One major vulnerability involves bypassing User Account Control to perform system-level operations covertly. Attackers could use known passwords, possibly obtained through credential cracking or other exploits, to register tasks that impersonate high-privilege users. The vulnerabilities also allow attackers to manipulate task logs and the Windows Event Log to erase evidence of their activity. Defense evasion techniques associated with these flaws include overwriting and filling security logs, jeopardizing audit trails. The discovery underscores the importance of securing Task Scheduler and related components against abuse by attackers who have gained a foothold inside an organization. | Details |
| 2025-04-16 14:47:13 | theregister | DATA BREACH | Law Firm Fined £60K for Failing to Report Data Theft in Time | DPP Law Ltd was fined £60,000 for failing to promptly notify a data breach in which personal client data was stolen and later found on the dark web. The breach occurred in June 2022 and involved a brute-force attack on an underused administrator account on DPP Law's network that lacked multi-factor authentication. The attacker used that access to reach a legacy case management system and extract 32 GB of sensitive data, including details of identifiable individuals. The UK's Information Commissioner's Office (ICO) noted that DPP Law initially did not consider the incident a data breach and delayed reporting it for 43 days. DPP Law disputes the ICO's findings and is appealing the decision, asserting its compliance with legal and cybersecurity standards through Lexcel and Cyber Essentials certifications. The ICO's investigation pointed to significant security lapses at DPP Law, stressing the importance of robust cybersecurity measures and timely incident reporting. The ICO's enforcement director emphasized that data protection is a legal obligation, warning of substantial fines and reputational damage for non-compliance. | Details |
| 2025-04-16 14:41:45 | bleepingcomputer | MISCELLANEOUS | Atlassian Jira Faces Global Outage Impacting Several Products | Atlassian is dealing with an 'active incident' causing degraded performance across multiple Jira products. Affected services include Jira, Jira Service Management, Jira Work Management, and Jira Product Discovery. The issues began around 11:46 UTC today, resulting in errors and difficulty loading the Jira user interface and dashboards. Users worldwide are experiencing prolonged outages, with specific complaints about dashboard widgets failing to load or render. Atlassian teams are urgently investigating the disruptions, although the root cause has not yet been determined. The situation remains ongoing, with updates promised as further information becomes available. | Details |
| 2025-04-16 14:08:23 | bleepingcomputer | MISCELLANEOUS | Enhancing Cyber Defenses Through Adversarial Exposure Validation | According to findings from Picus Security, 41% of cyberattacks bypass the existing security controls in most organizations. Traditional security assessments such as annual penetration tests and periodic vulnerability scans are insufficient in today's rapidly changing threat landscape. Breach and Attack Simulation (BAS) and Automated Penetration Testing (APT) offer continuous, real-time testing and validation of security measures. These methods allow organizations to simulate real-world attacks, revealing vulnerabilities and ineffective security controls without risking system downtime. Adversarial Exposure Validation combines BAS and APT to provide a comprehensive view of both the effectiveness of security controls and potential attack paths. This approach helps organizations identify and close gaps, improving their defense against actual cyberattacks. Continuous testing enables proactive risk management, better preparation for potential breaches, and measurable improvements in security posture. | Details |
| 2025-04-16 13:06:37 | bleepingcomputer | MISCELLANEOUS | CISA Secures Funding Continuation for Critical CVE Program | CISA has extended funding to prevent disruption of the Common Vulnerabilities and Exposures (CVE) program. The extension was crucial because MITRE had warned that existing government funding would expire, with potential industry-wide effects. Without the extension, potential disruptions included impacts on national vulnerability databases, incident response, and tool vendor operations. The CVE program, maintained by MITRE and funded by the U.S. DHS, provides clarity and standardization in discussing security vulnerabilities. The newly established CVE Foundation aims to secure the program's independence and remove reliance on a single government sponsor, ensuring its global neutrality and sustainability. The foundation introduces a non-profit model for managing the CVE program going forward. Separately, ENISA has launched the European vulnerability database (EUVD), which uses a multi-stakeholder model and adds to the global cybersecurity infrastructure. | Details |