A recent advisory from Google and Mandiant has uncovered a significant data breach involving Salesforce, where the threat actor UNC6395 deployed stolen OAuth tokens to bypass Multi-Factor Authentication (MFA). Organizations are urged to take steps to protect non-human identities to prevent similar breaches. According to the advisory from the Google…
Date: April 17, 2025
Category: Vulnerability / Network Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has categorized a significant security flaw affecting SonicWall Secure Mobile Access (SMA) 100 Series gateways as a Known Exploited Vulnerability (KEV) due to ongoing active exploitation. This high-severity vulnerability, identified as CVE-2021-20035 (CVSS score: 7.2), involves an operating system command injection that may allow for unauthorized code execution.
According to SonicWall’s advisory from September 2021, “improper neutralization of special elements in the SMA100 management interface permits a remote authenticated attacker to inject arbitrary commands as a ‘nobody’ user, potentially leading to code execution.”
The vulnerability impacts the following models: SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) running specific versions—10.2.1.0-17sv and earlier (patched in 10.2.1.1-19sv and higher), 10.2.0.7-34sv and earlier (patched in 10.2.0.8-37sv and higher), and 9.0…
CISA Identifies Actively Exploited Vulnerability in SonicWall SMA Devices On April 17, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) took significant action by adding a critical security vulnerability affecting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) list. This classification stems from…
Date: April 17, 2025
Category: Vulnerability / Network Security
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has categorized a significant security flaw affecting SonicWall Secure Mobile Access (SMA) 100 Series gateways as a Known Exploited Vulnerability (KEV) due to ongoing active exploitation. This high-severity vulnerability, identified as CVE-2021-20035 (CVSS score: 7.2), involves an operating system command injection that may allow for unauthorized code execution.
According to SonicWall’s advisory from September 2021, “improper neutralization of special elements in the SMA100 management interface permits a remote authenticated attacker to inject arbitrary commands as a ‘nobody’ user, potentially leading to code execution.”
The vulnerability impacts the following models: SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) running specific versions—10.2.1.0-17sv and earlier (patched in 10.2.1.1-19sv and higher), 10.2.0.7-34sv and earlier (patched in 10.2.0.8-37sv and higher), and 9.0…
A significant data breach involving corporate Salesforce instances has emerged, with hackers exploiting compromised OAuth tokens associated with the Salesloft Drift application. This sophisticated exfiltration campaign has led to the exposure of sensitive data from numerous organizations. The threat group, identified as UNC6395, executed their operations between August 8 and…
Published: April 25, 2025
Category: Secrets Management / DevOps
When discussing identity in cybersecurity, people typically think of usernames, passwords, and the occasional multi-factor authentication prompt. However, an escalating threat lies beneath the surface, rooted in Non-Human Identities (NHIs). While security teams often equate NHIs with Service Accounts, the reality is much broader. NHIs encompass Service Principals, Snowflake Roles, IAM Roles, and platform-specific constructs across AWS, Azure, GCP, and beyond. The variability of NHIs reflects the diversity within modern tech stacks, making effective management essential.
The true risk associated with NHIs stems from their authentication methods.
Secrets: The Currency of Machines
Non-Human Identities primarily rely on secrets—API keys, tokens, certificates, and other credentials—that provide access to systems, data, and critical infrastructure.
The Rising Threat of Non-Human Identities in Cybersecurity In today’s cybersecurity landscape, discussions surrounding identity often center on traditional human elements such as usernames, passwords, and multi-factor authentication (MFA). However, a significant and escalating risk currently lurks beneath this familiar terrain in the form of Non-Human Identities (NHIs). This burgeoning…
Published: April 25, 2025
Category: Secrets Management / DevOps
When discussing identity in cybersecurity, people typically think of usernames, passwords, and the occasional multi-factor authentication prompt. However, an escalating threat lies beneath the surface, rooted in Non-Human Identities (NHIs). While security teams often equate NHIs with Service Accounts, the reality is much broader. NHIs encompass Service Principals, Snowflake Roles, IAM Roles, and platform-specific constructs across AWS, Azure, GCP, and beyond. The variability of NHIs reflects the diversity within modern tech stacks, making effective management essential.
The true risk associated with NHIs stems from their authentication methods.
Secrets: The Currency of Machines
Non-Human Identities primarily rely on secrets—API keys, tokens, certificates, and other credentials—that provide access to systems, data, and critical infrastructure.
📅 April 28, 2025
Cloud Security / Vulnerability
Not all security vulnerabilities pose a high risk on their own, but in the hands of skilled attackers, even minor weaknesses can escalate into significant breaches. This article highlights five real vulnerabilities identified by Intruder’s bug-hunting team, illustrating how attackers exploit overlooked flaws to create serious security incidents.
Understanding the Genesis of Breaches: Analyzing Five Real Vulnerabilities April 28, 2025 In the realm of cybersecurity, not every vulnerability is inherently catastrophic. However, when exploited by skilled attackers, even minor weaknesses can culminate in significant breaches. Recent findings from Intruder’s dedicated bug-hunting team illustrate the alarming potential of overlooked…
📅 April 28, 2025
Cloud Security / Vulnerability
Not all security vulnerabilities pose a high risk on their own, but in the hands of skilled attackers, even minor weaknesses can escalate into significant breaches. This article highlights five real vulnerabilities identified by Intruder’s bug-hunting team, illustrating how attackers exploit overlooked flaws to create serious security incidents.
June 5, 2025
Network Security / Vulnerability
Cisco has issued security patches for a severe vulnerability affecting its Identity Services Engine (ISE). This flaw, identified as CVE-2025-20286 and rated 9.9 out of 10 on the CVSS scale, could be exploited by unauthenticated attackers to perform harmful actions on vulnerable systems. The vulnerability, categorized as a static credential issue, affects cloud deployments on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). Cisco warned that attackers could potentially access sensitive data, perform limited administrative tasks, alter system configurations, or disrupt services in the affected environments. The networking company credited Kentaro Kawane from GMO Cybersecurity for reporting the flaw and acknowledged the presence of a proof-of-concept (PoC) exploit, although no active exploitation has been confirmed.
Critical Cisco ISE Authentication Bypass Vulnerability Threatens Cloud Environments on AWS, Azure, and OCI On June 5, 2025, Cisco announced the release of security patches addressing a high-severity vulnerability within its Identity Services Engine (ISE). This flaw, designated as CVE-2025-20286, has received a CVSS score of 9.9 out of 10,…
June 5, 2025
Network Security / Vulnerability
Cisco has issued security patches for a severe vulnerability affecting its Identity Services Engine (ISE). This flaw, identified as CVE-2025-20286 and rated 9.9 out of 10 on the CVSS scale, could be exploited by unauthenticated attackers to perform harmful actions on vulnerable systems. The vulnerability, categorized as a static credential issue, affects cloud deployments on Amazon Web Services (AWS), Microsoft Azure, and Oracle Cloud Infrastructure (OCI). Cisco warned that attackers could potentially access sensitive data, perform limited administrative tasks, alter system configurations, or disrupt services in the affected environments. The networking company credited Kentaro Kawane from GMO Cybersecurity for reporting the flaw and acknowledged the presence of a proof-of-concept (PoC) exploit, although no active exploitation has been confirmed.
In the ever-evolving landscape of cyber threats, while phishing and ransomware consistently steal headlines, there is a more insidious risk that lurks beneath the surface in many organizations: the exposure of Git repositories that leak sensitive data. This risk quietly undermines security by creating shadow access to critical systems. Git…
On November 8, 2024, IoT Security / Vulnerability
The creators of the AndroxGh0st malware are now exploiting a wider range of security vulnerabilities affecting various internet-facing applications, while also deploying the Mozi botnet. According to a recent report by CloudSEK, this botnet employs remote code execution and credential theft techniques to maintain ongoing access, using unpatched vulnerabilities to infiltrate critical infrastructures.
AndroxGh0st is a Python-based attack tool specifically designed to target Laravel applications, aiming to extract sensitive data related to services such as Amazon Web Services (AWS), SendGrid, and Twilio. Active since at least 2022, it has previously exploited vulnerabilities in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and maintain persistent control over compromised systems. Earlier this January, U.S. cybersecurity and intelligence agencies…
AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services November 8, 2024 In a notable escalation of cyber threats, the creators of AndroxGh0st malware are now exploiting a wider range of security vulnerabilities affecting numerous internet-facing applications. This malicious software has recently adopted the Mozi botnet, a tool…
On November 8, 2024, IoT Security / Vulnerability
The creators of the AndroxGh0st malware are now exploiting a wider range of security vulnerabilities affecting various internet-facing applications, while also deploying the Mozi botnet. According to a recent report by CloudSEK, this botnet employs remote code execution and credential theft techniques to maintain ongoing access, using unpatched vulnerabilities to infiltrate critical infrastructures.
AndroxGh0st is a Python-based attack tool specifically designed to target Laravel applications, aiming to extract sensitive data related to services such as Amazon Web Services (AWS), SendGrid, and Twilio. Active since at least 2022, it has previously exploited vulnerabilities in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and maintain persistent control over compromised systems. Earlier this January, U.S. cybersecurity and intelligence agencies…
In a significant cybersecurity incident, researcher Jeremiah Fowler has revealed a critical data breach involving IMDataCenter, a Florida-based data solutions company. The breach has resulted in the exposure of a vast database that contains sensitive personal information belonging to individual users and various client organizations. The compromised database, which includes…
