At a glance.
- Citrix patches critical zero-day.
- Cisco fixes two maximum-severity flaws.
- US Justice Department charges British hacker for allegedly causing $25 million in damages.
Citrix patches critical zero-day.
Citrix has issued a patch for a critical flaw (CVE-2025-6543) affecting NetScaler ADC and NetScaler Gateway appliances that are configured as gateway virtual servers or as authentication, authorization, and accounting (AAA) virtual servers, The Register reports. Citrix describes the flaw as a "[m]emory overflow vulnerability leading to unintended control flow and Denial of Service." The company says it has observed exploitation of the vulnerability in the wild but hasn't shared specifics.
Benjamin Harris, CEO of watchTowr, told The Register that the flaw's CVSS score of 9.2 suggests attackers are using the vulnerability for more than denial-of-service (DoS) attacks. Harris stated, "The CVSS metrics reflect code execution or similar, not DoS as the most impactful outcome. Vulnerable appliances being observed to enter a 'denial of service condition' likely reflects failed exploitation, given the class of vulnerability being discussed here."
The vulnerability is separate from another critical Citrix flaw (CVE-2025-5777) that made headlines this week. Users are urged to update their Citrix products as soon as possible.
Cisco fixes two maximum-severity flaws.
Cisco has patched two maximum-severity remote code execution flaws affecting Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), Beyond Machines reports. The vulnerabilities (CVE-2025-20281 and CVE-2025-20282) "could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user."
CVE-2025-20281 stems from insufficient validation of user-supplied input and can be exploited by submitting a crafted API request. CVE-2025-20282 results from "a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system," allowing an attacker to upload arbitrary files into privileged locations on a vulnerable device.
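As an added illustration of the second bug class, here is a constructed Python example (not Cisco's code and not derived from the ISE implementation): an upload handler that joins a client-supplied filename onto its upload directory with no validation, beside a hardened version that rejects path components and then confirms the fully resolved destination still lies inside the upload directory. The directory layout and filenames are made up for the demonstration.

```python
import os
import tempfile


class UnsafeUploadPath(ValueError):
    """Raised when a client-supplied filename would land outside the upload directory."""


def unsafe_destination(upload_dir: str, client_filename: str) -> str:
    # Vulnerable pattern (constructed illustration): the client-controlled name is
    # joined onto the upload directory with no validation. "../" segments walk out
    # of upload_dir, and an absolute name makes os.path.join discard upload_dir
    # entirely, so the file lands wherever the client asked for.
    return os.path.normpath(os.path.join(upload_dir, client_filename))


def safe_destination(upload_dir: str, client_filename: str) -> str:
    # Hardened pattern: accept only a single plain filename (no separators, no
    # "." or ".."), then resolve both the directory and the candidate path and
    # confirm the candidate is still under the directory. The second check also
    # catches a symlink planted inside upload_dir that points somewhere else.
    if client_filename in ("", ".", "..") or client_filename != os.path.basename(client_filename):
        raise UnsafeUploadPath(f"rejecting filename with path components: {client_filename!r}")
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, client_filename))
    if os.path.commonpath([root, dest]) != root:
        raise UnsafeUploadPath(f"{dest!r} resolves outside {root!r}")
    return dest


def escapes_upload_dir(upload_dir: str, dest: str) -> bool:
    # True if dest, once resolved, is not inside the resolved upload directory.
    root = os.path.realpath(upload_dir)
    return os.path.commonpath([root, os.path.realpath(dest)]) != root


def demo() -> dict:
    # Runs both handlers over a benign name and three traversal attempts inside a
    # throwaway directory. Returns, per name, whether the unsafe handler would have
    # written outside the upload directory and whether the safe handler accepted it.
    names = (
        "report.txt",                     # benign: a plain filename
        "../../etc/cron.d/backdoor",      # relative traversal (constructed)
        "/etc/cron.d/backdoor",           # absolute path (constructed)
        "sub/../../x",                    # traversal hidden behind a subdirectory
    )
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = os.path.join(tmp, "uploads")
        os.mkdir(upload_dir)
        for name in names:
            unsafe = unsafe_destination(upload_dir, name)
            entry = {"unsafe_escapes": escapes_upload_dir(upload_dir, unsafe)}
            try:
                safe_destination(upload_dir, name)
                entry["safe_accepted"] = True
            except UnsafeUploadPath:
                entry["safe_accepted"] = False
            results[name] = entry
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: unsafe handler escapes={outcome['unsafe_escapes']}, "
              f"safe handler accepted={outcome['safe_accepted']}")
```

Rejecting separators up front is what stops traversal; the realpath/commonpath comparison is the belt-and-braces check that still holds when the filename is clean but the upload directory itself contains a symlink pointing at a privileged location.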
US Justice Department charges British hacker for allegedly causing $25 million in damages.
The US Justice Department has charged a British national going by the online alias "IntelBroker" with causing an estimated $25 million in damages by stealing and selling data from organizations around the world. The suspect, 25-year-old Kai West, is accused of hacking more than forty entities over the past two years.
West was arrested in France in February 2025, and the US is seeking his extradition. BleepingComputer notes that IntelBroker's stolen data was usually posted for sale on the BreachForums hacking forum, and West allegedly served as an administrator of the forum until this past January. The Record reports that four suspected BreachForums administrators were arrested in France earlier this week, though the French police haven't commented on the matter.