At a glance.
- CitrixBleed 2 vulnerability is being exploited.
- Cisco fixes two maximum-severity flaws.
- Salt Typhoon breached a Canadian telecom.
- US Justice Department charges British hacker for allegedly causing $25 million in damages.
- Patches issued for vulnerabilities affecting hundreds of printer models.
- Michigan hospital network says data belonging to 740,000 people was stolen by ransomware gang.
CitrixBleed 2 vulnerability is being exploited.
A critical Citrix vulnerability (CVE-2025-5777) that was patched last week is now being exploited in the wild, according to researchers at ReliaQuest. The vulnerability, which has been compared to 2023's CitrixBleed flaw, can allow attackers to bypass authentication and hijack user sessions. Users of NetScaler ADC and NetScaler Gateway should apply the patches as soon as possible. Because the flaw exposes live session material, patching alone does not evict an attacker who already holds a stolen token: Citrix's advisory also recommends terminating all active ICA and PCoIP sessions once the upgrade is complete.
ReliaQuest explains, "Citrix Bleed 2 mirrors the original in its ability to bypass authentication and facilitate session hijacking, but it introduces new risks by targeting session tokens instead of session cookies. Unlike session cookies, which are often tied to short-lived browser sessions, session tokens are typically used in broader authentication frameworks, such as API calls or persistent application sessions. This means that attackers could potentially maintain access longer and operate across multiple systems without detection, even after the user has terminated the browser session."
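The hijack pattern ReliaQuest describes (a token reused by a second party, and reused after the legitimate user has logged out) is something a defender can look for in gateway logs. The following is an added example, not code from ReliaQuest or Citrix; the log format is a constructed, generic key=value layout rather than real NetScaler syslog, and the session IDs and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample log lines (assumed generic gateway format, not NetScaler's).
# Session s1a2b3 is used from a second source IP and keeps making requests after
# alice logs out; q9r8t7 is a clean session used for comparison.
SAMPLE_LOG = """\
2025-06-30T09:00:01Z event=login   session=s1a2b3 user=alice src=203.0.113.10
2025-06-30T09:00:05Z event=request session=s1a2b3 user=alice src=203.0.113.10 path=/portal
2025-06-30T09:02:10Z event=request session=s1a2b3 user=alice src=198.51.100.7 path=/api/vpn/config
2025-06-30T09:05:00Z event=logout  session=s1a2b3 user=alice src=203.0.113.10
2025-06-30T09:07:30Z event=request session=s1a2b3 user=alice src=198.51.100.7 path=/api/vpn/config
2025-06-30T09:10:00Z event=login   session=q9r8t7 user=bob   src=192.0.2.44
2025-06-30T09:10:20Z event=request session=q9r8t7 user=bob   src=192.0.2.44 path=/portal
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+event=(?P<event>\w+)\s+session=(?P<sid>\w+)"
    r"\s+user=(?P<user>\w+)\s+src=(?P<src>[\d.]+)"
)


def parse(log_text):
    """Turn each well-formed line into a dict; silently skip anything else."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_sessions(log_text):
    """Return {session_id: [reasons]} for sessions that show hijack indicators.

    Two indicators are checked:
      1. the same session token is used from more than one source IP;
      2. requests with the token continue after the owner's logout event
         (the token outlived the browser session, as the ReliaQuest note warns).
    Timestamps are ISO-8601 UTC strings, so lexical comparison orders them.
    """
    src_by_sid = defaultdict(set)
    logged_out = {}             # sid -> timestamp of the logout event
    findings = defaultdict(list)

    for ev in parse(log_text):
        sid = ev["sid"]
        src_by_sid[sid].add(ev["src"])
        if ev["event"] == "logout":
            logged_out[sid] = ev["ts"]
        elif ev["event"] == "request" and sid in logged_out and ev["ts"] > logged_out[sid]:
            reason = f"request after logout at {logged_out[sid]} from {ev['src']}"
            if reason not in findings[sid]:
                findings[sid].append(reason)

    for sid, srcs in src_by_sid.items():
        if len(srcs) > 1:
            findings[sid].insert(0, "used from multiple source IPs: " + ", ".join(sorted(srcs)))

    return dict(findings)


if __name__ == "__main__":
    for sid, reasons in find_suspicious_sessions(SAMPLE_LOG).items():
        print(sid)
        for r in reasons:
            print("  -", r)
```

Multiple source IPs for one session is a noisy signal on its own (mobile users, proxies), which is why the post-logout check is the stronger of the two: a token that keeps working after its owner ended the session is exactly what the patch does not invalidate.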
Cisco fixes two maximum-severity flaws.
Cisco has patched two maximum-severity remote code execution flaws affecting Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC), Beyond Machines reports. The vulnerabilities (CVE-2025-20281 and CVE-2025-20282) "could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user."
CVE-2025-20281 is due to insufficient validation of user-supplied input, and can be exploited by submitting a crafted API request. CVE-2025-20282 results from "a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system," and can allow attackers to upload arbitrary files into privileged locations on vulnerable devices, where they can then be executed as root. Both flaws are reachable without credentials, so ISE and ISE-PIC deployments whose interfaces are exposed beyond a dedicated management network should be patched first.
Salt Typhoon breached a Canadian telecom.
The Canadian Centre for Cyber Security and the US FBI have released a bulletin warning that the Chinese state-sponsored threat actor Salt Typhoon is targeting Canadian telecoms, and breached at least one of them earlier this year. The bulletin states, "Three network devices registered to a Canadian telecommunications company were compromised by likely Salt Typhoon actors in mid-February 2025. The actors exploited CVE-2023-20198 to retrieve the running configuration files from all three devices and modified at least one of the files to configure a GRE tunnel, enabling traffic collection from the network." CVE-2023-20198 is the Cisco IOS XE web UI vulnerability disclosed in October 2023, so the intrusion relied on a flaw that had a fix available for well over a year.
The bulletin adds, "[W]e assess that PRC cyber actors will almost certainly continue to target Canadian organizations as part of this espionage campaign, including telecommunications service providers and their clients, over the next two years."
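The tradecraft in the bulletin, a GRE tunnel added to a router's running configuration to siphon traffic, leaves a footprint that can be audited directly from a saved config. The following is an added example, not part of the bulletin or any vendor tool: it parses an IOS-style configuration and lists tunnel interfaces carrying GRE, flagging any not on an operator-maintained allowlist. The sample configuration is constructed for the example, with documentation addresses, and does not reproduce anything observed in the incident.

```python
# Constructed IOS-style running configuration for the example. Tunnel100 is a
# known, approved tunnel; Tunnel7 has no explicit mode (IOS defaults a tunnel to
# GRE over IP) and is the kind of addition an auditor should question;
# Tunnel20 is IPsec, not GRE.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr-1
!
interface GigabitEthernet0/0/0
 description uplink
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel100
 description approved mgmt tunnel
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.23
 tunnel mode gre ip
!
interface Tunnel7
 ip unnumbered GigabitEthernet0/0/0
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.77
!
interface Tunnel20
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.9
 tunnel mode ipsec ipv4
!
end
"""


def parse_interfaces(config_text):
    """Split an IOS-style config into {interface name: [sub-commands]}.

    IOS indents sub-commands by one space; a non-indented line ends the block.
    """
    blocks, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def find_gre_tunnels(config_text, approved=()):
    """Return a list of dicts describing every tunnel interface that carries
    GRE, marking whether its name is on the operator's allowlist.

    A tunnel with no 'tunnel mode' line is reported as GRE because that is the
    IOS default; auditors should not assume a missing line means 'harmless'.
    """
    findings = []
    for name, cmds in parse_interfaces(config_text).items():
        if not name.lower().startswith("tunnel"):
            continue
        info = {"interface": name, "source": None, "destination": None,
                "mode": "gre ip (implicit default)", "approved": name in approved}
        for c in cmds:
            if c.startswith("tunnel source "):
                info["source"] = c.split(None, 2)[2]
            elif c.startswith("tunnel destination "):
                info["destination"] = c.split(None, 2)[2]
            elif c.startswith("tunnel mode "):
                info["mode"] = c[len("tunnel mode "):]
        if "gre" in info["mode"]:
            findings.append(info)
    return findings


def unapproved_gre_tunnels(config_text, approved=()):
    """Just the tunnels an operator did not sign off on: the review queue."""
    return [t for t in find_gre_tunnels(config_text, approved) if not t["approved"]]


if __name__ == "__main__":
    for t in unapproved_gre_tunnels(SAMPLE_RUNNING_CONFIG, approved=("Tunnel100",)):
        print(f"{t['interface']}: {t['source']} -> {t['destination']} [{t['mode']}]")
```

Run this against the configuration archive your NMS already collects and diff the result over time; a GRE tunnel whose destination is an address the business has no relationship with is the finding that matters, and the allowlist keeps the output short enough that someone will actually read it.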
US Justice Department charges British hacker for allegedly causing $25 million in damages.
The US Justice Department has charged a British national going by the online alias "IntelBroker" with causing an estimated $25 million in damages by stealing and selling data from organizations around the world. The suspect, 25-year-old Kai West, is accused of hacking more than forty entities over the past two years.
West was arrested in France in February 2025, and the US is seeking his extradition. BleepingComputer notes that IntelBroker's stolen data was usually posted for sale on the BreachForums hacking forum, and West allegedly served as an administrator of the forum until this past January. The Record reports that four suspected BreachForums administrators were arrested in France earlier this week, though the French police haven't commented on the matter.
Patches issued for vulnerabilities affecting hundreds of printer models.
Rapid7 discovered eight vulnerabilities affecting over seven hundred printer models, most of which are manufactured by Brother, SecurityWeek reports. The most serious of the flaws (CVE-2024-51978) can allow an unauthenticated attacker to generate the default administrator password for the device if they know the target device's serial number. The threat actor can discover the serial number via another one of the flaws (CVE-2024-51977).
The vulnerabilities affect 689 models from Brother, as well as 46 from Fujifilm Business Innovation, five from Ricoh, six from Konica Minolta, and two from Toshiba. Patches and mitigations are available for the flaws, although Brother says CVE-2024-51978 cannot be fully fixed in firmware on devices already shipped and is only resolved by a change to its manufacturing process. On existing devices the flaw is mitigated by changing the default administrator password, which should be done alongside applying the firmware updates for the other seven issues.
Michigan hospital network says data belonging to 740,000 people was stolen by ransomware gang.
Michigan hospital network McLaren Health Care says information belonging to more than 740,000 people was stolen during a ransomware attack in August 2024, the Record reports. The affected data included names, Social Security numbers, driver's license numbers, medical data, and health insurance information. McLaren operates thirteen hospitals and various medical services across Michigan, and the attack disrupted services at the time.
The INC ransomware gang is believed to be responsible for the attack.