Heroes, Happy Earth, Wind & Fire Day. Ba-dee-yah, y'all. Also, a call to action. We need to name the mascot. Details below. Here's a detailed look at the current cybersecurity landscape for September 21, 2025.
CRITICAL ITEMSDate & Time: 2025-09-19T14:12:00
Fortra has patched a critical deserialization vulnerability in its GoAnywhere Managed File Transfer (MFT) software. The flaw, with a maximum CVSS score of 10.0, could allow an unauthenticated attacker to achieve remote code execution. Given the history of MFT solutions being targeted by ransomware groups, immediate patching is essential to prevent widespread compromise.
CVE Details: CVE-2025-10035
Source: The Hacker News ↗
Date & Time: 2025-09-20T14:06:05
CISA has issued an alert detailing two new malware strains discovered on a network compromised via vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). This indicates active and ongoing exploitation of Ivanti products, a frequent target for sophisticated threat actors. Organizations using Ivanti EPMM should assume compromise and initiate threat hunting activities immediately.
CVE Details: n/a
Source: Security Affairs ↗
HIGH SEVERITY ITEMSDate & Time: 2025-09-21T09:11:00
This report highlights that billions of records are breached annually due to simple misconfigurations in servers, firewalls, and cloud services. This serves as a critical reminder that foundational security hygiene is as important as defending against zero-day exploits. Misconfigurations represent a low-cost, high-reward entry point for attackers and are a primary driver of data breaches.
CVE Details: n/a
Source: Security Boulevard ↗
Date & Time: 2025-09-19T16:28:41
AWS has released its Summer 2025 System and Organization Controls (SOC) 1 report, covering 183 services. This is a key resource for compliance and risk management teams to verify the control environment of AWS services their organizations rely on.
Source: AWS ↗
EXECUTIVE INSIGHTSDate & Time: 2025-09-19T14:22:24
This weekly summary underscores the immense volume and velocity of vulnerability disclosures, with over 1,000 new bugs and 135 with public proof-of-concept exploits. This data highlights the critical need for automated, risk-based vulnerability management programs that can prioritize patching based on exploitability and potential impact, as patching everything is not feasible.
Source: Cyble ↗
Date & Time: 2025-09-20T21:00:00
Recent analysis emphasizes the growing risk posed by unmanaged Non-Human Identities (NHIs), such as API keys, service accounts, and machine identities. As cloud-native and DevOps environments expand, the number of NHIs often exceeds human identities, creating a massive and often overlooked attack surface. Leaders must invest in strategies for discovering, managing, and securing these identities to prevent breaches.
Source: Entro Security ↗, Aembit ↗
VENDOR SPOTLIGHTSpotlight Rationale: Addresses the persistent threat of unpatched firmware in network hardware, a long-tail risk that often falls outside the scope of traditional endpoint management. This is directly relevant to the threat of legacy exploits remaining active for years, as highlighted in the user-provided context.
Threat Context: A wireless device exploit uncovered 11 years ago still hasn't been fixed by some manufacturers
Platform Focus: Tenable.io Vulnerability Management
Tenable.io provides comprehensive asset discovery and vulnerability assessment across the entire attack surface, including IT, cloud, and OT environments. Its platform is particularly effective at identifying network devices like routers, switches, and access points that are often unmanaged. It can detect outdated firmware and specific vulnerabilities, such as legacy WPS flaws, enabling security teams to uncover hidden risks within their network infrastructure that standard tools might miss.
Actionable Platform Guidance: Implement a dedicated scanning policy within Tenable.io to audit network infrastructure. This involves creating a credentialed scan targeting the management interfaces of routers, switches, and wireless access points. The scan policy should enable plugins specific to network device vendors (Cisco, Juniper, etc.) and generic firmware version checks to identify devices that have not been patched for known, decades-old vulnerabilities.
Source: Tenable.io ↗
DETECTION & RESPONSE KIT⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Tenable.io
# Tenable.io Scan Policy for Legacy Network Device Vulnerabilities
1. **Create a New Scan:** In Tenable.io, navigate to Scans > My Scans > New Scan.
2. **Select a Template:** Choose the 'Advanced Network Scan' template.
3. **Basic Settings:**
- Name: 'Network Hardware Firmware Audit'
- Targets: Define IP ranges for your network infrastructure (e.g., 192.168.1.0/24, 10.10.0.0/16).
4. **Credentials:**
- Add SSH and/or SNMP credentials for your network devices. Credentialed scanning provides the most accurate firmware and vulnerability data.
5. **Plugins:**
- In the 'Plugins' tab, disable all families first.
- Enable the following plugin families specifically:
- 'CISCO'
- 'Firewalls'
- 'NetScreen'
- 'Junos'
- 'Palo Alto Networks'
- 'SNMP'
- 'General'
- Search for and ensure plugins related to 'Firmware' and specific legacy vulnerabilities (e.g., 'WPS') are enabled.
6. **Save and Launch:** Save the policy and launch the scan against your network infrastructure segments.2. YARA Rule for CVE-2025-10035 (GoAnywhere MFT Deserialization)
rule GoAnywhere_MFT_Deserialization_CVE_2025_10035 {
meta:
description = "Detects potential artifacts related to the GoAnywhere MFT deserialization vulnerability CVE-2025-10035."
author = "Threat Rundown"
date = "2025-09-21"
reference = "https://thehackernews.com/2025/09/fortra-releases-critical-patch-for-cvss.html"
strings:
$java_header = {ac ed 00 05} // Java serialization magic bytes
$gadget_class1 = "org.apache.commons.collections.functors.InvokerTransformer"
$gadget_class2 = "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"
condition:
$java_header at 0 and (1 of ($gadget_class*))
}3. SIEM Query — Suspicious Outbound Connections from MFT Server
// Splunk Search
index=firewall OR index=proxy host="[GoAnywhere_MFT_Server_IP]"
| search action=allowed
| stats count by dest_ip, dest_port, user
| lookup known_good_destinations dest_ip OUTPUT
| where isnull(known_good_destinations) AND dest_port NOT IN (80, 443, 21, 22, 25)
// Filter for connections to non-standard ports and unknown destinations, which could indicate C2 activity post-exploitation.4. PowerShell Script — Check GoAnywhere MFT File Version (Illustrative)
# This script checks for an example file's version to infer patch status.
# NOTE: The file path and version number are illustrative and must be verified.
$goAnywherePath = "C:\Program Files\Fortra\GoAnywhere MFT\lib\goanywhere.jar"
if (Test-Path $goAnywherePath) {
try {
$fileInfo = Get-Item $goAnywherePath
$version = $fileInfo.VersionInfo.ProductVersion
# Replace '7.4.1' with the first patched version number
if ([System.Version]$version -lt [System.Version]'7.4.1') {
Write-Host "VULNERABLE: GoAnywhere MFT version $version on $env:COMPUTERNAME is outdated and may be vulnerable to CVE-2025-10035."
} else {
Write-Host "PATCHED: GoAnywhere MFT version $version on $env:COMPUTERNAME appears to be patched."
}
} catch {
Write-Host "Could not determine version for $goAnywherePath on $env:COMPUTERNAME."
}
} else {
Write-Host "GoAnywhere MFT path not found on $env:COMPUTERNAME."
}This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!