
12.05.25 Threat Report

This week’s report includes a severe Cisco IOS XE vulnerability enabling full device compromise, exposure of US government-linked credentials in infostealer malware dumps, and an advanced cross-platform malware campaign using weaponised PDF invoices. 


1. Cisco Urgently Patches Critical IOS XE Vulnerability Enabling Full Device Takeover

Cisco has issued emergency patches for CVE-2025-20188, a critical flaw rated CVSS 10.0 in the IOS XE Software that runs its Wireless LAN Controllers (WLCs). The vulnerability allows an unauthenticated, remote attacker to take full control of an affected device.

How the Attack Works:

The flaw is a hard-coded JSON Web Token (JWT) in the Out-of-Band AP Image Download feature. The feature is disabled by default, but where it has been enabled an unauthenticated remote attacker can:

  • Authenticate to the AP image download interface simply by presenting the hard-coded JWT, with no legitimate user credentials involved.

  • Upload arbitrary files.

  • Perform path traversal with the upload and execute commands with full root privileges.
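The two defects above, a shared constant used as the JWT verification key and an upload handler that trusts a caller-supplied path, are worth seeing side by side. The following is an added example, not Cisco code: the IOS XE implementation is not public, and the key, claims, directory and file names below are invented for illustration. It uses only the Python standard library.

```python
"""Why a hard-coded JWT key is equivalent to no authentication, and how an
upload handler should confine file names.

Added example, not Cisco code. The constant key, the claims and the upload
directory are constructed values, not anything taken from IOS XE.
"""
import base64
import hashlib
import hmac
import json
import posixpath
import secrets
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT: header.payload.signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature verifies under `key`, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


# --- Vulnerable pattern: the verification key is a constant baked into the image.
# Anyone who extracts the firmware learns it, so every "valid" token is forgeable.
FIRMWARE_CONSTANT_KEY = b"example-hard-coded-key-in-image"   # constructed value


def vulnerable_verify(token: str) -> Optional[dict]:
    return verify_jwt(token, FIRMWARE_CONSTANT_KEY)


def attacker_forge_token() -> str:
    """No credentials needed: the attacker holds the same constant key as the device."""
    return sign_jwt({"sub": "ap-image-download", "role": "admin"}, FIRMWARE_CONSTANT_KEY)


# --- Hardened pattern: a per-device key generated on the device and never shipped.
DEVICE_KEY = secrets.token_bytes(32)   # in practice persisted in device-local secure storage


def hardened_verify(token: str) -> Optional[dict]:
    return verify_jwt(token, DEVICE_KEY)


# --- The second defect: uploads must not be able to escape the image directory.
UPLOAD_ROOT = "/var/ap-images"   # hypothetical directory


def safe_upload_path(filename: str) -> Optional[str]:
    """Return the resolved path, or None if it would land outside UPLOAD_ROOT."""
    candidate = posixpath.normpath(posixpath.join(UPLOAD_ROOT, filename))
    if candidate == UPLOAD_ROOT or not candidate.startswith(UPLOAD_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    forged = attacker_forge_token()
    print("vulnerable verifier accepts forged token:", vulnerable_verify(forged) is not None)
    print("hardened verifier accepts forged token:  ", hardened_verify(forged) is not None)
    print(safe_upload_path("ap-image.bin"))
    print(safe_upload_path("../../etc/cron.d/backdoor"))
```

The forged token passes the vulnerable verifier and fails the hardened one, and the traversal name resolves to None. The design point is that an HS256 key shared by every unit of a product is a public value the moment one unit is unpacked; per-device keys, or asymmetric signing where the private half never leaves the issuer, are the fix, and the path check has to operate on the normalised path, not on the presence of `..` in the string.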

Affected devices (when running a vulnerable release with the feature enabled) include:

  • Catalyst 9800-CL Wireless Controllers for Cloud.

  • Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400 and 9500 Series Switches.

  • Catalyst 9800 Series Wireless Controllers.

  • Embedded Wireless Controllers on Catalyst Access Points.

Potential Impact:

  • Full device takeover.

  • Network disruption and potential lateral movement.

  • Risk of data exfiltration and ransomware deployment.

Recommendation:

  • Upgrade to the fixed release identified for your platform by the Cisco Software Checker.

  • Until the upgrade is done, disable the Out-of-Band AP Image Download feature unless it is required; AP image downloads then fall back to the CAPWAP method. To check whether it is on, run show running-config | include ap upgrade and look for ap upgrade method https.

  • Audit running configurations on a schedule for this and other unexpected settings, since a feature that is off by default only becomes an exposure once someone turns it on.

  • Monitor traffic to the controllers' management and image download interfaces for unexpected sources, and keep WLC management on a segmented network that untrusted hosts cannot reach.

2. DOGE Worker’s Credentials Found in Infostealer Malware Dumps

The credentials of Kyle Schutt, an employee at DOGE with access to sensitive Federal Emergency Management Agency data, were found in multiple infostealer malware dumps.

Key Details:

  • Schutt’s credentials appear in 51 historical data breaches and 4 infostealer logs. Unlike a website breach, an infostealer log means a device on which the credentials were typed or stored was itself infected.

  • Breaches include the Naz.API dump, ALIEN TXTBASE dump, and Telegram-shared logs.

  • It remains unclear when the malware infection occurred, raising significant concerns about personal device security for staff handling government data.

Potential Impact:

  • Severe risk of credential reuse and unauthorised access to sensitive government systems.

  • Potential national security implications if credentials were reused for official platforms.

Recommendations for DOGE:

  • Enforce multi-factor authentication (MFA) across all sensitive accounts.

  • Prohibit the use of personal devices for work involving sensitive data.

  • Conduct regular employee cyber hygiene training and security awareness sessions.


3. Hackers Weaponising PDF Invoices to Deliver Cross-Platform RAT Malware

A sophisticated phishing campaign has been detected leveraging weaponised PDF invoices to distribute a Remote Access Trojan (RAT), impacting Windows, Linux, and macOS systems.

Attack Methodology:

  • The emails pass SPF checks because they are relayed through serviciodecorreo.es, a mail service the spoofed sender domain authorises in its SPF record, so receiving filters see a legitimately sourced message.

  • The victim opens the PDF and clicks an embedded button, which leads to the download of a malicious JAR file.

  • Payloads are hosted on Dropbox and MediaFire and served through Ngrok tunnels, so download traffic goes to reputable or short-lived domains rather than attacker-registered infrastructure.

  • Delivery is geofenced: the JAR is served only to requests that appear to come from Italy, while everyone else receives harmless content, which also frustrates sandboxes and analysts outside the target region.

Malware Capabilities:

  • Remote command execution.

  • Keystroke logging.

  • File access and screenshot capture.

  • Webcam and microphone activation.

Potential Impact:

  • Full remote control of compromised systems.

  • Significant data theft and privacy breaches.

  • The payload is a JAR, so it only runs on hosts with a Java Runtime Environment (JRE) installed; Java-heavy estates are the primary targets, and removing unneeded JREs shrinks the exposed population.

Recommendation:

  • Block executables and JAR archives at the email gateway, identifying them by content rather than by file extension.

  • Deploy endpoint protection and advanced EDR tools.

  • Conduct phishing simulation and employee training.

  • Ensure all devices have the latest security updates installed.
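The gateway recommendation above is easy to state and easy to get wrong: a filter keyed on the .jar extension misses a renamed archive, and a filter that only looks at attachment types misses the PDF whose clickable button starts the chain. The script below is an added example, not code from the researchers who reported the campaign. It parses a message, recognises a JAR by its ZIP signature and META-INF/MANIFEST.MF entry regardless of name, and flags PDFs that carry an action dictionary (/URI, /Launch, /JavaScript). The sample message, the fake JAR and the minimal PDFs are constructed inline so it runs offline; none of them are real campaign artefacts.

```python
"""Gateway-side triage for the PDF-invoice / JAR lure.

Added example, not code from the original report. The sample message,
the JAR and the PDFs below are constructed for the demonstration.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Action keywords in a PDF that can send the reader somewhere or run something.
PDF_ACTION_RE = re.compile(rb"/(URI|Launch|JavaScript|JS)\b")


def is_jar(blob: bytes) -> bool:
    """A JAR is a ZIP archive containing META-INF/MANIFEST.MF, whatever its name."""
    if not blob.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(n.upper() == "META-INF/MANIFEST.MF" for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def pdf_actions(blob: bytes) -> list:
    """Return the sorted action keywords found in a PDF (empty list if none)."""
    if not blob.startswith(b"%PDF-"):
        return []
    return sorted({m.group(1).decode() for m in PDF_ACTION_RE.finditer(blob)})


def triage(raw: bytes) -> list:
    """Return (filename, reason) findings for every attachment of one message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        blob = part.get_payload(decode=True) or b""
        if is_jar(blob):
            findings.append((name, "JAR archive (contains META-INF/MANIFEST.MF)"))
        actions = pdf_actions(blob)
        if actions:
            findings.append((name, "PDF with action(s): " + ", ".join(actions)))
    return findings


# ---- constructed sample inputs (not real campaign artefacts) ----
def build_fake_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe")   # class-file magic only
    return buf.getvalue()


FAKE_PDF_WITH_LINK = (
    b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.invalid/invoice.jar) >> >> endobj\n%%EOF\n"
)
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"


def build_sample_message() -> bytes:
    m = EmailMessage()
    m["From"] = "billing@example.invalid"
    m["To"] = "ap@example.invalid"
    m["Subject"] = "Fattura 4471"
    m.set_content("In allegato la fattura.")
    m.add_attachment(FAKE_PDF_WITH_LINK, maintype="application", subtype="pdf",
                     filename="Fattura.pdf")
    # The JAR is renamed to hide its extension; the ZIP magic and manifest still give it away.
    m.add_attachment(build_fake_jar(), maintype="application", subtype="octet-stream",
                     filename="Fattura_dettaglio.pdf.bin")
    m.add_attachment(CLEAN_PDF, maintype="application", subtype="pdf",
                     filename="Condizioni.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for name, reason in triage(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

On the sample message the triage flags Fattura.pdf for its /URI action and Fattura_dettaglio.pdf.bin as a JAR, and passes Condizioni.pdf. The /URI check is deliberately broad: ordinary invoices rarely need clickable links, so in a gateway this would be a quarantine-and-review signal rather than a hard block, whereas a JAR that is not declared as one is a block on sight.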
