CyberNews: 07/11/2025 Edition

Published by Dunateo on 2025-11-07

Today’s roundup

  • What’s That Coming Over The Hill? (Monsta FTP Remote Code Execution CVE-2025-34299)
  • Cisco fixes critical UCCX flaw allowing Root command execution
  • Cisco became aware of a new attack variant against Secure Firewall ASA and FTD devices
  • Google sounds alarm on self-modifying AI malware
  • Hidden Logic Bombs in Malware-Laced NuGet Packages Set to Detonate Years After Installation
  • Vibe-Coded Malicious VS Code Extension Found with Built-In Ransomware Capabilities
  • Trojanized ESET Installers Drop Kalambur Backdoor in Phishing Attacks on Ukraine
  • U.S. Congressional Budget Office hit by suspected foreign cyberattack
  • Nevada government declined to pay ransom, says cyberattack traced to breach in May
  • SonicWall Firewall Backups Stolen by Nation-State Actor

Summary

A pre-authentication Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-34299, has been discovered in Monsta FTP, a web-based FTP client. The flaw, present in versions up to 2.11.2 and impacting over 5,000 internet-exposed instances, allows an attacker to upload arbitrary files to an arbitrary server path by tricking the application into downloading a malicious file from an attacker-controlled SFTP host. The vulnerability was patched in version 2.11.3, released on August 26, 2025.

Cisco has issued security updates addressing a critical vulnerability (CVE-2025-20354, CVSS 9.8) in its Unified Contact Center Express (UCCX) software. This flaw in the Java Remote Method Invocation (RMI) process permits an unauthenticated, remote attacker to upload arbitrary files and execute commands with root privileges. Fixed releases include 12.5 SU3 ES07 and 15.0 ES01; no workarounds are available.

Cisco has warned of a new attack variant actively targeting its Secure Firewall Adaptive Security Appliance (ASA) and Threat Defense (FTD) devices by exploiting CVE-2025-20333 and CVE-2025-20362. This activity, attributed with high confidence to the ArcaneDoor threat actor, can trigger unexpected device reloads, leading to denial-of-service conditions. These vulnerabilities were previously exploited in zero-day attacks to deploy the advanced malware families RayInitiator and LINE VIPER.

Google's Threat Intelligence Group (GTIG) reports the emergence of a new generation of malware that calls artificial intelligence services during execution to dynamically mutate, adapt, and collect data, thereby enhancing evasion and persistence. Examples include PROMPTFLUX, a VBScript dropper leveraging the Google Gemini API for self-obfuscation, and PROMPTSTEAL, a Python data miner that queries the Hugging Face API to generate commands for data collection. This marks a shift towards more autonomous, AI-integrated cyberattacks.

Nine malicious NuGet packages, published between 2023 and 2024 by a user named "shanhai666," have been identified containing hidden logic bombs. These payloads are designed to detonate on specific dates starting in August 2027, with the potential to sabotage database operations and corrupt industrial control systems, highlighting a significant future threat within the software supply chain.

A malicious Visual Studio Code (VS Code) extension, dubbed "susvsex" and reportedly created with the assistance of AI, has been found on Microsoft's official marketplace. The extension possesses basic ransomware capabilities and makes no attempt to conceal its malicious functionality, raising concerns about the deployment of AI-generated malware within developer ecosystems.

A Russia-aligned threat group, identified as InedibleOchotense, has been conducting phishing campaigns targeting Ukrainian entities since May 2025. The campaign impersonates ESET, a Slovak cybersecurity company, distributing trojanized ESET installers via spear-phishing emails and Signal messages to deploy the previously undocumented Kalambur backdoor.

The U.S. Congressional Budget Office (CBO) has confirmed it experienced a cybersecurity incident in which a suspected foreign hacker breached its network. The intrusion potentially exposed sensitive data, and an investigation is underway to determine the full scope and impact on the federal agency.

The State of Nevada has recovered from a ransomware attack that occurred on August 24, 2025, affecting 60 state agencies and disrupting critical health and public safety services. The state confirmed it did not pay the ransom and traced the initial breach to May 2025; recovery efforts cost approximately $1.6 million.

SonicWall has disclosed that backups of its firewall configurations were stolen from its MySonicWall systems by a suspected nation-state actor. The company clarified that this incident is distinct from the recent Akira ransomware attacks that have targeted its devices, indicating a separate compromise of its internal infrastructure.

Want to dig deeper?

Vulnerabilities

  • CVE-2025-20354 (Critical)
  • CVE-2025-20333 (Critical)
  • CVE-2025-20362 (Medium)

Cyber Groups

  • Akira (aliases: GOLD SAHARA, PUNK SPIDER, Howling Scorpius)

Malware Families

  • Akira (alias: REDBIKE)