
Vulnerabilities grew like weeds in 2025, but only 1% were weaponized in attacks

Would-be attackers spent 2025 swimming in a sea of more than 40,000 newly published vulnerabilities, VulnCheck said in a report released Wednesday, but only 1% of those defects, just 422, were exploited in the wild.

As the deluge of vulnerabilities grows every year, and CVSS ratings lose significance for vulnerability management prioritization, some defenders are turning to research on known exploited vulnerabilities to narrow their scope of work and place more emphasis on verified risks. 

“The growth in CVE volume is ludicrous, not necessarily unfounded, but it’s large. Defenders don’t know what to pay attention to,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. “Prioritization is still a huge problem.”

Too many defenders and researchers are paying attention to defects and unsubstantiated exploit concepts that aren’t worth their time, Condon added. “The indicators of risk that used to be semi reliable, now no longer are.”
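The prioritization approach described above, ranking a vulnerability backlog by confirmed exploitation before CVSS, is illustrated by the following added example. It is not code from the CyberScoop article, VulnCheck or CISA; it assumes only the field names of the CISA Known Exploited Vulnerabilities JSON feed (`cveID`, `vendorProject`, `product`, `knownRansomwareCampaignUse`), and the KEV entries, CVE identifiers and scan findings embedded in it are constructed placeholders, not real records.

```python
"""Rank a vulnerability backlog by known exploitation rather than CVSS alone.

Added example, not from the article or from VulnCheck/CISA. It assumes the
field names of the CISA KEV JSON feed (cveID, vendorProject, product,
knownRansomwareCampaignUse). All CVE ids and findings below are constructed
placeholders (the year "0000" is not a valid CVE year on purpose).
"""
import json

# Constructed sample in the shape of the CISA KEV feed.
KEV_FEED_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleEdge", "product": "VPN Gateway",
   "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleSoft", "product": "Collab Server",
   "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed scan findings: CVE id, CVSS base score, and whether the affected
# asset is an internet-facing network edge device.
FINDINGS = [
    {"cve": "CVE-0000-0003", "cvss": 9.8, "edge": False},  # critical on paper, no known exploitation
    {"cve": "CVE-0000-0001", "cvss": 7.2, "edge": True},   # in KEV, ransomware use, edge device
    {"cve": "CVE-0000-0002", "cvss": 8.1, "edge": False},  # in KEV, no ransomware flag
    {"cve": "CVE-0000-0004", "cvss": 5.3, "edge": True},   # edge device, not known exploited
]


def load_kev(feed_json):
    """Index a KEV-shaped feed: CVE id -> True if ransomware use is marked 'Known'."""
    data = json.loads(feed_json)
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in data["vulnerabilities"]}


def priority_key(finding, kev):
    """Sort key: known-exploited first, ransomware-linked next, edge exposure next, CVSS last."""
    cve = finding["cve"]
    return (cve in kev, kev.get(cve, False), finding["edge"], finding["cvss"])


def prioritize(findings, kev):
    """Return CVE ids in work order; CVSS only breaks ties within the same exploitation tier."""
    ordered = sorted(findings, key=lambda f: priority_key(f, kev), reverse=True)
    return [f["cve"] for f in ordered]


def tier(finding, kev):
    """Label a finding for a worklist; anything in KEV is 'patch now' regardless of CVSS."""
    cve = finding["cve"]
    if cve in kev:
        return "exploited-ransomware" if kev[cve] else "exploited"
    return "exposed-unexploited" if finding["edge"] else "backlog"


def worklist(findings, kev):
    """Map each CVE id to its tier, in priority order."""
    by_cve = {f["cve"]: f for f in findings}
    return [(cve, tier(by_cve[cve], kev)) for cve in prioritize(findings, kev)]


if __name__ == "__main__":
    kev_index = load_kev(KEV_FEED_JSON)
    for cve, label in worklist(FINDINGS, kev_index):
        print(f"{cve}  {label}")
```

Sorting the constructed findings by CVSS alone would put CVE-0000-0003 (9.8, no known exploitation) at the top; the exploitation-first key moves the two KEV entries ahead of it and uses CVSS only to order items with the same exploitation evidence. Against the live feed the same code applies after fetching the KEV JSON, since only the listed field names are assumed.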

The technologies exploited by attackers are developed and sold by many repeat offenders. Some of the vendors on VulnCheck’s list of the most routinely targeted vulnerabilities enjoy large market shares.

Other vendors, especially those in the network edge device space, have been inundated with malicious activity for years and remain the preferred intrusion point for attackers.

Network edge devices were responsible for 191 of the 672 products impacted by new known exploited vulnerabilities last year, representing 28% of the top targeted technologies in 2025, according to VulnCheck. 

“Anything that’s in that position of being at the network edge, guarding access to corporate networks, often in a privileged place for secure communication,” is naturally a large target, Condon said. 

This problem is exacerbated by the fact that many network devices are running on code bases that haven’t been radically changed in about a decade. Meanwhile, attackers have copies of that software and use fully automated analysis pipelines to quickly identify new vulnerabilities.

“Threat actors are much more organized presently than we all collectively are on defense,” Condon said. Defenders have to assume there’s going to be a new zero-day in any network edge device at any time, and patches will be reversed for exploit development in short order, she added.

Each of the top 50 vulnerabilities VulnCheck flagged in its report was exploited in the wild last year, had at least 20 working public exploits, and was used in attacks originating from at least two state-sponsored or cybercrime threat groups. The top exploited vulnerabilities were also linked to at least one ransomware variant and appeared in at least two instances of known botnet activity.

Four of the 10 most routinely targeted vulnerabilities last year — CVE-2025-53770 and CVE-2025-53771, which are variants of previously disclosed vulnerabilities CVE-2025-49706 and CVE-2025-49704 — were contained in Microsoft SharePoint. All four of the zero-day vulnerabilities were exploited en masse and initially compromised more than 400 organizations, including the Departments of Energy, Homeland Security and Health and Human Services.

VulnCheck confirmed a combined 69 known exploits for the quartet of SharePoint vulnerabilities. Researchers attributed the exploited vulnerabilities to a collective 29 threat groups and 18 ransomware variants, yet the attackers involved likely targeted more than one of the zero-days, resulting in some overlap.

Microsoft topped the list with nine of the 50 routinely targeted vulnerabilities appearing in its products last year. Ivanti was responsible for five, or 10% of the most targeted vulnerabilities last year. Fortinet ranked third on VulnCheck’s list with four vulnerabilities, followed by VMware with three, while SonicWall and Oracle each ranked high on the list with two exploited defects. 

The most targeted vulnerability of 2025 belongs to React2Shell, a maximum-severity defect in React Server Components that racked up 236 valid public exploits before the end of the year, less than a month after it was publicly disclosed by Meta and React. 

More than 200 of those public exploits were validated by VulnCheck by mid-December, as Palo Alto Networks Unit 42 confirmed more than 60 organizations were impacted by an initial wave of attacks.

VulnCheck’s research underscores that technology, in all of its forms, is ultimately the problem.

“We are at a point here where we’re not talking about a single vendor or technology. We are talking about writ large, we are getting creamed. We’ve got to start assessing ruthlessly and immediately how technology needs to evolve to be more resilient to these attacks over the long term,” Condon said. 

“We need to start being much more realistic about the state of our tech and what that means for cybersecurity.”

The post Vulnerabilities grew like weeds in 2025, but only 1% were weaponized in attacks appeared first on CyberScoop.

FBI calls Akira ‘top five’ ransomware variant out of 130 targeting US businesses

Federal cyber authorities shared new details Thursday about the Akira ransomware group’s techniques, the tools it uses and vulnerabilities it exploits for initial access alongside the release of a joint cybersecurity advisory.

Members of the financially motivated group, which initially appeared in March 2023, are associated with other threat groups, including Storm-1567, Howling Scorpius, Punk Spider, Gold Sahara, and may have connections with the disbanded Conti ransomware group, officials said. Akira uses a double-extortion model, encrypting systems after stealing data to amplify pressure on victims.

Akira ransomware has claimed more than $244 million in ransomware proceeds as of late September, the FBI and Cybersecurity and Infrastructure Security Agency said in the joint advisory. The group primarily targets small- and medium-sized businesses, with many victims in the manufacturing, education, IT, health care, financial and agriculture sectors.

“For the FBI, it is within the top five variants that we investigate,” Brett Leatherman, assistant director at the FBI Cyber Division, said during a media briefing Thursday. “It’s consequential. This group is very consequential that they fall likely within our top five.”

Ransomware is the FBI’s top cybercriminal threat, which is “enormous in terms of the amount of losses, the number of active variants and its disruptive effect,” he said. “The FBI is investigating over 130 ransomware variants targeting U.S. businesses in just about any critical infrastructure sector you can think of.”

The advisory, which was also supported by Europol and cyber authorities in France, Germany and the Netherlands, included six new vulnerabilities Akira is known to exploit, including defects affecting Cisco firewalls and virtual private networks, Windows, VMware ESXi, Veeam Backup and Replication and SonicWall firewalls.

“We know that they are actively looking at the vulnerabilities disclosed in [the joint advisory] in order to monetize their activity,” Leatherman said. 

Researchers previously warned that Akira hit about 40 victims by exploiting CVE-2024-40766, a year-old vulnerability, between mid-July and early August. That burst was followed by another wave of ransomware attacks linked to active exploits of the defect.

The joint advisory, which updates previous guidance around hunting for and defending against Akira, was not in response to any specific attack, said Nick Andersen, executive assistant director for cybersecurity at CISA. 

“It’s more a reflection of the reality that our nation’s ransomware adversaries are continuously evolving their tactics and therefore it’s critical that we improve our defenses as well,” he said. 

Akira operates quickly, exfiltrating data in just over two hours from initial access in some incidents, according to the advisory.

The FBI and researchers have observed Akira break into systems using stolen credentials, exploited vulnerabilities, and brute-force and password-spraying attacks. Authorities said Akira has abused remote access tools such as AnyDesk and LogMeIn to maintain persistence, created new accounts to establish footholds, and leveraged tools to escalate privileges.

Some of the indicators of compromise were observed as recently as this month, Leatherman said. 

“Actors are incredibly adaptable and are emphasizing operational security in their actions. Their attacks are increasingly becoming more sophisticated, complex and layered,” he added. “They can be extremely costly for victims, often with remediation costs far outpacing those of the original demand.”

The post FBI calls Akira ‘top five’ ransomware variant out of 130 targeting US businesses appeared first on CyberScoop.

SonicWall pins attack on customer portal to undisclosed nation-state

SonicWall said a state-sponsored threat actor was behind the brute-force attack that exposed firewall configuration files of every customer that used the company’s cloud backup service. 

The vendor pinned the responsibility for the attack on an undisclosed nation state Tuesday, after Mandiant concluded its investigation into the incident.

SonicWall did not attribute the attack to a specific country or threat group and Mandiant declined to provide additional information. The vendor’s update, which lacked a root-cause analysis, was mostly an effort to put the attack behind it as leadership made pledges to improve SonicWall’s security practices.

“The malicious activity has been contained and was isolated to our firewall cloud backup service, which stores firewall configuration files in a specific cloud bucket,” SonicWall CEO Bob VanKirk said in a pre-recorded video published alongside the update. “There was no impact to any SonicWall product, firmware, source code, production network, or to any customer data or any other SonicWall system.”

Yet, customer data was impacted because backup firewall configuration files were stolen. Ryan Dewhurst, head of proactive threat intelligence at watchTowr, previously told CyberScoop those files contain a “treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more.”

The vendor’s public disclosures regarding the attack have been convoluted and, in some cases, erroneous. SonicWall played down the scope of compromise in its initial disclosure, framing it as impacting less than 5% of its firewall install base, but walked that assessment back weeks later when Mandiant confirmed the totality of exposure. 

SonicWall said Mandiant determined the state-sponsored attacker gained access to the cloud backup files using an API call, but it did not provide further detail. 

Other critical details remain unknown, including how many customers were impacted and how long the nation-state attacker maintained access to SonicWall’s customer portal. The company said it detected suspicious activity on MySonicWall.com in September. 

The attack on SonicWall’s customer-facing system was disclosed a week after researchers and authorities warned about a fresh burst of about 40 Akira ransomware attacks involving exploits of a year-old vulnerability affecting SonicWall firewalls. The company said those attacks impacting customers are unrelated to the attack on SonicWall’s cloud backup environment.

“There is no evidence that this event is related to recent increases in the Akira ransomware attacks on edge devices,” VanKirk said. 

SonicWall customers have confronted a series of actively exploited vulnerabilities in SonicWall devices, including four flaws exploited in the wild this year.

Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA. 

VanKirk said the company is committed to continuously improving the security of its products and systems, adding that all of Mandiant’s recommended remediations have been enacted or are actively underway.

The post SonicWall pins attack on customer portal to undisclosed nation-state appeared first on CyberScoop.
