A brute-force attack exposed firewall configuration files of every SonicWall customer who used the company’s cloud backup service, the besieged vendor said Wednesday.

An investigation aided by Mandiant confirmed the totality of compromise that occurred when unidentified attackers hit a customer-facing system of SonicWall controls. The company previously said less than 5% of its firewall install base stored backup firewall configuration files in the cloud-based service.

SonicWall did not answer questions about the extent to which the investigation revealed a more widespread impact for its customers, or if its assessment of that 5% figure remained accurate. The company initially revised its disclosure to clarify the scope of exposure was less than 5% of firewalls as of Sept. 17, but has since removed that detail from the blog post. 

“The investigation confirmed that an unauthorized party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service,” the company said in a statement.

The convoluted phrasing reignited criticism from threat researchers who have been tracking developments since SonicWall first reported the attack. 

Attackers accessed a “treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in an email.

“This raises questions about why the vendor didn’t implement basic protections like rate limiting and stronger controls around public APIs,” he added. 

SonicWall customers have confronted a barrage of actively exploited vulnerabilities in SonicWall devices for years. 

Fourteen defects affecting the vendor’s products have been added to the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities (KEV) catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a wave of about 40 Akira ransomware attacks between mid-July and early August.

While those attacks were linked to exploited vulnerabilities in SonicWall devices, the latest attack marked a direct hit on SonicWall’s internal infrastructure and practices.

The company said it has notified all impacted customers, released tools to assist with threat detection and remediation and encouraged all customers to log in to the MySonicWall.com platform to check for potential exposure.

“Although the passwords were encrypted, attackers have all the time in the world to crack them offline at their leisure,” Dewhurst said. 

“If the passwords used were weak in the first place, it’s almost certain that the threat actor has the plaintext versions already,” he added. “If the threat actor is unable to crack the passwords, you’re not out of the woods, as the information leaked will help in more complex targeted attacks.”

SonicWall said it has implemented additional security hardening measures and is working with Mandiant to improve the security of its cloud infrastructure and monitoring systems.

The post SonicWall admits attacker accessed all customer firewall configurations stored on cloud portal appeared first on CyberScoop.

This year’s theme focuses on government entities and small and medium-sized businesses that are vital to protecting the systems and services that keep our communities running.

The post Cybersecurity Awareness Month 2025: Prioritizing Identity to Safeguard Critical Infrastructure appeared first on SecurityWeek.

The CISA is set to expire on September 30, 2025, raising urgent questions about risk, politics, and the future of threat intelligence.

The post The Cybersecurity Information Sharing Act Faces Expiration appeared first on SecurityWeek.

Threat intelligence professionals have a sense of foreboding about a maximum-severity vulnerability Forta disclosed last week in its file-transfer service GoAnywhere MFT, as they steel themselves for active exploitation and signs of compromise.

Forta has not declared the defect actively exploited and did not answer questions to that effect from CyberScoop. Yet, researchers at watchTowr said they’ve obtained credible evidence of active exploitation of the vulnerability dating back to Sept. 10. 

The disagreement between vendor and research firm highlights a stubborn conundrum in the world of vulnerability disclosure and management. When defects turn out to be more severe  and actively exploited than vendors initially report, it creates unnecessary challenges for defenders and impacted users.

Forta did not answer questions about or respond to watchTowr’s latest findings. Forta maintains it discovered the vulnerability or its potential impact during a “security check” on Sept. 11, but it hasn’t included those details in the advisory. 

The cybersecurity vendor previously updated its security advisory for the deserialization vulnerability — CVE-2025-10035 — with details that baffled some researchers due to its lack of clarity. Forta added indicators of compromise and stack traces that, if present in customers’ log files, indicate their “instance was likely affected by this vulnerability,” the company said.

Ben Harris, founder and CEO at watchTowr, discredited some of Forta’s public statements about the vulnerability as he and his team of researchers confirmed suspicions they had about attacks linked to the vulnerability when it was first disclosed.

“What a mess,” he told CyberScoop. “All they had to do was just be honest and transparent — and instead, have turned this into scandal.”

Threat hunters’ concerns about the vulnerability were amplified when Forta updated its advisory to share specific strings for customers to monitor in their log files. 

The IOCs added to Forta’s advisory “makes us logically uneasy because it strongly suggests that attackers may already be active,” Harris said prior to confirming active exploitation. The details added to the vendor’s “Am I Impacted?” section in the advisory “implies this isn’t just a hypothetical risk,” Harris added. 

Researchers from Rapid7 and VulnCheck drew similar conclusions, noting its rare for vendors to publish IOCs for new critical vulnerabilities absent confirmed exploitation. 

“While the IOCs do not confirm exploitation in the wild, they strongly suggest the vendor believes that this vulnerability will be exploited if it has not already been,” said Stephen Fewer, senior principal researcher at Rapid7.

Private key, the missing link

Vulnerability researchers uncovered additional details about the steps attackers would have to take to achieve exploitation, including unexplained access to a specific private key.

“To successfully achieve remote-code execution, an attacker must send a signed Java object to the target GoAnywhere MFT server. The target server will use a public key to verify the signed object and, if the signature is valid, then an unsafe deserialization vulnerability can be hit, achieving arbitrary code execution,” Fewer said. 

“The missing detail is how the attacker can achieve this when the required private key is not present in the code base of GoAnywhere MFT,” he added.

This key, its whereabouts and how an attacker might gain access to it has researchers on edge, leading some to speculate the private key may have been leaked or otherwise stolen from a cloud-based GoAnywhere license server, which is designed to legitimize signed objects.

Researchers don’t have the private key and have been unable to produce a working exploit without it.

“Adversaries overall are opportunistic,” said Caitlin Condon, vice president of security research at VulnCheck. “It’s a pretty big deal for them to somehow get access to private keys.”

Cybercriminals have accessed private keys before, as evidenced earlier this month when an attacker exploited a zero-day vulnerability in Sitecore by using sample keys customers copied and pasted from the vendor’s documentation. 

A key was at the root cause of a major China-affiliated espionage attack on Microsoft Exchange Online in 2023, which exposed emails belonging to high-ranking U.S. government officials and others. Microsoft never definitively determined how the threat group it tracks as Storm-0558 acquired the key, and a federal review board later lambasted the company for “a cascade of security failures” in a scathing report about the attack and its widespread impact.

Vendor responsibility tested

Vendors are responsible for providing their customers with timely and actionable information that can protect them against attacks, including explicit acknowledgement of active exploitation, experts said. 

“This provides clarity and peace of mind for defenders looking to prioritize vulnerabilities more effectively in a challenging threat climate, rather than forcing them to speculate or rely on third-party research to answer questions that the supplier is best positioned to address,” said Caitlin Condon, vice president of security research at VulnCheck. 

“The easiest way to know whether this vulnerability, or any vulnerability, has been exploited would be for the vendor to explicitly disclose whether they’re aware of confirmed malicious activity in customer environments,” she said.

The maximum-severity score designated to CVE-2025-10035 is a revealing signal, Condon added. “It’s unusual for a vendor to assign a perfect 10 CVSS score unless they’ve validated vulnerability details and confirmed how an adversary would conduct a successful attack,” she said. 

Forta has been through this before. Its customers were previously targeted with a widely exploited zero-day vulnerability in the same file-transfer service two years ago. Fortra’s description of CVE-2025-10035 bears striking similarities to CVE-2023-0669, a defect exploited by Clop, resulting in attacks on more than 100 organizations, and at least five other ransomware groups.

Harris criticized Fortra for its reluctance to share crucial information.

“As an organization that signed CISA’s Secure By Design pledge that includes wording around transparency for in-the-wild exploitation, the situation seems rather disappointing,” he said. 

Enterprises, security professionals and defenders rely on accurate data to determine exposure and react accordingly, Harris added. 

“When transparency is missing, these same teams are left in the dark and left with inadequate information to make risk decisions,” he said. “Given the context of the solution being used, and the organizations that use this solution, we cannot understate the impact of additional dwell time for an attacker in some of these environments.”

The post Worries mount over max-severity GoAnywhere defect appeared first on CyberScoop.

The Cybersecurity and Infrastructure Security Agency acknowledged it’s yet to get a complete handle on the scope and impact of attacks involving Cisco zero-day vulnerabilities that prompted it to release an emergency directive Thursday. 

The attack timeline dates back almost a year, according to an investigation Cisco and federal authorities did behind the scenes to identify the root cause and then coordinate the issuance of patches to address software defects under active exploitation. 

“We observed initial activity that we believe was related back in November,” Chris Butera, acting deputy executive assistant director for cybersecurity at CISA, said during a media briefing Thursday. “It started off as reconnaissance activity on these types of devices, and that’s what kicked off back in November.”

That malicious activity — read-only memory modification — “began as early as November 2024, if not earlier,” he said. 

CISA said it’s aware of hundreds of Cisco firewalls in use across the federal government that are potentially susceptible to exploitation. The mandated steps outlined in the emergency directive will help the agency understand the full scope of those devices and the extent of compromise across federal agencies, Butera said.

Critical infrastructure operators are also likely affected, and CISA is asking those organizations to report incidents as they are confirmed, Butera said. 

He also addressed a considerable delay from discovery to disclosure. Cisco said it initiated an incident response investigation into the attacks on multiple federal agencies in May, but four months passed before it disclosed the malicious activity and patched the zero-day vulnerabilities. 

During that time, CISA chose to hold off on releasing the emergency directive, which requires federal agencies to take immediate action by the end of Friday. 

“With any vulnerability coordination, it takes some time to properly understand what that vulnerability is and whether that vulnerability is being exploited, and some time for the vendors to develop a patch to mitigate that,” Butera said. “So the timeline involved both investigation and patch development for that process.”

He added that CISA and Cisco collaborated to implement mitigation steps and remediate the malicious activity. The agency also worked with Cisco through the coordinated vulnerability disclosure process “so we could appropriately address the risk as fully as possible during this time,” Butera said.

Federal officials are concerned attacks may accelerate or shift in the wake of CISA’s effort to prod agencies to thwart the threat. 

“As soon as these vulnerabilities are released to the threat actor, we believe the threat actor will likely try to pivot and change tactics,” Butera said. “We think it’s really important for our organization to try to detect that threat actor activity as quickly as possible, so that is what’s driving the tight timeline.” 

Officials declined to discuss the attackers’ origins or motivations in detail. Butera said CISA is not focused on attribution at this time, and he did not confirm research from outside threat intelligence firms pinning the espionage attacks on a China state-affiliated threat group tracked as UAT4356 and Storm-1849. 

Butera said the espionage attacks linked to the Cisco zero-day vulnerabilities are separate and not connected to the widespread and ongoing China state-sponsored attack spree Mandiant and Google Threat Intelligence Group researchers warned about Wednesday. Those attacks also involve exploitation of network edge devices.

The post CISA says it observed nearly year-old activity tied to Cisco zero-day attacks appeared first on CyberScoop.

The hackers remained undetected for three weeks, deploying China Chopper, remote access scripts, and reconnaissance tools.

The post GeoServer Flaw Exploited in US Federal Agency Hack appeared first on SecurityWeek.

Hackers chained two Ivanti EPMM vulnerabilities to collect system information, dump credentials, and execute malware.

The post CISA Analyzes Malware From Ivanti EPMM Intrusions appeared first on SecurityWeek.

SonicWall said it confirmed an attack on its MySonicWall.com platform that exposed customers’ firewall configuration files — the latest in a steady stream of security weaknesses impacting the besieged vendor and its customers.

The company’s security teams began investigating suspicious activity and validated the attack “in the past few days,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop. “Our investigation determined that less than 5% of our firewall install base had backup firewall preference files stored in the cloud for these devices accessed by threat actors.”

While SonicWall customers have been repeatedly bombarded by actively exploited vulnerabilities in SonicWall devices, this attack marks a new pressure point — an attack on a customer-facing system the company controls.

This distinction is significant because it indicates systemic security shortcomings exist throughout SonicWall’s product lines, internal infrastructure and practices. 

“Incidents like this underscore the importance of security vendors — not just SonicWall — to hold themselves to the same or higher standards that they expect of their customers,” Mauricio Sanchez, senior director of enterprise security and networking research at Dell’Oro Group, told CyberScoop. 

“When the compromise occurs in a vendor-operated system rather than a customer-deployed product, the consequences can be particularly damaging because trust in the vendor’s broader ecosystem is at stake,” he added. 

SonicWall acknowledged the potential downstream risk for customers is severe. “While the files contained encrypted passwords, they also included information that could make it easier for attackers to potentially exploit firewalls,” Fitzgerald said. 

“This was not a ransomware or similar event for SonicWall, rather this was a series of account-by-account brute force attacks aimed at gaining access to the preference files stored in backup for potential further use by threat actors,” he added. 

SonicWall did not identify or name those responsible for the attack, adding that it hasn’t seen evidence of any online leaks of the stolen files. The company said it disabled access to the backup feature, took steps across infrastructure and processes to bolster the security of its systems and initiated an investigation with assistance from an incident response and consulting firm. 

Sanchez described the breach as a serious issue. “These files often contain detailed network architecture, rules, and policies that could provide attackers with a roadmap to exploit weaknesses more efficiently,” he said. “While resetting credentials is a necessary first step, it does not address the potential long-term risks tied to the information already in adversaries’ hands.”

SonicWall said it has notified law enforcement, impacted customers and partners. Customers can check if impacted serial numbers are listed in their MySonicWall account, and those determined to be at risk are advised to reset credentials, contain, remediate and monitor logs for unusual activity.

Many vendors allow customers to store configuration data in cloud-managed portals, a practice that introduces inherent risks, Sanchez said. 

“Vendors must continuously weigh the convenience provided against the potential consequences of compromise, and customers should hold them accountable to strong transparency and remediation practices when incidents occur,” he added.

Organizations using SonicWall firewalls have confronted persistent attack sprees for years, as evidenced by the vendor’s 14 appearances on CISA’s known exploited vulnerabilities catalog since late 2021. Nine of those defects are known to be used in ransomware campaigns, according to CISA, including a recent wave of about 40 Akira ransomware attacks. 

Fitzgerald said SonicWall is committed to full transparency and the company will share updates as its investigation continues.

The post Attack on SonicWall’s cloud portal exposes customers’ firewall configurations appeared first on CyberScoop.

CISA says it is time for the CVE Program to focus on improving trust, responsiveness, and the caliber of vulnerability data.

The post CISA: CVE Program to Focus on Vulnerability Data Quality appeared first on SecurityWeek.

Ashden Fein, Micaela McMurrough, Caleb Skeath, and John Webster Leslie of Covington and Burling write: The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) plans to delay the publication of its much-anticipated cybersecurity incident reporting rule implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  According to an entry on the Spring 2025 Unified Agenda...

Source

Jonathan Greig reports: Federal civilian agencies have until September 25 to patch a vulnerability in popular content management system Sitecore after incident responders said they disrupted a recent attack involving the bug. Sitecore published a bulletin on Wednesday about CVE-2025-53690, which affects several of the company’s products. A key issue with the bug is the use of...

Source

The Trump administration’s new AI Action Plan calls for companies and governments to lean into the technology when protecting critical infrastructure from cyberattacks.

But it also recognizes that these systems are themselves vulnerable to hacking and manipulation, and calls for industry adoption of “secure by design” technology design standards to limit their attack surfaces.

The White House plan, released Wednesday, calls for critical infrastructure owners — particularly those with “limited financial resources” — to deploy AI tools to protect their information and operational technologies.

“Fortunately, AI systems themselves can be excellent defensive tools,” the plan said. “With continued adoption of AI-enabled cyberdefensive tools, providers of critical infrastructure can stay ahead of emerging threats.”

Over the past year, large language models have shown increasing capacity to write code and conduct certain cybersecurity functions at a much faster rate than humans. But they also leave massive security holes in their code architectures and can be jailbroken or overtaken by other parties through prompt injection and data poisoning attacks, or leak sensitive data by accident.

As such, the administration’s plan builds on a previous initiative by the Cybersecurity and Infrastructure Security Agency under the Biden administration to promote “secure by design” principles for technology and AI vendors. That approach was praised in some quarters for bringing industry together to agree to a set of shared security principles. Others rolled their eyes at the entirely voluntary nature of the commitments, arguing that the approach amounted to a pinky promise from tech companies in lieu of regulation. 

The Trump plan states that “all use of AI in safety-critical or homeland security applications should entail the use of secure-by-design, robust, and resilient AI systems that are instrumented to detect performance shifts, and alert to potential malicious activities like data poisoning or adversarial example attacks.”

The plan also recommends the creation of a new AI-Information Sharing and Analysis Center (AI-ISAC) led by the Department of Homeland Security to share threat intelligence on AI-related threats.

“The U.S. government has a responsibility to ensure the AI systems it relies on — particularly for national security applications — are protected against spurious or malicious inputs,” the plan continues. “While much work has been done to advance the field of AI Assurance, promoting resilient and secure AI development and deployment should be a core activity of the U.S. government.”

The plan does not detail how the administration intends to define which entities or systems are “safety-critical” or constitute “homeland security applications.” Nor does it outline how companies or utilities of limited financial means would pay for and maintain AI defensive systems, which are not currently capable of autonomous cybersecurity work without significant human expertise and direction.

The plan proposes no new spending for the endeavor, and other sections are replete with mentions of the administration’s intentions to review and limit or reduce federal AI funding streams to states that don’t share the White House’s broader deregulatory approach.

Grace Gedye, an AI policy analyst for Consumer Reports, said “it’s unclear which state laws will be considered ‘burdensome’ and which federal funds are on the line.”

The plan also calls for the promotion and maturation of the federal government’s ability to respond to active cyber incidents involving AI systems. The National Institute of Standards and Technology will lead an effort to partner with industry and AI companies to build AI-specific guidance into incident response plans, and CISA will modify existing industry guidance to loop agency chief AI officers into discussions on active incidents.

Initial reactions to the plan included business-friendly groups cheering the administration’s deregulatory approach to AI and negative reactions from privacy and digital rights groups, who say the White House’s overall approach will push the AI industry further toward less-constrained, more dangerous and more exploitative models and applications.

Patrick Hedger, director of policy for NetChoice, a trade association for tech companies and online businesses, praised the plan, calling the difference between the Trump and Biden approaches to AI regulation “night and day.”

“The Biden administration did everything it could to command and control the fledgling but critical sector,” Hedger said. “That is a failed model, evident in the lack of a serious tech sector of any kind in the European Union and its tendency to rush to regulate anything that moves. The Trump AI Action Plan, by contrast, is focused on asking where the government can help the private sector, but otherwise, get out of the way.”

Samir Jain, vice president of policy at the Center for Democracy and Technology, said the plan had “some positive elements,” including “an increased focus on the security of AI systems.”

But ultimately, he called the plan “highly unbalanced, focusing too much on promoting the technology while largely failing to address the ways in which it could potentially harm people.”

Daniel Bardenstein, a former CISA official and cyber strategist who led the agency’s AI Bill of Materials initiative, questioned the lack of a larger framework in the action plan for how mass AI adoption will impact security, privacy and misuse by industry.

“The Action Plan talks about innovation, infrastructure, and diplomacy — but where’s the dedicated pillar for security and trust?” Bardenstein said. “That’s a fundamental blind spot.”

 The White House plan broadly mirrors a set of principles laid out by Vice President JD Vance in a February speech, when he started off saying he was “not here to talk about AI safety” and likened it to a discipline dedicated to preventing “a grown man or woman from accessing an opinion that the government thinks is misinformation.”  

In that speech, Vance made it clear the administration viewed unconstrained support for U.S.-based industry as a key bulwark against the threat of Chinese AI domination. Apart from some issues like ideological bias — where the White House plan takes steps to prevent “Woke AI” — the administration was not interested in tying the hands of industry with AI safety mandates.

That deregulatory posture could undermine any corresponding approach to encourage industry to make AI systems more secure.

“It’s important to remember that AI and privacy is more than one concern,” said Kris Bondi, CEO and co-founder of Mimoto, a startup providing AI-powered identity verification services. “AI has the ability to discover and utilize personal information without regard to impact on privacy or personal rights. Similarly, AI used in advanced cybersecurity technologies may be exploited.”

She noted that “security efforts that rely on surveillance are creating their own version of organizational risks,” and that many organizations will need to hire privacy and security professionals with a background in AI systems.

A separate section on the Federal Trade Commission, meanwhile, calls for a review of all agency investigations, orders, consent decrees and injunctions to ensure they don’t “burden AI innovation.”

That language, Gedye said, could be “interpreted to give free rein to AI developers to create harmful products without any regard for the consequences.” 

The post Trump AI plan pushes critical infrastructure to use AI for cyber defense appeared first on CyberScoop.

Arizona election officials say a hack targeting a statewide online portal for political candidates resulted in the defacement and replacement of multiple candidate photos with the late Iranian Ayatollah Ruhollah Khomeini.

While officials say the threat is contained and the vulnerability has been fixed, they also blasted the lack of support they’ve received from the federal government, claiming the Cybersecurity and Infrastructure Security Agency is no longer a reliable partner in election security under the Trump administration.

Michael Moore, the chief information security officer for Arizona’s Secretary of State, told CyberScoop that his office first became aware that something odd was happening on June 23, while many officials were at a conference. One user managing the candidate portal noticed that one of the candidate images uploaded to the site didn’t “make sense” because it appeared to be a picture of Khomeini. The next day they were notified that candidate profiles going back years had also been defaced with the same picture.

“My first call was to Arizona’s [Department of] Homeland Security,” Moore said. “We started troubleshooting, locked down that portion of the site, and started doing preventative measures to reduce our attack surface.” 

Moore said other important systems, such as the statewide voter registration database and its confidentiality system for domestic abuse survivors, are hosted on servers that are  segmented from other parts of the network. He said there is no evidence that the attackers “even attempted” to access state voter rolls.

Incident responders determined that the attacker was using the candidate portal to upload an image file containing a Base 64-encoded PowerShell script that attempted to take over the server.

Moore described the affected candidate portal as an older, legacy system that wasn’t designed for security. Unlike many other statewide systems, the candidate portal was explicitly created to accept uploads from the public.

Moore likened the situation to “a village that’s surrounded by a castle; we’ve got a moat, we’ve  got a drawbridge, we’ve got a portcullis and guards on the walls.”

“But when our village needs to do business,” he said, “we have doors and windows that are open and an adversary can just walk through … masquerading as a legitimate business.” 

The substance and timing of the hack point to someone with pro-Iranian interests. The incident took place the day after the U.S. bombed Iranian nuclear sites, and a Telegram message linked in the defacement promised revenge against Americans for President Donald Trump’s actions. 

Moore said they do not have definitive attribution for the attack at this time.

A deteriorating partnership

For years, CISA has coordinated election security between  states and the federal government, sharing intelligence on vulnerabilities or hacking campaigns, deploying cybersecurity experts, and assisting with active incidents.

Arizona, through its state DHS, contacted multiple federal agencies about the hack, including the FBI. But CISA was not part of that outreach.

In a scathing statement, Secretary of State Adrian Fontes, a Democrat who has long focused on election security, said that this once-fruitful partnership between CISA and states had been damaged as the agency has been “weakened and politicized” under the Trump administration.

“Up until 2024, CISA was a strong and reliable partner in our shared mission of securing American digital infrastructure, but since then the agency has been politicized and weakened by the current administration,” Fontes said.  

Fontes said he personally reached out in a letter to Homeland Security Secretary Kristi Noem months ago in an effort to establish a relationship but was “dismissed outright.”

“Given their recent conduct, and broader trends at the federal level, we’ve lost confidence in [CISA’s] capacity to collaborate in good faith or to prioritize national security over political theater,” he continued. “This is exactly the kind of division that foreign adversaries of Russia, China and Iran seek to exploit. Cybersecurity should never be a partisan issue. When trust breaks down between levels of government, we put our democratic system at risk.”

Since being sworn into power, President Donald Trump and his administration have taken an axe to CISA’s budget and workforce, eliminated regional offices, fired disinformation experts, and drastically reduced the agency’s once-robust support for securing state elections. 

Moore doubled down on Fontes’ sentiments, telling CyberScoop “it was easy and natural to work with CISA until 2024.” Under previous administrations he had a litany of CISA employees on speed dial, but “right now, in 2025, we have no [federal] cybersecurity advisors.”

“We will occasionally communicate with CISA at a regional level, but we don’t have that direct level of support” we used to, he said.

Outside of elections, he referenced the massive SharePoint vulnerability disclosed by Microsoft over the weekend as a prime example of CISA’s diminished capacity and willingness to coordinate national responses to major cyber threats.

“We’re effectively trying to recreate the federal government,” Moore said. “In the past, CISA would have led the charge [to coordinate around the SharePoint flaw]. I didn’t get an email from CISA until [Monday] morning warning about the event, and that’s too late. This started on Friday morning and the damage was done by Monday morning.”

A DHS spokesperson called Fontes’ criticism “misguided.”

“Here are the facts: In late June, the state requested assistance. On July 1st the Arizona Secretary of State posted a notice on their website and took their candidate portal offline for several days ahead of their primary special election,” the spokesperson said. “Since then CISA has been working with Arizona and has provided direct assistance to support their response efforts.”

A former senior DHS official told CyberScoop that “there does seem to be a loss of confidence among both private sector and state and local governments with regard to CISA” under the Trump administration.

In particular, the administration change has led to a “deemphasis of CISA in terms of being the primary federal civilian cyber response agency,” the former official continued. Additionally, the agency does not yet have a Senate-confirmed leader and “they’ve lost a lot of talent, mostly on the technical side, like engineering and the technical services division that’s hard to replace,” they added.

The official requested anonymity to speak candidly with CyberScoop about their interactions with DHS.

Further, the lack of action from the federal government on other critical matters related to the agency, like reauthorization of the expiring Cybersecurity Information Sharing Act, have “led stakeholders of CISA to question whether or not it is the same agency they could count on six or seven months ago.”

The official said they believe the administration is looking to change perceptions and expectations around CISA’s mission, as Trump, Noem and others have sharply criticized the agency for its election security work.

“My sense is this is exactly what they wanted, which was a reset of the relationship with CISA and the department, but also how it is perceived and acts in the interagency and beyond,” the official said.“When they say focus the core mission on cyber, to me that says programs of record like EINSTEIN and a lot of emphasis on things like [the Continuous Diagnostics and Mitigation program], resetting the relationship on infrastructure protection and providing more targeted resources for assessments, or cyber hygiene related initiatives,” they continued. “That has yet to make its way through the pipeline, though, and what you have now is kind of a half thought out plan.”

The post After website hack, Arizona election officials unload on Trump’s CISA appeared first on CyberScoop.

On Sunday, July 20, Microsoft Corp. issued an emergency security update for a vulnerability in SharePoint Server that is actively being exploited to compromise vulnerable organizations. The patch comes amid reports that malicious hackers have used the SharePoint flaw to breach U.S. federal and state agencies, universities, and energy companies.

In an advisory about the SharePoint security hole, a.k.a. CVE-2025-53770, Microsoft said it is aware of active attacks targeting on-premises SharePoint Server customers and exploiting vulnerabilities that were only partially addressed by the July 8, 2025 security update.

The Cybersecurity & Infrastructure Security Agency (CISA) concurred, saying CVE-2025-53770 is a variant on a flaw Microsoft patched earlier this month (CVE-2025-49706). Microsoft notes the weakness applies only to SharePoint Servers that organizations use in-house, and that SharePoint Online and Microsoft 365 are not affected.

The Washington Post reported on Sunday that the U.S. government and partners in Canada and Australia are investigating the hack of SharePoint servers, which provide a platform for sharing and managing documents. The Post reports at least two U.S. federal agencies have seen their servers breached via the SharePoint vulnerability.

According to CISA, attackers exploiting the newly-discovered flaw are retrofitting compromised servers with a backdoor dubbed “ToolShell” that provides unauthenticated, remote access to systems. CISA said ToolShell enables attackers to fully access SharePoint content — including file systems and internal configurations — and execute code over the network.

Researchers at Eye Security said they first spotted large-scale exploitation of the SharePoint flaw on July 18, 2025, and soon found dozens of separate servers compromised by the bug and infected with ToolShell. In a blog post, the researchers said the attacks sought to steal SharePoint server ASP.NET machine keys.

“These keys can be used to facilitate further attacks, even at a later date,” Eye Security warned. “It is critical that affected servers rotate SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers. Patching alone is not enough. We strongly advise defenders not to wait for a vendor fix before taking action. This threat is already operational and spreading rapidly.”

Microsoft’s advisory says the company has issued updates for SharePoint Server Subscription Edition and SharePoint Server 2019, but that it is still working on updates for supported versions of SharePoint 2019 and SharePoint 2016.

CISA advises vulnerable organizations to enable the anti-malware scan interface (AMSI) in SharePoint, to deploy Microsoft Defender AV on all SharePoint servers, and to disconnect affected products from the public-facing Internet until an official patch is available.

The security firm Rapid7 notes that Microsoft has described CVE-2025-53770 as related to a previous vulnerability — CVE-2025-49704, patched earlier this month — and that CVE-2025-49704 was part of an exploit chain demonstrated at the Pwn2Own hacking competition in May 2025. That exploit chain invoked a second SharePoint weakness — CVE-2025-49706 — which Microsoft unsuccessfully tried to fix in this month’s Patch Tuesday.

Microsoft also has issued a patch for a related SharePoint vulnerability — CVE-2025-53771; Microsoft says there are no signs of active attacks on CVE-2025-53771, and that the patch is to provide more robust protections than the update for CVE-2025-49706.

This is a rapidly developing story. Any updates will be noted with timestamps.

Authorities and researchers are intensifying warnings about active exploitation and pervasive scanning of a critical vulnerability affecting multiple versions of Citrix NetScaler products.

There is now widespread agreement among security professionals that the critical vulnerability, CVE-2025-5777, which Citrix disclosed June 17, is serious and harkens back to a 2023 defect in the same products: “CitrixBleed,” or CVE-2023-4966. Naturally, threat hunters are scrambling to assess and stop the strikingly similar challenges summoned by exploits of the newest CVE. 

For some Citrix customers, the warnings are too late. Vulnerability scans confirm active exploits occurred within a week of disclosure, and attackers have been swarming, hunting for exposed instances of the impacted devices since exploit details were publicly released earlier this month. 

“This vulnerability in Citrix NetScaler ADC and Gateway systems, also referred to as CitrixBleed 2, poses a significant, unacceptable risk to the security of the federal civilian enterprise,” Chris Butera, acting executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said in a statement. CISA added the exploit to its known exploited vulnerabilities catalog on July 10.

“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action by directing agencies to patch within 24 hours and we encourage all organizations to patch right away,” Butera added. The agency typically requires agencies to resolve “high risk” vulnerabilities within 30 days and “critical risk” vulnerabilities within 15 days.

The pre-authentication remote memory disclosure vulnerability, which has a CVSS score of 9.3, has been increasingly targeted for attacks globally. Imperva researchers on Friday said they’ve observed more than 11.5 million attack attempts targeting thousands of sites since the exploit was disclosed. 

“Attackers appear to be scanning extensively for exposed instances and attempting to exploit the memory-leak vulnerability to harvest sensitive data,” Imperva researchers said in a blog post.

Nearly 2 in 5 attack attempts have targeted sites in the financial services industry and 3 in 5 of those targeted sites are based in the United States, according to Imperva.

GreyNoise scans have observed 22 unique malicious IPs attempting to exploit CVE-2025-5777 thus far. The first malicious IP was observed June 23 and a spike of 11 unique malicious IPs was observed Friday. 

“I haven’t seen any attrition yet. This could be as bad or even worse than CitrixBleed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop. “The attack is very repeatable and those systems rarely have network monitoring. They also aren’t regularly updated, so patching them may be an issue.”

The number of Citrix customers already impacted remains unknown and victims have yet to come forward. 

“A lot of the attacks seem opportunistic, so there are likely multiple threat actors using the bug,” Childs said.

Citrix maintains there was no evidence of active exploitation when it disclosed the vulnerability. The vendor hasn’t shared much publicly in almost three weeks, other than an update in a June 26 blog post noting that CISA was aware of evidence of active exploitation. The company did not respond to a request for comment.

In the June blog post, Anil Shetty, senior vice president of engineering at NetScaler, disputed comparisons between CVE-2025-5777 and CVE-2023-4966. “While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related,” Shetty wrote. Cloud Software Group is the parent company of Citrix.

Researchers are also leveling criticism at Citrix for the relative ease by which an attacker can compromise a vulnerable instance of Citrix NetScaler with just a few requests. 

‘“The term “CitrixBleed’ is used because the memory leak can be triggered repeatedly by sending the same payload, with each attempt leaking a new chunk of stack memory — effectively bleeding sensitive information,” Akamai Security Intelligence Group said in a blog post.

Akamai researchers described the root cause of the vulnerability as “an uninitialized login variable, combined with improper memory handling, lack of input validation and missing error handling in Citrix NetScaler’s authentication logic.”

Zach Edwards, an independent cybersecurity researcher, told CyberScoop that CVE-2025-5777 and CVE-2023-4966 are “extremely similar,” aside from subtle differences in the versions of NetScaler impacted.

“The fact that these pre-authentication vulnerabilities keep coming up, which can facilitate complete compromises, is disappointing to see,” Edwards said. “It’s unclear how these significant vulnerabilities keep making their way through development processes, but Citrix clients, especially in the government and enterprise sectors, should be demanding more and requiring additional public context about the steps Citrix takes to test its software prior to a release.”

The post CitrixBleed 2 beckons sweeping alarm as exploits spread across the globe appeared first on CyberScoop.