Threat Advisories

A newly discovered Android banking trojan named Klopatra has infected more than 3,000 devices, with most cases observed in Spain and Italy. First identified by the Italian firm Cleafy in late August 2025, Klopatra is a sophisticated remote access trojan that leverages Hidden VNC to seize full control of compromised smartphones. It employs dynamic overlays to steal credentials and ultimately enables its operators to perform fraudulent financial transactions. 

Cisco has confirmed active exploitation of multiple vulnerabilities in the VPN/web services of Cisco Secure Firewall (ASA) and FTD. Threat actors chained a missing-authorization flaw with a separate web-service buffer overflow to achieve remote code execution and deploy persistent tooling. Government partners and national CERTs have supported the investigation and issued mitigations; CISA has published Emergency Directive ED 25-03 and added the exploited CVEs to its KEV catalog. 

Cloud security company Wiz has uncovered active exploitation attempts of a newly disclosed vulnerability in the Linux utility Pandoc, tracked as CVE-2025-51591 (CVSS score: 6.5). The flaw is a Server-Side Request Forgery (SSRF) issue, which allows attackers to exploit Pandoc’s handling of HTML documents containing <iframe> tags. Specifically, a crafted iframe can trick Pandoc into making unauthorized requests to sensitive internal resources such as the Amazon Web Services (AWS) Instance Metadata Service (IMDS).

Microsoft patched a critical token-validation vulnerability in Entra ID (formerly Azure Active Directory) — CVE-2025-55241 — that could have allowed attackers to impersonate any user, including Global Administrators, across virtually any tenant. The flaw, assigned a CVSS score of 10.0, was reported by researcher Dirk-jan Mollema on 14 July 2025 and addressed by Microsoft on 17 July 2025. Microsoft states there is no evidence the issue was exploited in the wild and that no customer action was required after the fix.

Google released security updates for Chrome to fix four vulnerabilities, including an actively exploited zero-day, CVE-2025-10585 — a type-confusion bug in the V8 JavaScript / WebAssembly engine that can lead to arbitrary code execution when a user visits a crafted webpage. Google’s Threat Analysis Group (TAG) reported the flaw on 16 September 2025 and confirmed an exploit exists in the wild. Technical details have been withheld to limit further abuse. 

Cyber security researchers have flagged a fresh software supply chain attack targeting the NPM (NPM  is one of the world's largest software registries, and the package manager for Node.js projects) registry that has affected more than 40 packages that belong to multiple maintainers.  

What is NPM? 

SalesLoft Drift is an AI-powered chat tool which interacts with Salesforce and is used by a number of large business for providing automated business support to customers. Beginning on August 08th 2025, attackers were able to compromise this tool with the objective of performing data theft.

Path transversal vulnerabilities (CVE-2025-8088) in the popular compression tool WinRAR first disclosed in July 2025 are reportedly being abused by suspected nation state threat actors in order to deploy malware.

Citrix NetScaler has had a difficult summer, with the vulnerability “CitrixBleed 2” being disclosed in July 2025 (a critical vulnerability causing memory exposure leaking sensitive information). However, this is not the end, as another critical vulnerability (CVE-2025-7775) was disclosed yesterday on the 26th of August. Because Citrix devices are normally public facing, the likelihood of exploitation in the wild increases significantly. In fact, both vulnerabilities have been actively exploited, according to Citrix.