Stay up to date on critical cyber risks, Microsoft’s January Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Microsoft Patch Tuesday: 
  – 112 vulnerabilities disclosed
  – 8 rated Critical, 3 are Zero-Day (1 actively exploited)  

• High-Severity Advisories from Major Vendors: 
  – Adobe: 17 critical vulnerabilities patched across 11 products 
  – Fortinet: 1 high-severity flaws in FortiOS and FortiSwitchManager 
  – SAP: 4 critical vulnerabilities in SAP Landscape Transformation, SAP S/4HANA, and SAP Wily Introscope Enterprise Manager 
  – n8n: Fixed critical vulnerability affecting versions 1.65–1.120.4 
  – React Server: Disclosed critical RCE vulnerability in React Server Components 
  – Veeam: Disclosed multiple critical vulnerabilities affecting Veeam Backup & Replication v 13.0.1.180 and earlier   

• Top Threats to Watch: 
  – AI‑Powered Social Engineering & Identity Attacks – Attackers are abusing OAuth device-code authorization flows, QR‑code “Quishing,” and LinkedIn comment‑reply impersonation to bypass MFA and steal credentials at scale. 
  – Supply‑Chain & Developer Ecosystem Compromises – Major compromises include the Office Assistant supply‑chain attack, malicious VS Code/OpenVSX extensions (GlassWorm), and breach of Target developer systems—highlighting continued targeting of dev environments and CI/CD ecosystems. 
  – AI‑Driven Malware & Botnet Expansion – GoBruteforcer campaigns leverage AI‑generated default credentials and weak configurations to compromise 50,000+ servers, especially crypto and blockchain environments. 
  – Malicious Browser Extensions Harvesting AI Chats & Corporate Data – Two Chrome extensions with 900k+ installs stole ChatGPT/DeepSeek conversations and corporate browsing data, demonstrating large‑scale exfiltration from trusted browser ecosystems. 
  – Critical RCE Vulnerabilities Actively Exploited in the Wild – Active exploitation of WatchGuard Firebox (CVE‑2025‑14733), Fortinet FG‑IR‑19‑283, React Server Components (CVSS 10.0), Veeam Backup & Replication, and n8n workflow vulnerabilities poses severe risk for remote code execution, config theft, and full system compromise. 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. This month’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

• What This Means for Your Organization: 
  – No more security patches or bug fixes for Windows 10 devices  
  – Increased exposure to vulnerabilities and compliance risks  

• Continued support requires either:  
  – Enrolling in Microsoft’s paid ESU program, or  
  – Upgrading to Windows 11 

Need help planning your transition? 
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.

Patch Tuesday Summary

Microsoft January 2026 Patch Tuesday 
112 vulnerabilities disclosed, including 8 critical and 3 zero-days. By category:

• 57 Elevation of Privilege 
• 22 Remote Code Execution 
• 22 Information Disclosure 
• 5 Spoofing 
• 3 Tampering 
• 3 Security Feature Bypass 
• 2 Denial of Service 

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero-Days

Other Critical CVE’s Worth Mentioning

Microsoft January 2026 Security Update Release

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins

Fortinet *

Fortinet PSIRT Advisories

SAP *

SAP January 2026 Security Notes

Google Chrome

• Version: 144.0.7559.59/60 (Windows and Mac), 144.0.7559.59 (Linux) 
• Release Date: Tuesday, January 13, 2026 
• Key Fixes: High CVE-2026-0899, High CVE-2026-0900 and High CVE-2026-0901 

Chrome Release Notes

Mozilla Firefox

• Version: Firefox 147 
• Release Date: Tuesday, January 13, 2026 
• Key Fixes: High CVE-2026-0877/78/79/80/81/82 

Mozilla Release Notes

* Not handled by Fortress SRM. 

Threat Intelligence Trends – January 2026

The following resources are grouped by threat type / category. 

Emerging Threats

SOCRadar Annual Dark Web Report 2025  
SOCRadar’s 2025 Annual Dark Web Report highlights a data‑driven overview of underground cybercrime, showing that data leaks dominate dark web activity, with database‑related threats making up 64.06% of observed incidents and selling posts 59.32%. The United States remains the top target, responsible for 19.91% of dark‑web mentions and over 41% of ransomware attacks, while Public Administration emerges as the most exposed sector at 12.85%. 
Read more → 

Silent Push Uncovers Long‑Running Magecart Skimming Campaign  
Security researchers discovered a sophisticated Magecart web‑skimming network that has been active since at least 2022, targeting major payment cards including American Express, Discover, Mastercard, JCB, UnionPay, and others. 
Read more →

Target’s Dev Server Taken Offline After Hackers Claim Theft of Internal Source Code 
Hackers published samples of what they claim is stolen internal Target source code on a public Gitea instance, advertising a much larger 860GB dataset for sale and referencing internal systems, developer metadata, and private repositories. 
Read more →

Trust Wallet Confirms Extension Hack Led to $7 Million Crypto Theft 
Trust Wallet confirmed that a malicious Chrome extension update (version 2.68) published on December 24 allowed attackers to exfiltrate sensitive wallet data, resulting in approximately $7 million in stolen cryptocurrency. 
Read more →

Senior U.S. Officials Impersonated in Malicious Smishing & Vishing Campaign 
An IC3 Public Service Announcement warns that since at least 2023, threat actors have been impersonating senior U.S. government officials through smishing (SMS phishing) and AI‑generated vishing calls to build rapport with victims before moving conversations to encrypted apps. 
Read more →

Ransomware & Malware Deployment

Office Assistant Supply Chain Attack Delivers Malicious Plugin  
Security researchers uncovered a long‑running supply‑chain attack in which the popular Chinese AI‑powered Office Assistant application (version 3.1.10.1) secretly loaded a malicious downloader component that contacted C2 domains, retrieved multi‑stage payloads, and ultimately deployed the Mltab malicious browser plugin.
Read more →

GlassWorm Goes Mac: Fresh Infrastructure, New Tricks  
A new GlassWorm wave marks a major pivot from Windows to macOS, distributing malicious VS Code/OpenVSX extensions that use AES‑256‑CBC–encrypted JavaScript payloads instead of earlier invisible Unicode or Rust‑based techniques.
Read more →

MacSync Stealer Evolves into Code‑Signed Swift Malware 
Security researchers discovered a new MacSync Stealer variant delivered as a code‑signed and notarized Swift application inside a disk image, allowing it to bypass Gatekeeper and avoid traditional execution‑chain indicators. 
Read more →

GachiLoader: Obfuscated Node.js Loader Spread via YouTube Ghost Network 
Check Point Research identified GachiLoader, a heavily obfuscated Node.js‑based loader distributed through compromised YouTube accounts promoting fake game cheats and cracked software. 
Read more → 

Social Engineering Exploits

Convincing LinkedIn Comment‑Reply Tactic Used in New Phishing Campaign   
A new phishing campaign is flooding LinkedIn posts with fake “reply” comments impersonating LinkedIn, falsely claiming policy violations and urging users to click external links masked with lnkd.in shorteners for added credibility. 
Read more → 

GRU‑Linked BlueDelta Evolves Credential‑Harvesting Tactics 
Russia‑linked BlueDelta (APT28) expanded its credential‑harvesting campaigns throughout February–September 2025, targeting Turkish energy and nuclear researchers, a European think tank, and organizations in North Macedonia and Uzbekistan. The group used highly tailored lures, spoofed Microsoft OWA, Google, and Sophos VPN login pages. 
Read more → 

North Korean Kimsuky Actors Leverage Malicious QR Codes in Spearphishing (Quishing) Campaigns 
A new FBI Cybersecurity Advisory warns that North Korean Kimsuky actors are increasingly using malicious QR codes (“Quishing”) in highly targeted spearphishing campaigns against U.S. think tanks, NGOs, academia, and government‑linked entities. 
Read more → 

DocuSign Impersonation Wave Leveraging Real‑Time LogoKit Customization 
Security researchers  identified a growing wave of DocuSign impersonation attacks in which phishing emails mimic authentic DocuSign notifications, spoof sender domains, and address recipients by their login name to increase credibility. 
Read more → 

Access Granted: Phishing With Device Code Authorization Enables Stealthy M365 Account Takeovers 
Proofpoint researchers warn that multiple threat clusters—both financially motivated and state‑aligned—are now abusing Microsoft’s OAuth 2.0 device code authorization flow to trick users into granting attackers access to their Microsoft 365 accounts. 
Read more → 

AI-Driven Threats

Inside GoBruteforcer: AI‑Generated Server Defaults, Weak Passwords, and Crypto‑Focused Campaigns 
Check Point Research analyzed an evolved GoBruteforcer botnet variant that exploits AI‑generated server deployment examples and legacy stacks like XAMPP, which frequently include predictable default usernames and weak passwords, leaving over 50,000 internet‑facing servers vulnerable. 
Read more → 

LLMs & Ransomware: An Operational Accelerator, Not a Revolution 
SentinelOne researchers conclude that large language models (LLMs) are accelerating ransomware operations—improving speed, scalability, multilingual phishing, tooling generation, data triage, and negotiation—without fundamentally transforming attacker tactics. 
Read more → 

Chrome Extensions Impersonate AI Tools to Steal ChatGPT & DeepSeek Chats 
Security researchers report that two malicious Chrome extensions—Chat GPT for Chrome with GPT‑5, Claude Sonnet & DeepSeek AI and AI Sidebar with Deepseek, ChatGPT, Claude and more—accumulated over 900,000 installs while secretly exfiltrating full ChatGPT and DeepSeek conversation data and users’ browsing activity. 
Read more → 

Vulnerabilities Actively Exploited

Security Advisory: Vulnerability in n8n Versions 1.65–1.120.4 
n8n disclosed a critical security vulnerability affecting versions 1.65–1.120.4, specifically in workflows using a Form Submission trigger with file upload and a Form Ending node returning binary data. 
Read more → 

Vulnerabilities Resolved in Veeam Backup & Replication 13.0.1.1071 (KB4792) 
Veeam’s KB4792 advisory discloses multiple vulnerabilities affecting Veeam Backup & Replication 13.0.1.180 and all earlier v13 builds, all of which were fixed in version 13.0.1.1071. 
Read more → 

Critical Security Vulnerability in React Server Components (RSC) 
React disclosed CVE‑2025‑55182, a critical unauthenticated remote code execution (RCE) vulnerability (CVSS 10.0) affecting React Server Components, caused by unsafe deserialization of payloads sent to React Server Function endpoints. 
Read more → 

WatchGuard Firebox iked Out‑of‑Bounds Write Vulnerability (WGSA‑2025‑00027) 
WatchGuard disclosed WGSA‑2025‑00027, a critical Out‑of‑Bounds Write vulnerability (CVE‑2025‑14733) in the Fireware OS ikedprocess, allowing remote unauthenticated RCE on Firebox appliances. 
Read more → 

Product Security Advisory & Analysis: Observed Abuse of FG‑IR‑19‑283 (CVE‑2020‑12812) 
Fortinet has confirmed active, in‑the‑wild exploitation of the long‑patched FortiGate authentication bypass vulnerability FG‑IR‑19‑283 / CVE‑2020‑12812, originally disclosed in July 2020. 
Read more → 

Recommended Actions

Mitigations

• Patch all affected systems immediately, prioritizing critical vulnerabilities in Microsoft Patch Tuesday (8 Critical, 3 Zero‑Days), Adobe products, SAP, Fortinet, and WatchGuard Fireware OS (CVE‑2025‑14733) to prevent remote code execution and active exploitation attempts. 
• Upgrade or retire Windows 10 endpoints (end‑of‑support October 14, 2025) or enroll devices in Microsoft’s ESU program to maintain patch coverage. 
• Harden identity infrastructure by enforcing MFA everywhere, disabling vulnerable LDAP/2FA configurations in FortiGate devices, and reviewing OAuth app permissions to defend against device‑code phishing abuses (per Proofpoint research). 
• Remove malicious or suspicious browser extensions, especially AI‑related Chrome add-ons impersonating legitimate tools, and enforce extension allowlisting enterprise‑wide to prevent “prompt‑poaching” attacks. 
• Apply security updates for n8n workflows, upgrading to version 1.121.0+ to fix the file‑access vulnerability in Form Submission workflows. 
• Update React applications and frameworks (Next.js, Parcel/Vite RSC plugins) to patched versions addressing the CVE‑2025‑55182 RCE deserialization flaw. 
• Ensure Veeam Backup & Replication is updated to version 13.0.1.1071 to close RCE paths exploitable by Backup/Tape Operators or Backup Admins. 
• Harden exposed servers and databases by eliminating default/AI‑generated weak credentials to reduce susceptibility to GoBruteforcer botnet campaigns. 

Monitoring

• Monitor identity platforms (Azure AD/M365) for unusual OAuth device‑code authorizations, unexpected app consents, anomalous MFA‑less logins, and session‑token reuse attempts. 
• Watch for VPN and firewall anomalies, including FortiGate login attempts using case‑variant usernames (e.g., Jsmith vs jsmith) and WatchGuard Firebox connections to any published Indicators of Attack (IOAs). 
• Enable alerting for Chrome/Edge extension installations, especially AI sidebar/chat extensions, and track outbound connections to known attacker C2 domains associated with data‑exfiltrating browser extensions. 
• Monitor for signs of n8n exploitation, such as unexpected file reads, unauthorized workflow executions, or abnormal file‑handling behavior in Form Submission workflows. 
• Continuously monitor internet‑facing services (FTP/MySQL/PostgreSQL/phpMyAdmin) for brute‑force attempts, high‑volume authentication failures, and scanning activity consistent with GoBruteforcer botnet behavior. 

Detection Tips

• Look for RCE exploitation attempts targeting WatchGuard Firebox (CVE‑2025‑14733), including unexpected outbound connections to attacker IPs, exfiltration of config files, or rapid creation of gzip archives containing credentials. 
• Detect device‑code phishing chains by flagging user activity involving login.microsoft.com/devicelogin with suspicious timing, unexpected device codes, or unknown applications requesting access tokens. 
• Identify malicious browser extensions by scanning for extensions communicating with domains such as deepaichats[.]com, chatsaigpt[.]com, or suspicious Lovable‑hosted infrastructure used in AI‑chat exfiltration campaigns. 
• Check for indicators of GoBruteforcer infection, including newly dropped web shells, outbound IRC beaconing, high‑frequency scanning of public IP space, or processes using default/AI‑generated usernames (e.g., myuser, appuser). 
• Hunt for React Server Component exploitation by reviewing server logs for malformed RSC payloads, unexpected POST requests to RSC/Server Function endpoints, or errors related to deserialization. 
• Inspect n8n logs for anomalous access patterns, especially unauthorized POST requests to Form Submission endpoints that include unexpected file‑handling fields. 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy → 

The post Threat and Security Update – January, 2026 appeared first on Fortress SRM.

Stay up to date on critical cyber risks, Microsoft’s December Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Microsoft Patch Tuesday: 
  – 57 vulnerabilities disclosed 
  – 3 rated Critical, 3 are Zero-Day (1 actively exploited) 

• Adobe Security Updates: 
  – 139 vulnerabilities patched across 5 products 
  – 14 rated Critical, affecting Creative Cloud Desktop Application, Acrobat and Reader, DNG Software Development Kit (SDK), Experience Manager, and ColdFusion

• High-Severity Advisories from Major Vendors: 
  – Cisco: 1 critical-severity flaws in React and Next.js Frameworks 
  – Fortinet: 1 critical and 1 high-severity flaws in FortiOS, FortiWeb, FortiProxy, FortiSwitchManager, and FortiSandbox 
  – Ivanti: 1 critical and 3 high-severity flaws in Ivanti Endpoint Manager (EPM) 
  – SAP: 3 critical vulnerabilities in SAP Solution Manager, SAP Commerce Cloud, and SAP jConnect 
  – Google: Fixed 3 security issues, one that is being actively exploited 
  – Android: Fixed 2 actively exploited zero-days  

• Top Threats to Watch: 
  – Fortinet SSO Auth Bypass – Critical flaws allow attackers to bypass FortiCloud authentication. 
  – APT Collaboration – Gamaredon (Russia) and Lazarus (North Korea) sharing infrastructure. 
  – Insider Breach at CrowdStrike – Employee leaked internal screenshots to hackers. 
  – GlassWorm Malware – Self-propagating worm hiding malicious code in VS Code extensions. 
  – Storm-0249 Ransomware Tactics – Abuse of EDR software for stealthy persistence. 
  – Massive Phishing Campaign – 4,300+ domains targeting hotel guests and vacation planners. 
  – AI-Orchestrated Espionage – Claude AI exploited for autonomous cyber operations. 
  – FBI/CISA Alerts – Account takeover fraud, virtual kidnapping scams, and pro-Russia hacktivist attacks on critical infrastructure. 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. This month’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

• What This Means for Your Organization: 
  – No more security patches or bug fixes for Windows 10 devices  
  – Increased exposure to vulnerabilities and compliance risks  

• Continued support requires either:  
  – Enrolling in Microsoft’s paid ESU program, or  
  – Upgrading to Windows 11 

Need help planning your transition? 
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure.

Patch Tuesday Summary

Microsoft December 2025 Patch Tuesday 
57 vulnerabilities disclosed, including 3 critical and 3 zero-days. By impact category:

• 28 Elevation of Privilege 
• 19 Remote Code Execution 
• 4 Information Disclosure 
• 3 Denial of Service  
• 3 Spoofing 

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero-Days

Other Critical CVE’s Worth Mentioning

Microsoft December 2025 Security Update Release 

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins

Cisco *

Cisco Security Advisories

Fortinet *

Fortinet PSIRT Advisories

Ivanti *

Ivanti December 2025 Security Update

SAP *

SAP December 2025 Security Notes

Android

• Release Date: Friday, December 5, 2025  
• Key Fixes: 2 actively exploited zero-days, CVE-2025-48633 and CVE-2025-48572 involving information disclosure and elevation of privilege. 

Android Security Bulletin 

Google Chrome

• Version: 143.0.7499.109/.110 (Windows and Mac), 143.0.7499.109 (Linux) 
• Release Date: Wednesday, December 10, 2025 
• Key Fixes: CVE-2025-14372, CVE-2025-14373, and 1 high severity actively exploited not currently classified. 

Chrome Release Notes

* Not handled by Fortress SRM. 

Threat Intelligence Trends – December 2025

The following resources are grouped by threat type / category. 

Emerging Threats

Fortinet warns of critical FortiCloud SSO login auth bypass flaws  
Fortinet has released security updates to address two critical vulnerabilities in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager that could allow attackers to bypass FortiCloud SSO authentication. Read more →   

Alliances of convenience: How APTs are beginning to work together 
New evidence uncovered suggests that two of the world’s most aggressive advanced persistent threat (APT) actors, Russia-aligned Gamaredon and North Korea’s Lazarus, may be operating on shared infrastructure. Read more →  

CrowdStrike Catches Insider Feeding Information to Hackers 
American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors. Read more →  

Ransomware & Malware Deployment

GlassWorm: First Self-Propagating Worm Using Invisible Code Hits OpenVSX Marketplace 
GlassWorm malware targeting VS Code extensions on OpenVSX marketplace, using invisible Unicode characters that hides malicious intent in code editors. Read more →  

Storm-0249 Hijacks EDR Software for Ransomware Staging  
Financially motivated initial access broker (IAB) @Storm-0249 has shifted from using broad phishing to stealthier methods of initial access and establishing persistence. To achieve this, the IAB abused trusted endpoint detection and response (EDR) processes. Read more →  

Social Engineering Exploits

Thousands of Domains Target Hotel Guests in Massive Phishing Campaign  
A Russian-speaking threat actor operating an ongoing, mass phishing campaign targeting people who might be planning (or about to leave for) a vacation has registered more than 4,300 domain names used in the attacks since the beginning of the year. Read more →  

AI-Driven Threats

Claude AI Abused in AI-orchestrated Cyber Espionage Campaign 
This campaign demonstrated unprecedented integration and autonomy of AI throughout the attack lifecycle, with the threat actor manipulating Claude Code to support reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations largely autonomously. Read more →   

FBI/CISA Advisories

Account Takeover Fraud via Impersonation of Financial Institution Support 
The FBI warns of cyber criminals impersonating financial institutions to steal money or information in Account Takeover (ATO) fraud schemes. Read more →  

Criminals Using Altered Proof-of-Life Media to Extort Victims in Virtual Kidnapping for Ransom Scams 
The FBI warns the public about criminals altering photos found on social media or other publicly available sites to use as fake proof of life photos in virtual kidnapping for ransom scams. Read more →   

Title Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure 
The FBI, CISA, NSA, and partners release a joint advisory on Russian hacktivists targeting critical infrastructure with less sophisticated, lower impact attacks via VNC connections. Read more →  

Recommended Actions

Mitigations

• Apply Microsoft December Patch Tuesday updates immediately, prioritizing critical and zero-day vulnerabilities. 
• Patch Adobe, Cisco, Fortinet, Ivanti, and SAP products to address critical flaws and prevent exploitation. 
• Upgrade or enroll in Extended Security Updates (ESU) for Windows 10 devices to maintain compliance and reduce risk. 
• Implement least privilege access and enforce MFA to reduce insider threat impact. 
• Harden EDR configurations and validate integrity to prevent abuse by ransomware actors. 

Monitoring

• Monitor for FortiCloud SSO authentication bypass attempts and unusual login patterns. 
• Track APT-related infrastructure indicators (Gamaredon, Lazarus) and insider activity anomalies. 
• Watch for GlassWorm indicators in VS Code extensions and OpenVSX marketplace downloads. 
• Monitor DNS and web traffic for phishing domains targeting travel/hospitality. 
• Observe AI-related activity for signs of automated reconnaissance or exploitation. 

Detection Tips

• Deploy rules to detect Unicode-based obfuscation in code repositories (GlassWorm). 
• Alert on unexpected EDR process manipulation or persistence techniques (Storm-0249). 
• Flag large-scale domain registrations and suspicious email campaigns linked to phishing. 
• Detect anomalous API calls or privilege escalations in Fortinet, Ivanti, and SAP environments. 
• Use behavioral analytics to identify AI-driven attack patterns and insider data exfiltration. 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy → 

The post Threat and Security Update – December, 2025 appeared first on Fortress SRM.

Written by: Donovan Crowley, Fortress SRM Director of Security Strategy

Cloud environments aren’t just that “data center in the sky” anymore. They have become the backbone of modern enterprise IT. And with hybrid and multi-cloud setups becoming the norm, Microsoft Azure is often at the center, powering it all. 

But here’s the catch: with great flexibility comes great complexity… and where there’s complexity, there’s risk. 

Azure’s power lies in its configurability, but that same flexibility makes misconfigurations easy to create and hard to spot. In fact, misconfigurations remain one of the leading causes of cloud breaches today, far more common than flashy exploits or headline-grabbing vulnerabilities. 

Across our assessments and incident response cases, we see the same pattern: a small configuration slip, seemingly harmless, quietly escalates into serious exposure. And often, it happens without generating a single alert. 

Some of the most overlooked risks we see again and again include: 

• Overly permissive access rules that expose private workloads. 
• Local or legacy accounts bypassing MFA or Conditional Access. 
• Dormant identities and unused resources creating governance blind spots. 
• Misconfigured or missing logs that hinder threat detection. 
• Persistent admin privileges without PIM or just-in-time controls. 

Alone, these issues might not look like much. But in a fast-moving cloud environment, they stack up. And attackers love that hidden surface, auditors find it fast, and defenders usually spot it too late. 

In this post, we’ll break down the top five Azure misconfigurations we see in the wild, why even experienced teams miss them, and how a focused Cloud Security Posture Management (CSPM) assessment can help you fix them quickly. 

Top 5 Azure Misconfigurations Putting You At Risk

Azure makes it easy to move fast. You can deploy an entire workload in minutes, integrate it, and scale instantly. But that speed also means you can misconfigure it just as quickly. 

Cloud environments never sit still. New resources spin up, identity assignments change, and hidden dependencies. As a result, the same core misconfigurations show up in almost every assessment we run, whether the organization is a small startup or a Fortune 100 enterprise. 

Here are the top five issues you cannot afford to ignore.  

1. NSGs and RBAC Gone Wild: The Danger of Overly Permissive Permissions

Too much access + too many privileges = your biggest Azure attack surface.  

What to Watch For (Common Symptoms)

• Open inbound Network Security Group (NSG) rules that allow traffic from 0.0.0.0/0, especially for RDP (port 3389) and SSH (port 22). 
• Excessive RBAC role assignments, where users or groups are given broad roles (e.g., Owner or Contributor) where specific, granular functional roles should be used (e.g., Reader, Virtual Machine Contributor, etc.). 
• “Temporary” or convenience-driven configuration access that never gets removed.

Why It Matters

Exposed ports are top targets for brute-force and credential-stuffing attacks. Overprivileged accounts turn a minor breach into a major one. Regulatory frameworks like CIS, ISO, and NIST flag this as high-right.  

What to Check Right Now

1.) Do any NSGs allow unrestricted inbound access? 
2.) Do you have more than a handful of Owner/Contributor assignments? 
3.) Are administrative ports directly exposed to the internet? 

Recommended Fixes

NSG Hardening 

• Restrict inbound access to known IP ranges only. Use IP whitelisting for administrative protocols.
• Remove public exposure entirely where possible and use Azure Bastion for secure admin access. 
• Use Azure site-to-site or point-to-point VPN to your work site or static remote sites instead of public access for resource management. 
• Enforce network hygiene and compliance with Azure Policy, including: 
  – Deny Public Inbound Ports 
  – Deny Internet Facing NSG Rules 

RBAC Hardening 

• Adopt a least-privilege roles only model.
• Favor granular roles such as: 
  – Virtual Machine Contributor 
  – Storage Blob Data Reader 
  – Key Vault Reader 
• Audit role assignments for overprivilege regularly. Example:
  az role assignment list --all --query "[?
roleDefinitionName=='Owner'].[principalName,scope]"
• Schedule recurring RBAC and NSG reviews with resource owners and identity teams.

Pro Tip: Automate the Safety Net 

To scale risk detection and remediation: 

• Use Azure Defender for Cloud and your SIEM to alert on risky NSG or RBAC configurations. 
• Enable Just-in-Time VM Access via Defender to reduce inbound port exposure during operational windows. 

2. Local Admin Accounts That Won’t Quit: The Risk of Skipping Entra ID (Azure AD) Authentication 

Local accounts are like leftover sushi: they might look fine, but they’re a hazard.  

What to Watch For (Common Symptoms) 

• VMs or workloads accessed via local admin accounts, often shared informally among teams. 
• Applications or automation authenticate with static credentials embedded in code or stored insecurely. 
• Service accounts operating without lifecycle control, MFA, or logging. 

These shortcuts may speed things up, but they bypass every layer of modern identity security. 

Why It Matters

Attackers love static secrets, and local accounts bypass modern identity controls. Entra ID bypass = no MFA, no audit trail, and a giant gap in zero-trust.  

What to Check Right Now

1.) Are any VMs or workloads still using local admin accounts? 
2.) Do any apps or scripts rely on embedded secrets? 
3.) Are service accounts operating without logging or lifecycle management? 

Recommended Fixes

Enforce Entra ID Authentication First: 

• Enable Azure AD login for all VMs to centralize authentication and logging. 
• For Windows VMs, use Azure AD joined or Hybrid Join with AADLoginForWindows VM extension. 

Replace Secrets with Managed Identities: 

• Use System-assigned or User-assigned Managed Identities for Azure resources to access other services securely. 
• Eliminate secrets stored in code, environment variables, or key vaults. 

Secure Administrative Access  

• Disable direct local admin access wherever possible. 
• Leverage Azure Bastion or Just-in-Time (JIT) VM Access for secure admin connections. 
• Enforce session expiry, logging, and MFA via Privileged Identity Management (PIM) or conditional access. 

Audit and Cleanup Local Admin Accounts: 

• Inventory all local admin accounts across VM fleets. Use PowerShell or CLI to enumerate accounts:
  Get-LocalGroupMember -Group "Administrators"
• Regularly rotate or remove local accounts not tied to valid operational workflows. 
• Schedule recurring reviews to prevent “set-and-forget” accounts.  

Pro Tip: Continuous Detection 

• Use tools like Microsoft Defender for Cloud and Microsoft Entra ID Identity Protection for continuous detection of anomalous sign-in behavior. 
• Focus on accounts that haven’t yet been migrated to Entra ID.  

3. Stale Resources and Identity Sprawl: Why Azure Cleanup Can’t Wait

Old VMs, unused accounts, orphaned disks… clutter isn’t just messy, it’s also super risky.  

What to Watch For (Common Symptoms) 

• Dormant service principals, legacy user accounts, or invalid Entra ID credentials left active. 
• Stopped or orphaned VMs, unattached disks, and retired resource groups still incurring cost or creating risk. 
• Resource sprawl caused by ad hoc deployments without naming standards, tagging, or lifecycle policies. 

Even well-managed environments accumulate this kind of “cloud waste” and unmanaged sprawl without guardrails. Not only does this create hidden risk, but it also makes audits, costs analysis, and compliance much harder than they need to be.  

Why It Matters

Dormant assets = unmonitored attack surface. Plus, they inflate costs and complicate audits.  

What to Check Right Now

1.) Any identities or service principals not used in 90+ days? 
2.) Stopped or deallocated VMs, unattached disks, or idle load balancers? 
3.) Resources missing tags or lifecycle policies? 

Recommended Fixes 

Audit Entra ID Objects: 

• Scan Entra ID users, groups, and service principals for inactivity:
  (MSOL module deprecated in April): Get-
EntraInactiveSignInUser -LastSignInBeforeDaysAgo 90 -All
• Remove or disable any identities not used in the past 90 days. 
• Rotate shared or service account credentials regularly. 

Identify Stale Azure Resources: 

• Use Azure Advisor and Cost Management to detect unused resources. 
• Enable Azure Resource Graph Explorer to query at scale across subscriptions: 
  resources
| where type == 'microsoft.compute/virtualmachines'
| extend powerState = tostring(properties.extended.instanceView.powerState.displayStatus) 
| where powerState == 'VM deallocated' or powerState == 'VM stopped' 
| project name, resourceGroup, powerState, location 
| order by name asc 

Apply Naming, Tagging, and Lifecycle Standards: 

• Adopt consistent resource naming conventions and tagging requirements for ownership, environment, and expiration. 
• Automate tagging via deployment pipelines or Azure Policy for consistency. 

Pro Tip: Automate Cleanup 

• Build recurring workflows with Azure Automation runbooks or Logic Apps.
• Flag inactive objects and notify resources owners before automatic removal.

4. Missing Logs = Blind Security: Missing Log Configuration on Azure Resources

No logs = no visibility. Without proper logging, breaches, misconfigurations, or insider activity can fly under the radar.  

Logging is the backbone of cloud observability and security. Yet, in many Azure environments, critical resources are provisioned without proper diagnostic settings, leaving teams without visibility into performance, access, or potential compromise. 

Common Symptoms 

• Resources like Virtual Machines, Storage Accounts, Key Vaults, Databases, and App Services do not have diagnostic logs enabled. 
• Logs aren’t routed to a central Log Analytics Workspace (LAW), SIEM, or secure storage. 
• Inconsistent or absent log retention policies across teams or subscriptions.  

Without logs, security teams operate blind, and incidents may only be discovered after significant damage.  

Why It Matters 

Logs are the foundation of detection, investigation, and compliance. Without them, you’re flying blind.  

What to Check Right Now

1.) Are all critical resources logging to a central destination? 
2.) Are retention policies consistent and compliant? 
3.) Are diagnostic settings deployed at scale for all subscriptions and management groups? 

Recommended Fixes 

Enforce Diagnostic Settings at Scale 

• Use built-in Azure Policies to automatically audit and deploy diagnostics, such as: 
  – Audit Diagnostic Settings 
  – Deploy Diagnostic Settings for Key Vault 
  – Audit VMs without Monitoring Agent 
• Assign these policies at management group or subscription level for wide coverage. 

Confirm Logging Across Resource Types 

• List diagnostic settings for resource groups or resource types using the CLI:
   
  az monitor diagnostic-settings list –resource-group <resource-group-name> 
  
• Identify gaps and generate a remediation plan based on priority. 

Centralize Log Routing and Retention 

• Forward logs to: 
  – A Log Analytics Workspace (LAW) for structured queries and alerts 
  – A SIEM platform (e.g., Microsoft Sentinel, Elastic, SentinelOne Singularity) for threat detection 
  – Or secure storage with immutable retention policies for compliance 

Enable Additional Monitoring Signals 

• Activity Logs: Track control-plane activity and administrative actions. 
• VMInsights: Provide rich OS-level visibility for virtual machines. 
• Defender for Cloud logs: Monitor workload-level vulnerability and threat detection. 

Pro Tip: Continuous Coverage 

• Build a “Log Coverage Report” with Azure Monitor Workbooks or custom Resource Graph queries.  
• Use this to continuously assess and visualize log gaps across all assets in your tenant. 

5. Azure Admins Without PIM or Role Controls: A Ticking Time Bomb

Without Just-in-Time (JIT) and Privileged Identity Management (PIM), a single compromised admin can put your entire environment at risk. 

What to Watch For (Common Symptoms) 

• High-privilege roles (Global Admin, User Access Administrator, Owner) assigned permanently to user accounts or groups. 
• No guardrails in place for role assignment, expiration, or user justification. 
• Lack of auditing or monitoring on administrative role usage. 

Permanent admin assignments create a latent breach vector. Attackers are big fans of accounts that never expire. 

Why It Matters 

Violates least privilege and zero trust. Attackers actively target standing admin roles to move laterally. Compliance frameworks demand temporary, auditable, controlled privileged access.  

What to Check Right Now

1.) Which users or groups hold permanent high-privilege roles? 
2.) Are there no approval workflows or time limits in place? 
3.) Is JIT VM access enabled for administrative connections? 

Recommended Fixes 

Enable Privileged Identity Management (PIM) 

• Apply PIM to all high-impact roles including: 
  – Global Administrator 
  – Security Administrator 
  – Owner, Contributor (for resource-level RBAC) 
• Enforce:
  – Time-bound access (e.g., 4-hour windows) 
  – Justification and MFA for elevation 
  – Approval workflows for sensitive roles 

Audit and Rotate Standing Privileges 

• Review all current assignments to high-privilege roles by navigating to the Azure Portal and exporting the assignment list from PIM. 
• Remove or transition permanent assignments to eligible assignments under PIM. 
• Use Continuous Access Evaluation (CAE) in Entra ID to revoke access quickly if user risk changes or session anomalies are detected. 

Apply Just-In-Time Access 

• In addition to PIM for identity roles, configure Just-in-Time VM access via Defender for Cloud. 
• This locks down inbound RDP/SSH and only opens access upon authorized request for a limited time. 

Pro Tip: Continuous Monitoring 

• Integrate audit logs from PIM and JIT into a SIEM (e.g., Microsoft Sentinel).
• Monitor privilege elevations to detect unusual patterns and get early warnings on potential misuse.  

CSPM Assessment: Fast, Focused, Continuous

Traditional audits provide only a snapshot in time. Azure environments evolve constantly, and point-in-time reviews cannot keep up. Cloud Security Posture Management, or CSPM, changes that. It delivers automated visibility, intelligent detection, and prioritized remediation, giving your team both immediate and ongoing security improvements.

Bottom line: CSPM turns “Oops, Azure did it again” into “Got it covered.”

Why CSPM Matters

Even small misconfigurations can have major consequences:

• Ransomware exposure – open ports and stale accounts are actively exploited.
• Compliance failures – HIPAA, PCI DSS, ISO 27001, and other frameworks require proper access controls and audit trails.
• Unexpected downtime – misconfigurations can disrupt critical workloads.
• Reputational damage – customers expect reliable operations, not incident disclosures.

CSPM gives you continuous, automated insight into your environment. It identifies the misconfigurations that cause the most risk, including overly permissive access, stale identities, missing logs, credential misuse, and standing admin privileges. Every finding is tied to context, severity, business impact, and compliance requirements, so you know exactly what to fix first.

With CSPM in place, you move from reacting to incidents to preventing them. From scrambling before audits to walking in prepared. From hoping you are secure to knowing exactly where you stand.

What You Get with a CSPM Assessment

A CSPM assessment from Fortress SRM is conducted by our veteran cloud security analysts using modern tooling to deliver rapid visibility, automated detection, and actionable remediation tailored to your Azure environment.

• Rapid visibility – every user, resource, and permission across your Azure tenant.
• Automated detection – misconfigurations and security gaps with context and priority.
• Actionable remediation – clear, tailored steps for your environment.
• Continuous posture improvement – structured, ongoing cloud security management.

Next Step

Do not wait for an auditor or an attacker to uncover your risks. Fortress SRM provides hands-on support and continuous improvement to help you stay ahead of threats and ensure compliance.

Contact Fortress SRM to schedule your Azure CSPM Assessment and see exactly where your risks are and how to fix them fast.

The post Oops, Azure Did It Again: 5 Risks You Can’t Ignore appeared first on Fortress SRM.

Stay up to date on critical cyber risks, Microsoft’s November Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Microsoft Patch Tuesday: 
  – 63 vulnerabilities disclosed 
  – 4 rated Critical, 1 Zero-Day (actively exploited) 

• Adobe Security Updates: 
  – 29 vulnerabilities patched across 8 products 
  – 23 rated Critical, affecting InDesign, inCopy, Photoshop, Illustrator, Illustrator Mobile, Pass, Substance 3D Stager, and Format Plugins 

• High-Severity Advisories from Major Vendors: 
  – Cisco: 3 critical-severity flaws and 1 high-severity flaws, in Unified CCX, Secure Firewall ASA, Secure FTD, IOS/IOS XE/IOS XR, ISE RADIUS 
  – Fortinet: 1 medium-severity flaw in FortiOS 
  – Ivanti: 1 high-severity flaw in Ivanti Endpoint Manager 
  – SAP: 3 critical vulnerabilities in NetWeaver AS Java, SQL Anywhere Monitor, and Solution Manager
  – Google Chrome: 1 high-severity flaw fixed in security updates 
  – Mozilla Firefox: 9 high-severity flaws fixed in security updates  

• Top Threats to Watch: 
  – Microsoft Teams Exploitation – Vulnerabilities enabling impersonation, message manipulation, and spoofing in Teams 
  – Advanced Persistent Threat (APT) Activity – Increased operations by China-, Iran-, and North Korea-aligned groups 
  – AI-Driven Cyberattacks – Threat actors leveraging AI for prompt injection, social engineering, and malware  
  – Sophisticated Social Engineering Campaigns – Large-scale smishing, phishing kits like Quantum Route Redirect, and gift card fraud  

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. October’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

• What This Means for Your Organization: 
  – No more security patches or bug fixes for Windows 10 devices 
  – Increased exposure to vulnerabilities and compliance risks 

• Continued support requires either:  
  – Enrolling in Microsoft’s paid ESU program, or 
  – Upgrading to Latest Version of Windows 11 

Need help planning your transition? 
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure. 

Patch Tuesday Summary

Microsoft November 2025 Patch Tuesday 
63 vulnerabilities disclosed, including 4 critical and 1 zero-day. By category:

• 29 Elevation of Privilege 
• 16 Remote Code Execution 
• 11 Information Disclosure 
• 3 Denial of Service 
• 2 Security Feature Bypass 
• 2 Spoofing 

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero-Days

Other Critical CVE’s Worth Mentioning

Microsoft November 2025 Security Update Release

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins

Cisco *

Cisco Security Advisories

Fortinet *

Fortinet PSIRT Advisories

Ivanti *

Ivanti November 2025 Security Update

SAP *

SAP November 2025 Security Notes

Google Chrome

• Version: 142.0.7444.175/.176 (Windows and Mac), 142.0.7444.175 (Linux) 
• Release Date: November 11, 2025 
• Key Fixes: Security fix for CVE-2025-13223 and CVE-2025-13224 

Chrome Release Notes 

Mozilla Firefox 

• Version: Firefox 145 
• Release Date: November 11, 2025 
• Key Fixes: Security fix for 9 high severity CVE’s, including CVE-2025-13021, CVE-2025-13022, CVE-2025-13012, CVE-2025-13023, CVE-2025-13016, CVE-2025-13024, CVE-2025-13025, CVE-2025-13026, CVE-2025-13027 

Firefox Release Notes

* Not handled by Fortress SRM. 

Threat Intelligence Trends – November 2025

The following resources are grouped by threat type / category. 

Emerging Threats

Exploiting Microsoft Teams: Impersonation and Spoofing Vulnerabilities Exposed 
Check Point Research uncovered four vulnerabilities in Microsoft Teams that allowed attackers to impersonate executives, manipulate messages, spoof notifications, and forge identities in video and audio calls. Read more → 

APT Activity Report Q2 2025–Q3 2025 
ESET’s APT Activity Report for Q2–Q3 2025 highlights increased operations by China-aligned groups using adversary-in-the-middle techniques, Iran-aligned actors ramping up internal spearphishing, and North Korea-aligned hackers expanding cryptocurrency attacks into new regions like Uzbekistan. Read more → 

Preparing for Threats to Come: Cybersecurity Forecast 2026 
Google Cloud’s Cybersecurity Forecast 2026 predicts that threat actors will fully embrace AI-driven attacks, using techniques like prompt injection and AI-enabled social engineering, while defenders counter with AI agents and advanced identity management. Read more → 

Ransomware & Malware Deployment

Uncovering Qilin Attack Methods Exposed Through Multiple Cases 
The Qilin ransomware group (formerly Agenda) has emerged as one of the most prolific ransomware threats, using a double-extortion model that combines file encryption with public data leaks. Read more → 

Social Engineering Exploits

Jingle Thief: Inside a Cloud Based Gift Card Fraud Campaign 
The Jingle Thief campaign is a cloud-based gift card fraud operation exploiting Microsoft 365 environments using phishing and smishing, run by financially motivated threat actors based in Morocco.  Read more →  

The Smishing Deluge: China-Based Campaign Flooding Global Text Messages 
The Smishing Deluge campaign, attributed to the Smishing Triad, is a large-scale, decentralized smishing operation using fraudulent SMS messages about toll violations and package misdelivery to steal sensitive data. Read more → 

Quantum Route Redirect: Anonymous Tool Streamlining Global Phishing Attack 
The Quantum Route Redirect phishing kit is an advanced automation platform that streamlines global phishing campaigns targeting Microsoft 365 users, turning complex setups into simple one-click launches. Read more → 

Black Friday Scams – How to Detect the Red Flags and Protect your wallet and Data 
Cybercriminals are exploiting Black Friday shopping trends with scams that use fake retail websites, phishing emails, and malicious ads to steal payment information and personal data. Read more → 

AI-Driven Threats

First Vulnerability in OpenAI Atlas Browser, Allowing Injection of Malicious Instructions into ChatGPT 
LayerX discovered the first vulnerability in OpenAI’s ChatGPT Atlas browser, which allows attackers to inject malicious instructions into ChatGPT’s memory via a Cross-Site Request Forgery (CSRF) exploit. Read more →  

GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools 
Google Threat Intelligence reports that threat actors have moved beyond using AI for productivity and are now deploying AI-enabled malware that dynamically generates malicious scripts and evades detection. Read more → 

HackedGPT: Novel AI Vulnerabilities Open the Door for Private Data Leakage 
Tenable Research has discovered seven vulnerabilities and attack techniques in ChatGPT, including unique indirect prompt injections, exfiltration of personal user information, persistence, evasion, and bypass of safety mechanisms. Read more → 

Recommended Actions

Mitigations

• Apply all Microsoft November Patch Tuesday updates, prioritizing critical and zero-day CVEs (e.g., CVE-2025-62215). 
• Upgrade or enroll in Extended Security Updates (ESU) for Windows 10 devices to maintain compliance and reduce exposure. 
• Patch third-party applications promptly, especially Adobe, Cisco, and SAP products with critical vulnerabilities. 
• Harden email and collaboration platforms (Microsoft 365, Teams) against phishing and impersonation attacks by enabling safe links, anti-spoofing policies, and conditional access. 

Monitoring

• Monitor for signs of exploitation of zero-day vulnerabilities and critical CVEs in Microsoft and third-party products. 
• Track anomalous login activity, especially from new geolocations or impossible travel scenarios, to detect APT and social engineering campaigns. 
• Watch for large-scale smishing/phishing attempts and suspicious redirects (Quantum Route Redirect indicators). 
• Enable cloud app security monitoring for Microsoft 365 and Google Workspace to detect unauthorized gift card issuance or mailbox rule changes. 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy → 

The post Threat and Security Update – November, 2025 appeared first on Fortress SRM.

Stay up to date on critical cyber risks, Microsoft’s October Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protecting your business from threats. 

Quick Highlights

• Windows 10 End of Support 
  – Final patch released October 14 
  – No more updates unless enrolled in Extended Security Updates (ESU) or upgraded to Windows 11 
  – Now is the time to assess your upgrade path 
  
• Microsoft Patch Tuesday: 
  – 175 vulnerabilities disclosed 
  – 17 rated Critical, 6 are Zero-Day (3 actively exploited) 

• Adobe Security Updates: 
  – 36 vulnerabilities patched across 12 products 
  – 24 rated Critical, affecting Illustrator, FrameMaker, Creative Cloud, and more 

• High-Severity Advisories from Major Vendors: 
  – Cisco: 4 high-severity flaws, including SNMP RCE and Secure Boot bypass 
  – Fortinet: 2 high-severity flaws in FortiPAM and FortiOS 
  – SAP: 3 critical vulnerabilities in NetWeaver, Print Service, and SRM 
  – Ivanti: 5 high-severity flaws in EPMM and Neurons for MDM 

• Top Threats to Watch: 
  – Crimson Collective targeting AWS with leaked keys and extortion tactics 
  – VMware CVE-2025-41244 zero-day exploited for privilege escalation 
  – Quishing 2.0: QR code phishing attacks evolving in sophistication 
  – Ransomware Cartel: LockBit, DragonForce & Qilin collaborating 
  – Oyster Malware via fake Microsoft Teams installers 
  – Weaponized DFIR Tools: Velociraptor abused in ransomware attacks 
  – AI-Driven Threats: ShadowLeak zero-click exploit in ChatGPT; AI-generated phishing and malware 

Windows 10 Reaches End of Support

As of October 14, 2025, Microsoft has officially ended support for Windows 10. This month’s Patch Tuesday was the final security update for the OS—unless your organization enrolls in the Extended Security Updates (ESU) program. 

What This Means for Your Organization: 

• No more security patches or bug fixes for Windows 10 devices 
• Increased exposure to vulnerabilities and compliance risks 
• Continued support requires either:  
  – Enrolling in Microsoft’s paid ESU program, or
  – Upgrading to Windows 11 

Need help planning your transition? 
Fortress SRM can help assess your environment, prioritize upgrades, and ensure your endpoints remain patch-compliant and secure. 

Patch Tuesday Summary

Microsoft October 2025 Patch Tuesday 
175 vulnerabilities disclosed, including 8 critical and 6 zero-days. By category: 

• 80 Elevation of Privilege 
• 31 Remote Code Execution
• 28 Information Disclosure
• 11 Security Feature Bypass 
• 11 Denial of Service 
• 10 Spoofing 

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero-Days

Other Critical CVE’s Worth Mentioning

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe Security Bulletins → 

Cisco *

Cisco Security Advisories → 

Fortinet *

Fortinet PSIRT Advisories → 

Ivanti *

Ivanti October 2025 Security Update → 

SAP *

SAP October 2025 Security Notes → 

Google Chrome

• Version: 141.0.7390.107/.108 (Windows and Mac), 141.0.7390.107 (Linux) 
• Release Date: October 14, 2025 
• Key Fixes: Security fix for CVE-2025-11756 

Chrome Release Notes → 

* Not handled by Fortress SRM. 

Threat Intelligence Trends – October 2025

The following resources are grouped by threat type / category. 

Emerging Threats

Crimson Collective Targeting Cloud Environments 

A newly identified threat group, Crimson Collective, has been observed compromising AWS environments using leaked long-term access keys. They escalate privileges via IAM policies, exfiltrate sensitive data, and follow up with extortion attempts. Read more →  

Zero-Day Alert: VMware CVE-2025-41244 Privilege Escalation 

NVISO Labs identified active exploitation of CVE-2025-41244, a local privilege escalation flaw in VMware’s guest service discovery. The vulnerability allows attackers to elevate privileges and potentially pivot within virtualized environments. Read more → 

Quishing 2.0: QR Code Phishing Evolves 

Cybercriminals are refining quishing attacks using fake QR codes embedded in emails, flyers, and public spaces. These codes redirect users to phishing sites or initiate malware downloads. Read more → 

Ransomware & Malware Deployment

LockBit, DragonForce & Qilin Form Ransomware Cartel 

Three major ransomware groups have formed a criminal cartel to coordinate attacks and share infrastructure. Read more →  

Malvertising Campaign: Oyster Malware via Fake Teams Installers 

Threat actors are using SEO poisoning and malicious ads to distribute trojanized Microsoft Teams installers. These fake installers deploy Oyster (aka Broomstick), a modular backdoor that enables persistent remote access and stealthy data exfiltration. Read more → 

Velociraptor DFIR Tool Weaponized 

Threat actors are abusing the legitimate Velociraptor forensic tool to deploy ransomware like LockBit and Babuk. This marks a troubling trend of security tools being repurposed for attacks. Read more →

Group: Storm-2603 (China-based) 

Cephalus Ransomware via DLL Sideloading 

A new ransomware variant, Cephalus, uses DLL sideloading through SentinelOne binaries and RDP access without MFA. Read more → 

Cloud & Infrastructure Exploits

SonicWall SSLVPN Exploitation 

Akira ransomware actors are exploiting SonicWall VPNs using BYOVD techniques and clearing logs to evade detection. Read more → 

Discord Data Breach via Third-Party Vendor 

A breach at Discord’s support vendor exposed 70,000 government ID photos and personal data. Read more → 

Clop Claims Oracle E-Business Suite Data Theft 

The Clop ransomware group has reportedly sent extortion emails claiming to have stolen data from Oracle E-Business Suite environments. While the full scope of the breach is unclear, the tactic aligns with Clop’s recent shift toward data-centric extortion rather than encryption. Read more → 

AI-Driven Threats

AI-Powered Malware & Phishing 

Russia-linked groups are using AI to generate phishing lures and malware like WRECKSTEEL and GIFTEDCROOK. Read more → 

Zero-Click AI Exploit: ShadowLeak Vulnerability in ChatGPT 

Radware disclosed ShadowLeak, a zero-click prompt injection vulnerability in ChatGPT’s enterprise integrations. Malicious emails can silently trigger data exfiltration from OpenAI’s servers without user interaction, bypassing traditional security controls. Read more → 

Recommended Actions

Mitigations

• Prioritize patching all actively exploited zero-days from Microsoft and VMware. 
• Disable unused services on Cisco IOS XE and Fortinet appliances to reduce attack surface. 
• Enforce MFA across all cloud and identity platforms. 
• Restrict QR code scanning on unmanaged devices to mitigate quishing attacks. 
• Update endpoint protection to detect AI-generated malware variants. 

Monitoring

• Watch for suspicious authentication attempts in Azure, Fortinet, and Ivanti logs. 
• Monitor for unexpected outbound traffic from Teams or Office installations (possible Oyster malware). 
• Track file uploads and downloads in SAP SRM and Print Service environments. 
• Set alerts for SNMP activity spikes on Cisco devices (possible CVE-2025-20352 exploitation). 

Detection Tips

• Use YARA or Sigma rules to detect:  
  – Velociraptor misuse in ransomware campaigns 
  – ShadowLeak zero-click exploit indicators in AI platforms 
• Deploy honeypots or deception tools to detect brute-force attempts on FortiPAM and Secure Boot bypass attempts on Cisco IOS XE.  
• Leverage threat intel feeds to identify Crimson Collective and LockBit cartel infrastructure. 

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering 

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities. 

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management. 

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications 
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network 
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility 

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy → 

The post Threat and Security Update – October, 2025 appeared first on Fortress SRM.

But this isn’t just about avoiding service disruptions or checking a compliance box. It’s a chance to make authentication stronger, simplify management, and future-proof your identity security.

With some planning and the right tools, the migration can be smooth. At the same time, it’s a great opportunity to make your organization more secure and resilient.

The Highlights

Microsoft MFA & SSPR Retirement – Sept. 30, 2025

• Legacy MFA and SSPR policies end on September 30, 2025.
• All organizations need to migrate to Microsoft Entra Authentication Methods.
• Risks if you don’t migrate: login failures, service disruptions, compliance gaps.
• Old methods going away: security questions, SMS, voice calls.
• Modern methods available: passkeys (FIDO2), Microsoft Authenticator, certificate-based authentication.

Bottom line: Act now. Waiting likely means broken logins and weaker security.

What’s Changing

Historically, MFA and SSPR were managed separately in older portals. After September 30, 2025, those portals retire, and everything moves under Entra ID (formerly Azure AD). That means one centralized place to manage authentication and keep things consistent.

Specifically, key changes include:

• Legacy MFA policies will no longer be supported 
• SSPR policies will be retired 
• Security questions will be disabled entirely
  • To reiterate: Security questions will no longer be an option at all for resetting passwords
• Out-of-band MFA methods like SMS and voice calls will be discouraged under modern security standards such as NIST 

Entra Authentication Methods consolidates all authentication management into a single framework, making it easier to enforce secure, modern practices.  

Why This Matters

As a result, delaying migration could cause you to run into: 

• Misaligned authentication settings 
• User frustration from failed logins or password resets 
• Service disruptions 
• Security gaps from outdated methods 
• Compliance risks with NIST and other industry standards 

Beyond just meeting the deadline, this is a chance to take a closer look at your overall authentication and access policies.

A Strategic Moment to Reassess Identity Security

The MFA and SSPR retirement is mandatory, but it’s also a good time to step back and ask:

• Are we enforcing strong, phishing-resistant MFA methods? 
• Is our user experience consistent across apps and services? 
• Do we still have legacy authentication enabled? 
• Are our policies aligned with Zero Trust principles? 

This is your chance to move from “just compliant” to confident, resilient, and future-ready. 

Recommended Modern Authentication Methods

When you migrate, consider moving away from outdated methods and using:

• Passkeys (FIDO2) 
• Microsoft Authenticator 
• Certificate-Based Authentication 
• Email OTP (for SSPR only, and only for guest users if no other secure method is available) 

Avoid SMS, voice-based MFA, and security questions—they’re no longer recommended by NIST. And remember, security questions won’t be available at all for password resets.

Steps to Prepare for Migration

Here’s a practical roadmap to make sure things go smoothly:

• Assess current MFA and SSPR configurations in the legacy portals 
• Use Microsoft’s migration tool to import policies into Entra Authentication Methods 
• Test and validate new policies in a controlled group 
• Communicate changes and provide guidance to users 
• Retire old policies once the new setup is stable 

Pro Tip: Enable passwordless authentication, enforce conditional access policies, and disable legacy protocols that could expose vulnerabilities.

For official guidance: How to migrate to the Authentication methods policy – Microsoft Entra ID | Microsoft Learn

Modernize Your Authentication with Confidence

If this feels overwhelming, don’t worry. You don’t have to tackle it alone.

Our team specializes in helping organizations like yours: 

• Audit and map legacy authentication policies to understand your current setup
• Design secure, scalable Entra policies tailored to your needs
• Enable strong MFA and passwordless experiences for users
• Integrate policy changes with your broader identity and access strategies 
• Ensure a smooth, disruption-free transition 

Acting early reduces risk, avoids last-minute headaches, and makes sure your authentication practices are modern, secure, and compliant.

Don’t Just Meet the Deadline—Strengthen Your Security.

The September 30, 2025 retirement of legacy MFA and SSPR is coming up fast. This is more than a compliance task. It’s a chance to build a stronger identity security foundation.

Whether you’re just starting or already in motion, we’ll guide you through a seamless transition and uncover ways to improve your security along the way. Let’s turn this deadline into a security win for your organization.

Start the Conversation Today

Fill out the form below or connect with Kelsey on LinkedIn to get started.

The post Microsoft MFA & SSPR Retirement: Make Your Migration a Security Win appeared first on Fortress SRM.

Written by: Kelsey Clark, Fortress SRM Security Innovation & Brand Strategy Leader

The Hidden Risk Inside Your Inbox

Email is the communication backbone of modern work, but it’s also a top target for attackers.

Phishing, spoofing, and impersonation attacks exploit the fact that email was not designed with strong identity verification. As these attacks grow in sophistication, security teams face increasing pressure to protect both their organization and their people.

This is where DMARC (Domain-based Message Authentication, Reporting, and Conformance) can help.

What DMARC Does

DMARC helps receiving mail servers determine whether messages claiming to come from your domain are legitimate.

When implemented correctly, it reduces the risk of attackers impersonating your organization, protecting your employees, customers, and brand reputation.

While primarily a security tool, DMARC also supports trust and compliance by:

• Demonstrating that your emails are legitimate.
• Providing visibility into who is sending email on behalf of your domain.
• Helping you meet email authentication requirements that may support regulatory compliance.

How DMARC Works

DMARC builds on two key email authentication technologies:

• SPF (Sender Policy Framework): Verifies the sending server is authorized.
• DKIM (DomainKeys Identified Mail): Uses cryptographic signatures to ensure integrity.

On their own, SPF and DKIM are useful but incomplete. SPF can fail in forwarding scenarios, and not all senders consistently sign with DKIM. DMARC strengthens protection by requiring that at least one of these technologies passes and that the domain used aligns with the visible “From” header. This alignment check makes impersonation much harder.

• SPF Alignment: Confirms the sending server is authorized and its domain matches the “From” domain.
• DKIM Alignment: Confirms the message signature is valid and the signing domain matches the “From” domain.

If either SPF or DKIM aligns, DMARC passes. If neither aligns, DMARC applies the policy you’ve set—monitor, quarantine, or reject.

The diagram below illustrates this difference: before DKIM, DMARC relies solely on SPF alignment. After DKIM, DMARC can validate alignment with either SPF or DKIM, providing stronger, more reliable protection against spoofing.

Throughout this process, DMARC also generates reports that give you visibility into who is sending emails on behalf of your domain and which messages fail authentication. This combination of verification, alignment, policy enforcement, and reporting reduces spoofing, improves trust in your emails, and gives you actionable insight into your email ecosystem.

⚠️ Limitations: DMARC stops exact-domain spoofing, but not lookalike domains or compromised accounts.

It’s important to note that DMARC primarily protects against exact-domain spoofing. Lookalike domains, display name impersonation, and compromised accounts can still bypass these checks. For complete protection, DMARC should be implemented as part of a broader, layered email security strategy.

Why DMARC Matters for Your Organization

Email-based impersonation isn’t just an IT issue, but it’s a major business risk.

Without DMARC, there’s a better chance attackers can:

• Send fake invoices or phishing emails that put customers at risk
• Trick employees into sharing credentials or sensitive data
• Damage your organization’s reputation

With DMARC, you gain:

• Trustworthiness: Your emails are verifiable
• Visibility: Reports show domain usage
• Control: You decide how unauthorized emails are handled
• Confidence: Supports compliance and customer trust

Best Practices for Implementing DMARC

Rolling out DMARC isn’t a one-click solution. A strategic, phased approach will help you protect your domain without disrupting legitimate email flow.

1. Start with Monitoring: Use a “none” policy to gather data without impacting delivery.
2. Align SPF and DKIM: Ensure both are correctly configured and aligned with your “From” domain (strict vs. relaxed alignment per RFC 7489).
3. Sign Outgoing Mail: Use DKIM on all messages to verify authenticity.
4. Review Reports: DMARC aggregate (RUA) and forensic (RUF) reports are in XML format and difficult to read. You’ll need proper tooling to parse and act on them. Analyze who is sending emails on your behalf.
5. Gradually Enforce: Move from “none” to “quarantine” or “reject” to actively block spoofed messages, but be cautious. Jumping too quickly to “reject” can break legitimate third-party senders (CRMs, payroll services, marketing automation).
6. Include Subdomains: Protect all parts of your domain.
7. Educate Your Team: Train employees on phishing risks and DMARC’s role in your policy.
8. Maintain and Evolve Your Setup: Email infrastructure changes over time. Keep DMARC records up to date, and review policies regularly.

Beyond DMARC: Layered Security

DMARC is powerful, but most effective when combined with broader security measures:

• Ongoing user awareness training, including interactive tabletop exercises.
• Regular patching and proactive cybersecurity measures to maintain strong cyber hygiene. 
• Incident response planning to prepare your team for attacks before they happen.

Fortress SRM Can Help

Email spoofing and phishing aren’t going away, but DMARC gives your organization a strong defense. Implementing it can be complex, but you don’t have to go it alone.

The Fortress Security Risk Management team provides hands-on support for DMARC and broader email security as part of a holistic cybersecurity strategy. We work alongside you to identify risks, strengthen defenses, and simplify complexity. With our co-managed services, you get the right mix of guidance and support to match your security maturity, making security clear and manageable.

Take Action Today

Request your Fortress SRM DMARC assessment and start protecting your domain, your customers, and your business.

Fill out the form below or connect with Kelsey on LinkedIn to start the conversation.

The post DMARC: Strengthening Trust in Your Email Domain appeared first on Fortress SRM.

Stay up to date on critical cyber risks, Microsoft’s August Patch Tuesday, and other notable third-party vulnerabilities. Timely patching is key to maintaining a strong security posture and protect your business from threats.

The following resources are grouped by threat type / category.

Recent in Threat Intelligence News

Ransomware and AI-Enhanced Attacks

• Arctic Wolf Observes July 2025 Uptick in Akira Ransomware Activity Targeting SonicWall SSL VPN
• Ransomware Group Uses AI Chatbot to Intensify Pressure on Victims
• #StopRansomware: Interlock | CISA

Vulnerabilities / Exploits

• Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities
• Malcure Vulnerability (CVE-2025-6043) Risks 10,000+ Sites
• Microsoft Releases Guidance on High-Severity Vulnerability (CVE-2025-53786) in Hybrid Exchange Deployments
• UPDATE: Microsoft Releases Guidance on Exploitation of SharePoint Vulnerabilities
• SharePoint ToolShell | Zero-Day Exploited in-the-Wild Targets Enterprise Servers
• 1-Click Oracle Cloud Code Editor RCE Flaw Allows Malicious File Upload to Shell

Phishing and Social Engineering

• Scanception: A QRiosity-Driven Phishing Campaign
• The Cost of a Call: From Voice Phishing to Data Extortion
• Iranian Threat Actors Use AI-Generated Emails to Target Cybersecurity Researchers and Academics

DDoS / Network Attacks

• Hackers Breaking Internet with 7.3 Tbps and 4.8 Billion Packets Per Second DDoS Attack

Malware / RATs

• KongTuke FileFix Leads to New Interlock RAT Variant

Data Breaches / Trends

• US Data Breaches Head for Another Record Year After 11% Surge

Patch Tuesday

Microsoft August 2025 Patch Tuesday
108 vulnerabilities disclosed, including 13 critical and 1 zero-day. By category:

• 44 Elevation of Privilege
• 35 Remote Code Execution
• 18 Information Disclosure
• 9 Spoofing
• 4 Denial of Service

Critical Common Vulnerabilities and Exposures (CVEs)

Windows Zero-Day

• CVE-2025-33053 – Windows Kerberos Elevation of Privilege Vulnerability
  – Windows Kerberos vulnerability allows an authenticated attacker to gain domain administrator privileges through relative path traversal. Microsoft states an attacker would need elevated access to msds-groupMSAMembership and mdsd-ManagedAccountPrecededByLink attributes to exploit the flaw.
  – Vulnerability is publicly disclosed but is not actively being exploited in the wild.

Other Critical CVE’s Worth Mentioning

• CVE-2025-53793 – Azure Stack Hub Information Disclosure Vulnerability
• CVE-2025-49707 – Azure Virtual Machines Spoofing Vulnerability
• CVE-2025-53781 – Azure Virtual Machines Information Disclosure Vulnerability
• CVE-2025-50176 – DirectX Graphics Kernel Remote Code Execution Vulnerability
• CVE-2025-50165 – Windows Graphics Component Remote Code Execution Vulnerability
• CVE-2025-53740 / 53731 – Microsoft Office Remote Code Execution Vulnerability
• CVE-2025-53784 / 53733 – Microsoft Word Remote Code Execution Vulnerability
• CVE-2025-48807 – Windows Hyper-V Remote Code Execution Vulnerability
• CVE-2025-53766 – GDI+ Remote Code Execution Vulnerability
• CVE-2025-50177 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

3rd Party Critical CVE’s Worth Mentioning

Adobe Products *

Adobe released emergency updates for two zero-day flaws in Adobe Experiece Manager (AEM) Forms on JEE after a proof-of-concept exploit chain was disclosed that can be used for unauthenticated, remote code execution on vulnerable instances. These zero-day vulnerabilities are described below.

• CVE-2025-54253 – Misconfiguration allowing arbitrary code execution. Rated “Critical” with a CVSS score of 8.6.
• CVE-2025-54254 – Improper Restriction of XML External Entity Reference (XXE) allowing arbitrary file system read. Rated “Critical” with a maximum-severity 10.0 CVSS score.

Adobe also released 13 patches covering a total of 85 vulnerabilities. Of these, 38 of the flaws are rated as critical. The flaws could lead to application Denial-of-Service, arbitrary code execution, arbitrary file system read, memory leak, privilege escalation, and security feature bypass within varying Adobe products, listed below.

• Animate
• Commerce
• Dimension
• FrameMaker
• Illustrator
• InDesign
• InCopy
• Photoshop
• Substance 3D Modler
• Substance 3D Painter
• Substance 3D Sampler
• Substance 3D Stager
• Substance 3D Viewer

Android

Google has released security patches for six vulnerabilities in Android’s August 2025 security update, including two Qualcomm flaws exploited in targeted attacks.

Cisco *

• CVE-2025-20281 / 20282 / 20337 – Multiple vulnerabilities in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an unauthenticated, remote attacker to issue commands on the underlying operating system as the root user.
• CVE-2025-20274 – A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to upload arbitrary files to an affected device.
• CVE-2017-6736 / 6737 / 6738 – The Simple Network Management Protocol (SNMP) subsystem of Cisco IOS and IOS XE Software contains multiple vulnerabilities that could allow an authenticated, remote attacker to remotely execute code on an affected system or cause an affected system to reload.

Fortinet *

• CVE-2024-26009 – [HIGH] Weak Authentication FGFM Protocol in FortiOS, FortiProxy & FortiPAM
• CVE-2025-25248 – [MEDIUM] Integer Overflow in FortiOS, FortiPAM and FortiProxy SSL-VPN RDP and VNC bookmarks
• CVE-2025-53744 – [MEDIUM] Incorrect Privilege Assignment in FortiOS Security Fabric
• CVE-2023-45584 – [MEDIUM] A double free vulnerability in FortiOS, FortiProxy & FortiPAM administrative interfaces
• CVE-2024-52964 – [MEDIUM] An Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in FortiManager & FortiManager Cloud

Google Chrome

• Updated Version – 139.0.7258.127/.128 for Windows, Mac and 139.0.7258.127 for Linux.
• Chrome Release: August 12th, 2025

Ivanti *

• Ivanti has released updates for Ivanti Avalanche, Ivanti Virtual Application Delivery Control (vADC), and Ivanti Connect Secure, Policy Secure, ZTA Gateways and Neurons for Secure Access, which address 3 medium severity vulnerabilities, and 4 high severity vulnerabilities.
• August 2025 Security Update | Ivanti

SAP *

In August 2025, SAP Security Patch Day saw the release of 15 new Security Notes and 4 updates to previously released Security Notes.

TrendMicro *

TrendMicro released a mitigation tool to protect against recently discovered command injection remote code execution (RCE) vulnerabilities on Apex One Management Console (on-premise).

WinRAR

WinRAR released a security update for an actively exploited path traversal bug that could lead to remote code execution.

7-Zip

7-Zip released a security update for a path traversal flaw that could lead to RCE.

* Not handled by Fortress SRM.

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering

Why Patching Matters

Unpatched software is a leading cause of breaches—nearly 1 in 3 attacks exploit known vulnerabilities.

Vigilant Managed Cyber Hygiene

 Fortress SRM’s Vigilant Managed Cyber Hygiene simplifies patch management.

• Automated updates with 97%+ success rate for Microsoft & 100+ third-party applications
• Critical patches, OS upgrades, and configuration updates for all devices, on/off network
• 24/7/365 U.S.-based monitoring and real-time reporting for full visibility

Stay Protected. Stay Proactive.

Learn how Fortress SRM can enhance your cybersecurity strategy →

The post Threat and Security Update – August, 2025 appeared first on Fortress SRM.

Please see below updates on recent threat intelligence news, Microsoft’s July Patch Tuesday and other notable 3rd Party critical vulnerabilities.

Recent in Threat Intelligence News:

• AI-driven ID fraud surges 195% globally
• AI Tools Like GPT Direct Users to Phishing Sites Instead of Legitimate Ones
• Apple, Netflix, Microsoft Sites ‘Hacked’ for Tech Support Scams 
• DMV-Themed Phishing Attacks Targeting U.S. Citizens to Steal Sensitive Data
• Hackers switch to targeting U.S. insurance companies
• Hacktivists Launch DDoS Attacks At U.S. Following Iran Bombings
• Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest
• Iranian cyber threats overhyped, but CISOs can’t afford to let down their guard
• Massive 7.3 Tbps DDoS Attack Delivers 37.4 TB in 45 Seconds, Targeting Hosting Provider
• Microsoft Tightens Security Defaults for Windows 365 and Microsoft 365
• Exposing Scattered Spider: New Indicators Highlight Growing Threat to Enterprises and Aviation
• 16 billion passwords exposed in infostealer data leak​

Microsoft Vulnerabilities:

Microsoft disclosed a total of 137 vulnerabilities this month affecting its current operating system, including 14 critical vulnerabilities and one zero-day vulnerability. June 2025 Patch Tuesday addresses vulnerabilities across multiple categories:

• 53 Elevation of Privilege vulnerabilities
• 41 Remote Code Execution vulnerabilities
• 18 Information Disclosure vulnerabilities
• 8 Security Feature Bypass vulnerabilities
• 6 Denial of Service vulnerabilities
• 4 Spoofing vulnerabilities

The most critical Common Vulnerabilities and Exposures (CVEs) are highlighted below:

    Windows Zero-Days:

• CVE-2025-49719 – Microsoft SQL Server Information Disclosure Vulnerability
• Microsoft SQL server vulnerability could allow a remote, unauthenticated attacker to access data from uninitialized memory through improper input validation.
• Vulnerability is publicly disclosed and is not actively being exploited in the wild.

    Other Critical CVE’s worth mentioning:

• CVE-2025-49697 / 49695 / 49696 / 49702 – Microsoft Office Remote Code Execution Vulnerability
• CVE-2025-49704 – Microsoft SharePoint Remote Code Execution Vulnerability
• CVE-2025-49717 – Microsoft SQL Server Remote Code Execution Vulnerability
• CVE-2025-49703 / 49698 – Microsoft Word Remote Code Execution Vulnerability
• CVE-2025-36350 – AMD Transient Scheduler Attack in Store Queue
• CVE-2025-36357 – AMD Transient Scheduler Attack in L1 Data Queue
• CVE-2025-47981 – SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
• CVE-2025-48822 – Windows Hyper-V Discrete Device Assignment (DDA) Remote Code Execution Vulnerability
• CVE-2025-47980 – Windows Imaging Component Information Disclosure Vulnerability
• CVE-2025-49735 – Windows KDC Proxy Service (KPSSVC) Remote Code Execution Vulnerability

3rd Party Critical CVE’s worth mentioning:

Adobe Products (not handled by FSRM):

Adobe released 13 bulletins covering a total of 60 CVE’s. Of these, 39 of the flaws are rated as critical. The flaws could lead to arbitrary code execution, arbitrary file system read, memory leak, application Denial-of-Service, security feature bypass, and privilege escalation within varying Adobe products, listed below.

• After Effects
• Substance 3D Viewer
• Audition
• InCopy
• InDesign
• Connect
• Dimension
• Substance 3D Stager
• Illustrator
• FrameMaker
• AEM Forms
• AEM Screens
• ColdFusion

Cisco (not handled by FSRM):

• CVE-2025-20309 – Cisco Unified Communications Manager Static SSH Credentials Vulnerability (Critical)
• CVE-2025-20281 / 20282 – Cisco Identity Services Engine Unauthenticated Remote Code Execution Vulnerabilities (Critical)

Thunderbird:

• Security Vulnerabilities fixed in Thunderbird 140 — Mozilla

Fortinet (not handled by FSRM):

• CVE-2024-27779 – Insufficient Session Expiration Vulnerability in FortiSandbox & FortiIsolator
• CVE-2024-52965 – PKI via API Authentication Granted with an Invalid Certificate in FortiOS & FortiProxy
• CVE-2025-24477 – Heap-based Buffer Overflow Vulnerability in FortiOS cw_stad daemon
• CVE-2025-55599 – Improperly Implemented Security Check for Standard vulnerability in FortiOS and FortiProxy
• CVE-2025-24474 – Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in FortiManager and FortiAnalyzer

Google Chrome:

• Google released a security update to fix exploitable zero-day vulnerability – CVE-2025-6554
• Updated version – 138.0.7204.100/.101 for Windows, Mac and 138.0.7204.100 for Linux.
• No Android Security patches were released for July 2025.
• Chrome release: July 8th, 2025

Ivanti (not handled by FSRM):

• Ivanti has released updates for Ivanti Connect Secure (ICS), Ivanti Policy Secure (IPS), Ivanti Endpoint Manager Mobile (EPMM), and Ivanti Endpoint Manager (EPM) which address 6 medium severity vulnerabilities, and 5 high severity vulnerabilities.
• July 2025 Security Update | Ivanti

SAP (not handled by FSRM):

• In July 2025, SAP Security Patch Day saw the release of 27 new Security Notes and 4 updates to previously released Security Notes.

About Fortress SRM’s Vigilant Managed Cyber Hygiene Offering

Software vulnerabilities are a leading cause of cyberattacks, with nearly one-third of breaches stemming from unpatched, known flaws.

Maintaining secure and up-to-date operating systems and applications is a complex, time-consuming task that often strains internal IT resources. Fortress SRM’s Vigilant Managed Cyber Hygiene with 24/7/365 U.S.-based Monitoring Service simplifies patch management by delivering automated, high-efficacy updates (97%+ success rate) for Microsoft and over 100 third-party applications. This includes critical security patches, OS upgrades, and key configuration updates—across all devices, on or off the network.

Our real-time reporting console offers full visibility into patch status and activity, helping organizations maintain a strong, proactive security posture.

Ready to strengthen your cyber hygiene?

Contact us at Contact Us | Fortress Security Risk Management (fortresssrm.com) to learn how Fortress SRM can help support and enhance your organization’s cybersecurity strategy.

The post Security & Threat Updates – July 2025 appeared first on Fortress SRM.

Fortress Security Risk Management has also conducted an independent Threat Intelligence assessment focused on Iranian nation-state cyber threats. The findings and analysis are detailed in Appendix A.

Key Threats

Operational Technology (OT) Vulnerabilities

• Internet-facing OT and ICS devices are at high risk due to weak authentication and outdated software.
• Threat actors exploit default passwords, unpatched systems, and unsecured remote access to disrupt operations.

Iranian-Affiliated Cyber Activity

• Likely targets include critical infrastructure and Defense Industrial Base (DIB) companies.
• Tactics include ransomware, DDoS campaigns, data exfiltration, and attacks on OT systems such as PLCs and HMIs.

Recommended Mitigations

For OT and ICS Environments

• Disconnect OT from Public Internet: Remove unnecessary internet exposure and enforce allowlist access.
• Secure Remote Access: Use VPNs, private IPs, strong passwords, and phishing-resistant MFA.
• Segment Networks: Separate IT and OT environments using firewalls and demilitarized zones (DMZs).
• Patch Regularly: Apply updates to address known vulnerabilities.
• Plan for Manual Operations: Test backups and fail-safes to maintain continuity during disruptions.

For General Cyber Threats

• Enforce Strong Credentials: Replace default or weak passwords and enable MFA.
• Monitor Access Logs: Track remote access and configuration changes for anomalies.
• Develop Incident Response Plans: Ensure your team is prepared to respond and recover quickly.
• Protect Sensitive Data: Implement controls to reduce the impact of potential leaks or breaches.

Helpful Resources

• Iran Threat Overview and Advisories | CISA
• Iran State-Sponsored Cyber Threat: Advisories | CISA
• Understanding and Responding to Distributed Denial-Of-Service Attacks | CISA

Report Suspicious Activity

• CISA: report@cisa.gov | 888-282-0870
• FBI: Home Page – Internet Crime Complaint Center (IC3) or contact your local field office
• NSA: CybersecurityReports@nsa.gov

How Fortress SRM Can Help

Fortress SRM is here to support your organization with:

• Vulnerability assessments
• OT/ICS security reviews
• Incident response planning
• Threat monitoring and mitigation

Contact us today at bettersecurity@fortresssrm.com to schedule a consultation or learn more about how we can help strengthen your cybersecurity posture.

Appendix A – Fortress Cyber Risk Management Independent Threat Intelligence Assessment

Appendix A dives deeper into specific threat actors, their unique tactics, and prominent attack vectors, enabling organizations to tailor defenses against these precise threats.

Section 1 – Key Iranian-Affiliated Threat Actors

APT33 (Elfin) – Targets the aerospace and energy sectors through spear-phishing campaigns and credential theft operations.

APT34 (OilRig) – Focuses on financial, energy, and telecommunications industries; known for deploying web shell implants and phishing techniques.

APT35 (Charming Kitten) – Engages in credential-harvesting campaigns targeting dissidents, academics, and non-governmental organizations (NGOs).

APT42 – Exploits vulnerabilities in VPN appliances and Fortinet devices to establish persistent access within targeted networks.

Emennet Pasargad – Specializes in intrusions into Operational Technology (OT) and Industrial Control Systems (ICS), leveraging custom malware and zero-day exploits.

MuddyWater (SeedWorm) – Conducts low-profile cyber espionage using backdoors and remote access tools.

Pioneer Kitten – Performs reconnaissance on supply chains and deploys bespoke malware for targeted intrusions.

Section 2 – Prominent Iranian Threat Vectors and Tactics

• Spear-phishing & credential harvesting
• Watering-hole attacks
• Exploitation of Microsoft Exchange & Fortinet vulnerabilities
• Destructive wiper malware (e.g., Shamoon)
• ICS/OT intrusion & process-disruption payloads (e.g., Triton/HatMan)
• Ransomware & distributed-denial-of-service (DDoS)
• Remote code execution via exposed services
• Supply-chain compromise of legitimate software
• Illicit procurement & sanctions evasion to support cyber operations

The post Cyber Threat Bulletin Summary: Iranian Cyber Actors Targeting U.S. Networks and Operational Technology appeared first on Fortress SRM.