Weekly Security News – 30th June 2025

6 mins read

Microsoft 365 being abused, Brother printers exposing admin passwords, patches for Citrix, Cisco, Chrome and Firefox...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all into one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Active Exploitation of Zero-Day Vulnerability CVE-2025-6543 in NetScaler ADC and NetScaler Gateway

Citrix has released a security advisory for CVE-2025-6543, an actively exploited ‘memory overflow’ vulnerability with a CVSSv4 base score of 9.2. Successful exploitation could allow a remote, unauthenticated attacker to cause unintended control flow or a denial-of-service (DoS) condition in NetScaler ADC and NetScaler Gateway. An appliance is only vulnerable when it is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server; you can confirm which of these are configured from the NetScaler CLI with ‘show vpn vserver’ and ‘show authentication vserver’. Security researchers have suggested that CVE-2025-6543 could also allow remote code execution. The following platforms are known to be affected:

NetScaler ADC

  • All prior to 14.1-47.46
  • All prior to 13.1-59.19
  • All prior to 13.1-37.236-FIPS and NDcPP

NetScaler Gateway

  • All prior to 14.1-47.46
  • All prior to 13.1-59.19
  • All prior to 13.1-37.236-FIPS and NDcPP

Affected organisations must review Citrix Security Bulletin CTX694788 and update to a fixed build of NetScaler ADC or NetScaler Gateway. NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are End of Life (EOL) and remain vulnerable; organisations still running them must upgrade to a supported release as soon as possible. Secure Private Access on-premises and Secure Private Access Hybrid deployments that use NetScaler instances are also affected by this vulnerability and must be upgraded in the same way. Because the flaw was exploited before a fix was available, treat patching as the first step rather than the last: review internet-facing appliances for signs of compromise after upgrading. Note: NetScaler ADC 12.1-FIPS is not affected by CVE-2025-6543.

Cisco Releases Security Advisory Affecting Cisco Identity Service Engine

Cisco has released a security advisory addressing two vulnerabilities, affecting Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC).

  • CVE-2025-20281 is an ‘API unauthenticated remote code execution’ vulnerability with a CVSSv3 score of 9.8. A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.
  • CVE-2025-20282 is an ‘API unauthenticated remote code execution’ vulnerability with a CVSSv3 score of 10. A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root. This vulnerability is due to a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system.

Affected organisations are encouraged to review the Cisco security advisory and apply the relevant updates. Both flaws are reachable without credentials, so ISE deployments whose management or API interfaces are exposed beyond the administrative network should be prioritised.

Cyber Attacks

Microsoft 365 'Direct Send' abused to send phishing as internal users

An ongoing phishing campaign abuses a little-known feature in Microsoft 365 called “Direct Send” to evade detection by email security and steal credentials.

Direct Send is a Microsoft 365 feature that allows on-premises devices, applications or cloud services to send email through a tenant’s smart host (the tenant’s public MX endpoint) as if it originated from the organisation’s domain. It is designed for printers, scanners and other devices that need to send messages on behalf of the company. The feature is a known security risk: it requires no authentication, so anyone on the internet who knows the tenant’s MX endpoint can submit internal-looking email from the company’s domain, and because the message never passes through a mailbox or an authenticated connector, it arrives looking like ordinary internal mail. Microsoft recommends that only advanced customers use the feature, as its safety depends on whether Microsoft 365 is configured correctly and the smart host is properly locked down. “We recommend Direct Send only for advanced customers willing to take on the responsibilities of email server admins,” explains Microsoft. “You need to be familiar with setting up and following best practices for sending email over the internet. When correctly configured and managed, Direct Send is a secure and viable option. But customers run the risk of misconfiguration that disrupts mail flow or threatens the security of their communication.”

Microsoft has documented how to disable the feature and says it is working on deprecating it. To mitigate this threat, Varonis recommends enabling the “Reject Direct Send” setting, which Microsoft introduced in April 2025 (it is set from Exchange Online PowerShell with Set-OrganizationConfig -RejectDirectSend $true). Before turning it on, inventory any printers, scanners or applications that still rely on Direct Send, since they will stop delivering mail once the setting is enabled. Varonis also recommends implementing a strict DMARC policy (p=reject), flagging unauthenticated internal messages for review or quarantine, enforcing SPF hardfail within Exchange Online Protection, enabling anti-spoofing policies, and training employees to spot QR-code phishing attempts.
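The “flag unauthenticated internal messages” recommendation above is straightforward to turn into a check. The following is an added example, not code from the article or from Varonis or Microsoft: it reads a message’s headers and reports the combination that characterises a Direct Send spoof, namely a From address in one of the tenant’s own domains, an Exchange AuthAs value of Anonymous (the message was accepted on the MX endpoint without authentication) and SPF/DKIM/DMARC results that do not pass. The tenant domain (contoso.com) and the four sample messages are constructed for the example; the header names and the result format are Exchange Online’s, but the values are invented.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: the tenant's accepted domains.
INTERNAL_DOMAINS = {"contoso.com"}


def parse_auth_results(header: str) -> dict:
    """Reduce an Exchange Online Authentication-Results header such as
    'spf=fail (sender IP is ...) smtp.mailfrom=x; dkim=none ...; dmarc=fail ...'
    to {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail', ...}.
    Only the method=verdict token at the start of each clause is used."""
    results = {}
    for clause in header.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc|compauth)=(\w+)", clause, re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def direct_send_indicators(raw_message: str) -> list:
    """Return the reasons a message looks like an unauthenticated Direct Send
    submission that spoofs an internal sender. An empty list means no finding."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    from_domain = address.rpartition("@")[2].lower()
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()

    # Mail from other domains is ordinary inbound traffic, and mail Exchange
    # marked as Internal was submitted by a mailbox or an authenticated connector.
    if from_domain not in INTERNAL_DOMAINS or auth_as == "internal":
        return []

    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if auth.get("dmarc") == "pass":
        return []  # an authorised third-party sender, aligned with the domain's policy

    reasons = []
    if auth_as == "anonymous":
        reasons.append("AuthAs=Anonymous: accepted on the MX endpoint without authentication")
    for method in ("spf", "dkim", "dmarc"):
        verdict = auth.get(method, "missing")
        if verdict != "pass":
            reasons.append(f"{method}={verdict} although From is internal domain {from_domain}")
    return reasons


# Constructed sample messages (not real captures), in Exchange Online's header style.
SPOOFED = """From: IT Helpdesk <helpdesk@contoso.com>
To: alice@contoso.com
Subject: New voicemail: scan to listen
Authentication-Results: spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=contoso.com; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=contoso.com; compauth=fail reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous

Scan the attached QR code to retrieve your voicemail.
"""

LEGIT_INTERNAL = """From: Bob <bob@contoso.com>
To: alice@contoso.com
Subject: Lunch?
Authentication-Results: spf=none smtp.mailfrom=contoso.com; dmarc=none action=none header.from=contoso.com; compauth=pass reason=109
X-MS-Exchange-Organization-AuthAs: Internal

Noon?
"""

AUTHORISED_SAAS = """From: Payroll <payroll@contoso.com>
To: alice@contoso.com
Subject: Your payslip
Authentication-Results: spf=pass (sender IP is 198.51.100.20) smtp.mailfrom=contoso.com; dkim=pass (signature was verified) header.d=contoso.com; dmarc=pass action=none header.from=contoso.com; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Anonymous

Your payslip is attached.
"""

EXTERNAL = """From: Supplier <billing@partner.example>
To: alice@contoso.com
Subject: Invoice 1042
Authentication-Results: spf=pass (sender IP is 198.51.100.77) smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass action=none header.from=partner.example; compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Anonymous

Please find the invoice attached.
"""

if __name__ == "__main__":
    for name, sample in [("spoofed", SPOOFED), ("internal", LEGIT_INTERNAL),
                         ("saas", AUTHORISED_SAAS), ("external", EXTERNAL)]:
        print(name, direct_send_indicators(sample) or "clean")
```

The DMARC-pass exit is what keeps legitimate Direct Send users (a cloud payroll service sending as the company, with SPF or DKIM aligned to the domain) out of the findings; everything else that claims an internal From without authenticating is exactly the traffic the “Reject Direct Send” setting would refuse.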

Hackers turn ScreenConnect into malware using Authenticode stuffing

Threat actors are abusing the ConnectWise ScreenConnect installer to build signed remote access malware by modifying hidden settings stored inside the client’s Authenticode signature.

ConnectWise ScreenConnect is remote monitoring and management (RMM) software that allows IT admins and managed service providers (MSPs) to troubleshoot devices remotely. When a ScreenConnect installer is built, it can be customised with the remote server the client should connect to, the text shown in its dialog boxes and the logos it displays. This configuration data is stored within the file’s Authenticode signature. The technique, called Authenticode stuffing, works because the hash that an Authenticode signature covers deliberately excludes the PE certificate table (along with the checksum field and the security data-directory entry that points to the table), so data can be inserted into the certificate table while the digital signature remains intact. Cybersecurity firm G DATA observed malicious ConnectWise binaries with identical hash values across all file sections except the certificate table: the only difference was a modified certificate table carrying new malicious configuration, and the file remained validly signed.
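The observation G DATA made (same bytes everywhere except the certificate table) can be reproduced by computing the Authenticode-style hash yourself. The block below is an added example, not G DATA’s or ConnectWise’s code: it builds two minimal PE32+ images that differ only in the payload stored in their WIN_CERTIFICATE table, then shows that their plain file hashes differ while the hash Authenticode signs over is identical. The PE layout follows the PE/COFF field offsets; the image contents, the fake PKCS#7 bytes and the two “relay=” configuration strings are constructed for the example. The hash routine skips the three unsigned ranges; it assumes sections are laid out in file order, which the Authenticode specification otherwise handles by sorting them by PointerToRawData.

```python
import hashlib
import struct

# PE32+ optional-header field offsets (PE/COFF specification).
OPT_SIZEOFHEADERS_OFF = 60
OPT_CHECKSUM_OFF = 64
OPT_NUMBER_OF_RVAS_OFF = 108
OPT_DATADIR_OFF = 112
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY


def build_pe(cert_payload: bytes) -> bytes:
    """Construct a minimal PE32+ image (constructed test data, not a real binary)
    with one section and a trailing WIN_CERTIFICATE entry carrying cert_payload."""
    size_of_headers = 512
    section_off, section_len = 512, 512
    cert_off = section_off + section_len

    # WIN_CERTIFICATE: dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
    cert = struct.pack("<IHH", 8 + len(cert_payload), 0x0200, 0x0002) + cert_payload
    cert += b"\0" * (-len(cert) % 8)  # entries are padded to 8-byte boundaries

    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> "PE\0\0"

    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)  # x64, 1 section

    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, OPT_SIZEOFHEADERS_OFF, size_of_headers)
    struct.pack_into("<I", opt, OPT_CHECKSUM_OFF, 0xDEADBEEF)  # not covered by the hash
    struct.pack_into("<I", opt, OPT_NUMBER_OF_RVAS_OFF, 16)
    struct.pack_into("<II", opt, OPT_DATADIR_OFF + 8 * SECURITY_DIR_INDEX,
                     cert_off, len(cert))  # security dir holds a FILE offset, not an RVA

    section = struct.pack("<8sIIIIIIHHI", b".text", section_len, 0x1000,
                          section_len, section_off, 0, 0, 0, 0, 0x60000020)

    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (size_of_headers - len(headers))
    body = bytes(range(256)) * (section_len // 256)  # constructed section content
    return headers + body + cert


def _layout(pe: bytes):
    """Locate the CheckSum field, the security directory entry and the cert table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt_off = e_lfanew + 4 + 20  # past "PE\0\0" and the COFF header
    checksum_off = opt_off + OPT_CHECKSUM_OFF
    secdir_off = opt_off + OPT_DATADIR_OFF + 8 * SECURITY_DIR_INDEX
    cert_off, cert_len = struct.unpack_from("<II", pe, secdir_off)
    return checksum_off, secdir_off, cert_off, cert_len


def authenticode_hash(pe: bytes) -> str:
    """SHA-256 over the file minus the three ranges Authenticode leaves unsigned:
    the CheckSum field, the security data-directory entry and the certificate table."""
    checksum_off, secdir_off, cert_off, cert_len = _layout(pe)
    h = hashlib.sha256()
    pos = 0
    for off, length in sorted([(checksum_off, 4), (secdir_off, 8), (cert_off, cert_len)]):
        h.update(pe[pos:off])
        pos = off + length
    h.update(pe[pos:])
    return h.hexdigest()


def cert_payload(pe: bytes) -> bytes:
    """Return the bCertificate bytes of the first WIN_CERTIFICATE entry."""
    _, _, cert_off, _ = _layout(pe)
    length, _revision, _ctype = struct.unpack_from("<IHH", pe, cert_off)
    return pe[cert_off + 8:cert_off + length]


def signed_twin_report(a: bytes, b: bytes) -> dict:
    """The comparison G DATA describes: same signed bytes, different cert table."""
    return {
        "file_hash_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "authenticode_hash_equal": authenticode_hash(a) == authenticode_hash(b),
        "cert_table_equal": cert_payload(a) == cert_payload(b),
    }


# Constructed stand-in for a PKCS#7 SignedData blob, followed by the embedded config.
FAKE_PKCS7 = b"\x30\x82\x01\x00constructed-signed-data-blob"
ORIGINAL = build_pe(FAKE_PKCS7 + b"relay=screenconnect.legit.example")
TAMPERED = build_pe(FAKE_PKCS7 + b"relay=relay.attacker.example:8041")

if __name__ == "__main__":
    print(signed_twin_report(ORIGINAL, TAMPERED))
    print(cert_payload(TAMPERED)[len(FAKE_PKCS7):])
```

Two practical consequences follow from the report dictionary: a hash-based blocklist keyed on the whole file will never match the tampered twin, whereas keying on the Authenticode hash (or on the imphash/section hashes) will; and any configuration a tool reads back out of its own certificate table, as the ScreenConnect client does, is by design outside what the signature protects.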

G DATA says the first samples were found on the BleepingComputer forums, where members reported being infected after falling for phishing attacks. Similar attacks were reported on Reddit. These phishing attacks used either PDFs or intermediary Canva pages that linked to executables hosted on Cloudflare’s R2 storage (r2.dev). The file, called “Request for Proposal.exe,” is a malicious ScreenConnect client configured to connect to the attacker’s server at 86.38.225[.]6:8041 (relay.rachael-and-aidan.co[.]uk). In effect, the threat actors turned the legitimate ConnectWise ScreenConnect client into malware that gives them stealthy access to infected devices. After being contacted by G DATA, ConnectWise revoked the certificate used in these binaries, and G DATA now flags these samples as Win32.Backdoor.EvilConwi.* and Win32.Riskware.SilentConwi.*.

In Other News...

Chrome 138, Firefox 140 Patch Multiple Vulnerabilities

Chrome 138 has arrived with 11 security fixes, including three for medium- and low-severity bugs reported by security researchers. These include a use-after-free defect in Animation for which Google handed out a $4,000 bug bounty reward, and an insufficient policy enforcement issue in Loader and an insufficient data validation flaw in DevTools that earned the reporting researchers $1,000 rewards each. 

The latest Chrome iteration is now rolling out as version 138.0.7204.49 for Linux and as versions 138.0.7204.49/50 for Windows and macOS. Google makes no mention of any of the addressed vulnerabilities being exploited in attacks, but users are advised to update their browsers as soon as possible. On Wednesday, Mozilla dropped Firefox 140 to the stable channel with patches for 13 security defects and announced updates for Firefox ESR 128.12 and Firefox ESR 115.25. Two of the CVEs addressed with the latest Firefox release are high-severity memory safety bugs, namely a use-after-free issue in FontFaceSet and memory corruption defects that, with enough effort, could be exploited for remote code execution. The update also fixes six medium-severity vulnerabilities leading to the exposure of a persistent UUID to identify the browser, a lack of warning when opening files with the terminal extension, policy bypass, phishing attacks on Android, security checks bypass, and cross-site scripting attacks. 

Firefox ESR 128.12 was rolled out with patches for five of these vulnerabilities, while Firefox ESR 115.25 arrived with two fixes. Mozilla makes no mention of any of these bugs being exploited in the wild.

Brother printer bug in 689 models exposes default admin passwords

A total of 689 printer models from Brother, along with 53 other models from Fujifilm, Toshiba, and Konica Minolta, come with a default administrator password that remote attackers can generate. Even worse, the flaw cannot be fixed via a firmware update on existing printers, so for devices already in the field the practical mitigation is to change the default administrator password. The flaw, tracked as CVE-2024-51978, is part of a set of eight vulnerabilities discovered by Rapid7 researchers during a lengthy examination of Brother hardware. It can be chained with the other vulnerabilities Rapid7 found to determine the admin password, take control of devices, perform remote code execution, crash them, or pivot within the networks they are connected to. Not all of the flaws affect every one of the 689 Brother printer models, and other manufacturers, including Fujifilm (46 models), Konica Minolta (6), Ricoh (5), and Toshiba (2), are impacted as well. The default password in the affected printers is generated during manufacturing using a custom algorithm based on the device’s serial number. According to Rapid7’s detailed technical analysis, the password generation algorithm follows an easily reversible process:

  • Take the first 16 characters of the serial number.
  • Append 8 bytes derived from a static “salt” table.
  • Hash the result with SHA256.
  • Base64-encode the hash.
  • Take the first eight characters and substitute some letters with special characters.

Attackers can leak the serial number of the target printer using various methods or by exploiting CVE-2024-51977. They can then use the algorithm to generate the default admin password and log in as admin.

From there, they may reconfigure the printer, access stored scans, read address books, exploit CVE-2024-51979 for remote code execution, or exploit CVE-2024-51984 to harvest credentials.
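The following is an added example, not Rapid7’s or Brother’s code, that shows the shape of the derivation described above and why it is weak: the password is a pure function of the serial number, so anyone who knows the algorithm and the serial knows the password. The salt table and the letter-to-symbol substitution map are placeholders (Rapid7’s analysis documents the real ones; they are deliberately not reproduced here), so this code does not produce actual Brother passwords. It does, however, let an administrator implement the one check that matters for a fleet: given a device’s serial and its configured password, is the password still the derived default? The serial number used below is constructed.

```python
import base64
import hashlib

# Placeholder constants, NOT Brother's. The real static salt table and
# substitution map are in Rapid7's analysis and are not reproduced here.
SALT_TABLE = bytes(range(0x10, 0x30))  # hypothetical 32-byte table
SUBSTITUTIONS = {"l": "#", "I": "!", "O": "@", "0": "$", "z": "%", "Z": "^"}  # hypothetical


def derive_salt(serial16: bytes) -> bytes:
    """Hypothetical stand-in for 'append 8 bytes derived from a static salt table':
    pick one table entry per serial byte. The real derivation differs."""
    return bytes(SALT_TABLE[b % len(SALT_TABLE)] for b in serial16[:8])


def default_password(serial: str) -> str:
    """Apply the five steps from the article: first 16 chars of the serial,
    append 8 salt bytes, SHA256, Base64, first 8 chars with substitutions."""
    serial16 = serial.encode("ascii")[:16]
    digest = hashlib.sha256(serial16 + derive_salt(serial16)).digest()
    b64 = base64.b64encode(digest).decode("ascii")
    return "".join(SUBSTITUTIONS.get(c, c) for c in b64[:8])


def uses_default_password(serial: str, configured_password: str) -> bool:
    """Fleet audit check: does the device still use its factory-derived password?"""
    return configured_password == default_password(serial)


def audit(inventory: dict) -> list:
    """Return the serials in {serial: configured_password} that are still on the default."""
    return [serial for serial, pw in inventory.items() if uses_default_password(serial, pw)]


if __name__ == "__main__":
    serial = "U64185J5N1234567"  # constructed, 16 characters
    pw = default_password(serial)
    # Only the first 16 characters feed the hash, so longer serials sharing a prefix
    # get the same default password.
    print(pw, default_password(serial + "A") == pw)
    print(audit({serial: pw, "X" * 16: "ChangedByAdmin!"}))
```

Because every input to the derivation is either public (the serial, which CVE-2024-51977 leaks) or fixed (the salt table), there is no secret for the password to depend on; that is why no firmware change can repair devices already manufactured, and why the audit above, run with the real constants, is the check worth automating.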