Weekly Security News - 29th September 2025

5 mins read

Microsoft Edge to block malicious extensions, Cisco firewall exploited, WordPress sites being compromised...

Welcome to this week’s Security News. We’ve collated the best articles from the around the internet and put them all into one place. We’ve also got the latest CVE information to help you stay ahead of vulnerabilities. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

News & Articles

Microsoft Edge to block malicious sideloaded extensions

Microsoft is planning to introduce a new Edge security feature that will protect users against malicious extensions sideloaded into the web browser.

Edge enables developers to install extensions locally (also known as sideloading) for testing purposes before publishing them to the Microsoft Edge Add-ons store by toggling the “Developer Mode” option on the Extensions management page and clicking the “Load unpacked” button.

However, users can also sideload third-party extensions that aren’t distributed through official channels and aren’t scanned for malware.

But Redmond revealed on Thursday in the Microsoft 365 roadmap, “Microsoft Edge will detect and revoke malicious sideloaded extensions.” Although the company didn’t provide further details on how these dangerous extensions will be identified, the new security feature is set to launch in November for standard multi-tenant instances worldwide.

Cisco warns of ASA firewall zero-days exploited in attacks

Cisco has warned customers to patch two zero-day vulnerabilities that are actively being exploited in attacks and impact the company’s firewall software.

The first one (CVE-2025-20333) allows authenticated, remote attackers to execute arbitrary code on devices running vulnerable Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) software, while the second (CVE-2025-20362) enables remote attackers to access restricted URL endpoints without authentication.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of attempted exploitation of this vulnerability,” the company warned in security advisories regarding the two zero-day flaws.

First-Ever Malicious MCP Server Found in the Wild Steals Emails via AI Agents

The first-ever malicious Model-Context-Prompt (MCP) server discovered in the wild, a trojanised npm package named postmark-mcp that has been secretly exfiltrating sensitive data from users’ emails.

The package, downloaded approximately 1,500 times per week, contained a backdoor that copied every email processed by the tool to a server controlled by the attacker. This incident highlights a significant and emerging threat in the AI-powered software supply chain.

According to security firm Koi analysis postmark-mcp package was designed as an MCP server to integrate with the Postmark email service, allowing AI assistants to automate email-sending tasks.

However, starting with version 1.0.16, a single line of malicious code was added. This code silently added a Bcc field to every outgoing email, sending a copy to phan@giftshop[.]club.

This attack serves as a stark warning about the risks associated with the rapidly growing MCP ecosystem, emphasising the need for robust verification and continuous monitoring of all third-party tools used by AI agents.

Hackers Exploiting WordPress Websites With Silent Malware to Gain Admin Access

A sophisticated malware campaign targeting WordPress websites has been discovered employing advanced steganographic techniques and persistent backdoor mechanisms to maintain unauthorised administrator access.

The malware operates through two primary components that work in tandem to create a resilient attack infrastructure, enabling cybercriminals to establish persistent footholds on compromised websites while remaining undetected by traditional security measures.

The attack begins with the deployment of malicious files designed to masquerade as legitimate WordPress components.

The primary component disguises itself as the “DebugMaster Pro” plugin, complete with convincing metadata including version numbers, GitHub repositories, and professional descriptions.

Latest Vulnerabilities & Exploits

CVE-2025-20363 – CRITICAL
A vulnerability in the web services of Cisco Secure Firewall Adaptive Security Appliance
(ASA) Software, Cisco Secure Firewall Threat Defense (FTD) Software, Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software could allow an unauthenticated, remote attacker (Cisco ASA and FTD Software) or authenticated, remote attacker (Cisco IOS, IOS XE, and IOS XR Software) with low user privileges to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device.
CVE-2025-20362 – MEDIUM
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication that should otherwise be inaccessible without authentication. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on a device. A successful exploit could allow the attacker to access a restricted URL without authentication.
CVE-2025-20333 – CRITICAL
A vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to execute arbitrary code on an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP(S) requests. An attacker with valid VPN user credentials could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to execute arbitrary code as root, possibly resulting in the complete compromise of the affected device.
CVE-2025-10894 – CRITICAL
Malicious code was inserted into the Nx (build system) package and several related plugins. The tampered package was published to the npm software registry, via a supply-chain attack. Affected versions contain code that scans the file system, collects credentials, and posts them to GitHub as a repo under user’s accounts.
CVE-2025-57319 – HIGH
fast-redact is a package that provides do very fast object redaction. A Prototype Pollution vulnerability in the nestedRestore function of fast-redact version 3.5.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
CVE-2025-57324 – MEDIUM
parse is a package designed to parse JavaScript SDK. A Prototype Pollution vulnerability in the SingleInstanceStateController.initializeState function of parse version 5.3.0 and before allows attackers to inject properties on Object.prototype via supplying a crafted payload, causing denial of service (DoS) as the minimum consequence.
CVE-2025-59833 – HIGH
Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object, regardless of whether the user has unlocked them via point deduction. Users can view all hints for free, undermining the business logic of the platform and reducing the integrity of the challenge system. This issue has been patched in version 2.3.0
CVE-2025-59827 – HIGH
Flag Forge is a Capture The Flag (CTF) platform. In version 2.1.0, the /api/admin/assignbadge endpoint lacks proper access control, allowing any authenticated user to assign high-privilege badges (e.g., Staff) to themselves. This could lead to privilege escalation and impersonation of administrative roles. This issue has been patched in version 2.2.0.
CVE-2025-59828 – HIGH
Claude Code is an agentic coding tool. Prior to Claude Code version 1.0.39, when using Claude Code with Yarn versions 2.0+, Yarn plugins are auto-executed when running yarn –version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins would be executed prior to the user accepting the risks of working in an untrusted directory. Users running Yarn Classic were unaffected by this issue. This issue has been fixed in version 1.0.39. Users on standard Claude Code auto-update will have received this fix automatically. Users performing manual updates are advised to update to the latest version.
CVE-2025-59824 – LOW
Omni manages Kubernetes on bare metal, virtual machines, or in a cloud. Prior to version 0.48.0, Omni Wireguard SideroLink has the potential to escape. Omni and each Talos machine establish a peer-to-peer (P2P) SideroLink connection using WireGuard to mutually authenticate and authorize access. The WireGuard interface on Omni is configured to ensure that the source IP address of an incoming packet matches the IPv6 address assigned to the Talos peer. However, it performs no validation on the packet’s destination address. The Talos end of the SideroLink connection cannot be considered a trusted environment. Workloads running on Kubernetes, especially those configured with host networking, could gain direct access to this link. Therefore, a malicious workload could theoretically send arbitrary packets over the SideroLink interface. This issue has been patched in version 0.48.0