TLP: CLEAR

EXECUTIVE SUMMARY

Multiple zero-day vulnerabilities under active exploitation dominated the threat landscape this week, with Google patching two Android privilege escalation flaws exploited in targeted attacks and CISA adding five vulnerabilities to the Known Exploited Vulnerabilities catalog. Nation-state actors intensified operations against critical infrastructure, highlighted by Chinese APT groups systematically compromising telecommunications networks through enterprise router vulnerabilities.

The convergence of AI-enabled attack automation and critical infrastructure targeting represents an escalation in threat sophistication, requiring immediate defensive action across mobile platforms, network infrastructure, and enterprise applications. Federal agencies face September 23-24 deadlines for CISA KEV remediation, while organizations must also address supply chain compromises affecting major cloud service providers.

Analyst Comment: The week's intelligence demonstrates threat actors' rapid adaptation to exploit newly disclosed vulnerabilities within hours, particularly through AI-assisted automation frameworks that reduce exploitation time from weeks to minutes.

CRITICAL INCIDENTS

1. Multiple CISA Known Exploited Vulnerabilities Added - Active Exploitation Confirmed

CISA added five vulnerabilities to the KEV catalog over the reporting period due to confirmed active exploitation: CVE-2020-24363 and CVE-2025-55177 (September 2, 2025), CVE-2023-50224 and CVE-2025-9377 (September 3), and CVE-2025-57819 (August 29). Three of the five affect TP-Link networking devices, with CVE-2025-9377 (CVSS 8.6) enabling operating system command injection and CVE-2020-24363 (CVSS 8.8) allowing an authentication bypass caused by missing authentication. Federal Civilian Executive Branch agencies must remediate these vulnerabilities by September 23-24, 2025, under BOD 22-01 requirements.

2. Android Zero-Day Privilege Escalation Vulnerabilities Exploited in Targeted Attacks

Google's Android Security Bulletin of September 2, 2025, addresses 84 vulnerabilities, including two actively exploited zero-days: CVE-2025-38352 (CVSS 7.4) in the Linux kernel's POSIX CPU timers and CVE-2025-48543 in the Android Runtime. Google's Threat Analysis Group confirmed "limited, targeted exploitation", consistent with spyware campaigns against high-value individuals. Both vulnerabilities enable local privilege escalation without user interaction, affect Android 10 and later, and are addressed in the 2025-09-01 and 2025-09-05 security patch levels.

3. Major Supply Chain Compromises Affect Enterprise Cloud Services

Two significant supply chain attacks impacted major organizations during the reporting period. The Salesloft Drift OAuth authorization hijacking compromised multiple major organizations, including PagerDuty, Palo Alto Networks, Zscaler, Google, and Cloudflare, between August 20 and 23, 2025. Separately, a Google/Salesforce breach via social engineering against a Google employee potentially affected 2.5 billion Gmail users, with ShinyHunters claiming responsibility for the compromise.

4. Sitecore ViewState Deserialization Zero-Day Exploited by Nation-State Actors

On September 3, 2025, Mandiant disclosed active nation-state exploitation of CVE-2025-53690, a ViewState deserialization vulnerability affecting Sitecore XP 9.0 and earlier and Sitecore Active Directory 1.4 and earlier. The attackers used ASP.NET machine keys exposed in 2017 deployment guides to produce ViewState payloads the server accepted as valid, achieving remote code execution, and then deployed the WEEPSTEEL malware for internal reconnaissance; WEEPSTEEL shares similarities with the GhostContainer backdoor. Mandiant disrupted the intrusion shortly after initial compromise, preventing observation of the full attack lifecycle but confirming sophisticated tradecraft targeting enterprise content management systems.
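The root cause above is a machine key that was never unique to the deployment. The following audit script is an added example, not Sitecore's or Mandiant's code: it scans an ASP.NET web.config for a hard-coded machineKey, compares it against a watch list of publicly exposed values (a labelled placeholder here, since the leaked sample key is not reproduced), and also flags a disabled ViewState MAC.

```python
"""Audit ASP.NET web.config files for ViewState weaknesses.

Added illustration for the Sitecore CVE-2025-53690 incident; this is not
Sitecore's or Mandiant's code. It flags a hard-coded <machineKey>, a key that
matches a watch list of publicly exposed values, and a disabled ViewState MAC.
"""
import xml.etree.ElementTree as ET

# Constructed watch list. The sample key from the old deployment guides is NOT
# reproduced here; populate this set from the vendor advisory.
KNOWN_PUBLIC_KEYS = {"placeholder-known-sample-key-value"}


def audit_web_config(xml_text: str) -> list:
    """Return finding strings for one web.config document (empty = clean)."""
    findings = []
    root = ET.fromstring(xml_text)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET generates a per-machine key when the attribute is unset.
            value = mk.get(attr, "AutoGenerate,IsolateApps").strip()
            if value.startswith("AutoGenerate"):
                continue
            if value.lower() in KNOWN_PUBLIC_KEYS:
                findings.append(f"CRITICAL: {attr} matches a publicly exposed key; rotate immediately")
            else:
                findings.append(f"WARNING: {attr} is hard-coded; verify it is unique to this deployment")
    for pages in root.iter("pages"):
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append("CRITICAL: enableViewStateMac is disabled; ViewState is unauthenticated")
    return findings


# Constructed sample configs (not taken from any real deployment).
VULNERABLE_CONFIG = """<configuration><system.web>
  <machineKey validationKey="placeholder-known-sample-key-value"
              decryptionKey="0123456789ABCDEF0123456789ABCDEF" validation="SHA1" />
  <pages enableViewStateMac="false" />
</system.web></configuration>"""

SAFE_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, audit_web_config(cfg) or ["clean"])
```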

ACTIVE THREAT ACTORS

Chinese APT Groups - Salt Typhoon and OPERATOR PANDA

Chinese state-sponsored actors systematically exploited enterprise router vulnerabilities including CVE-2024-21887 (Ivanti), CVE-2024-3400 (Palo Alto), and CVE-2023-20198 (Cisco IOS XE) to infiltrate global telecommunications networks. The campaign achieved long-term persistent access to critical telecommunications infrastructure through credential harvesting via packet capture and network access control list modifications. Intelligence indicates the groups maintained access across multiple countries' telecommunications infrastructure, enabling potential supply chain compromises and espionage operations.

Iranian Threat Actors - Homeland Justice

Iran-nexus group Homeland Justice expanded diplomatic targeting operations with phishing campaigns against 100+ diplomatic entities globally. The group leveraged compromised Oman Ministry of Foreign Affairs email accounts to provide legitimacy for spear-phishing operations targeting embassy personnel worldwide. The campaign represents escalation in Iranian cyber espionage capabilities against diplomatic targets beyond traditional Middle Eastern focus areas.

Russian APT28 - NotDoor Campaign

APT28 deployed NotDoor, a new Outlook VBA backdoor, against targets in NATO countries; its capabilities include file management, data exfiltration, and command execution. The malware achieves persistence through OneDrive DLL side-loading and registry modifications across multiple locations, including Winlogon, RunOnce, and Active Setup. The campaign demonstrates continued Russian intelligence interest in NATO communications and strategic planning processes.

TRENDS

AI-Enabled Attack Automation Reduces Exploitation Timeframes

Threat actors weaponized the HexStrike AI framework to exploit recently disclosed Citrix NetScaler vulnerabilities within hours of disclosure, cutting exploit development time from weeks to under 10 minutes. The framework orchestrates 150+ specialized AI agents to autonomously scan, exploit, and establish persistence in target environments. Analysis indicates 20-second compromise timelines from reconnaissance to system access through AI-driven attack automation, a fundamental shift in threat actor capabilities and in the response window available to defenders.

Critical Infrastructure Targeting Increases 31% in Industrial Control Systems

Russia-linked hacktivist groups including Z-Pentest, Dark Engine, and Sector 16 increased attacks against industrial control systems by 31%, with energy and utilities sectors experiencing the highest targeting rates. CISA released nine industrial control systems advisories September 2-4, 2025, addressing vulnerabilities in Delta Electronics, Fuji Electric, SunPower, Hitachi Energy, Honeywell, and Mitsubishi Electric systems. Geographic analysis shows Italy, United States, Czech Republic, France, and Spain as most targeted regions for critical infrastructure attacks.

Education Sector Attacks Surge 41% Year-Over-Year During Back-to-School Period

Educational institutions experienced an average of 4,356 attacks per week, a 41% increase year-over-year during the late August/early September transition period. Threat actors exploited back-to-school timing with SikkahBot Android malware targeting Bangladesh students via fake scholarship applications, and are already preparing 2026 FIFA World Cup phishing infrastructure (498 suspicious domains registered 18 months in advance). The timing correlation demonstrates threat actor adaptation to seasonal vulnerability windows in educational and event-driven targeting.

VULNERABILITIES

Critical Patches Required This Week

CVE             Vendor    Product                CVSS  Status                    Federal Deadline
CVE-2025-53690  Sitecore  XP/Active Directory    TBD   Active Exploitation       N/A
CVE-2025-7775   Citrix    NetScaler ADC/Gateway  9.2   Active Exploitation       N/A
CVE-2025-9696   SunPower  PVS6 Solar Devices     9.4   Technical Details Public  N/A
CVE-2025-38352  Google    Android Linux Kernel   7.4   Active Exploitation       N/A
CVE-2025-48543  Google    Android Runtime        TBD   Active Exploitation       N/A

Continuing Active Exploitation (CISA KEV)

CVE             Vendor   Product                    CVSS  Weeks Covered  Federal Deadline
CVE-2020-24363  TP-Link  TL-WA855RE Wi-Fi Extender  8.8   1 week         Sep 23, 2025
CVE-2025-55177  Meta     WhatsApp                   5.4   1 week         Sep 23, 2025
CVE-2023-50224  TP-Link  TL-WR841N Router           6.5   1 week         Sep 24, 2025
CVE-2025-9377   TP-Link  Archer C7/TL-WR841N        8.6   1 week         Sep 24, 2025
CVE-2025-57819  Sangoma  FreePBX                    TBD   2 weeks        Sep 18, 2025
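The KEV entries and federal deadlines listed above are only actionable once matched against what an organization actually runs. The script below is an added example (not CISA's code): KEV_ENTRIES is constructed in the shape of the public KEV JSON feed (cveID, vendorProject, product, dueDate) using the CVEs and dates from this report, INVENTORY is a constructed asset list, and the output is a deadline-ordered remediation list with overdue items flagged.

```python
"""Turn CISA KEV additions into a deadline-ordered remediation list.

Added example for the KEV additions and BOD 22-01 deadlines in this report;
not CISA's code. KEV_ENTRIES mirrors the field names of the public KEV feed
with the CVEs and due dates from the report; INVENTORY is constructed.
"""
from datetime import date

KEV_ENTRIES = [
    {"cveID": "CVE-2020-24363", "vendorProject": "TP-Link", "product": "TL-WA855RE", "dueDate": "2025-09-23"},
    {"cveID": "CVE-2025-55177", "vendorProject": "Meta", "product": "WhatsApp", "dueDate": "2025-09-23"},
    {"cveID": "CVE-2023-50224", "vendorProject": "TP-Link", "product": "TL-WR841N", "dueDate": "2025-09-24"},
    {"cveID": "CVE-2025-9377", "vendorProject": "TP-Link", "product": "Archer C7/TL-WR841N", "dueDate": "2025-09-24"},
    {"cveID": "CVE-2025-57819", "vendorProject": "Sangoma", "product": "FreePBX", "dueDate": "2025-09-18"},
]

# Constructed inventory: what this (hypothetical) organization runs.
INVENTORY = [
    {"vendor": "TP-Link", "product": "Archer C7", "count": 12},
    {"vendor": "Sangoma", "product": "FreePBX", "count": 2},
    {"vendor": "Cisco", "product": "IOS XE", "count": 40},  # no KEV entry in this set
]


def kev_remediation_plan(kev, inventory, today_iso):
    """Join KEV entries to owned assets and order them by urgency.

    Returns (cveID, product, units, days_left) tuples sorted by days_left, then
    by unit count; a negative days_left means the federal deadline has passed.
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for entry in kev:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            vendor_ok = asset["vendor"].lower() == entry["vendorProject"].lower()
            if vendor_ok and asset["product"].lower() in entry["product"].lower():
                rows.append((entry["cveID"], asset["product"], asset["count"], (due - today).days))
    return sorted(rows, key=lambda r: (r[3], -r[2]))


if __name__ == "__main__":
    for cve, product, units, days in kev_remediation_plan(KEV_ENTRIES, INVENTORY, "2025-09-05"):
        status = "OVERDUE" if days < 0 else f"{days} days left"
        print(f"{cve:16} {product:12} {units:>3} units  {status}")
```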

RECOMMENDATIONS

Immediate Actions (0-24 Hours)

  • Apply Android September 2025 security updates to all organizational mobile devices
  • Replace end-of-life TP-Link networking equipment immediately due to active exploitation
  • Patch Citrix NetScaler ADC and Gateway systems against CVE-2025-7775 (CVSS 9.2)
  • Implement network segmentation for solar energy infrastructure and IoT devices
  • Review and audit OAuth permissions for all third-party SaaS integrations
