Welcome to another edition of InfoSec.Watch. This week: an actively exploited Cisco zero‑day, record-scale DPRK crypto theft, and hybrid infrastructure attacks that should be on every defender’s radar.
🚨 Top Stories
WatchGuard Firebox RCE under active exploitation (CVE-2025-14733)
WatchGuard released fixes and published indicators of attack for a critical out-of-bounds write that can lead to unauthenticated RCE in certain VPN configurations.
Source: WatchGuard PSIRT Advisory (WGSA-2025-00027)
💡 Key Takeaway: Treat as perimeter emergency patching: inventory Firebox appliances, apply fixed releases/hotfixes, and hunt for the published IoAs in firewall logs.
HPE OneView CVSS 10 RCE: patch/hotfix now (CVE-2025-37164)
HPE urged customers to update OneView, citing a critical unauthenticated RCE affecting OneView 5.20–10.20 with fixes available (including hotfixes) and guidance for appliance deployments.
Source: HPE Security Bulletin (HPESBGN04985)
💡 Key Takeaway: If OneView is reachable from any management network segment, patch first, then validate RBAC and restrict access paths (VPN/jump hosts) before the next change freeze.
Aflac confirms ~22.65M individuals potentially impacted in June incident
Aflac published an update stating its review determined personal information associated with ~22.65M individuals was involved and that notifications/resources are underway.
Source: Aflac Newsroom Update
💡 Key Takeaway: Assume long-tail fraud risk: align comms + IAM controls (MFA resets, call-center scripts), and pre-stage monitoring for credential stuffing and identity-based abuse.
🛡️ Vulnerability Spotlight
CVE‑2025‑20393 — Cisco AsyncOS (active exploitation)
Active exploitation against email security infrastructure increases blast radius due to privileged positioning in mail flow and admin interfaces.
Source: Cisco Advisory
💡 Key Takeaway: Prioritize controls that reduce exploitability (ACLs, VPN-only admin, MFA, logging) and hunt for persistence on gateway hosts.
Chrome V8 exploitation signals ongoing browser risk
Browser engine vulnerabilities continue to be leveraged in the wild; rapid updates remain critical.
Source: Chrome Releases
💡 Key Takeaway: Enforce auto-update, shorten patch SLAs for browsers, and use enterprise policies to block outdated versions.
📈 Trend to Watch
Fake GitHub PoC repos are becoming an infection vector for defenders
Kaspersky reported WebRAT being distributed via GitHub repositories masquerading as exploit PoCs for high-CVSS vulnerabilities—targeting students and early-career security practitioners.
Source: Kaspersky Securelist
💡 Key Takeaway: Treat PoCs like untrusted software: detonate in disposable sandboxes, enforce ‘no local run’ on analyst workstations, and use allowlisted tooling for exploit testing.
🧰 Tool / Resource of the Week
CISA Known Exploited Vulnerabilities (KEV) Catalog
A continuously updated list of vulnerabilities confirmed exploited in the wild—ideal for patch prioritization.
Source: CISA KEV Catalog
💡 Key Takeaway: Map KEV to your asset inventory weekly and treat KEV matches as “patch now / mitigate now” items with exec visibility.
⚡ Quick Hits
IC3 warns of smishing/vishing impersonating senior U.S. officials (AI voice included)
IC3 details tactics where attackers build rapport via text/voice and quickly move targets to encrypted messaging apps to continue the scam.
Source: FBI IC3 Public Service Announcement
💡 Key Takeaway: Update exec-protection playbooks: require out-of-band verification for “urgent” requests and add voice + messaging impersonation to phishing simulations.
NHS England supplier DXS discloses cyberattack; DevMan ransomware claims theft
DXS disclosed a security incident affecting office servers; reporting indicates a ransomware group claimed responsibility and data theft.
Source: Digital Health (industry reporting)
💡 Key Takeaway: Treat suppliers as part of your blast radius: tighten third-party access paths, validate segmentation, and ensure incident-notification SLAs are enforceable.
TechCrunch: NHS tech provider confirms data breach disclosure
Additional reporting on the DXS incident highlights disclosure details and downstream impacts for health sector supply chains.
Source: TechCrunch
💡 Key Takeaway: Use this as a trigger to review your vendor inventory for health/insurance adjacent services—especially those holding PII and supporting authentication workflows.
⚔️ Actionable Defense Move of the Week
Deploy a zero‑day containment playbook for edge/admin planes
Create a one-hour response checklist for edge appliances and admin interfaces: isolate, capture telemetry, rotate creds, validate persistence, and monitor egress.
💡 Key Takeaway: When a zero‑day drops, speed beats perfection—prebuilt containment steps prevent “analysis paralysis” during active exploitation.
🧠 Final Word
This week reinforces a simple truth: attackers are concentrating on high‑leverage choke points—email gateways, identity pathways, and critical services. Heading into 2026, resilience means faster mitigation, tighter identity controls, and better visibility where it matters most.
💡 Key Takeaway: Make “time-to-mitigate” a first-class metric for edge systems, and wire it into your incident and patch governance.