This week highlights a surge in active exploitation targeting critical network and identity infrastructure, confirmed by the zero-day attacks against Cisco and Citrix and the urgent patch for an exploited Windows Kernel bug.
Simultaneously, the user’s browser has been validated as the weakest link, with shadow AI usage, poor SSO practices and massive Phishing-as-a-Service (PhaaS) networks combining to create unprecedented identity and data loss risks.
1. Critical Exploitation & Patching Urgency
Advanced Hackers Exploited Zero-Days in Cisco and Citrix
A report from Amazon’s threat intelligence team revealed an advanced, highly resourced threat actor exploiting two separate zero-day vulnerabilities in critical network infrastructure: Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC/Gateway.
The campaign leveraged a flaw in NetScaler to bypass authentication and a pre-authentication Remote Code Execution (RCE) vulnerability in Cisco ISE, granting administrator-level access to compromised systems. The deployment of a custom, in-memory webshell after exploitation illustrates a major trend: threat actors focusing on critical identity and network access control infrastructure, and on evading detection once inside it.
Our Take: Targeted Exploitation Demands Immediate Action.
The focus on network access control (NAC) tools like Cisco ISE and remote access tools like NetScaler highlights their criticality. Immediately verify the versions of your appliances and enforce out-of-band validation for all changes to NAC policies.
Critical WatchGuard VPN Flaw Under Active Exploitation
WatchGuard has issued a critical advisory (CVSS score 9.3) for an out-of-bounds write vulnerability, tracked as CVE-2025-9242, in the iked process of WatchGuard Fireware OS. This vulnerability affects Firebox appliances configured for Mobile User VPN with IKEv2 and may allow a remote, unauthenticated attacker to execute arbitrary code.
WatchGuard has confirmed there is evidence suggesting this vulnerability is under active exploitation in the wild.
Resolution requires an immediate update to the patched versions of Fireware OS, and administrators must rotate all locally stored secrets as a precaution.
Our Take: VPNs are Primary Targets.
External-facing network devices, especially VPN endpoints, are relentlessly targeted. If immediate patching is not possible, implement strict firewall rules and temporary access restrictions. Because active exploitation is confirmed, secret rotation is mandatory across all potentially exposed appliances.
Patch Tuesday Fixes Actively Exploited Windows Kernel Bug
Microsoft’s Patch Tuesday security updates for November 2025 addressed 63 vulnerabilities, including a critical, actively exploited Windows Kernel Elevation of Privilege (EoP) vulnerability tracked as CVE-2025-62215. This flaw is a race condition in the Windows Kernel.
An attacker who successfully exploits this vulnerability can gain SYSTEM privileges on the compromised machine.
The urgent patch emphasises the immediate threat posed by vulnerabilities that allow attackers to move from a low-level foothold to complete system control.
Our Take: Prioritise EoP Patches for In-the-Wild Exploits.
Actively exploited Kernel EoP bugs are the final step in a successful attack chain.
Ensure this patch is deployed to all Windows endpoints and servers immediately, as its exploitation is a known commodity for threat actors.
2. Identity & Browser Risk
Browser Security Report Reveals Identity and AI Blind Spots
A new Browser Security Report 2025 warns that most identity, SaaS and AI related risks are converging in the user’s browser, yet traditional security controls are failing to monitor this layer.
The report identifies that GenAI is now the top data exfiltration channel, with 77% of employees pasting sensitive data into GenAI prompts. Furthermore, identity governance is failing, as 68% of corporate logins occur without SSO (Single Sign-On) and unmanaged browser extensions act as an ungoverned supply chain for data exfiltration and session hijacking.
Our Take: Control the Browser or Lose the Data.
Security teams must adopt session-native controls in the browser to regain visibility. Mandate SSO across all services and implement policies that block unauthorised browser extensions and restrict copy/paste functions to prevent unmonitored data loss via shadow AI tools.
AI Companies Accidentally Leak Keys and Passwords on GitHub
Security researchers discovered that 65% of 50 leading AI companies have accidentally published highly sensitive information, including API keys, tokens and other credentials, on public code repositories like GitHub.
This information, often buried in deleted code snippets and old file versions, could grant attackers access to internal company systems, private AI models and sensitive training data.
The core problem stems from programmer error and is compounded by the lack of clear, automated mechanisms for secret detection.
Our Take: Automate Secret Detection in the SDLC.
Relying on human review to prevent credential leaks in public code is a proven failure. Organisations, especially those leveraging GenAI, must enforce automated secret scanning within their continuous integration/continuous delivery (CI/CD) pipelines and code repositories to ensure tokens and API keys are never pushed to public spaces.
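As an added example (not code from the original post or from any vendor it names), the following Python script shows the kind of lightweight secret scan a CI job or pre-commit hook can run over repository files before a push is accepted: fixed-format token patterns for high-confidence hits, plus a generic "secret-looking variable assigned a high-entropy value" rule that lets obvious placeholders through. The token formats, the entropy threshold and the sample file contents are assumptions constructed for the example; the AWS value is AWS's documented placeholder key and the remaining values are made up.

```python
"""Lightweight secret scanner for a CI job or pre-commit hook.

Added example, not code from the original post or from any vendor named there.
The token formats, the entropy threshold and the sample inputs are assumptions.
"""
from __future__ import annotations

import math
import re
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

# Fixed-format tokens: the public prefixes are distinctive enough to flag on sight.
FIXED_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Generic rule: a secret-looking variable assigned a quoted value of 16+ characters.
# Only high-entropy values are reported, so placeholders like "replace-me" pass.
ASSIGNMENT = re.compile(
    r"""(?i)\b[\w-]*(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*["']([^"']{16,})["']"""
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for random-looking strings


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    preview: str  # redacted: only the first characters of the value are kept


def redact(value: str) -> str:
    return value[:6] + "..." if len(value) > 6 else value


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per suspicious match; a fixed-format hit suppresses the generic rule."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hits = [
            Finding(path, line_no, rule, redact(m.group(0)))
            for rule, pat in FIXED_PATTERNS.items()
            for m in pat.finditer(line)
        ]
        if not hits:
            for m in ASSIGNMENT.finditer(line):
                value = m.group(2)
                if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                    hits.append(Finding(path, line_no, "high_entropy_assignment", redact(value)))
        findings.extend(hits)
    return findings


def scan_files(paths: Iterable[Path]) -> list[Finding]:
    """Scan real files; binary or unreadable files are skipped."""
    findings: list[Finding] = []
    for p in paths:
        try:
            findings.extend(scan_text(str(p), p.read_text(encoding="utf-8")))
        except (UnicodeDecodeError, OSError):
            continue
    return findings


# Constructed sample repository contents (no real credentials). The AWS value is
# AWS's documented placeholder key; the GitHub token and secret_token are made up.
SAMPLES = {
    "config.py": 'API_KEY = "AKIAIOSFODNN7EXAMPLE"\nDEBUG = True\n',
    "deploy.sh": 'export GITHUB_TOKEN="ghp_0123456789abcdefghijklmnopqrstuvwxyz"\n',
    "settings.yaml": 'password: "replace-me-replace-me"\nsecret_token: "q8Zt2LmV9pXr4KsW7bNc1HdY"\n',
    "README.md": "Set API_KEY in your environment; never commit it.\n",
}


def scan_samples() -> list[Finding]:
    findings: list[Finding] = []
    for path, text in SAMPLES.items():
        findings.extend(scan_text(path, text))
    return findings


def ci_exit_code(findings: list[Finding]) -> int:
    """Non-zero when anything was found, so the pipeline step fails closed."""
    return 1 if findings else 0


if __name__ == "__main__":
    # With arguments: scan those files or directories. Without: run on the samples.
    if len(sys.argv) > 1:
        paths: list[Path] = []
        for arg in sys.argv[1:]:
            root = Path(arg)
            paths.extend(p for p in (root.rglob("*") if root.is_dir() else [root]) if p.is_file())
        results = scan_files(paths)
    else:
        results = scan_samples()
    for f in results:
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.preview})")
    sys.exit(ci_exit_code(results))
```

In a pipeline the step runs over every changed file and fails the job on a non-zero exit. Because leaked keys survive in deleted snippets and old revisions, the same scan should also be run over historical commits, not only the working tree, and any hit treated as a revocation event rather than something fixed by deleting the line.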
3. Cybercrime & Phishing
Google Files Lawsuit to Disrupt ‘Lighthouse’ Phishing-as-a-Service
Google has filed a landmark lawsuit to dismantle a China based cybercriminal operation known as “Lighthouse,” a massive Phishing-as-a-Service (PhaaS) network that has targeted millions of people globally through SMS phishing (smishing) attacks. The operation sells subscription based phishing kits that mimic trusted brands.
Google alleges the scheme has compromised millions of credit cards and is seeking an injunction under laws like the RICO Act to disrupt the core infrastructure and deter future cybercrime enterprises.
Our Take: Phishing-as-a-Service Professionalisation Continues.
The sheer scale and commercialisation of PhaaS demonstrate that phishing is no longer an amateur threat. Ensure your organisation trains employees on SMS phishing (smishing) and implement Web Application Firewalls (WAFs) and threat intelligence subscriptions to rapidly detect and block known malicious infrastructure.
ClickFix Phishing Campaign Targets Hotel Systems with PureRAT Malware
A massive phishing campaign is targeting the hospitality industry by luring hotel managers to highly sophisticated ClickFix social engineering pages to steal credentials and deploy the PureRAT malware.
The campaign uses spear-phishing emails that impersonate Booking.com in order to take over hotels’ accounts on platforms such as Booking.com and Expedia.
This campaign demonstrates the professionalisation of fraud, with criminals trading compromised hotel administrator accounts and using “as-a-service” tools to lower the barriers to entry for this type of cybercrime.
Our Take: Sector-Specific Fraud Demands Targeted Training.
Phishing is evolving to exploit industry-specific workflows and trusted brands such as Booking.com. Train your staff, particularly those in finance, procurement and customer service, on industry-specific social engineering techniques and enforce strict policies against using personal credentials for corporate platforms.
Strategic Defence Against Next Generation Exploitation
This week’s intelligence confirms that threat actors are strategically operating at the highest levels of privilege, whether exploiting critical zero-days in network appliances (Cisco/Citrix) or using the browser as a channel for unmonitored data exfiltration. The time to upgrade is now.
Secora Consulting’s specialised service pillars are designed to counter the advanced, persistent threats highlighted this week:
- Proactive Technical Validation: The exploitation of zero-days in Cisco/Citrix and WatchGuard VPNs demands more than just patching. Our Adversary Simulation Testing and Penetration Testing services stress-test your environment against these exact TTPs, identifying and closing the most critical blind spots before attackers exploit them.
- Risk & Vulnerability Management: To counter the continuous stream of flaws such as those in the Windows Kernel, Cisco ISE and WatchGuard Fireware, our Vulnerability Assessments provide the technical clarity needed for effective remediation prioritisation.
- Compliance & Supply Chain Resilience: The successful Europol takedown and the EU’s focus on crisis management (ENISA) underscore the need for assured processes. Our Third Party Assurance Assessments, combined with NIS2 Directive Consultancy or ISO 27001 Consultancy, ensure your organisation meets mandatory resilience and security standards.
- People & Process Resilience: The massive success of PhaaS networks and ClickFix phishing campaigns proves human error remains the primary attack vector. Our Simulated Phishing Attacks and Crisis Management Exercises transform your staff into an effective human firewall and ensure your executive team is prepared to respond legally and operationally during a major breach.
Security must be a layered, strategic function. Contact us today to strengthen your security architecture and turn these threats into an actionable defence strategy.