TLP: CLEAR
EXECUTIVE SUMMARY
Multiple zero-day vulnerabilities under active exploitation dominated the threat landscape this week, with Google patching two Android privilege escalation flaws exploited in targeted attacks and CISA adding five vulnerabilities to the Known Exploited Vulnerabilities catalog. Nation-state actors intensified operations against critical infrastructure, highlighted by Chinese APT groups systematically compromising telecommunications networks through enterprise router vulnerabilities.
The convergence of AI-assisted attack automation and critical infrastructure targeting marks an escalation in threat sophistication and calls for immediate defensive action across mobile platforms, network infrastructure, and enterprise applications. Federal Civilian Executive Branch agencies face September 23 and 24 deadlines for the new CISA KEV entries, while organizations with Salesforce or Google Workspace integrations must assess their exposure to the Salesloft Drift OAuth token theft.
Analyst Comment: This week's intelligence shows threat actors exploiting newly disclosed vulnerabilities within hours of disclosure, with actors claiming that AI-assisted automation frameworks cut the time from disclosure to working exploitation from weeks to minutes.
CRITICAL INCIDENTS
1. Multiple CISA Known Exploited Vulnerabilities Added - Active Exploitation Confirmed
CISA added four vulnerabilities to the KEV catalog on September 2 and 3, 2025, on the basis of confirmed active exploitation, following one addition on August 29, for five in total: CVE-2023-50224 and CVE-2025-9377 (September 2), CVE-2025-55177 and CVE-2020-24363 (September 3), and CVE-2025-57819 (August 29). Three of the five affect TP-Link routers: CVE-2025-9377 is an operating system command injection flaw in the Archer C7(EU) and TL-WR841N/ND(MS), CVE-2020-24363 (CVSS 8.8) is a missing-authentication flaw in the TL-WR841N that allows an unauthenticated attacker to trigger a factory reset and reboot of the device, and CVE-2023-50224 is an authentication bypass in the same model. The remaining two are CVE-2025-55177, an incorrect-authorization flaw in WhatsApp's linked-device synchronization, and CVE-2025-57819, an authentication bypass in Sangoma FreePBX. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate the September additions by September 23 and 24, 2025, three weeks after each entry's catalog date.
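The following script, added here as a worked example and not CISA tooling, shows how a team would triage these KEV additions against its own asset inventory and compute the BOD 22-01 due dates. The KEV records mirror the field names of CISA's known_exploited_vulnerabilities.json feed (cveID, vendorProject, product, vulnerabilityName, dateAdded) but are constructed for the example, as is the inventory; in production, download the feed and export the inventory from your CMDB.

```python
"""KEV triage against an asset inventory, with BOD 22-01 due dates.

Added example written for this report; it is not CISA tooling. The records
below mirror the field names of CISA's known_exploited_vulnerabilities.json
feed (cveID, vendorProject, product, vulnerabilityName, dateAdded) but are
constructed here, as is the inventory.
"""
import json
from datetime import date, timedelta

# CISA currently sets a due date three weeks after the catalog date for new
# entries; used only when a record carries no dueDate of its own.
DEFAULT_WINDOW_DAYS = 21

# Constructed KEV-style records for the entries this report names.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-50224", "vendorProject": "TP-Link", "product": "TL-WR841N",
     "vulnerabilityName": "TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability",
     "dateAdded": "2025-09-02"},
    {"cveID": "CVE-2025-9377", "vendorProject": "TP-Link",
     "product": "Archer C7(EU) and TL-WR841N/ND(MS)",
     "vulnerabilityName": "TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability",
     "dateAdded": "2025-09-02"},
    {"cveID": "CVE-2025-55177", "vendorProject": "Meta Platforms", "product": "WhatsApp",
     "vulnerabilityName": "Meta Platforms WhatsApp Incorrect Authorization Vulnerability",
     "dateAdded": "2025-09-03"},
    {"cveID": "CVE-2020-24363", "vendorProject": "TP-Link", "product": "TL-WR841N",
     "vulnerabilityName": "TP-Link TL-WR841N Missing Authentication for Critical Function Vulnerability",
     "dateAdded": "2025-09-03"},
    {"cveID": "CVE-2025-57819", "vendorProject": "Sangoma", "product": "FreePBX",
     "vulnerabilityName": "Sangoma FreePBX Authentication Bypass Vulnerability",
     "dateAdded": "2025-08-29"},
]})

# Constructed inventory in the shape of a CMDB export.
SAMPLE_INVENTORY = [
    {"host": "branch-rtr-01", "vendor": "TP-Link", "product": "TL-WR841N v9"},
    {"host": "pbx-01", "vendor": "Sangoma", "product": "FreePBX 17"},
    {"host": "core-fw-01", "vendor": "Palo Alto Networks", "product": "PA-5220"},
]


def due_date(date_added: str, window_days: int = DEFAULT_WINDOW_DAYS) -> str:
    """Catalog date plus the remediation window, as an ISO date string."""
    return (date.fromisoformat(date_added) + timedelta(days=window_days)).isoformat()


def _product_tokens(product: str) -> set:
    """Turn 'Archer C7(EU) and TL-WR841N/ND(MS)' into {'archer', 'tl-wr841n'}.

    Fragments shorter than four characters ('c7', 'eu', 'ms', 'and') are
    dropped because they match far too many unrelated inventory strings.
    """
    cleaned = product.lower()
    for ch in "()/":
        cleaned = cleaned.replace(ch, " ")
    return {tok for tok in cleaned.split() if len(tok) >= 4}


def affected_assets(kev_json: str, inventory: list, today: str) -> list:
    """One finding per (asset, KEV entry) match, earliest due date first.

    Matching is deliberately simple: same vendor, case-insensitively, and at
    least one product token appearing in the inventory product string. Tune
    the matching to your CMDB's naming before trusting the output.
    """
    entries = json.loads(kev_json)["vulnerabilities"]
    today_d = date.fromisoformat(today)
    findings = []
    for asset in inventory:
        asset_product = asset["product"].lower()
        for entry in entries:
            if entry["vendorProject"].lower() != asset["vendor"].lower():
                continue
            if not any(tok in asset_product for tok in _product_tokens(entry["product"])):
                continue
            due = entry.get("dueDate") or due_date(entry["dateAdded"])
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "name": entry["vulnerabilityName"],
                "dueDate": due,
                "daysLeft": (date.fromisoformat(due) - today_d).days,
            })
    findings.sort(key=lambda f: (f["dueDate"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in affected_assets(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, today="2025-09-05"):
        status = "OVERDUE" if f["daysLeft"] < 0 else f"{f['daysLeft']} days left"
        print(f"{f['host']:<14} {f['cveID']:<15} due {f['dueDate']}  {status}")
```

Run against the constructed data on September 5, the script lists the FreePBX host first (due September 19) and the TP-Link router three times, once per KEV entry that names its model; the Palo Alto firewall produces nothing because none of this week's entries concern that vendor. The product-token matching is the piece most worth tuning: vendors' product strings in the KEV feed are inconsistent, and a CMDB rarely uses the same names.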
2. Android Zero-Day Privilege Escalation Vulnerabilities Exploited in Targeted Attacks
Google's September 2025 Android Security Bulletin, published September 2, addresses 84 vulnerabilities, including two that Google's Threat Analysis Group reports are under "limited, targeted exploitation": CVE-2025-38352 (CVSS 7.4), a race condition in the Linux kernel's POSIX CPU timers, and CVE-2025-48543, a flaw in the Android Runtime (ART). Both allow local privilege escalation with no additional execution privileges and no user interaction, a profile consistent with the exploit chains commercial spyware vendors use against high-value individuals. The ART fix is part of the 2025-09-01 security patch level and the kernel fix is part of the 2025-09-05 level, so a device is fully patched only once it reports a security patch level of 2025-09-05 or later.
3. Major Supply Chain Compromises Affect Enterprise Cloud Services
Two significant supply chain compromises affected major organizations during the reporting period. In the Salesloft Drift incident, the threat actor tracked by Google as UNC6395 stole the OAuth and refresh tokens issued to the Drift integration and used them between August 8 and 18, 2025 to pull data from customers' Salesforce instances, then searched the exported records for credentials such as AWS access keys, Snowflake tokens and passwords. Confirmed victims include PagerDuty, Palo Alto Networks, Zscaler, Cloudflare and Google, whose own exposure was limited to a small number of Google Workspace accounts connected through Drift Email. Separately, ShinyHunters claimed responsibility for a June 2025 compromise of a Google corporate Salesforce instance obtained through voice phishing of a Google employee; the data was business contact information for small and medium-sized customers. Google has stated that no Gmail accounts or passwords were exposed, and reports that "2.5 billion Gmail users" were affected reflect Gmail's total user base rather than any count of compromised accounts.
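The Drift incident illustrates two points that shape detection and response, and the following script, added here as a worked example rather than Salesforce, Salesloft or Google tooling, demonstrates both. First, the attacker acted as the integration's own identity, so an allowlist of connected apps cannot catch it and behaviour has to: user agent, source address, objects touched and export volume. Second, the stolen records were mined for credentials, so the response must include a secret sweep of whatever the token could read. All events, profiles, addresses, user-agent strings and case records below are constructed; the event field names are chosen for readability and should be mapped to the API event monitoring fields of the platform in question.

```python
"""Hunting for misuse of a legitimate integration's OAuth token, then finding
what the stolen data exposed.

Added example written for this report; it is not Salesforce, Salesloft or
Google tooling. All records, profiles, addresses and user-agent strings are
constructed. Event fields are named for readability; map them to your
platform's API event monitoring fields when adapting this.
"""
import ipaddress
import re

# Known-good profile per integration identity (constructed): how the vendor's
# service normally presents itself and what it legitimately needs to read.
INTEGRATION_PROFILES = {
    "drift-integration@example.com": {
        "user_agents": ("Drift/",),            # user-agent prefixes the vendor's service sends
        "source_cidrs": ("203.0.113.0/24",),   # vendor-published egress range
        "objects": {"Lead", "Contact"},        # objects the integration is scoped to
    },
}
BULK_ROW_THRESHOLD = 10_000

# Constructed API events: one normal sync, two from the stolen token, one human.
SAMPLE_EVENTS = [
    {"ts": "2025-08-12T02:14:07Z", "user": "drift-integration@example.com", "user_agent": "Drift/1.0",
     "source_ip": "203.0.113.10", "operation": "Query", "object": "Lead", "rows": 40},
    {"ts": "2025-08-13T03:40:11Z", "user": "drift-integration@example.com", "user_agent": "python-requests/2.32",
     "source_ip": "198.51.100.77", "operation": "BulkQuery", "object": "Case", "rows": 120000},
    {"ts": "2025-08-13T03:41:02Z", "user": "drift-integration@example.com", "user_agent": "custom-fetcher/1.0",
     "source_ip": "198.51.100.77", "operation": "BulkQuery", "object": "Account", "rows": 85000},
    {"ts": "2025-08-13T09:00:00Z", "user": "support-agent@example.com", "user_agent": "Mozilla/5.0",
     "source_ip": "192.0.2.5", "operation": "Query", "object": "Case", "rows": 25},
]

# Constructed support cases of the kind the attacker mined for credentials.
SAMPLE_CASES = [
    {"id": "500000000000001", "subject": "CI pipeline failing",
     "description": "Using AKIAIOSFODNN7EXAMPLE in the deploy job, still getting 403."},
    {"id": "500000000000002", "subject": "Login issue",
     "description": "Customer cannot sign in since Monday, no error shown."},
    {"id": "500000000000003", "subject": "Temporary DB access",
     "description": "temp creds: password = Tr0ub4dor&3 until Friday"},
]

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{6,})"),
}


def suspicious_integration_activity(events: list, profiles: dict = INTEGRATION_PROFILES) -> list:
    """Flag API events where an integration identity departs from its profile."""
    findings = []
    for ev in events:
        profile = profiles.get(ev["user"])
        if profile is None:
            continue  # human users go through the normal UEBA path
        reasons = []
        if not ev["user_agent"].startswith(profile["user_agents"]):
            reasons.append(f"unexpected user agent {ev['user_agent']!r}")
        ip = ipaddress.ip_address(ev["source_ip"])
        if not any(ip in ipaddress.ip_network(c) for c in profile["source_cidrs"]):
            reasons.append(f"source {ev['source_ip']} outside the vendor's egress range")
        if ev["object"] not in profile["objects"]:
            reasons.append(f"read {ev['object']}, outside the integration's scope")
        if ev["operation"].startswith("Bulk") and ev["rows"] >= BULK_ROW_THRESHOLD:
            reasons.append(f"bulk export of {ev['rows']} rows")
        if reasons:
            findings.append({"ts": ev["ts"], "user": ev["user"], "object": ev["object"], "reasons": reasons})
    return findings


def find_exposed_secrets(records: list, fields=("subject", "description")) -> list:
    """Scan exported records for credential material that now needs rotation."""
    hits = []
    for rec in records:
        for field in fields:
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(rec.get(field, "")):
                    token = m.group(1) if m.groups() else m.group(0)
                    hits.append({"record": rec["id"], "field": field, "kind": kind,
                                 "preview": token[:4] + "..."})  # never log the full secret
    return hits


if __name__ == "__main__":
    for f in suspicious_integration_activity(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["object"], "; ".join(f["reasons"]))
    for h in find_exposed_secrets(SAMPLE_CASES):
        print(h["record"], h["field"], h["kind"], h["preview"])
```

On the constructed data the two bulk exports from the stolen token trip all four behavioural checks, while the normal nightly sync and the human analyst's query trip none; the secret sweep surfaces an AWS access key ID and a pasted password in two of the three cases, which is the rotation list the incident commander actually needs. The profiles are the part that requires upkeep: vendors change egress ranges and user agents, so treat a profile miss as a triage signal rather than a verdict.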
4. Sitecore ViewState Deserialization Zero-Day Exploited by Nation-State Actors
On September 3, 2025, Mandiant disclosed active nation-state exploitation of CVE-2025-53690, a ViewState deserialization vulnerability in Sitecore Experience Platform (XP) 9.0 and earlier and in the Active Directory module 1.4 and earlier, in deployments that used the sample ASP.NET machine key published in Sitecore deployment guides from 2017 and earlier. Because the sample validationKey was public, the attacker could compute a valid ViewState MAC for a malicious serialized object and post it to an unauthenticated page (/sitecore/blocked.aspx) to gain remote code execution, then deployed the WEEPSTEEL reconnaissance tool, which shares characteristics with the GhostContainer backdoor, before escalating privileges and moving laterally. Mandiant disrupted the intrusion early, which prevented observation of the full attack lifecycle but confirmed deliberate tradecraft against an enterprise content management platform. The mitigation is key rotation: replace the static machineKey with unique, randomly generated values, encrypt the configuration section, and treat any deployment that ever ran with the sample key as potentially compromised.
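The precondition for this attack is a guessable machineKey, so the useful check is a configuration audit rather than a signature. The script below, added here as a worked example and not Sitecore or Mandiant code, parses an ASP.NET web.config, flags a validationKey that matches a known published sample, weak MAC algorithms, disabled ViewState MAC and unencrypted ViewState, and generates a replacement element with CSPRNG keys. KNOWN_SAMPLE_KEYS holds constructed placeholder values, not Sitecore's real sample key; fill it from the guides, templates and repositories your own deployments were built from. The web.config excerpts are constructed as well.

```python
"""Audit of the ASP.NET machineKey configuration abused in CVE-2025-53690.

Added example written for this report; it is not Sitecore or Mandiant code.
The weakness is not in ViewState itself: whoever knows the validationKey can
compute a valid MAC over an attacker-chosen serialized object, and ASP.NET
will deserialize it. A key copied from public documentation is therefore
equivalent to no key at all.

KNOWN_SAMPLE_KEYS holds constructed placeholder values, not Sitecore's real
sample key. The web.config excerpts are constructed too.
"""
import secrets
import xml.etree.ElementTree as ET

# Placeholder "published sample" keys (constructed). Compared case-insensitively.
KNOWN_SAMPLE_KEYS = {"0123456789ABCDEF" * 8}

# Constructed excerpt shaped like a deployment that pasted the sample values.
VULNERABLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{vkey}" decryptionKey="{dkey}"
                validation="SHA1" decryption="AES" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Auto" />
  </system.web>
</configuration>""".format(vkey="0123456789ABCDEF" * 8, dkey="FEDCBA9876543210" * 4)


def generate_machine_key() -> str:
    """A replacement machineKey element with CSPRNG keys.

    64 bytes (128 hex chars) for the HMACSHA256 validation key, 32 bytes for
    AES-256 decryption. Generate a distinct pair per application, never reuse
    a published one, and encrypt the section (aspnet_regiis -pe) once deployed.
    """
    return (f'<machineKey validationKey="{secrets.token_hex(64).upper()}" '
            f'decryptionKey="{secrets.token_hex(32).upper()}" '
            'validation="HMACSHA256" decryption="AES" />')


def hardened_web_config() -> str:
    """Constructed web.config excerpt with fresh keys and encrypted ViewState."""
    return f"""<configuration>
  <system.web>
    {generate_machine_key()}
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""


def audit_machine_key(web_config_xml: str) -> list:
    """Return findings, most severe first; an empty list means nothing flagged."""
    root = ET.fromstring(web_config_xml)
    critical, warn, info = [], [], []

    pages = root.find("./system.web/pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        critical.append("enableViewStateMac=false: ViewState is deserialized with no integrity check")

    mk = root.find("./system.web/machineKey")
    if mk is not None:
        vkey = mk.get("validationKey", "AutoGenerate")
        validation = mk.get("validation", "HMACSHA256").upper()
        if vkey.upper() in {k.upper() for k in KNOWN_SAMPLE_KEYS}:
            critical.append("validationKey matches a published sample key: anyone with the "
                            "documentation can forge ViewState MACs (CVE-2025-53690 precondition)")
        elif not vkey.startswith("AutoGenerate"):
            hex_len = len(vkey.split(",")[0])   # strip a trailing ",IsolateApps"
            if hex_len < 128:
                warn.append(f"validationKey is {hex_len} hex chars; use 128 (64 bytes) for HMACSHA256")
        if validation in {"MD5", "SHA1", "3DES", "AES"}:
            warn.append(f"validation={validation}: use HMACSHA256 or stronger")
    # With no machineKey element ASP.NET auto-generates per-server keys, which
    # cannot be forged from documentation but break ViewState across a web farm.

    if pages is not None and pages.get("viewStateEncryptionMode", "Auto") != "Always":
        info.append("viewStateEncryptionMode is not Always: encrypting ViewState also keeps "
                    "serialized page state out of an attacker's hands")
    return (["CRITICAL: " + m for m in critical] + ["WARN: " + m for m in warn]
            + ["INFO: " + m for m in info])


if __name__ == "__main__":
    print("vulnerable:", *audit_machine_key(VULNERABLE_WEB_CONFIG), sep="\n  ")
    print("hardened:", audit_machine_key(hardened_web_config()))
    print(generate_machine_key())
```

The constructed vulnerable excerpt yields a CRITICAL for the sample key, a WARN for SHA1 and an INFO for unencrypted ViewState; the hardened excerpt yields nothing. Run the audit across every web.config in a Sitecore estate, including staging and CD/CM roles, because key reuse between environments is exactly what turns one leaked sample into fleet-wide exposure. Rotating the key invalidates any ViewState a user currently holds, so schedule it with a session reset.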
ACTIVE THREAT ACTORS
Chinese APT Groups - Salt Typhoon and OPERATOR PANDA
Chinese state-sponsored actors, tracked under names including Salt Typhoon and OPERATOR PANDA, systematically exploited known vulnerabilities in enterprise edge devices, including CVE-2024-21887 (Ivanti Connect Secure), CVE-2024-3400 (Palo Alto Networks PAN-OS) and CVE-2023-20198 (Cisco IOS XE), to gain access to provider-edge and customer-edge routers of telecommunications networks worldwide. Once on a router, the actors modified access control lists to permit their own infrastructure, enabled packet capture to harvest credentials (including TACACS+ authentication traffic), and established tunnels for persistent access. The joint advisory assesses that the groups have maintained access across multiple countries' telecommunications infrastructure, enabling sustained espionage operations.
Iranian Threat Actors - Homeland Justice
The Iran-nexus group Homeland Justice expanded its targeting of diplomatic organizations with spear-phishing campaigns against more than 100 embassies, consulates and international organizations worldwide. The group sent its lures from compromised Oman Ministry of Foreign Affairs mailboxes, lending the messages legitimacy, and attached macro-enabled documents to deliver its malware. The campaign marks an escalation in Iranian cyber espionage against diplomatic targets, well beyond the group's earlier focus on Albanian government networks.
Russian APT28 - NotDoor Campaign
APT28 deployed NotDoor, a new backdoor implemented as an Outlook VBA macro, against organizations in NATO member countries. The backdoor watches incoming mail for a trigger string and then executes commands, uploads files and exfiltrates data through email, giving the operators a channel that blends in with normal Outlook traffic. Delivery relies on DLL side-loading through the legitimate, signed OneDrive.exe; the dropper then modifies registry values to disable Outlook's macro security prompts and load the VBA project at startup, with additional autostart entries reported under Winlogon, RunOnce and Active Setup. The campaign reflects continued Russian intelligence interest in NATO communications and planning.
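The persistence described above leaves a small, checkable footprint on the host: a VBA project file that Outlook is told to load at start, macro security turned down to "enable all", and a copy of a system DLL sitting next to OneDrive.exe outside the system directories. The following check, added here as a worked example and not LAB52, Microsoft or any vendor's detection content, evaluates a snapshot already collected from the host (registry values exported with reg.exe or PowerShell, plus a file listing) so that the logic is portable and testable; both snapshots are constructed, and the registry paths assume Office 16.0.

```python
"""Host check for the Outlook VBA persistence pattern described for NotDoor.

Added example written for this report; it is not vendor detection content.
It evaluates a snapshot already collected from the host (registry values and
a file listing) so the logic runs anywhere. Both snapshots are constructed.
Registry paths assume Office 16.0; adjust for other versions.
"""
import ntpath

OUTLOOK_KEY = r"HKCU\Software\Microsoft\Office\16.0\Outlook"

# Constructed snapshot of a host showing the pattern.
INFECTED_REGISTRY = {
    OUTLOOK_KEY + r"\LoadMacroProviderOnBoot": 1,   # load the VBA project when Outlook starts
    OUTLOOK_KEY + r"\Security\Level": 1,            # 1 = enable all macros, no prompt
}
INFECTED_FILES = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM",
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\SSPICLI.dll",   # belongs only in System32
]

# Constructed snapshot of a clean host (default macro security, system DLL in place).
CLEAN_REGISTRY = {OUTLOOK_KEY + r"\Security\Level": 3}
CLEAN_FILES = [
    r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    r"C:\Windows\System32\sspicli.dll",
]

SYSTEM_DLL_DIRS = ("\\windows\\system32", "\\windows\\syswow64")


def assess_outlook_host(registry: dict, files: list) -> list:
    """Return human-readable findings; an empty list means the pattern is absent."""
    findings = []
    lower_files = [p.lower() for p in files]

    load_on_boot = registry.get(OUTLOOK_KEY + r"\LoadMacroProviderOnBoot") == 1
    otm = [p for p in files if p.lower().endswith(r"\microsoft\outlook\vbaproject.otm")]
    if load_on_boot and otm:
        findings.append(f"VBA project {otm[0]} is loaded at every Outlook start "
                        "(LoadMacroProviderOnBoot=1); review its code")
    elif load_on_boot:
        findings.append("LoadMacroProviderOnBoot=1 but no VbaProject.OTM in the listing; "
                        "check other profile paths")

    if registry.get(OUTLOOK_KEY + r"\Security\Level") == 1:
        findings.append("Outlook macro security is 'enable all macros' (Security\\Level=1); "
                        "macros run without prompts")

    # DLL side-loading: sspicli.dll next to OneDrive.exe outside the system directories.
    dll_dirs = {ntpath.dirname(p) for p in lower_files if ntpath.basename(p) == "sspicli.dll"}
    exe_dirs = {ntpath.dirname(p) for p in lower_files if ntpath.basename(p) == "onedrive.exe"}
    for d in dll_dirs & exe_dirs:
        if not d.endswith(SYSTEM_DLL_DIRS):
            findings.append(f"sspicli.dll colocated with OneDrive.exe in {d}: DLL side-loading candidate")
    return findings


if __name__ == "__main__":
    for name, reg, files in (("infected", INFECTED_REGISTRY, INFECTED_FILES),
                             ("clean", CLEAN_REGISTRY, CLEAN_FILES)):
        print(name, assess_outlook_host(reg, files) or ["no findings"])
```

A VbaProject.OTM on its own is not malicious; users with legitimate Outlook macros have one, and Outlook sets LoadMacroProviderOnBoot for them. The combination with macro security at level 1 and a side-loaded DLL is what raises the confidence, so treat each finding as a pivot for review of the project's code rather than as a verdict.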
TRENDS
AI-Enabled Attack Automation Reduces Exploitation Timeframes
Check Point Research reported that within hours of Citrix's disclosure of CVE-2025-7775, CVE-2025-7776 and CVE-2025-8424, actors on underground forums claimed to be using HexStrike AI, an open-source offensive framework that exposes more than 150 security tools to a large language model through a dozen specialized agents, to scan for and exploit vulnerable NetScaler appliances and were offering the resulting access for sale. The actors claimed the framework cut the time from disclosure to working exploitation from weeks to under 10 minutes, and claims of compromise in as little as 20 seconds from reconnaissance to system access also circulated. These figures come from actor claims rather than independent measurement, but the direction is clear: the window between patch release and mass exploitation is shrinking to hours, and patch cadence has to follow.
Critical Infrastructure Targeting Increases 31% in Industrial Control Systems
Reporting on Russia-linked hacktivist groups including Z-Pentest, Dark Engine and Sector 16 shows a 31% increase in attacks against industrial control systems, with energy and utilities the most targeted sectors. CISA released nine ICS advisories between September 2 and 4, 2025, covering products from Delta Electronics, Fuji Electric, SunPower, Hitachi Energy, Honeywell and Mitsubishi Electric. Italy, the United States, the Czech Republic, France and Spain were the most targeted countries for critical infrastructure attacks.
Education Sector Attacks Surge 41% Year-Over-Year During Back-to-School Period
Educational institutions averaged 4,356 attacks per organization per week, a 41% increase year-over-year, during the late-August and early-September back-to-school period. Threat actors timed campaigns to the season: the SikkahBot Android malware targeted students in Bangladesh through fake scholarship applications, and 498 suspicious domains referencing the 2026 FIFA World Cup were registered some 18 months before the event. The pattern shows threat actors adapting to seasonal and event-driven windows rather than targeting opportunistically.
VULNERABILITIES
Critical Patches Required This Week
Continuing Active Exploitation (CISA KEV)
RECOMMENDATIONS
Immediate Actions (0-24 Hours)
- Apply the Android September 2025 security update (patch level 2025-09-05 or later) to all organizational mobile devices
- Replace end-of-life TP-Link routers that cannot receive fixed firmware; where a fix exists, apply it and disable WAN-side management
- Patch Citrix NetScaler ADC and Gateway systems against CVE-2025-7775 (CVSS 9.2)
- Segment solar monitoring gateways (the SunPower PVS6 was the subject of one of this week's ICS advisories) and other IoT devices from corporate networks
- Review and audit OAuth grants for all third-party SaaS integrations; revoke unused or over-scoped tokens and rotate any credentials found in data the Drift integration could read
REFERENCES
- Cybersecurity and Infrastructure Security Agency. (2025, September 2). CISA adds two known exploited vulnerabilities to catalog. https://www.cisa.gov/news-events/alerts/2025/09/02/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Kumar, S. (2025, September 4). Chinese APT campaigns intensify telecommunications targeting. The Hacker News. https://thehackernews.com/2025/09/chinese-apt-telecommunications
- Taylor, M. (2025, August 23). Salesloft Drift OAuth supply chain attack affects major organizations. The Hacker News. https://thehackernews.com/2025/08/salesloft-drift-oauth-attack
- Cybersecurity and Infrastructure Security Agency. (2025, September 3). CISA adds two known exploited vulnerabilities to catalog. https://www.cisa.gov/news-events/alerts/2025/09/03/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Cybersecurity and Infrastructure Security Agency. (2025, August 29). CISA adds one known exploited vulnerability to catalog. https://www.cisa.gov/news-events/alerts/2025/08/29/cisa-adds-one-known-exploited-vulnerability-catalog
- Help Net Security. (2025, September 4). Google fixes actively exploited Android vulnerabilities (CVE-2025-48543, CVE-2025-38352). https://www.helpnetsecurity.com/2025/09/04/google-fixes-actively-exploited-android-vulnerabilities-cve-2025-48543-cve-2025-38352/
- SecurityWeek. (2025, September 4). Two exploited vulnerabilities patched in Android. https://www.securityweek.com/two-exploited-vulnerabilities-patched-in-android/
- Smith, K. (2025, August 25). Google/Salesforce breach affects 2.5 billion Gmail users. The Hacker News. https://thehackernews.com/2025/08/google-salesforce-breach
- Mandiant Threat Defense. (2025, September 3). ViewState deserialization zero-day vulnerability in Sitecore products (CVE-2025-53690). https://cloud.google.com/blog/topics/threat-intelligence/viewstate-deserialization-zero-day-vulnerability
- Miller, D. (2025, September 1). Salt Typhoon exploits enterprise router vulnerabilities. BleepingComputer. https://www.bleepingcomputer.com/news/security/salt-typhoon-router-exploits
- Anderson, K. (2025, August 30). Chinese APTs achieve persistent telecommunications access. The Hacker News. https://thehackernews.com/2025/08/chinese-apt-telecommunications-access
- Green, P. (2025, August 29). Homeland Justice targets diplomatic entities globally. The Hacker News. https://thehackernews.com/2025/08/homeland-justice-diplomatic-targeting
- Baker, T. (2025, September 1). Russian APT28 deploys NotDoor Outlook backdoor. The Hacker News. https://thehackernews.com/2025/09/apt28-notdoor-outlook-backdoor
- Foster, K. (2025, August 31). OneDrive DLL side-loading provides persistence mechanism. Cybersecurity News. https://cybersecuritynews.com/onedrive-dll-side-loading
- Martinez, J. (2025, September 4). AI reduces zero-day exploitation time from weeks to minutes. The Hacker News. https://thehackernews.com/2025/09/ai-zero-day-exploitation
- Brown, P. (2025, September 3). 150+ AI agents provide autonomous attack orchestration. BleepingComputer. https://www.bleepingcomputer.com/news/security/ai-agents-attack-orchestration
- Hughes, M. (2025, August 30). 31% increase in ICS attacks targeting utilities. BleepingComputer. https://www.bleepingcomputer.com/news/security/ics-attacks-utilities-increase
- Cybersecurity and Infrastructure Security Agency. (2025, September 2). CISA releases four industrial control systems advisories. https://www.cisa.gov/news-events/alerts/2025/09/02/cisa-releases-four-industrial-control-systems-advisories
- Campbell, R. (2025, September 2). Education sector attacks increase 41% year-over-year. BleepingComputer. https://www.bleepingcomputer.com/news/security/education-attacks-increase
- Peterson, J. (2025, August 26). SikkahBot targets Bangladesh students via fake scholarships. BleepingComputer. https://www.bleepingcomputer.com/news/security/sikkahbot-bangladesh-scholarships