The Cybersecurity Association of Pennsylvania (PennCyber), in coordination with the Commonwealth Threat Intelligence Network (CTIN), is alerting members to active exploitation of a critical, unpatched zero-day vulnerability affecting Cisco AsyncOS software used in Cisco Secure Email Gateway (SEG) and Cisco Secure Email and Web Manager appliances.
Cisco has confirmed that a China-nexus advanced persistent threat (APT) actor, tracked as UAT-9686, is actively exploiting this vulnerability in the wild. Cisco became aware of the intrusion activity on December 10, 2025, and has identified a limited subset of exposed appliances as being impacted. At this time, the full scope of affected organizations remains unknown.
The vulnerability, tracked as CVE-2025-20393, carries a CVSS score of 10.0 and represents a maximum-severity risk. The flaw stems from improper input validation within AsyncOS, allowing an unauthenticated attacker to execute arbitrary commands with root-level privileges on the underlying operating system.
Cisco has also confirmed evidence of persistent access mechanisms deployed by threat actors, enabling continued control over compromised appliances even after initial access.
All versions of Cisco AsyncOS are affected. Successful exploitation requires the following conditions to be present:
The Spam Quarantine feature is enabled
The Spam Quarantine service is exposed to the internet
While Spam Quarantine is not enabled by default, PennCyber and CTIN strongly recommend that organizations immediately verify their configurations.
Administrators should validate whether Spam Quarantine is enabled by:
Connecting to the web management interface
Navigating to:
Network > IP Interfaces > [Interface] (Secure Email Gateway), or
Management Appliance > Network > IP Interfaces > [Interface] (Secure Email and Web Manager)
Confirming whether the Spam Quarantine option is checked
Cisco’s investigation indicates exploitation activity dating back to late November 2025. The threat actor has been observed deploying multiple post-exploitation tools, including:
ReverseSSH (AquaTunnel) and Chisel for encrypted tunneling and lateral access
AquaPurge, a log-cleaning utility designed to evade forensic detection
A custom Python backdoor, AquaShell, capable of receiving encoded commands via unauthenticated HTTP POST requests and executing them on the system shell
The use of AquaTunnel has previously been associated with known Chinese threat groups such as APT41 and UNC5174, reinforcing the assessment that this is a sophisticated, state-aligned operation.
At the time of this advisory, no security patch is available. PennCyber and CTIN strongly recommend the following immediate defensive actions:
Restrict internet exposure and place appliances behind a firewall allowing access only from trusted hosts
Separate mail handling and management functions onto distinct network interfaces
Disable HTTP access for the main administrator portal
Monitor web and system logs for anomalous or unexpected traffic
Disable any non-essential network services
Enforce strong authentication mechanisms (e.g., SAML or LDAP)
Change all default and administrative credentials immediately
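One way to act on the log-monitoring mitigation above, as an added example that is not Cisco's or PennCyber's tooling: it triages constructed access-log lines from a quarantine interface for POST requests from hosts outside a trusted allow-list (the unauthenticated channel AquaShell is described as using) and for long silences that may indicate log pruning by a tool like AquaPurge. The log format, the 10.0.0.0/8 allow-list, the request paths and the 6-hour gap threshold are all assumptions.

```python
# Added example (not Cisco's or PennCyber's tooling) for the log-monitoring
# mitigation above. It triages constructed Apache-style access lines from a
# quarantine interface and flags (1) POSTs from hosts outside a trusted
# allow-list, the channel the AquaShell backdoor is described as using, and
# (2) long silences in the log that may indicate pruning by a tool like
# AquaPurge. Log format, the 10.0.0.0/8 allow-list, the request paths and
# the 6-hour gap threshold are all assumptions.
import ipaddress
import re
from datetime import datetime, timedelta

TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed trusted hosts
GAP_THRESHOLD = timedelta(hours=6)                     # assumed normal cadence
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines):
    """Return (kind, details...) tuples for each suspicious observation."""
    findings, last_ts = [], None
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped; a real deployment should count them
        ip, ts_raw, method, path, status = m.groups()
        ts = datetime.strptime(ts_raw, TS_FMT)
        if last_ts is not None and ts - last_ts > GAP_THRESHOLD:
            findings.append(("log_gap", str(ts - last_ts)))
        last_ts = ts
        if method == "POST" and not trusted(ip):
            findings.append(("untrusted_post", ip, path, status))
    return findings


# Constructed sample: routine internal use, an external POST, then a silence.
SAMPLE_LOG = """\
10.1.2.3 - - [12/Dec/2025:09:00:01 +0000] "GET /login HTTP/1.1" 200 512
10.1.2.3 - - [12/Dec/2025:09:00:09 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [12/Dec/2025:09:15:44 +0000] "POST /placeholder HTTP/1.1" 200 42
10.1.2.3 - - [12/Dec/2025:18:30:00 +0000] "GET /login HTTP/1.1" 200 512
""".splitlines()
```

Run `triage(SAMPLE_LOG)` to see both findings; in practice the allow-list should be the same set of trusted hosts the firewall rule permits.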
Cisco has stated that if compromise is confirmed, a full rebuild of the appliance is currently the only reliable method to remove the attacker’s persistence mechanisms.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-20393 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are required to implement mitigations no later than December 24, 2025.
Separately, threat intelligence firm GreyNoise has reported a coordinated, automated credential-based campaign targeting exposed enterprise VPN infrastructure, including Cisco SSL VPN and Palo Alto Networks GlobalProtect portals. While this activity does not currently involve vulnerability exploitation, it highlights elevated threat actor interest in perimeter access points and reinforces the need for strong authentication and access controls.
Organizations using Cisco email security appliances should treat this issue as high priority, immediately assess exposure, and implement all available mitigations. MSPs and MSSPs are strongly encouraged to proactively review customer environments and validate secure configurations.
PennCyber and CTIN will continue to monitor this situation and provide updates as new intelligence becomes available.
The Pennsylvania Cybersecurity Association through the Commonwealth Threat Intelligence Network (CTIN) is issuing this alert following the discovery of the "GhostPoster" malware campaign. This sophisticated operation leveraged 17 Mozilla Firefox add-ons—collectively downloaded over 50,000 times—to deliver malicious payloads via steganography. By hiding code within innocent-looking logo files, the malware bypasses traditional security scans to hijack affiliate links, inject tracking code, and strip away browser security protections.
According to research from Koi Security, the GhostPoster campaign utilizes "Trojan Horse" tactics, masquerading as legitimate tools such as VPNs, ad blockers, weather trackers, and translation utilities.
The attack chain is particularly elusive:
Steganographic Loading: The malware is hidden inside the extension’s logo file. Upon loading, it parses the image for a specific "===" marker to extract a JavaScript loader.
Delayed Execution: To evade sandbox detection, the malware remains dormant for over six days after installation.
Probabilistic C2 Communication: The loader only attempts to contact its command-and-control (C2) server 10% of the time, making network-level detection extremely difficult.
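A defensive check for the steganographic loading step described above, as an added example (not Koi Security's or PennCyber's tooling): it walks a PNG's chunks (or locates a JPEG's end-of-image marker), reports any bytes appended after the real image, and extracts the text that follows the "===" delimiter. The PNG-building helper and both sample images are constructed.

```python
# Added example (not Koi Security's or PennCyber's tooling): flags a loader
# appended to a valid PNG/JPEG logo and set off by the "===" marker described
# above. The sample images below are constructed, not real add-on icons.
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MARKER = b"==="  # delimiter the advisory says the loader looks for

def image_end(data: bytes) -> Optional[int]:
    """Offset just past the real image (PNG IEND chunk or JPEG EOI), else None."""
    if data.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4  # header + chunk data + CRC
            if ctype == b"IEND":
                return pos
        return None
    if data.startswith(b"\xff\xd8"):
        # Use the last EOI: an earlier one may belong to an embedded thumbnail.
        eoi = data.rfind(b"\xff\xd9")
        return eoi + 2 if eoi != -1 else None
    return None

def scan_logo(data: bytes) -> dict:
    """Report trailing bytes and, if present, the text after the marker."""
    end = image_end(data)
    if end is None:
        return {"verdict": "unparsed", "trailing_bytes": 0, "marker": False, "payload": b""}
    trailer = data[end:]
    has_marker = MARKER in trailer
    return {
        "verdict": "suspicious" if trailer else "clean",
        "trailing_bytes": len(trailer),
        "marker": has_marker,
        "payload": trailer.split(MARKER, 1)[1] if has_marker else b"",
    }

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed 1x1 grayscale PNG, then the same image with an appended loader.
CLEAN_PNG = (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _png_chunk(b"IEND", b""))
TAINTED_PNG = CLEAN_PNG + b"\n" + MARKER + b"(function(){/* stage-2 loader */})();"
```

Any non-zero trailer on an extension icon deserves a look even without the marker, since a legitimate image ends at IEND or EOI.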
Once active, GhostPoster deploys a comprehensive toolkit designed to monetize and monitor user activity through:
Security Header Stripping: Removing Content-Security-Policy and X-Frame-Options, leaving users vulnerable to clickjacking and XSS attacks.
Affiliate Hijacking: Intercepting e-commerce links to divert commissions to threat actors.
Profile Tracking: Injecting Google Analytics code into every visited page to profile user behavior.
Hidden Iframe Injection: Forcing the browser to visit attacker-controlled URLs in the background for ad fraud.
CAPTCHA Bypassing: Utilizing automated scripts to bypass bot detection safeguards.
"The GhostPoster campaign is a stark reminder that browser extensions have become a primary vector for supply chain attacks," says Scott Davis, Chairman of the Cybersecurity Association of PA. "By hiding malicious code in something as mundane as a logo file, these actors are deliberately targeting the trust users place in official marketplaces."
Davis adds, "For Pennsylvania businesses and residents, the 'free' software model remains a significant risk. As we see with these 17 add-ons, if you aren't paying for the product, your data and your security often become the currency. We urge all users to audit their browser environments immediately."
If you have any of the following extensions installed, remove them immediately and clear your browser cache:
| Category | Extension Name / Internal ID |
|---|---|
| VPNs | Free VPN, Global VPN - Free Forever |
| Utilities | Screenshot, Mouse Gesture (crxMouse), Cache - Fast site loader |
| Translation | Google Translate (multiple versions), Traductor de Google, Translator - Google Bing Baidu DeepL |
| Theming/Adblock | Dark Reader Dark Mode, Ad Stop - Best Ad Blocker, Dark Mode |
| Other | Weather (best-forecast/i-like-weather), Free MP3 Downloader, libretv-watch-free-videos |
Inventory Extensions: Organizations should use Group Policy Objects (GPOs) to restrict browser extension installations to an approved "allow-list."
Monitor C2 Traffic: Check network logs for communication with known malicious domains: www.liveupdt[.]com and www.dealctr[.]com.
Enforce Zero Trust: Treat all browser add-ons as third-party software that requires a security review before deployment on corporate assets.
A critical vulnerability known as React2Shell is rapidly escalating into a large-scale global exploitation campaign, prompting urgent warnings from U.S. and international cybersecurity authorities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has ordered federal agencies to remediate the flaw by December 12, 2025, underscoring the severity and active exploitation of the issue.
Tracked as CVE-2025-55182 with a CVSS score of 10.0, the vulnerability impacts the React Server Components (RSC) Flight protocol and stems from unsafe deserialization. Exploitation allows an attacker to inject malicious logic that executes in a privileged server context. The exposure extends well beyond React itself, affecting widely deployed frameworks such as Next.js, Waku, Vite, React Router, and RedwoodSDK.
“This is not a theoretical or edge-case vulnerability,” said Scott Davis, Chairman and President of the Cybersecurity Association of Pennsylvania. “React2Shell is trivial to exploit, requires no authentication, and gives attackers direct execution on production servers. That combination dramatically raises both the likelihood and impact of compromise.”
According to Cloudforce One, Cloudflare’s threat intelligence team, exploitation requires only a single, specially crafted HTTP request. No user interaction or elevated permissions are needed. Once successful, attackers can execute arbitrary JavaScript with full server privileges.
Since public disclosure on December 3, 2025, multiple threat actors have launched parallel campaigns leveraging React2Shell for reconnaissance, persistence, and malware delivery. The activity was severe enough that CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and subsequently accelerated the federal remediation deadline from December 26 to December 12.
Cloud security firm Wiz reports a “rapid wave of opportunistic exploitation,” with the majority of attacks targeting internet-facing Next.js applications and containerized workloads running in Kubernetes and managed cloud environments.
Cloudflare telemetry shows attackers using large-scale internet scanning and asset discovery tools to identify exposed React and Next.js deployments. Notably, some reconnaissance campaigns deliberately excluded Chinese IP ranges. The highest concentration of probing activity was observed in Taiwan, Xinjiang Uyghur, Vietnam, Japan, and New Zealand, regions frequently associated with geopolitical intelligence collection.
While attacks remain largely opportunistic, more selective targeting has been observed against .gov domains, academic research institutions, and critical infrastructure operators, including a national authority overseeing uranium, rare metals, and nuclear fuel imports and exports.
Additional findings from threat intelligence partners include:
Targeting of high-sensitivity technology platforms such as enterprise password managers and secure vault services, suggesting potential supply chain attack objectives
Scanning of edge-facing SSL VPN appliances whose administrative portals embed React-based components
Early exploitation attempts traced to IP addresses previously associated with Asia-affiliated threat clusters
Kaspersky’s honeypot analysis recorded more than 35,000 exploitation attempts in a single day on December 10, 2025. Attackers commonly validated access using basic commands such as whoami before deploying cryptocurrency miners, Mirai/Gafgyt variants, and RondoDox botnet malware.
Other observed payloads include Cobalt Strike beacons, Sliver, Fast Reverse Proxy (FRP), the Nezha monitoring tool, and Node.js-based toolkits designed to harvest sensitive files and extract secrets using TruffleHog and Gitleaks. Researchers also identified a Go-based backdoor featuring reverse shell access, reconnaissance capabilities, and full command-and-control functionality.
VulnCheck estimates that more than 140 proof-of-concept exploits are circulating in the wild. While roughly half are broken or misleading, functional repositories include tooling to deploy in-memory web shells such as Godzilla, automate scanning, and even install lightweight web application firewalls to block rival attackers.
Security researcher Rakesh Krishnan further identified an open directory hosted at 154.61.77[.]105:8082 containing a React2Shell PoC script and two target lists: one with 35,423 domains and another with 596 prioritized URLs, including well-known brands such as Starbucks, Porsche, Lululemon, and Dia Browser. Analysis indicates the actor is actively scanning and infecting sites listed in the latter file.
Cyber insurance and security firm Coalition has drawn direct parallels between React2Shell and the Log4Shell crisis of 2021, characterizing it as a “systemic cyber risk aggregation event.”
“This vulnerability sits at the intersection of modern web development and cloud infrastructure,” Davis added. “When a core framework like React is impacted at this level, the blast radius is enormous. Organizations that assume this is someone else’s problem are making a dangerous bet.”
According to The Shadowserver Foundation, more than 137,200 internet-exposed IP addresses were running vulnerable code as of December 11, 2025. The United States accounts for over 88,900 of those instances, followed by Germany (10,900), France (5,500), and India (3,600).
PennCyber and CTIN strongly urge organizations to immediately apply vendor patches, audit exposed React and Next.js services, and monitor for post-exploitation activity. Given the speed, scale, and sophistication of ongoing attacks, React2Shell should be treated as an active incident, not a routine patching exercise.
This morning, Cloudflare experienced a significant internal service degradation that disrupted numerous internet services worldwide. The issue began at approximately 6:48 AM ET, causing intermittent failures across platforms that rely on Cloudflare’s infrastructure. By 7:03 AM ET, Cloudflare confirmed ongoing investigations, and at 7:21 AM ET, partial recovery was observed, though elevated error rates persisted. As of 7:37 AM ET, remediation efforts continue.
The outage affected major services including X (formerly Twitter), ChatGPT, Spotify, Canva, Letterboxd, and even Downdetector, which tracks outages. Cloudflare’s own dashboard and API were impacted, resulting in widespread HTTP 500 errors and disruptions to CDN delivery, DNS resolution, and security services such as WAF and bot detection.
Organizations should monitor their critical services and consider contingency plans for dependencies on Cloudflare. For real-time updates, visit Cloudflare Status.
The Pennsylvania Attorney General’s Office has acknowledged a data security incident that occurred on or around August 9, 2025, potentially involving personal information of certain individuals. While there is currently no evidence of misuse or attempted misuse of the data, the Office has confirmed that some files accessed without authorization contained sensitive information, including names and Social Security numbers, and in some cases, medical information.
The Attorney General’s Office detected suspicious activity in its network on August 9, 2025, and immediately launched an investigation with the assistance of cybersecurity specialists. The investigation revealed that certain files may have been accessed without authorization. The Office emphasized that it takes the privacy and security of all information very seriously and has implemented measures to reduce the risk of similar incidents in the future.
On November 14, 2025, the Office began notifying affected individuals via email and offered complimentary identity protection services to those whose sensitive information was involved. The Federal Bureau of Investigation has also been notified and is assisting in the investigation.
According to prior reporting by the Cybersecurity Association of Pennsylvania, the vulnerability in the Attorney General’s Office systems was publicly disclosed on July 14, 2025 but remained unresolved until after August 9, when ransomware commands were executed, locking data that attackers had likely accessed earlier.
Scott Davis, Chairman of the Cybersecurity Association of Pennsylvania, previously warned:
“Every ransomware attack today is a data breach. If a cybercriminal has access to encrypt the data, they had access and likely transmitted the data off your network days before you even realized you had an incident.”
This incident underscores the critical importance of timely patching and proactive monitoring to prevent exploitation of known vulnerabilities.
Affected individuals are encouraged to:
For questions or assistance, call 1-833-353-8060 (Monday–Friday, 8:00 a.m.–8:00 p.m. ET, excluding U.S. holidays).