Microsoft’s September 2025 Patch Tuesday delivers fixes for 81 vulnerabilities, including two publicly disclosed zero-days. Nine flaws are classified as critical, with five involving remote code execution, one tied to information disclosure, and two to elevation of privilege.
Breakdown of Vulnerabilities
41 Elevation of Privilege vulnerabilities
22 Remote Code Execution vulnerabilities
16 Information Disclosure vulnerabilities
2 Security Feature Bypass vulnerabilities
3 Denial of Service vulnerabilities
1 Spoofing vulnerability
These totals do not include earlier fixes for three Azure flaws, one Dynamics 365 FastTrack Implementation Assets flaw, two Mariner bugs, five Microsoft Edge issues, and one Xbox vulnerability. Non-security updates released this month include Windows 11 KB5065426 and KB5065431, and Windows 10 KB5065429.
Zero-Day Vulnerability
CVE-2025-55234 | Windows SMB Elevation of Privilege Vulnerability
This vulnerability can be exploited through relay attacks. Depending on configuration, an attacker could relay SMB sessions and gain elevated privileges. Microsoft recommends enabling SMB Server Signing and Extended Protection for Authentication (EPA) to mitigate risk, though both may introduce compatibility issues with older devices. September updates introduce new auditing capabilities to help administrators assess client compatibility with SMB hardening.
CVE-2024-21907 | Newtonsoft.Json Denial of Service Vulnerability in SQL Server
This flaw arises from mishandling exceptional conditions in Newtonsoft.Json prior to version 13.0.1. Passing crafted data to the JsonConvert.DeserializeObject method can trigger a StackOverflow exception, causing denial of service. Updates for SQL Server now integrate the patched Newtonsoft.Json library. This vulnerability was originally disclosed in 2024.
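The class of bug described above (a recursive deserializer with no bound on nesting) is easiest to see with a depth guard in front of the parser. The block below is an added illustration, not code from the page, from Microsoft or from the Newtonsoft.Json project: it is a Python analogue of a MaxDepth-style limit, scanning the raw text for bracket depth before any recursive parsing happens. The limit of 64 mirrors the default MaxDepth that Json.NET 13.0.1 introduced; the helper names and the constructed inputs are assumptions of this example.

```python
import json

# Nesting limit; assumption mirroring the 64-level default MaxDepth that
# Json.NET 13.0.1 adopted (tune it to the parser you actually deploy).
DEFAULT_MAX_DEPTH = 64


def nesting_depth(text: str) -> int:
    """Return the deepest array/object nesting in a JSON document.

    Single linear pass over the raw text, ignoring brackets that appear
    inside string literals, so it uses constant stack however deep the
    input is (unlike the recursive parser it protects).
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
            continue
        if ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


def safe_loads(text: str, max_depth: int = DEFAULT_MAX_DEPTH):
    """Parse JSON only if its nesting stays within max_depth.

    Rejects over-deep input with ValueError before the recursive parser
    runs, which is what a MaxDepth setting buys you in the patched library.
    """
    depth = nesting_depth(text)
    if depth > max_depth:
        raise ValueError(f"JSON nesting depth {depth} exceeds limit {max_depth}")
    return json.loads(text)


# Constructed inputs: an ordinary document (note the bracket inside a string,
# which must not count) and a 100,000-level nest of the kind that exhausts a
# recursive parser's call stack.
BENIGN = '{"user": "alice", "roles": ["reader", "editor"], "quote": "[not a bracket]"}'
DEEP = "[" * 100_000 + "]" * 100_000


def demo() -> dict:
    """Run both inputs through the guard and report what happened."""
    result = {"benign_depth": nesting_depth(BENIGN), "deep_depth": nesting_depth(DEEP)}
    result["benign_user"] = safe_loads(BENIGN)["user"]
    try:
        safe_loads(DEEP)
        result["deep_rejected"] = False
    except ValueError:
        result["deep_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The guard is deliberately separate from the parser: it fails closed on depth alone and never touches the recursive code path, so the same pre-check can sit in front of any deserializer whose own limit you cannot configure.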
Other Critical Vulnerabilities
Microsoft also patched multiple remote code execution flaws across Windows components and Microsoft Office, as well as high-severity information disclosure and privilege escalation vulnerabilities. These issues remain attractive targets for attackers and should be prioritized in patching schedules.
Adobe and Other Vendor Updates
Other vendors issuing security updates in September 2025 include:
Adobe: Patched a Magento flaw called “SessionReaper” impacting eCommerce sites
Argo: Fixed an Argo CD bug allowing low-privileged tokens to access repository credentials
Cisco: Released updates for WebEx, Cisco ASA, and related products
Google: Issued September Android updates addressing 84 flaws, including two zero-days under active exploitation
SAP: Released updates across multiple products, including a maximum-severity command execution flaw in NetWeaver
Sitecore: Addressed an actively exploited zero-day tracked as CVE-2025-53690
TP-Link: Confirmed a zero-day in certain router models, with patches in development for US customers
Recommendations for Users and Administrators
Organizations should prioritize applying patches for systems using SMB Server and SQL Server given the public disclosure of both zero-days. Administrators are advised to test and enable SMB Server Signing and EPA where possible and use the new auditing capabilities to prepare for enforcement. SQL Server deployments should be updated to versions incorporating Newtonsoft.Json 13.0.1 or later.
Security teams should also review vendor advisories from Adobe, Cisco, Google, SAP, and Sitecore, particularly where vulnerabilities are confirmed to be under active attack.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
Not Just Research: Threat Actors Are Weaponizing AI for Ransomware
AI-powered ransomware is no longer a distant possibility. Although the recently surfaced PromptLock turned out to be a research prototype created at NYU Tandon School of Engineering, attackers are already using tools like Claude Code to automate reconnaissance, exploitation, and extortion in the wild. What began as an academic demonstration of “Ransomware 3.0” has already been mirrored by real threat actors targeting healthcare, defense, and financial organizations.
When PromptLock samples first appeared on VirusTotal in August 2025, security researchers suspected a new form of ransomware. Analysis by ESET showed it relied on OpenAI’s GPT-OSS:20b model, dynamically generating Lua scripts to perform reconnaissance and execute malicious actions. Soon after, academics confirmed that PromptLock was in fact a controlled proof-of-concept. Their goal was to demonstrate how large language models could coordinate an entire ransomware chain, from surveying a victim’s environment to deploying customized payloads and even writing tailored extortion notes. The research highlighted how easily a benign-looking AI utility could conceal hidden instructions, making detection increasingly difficult.
The fact that PromptLock was only a lab project does not mean the threat is hypothetical. Anthropic’s August 2025 threat intelligence report revealed real-world misuse of its Claude Code agent. According to the report, attackers were able to use the tool for reconnaissance, lateral movement, and large-scale data theft, embedding their preferred tactics and playbooks into configuration files so the assistant would respond in ways that supported their campaign. The same system generated ransom notes, packaged malware with evasion techniques, and analyzed stolen data to set extortion demands, some of which exceeded half a million dollars. Victims ranged from a defense contractor to financial institutions and healthcare providers, with stolen material including social security numbers, banking details, patient records, and ITAR-controlled documentation.
Anthropic responded by banning the malicious accounts and working to strengthen its detection capabilities. Security experts stress that although the core techniques of ransomware have not changed, AI drastically lowers the barrier to entry and accelerates every phase of an attack. As Exabeam’s Steve Povolny observed, what once required teams of skilled operators can now be achieved faster and cheaper through modular, AI-driven tasks, in the same way non-coders now build enterprise applications with AI assistance.
PromptLock itself may be only a proof-of-concept, but its design reflects tactics that are already active in the wild. The lesson for defenders is clear: AI is now serving attackers not just as a consultant, but as an operator, compressing the time it takes to plan and launch ransomware campaigns. Security teams will need to assume that adversaries can rapidly construct large-scale, tailored attacks with the same ease that businesses now adopt AI to streamline development and operations.
CVE-2025-42957: Critical SAP S/4HANA Code Injection Vulnerability Actively Exploited
A newly confirmed wave of exploitation is targeting CVE-2025-42957, a critical code injection flaw in SAP’s S/4HANA ERP platform. First disclosed and patched in SAP’s August 2025 security updates, the vulnerability was discovered by SecurityBridge and carries a CVSS v3 score of 9.9. The issue affects both on-premises and private cloud deployments of S/4HANA and is now being abused in the wild, with exploitation attempts spiking after the release of SAP’s patch.
The vulnerability allows attackers with only low-privileged user access to inject ABAP code into the system, ultimately giving them complete control of both the SAP environment and the host operating system. Although a valid account is required, the complexity of the attack is minimal and can be carried out remotely over the network. According to SecurityBridge, the patch is relatively easy to reverse engineer, which means attackers can quickly develop working exploits.
Reports from both SecurityBridge and Pathlock confirm that malicious actors are already testing and abusing this flaw. Once exploited, an attacker could directly manipulate or delete corporate data in the SAP database, create persistent backdoor accounts with administrative privileges, steal hashed passwords, and extend control into the host operating system. The fact that a single compromised user account can lead to full system compromise makes this vulnerability especially dangerous.
SAP customers are strongly urged to apply the August 2025 patches without delay. Beyond patching, SecurityBridge advises enabling the Unified Connectivity framework (UCON) to restrict remote function call (RFC) usage, and monitoring logs carefully for unusual RFC activity or newly created administrative accounts. Organizations should also audit privileged accounts and system activity to ensure attackers have not already established persistence.
CVE-2025-42957 highlights how attackers continue to focus on SAP environments as high-value targets. The vulnerability requires little effort to exploit, provides complete system access, and has already been weaponized in real-world attacks. Organizations that delay remediation face the risk of data theft, operational disruption, and potentially long-lasting compromise.
Cybersecurity leaders know that technical defenses alone are not enough. To truly safeguard sensitive information, organizations need a structured framework that brings together people, processes, and technology. That’s where ISO/IEC 27001 comes in. As the most widely recognized international standard for information security management, ISO 27001 helps organizations build a resilient Information Security Management System (ISMS) that reduces risk, ensures compliance, and inspires trust across clients and partners.
For companies operating in highly regulated sectors such as healthcare, finance, and defense, ISO 27001 certification has quickly become a prerequisite for doing business. But even beyond compliance, the standard offers strategic advantages that extend well into daily operations.
Understanding ISO 27001
ISO 27001 establishes a clear framework for managing information security by requiring organizations to identify risks, implement controls, and continuously refine their defenses. At its foundation is the CIA triad:
Confidentiality – protecting sensitive information from unauthorized access.
Integrity – ensuring that data remains accurate and unaltered.
Availability – guaranteeing that systems and data are accessible when needed.
Certification requires more than paperwork; it demands organizational commitment, executive buy-in, and third-party audits to confirm that security is not just documented but operationalized.
Why ISO 27001 Matters
Strengthened Security and Reduced Breach Risk
The structured risk assessments required by ISO 27001 uncover blind spots in existing security programs and ensure that controls evolve alongside new threats. This makes breaches less likely and less damaging when they occur.
Increased Trust With Clients and Partners
Certification demonstrates to customers that their data is handled responsibly. In a climate where supply chain security is under constant scrutiny, ISO 27001 signals maturity and accountability.
Competitive Advantage in the Marketplace
For many contracts, particularly in government and critical infrastructure, ISO 27001 is not optional. Organizations without certification risk being sidelined, while certified entities gain a competitive edge.
Cost Savings Through Prevention
Data breaches are expensive, with costs extending well beyond regulatory fines. By reducing the likelihood and impact of incidents, ISO 27001 helps organizations protect both reputation and bottom line.
Streamlined Compliance Across Frameworks
Because ISO 27001 aligns closely with frameworks like NIST CSF, GDPR, and SOC 2, certification can reduce the burden of overlapping audits and improve efficiency for compliance teams.
Building a Culture of Security
One of ISO 27001’s most impactful benefits is cultural. By embedding information security into every layer of operations, organizations move beyond check-the-box compliance and foster a security-first mindset. Employees receive ongoing training, human error is reduced, and decision-making increasingly considers risk alongside business goals.
How Netizen Can Help
Achieving ISO 27001 certification requires expertise and sustained effort, but you don’t have to go it alone. Netizen has guided government, defense, and commercial organizations through complex compliance initiatives, helping them align security programs with business objectives.
Our CISO-as-a-Service offering gives organizations of any size access to executive-level expertise, while our 24x7x365 Security Operations Center (SOC) provides continuous monitoring and incident response. From compliance gap assessments to audit readiness, penetration testing, and security engineering, Netizen delivers the capabilities needed to not only meet ISO 27001 requirements but exceed them.
Researchers have detailed a new proof-of-concept attack showing how adversaries can use AI-generated summaries to push ransomware and other malicious commands directly to unsuspecting users.
How ClickFix Works
The tactic, called ClickFix, manipulates victims into running self-sabotaging commands under the guise of resolving an error or fixing an issue. In past incidents, attackers impersonated Booking.com or injected fake reCAPTCHA prompts, tricking users into pasting commands into the Windows Run prompt. In one campaign, over 100 automotive dealership websites briefly displayed malicious instructions to visitors.
The new proof-of-concept from CloudSEK takes ClickFix a step further by abusing AI summarization tools. Researchers showed how attackers could embed malicious instructions into HTML content using techniques like invisible white-on-white text, zero-width characters, tiny font sizes, and off-screen text placement. While these elements remain invisible to a human reader, they dominate an AI model’s context window, surfacing prominently in generated summaries.
When an AI assistant, browser extension, or email summarizer processes the content, the summary may end up displaying the hidden payload as if it were legitimate advice. CloudSEK demonstrated how such a summary could instruct a victim to paste a PowerShell command into the Run prompt, initiating a ransomware infection. Because the instructions appear to come from the AI summarizer itself, not an external attacker, the victim is far less likely to question them.
CSS Obfuscation and Prompt Overload
The success of this attack relies on a blend of CSS obfuscation and what researchers call “prompt overdose.” By repeating hidden payloads multiple times in the HTML, the attacker ensures that the malicious instructions outweigh legitimate context during summarization.
This manipulation effectively turns the AI tool from a passive summarizer into an active participant in the social engineering chain. What looks like a harmless article, blog post, or email to a human user may, once summarized, output only the attacker’s malicious instructions.
Defensive Recommendations
CloudSEK’s guidance for defenders focuses on improving how AI pipelines preprocess and handle content:
Summarizers should normalize or strip suspicious CSS attributes before processing inputs.
Enterprises should implement prompt sanitizers that filter hidden payloads before they reach summarization models.
Detection rules should be created for repeated, hidden text patterns that could dominate AI outputs.
Organizations deploying internal AI summarizers should enforce strict preprocessing policies at gateways, content systems, and browser extensions.
Most importantly, researchers emphasize the need for enterprise-level AI policy enforcement and secure design patterns that prevent AI outputs from triggering sensitive actions without explicit user approval.
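The preprocessing steps listed above (strip hiding CSS, drop zero-width characters, flag repeated hidden text) can be combined into one gate that runs before content reaches a summarizer. The block below is an added example written for this page, not CloudSEK's tooling or code from the original post: a small Python scanner built on the standard library's html.parser that separates text a human would see from text hidden by inline CSS, normalizes zero-width characters, and counts repeated hidden segments as the "prompt overdose" signal. The heuristic thresholds (1px font, -999px offset, three repeats), the helper names and the sample page with its placeholder payload line are all assumptions of this example.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Characters that render as nothing but survive into an LLM's context window.
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")
LENGTH_PX = re.compile(r"(-?\d+(?:\.\d+)?)px")
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}


def _css_props(style: str) -> dict:
    """Parse an inline style attribute into {property: value}, lower-cased."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            props[name.strip().lower()] = value.strip().lower()
    return props


def is_hidden_style(style: str) -> bool:
    """Heuristics for CSS that hides text from a human reader (assumed thresholds)."""
    p = _css_props(style)
    if p.get("display") == "none" or p.get("visibility") == "hidden":
        return True
    if p.get("opacity") in ("0", "0.0"):
        return True
    size = LENGTH_PX.match(p.get("font-size", ""))
    if size and float(size.group(1)) <= 1:            # tiny font
        return True
    bg = p.get("background-color") or p.get("background")
    if "color" in p and bg and p["color"] == bg:       # e.g. white-on-white
        return True
    for prop in ("left", "top", "text-indent"):         # pushed off-screen
        m = LENGTH_PX.match(p.get(prop, ""))
        if m and float(m.group(1)) <= -999:
            return True
    return False


class HiddenTextScanner(HTMLParser):
    """Split a document's text into segments a human sees and segments they do not."""

    def __init__(self):
        super().__init__()
        self._stack = []                 # (tag, hidden?) for each open element
        self.visible, self.hidden = [], []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        inherited = bool(self._stack and self._stack[-1][1])
        style = dict(attrs).get("style") or ""
        self._stack.append((tag, inherited or is_hidden_style(style)))

    def handle_endtag(self, tag):
        if self._stack and self._stack[-1][0] == tag:
            self._stack.pop()

    def handle_data(self, data):
        text = ZERO_WIDTH.sub("", data).strip()       # normalize zero-width tricks
        if not text or (self._stack and self._stack[-1][0] in ("script", "style")):
            return
        hidden = bool(self._stack and self._stack[-1][1])
        (self.hidden if hidden else self.visible).append(text)


def analyze(html: str, repeat_threshold: int = 3) -> dict:
    """Score a document for hidden, repeated text and return the text safe to summarize."""
    scanner = HiddenTextScanner()
    scanner.feed(html)
    scanner.close()
    counts = Counter(" ".join(s.lower().split()) for s in scanner.hidden)
    repeated = {s: n for s, n in counts.items() if n >= repeat_threshold}
    hidden_chars = sum(len(s) for s in scanner.hidden)
    visible_chars = sum(len(s) for s in scanner.visible)
    return {
        "visible_text": " ".join(scanner.visible),   # what the summarizer should receive
        "hidden_segments": len(scanner.hidden),
        "repeated_hidden": repeated,
        "suspicious": bool(repeated) or hidden_chars > visible_chars,
    }


# Constructed sample page: ordinary text plus one placeholder line injected three
# ways (white-on-white, zero-pixel font, off-screen), one copy split by a
# zero-width space so naive string matching would miss the repetition.
SAMPLE_HTML = """<html><body>
<h1>Quarterly update</h1>
<p>Sales grew 4% and the new office opened in March.</p>
<div style="color:#ffffff; background-color:#ffffff">HIDDEN-PAYLOAD-PLACEHOLDER</div>
<span style="font-size:0px">HIDDEN-PAY&#8203;LOAD-PLACEHOLDER</span>
<p style="position:absolute; left:-9999px">HIDDEN-PAYLOAD-PLACEHOLDER</p>
<p>Next all-hands is on Friday.</p>
</body></html>"""

if __name__ == "__main__":
    print(analyze(SAMPLE_HTML))
```

Feeding only `visible_text` to the model implements the "strip before summarizing" recommendation, while `suspicious` gives a gateway something to alert on; the repetition count is what distinguishes a single stray hidden element from the deliberate overdose pattern the researchers describe.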
Security vulnerabilities are a routine part of managing any organization’s security program, and the prompt patching and remediation of newly disclosed vulnerabilities is critical to reducing the external attack surface. Netizen’s Security Operations Center (SOC) has compiled five critical vulnerabilities from August that should be patched or otherwise addressed immediately if present in your environment. Detailed writeups below:
CVE-2025-7775
CVE-2025-7775 describes a critical memory overflow vulnerability affecting NetScaler ADC and NetScaler Gateway when configured in several modes, including Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy), AAA virtual server, and load balancing virtual servers bound with IPv6 services or DBS IPv6 servers, as well as CR virtual servers of type HDX. The vulnerability arises from improper memory handling that can be triggered remotely, allowing an attacker to achieve remote code execution or denial of service depending on the exploitation path. With network-based access, an attacker could craft malicious packets targeting exposed NetScaler services, leading either to the execution of arbitrary code on the device or the crash and disruption of critical VPN and proxy services.
This flaw is particularly dangerous in enterprise and cloud environments where NetScaler appliances serve as critical access gateways, since exploitation could result in full compromise of infrastructure, service outages, and lateral movement into internal networks. The vulnerability has been assigned a CVSS v3 base score of 9.8, with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting its low attack complexity, lack of required privileges, and ability to compromise confidentiality, integrity, and availability. Under CVSS v4, the score remains severe at 9.2, further underscoring the risk in production environments. Public reporting confirms that this issue has already been exploited as a zero-day, with CISA adding it to the Known Exploited Vulnerabilities (KEV) catalog and multiple security researchers tracking widespread attacks. Reports indicate that over 28,000 NetScaler appliances remained exposed to the flaw at the time of disclosure, amplifying the urgency for remediation.
Citrix addressed CVE-2025-7775 in emergency updates released on August 26, 2025, as part of a security bulletin that also included two additional NetScaler vulnerabilities. Organizations running affected versions of NetScaler ADC and Gateway should immediately apply the patches provided by Citrix, or implement compensating controls such as disabling IPv6 bindings and restricting external exposure of management and gateway interfaces until patching is complete. Exploitation of this flaw can grant attackers direct access to internal systems by hijacking critical VPN or load balancing infrastructure, making rapid patching and hardening of NetScaler environments an operational priority. More detailed guidance and official mitigation steps are available from Citrix’s advisory and the CISA KEV catalog.
CVE-2025-53771
CVE-2025-53771 describes a medium-severity improper authentication vulnerability in Microsoft Office SharePoint that allows an unauthorized attacker to perform spoofing attacks over a network. The flaw stems from insufficient validation within SharePoint’s authentication mechanisms, which permits a malicious actor to manipulate requests and impersonate legitimate users or services. By exploiting this weakness, an attacker could craft specially designed network requests to trick SharePoint into granting them access under a falsified identity, undermining the trust model of the platform. This can allow further exploitation when chained with other vulnerabilities, particularly in the ToolShell exploit chain where spoofing was used to bypass protections and gain entry into sensitive administrative interfaces.
The vulnerability poses a significant risk in enterprise environments because SharePoint often serves as a central hub for collaboration, document storage, and workflow automation. Spoofing attacks targeting SharePoint can compromise the confidentiality of business-critical data and may facilitate privilege escalation or lateral movement if an attacker manages to impersonate privileged users. While this issue requires network access, the attack complexity is low and no user interaction is necessary, meaning it can be reliably executed once the attacker identifies a vulnerable system. The vulnerability has been assigned a CVSS v3 base score of 6.5 with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, highlighting the impacts to confidentiality and integrity but not availability. Under CVSS v2 scoring, the base score is listed at 7.5 due to differences in weighting methodology.
Microsoft patched CVE-2025-53771 in July 2025 as part of updates addressing the ToolShell exploit chain, which included several interlinked SharePoint flaws. The vulnerability is actively monitored in security advisories and was quickly added to exploitation watchlists because of its role in enabling bypasses of earlier mitigations. Organizations running affected SharePoint environments should apply Microsoft’s July 2025 security updates without delay and ensure that their SharePoint instances are not directly exposed to the internet. CISA and Microsoft advisories emphasize the importance of restricting external access, applying network segmentation, and enabling strict authentication controls to reduce the impact of any spoofing attempts. Since this flaw fits into broader exploit chains, especially those demonstrated during Pwn2Own and later expanded by attackers in the wild, administrators should consider it a priority to patch and monitor for signs of exploitation.
CVE-2025-54948
CVE-2025-54948 is a critical command injection vulnerability affecting the Trend Micro Apex One on-premises management console. The flaw allows a pre-authenticated remote attacker to upload malicious code and execute arbitrary commands on affected systems. Since this vulnerability does not require prior authentication, exploitation is trivial once an attacker can reach the exposed management console, making it particularly dangerous for organizations that have not restricted external access. Exploitation can lead to full compromise of the endpoint security platform, granting adversaries administrative control over large fleets of protected systems.
Trend Micro confirmed that this vulnerability, alongside CVE-2025-54987, was exploited in the wild as zero-days in August 2025. Reports indicated active targeting of enterprises, with attackers leveraging the flaw to gain persistence, disable defenses, and deploy secondary payloads. Security researchers and CISA flagged the issue as part of the Known Exploited Vulnerabilities (KEV) catalog, further underscoring its active use in attacks. Temporary mitigation tools were released by Trend Micro to limit exposure until full security patches could be applied, but these mitigations should be treated only as stopgaps.
The vulnerability has been assigned a CVSS v3 base score of 9.8 (vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its critical nature across confidentiality, integrity, and availability. Under CVSS v2, the vulnerability carries a base score of 10. The EPSS probability sits at 0.18488, indicating a significant likelihood of widespread exploitation.
Organizations using Apex One should immediately apply Trend Micro’s latest patches or, at minimum, deploy the mitigation tools provided while restricting console access to trusted networks. Network monitoring for suspicious uploads, reviewing Apex One administrative activity logs, and implementing compensating controls such as firewall rules and intrusion prevention signatures are recommended until systems are fully remediated. Given its exploitation in the wild, unpatched instances remain high-value targets and should be prioritized for immediate remediation.
CVE-2025-8088
CVE-2025-8088 is a high-severity path traversal vulnerability in the Windows version of WinRAR that enables attackers to execute arbitrary code by crafting malicious archive files. Discovered by security researchers Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET, the flaw was confirmed to be exploited in the wild before disclosure, which led to its addition to the CISA Known Exploited Vulnerabilities (KEV) catalog.
The attack vector relies on specially crafted archive files that bypass WinRAR’s intended directory restrictions. When a user extracts such a file, the embedded payload can overwrite critical files or be executed outside the intended extraction path. Because WinRAR is widely used to handle compressed files, especially in enterprise environments where email attachments and downloads are common, this flaw presents a strong opportunity for attackers to distribute malware, gain persistence, or escalate access within targeted networks. Social engineering campaigns could easily weaponize the vulnerability by disguising malicious archives as legitimate content, tricking users into extraction.
The vulnerability has been rated as critical under CVSS v2 with a score of 10, while CVSS v3 assigned it a high score of 8.8 (vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Under the updated CVSS v4 framework, it carries a score of 8.4, with the primary risk centered on confidentiality, integrity, and availability impacts through unauthorized code execution. EPSS data places its exploitation probability at 0.05624, underscoring that active use has been observed and further exploitation is likely.
Organizations should prioritize mitigation by ensuring they are running patched versions of WinRAR and restricting the use of outdated builds. Since exploitation requires users to interact with malicious archives, endpoint detection and monitoring of suspicious archive extraction behavior should also be employed. Where possible, implementing application control, disabling automatic script execution, and limiting the use of WinRAR in high-risk environments can reduce exposure. Security advisories also suggest deploying Windows Software Restriction Policies (SRP) or Image File Execution Options (IFEO) to mitigate exploitation attempts until full remediation is in place.
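A concrete way to test an archive for the traversal pattern described above is to screen every entry name for path containment before anything is written to disk. The following is an added example, not code from the original post, from WinRAR or from ESET; it performs a lexical check only (symlinked entries need a separate post-extraction realpath check), and the entry names in the main block are constructed.

```python
"""Archive entry path-containment screen (path traversal defense).

Added example; it is not code from the original post, from WinRAR or from ESET.
It decides, before extraction, whether an archive entry name would land inside
the chosen destination directory. Names that escape through '..' segments,
absolute paths, or Windows drive/UNC prefixes are rejected. The entry names in
__main__ are constructed for illustration.
"""
import posixpath
import re
from typing import Iterable, List, Tuple

# Windows drive-letter prefix ("C:") or UNC prefix ("\\server"), which an
# extractor must never honour as a destination.
_WIN_DRIVE_OR_UNC = re.compile(r"^([A-Za-z]:|\\\\)")


def normalize_member(name: str) -> str:
    """Unify separators and collapse '.'/'..' lexically. Backslashes are
    treated as separators because Windows archivers accept either form."""
    return posixpath.normpath(name.replace("\\", "/"))


def is_contained(member: str) -> bool:
    """True only if extracting `member` relative to the destination cannot
    escape it. This is a lexical check; symlinked entries are a separate
    concern and need a post-extraction realpath check."""
    if not member or _WIN_DRIVE_OR_UNC.match(member):
        return False
    norm = normalize_member(member)
    if norm.startswith("/"):
        return False
    # After normalization, any escape survives as a leading '..' segment.
    return norm.split("/", 1)[0] != ".."


def classify_members(members: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split entry names into (safe, rejected) for a pre-extraction report."""
    safe: List[str] = []
    rejected: List[str] = []
    for m in members:
        (safe if is_contained(m) else rejected).append(m)
    return safe, rejected


if __name__ == "__main__":
    # Constructed sample: the first two are benign, the rest try to escape.
    sample = [
        "report.pdf",
        "docs/readme.txt",
        "../../Users/Public/evil.txt",
        "docs/../../escape.txt",
        "C:\\Windows\\System32\\x.dll",
        "/etc/passwd",
        "..\\startup\\run.exe",
    ]
    ok, bad = classify_members(sample)
    print("safe:", ok)
    print("rejected:", bad)
```

Run the screen over the member list an archive library reports (for example the names returned by a RAR or ZIP reader) and refuse extraction of the whole archive when anything lands in the rejected list; a single escaping entry is enough to place a file outside the target directory.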
CVE-2025-21479
CVE-2025-21479 describes a high-severity memory corruption vulnerability in the Qualcomm GPU micronode, where unauthorized command execution while processing a specific sequence of GPU commands can lead to code execution. This flaw allows an attacker to trigger memory corruption by exploiting improperly validated GPU command streams, potentially resulting in arbitrary command execution within the GPU environment. Since GPUs are heavily leveraged for both graphics rendering and compute workloads, exploitation could allow an attacker to interfere with trusted processes, inject malicious operations, or escalate their control over the device.
The attack vector is local in nature, as exploitation requires the attacker to execute crafted GPU command sequences on a vulnerable system. This can occur through malicious applications distributed via app stores or sideloaded APKs on Android devices. Once executed, the malicious commands can corrupt GPU memory structures, allowing an attacker to achieve code execution in the context of GPU processes, which can then be leveraged for persistence or to escape into higher-privilege components of the operating system. Reports have confirmed that this vulnerability has been actively exploited in the wild, leading to its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring the likelihood of targeted attacks against Android and other Qualcomm-powered devices.
The vulnerability carries a CVSS v3 base score of 8.6 (vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), reflecting its high impact across confidentiality, integrity, and availability once triggered. Under CVSS v2, it is rated 7.2, with exploitation requiring local access but relatively low complexity. EPSS data places the probability of exploitation at 0.12787, reinforcing the fact that attackers are already using it against exposed devices.
Google addressed the flaw in the August 2025 Android security bulletin, patching affected devices through firmware updates. Qualcomm also issued fixes for impacted Adreno GPU drivers and urged OEMs to push updates to their devices as quickly as possible. Organizations and end-users are strongly encouraged to apply the latest Android security updates immediately, as devices running outdated GPU firmware remain at significant risk. Mitigations such as restricting the installation of untrusted apps and monitoring for abnormal GPU behavior should be applied until patches are fully deployed.
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
NetScaler ADC and Gateway Security Bulletin: CVE-2025-7775, CVE-2025-7776, CVE-2025-8424
PromptLock: The First AI-Powered Ransomware Emerges Using OpenAI’s gpt-oss:20b
How can Netizen help?
Phish Tale of the Week
Oftentimes, phishing campaigns created by malicious actors target users through social engineering. For example, in this message the actors pose as Coinbase. They send us a text message telling us that our Coinbase account was logged into and that we need to call support if it wasn’t us. It seems both urgent and genuine, so why shouldn’t we? Luckily, there are plenty of reasons that point to this being a scam.
Here’s how we can tell not to call this number:
The first warning sign for this SMS is the context in which it was sent. When I received this SMS, I immediately knew not to click on the link due to the fact that I do not have a Coinbase account. On top of that, it’s very apparent that this message was blasted out to random numbers: the message doesn’t even include my name or attempt to provide any level of familiarity.
The second warning sign in this message is the messaging. This message tries to create a sense of urgency in order to get you to take action by using language such as “If this was not you.” Phishing and smishing scams commonly attempt to create a sense of urgency or confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of all texts before following a link or other attachment sent through SMS.
The final warning sign for this message is the wording; in our case the smisher suggests we call a random number, something Coinbase support would never do. All of these factors point to the above being a smishing text, and a very unsophisticated one at that.
General Recommendations:
A smishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via your text messages.
Scrutinize your messages before clicking anything. Have you ordered anything recently? Does the order number match one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
Verify that the sender is actually from the company sending the message.
Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc. A legitimate company will never ask for PII via instant message or email.
Do not give out personal or company information over the internet.
Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.
Many smishing messages convey a sense of urgency or even aggressiveness in order to intimidate the recipient. Any SMS requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
Cybersecurity Brief
In this month’s Cybersecurity Brief:
NetScaler ADC and Gateway Security Bulletin: CVE-2025-7775, CVE-2025-7776, CVE-2025-8424
Citrix has released a security bulletin addressing three high-severity vulnerabilities affecting NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). The flaws are tracked as CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424. One of these, CVE-2025-7775, is confirmed to be under active exploitation in the wild, making immediate patching critical for organizations relying on these products.
The following product versions are vulnerable:
NetScaler ADC and Gateway 14.1 before 14.1-47.48
NetScaler ADC and Gateway 13.1 before 13.1-59.22
NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.241-FIPS and NDcPP
NetScaler ADC 12.1-FIPS and NDcPP before 12.1-55.330-FIPS and NDcPP
Secure Private Access on-premises or hybrid deployments using NetScaler instances are also affected. Citrix-managed cloud services and Adaptive Authentication have already been patched by the vendor.
Vulnerability Details
CVE-2025-7775
This memory overflow flaw can lead to remote code execution or denial of service. It impacts systems configured as Gateways (VPN, ICA Proxy, CVPN, RDP Proxy), AAA vservers, or load balancers bound with IPv6 services. Content routing virtual servers with HDX are also at risk. The issue has a CVSS v4.0 base score of 9.2 and is being actively exploited.
CVE-2025-7776
A memory overflow vulnerability that results in unpredictable system behavior and denial of service. It is triggered when a Gateway VPN vserver has a PCoIP profile bound to it. The CVSS v4.0 base score is 8.8.
CVE-2025-8424
An improper access control issue impacting the management interface of NetScaler. Attackers who can reach the NSIP, cluster management IP, or SNIP with management access could exploit it. This vulnerability is rated with a CVSS v4.0 score of 8.7.
Citrix strongly urges all affected customers to upgrade their appliances to the following fixed versions or later:
NetScaler ADC and Gateway 14.1-47.48
NetScaler ADC and Gateway 13.1-59.22
NetScaler ADC 13.1-FIPS and NDcPP 13.1-37.241
NetScaler ADC 12.1-FIPS and NDcPP 12.1-55.330
No workarounds exist. Organizations running end-of-life versions such as 12.1 and 13.0 must migrate to supported releases that contain the fixes.
Exploitation of CVE-2025-7775 has already been confirmed. Security teams should immediately review their NetScaler configurations for signs of compromise, paying special attention to AAA vservers, VPN vservers, IPv6-bound load balancers, and PCoIP profiles.
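Because the fix lines differ per release and the FIPS/NDcPP builds have their own fixed builds, checking an estate by eye is error-prone. The following is an added example, not Citrix tooling and not code from the original post: it parses build strings in the format the bulletin itself uses and classifies each appliance against the fixed builds and end-of-life releases stated above. The inventory in the main block is constructed and the hostnames are placeholders.

```python
"""Triage NetScaler ADC/Gateway builds against the fixed builds in the bulletin.

Added example, not Citrix tooling and not code from the original post. It
assumes the version format the bulletin itself uses: "<release>-<build>.<patch>",
optionally suffixed with "-FIPS" and/or "-NDcPP". The fixed builds and the
end-of-life releases are the ones stated in the bulletin; the inventory in
__main__ is constructed.
"""
import re
from typing import Dict, Optional, Tuple

# (release, is_fips_or_ndcpp) -> first fixed (build, patch), from the bulletin.
FIXED_BUILDS: Dict[Tuple[str, bool], Tuple[int, int]] = {
    ("14.1", False): (47, 48),
    ("13.1", False): (59, 22),
    ("13.1", True): (37, 241),
    ("12.1", True): (55, 330),
}

# Releases the bulletin names as end-of-life: no fix, migrate instead.
EOL_RELEASES = {"12.1", "13.0"}

_VERSION_RE = re.compile(
    r"^(?P<release>\d+\.\d+)-(?P<build>\d+)\.(?P<patch>\d+)(?P<suffix>(?:-[A-Za-z]+)*)$"
)


def parse_version(text: str) -> Optional[Tuple[str, Tuple[int, int], bool]]:
    """Return (release, (build, patch), hardened) or None if unparsable.
    `hardened` is True for FIPS/NDcPP builds, which have their own fix line."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    suffix = m.group("suffix").upper()
    hardened = "-FIPS" in suffix or "-NDCPP" in suffix
    return m.group("release"), (int(m.group("build")), int(m.group("patch"))), hardened


def assess(text: str) -> str:
    """Classify one build string: 'fixed', 'vulnerable', 'end-of-life' or 'unknown'."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    release, build, hardened = parsed
    fixed = FIXED_BUILDS.get((release, hardened))
    if fixed is None:
        # Plain 12.1 and all of 13.0 have no fixed build in the bulletin.
        return "end-of-life" if release in EOL_RELEASES else "unknown"
    return "fixed" if build >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map appliance name -> status, for the whole estate at once."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; the hostnames are placeholders.
    estate = {
        "ns-gw-01": "14.1-47.48",
        "ns-gw-02": "14.1-43.56",
        "ns-fips-01": "13.1-37.241-FIPS",
        "ns-fips-02": "12.1-55.321-FIPS",
        "ns-legacy": "13.0-92.21",
    }
    for host, status in triage(estate).items():
        print(f"{host:12s} {estate[host]:22s} {status}")
```

Anything classified as vulnerable or end-of-life should be treated as potentially compromised, given that CVE-2025-7775 is exploited in the wild, so the triage output doubles as the list of appliances whose configurations need the review described above.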
The vulnerabilities were reported by Jimi Sebree of Horizon3.ai, Jonathan Hetzer of Schramm & Partner, and François Hämmerli, working with Citrix to protect customers.
PromptLock: The First AI-Powered Ransomware Emerges Using OpenAI’s gpt-oss:20b
ESET researchers have identified a new proof-of-concept ransomware family, codenamed PromptLock, that leverages artificial intelligence to generate its malicious payloads in real time. This marks one of the first documented cases of ransomware built directly around a large language model (LLM), raising new concerns about AI’s role in accelerating cybercrime.
PromptLock is written in Golang and integrates with OpenAI’s recently released gpt-oss:20b model using the Ollama API. Instead of relying on precompiled binaries, the ransomware dynamically generates Lua scripts during execution, guided by hardcoded prompts. These scripts are capable of:
Enumerating the local filesystem
Inspecting and selecting target files
Exfiltrating chosen data
Encrypting files across platforms
Because the Lua payloads are created at runtime, the indicators of compromise (IoCs) may vary between infections. This variability makes detection more difficult and complicates the work of defenders.
The ransomware uses the SPECK 128-bit encryption algorithm and can operate on Windows, Linux, and macOS environments. Analysis of current samples suggests it could also be adapted for destructive capabilities, though data-wiping functionality does not yet appear to be active.
ESET assesses that PromptLock is currently a proof-of-concept rather than a fully weaponized strain deployed at scale. Artifacts linked to PromptLock were uploaded to VirusTotal from the United States on August 25, 2025. No active ransomware campaigns have been confirmed to date.
One key feature is that PromptLock does not require downloading the full LLM model, which could be many gigabytes in size. Instead, attackers can configure the malware to communicate with a remote server running the model via the Ollama API. This approach reduces the footprint on infected systems while maintaining the flexibility of AI-driven payload generation.
The appearance of PromptLock illustrates how AI can lower the barrier to entry for cybercriminals. By outsourcing payload generation to an LLM, attackers can:
Create variable, unpredictable payloads that evade signature-based defenses
Automate the customization of ransom notes and infection routines
Scale ransomware development even with limited technical expertise
This trend is part of a broader shift. Earlier this month, Anthropic confirmed that it banned two groups using its Claude model to develop ransomware variants with advanced encryption and anti-recovery mechanisms. Separately, researchers have warned of novel prompt injection techniques such as PROMISQROUTE, which abuses model-routing systems to downgrade protections and bypass AI safety filters.
Defenders should treat PromptLock as an early warning of where ransomware development may be heading. AI-powered malware offers attackers agility and adaptability that traditional static analysis will struggle to keep up with.
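Since the Lua payloads change from infection to infection, hash-based indicators will not carry across cases, but the behavior the post describes is stable: a process talks to an LLM endpoint and then writes or runs Lua. The following correlation rule is an added example, not ESET’s detection logic and not code from the original post. The telemetry records and their field layout are constructed; the Ollama default port 11434 and the /api/generate and /api/chat endpoints are Ollama’s documented defaults, which the post itself does not state.

```python
"""Behavioral correlation for LLM-driven payload generation.

Added example, not ESET's detection logic and not code from the original post.
Because PromptLock's Lua payloads differ per infection, this rule keys on
behavior rather than hashes: one process that (1) calls an Ollama-style API
and (2) writes or runs Lua within a short window. The telemetry records and
their field layout are constructed for this example; 11434 is Ollama's
documented default port and /api/generate, /api/chat its generation endpoints,
neither of which the post states.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

OLLAMA_DEFAULT_PORT = 11434
OLLAMA_API_PATHS = ("/api/generate", "/api/chat")
LUA_INTERPRETERS = {"lua", "lua5.3", "lua5.4", "luajit"}
WINDOW = timedelta(minutes=5)

# Constructed telemetry: (timestamp, host, pid, image, kind, detail).
# kind is "net" (outbound URL), "file_write" (path) or "spawn" (child image).
SAMPLE_EVENTS: List[Tuple[str, str, int, str, str, str]] = [
    ("2025-08-25T10:00:01", "wks-17", 4120, "updater.exe", "net", "http://10.0.0.9:11434/api/generate"),
    ("2025-08-25T10:00:04", "wks-17", 4120, "updater.exe", "file_write", "C:\\Temp\\stage1.lua"),
    ("2025-08-25T10:00:05", "wks-17", 4120, "updater.exe", "spawn", "lua5.4"),
    ("2025-08-25T10:00:07", "wks-17", 4120, "updater.exe", "file_write", "C:\\Temp\\enum.lua"),
    # A developer querying a local model: LLM traffic but no Lua activity.
    ("2025-08-25T10:01:00", "dev-03", 9001, "python", "net", "http://127.0.0.1:11434/api/chat"),
    # A build job running Lua: Lua activity but no LLM traffic.
    ("2025-08-25T10:02:00", "build-1", 777, "make", "spawn", "lua5.3"),
]


def is_llm_api_call(detail: str) -> bool:
    """Match an Ollama-style endpoint by default port or API path."""
    return f":{OLLAMA_DEFAULT_PORT}/" in detail or any(p in detail for p in OLLAMA_API_PATHS)


def is_lua_activity(kind: str, detail: str) -> bool:
    """A Lua interpreter being launched, or a .lua file being written."""
    if kind == "spawn":
        return detail.lower() in LUA_INTERPRETERS
    if kind == "file_write":
        return detail.lower().endswith(".lua")
    return False


def correlate(events) -> List[Dict]:
    """Alert on each (host, pid) whose LLM API call has Lua activity within WINDOW.
    Either condition alone is benign on its own; only the pairing is flagged."""
    per_proc = defaultdict(lambda: {"image": None, "llm": [], "lua": []})
    for ts, host, pid, image, kind, detail in events:
        rec = per_proc[(host, pid)]
        rec["image"] = image
        t = datetime.fromisoformat(ts)
        if kind == "net" and is_llm_api_call(detail):
            rec["llm"].append(t)
        elif is_lua_activity(kind, detail):
            rec["lua"].append((t, detail))
    alerts = []
    for (host, pid), rec in per_proc.items():
        for t_llm in rec["llm"]:
            hits = [d for t, d in rec["lua"] if abs(t - t_llm) <= WINDOW]
            if hits:
                alerts.append({"host": host, "pid": pid, "image": rec["image"], "lua_artifacts": hits})
                break
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

The two benign records show why the pairing matters: a developer’s local model queries and a build system’s Lua invocations each trip one condition, and neither produces an alert. In a real deployment the same logic would be fed from EDR process, file and network telemetry rather than the constructed tuples.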
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Ransomware attacks no longer just affect large corporations and government agencies. In fact, small and mid-sized businesses (SMBs) have become one of the most frequently targeted groups by ransomware operators. Their limited IT budgets, inconsistent patching practices, and reliance on third-party services create a perfect environment for threat actors to exploit.
Why Ransomware Groups Target Small Businesses
Threat actors are not only after billion-dollar payouts; they are also opportunistic. Small businesses often lack dedicated cybersecurity personnel and rely on outdated or misconfigured systems, making initial access much easier. Once inside, attackers can rapidly encrypt files or exfiltrate sensitive data for double-extortion tactics.
1. Lower Barriers to Entry
Many SMBs rely on legacy systems, shared credentials, weak remote desktop configurations, or improperly secured VPNs. These provide a wide attack surface with minimal resistance. Tools like Cobalt Strike, PowerShell Empire, or even off-the-shelf ransomware kits allow attackers to exploit these weaknesses with little technical sophistication.
2. Slower Detection and Response
Without a 24/7 security operations center (SOC) or centralized alerting, malicious activity often goes unnoticed for hours or days. This delay gives attackers ample time to disable backups, escalate privileges, and deploy ransomware payloads across endpoints and file servers.
3. High Ransom Payment Rate
Many small businesses cannot afford prolonged downtime. This urgency makes them more likely to pay the ransom to resume operations, especially if their data backups are incomplete, encrypted, or unavailable.
4. Access to Supply Chain Targets
By compromising an SMB that serves larger clients, attackers can use that access as a pivot point into more lucrative targets. Managed service providers (MSPs), legal firms, and regional logistics companies are frequently used as stepping stones in broader campaigns.
Common Ransomware Entry Points in SMB Environments
Understanding how ransomware is typically introduced into SMB networks is the first step toward defending against it:
Phishing emails containing malicious attachments or links to credential-harvesting sites
Exposed RDP or SSH services with weak credentials or no MFA
Compromised third-party software, including remote monitoring and management (RMM) tools
Drive-by downloads from hijacked websites or malvertising campaigns
Unpatched systems, especially for known vulnerabilities like ProxyShell (Exchange), PrintNightmare, or Fortinet SSL VPN flaws
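Exposed SSH or RDP with weak credentials is the entry point that leaves the clearest log trail, and it is also the one an SMB without a SOC is most likely to miss. The following is an added example, not code from the original post: it parses constructed sshd log lines (in OpenSSH’s “Failed password” / “Accepted password” format), counts failures per source address within a sliding window, and flags a success that follows a burst of failures. The threshold and window are assumptions and the addresses are from documentation ranges.

```python
"""Brute-force triage over sshd log lines.

Added example, not code from the original post. It parses constructed
syslog-style sshd lines (OpenSSH's 'Failed password' / 'Accepted password'
messages), counts failures per source IP within a sliding window, and flags a
success that follows a burst of failures, the pattern an exposed SSH service
with weak credentials produces. Threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

FAIL_THRESHOLD = 5            # assumption: failures that count as a burst
WINDOW = timedelta(minutes=2)  # assumption: sliding window per source IP

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed log excerpt; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Aug 25 09:00:01 edge1 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Aug 25 09:00:03 edge1 sshd[2212]: Failed password for root from 203.0.113.5 port 51130 ssh2
Aug 25 09:00:04 edge1 sshd[2214]: Failed password for root from 203.0.113.5 port 51131 ssh2
Aug 25 09:00:06 edge1 sshd[2216]: Failed password for invalid user test from 203.0.113.5 port 51140 ssh2
Aug 25 09:00:08 edge1 sshd[2218]: Failed password for backup from 203.0.113.5 port 51150 ssh2
Aug 25 09:00:09 edge1 sshd[2220]: Failed password for backup from 203.0.113.5 port 51151 ssh2
Aug 25 09:00:15 edge1 sshd[2222]: Accepted password for backup from 203.0.113.5 port 51160 ssh2
Aug 25 09:05:00 edge1 sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Aug 25 09:05:10 edge1 sshd[2302]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""


def parse_line(line: str, year: int = 2025) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, ip) or None for lines that are not auth events.
    syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def analyze(log_text: str) -> List[Dict]:
    """Emit one 'brute-force' alert per source crossing the threshold, and a
    'success-after-failures' alert for any login that lands inside a burst."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged = set()
    alerts: List[Dict] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        q = recent[ip]
        while q and ts - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute-force", "ip": ip, "failures": len(q), "at": ts.isoformat()})
        elif len(q) >= FAIL_THRESHOLD:
            alerts.append({"type": "success-after-failures", "ip": ip, "user": user, "failures": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures followed by an accepted password from the same source is what a successful guess against a weak credential looks like, and it is the moment the “slower detection and response” problem above turns into an intrusion.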
Defensive Strategies That Work
To defend against ransomware, SMBs need a layered approach that combines prevention, detection, and response. The goal is not only to block initial access but also to reduce lateral movement and limit damage if a breach occurs.
Implement Endpoint Detection and Response (EDR)
Traditional antivirus tools often fail to catch modern ransomware strains or fileless attacks. EDR solutions provide behavioral analytics, process monitoring, and memory scanning to detect suspicious activity like credential dumping or PowerShell abuse. They also allow incident responders to isolate infected machines and roll back malicious changes.
Enforce Strong Access Controls
Limit administrative privileges to only what’s necessary. Enforce multi-factor authentication (MFA) on all remote access portals and cloud applications. Regularly audit accounts and disable stale credentials, especially service accounts with elevated rights.
Patch High-Value Targets First
SMBs may not have the resources to patch every system immediately, but they can prioritize. Focus first on systems exposed to the internet, VPN gateways, and assets holding sensitive data. Track patch status through a vulnerability management platform or vulnerability scanning solution.
Harden Backup Infrastructure
A reliable and isolated backup can mean the difference between full recovery and financial collapse. Backups should be encrypted, stored offsite or offline, and regularly tested. Disable backup access from user accounts and ensure backups are not on the same domain as production systems.
Security Awareness Training
Human error remains a primary cause of ransomware incidents. Train employees to recognize phishing attempts, avoid macro-enabled attachments, and report suspicious activity. Simulated phishing campaigns are an effective way to test resilience and adjust training accordingly.
How Netizen Helps SMBs Reduce Ransomware Risk
Netizen provides tailored cybersecurity solutions to help SMBs strengthen their security posture without needing a full-time CISO. Services include:
Vulnerability assessments and penetration testing to identify weak points before attackers do.
Fully managed phishing campaigns and end-user security awareness programs.
Advanced endpoint protection and monitoring solutions for ransomware defense.
Automated vulnerability scanning and continuous compliance reporting through our assessment platform.
Netizen is ISO 27001:2013 and CMMI Level 3 certified and is recognized by the U.S. Department of Labor for hiring and retaining military veterans.
Docker Fixes CVE-2025-9074: Critical Container Escape Vulnerability in Docker Desktop
New Attack Technique Uses RAR Filenames to Deploy VShell Backdoor on Linux
How can Netizen help?
Docker Fixes CVE-2025-9074: Critical Container Escape Vulnerability in Docker Desktop
Docker has released an urgent patch addressing CVE-2025-9074, a critical container escape vulnerability impacting Docker Desktop for Windows and macOS. Rated CVSS 9.3, this flaw could allow a malicious container to break out of isolation, compromise host systems, and access sensitive files.
The issue is fixed in Docker Desktop version 4.44.3, and security teams are strongly advised to update immediately.
The flaw stems from how Docker Desktop handled access to the Docker Engine API. Researcher Felix Boulet discovered that containers could communicate with the API at 192.168.65[.]7:2375 without authentication.
This design oversight meant that a malicious or compromised container could:
Launch new containers without needing the Docker socket.
Bind the host’s C:\ drive (on Windows) to the container, granting read/write access.
Escalate privileges by modifying critical system files or DLLs.
A proof-of-concept (PoC) exploit showed that a simple web request from a container could mount the host filesystem and compromise the system.
Researcher Philippe Dugre (zer0x64) demonstrated that attackers could escalate privileges to full administrator access. By mounting the host filesystem, an attacker could:
Read sensitive files, including credentials.
Overwrite system DLLs to persist as an admin.
Deploy backdoors for long-term host compromise.
Linux systems are not impacted by CVE-2025-9074. Docker on Linux communicates with the Engine API through a named pipe rather than a TCP socket, preventing the same attack vector.
The primary risk comes from malicious containers controlled by threat actors. However, researchers warn that an SSRF (Server-Side Request Forgery) vulnerability in a separate application could also proxy requests to the Docker API, making exploitation possible without direct container access.
Depending on request methods available (POST, PATCH, DELETE), attackers could remotely spin up privileged containers and escape to the host.
Mitigation and Recommendations
Update immediately to Docker Desktop 4.44.3 or later.
Avoid running untrusted containers, particularly from public sources.
Restrict Docker Engine API access and monitor for suspicious container launches.
Audit host systems for unauthorized file changes or DLL modifications (Windows).
Organizations that rely on containers in production should treat this as a high-priority incident and integrate Docker security monitoring into their broader DevSecOps practices.
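The escape described above leaves a recognizable footprint: a container that binds the host’s drive root or the Docker socket. The following audit is an added example, not Docker’s own tooling and not code from the original post; it consumes the JSON shape that docker inspect emits (HostConfig.Binds, HostConfig.Privileged, Mounts[].Type and Mounts[].Source) and flags containers with host-root, drive-root, Docker-socket or other sensitive host-path binds, plus privileged mode. The inspect records in the block are constructed.

```python
"""Audit containers for host-filesystem binds and privileged mode.

Added example, not Docker's own tooling and not code from the original post.
It consumes the JSON shape `docker inspect` emits (HostConfig.Binds,
HostConfig.Privileged, Mounts[].Type/Source) and flags containers that bind
the host root, a Windows drive root, the Docker socket or other sensitive host
paths, which is the footprint the escape described above leaves behind. The
inspect records below are constructed.
"""
import json
import re
from typing import List, Tuple

_WIN_DRIVE_ROOT = re.compile(r"^[A-Za-z]:[\\/]?$")
SENSITIVE_SOURCES = {"/", "/var/run/docker.sock", "/run/docker.sock", "/etc", "/root"}

# Constructed `docker inspect` output: one benign container, two suspicious.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "HostConfig": {"Binds": ["webdata:/srv/www"], "Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/srv/www"}]},
    {"Id": "bbb222", "Name": "/shady",
     "HostConfig": {"Binds": ["C:\\:/host", "/var/run/docker.sock:/var/run/docker.sock"],
                    "Privileged": False},
     "Mounts": []},
    {"Id": "ccc333", "Name": "/root-mount",
     "HostConfig": {"Binds": None, "Privileged": True},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/host"}]},
])


def bind_source(bind: str) -> str:
    """Host side of a Binds entry ('src:dst[:opts]'). A Windows source such as
    'C:\\:/host' contains a colon itself, so the search for the ':/' that
    starts the container path skips the drive prefix."""
    start = 2 if re.match(r"^[A-Za-z]:[\\/]", bind) else 0
    idx = bind.find(":/", start)
    return bind if idx == -1 else bind[:idx]


def is_sensitive(source: str) -> bool:
    """Host root, drive root, Docker socket, or another listed sensitive path."""
    normalized = source.replace("\\", "/").rstrip("/") or "/"
    return normalized in SENSITIVE_SOURCES or bool(_WIN_DRIVE_ROOT.match(source))


def audit(inspect_json: str) -> List[Tuple[str, str, str]]:
    """Return (container name, finding, host path) triples."""
    findings: List[Tuple[str, str, str]] = []
    for c in json.loads(inspect_json):
        name = c.get("Name") or c.get("Id")
        hc = c.get("HostConfig") or {}
        sources = [bind_source(b) for b in (hc.get("Binds") or [])]
        sources += [m.get("Source", "") for m in (c.get("Mounts") or []) if m.get("Type") == "bind"]
        for src in sources:
            if is_sensitive(src):
                findings.append((name, "host-path-bind", src))
        if hc.get("Privileged"):
            findings.append((name, "privileged", ""))
    return findings


if __name__ == "__main__":
    for name, finding, path in audit(SAMPLE_INSPECT):
        print(f"{name:12s} {finding:15s} {path}")
```

In practice the input comes from `docker inspect $(docker ps -q)`, and the audit belongs on a schedule alongside the update to 4.44.3: a patched Engine closes the unauthenticated API path, but a container that was already launched with a host-root bind keeps that access until it is removed.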
New Attack Technique Uses RAR Filenames to Deploy VShell Backdoor on Linux
Cybersecurity researchers have identified a new Linux malware campaign that abuses malicious RAR archive filenames to deliver the VShell backdoor. The technique allows attackers to bypass traditional antivirus detection by hiding payloads in the filename itself rather than in the file contents.
The attack begins with phishing emails disguised as invitations to a beauty product survey offering a monetary reward. These messages include a RAR archive attachment named yy.rar. Inside the archive is a file with a specially crafted filename containing embedded Bash commands.
When a shell script or command interprets the filename, the embedded payload executes. This leads to the download of an ELF binary tailored to the victim’s architecture, which then connects to a command-and-control server to retrieve and execute the encrypted VShell backdoor.
Traditional antivirus tools scan file contents, not file names. Since the malicious logic resides in the filename, the payload slips past conventional detection methods. Execution only occurs when the filename is parsed by the shell, not when the archive is extracted, adding another layer of stealth.
VShell is a Go-based remote access tool used by multiple threat groups, including UNC5174. It provides remote shell access, file operations, process management, port forwarding, and encrypted communication. Because it runs entirely in memory, VShell avoids leaving disk artifacts that could be detected during forensic analysis.
In addition to VShell delivery, researchers at Picus Security detailed a Linux malware tool called RingReaper. This tool leverages the Linux kernel’s io_uring framework to evade detection by endpoint monitoring tools. By replacing traditional system calls with io_uring primitives, RingReaper avoids hooks commonly used by EDR solutions.
RingReaper is capable of enumerating system processes, network sessions, and logged-in users, while also enabling privilege escalation through SUID binaries. It can erase traces of its activity after execution, making detection even more difficult.
Organizations should harden their defenses by sanitizing shell input in scripts, deploying behavioral-based detection systems, and analyzing archive attachments beyond just file content. Linux EDR tools need to adapt to io_uring-based activity, while user awareness training should reinforce caution around unexpected email attachments.
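“Analyzing archive attachments beyond just file content” can start with the entry names themselves, and “sanitizing shell input in scripts” comes down to never letting a name reach a shell unquoted. The following is an added example, not the researchers’ tooling and not code from the original post: it flags entry names carrying shell metacharacters, control bytes or a leading dash, and shows the two safe ways to pass such a name to a command. The sample names are constructed.

```python
"""Screen archive entry names for shell-command payloads.

Added example, not the researchers' tooling and not code from the original
post. The campaign described above hides Bash commands in an entry *name*,
which fire only when a script interpolates that name into a shell. The screen
below flags names that carry shell metacharacters, control bytes or a leading
dash, and build_argv/quote_for_shell show the two safe ways to hand such a
name to a command. Sample names are constructed.
"""
import re
import shlex
from typing import Dict, List

# Bytes with special meaning to POSIX shells when left unquoted.
SHELL_META = re.compile(r"[;&|`$<>(){}\[\]*?!\n\r\t]")
CONTROL_BYTES = re.compile(r"[\x00-\x1f\x7f]")
MAX_NAME = 255  # assumption: typical filesystem name limit


def screen_name(name: str) -> List[str]:
    """Return the reasons a name is suspicious (empty list means clean)."""
    reasons: List[str] = []
    if SHELL_META.search(name):
        reasons.append("shell metacharacters")
    if CONTROL_BYTES.search(name):
        reasons.append("control bytes")
    if name.lstrip().startswith("-"):
        reasons.append("leading dash (option injection)")
    if len(name.encode("utf-8", "replace")) > MAX_NAME:
        reasons.append("overlong name")
    return reasons


def screen_archive(names: List[str]) -> Dict[str, List[str]]:
    """Map each flagged entry name to its reasons; clean names are omitted."""
    flagged: Dict[str, List[str]] = {}
    for n in names:
        reasons = screen_name(n)
        if reasons:
            flagged[n] = reasons
    return flagged


def build_argv(command: str, name: str) -> List[str]:
    """Hardened pattern: the name is one argv element and '--' ends option
    parsing, so neither metacharacters nor a leading dash are interpreted."""
    return [command, "--", name]


def quote_for_shell(name: str) -> str:
    """If a shell string is unavoidable, quote the name so it stays literal."""
    return shlex.quote(name)


if __name__ == "__main__":
    # Constructed names: one benign, the others mimic the technique.
    sample = [
        "survey_results.pdf",
        "photo.jpg;id",
        "$(id).txt",
        "-rf.txt",
        "a\nb.txt",
    ]
    for n, why in screen_archive(sample).items():
        print(repr(n), "->", ", ".join(why))
    print(build_argv("ls", "$(id).txt"))
    print(quote_for_shell("$(id).txt"))
```

The screening regex is deliberately broad and will flag some legitimate names (an exclamation mark or parentheses in a document title, for example); the point is to route such attachments to review rather than to a script that loops over `$(ls)`. Where a script must process names, `build_argv` is the pattern to standardize on, because it removes the shell from the path entirely.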
After two decades of maturing technical defenses, organizations are confronting a difficult reality: even the strongest tools cannot fully protect them if human behavior is left unaddressed. As technology has advanced, attackers have adapted, shifting focus from purely exploiting infrastructure to targeting people directly. In many breaches, the entry point is not a software flaw but a human one.
For five years in a row, Verizon’s Data Breach Investigations Report has found that the majority of breaches involve a human element. In 2024, nearly 60% of global breaches were traced back to actions or decisions made by individuals. Yet employees are not the problem. Most failures stem from environments where security is unnecessarily complex, communicated in technical jargon, or treated as a barrier to productivity.
What Defines Security Culture
Every organization has a security culture, whether intentional or not. The question is whether it supports secure behavior.
Security culture refers to the shared beliefs, perceptions, and attitudes about cybersecurity across a workforce. When employees believe security is important, understand their role in it, and see themselves as targets, they are more likely to act securely. When they see it as someone else’s responsibility, or as an obstacle, risk rises quickly.
Behavior follows environment. If policies, tools, and leadership make security difficult, employees will find workarounds. If those same systems simplify security, people are more likely to make safe choices as part of their daily routines.
Four Levers That Shape Security Culture
Leadership signals – Executives set the tone. If they visibly prioritize security with funding, accountability, and organizational support for the CISO, the message is clear.
Security team engagement – The way employees experience security day to day matters. Supportive and approachable teams build trust. Teams that are rigid or unhelpful erode it.
Policy design – Policies that are overly technical or inconvenient push employees toward insecure shortcuts. Simple, practical rules reinforce the idea that security is achievable.
Security training – Training should be engaging, role-specific, and relevant. When it feels outdated or disconnected, it signals that security is just a checkbox.
Aligning Culture Across the Organization
Leadership may set direction, but employees measure culture by what they experience daily. If executives talk about security as a priority but policies are impractical, teams are unapproachable, or training is irrelevant, trust breaks down.
Aligning leadership, policies, team engagement, and training creates the conditions where security becomes part of normal operations. When employees see that security is supported, achievable, and integrated into their roles, the human risks that attackers exploit are significantly reduced.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
A 20-year-old Florida man tied to one of the most disruptive cybercrime groups in recent memory has been sentenced to ten years in federal prison and ordered to pay $13 million in restitution to victims.
Noah Michael Urban of Palm Coast, Florida, better known in underground circles as Sosa, King Bob, Elijah, Gustavo Fring, and Anthony Ramirez, pleaded guilty earlier this year to charges of wire fraud and conspiracy.
Federal prosecutors said Urban and his co-conspirators engaged in SIM-swapping campaigns that diverted victims’ mobile phone calls and text messages to devices under their control, allowing the theft of at least $800,000 from five individuals between August 2022 and March 2023.
Although prosecutors initially recommended an eight-year term, the judge imposed a 120-month sentence along with three years of supervised release. The restitution order, which covers both Florida and California cases against Urban, was set at $13 million.
Scattered Spider Operations
Urban was indicted in Los Angeles in late 2024 as one of five key members of Scattered Spider, also tracked as Oktapus, Scatter Swine, and UNC3944. The group specialized in SMS phishing (smishing) and voice phishing (vishing) campaigns that targeted employees of U.S. companies. Victims were lured to fraudulent authentication portals mimicking Okta login pages, tricked into entering passwords and MFA codes, and then exploited for access into corporate environments.
The operation spanned the summer of 2022 and hit more than 130 organizations, including Twilio, LastPass, DoorDash, MailChimp, and Plex. Stolen access enabled follow-on intrusions, theft of proprietary data, and millions of dollars’ worth of stolen cryptocurrency.
Star Fraud and SIM-Swapping Tactics
Urban was not only part of Scattered Spider; he also belonged to Star Fraud, a notorious collective of SIM-swappers with a reputation for attacking major telecom providers. Investigations found that Star Fraud members repeatedly compromised mobile carrier employees, gaining temporary control over victims’ phone numbers.
In one seven-month span in 2022, Star Fraud boasted of 100 separate intrusions into T-Mobile systems, according to logs published by KrebsOnSecurity. These SIM-swapping capabilities were critical to high-profile extortion campaigns, including the MGM Resorts and Caesars Entertainment breaches in 2023.
Urban’s Online Persona: “The Com” and Leaked Music
For years, Urban was a fixture in The Com, a largely Telegram- and Discord-based community of English-speaking cybercriminals. Using the moniker King Bob, he frequently bragged about stealing unreleased rap music, or “grails,” often obtained via SIM-swapping techniques. Some of these tracks were sold; others were given away freely on forums.
Judge Targeted in Hack
In an extraordinary development, Urban’s case intersected with a direct attack on the judiciary itself. While Urban was in federal custody, a co-defendant in the California prosecution reportedly hacked into a magistrate judge’s email account and accessed sealed documents tied to Urban’s indictment.
Court transcripts from February 2025 confirm the breach occurred after an attacker impersonated a judge in a call to a court contractor, successfully requesting a password reset. Judge Harvey E. Schlesinger, presiding over Urban’s case, later described it as a “big faux pas” and confirmed the compromise had been traced to Scattered Spider associates attempting to gather intelligence on Urban’s legal proceedings.
Urban, speaking through one of his online accounts, has insisted his sentence is unjust, claiming that the judge in his case failed to account for his age and was biased by the hacking incident.
Broader Implications
The sentencing of Noah Urban marks a significant milestone in U.S. law enforcement’s pursuit of Scattered Spider and affiliated groups. Yet the threat posed by these actors remains. Scattered Spider continues to operate, reportedly forming new alliances with ShinyHunters and LAPSUS$ under the larger umbrella of The Com. Analysts say these alliances are intended to consolidate resources in response to law enforcement crackdowns, producing more versatile and dangerous operations.
Flashpoint research has noted Scattered Spider’s wave-based attack strategy, in which entire sectors are targeted in short, concentrated bursts. By focusing on human weaknesses rather than purely technical flaws, groups like Scattered Spider demonstrate how deception remains one of the most effective paths into corporate systems.