
Understanding the Risks of Remote Monitoring and Management Tools

The IT environment is evolving. Organizations have embraced hybrid work models, expanded their operations and personnel footprints, and digitalized their processes and capabilities. And those in charge of these now sprawling environments must deal with the increasingly complicated task of keeping endpoints, users, and more both operational and secure.

The Howler Episode 18: Lisa Tetrault, Senior Vice President, Security Services

This month, we sit down with Lisa Tetrault, Senior Vice President of Security Services, as she shares her career journey, the work of scaling the Security Operations Center (SOC) at Arctic Wolf from when we had fewer than 100 pack members to today, and the practices that keep her grounded and achieving her goals.

Multiple Unpatched Vulnerabilities in Versa Concerto Disclosed

On May 21, 2025, ProjectDiscovery published technical details for multiple vulnerabilities they discovered in Versa Concerto, including authentication bypasses, remote code execution (RCE), and container escapes. Versa Concerto is a centralized management platform used to manage Versa’s SD-WAN and SASE services. It is a Spring Boot-based application deployed via Docker containers and routed through Traefik.

How to Implement a Zero Trust Strategy

The ways in which people work are changing, and so are the approaches needed to secure modern work. As organizations race to gain the benefits of cloud computing, relax rules around bring-your-own devices, and leverage hybrid-work models that require edge devices such as VPN gateways, the result is an expanding, disparate IT environment. And even worse, users are a part of the attack surface — one threat actors are all too ready and willing to exploit.

RVTools Supply Chain Attack Delivers Bumblebee Malware

Arctic Wolf has recently observed the distribution of a trojanized RVTools installer via a malicious typosquatted domain. The domain matches the legitimate domain; however, the Top Level Domain (TLD) is changed from .com to .org. RVTools is a widely used VMware utility for inventory and configuration reporting, developed by Robware. Once downloaded, the malicious installer attempts to make outbound connections to known command and control infrastructure.

What is Cloud Security Posture Management?

The cloud provides many great business advantages – efficiency, speed-to-market, and many others – and has been rapidly adopted by organizations all over the world. While the rise in cloud operations allows organizations to operate in a way that’s more cost-effective and flexible, opening data, assets, and networks to the internet creates additional risk — particularly around misconfigurations and non-compliance.

CVE-2025-32756: Exploitation of Critical Severity Zero-Day Vulnerability in Fortinet FortiVoice

On May 13, 2025, Fortinet published a security advisory on a critical severity stack-based overflow vulnerability, CVE-2025-32756, impacting FortiVoice, FortiCamera, FortiMail, FortiNDR, and FortiRecorder. The vulnerability allows remote unauthenticated threat actors to execute arbitrary code or commands via crafted HTTP requests. In the advisory, Fortinet stated that the vulnerability has been exploited in the wild on FortiVoice.

CVE-2025-2775: PoC Released for SysAid On-Premises Pre-Auth RCE Vulnerability

On May 7, 2025, watchTowr publicly disclosed technical details and a proof-of-concept (PoC) exploit for a pre-authenticated Remote Code Execution (RCE) chain affecting SysAid On-Premises, a self-hosted IT service management (ITSM) platform used by organizations to manage IT support tasks. Although the vulnerabilities were patched in March 2025, they had not been assigned Common Vulnerabilities and Exposures (CVE) identifiers and were disclosed for the first time with watchTowr’s publication.

Understanding Risk-based Vulnerability Management

Software vulnerabilities are an unfortunate reality of enterprise IT. New vulnerabilities are being discovered all the time, and while most will never be exploited by an adversary, without a program to quickly discover and remediate high-priority vulnerabilities, organizations are putting themselves at risk.

Arctic Wolf Observes Exploitation of Path Traversal Vulnerability in Samsung MagicINFO 9 Server (CVE-2024-7399)

As of early May 2025, Arctic Wolf has observed exploitation in the wild of CVE-2024-7399 in Samsung MagicINFO 9 Server—a content management system (CMS) used to manage and remotely control digital signage displays. The vulnerability allows for arbitrary file writing by unauthenticated users, and may ultimately lead to remote code execution when the vulnerability is used to write specially crafted JavaServer Pages (JSP) files.

Uptick in Ransomware Threat Activity Targeting Retailers in the UK

Between April and May 2025, several large UK retailers were impacted by security incidents which resulted in the disruption of their operations. Arctic Wolf is monitoring the threat landscape for new indicators of compromise related to Scattered Spider and DragonForce, and will alert Managed Detection and Response customers if any malicious activity is observed.

Venom Spider Uses Server-Side Polymorphism to Weave a Web Around Victims

As part of our ongoing tracking of the threat actor TA4557 (also known as Venom Spider), the Arctic Wolf Labs team discovered a new campaign targeting corporate human resources departments and recruiters. The threat group uses phishing techniques to drop an enhanced version of a potent backdoor called More_eggs onto victim devices.