Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

In late July 2025, Arctic Wolf Labs began observing a surge of intrusions involving suspicious SonicWall SSL VPN activity. Malicious logins were followed within minutes by port scanning, Impacket SMB activity, and rapid deployment of Akira ransomware. Victims spanned across multiple sectors and organization sizes, suggesting opportunistic mass exploitation. This campaign has recently escalated, with new infrastructure linked to it observed as late as September 20, 2025.

Endpoint security offers immense value to organizations looking to harden their attack surface and reduce overall risk. But endpoint security has evolved considerably over the decades, and not all endpoint security is created equal. Aurora Endpoint Security delivers market-leading AI-driven prevention, detection, and response, stopping threats before they disrupt your business.

On September 25, 2025, Cisco released fixes for two vulnerabilities in Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) that are currently being actively exploited by a sophisticated threat actor. The US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03 requiring Federal Civilian Executive Branch (FCEB) agencies to patch these vulnerabilities by 12 PM EDT on September 26.

On September 23, 2025, SolarWinds released a hotfix for a critical vulnerability impacting Web Help Desk (WHD), tracked as CVE-2025-26399. The vulnerability arises from a deserialization flaw in the AjaxProxy component that could allow a remote unauthenticated threat actor to achieve remote code execution. CVE-2025-26399 is the second bypass of a flaw originally disclosed last year as CVE-2024-28986 within WHD, with the first bypass being CVE-2024-28988.

On September 18, 2025, Fortra released a patch addressing a critical vulnerability in GoAnywhere Managed File Transfer (MFT), tracked as CVE-2025-10035. The vulnerability stems from a deserialization flaw in the License Servlet of GoAnywhere MFT, allowing a remote threat actor with a valid forged license response signature to deserialize an arbitrary, threat-actor-controlled object and potentially achieve command injection.

On September 17, 2025, WatchGuard released fixes for a critical out-of-bounds write vulnerability (CVE-2025-9242) in the iked process of WatchGuard Fireware OS, which powers their Firebox firewall appliances. This flaw allows a remote unauthenticated threat actor to execute arbitrary code and affects both the mobile user VPN with IKEv2 and the branch office VPN with IKEv2 when configured with a dynamic gateway peer.

In today’s ever-evolving threat landscape, security teams are under pressure to detect and respond to threats faster than ever. With the overwhelming volume and manual effort required to operationalize security, many organizations struggle to stay ahead. Arctic Wolf Threat Intelligence is here to help change that, by providing high-fidelity, actionable insights that empower teams to shift left and prevent threats before they escalate.

Cyber threats are frequent, unpredictable, and indiscriminate—affecting organizations of every size and industry. For any organization, a cyber incident is a matter of “when,” not “if”. As such, businesses must be able to prepare for, respond to, and recover from incidents, and must continually refine these capabilities to stay ahead.

On September 17, 2025, SonicWall released a knowledge base article detailing the exposure of firewall configuration backup files stored in certain MySonicWall accounts. SonicWall states that after identifying the incident they began an investigation containing the incident, terminating the ‘unauthorized access point’, and working with law enforcement and select cybersecurity agencies globally.

On September 15, 2025, reports surfaced that the widely used npm package @ctrl/tinycolor had been compromised by malware as part of a broader supply chain attack affecting over 40 packages initially, with the number rising to more than 180 according to Aikido’s blog. Upon further investigation, the first malicious package that was identified as compromised in this campaign was rxnt-authentication, which was updated on September 14, 2025, at 17:58:50 UTC.

On September 9, 2025, Adobe released an out-of-band security update to address a critical vulnerability in Adobe Commerce and Magento Open Source. The vulnerability, tracked as CVE-2025-54236 and referred to in open-source reporting as “SessionReaper,” allows a remote unauthenticated threat actor to take over customer accounts through the Commerce REST API.

On September 9, 2025, SAP released its September 2025 Security Patch Day update with patches for 21 vulnerabilities. The most severe of these, CVE-2025-42944, is a maximum-severity deserialization vulnerability of untrusted Java objects in SAP NetWeaver that resides in the RMI-RP4 module. A remote unauthenticated threat actor can exploit this vulnerability by submitting a malicious payload to an open port to achieve arbitrary OS command execution.

On 19 August 2025, the Arctic Wolf Cybersecurity Operations Center (cSOC) uncovered and remediated a sophisticated delivery chain: a threat actor leveraged GitHub’s repository structure together with paid placements on Google Ads to funnel users toward a malicious download hosted on a lookalike domain. By embedding a commit‑specific link in the advertisement, the attackers made the download appear to originate from an official source, effectively sidestepping typical user scrutiny.

The consequences of a successful cyber attack can be stark. Organizations often face significant financial damage due to lost revenue due to downtime, plus compliance, legal, and regulatory costs, and legal fees arising from potential lawsuits, not to mention reputational damage. These costs can quickly blow the average out of the water, with many organizations facing seven-figure costs to restore their operations and fully remediate a breach. The numbers tell the story.