Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

I’ve worked as a threat hunter in several Black Hat Security Conference Network Operations Centers (NOCs) across the globe. So I didn’t expect to be surprised by much when signing on to be a part of the NOC for SCinet—a conference that has the “fastest conference network in the world.” And yet I was surprised by just how diverse the SCinet NOC team was, how collaborative the environment was, and how much we were able to achieve with automation in such a short amount of time.

Welcome back to our threat hunting series with Corelight and CrowdStrike. In our previous posts, we armed you with techniques to spot adversaries during Initial Access and how they establish Persistence to maintain their foothold. Now, we're diving into the shadowy dance of Defense Evasion and Lateral Movement.

CVE-2025-20393 is a CVSS 10.0 Remote Code Execution (RCE) flaw in Cisco Secure Email Gateways currently being actively exploited by China-nexus groups. A recent advisory from Cisco Talos details how an actor dubbed “UAT-9686” is leveraging this vulnerability to target Cisco Secure Email Gateways (ESA) and Secure Email and Web Managers (SMA). The attack allows threat actors to execute arbitrary commands with root privileges and deploy persistence mechanisms.

Critical vulnerabilities in React Server Components (CVE-2025-55182) and Next.js (CVE-2025-66478) enable unauthenticated remote code execution in default configurations. The flaw resides in the "Flight" protocol used for server-side rendering, making it a sought after target for adversaries looking to bypass standard controls. While the public discourse is currently cluttered with unreliable exploits, we need to ground our defense in verifiable network evidence.

In the ever-escalating battle against cyber threats, security teams are often caught in a deluge of alerts, struggling to distinguish real threats from the noise. The sheer volume of threat data can be overwhelming, leading to alert fatigue and, worse, missed detections. But what if you could really cut through the clutter and focus on what truly matters?

In today's rapidly evolving cybersecurity landscape, organizations face unprecedented challenges. Cyber threats are not only increasing in volume but are also becoming more sophisticated and evasive, using AI themselves to enhance their attacks. The attack surface has expanded dramatically, while Security Operations Centers (SOCs) are often left with fewer resources to combat these growing threats.

Endpoint detection and response (EDR) tools, and the analysts using them, have become incredibly effective. They have become so good, in fact, that we're now seeing a clear shift in adversary behavior: attackers are being pushed off the endpoint and onto places where EDR cannot run. This isn't just a theory. As I was writing a separate blog about a recent Cisco exploit which spurred an immediate CISA emergency directive, news dropped about another major network edge vendor, F5.

It feels like the security world is caught in a recurring cycle. We see a spike in strange scanning activity, file it away as internet background noise, and then weeks later, a major zero-day exploit drops, targeting the very technology that was being scanned. The recent Cisco ASA vulnerabilities were a textbook example of this pattern. A September 4, 2025, report from GreyNoise highlighted a massive surge in scanning, with over 25,000 unique IPs probing Cisco ASA devices.

How do you find an adversary who lives where you can't easily look? A recent CISA advisory on the state-sponsored actor "Salt Typhoon" highlights this exact challenge. These actors aren't just breaking in; they're moving in. They persist on network edge devices like routers and firewalls—critical infrastructure that often sits outside the view of traditional endpoint security. From this vantage point, they capture traffic, steal credentials, and plan their next move.

We are proud to announce that Corelight has been recognized as a Leader in The Forrester Wave: Network Analysis And Visibility (NAV) Solutions, Q4 2025. We believe this recognition reflects our focused innovation and the expanding capabilities of our Open NDR platform.