CCTR.47.NOV.25

Monday morning cyber coffee read CCTR.47.NOV.25
Amazon threat intelligence identified an advanced threat actor exploiting zero-day vulnerabilities in Cisco ISE (CVE-2025-20337) and Citrix Bleed Two (CVE-2025-5777) before public disclosure. The actor deployed a custom in-memory web shell as a backdoor, designed specifically for these environments. Their access to multiple unpublished vulnerabilities indicates a highly capable, well-resourced threat actor targeting identity and network access control infrastructure.
Restrict external exposure of Cisco ISE, Citrix and similar management interfaces.
Patch immediately and verify that all branches and versions are fully updated.
https://aws.amazon.com/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/
Unit 42 uncovered LANDFALL, a previously unknown Android spyware family that targets Samsung Galaxy devices by exploiting a zero-day (CVE-2025-21042) in the Android image processing library. The campaign shows similarities to other mobile exploit chains involving WhatsApp and iOS image-processing flaws and appears linked to commercial spyware operators in the Middle East.
Samsung later patched a second related vulnerability (CVE-2025-21043), further closing this attack surface.

Some of this activity dates back to mid-2024, highlighting how sophisticated exploits can circulate quietly in public repositories for long periods.
https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/
Whilst we’re on Android, CVE-2025-48593 is a critical zero-click RCE in the Android System component, affecting devices running Android 13 to 16.
Remember that Android is no longer limited to mobile phones. These systems now appear in building control devices, video conferencing systems, kiosks and embedded appliances.
https://medium.com/meetcyber/7-fast-fixes-for-cve-2025-48593-zero-click-rce-62703666a1d7
According to the Zscaler ThreatLabz 2025 Mobile, IoT & OT Threat Report, there has been a 67% rise in Android malware and a major shift toward attacks on IoT and OT systems, with 40% of IoT attacks now targeting critical industries.
So, hunt for, patch and verify coverage across all Android-based assets.
Segment and isolate them to prevent botnet propagation and lateral movement.