Good Morning Security Gang!
It’s Thursday, August 14th, 2025, and I’m coming to you from the road without my usual double espresso in hand—but the stories today will wake you up just fine.
We’ve got everything from a state attorney general’s office knocked offline, to lawsuits over Zelle scams, to critical zero-days in enterprise gear, to Russian hackers messing with a Norwegian dam, and even a new ransomware strain hitting the Middle East. This is one of those episodes that hits every corner of our industry—public sector, financial tech, ICS/OT, and advanced threat actors. Let’s jump right in.
⚖ Pennsylvania Attorney General’s Office Taken Down in Cyberattack
The Pennsylvania AG’s office suffered a cyber incident that took down landline phones, email systems, and their public website. While attribution remains unclear, Kevin Beaumont flagged that Citrix NetScaler appliances on the network had been vulnerable to Citrix Bleed 2 in the weeks before the outage.
"When you don't run an effective vulnerability management program to address major vulnerabilities in your environment like Citrix, which enables a lot of this... all of this stuff kind of coming home to roost." James Azar
According to Shodan scans shared by Beaumont, one of the two vulnerable devices has been offline since July 29th, while the other was taken down on August 7th. This is exactly what I've been warning about – when you don't run an effective vulnerability management program to address major vulnerabilities like Citrix, this is what happens. The Shadowserver Foundation reported over 3,300 Citrix NetScaler appliances still vulnerable, and now we're seeing the real-world consequences of that negligence. This isn't theoretical anymore; this is government operations being disrupted because basic security hygiene wasn't followed. It underscores the danger of leaving high-severity vulnerabilities unpatched in public-facing infrastructure.
💸 New York AG Sues Zelle Operator Over Scam Losses
NY Attorney General Letitia James filed suit against Early Warning Services, the operator of Zelle, claiming the company ignored scam abuse for years. The lawsuit alleges $870M in consumer losses over seven years, though Zelle says 99.95% of transactions are fraud-free, challenging the negligence claim. That means only 0.05% of transactions involve fraud, and in any world where that's your fraud rate, it's really hard to prove negligence. The case raises the debate over where consumer protection responsibility lies: with banks, fintech operators, or the customer.
🖥 Zoom & Xerox Patch Critical Vulnerabilities
Zoom patched an untrusted search path flaw in its Windows clients (before v6.3.10) that could allow privilege escalation over the network. Xerox fixed multiple vulnerabilities in FreeFlow Core, including CVE-2025-8356 (CVSS 9.8), a path traversal bug enabling RCE. Both vendors urge immediate patching.
🔍 CISA Warns of Actively Exploited N-able N-central Flaws
Two CVEs (CVE-2025-8875 & CVE-2025-8876) in N-able’s RMM platform are being exploited in the wild. Attackers can achieve remote command execution via insecure deserialization and input injection. Around 2,000 instances are exposed online—many unpatched.
🖧 Intel, AMD, and Nvidia Push Security Advisories
Intel released 34 new advisories addressing high-severity vulnerabilities in Xeon processors, Ethernet drivers for Linux, chipset firmware, and wireless connectivity products. Most of these allow privilege escalation, with some exploitable for denial of service and information disclosure.
AMD disclosed 10 vulnerabilities, including Stack Engine info leakage (ETH Zurich research).
Nvidia patched two high-severity flaws in its NeMo framework, which is used for developing custom generative AI applications, that could lead to remote code execution and data tampering. This is particularly concerning given the rapid adoption of AI development frameworks across enterprises. When you're dealing with hardware-level vulnerabilities in processors alongside flaws in AI frameworks, the attack surface becomes incredibly complex to manage and patch.
🛡 Fortinet SIEM RCE Actively Exploited
CVE-2025-25256 (CVSS 9.8) in FortiSIEM allows unauthenticated RCE via crafted CLI requests. Government and enterprise networks are at high risk.
This disclosure comes after yesterday's warning about a spike in brute-force attacks targeting Fortinet SSL VPNs, and here's what's really concerning – attackers are chaining these vulnerabilities together. What we're seeing is threat actors peeling away at the onion: finding one vulnerability as an entry point, then jumping to another vulnerability, then another. This is why you can't look at vulnerability management as point-in-time fixes; you have to view it system-wide and implement proper compensating controls when you can't immediately patch.
"What we're seeing from attackers today is they're chaining this stuff together... you can't look at vulnerability management at a point in time; you really have to look at it system wide and you got to have an open look into specific vulnerabilities." James Azar
🔑 Passkey Bypass Demonstrated at DEF CON
SquareX researchers showed that malicious browser extensions can bypass passkey-based authentication by hijacking WebAuthn API flows. This isn’t a cryptographic flaw, but a browser/extension attack vector—reinforcing that passkeys require strong browser security controls.
🌊 Russian Hackers Suspected in Norwegian Dam Sabotage
Norwegian officials say pro-Russian actors accessed and manipulated valve controls at a dam in April, increasing water flow for four hours. While no damage occurred, video of the control panel was posted to Telegram. This fits a growing Russian playbook of blending cyber with physical sabotage.
While this particular incident didn't pose immediate danger, imagine if they had opened all valves simultaneously. A three-minute video showing the dam's control panel was published on Telegram by a pro-Russian cybercriminal group. Norwegian intelligence officials report this is part of a broader campaign of disruptions across Europe blamed on Russia, with more than seven incidents tracked and intelligence suggesting these campaigns are becoming increasingly violent. This perfectly illustrates Russia's modus operandi – cyber becomes kinetic becomes physical very, very quickly.
✈ “Charon” Ransomware Hits Middle East Public Sector & Aviation
Trend Micro identified Charon, a ransomware strain with APT-style capabilities, targeting Middle Eastern government and aviation organizations. Pre-encryption TTPs include AV service disablement and backup deletion, suggesting targeted campaigns rather than opportunistic attacks.
Trend Micro notes similarities between this group and the China-linked Earth Baxia cyberespionage group known for targeting government agencies in the APAC region. These similarities could indicate direct involvement or knowledge transfer, representing another example of how nation-state tactics are proliferating across cybercriminal groups. The customized approach and infrastructure targeting suggest this is a sophisticated operation with specific geopolitical objectives.
🧠 James Azar’s CISO Take
The Pennsylvania AG case shows how preventable incidents can cripple public institutions—especially when unpatched, internet-facing systems sit exposed for weeks. Vulnerability management isn’t just a checkbox—it’s the foundation of operational resilience. On the flip side, the Zelle lawsuit is a reminder that cybersecurity is often intertwined with public perception and policy, where raw numbers and context matter as much as technical defenses.
On the threat landscape side, today’s mix of Fortinet exploitation, ICS sabotage in Norway, and Middle East ransomware attacks is proof that adversaries are chaining exploits and moving across domains—IT to OT, cyber to physical—faster than ever. As CISOs, our job is not just to patch, but to anticipate how these pieces could be connected and weaponized. The only winning strategy is proactive defense, rapid detection, and rehearsed response.
✅ Action Items
🔐 Patch Citrix NetScaler appliances for Citrix Bleed 2 and remove public exposure when possible.
🛡 Apply Zoom (v6.3.10+) and Xerox FreeFlow Core (v8.0.4) updates immediately.
🚨 Update N-able N-central to v2025.3.1+; review MSP client exposure.
🖧 Apply Intel, AMD, and Nvidia security updates; review advisories for high-risk components.
🛑 Patch FortiSIEM CVE-2025-25256 and monitor for related brute-force traffic.
🌐 Harden browser extension policies to protect passkey logins.
💾 Review OT/ICS access controls to prevent remote manipulation of physical systems.
📄 Track TTPs for Charon ransomware; apply IOC blocking in public sector and aviation networks.
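One concrete way to act on the browser-extension item above, and on the SquareX finding that a malicious extension can sit between the login page and the WebAuthn API, is an enterprise browser policy that denies extensions by default and keeps even approved ones off the authentication origin. The file below is an added example written for these notes; it is not from the podcast, from SquareX, or from any vendor advisory. It uses Chrome's ExtensionSettings policy. The wildcard entry blocks installation of every extension unless it is explicitly listed, and its runtime_blocked_hosts list stops any permitted extension from injecting scripts on the login origin. The 32-character extension ID and the host login.example.com are placeholders to replace with your own vetted extension and identity-provider hostname.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Extensions must be approved by the security team before installation.",
      "runtime_blocked_hosts": [
        "*://login.example.com"
      ]
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "installation_mode": "allowed"
    }
  }
}
```

On Linux, managed Chrome reads this as a file under /etc/opt/chrome/policies/managed/; on Windows and macOS the same ExtensionSettings keys are delivered through Group Policy, Intune, or an MDM profile, and chrome://policy on the endpoint shows whether the policy was applied and lists any keys it did not recognize. The default-deny entry is what removes the attack vector described at DEF CON: an extension that is never installed cannot hijack a WebAuthn flow, and the host block means an extension that slipped through review still cannot run on the page where the passkey ceremony happens.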
✅ Story Links:
https://therecord.media/zelle-lawsuit-new-york-state-scams-fraud
https://thehackernews.com/2025/08/zoom-and-xerox-release-critical.html
https://www.securityweek.com/passkey-login-bypassed-via-webauthn-process-manipulation/
https://therecord.media/charon-ransomware-targeting-middle-east-aviation
🔔 Subscribe now for the latest insights from industry leaders, in-depth analyses, and real-world strategies to secure your digital world. https://www.youtube.com/@TheCyberHubPodcast/?sub_confirmation=1
🚨 Important Links to Follow:
👉Listen here: https://linktr.ee/cyberhubpodcast
✅ Stay Connected With Us.
👉Facebook: https://www.facebook.com/CyberHubpodcast/
👉LinkedIn: https://www.linkedin.com/company/cyberhubpodcast/
👉Twitter (X): https://twitter.com/cyberhubpodcast
👉Instagram: https://www.instagram.com/cyberhubpodcast
🤝 For Business Inquiries: info@cyberhubpodcast.com
=============================
🚀 About The CyberHub Podcast.
The Hub of the Infosec Community.
Our mission is to provide substantive and quality content that’s more than headlines or sales pitches. We want to be a valuable source to assist those cybersecurity practitioners in their mission to keep their organizations secure.
Tune in to our podcast Monday through Thursday at 9AM EST for the latest news.