Cybersecurity Snapshot: CISA Highlights Vulnerability Management Importance in Breach Analysis, as Orgs Are Urged To Patch Cisco Zero-Days

CISA’s takeaways of an agency hack include a call for timely vulnerability patching. Plus, Cisco zero-day bugs are under attack — patch now. Meanwhile, the CSA issued a framework for SaaS security. And get the latest on the npm breach, the ransomware attack that disrupted air travel and more!
Here are six things you need to know for the week ending September 26.
Key takeaways
- In assessment of a federal agency breach, CISA highlights importance of vulnerability management and prompt patching.
- Attackers are actively exploiting Cisco zero-day vulnerabilities. Update your software, stat!
- A new framework aims to create a clear, consistent baseline for SaaS security.
1 - CISA: Agency breach shows vulnerability management is key
Inventory all your assets. Manage and prioritize their vulnerabilities. Patch promptly.
Rinse and repeat.
That’s a key message issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week after dissecting a recent hack at an unnamed federal agency in the publication “CISA Shares Lessons Learned from an Incident Response Engagement.”
Attackers exploited a known vulnerability, CVE-2024-36401, in a public-facing GeoServer, an open source server that lets users share and edit geospatial data. They then spent three weeks moving undetected through the network, planting web shells and setting up persistence before the breach was discovered.

CISA’s post-mortem flagged several critical failures:
- Critical bugs weren't patched on time.
- The incident response plan was gathering dust – it had never been tested.
- Security alerts weren't being consistently reviewed.
The advisory breaks down the attackers’ tactics, techniques and procedures (TTPs) and includes indicators of compromise (IOCs).
Mitigation recommendations include:
- Prioritize patching, especially for known exploited vulnerabilities on public-facing systems.
- Drill, drill, drill. Regularly test and practice your incident response plan.
- Centralize your logs in a secure, out-of-band location to spot trouble faster.
The vulnerability management recommendations include having procedures for prioritization and emergency patching, and highlight the importance of identifying high-risk systems via asset management and inventorying.
“CISA urges organizations to apply these lessons learned to bolster their security posture, improve preparedness, and reduce the risk of future compromises,” CISA said in a statement.
For more information about reducing cyber risk with an exposure management program, check out these Tenable blogs:
- “How Exposure Management Has Helped Tenable Reduce Risk and Align with the Business”
- “How Tenable Moved From Siloed Security to Exposure Management”
- “How Tenable’s Security Team Went from Thousands of Alerts to a Handful of Tickets with Exposure Management”
- “How Exposure Management Moves Beyond Vulnerability Scans to A Unified View of Risk”
- “Understanding and Managing Cyber Risk: An Exposure Management FAQ for Business Leaders”
2 - Cisco zero-day bugs under attack – patch now
Cisco this week rushed out patches for zero-day vulnerabilities that attackers are actively exploiting in the wild.
The vulnerabilities in question impact the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software:
- CVE-2025-20333 (CVSS 9.9): Allows an authenticated, remote attacker to run arbitrary code and completely compromise an affected device.
- CVE-2025-20362 (CVSS 6.5): Lets an unauthenticated, remote attacker access restricted URL endpoints that would otherwise require authentication.
To get a deep dive into these vulnerabilities, read the Tenable blog “CVE-2025-20333, CVE-2025-20362: Frequently Asked Questions About Zero-Day Cisco Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) Vulnerabilities.”
Cisco also disclosed and patched a third vulnerability – CVE-2025-20363 (CVSS 9.0) – that it said isn’t part of the zero-day exploitation campaign and that impacts the web services of Cisco Secure Firewall ASA Software, Cisco Secure FTD Software, Cisco IOS Software, Cisco IOS XE Software and Cisco IOS XR Software.
Meanwhile, CISA issued Emergency Directive “ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices” instructing federal agencies to identify affected devices, send memory files to CISA for analysis and apply patches immediately.

While the directive is for federal agencies, the warning is for everyone.
“CISA urges all public and private sector organizations to review the Emergency Directive and associated resources and take steps to mitigate these vulnerabilities,” CISA said in a statement.
To get more details, check out:
- The official Cisco advisories for CVE-2025-20333, CVE-2025-20362 and CVE-2025-20363, as well as its statement “Cisco Event Response: Continued Attacks Against Cisco Firewalls.”
- The CISA Emergency Directive “ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices” and complementary “Supplemental Direction ED 25-03: Core Dump and Hunt Instructions.”
- The U.K. National Cyber Security Centre’s “NCSC warns of persistent malware campaign targeting Cisco devices” alert and “Malware Analysis Report: RayInitiator & LINE VIPER.”
- Coverage from BleepingComputer, CyberScoop, NextGov/FCW and Ars Technica.
3 - New framework tackles SaaS security guesswork
How can you be sure the software-as-a-service (SaaS) applications your organization owns or plans to acquire are secure?
That question drove the Cloud Security Alliance (CSA) to craft the “SaaS Security Capability Framework (SSCF) v1.0,” unveiled this week.
The framework seeks to provide common, consistent criteria that can guide vendors in developing safer applications and help customers better assess these products’ security.
“Without a clear baseline, enterprises, SaaS vendors, and security teams are all left trying to fill in the gaps on their own with a lot of duplicated effort and unnecessary risk,” Lefteris Skoutaris, Associate VP of GRC Solutions at CSA, wrote in a blog.

The SSCF, developed in collaboration with security leaders from various companies, encompasses controls across six key security domains, adapted from the CSA’s “Cloud Controls Matrix”:
- Change Control and Configuration Management
- Data Security and Privacy Lifecycle Management
- Identity and Access Management
- Interoperability and Portability
- Logging and Monitoring
- Security Incident Management, E-Discovery, and Cloud Forensics
The SSCF seeks to complement existing frameworks like SOC 2 and ISO 27001 by translating high-level security requirements into tangible, actionable features that customers can directly configure and enforce within their SaaS applications.
In short, the framework gives customers a consistent way to evaluate their SaaS portfolio, while vendors get a clear roadmap of what security controls are expected.
For more information about SaaS security:
- “Using Software as a Service (SaaS) securely” (UK NCSC)
- “SaaS security is now a major blind spot for enterprises” (ITPro)
- “SaaS Breaches Skyrocket 300% as Traditional Defenses Fall Short” (Infosecurity)
- “SaaS Cybersecurity: Threats And Mitigation Strategies” (Forbes)
4 - As worm 'Shai-Hulud' burrows into npm, CISA issues warning
CISA has urgent advice for developers using npm, following the latest supply-chain attack against this popular JavaScript package registry.
CISA’s alert, issued this week, focuses on the self-replicating worm named Shai-Hulud, which has compromised 500-plus packages on the npm registry since mid-September.
The worm infiltrates a developer's environment, hunts for sensitive credentials like GitHub tokens and cloud API keys, and uploads them to a public repository, CISA said in its alert “Widespread Supply Chain Compromise Impacting npm Ecosystem.”
It then uses those stolen keys to authenticate to npm, inject malicious code into other packages maintained by the developer and spread itself further.

CISA recommends that organizations using npm do the following to protect themselves against Shai-Hulud:
- Review all software dependencies to identify any of the affected packages.
- Pin npm package versions to safe releases published before September 16, 2025.
- Rotate all developer credentials ASAP.
- Enforce phishing-resistant multi-factor authentication for all developer accounts.
- Monitor networks and block connections to known malicious domains.
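One way to act on the first two recommendations is to audit a lockfile against the alert's affected-package list and the September 16, 2025 cut-off. This is an added example, not code from CISA, GitHub or Tenable; the lockfile, the registry `time` data and the package names are constructed placeholders, and in practice the publish times would come from `npm view <pkg> time`.

```javascript
// Added example: flag lockfile entries that are either on an affected-package
// list or whose installed version was published on/after the cut-off date.
const CUTOFF = new Date("2025-09-16T00:00:00Z");

// Constructed package-lock.json (lockfileVersion 3 layout, keyed by node_modules path).
const lockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/sample-util": { version: "1.3.0" },
    "node_modules/compromised-placeholder": { version: "2.1.0" },
    "node_modules/old-and-safe": { version: "0.9.1" },
  },
};

// Constructed stand-in for the registry's `time` map (what `npm view <pkg> time` returns).
const registryTime = {
  "sample-util": { "1.3.0": "2025-09-20T10:00:00Z" },
  "compromised-placeholder": { "2.1.0": "2025-09-01T10:00:00Z" },
  "old-and-safe": { "0.9.1": "2024-03-02T10:00:00Z" },
};

// Placeholder standing in for the affected-package list published with the alert.
const affected = new Set(["compromised-placeholder"]);

// Turn "node_modules/a/node_modules/@scope/b" style keys into {name, version}.
function lockfileEntries(lock) {
  return Object.entries(lock.packages)
    .filter(([path]) => path.startsWith("node_modules/"))
    .map(([path, meta]) => ({ name: path.split("node_modules/").pop(), version: meta.version }));
}

// Returns one finding per suspect entry, with every reason it was flagged.
function auditLockfile(lock, times, affectedNames, cutoff = CUTOFF) {
  const findings = [];
  for (const { name, version } of lockfileEntries(lock)) {
    const reasons = [];
    if (affectedNames.has(name)) reasons.push("listed as affected");
    const published = times[name] && times[name][version];
    if (!published) reasons.push("publish time unknown"); // treat missing data as suspect
    else if (new Date(published) >= cutoff) reasons.push(`published ${published}, after cut-off`);
    if (reasons.length) findings.push({ name, version, reasons });
  }
  return findings;
}

console.log(auditLockfile(lockfile, registryTime, affected));
```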
Meanwhile, GitHub, which owns npm, announced steps to strengthen the registry’s security. For starters, GitHub has already removed over 500 compromised packages, and it’s actively blocking the upload of new packages that contain Shai-Hulud’s indicators of compromise. GitHub also plans to add stronger authentication requirements, including a push toward FIDO-based 2FA and deprecating older, weaker security methods.
“We are going to roll these changes out gradually to ensure we minimize disruption while strengthening the security posture of npm,” reads a GitHub blog.
GitHub is also strongly encouraging the adoption of "trusted publishing," a security feature that eliminates the need for managing API tokens in build systems.
For more information about software supply chain security:
- “Software Supply Chain Security” (OWASP)
- “Securing software supply chains: how to safeguard against hidden dependencies” (World Economic Forum)
- “Securing the Software Supply Chain: Recommended Practices for Developers” (CISA)
- “Software Supply Chain Best Practices” (Linux Foundation)
- “5 ways to spot software supply chain attacks and stop worms - before it's too late” (ZDNet)
5 - UK nabs suspect after cyber attack snarls air travel in Europe
U.K. law enforcement authorities have arrested a man in connection with the ransomware attack that wreaked havoc in airports across Europe.
On September 19, Collins Aerospace suffered a ransomware attack that disrupted the availability of its MUSE software, used by airlines to check in passengers at airports.
As a result, chaos ensued in major airports in Europe, including in London, Berlin and Brussels. Hundreds of flights got cancelled or delayed over the course of several days.
“Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing,” Paul Foster, Deputy Director of the NCA’s Cyber Crime Unit, said in a statement.

ENISA, the EU’s cybersecurity agency, told news agency Reuters that Collins Aerospace had been hit by a ransomware attack.
RTX, the parent company of Collins Aerospace, acknowledged in a media statement “a cyber-related disruption to MUSE software in select airports.”
Bernard Montel, EMEA Technical Director and Security Strategist at Tenable, said that while full attack details remain unknown, the impact to multiple airports highlights the risks of insecure third-party systems.
“Truly robust security begins with a strong foundation: identifying the systems that underpin our most vital services and proactively mitigating the vulnerabilities that attackers are most likely to exploit. This is the only way to effectively neutralise the risk," Montel told CFOtech.
To get more details, check out coverage from Reuters, SecurityWeek, CSO and The Guardian.
6 - Alert: Scammers impersonating FBI's IC3 website
Brazen cyber crooks are targeting the very place people go to report online crime.
In an alert this week, the U.S. Federal Bureau of Investigation (FBI) warned that threat actors are creating fake, or "spoofed," versions of its Internet Crime Complaint Center (IC3) website.
The goal is to trick you into entering personal and financial information on look-alike domains. These spoofed sites use slightly different spellings or alternative domain endings to lure in victims.

To protect yourself, the FBI recommends:
- Go direct: Manually type www.ic3.gov into your browser's address bar. Don't rely on search engine results.
- Watch for "Sponsored" links: In search results, these are often paid ads by impostors trying to divert you from the legitimate site.
- Check the URL: The only official URL is www.ic3.gov. The .gov is your proof.
- Trust your gut: Avoid clicking on links that look suspicious.
And remember: The real IC3 will never ask for money to recover lost funds and has zero social media presence.