Today’s pattern is ugly but clear: edge appliances, inboxes, and helpdesk trust flows are all being abused in ways that survive shallow remediation.
Top line: Three stories deserve immediate attention this morning: firewall malware that can survive patch cycles, an email platform with thousands of exposed vulnerable servers, and a vishing-heavy extortion crew turning ordinary support workflows into breach paths.
CISA and the U.K. NCSC are warning that the Firestarter backdoor can persist on Cisco Firepower and Secure Firewall devices even after reboots, firmware updates, and security patches. The malware, tied to a Cisco-tracked espionage actor, hooks into the LINA process, reinstalls itself when terminated, and can be triggered through crafted WebVPN traffic. Cisco’s own guidance is blunt: fixed releases matter, but reimaging is the recommended cleanup path.
Shadowserver says over 10,500 internet-exposed Zimbra Collaboration Suite servers remain vulnerable to CVE-2025-48700, an XSS flaw already listed by CISA as actively exploited. The bug affects multiple ZCS branches and can let unauthenticated attackers execute JavaScript in a victim’s webmail session when a malicious email is viewed in the Classic UI. That matters because Zimbra has a long history of being a stepping stone for email theft and state-backed targeting.
BlackFile is being tied to a surge of vishing-led extortion attacks against retail and hospitality organizations. The attackers spoof IT support, harvest employee credentials and one-time passcodes through fake login pages, then register their own devices to get around MFA. From there, they raid systems like Salesforce and SharePoint through standard APIs, steal sensitive files, and escalate pressure with ransom demands and even swatting tactics.
Bottom line: Today’s pattern is ugly but clear: edge appliances, inboxes, and helpdesk trust flows are all being abused in ways that survive shallow remediation.
KENSAI helps teams surface exposed attack paths across edge appliances, email systems, identity flows, and cloud tooling before attackers turn normal workflows into breach infrastructure.
Free Scan →Stay sharp.
🗡️ KENSAI Security Team