← Back to Blog
Security Briefing4 min read2026-04-25

Security Briefing, April 25 2026: Firestarter Persistence, Zimbra Exposure, and BlackFile Vishing Extortion

Today’s pattern is ugly but clear: edge appliances, inboxes, and helpdesk trust flows are all being abused in ways that survive shallow remediation.


Top line: Three stories deserve immediate attention this morning: firewall malware that can survive patch cycles, an email platform with thousands of exposed vulnerable servers, and a vishing-heavy extortion crew turning ordinary support workflows into breach paths.


1. Firestarter turns patching into a false finish line on Cisco firewalls

CISA and the U.K. NCSC are warning that the Firestarter backdoor can persist on Cisco Firepower and Secure Firewall devices even after reboots, firmware updates, and security patches. The malware, tied to a Cisco-tracked espionage actor, hooks into the LINA process, reinstalls itself when terminated, and can be triggered through crafted WebVPN traffic. Cisco’s own guidance is blunt: fixed releases matter, but reimaging is the recommended cleanup path.


2. More than 10,000 exposed Zimbra servers are still sitting in the blast radius

Shadowserver says over 10,500 internet-exposed Zimbra Collaboration Suite servers remain vulnerable to CVE-2025-48700, an XSS flaw already listed by CISA as actively exploited. The bug affects multiple ZCS branches and can let unauthenticated attackers execute JavaScript in a victim’s webmail session when a malicious email is viewed in the Classic UI. That matters because Zimbra has a long history of being a stepping stone for email theft and state-backed targeting.


3. BlackFile is proving that fake helpdesk calls still break modern enterprises

BlackFile is being tied to a surge of vishing-led extortion attacks against retail and hospitality organizations. The attackers spoof IT support, harvest employee credentials and one-time passcodes through fake login pages, then register their own devices to get around MFA. From there, they raid systems like Salesforce and SharePoint through standard APIs, steal sensitive files, and escalate pressure with ransom demands and even swatting tactics.


What security teams should do today

  1. Run Cisco firewall compromise checks and plan reimaging where indicators appear.
  2. Close out Zimbra patching and hunt for malicious-email-driven session abuse.
  3. Tighten helpdesk identity checks, especially for remote support and MFA reset flows.
  4. Review SaaS export activity and device enrollment events for signs of BlackFile-style intrusion.

Sources


Bottom line: Today’s pattern is ugly but clear: edge appliances, inboxes, and helpdesk trust flows are all being abused in ways that survive shallow remediation.

Find the trust breaks before they become incidents

KENSAI helps teams surface exposed attack paths across edge appliances, email systems, identity flows, and cloud tooling before attackers turn normal workflows into breach infrastructure.

Free Scan →

Stay sharp.

🗡️ KENSAI Security Team