Programmer’s Digest #147
08/13/2025-08/20/2025 N-able N-central Flaws, Malicious PyPI and npm Packages, CVE-2025-20265.
1. CISA Warns of N-able N-central Flaws Exploited in Zero-day Attacks
CISA warned that attackers are actively exploiting two security flaws in N-able’s N-central remote monitoring and management (RMM) platform. Widely used by MSPs and IT teams, N-central lets admins manage networks and devices from a central console.
The vulnerabilities—CVE-2025-8875 (insecure deserialization) and CVE-2025-8876 (improper input sanitization)—can allow authenticated attackers to execute commands. N-able confirmed the exploits, patched them in N-central 2025.3.1, and urged on-premises customers to upgrade immediately, stressing that its hosted cloud environments show no evidence of compromise.
CISA added the flaws to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch by August 20 under Binding Operational Directive (BOD) 22-01. About 2,000 N-central instances are exposed on the internet worldwide, mostly in the U.S., Australia, and Germany. CISA also urged private organizations to secure their systems quickly, warning that such flaws remain frequent attack vectors for malicious actors.
2. PyPI Blocks 1,800 Expired-Domain Emails to Prevent Account Takeovers and Supply Chain Attacks
PyPI now checks for expired domains to block supply chain attacks. The update targets domain resurrection attacks, where attackers buy expired domains and hijack PyPI accounts through password resets. These changes improve PyPI’s overall account security posture. Since June 2025, PyPI has unverified more than 1,800 email addresses tied to expiring domains. While not foolproof, the safeguard helps close a major attack vector, especially for abandoned packages still widely used by developers.
Expired domains pose a critical risk because attackers can acquire them, intercept password reset emails, and seize package accounts—an issue highlighted in 2022 when the ctx package was compromised. The new measure, powered by Fastly’s Status API, checks domains every 30 days and un-verifies expired ones. PyPI also urges users to enable two-factor authentication and add a backup email from a trusted domain like Gmail or Outlook.
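To make the safeguard concrete, here is an added example (not PyPI's own code and not Fastly's API) that models the policy the item describes: every 30 days, re-check the domain behind each verified e-mail, skip large providers that will not lapse, and un-verify addresses whose domain has expired so a password reset can no longer be delivered to a resurrected domain. The domain-status lookup is a hypothetical function backed by a constructed table; the status labels and sample accounts are invented for the demo, and an unknown status deliberately does not trigger un-verification.

```python
"""Domain-resurrection guard for verified account e-mails.

Added example modelling the PyPI safeguard described above. The status source
is a constructed dict standing in for a real domain-status API (assumption).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RECHECK_INTERVAL = timedelta(days=30)

# Large mail providers whose domains will not lapse; skipped to save lookups.
TRUSTED_PROVIDERS = {"gmail.com", "outlook.com"}


@dataclass
class VerifiedEmail:
    address: str
    verified: bool = True
    last_domain_check: Optional[datetime] = None
    reason: Optional[str] = None


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return domain.lower().rstrip(".")


# Constructed stand-in for a domain-status service (hypothetical data).
CONSTRUCTED_DOMAIN_STATUS = {
    "example-maintainer.org": "active",
    "old-startup.example": "expired",
    "gone-forever.test": "undelegated",
}


def lookup_domain_status(domain: str) -> str:
    """Hypothetical lookup: 'active', 'expired', 'undelegated' or 'unknown'."""
    return CONSTRUCTED_DOMAIN_STATUS.get(domain, "unknown")


def should_unverify(status: str) -> bool:
    # Only a lapsed registration is evidence; 'unknown' must not un-verify anyone.
    return status in {"expired", "undelegated"}


def sweep(emails, now, lookup=lookup_domain_status):
    """Re-check every verified address that is due; return the ones un-verified."""
    unverified = []
    for e in emails:
        if not e.verified:
            continue
        domain = email_domain(e.address)
        if domain in TRUSTED_PROVIDERS:
            continue
        if e.last_domain_check and now - e.last_domain_check < RECHECK_INTERVAL:
            continue  # checked within the last 30 days
        status = lookup(domain)
        e.last_domain_check = now
        if should_unverify(status):
            e.verified = False
            e.reason = f"domain {domain} is {status}"
            unverified.append(e)
    return unverified


def run_demo():
    """Constructed walk-through: two sweeps 31 days apart over sample accounts."""
    day0 = datetime(2025, 8, 20, tzinfo=timezone.utc)
    emails = [
        VerifiedEmail("alice@example-maintainer.org"),
        VerifiedEmail("bob@OLD-STARTUP.example"),
        VerifiedEmail("carol@gmail.com"),
        VerifiedEmail("dave@gone-forever.test",
                      last_domain_check=day0 - timedelta(days=5)),
        VerifiedEmail("erin@unregistered.example"),
    ]
    first = [e.address for e in sweep(emails, day0)]
    second = [e.address for e in sweep(emails, day0 + timedelta(days=31))]
    final = {e.address: e.verified for e in emails}
    return first, second, final


if __name__ == "__main__":
    for label, result in zip(("first sweep", "second sweep", "final"), run_demo()):
        print(label, result)
```

In the demo, bob is un-verified on the first sweep because his domain is marked expired; dave is skipped on day 0 (checked five days earlier) and only un-verified on the second sweep, once the 30-day interval has elapsed; erin's domain returns an unknown status and stays verified, which is the fail-safe choice when the lookup cannot confirm a lapse.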
3. Cisco’s Secure Firewall Management Center now not-so secure, springs a CVSS 10 RCE hole
Cisco has released a patch for a critical vulnerability in its Secure Firewall Management Center (FMC) software that could let unauthenticated, remote attackers execute arbitrary shell commands.
Tracked as CVE-2025-20265 and rated 10.0 on the CVSS scale, the flaw stems from improper input handling in FMC’s RADIUS authentication subsystem during login. Exploitation is possible only if FMC is configured to use RADIUS authentication for its web or SSH management interfaces. Cisco engineer Brandon Sakai discovered the bug during internal testing.
Cisco FMC is widely used by enterprises, MSPs, government agencies, and schools to manage firewalls, intrusion prevention, and other network security tools. While no exploitation has been observed yet, Cisco warns attackers could gain high-level privileges if the flaw is abused.
This marks the latest in a string of maximum-severity bugs in Cisco products, following three separate ISE and ISE-PIC flaws disclosed earlier this summer that also allowed root-level code execution.
4. Malicious PyPI and npm Packages Discovered Exploiting Dependencies in Supply Chain Attacks
Researchers have uncovered a malicious package on the Python Package Index that uses a dependency to establish persistence and enable remote code execution.
The package, termncolor, relied on a secondary library called colorinal in a multi-stage malware chain. Termncolor was downloaded 355 times and colorinal 529 before removal. Once executed, termncolor imported colorinal, which loaded a rogue DLL to decrypt and launch further payloads. The malware deployed “vcpktsvr.exe” with a malicious “libcef.dll,” capable of stealing system data and communicating with a command-and-control server via Zulip chat. Persistence was achieved through a Windows registry entry, while Linux systems were infected with a shared object file called “terminate.so.” The disclosure comes as npm has also faced waves of malicious packages used for data theft, credential harvesting, and cryptocurrency attacks, underscoring the ongoing risks to open-source supply chains.