Daily Cyber Briefing

KEV Alert: China-Linked Zero-Days, WSUS Exploits, and the Diplomats' Digital Woes

Mike Housch Season 1 Episode 41

CISA issued urgent warnings, adding exploited VMware and XWiki flaws to the KEV catalog and requiring federal agencies to patch immediately. We break down the Chinese threat actor exploiting an unpatched Windows shortcut vulnerability targeting European diplomats and examine the active exploitation of the critical Windows WSUS flaw.

Welcome back to Cyber Scoops & Digital Shenanigans. I’m your host, Mike Housch, and today, we're diving deep into a whirlwind of urgent government alerts and nation-state activity. If you're running IT infrastructure—especially if you're managing virtualization or handling patch deployment—you need to listen up, because CISA is not messing around. We have major updates on CISA's Known Exploited Vulnerabilities catalog, a critical look at how Russian ransomware gangs are leveling up their toolkit, and a deep dive into sophisticated Chinese APT activity targeting diplomats.

Let’s start with the U.S. Cybersecurity and Infrastructure Security Agency, or CISA. Just recently, CISA expanded its Known Exploited Vulnerabilities, or KEV, catalog with two critical security defects impacting XWiki and VMware products.

Federal Civilian Executive Branch agencies are mandated by Binding Operational Directive (BOD) 22-01 to patch these vulnerabilities by November 20, 2025. When CISA issues a KEV addition, it’s a fire alarm for everyone, not just federal agencies.

First up is the XWiki flaw, tracked as CVE-2025-24893, which scored a whopping 9.8 on the CVSS scale. The root cause is improper sanitization of search parameters. The exploit is highly dangerous because it can be used remotely, without any authentication, to inject malicious code through specially crafted search requests. If successful, attackers can execute code with web server privileges, potentially leak sensitive information, or disrupt operations. We know proof-of-concept exploits have been available for about half a year, and early exploitation was seen back in March, even if those attempts were initially flagged as reconnaissance. More recently, threat actors have been exploiting this specific XWiki vulnerability to deploy a cryptocurrency miner.

The second KEV entry hits close to home for anyone running serious enterprise virtualization: a VMware defect. This is CVE-2025-41244, a local privilege escalation flaw with a CVSS score of 7.8.

This vulnerability affects VMware Tools and Aria Operations. Essentially, an authenticated attacker who has non-administrative privileges on a VM can use this flaw to obtain root privileges on that same VM, provided it has VMware Tools installed and is managed by Aria Operations with SDMP enabled.

While Broadcom, which owns VMware, released fixes in late September, they initially failed to disclose the critical detail: it was already being exploited in the wild. Broadcom later updated its advisory, suggesting that suspected exploitation had occurred. Reporting credit goes to NVISO, who noted that Chinese threat actors have been targeting this CVE for roughly a year, using it as a zero-day since mid-October 2024. This activity is specifically attributed to UNC5174, a China-linked threat actor tracked by Google Mandiant. The local privilege escalation is described as trivial to exploit, resulting in unprivileged users achieving code execution in privileged contexts, like root.

Moving beyond the KEV catalog, CISA, in conjunction with the NSA and international partners from Australia and Canada, recently released urgent guidance to help organizations secure their on-premises Microsoft Exchange Server instances. Malicious activity targeting Exchange servers continues, with unprotected and misconfigured instances bearing the brunt of attacks.

The core advice here includes: maintaining security updates, migrating off end-of-life servers, and applying strict security baselines. Critically, they emphasize restricting administrative access, using multi-factor authentication, and hardening encryption configurations, such as configuring TLS and enforcing HTTP Strict Transport Security.

This guidance arrived right as CISA updated an alert regarding a newly re-patched security flaw in the Windows Server Update Services component, or WSUS, tracked as CVE-2025-59287. This flaw could result in remote code execution. Sophos reported that threat actors moved quickly, exploiting this vulnerability to harvest sensitive data from various U.S. industries, including healthcare, manufacturing, technology, and universities. The exploitation was detected on October 24th, just a day after Microsoft released the out-of-band security update.

The attackers are leveraging vulnerable WSUS servers to execute Base64-encoded PowerShell commands and exfiltrate the results. Defenders should be monitoring for suspicious child processes spawned with SYSTEM-level permissions, particularly those originating from wsusservice.exe or w3wp.exe.
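One way a defender might turn that hunting advice into something that runs, as an added example that is not from the briefing or from Sophos: a small Python triage script over constructed, Sysmon-style process-creation events. It flags script hosts spawned as SYSTEM by wsusservice.exe or w3wp.exe and decodes any `-EncodedCommand` payload (Base64 of UTF-16LE text) for the analyst. The field names (ParentImage, Image, User, CommandLine), the pipe-delimited line format, and the sample events are all assumptions constructed for the demo; the encoded payload is built in-code and is harmless.

```python
"""Triage constructed process-creation events for the WSUS post-exploitation
pattern: a shell or script host spawned as SYSTEM by wsusservice.exe or
w3wp.exe, often carrying a Base64-encoded PowerShell command."""
import base64
import ntpath
import re

# Parents named in the reporting: the WSUS service and the IIS worker process.
WATCHED_PARENTS = {"wsusservice.exe", "w3wp.exe"}
# Children those parents should rarely, if ever, spawn.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "certutil.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}
# PowerShell accepts unambiguous prefixes of -EncodedCommand; payload is Base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def encode_powershell(script: str) -> str:
    """The transform PowerShell uses for -EncodedCommand; used here only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' event line (assumed format) into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")  # split on the first '=' so Base64 padding survives
        fields[key.strip()] = value.strip()
    return fields


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, None if absent, or a marker if malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def is_suspicious(ev: dict) -> bool:
    """Watched parent + SYSTEM context + (script host child or an encoded command)."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    child = ntpath.basename(ev.get("Image", "")).lower()
    user = ev.get("User", "").lower()
    if parent not in WATCHED_PARENTS or user not in SYSTEM_ACCOUNTS:
        return False
    return child in SCRIPT_HOSTS or ENCODED_FLAG.search(ev.get("CommandLine", "")) is not None


def triage(lines):
    """Return one alert dict per suspicious event, with the encoded payload decoded for review."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            alerts.append({
                "parent": ntpath.basename(ev["ParentImage"]).lower(),
                "child": ntpath.basename(ev["Image"]).lower(),
                "user": ev["User"],
                "decoded_command": decode_encoded_command(ev.get("CommandLine", "")),
            })
    return alerts


# Constructed sample events (not real telemetry); the encoded payload is harmless.
SAMPLE_B64 = encode_powershell("Write-Output 'constructed sample payload'")
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Update Services\\Service\\WsusService.exe|"
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "User=NT AUTHORITY\\SYSTEM|"
    f"CommandLine=powershell.exe -nop -w hidden -enc {SAMPLE_B64}",
    "ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe|Image=C:\\Windows\\System32\\cmd.exe|"
    "User=NT AUTHORITY\\SYSTEM|CommandLine=cmd.exe /c dir",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "User=CORP\\jdoe|CommandLine=powershell.exe -ExecutionPolicy Bypass -File build.ps1",
    "ParentImage=C:\\Windows\\System32\\svchost.exe|Image=C:\\Windows\\System32\\wuauclt.exe|"
    "User=NT AUTHORITY\\SYSTEM|CommandLine=wuauclt.exe /detectnow",
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Of the four constructed events, only the first two trip the rule: the WSUS service spawning PowerShell with an encoded command (decoded in the alert) and the IIS worker spawning cmd.exe as SYSTEM. An interactive user's PowerShell and a normal svchost child are left alone. The `-ExecutionPolicy` switch is deliberately not treated as an encoded-command flag, since PowerShell only accepts unambiguous prefixes of `-EncodedCommand`.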

Our final segment covers a distinct, yet potent, threat involving a Chinese threat actor known as UNC6384, which is linked to the notorious Mustang Panda APT. This group is exploiting an unpatched Windows shortcut vulnerability, CVE-2025-9491.

This flaw is categorized as a UI misrepresentation issue. What makes it effective is that Windows fails to display critical information when a user inspects the file’s properties, effectively hiding the malicious code.

Arctic Wolf reports that this campaign is targeting the diplomatic community in Europe. The attackers use spear-phishing emails with embedded URLs that drop malicious LNK files themed around official topics, such as European Commission meetings or NATO workshops. The ultimate payload is the PlugX remote access trojan (RAT). The attacker executes PowerShell commands, drops a signed Canon printer utility, and then abuses that trusted utility to execute PlugX via DLL sideloading.

Arctic Wolf observed targeting against diplomatic personnel in Hungary and Belgium, and linked the campaign to targeting government aviation departments in Serbia, and diplomatic entities in Italy and the Netherlands.

So, to wrap up: CISA requires immediate action on XWiki and VMware flaws. WSUS servers are under active attack for data harvesting. And Chinese APTs are using clever tricks with unpatched Windows flaws to target sensitive diplomatic networks.

And a quick note on cybercrime: Russian ransomware gangs, including actors tied to Akira and Fog operations, are adopting the open-source command-and-control framework, AdaptixC2, for advanced attacks. Although AdaptixC2 is marketed as an ethical red-teaming tool, its modular and versatile features are being weaponized by cybercriminals.

Finally, good news on the defense front: Google’s built-in AI defenses on Android are blocking over 10 billion scam messages and calls per month. Scammers are getting tricky, often using group chats to appear less suspicious, and they employ tactics like "Spray and Pray" or the more calculated "Bait and Wait" schemes to steal money or information.

That’s all the time we have for this edition of Cyber Scoops & Digital Shenanigans. Stay vigilant, stay secure, and we’ll catch you next time.