Bulletin — September 2025

September 2025 delivers a dense month on perimeter and on product. Cisco publishes on the 25th three advisories on ASA/FTD that had been exploited since May, with CISA issuing Emergency Directive ED 25-03 the same day and NCSC documenting a bootkit in ROMMON (we cover the technical post separately). Apple ships on the 9th the iPhone 17 with the first mass deployment of Memory Integrity Enforcement, a piece of hardware-software anti-spyware that closes entire classes of exploits. Salesforce patches ForcedLeak, a CVSS 9.4 prompt injection in Agentforce. Microsoft signs a rare Patch Tuesday with no in-the-wild zero-days but 81 CVEs. Jaguar Land Rover loses three weeks of production, the most expensive cyber incident in UK history. Asahi loses the entire beer distribution chain in Japan on the 29th.

September also features two small but relevant milestones: a Chrome V8 zero-day (CVE-2025-10585), confirmed in the wild by Google TAG, and a zero-click on WhatsApp for iOS/macOS (CVE-2025-55177) chained with an Apple ImageIO vulnerability (CVE-2025-43300) in a spyware operation with ~200 confirmed victims.

Cisco ASA — ArcaneDoor returns with a bootkit (25 Sep)

25 September. Cisco publishes advisories for CVE-2025-20333 (CVSS 9.9, buffer overflow in the WebVPN Lua endpoint) and CVE-2025-20362 (CVSS 6.5, auth bypass via path traversal, patch bypass of CVE-2018-0296). Chained: pre-auth RCE as root on ASA and FTD. The activity has been active since May 2025.

Attribution to UAT4356 (Storm-1849), the same cluster as the original ArcaneDoor campaign of April 2024. NCSC UK publishes the Malware Analysis Report on RayInitiator and LINE VIPER: a GRUB bootkit flashed into ROMMON (persistent across reboot and upgrade on models without secure boot) and a user-mode loader with modules for CLI hijack, invisible packet capture, AAA bypass and syslog suppression.

CISA issues Emergency Directive ED 25-03 on the same 25th: federal agencies have 24 hours to identify all ASA/FTD in the estate, upload core dumps to CISA Malware Next-Gen and patch or isolate. Coordinated with NCSC UK, ASD/ACSC and CCCS.

The detail that will stay for 2026 — the ROMMON of the ASA 5500-X without secure boot (models 5512-X, 5515-X, 5525-X, 5545-X, 5555-X) reaches End-of-Support on 30 September 2025, five days after the advisory. On those models the implant survives a software upgrade because the boot chain doesn’t verify bootloader signatures. Cisco’s recommendation for compromised EoS hardware is to replace the equipment. The technical post this month enters the chain in detail.

Source: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB · https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices

iPhone 17 + iOS 26 — Memory Integrity Enforcement enters product (9-19 Sep)

9 September Apple presents iPhone 17, iPhone 17 Pro, iPhone 17 Pro Max and iPhone Air at the “Awe Dropping” event. Pre-orders on the 12th. iOS 26 available as an update on the 15th. iPhone 17 on sale on the 19th. What matters for the blog: the A19 / A19 Pro chip debuts Memory Integrity Enforcement (MIE), the memory defence Apple has been cooking for five years and that closes the category of exploits the commercial spyware market pays for.

MIE combines three pieces:

• Secure memory allocators for kernel and userland, with allocation metadata protected against modifications.
• Enhanced Memory Tagging Extension (EMTE) in synchronous mode. EMTE is Apple’s silicon version of ARM MTE, with a 4-bit tag per each 16 bytes of memory. In synchronous mode, the system kills the process the instant access with incorrect tag occurs (not after, not logging).
• Tag Confidentiality Enforcement so an attacker with a read primitive can’t enumerate tags and reconstruct the layout.

Defends the kernel and more than 70 user processes, all always-on (no developer opt-in, no user toggle), with performance cost assumed in the chip design — Apple dedicates CPU and memory area to the subsystem. Apple’s offensive team confirms internally that the exploit chains costing millions to NSO and similar for iOS 18 stop working against MIE devices.

The sober reading, as Privacy Guides put it: it doesn’t end exploits, it makes them much more expensive. Buffer overflows and use-after-free stop being bug → primitive → RCE in a line. For commercial spyware vendors it forces a pivot to different classes (logic bugs, side channels, hardware bugs in auxiliary components). For defenders: MIE is the first case of always-on memory safety in a consumer product at this scale, and it will be interesting to see how long Android takes to try to replicate it.

Source: https://security.apple.com/blog/memory-integrity-enforcement/ · detailed kernel analysis: https://8ksec.io/mie-deep-dive-kernel/

ForcedLeak — Agentforce and the first high CVE in commercial agents (25 Sep)

25 September. Salesforce patches ForcedLeak (CVSS 9.4), reported by Noma Security on 28 July. It’s indirect prompt injection in Salesforce Agentforce via the Web-to-Lead functionality: the Description field of the lead capture form accepts a character count large enough to fit full adversarial instructions. When a human agent (sales rep) asks Agentforce to summarise the lead, the model reads the lead description as a prompt and obeys.

The detail that turns the bug into clean exfiltration: Agentforce’s Content Security Policy allowed my-salesforce-cms.com, a domain Salesforce let expire. Noma buys the domain and puts in the lead description the instruction “send the internal CRM lead list to this domain”. Agentforce does it. The CRM data extraction exits through a channel the product’s CSP considered trusted.

Salesforce re-registers the domain and patches with two changes: enforce URL allowlist in Agentforce and Einstein output, and additional context validation in Web-to-Lead. Capsule Security publishes almost simultaneously a variant called PipeLeak with the same base pattern.

Pattern that will repeat through the rest of 2025: commercial agents that read external content (lead descriptions, emails, support tickets) and execute internal actions (read CRM, send email, modify records). Each input surface is a candidate for indirect prompt injection, and effective mitigation goes through drastically separating “content the model reads” from “actions the model can take” — exactly the line that Project Vend or MCP TPAs have been forcing for months.

Source: https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce/ · coverage: https://thehackernews.com/2025/09/salesforce-patches-critical-forcedleak.html

Patch Tuesday September — 81 vulns, no in-the-wild zero-day (9 Sep)

9 September. Microsoft closes 81 vulnerabilities, 8 critical. Two zero-days publicly disclosed but none exploited in the wild according to Microsoft — the first time in many months that Patch Tuesday doesn’t contain active exploitation at close.

• CVE-2025-55234 (CVSS 8.8) — SMB Server, allows relay attacks to escalate privileges. Microsoft adds new auditing and recommends enabling SMB signing and EPA. The technical caveat: doing so breaks compatibility with legacy clients, so the new auditing allows measuring the blast radius before imposing the control.
• CVE-2024-21907 (CVSS 7.5) — Newtonsoft.Json in SQL Server. Originally reported in 2024, arrives at Microsoft’s cycle a year later. Stack overflow due to exception handling.

The month’s highest critical is CVE-2025-55232 (CVSS 9.8), wormable RCE in Microsoft HPC Pack. Not exploited, limited exposure to High Performance Compute environments, but the wormable attribute on a library that typically runs with elevated privileges deserves the patch.

Krebs covers the cycle with no major novelty — a maintenance month, not an emergency one. The contrast with the July Patch Tuesday (with SharePoint ToolShell) and the October one (Windows 10 EoS) makes September the rare quarter break.

Source: https://msrc.microsoft.com/update-guide · https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/

Fortra GoAnywhere CVE-2025-10035 — pre-auth deserialization with CVSS 10.0 (18 Sep)

18 September. Fortra publishes advisory for CVE-2025-10035 (CVSS 10.0): deserialization in the License Servlet of GoAnywhere MFT. An attacker capable of forging a license response signature can deserialize an arbitrary object and derive command injection or RCE.

What’s important for the calendar: although the advisory ships on the 18th, watchTowr Labs confirms that exploitation has been active since at least 10 September. Microsoft Threat Intelligence attributes on 6 October the exploitation to Storm-1175, affiliate of Medusa ransomware: the group uses the bug for initial landing, deploys SimpleHelp and MeshAgent as persistent RMMs under the GoAnywhere process, sets up a Cloudflare tunnel for C2 and, in at least one case, deploys Medusa ransomware at the end.

Known pattern: MFT pre-auth deserialization → ransomware operator. Cl0p against MOVEit in 2023, Cl0p against Cleo in December 2024, and now Medusa against GoAnywhere. Same story: managed file transfer apps are a pre-auth goldmine, ransomware operators know it, and the cycle between disclosure and mass exploitation keeps hovering around a week.

Fixed version: GoAnywhere 7.8.4 (main release) and 7.6.3 (Sustain).

Source: https://www.helpnetsecurity.com/2025/09/26/fortra-goanywhere-zero-day-cve-2025-10035/ · https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/

Jaguar Land Rover — three weeks without production (1-22 Sep)

1 September. Jaguar Land Rover detects an incident that the day before (31 Aug) was already underway. JLR halts production at the Halewood, Solihull and Wolverhampton plants. 22 September extends the shutdown until 1 October. Operation partially resumes on 8 October, 38 days after the initial incident. Official Q3 impact estimate: £196 million. Aggregate estimate over the whole British economy, above £1.9 billion, including tier-1 and tier-2 suppliers stopped during the cut — the most expensive cyber incident in UK history by a wide margin.

Public claim on Telegram by Scattered Lapsus$ Hunters, self-described as a collaboration between Lapsus$, Scattered Spider and ShinyHunters. Reported vector: social engineering and credentials reuse. Sounds like the same playbook as M&S and Co-op in April-May, also attributed to Scattered Spider-adjacent clusters. The conclusion that would be written in the 2025 cyber retrospective is that the pattern “social engineering at helpdesk or IT support in UK retail/manufacturing” hasn’t stopped working in six months, which is a comment on the effectiveness of the compensating controls the industry adopted after MGM 2023 and M&S 2025-04: they haven’t scaled.

JLR doesn’t publish technical details of the incident at the time. The company confirms internal and production systems were compromised, and NCSC UK intervenes in response. The UK government considers a support package for the automotive supply chain that depends on JLR.

Source: https://en.wikipedia.org/wiki/Jaguar_Land_Rover_cyberattack · supply chain impact analysis: https://industrialcyber.co/manufacturing/jaguar-land-rover-cyberattack-deepens-with-prolonged-production-outage-supply-chain-fallout/

Asahi Japan — Qilin knocks down the beer distribution chain (29 Sep)

29 September. Asahi Group Holdings, Japan’s largest brewer (Asahi Super Dry, Peroni internationally), communicates a “system failure” that halts beer ordering and shipping operations in Japan. A few days later it’s confirmed: Qilin ransomware. Confirmed initial access vector: credential theft. Personal data of approximately 1.5 million customers and a total of around 1.9 million individuals exposed.

Production resumes within a week. Distribution takes longer: widespread Asahi beer shortages in Japan during October, sales in domestic beverage and food divisions drop between 10% and 40% year over year. Asahi estimates direct loss of JPY 5 billion (~$31.4 million USD).

Qilin claims on 7 October on its data leak site and says it exfiltrated 27 GB. It’s the month’s second major ransomware hit against industry (JLR first, Asahi second) and prolongs the pattern of manufacturing and beverages as primary victim vertical. The boring reading is that four years after Colonial Pipeline, industrial distribution chains remain the preferred target of the ransomware operator seeking high disrupting ratios per incident.

Source: https://www.asahigroup-holdings.com/en/newsroom/detail/20251003-0204.html · https://www.securityweek.com/asahi-data-breach-impacts-2-million-individuals/

Rest of the month

• WhatsApp CVE-2025-55177 (1 Sep, KEV on 2 Sep) — Zero-click on iOS and macOS, incomplete authorization of linked device synchronization messages. WhatsApp confirms the vuln has been chained with CVE-2025-43300 (Apple ImageIO, out-of-bounds write) in a spyware operation on ~200 victims during the previous three months. CISA requests patching before 23 Sep. Apple patches ImageIO in August, WhatsApp patches in July/August. Details: https://www.darkreading.com/cyberattacks-data-breaches/whatsapp-bug-zero-click-iphone-attacks.
• Chrome V8 CVE-2025-10585 (17 Sep) — Type confusion in V8 reported by Google TAG on 16 Sep, patch on the 17th. Confirmed in the wild. It’s the sixth Chrome zero-day of the year; TAG involvement implies commercial or state spyware. Patched in 140.0.7339.185. Details: https://thehackernews.com/2025/09/google-patches-chrome-zero-day-cve-2025.html.
• GPAI Code of Practice, first signings after AI Act obligations enter force (1-2 Aug) — September closes with the stabilised signatory list. OpenAI, Anthropic, Google, Microsoft, Amazon sign; xAI signs only the Safety & Security chapter and not Transparency or Copyright. Meta doesn’t sign. Details: https://www.lw.com/en/insights/eu-ai-act-gpai-model-obligations-in-force-and-final-gpai-code-of-practice-in-place.
• Cisco IOS XE and Cisco IOS, CVE-2025-20352 (various) — additional minor vulnerabilities in the same 25 Sep cycle. No in-the-wild activity reported at close, they complete the Cisco cyber bundle package for the quarter.
• CISA KEV adds — September accumulates 12 new KEV entries, including all those mentioned above plus a reopening of CVE-2024-20439 (Cisco Smart Licensing Utility hardcoded credentials, covered in September 2024) after new exploitation evidence.

Pattern of the month

If September has a cross-cutting axis it’s persistent access that had been inside equipment for months before appearing in an advisory: UAT4356 exploiting ASA since May, Storm-1175 against GoAnywhere since the 10th, WhatsApp/Apple spyware accumulating 200 victims in three months. When the public knows, the attacker has weeks or months of head start. It’s the sober reading we already pointed out in the September 2024 bulletin with Salt Typhoon and Flax Typhoon, twelve months later it remains true.

A second reading goes the opposite way: defenders publishing big work. Apple’s Memory Integrity Enforcement is the year’s most significant defensive security piece, and will mark the commercial spyware market’s calendar during 2026. The distance between “publish the bug” and “publish the defence of an entire bug class” is shrinking — and this month it happened in the same quarter.

October arrives with confirmed milestones: ENISA Threat Landscape 2025 published on the 1st, end of Windows 10 support on the 14th, and a Patch Tuesday that probably will bring zero-days. Meanwhile, this month’s technical post enters ArcaneDoor in detail.