September 26, 2025 | ITBriefcase.net
Why it matters: This week exposed critical vulnerabilities across managed file transfer platforms, AI agent systems, and enterprise email security, demonstrating how attackers increasingly target fundamental business infrastructure. Fortra’s GoAnywhere MFT faces its third major ransomware-targeted vulnerability in three years with a maximum-severity deserialization flaw, while Salesforce’s Agentforce platform revealed how AI agents create entirely new attack surfaces through indirect prompt injection. The convergence of traditional infrastructure vulnerabilities, emerging AI security risks, and continued exploitation of patch bypasses underscores the expanding complexity of enterprise threat landscapes.
The bottom line: Organizations must prioritize immediate patching of critical file transfer and email security systems, implement comprehensive AI security governance frameworks, and address the growing sophistication of patch bypass techniques as attackers demonstrate increasing ability to circumvent previous security fixes.
What’s ahead: Ten critical security developments spanning managed file transfer platforms, AI agent vulnerabilities, email security exploits, and infrastructure compromise that define cybersecurity priorities for late September 2025.
1. Fortra GoAnywhere MFT Hit by Maximum Severity Deserialization Vulnerability
Fortra disclosed CVE-2025-10035, a critical deserialization vulnerability in GoAnywhere MFT’s License Servlet carrying a maximum CVSS score of 10.0. The flaw allows attackers with validly forged license response signatures to inject arbitrary commands without authentication or user interaction. The vulnerability affects internet-accessible GoAnywhere Admin Console installations and follows previous ransomware exploitation of similar GoAnywhere flaws by Cl0p and other threat actors in 2023 and 2024. Impact: Critical – Maximum severity managed file transfer vulnerability enabling remote command execution without authentication, targeting systems historically exploited by ransomware groups. Action Steps: Update GoAnywhere MFT immediately to version 7.8.4 or Sustain Release 7.6.3. Restrict GoAnywhere Admin Console access to internal networks only, removing all public internet exposure. Monitor Admin Audit logs for suspicious activity and scan log files for “SignedObject.getObject” error strings indicating potential exploitation attempts. Implement enhanced egress filtering and alert on large file uploads or high-volume traffic to suspicious destinations. Establish incident response procedures specifically addressing managed file transfer system compromise and data exfiltration scenarios.2. Critical Salesforce Agentforce AI Vulnerability Enables CRM Data Exfiltration
Noma Security disclosed ForcedLeak (CVSS 9.4), a critical vulnerability chain affecting Salesforce Agentforce AI agent platform. The flaw enables attackers to exfiltrate sensitive CRM data through indirect prompt injection attacks embedded in Web-to-Lead forms. Malicious instructions hidden in customer submission fields can trick autonomous AI agents into executing unauthorized data exfiltration commands, bypassing content security policies through an expired domain vulnerability. Salesforce patched the issue on September 8, 2025. Impact: Critical – AI agent vulnerability demonstrating fundamentally new attack surfaces in autonomous systems, enabling automated CRM data theft through trusted business processes. Action Steps: Apply Salesforce patches immediately enforcing Trusted URLs for Agentforce and Einstein AI agents. Audit all existing lead data submissions for suspicious instructions or unusual text patterns. Implement strict input validation and tool-calling security guardrails for AI agent interactions. Deploy real-time prompt injection detection mechanisms monitoring AI agent behavior and data access patterns. Establish AI security governance frameworks addressing autonomous agent risk management and security testing requirements.3. Libraesva Email Security Gateway Command Injection Vulnerability Disclosed
Security researchers disclosed CVE-2025-59689, a command injection vulnerability in Libraesva Email Security Gateway (ESG) that can be triggered through malicious emails containing crafted compressed attachments. The medium-severity flaw (CVSS 6.1) enables arbitrary command execution as a non-privileged user due to improper sanitization during active code removal from compressed archive formats. The vulnerability affects email security infrastructure designed to protect organizations from malicious content. Impact: High – Email security gateway vulnerability enabling command execution through malicious attachments, undermining systems designed to protect enterprise email infrastructure. Action Steps: Apply Libraesva ESG security updates immediately across all email security gateway deployments. Implement enhanced email attachment scanning specifically monitoring for compressed archive formats and potential sanitization bypass attempts. Deploy additional email security layers including sandboxing and detonation capabilities for suspicious attachments. Review email security gateway configurations and update policies restricting dangerous attachment types. Establish monitoring for unusual command execution attempts on email security infrastructure.4. Intel Firmware Patch Bypass Chain Continues with CVE-2025-26399
Binarly researchers discovered CVE-2025-26399, a patch bypass vulnerability continuing a chain of Intel firmware security flaws. This vulnerability bypasses CVE-2024-28988, which itself was a bypass of the previously exploited CVE-2024-28986. The recursive patch bypass pattern demonstrates persistent weaknesses in firmware security implementations and highlights challenges in effectively remediating complex platform security vulnerabilities across multiple generations of security fixes. Impact: Medium – Firmware-level patch bypass vulnerability demonstrating persistent platform security weaknesses requiring comprehensive security validation beyond initial patch deployment. Action Steps: Apply Intel’s latest firmware security updates immediately across all affected platform installations. Implement firmware security validation processes verifying patch effectiveness beyond vendor assertions. Deploy platform attestation and integrity monitoring solutions detecting firmware compromise indicators. Review firmware update procedures and establish enhanced testing protocols validating security fix effectiveness. Establish procedures for tracking recursive patch bypass vulnerabilities across vendor security advisory histories.5. Critical Vulnerabilities Impact Industrial Control Systems and Manufacturing
Multiple industrial control system vulnerabilities emerged affecting critical infrastructure including Novakon HMI systems with remote code execution and information exposure flaws. Manufacturing execution systems face persistent targeting as attackers recognize the strategic value of operational technology compromise. The vulnerabilities require coordinated IT/OT security responses balancing operational safety requirements with urgent security patch deployment needs. Impact: Medium – Industrial control system vulnerabilities affecting manufacturing and critical infrastructure requiring specialized operational technology security responses. Action Steps: Apply vendor-specific security updates for Novakon HMI and affected industrial control systems according to operational safety protocols. Implement network segmentation strictly isolating industrial control systems from enterprise networks and internet access. Deploy OT-specific security monitoring detecting unusual industrial protocol communications and unauthorized HMI access attempts. Review industrial control system access controls and authentication mechanisms for potential compromise indicators. Establish procedures for coordinating security updates with operational safety requirements and production continuity needs.6. Jaguar Land Rover Faces Extended Production Disruption from Cyberattack
Jaguar Land Rover (JLR) extended production pauses following a significant cyberattack affecting Collins Aerospace systems used for passenger check-in, boarding pass printing, and luggage dispatch. The ransomware incident reportedly caused difficulties in recovery operations, forcing airports to resort to manual check-in and boarding processes. The attack demonstrates the cascading impact of supply chain cybersecurity incidents affecting automotive and aerospace manufacturing operations. Impact: Medium – Supply chain cyberattack causing extended manufacturing disruption and demonstrating cascading impact on automotive and aerospace production operations. Action Steps: Review supply chain cybersecurity dependencies and implement enhanced vendor security assessment procedures. Establish business continuity plans specifically addressing supply chain technology provider compromise scenarios. Deploy enhanced monitoring for unusual activity in critical supply chain integration points and shared technology platforms. Implement backup operational procedures enabling continued production during supplier technology outages. Establish incident coordination protocols with key technology suppliers and manufacturing partners.7. Model Context Protocol Vulnerabilities Highlight AI Security Infrastructure Risks
Security researchers published a comprehensive ranking of Model Context Protocol weaknesses highlighting critical risks including prompt injection, command injection, and authorization bypass vulnerabilities. The analysis provides a roadmap for securing AI infrastructure foundations as organizations increasingly deploy AI agents and autonomous systems. The vulnerabilities demonstrate how fundamental AI communication protocols create new attack surfaces requiring specialized security controls. Impact: Medium – AI infrastructure protocol vulnerabilities requiring comprehensive security frameworks for autonomous agent deployments and AI system integrations. Action Steps: Implement comprehensive AI security frameworks addressing Model Context Protocol vulnerabilities and communication security. Deploy enhanced validation and sanitization for all AI agent inputs and cross-system communications. Review AI infrastructure configurations and implement strict authorization controls for agent-to-agent interactions. Establish security testing procedures specifically validating AI protocol implementations and communication security. Implement monitoring solutions detecting unusual AI agent behavior patterns and potential protocol exploitation attempts.8. Supermicro BMC Firmware Vulnerabilities Enable Authentication Bypass
Security researchers disclosed multiple vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware enabling authentication bypass and unauthorized remote access to server management interfaces. The flaws affect critical server infrastructure management capabilities and could allow attackers to bypass fundamental security controls protecting enterprise compute platforms. The vulnerabilities highlight ongoing challenges in securing out-of-band management systems. Impact: Medium – Server management infrastructure vulnerabilities enabling authentication bypass and unauthorized access to critical compute platform controls. Action Steps: Apply Supermicro BMC firmware updates immediately across all affected server management infrastructure. Implement network segmentation isolating BMC interfaces from general network access and restricting management plane connectivity. Deploy enhanced monitoring for unusual BMC authentication attempts and unauthorized management operations. Review server management access controls and implement multi-factor authentication requirements for all BMC access. Establish procedures for validating BMC firmware integrity and detecting unauthorized firmware modifications.9. Scattered Spider Teen Hackers Arrested for Critical Infrastructure Attacks
UK and US authorities arrested two teenage suspects linked to the Scattered Spider hacking group, charging them with computer intrusion, extortion, and identity theft related to critical infrastructure attacks. The arrests include charges connected to the August 2024 Transport for London cyberattack. The case demonstrates law enforcement’s increasing focus on sophisticated cybercrime groups targeting critical infrastructure and the involvement of young perpetrators in advanced persistent threat activities. Impact: Low – Law enforcement action against sophisticated threat actors demonstrating international cooperation in prosecuting critical infrastructure cyberattacks. Action Steps: Review threat intelligence on Scattered Spider tactics, techniques, and procedures and update defensive postures accordingly. Implement enhanced monitoring for social engineering attacks and help desk compromise techniques associated with this threat group. Deploy identity verification procedures strengthening authentication for privileged access and sensitive operations. Establish threat hunting procedures specifically targeting Scattered Spider indicators of compromise. Implement security awareness training addressing sophisticated social engineering techniques used by advanced threat actors.10. Multiple DDoS and Botnet Operations Disrupted by Law Enforcement
Authorities disrupted multiple botnet operations including a sophisticated DDoS infrastructure using over 300 servers and 100,000 SIM cards designed to mimic cellphones and overwhelm network infrastructure. Additional operations targeted Docker container botnets providing customers with infected network access for conducting distributed denial of service attacks. The disruptions demonstrate continued law enforcement focus on botnet infrastructure supporting cybercrime operations. Impact: Low – Law enforcement botnet disruptions reducing immediate DDoS threat capabilities while highlighting ongoing infrastructure-as-a-service cybercrime models. Action Steps: Implement DDoS mitigation capabilities including traffic scrubbing and rate limiting to protect against botnet-based attacks. Deploy enhanced monitoring for unusual network traffic patterns and potential participation in botnet operations. Review network infrastructure configurations and implement egress filtering preventing internal systems from participating in DDoS attacks. Establish incident response procedures specifically addressing DDoS scenarios and service availability threats. Implement network device security controls preventing compromise and recruitment into botnet operations.Key Takeaways for IT Leaders
This week’s developments highlight several critical trends:- Managed file transfer targeting intensifies with Fortra GoAnywhere’s third major vulnerability in three years, demonstrating persistent threat actor focus on secure file transfer systems handling sensitive enterprise data
- AI agent security emerges as a critical concern with Salesforce Agentforce vulnerability revealing fundamentally new attack surfaces in autonomous systems requiring specialized governance frameworks
- Patch bypass persistence continues with Intel firmware vulnerability chains demonstrating attackers’ ability to circumvent previous security fixes through recursive exploitation techniques
- Infrastructure convergence accelerates as attacks span traditional IT systems, operational technology platforms, and emerging AI infrastructures requiring comprehensive cross-domain security strategies
Stay informed on the latest cybersecurity developments by following ITBriefcase.net for daily updates and in-depth analysis.
