Content 

01. News Bites
  • Hackers exploit Citrix NetScaler flaws to breach Dutch critical infrastructure
  • Fortinet warns of critical FortiSIEM flaw with in-the-wild exploit code
  • Microsoft patches 107 flaws, including Windows Kerberos zero-day, in August 2025 updates
  • ShinyHunters leak 2.8m Allianz Life records in Salesforce breach
  • Nigeria sees world’s fastest cyberattack growth as Africa tops global target list
  • Norway says Russian hackers briefly took control of dam


02. Conclusion

Quick News Bites

Hackers exploit Citrix NetScaler flaws to breach Dutch critical infrastructure

Hackers have breached several critical infrastructure organisations in the Netherlands by exploiting a memory-overflow flaw in Citrix’s NetScaler ADC and Gateway (CVE-2025-6543), rated critical. The Dutch National Cyber Security Centre said attackers infiltrated networks in early May, weeks before Citrix disclosed the vulnerability on 25 June. Using sophisticated methods, the intruders erased evidence to hide their activities. A similar critical flaw (CVE-2025-5777) was also disclosed in June.

Researchers report that more than 4,100 internet-exposed NetScaler instances remain vulnerable to CVE-2025-6543 and over 3,300 to CVE-2025-5777 worldwide, with exploitation attempts detected for both.

CISA has added both flaws to its Known Exploited Vulnerabilities catalogue and is urging immediate patching, warning of risks similar to the 2023 “CitrixBleed” wave of attacks. Citrix has faced multiple zero-day disclosures in recent years, raising concerns about the potential scale of these intrusions.

Fortinet warns of critical FortiSIEM flaw with in-the-wild exploit code

Fortinet is urging immediate patching to address a critical remote unauthenticated command injection flaw in FortiSIEM, tracked as CVE-2025-25256 (CVSS 9.8). The vulnerability affects versions 5.4 through 7.3 and could allow attackers to execute arbitrary code via crafted CLI requests. While Fortinet has not confirmed zero-day exploitation, the company warns that functional exploit code is circulating in the wild.

FortiSIEM is widely used by governments, large enterprises, financial institutions, healthcare providers, and MSSPs, making the flaw particularly high-risk. Compromise detection is difficult, as exploitation leaves no distinctive indicators of compromise.

Patches are available in FortiSIEM 7.3.2, 7.2.6, 7.1.8, 7.0.4, and 6.7.10, though versions 5.4–6.6 will not receive fixes as they are no longer supported.

The disclosure follows recent malicious activity spikes reported by researchers, heightening concerns over potential exploitation.

Microsoft patches 107 flaws, including Windows Kerberos zero-day, in August 2025 updates

Microsoft’s August 2025 Patch Tuesday delivers fixes for 107 security flaws, including a publicly disclosed zero-day in Windows Kerberos (CVE-2025-53779). The vulnerability, rated moderate, could allow an authenticated attacker to gain domain administrator privileges through relative path traversal. Discovered by Akamai’s Yuval Gordon, it was publicly detailed in May.

This month’s release addresses 44 elevation of privilege flaws, 35 remote code execution bugs, 18 information disclosure issues, four denial-of-service vulnerabilities, and nine spoofing flaws. Thirteen are rated critical, nine of which enable remote code execution.

Other notable fixes include critical patches for Windows NTLM, GDI+, DirectX, Microsoft Office, and Windows Message Queuing. Microsoft urges prompt updates, particularly for enterprise and domain controllers, to reduce exposure to potential exploitation.

The update follows a month of significant security activity across vendors, including urgent patches from Adobe, Cisco, Fortinet, Google, and Trend Micro for actively exploited vulnerabilities.

ShinyHunters leak 2.8m Allianz Life records in Salesforce breach

Hackers have leaked 2.8 million customer and partner records stolen from US insurance giant Allianz Life in a July Salesforce data breach. The attack, part of a broader campaign targeting Salesforce systems, has been claimed by ShinyHunters, who now say they operate alongside Scattered Spider and former Lapsus$ members.

The leaked “Accounts” and “Contacts” database tables include sensitive personal and professional details such as names, addresses, phone numbers, dates of birth, Tax Identification Numbers, firm affiliations, and licensing information.

The breach was achieved through social engineering, tricking employees into linking a malicious OAuth app to company Salesforce instances. Once connected, attackers exfiltrated the data and issued extortion demands.

ShinyHunters, previously linked to major breaches at AT&T and Snowflake, are using a new Telegram channel to taunt security researchers and law enforcement while taking credit for multiple high-profile attacks. Allianz Life’s investigation remains ongoing.

Nigeria sees world’s fastest cyberattack growth as Africa tops global target list

Nigeria has recorded the world’s fastest surge in cyberattacks, with new data showing Africa as the most targeted region globally. Check Point’s July 2025 Global Threat Intelligence Report reveals Nigerian organisations endured an average of 6,101 weekly attacks — a 67% year-on-year increase — making it the most attacked country in Africa and among the most vulnerable worldwide.

Across the continent, organisations faced 3,374 weekly attacks on average, with Angola (3,731), Kenya (3,468), and South Africa (2,113) also heavily targeted. Telecommunications, Government, and Financial Services were the top sectors attacked, followed by Energy and Utilities.

Globally, organisations averaged 1,947 weekly attacks in July, up 5% from last year. Education was hardest hit, with 4,210 weekly attacks, while Agriculture saw a 115% spike.

Ransomware cases climbed 41% to 487 incidents, driven largely by Qilin, Akira, and Play.

Norway says Russian hackers briefly took control of dam

Norway has officially attributed a cyberattack on the Bremanger hydropower dam in April to Russian hackers, marking the first time the country has directly blamed Moscow for such an incident. On 7 April, attackers gained control of the facility, opening a floodgate that released 500 litres of water per second for four hours before the intrusion was detected and stopped. No injuries were reported.

Beate Gangaas, head of Norway’s PST security police agency, said the attack was part of a “change in activity” from pro-Russian cyber actors, aimed at causing fear and chaos. She warned that Norway’s “Russian neighbour has become more dangerous.”

The incident underscores growing risks to Norway’s energy infrastructure, which relies heavily on hydropower. It follows broader warnings of Russian sabotage campaigns in Europe. Gangaas said she went public to prepare Norwegians and deter further attacks. The Russian embassy in Oslo has not commented.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.