Keane Okelley

**Name of the Vulnerable Software and Affected Versions** Cisco Secure Firewall ASA Software and Secure FTD Software (affected versions not specified) **Description** A flaw exists in the Cisco FXOS Software CLI feature that may allow a local attacker with administrative access to execute arbitrary commands on the underlying operating system with root-level privileges. This is due to inadequate validation of user-provided command arguments. An attacker could exploit this by submitting specially crafted input for specific CLI commands. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Secure Firewall Management Center (FMC) (affected versions not specified) Cisco Security Cloud Control (SCC) Firewall Management (affected versions not specified) **Description** A flaw in the web-based management interface of Cisco Secure Firewall Management Center (FMC) and Cisco Security Cloud Control (SCC) Firewall Management allows an unauthenticated remote attacker to execute arbitrary Java code with root privileges. The issue is caused by insecure deserialization, which occurs when the software fails to properly validate a user-supplied Java byte stream. An attacker can exploit this by sending a specially crafted serialized Java object to the management interface. This issue was exploited as a zero-day by the Interlock ransomware group starting January 26, 2026, approximately 36 days before public disclosure. Following exploitation, attackers deployed ScreenConnect for persistent access and used PowerShell scripts to harvest software inventories, running services, browser credentials, and network connections before exfiltrating data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software (affected versions not specified) **Description** A flaw exists in the LUA interpreter of the Remote Access SSL VPN feature. This issue could allow a remote attacker with a valid VPN connection to trigger an unexpected device reload, leading to a denial of service (DoS) condition. The root cause is a lack of input validation within the LUA interpreter. An attacker can exploit this by sending specially crafted HTTP packets to the Remote Access SSL VPN server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Entr’ouvert Lasso versions 2.5.1 and 2.8.2 **Description** A denial of service issue exists in the `g assert not reached` functionality. A specially crafted SAML assertion response can cause a denial of service. An attacker can trigger this by sending a malformed SAML response. **Recommendations** Update to a newer version of Entr’ouvert Lasso that addresses this issue.

**Name of the Vulnerable Software and Affected Versions** Entr'ouvert Lasso version 2.5.1 **Description** A denial of service issue exists in the `lasso provider verify saml signature` functionality. A specially crafted SAML response can cause a denial of service. An attacker can trigger this by sending a malformed SAML response. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Entr'ouvert Lasso versions 2.5.1 and 2.8.2 **Description** A type confusion issue exists within the `lasso node impl init from xml` function. A specially crafted SAML response can trigger this issue, potentially leading to arbitrary code execution. An attacker can exploit this by sending a malformed SAML response. The vulnerability resides within the SAML implementation library and impacts Single Sign-On (SSO) infrastructure, potentially enabling lateral movement across federated environments. **Recommendations** Versions prior to 2.5.1 and versions after 2.8.2 should be considered for use. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Entr'ouvert Lasso version 2.5.1 **Description** A denial of service issue exists in the `lasso node init from message with format` functionality. A specially crafted SAML response can cause memory depletion, leading to a denial of service. An attacker can trigger this by sending a malformed SAML response. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Secure Firewall Adaptive Security Appliance (ASA) Software Cisco Secure Firewall Threat Defense (FTD) Software Cisco IOS Software Cisco IOS XE Software Cisco IOS XR Software **Description** A flaw exists in the web services of the listed Cisco products that could allow a remote attacker to execute arbitrary code on an affected device. For Cisco ASA and FTD Software, the attacker does not need to be authenticated. For Cisco IOS, IOS XE, and IOS XR Software, the attacker needs to be authenticated with low user privileges. This issue stems from improper validation of user-supplied input in HTTP requests. An attacker could exploit this by sending crafted HTTP requests to a targeted web service, potentially gaining root access and completely compromising the device. Reports indicate that this vulnerability (CVE-2025-20363) is actively being exploited in attacks by a threat actor known as ArcaneDoor, potentially linked to a Chinese hacking group, deploying malware such as RayInitiator and LINE VIPER. The vulnerability is a heap buffer overflow in the dynamic memory of the affected products. **Recommendations** Apply the security patch available in ASA 9.12 and 9.14. Update Cisco Secure Firewall Adaptive Security Appliance Software and Secure Firewall Threat Defense Software to a fixed version. Update Cisco IOS Software to a fixed version. Update Cisco IOS XE Software to a fixed version. Update Cisco IOS XR Software to a fixed version.

Name of the Vulnerable Software and Affected Versions: Cisco Secure Firewall ASA Software and Secure FTD Software (affected versions not specified) Description: A vulnerability exists in the management and VPN web servers that could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial-of-service (DoS) condition. This issue is due to improper validation of user-supplied input on an interface with VPN web services. An attacker could exploit this by sending crafted HTTP requests to a targeted web server on an affected device. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices (affected versions not specified) **Description** A vulnerability in the Cisco AnyConnect VPN server could allow an unauthenticated, remote attacker to cause a DoS condition for targeted users of the AnyConnect service on an affected device. This issue is due to insufficient entropy for handlers used during SSL VPN session establishment. An attacker could exploit this by brute forcing valid session handlers or, if authenticated, by connecting to the AnyConnect VPN service to retrieve and predict valid session handlers. The attacker would then send a crafted HTTPS request to the AnyConnect VPN server, potentially terminating targeted SSL VPN sessions and forcing users to reauthenticate. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices (affected versions not specified) **Description** A vulnerability in the Cisco AnyConnect VPN server could allow an unauthenticated, remote attacker to hijack an AnyConnect VPN session or cause a denial of service (DoS) condition for individual users of the AnyConnect VPN service on an affected device. This issue is due to weak entropy for handlers used during the VPN authentication process and a race condition in the same process. An attacker could exploit this by correctly guessing an authentication handler and sending crafted HTTPS requests to an affected device, potentially taking over the AnyConnect VPN session from a target user or preventing the target user from establishing a session. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices (affected versions not specified) **Description** The issue is due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit this by sending a crafted HTTPS request to the VPN server of an affected device, causing the Cisco AnyConnect VPN server to restart. This results in the failure of established SSL VPN connections, forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established. When the attack traffic stops, the Cisco AnyConnect VPN server recovers without requiring manual intervention. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices (affected versions not specified) **Description** A vulnerability in the Cisco AnyConnect VPN server could allow an unauthenticated, remote attacker to cause a DoS condition in the AnyConnect service on an affected device. This issue is due to insufficient resource management when establishing TLS/SSL sessions. An attacker could exploit this vulnerability by sending a series of crafted TLS/SSL messages to the VPN server of an affected device, causing the Cisco AnyConnect VPN server to stop accepting new connections and preventing new SSL VPN connections from being established. Existing SSL VPN sessions are not impacted. The server recovers gracefully without requiring manual intervention when the attack traffic stops. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco Meraki MX and Cisco Meraki Z Series Teleworker Gateway devices (affected versions not specified) **Description** The issue is due to insufficient validation of client-supplied parameters while establishing an SSL VPN session. An attacker could exploit this by sending a crafted HTTPS request to the VPN server of an affected device, causing the Cisco AnyConnect VPN server to restart. This results in the failure of established SSL VPN connections, forcing remote users to initiate a new VPN connection and reauthenticate. A sustained attack could prevent new SSL VPN connections from being established. The server recovers without manual intervention once the attack traffic stops. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SNIProxy versions 0.6.0-2 through the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba) **Description** A buffer overflow vulnerability exists in the handling of wildcard backend hosts of SNIProxy. A specially crafted HTTP or TLS packet can lead to arbitrary code execution. An attacker could send a malicious packet to trigger this vulnerability. **Recommendations** For SNIProxy versions 0.6.0-2, consider disabling the handling of wildcard backend hosts until a patch is available. For the master branch (commit: 822bb80df9b7b345cc9eba55df74a07b498819ba), restrict access to the vulnerable code path to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenStack versions prior to git master 05194e7618 **Description** A privilege escalation issue exists in the oslo.privsep functionality of OpenStack. This is due to overly permissive functionality within tools that leverage this library within a container, which can lead to increased privileges. The issue is related to insecure privilege management. **Recommendations** For versions prior to git master 05194e7618, consider restricting access to the oslo.privsep functionality to minimize the risk of exploitation until a patch is available. As a temporary workaround, review and adjust the permissions and access controls within containers that utilize the oslo.privsep library to prevent unauthorized privilege escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenStack Kolla git master 05194e7618 **Description** A privilege escalation issue exists in the sudo functionality. A misconfiguration in `/etc/sudoers` within a container can lead to increased privileges. **Recommendations** For OpenStack Kolla git master 05194e7618, ensure proper configuration of `/etc/sudoers` within containers to prevent privilege escalation. As a temporary workaround, consider restricting access to the sudo functionality until a proper configuration can be implemented.