
In this episode of 'Cybersecurity Today,' host Jim Love discusses urgent cybersecurity threats and concerns. Cisco has issued emergency patches for two maximum severity vulnerabilities in its Identity Services Engine (ISE) that could allow complete...
Jim Love
Cisco issues emergency patches for maximum severity flaws that allow complete network takeover. A popular WordPress theme leads to a mass attack. A new ransomware group, Dire Wolf, is vicious and targeted, and a new Accenture report suggests that companies are far too confident about their ability to safeguard AI. This is Cybersecurity Today. I'm your host, Jim Love.

Cisco has released critical patches for two maximum severity vulnerabilities in its Identity Services Engine that could allow unauthenticated attackers to completely compromise enterprise networks without any user interaction. The flaws, tracked as CVE-2025-20281 and CVE-2025-20282, both carry the maximum CVSS severity score of 10.0. They affect Cisco's Identity Services Engine (ISE) and Passive Identity Connector, core network security tools used by large enterprises, government organizations, and universities to control network access and enforce security policies. CVE-2025-20281 stems from insufficient validation of user-supplied input in a specific exposed API, allowing attackers to send crafted API requests that execute arbitrary operating system commands as the root user. The vulnerability affects ISE versions 3.3 and 3.4. The second flaw, CVE-2025-20282, involves poor file validation in an internal API, allowing files to be written to privileged directories. Attackers can upload arbitrary files to target systems and execute them with root privileges. This vulnerability affects only version 3.4. Both vulnerabilities require no authentication and no user interaction, making them exceptionally dangerous for the network infrastructure components they target. The two flaws could enable complete compromise and full remote takeover of the target device. Cisco reported it's not aware of any cases of active exploitation for the two flaws, but emphasized that installing updates should be prioritized immediately.
The company provided no workarounds, making patching the only defense. Organizations should upgrade to ISE 3.3 Patch 6 or 3.4 Patch 2 immediately. The vulnerabilities were discovered by security researchers Bobby Gould of Trend Micro's Zero Day Initiative and Kentaro Kawane of GMO Cybersecurity. These flaws add to growing concerns about Cisco ISE security following multiple critical vulnerabilities patched throughout 2025, including cloud deployment, credential sharing issues, and authentication bypass flaws. For organizations using ISE as their network access control backbone, these vulnerabilities represent an existential threat requiring immediate action.

A critical vulnerability in one of WordPress's most popular premium themes has triggered a mass exploitation campaign, with attackers successfully hijacking administrator accounts across thousands of automotive websites. The Motors theme, developed by StylemixThemes, with nearly 22,500 sales, contains a privilege escalation flaw tracked as CVE-2025-4322 that allows unauthenticated attackers to reset any user's password, including administrators. Wordfence explained: "This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account." The vulnerability was discovered on May 2 and patched in version 5.6.68 on May 14, but many site owners had failed to update by June 7, when researchers observed the start of widespread attacks, with Wordfence blocking over 23,000 exploitation attempts since mass attacks began. The attacks follow a predictable pattern. Hackers reset administrator passwords, log into WordPress dashboards, and create new admin accounts for persistence, and then site owners may find themselves locked out of their own websites when their passwords no longer work.
One obvious sign of infection is if a site administrator is unable to log in with the correct password, as it may have been changed as a result of this vulnerability, researchers have warned. The campaign highlights a fundamental WordPress security challenge. Themes are central to website functionality and cannot be easily disabled during attacks. Unlike plugins, which can be temporarily deactivated, compromised themes require immediate patching to stop ongoing attacks. Wordfence has identified multiple IP addresses launching thousands of attack attempts, with attackers targeting common URL paths like reset-password, account and sign-in across vulnerable installations. The timing of the attacks, beginning just days after public disclosure, demonstrates how quickly cybercriminals capitalize on disclosed vulnerabilities. Despite the patch being available for weeks, the mass exploitation suggests many WordPress site owners remain unaware of the critical update. Site owners using Motors theme versions up to 5.6.67 should immediately update to version 5.6.68 and check for unauthorized admin accounts that attackers may have created for persistent access.

A newly discovered ransomware group called Dire Wolf has rapidly claimed 16 victims across 11 countries in just one month, targeting manufacturing and technology sectors with sophisticated double extortion tactics and custom-built attacks. Trustwave SpiderLabs researchers revealed that Dire Wolf emerged in May 2025 and has already established a menacing presence, with the highest attack concentrations hitting the United States, Thailand and Taiwan. The group operates with a calculated one-month timeline for ransomware payments before releasing stolen data, Trustwave's Nathaniel Morales explained: "We observed that the threat actors initially publish sample data and a list of exfiltrated files, then give the victims one month to pay before releasing all the stolen data."
One victim so far has faced a ransom demand of approximately $500,000. Five of the 16 victims listed on Dire Wolf's leak site already have data scheduled for release by the end of June, presumably because they've refused to pay. The group's ransomware demonstrates sophisticated technical capabilities. Written in Golang for cross-platform portability and antivirus evasion, Dire Wolf first checks to see if systems are already encrypted before proceeding with the attack, and once activated, the malware systematically disables Windows event logging and terminates processes that could hinder its execution. It then destroys system recovery options through Windows commands before encrypting files using the Curve25519 and ChaCha20 algorithms, appending direwolf extensions. What sets Dire Wolf apart is its highly personalized approach. Each ransom note contains a hardcoded room ID with login access unique to the targeted organization, along with credentials for direct negotiation through live chat rooms. The group also provides Gofile.io links as proof of data exfiltration. This strongly suggests that Dire Wolf conducts targeted attacks utilizing tailored encryptors and personalized negotiation channels specific to their victims. Despite recent disruptions to major groups like LockBit and Ghost, Dire Wolf's rapid success demonstrates that no matter how fast you get rid of groups, there are always new threat actors waiting in the wings to take their place.

A stark disconnect between executive confidence and actual cybersecurity preparedness has emerged in a new research report revealing that nine out of 10 major companies lack the security standards needed to defend against the AI-driven threats they're about to face, yet many are far too confident that they can meet those threats. Accenture surveyed 2,286 security and technology executives at companies with more than $1 billion in annual revenue, and then analyzed the companies' actual security practices.
The results expose a dangerous gap between perception and reality in corporate AI security. Only 36% of executives admitted that AI is outpacing their security capabilities. These numbers suggest some degree of confidence by most leaders in their handling of AI security. But Accenture's independent analysis tells a different story. The firm estimates that 90% of those same companies actually lack the security standards they need to defend against present-day AI-driven threats. The results of this study should be disappointing for anyone who's trying to have a reasoned discussion in their company about the crisis in AI security. AI-powered attacks are accelerating rapidly, and listeners to this program will have heard numerous credible reports of weaknesses inherent in current AI models. The findings suggest that while executives are focusing on deploying AI for business advantage, which is a good thing, they're underestimating the sophisticated security infrastructure required to protect against AI-enhanced attacks. This gap between confidence and capability could leave organizations vulnerable to threats they don't realize they can't handle. For companies rushing to implement AI solutions, the message is clear: perception isn't protection, and most organizations need to dramatically upgrade their security standards to match the AI-driven threat landscape. There's a link to the Accenture study in the show notes on our site at technewsday.ca or .com, and coincidentally this weekend we have a guest from Accenture Canada, the head of their data and AI practice. While the subject isn't cybersecurity, it's an interesting background, because if this report is right on what I'll call the false confidence of executives, we're going to need to have some frank and knowledgeable discussions. And the more we know, the better off we are. David Shipley will be back on Monday.
We'll be taking the holiday this week, and I'll be traveling, so we won't have a show on Wednesday for sure, and possibly not on Friday either. We'll be back the week after that. Enjoy your holidays. I'm your host, Jim Love. Thanks for listening.
Cybersecurity Today: Episode Summary
Title: Max Severity Flaws, Massive Exploits, and AI Security: A Cybersecurity Briefing
Host: Jim Love
Release Date: June 27, 2025
In this comprehensive episode of Cybersecurity Today, host Jim Love delves into some of the most pressing cybersecurity issues of mid-2025. The discussion spans critical vulnerabilities in major software platforms, the emergence of a new ransomware threat actor, and alarming insights from a recent Accenture report on AI security preparedness. Below is a detailed summary of the episode, structured into clear sections for ease of understanding.
Jim Love opens the episode by addressing urgent security patches released by Cisco. The company issued updates for two maximum-severity (CVSS 10.0) vulnerabilities in its Identity Services Engine (ISE) and Passive Identity Connector.
Vulnerabilities Overview:
The first flaw stems from insufficient validation of user-supplied input in an exposed API, letting an unauthenticated attacker send crafted requests that execute arbitrary operating system commands as root; it affects ISE 3.3 and 3.4. The second involves poor file validation in an internal API, letting an attacker write files into privileged directories and execute them as root; it affects ISE 3.4 only.
Severity and Impact:
Both flaws need no authentication and no user interaction and could enable complete compromise and full remote takeover of the device. Cisco reports no known active exploitation so far.
Jim emphasizes the urgency:
“Installing updates should be prioritized immediately” (00:00).
Discovery and Response:
The flaws were reported by Bobby Gould of Trend Micro's Zero Day Initiative and Kentaro Kawane of GMO Cybersecurity. Cisco provided no workarounds; the fix is to upgrade to ISE 3.3 Patch 6 or 3.4 Patch 2.
Broader Concerns:
These add to a run of critical ISE vulnerabilities patched during 2025, including cloud deployment, credential sharing and authentication bypass issues. For organizations that rely on ISE as their network access control backbone, the flaws demand immediate action.
The episode shifts focus to a mass exploitation campaign against WordPress, specifically targeting one of its most popular premium themes, the Motors theme by StylemixThemes (CVE-2025-4322), which lets unauthenticated attackers reset any user's password because the theme does not validate a user's identity before updating it.
Jim outlines the exploitation timeline:
“The vulnerability was discovered on May 2 and patched in version 5.6.68 on May 14, but many site owners have failed to update by June 7” (00:10).
Attack Pattern:
Attackers reset administrator passwords through the unvalidated reset path, log into the WordPress dashboard, and create new admin accounts for persistence, leaving the legitimate owner locked out. Wordfence observed multiple IP addresses hitting paths such as reset-password, account and sign-in.
Impact and Scale:
The theme has nearly 22,500 sales, largely on automotive sites, and Wordfence has blocked over 23,000 exploitation attempts since mass attacks began. Because a theme cannot simply be deactivated the way a plugin can, the only remedy is updating to version 5.6.68 and auditing administrator accounts for unauthorized additions.
Jim warns:
“One obvious sign of infection is if a site administrator is unable to log in with the correct password” (00:10).
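The flaw class behind this campaign, a password-reset handler that takes the target login from an unauthenticated request and never checks that the caller proved ownership of that account, is easier to see in a small model than in prose. The block below is an added example, not the Motors theme's code or Wordfence's; it is written in Python as a language-neutral model rather than the theme's PHP, and every name in it (USERS, reset_vulnerable, request_reset, reset_fixed, new_admins_since) is illustrative. It pairs the vulnerable handler with a token-bound fix and adds the post-incident check the transcript recommends: listing administrator accounts registered after the attacks began.

```python
"""Model of an unauthenticated password-reset flaw beside its hardened form.
Added example; not the Motors theme's code. All names are illustrative and the
user table is constructed for the demo."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Optional, Tuple


def _hash(pw: str) -> str:
    # Plain SHA-256 keeps the demo dependency-free; a real site uses a slow KDF.
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed sample user table: login -> record.
USERS: Dict[str, Dict[str, str]] = {
    "admin":  {"role": "administrator", "pw_hash": _hash("correct horse"),
               "registered": "2024-01-10"},
    "editor": {"role": "editor", "pw_hash": _hash("battery staple"),
               "registered": "2024-03-02"},
}

# Outstanding reset tokens: login -> (sha256(token), expiry epoch seconds)
RESET_TOKENS: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL = 15 * 60


def reset_vulnerable(request: Dict[str, str]) -> bool:
    """Vulnerable pattern: target login and new password come straight from an
    unauthenticated request, with no proof the caller owns the account.
    Anyone who can reach this endpoint can take over 'admin'."""
    login = request["user_login"]
    if login not in USERS:
        return False
    USERS[login]["pw_hash"] = _hash(request["new_password"])
    return True


def request_reset(login: str) -> Optional[str]:
    """Hardened flow, step 1: mint a random, single-use, expiring token and store
    only its hash. The plaintext token would be e-mailed to the account owner."""
    if login not in USERS:
        return None  # same response shape for unknown logins; no enumeration
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[login] = (hashlib.sha256(token.encode()).hexdigest(),
                           time.time() + TOKEN_TTL)
    return token


def reset_fixed(request: Dict[str, str]) -> bool:
    """Hardened flow, step 2: accept the new password only with a valid, unexpired
    token issued for that exact login. Constant-time compare; token is single use."""
    login = request.get("user_login", "")
    token = request.get("token", "")
    entry = RESET_TOKENS.get(login)
    if login not in USERS or entry is None:
        return False
    token_hash, expiry = entry
    if time.time() > expiry:
        RESET_TOKENS.pop(login, None)
        return False
    if not hmac.compare_digest(token_hash, hashlib.sha256(token.encode()).hexdigest()):
        return False
    RESET_TOKENS.pop(login, None)  # burn the token on first successful use
    USERS[login]["pw_hash"] = _hash(request["new_password"])
    return True


def login_ok(login: str, password: str) -> bool:
    rec = USERS.get(login)
    return rec is not None and hmac.compare_digest(rec["pw_hash"], _hash(password))


def new_admins_since(iso_date: str) -> List[str]:
    """Post-incident check: administrator accounts registered on or after a date
    (for example, the day mass exploitation started). Unexpected entries are the
    persistence accounts the transcript warns about."""
    return sorted(login for login, rec in USERS.items()
                  if rec["role"] == "administrator" and rec["registered"] >= iso_date)
```

The difference between the two handlers is the one the Wordfence description points at: the fixed version binds the password change to a secret the account owner received out of band, so knowing a login name is no longer enough. The audit helper is deliberately date-based; an attacker who already holds admin can also rename or backdate accounts, so treat its output as a starting point, not a clean bill of health.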
A new ransomware threat actor, Dire Wolf, is making waves in the cybersecurity landscape with a rapid series of attacks.
Group Overview:
Dire Wolf emerged in May 2025 and has claimed 16 victims across 11 countries within a month, concentrated in the United States, Thailand and Taiwan and focused on manufacturing and technology.
Operational Tactics:
Double extortion with a one-month payment deadline: sample data and a file list are published first, and the full data set follows if the victim does not pay. One known demand was roughly $500,000.
Trustwave Spider Labs' Nathaniel Morales provides insight:
“We observed that the threat actors initially publish sample data and a list of exfiltrated files, then give the victims one month to pay before releasing all the stolen data” (00:20).
Distinctive Features:
A Golang encryptor that checks whether a system is already encrypted, disables Windows event logging, terminates interfering processes, destroys recovery options with Windows commands, then encrypts with Curve25519 and ChaCha20 and appends a direwolf extension. Each ransom note carries a hardcoded, per-victim chat room ID and credentials, with Gofile.io links as proof of exfiltration.
Current Status:
Five of the 16 listed victims have data scheduled for release by the end of June, presumably because they refused to pay.
Jim reflects on the implications:
“No matter how fast you get rid of groups, there are always new threat actors waiting in the wings to take their place” (00:20).
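The pre-encryption sequence described above (event logging disabled, recovery options destroyed, then files renamed) is the part of a Dire Wolf intrusion a defender can still act on, because it precedes the encryption itself. The block below is an added detection sketch over constructed Sysmon-style events; it is not Trustwave's rule set and not anyone's production detection. The page names the behaviours but not the exact commands, so the command lines matched here (wevtutil clears, vssadmin and wmic shadow-copy deletion, bcdedit recovery changes, wbadmin catalog deletion) are assumed, commonly documented ransomware tradecraft, and the file-extension check simply uses the direwolf suffix the transcript reports.

```python
"""Cluster-based triage for ransomware pre-encryption behaviour.
Added example; sample events are constructed and the matched command lines are
assumed indicators, not taken from a Dire Wolf sample."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed Sysmon-style events: process creations and one file rename.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2025-06-10T02:14:03", "kind": "process",
     "cmdline": "wevtutil.exe cl Security"},
    {"host": "WS01", "ts": "2025-06-10T02:14:04", "kind": "process",
     "cmdline": "wevtutil.exe cl System"},
    {"host": "WS01", "ts": "2025-06-10T02:14:09", "kind": "process",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "ts": "2025-06-10T02:14:10", "kind": "process",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "WS01", "ts": "2025-06-10T02:14:11", "kind": "process",
     "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"host": "WS01", "ts": "2025-06-10T02:15:30", "kind": "file_rename",
     "target": "C:\\Finance\\Q2.xlsx.direwolf"},
    # Routine admin work on another host: one shadow-copy command alone is not enough.
    {"host": "SRV07", "ts": "2025-06-10T09:00:00", "kind": "process",
     "cmdline": "vssadmin.exe delete shadows /for=D: /oldest"},
    {"host": "SRV07", "ts": "2025-06-10T09:05:00", "kind": "process",
     "cmdline": "notepad.exe C:\\temp\\notes.txt"},
]

# Assumed indicators for the behaviours the transcript describes.
RULES = {
    "event_log_tampering": re.compile(
        r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "backup_catalog_deletion": re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
}
RANSOM_EXT = re.compile(r"\.direwolf$", re.I)
WINDOW = timedelta(minutes=10)   # how tightly the steps must cluster
MIN_CATEGORIES = 3               # distinct behaviours needed to flag a host


def classify(event: Dict) -> List[str]:
    """Return the rule names an event matches (empty list if none)."""
    hits = []
    if event["kind"] == "process":
        for name, rx in RULES.items():
            if rx.search(event["cmdline"]):
                hits.append(name)
    elif event["kind"] == "file_rename" and RANSOM_EXT.search(event["target"]):
        hits.append("ransom_extension_observed")
    return hits


def triage(events: List[Dict]) -> Dict[str, Set[str]]:
    """Per host, flag when MIN_CATEGORIES distinct behaviours occur within WINDOW
    of each other, or when the ransom extension itself is seen. Returns the full
    set of categories observed on each flagged host."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        for cat in classify(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cat))
    flagged: Dict[str, Set[str]] = {}
    for host, hits in per_host.items():
        cats = {c for _, c in hits}
        if "ransom_extension_observed" in cats:
            flagged[host] = cats
            continue
        for i, (t0, _) in enumerate(hits):
            window_cats = {c for t, c in hits[i:] if t - t0 <= WINDOW}
            if len(window_cats) >= MIN_CATEGORIES:
                flagged[host] = cats
                break
    return flagged


if __name__ == "__main__":
    for host, cats in triage(SAMPLE_EVENTS).items():
        print(host, sorted(cats))
```

Requiring several distinct behaviours inside a short window is what keeps the lone `vssadmin delete shadows` on SRV07 from paging anyone, while WS01 is flagged on the command cluster alone, before the first renamed file appears. Anything that reacts at that point (host isolation, killing the process tree) buys the minutes that matter; once the direwolf extension shows up the encryptor is already running.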
Concluding the episode, Jim discusses a revealing report from Accenture that highlights a significant gap between executive confidence and actual cybersecurity preparedness in the realm of AI.
Jim emphasizes the severity:
“This gap between confidence and capability could leave organizations vulnerable to threats they don't realize they can't handle” (00:30).
Implications:
Only 36% of the 2,286 executives surveyed (at companies with more than $1 billion in annual revenue) admit that AI is outpacing their security capabilities, while Accenture's independent analysis finds that 90% of those companies lack the security standards needed against present-day AI-driven threats.
Call to Action:
Organizations rushing to deploy AI need to measure their defenses against AI-enhanced attacks rather than rely on self-assessed confidence, and most will have to upgrade their security standards substantially.
Jim concludes with a notable remark:
“Perception isn't protection, and most organizations need to dramatically upgrade their security standards to match the AI driven threat landscape” (00:30).
Jim wraps up the episode by announcing a short break for this week's holiday and travel, so that listeners know there will be no Wednesday show and possibly no Friday show before the programme returns the following week.
Conclusion
This episode of Cybersecurity Today provides a critical update on severe vulnerabilities affecting major platforms like Cisco and WordPress, the rise of a sophisticated ransomware group, and a concerning report on corporate AI security readiness. Host Jim Love effectively underscores the urgency for organizations to promptly address these vulnerabilities, remain vigilant against emerging threats, and reassess their confidence versus actual security capabilities in the face of advancing AI technologies. Listeners are encouraged to stay informed, update their systems, and engage in proactive security measures to safeguard their digital infrastructures.