
In this episode of Cybersecurity Today, host David Shipley covers critical security updates and vulnerabilities affecting Microsoft Exchange, Citrix NetScaler, and Fortinet SSL VPNs. With over 29,000 unpatched Exchange servers posing a risk for admin...
David Shipley
Over 29,000 Exchange servers remain unpatched. Citrix Bleed 2 exploited to breach organizations in the Netherlands, with 3,000 unpatched appliances still observed globally on the web. Fortinet SSL VPNs hit by a global brute force wave. And observations from DEFCON 33. This is Cybersecurity Today, and I'm your host, David Shipley, coming to you from back home in unusually humid Fredericton, New Brunswick.

Over 29,000 Microsoft Exchange servers remain unpatched against a high severity vulnerability tracked as CVE-2025-53786, which was first disclosed on August 7th. The flaw affects Exchange Server 2016, Exchange Server 2019 and the Subscription Edition in hybrid configurations. If exploited, attackers with admin access to an on-premises Exchange could escalate privileges in connected Microsoft cloud environments by forging trusted tokens or API calls, potentially leading to full domain compromise while leaving minimal traces. Microsoft fixed this vulnerability in April 2025, issuing a hotfix and urging organizations to adopt a new hybrid architecture that replaces insecure shared identity mechanisms. According to Shadow Server scans on August 10, 7,200 unpatched servers were found in the US, 6,700 in Germany and 2,500 in Russia. While Microsoft has not confirmed active exploitation, the flaw was rated "exploitation most likely" the day after the disclosure. On August 7, CISA issued Emergency Directive 25-02, requiring all federal civilian executive branch agencies to mitigate the threat by Monday morning, August 11th, at 9 a.m. Steps to mitigate include inventorying Exchange environments, disconnecting unsupported public-facing servers, and applying the April 2025 cumulative updates, CU14 or CU15 for Exchange 2019 and CU23 for Exchange 2016, along with Microsoft's hotfix. CISA warned that failure to patch could result in complete hybrid and on-premises domain compromise. Though the directive applies only to federal agencies, CISA is urging all organizations to take the same actions.
And if you're listening: if they made folks in government get this done over the weekend, you can bet this was urgent. Speaking of vulnerabilities the government gave extremely short notice to patch, and that should be dealt with, but thousands still remain vulnerable: the exploitation of Citrix Bleed 2 continues to ramp up, with the Netherlands now alerting this week to incidents at critical agencies and infrastructure. More than 3,300 Citrix NetScaler devices remain unpatched against CVE-2025-5777, a critical vulnerability dubbed Citrix Bleed 2, nearly two months after fixes were released. The flaw allows unauthenticated attackers to read out-of-bounds memory on vulnerable appliances configured as a gateway or AAA virtual server, enabling the theft of session tokens, credentials and other sensitive data. Successful exploitation can let attackers hijack sessions and bypass multi-factor authentication. Proof of concept exploits began appearing less than two weeks after the disclosure. Shadow Server reports that as of Monday, 3,312 appliances remain exposed, with exploitation observed in the wild before the public release of the PoC. Shadow Server also detected 4,142 devices unpatched against another critical flaw, CVE-2025-6543. Citrix says this memory overflow vulnerability can lead to denial of service, but the Netherlands' National Cyber Security Centre warns it has been used as a zero day since at least May to breach multiple critical organizations, with traces removed to hide compromise. The Openbaar Ministerie, the Dutch public prosecution service, confirmed a breach linked to CVE-2025-6543 on July 18, resulting in significant operational disruption and temporary loss of email services. CISA has added both of the vulnerabilities to its Known Exploited Vulnerabilities catalog, ordering U.S. federal agencies to patch CVE-2025-5777 within a day and to address CVE-2025-6543 by July 21.
Security researchers are urging all organizations to immediately apply Citrix updates, citing active exploitation and the potential for credential theft, network compromise and disruption of critical services. Not patching Internet-accessible Citrix appliances that are vulnerable to these exploits is beyond reckless at this point. And while the cyberstorm for Exchange and Citrix ramps up, there's a strong possibility of more Fortinet headaches in the forecast. Cybersecurity researchers are warning of a significant spike in brute force traffic aimed at Fortinet SSL VPN devices. Threat intelligence firm GreyNoise reported Tuesday that coordinated activity was first observed on August 3, 2025, involving over 780 unique IP addresses. In the past 24 hours, 56 malicious IPs have been detected, originating from the United States, Canada, Russia and the Netherlands. Targets include the United States, Hong Kong, Brazil, Spain and Japan. GreyNoise says the traffic was deliberate and precise, specifically targeting FortiOS profiles, and not opportunistic. Analysts believe this indicates a shift in attacker behavior, potentially involving the same infrastructure pivoting to a new Fortinet-facing service. Historical data revealed an earlier spike in June tied to a unique client signature linked to a FortiGate device in a residential ISP block managed by Pilot Fiber Inc. Two assault waves were identified: one long-running and steady, and another starting after August 5th, a sudden, concentrated burst with a different TCP signature. While the August 3 traffic targeted FortiOS, activity after August 5 shifted towards FortiManager, raising the possibility the tooling was tested or launched from a home network or via a residential proxy, something we've been observing more and more this year on the show.
Researchers warn that spikes in malicious activity like this are often followed within six weeks by the disclosure of a new CVE affecting the same technology, particularly enterprise edge systems such as VPNs, firewalls and remote access tools that are frequent targets of advanced threat actors. The warning here is clear: heightened targeting may signal a new Fortinet vulnerability is coming. Get ready now.

Some thoughts on DEFCON 33. As I mentioned on the show on Monday, the sheer size of this 25,000 to 30,000 person security conference can be a lot to process. I was in awe watching hundreds of people compete in sector-specific capture the flag competitions for automobiles. Picture dozens of folks working on laptops on folded tables with network lines running from there into a real Rivian SUV and cargo van, or folks trying to do the same to a real full-size boat that was part of the conference. Or, in the case of aircraft, they had simulated aircraft with Lego models where you could actually see the little engines spinning and people trying to take over the planes. I had wanted to attend some of the dedicated villages and did see some fantastic deepfake work at the AI Village, but never did make it through the multi-hour waiting lines for the Social Engineering Village, which was a bit of a disappointment. The major talks were all quite impressive, but a few notable highlights. Watching ex-NSA chief Paul Nakasone do jello shots with DEFCON founder Jeff Moss, AKA the Dark Tangent, was a bit surreal, but definitely part of the hacker vibe that's still being kept alive at DEFCON despite its now Godzilla-like size. Nakasone did have some sobering messages, particularly for his former colleagues, that they need to re-engage with the hacker and security community. He warned that the age and culture gap continues to grow between the tech world and Washington D.C.
The Trump administration has created significant uncertainty and, in many cases, growing hostility within the hacker community with its approach to domestic and foreign policy. Eaton Zveare, who works as a security researcher at software delivery company Harness, told attendees at the conference that the flaw he discovered allowed the creation of an admin account that granted unfettered access to the unnamed carmaker's centralized web portal. With this access, a malicious hacker could have viewed the personal and financial data of the carmaker's customers, tracked vehicles, and enrolled customers in features that allow owners, or the hackers, to control some of their car's functions from anywhere, including things like locking and unlocking the car. Special props to teen hackers Reynaldo Vasquez-Garcia and Nyx, who showed how they discovered some interesting and potentially disturbing spy features in a popular smoke and vape detecting IoT device. The device, made by a Motorola subsidiary, is called the Halo 3C, which they have since dubbed the Snitch Puck. The device, they learned, goes beyond detecting smoking and vaping, including a distinct feature for discerning THC vaping. In particular, it also has a microphone for listening out for aggression, gunshots and keywords such as someone calling for help. These devices are commonly deployed in schools. During their DEFCON talk, they showed how they reverse engineered the device and learned how to take full control of it in order to turn it into a real-time audio eavesdropping bug. They disabled the detection capabilities, created fake alerts for vaping or gunshots, and even played whatever sound or audio they chose out of the device's speakers. The humor possibilities of this are endless. These kids are all right.
A session that stood out to me was from a criminal hacker who goes by the alias Godman666, who, it seemed, was trying to reform his ways and make amends. Godman was recognized by Wired magazine in 2022 as one of, quote, the most dangerous people on the Internet, end quote, and his talk covered how he operated in the darknet's criminal underbelly for over a decade. He started with carding, which is the practice of trading in stolen credit card information, before moving to spam operations and riding through the drug distribution network the Silk Road, as well as Tor carding forums. He is alleged to have built phishing empires, sold hacking tools and run infrastructure for major darknet markets, including, he says, engineering one of the darknet's largest ever phishing operations. What stood out for me in his talk, besides the times he seemed less than remorseful, particularly for when he extorted other criminals when he learned their identities, blaming them for their poor operational security, was how he was recruited into a life of crime and drugs at such a vulnerable age, at 16, and how now, as a grown adult, he's never held a legitimate job in his life. I can't help but think of how groups like the Com, which are growing in size and scope and ensnaring younger teenagers, mostly males, into the same path, could lead to an even greater explosion in the number of kids who are going to go down the same road as Godman666, which will create untold chaos for so many, including those perpetrators. But his warning at the end of his talk is what really chilled me. Godman666 warned that the increasing trend of firing waves of talented, skilled software developers around the world in a rush to embrace AI-generated code and efficiency could drive more people into the same criminal space that he lived in, just as they seek to survive. And that should give all of us pause.
Not to pull the full brake on AI, but certainly to heed warnings like this and think about how we're going to ensure that everyone can benefit from this new technological revolution. Because if we don't, the consequences could be real. As always, stay skeptical. Don't YOLO patches for critical services like Exchange on-prem or Citrix NetScaler, and we should all be thinking about how we can steer the next generation away from a life like Godman's. We're always interested in your opinion, and you can contact us at editorial@technewsday.ca or leave a comment under the YouTube video as well and help us spread the word. Give us a like or subscribe, or leave us a review on your favorite podcast platform. If you like the show, please tell others. We'd love to grow our audience even more, and we need your help. I've been your host, David Shipley, sitting in for Jim Love, who will be back on Friday. Thanks for listening.
Host: David Shipley
Podcast: Cybersecurity Today
Episode Title: Urgent Vulnerabilities: Patching Exchange, Citrix, and Fortinet
Release Date: August 13, 2025
In this episode of Cybersecurity Today, host David Shipley delves into pressing cybersecurity vulnerabilities affecting major platforms—Microsoft Exchange, Citrix, and Fortinet—and provides comprehensive insights into their implications, ongoing exploitations, and necessary mitigation strategies. Additionally, Shipley shares key observations from DEFCON 33, highlighting emerging threats and community sentiments.
Timestamp: [00:00]
David Shipley begins by addressing a critical vulnerability in Microsoft Exchange Server, tracked as CVE-2025-53786. As of the latest scans on August 10, over 29,000 Exchange servers remain unpatched globally, with a significant concentration in the US (7,200 servers), Germany (6,700 servers), and Russia (2,500 servers). The vulnerability, initially disclosed on August 7, 2025, affects Exchange Server versions 2016, 2019, and the subscription edition in hybrid configurations.
Key Details:
Government Response: On August 7, the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-02, mandating all federal civilian Executive branch agencies to mitigate the threat by August 11th, 9 AM. Mitigation steps include:
- Inventory all Exchange environments.
- Disconnect unsupported, public-facing Exchange servers.
- Apply the April 2025 cumulative updates (CU14 or CU15 for Exchange 2019, CU23 for Exchange 2016) together with Microsoft's hotfix.
CISA Warning: Failure to patch could result in complete hybrid and on-premises domain compromise. Although the directive targets federal agencies, CISA urges all organizations to adopt these measures urgently.
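The directive's three steps turn into a simple triage over an inventory of on-premises servers. The following Python is an added example, not code from the episode, CISA or Microsoft: it walks a constructed server inventory and decides per host whether the directive as described here calls for disconnecting it, applying a cumulative update, or applying the hotfix, with public-facing hosts listed first. The inventory fields (host, version, cu, hotfix, internet_facing), the host names, and the treatment of Subscription Edition (checked only for the hotfix, because the episode gives no CU level for it) are assumptions.

```python
"""Triage an on-premises Exchange inventory against the directive's steps.

Added example; not code from the episode, CISA or Microsoft. The inventory
format (host, version, cu, hotfix, internet_facing) is an assumption, and
Subscription Edition (SE) is checked only for the hotfix because the episode
gives no CU level for it.
"""
from dataclasses import dataclass
from typing import Dict, List

# Minimum cumulative update per product line, as stated in the episode:
# CU14 or CU15 for Exchange 2019, CU23 for Exchange 2016.
REQUIRED_CU = {"2019": 14, "2016": 23}
HOTFIX_ONLY = {"SE"}  # assumption: SE just needs the April 2025 hotfix


@dataclass
class Finding:
    host: str
    action: str  # disconnect | unsupported | apply_cu | apply_hotfix | ok
    detail: str


def triage_server(server: Dict) -> Finding:
    """Decide which directive step applies to one server record."""
    host = server["host"]
    version = str(server["version"])
    if version not in REQUIRED_CU and version not in HOTFIX_ONLY:
        # Unsupported builds cannot take the April 2025 updates at all.
        if server.get("internet_facing"):
            return Finding(host, "disconnect",
                           f"unsupported Exchange {version} is public-facing")
        return Finding(host, "unsupported",
                       f"unsupported Exchange {version}; not public-facing")
    needed = REQUIRED_CU.get(version)
    installed = server.get("cu", 0)
    if needed is not None and installed < needed:
        return Finding(host, "apply_cu",
                       f"CU{installed} installed, CU{needed} or later required")
    if not server.get("hotfix"):
        return Finding(host, "apply_hotfix",
                       "CU level is current but the April 2025 hotfix is missing")
    return Finding(host, "ok", "cumulative update and hotfix present")


def triage(inventory: List[Dict]) -> List[Finding]:
    """Public-facing hosts first, so the riskiest work lands at the top."""
    ordered = sorted(inventory, key=lambda s: not s.get("internet_facing", False))
    return [triage_server(s) for s in ordered]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per action for a quick status line."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.action] = counts.get(f.action, 0) + 1
    return counts


# Constructed sample inventory (not real hosts).
INVENTORY = [
    {"host": "ex19-a", "version": "2019", "cu": 15, "hotfix": True, "internet_facing": True},
    {"host": "ex19-b", "version": "2019", "cu": 13, "hotfix": False, "internet_facing": True},
    {"host": "ex19-c", "version": "2019", "cu": 14, "hotfix": False, "internet_facing": False},
    {"host": "ex16-a", "version": "2016", "cu": 23, "hotfix": True, "internet_facing": True},
    {"host": "ex13-a", "version": "2013", "cu": 23, "hotfix": False, "internet_facing": True},
    {"host": "exse-a", "version": "SE", "hotfix": False, "internet_facing": False},
]

if __name__ == "__main__":
    findings = triage(INVENTORY)
    for f in findings:
        print(f"{f.host:8} {f.action:13} {f.detail}")
    print(summarize(findings))
```

A server on a current CU but without the hotfix is still reported as work to do, which is the case the episode singles out: the cumulative update alone does not close CVE-2025-53786.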
Notable Quote:
David Shipley emphasizes the urgency:
"If they made folks in government get this done over the weekend, you can bet this was urgent." [02:15]
Timestamp: [04:30]
Shipley transitions to the ongoing exploitation of Citrix Bleed 2, highlighting two critical vulnerabilities: CVE-2025-5777 and CVE-2025-6543. Nearly 3,300 Citrix NetScaler devices remain unpatched against CVE-2025-5777, and an additional 4,142 devices are vulnerable to CVE-2025-6543.
Vulnerability Details:
CVE-2025-5777 (Citrix Bleed 2):
- Allows unauthenticated attackers to read out-of-bounds memory on appliances configured as a gateway or AAA virtual server.
- Enables theft of session tokens, credentials and other sensitive data, leading to session hijacking and multi-factor authentication bypass.
- Proof-of-concept exploits appeared less than two weeks after disclosure; Shadow Server observed in-the-wild exploitation before the public PoC, with 3,312 appliances still exposed as of Monday.
CVE-2025-6543:
- A memory overflow that Citrix says can cause denial of service.
- The Netherlands' National Cyber Security Centre reports it was used as a zero day since at least May to breach multiple critical organizations, with traces removed to hide the compromise.
- The Openbaar Ministerie (the Dutch public prosecution service) confirmed a linked breach on July 18, causing significant operational disruption and temporary loss of email services.
Government and Security Community Response: CISA has cataloged both vulnerabilities as known exploited, ordering U.S. federal agencies to:
- Patch CVE-2025-5777 within one day.
- Address CVE-2025-6543 by July 21.
Expert Opinion:
Security researchers are adamant about the necessity of applying Citrix updates immediately, citing the risks of credential theft and network compromise. Shipley concurs, stating:
"Not patching Internet-accessible Citrix appliances that are vulnerable to these exploits is beyond reckless at this point." [07:45]
Timestamp: [10:20]
Shifting focus to Fortinet SSL VPN devices, Shipley reports a significant uptick in brute force attack traffic:
- GreyNoise reported coordinated activity first observed on August 3, 2025, involving over 780 unique IP addresses.
- In the past 24 hours, 56 malicious IPs were detected, originating from the United States, Canada, Russia and the Netherlands; targets include the United States, Hong Kong, Brazil, Spain and Japan.
- The traffic was deliberate and precise, targeting FortiOS profiles rather than opportunistic scanning, which analysts read as existing infrastructure pivoting to a new Fortinet-facing service.
Historical Context: An earlier spike in June was linked to a unique client signature associated with a FortiGate device in a residential ISP block managed by Pilot Fiber Inc. Two assault waves were identified:
- A long-running, steady wave.
- A sudden, concentrated burst starting after August 5th with a different TCP signature, shifting from FortiOS toward FortiManager and raising the possibility the tooling was tested or launched from a home network or a residential proxy.
Future Implications: Researchers warn that such activity often precedes the disclosure of new CVEs affecting similar technologies within six weeks. This pattern indicates preparedness for exploiting forthcoming vulnerabilities in Fortinet products.
Strategic Advice: Shipley advises organizations to brace for potential new vulnerabilities by enhancing their security postures proactively.
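One concrete way to "get ready now" is to make sure a wave like the one GreyNoise describes would show up in your own VPN authentication logs. The following Python is an added example, not code from the episode or from GreyNoise: it parses a constructed set of SSL VPN login records, buckets failures by hour, and flags an hour as a coordinated wave only when it combines many distinct source addresses with a failure count far above the median hour, so a single noisy client (already handled by per-IP lockout) does not trigger it. The log line format, the gateway name, the RFC 5737 documentation addresses and the thresholds are all assumptions.

```python
"""Flag coordinated SSL VPN brute-force waves in authentication logs.

Added example; not code from the episode or GreyNoise. The log line format,
gateway host name, addresses and thresholds are all assumptions, and the
sample log is constructed in constructed_log().
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Assumed log format: "<ISO-8601 UTC> <gateway> sslvpn login failed|ok user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sslvpn login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines: List[str]) -> List[Dict]:
    """Parse matching lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def hourly_failures(events: List[Dict]) -> Dict[datetime, Dict]:
    """Bucket failed logins by hour: total count and distinct source addresses."""
    buckets = defaultdict(lambda: {"count": 0, "srcs": set()})
    for ev in events:
        if ev["result"] != "failed":
            continue
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[hour]["count"] += 1
        buckets[hour]["srcs"].add(ev["src"])
    return dict(sorted(buckets.items()))


def detect_waves(buckets: Dict[datetime, Dict], min_sources: int = 20,
                 burst_factor: float = 5.0) -> List[Dict]:
    """A wave is an hour with many distinct sources AND failures far above the
    median hour. The distinct-source test separates a distributed campaign
    (the episode's 780 addresses) from one noisy client."""
    counts = sorted(b["count"] for b in buckets.values())
    if not counts:
        return []
    baseline = max(counts[len(counts) // 2], 1)  # median hour, floored at 1
    alerts = []
    for hour, b in buckets.items():
        if len(b["srcs"]) >= min_sources and b["count"] >= burst_factor * baseline:
            alerts.append({"hour": hour, "failures": b["count"],
                           "sources": len(b["srcs"])})
    return alerts


def analyze(lines: List[str]) -> List[Dict]:
    """Full pipeline: raw lines -> hourly buckets -> wave alerts."""
    return detect_waves(hourly_failures(parse(lines)))


def constructed_log() -> List[str]:
    """Constructed sample: six quiet hours, then one hour in which 40 distinct
    sources (RFC 5737 documentation addresses) each try three usernames."""
    lines = []
    for h in range(6):
        for i in range(3):
            lines.append(f"2025-08-03T{h:02d}:1{i}:00Z vpn-gw1 sslvpn login failed "
                         f"user=alice src=198.51.100.{i + 1}")
        lines.append(f"2025-08-03T{h:02d}:30:00Z vpn-gw1 sslvpn login ok "
                     f"user=bob src=198.51.100.9")
    for i in range(40):
        for j, user in enumerate(("admin", "vpn", "test")):
            lines.append(f"2025-08-03T06:{i:02d}:{j:02d}Z vpn-gw1 sslvpn login failed "
                         f"user={user} src=203.0.113.{i + 1}")
    return lines


if __name__ == "__main__":
    for alert in analyze(constructed_log()):
        print(f"{alert['hour']:%Y-%m-%d %H:00}Z  failures={alert['failures']} "
              f"distinct_sources={alert['sources']}")
```

The median-based baseline is deliberately crude; in production you would compare against the same hour on previous days and enrich each source with its network owner, since the episode notes the tooling may sit behind residential addresses that a plain reputation list will not flag.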
Notable Quote:
Highlighting the significance of the trend, he remarks:
"Heightened targeting may signal a new Fortinet vulnerability is coming. Get ready now." [12:50]
Timestamp: [15:10]
Concluding the episode, Shipley shares his experiences and key takeaways from DEFCON 33, one of the globe’s largest cybersecurity conferences with an attendance of approximately 25,000 to 30,000 participants.
Conference Highlights:
Capture the Flag Competitions: Sector-specific contests drawing hundreds of participants, including teams working from laptops against a real Rivian SUV and cargo van, a real full-size boat, and simulated aircraft built from Lego models.
AI Village: Notable deepfake demonstrations; Shipley did not make it through the multi-hour lines for the Social Engineering Village.
Notable Presentations:
Ex-NSA Chief Paul Nakasone: Shared jello shots with DEFCON founder Jeff Moss (the Dark Tangent), but delivered a critical message urging better engagement between the tech community and Washington D.C. He stressed the growing cultural gap and the adverse effects of the Trump administration’s policies on hacker-community relations.
"The age and culture gap continues to grow between the tech world and Washington D.C." [20:30]
Eaton Zveare of Harness: Demonstrated a flaw in a carmaker’s centralized web portal that allowed creation of an admin account, exposing customer data and vehicle tracking and allowing remote control of some vehicle functions, posing severe privacy and safety risks.
Teen Hackers Reynaldo Vasquez-Garcia and Nyx: Exposed spyware-like features in the Motorola Halo 3C smoke and vape detectors, revealing capabilities like real-time audio eavesdropping and fake alert generation.
"They disabled the detection capabilities and created fake alerts for vaping or gunshots." [23:15]
Criminal Hacker Godman666: A former darknet operator recounted his journey through various cybercrimes, expressing remorse and issuing a stark warning about the future: "The increasing trend of firing waves of talented, skilled software developers... could drive more people into the same criminal space." [27:40]
Shipley’s Reflection: He underscores the importance of steering the next generation away from cybercrime and ensuring the benefits of technological advancements are widely shared to prevent societal fallout.
David Shipley wraps up the episode by reiterating the critical nature of the discussed vulnerabilities and the necessity for immediate action to safeguard organizational infrastructures. He emphasizes the interconnectedness of cybersecurity communities and the importance of proactive measures in an era of escalating threats.
Final Advice:
Stay vigilant, stay secure, and continue to prioritize cybersecurity in every facet of your operations.
Contact & Feedback:
Listeners are encouraged to share their opinions via email at editorial@technewsday.ca or through comments on the podcast's YouTube channel. Support the show by liking, subscribing, or leaving a review on your preferred podcast platform.