Weekly Security News – 10th February 2025

Casio UK hit by data theft, Microsoft killing off Defender VPN, an increase in CVEs being exploited, and updates for Cisco and Veeam...

Welcome to this week’s Security News. We’ve collated the best articles from around the internet and put them all in one place. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team, who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly.

Vulnerabilities and Patches

Critical Veeam Vulnerability Enables Code Execution via Man-in-the-Middle Attack

Veeam has released patches to address a critical security flaw impacting its Backup software that could allow an attacker to execute arbitrary code on susceptible systems. The vulnerability, tracked as CVE-2025-23114, carries a CVSS score of 9.0 out of 10.0.

“A vulnerability within the Veeam Updater component that allows an attacker to utilize a Man-in-the-Middle attack to execute arbitrary code on the affected appliance server with root-level permissions,” Veeam said in an advisory.

The shortcoming impacts the following products –

  • Veeam Backup for Salesforce — 3.1 and older
  • Veeam Backup for Nutanix AHV — 5.0 | 5.1 (Versions 6 and higher are unaffected by the flaw)
  • Veeam Backup for AWS — 6a | 7 (Version 8 is unaffected by the flaw)
  • Veeam Backup for Microsoft Azure — 5a | 6 (Version 7 is unaffected by the flaw)
  • Veeam Backup for Google Cloud — 4 | 5 (Version 6 is unaffected by the flaw)
  • Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization — 3 | 4.0 | 4.1 (Versions 5 and higher are unaffected by the flaw)

The issue has been addressed in the newer versions. Affected organisations are encouraged to review Veeam’s security advisories.

Cisco Releases Security Advisories for Multiple Products

Cisco has released nine security advisories addressing multiple vulnerabilities, including one critical advisory (CVE-2025-20124 and CVE-2025-20125) and two high severity advisories (CVE-2024-20397, CVE-2025-20169, CVE-2025-20170, CVE-2025-20171, CVE-2025-20173, CVE-2025-20174, CVE-2025-20175, CVE-2025-20176) affecting Cisco Identity Services Engine (ISE), Cisco NX-OS, Cisco Expressway, Cisco IOS, Cisco IOS XE, Cisco IOS XR, Secure Email and Web Manager, Secure Email Gateway, and Secure Web Appliance.

The critical vulnerability affects Cisco ISE and Cisco ISE Passive Identity Connector, software which facilitates endpoint management. The vulnerability could allow an authenticated, remote attacker to execute arbitrary commands and elevate privileges on an affected device, provided that the attacker has valid read-only administrative credentials. One high severity advisory affects Cisco NX-OS Software, which is a network operating system. This vulnerability could allow an attacker to bypass NX-OS image signature verification and load unverified software. The other high severity advisory details vulnerabilities affecting Cisco IOS Software, Cisco IOS XE Software, and Cisco IOS XR Software, which are networking software systems. The vulnerabilities could allow an authenticated, remote attacker to conduct a denial-of-service (DoS) attack on an affected device. Six medium severity advisories were also issued.

Affected organisations are encouraged to review Cisco’s security advisories.

Cyber Attacks

Hackers Using Fake Microsoft ADFS Login Pages to Steal Credentials

A global phishing campaign is underway, exploiting a legacy Microsoft authentication system to steal user credentials and bypass multi-factor authentication (MFA), targeting over 150 organisations.

A sophisticated phishing campaign is exploiting vulnerabilities in Microsoft’s Active Directory Federation Services (ADFS) to compromise user accounts and bypass multi-factor authentication (MFA). The attackers are leveraging phishing emails, mimicking legitimate notifications and luring victims to spoofed ADFS login pages. These emails often use urgent tones, warn of supposed updates or policy changes, and incorporate legitimate branding, logos, and even contact information to appear genuine. URL obfuscation and shortened links further conceal the malicious destination. The attackers personalise the phishing pages to match the target organisation’s specific MFA setup, tailoring prompts for push notifications and for mechanisms such as Microsoft Authenticator, Duo Security, and SMS verification. The phishing landing page replicates the organisation’s ADFS portal, dynamically pulling logos and design elements to create a convincing counterfeit. While some client-side validation might exist, the page does not verify credentials against the organisation’s systems: any username and password combination is accepted. The next step involves capturing the user’s second-factor authentication. Phishing templates are designed to collect various MFA factors, including codes from authenticator apps, SMS messages, or even push notifications. This information, coupled with the stolen credentials, is relayed to the attackers. To complete the deception, the victim is redirected to the genuine ADFS login page after submitting their information, reinforcing the illusion of a successful login.

With the stolen credentials and MFA details, the attackers proceed with account takeover (ATO), often using VPNs to mask their location.

Casio UK site hit by data theft attack exposing customer information

Casio UK’s online store was breached between 14th and 24th January 2025, it has emerged, resulting in the exposure of personal and financial information of customers who made purchases during this time.

The attack involved malicious scripts placed on the website, which were designed to capture sensitive data, including credit card details. Customers who interacted with the site during this period may have had their information compromised. The breach was discovered by cybersecurity firm JSCrambler, which informed Casio about the issue on 28 January. Upon receiving the notification, Casio is said to have moved quickly to remove the malicious code from its e-commerce platform. The compromised script was eliminated within 24 hours of its detection.

JSCrambler revealed that the attack exploited vulnerabilities in the Magento e-commerce platform used by Casio UK. The cybercriminals deployed the malicious code in two stages. Initially, a basic skimmer was installed on the website, which then triggered the download of a more sophisticated script from a Russian hosting provider. This second-stage skimmer used obfuscation techniques, including custom encoding and XOR-based string concealment, to avoid detection by security systems. The attack specifically targeted the checkout process. Once customers added items to their cart, the skimmer redirected them to a fake checkout form rather than the legitimate payment page. Although the form did not match the website’s design and could not be activated by clicking the “buy now” button, it still managed to collect sensitive customer data. This included billing addresses, email addresses, phone numbers, credit card holder’s names, credit card numbers, expiration dates, and CVV codes. After entering their information, victims were shown a fake error message and then redirected back to Casio UK’s legitimate checkout page, where they could complete their purchase.
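The two-stage skimmer above was spotted by monitoring what scripts the checkout page actually loads. As an added example (not code from the article or from Jscrambler), the following audit flags the three signals that passage describes: an external script from a host outside the merchant's allowlist, inline code whose hash is not in the approved baseline, and XOR-style string decoding. The hostnames and the sample page are constructed.

```python
# Added example (not the article's or Jscrambler's code): audit a checkout
# page's <script> tags as a page-integrity monitor would, flagging external
# scripts from unlisted hosts, unbaselined inline code, and XOR-style decoding.
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_HOSTS = {"shop.example", "cdn.example"}          # constructed allowlist
BASELINE = {hashlib.sha256(b"window.cart={items:[]};").hexdigest()}
XOR_DECODE = re.compile(r"fromCharCode\s*\([^)]*\^")      # fromCharCode(x ^ k ...)

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._src, self._buf = [], None, None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src, self._buf = dict(attrs).get("src"), []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf)))
            self._src = self._buf = None

def audit_scripts(html, allowed_hosts=ALLOWED_HOSTS, baseline=BASELINE):
    """Return (reason, detail) findings; an empty list means the page matches."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, body in parser.scripts:
        if src:                                   # external script
            host = urlparse(src).hostname         # None for relative first-party paths
            if host and host not in allowed_hosts:
                findings.append(("unlisted-host", host))
            continue
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in baseline:                # inline code not in the baseline
            findings.append(("unknown-inline", digest[:12]))
        if XOR_DECODE.search(body):               # the concealment technique described
            findings.append(("xor-decode", digest[:12]))
    return findings

SAMPLE_PAGE = """<script src="https://cdn.example/checkout.js"></script>
<script>window.cart={items:[]};</script>
<script src="https://static.unlisted.example/loader.js"></script>
<script>var k=7,s=[101,117],t=String.fromCharCode(s[0]^k,s[1]^k);</script>"""
```

Running `audit_scripts(SAMPLE_PAGE)` reports the unlisted loader host and the XOR-decoding inline script, while the allowlisted CDN script and the baselined inline snippet pass.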

In Other News...

Microsoft kills off Defender VPN on February 28th

Microsoft is set to kill the free VPN service included with its Defender app on Windows 11, macOS, Android, and iOS devices with the reason being lack of usage and effectiveness.

As first reported by Windows Latest, the Big Tech giant has notified users of the change via its Support page. The date for the end of the virtual private network (VPN) service is set for 28th February 2025. While you have until the end of the month to find a replacement free VPN, other Microsoft Defender features – Device Protection, Identity Theft, and Credit Monitoring (US only) – won’t be affected.

As per Microsoft’s own words: “Our goal is to ensure you, and your family remain safer online. We routinely evaluate the usage and effectiveness of our features. As such, we are removing the privacy protection feature and will invest in new areas that will better align with customer needs.” If you have ever used the Microsoft Defender VPN feature, this announcement may not come as a total surprise.

Launched in 2023, Microsoft’s VPN tool came with quite a few considerable limitations when compared with some of the best VPN services on the market. For starters, it doesn’t allow you to choose the location you wish your internet connection to be rerouted from. This means that you can’t use Microsoft’s tool, for example, as a streaming VPN to watch your favourite TV shows when abroad, nor to bypass internet censorship.

Another possible reason behind the lack of usage is that Microsoft only rolled out the VPN feature for Microsoft 365 Individual and Family subscribers across the UK and US. As Windows Latest points out, Microsoft originally shared plans for Defender VPN to arrive in new regions “but that never happened”. Once Microsoft retires its Defender VPN feature for good, no action is required from Windows 11, macOS, and iOS users. If you’re using Android, however, you’ll need to manually remove your VPN profile from the device if you ever used this tool. You can do so by heading to your phone’s Settings, tapping VPN, and then tapping the info bar on Microsoft Defender’s VPN profile to remove it.

768 CVEs Exploited in 2024, Reflecting a 20% Increase from 639 in 2023

As many as 768 vulnerabilities with designated CVE identifiers were reported as exploited in the wild in 2024, up from 639 CVEs in 2023, registering a 20% increase year-over-year.

Describing 2024 as “another banner year for threat actors targeting the exploitation of vulnerabilities,” VulnCheck said 23.6% of known exploited vulnerabilities (KEV) were known to be weaponized either on or before the day their CVEs were publicly disclosed. This marks a slight decrease from 2023’s 26.8%, indicating that exploitation attempts can take place at any time in a vulnerability’s lifecycle. “During 2024, 1% of the CVEs published were reported publicly as exploited in the wild,” VulnCheck’s Patrick Garrity said in a report shared with The Hacker News. “This number is expected to grow as exploitation is often discovered long after a CVE is published”.

The report comes over two months after the company revealed that 15 different Chinese hacking groups out of a total of 60 named threat actors have been linked to the abuse of at least one of the top 15 routinely exploited vulnerabilities in 2023. “Not surprisingly, the Log4j CVE (CVE-2021-44228) is associated with the most threat actors overall, with 31 named threat actors linked to its exploitation,” Garrity noted late last year, adding the company identified 65,245 hosts potentially vulnerable to the flaw. In all, there are roughly 400,000 internet-accessible systems likely susceptible to attacks stemming from the exploitation of 15 security shortcomings in Apache, Atlassian, Barracuda, Citrix, Cisco, Fortinet, Microsoft, Progress, PaperCut, and Zoho products.