Critical Cisco Webex Bug Allows Remote Code Execution via Meeting Links

Cisco has disclosed a high-severity vulnerability in its Webex App (CVE-2025–20236) that allows unauthenticated attackers to execute remote code on victims' systems simply by tricking them into clicking a malicious meeting invite link. This serious flaw affects all operating systems and requires no special configuration, making it easily exploitable.

The root cause lies in insufficient input validation within Webex's custom URL parser, which allows threat actors to download arbitrary files and execute malicious commands with the same privileges as the logged-in user.

As of now, there are no workarounds the only mitigation is to update the Webex App immediately. Cisco has also patched two additional vulnerabilities this week:

• CVE-2025–20178 — A privilege escalation flaw in Secure Network Analytics that lets attackers with admin credentials execute commands as root.
• CVE-2025–20150 — A vulnerability in Nexus Dashboard that allows unauthenticated users to enumerate LDAP usernames remotely.

Cisco's PSIRT confirms there are no public exploits or signs of active exploitation for CVE-2025–20236 as of now. However, urgency is high, as a similar critical flaw in Cisco Smart Licensing Utility (CVE-2024–20439) was recently added to CISA's Known Exploited Vulnerabilities Catalog.

How to Prevent Such Attacks:

1. Apply the Latest Security Patches Immediately
2. Verify Meeting Links
3. Use Endpoint Protection
4. Restrict User Privileges

Malicious NPM Packages Target PayPal Users and Cryptocurrency Transfers

Fortinet researchers have uncovered a new campaign in which malicious NPM packages are being used to steal PayPal credentials and hijack cryptocurrency transactions. These packages, published in early March 2025 by a threat actor using aliases tommyboy_h1 and tommyboy_h2, cleverly disguise themselves with PayPal-themed names like oauth2-paypal and buttonfactoryserv-paypal to trick developers into trusting and installing them.

Once installed, these packages use preinstall hooks to execute hidden malicious scripts that:

• Collect system data such as usernames and directory paths,
• Obfuscate and exfiltrate information to attacker-controlled servers,
• Lay the groundwork for account compromise and cryptocurrency theft.

This is part of a growing trend where attackers exploit popular developer ecosystems like NPM by mimicking legitimate tools or services to steal credentials or deliver malware. Fortinet notes that the threat actor behind both usernames is likely the same person, demonstrating a coordinated attempt to infiltrate developer environments and compromise PayPal-related transactions.

How to Prevent Such Attacks:

• Install Packages Only from Trusted Sources
• Review Package Code and Dependencies
• Monitor Network Logs
• Rotate Credentials Regularly

Symlink Backdoor Found in Over 16,000 Fortinet Devices Enables Persistent Access

A newly discovered symlink backdoor has been found in over 16,000 Fortinet devices, allowing threat actors to retain read-only access to sensitive system files, even after the original vulnerabilities were patched. This discovery comes from The Shadowserver Foundation, a cybersecurity threat monitoring platform, which initially identified 14,000 exposed devices — later updated to 16,620 confirmed cases.

The issue originates from attacks that began as early as 2023 and continued into 2024, where zero-day vulnerabilities in FortiOS were exploited to compromise FortiGate devices — particularly those with SSL-VPN enabled.

After initial access, attackers created symbolic links (symlinks) inside the directory serving language files for SSL-VPN. Since this folder is publicly accessible, it allowed the attackers to persistently view the root file system even if the device firmware was later updated. The symlink itself resided in the user filesystem, avoiding detection by traditional update or patch mechanisms.

Key Impacts:

• Read-only access to critical system files including configurations and credentials.
• Persistence even after patching, as the symlink remains unless explicitly removed.
• Sensitive information exposure, risking further exploitation or data leaks.

Fortinet has since released:

• Updated AV/IPS signatures to detect and remove the malicious symlink.
• Firmware updates to prevent symbolic link abuse and block unknown files/folders via the SSL-VPN web interface.
• Email notifications to affected customers warning of compromise.

How to Prevent Such Attacks:

1. Patch Promptly and Verify Thoroughly
2. Disable Unnecessary Services
3. Monitor File System Integrity
4. Reset All Credentials Post-Compromise
5. Enable Advanced Threat Detection

6 Million Users at Risk, Hidden Chrome Extensions Found with Dangerous Tracking Capabilities

A startling discovery has revealed that 57 Chrome browser extensions installed by over 6 million users contained hidden tracking capabilities and posed significant privacy and security risks. These extensions were not searchable through the Chrome Web Store or visible in search engine results, making them effectively "hidden" unless users had the direct installation link.

While these types of hidden extensions are often used for internal development or enterprise tools, in this case, some were aggressively promoted through malicious ads and questionable sites, likely to lure unsuspecting users into installing them under false pretenses.

The initial investigation began with an extension called "Fire Shield Extension Protection", which was heavily obfuscated and connected to a suspicious domain unknow.com. Upon further analysis, Tuckner linked this domain to dozens of other extensions masquerading as ad blockers, coupon tools, or privacy protectors.

What these extensions could do:

• Access cookies (including headers like "Authorization")
• Track browsing activity and behavior
• Modify search results and providers
• Inject and execute remote scripts through iframes
• Execute various actions remotely (e.g., open/close tabs, view top visited sites)

Although Tuckner did not find direct evidence of password or cookie theft, the permissions and covert logic within these extensions raise red flags. Many of the extensions exhibit command-and-control-like behavior, hinting at spyware-level surveillance capabilities.

Google has responded by starting an investigation and removing many of the identified extensions, though some still remain active as of the latest update. A few with the highest user counts include:

• Cuponomia — Coupon and Cashback (700,000 users — public)
• Fire Shield Extension Protection (300,000 — unlisted)
• Browser WatchDog for Chrome (200,000 — public)
• Browser Checkup by Doctor (200,000 — public)

How to Prevent Such Attacks:

1. Avoid installing extensions from unknown sources or suspicious links.
2. Stick to well-reviewed extensions with transparent permissions and active developer support.
3. Review extension permissions before installing. If it asks for access to cookies, tabs, or browsing history and it doesn't need to avoid it.
4. Use browser security tools that alert you to risky extensions or behavior.
5. Perform regular audits of your installed extensions and remove anything unnecessary or suspicious.
6. If you've used any of the mentioned extensions, uninstall them immediately and change passwords on your critical accounts.

Cyberattack on Nippon Life India Mutual Fund Cripples Website Access for Over a Week

In a concerning development, Nippon Life India Mutual Fund has experienced a massive cyberattack, leaving its official website offline for over a week and disrupting online services for investors and stakeholders. The cyber incident, which impacted the company's IT infrastructure, prompted an immediate shutdown of affected systems as part of the organization's containment strategy.

According to the regulatory filing submitted to stock exchanges, the company swiftly took precautionary measures, including isolating the affected systems, to prevent further impact and initiate a thorough investigation. The management has since confirmed that remediation efforts are underway, though a specific timeline for full restoration of services has not yet been disclosed.

Despite the severity of the situation, Nippon Life India Mutual Fund has reassured that, as of now, there is no evidence of any breach of customer data. However, the extended disruption has raised concerns among investors who rely on the platform for digital access to their mutual fund portfolios and transactions.

Cybersecurity analysts highlight that this event emphasizes the critical importance of cyber resilience in the financial sector, especially among institutions that manage vast amounts of sensitive financial and personal information.

How to Prevent Such Attacks:

To avoid incidents like this, financial institutions should prioritize the following cybersecurity practices:

1. Implement real-time intrusion detection systems (IDS) and endpoint protection
2. Regularly patch vulnerabilities in servers, web applications, and third-party software.
3. Adopt a Zero Trust Architecture
4. Enforce network segmentation
5. Conduct periodic cybersecurity audits and penetration testing
6. Maintain regular backups and a comprehensive incident response plans
7. Educate employees and users on phishing and social engineering threats

REFERENCES

https://www.securityweek.com/malicious-npm-packages-target-cryptocurrency-paypal-users/