Researchers are warning that cybercriminals exploited an Oracle PeopleSoft zero-day vulnerability and potentially infiltrated the networks of more than 100 organizations in an attack spree that largely impacted higher education.
Mandiant and Google Threat Intelligence Group said it became aware of the attacks earlier this month as part of its ongoing monitoring of ShinyHunters operations. The notorious cybercrime group claims it hacked more than 100 organizations and started naming victims and publishing allegedly stolen data Tuesday.
University of Nottingham, one of ShinyHunters’ alleged victims, on Wednesday confirmed a significant amount of student data was stolen during a cyberattack after the threat group leaked some of the school’s data.
The attacks date back to at least May 27, according to Mandiant, and involve the exploitation of CVE-2026-35273, a defect in Oracle PeopleSoft PeopleTools that allows unauthenticated attackers to execute remote code and takeover affected servers.
Oracle disclosed the vulnerability and recommended some steps for mitigation Wednesday, weeks after the attacks were already underway. The vendor hasn’t released a patch to address the defect and did not respond to a request for comment.
Google said it alerted more than 100 organizations of potentially vulnerable endpoints in their environments, but it declined to confirm how many victims are compromised.
“This campaign is still active. We have observed ShinyHunters sending extortions as recently as today,” Charles Carmakal, chief technology officer at Mandiant Consulting, told CyberScoop Thursday evening. He added that more victims, beyond Google’s visibility, may be impacted.
Most of the potential victim pool is based in the United States and 68% are in the higher education sector, according to Google.
“We have previously observed ShinyHunters target the education sector this year, however it’s possible this targeting is representative of the majority of exposed PeopleSoft instances belonging to the sector,” Carmakal said.
Oracle PeopleSoft PeopleTools includes more than 40 tools for human resources and customer relationship management.
The attacks come less than a year after the Clop ransomware group exploited a zero-day in Oracle E-Business Suite that affected dozens of victims. The data theft extortion campaign that followed those attacks, which began in August, didn’t get underway until October.
Federal prosecutors have charged a Russian national with conspiracy to commit unauthorized computer access in connection with a sprawling cyber-espionage campaign linked to the Russia-aligned threat group Void Blizzard, according to a criminal complaint filed in federal court this week.
Denis Nikolayevich Obrezko, a Russian citizen, is accused of breaking into systems owned by companies in the United States and elsewhere, according to an FBI affidavit unsealed Tuesday. Investigators allege Obrezko facilitated the campaign by purchasing a virtual private server and domain names used in attacks targeting businesses, educational institutions, and other organizations.
The charges come roughly a year after Microsoft publicly identified Void Blizzard — which it also tracks as Laundry Bear — as a state-sponsored Russian threat group conducting large-scale espionage operations against government agencies, defense suppliers, and critical infrastructure providers across NATO member states, Ukraine, and beyond. Dutch intelligence and security services separately confirmed in May 2025 that the group had infiltrated the Netherlands’ national police force in September 2024, stealing work-related contact information on police staff.
The FBI affidavit describes a methodical but largely unsophisticated operation. Investigators say Void Blizzard primarily relied on stolen session tokens to authenticate to victim accounts without triggering re-authentication requirements, then used a U.S.-based commercial proxy service to mask the connection’s location. The group typically routed traffic through a VPN before selecting proxy IP addresses in the same region as a target, allowing it to bypass geographic firewall restrictions.
From June-July 2024, the FBI received tips from a foreign partner and a U.S.-based private-sector firm identifying several American companies being targeted by the emerging group. Investigators subsequently verified intrusions at 11 U.S. companies, a figure the affidavit describes as likely a fraction of the total victim count nationwide.
Void Blizzard’s methods, while not technically advanced, have proven broadly effective. Microsoft researchers noted in 2025 that the group’s success illustrates the sustained risk posed by even basic intrusion techniques when applied at scale. The group has been observed harvesting bulk email and files from compromised cloud environments, accessing Microsoft Teams conversations, and cataloging Microsoft Entra ID configurations to map organizational structures.
In April 2025, Microsoft identified a separate spear-phishing campaign attributed to Void Blizzard that targeted more than 20 non-governmental organizations in Europe and the United States, using typosquatted domains to spoof Microsoft authentication pages. The affidavit corroborates that activity, identifying domains such as miscrsosoft[.]com and micsrosoftonline[.]com registered through accounts connected to the same infrastructure used by the group.
Obrezko appeared in court Tuesday and agreed to be taken into custody while awaiting trial.
Government agencies, cybersecurity companies and threat researchers are pouring resources into studying how fast-developing AI tools can be wielded by malicious actors to hack into victim organizations.
But as agentic AI becomes more embedded in business infrastructure, there’s also a high possibility that a breach could be caused by an insider guiding the tool, whether maliciously or due to lack of security controls.
In research shared exclusively with CyberScoop, DTEX researchers detail how a common workflow in Anthropic’s Claude Cowork used in corporate environments offers convenience for AI agent deployment but grants near-total access to the system.
Claude Cowork includes tools that let users remotely control their agents. One particular tool, known as Dispatch, relays commands from a user’s phone to their desktop Claude agent. It also includes a plugin for communicating with Salesforce AI agents that access and transfer data.
DTEX researchers tested two scenarios. The first prompted Claude to summarize information from Salesforce and paste it into a draft Outlook email. The second tasked the agent with archiving selected files and transferring them via the Cowork app.
In both cases, researchers used simple, single-turn prompts and spent between 10-30 minutes preparing to exfil the data.
Alex Desmond, director of insider threat intelligence and innovation at DTEX, told CyberScoop that both improvements in frontier models and deeper integration of AI tools into IT network operations have reduced the time defenders have to react to a breach.
“In cyberattacks, you talk about the kind of execution time of adversaries coming in and dropping ransomware, we’re now seeing the kill chain drop to 30 and 10 minutes depending on what they’re doing,” Desmond said. “Six months ago, that was a couple of hours.”
But that speed, when paired with direct access to business networks or cloud services, can also create an insider threat nightmare for organizations that must monitor for both malicious actors and potential mistakes from legitimate employees using the technology.
Over the past few years, western IT and cybersecurity businesses have been inundated with job applicants secretly working on behalf of the North Korean government. Their salaries are used to evade international sanctions and fund Pyongyang’s nuclear program, but it also positions the individuals to access or steal sensitive data or assets from these companies.
“You’ve got a nation-state actor getting into an environment legitimately,” Desmond said. “Now if you gave them access to AI tools on top of that…you’re like ‘here’s the keys to everything and here’s this awesome tool that’s just going to make your job – stealing our data – easier.’”
Tests by DTEX confirmed that the agents indeed had access to sensitive systems, applications and data – including the ability to download SharePoint corporate data, production documentation in OneDrive, access to Outlook email, Salesforce data (and all the data it can access), and any other files on the user’s endpoint device. For each of these applications, Claude Cowork has a dedicated plugin or API to share externally if prompted.
To be clear, DTEX’s research does not involve exploiting a software bug or configuration vulnerability, and it doesn’t come with a CVE. It’s more of an IT governance and visibility problem. Businesses are racing to integrate AI tools into their workflow and pushing employees to use the technology while failing to put in place the kind of security controls, access policies and monitoring required to spot problems.
For instance, it may not be possible to determine how a data breach or leakage involving an AI agent actually occurred if an organization is not logging and auditing its prompts – or whether the incident was the result of an agent running amok or responding to potentially malicious instructions.
While network and cloud monitoring can identify when data is being accessed or downloaded from SharePoint, that may not be a strong enough signal to stand out for defenders.
“If a user’s normal workflow is to pull sensitive files down to work locally all the time, you don’t have endpoint monitoring and you introduce an AI agent, it then just has access to all that data” along with the ability to exfiltrate it,” Desmond said.
Anthropic is broadening access to its Project Glasswing program, adding approximately 150 organizations in 15 countries, the company announced Tuesday, as its restricted Claude Mythos Preview model has already surfaced more than 10,000 high- or critical-severity software vulnerabilities since the program launched in early April.
The expansion follows an initial cohort of roughly 50 partners that were announced when Anthropic first unveiled the initiative. Those members included technology companies such as Amazon Web Services, Cisco, CrowdStrike, Google, JPMorganChase, the Linux Foundation, Microsoft, NVIDIA, and Palo Alto Networks, among others.
According to the announcement, the new group covers sectors that were underrepresented in the first wave, including power, water, healthcare, communications, and hardware. Many of the new partners are vendors whose codebases underpin critical infrastructure systems.
The company did not give any further details on what companies or organizations were part of the new cohort.
The scale of what Mythos Preview has already found is drawing attention across the security industry. Cloudflare identified 2,000 bugs across its critical-path systems, including 400 rated high or critical, with a false-positive rate the company described as better than that of human testers. Mozilla found and fixed 271 vulnerabilities in Firefox 150 while testing the model, more than 10 times the number found in a previous Firefox version using an earlier Anthropic model. Several other partners reported that their rates of bug discovery increased more than tenfold after deploying the model.
Anthropic also used Mythos to scan more than 1,000 open-source projects, flagging 23,019 potential vulnerabilities, 6,202 of them estimated as high or critical. Of 1,752 high- or critical-rated findings independently reviewed, over 90% were confirmed as valid.
The findings have shifted what Anthropic describes as the central issue in cybersecurity. Despite the enhanced ability to discover flaws, the company admits there are challenges with verifying, disclosing, and patching them before attackers can take advantage.
“The bottleneck in fixing bugs like these is the human capacity to triage, report, and design and deploy patches for them,” the company said in its blog post.
That bottleneck has broader implications. A joint report from the Cloud Security Alliance, the SANS Institute, and OWASP concluded that organizations are “likely to be overwhelmed” in the near term by threat actors using AI to find and exploit vulnerabilities faster than defenders can patch them.
Anthropic has said it will not release Mythos-class models to the general public, citing the absence of safeguards sufficient to prevent serious misuse. In the interim, it has released Claude Security, a product using its publicly available Claude Opus 4.8 model that has been used to patch more than 2,100 vulnerabilities in three weeks.
The program’s expansion comes as the Trump administration’s AI security efforts remain unsettled. A highly anticipated executive order addressing AI cybersecurity and frontier model oversight was pulled hours before a planned signing in May. The draft order had proposed a voluntary framework requiring AI developers to submit advanced models to a government review up to 90 days before public release, with the National Security Agency holding final say over which systems qualified as “covered frontier models.”
It was not immediately clear when the White House signing might be rescheduled.
LAS VEGAS — One of the big worries during the generative AI boom is where exactly data is traveling when users enter queries or commands into the system. According to new research, those worries may also extend to one of the world’s most popular consumer technology companies.
Apple’s artificial intelligence ecosystem, known as Apple Intelligence, routinely transmits sensitive user data to company servers beyond what its privacy policies indicate, according to Israeli cybersecurity firm Lumia Security.
The research, presented Wednesday at the 2025 Black Hat USA conference, detailed how Apple’s Siri assistant sends the content of dictated messages and commands, including WhatsApp communications, to Apple servers even when such transmission isn’t necessary to complete user requests. The data flows occur outside Apple’s heavily promoted Private Cloud Compute system, which the company markets as providing enhanced privacy protections.
The research comes as Apple has long positioned itself as a privacy-focused company, building marketing campaigns around the company’s concentration on privacy for individual users
Which Siri is which?
The investigation, led by Lumia senior security researcher Yoav Magid, concentrated on several different ways users can interact with Siri. While Siri has been around since 2010, the company announced it was part of Apple Intelligence in 2024.
Magid showed that when given a prompt, Siri automatically scans users’ devices for installed applications related to voice queries and transmits this information to Apple servers. When a user asks about weather, for example, Siri identifies and reports all weather-related apps on the device. Additionally, location data accompanies every Siri request regardless of whether location information is relevant to the query.
Further research showed that audio playback metadata, including the names of songs, podcasts, or videos being played, is sent to Apple servers without explicit user visibility into these data flows.
Perhaps most significantly, the research found that messages dictated through Siri to platforms like WhatsApp are transmitted to Apple servers, raising questions about the end-to-end encryption functionality built into WhatsApp. Magid found these messages are sent through Apple’s Private Cloud Compute infrastructure, which is specifically designed to provide additional privacy protections for sensitive AI processing tasks.
CAPTION: A packet decoded by Lumia Security that shows WhatsApp messages sent through Siri are transmitted to Apple servers, potentially breaking end-to-end encryption. (Lumia Security)
The practice raises questions about end-to-end encryption claims made by messaging platforms, since message content leaves the device through Apple’s systems before reaching intended recipients.
Testing revealed that message transmission to Apple servers continues even when users explicitly disable settings that allow Siri to “learn” from specific applications or network communication to Apple servers is blocked.
“I’m not quite sure why this communication is necessary,” Magid said.
In the course of conducting the research, he found that Apple sometimes processes the data depending on whether a request is processed through traditional Siri infrastructure or the newer Apple Intelligence system.
Similar queries can trigger different data- handling practices with different privacy implications. For example, asking “What is the weather today?” sends data to Siri servers under one privacy policy, while “Ask ChatGPT what is the weather today?” routes the request through Apple Intelligence’s Private Cloud Compute under different terms.
“Two similar questions, two different traffic flows, two different privacy policies,” Magid noted in a blog.
This dual system means users have no way to predict which privacy framework applies to their interactions, creating uncertainty about how their data will be handled.
Apple’s response and disputed claims
Apple acknowledged some aspects of the research findings after Lumia reported the issues in February. Initially, Magid said Apple indicated it would work toward fixes for identified problems.
However, by July, Magid said that Apple shifted its position, telling researchers that the message transmission behavior was not a privacy issue related to Apple Intelligence, but rather stemmed from third-party services’ use of SiriKit, Apple’s extension system for integrating external apps with Siri.
The company maintained that Siri’s servers operate separately from Apple’s Private Cloud Compute system, though this distinction is not clearly communicated to users.
Apple disputed characterizations that the data collection represented privacy violations, arguing that existing policies adequately disclose the practices.
The company told CyberScoop that it “respectfully disagrees” with the research, with an Apple spokesperson pointing back to the functionality of SiriKit and the privacy policies regarding Siri.
The research highlights how traditional privacy frameworks may be inadequate for governing AI systems that require extensive data analysis to function effectively. The complexity of modern AI systems makes it difficult for users to understand when their data is being transmitted to external servers, processed locally, or shared with third parties.
For enterprise users, the findings could raise compliance concerns when sensitive corporate information potentially leaves organizational networks through employee devices running Apple Intelligence.
“AI capabilities are now all around us. Any typical app these days incorporates AI, whether it’s Grammarly, Canva or Salesforce,” Magid wrote in the blog. “Knowing when a feature is powered by AI or not, is not really trivial anymore.”
Microsoft also issued an advisory about the vulnerability — CVE-2025-53786 — and said it’s not aware of exploitation in the wild.
While the public disclosure and advisories about the defect came late in the day amid one of the largest cybersecurity conferences, Tom Gallagher, VP of engineering at Microsoft Security Response Center, told CyberScoop the timing was coordinated for release following Mollema’s presentation.
Gallagher stressed that exploitation requires an attacker to achieve administrative access to an on-premises Exchange server in a hybrid environment.
Attackers could escalate privileges in an organization’s connected cloud environment because on-premises and cloud-based versions of Exchange share the same permissions in hybrid configurations, Microsoft said in its advisory. The vulnerability affects Entra ID, Microsoft’s identity and access management service, potentially exposing a path for attackers to move from a compromised on-premises Exchange server to a connected cloud-based counterpart.
Authorities are actively monitoring and assessing the scope and impact of the vulnerability, Chris Butera, acting executive assistant director at the Cybersecurity and Infrastructure Security Agency, said in a statement.
Microsoft said it already addressed the vulnerability in April when it introduced changes to improve the security of Exchange Server hybrid deployments. The company and CISA urged organizations to apply Microsoft’s April 2025 Exchange Server hot fix updates to on-premises Exchange servers, implement configuration changes and clear certificates from the shared service principals.
Starting later this month, Microsoft said it will temporarily block Exchange Web Services traffic using the shared service principal. That block will be permanent by the end of October, the company said.
The move is part of Microsoft’s strategy to accelerate and eventually force customers to adopt its dedicated Exchange hybrid app. “Even though adoption of server versions that support dedicated hybrid app has been good, the number of customers who have created the dedicated app remains very low,” Microsoft said in a blog post.
CISA also advised organizations to disconnect any internet-exposed and end-of-life versions of Exchange Server and SharePoint Server.
The coordinated disclosure of the vulnerability comes less than three weeks after security researchers across the industry sounded the alarm about a mass attack spree linked to a critical zero-day vulnerability affecting on-premises Microsoft SharePoint servers. More than 400 organizations were impacted by those attacks, including multiple government agencies, including the Departments of Energy, Homeland Security and Health and Human Services.
A financially motivated threat group is attacking organizations using fully patched, end-of-life SonicWall Secure Mobile Access 100 series appliances, Google Threat Intelligence Group said in a report released Wednesday.
The group, which Google identifies as UNC6148, is using previously stolen admin credentials to gain access to SonicWall SMA 100 series appliances, remote access VPN devices the vendor stopped selling and supporting earlier this year. UNC6148 is likely intruding networks to steal data for extortion and possibly deploy ransomware, according to researchers.
The vendor appears 14 times on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021. Half of those exploited vulnerabilities affect SonicWall SMA 100 appliances, including three of the four defects added to CISA’s catalog this year.
“In response to the evolving threat landscape — and in alignment with our commitment to transparency and customer protection — SonicWall plans to accelerate the end-of-support date for the SMA 100,” Bret Fitzgerald, senior director of global communications at SonicWall, told CyberScoop.
“SonicWall has been actively guiding customers toward more modern, secure solutions such as our Cloud Secure Edge service and the SMA 1000 series,” he added
“We understand that not all customers have transitioned yet, and we remain committed to supporting existing SMA 100 deployments with firmware updates throughout the remaining lifecycle. These updates may become more frequent as we prioritize risk mitigation and the ongoing protection of our user base,” Fitzgerald said.
Google said it lacks evidence for the initial infection vector UNC6148 used to access SonicWall devices because the threat group’s malware selectively removes log entries. Yet, researchers said several vulnerabilities could have been exploited by UNC6148, including CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039 or CVE-2025-32819.
“UNC6148 may have used one of the mentioned CVEs to obtain administrator credentials prior to the targeted appliance being updated to the latest firmware version (10.2.1.15-81sv), and then used them to later establish a VPN session before possibly exploiting another unknown vulnerability after the appliance was fully updated,” Zander Work, senior security engineer at Google Threat Intelligence Group, said in an email.
“However, there was insufficient forensic data to confirm this for incidents that we have investigated to date,” Work added.
Insights into post-compromise activities are also limited. “We believe that UNC6148 may conduct data theft for extortion or possibly ransomware deployment as the end-stage goal of their intrusions, but haven’t been able to confirm this due to limited investigative insights at this time,” Work said.
One of UNC6148’s targeted victims appeared on the World Leaks data leak site in June, and the threat group’s activity overlaps with SonicWall exploitation in late 2023 and early 2024, including attacks involving the deployment of Abyss-branded ransomware, according to Google.
Exploited SonicWall defects are popular vectors for ransomware, with the majority of the vendor’s CVEs on CISA’s catalog — 9 out of 14 — known to be used in ransomware campaigns, according to the federal agency.
Mandiant learned more about UNC6148’s technical operations during an investigation into an attack in June. In that attack, UNC6148 established a SSL VPN session on a SMA 100 series appliance using local administrator credentials before it deployed a reverse shell through unknown means.
The reverse shell allowed the threat group to perform reconnaissance, manipulate files, and export and import settings to the SMA 100 appliance, before it deployed the OVERSTEP backdoor, which Google shared technical details about in its report.
The investigation helped Google “learn more about how [UNC6148] may leverage previously compromised SonicWall appliances for further intrusion operations, even after organizations have applied security updates,” Work said.
Google and SonicWall declined to say how many SonicWall SMA 100 devices have been abused by UNC6148, nor how many organizations have been impacted by this ongoing campaign.
A 21-year-old former Army soldier pleaded guilty Tuesday to charges stemming from a series of attacks and extortion attempts last year on telecommunications companies, including AT&T.
Cameron John Wagenius, who identified himself as “kiberphant0m” and “cyb3rph4nt0m” on online criminal forums, conducted extensive malicious activity for years, including while he was on active duty, the Justice Department said.
Wagenius pleaded guilty to conspiring to commit wire fraud, extortion in relation to computer fraud and aggravated identity theft. He faces a maximum of 27 years in prison for the charges and is scheduled for sentencing on Oct. 6. Wagenius previously pleaded guilty to two counts of unlawful transfer of confidential phone records information in connection with this conspiracy, the Justice Department said.
“This is one of the most significant wins in the fight against cybercrime,” Allison Nixon, chief research officer at Unit 221B, told CyberScoop. “The cybersecurity workers helping the victims through a storm, federal law enforcement with the fastest federal arrest I have ever witnessed, and the prosecutors now destroying them in court — all brought their A game and they deserve to celebrate tonight.”
Details prosecutors shared about Wagenius as part of their ongoing investigation underscore the bold actions cybercriminals take to extort multiple victims at scale and evade capture. Prior to his arrest in December, Wagenius attempted to sell stolen information to a foreign intelligence service as part of a broader attempt to defect to Russia or another country that he believed would allow him to avoid arrest.
Officials said Wagenius and co-conspirators attempted to defraud at least 10 victim organizations by obtaining login credentials for the organizations’ networks. In November, Wagenius made multiple attempts to extort $500,000 from a major telecommunications company while threatening to leak call records of high-ranking public officials, according to court documents filed in February.
“[Wagenius’] greatest significance is in how absolutely destroyed he’s getting,” Nixon said, adding that he was part of a gang that made threats against Nixon and Unit221B, which specializes in breaking the anonymity of English-speaking cybercriminals.
“He was in the Army, living on base in Texas, when he leaked the hacked call records of President Trump and his family in a failed bid to extort AT&T,” Nixon said. “He pled guilty without even a plea bargain, and the government might still file additional charges. Amazing.”
Authorities did not name Wagenius’ alleged victims in court filings. AT&T in July confirmed cybercriminals accessed the company’s Snowflake environment in April and stole six months of phone and text records of “nearly all” of its customers.
Wagenius’ alleged co-conspirators, Connor Moucka and John Binns, were indicted in November for allegedly extorting more than 10 organizations after breaking into cloud platforms used by AT&T and other major companies. Moucka, a Canadian citizen, consented to extradition to the United States in March to face 20 federal charges stemming from his alleged involvement in a series of attacks targeting as many as 165 Snowflake customers, one of the most widespread and damaging attack sprees on record.
Some of the records allegedly in Wagenius’ possession were stolen in the attack spree on Snowflake customer databases, according to cybercrime researchers. Federal law enforcement also found evidence on seized Wagenius’ devices indicating he had access to thousands of stolen identification documents and large amounts of cryptocurrency.
Justice Department officials said Wagnius and his co-conspirators attempted to extort at least $1 million from victim data owners. “They successfully sold at least some of this stolen data and also used stolen data to perpetuate other frauds, including SIM-swapping,” officials said in a news release.
“Cybercriminals are shockingly slow to update their threat model, and still operate on the assumption that they won’t be jailed and will get a job in the industry afterwards,” Nixon said. “As multi-decade sentences pile up, reality will set in: Brazen cybercriminals are much more likely to die in prison than they used to, and anonymity isn’t real.”
Authorities and researchers are intensifying warnings about active exploitation and pervasive scanning of a critical vulnerability affecting multiple versions of Citrix NetScaler products.
There is now widespread agreement among security professionals that the critical vulnerability, CVE-2025-5777, which Citrix disclosed June 17, is serious and harkens back to a 2023 defect in the same products: “CitrixBleed,” or CVE-2023-4966. Naturally, threat hunters are scrambling to assess and stop the strikingly similar challenges summoned by exploits of the newest CVE.
For some Citrix customers, the warnings are too late. Vulnerability scans confirm active exploits occurred within a week of disclosure, and attackers have been swarming, hunting for exposed instances of the impacted devices since exploit details were publicly released earlier this month.
“This vulnerability in Citrix NetScaler ADC and Gateway systems, also referred to as CitrixBleed 2, poses a significant, unacceptable risk to the security of the federal civilian enterprise,” Chris Butera, acting executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency, said in a statement. CISA added the exploit to its known exploited vulnerabilities catalog on July 10.
“As America’s cyber defense agency and the operational lead for federal civilian cybersecurity, CISA is taking urgent action by directing agencies to patch within 24 hours and we encourage all organizations to patch right away,” Butera added. The agency typically requires agencies to resolve “high risk” vulnerabilities within 30 days and “critical risk” vulnerabilities within 15 days.
The pre-authentication remote memory disclosure vulnerability, which has a CVSS score of 9.3, has been increasingly targeted for attacks globally. Imperva researchers on Friday said they’ve observed more than 11.5 million attack attempts targeting thousands of sites since the exploit was disclosed.
“Attackers appear to be scanning extensively for exposed instances and attempting to exploit the memory-leak vulnerability to harvest sensitive data,” Imperva researchers said in a blog post.
Nearly 2 in 5 attack attempts have targeted sites in the financial services industry and 3 in 5 of those targeted sites are based in the United States, according to Imperva.
GreyNoise scans have observed 22 unique malicious IPs attempting to exploit CVE-2025-5777 thus far. The first malicious IP was observed June 23 and a spike of 11 unique malicious IPs was observed Friday.
“I haven’t seen any attrition yet. This could be as bad or even worse than CitrixBleed,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, told CyberScoop. “The attack is very repeatable and those systems rarely have network monitoring. They also aren’t regularly updated, so patching them may be an issue.”
The number of Citrix customers already impacted remains unknown and victims have yet to come forward.
“A lot of the attacks seem opportunistic, so there are likely multiple threat actors using the bug,” Childs said.
Citrix maintains there was no evidence of active exploitation when it disclosed the vulnerability. The vendor hasn’t shared much publicly in almost three weeks, other than an update in a June 26 blog post noting that CISA was aware of evidence of active exploitation. The company did not respond to a request for comment.
In the June blog post, Anil Shetty, senior vice president of engineering at NetScaler, disputed comparisons between CVE-2025-5777 and CVE-2023-4966. “While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related,” Shetty wrote. Cloud Software Group is the parent company of Citrix.
Researchers are also leveling criticism at Citrix for the relative ease by which an attacker can compromise a vulnerable instance of Citrix NetScaler with just a few requests.
‘“The term “CitrixBleed’ is used because the memory leak can be triggered repeatedly by sending the same payload, with each attempt leaking a new chunk of stack memory — effectively bleeding sensitive information,” Akamai Security Intelligence Group said in a blog post.
Akamai researchers described the root cause of the vulnerability as “an uninitialized login variable, combined with improper memory handling, lack of input validation and missing error handling in Citrix NetScaler’s authentication logic.”
Zach Edwards, an independent cybersecurity researcher, told CyberScoop that CVE-2025-5777 and CVE-2023-4966 are “extremely similar,” aside from subtle differences in the versions of NetScaler impacted.
“The fact that these pre-authentication vulnerabilities keep coming up, which can facilitate complete compromises, is disappointing to see,” Edwards said. “It’s unclear how these significant vulnerabilities keep making their way through development processes, but Citrix clients, especially in the government and enterprise sectors, should be demanding more and requiring additional public context about the steps Citrix takes to test its software prior to a release.”
In an era characterized by escalating cybersecurity threats, rapidly evolving technological landscapes, and heightened regulatory demands, organizations face significant pressure to modernize their Governance, Risk, and Compliance (GRC) practices. The federal government is also pivoting toward automation, with Policy-as-Code (PaC) becoming a foundational element in modern cybersecurity governance and compliance.
A critical driver accelerating this urgency is a recent executive order that explicitly underscores robust cybersecurity frameworks, continuous monitoring, and adaptive compliance strategies. In response, organizations must move toward adopting innovative solutions such as Policy-as-Code methodologies.
Aligning with the cyber EO
In June, the White House issued an executive order that directs the National Institute of Standards and Technology, the Cybersecurity and Infrastructure Security Agency, and the Office of Management and Budget to launch a pilot within one year that expresses federal cyber policy in a machine‑readable format. The same section instructs the Federal Acquisition Regulation Council to revise procurement rules so that by January 2027, agencies may buy only consumer IoT products whose Cyber Trust Mark can be parsed automatically.
This isn’t just a technical experiment: It’s a blueprint for the future of cyber governance. This is a decisive endorsement of automation-based compliance and signals a governmentwide expectation that policy implementation must be verifiable, scalable, and code-driven.
These deadlines extend beyond federal departments. Any company that sells software, cloud services, or connected devices to the public sector will soon need to prove that its security controls are written and enforced through machine‑readable rules. The fastest and most reliable way to supply that proof is Policy-as-Code. Teams that move early will gain an advantage when the new rules shape purchasing decisions. Teams that wait risk a backlog of manual controls and a shrinking share of government business.
What is Policy-as-Code?
Policy-as-Code refers to the practice of translating governance, risk management, and compliance policies into machine-readable formats by leveraging automation, and creating a more structured, dynamic, and scalable compliance environment. Policy-as-Code removes ambiguity from interpretation and puts security policies on equal footing with infrastructure and application logic. The result is a proactive compliance governance that scales as fast as today’s threats.
The Risk Management Framework (RMF) has long provided structured guidelines for organizations to categorize, select, implement, assess, authorize, and continuously monitor their information systems. However, traditional RMF processes often rely heavily on manual efforts, making them less responsive and increasingly prone to errors in today’s fast-paced digital environment.
As of today:
Release velocity has accelerated: Development teams merge code many times each day; manual assessment packages cannot keep pace.
Architectural complexity has grown: Hybrid clouds, containers, edge devices, and software‑as‑a‑service platforms create connections too dense for spreadsheet mapping.
Regulatory concurrency has intensified: Programs must show conformance with FISMA, FedRAMP, CMMC, the Secure Software Development Framework, multiple state privacy laws, and sector‑specific rules at the same time.
Policy-as-Code resolves these gaps because rules run continuously, update quickly, and leave a clear evidence trail.
Strategic benefits of implementing Policy-as-Code
Organizations adopting Policy-as-Code experience several transformative benefits, positioning themselves advantageously within a highly competitive regulatory environment:
Risk reduction: Automated enforcement minimizes risks associated with human error, improving compliance accuracy and reducing vulnerabilities.
Operational efficiency: Automating policy enforcement streamlines processes, significantly reducing the administrative burden and enabling teams to focus on strategic tasks rather than routine compliance checks.
Regulatory agility: When NIST updates a control catalog, teams change one file and push the update across every environment with a pull request.
Enhanced security posture: Real-time monitoring capabilities bolster an organization’s security posture, swiftly identifying and addressing potential threats or breaches.
Cost savings: By reducing the manual effort needed for compliance monitoring and enforcement, Policy-as-Code can lead to considerable cost reductions over time.
Greater resilience: Codified governance reduces ambiguity and enhances organizational readiness under stress.
Making it Work: practical steps for effective implementation
To effectively adopt Policy-as-Code and maximize its benefits, organizations should consider the following structured approach:
Comprehensive policy mapping and evaluation: Begin by evaluating every policy, regulation and policy applicable to your organization, map all the frameworks (e.g. NIST SP 800-53, ISO/IEC 27002 etc.) applicable to your organization, and assign a unique identifier to each of the mapped control. This mapping forms the foundation for robust automation.
Convert prose to machine‑readable schemas: Translate Word and PDF controls into structured formats such as OSCAL.
Integration into development pipelines: Evaluate and deploy specialized automation platforms capable of integrating seamlessly into existing DevSecOps workflows and lifecycle. These platforms should offer real-time compliance verification, automated remediation capabilities, and ensure continuous validation of compliance at every stage of the software development process, from initial coding through deployment and operation.
Ongoing monitoring and continuous improvement: Implement robust tools for continuous compliance monitoring. Regularly review and update policy logic to accommodate evolving regulatory landscapes and cybersecurity threats.
Automate evidence collection: Connect cloud APIs, container scanners, and endpoint telemetry to a central repository so evidence accrues automatically.
Training and capacity building: Invest in targeted training programs to equip your teams with the necessary technical and conceptual understanding of Policy-as-Code methodologies and Git workflows, and teach developer teams regulatory vocabulary.
Cultural alignment and leadership support: Actively cultivate a culture that values compliance automation and proactive risk management. Secure buy-in and sustained support from senior leadership to ensure smooth adoption and integration.
Pilot and iterate: Begin with a high-priority control (e.g., encryption at rest) and run a focused pilot. Measure its effectiveness, gather stakeholder feedback, and iterate. Success here builds momentum.
Inform and measure impact: Codified controls should feed into your broader risk dashboards and compliance reporting mechanisms, track policy coverage, mean time to remediation, audit hours saved, and defects prevented. Share results with executive stakeholders.
The road ahead
The future of cybersecurity governance clearly points toward increased automation, dynamic regulatory adaptation, and highly responsive compliance frameworks. Policy-as-Code is not merely a temporary trend but a fundamental shift in how organizations approach GRC. Soon, federal contracts may require delivery of not only human-readable SSPs but also machine-verifiable compliance packages. Audits may involve running scripts instead of reviewing PDFs. And AI-powered governance engines will cross-check deployments against codified policies in real time.
The EO’s emphasis on rules-as-code is just the beginning. The EO also sets timelines for managing AI vulnerabilities and adopting post‑quantum cryptography. Agencies must publish an AI vulnerability dataset by Nov. 1 and must transition to quantum‑resistant encryption by 2030.
The clock is ticking. Agencies must pilot rules as code by June 2026, and suppliers must attach machine-readable security labels by January 2027. Organizations that translate policy into executable pipelines now will close vulnerabilities faster, cut assessment costs, and enter bid rooms as trusted partners. Those that wait will face manual backlogs, increased expenses, and shrinking market share once the grace period ends. Policy-as-Code is no longer experimental, but an operational and compliance imperative that will distinguish tomorrow’s security-ready organizations from everyone else.
The future of cyber and AI governance won’t be documented; it will be deployed!
Ibrahim Waziri Jr. is a principal security product manager in Microsoft’s Cybersecurity, Cloud, AI & Trust Engineering Team, a cybersecurity fellow at New America, and an adjunct professor of cybersecurity at Marymount University.
