Threat Briefing — June 27, 2025

Weekly Threat Briefing - June 23 - June 27

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Trojanized SonicWall SSL VPN NetExtender Application  

Bottom Line: SonicWall, in coordination with Microsoft, disclosed a campaign where attackers created fake webpages to distribute a malicious version of the NetExtender VPN client designed for data theft. eSentire has observed and responded to this threat.

Microsoft Threat Intelligence (MSTIC) and SonicWall have identified a malicious campaign distributing a compromised version of SonicWall's SSL VPN NetExtender application through a fraudulent website. MSTIC has named the malicious application SilentRoute. The modified version (based on NetExtender v10.3.2.27), signed by "CITYLIGHT MEDIA PRIVATE LIMITED", contains altered components designed to bypass security validations and exfiltrate sensitive VPN configuration data. SilentRoute specifically targets usernames, passwords, and domain information, transmitting the stolen data to a remote server.

The attackers have modified two core executable files in the NetExtender package. The first file, NeService.exe, is a critical Windows service used by the NetExtender application to validate digital certificates of its components. In the trojanized version, the certificate validation logic is patched to always return success, allowing the malicious components to run even if validation fails. The second file, NetExtender.exe, contains custom code added by the attackers that is triggered when the victim clicks the “Connect” button. This code captures the user’s VPN credentials and configuration details and transmits them to a remote server. 

eSentire Threat Intelligence Analysis:

The successful installation of the trojanized NetExtender client results in the theft of VPN credentials, which attackers can leverage to gain unauthorized access to corporate networks. Such access may facilitate further malicious activities, including data theft, privilege escalation, and the deployment of additional malware. eSentire’s Threat Response Unit (TRU) observed an incident involving the installation of a trojanized version of SonicWall’s NetExtender VPN client. Since the malicious application is visually indistinguishable from the legitimate software, the risk of execution by end users is high.  

Although code signing is intended to verify the authenticity and integrity of software, this incident illustrates how attackers can exploit or circumvent this mechanism. In this case, the trojanized installer was signed using a digital certificate unrelated to SonicWall, undermining user trust. Therefore, code signing alone cannot guarantee software safety and must be supplemented with additional security measures such as runtime integrity verification, robust Endpoint Detection and Response (EDR) solutions, and enhanced user awareness to mitigate such sophisticated attacks. 

In response to the release of this report and eSentire's observations, the Threat Intelligence team issued an advisory titled "Trojanized SonicWall VPN Client Detected" on June 25th, 2025. The team has performed threat hunts across the customer base, and known Indicators of Compromise (IoCs) have been added to the eSentire Threat Intelligence Feed. Users should exercise caution when downloading software and ensure that all VPN clients are downloaded exclusively from official vendor websites such as sonicwall.com and mysonicwall.com. Additionally, organizations are advised to monitor Dark Web markets for any signs of compromised user credentials to proactively detect potential breaches.
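The point above about code signing, turned into a check a defender can run on an endpoint: the trojanized build carried a valid signature from an unrelated company, so a signature that merely validates is not enough and the signer subject must match the vendor as well. This is an added example, not code from SonicWall, Microsoft or eSentire; the install directory and the "SonicWall" signer pattern are assumptions, and the real signer name should be taken from a known-good NetExtender download.

```powershell
# Added example (not SonicWall's or eSentire's code): audit the signer of the two NetExtender binaries
# the briefing names. Install path and signer pattern are assumptions; adjust them to your environment.
$ExpectedSignerPattern = 'SonicWall'                                      # assumption: vendor subject pattern
$InstallDir = "${env:ProgramFiles(x86)}\SonicWall\SSL-VPN\NetExtender"    # assumption: default install path
$Binaries   = 'NeService.exe', 'NetExtender.exe'

function Test-VendorSignature {
    param([string]$Path, [string]$SignerPattern)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'NotFound'; Signer = $null; Verdict = 'SKIP' }
    }
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    # A chain that validates is not sufficient: the trojanized build was validly signed by an
    # unrelated company, so the signer subject must also match the expected vendor.
    $verdict = if ($sig.Status -eq 'Valid' -and $signer -match $SignerPattern) { 'OK' } else { 'ALERT' }
    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Signer     = $signer
        Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash   # for IoC comparison
        Verdict    = $verdict
    }
}

$results = foreach ($name in $Binaries) {
    Test-VendorSignature -Path (Join-Path $InstallDir $name) -SignerPattern $ExpectedSignerPattern
}
$results | Format-Table -AutoSize
if ($results.Verdict -contains 'ALERT') { exit 1 }   # non-zero exit code for use in a scheduled check
```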

Actively Exploited Citrix Vulnerability CVE-2025-6543 

Bottom Line: A critical unintended control flow and Denial-of-Service (DoS) vulnerability in NetScaler products (CVE-2025-6543) was disclosed and confirmed to be exploited in the wild. Organizations using vulnerable instances are recommended to apply relevant patches immediately.

On June 25th, 2025, Citrix publicly disclosed a critical security vulnerability, identified as CVE-2025-6543 (CVSS: 9.2). This vulnerability affects NetScaler ADC (previously Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway). CVE-2025-6543 is classified as a memory overflow vulnerability, which can lead to unintended control flow and result in a Denial of Service (DoS) condition. 

NetScaler ADC and NetScaler Gateway are extensively used across various organizations, including on-premises and cloud-based deployments. NetScaler ADC plays a key role in securing, optimizing, and managing web application traffic. NetScaler Gateway is primarily utilized for remote access, offering Single Sign-On (SSO) and user authentication for remote users, particularly within Citrix infrastructures. 

According to Citrix's official security bulletin, CVE-2025-6543 is a memory overflow (buffer overflow) flaw. A vulnerability of this type lets an attacker read from or write to memory locations that should be out of reach, disrupting the application's intended control flow. By manipulating memory in this way, an attacker could potentially gain control of the system, execute arbitrary commands, and achieve Remote Code Execution (RCE). Such memory corruption also commonly causes application crashes, leading to service unavailability.

Citrix clarified that exploitation of this vulnerability is only possible when the affected NetScaler appliances are configured as a Gateway (including VPN virtual servers, ICA Proxy, CVPN, or RDP Proxy) or as an AAA virtual server. The issue also impacts Secure Private Access deployments in on-premises and hybrid NetScaler environments. 

While Citrix confirmed that exploitation attempts of CVE-2025-6543 have been observed in the wild, no detailed technical information or publicly available Proof-of-Concept (PoC) exploit code has been released to date. The vulnerability can be mitigated by applying the released security patches. For further details regarding the vulnerability, refer to the security advisory published by eSentire Threat Intelligence team on June 26th, 2025. 

eSentire Threat Intelligence Analysis:

CVE-2025-6543 requires the NetScaler instance to be configured as a Gateway or AAA virtual server, a configuration that is common across many organizations. It also mirrors the prerequisite for the previously disclosed and widely exploited CVE-2023-4966 (CVSS score: 9.4), also known as CitrixBleed, which highlights the risk to similarly configured systems that remain vulnerable to CVE-2025-6543.

CVE-2023-4966 was disclosed on October 10th, 2023, as an unauthenticated sensitive information disclosure vulnerability impacting NetScaler ADC and NetScaler Gateway appliances. The flaw was exploited by LockBit 3.0 affiliates in November 2023. After acquiring session cookies, the attackers were able to establish an authenticated session with the NetScaler appliance without a username, password, or access to MFA tokens.

In addition to CVE-2025-6543, June also saw the disclosure of other vulnerabilities in NetScaler products. On June 17th, 2025, Citrix announced and released patches for CVE-2025-5777 (CVSS: 9.3) and CVE-2025-5349 (CVSS: 8.7). CVE-2025-5777 was dubbed Citrix Bleed 2 by security researcher Kevin Beaumont based on its similarities to CVE-2023-4966.

Given the confirmed exploitation of CVE-2025-6543, its potential to cause RCE and DoS, and the history of threat actors quickly weaponizing Citrix vulnerabilities, it is critical that organizations immediately apply all recommended patches and mitigations to protect their environments. Citrix noted that NetScaler ADC and NetScaler Gateway versions 12.1 and 13.0 are now End-of-Life (EoL); organizations using these versions are recommended to upgrade to a supported version immediately. 

eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2025-6543. The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities. 
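Because exploitation depends on the Gateway or AAA virtual server role described above, the first question for an owner of a NetScaler is whether that role is configured. The following added example (not Citrix's or eSentire's code) asks the appliance through its NITRO REST API; the management address is a placeholder, the `nsversion`, `vpnvserver` and `authenticationvserver` resource names and the `name`/`ipv46`/`port`/`curstate` fields are assumed from NITRO v1 conventions, and a read-only account should be used.

```powershell
# Added example (not Citrix's or eSentire's code): report whether a NetScaler carries the Gateway (VPN
# vserver) or AAA vserver role that CVE-2025-6543 exploitation requires. Assumes NITRO v1 over HTTPS.
$Nsip       = 'nsip.example.internal'                       # placeholder NSIP / management address
$Credential = Get-Credential -Message 'NetScaler read-only account'

function Get-NitroConfig {
    param([string]$Resource)
    $headers = @{
        'X-NITRO-USER' = $Credential.UserName
        'X-NITRO-PASS' = $Credential.GetNetworkCredential().Password
    }
    # NITRO answers {"errorcode":0,"message":"Done","<resource>":[...]}; the array is absent when empty
    Invoke-RestMethod -Method Get -Uri "https://$Nsip/nitro/v1/config/$Resource" -Headers $headers
}

$build       = (Get-NitroConfig -Resource 'nsversion').nsversion.version
$vpnVservers = @((Get-NitroConfig -Resource 'vpnvserver').vpnvserver | Where-Object { $_ })
$aaaVservers = @((Get-NitroConfig -Resource 'authenticationvserver').authenticationvserver | Where-Object { $_ })

"Build:                  $build"
"Gateway (VPN) vservers: $($vpnVservers.Count)"
"AAA vservers:           $($aaaVservers.Count)"
($vpnVservers + $aaaVservers) | Select-Object name, ipv46, port, curstate | Format-Table -AutoSize

if ($vpnVservers.Count -gt 0 -or $aaaVservers.Count -gt 0) {
    Write-Warning 'Gateway/AAA role present: treat this appliance as exposed until the fixed build is confirmed.'
} else {
    'No Gateway or AAA virtual server configured: the exploitation prerequisite is not met (still patch).'
}
```

Compare the reported build against the fixed builds listed in Citrix's bulletin; a 12.1 or 13.0 build is End-of-Life and must be upgraded rather than patched.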

China’s Salt Typhoon Hackers Target Canadian Telecom Firms  

Bottom Line: The Canadian Centre for Cyber Security (CCCS) and the FBI released a joint advisory, warning of ongoing espionage-motivated attacks from the Chinese APT group Salt Typhoon, targeting Canadian telecommunications organizations.

On June 19th, 2025, the Canadian Centre for Cyber Security (CCCS) and the United States' Federal Bureau of Investigation (FBI) released a joint advisory providing details regarding ongoing espionage-related cyber-attacks targeting Canadian telecommunications companies. The reported attacks were attributed to the Chinese Advanced Persistent Threat (APT) group Salt Typhoon (aka FamousSparrow, Earth Estries, UNC2286), first observed in 2019 and believed to be linked to China's Ministry of State Security (MSS).

CCCS states that the initial attack against the Canadian telecommunications company was observed in February 2025, and that the threat actors exploited the vulnerability CVE-2023-20198 to gain initial access. CVE-2023-20198 (CVSS: 10) is a privilege escalation vulnerability in Cisco IOS XE software that allows a remote, unauthenticated attacker to create accounts on affected devices and gain administrator privileges, enabling further attacks. The vulnerability was initially disclosed on October 16th, 2023, and Cisco released a security patch to address it a few days later. According to CCCS, the threat actors exploited this vulnerability to retrieve the running configuration files from affected devices, modifying at least one of the files to configure a Generic Routing Encapsulation (GRE) tunnel to enable "traffic collection from the network".

CCCS highlights that it has observed overlapping Salt Typhoon indicators in separate investigations reported by its partners and in industry reporting, suggesting that Salt Typhoon is targeting a broader range of industries and not just the telecommunications sector. CCCS also notes that the targeting of Canadian devices may "allow the threat actors to collect information from the victim's internal network, or use the victim's device to enable the compromise of further victims".

eSentire Threat Intelligence Analysis:

Telecommunications companies are valuable and high-priority targets for espionage-related cyber-attacks, as these organizations are considered to be key sources of foreign intelligence collection. Telecommunications Service Providers (TSPs) carry telecommunications traffic and can collect and store large amounts of customer data, which may be perceived to have high intelligence value by threat actors. Within their advisory, CCCS and the FBI note that threat actors “persistently compromised TSPs globally, often as part of broad and long-running intelligence programs to exfiltrate bulk customer data and collect information on high-value targets of interest”. 

Salt Typhoon has a history of targeting telecommunications providers, especially those within the United States, to conduct espionage-related attacks. In October 2024, Salt Typhoon compromised several United States-based telecommunication companies, including AT&T, Lumen, and Verizon, through the exploitation of vulnerabilities found within Cisco routers. This compromise, considered to be one of the most "damaging series of cyberattacks" against the U.S., granted the threat actors access to call, text message, and communications metadata of customers, including Donald Trump, JD Vance, and Kamala Harris. The attack may have also enabled the threat actors to gain access to systems that store data requests by the U.S. government, including "potential identities of Chinese targets of U.S. surveillance". In December 2024, Chinese officials denied the claims that Salt Typhoon is affiliated with the Chinese government.

CCCS reported that Salt Typhoon gained initial access by exploiting CVE-2023-20198, a vulnerability for which a patch has been available since October 2023. Reports indicate that Salt Typhoon has been known to exploit this vulnerability, along with older vulnerabilities in Cisco products, to gain initial access. APT groups have demonstrated a pattern of exploiting older, previously patched vulnerabilities, especially in critical edge devices, because organizations often fail to update the devices and applications in their environment, potentially due to inadequate patch management processes.

Organizations should ensure that a robust patch management policy is in place, which can enable the detection and mitigation of critical vulnerabilities that may be present in an environment, with a focus on edge devices and publicly facing assets. Organizations should also ensure that Endpoint Detection and Response (EDR) tools are deployed within their environment, which can be used to detect and contain threats. eSentire's Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2023-20198. eSentire's Threat Response Unit (TRU) published an advisory for CVE-2023-20198 on October 17th, 2023, urging organizations to apply relevant security patches or mitigations, as there were ongoing reports of exploitation in the wild. 
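The two post-exploitation artifacts CCCS describes, an added administrator account and a GRE tunnel written into the running configuration, are both visible in a plain `show running-config` export, so a periodic scan of exported configs is a practical detection to pair with patching. The script below is an added example, not CCCS's, Cisco's or eSentire's code; the configuration text is constructed for the demonstration (with `$9$placeholder` standing in for real secrets) and the approved-admin list is an assumption you replace with your own.

```powershell
# Added example (not CCCS's or Cisco's code): scan an IOS XE running-config export for an unapproved
# privilege-15 local account and for tunnel interfaces, the artifacts the advisory describes.
$ApprovedAdmins = @('netops')                      # assumption: your sanctioned privilege-15 accounts

# Constructed sample config for the demo; in practice read the output of "show running-config"
$RunningConfig = @'
hostname edge-rtr-01
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
interface GigabitEthernet1
 ip address 192.0.2.10 255.255.255.0
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.7
end
'@

function Find-EdgeDeviceArtifacts {
    param([string]$Config, [string[]]$Approved)
    $findings = New-Object System.Collections.Generic.List[string]
    $tunnel = $null
    # 'end' is appended so the final interface block is always closed
    foreach ($line in (($Config -split "`r?`n") + 'end')) {
        if ($null -ne $tunnel -and $line -match '^\S') {
            # any non-indented line closes the interface block; IOS tunnels default to GRE over IP
            $findings.Add("Tunnel $($tunnel.Name) -> $($tunnel.Dest), mode: $($tunnel.Mode)")
            $tunnel = $null
        }
        if ($line -match '^username\s+(\S+)\s+privilege\s+15\b') {
            if ($Approved -notcontains $Matches[1]) { $findings.Add("Unapproved privilege-15 account: $($Matches[1])") }
        }
        elseif ($line -match '^interface\s+(Tunnel\d+)') {
            $tunnel = @{ Name = $Matches[1]; Dest = 'unset'; Mode = 'gre ip (default)' }
        }
        elseif ($null -ne $tunnel -and $line -match '^\s+tunnel destination\s+(\S+)') { $tunnel.Dest = $Matches[1] }
        elseif ($null -ne $tunnel -and $line -match '^\s+tunnel mode\s+(.+)$')        { $tunnel.Mode = $Matches[1].Trim() }
    }
    return $findings
}

$findings = @(Find-EdgeDeviceArtifacts -Config $RunningConfig -Approved $ApprovedAdmins)
if ($findings.Count -eq 0) { 'No unapproved admin accounts or tunnel interfaces found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

On the constructed config this reports the `svc_backup` account and `Tunnel0` with destination 198.51.100.7; a tunnel destination outside your known peer list is the line to investigate.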

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.