All CISA Advisories

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.   

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Siemens IAM Client

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).


1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform man-in-the-middle attacks.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295

The IAM client in affected products is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack.

CVE-2025-40800 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40800. A base score of 9.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
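What a correct server-certificate check looks like, as an added example in Go; this is not Siemens' code, and nothing in it is drawn from the affected IAM client. It issues two self-signed certificates for a placeholder authorization-server name, auth.example.internal: one is pinned as the trusted root, the other stands in for a man-in-the-middle that presents its own certificate for the same name. The vulnerable path accepts whatever the peer presents. The hardened path requires a chain to the pinned root, a SAN match on the intended host name and the serverAuth key usage, which is exactly what Go's TLS client enforces when RootCAs and ServerName are set and InsecureSkipVerify is left false.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCert issues an in-memory self-signed certificate for host.
// The same routine produces the legitimate authorization server's certificate
// and the impersonator's: both are well-formed, and only the client's trust
// store and hostname check can tell them apart.
func newSelfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it can be pinned as its own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// acceptServerVulnerable models the flaw: whatever certificate the peer
// presents is accepted, so an attacker on the path can terminate the TLS
// session with a certificate of their own.
func acceptServerVulnerable(presented *x509.Certificate, host string) bool {
	return presented != nil
}

// acceptServerHardened is the check the client must do: the presented
// certificate has to chain to a trusted root, carry the intended host name
// in its SAN, and be usable for server authentication.
func acceptServerHardened(presented *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// clientTLSConfig expresses the same policy as a tls.Config: Go's TLS client
// performs the checks above when RootCAs and ServerName are set and
// InsecureSkipVerify stays false (setting it to true reproduces the flaw).
func clientTLSConfig(host string, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		ServerName:         host,
		RootCAs:            roots,
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: false,
	}
}

func main() {
	const host = "auth.example.internal" // placeholder name for the authorization server
	legit, err := newSelfSignedCert(host)
	if err != nil {
		panic(err)
	}
	rogue, err := newSelfSignedCert(host) // attacker's certificate: same name, untrusted key
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(legit)

	fmt.Println("vulnerable client accepts rogue cert:", acceptServerVulnerable(rogue, host))
	fmt.Println("hardened client accepts legit cert:  ", acceptServerHardened(legit, host, roots) == nil)
	fmt.Println("hardened client rejects rogue cert:  ", acceptServerHardened(rogue, host, roots))
	fmt.Println("hardened client rejects wrong host:  ", acceptServerHardened(legit, "other.example.internal", roots))
	_ = clientTLSConfig(host, roots)
}
```

The last check in main, a genuine certificate presented under a different name, is the one clients most often forget: chain validation without hostname matching still lets any certificate from the trusted issuer impersonate the authorization server.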

3.3 BACKGROUND

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-868571 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

Siemens Energy Services


1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability will allow an attacker to reset the Admin password.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288

On Elspec G5 devices through 1.2.2.19, a person with physical access to the device can reset the Admin password by inserting a USB drive (containing a publicly documented reset string) into a USB port.

CVE-2025-59392 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-59392. A base score of 7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-734261 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

Johnson Controls iSTAR


1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in unauthorized access to the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports the following products are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Neutralization of Special Elements used in an OS Command CWE-78

Under certain circumstances a successful exploitation of this vulnerability could result in access to the device.

CVE-2025-43875 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-43875. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Improper Neutralization of Special Elements used in an OS Command CWE-78

Under certain circumstances a successful exploitation of this vulnerability could result in access to the device.

CVE-2025-43876 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-43876. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

3.4 RESEARCHER

Johnson Controls reported these vulnerabilities to CISA.

4. MITIGATIONS

Johnson Controls recommends users complete the following actions to address these issues:

For detailed mitigation instructions, see the Johnson Controls Product Security Advisories JCI-PSA-2025-14 and JCI-PSA-2025-15. Johnson Controls recommends implementing measures to minimize risks to all building automation systems.

Further ICS security notices and product security guidance are located at the Johnson Controls product security website.

Contact Johnson Controls Global Product Security.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

Varex Imaging Panoramic Dental Imaging Software


1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a standard user to obtain NT Authority/SYSTEM privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following AJAT dental imaging software (owned by Varex Imaging) containing vulnerable SDKs is affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The AJAT Panoramic Dental Imaging Software SDK is vulnerable to DLL hijacking, which may allow an attacker to obtain NT Authority/SYSTEM as a standard user.

CVE-2024-22774 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22774. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

3.4 RESEARCHER

Damian Semon Jr. of Blue Team Alpha Inc reported this vulnerability to CISA.

4. MITIGATIONS

Varex Imaging, which acquired Direct Conversion Ltd (formerly Oy AJAT Ltd), has provided a software patch for this vulnerability. Varex Imaging recommends users download the Panoramic Dental Imaging SW patch (https://vareximaging.sharepoint.com/:f:/r/sites/External/DetectorSW/Software/PC/SNAP/Ajat%20Dental%20SW?csf=1&web=1&e=hdFtCI). The files must be run on each workstation running the Panoramic Dental Imaging software. After downloading, users must run the file called AJAT_DENTAL_IMAGING_9.4.55.9888.exe.

For more information, contact Varex Imaging directly for assistance.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

Siemens Building X - Security Manager Edge Controller


1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to upload maliciously modified firmware onto the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347

Affected devices do not properly check the integrity of firmware updates. This could allow a local attacker to upload maliciously modified firmware onto the device. In a second scenario, a remote attacker who is able to intercept the transfer of valid firmware from the server to the device could modify the firmware "on the fly".

CVE-2022-31807 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2022-31807. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
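How a device can tell genuine firmware from modified firmware, as an added example in Go; it is not Siemens' code, and the container format, key type and checks are assumptions, not the product's. The vendor signs the image with an Ed25519 key that never leaves the build pipeline, and the device pins the matching public key. The CRC-only acceptance path models an integrity check that an on-path attacker defeats by recomputing the checksum after modifying the transfer; the hardened path also verifies the signature, which the attacker cannot forge, and for the same reason rejects an image a local attacker signed with a key of their own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"hash/crc32"
)

// FirmwareImage is the constructed update container used here: the payload
// plus a CRC32 and a detached Ed25519 signature over the payload.
type FirmwareImage struct {
	Payload   []byte
	CRC       uint32
	Signature []byte
}

// vendorSign is the build-pipeline step; the signing key never leaves the vendor.
func vendorSign(priv ed25519.PrivateKey, payload []byte) FirmwareImage {
	return FirmwareImage{
		Payload:   payload,
		CRC:       crc32.ChecksumIEEE(payload),
		Signature: ed25519.Sign(priv, payload),
	}
}

// tamperOnTheFly models the advisory's second scenario: an attacker who can
// intercept the transfer overwrites the start of the payload and recomputes
// every field that needs no secret. The signature is left as-is because
// re-signing needs the vendor's private key.
func tamperOnTheFly(img FirmwareImage, patch []byte) FirmwareImage {
	p := append([]byte(nil), img.Payload...)
	copy(p, patch)
	img.Payload = p
	img.CRC = crc32.ChecksumIEEE(p)
	return img
}

// acceptFirmwareVulnerable is an integrity check in name only: a CRC detects
// transmission errors, not an adversary, because anyone can recompute it.
func acceptFirmwareVulnerable(img FirmwareImage) error {
	if crc32.ChecksumIEEE(img.Payload) != img.CRC {
		return errors.New("crc mismatch")
	}
	return nil
}

// acceptFirmwareHardened additionally requires a valid signature under the
// vendor public key pinned in the device. A CRC match is necessary, not sufficient.
func acceptFirmwareHardened(img FirmwareImage, vendorPub ed25519.PublicKey) error {
	if err := acceptFirmwareVulnerable(img); err != nil {
		return err
	}
	if len(img.Signature) != ed25519.SignatureSize || !ed25519.Verify(vendorPub, img.Payload, img.Signature) {
		return errors.New("firmware rejected: not signed by the vendor key")
	}
	return nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)

	genuine := vendorSign(vendorPriv, []byte("constructed firmware payload v1.0"))
	intercepted := tamperOnTheFly(genuine, []byte("BACKDOORED"))
	local := vendorSign(attackerPriv, []byte("firmware built and signed by a local attacker"))

	fmt.Println("genuine, hardened:        ", acceptFirmwareHardened(genuine, vendorPub))
	fmt.Println("tampered, crc-only:       ", acceptFirmwareVulnerable(intercepted)) // accepted: checksum recomputed
	fmt.Println("tampered, hardened:       ", acceptFirmwareHardened(intercepted, vendorPub))
	fmt.Println("attacker-signed, hardened:", acceptFirmwareHardened(local, vendorPub))
}
```

The signature must be checked before any byte of the image is written to flash or executed, and the public key must live in storage the update path cannot overwrite; a verifier whose trust anchor ships inside the update it is verifying is no verifier at all.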

3.3 BACKGROUND

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-420375 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

Siemens SINEMA Remote Connect Server


1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated attacker to impersonate the server, potentially enabling man-in-the-middle attacks, traffic decryption, or unauthorized access to services that trust these certificates.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

Affected applications contain private SSL/TLS keys on the server that are not properly protected, allowing any user with server access to read these keys. This could allow an authenticated attacker to impersonate the server, potentially enabling man-in-the-middle attacks, traffic decryption, or unauthorized access to services that trust these certificates.

CVE-2025-40818 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
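A check for the condition in 3.2.1, as an added example in Go; it is not Siemens' code and assumes a POSIX file system where the key files are named *.key or *.pem. It flags any private key whose mode grants group or world access, fixes the mode to 0600, and audits a directory for offenders; main writes a constructed placeholder key under a temporary directory to show both outcomes.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// checkPrivateKeyMode fails if anyone other than the file owner can read or
// write the key: any group/other permission bit is a finding. On a POSIX
// system the expected mode is 0600 (or 0400).
func checkPrivateKeyMode(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", path)
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%s: mode %04o grants access beyond the owner", path, perm)
	}
	return nil
}

// hardenPrivateKey is the remediation for a flagged file: owner read/write only.
func hardenPrivateKey(path string) error {
	return os.Chmod(path, 0o600)
}

// auditKeyDir runs the check over the usual key file names under dir and
// returns the paths that fail it.
func auditKeyDir(dir string) ([]string, error) {
	var offenders []string
	for _, pattern := range []string{"*.key", "*.pem"} {
		matches, err := filepath.Glob(filepath.Join(dir, pattern))
		if err != nil {
			return nil, err
		}
		for _, m := range matches {
			if checkPrivateKeyMode(m) != nil {
				offenders = append(offenders, m)
			}
		}
	}
	return offenders, nil
}

func main() {
	dir, err := os.MkdirTemp("", "tlskeys")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed placeholder key, left the way a careless installer would leave it.
	weak := filepath.Join(dir, "server.key")
	if err := os.WriteFile(weak, []byte("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"), 0o644); err != nil {
		panic(err)
	}
	os.Chmod(weak, 0o644) // explicit: the mode passed to WriteFile is subject to the umask

	before, _ := auditKeyDir(dir)
	fmt.Println("offenders before:", before)
	for _, p := range before {
		hardenPrivateKey(p)
	}
	after, _ := auditKeyDir(dir)
	fmt.Println("offenders after: ", after)
}
```

Run the audit against the directory where the server's TLS material actually lives, and treat a key that was readable at any point as exposed: the check only describes the present, so a flagged key should be rotated, not merely re-permissioned.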

3.2.2 INCORRECT AUTHORIZATION CWE-863

Affected applications do not properly validate license restrictions against the database, allowing direct modification of the system_ticketinfo table to bypass license limitations without proper enforcement checks. This could allow an attacker with database access to circumvent licensing restrictions by directly modifying database values and potentially enabling unauthorized use beyond the permitted scope.

CVE-2025-40819 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

3.3 BACKGROUND

3.4 RESEARCHER

Siemens ProductCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-626856 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

2025 CWE Top 25 Most Dangerous Software Weaknesses

The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by the MITRE Corporation, has released the 2025 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses. This annual list identifies the most critical weaknesses adversaries exploit to compromise systems, steal data, or disrupt services. 

Prioritizing the weaknesses outlined in the Top 25 is integral to CISA’s Secure by Design and Secure by Demand initiatives, which promote building and procuring secure technology solutions. CISA and MITRE encourage organizations to review this list and use it to inform their respective software security strategies.

The 2025 CWE Top 25:

Recommendations for Stakeholders:

By shining a light on the most dangerous software weaknesses, CISA and MITRE reinforce collective efforts to reduce vulnerabilities at the source, strengthen national cybersecurity, and improve long-term resilience. For details, refer to the 2025 CWE Top 25.

Cybersecurity Performance Goals 2.0 for Critical Infrastructure

Today, CISA released updated Cross-Sector Cybersecurity Performance Goals (CPG 2.0) with measurable actions for critical infrastructure owners and operators to achieve a foundational level of cybersecurity. 

This update incorporates lessons learned, aligns with the most recent National Institute of Standards and Technology Cybersecurity Framework revisions, and addresses the most common and impactful threats facing critical infrastructure today.  

CPG 2.0 includes a new component focused on the essential role of governance in managing cybersecurity. It emphasizes accountability, risk management, and strategic integration of cybersecurity into day-to-day operations, reinforcing the principle that effective governance is the cornerstone of a resilient cyber posture.  

CPGs are streamlined and outcome-driven cybersecurity protections for information technology and operational technology environments and provide:  

For more information, see the CPG 2.0 and Cross-Sector Cybersecurity Performance Goals pages on cisa.gov.

Grassroots DICOM (GDCM)


1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to craft a malicious DICOM file and, if opened, could crash the application resulting in a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following open source products and specified components are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write vulnerability exists in the Grassroots DICOM library (GDCM). The issue is triggered during parsing of a malformed DICOM file containing encapsulated PixelData fragments (compressed image data stored as multiple fragments). This vulnerability leads to a segmentation fault caused by an out-of-bounds memory access due to unsigned integer underflow in buffer indexing. It is exploitable via file input: simply opening a crafted malicious DICOM file is sufficient to trigger the crash, resulting in a denial-of-service condition.

CVE-2025-11266 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2025-11266. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N).
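A fragment parser exhibiting the pattern the advisory describes, beside the bounded version, as an added example in Go; it is not GDCM's code. The layout follows the DICOM encapsulated Pixel Data item structure (an 8-byte item header of tag and 32-bit length, an offset table first, then fragments, then a sequence delimiter), and the sample inputs are constructed, not real files. The vulnerable parser trusts the 32-bit fragment length from the file, so a crafted length makes the end index wrap below the start index and the slice expression goes out of range. Go reports that as a recovered panic; the same arithmetic in C reads and writes past the buffer, which is the segmentation fault described above. The hardened parser compares every declared length against the bytes actually remaining before it slices.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Encapsulated Pixel Data is a sequence of items, each an 8-byte header
// (tag + 32-bit length, little-endian) followed by data. The first item is the
// Basic Offset Table, the rest are fragments, and (FFFE,E0DD) ends the sequence.
const (
	itemTag     = 0xE000FFFE // bytes FE FF 00 E0 = (FFFE,E000) Item
	seqDelimTag = 0xE0DDFFFE // bytes FE FF DD E0 = (FFFE,E0DD) Sequence Delimitation Item
)

// parseFragmentsVulnerable trusts the declared length. A length that does not
// fit in the remaining buffer makes pos+length wrap (unsigned arithmetic) and
// the slice bounds go out of range. Go turns that into a panic, recovered here
// so the caller sees it; in C the same arithmetic is a segmentation fault.
func parseFragmentsVulnerable(buf []byte) (items [][]byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			items, err = nil, fmt.Errorf("crash: %v", r)
		}
	}()
	var pos uint32
	for {
		tag := binary.LittleEndian.Uint32(buf[pos:])
		length := binary.LittleEndian.Uint32(buf[pos+4:])
		pos += 8
		if tag == seqDelimTag {
			return items, nil
		}
		if tag != itemTag {
			return nil, fmt.Errorf("unexpected tag %08x", tag)
		}
		items = append(items, buf[pos:pos+length]) // pos+length can wrap below pos
		pos += length
	}
}

// parseFragmentsHardened bounds every read against what is actually left in
// the buffer before touching it, and rejects the reserved undefined length.
func parseFragmentsHardened(buf []byte) ([][]byte, error) {
	var items [][]byte
	pos := 0
	for {
		if len(buf)-pos < 8 {
			return nil, errors.New("truncated item header")
		}
		tag := binary.LittleEndian.Uint32(buf[pos:])
		length := binary.LittleEndian.Uint32(buf[pos+4:])
		pos += 8
		switch tag {
		case seqDelimTag:
			if length != 0 {
				return nil, errors.New("sequence delimiter must have zero length")
			}
			return items, nil
		case itemTag:
			if length == 0xFFFFFFFF {
				return nil, errors.New("fragment with undefined length")
			}
			if uint64(length) > uint64(len(buf)-pos) {
				return nil, fmt.Errorf("fragment length %d exceeds the %d bytes remaining", length, len(buf)-pos)
			}
			items = append(items, buf[pos:pos+int(length)])
			pos += int(length)
		default:
			return nil, fmt.Errorf("unexpected tag %08x", tag)
		}
	}
}

// item and delimiter build constructed input; they do not produce real DICOM files.
func item(declaredLen uint32, data []byte) []byte {
	h := make([]byte, 8)
	binary.LittleEndian.PutUint32(h, itemTag)
	binary.LittleEndian.PutUint32(h[4:], declaredLen)
	return append(h, data...)
}

func delimiter() []byte {
	h := make([]byte, 8)
	binary.LittleEndian.PutUint32(h, seqDelimTag)
	return h
}

// goodEncapsulated: empty offset table followed by two well-formed fragments.
func goodEncapsulated() []byte {
	var b []byte
	b = append(b, item(0, nil)...)
	b = append(b, item(4, []byte{1, 2, 3, 4})...)
	b = append(b, item(2, []byte{5, 6})...)
	return append(b, delimiter()...)
}

// badEncapsulated: the second item declares 0xFFFFFFF0 bytes but carries two.
func badEncapsulated() []byte {
	var b []byte
	b = append(b, item(0, nil)...)
	b = append(b, item(0xFFFFFFF0, []byte{9, 9})...)
	return append(b, delimiter()...)
}

func main() {
	_, vErr := parseFragmentsVulnerable(badEncapsulated())
	_, hErr := parseFragmentsHardened(badEncapsulated())
	fmt.Println("vulnerable:", vErr)
	fmt.Println("hardened:  ", hErr)
}
```

The comparison in the hardened parser is done in 64-bit arithmetic on purpose: computing pos+length in the file's own 32-bit width, even for the check itself, reintroduces the wrap the check is meant to catch.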

3.3 BACKGROUND

3.4 RESEARCHER

Morgen Malinoski reported this vulnerability to CISA.

4. MITIGATIONS

The maintainer of the software recommends users update Grassroots DICOM (GDCM) to v3.2.2 or later from the main GitHub repository.

SimpleITK and medInria have both released fixes for the vulnerability.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

OpenPLC_V3


1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in the alteration of PLC settings or the upload of malicious programs.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of OpenPLC_V3 are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

OpenPLC_V3 is vulnerable to a cross-site request forgery (CSRF) attack due to the absence of proper CSRF validation. This issue allows an unauthenticated attacker to trick a logged-in administrator into visiting a maliciously crafted link, potentially enabling unauthorized modification of PLC settings or the upload of malicious programs which could lead to significant disruption or damage to connected systems.

CVE-2025-13970 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-13970. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:H).
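The token check whose absence the advisory describes, as an added example in Go; OpenPLC_V3 is not written in Go and this is not its code. Two handlers guard the same constructed settings store. The vulnerable one trusts the session cookie alone, so a GET the administrator is lured into loading changes PLC settings; the hardened one requires a POST carrying the CSRF token bound to the session, which a cross-site page cannot read. Requests are dispatched in-process with net/http/httptest, so the block runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// session is the server-side login state; the CSRF token is bound to it.
// A forged cross-site request carries the session cookie automatically but
// cannot read the token, which only pages served by the site embed.
type session struct{ csrfToken string }

var sessions = map[string]*session{}

// plcSettings stands in for the PLC configuration the handlers modify.
var plcSettings = map[string]string{"start_mode": "normal"}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// newSession logs an administrator in and returns the session cookie value.
func newSession() string {
	id := randomHex(16)
	sessions[id] = &session{csrfToken: randomHex(16)}
	return id
}

func authenticated(r *http.Request) *session {
	c, err := r.Cookie("session")
	if err != nil {
		return nil
	}
	return sessions[c.Value]
}

// vulnerableSettingsHandler changes settings for any request that carries a
// valid session cookie, including a GET triggered by a link the admin clicks.
func vulnerableSettingsHandler(w http.ResponseWriter, r *http.Request) {
	if authenticated(r) == nil {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	plcSettings["start_mode"] = r.FormValue("start_mode")
	w.WriteHeader(http.StatusOK)
}

// hardenedSettingsHandler accepts state changes only via POST and only when
// the submitted token matches the one bound to the session.
func hardenedSettingsHandler(w http.ResponseWriter, r *http.Request) {
	sess := authenticated(r)
	if sess == nil {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	if r.Method != http.MethodPost {
		http.Error(w, "state changes require POST", http.StatusMethodNotAllowed)
		return
	}
	if subtle.ConstantTimeCompare([]byte(r.FormValue("csrf_token")), []byte(sess.csrfToken)) != 1 {
		http.Error(w, "missing or invalid CSRF token", http.StatusForbidden)
		return
	}
	plcSettings["start_mode"] = r.FormValue("start_mode")
	w.WriteHeader(http.StatusOK)
}

// browserRequest builds what the admin's browser sends: the cookie rides along
// whether the request originates from the real UI or from an attacker's page.
func browserRequest(method, cookie string, form url.Values) *http.Request {
	var req *http.Request
	if method == http.MethodGet {
		req = httptest.NewRequest(method, "/settings?"+form.Encode(), nil)
	} else {
		req = httptest.NewRequest(method, "/settings", strings.NewReader(form.Encode()))
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	}
	req.AddCookie(&http.Cookie{Name: "session", Value: cookie})
	return req
}

// send dispatches a request to a handler in-process and returns the status code.
func send(h http.HandlerFunc, req *http.Request) int {
	rr := httptest.NewRecorder()
	h(rr, req)
	return rr.Code
}

func main() {
	cookie := newSession()
	forged := url.Values{"start_mode": {"attacker"}} // no token: the attacker cannot know it
	fmt.Println("vulnerable, forged GET:", send(vulnerableSettingsHandler, browserRequest(http.MethodGet, cookie, forged)), plcSettings["start_mode"])
	plcSettings["start_mode"] = "normal"
	fmt.Println("hardened, forged GET:  ", send(hardenedSettingsHandler, browserRequest(http.MethodGet, cookie, forged)))
	fmt.Println("hardened, forged POST: ", send(hardenedSettingsHandler, browserRequest(http.MethodPost, cookie, forged)))
	legit := url.Values{"start_mode": {"normal"}, "csrf_token": {sessions[cookie].csrfToken}}
	fmt.Println("hardened, legit POST:  ", send(hardenedSettingsHandler, browserRequest(http.MethodPost, cookie, legit)))
}
```

A SameSite attribute on the session cookie is worth adding as a second layer, but Lax still attaches the cookie to top-level GET navigations, so an endpoint that changes state on GET stays exploitable by a plain link; refusing GET for state changes and checking the per-session token are the controls.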

3.3 BACKGROUND

3.4 RESEARCHER

Muhammad Ali and Anthony Marrongelli of University of Central Florida (UCF) reported this vulnerability to CISA.

4. MITIGATIONS

Pull request #310 resolves this issue. Users are advised to update OpenPLC_V3 to pull request #310 or later from the main GitHub repository.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

AzeoTech DAQFactory

View CSAF

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of these vulnerabilities requires an attacker to upload a malicious .ctl file. This could lead to information disclosure or arbitrary code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following releases of AzeoTech DAQFactory, a software and application development platform, are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

In AzeoTech DAQFactory release 20.7 (Build 2555), an Out-of-bounds Write vulnerability can be exploited by an attacker to cause the program to write data past the end of an allocated memory buffer. This can lead to arbitrary code execution or a system crash.

CVE-2025-66590 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-66590. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS READ CWE-125

In AzeoTech DAQFactory release 20.7 (Build 2555), an Out-of-bounds Read vulnerability can be exploited by an attacker to cause the program to read data past the end of an allocated buffer. This could allow an attacker to disclose information or cause a system crash.

CVE-2025-66589 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-66589. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 ACCESS OF UNINITIALIZED POINTER CWE-824

In AzeoTech DAQFactory release 20.7 (Build 2555), an Access of Uninitialized Pointer vulnerability can be exploited by an attacker which can lead to arbitrary code execution.

CVE-2025-66588 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-66588. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 HEAP-BASED BUFFER OVERFLOW CWE-122

In AzeoTech DAQFactory release 20.7 (Build 2555), the affected application is vulnerable to memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process.

CVE-2025-66587 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-66587. A base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE ('TYPE CONFUSION') CWE-843

In AzeoTech DAQFactory release 20.7 (Build 2555), an Access of Resource Using Incompatible Type vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process.

CVE-2025-66586 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-66586. A base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.6 USE AFTER FREE CWE-416

In AzeoTech DAQFactory release 20.7 (Build 2555), a Use After Free vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process.

CVE-2025-66585 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-66585. A base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.7 STACK-BASED BUFFER OVERFLOW CWE-121

In AzeoTech DAQFactory release 20.7 (Build 2555), a Stack-Based Buffer Overflow vulnerability can be exploited to cause memory corruption while parsing specially crafted .ctl files. This could allow an attacker to execute code in the context of the current process.

CVE-2025-66584 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-66584. A base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

3.4 RESEARCHER

Michael Heinzl reported vulnerabilities CVE-2025-66590, CVE-2025-66589, CVE-2025-66588, and CVE-2025-66585 to CISA.

ZDI reported vulnerabilities CVE-2025-66590, CVE-2025-66587, CVE-2025-66586, CVE-2025-66585, and CVE-2025-66584 to CISA.

4. MITIGATIONS

AzeoTech has released the following update that addresses these issues:

AzeoTech also recommends users take the following actions to reduce the risk:

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

Siemens Advanced Licensing (SALT) Toolkit

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform man-in-the-middle attacks.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295

The SALT SDK is missing server certificate validation while establishing TLS connections to the authorization server. This could allow an attacker to perform a man-in-the-middle attack.

CVE-2025-40801 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40801. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
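An added example (not the SALT SDK's code) of what "missing server certificate validation" means at the socket layer, written against Python's ssl module: the non-validating client configuration beside the validating one, plus a small audit routine a reviewer can run over any client context. The authorization server host name, port and CA file path are assumptions.

```python
import socket
import ssl
from typing import Optional

def insecure_client_context() -> ssl.SSLContext:
    """The CWE-295 pattern: the handshake completes against any certificate,
    so an on-path attacker presenting a self-signed certificate for the
    authorization server is accepted. check_hostname must be cleared before
    verify_mode, otherwise the ssl module raises ValueError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # host name never compared to the certificate
    ctx.verify_mode = ssl.CERT_NONE     # chain never validated
    return ctx

def hardened_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Chain validated against the system store (or a pinned CA bundle when
    ca_file is given), host name checked against the certificate, TLS >= 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise for a client-side TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate is not bound to the server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings

def open_authorization_channel(host: str, port: int, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Connect to the (assumed) authorization server. server_hostname is the value
    the host-name check compares against, so pass the real DNS name, not an IP
    literal or a placeholder."""
    raw = socket.create_connection((host, port), timeout=5)
    return ctx.wrap_socket(raw, server_hostname=host)

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_client_context()),
                      ("hardened", hardened_client_context())):
        print(name, audit_client_context(ctx) or ["no findings"])
```

With the insecure context, open_authorization_channel succeeds against whatever certificate the peer presents; with the hardened one the same call raises ssl.SSLCertVerificationError, which is the behaviour the SDK is missing.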

3.3 BACKGROUND

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-710408 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

Siemens Gridscale X Prepay

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to enumerate valid user names and to bypass locked-out user sessions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following product is affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 OBSERVABLE RESPONSE DISCREPANCY CWE-204

The affected application is vulnerable to user enumeration because its responses differ depending on whether a submitted user name exists. This could allow an unauthenticated remote attacker to determine which user names are valid, narrowing a subsequent brute-force attack to accounts known to exist.

CVE-2025-40806 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40806. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

The affected application is vulnerable to capture-replay of authentication tokens. A user whose account has already been locked out could replay a previously captured token and continue to establish valid sessions.

CVE-2025-40807 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-40807. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).
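The following added example (not Gridscale X Prepay's code; the user store, the token format, the lockout threshold and the signing key are assumptions) shows both defects from 3.2.1 and 3.2.2 side by side. For CWE-204, a login handler whose responses distinguish unknown users, locked users and wrong passwords sits beside one that returns the same status, body and hashing work on every failure path. For CWE-294, validation that accepts any genuinely signed token sits beside validation that re-checks the account's lock state and a per-account session generation on every request, so a token captured before the lockout dies with it.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

SERVER_KEY = os.urandom(32)      # assumed: key that signs session tokens
LOCKOUT_THRESHOLD = 3            # assumed: failed attempts before lockout
USERS: dict = {}                 # constructed user store: name -> record

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Dummy credential hashed on every unknown-user attempt so timing does not leak existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _pbkdf2(secrets.token_hex(16), _DUMMY_SALT)

def add_user(name: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[name] = {"salt": salt, "hash": _pbkdf2(password, salt),
                   "locked": False, "failures": 0, "generation": 0}

# ---- CWE-204: observable response discrepancy ----
def login_enumerable(user: str, password: str) -> Tuple[int, str]:
    """Every failure path answers differently, so a remote caller learns which names exist."""
    rec = USERS.get(user)
    if rec is None:
        return 404, "unknown user"
    if rec["locked"]:
        return 423, "account locked"
    if hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"]):
        return 200, "ok"
    return 401, "wrong password"

def login_uniform(user: str, password: str) -> Tuple[int, str]:
    """One status and body for unknown user, locked user and wrong password, and
    the same PBKDF2 work in each case. Lockout is applied but never announced."""
    rec = USERS.get(user)
    salt = rec["salt"] if rec else _DUMMY_SALT
    expected = rec["hash"] if rec else _DUMMY_HASH
    ok = hmac.compare_digest(_pbkdf2(password, salt), expected)
    if rec is None or rec["locked"] or not ok:
        if rec is not None and not rec["locked"]:
            rec["failures"] += 1
            if rec["failures"] >= LOCKOUT_THRESHOLD:
                lock_account(user)
        return 401, "invalid credentials"
    rec["failures"] = 0
    return 200, "ok"

# ---- CWE-294: a captured token outliving the lockout ----
def issue_token(user: str) -> str:
    """Stateless token bound to the account's current session generation.
    Format user:generation:nonce:mac (assumes user names contain no ':')."""
    payload = f"{user}:{USERS[user]['generation']}:{secrets.token_hex(8)}"
    mac = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}:{mac}"

def lock_account(user: str) -> None:
    USERS[user]["locked"] = True
    USERS[user]["generation"] += 1    # every token issued before the lockout is now stale

def _verify_signature(token: str) -> Optional[Tuple[str, int]]:
    try:
        user, gen, nonce, mac = token.split(":")
        gen = int(gen)
    except ValueError:
        return None
    good = hmac.new(SERVER_KEY, f"{user}:{gen}:{nonce}".encode(), "sha256").hexdigest()
    return (user, gen) if hmac.compare_digest(good, mac) else None

def validate_signature_only(token: str) -> Optional[str]:
    """The weak check: a genuine token is accepted for as long as the key lives."""
    parsed = _verify_signature(token)
    return parsed[0] if parsed else None

def validate_with_account_state(token: str) -> Optional[str]:
    """Re-reads the account on every request: locked, deleted or superseded is rejected."""
    parsed = _verify_signature(token)
    if parsed is None:
        return None
    user, gen = parsed
    rec = USERS.get(user)
    if rec is None or rec["locked"] or gen != rec["generation"]:
        return None
    return user

def demo() -> dict:
    USERS.clear()
    add_user("operator", "correct horse battery")
    enum_unknown, enum_known = login_enumerable("nobody", "x"), login_enumerable("operator", "x")
    uni_unknown, uni_known = login_uniform("nobody", "x"), login_uniform("operator", "x")
    token = issue_token("operator")          # captured while the account is still healthy
    lock_account("operator")
    return {
        "enumerable_differs": enum_unknown != enum_known,
        "uniform_same": uni_unknown == uni_known,
        "replay_signature_only": validate_signature_only(token),
        "replay_with_state": validate_with_account_state(token),
        "locked_login_status": login_uniform("operator", "correct horse battery")[0],
    }

if __name__ == "__main__":
    print(demo())
```

The generation counter is what turns a stateless token into something a lockout can revoke without a server-side session table; bumping it on password change or administrative disable gives those events the same effect.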

3.3 BACKGROUND

3.4 RESEARCHER

Kira from The Raven Security reported these vulnerabilities to Siemens ProductCERT.
Siemens ProductCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-356310 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

CISA Releases 12 Industrial Control Systems Advisories

CISA released 12 Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations.

Johnson Controls iSTAR Ultra

View CSAF

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to modify firmware and gain full access to the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of iSTAR Ultra and iSTAR Edge door controllers are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78

Johnson Controls iSTAR Ultra, Ultra SE, Ultra LT versions prior to 6.9.7.CU01 and Ultra G2, Ultra G2 SE, Edge G2 versions prior to 6.9.3 are vulnerable to OS Command Injection under certain circumstances that could allow an attacker full control of the device.

CVE-2025-43873 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-43873. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND ('OS COMMAND INJECTION') CWE-78

Johnson Controls iSTAR Ultra, Ultra SE, Ultra LT versions prior to 6.9.7.CU01 and Ultra G2, Ultra G2 SE, Edge G2 versions prior to 6.9.3 are vulnerable to OS Command Injection under certain circumstances that could allow an attacker full control of the device.

CVE-2025-43874 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-43874. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

3.4 RESEARCHER

Reid Wightman of Dragos reported these vulnerabilities to CISA.

4. MITIGATIONS

Johnson Controls recommends users take the following actions:

For more information please contact Johnson Controls Global Product Security or visit their Cybersecurity page.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure

Summary

Note: This joint Cybersecurity Advisory is being published as an addition to the Cybersecurity and Infrastructure Security Agency (CISA) May 6, 2025, joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology and European Cybercrime Centre’s (EC3) Operation Eastwood, in which CISA, Federal Bureau of Investigation (FBI), Department of Energy (DOE), Environmental Protection Agency (EPA), and EC3 shared information about cyber incidents affecting the operational technology (OT) and industrial control systems (ICS) of critical infrastructure entities in the United States and globally.

FBI, CISA, National Security Agency (NSA), and the following partners—hereafter referred to as “the authoring organizations”—are releasing this joint advisory on the targeting of critical infrastructure by pro-Russia hacktivists:

The authoring organizations assess pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities, compared to advanced persistent threat (APT) groups. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to infiltrate (or gain access to) OT control devices within critical infrastructure systems. Pro-Russia hacktivist groups—Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), Sector16, and affiliated groups—are capitalizing on the widespread prevalence of accessible VNC devices to execute attacks against critical infrastructure entities, resulting in varying degrees of impact, including physical damage. Targeted sectors include Water and Wastewater Systems, Food and Agriculture, and Energy.

The authoring organizations encourage critical infrastructure organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of pro-Russia hacktivist-related incidents. For additional information on Russian state-sponsored malicious cyber activity, see CISA’s Russia Threat Overview and Advisories webpage.

Download the PDF version of this report:

Pro-Russia Hacktivists Conduct Opportunistic Attacks Against US and Global Critical Infrastructure (PDF, 1.65 MB )

Background and Development of Pro-Russia Hacktivist Groups

Over the past several years, the authoring organizations have observed pro-Russia hacktivist groups conducting cyber operations against numerous organizations and critical infrastructure sectors worldwide. The escalation of the Russia-Ukraine conflict in 2022 significantly increased the number of these pro-Russia groups. Consisting of individuals who support Russia’s agenda but lack direct governmental ties, most of these groups target Ukrainian and allied infrastructure. However, among the increasing number of groups, some appear to have associations with the Russian state through direct or indirect support.

Cyber Army of Russia Reborn

The authoring organizations assess that the Russian General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455—tracked in the cybersecurity community under several names (see Appendix B: Additional Designators Used for Cited Groups)—is likely responsible for supporting the creation of CARR—also known as “The People’s Cyber Army of Russia”—in late February or early March of 2022. Actors suspected to be from GRU unit 74455 likely funded the tools CARR threat actors used to conduct distributed denial-of-service (DDoS) attacks through at least September 2024.

In April 2022, the group began using a new Telegram channel featuring the name “CyberArmyofRussia_Reborn” to organize and plan group actions. The channel creators recruited actors to use CARR as an unattributable platform for conducting cyber activities beneath the level of an APT, aimed at deterring anti-Russia rhetoric. CARR threat actors presented themselves as a group of pro-Russia hacktivists supporting Russia’s stance on the Ukrainian conflict, and they soon began claiming responsibility for DDoS attacks against the U.S. and Europe for supporting Ukraine.

CARR documented these actions through embellished images and videos shared on their social media channels, promoting Russian ideology, disseminating talking points, and publicizing leaked information from hacks attributed to Russian state threat actors.

In late 2023, CARR expanded their operations to include attacks on industrial control systems (ICS), claiming an intrusion against a European wastewater treatment facility in October 2023. In November 2023, CARR targeted human-machine interface (HMI) devices, claiming intrusions at two U.S. dairy farms.

The authoring organizations assess that by late September 2024, CARR channel administrators became dissatisfied with the level of support and funding provided by the GRU. This dissatisfaction led CARR administrators and an administrator from another hacktivist group, NoName057(16), to create the Z-Pentest group, employing the same tactics, techniques, and procedures (TTPs) as CARR but separate from GRU involvement.

NoName057(16)

The authoring organizations assess that the Center for the Study and Network Monitoring of the Youth Environment (CISM), established on behalf of the Kremlin, created NoName057(16) as a covert project within the organization. Senior executives and employees within CISM developed and customized the NoName057(16) proprietary DDoS tool DDoSia, paid for the group’s network infrastructure, served as administrators on NoName057(16) Telegram channels, and selected DDoS targets.

Active since March 2022, NoName057(16) has conducted frequent DDoS attacks against government and private sector entities in North Atlantic Treaty Organization (NATO) member states and other European countries perceived as hostile to Russian geopolitical interests. The group operates primarily through Telegram channels and used GitHub, alongside various websites and repositories, to host DDoSia and share materials and TTPs with their followers. 

In 2024, NoName057(16) began collaborating closely with other pro-Russia hacktivist groups, operating a joint chat with CARR by mid-2024. In July 2024, NoName057(16) jointly claimed responsibility with CARR for an alleged intrusion against OT assets in the U.S. The high degree of cooperation with CARR likely contributed to the formation of Z-Pentest, which is composed of actors and administrators from both teams, in September 2024.

Z-Pentest

Established in September 2024, Z-Pentest is composed of members from CARR and NoName057(16). The group specializes in OT intrusion operations targeting globally dispersed critical infrastructure entities. Additionally, the group uses “hack and leak” operations and defacement attacks to draw attention to their pro-Russia messaging. Unlike other pro-Russia hacktivist groups, Z-Pentest largely avoids DDoS activities, claiming OT intrusions as attempts to garner more attention from the media.

Shortly after Z-Pentest’s inception, the group announced alliances with CARR and NoName057(16), possibly to leverage the other groups’ subscribers to grow the new channel. In March 2025, Z-Pentest posted evidence claiming OT device intrusions to their channel using a NoName057(16) cyberattack campaign hashtag. Similarly, in April 2025, Z-Pentest shared a video purporting defacement of an HMI by changing system names to NoName057(16) and CARR references. Z-Pentest continues to create new alliances with other groups, like Sector16, to continue growing their subscriber base and incidentally propagate TTPs with new partners.

Sector16

Formed in January 2025, Sector16 is a novice pro-Russia hacktivist group that emerged through collaboration with Z-Pentest. Sector16 actively maintains an online presence, including a public Telegram channel where they share videos, statements, and claims of compromising U.S. energy infrastructure. These communications often align with pro-Russia narratives and reflect their self-proclaimed support for Russian geopolitical objectives.

Members of Sector16 may have received indirect support from the Russian government in exchange for conducting specific cyber operations that further Russian strategic goals. This aligns with broader Russian cyber strategies that involve leveraging non-state threat actors for certain cyber activities, adding a layer of deniability.

Technical Details

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 18. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.

TTP Overview

Pro-Russia hacktivist groups employ easily disseminated and replicated TTPs across various entities, increasing the likelihood of widespread adoption and escalating the frequency of intrusions. These groups have limited capabilities, frequently misunderstanding the processes they aim to disrupt. Their apparent low level of technical knowledge results in haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate actual impact. Despite these limitations, the authoring organizations have observed these groups willfully cause actual harm to vulnerable critical infrastructure.

Pro-Russia hacktivist groups use the TTPs in this Cybersecurity Advisory to target virtual network computing (VNC)-connected HMI devices. These groups are primarily seeking notoriety with their actions. While they have caused damage in some instances, they regularly make false or exaggerated claims about their attacks on critical infrastructure to garner more attention. They frequently misrepresent their capabilities and the impacts of their actions, portraying minor incursions as significant breaches, but such incursions can still lead to lost time and resources for operators remediating systems.

Additionally, pro-Russia hacktivists use an opportunistic targeting methodology. They leverage superficial criteria, such as victim availability and existing vulnerabilities, rather than focusing on strategically significant entities. Their lack of strategic focus can lead to a broad array of targets, ranging from water treatment facilities to oil well systems. Pro-Russia hacktivists have demonstrated a pattern of frequently taking advantage of the widespread availability of vulnerable VNC connections. While system owners typically use VNC connections for legitimate remote system access functions, threat actors can maliciously use these connections to broadly target numerous platforms and services. Consequently, these groups can indiscriminately compromise critical infrastructure entities, including those in the Water and Wastewater, Food and Agriculture, and Energy Sectors.

Pro-Russia hacktivist groups have successfully targeted supervisory control and data acquisition (SCADA) networks using basic methods, and in some cases, performed simultaneous DDoS attacks against targeted networks to facilitate SCADA intrusions. As recently as April 2025, threat actors used the following unsophisticated TTPs to access networks and conduct SCADA intrusions:

Propagation

To reach a wider audience, pro-Russia hacktivist groups work together, amplify each other’s posts, create additional groups to amplify their own posts, and likely share TTPs. For example, Z-Pentest jointly claimed intrusion of a U.S. system with Sector16. Sector16 later began posting additional intrusions for which the group claimed sole responsibility. It is likely that these and similar groups will continue to iterate and share these methods to disrupt critical infrastructure organizations.

Reconnaissance and Initial Access

The threat actors’ intrusion methodology is relatively unsophisticated, inexpensive to execute, and easy to replicate. These pro-Russia hacktivist groups abuse widely available network scanning tools, such as Nmap or OpenVAS, to find internet-exposed VNC services, then use brute-force or password-spraying tools to access devices via known default or otherwise weak credentials. Threat actors typically search for these services on the default port 5900 or nearby ports (5901-5910). Their goal is to gain remote access to HMI devices connected to live control networks.

Once threat actors obtain access, they manipulate available settings from the graphical user interface (GUI) on the HMI devices, such as arbitrary physical parameter and setpoint changes, or conduct defacement activities. Because pro-Russia hacktivist groups seem to lack sector-specific expertise or cyber-physical engineering knowledge, they currently cannot reliably estimate the true impact of their actions. Regardless of outcome, pro-Russia hacktivist groups often post images and screen recordings to their social media platforms, boasting the compromises and exaggerating impacts to garner attention from their peers and the media.
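The following added example (not from the advisory; the log format, the sample events and the thresholds are constructed) implements the defender's side of the TTPs above. It runs a detector over connection and authentication events for the VNC port range, flags a source that sweeps several ports in 5900-5910, flags repeated authentication failures consistent with password guessing, and escalates when a success from the same source follows those failures within the window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

VNC_PORTS = range(5900, 5911)   # default port plus the nearby range named in the advisory

# Constructed key=value event format (assumed; map your firewall or VNC server fields onto it).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+)(?: result=(?P<result>\w+))?"
)

# Constructed sample: one source sweeps ports, guesses passwords and gets in;
# one legitimate operator logs in once; one unrelated SSH connection.
SAMPLE_LOG = """\
2025-04-12T03:14:07Z event=connect src=203.0.113.5 dst=192.0.2.10 dport=5900
2025-04-12T03:14:08Z event=connect src=203.0.113.5 dst=192.0.2.10 dport=5901
2025-04-12T03:14:08Z event=connect src=203.0.113.5 dst=192.0.2.10 dport=5902
2025-04-12T03:14:09Z event=connect src=203.0.113.5 dst=192.0.2.10 dport=5903
2025-04-12T03:14:20Z event=auth src=203.0.113.5 dst=192.0.2.10 dport=5900 result=fail
2025-04-12T03:14:21Z event=auth src=203.0.113.5 dst=192.0.2.10 dport=5900 result=fail
2025-04-12T03:14:22Z event=auth src=203.0.113.5 dst=192.0.2.10 dport=5900 result=fail
2025-04-12T03:14:23Z event=auth src=203.0.113.5 dst=192.0.2.10 dport=5900 result=fail
2025-04-12T03:14:24Z event=auth src=203.0.113.5 dst=192.0.2.10 dport=5900 result=fail
2025-04-12T03:14:26Z event=auth src=203.0.113.5 dst=192.0.2.10 dport=5900 result=success
2025-04-12T03:15:00Z event=connect src=198.51.100.7 dst=192.0.2.10 dport=5900
2025-04-12T03:15:02Z event=auth src=198.51.100.7 dst=192.0.2.10 dport=5900 result=success
2025-04-12T03:15:30Z event=connect src=203.0.113.9 dst=192.0.2.10 dport=22
"""

def parse_line(line: str):
    """Return a dict for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    e["dport"] = int(e["dport"])
    return e

def detect(lines, window=timedelta(minutes=10), sweep_ports=3, fail_threshold=5) -> list:
    """One finding per (source, behaviour): port sweep across 5900-5910, repeated
    authentication failures, and a success that follows those failures."""
    by_src = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["dport"] in VNC_PORTS:
            by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        seen = set()
        for i, first in enumerate(evs):          # sliding window anchored on each event
            win = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            ports = sorted({e["dport"] for e in win if e["event"] == "connect"})
            fails = [e for e in win if e["event"] == "auth" and e["result"] == "fail"]
            if "sweep" not in seen and len(ports) >= sweep_ports:
                seen.add("sweep")
                findings.append({"src": src, "type": "vnc_port_sweep", "ports": ports})
            if "guessing" not in seen and len(fails) >= fail_threshold:
                seen.add("guessing")
                findings.append({"src": src, "type": "vnc_password_guessing",
                                 "failures": len(fails)})
            if "guessing" in seen and "success" not in seen and fails:
                later = [e for e in win if e["event"] == "auth"
                         and e["result"] == "success" and e["ts"] >= fails[-1]["ts"]]
                if later:
                    seen.add("success")
                    findings.append({"src": src, "type": "vnc_success_after_guessing",
                                     "dst": later[0]["dst"], "dport": later[0]["dport"]})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
```

The third finding type is the one worth paging on: a success after a run of failures from a sweeping source is the signature of the default-credential access the advisory describes, and the dst and dport fields identify which HMI to pull off the network and inspect.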

Impact

While pro-Russia hacktivist groups currently demonstrate limited ability to consistently cause significant impact, there is a risk that their continued attacks will result in further harm or grievous physical consequences. Attacks have not yet caused injury; however, the attacks against occupied factories and community facilities demonstrate a lack of consideration for human safety.

Victim organizations reported that the most common operational impact caused by these threat actors is a temporary loss of view, necessitating manual intervention to manage processes. However, any modifications to programmatic and systematic procedures can result in damage or disruption, including substantial labor costs from hiring a programmable logic controller programmer to restore operations, costs associated with operational downtime, and potential costs for network remediation.

MITRE ATT&CK Tactics and Techniques

See Table 1 to Table 10 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 1. Reconnaissance
Technique Title | ID | Use
Gather Victim Organization Information | T1591 | Threat actors use information available on the internet to determine what systems they believe they have compromised and post the information on their social media. This methodology frequently leads to the threat actors misidentifying their claimed victims.
Active Scanning: Vulnerability Scanning | T1595.002 | Threat actors use open source tools to look for IP addresses in target countries with visible VNC services on common ports.

Table 2. Resource Development
Technique Title | ID | Use
Acquire Infrastructure: Virtual Private Server | T1583.003 | Threat actors use virtual infrastructure to obfuscate identifiers.

Table 3. Initial Access
Technique Title | ID | Use
Internet Accessible Device | T0883 | Threat actors gain access through less secure HMI devices exposed to the internet.

Table 4. Persistence
Technique Title | ID | Use
Valid Accounts | T0859 | Threat actors use password guessing tools to access legitimate accounts on the HMI devices.

Table 5. Credential Access
Technique Title | ID | Use
Brute Force: Password Spraying | T1110.003 | Threat actors use tools to rapidly guess common or simple passwords.

Table 6. Lateral Movement
Technique Title | ID | Use
Default Credentials | T0812 | Threat actors seek and build libraries of known default passwords for control devices to access legitimate user accounts.
Remote Services | T0886 | Threat actors leverage VNC services to access system HMI devices.
Remote Services: VNC | T1021.005 | Threat actors hunt VNC-enabled devices visible on the internet and connect with remote viewer software.

Table 7. Execution
Technique Title | ID | Use
Graphical User Interface | T0823 | Threat actors interact with HMI devices via GUIs, attempting to modify control devices.

Table 8. Inhibit Response Function
Technique Title | ID | Use
Device Restart/Shutdown | T0816 | While threat actors claim to turn off HMIs, it is possible that operators (not the threat actors) turn the devices off during incident response.
Alarm Suppression | T0878 | Threat actors use HMI interfaces to clear alarms caused by their activity and alarms already present on the system at the time of their intrusion.
Change Credential | T0892 | Threat actors change the usernames and passwords of HMI devices in operator lockout attempts, usually resulting in a loss of view and operators switching to manual operations.

Table 9. Impair Process Control
Technique Title | ID | Use
Modify Parameter | T0836 | Threat actors attempt to change upper and lower limits of operational devices as available from the HMI.
Unauthorized Command Message | T0855 | Threat actors attempt to send unauthorized command messages to instruct control system assets to perform actions outside of their intended functionality, causing possible impact.

Table 10. Impact
Technique Title | ID | Use
Loss of Productivity and Revenue | T0828 | Threat actors purposefully attempt to impact productivity and create additional costs for the affected entities.
Loss of View | T0829 | Threat actors change credentials on HMI devices, preventing operators from modifying processes remotely.
Manipulation of Control | T0831 | Threat actors change setpoints in processes, impacting the efficiency of operations for those specific processes.

Incident Response

If organizations find exposed systems with weak or default passwords, they should assume threat actors compromised the system and begin the following incident response protocols:

  1. Determine which hosts were compromised and isolate them by quarantining or taking them offline.
  2. Initiate threat hunting activities to scope the intrusion. Collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
  3. Reimage compromised hosts.
  4. Provision new account credentials.
  5. Report the compromise to CISA, FBI, and/or NSA. See the Contact Information section of this advisory.
  6. Harden the network to prevent additional malicious activity. See the Mitigations section of this advisory for guidance.

Mitigations

OT Asset Owners and Operators

The authoring organizations recommend that organizations implement the mitigations below to improve their cybersecurity posture based on the threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

OT Device Manufacturers

Although critical infrastructure organizations can take steps to mitigate risks, it is ultimately the responsibility of OT device manufacturers to build products that are secure by design. The authoring organizations urge device manufacturers to take ownership of the security outcomes of their customers in line with the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Secure by Design Software.

Additionally, see CISA’s Secure by Design Alert on how software manufacturers can shield web management interfaces from malicious cyber activity. By using secure by design tactics, software manufacturers can make their product lines secure “out of the box” without requiring customers to spend additional resources making configuration changes, purchasing tiered security software and logs, monitoring, and making routine updates.

For more information on secure by design, see CISA’s Secure by Design webpage.

Validate Security Controls

In addition to applying mitigations, the authoring organizations recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The authoring organizations recommend testing your existing security controls inventory to assess how it performs against the ATT&CK techniques described in this advisory.

To start:

  1. Select an ATT&CK technique described in this advisory (see Table 1 to Table 10).
  2. Align your security technologies against the technique.
  3. Test your technologies against the technique.
  4. Analyze your detection and prevention technologies’ performance.
  5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
  6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

The authoring organizations recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

Resources

Entities requiring additional support for implementing any of the mitigations in this advisory should contact their regional CISA Cybersecurity Advisor for assistance. Key resources organizations should reference include:

Additional resources that apply to this advisory include:

Contact Information

U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA, FBI, and/or NSA:

Australian organizations: Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

Canadian organizations: Report incidents by emailing Cyber Centre at contact@cyber.gc.ca.

New Zealand organizations: Report cyber security incidents to incidents@ncsc.govt.nz or call 04 498 7654.

United Kingdom organizations: Report a significant cyber security incident: report.ncsc.gov.uk (monitored 24 hours) or, for urgent assistance, call 03000 200 973.

Disclaimer

The information in this report is being provided “as is” for informational purposes only. The authoring organizations do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by FBI and co-sealers.

Acknowledgements

Schneider Electric, Nozomi Networks, Eversource Energy, Electricity Information Sharing and Analysis Center, Chevron, BP, and Dragos contributed to this advisory.

Version History

December 09, 2025: Initial version.

Appendix A: Targeting Methodologies for Pro-Russia Hacktivist Groups

For further information on targeting methodologies for pro-Russia hacktivist groups, see:

Appendix B: Additional Designators Used for Cited Groups

The cybersecurity industry and cyber actor groups often use various names to reference actor groups. While not exhaustive, the following are the most notable names used within the cybersecurity community to reference the groups in this advisory.

Note: Cybersecurity organizations have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the authoring organizations’ understanding for all activity related to these groupings.

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.   

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Festo LX Appliance

View CSAF

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a user of LX Appliance with a high privilege account to craft a malicious course and launch an XSS attack.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Festo reports that the following products are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

The "src" attribute of the "track" tag allows a malicious user to bypass HTML escaping and execute arbitrary code. This affects the package video.js before 7.14.3.
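The defect described here is an attribute-context escaping failure: a value placed inside src="..." must not be able to close the attribute or smuggle in a URL scheme such as javascript:. The Python below is an added hardening example and is not video.js code; it shows the unsafe interpolation pattern next to a checked version that applies a scheme allowlist and then html.escape(quote=True) for the attribute context. The function names and the allowlist are this example's assumptions.

```python
"""Building a <track> element safely (added hardening example, not video.js code).

Two steps defend a URL-valued attribute: reject URL schemes that are not
expected for a caption file, then escape the value for the HTML attribute
context so that quotes and angle brackets cannot terminate the attribute.
"""
import html
from urllib.parse import urlsplit

# Assumption for the demo: caption files come over http(s) or as relative paths ("").
ALLOWED_SCHEMES = {"https", "http", ""}


def render_track_unsafe(src: str, kind: str = "subtitles") -> str:
    """Vulnerable pattern: raw interpolation into an attribute, no validation."""
    return f'<track kind="{kind}" src="{src}">'


def validate_track_url(src: str) -> str:
    """Allow only expected URL schemes; raise on anything else (e.g. javascript:)."""
    src = src.strip()
    scheme = urlsplit(src).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"disallowed URL scheme: {scheme!r}")
    return src


def render_track_safe(src: str, kind: str = "subtitles") -> str:
    """Hardened version: scheme allowlist, then attribute-context escaping."""
    src = validate_track_url(src)
    # quote=True is what makes this safe inside a double-quoted attribute:
    # it turns '"' into '&quot;' in addition to escaping &, <, >.
    return f'<track kind="{html.escape(kind, quote=True)}" src="{html.escape(src, quote=True)}">'


if __name__ == "__main__":
    # Constructed input that tries to close the attribute and add another one.
    probe = 'subs.vtt" title="injected'
    print(render_track_unsafe(probe))   # attribute boundary is broken
    print(render_track_safe(probe))     # the quote is rendered as &quot;
```

Escaping alone is not enough for a URL attribute, which is why the scheme check comes first: a value such as javascript:... contains nothing that html.escape would change, yet it is still a code-execution sink when the browser follows it.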

CVE-2021-23414 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

3.3 BACKGROUND

3.4 RESEARCHER

Festo coordinated this vulnerability with CERT@VDE.

4. MITIGATIONS

Festo has identified the following specific workarounds and mitigations users can apply to reduce risk:

For more information see the associated Festo SE & Co. KG security advisory FSA-202301

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

Universal Boot Loader (U-Boot)

View CSAF

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in arbitrary code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of U-Boot is affected:

The following specific chips have been confirmed to be affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER ACCESS CONTROL FOR VOLATILE MEMORY CONTAINING BOOT CODE CWE-1274

The affected products are vulnerable to a bootloader vulnerability, which could allow an attacker to execute arbitrary code.

CVE-2025-24857 has been assigned to this vulnerability. A CVSS v3 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-24857. A base score of 8.6 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

3.4 RESEARCHER

Harvey Phillips of Amazon Element55 reported this vulnerability to CISA.

4. MITIGATIONS

Konsulko, the third-party maintainer of U-Boot, recommends users upgrade to version v2025.4 or later and ensure the physical security of the device.

Qualcomm recommends that users with the affected chips contact support, referencing CVE-2025-24857, QPSIIR-1969 or CR4082905.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

CISA Releases Three Industrial Control Systems Advisories

CISA released three Industrial Control Systems (ICS) Advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. 


CISA encourages users and administrators to review newly released ICS Advisories for technical details and mitigations. 

Multiple India-based CCTV Cameras

View CSAF

1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in information disclosure including capture of camera account credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following D-Link CCTV camera model is confirmed to be affected; specific affected models for Sparsh Securitech and Securus CCTV are unavailable:

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

A malicious actor can access camera configuration information, including account credentials, without authenticating when accessing a vulnerable URL.

CVE-2025-13607 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2025-13607. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

3.4 RESEARCHER

Souvik Kandar reported this vulnerability to CISA.

4. MITIGATIONS

Securus CCTV and Sparsh Securitech did not respond to CISA's requests for coordination. Users of cameras from these vendors are encouraged to reach out to their respective customer service representatives to see if their specific model of camera is affected.

D-Link has released a security advisory and a software update for the affected camera model. Please visit this D-Link Security Announcement for further information.

D-Link strongly urges all users to install the relevant updates and regularly check for further updates. After downloading the software update, it is essential to ALWAYS validate its success by comparing the software version on your product interface to the software update version.

The model number listed in this advisory is known only for D-Link India Limited. Users of cameras produced by the other listed vendors are encouraged to evaluate this vulnerability within their environment.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

Opportunistic Pro-Russia Hacktivists Attack US and Global Critical Infrastructure

CISA, in partnership with the Federal Bureau of Investigation, the National Security Agency, the Department of Energy, the Environmental Protection Agency, the Department of Defense Cyber Crime Center, and other international partners, published a joint cybersecurity advisory, Pro-Russia Hacktivists Create Opportunistic Attacks Against US and Global Critical Infrastructure.

This advisory, published as an addition to the joint fact sheet Primary Mitigations to Reduce Cyber Threats to Operational Technology (OT) released in May 2025, details that pro-Russia hacktivist groups are conducting less sophisticated, lower-impact attacks against critical infrastructure entities compared to advanced persistent threat groups. These attacks use minimally secured, internet-facing virtual network computing (VNC) connections to infiltrate or gain access to OT control devices within critical infrastructure systems.

The groups involved, including Cyber Army of Russia Reborn, Z-Pentest, NoName057(16), and Sector16, are taking advantage of the widespread prevalence of accessible VNC devices to execute attacks, resulting in varying degrees of impact, including physical damage.

These groups often seek notoriety by making false or exaggerated claims about their attacks. Their methods are opportunistic, leveraging superficial criteria such as victim availability and existing vulnerabilities. They attack a wide range of targets, from water treatment facilities to oil well systems, using similar tactics, techniques, and procedures.

Top Recommended Actions:

OT owners and operators and critical infrastructure entities should take the following steps to reduce the risk of attacks through VNC connections:

  1. Reduce exposure of OT assets to the public-facing internet.
  2. Adopt mature asset management processes, including mapping data flows and access points.
  3. Ensure that OT assets are using robust authentication procedures.

For more information on Russian state-sponsored threat actor activity, visit CISA’s Russia Cyber Threat Overview and Advisories page. 

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.   

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA Adds One Known Exploited Vulnerability to Catalog

Updated December 9, 2025: Check for signs of potential compromise on all internet-accessible React instances after applying mitigations. For more information, see React Blog: Critical Security Vulnerability in React Server Components.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.  

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

PRC State-Sponsored Actors Use BRICKSTORM Malware Across Public Sector and Information Technology Systems

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of ongoing intrusions by People’s Republic of China (PRC) state-sponsored cyber actors using BRICKSTORM malware for long-term persistence on victim systems. BRICKSTORM is a sophisticated backdoor for VMware vSphere [1][2] and Windows environments [3]. Victim organizations are primarily in the Government Services and Facilities and Information Technology Sectors. BRICKSTORM enables cyber threat actors to maintain stealthy access and provides capabilities for initiation, persistence, and secure command and control. The malware employs advanced functionality, including multiple layers of encryption (e.g., HTTPS, WebSockets, and nested TLS), DNS-over-HTTPS (DoH) to conceal communications, and a SOCKS proxy to facilitate lateral movement and tunneling within victim networks. BRICKSTORM also incorporates long-term persistence mechanisms, such as a self-monitoring function that automatically reinstalls or restarts the malware if disrupted, ensuring its continued operation.

The initial access vector varies. In one confirmed compromise, PRC state-sponsored cyber actors accessed a web server inside the organization’s demilitarized zone (DMZ), moved laterally to an internal VMware vCenter server, then implanted BRICKSTORM malware. See CISA, the National Security Agency, and Canadian Cyber Security Centre’s (Cyber Centre’s) joint Malware Analysis Report (MAR) BRICKSTORM Backdoor for analysis of the BRICKSTORM sample CISA obtained during an incident response engagement for this victim. The MAR also discusses seven additional BRICKSTORM samples, which exhibit variations in functionality and capabilities, further highlighting the complexity and adaptability of this malware.

After obtaining access to victim systems, PRC state-sponsored cyber actors obtain and use legitimate credentials by performing system backups or capturing Active Directory database information to exfiltrate sensitive information. Cyber actors then target VMware vSphere platforms to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden rogue VMs to evade detection.

CISA recommends that network defenders hunt for existing intrusions and mitigate further compromise by taking the following actions:

See joint MAR BRICKSTORM Backdoor for additional detection resources. If BRICKSTORM, similar malware, or potentially related activity is detected, report the incident to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.

Disclaimer: The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Notes

1 Matt Lin et al., “Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies,” Google Cloud Blog, April 4, 2024, https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement.

2 Maxime, “NVISO analyzes BRICKSTORM espionage backdoor,” NVISO, April 15, 2025, https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor.

3 Sarah Yoder et al., “Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors,” Google Cloud Blog, September 24, 2025, https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign.

BRICKSTORM Backdoor

Malware Analysis at a Glance

Executive Summary

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. CISA, NSA, and Cyber Centre are releasing this Malware Analysis Report to share indicators of compromise (IOCs) and detection signatures based on analysis of eight BRICKSTORM samples. CISA, NSA, and Cyber Centre urge organizations to use the IOCs and detection signatures to identify BRICKSTORM malware samples.

Key Actions

  • Use the IOCs and detection signatures to identify BRICKSTORM samples.
  • If BRICKSTORM, similar malware, or potentially related activity is detected, report the incident to CISA, Cyber Centre, or required authorities immediately.

Indicators of Compromise

For a downloadable copy of IOCs associated with this malware, see: MAR-251165.c1.v1.CLEAR.

Detection

This malware analysis report includes YARA and Sigma rules.

For a downloadable copy of the Sigma rules associated with this malware, see: AR25-338A Sigma YAML.

Intended Audience

Organizations: Government and critical infrastructure organizations.

Roles: Digital forensics analysts, incident responders, vulnerability analysts, system administrators.


Introduction

The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Canadian Centre for Cyber Security (Cyber Centre) assess People’s Republic of China (PRC) state-sponsored cyber actors are using BRICKSTORM malware for long-term persistence on victim systems. Victim organizations are primarily in the Government Services and Facilities and Information Technology Sectors. BRICKSTORM is a sophisticated backdoor for VMware vSphere (specifically VMware vCenter servers and VMware ESXi) [1] and Windows environments [2].

The cyber actors have been observed targeting VMware vSphere platforms. Once compromised, the cyber actors can use their access to the vCenter management console to steal cloned virtual machine (VM) snapshots for credential extraction and create hidden, rogue VMs. See CISA’s Alert PRC State-Sponsored APT Actors Employ BRICKSTORM Malware Across Public Sector and Information Technology.

CISA analyzed eight BRICKSTORM samples obtained from victim organizations, including an organization where CISA conducted an incident response engagement.

At the victim organization where CISA conducted an incident response engagement, PRC state-sponsored cyber actors gained long-term persistent access to the organization’s internal network in April 2024 and uploaded BRICKSTORM malware to an internal VMware vCenter server. They also gained access to two domain controllers and an Active Directory Federation Services (ADFS) server. They successfully compromised the ADFS server and exported cryptographic keys. The cyber actors used BRICKSTORM for persistent access from at least April 2024 through at least Sept. 3, 2025.

CISA, NSA, and Cyber Centre urge organizations to use the indicators of compromise (IOCs) and detection signatures in this Malware Analysis Report to identify BRICKSTORM malware samples. If identified, follow the guidance in the Incident Response section.

Download the PDF version of this report: 

Malware Analysis Report Brickstorm Backdoor (PDF, 1.37 MB )


For a downloadable copy of IOCs associated with this malware, see: 

MAR-251165.c1.v1.CLEAR_stix2.json (JSON, 187.62 KB )

For a downloadable copy of the SIGMA rule associated with this malware, see: 

CMA_SIGMA_251157_r2_BRICKSTORM_Activity_TLP_CLEAR_1.yaml (YAML, 4.73 KB )

For more information on PRC state-sponsored cyber activity, see CISA’s People’s Republic of China Threat Overview and Advisories webpage.

Malware Summary

BRICKSTORM is a custom Executable and Linkable Format (ELF) Go-based backdoor. The analyzed samples differ in function, but all enable cyber actors to maintain stealthy access and provide capabilities for initiation, persistence, and secure command and control (C2). Even though the analyzed samples were for VMware vSphere environments, there is reporting about Windows versions.

BRICKSTORM initiates by running checks and maintains persistence by using a self-watching function and automatically reinstalls or restarts if disrupted.

For C2, BRICKSTORM uses multiple layers of encryption (HTTPS, WebSockets, nested Transport Layer Security [TLS]) to hide its communications with the cyber actors’ C2 server. It also uses DNS-over-HTTPS (DoH) and mimics web server functionality to blend its communications with legitimate traffic. For remote system control, BRICKSTORM gives cyber actors interactive shell access on the system and allows them to browse, upload, download, create, delete, and manipulate files. In addition, some samples act as a SOCKS proxy, facilitating lateral movement and allowing cyber actors to compromise additional systems.

Malware Delivery

Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 18. See Appendix A: MITRE ATT&CK Techniques for tables mapping the cyber actors’ activity to MITRE ATT&CK tactics and techniques.

At the victim organization where CISA conducted an incident response engagement, PRC state-sponsored cyber actors accessed a web server on April 11, 2024. The web server was inside the organization’s demilitarized zone (DMZ), and cyber actors accessed it through a web shell [T1505.003] present on the server. Incident data does not indicate how they obtained initial access to the web server or when the web shell was implanted. On the same day, the cyber actors used service account credentials [T1078] to move laterally using Remote Desktop Protocol (RDP) [T1021.001] from the web server to a domain controller in the DMZ, from which they copied the Active Directory (AD) database (ntds.dit) [T1003.003].

On April 12, 2024, the cyber actors moved laterally from the web server to a domain controller within the internal network using RDP and credentials associated with a second service account. It is unknown how they obtained the credentials. Subsequently, they copied the AD database, obtaining credentials for a managed service provider (MSP) account. Using the MSP credentials, the cyber actors proceeded to move from the internal domain controller to the VMware vCenter server. 

From the web server, the actors also moved laterally using Server Message Block (SMB) to two jump servers and an ADFS server, from which they exfiltrated cryptographic keys. See Figure 1 for a diagram of the cyber actors’ movement.

Figure 1. PRC State-Sponsored Cyber Actors’ Lateral Movement

After gaining access to vCenter, the cyber actors elevated privileges using the sudo command [T1548.003], dropped BRICKSTORM malware in the server’s /etc/sysconfig/ directory [T1105], and modified the system’s init file in /etc/sysconfig/ to run BRICKSTORM.

The modified init file controls the bootup process [T1037] on VMware vSphere systems and executes BRICKSTORM. Typically, this file only defines certain visual variables for the bootup process. After the lines that set those visual variables, an additional line was added to the script to execute BRICKSTORM from the hard-coded file path /etc/sysconfig/.

Note: CISA is still completing analysis to understand the malicious activity and full impact of the compromise.

Malware Metadata

See Table 1 through Table 8 for metadata of the analyzed malware.

Table 1. BRICKSTORM Sample 1
File Name vmsrc
Size 7692288 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5 8e4c88d00b6eb46229a1ed7001451320
SHA1 9bf4c786ebd68c0181cfe3eb85d2fd202ed12c54
SHA256 aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38
SHA512 5e654776e9c419e11e6f93a452415a601bd9a2079710f1074608570e498a9af37b81bb57c98cb8bb626c5ee4b3e35757d3ae8c1c3717f28d9f3fe7a4cebe0608
ssdeep 49152:9lDeYNeYunc1S3/U05q+CIKUbwgBfd1Vww/uUJSZina/TokDDko0n8oQhEoAgsUJ:O3lcE380sIDbdB11p3i/TokEIowlb/r
Entropy 5.993799
Table 2. BRICKSTORM Sample 2
File Name vnetd
Size 26603668 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5 39111508bfde89ce6e0fe6abe0365552
SHA1 f639d9404c03af86ce452db5c5e0c528b81dc0d7
SHA256 013211c56caaa697914b5b5871e4998d0298902e336e373ebb27b7db30917eaf
SHA512 74b4c6f7c7cae07c6f8edf3f2fb1e9206d4f1f9734e8e4784b15d192eec8cd8a4f59078fc0c56dc4ad0856cdd792337b5c92ffd3d2240c8a287a776df4363bba
ssdeep 196608:GbkKsdDjru3WUIOsW5SYVRk/Qvk1LzK3RMxy2wBW:GwKMjr3Os4k/QiLzERMMdW
Entropy 6.211446
Table 3. BRICKSTORM Sample 3
File Name if-up
Size 15511700 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5 dbca28ad420408850a94d5c325183b28
SHA1 fb11c6caa4ea844942fe97f46d7eb42bc76911ab
SHA256 57bd98dbb5a00e54f07ffacda1fea91451a0c0b532cd7d570e98ce2ff741c21d
SHA512 659205fa2cfa85e484c091cc2e85a7ec4e332b196e423b1f39bafdc8fca33e3db712bbe07afcc091ff26d9b4f641fa9a73f2a66dce9a0ced54ebeb8c2be82a7f
ssdeep 98304:dzB06b0KX4Mnb+sJf+AjBzH3MF4m1d4U2TuAJ5VGY3glknTSk2nH:dFQKIsJBBzXMum83RJ5VGY3gS2nH
Entropy 6.102490
Table 4. BRICKSTORM Sample 4
File Name viocli
Size 6311936 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5 0a4fa52803a389311a9ddc49b7b19138
SHA1 97001baaa379bcd83677dca7bc5b8048fdfaaddc
SHA256 b3b6a992540da96375e4781afd3052118ad97cfe60ccf004d732f76678f6820a
SHA512 65ebf5dfafb8972ffead44271436ec842517cfaaf3d1f1f1237a32d66e1d280943bd3a69f1d539a1b7aca6152e96b29bc822e1047e2243f6aec8959595560147
ssdeep 49152:BgClz8/9cMSThwhWyh/zypzOzRzqm9hRp6FY+fAn/bkNqr+HfHF2xkdpb3gAiDli:W08/9I6WMzUcRz9zvn//Z5D
Entropy 6.005898
Table 5. BRICKSTORM Sample 5
File Name vts
Size 6303744 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5 82bf31e7d768e6d4d3bc7c8c8ef2b358
SHA1 de28546ec356c566cd8bca205101a733e9a4a22d
SHA256 22c15a32b69116a46eb5d0f2b228cc37cd1b5915a91ec8f38df79d3eed1da26b
SHA512 4c52caf2e5f114103ed5f60c6add3aa26c741b07869bb66e3c25a1dc290d4a8bf87c42c336e8ac8ebf82d9a9b23eaa18c31f7051a5970a8fe1125a2da890340f
ssdeep 49152:uP9kPWdmrJl+9zxKsSJ32ssUZGHZ9ECKDfvCb3XKRbaYJcRHMH9xkdgY3gqF2HxR:yqWdmd4x5SgssUZ0OCKDfvChYrRq
Entropy 6.005438
Table 6. BRICKSTORM Sample 6
File Name vmckd
Size 6311936 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5 18f895e24fe1181bb559215ff9cf6ce3
SHA1 c3549d4e5e39a11f609fc6fbf5cc1f2c0ec272b4
SHA256 f7cda90174b806a34381d5043e89b23ba826abcc89f7abd520060a64475ed506
SHA512 79276523a6a507e3fa1b12b96e09b10a01c783a53d58b9ae7f5780a379431639a80165e81154522649b8e2098e86d1a310efffebe32faafc7b3bc093eec60a64
ssdeep 49152:6XUQ9anktEg7z/QbPB83A+FQGQzqufqCjt2F81jh+eS53OOwJylHJHuxkdqz3gHG:mVankxn2Pe3JQGQz57t2Y4f3TwrQHAz
Entropy 6.005752
Table 7. BRICKSTORM Sample 7
Size 8332689 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5 a52e36a70b5e0307cbcaa5fd7c97882c
SHA1 44a3d3f15ef75d9294345462e1b82272b0d11985
SHA256 39b3d8a8aedffc1b40820f205f6a4dc041cd37262880e5030b008175c45b0c46
SHA512 bbe18d32bef66ccfa931468511e8ba55b32943e47a1df1e68bb5c8f8ae97a5bf991201858ae9632fa24df5f6c674b6cb260297a1c11889ca61bda68513f440ce
ssdeep 98304:78Se5lqfYMKDdopPx0E4j+dM/GLaCXNwqYL6wt/5APUnb:78Se54fYMUaiE4j+dM/GLaCXNmLP+
Entropy 6.063930
Table 8. BRICKSTORM Sample 8
Size 8332689 bytes
Type ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
MD5 a02469742f7b0bc9a8ab5e26822b3fa8
SHA1 10d811029f6e5f58cd06143d6353d3b05bc06d0f
SHA256 73fe8b8fb4bd7776362fd356fdc189c93cf5d9f6724f6237d829024c10263fe5
SHA512 8e29aeb3603ffe307b2d60f7401bd9978bebe8883235eb88052ebf6b9e04ce6bf35667480cedea5712c1e13e8c6dcfb34d5fde0ddca6ca31328de0152509bf8f
ssdeep 98304:78Se5lqfYMKDdopPx0E4j+dM/GLaCXNwqYL6wt/5APUnU:78Se54fYMUaiE4j+dM/GLaCXNmLP+
Entropy 6.063928

Malware Functionality

All analyzed samples enable cyber actors to maintain stealthy access and provide capabilities for environment configuration (initiation), persistence, and secure C2. While initiation and persistence functions are similar across the samples, the secure C2 function varies. BRICKSTORM uses custom handlers to set up a SOCKS proxy, create a web server on the compromised system, and execute commands on the compromised system.

Samples 7 and 8 were designed to work in virtualized environments, using a virtual socket (VSOCK) interface to enable inter-VM communication, facilitate data exfiltration, and maintain persistence.

Most samples used Exclusive OR (XOR) cipher encryption to hide key strings, such as the Internet Protocol version 4 (IPv4) addresses of public DoH servers, within their code.

Initiation Capabilities

Upon execution, BRICKSTORM runs checks and can reinstall and restart itself to maintain persistence. BRICKSTORM initiates a function (referred to as main_startNew in some samples) to configure environment variables specific to the compromised environment, enabling it to operate effectively. Following this, BRICKSTORM identifies if it is already in its intended state and proceeds to continue running, copy itself for execution, or terminate based on the following logic:

  1. Environment Variable Check: BRICKSTORM checks a specified environment variable (differs by sample; see Table 9) to determine if it is running as a child process (to identify if it is running in its intended state).
    1. If the specified variable is set, indicating it is running as a child process, BRICKSTORM continues its code execution.
    2. If the specified variable is not set (indicating it is not running as a child process), BRICKSTORM checks whether it is executing from /etc/sysconfig/ (Samples 1 through 2 and 4 through 7) or /etc/sysconfig/network/ (Sample 3) by attempting to load file contents from that path.
  2. File Path Validation and Copying: If BRICKSTORM is running from the validated path, it copies itself to a specific location with a specific file name.
    1. Next, the parent BRICKSTORM instance modifies the PATH environment variable by appending the copied location’s path [T1574.007]. This ensures the newly copied version of BRICKSTORM will be executed first if any commands or processes attempt to run VMware vSphere.
    2. The parent instance subsequently executes the copied instance of BRICKSTORM with the specified variable set in the context of the child process and terminates its own execution.
  3. Termination: If BRICKSTORM is not running from the validated path, it terminates its own execution.

See Figure 2 for the operational flow of the malware.

Figure 2. BRICKSTORM Operational Flow, Malware Initiation

See Table 9 for checked variables, copied locations, and copied file names of the analyzed samples.

Table 9. BRICKSTORM Initiation Checks and Copied File Information
Sample | Checked Environment Variable To Determine if Running as a Child Process | Copied Location | Copied File Name
Sample 1 | VMware [T1036] | /opt/vmware/sbin | vmware-sphere
Sample 2 | [redacted]ET4 | /usr/java/jre-vmware/bin/ | updatemgr
Sample 3 | CZePMeGj | etc/applmgmt/appliance/ | vami
Sample 4 | [redacted]NET6 | /usr/java/jre-vmware/bin/ | updatemgr
Sample 5 | FIOON | /usr/java/jre-vmware/bin/ | updatemgr
Sample 6 | [redacted]NET4 | /usr/java/jre-vmware/bin/ | updatemgr
Sample 7 | VREG | |
Sample 8 | VARGS | |

Persistence Capabilities

To ensure its continued operations, BRICKSTORM uses built-in self-monitoring and persistence capabilities while running. Specifically, it has a built-in self-watching function (referred to as main_selfWatcher in some samples) to maintain persistence. This function monitors if BRICKSTORM is running correctly and, if not, BRICKSTORM reinstalls and executes itself, mirroring its initiation capabilities.

The self-watching function begins by checking a specific environment variable (see Table 10) to confirm whether BRICKSTORM is running as an active process. If the check returns a false value (indicating the variable is not set), BRICKSTORM assumes it is not running properly. In response, BRICKSTORM re-installs itself from a predefined file path—/etc/sysconfig/ (Samples 1 through 2 and 4 through 8) or /etc/sysconfig/network/ (Sample 3)—to a new location (the file name and location of the new BRICKSTORM instance vary by sample; see Table 10). BRICKSTORM then updates the PATH environment variable to include the new file location, ensuring the newly copied backdoor file is executed first. Subsequently, the parent instance terminates its own execution, allowing the new process to take over.

If the initial checks confirm that BRICKSTORM is running as intended (the variable is set), the self-watcher function allows the code to continue its operations.

See Table 10 for details on checked variables, processes, copied locations, and file names associated with the analyzed samples.

Table 10. BRICKSTORM Checked Variables, Processes, and Copied Names and Locations
Sample | Checked Environment Variable | Checked Process Existence | Copies To | Newly Copied File Name
Sample 1 | Sphere | vmware-sphere | /opt/vmware/sbin/ | vmware-sphere
Sample 2 | [redacted]NET3 | vnetd | /usr/java/jre-vmware/bin/ | updatemgr
Sample 3 | rcMJVF | vami | /etc/applmgmt/appliance/ | vami
Sample 4 | [redacted]NET5 | updatemgr | /usr/java/jre-vmware/bin/ | updatemgr
Sample 5 | DIGNN | updatemgr | /usr/java/jre-vmware/bin/ | updatemgr
Sample 6 | [redacted]NET3 | updatemgr | /usr/java/jre-vmware/ | updatemgr
Sample 7 | VREG | | |
Sample 8 | VARGS | | |
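
The initiation and persistence logic above (Table 9 and Table 10, together with the modified /etc/sysconfig/init file described under Malware Delivery) leaves host artifacts a responder can check for. The following Python audit is an added example, not CISA tooling or part of the report: given a filesystem root (a live appliance or a mounted image), it flags non-assignment lines in the init script, executable files sitting directly in the drop directories, and files present at the Table 9/10 copy paths; the "a benign init line is a variable assignment" heuristic and the demo directory tree are assumptions.

```python
"""Audit a filesystem root for the BRICKSTORM persistence artifacts this
report describes. Added example, not CISA tooling. Point it at / on a
live appliance or at the mount point of an image."""
import json
import re
import stat
import sys
import tempfile
from pathlib import Path

# Copy destinations taken from Tables 9 and 10 (relative to the root).
COPY_TARGETS = (
    "opt/vmware/sbin/vmware-sphere",
    "usr/java/jre-vmware/bin/updatemgr",
    "etc/applmgmt/appliance/vami",
)
# Directories the samples were dropped in and validated their own path against.
DROP_DIRS = ("etc/sysconfig", "etc/sysconfig/network")

# Assumption: a benign init line is blank, a comment, or a KEY=value setting
# (the report says the file normally only defines visual bootup variables).
_ASSIGNMENT = re.compile(r"^(export\s+)?[A-Za-z_][A-Za-z0-9_]*=")


def suspicious_init_lines(init_text: str) -> list[str]:
    """Lines of /etc/sysconfig/init that execute something rather than set a
    variable, such as the appended line that launched the backdoor."""
    hits = []
    for line in init_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or _ASSIGNMENT.match(stripped):
            continue
        hits.append(stripped)
    return hits


def executables_in_drop_dirs(root: Path) -> list[str]:
    """Executable regular files placed directly in a drop directory; these
    directories normally hold configuration, not binaries, so review each hit."""
    found = []
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    for rel in DROP_DIRS:
        directory = root / rel
        if not directory.is_dir():
            continue
        for entry in sorted(directory.iterdir()):
            if entry.is_file() and entry.stat().st_mode & exec_bits:
                found.append(str(entry.relative_to(root)))
    return found


def present_copy_targets(root: Path) -> list[str]:
    """Table 9/10 destinations that exist under the root."""
    return [rel for rel in COPY_TARGETS if (root / rel).exists()]


def audit_tree(root: Path) -> dict:
    """Run all three checks and return the findings for analyst review."""
    init_path = root / "etc/sysconfig/init"
    init_text = init_path.read_text(errors="replace") if init_path.is_file() else ""
    return {
        "init_lines": suspicious_init_lines(init_text),
        "drop_dir_executables": executables_in_drop_dirs(root),
        "copy_targets": present_copy_targets(root),
    }


def build_demo_tree() -> Path:
    """Constructed fixture mimicking the artifacts; not derived from a real image."""
    root = Path(tempfile.mkdtemp(prefix="brickstorm-demo-"))
    (root / "etc/sysconfig").mkdir(parents=True)
    (root / "etc/sysconfig/init").write_text(
        "# visual bootup settings\nBOOTUP=color\nRES_COL=60\n"
        "export LOGLEVEL=1\n/etc/sysconfig/vmsrc &\n"
    )
    dropped = root / "etc/sysconfig/vmsrc"
    dropped.write_bytes(b"\x7fELF")  # placeholder bytes, not malware
    dropped.chmod(0o755)
    (root / "opt/vmware/sbin").mkdir(parents=True)
    (root / "opt/vmware/sbin/vmware-sphere").write_bytes(b"\x7fELF")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_demo_tree()
    print(json.dumps(audit_tree(target), indent=2))
```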

Secure Command and Control

After passing initiation checks, BRICKSTORM establishes a connection to a C2 server, secures communications with the server, and enables cyber actors’ full control over the compromised system. This control includes capabilities such as file system management and interactive shell access. In most samples, BRICKSTORM also provides a SOCKS proxy to facilitate tunneling and lateral movement.

The implementation of these capabilities varies across samples, with notable differences in Samples 7 and 8, which specifically target virtualized environments.

Sample 1

Initial Connection to the C2 Server: Sample 1 first creates an encrypted Domain Name System (DNS) query for a hard-coded C2 domain (the domain has been redacted from this report because according to public reporting, the cyber threat actors are not reusing C2 domains).3 The sample uses DoH to resolve the address of its C2 servers by sending an encrypted HTTPS request to one of the following legitimate public DoH resolvers [T1071.001]:

If the C2 domain is not found in the public DoH resolver cache, the legitimate resolver forwards the request to the next server in the DNS hierarchy, ultimately reaching the threat actors’ DNS server. The DNS server responds with the correct IP address for the domain. The response is sent back through the legitimate DoH resolver to BRICKSTORM, which receives the encrypted response, decrypts it to get the C2 server’s IP address, and establishes a connection.

Establishing Secure Communications: Sample 1 establishes an encrypted connection to the C2 server using HTTPS, then upgrades the session to WebSockets with an additional layer of TLS encryption. To do this, Sample 1 first communicates over HTTPS with a specific legitimate cloud platform (redacted). The sample then sends an HTTP upgrade request to convert the initial encrypted HTTPS connection into a persistent WebSocket connection: wss://[REDACTED].com/api. Sample 1 nests additional layers of TLS encryption within the WebSocket session and performs a series of nested TLS handshakes within the established WebSocket tunnel. The first handshake is the standard TLS handshake for the initial HTTPS request to the cloud platform. The second TLS handshake occurs within the WebSocket tunnel, during which BRICKSTORM authenticates itself to the C2 server using a hard-coded key.

Upon successful authentication, BRICKSTORM establishes a multiplexing layer, which allows it to send multiple commands and data streams over the same connection. It does this using both Simple Multiplexing (smux) and Yet Another Multiplexer (Yamux) libraries to create virtual streams over a single underlying TLS-secured connection based on client configuration or handshake data. Multiplexing conceals threat actor activity by embedding multiple commands and network tunnels within a single encrypted stream.

See Figure 3 for the applicable decompiler output.

Figure 3. BRICKSTORM Decompiler Output for Establishing Secure Connections

Full System Control: Once the secure connection to the C2 domain is established, Sample 1 uses a custom Go package wssoft2 to manage incoming network connections and to process commands it receives. Commands are directed to one of three handlers based on the function it needs: SOCKS Handler, Web Service Handler, and Command Handler.

The SOCKS Handler sets up a SOCKS proxy [T1090.001] to route C2 traffic and facilitate lateral movement within the victim network. To set up the proxy, the handler parses JSON requests from the C2 server. If the request is valid, the handler delegates request handling to wssoft2/core/handler/socks.SocksWithLocalAddr, which performs SOCKS relaying and network tunneling over Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP).

See Figure 4 for the handler’s decompiler output.

Figure 4. SOCKS Handler Decompiler Output

The Web Service Handler establishes covert C2 communication by creating a legitimate-appearing web server on the compromised system. It uses the net/http package and gorilla/mux library to create the web server, which includes a hidden Application Programming Interface (API) endpoint for receiving and executing commands from the C2 server. See Figure 5 for the Web Service Handler decompiler output that sets up specific API endpoints.

Figure 5. Web Service Handler Decompiler Output Setting Up the Web Server With Specific API Endpoints

Through the API, the cyber actors can browse, upload, download, create, delete, and manipulate files and folders on the victim’s system. See Table 11 for file management commands contained in BRICKSTORM.

Table 11. BRICKSTORM File Management Commands
Command Function
file-md5 Calculates the MD5 checksum of a specified file to verify file integrity.
get-file Downloads a file from the compromised system to the C2 server [T1041].
list-dir Lists the contents of a directory on the compromised system (e.g., browses the file system) [T1083].
put-file Uploads a file from the C2 server to the compromised system.
slice-up Reads and downloads specific, partial sections of a file.

To evade detection, BRICKSTORM serves seemingly legitimate web file types, such as Hypertext Markup Language (HTML), Cascading Style Sheets (CSS), and JavaScript, from a designated directory.

See Figure 6 for the Web Service Handler decompiler output.

Figure 6. Web Service Handler Decompiler Output

The Command Handler executes shell commands on the compromised system, giving the cyber threat actors full control over it through interactive command-line access. The handler receives a JSON request from the C2 server, parses it, and extracts the command to run. The handler then sets up a pseudo-terminal (a virtual command-line interface) and runs the command on the victim system.

See Figure 7 for the Command Handler decompiler output.

Figure 7. Command Handler Decompiler Output

Samples 2 Through 6

Initial Connection to the C2 Server: Like Sample 1, these samples create an encrypted DNS query for hard-coded C2 domains (redacted) and use DoH to resolve the addresses of their C2 servers by sending an encrypted HTTPS request to one of the following legitimate public DoH resolvers:

Note: Some of these samples use XOR encryption to decrypt IPv4 addresses for DoH servers.

Establishing Secure Communications: Like Sample 1, these samples establish WebSocket Secure (WSS) connections with the C2 server and set up a multiplexing layer.

Full System Control: Once the connection is established with the C2 server via WebSockets, these BRICKSTORM samples receive commands that are directed to one of four specific handlers to perform tasks on the compromised system: SOCKS Handler, Web Service Handler, Command Handler, or CommandNoContext Handler. The SOCKS, Web Service, and Command Handlers function similarly to the Sample 1 handlers. The CommandNoContext Handler executes shell commands on the compromised system without using an explicit security context.

Sample 7

Initial Connection to the C2 Server: Sample 7 retrieves configuration parameters from environment variables, performs checks, generates a TLS configuration used for secure communication to BRICKSTORM’s client, and starts a network communications routine. This sample also uses a VSOCK interface to enable inter-VM communication, support data exfiltration, and maintain persistence in virtualized environments. 

Upon execution, Sample 7 retrieves the following three configuration values from environment variables using the os_Getenv function: listenAddr (the C2 address), listenPath (the connection path), and password (the pre-shared authentication key).

Establishing Secure Communications: Sample 7 establishes a secure WebSocket server with minimal external dependencies; specifically, all communication is encrypted using in-memory self-signed certificates. This enables encrypted communication without relying on publicly trusted Certificate Authorities (CAs) or storing certificate files on disk. It dynamically generates a self-signed X.509 certificate and a corresponding 2048-bit Rivest–Shamir–Adleman (RSA) private key in memory, loads them into a tls.Certificate struct, and assigns that struct to the Certificates field of a tls.Config object. Because standard net/http servers are configured through tls.Config, this allows the server to handle HTTPS/WSS connections using the in-memory self-signed certificate.

Sample 7 uses a single, multiplexed connection over secure WebSockets to communicate with a specified C2 address (retrieved from the listenAddr value) and path (retrieved from the listenPath value). During or before the WSS handshake, Sample 7 implements a custom authentication check involving the specific pre-shared authentication key (retrieved from the password value).

Full System Control: Once the WSS connection with the C2 server is established, Sample 7 processes incoming commands through one of four handlers: Web Service Handler, Command Handler, VSOCK-proxy handler, or VSOCK handler.

The Web Service Handler functions similarly to Sample 1’s Web Service Handler.

The Command Handler functions similarly to Sample 1’s Command Handler.

The VSOCK-proxy Handler performs VSOCK relaying and network tunneling. It implements a proxy with specific configuration arguments to establish a tunneled connection to process JSON payloads. First, the handler unmarshals the payload data and extracts and validates the TunnelAddr, Context ID (CID), Port, and Family configuration arguments. Based on the validated arguments, the handler binds to a specific VSOCK address (defined by the CID and port) and establishes a connection to the destination specified by TunnelAddr. When the connection is completed or terminated, the handler sends an appropriate success or error response back to the client. This functionality enables cyber actors to maintain covert communication channels, evade detection, and pivot within virtualized environments.

The VSOCK Connection Handler creates and connects to VSOCK endpoints to maintain covert connections within the virtual environment. It processes incoming network requests containing a JSON payload with specific configuration arguments for connecting to a VSOCK endpoint. The handler extracts the JSON payload from the request and uses a JSON parser to unmarshal the data into a structured object with fields for Context ID (CID), Port, and Family. The handler checks the unmarshalled data for validity and, if the configuration is valid, establishes a connection to a VSOCK endpoint using the specified CID and port number. If the virtual socket creation is successful, the handler allocates a new runtime object to hold the CID and port information. If unmarshalling fails, validation fails, or the destination connection cannot be established, the handler returns an appropriate error to the client.

Sample 8

Like Sample 7, Sample 8:

Sample 8’s handlers differ from Sample 7’s. In addition to a Web Service Handler, Command Handler, VSOCK-proxy Handler, and VSOCK Connection Handler, Sample 8 has two additional handlers: the SOCKS Handler (which functions similarly to Sample 1’s SOCKS Handler) and the CommandNoContext Handler (which functions similarly to the CommandNoContext Handler in Samples 2 through 6).

Detection

YARA Rules

Deploy the CISA-created YARA rules in Table 12 to detect malicious activity. See Appendix B: Scanning Guidance on Remote Hosts for guidance on how to identify activity with these rules.

Table 12. YARA Rules
BRICKSTORM Rule 1

rule CISA_251165_02 : BRICKSTORM backdoor installs_other_components communicates_with_c2 exfiltrates_data
{
    meta:
        author = "CISA Code & Media Analysis"
        incident = "251165"
        date = "2025-09-29"
        last_modified = "202051001_1008"
        actor = "n/a"
        family = "BRICKSTORM"
        capabilities = "installs-other-components communicates-with-c2 exfiltrates-data"
        malware_type = "backdoor"
        tool_type = "unknown"
        description = "Detects Go-Based BRICKSTORM backdoor samples"
        sha256_1 = "aaf5569c8e349c15028bc3fac09eb982efb06eabac955b705a6d447263658e38"
    strings:
        $s0 = { 6D 61 69 6E 2E 73 74 61 72 74 4E 65 77 }
        $s1 = { 6D 61 69 6E 2E 73 65 6C 66 57 61 74 63 68 65 72 }
        $s2 = { 6D 61 69 6E 2E 73 65 74 53 65 72 76 69 63 65 43 66 67 }
        $s3 = { 73 6F 63 6B 73 2E 48 61 6E 64 6C 65 53 6F 63 6B 73 52 65 71 75 65 73 74 }
        $s4 = { 77 65 62 2E 57 65 62 53 65 72 76 69 63 65 }
        $s5 = { 63 6F 6D 6D 61 6E 64 2E 48 61 6E 64 6C 65 54 54 59 52 65 71 75 65 73 74 }
        $s6 = { 77 65 62 73 6F 63 6B 65 74 2E 28 2A 57 53 43 6F 6E 6E 65 63 74 6F 72 29 2E 43 6F 6E 6E 65 63 74 }
        $s7 = { 66 73 2E 28 2A 57 65 62 53 65 72 76 65 72 29 2E 52 75 6E 53 65 72 76 65 72 }
        $s8 = { 68 74 74 70 73 3A 2F 2F 31 2E 30 2E 30 2E 31 2F 64 6E 73 2D 71 75 65 72 79 }
        $s9 = { 68 74 74 70 73 3A 2F 2F 31 2E 31 2E 31 2E 31 2F 64 6E 73 2D 71 75 65 72 79 }
        $s10 = { 68 74 74 70 73 3A 2F 2F 38 2E 38 2E 34 2E 34 2F 64 6E 73 2D 71 75 65 72 79 }
        $s11 = { 68 74 74 70 73 3A 2F 2F 38 2E 38 2E 38 2E 38 2F 64 6E 73 2D 71 75 65 72 79 }
        $s12 = { 68 74 74 70 73 3A 2F 2F 39 2E 39 2E 39 2E 39 2F 64 6E 73 2D 71 75 65 72 79 }
    condition:
        8 of them
}

BRICKSTORM Rule 2

rule CISA_251155_02 : BRICKSTORM backdoor installs_other_components communicates_with_c2 exfiltrates_data
{
    meta:
        author = "CISA Code & Media Analysis"
        incident = "251155"
        date = "2025-09-15"
        last_modified = "20250916_1511"
        actor = "n/a"
        family = "BRICKSTORM"
        capabilities = "installs-other-components communicates-with-c2 exfiltrates-data"
        malware_type = "backdoor"
        tool_type = "unknown"
        description = "Detects Go-Based BRICKSTORM backdoor samples"
        sha256_1 = "320a0b5d4900697e125cebb5ff03dee7368f8f087db1c1570b0b62f5a986d759"
        sha256_1 = "dfac2542a0ee65c474b91d3b352540a24f4e223f1b808b741cfe680263f0ee44"
        sha256_1 = "b91881cb1aa861138f2063ec130b2b01a8aaf0e3f04921e5cbfc61b09024bf12"
        sha256_1 = "bfb3ffd46b21b2281374cd60bc756fe2dcc32486dcc156c9bd98f24101145454"
    strings:
        $s0 = { 04 30 0F B6 54 04 2C 31 D1 88 4C 04 34 48 FF C0 }
        $s1 = { 48 83 F8 04 7C E7 48 C7 04 24 }
        $s2 = { 48 8D 44 24 34 48 89 44 24 08 48 C7 44 24 10 04 }
        $s3 = { 48 89 44 24 48 48 89 4C 24 50 48 8B 6C 24 38 48 }
        $s4 = { 48 83 EC 40 48 89 6C 24 38 48 8D 6C 24 38 C7 44 24 }
        $s5 = { 83 EC 38 48 89 6C 24 30 48 8D 6C 24 30 C6 44 24 }
        $s6 = { 4C 24 20 48 89 44 24 40 48 89 4C 24 48 48 8B 6C }
        $s7 = { 64 48 8B 0C 25 F8 FF FF FF 48 3B 61 10 0F 86 81 }
        $s8 = { 64 48 8B 0C 25 F8 FF FF FF 48 3B 61 10 0F 86 91 }
    condition:
        all of them
}
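
Rule 1's strings are hex-encoded ASCII. The following Python helper is an added example, not part of the report and not a YARA replacement: it decodes those strings to show what the rule actually looks for (Go function names, which survive in the pclntab of a stripped Go binary, and the DoH query URLs) and applies the rule's "8 of them" condition to constructed byte buffers. It supports only the plain hex strings this rule uses, not wildcards or jumps.

```python
"""Decode the hex strings of CISA YARA Rule 1 and evaluate its "8 of them"
condition. Added example, not CISA tooling and not a YARA replacement: it
supports only plain hex strings, which is all Rule 1 uses."""
import re

# Copied from the strings section of rule CISA_251165_02 above.
RULE1_STRINGS = """
$s0 = { 6D 61 69 6E 2E 73 74 61 72 74 4E 65 77 }
$s1 = { 6D 61 69 6E 2E 73 65 6C 66 57 61 74 63 68 65 72 }
$s2 = { 6D 61 69 6E 2E 73 65 74 53 65 72 76 69 63 65 43 66 67 }
$s3 = { 73 6F 63 6B 73 2E 48 61 6E 64 6C 65 53 6F 63 6B 73 52 65 71 75 65 73 74 }
$s4 = { 77 65 62 2E 57 65 62 53 65 72 76 69 63 65 }
$s5 = { 63 6F 6D 6D 61 6E 64 2E 48 61 6E 64 6C 65 54 54 59 52 65 71 75 65 73 74 }
$s6 = { 77 65 62 73 6F 63 6B 65 74 2E 28 2A 57 53 43 6F 6E 6E 65 63 74 6F 72 29 2E 43 6F 6E 6E 65 63 74 }
$s7 = { 66 73 2E 28 2A 57 65 62 53 65 72 76 65 72 29 2E 52 75 6E 53 65 72 76 65 72 }
$s8 = { 68 74 74 70 73 3A 2F 2F 31 2E 30 2E 30 2E 31 2F 64 6E 73 2D 71 75 65 72 79 }
$s9 = { 68 74 74 70 73 3A 2F 2F 31 2E 31 2E 31 2E 31 2F 64 6E 73 2D 71 75 65 72 79 }
$s10 = { 68 74 74 70 73 3A 2F 2F 38 2E 38 2E 34 2E 34 2F 64 6E 73 2D 71 75 65 72 79 }
$s11 = { 68 74 74 70 73 3A 2F 2F 38 2E 38 2E 38 2E 38 2F 64 6E 73 2D 71 75 65 72 79 }
$s12 = { 68 74 74 70 73 3A 2F 2F 39 2E 39 2E 39 2E 39 2F 64 6E 73 2D 71 75 65 72 79 }
"""
RULE1_THRESHOLD = 8  # the rule's condition is "8 of them"

# One hex-string definition per line: $name = { XX XX ... }
_HEX_DEF = re.compile(r"^\s*(\$\w+)\s*=\s*\{([0-9A-Fa-f\s]+)\}\s*$", re.MULTILINE)


def parse_hex_strings(strings_section: str) -> dict[str, bytes]:
    """Map each $name to the raw bytes the rule searches for."""
    return {name: bytes.fromhex(body) for name, body in _HEX_DEF.findall(strings_section)}


def decode_ascii(patterns: dict[str, bytes]) -> dict[str, str]:
    """Readable form of each pattern: Go symbol names and DoH query URLs."""
    return {name: raw.decode("ascii") for name, raw in patterns.items()}


def matched(patterns: dict[str, bytes], data: bytes) -> list[str]:
    """Names of the patterns that occur anywhere in data (YARA's $s semantics)."""
    return sorted(name for name, raw in patterns.items() if raw in data)


def n_of_them(patterns: dict[str, bytes], data: bytes, n: int) -> bool:
    """YARA's 'n of them': true when at least n distinct strings match."""
    return len(matched(patterns, data)) >= n


def evaluate_rule1(data: bytes) -> bool:
    return n_of_them(parse_hex_strings(RULE1_STRINGS), data, RULE1_THRESHOLD)


# Constructed buffers standing in for file contents; not real samples. Go
# keeps function names in the pclntab even after stripping, which is why a
# stripped backdoor still carries these symbols.
DEMO_POSITIVE = b"\x7fELF" + b"\x00".join([
    b"main.startNew", b"main.selfWatcher", b"main.setServiceCfg",
    b"socks.HandleSocksRequest", b"web.WebService", b"command.HandleTTYRequest",
    b"websocket.(*WSConnector).Connect", b"fs.(*WebServer).RunServer",
    b"https://1.1.1.1/dns-query",
]) + b"\x00" * 16
# Only three of thirteen strings: a DoH-using Go program is not enough on its own.
DEMO_NEGATIVE = (b"\x7fELF\x00main.startNew\x00https://8.8.4.4/dns-query"
                 b"\x00https://1.1.1.1/dns-query")

if __name__ == "__main__":
    for name, text in decode_ascii(parse_hex_strings(RULE1_STRINGS)).items():
        print(f"{name:>5} -> {text}")
    print("positive buffer matches:", evaluate_rule1(DEMO_POSITIVE))
    print("negative buffer matches:", evaluate_rule1(DEMO_NEGATIVE))
```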

Sigma Rule

Deploy the CISA-created Sigma rule in Table 13 to detect BRICKSTORM.

Note: This rule can be run in an entity’s security information and event management (SIEM) system, but it will only be useful if the SIEM contains the vCenter logs. Additionally, this detection method will not work if run on endpoint detection and response (EDR) logs.

Table 13. Sigma Rule
BRICKSTORM

                             ## CISA Code & Media Analysis ##

                            ############ README ###############

## Edit rules and queries as needed for your hunt and based on your environment.

## Ensure your EDR/SIEM instance has enough memory to run these AND/OR condition based queries. May take longer to run than conventional Sigma rule query. 

## Do not edit "logsource-product:" unless you are editing this rule to meet specific logsources/fields and know your environment.

## TLP GREEN + Please use local installation of Sigma to convert this rule.

## TLP CLEAR may convert rules using online converter of choice.

                           ###################################

title: BRICKSTORM Backdoor Activity r2

incident: 251157.r2

tlp: CLEAR

id: 329bec83-54bd-405f-a5ab-ba97ec5e6057

status: test

description: BRICKSTORM malware is a backdoor with multiple capabilities that threat actors use to set up persistence on exploited systems.

references:

    - https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign

    - https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement

    - https://ctid.mitre.org/blog/2024/05/22/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion/

    - https://cybersecuritynews.com/new-brickstorm-stealthy-backdoor/

author: CISA Code & Media Analysis

date: 2025-09-29

modified: 2025-09-29

tags: 

    - attack.brickstorm

    - attack.unc5221

logsource:

    product: cma

detection:

    keywords_1:

        - 'vCenter'

    keywords_2:

        - 'inventory object'

        - 'object'

    keywords_3:

        - 'clone'

        - 'destroy'

 

    keywords_4:
        - 'GET'
        - 'POST'
        - 'PUT'
    keywords_5:
        - 'HTTP/1.1'
    keywords_6:
        - '200'
    keywords_7:
        - '/rest/com/vmware/cis/session'
        - '/rest/appliance/access/ssh'
    keywords_8:
        - 'User Agent'

    keywords_9:
        - 'sed -i'
    keywords_10:
        - 'export'
        - 'echo'
    keywords_11:
        - 'vami-lighttp'
        - '/etc/sysconfig/init'

    keywords_12:
        - 'Administrator'
    keywords_13:
        - 'Creating local person user'
        - 'Adding users'
        - 'Updating local group'
        - 'Removing principals'
        - 'Deleting principal'
    keywords_14:
        - 'PrincipalManagement'

    keywords_15:
        - 'sshd'
    keywords_16:
        - 'Postponed keyboard-interactive/pam'

    keywords_17:
        - '/bin/vmx'
    keywords_18:
        - '-x'
    keywords_19:
        - '/vmfs/volumes.vmx'
    keywords_20:
        - '2>/dev/null'
    keywords_21:
        - '0>/dev/null'

    keywords_22:
        - '$parts ='
    keywords_23:
        - 'Get-Item -Path'
    keywords_24:
        - '"C:\Windows\System32\drivers\etc\hosts":frag*'
    keywords_25:
        - '$loader ='
    keywords_26:
        - '[IO.File]::ReadAllText'
    keywords_27:
        - 'Invoke-Expression $loader'

    keywords_28:
        - 'cp'
        - 'delete'
    keywords_29:
        - 'home/vsphere-ui/vcli'
        - '/opt/vmware/sbin'
    keywords_30:
        - 'vami-httpd'

    keywords_31:
        - 'testComputer$'
    keywords_32:
        - 'ldap-ivanti'

    keywords_33:
        - 'https://9.9.9.9/dns-query'
        - 'https://45.90.28.160/dns-query'
        - 'https://45.90.30.160/dns-query'
        - 'https://149.112.112.112/dns-query'
        - 'https://9.9.9.11/dns-query'
        - 'https://1.1.1.1/dns-query'
        - 'https://1.0.0.1/dns-query'
        - 'https://8.8.8.8/dns-query'
        - 'https://8.8.4.4/dns-query'
        - '/home/bin/netmon'
        - '/home/bin/logd'
        - '/home/runtime/logd'
        - '/home/config/logd.spec.cfg'
        - '/api/file/change-dir'
        - '/api/file/delete-dir'
        - '/api/file/delete-file'
        - '/api/file/mkdir'
        - '/api/file/list-dir'
        - '/api/file/rename'
        - '/api/file/put-file'
        - '/api/file/get-file'
        - '/api/file/slice-up'
        - '/api/file/file-md5'
        - '/api/file/up'
        - '/api/file/stat'

    # Sigma evaluates 'and' before 'or': each run of and-joined groups below is one independent branch.
    condition: keywords_1 and keywords_2 and keywords_3 or keywords_4 and keywords_5 and keywords_6 and keywords_7 and keywords_8 or keywords_9 and keywords_10 and keywords_11 or keywords_12 and keywords_13 and keywords_14 or keywords_15 and keywords_16 or keywords_17 and keywords_18 and keywords_19 and keywords_20 and keywords_21 or keywords_22 and keywords_23 and keywords_24 and keywords_25 and keywords_26 and keywords_27 or keywords_28 and keywords_29 and keywords_30 or keywords_31 and keywords_32 or keywords_33

falsepositives:
    - The false-positive rate is low to moderate for some of the strings.
    - Use this rule against logs from an environment suspected of infection.
    - Analysts may need to adjust the query as required.

level: high
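As an added example (not part of the advisory or of any vendor tooling), the following Python evaluator applies three of the rule's keyword branches to constructed log lines, showing how Sigma's precedence ('and' binds tighter than 'or') turns the long condition into independent branches, and which branch fired. The log lines are constructed for illustration; only keywords_4 through keywords_11 and keywords_15/16 from the rule above are included.

```python
# Keyword groups copied from the rule; only three of its 'or' branches are included.
KEYWORDS = {
    "keywords_4": ["GET", "POST", "PUT"],
    "keywords_5": ["HTTP/1.1"],
    "keywords_6": ["200"],
    "keywords_7": ["/rest/com/vmware/cis/session", "/rest/appliance/access/ssh"],
    "keywords_8": ["User Agent"],
    "keywords_9": ["sed -i"],
    "keywords_10": ["export", "echo"],
    "keywords_11": ["vami-lighttp", "/etc/sysconfig/init"],
    "keywords_15": ["sshd"],
    "keywords_16": ["Postponed keyboard-interactive/pam"],
}

# Matching slice of the rule's condition line (same wording as the advisory).
CONDITION = ("keywords_4 and keywords_5 and keywords_6 and keywords_7 and keywords_8 "
             "or keywords_9 and keywords_10 and keywords_11 "
             "or keywords_15 and keywords_16")

def parse_condition(condition):
    """Split a flat (parenthesis-free) Sigma condition into its AND-branches."""
    return [[g.strip() for g in branch.split(" and ")]
            for branch in condition.split(" or ")]

def group_matches(group, event):
    """Sigma keywords match as case-insensitive substrings; any string in the group suffices."""
    low = event.lower()
    return any(k.lower() in low for k in KEYWORDS[group])

def matched_branches(condition, event):
    """1-based indexes of the AND-branches that fire on this event (handy for triage)."""
    return [i for i, branch in enumerate(parse_condition(condition), 1)
            if all(group_matches(g, event) for g in branch)]

def evaluate(condition, event):
    """True when at least one branch fires, i.e. the rule would alert on this event."""
    return bool(matched_branches(condition, event))

# Constructed sample events for illustration, not real log data.
SAMPLES = [
    "POST /rest/com/vmware/cis/session HTTP/1.1 200 User Agent: python-requests",
    "sed -i 's/x/y/' /etc/sysconfig/init; export FOO=1; echo vami-lighttp",
    "sshd[1234]: Postponed keyboard-interactive/pam for root from 10.0.0.5",
    "GET /ui/login HTTP/1.1 200 User Agent: Mozilla",  # no session/ssh path: no alert
]

if __name__ == "__main__":
    for event in SAMPLES:
        print(evaluate(CONDITION, event), matched_branches(CONDITION, event), event)
```

Note that the third sample also satisfies keywords_4 through the substring "post" in "Postponed", which is the kind of incidental hit behind the rule's false-positive caveat; it only alerts because the whole sshd branch matches.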

Additional Detection Resources

See the following resources for detecting BRICKSTORM.

Google Mandiant’s tactics, techniques, and procedures (TTPs)-based hunt guidance and YARA detection rules, provided in Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors.

Google Mandiant’s BRICKSTORM Espionage Campaign YARA Rules, available on GitHub.

Google Mandiant’s BRICKSTORM Scanner: BRICKSTORM Indicator of Compromise Scanner.

Use the script by first mounting an image followed by the scan.

To mount the image:

To unmount the image:

The script can also be used by mounting a remote server to your local VM to scan its file system:

NVISO’s analysis of Windows-based variants with IOCs and detection rules contains YARA and other detection and hunting rules. See NVISO Incident Response BRICKSTORM Backdoor Analysis.

CrowdStrike’s VirtualGHOST PowerShell Script: CrowdStrike / VirtualGHOST

This script can be used to identify unregistered VMware VMs.

To run the script in PowerShell or pwsh, complete the following steps:

  1. Set-ExecutionPolicy RemoteSigned
  2. Install-Module -Name VMware.PowerCLI -Scope CurrentUser
  3. Import-Module VMware.PowerCLI
  4. Get-Module -ListAvailable VMware.PowerCLI

To run the script in Windows, use .\Detect-VirtualGHOST.ps1.

To run the script in Linux, first install PowerShell with sudo apt install -y powershell.

For vCenter servers, use username@domain.local instead of root. For ESXi servers, you may use the root username.

Incident Response

U.S. organizations: If BRICKSTORM, similar malware, or potentially related activity is detected, CISA and NSA urge organizations to report the activity as required by law and applicable policies. To enable CISA to provide tailored incident response assistance and build a comprehensive picture of this activity, CISA and NSA urge organizations to:

  1. Immediately report the findings via CISA’s 24/7 Operations Center (contact@cisa.dhs.gov), 1-844-Say-CISA (1-844-729-2472), or CISA’s Incident Reporting System. Please identify that the activity is related to BRICKSTORM, and CISA will reach out with next steps.
  2. Use CISA’s Malware Analysis Submission Form to submit a file containing the malicious code. Include the CISA-provided Incident ID number (obtained from reporting the compromise) in the Open Incident ID field.

Canadian organizations: Report incidents by emailing Cyber Centre at contact@cyber.gc.ca or online via the reporting tool Report a Cyber Incident - Canadian Centre for Cyber Security.

Mitigations

CISA, NSA, and Cyber Centre recommend organizations implement the mitigations below to improve their cybersecurity posture based on the cyber actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.

Disclaimer

CISA, NSA, and Cyber Centre do not endorse any commercial entity, product, company, or service, including any entities, products, companies, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA, NSA, or Cyber Centre.

Acknowledgements

VMware contributed to this advisory.

Version History

December 4, 2025: Initial version.

Appendix A: MITRE ATT&CK Techniques

See Table 14 through Table 20 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

Table 14. Persistence

Technique Title | ID | Use
Boot or Logon Initialization Scripts | T1037 | The cyber actors modify the init file to execute BRICKSTORM.
Hijack Execution Flow: Path Interception by PATH Environment Variable | T1574.007 | BRICKSTORM modifies the PATH environment variable so that the copied version of BRICKSTORM will execute if commands or processes reference it.
Server Software Component: Web Shell | T1505.003 | The cyber actors accessed a web server inside a victim organization’s DMZ using a web shell.

Table 15. Privilege Escalation

Technique Title | ID | Use
Abuse Elevation Control Mechanism: Sudo and Sudo Caching | T1548.003 | The cyber actors elevated privileges using the sudo command.

Table 16. Defense Evasion

Technique Title | ID | Use
Masquerading | T1036 | Some BRICKSTORM samples mimic legitimate names. For example, Sample 1, which was obtained from a VMware vSphere platform, is named vmsrc or vmware-sphere.
Valid Accounts | T1078 | The cyber actors moved laterally using RDP with valid service account credentials.

Table 17. Discovery

Technique Title | ID | Use
File and Directory Discovery | T1083 | BRICKSTORM can list directory contents on the compromised system.

Table 18. Credential Access

Technique Title | ID | Use
OS Credential Dumping: NTDS | T1003.003 | The cyber actors copied ntds.dit.

Table 19. Command and Control

Technique Title | ID | Use
Application Layer Protocol: Web Protocols | T1071.001 | BRICKSTORM uses DoH to resolve the address of its C2 servers by sending an encrypted HTTPS request.
Ingress Tool Transfer | T1105 | The cyber actors dropped BRICKSTORM malware in the VMware vSphere server’s /etc/sysconfig/ directory. BRICKSTORM can download files from the cyber actors’ C2 server to the compromised system.
Proxy: Internal Proxy | T1090.001 | BRICKSTORM sets up a SOCKS proxy that routes C2 traffic and allows cyber actors to move laterally throughout the victim network.

Table 20. Exfiltration

Technique Title | ID | Use
Exfiltration Over C2 Channel | T1041 | BRICKSTORM can upload files from the victim system to the cyber actors’ C2 server.

Appendix B: Scanning Guidance on Remote Hosts

The following tools are designed to support the identification of potentially malicious artifacts and activities but should not be used as standalone detection mechanisms.

Remote YARA Scan Using Nessus

  1. Log into Nessus and go to “My Account.”
  2. Press the “About” tab on the left side.
  3. Go to the Software Update tab and manually update all components.
  4. After the update is done, select “Scans” at the top and press the “New Scan” button.
  5. Select “Advanced Scan.”
  6. Give a name and description to your scan.
  7. In the “Targets” section, input the IP address of the remote server you want to scan.
  8. On the left pane under Settings, select “Assessment” then “Malware.”
  9. Toggle “Scan for malware” on.
  10. Scroll down to “Yara Rules” and add your Yara rules file.
  11. Select the filesystem and drives to scan.
  12. Go back to the top and press the “Credentials” tab.
  13. Select SSH or Windows and input the credentials of the server.
  14. Nessus needs credentials to be able to do a Yara scan on the filesystem of the remote server.
  15. In the “Plugins” tab, make sure to “Enable All.”
  16. Launch the scan.

Remote YARA Scan without Nessus

  1. Mount the remote server to Kali to scan the filesystem
    1. sudo apt update
    2. sudo apt install -y sshfs
    3. sudo mkdir -p /mnt/remote-server
    4. sudo chown $(whoami):$(whoami) /mnt/remote-server
    5. sudo sed -i 's/^# *user_allow_other/user_allow_other/' /etc/fuse.conf || echo 'user_allow_other' | sudo tee -a /etc/fuse.conf
    6. sudo sshfs root@IPAddress:/ /mnt/remote-server
    7. sudo ls -la /mnt/remote-server
    8. sudo yara yara.rule -r /mnt/remote-server
    9. sudo umount -l /mnt/remote-server
    10. ls -la /mnt/remote-server

For more information see Tenable’s Threat Hunting with YARA and Nessus.

Notes

1 Matt Lin et al., “Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies,” Google Cloud Blog, April 4, 2024, https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement.

2 Maxime, “NVISO analyzes BRICKSTORM espionage backdoor,” NVISO, April 15, 2025, https://www.nviso.eu/blog/nviso-analyzes-brickstorm-espionage-backdoor.

3 Sarah Yoder et al., “Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors,” Google Cloud Blog, September 24, 2025, https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign.

Mitsubishi Electric GX Works2


1. EXECUTIVE SUMMARY

2. RISK EVALUATION

Successful exploitation of this vulnerability could open project files protected by user authentication using disclosed credential information, and obtain or modify project information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of GX Works2 are affected:

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

An attacker could disclose credential information stored in plaintext from project files. As a result, the attacker may be able to open project files protected by user authentication using disclosed credential information, and obtain or modify project information.

CVE-2025-3784 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-3784. A base score of 6.8 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

3.4 RESEARCHER

Jiho Shin of Sungkyunkwan University reported this vulnerability to Mitsubishi Electric. Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

The fixed version for this vulnerability is currently under development by Mitsubishi Electric. Until the fixed version is released, please implement the following mitigations:

See Mitsubishi Electric's security bulletin for information on the availability of the security updates.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY
