
Quest Security and Service Advisories

February 2026

Security Advisory: Notepad++ Update Compromise (2/4):

Quest is advising our customers of a recent compromise involving the well-known text editor Notepad++, widely used by IT admins and developers.

What Was Discovered

The Notepad++ development team and independent researchers confirmed this week that the software’s official update infrastructure was compromised by a sophisticated threat actor between June and December 2025. During this period, certain update requests were intercepted and redirected to attacker-controlled servers, which delivered malicious payloads instead of legitimate update files.

The identified malware included a custom backdoor (dubbed “Chrysalis”), capable of providing persistent remote access. This activity is believed to be the result of a compromised update service, not a flaw in the application itself.

What Happened

  1. Targeted users who checked for updates through the hijacked update mechanism could have received a trojanized installer that dropped additional malicious components.
  2. This did not affect all users, only specific users targeted by the threat actors.
  3. The activity has been attributed to the Lotus Blossom group, a China-linked espionage actor known for targeted supply-chain and reconnaissance operations.

What Was the Impact

  1. Unauthorized code execution on affected systems via malicious update components.
  2. Backdoor installation (e.g., Chrysalis) granting remote persistent access.
  3. Credential theft or lateral movement in environments where affected systems had elevated privileges.

Who Is at Risk

The attack is believed to be highly selective rather than broadly distributed. However, systems that installed Notepad++ updates from mid-2025 may be at risk.

What Does Quest Recommend?

  1. Ensure all Notepad++ installations are updated to version 8.8.9 or higher from the official source.
  2. Remove older or unknown installers and unused plugins.
  3. Add known IOCs to EDR/AV platforms and isolate any affected systems.

Quest is actively reviewing telemetry and can assist with version checks, IOC scanning, and remediation. Please reach out and let us know how we can help.

January 2026

Security Advisory: Cisco Communications Manager Vulnerability impacting Multiple Products (1/22):

Quest has been notified of a security advisory addressing critical vulnerabilities in multiple Cisco Unified Communications Manager products. Cisco has urgently patched a critical security vulnerability that could allow unauthenticated users to perform privilege escalation exploits on impacted products listed in their Security Advisory.

Vendor: Cisco (Unified CM, Unified CM SME, Unified CM IM&P, UC, Cisco Webex Calling)

CVE(s): CVE-2026-20045

CVSS: 8.2 (Critical)

In the wild: Yes

Unauthenticated: Yes

Description: A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device.

Impact: This vulnerability could enable attackers to gain admin-level / root privileges on affected systems.

Workarounds: No

Link to source(s): Cisco Security Advisory

Indicators of Compromise (IOC) available: No

Recommendation: Review the vendor advisory, confirm applicability, and update to a patched version as soon as feasible.

If you need help reviewing or patching the affected Cisco products, or would like to discuss these vulnerabilities further, please let us know.

Security Advisory: Strengthen Email Security with BIMI (1/20):

As the sophistication of email attacks against organizations continues to grow, there is a simple but powerful way to improve protection against phishing while also strengthening brand trust. That technology is called BIMI (Brand Indicators for Message Identification), which allows your verified company logo to appear next to legitimate emails in employee and customer inboxes. This gives recipients a quick visual signal that a message is authentic and not a spoofed email.

BIMI works alongside traditional email security controls like SPF, DKIM, and DMARC to ensure that only properly authenticated emails receive this brand indicator.

A recent high-profile example where BIMI proved valuable occurred during the widespread wave of Instagram password reset emails earlier this month.

1. Valid password reset emails were being sent from Instagram but were not initiated by the users themselves

2. As this issue became publicized, threat actors quickly weaponized the situation by sending spoofed messages with identical content but not from Instagram

3. Many recipients struggled to distinguish real messages from fake ones because sender names and addresses appeared legitimate

4. Instagram had BIMI enabled for their domain, ensuring their logo was visible in official messages

5. This allowed Instagram to communicate to users a simple and reliable way to identify valid emails

6. This visual distinction helped users pause, verify, and avoid malicious links

Example of a phishing email without BIMI (image)

Valid email with BIMI logo (image)

Beyond security, BIMI also strengthens brand confidence

1. Recipients see your logo consistently in the inbox, reinforcing brand recognition

2. Users gain confidence that messages truly come from your organization

3. Customers are less likely to ignore or mistrust legitimate communications

Major email providers such as Google, Yahoo, and Apple validate BIMI participation. This means your organization is not only improving security but also meeting higher trust standards recognized by leading email platforms.
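The prerequisites above can be checked mechanically. The following readiness check is an added example written for this advisory, not a Quest tool: it parses a domain's DMARC and BIMI TXT records (supplied here as constructed sample records rather than live DNS lookups) and reports what would stop the logo from being displayed. The domain names, record values and message wording are this example's own.

```python
from urllib.parse import urlparse

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record into a dict with lowercase keys."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def check_dmarc(txt):
    """BIMI needs DMARC at enforcement: p=reject, or p=quarantine with pct=100, and no sp=none."""
    t = parse_tags(txt)
    problems = []
    if t.get("v") != "DMARC1":
        problems.append("DMARC: missing v=DMARC1 tag")
    p = t.get("p", "none").lower()
    if p not in ("quarantine", "reject"):
        problems.append(f"DMARC: p={p} is not enforcing (need quarantine or reject)")
    if p == "quarantine" and t.get("pct", "100") != "100":
        problems.append(f"DMARC: pct={t['pct']} must be 100 for BIMI")
    if t.get("sp", "").lower() == "none":
        problems.append("DMARC: sp=none disqualifies the domain from BIMI")
    return problems

def check_bimi(txt):
    """BIMI record: v=BIMI1, l= HTTPS URL to an SVG logo, a= HTTPS URL to a PEM-encoded VMC."""
    t = parse_tags(txt)
    problems = []
    if t.get("v") != "BIMI1":
        problems.append("BIMI: missing v=BIMI1 tag")
    logo = urlparse(t.get("l", ""))
    if logo.scheme != "https" or not logo.path.lower().endswith(".svg"):
        problems.append(f"BIMI: l={t.get('l', '')!r} must be an HTTPS URL to an SVG logo")
    vmc = urlparse(t.get("a", ""))
    if not t.get("a"):
        problems.append("BIMI: no a= tag; providers such as Gmail require a VMC before showing the logo")
    elif vmc.scheme != "https" or not vmc.path.lower().endswith(".pem"):
        problems.append(f"BIMI: a={t['a']!r} must be an HTTPS URL to a PEM-encoded VMC")
    return problems

def bimi_readiness(txt_records, domain):
    """Return all findings for a domain; an empty list means the domain is BIMI-ready."""
    dmarc = txt_records.get(f"_dmarc.{domain}")
    bimi = txt_records.get(f"default._bimi.{domain}")
    findings = check_dmarc(dmarc) if dmarc else ["DMARC: no _dmarc record"]
    findings += check_bimi(bimi) if bimi else ["BIMI: no default._bimi record"]
    return findings

# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=50; sp=none; rua=mailto:dmarc@example.com",
    "default._bimi.example.com": "v=BIMI1; l=http://example.com/logo.png",
    "_dmarc.ready.example": "v=DMARC1; p=reject; rua=mailto:dmarc@ready.example",
    "default._bimi.ready.example": "v=BIMI1; l=https://ready.example/bimi/logo.svg; a=https://ready.example/bimi/vmc.pem",
}
```

Calling `bimi_readiness(SAMPLE_DNS, "example.com")` returns four findings (pct, sp, logo URL, missing VMC), while `ready.example` returns an empty list.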

Quest can guide you through:

1. DMARC readiness and enforcement

2. SPF and DKIM validation

3. BIMI record configuration

4. Verified Mark Certificate guidance

If you would like a short BIMI readiness review or technical walkthrough, please let our team know.

Security Advisory: Fortinet Vulnerability impacting Multiple Products (1/15):

Quest has been notified of a security advisory addressing a vulnerability in Fortinet products. Fortinet has patched the vulnerability that could allow unauthenticated users to execute arbitrary code or commands via specifically crafted requests.

Vendor: Fortinet (FortiOS and FortiSwitchManager)

CVE(s): CVE-2025-25249

CVSS: 7.4 (High)

In the wild: No

Unauthenticated: Yes

Description: A heap-based buffer overflow vulnerability in FortiOS and FortiSwitchManager cw_acd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests.

Impact: This vulnerability could enable attackers to gain admin-level privileges on affected systems.

Workarounds: Yes, temporary workarounds are available until upgrading to a non-affected version.

Link to source(s): Fortinet Security Advisory

Indicators of Compromise (IOC) available: No

Recommendation: Review the vendor advisory, confirm applicability, apply the workaround, and update to a patched version as soon as feasible.

If you need assistance reviewing or implementing the temporary workaround, patching impacted Fortinet products, or discussing these vulnerabilities in more detail, please reply to this email, and we will set up a call.

December 2025

Security Advisory: BRICKSTORM Malware Targeting VMware and Windows (12/19):

Quest has been made aware of BRICKSTORM, a critical backdoor malware campaign actively targeting VMware vSphere environments, including ESXi and vCenter, as well as Windows systems. This threat enables stealthy, long-term access and can be used to exfiltrate VM snapshots, harvest credentials, and run remote shells. If you manage VMware or Windows servers, act now.

Link to Source(s):

Who’s Affected:

  • VMware ESXi hosts
  • VMware vCenter servers
  • Windows servers and desktops

Immediate Actions (Do These Now):

  1. Scan systems using the latest YARA and Sigma rules from the CISA MAR.
  2. Patch Windows and VMware components to the latest releases.
  3. Audit VMware for unauthorized VMs, snapshots, or unexpected processes.
  4. Block risky protocols such as DNS-over-HTTPS and inspect encrypted WebSocket traffic.
  5. Segment networks — enforce strict separation between DMZ and internal systems.
  6. Monitor for anomalous processes, SOCKS proxying, and unusual outbound connections.

Temporary Mitigations:

  • Restrict DNS-over-HTTPS and suspicious encrypted traffic.
  • Apply stricter firewall rules and microsegmentation.
  • Increase logging and alerting on vCenter/ESXi and Windows endpoints.
  • Ensure the latest Windows and VMware patches are installed.

Indicators and Resources:

  • IOCs Available: Hashes, YARA, and Sigma rules included in CISA MAR 251165.
  • Reference: CISA Malware Analysis Report – BRICKSTORM Backdoor

If you need assistance reviewing or implementing the mitigations and recommendations, or if you’d like to discuss these vulnerabilities in more detail, please let us know.

Security Advisory: Critical Vulnerabilities in React Server Components (12/10):

Quest has been made aware of a critical vulnerability affecting web applications built with React Server Components (RSC) and related frameworks such as Next.js. Known as React2Shell, this flaw allows unauthenticated remote code execution (RCE) through specially crafted HTTP requests.

If you use React Server Components or frameworks like Next.js, patch now and implement temporary mitigations to prevent compromise.

Vendor: Meta (React), Vercel (Next.js)

CVE(s): CVE-2025-55182

CVSS: 10.0 (Critical)

In the Wild: Yes; active exploitation confirmed

Unauthenticated: Yes

Description: A critical vulnerability in React Server Components (RSC) allows unauthenticated remote code execution (RCE) via unsafe deserialization in the Flight protocol. Attackers can send specially crafted HTTP requests to React Server Function endpoints, enabling arbitrary code execution without credentials. Internet-facing devices running vulnerable versions are being targeted by threat actors; immediate action is required.

Impact: Full server compromise, including ability to install web shells, deploy malware, and pivot within the environment. Exploits are low complexity and hard to detect.

Affected Versions:

  • React: 19.0.0, 19.1.0, 19.1.1, 19.2.0
  • RSC packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (same versions)
  • Next.js: 14.3.0-canary.77+, all 15.x, all 16.x

Workarounds: Yes (temporary): apply WAF rules to block suspicious payloads (__proto__, constructor, prototype) and monitor logs until patched.

Link to source(s):

CVE Record: CVE-2025-55182

CISA Adds One Known Exploited Vulnerability to Catalog

Indicators of Compromise (IOC) available: Limited – Look for unusual POST requests targeting RSC endpoints and signs of reverse shells or web shells.

Mitigation & Recommendations:

  1. Upgrade Immediately:
    • React: 19.0.1, 19.1.2, 19.2.1 or newer
    • Next.js: >=15.0.5, 16.0.7, or latest patched versions
  2. Apply WAF Rules: Block suspicious payloads containing __proto__, constructor, or prototype.
  3. Audit Applications: Review for RSC exposure and tighten server permissions.
  4. Monitor Systems: Look for unusual POST requests and signs of compromise.
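To make the monitoring step concrete, here is an added example (written for this advisory, not code from Meta, Vercel or Quest) that scans a request log for POST requests bound for React Server Function endpoints whose bodies contain the three markers the WAF guidance names. The log format and field names are this example's own, and the sample lines are constructed; the assumed signals for an RSC-bound request are the Next-Action header that Next.js sets on server-function calls and a small set of application paths.

```python
import json
import re

# Strings the advisory recommends blocking at the WAF, matched case-insensitively in request bodies.
SUSPICIOUS_MARKERS = ("__proto__", "constructor", "prototype")
MARKER_RE = re.compile("|".join(re.escape(m) for m in SUSPICIOUS_MARKERS), re.IGNORECASE)
# Assumed for this example: paths at which the application serves server functions.
RSC_PATHS = {"/", "/app"}

def is_rsc_bound(event):
    """Server functions are invoked with POST; Next.js marks them with a Next-Action request header.
    A POST carrying that header, or a POST to a known RSC path, is treated as RSC-bound."""
    if event.get("method") != "POST":
        return False
    headers = {k.lower() for k in event.get("headers", {})}
    return "next-action" in headers or event.get("path") in RSC_PATHS

def classify(event):
    """Return an alert dict for an RSC-bound POST whose body contains a suspicious marker, else None."""
    if not is_rsc_bound(event):
        return None
    hits = sorted({m.group(0).lower() for m in MARKER_RE.finditer(event.get("body", ""))})
    if not hits:
        return None
    # 'constructor' and 'prototype' also occur in benign input (e.g. a field named constructor_name);
    # review matches before turning this into a blocking rule.
    return {"src": event.get("src"), "path": event.get("path"), "status": event.get("status"), "markers": hits}

def scan_log(lines):
    """Parse one JSON object per line; malformed lines are skipped rather than aborting the scan."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed request-log lines carrying a body excerpt (field names are this example's own schema).
SAMPLE_LOG = [
    '{"src":"203.0.113.5","method":"GET","path":"/","headers":{},"body":"","status":200}',
    '{"src":"203.0.113.5","method":"POST","path":"/","headers":{"Next-Action":"abc123"},"body":"[{\\"name\\":\\"alice\\"}]","status":200}',
    '{"src":"198.51.100.7","method":"POST","path":"/","headers":{"Next-Action":"abc123"},"body":"{\\"__proto__\\":{\\"x\\":1}}","status":500}',
    '{"src":"192.0.2.9","method":"POST","path":"/api/login","headers":{},"body":"{\\"user\\":\\"constructor\\"}","status":401}',
    '{"src":"198.51.100.7","method":"POST","path":"/app","headers":{},"body":"...prototype...constructor...","status":500}',
    'not json at all',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

On the sample log only the two requests from 198.51.100.7 are reported; the login POST that merely contains the word "constructor" is not RSC-bound and is ignored.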

If you need assistance reviewing, implementing the mitigation & recommendations or would like to discuss these vulnerabilities in more detail, please let us know.

Security Advisory: Critical Fortinet Vulnerabilities Impacting Multiple Products (12/9):

Quest has been notified of a security advisory addressing critical vulnerabilities in Fortinet products. Fortinet has urgently patched vulnerabilities that could allow unauthenticated users to bypass SSO login authentication for FortiOS, FortiCloud, FortiWeb, FortiProxy, and FortiSwitchManager, granting admin-level privileges on impacted products listed in their Security Advisory.

Vendor: Fortinet (FortiCloud, FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager)

CVE(s): CVE-2025-59718, CVE-2025-59719

CVSS: 9.1 (Critical)

In the Wild: No (but exploitation is expected shortly)

Unauthenticated: Yes

Description: A vulnerability in the verification of cryptographic signatures in FortiOS may allow an unauthenticated attacker to bypass FortiOS FortiCloud SSO login authentication via a crafted SAML response message.

Impact: This vulnerability could enable attackers to gain admin-level privileges on affected systems.

Workarounds: Yes, temporary workarounds are available until upgrading to a non-affected version.

Link to source(s): Fortinet Security Advisory

Indicators of Compromise (IOC) available: No

Recommendation: Review the vendor advisory, confirm applicability, immediately apply the workaround, and update to a patched version as soon as possible.

If you need assistance reviewing or implementing the temporary workaround, patching impacted Fortinet products, or discussing these vulnerabilities in more detail, please reply to this email, and we will set up a call.

November 2025

Security Advisory: Critical Cisco Unified Contact Center Express Vulnerabilities (11/5):

Quest has been notified of a security advisory addressing critical vulnerabilities in Cisco Unified Contact Center Express (Unified CCX) products. Cisco has urgently patched vulnerabilities that could allow unauthenticated users to perform privilege-escalation exploits on impacted products listed in their Security Advisory.

Vendor: Cisco

CVE(s): CVE-2025-20354, CVE-2025-20358

CVSS: 9.8 (Critical)

In the wild: Cisco PSIRT is not aware of any public announcements or malicious use as of this posting.

Unauthenticated: Yes

Description: Cisco Unified Contact Center Express Remote Code Execution Vulnerabilities

Impact: A vulnerability in the Java Remote Method Invocation (RMI) process of Cisco Unified CCX could allow an unauthenticated, remote attacker to upload arbitrary files and execute arbitrary commands with root permissions on an affected system.

Workarounds: None

Link to source(s): https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ

Indicators of Compromise (IOC) available: No

Recommendation: Review the vendor advisory, confirm applicability, and apply updates as necessary.

If you need assistance reviewing and patching impacted Cisco Unified Contact Center Express (Unified CCX) products—or would like to discuss these vulnerabilities in more detail—please let us know, and we will set up a call.

October 2025

Security Advisory: Critical Vulnerabilities in Veeam Products (10/14):

Quest is reaching out to inform you of critical security vulnerabilities disclosed on October 14, 2025, affecting Veeam Backup & Replication and Veeam Agent for Microsoft Windows. These vulnerabilities may pose a significant risk to backup infrastructure if not addressed promptly.

Summary of Vulnerabilities:

  1. CVE-2025-48983 — Mount Service RCE vulnerability (affects domain-joined servers only)
    • Severity: Critical | CVSS v3.1: 9.9
    • Impact: Allows remote code execution (RCE) on backup infrastructure hosts by an authenticated domain user.
    • Affected versions: Veeam Backup & Replication 12.3.2.3617 and earlier v12 builds
    • Fixed in: Veeam Backup & Replication 12.3.2.4165 (Patch)
  2. CVE-2025-48984 — Backup Server RCE vulnerability (affects domain-joined servers only)
    • Severity: Critical | CVSS v3.1: 9.9
    • Impact: Allows RCE on the backup server by an authenticated domain user.
    • Affected versions: Veeam Backup & Replication 12.3.2.3617 and earlier v12 builds
    • Fixed in: Veeam Backup & Replication 12.3.2.4165 (Patch)
  3. CVE-2025-48982 — Local privilege escalation in Veeam Agent
    • Severity: High | CVSS v3.1: 7.3
    • Impact: Allows local privilege escalation if a system administrator restores a malicious file.
    • Affected versions: Veeam Agent for Microsoft Windows 6.3.2.1205 and earlier v6 builds
    • Fixed in: Veeam Agent for Microsoft Windows 6.3.2.1302

Recommended Actions:

  1. Patch immediately: Upgrade Veeam Backup & Replication to 12.3.2.4165 and Veeam Agent for Microsoft Windows to 6.3.2.1302 as soon as possible.
  2. Review deployment architecture: If you’re running VBR in a domain, review exposure and confirm hardening aligns with best practices. (Best-practice reference: https://bp.veeam.com/security/Design-and-implementation/Hardening/Workgroup_or_Domain.html#best-practice)
  3. Monitor systems: Ensure your infrastructure is monitored for any signs of compromise and follow your organization’s incident response procedures if needed.
  4. Details and downloads: See Veeam KB4771 (Veeam Software) for full details and download links.

Additional Notes:

  1. Unsupported product versions are likely vulnerable and should be considered at risk.
  2. The Veeam Software Appliance and the upcoming Veeam Backup & Replication v13 for Microsoft Windows are not impacted by these vulnerabilities due to architectural differences.

If you need assistance reviewing these vulnerabilities, assessing your environment, or completing a health check, please let us know.

Security Advisory: Immediate Critical Risk in MySonicWall Firewall Backups (10/9):

Quest has been notified of an updated security advisory addressing critical risks involving MySonicWall Cloud Backup files. SonicWall has completed its investigation and confirmed that all customers who used the company’s cloud backup service were affected by last month’s security breach. SonicWall is urging customers to reset their MySonicWall credentials (if they have not already) and implement the Remediation Playbook linked below.

SonicWall is recommending IMMEDIATE Mitigation Steps. We strongly urge all partners and customers using SonicWall firewalls to take the following actions immediately:

Confirm impacted device serial numbers
Knowledge base: https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330

  1. Log in to your MySonicWall.com account and verify whether cloud backups exist for your registered firewalls.
  2. Check whether impacted serial numbers are listed in your account. Upon login, navigate to Product Management | Issue List. Affected serial numbers will be flagged with details such as Friendly Name, Last Download Date, and Known Impacted Services.

Run the Remediation Playbook
The Playbook includes a SonicWall tool that analyzes the firewall configuration file and provides targeted remediation guidance.
Remediation Playbook: https://www.sonicwall.com/support/knowledge-base/remediation-playbook/250916130050523

Critical actions in the playbook include:

  1. Reset and update passwords for all local users.
  2. Reset temporary access codes (TOTP) for local users.
  3. Update passwords on LDAP, RADIUS, or TACACS+ servers.
  4. Update the shared secret in all IPsec site-to-site and GroupVPN policies.
  5. Update passwords used for any L2TP/PPPoE/PPTP WAN interfaces.
  6. Reset the Cloud Secure Edge (CSE) API key.

Additional high- and low-priority actions may be required; see the Remediation Playbook for details.

If you need assistance reviewing this situation or would like to discuss the risk in more detail, please contact our team.
