ZeroFox Daily Intelligence Brief - September 26, 2025

ZeroFox Daily Intelligence Brief - September 26, 2025

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

• Threat Actors Exploit AI Agent Weakness to Steal Data
• Cisco and CISA Issue Event Responses for Cisco Zero-Day Vulnerabilities
• Geopolitical Focus: Drones Disrupt Europe Airports, U.S. Sanctions Arms Traffickers, and More

Threat Actors Exploit AI Agent Weakness to Steal Data

Source: https://hackread.com/forcedleak-salesforce-agentforce-ai-agent-crm-data/

What we know: Threat actors have reportedly exploited a severe criticality flaw, dubbed ForcedLeak flaw, in AI-driven Salesforce Agentforce to leak sensitive customer relationship management (CRM) data. They have further abused an expired, but still trusted, Salesforce domain to exfiltrate the stolen data.

Context: ForcedLeak stems from indirect prompt injection in Agentforce, enabling attackers to trick AI agents into retrieving and transmitting private CRM data. The incident comes amid recent Salesforce attacks affecting multiple organizations in a supply chain campaign.

Analyst note: Given Salesforce’s central role in major company's enterprise operations, the stolen CRM data could be exploited to compromise downstream partners and facilitate further social engineering attacks across the supply chain. Strengthening AI-agent configurations are likely essential to prevent recurring ForcedLeak-style attacks.

Cisco and CISA Issue Event Responses for Cisco Zero-Day Vulnerabilities

Source: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks

What we know: Both Cisco and CISA have released advisories in response to active exploitation of zero-day vulnerabilities in Cisco ASA and Firepower devices. CISA’s Emergency Directive 25-03 requires federal agencies to identify affected devices, collect forensic data, and patch or disconnect them immediately.

Context: Cisco has dedicated a specialized, full-time team to this investigation, working closely with a limited set of affected customers. The exploited bugs can enable threat actors to deploy remote code execution and malware, putting critical federal networks at risk.

Analyst note: If agencies or organizations do not implement the mitigation measures listed in Cisco’s advisories (CVE-2025-20333 advisory and CVE-2025-20362 advisory) and CISA’s directive, attackers could maintain long-term access, exfiltrate sensitive data, or disrupt operations. Delayed mitigation will likely increase the chances of widespread breaches, operational disruptions, and risks for government operations and public services.

Geopolitical Focus: Drones Disrupt Europe Airports, U.S. Sanctions Arms Traffickers, and More

• Between September 22 and September 25, 2025, drone sightings near airports in Denmark and Norway resulted in the closure of multiple airports, flight cancellations, delays, and diversions. ZeroFox assesses that the incidents very likely indicate Europe’s growing vulnerability to airspace intrusions stemming from Russia–Ukraine conflict, although direct links to Russia remain unconfirmed. This is likely to strain the air travel and air cargo sectors due to an uncertain environment.
• The U.S. Treasury has sanctioned five individuals and one entity involved in generating illicit revenue for North Korean government’s weapons and ballistic missile programs by facilitating arms sales to Burma’s military regime.
• On September 25, 2025, U.S. President Donald Trump said that he will not allow Israel to annex the West Bank, addressing the issue after a phone call with Israeli Prime Minister Benjamin Netanyahu.
• Satellite imagery suggests that Iran allegedly carried out a missile test at its Imam Khomeini Spaceport. Although Tehran has not confirmed the test, the development comes as Iran rebuilds missile infrastructure damaged by Israel in the 12-day war in June 2025.
• Tropical Storm Bualoi hit the Philippines on September 26, killing at least four people and forcing over 433,000 to evacuate due to flooding and landslide threats. Bualoi follows Typhoon Ragasa, which struck the Philippines, Taiwan, China, and Vietnam, causing multiple fatalities.

DEEP AND DARK WEB INTELLIGENCE

DarkForums user Shin0bi: A threat actor, named "Shin0bi," has claimed to leak 6.3 million records associated with Bouygues Telecom, which reportedly contains names, addresses, dates of birth, phone numbers, email addresses, and banking details. ZeroFox analysts note the data samples Shin0bi posted bear similarities with samples shared previously on other forums, like LeakBase and DarkForums, indicating that Shin0bi has likely recycled and combined data from older leaks.

VULNERABILITY AND EXPLOIT INTELLIGENCE

CVE-2025-10879 and CVE-2025-10880: The Dingtian DT-R002 relay board vulnerabilities reportedly could enable attackers to remotely retrieve usernames and proprietary protocol passwords without authentication. Threat actors could exploit these vulnerabilities to compromise sensitive credentials in critical manufacturing environments. CISA has released an ICS advisory addressing these two bugs.

Affected products: All versions of Dingtian DT-R002