Fail-Safe Friday - Executive Action Brief

January 09, 2026

In the last 48 hours, four items should drive your weekend posture: CISA’s KEV added Microsoft Office PowerPoint (legacy but now actively exploited) and HPE OneView (CVSS 10) to the exploited list; Veeam Backup & Replication shipped a critical RCE fix; Cisco ISE released patches following a public PoC.

Priorities: close KEV gaps with evidence, patch backup/infra managers before change freezes, and treat identity & licensing planes (ISE) as privileged attack paths.

📊 Executive Threat Heatmap 📊

Top-level takeaways this week:

  • Exploit & Zero-Day Velocity ↑ — KEV additions compress deadlines across end-user apps and infra managers.

  • Infrastructure & Tooling Risk ↑ — Veeam and OneView highlight “platform-of-platforms” exposure.

  • Identity/Access Plane Risk ↑ — Cisco ISE parsing flaw + public PoC increases admin-tier data exposure risk.

🚨 Late-Breaking Threats (last 7-10 days) 🚨

1) CISA KEV additions: Microsoft Office & HPE OneView – High

What changed: CISA added two exploited flaws to KEV; coverage names Microsoft Office PowerPoint CVE-2009-0556 and HPE OneView CVE-2025-37164 with a Jan 28, 2026 remediation deadline for U.S. federal agencies.

Why this matters: KEV = proven exploitation. OneView is infra-wide blast radius; Office files remain ubiquitous delivery vehicles.

2) Veeam Backup & Replication critical RCE – High

What changed: Vendor pushed fixes for Veeam Backup & Replication RCE (CVSS 9.0) and related bugs; affects 13.0.1.180 and earlier, fixed in 13.0.1.1071.

Why this matters: Backup platforms hold keys, tokens, and data snapshots; compromise enables stealthy restore-time implants and ransomware leverage.

3) Cisco ISE / ISE-PIC XML parsing flaw with public PoC – Medium-High

What changed: Cisco issued patches after a public PoC for a Cisco ISE file-read issue in the web management interface; additional Snort 3 issues were also fixed.

Why this matters: ISE sits next to identity and network-access policy; file-read + admin context risks credential leakage and rule manipulation.

4) Microsoft warns on misconfigured email routing – Medium-High

What changed: Microsoft reported surging campaigns abusing routing gaps; misconfigured email routing lets actors spoof “internal” mail, often tied to Tycoon 2FA PhaaS.

Why this matters: Trust abuse at the mail layer drives credential theft and BEC, especially for executives and finance workflows.

🛠️ Pattern & TTP Summary 🛠️
(SharePoint/edge → extortion)

| Stage | Vector / System | What We’re Seeing |
| --- | --- | --- |
| Initial Access | Office lure → code exec; spoofed internal mail | KEV Office CVE + internal-looking phishing to harvest creds and land early. |
| Privilege & Persistence | Infra/backup control planes | OneView and Veeam fixes point to high-impact admin tiers targeted for long-term control. |
| Impact | Data exfil, encryption leverage, policy tamper | Backup theft, restore manipulation, and NAC/ISE rule drift to hide movement. |

✅ Fail-Safe Checklist (before COB) ✅

🔄 Patch & Hardening

  • KEV closure: Track Office PPT CVE-2009-0556 and OneView CVE-2025-37164 to attested closure; capture screenshots/version strings; scope exceptions by business risk.

  • Veeam: Upgrade to 13.0.1.1071; restrict console/API to admin VLANs/JIT; rotate Veeam service creds and API tokens; verify immutability settings.

  • Cisco ISE: Apply fixed patch train (3.2 P8 / 3.3 P8 / 3.4 P4); disable unused connectors; enforce RBAC and strong admin auth; forward ISE logs to SIEM.

  • Email routing: Enforce DMARC reject, SPF hard-fail, and tightened connectors; avoid third-party MX hairpins unless strictly required.
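One way to turn the Veeam and ISE items above into closure evidence, as an added example that is not part of the original brief: it grades a constructed inventory against the fixed builds named here and compares build numbers as integers, since a plain string comparison ranks 13.0.1.180 above 13.0.1.1071. The inventory format, hostnames and the REVIEW status for versions the brief does not cover are assumptions.

```python
import re

VEEAM_FIXED = (13, 0, 1, 1071)                     # fixed build named in this brief
ISE_FIXED_PATCH = {"3.2": 8, "3.3": 8, "3.4": 4}   # release -> minimum patch, from this brief

def parse_build(text):
    """'13.0.1.180' -> (13, 0, 1, 180); compare as integers, never as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def veeam_status(version):
    build = parse_build(version)
    if build[0] != VEEAM_FIXED[0]:
        return "REVIEW"   # assumption: other major lines are checked against the vendor advisory
    return "CLOSED" if build >= VEEAM_FIXED else "OPEN"

def ise_status(version):
    """Accepts strings such as '3.3 P8' or '3.4 patch 2' (input format is an assumption)."""
    m = re.fullmatch(r"\s*(\d+\.\d+)(?:\s*(?:P|patch)\s*(\d+))?\s*", version, re.I)
    if not m or m.group(1) not in ISE_FIXED_PATCH:
        return "REVIEW"   # release not listed in the brief, or unparseable string
    patch = int(m.group(2) or 0)
    return "CLOSED" if patch >= ISE_FIXED_PATCH[m.group(1)] else "OPEN"

CHECKS = {"veeam": veeam_status, "ise": ise_status}

def attest(inventory):
    """Return one evidence row per asset: (host, product, version, status)."""
    rows = []
    for host, product, version in inventory:
        try:
            status = CHECKS[product](version)
        except (KeyError, ValueError):
            status = "REVIEW"   # unknown product or malformed version
        rows.append((host, product, version, status))
    return rows

# Constructed inventory: hostnames and versions are sample data.
SAMPLE = [
    ("bkp-01", "veeam", "13.0.1.180"),
    ("bkp-02", "veeam", "13.0.1.1071"),
    ("bkp-03", "veeam", "12.0.0.1"),
    ("ise-01", "ise", "3.3 P8"),
    ("ise-02", "ise", "3.4 patch 2"),
    ("ise-03", "ise", "3.1 P9"),
]

if __name__ == "__main__":
    for row in attest(SAMPLE):
        print("%-8s %-6s %-14s %s" % row)
```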

🧑‍💻 People & Monitoring

  • Mail/Identity: Alert on same-sender/recipient internal lookalikes; spikes in OAuth consent or MFA fatigue post-phish.

  • Veeam: Detect job/repo changes, new backup targets, restore/export actions out of change windows; watch shell spawns from Veeam services.

  • OneView/ISE: Monitor admin logins from rare ASNs; config/profile changes; unusual API calls; sudden policy/segment updates.

📋 Process

  • Change freeze on backup/infra managers unless CISO-approved; require dual-control for restores and policy pushes.

  • Tabletop (30 min): “Office lure → mailbox phish → Veeam pivot → data wipe/restore manipulation.”

🤝 Partners

  • MSPs: attest Veeam build & immutability; provide privileged account list and last-login evidence.

  • Platform teams: provide OneView patch attestation and RBAC review; export policy diffs for ISE since Dec 20.

🕵️ Detection Opportunities 🕵️

Office exploit trail: New PowerPoint launches spawning non-Office processes; ASR hits on script interpreters; AMSI “macro-like” strings.

Internal-domain phishing: Messages with identical From/To domains via third-party MX; URLs resolving to AiTM kits; rapid failed-then-successful MFA attempts.

Veeam abuse: Creation of new “Backup/Tape Operator” users; repo path changes; restore/export spikes to non-standard shares.

ISE drift: File read errors in logs; unexpected XML uploads to admin UI; NAC policy deltas without CAB records.
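The internal-domain phishing check above, sketched as an added example that is not part of the original brief: it flags mail whose From and To share one of your own domains but whose Received chain names a host outside your relays, and appends any SPF or DMARC verdict other than pass. The domain corp.example, the relay suffix and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

OWN_DOMAINS = {"corp.example"}     # assumption: your accepted mail domains
OWN_RELAYS = (".corp.example",)    # assumption: hostname suffixes of your own mail hosts

def _domain(addr):
    return addr.rpartition("@")[2].lower()

def external_hops(msg):
    """Hosts in 'Received: from <host>' lines that are not our own relays, newest first."""
    hops = []
    for header in msg.get_all("Received", []):
        m = re.match(r"\s*from\s+([^\s(;]+)", header, re.I)
        if m and not m.group(1).lower().endswith(OWN_RELAYS):
            hops.append(m.group(1).lower())
    return hops

def auth_results(msg):
    """spf/dkim/dmarc verdicts from the topmost Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}

def assess(raw):
    """Return a list of alert reasons; an empty list means no alert."""
    msg = message_from_string(raw)
    sender = _domain(parseaddr(msg.get("From", ""))[1])
    rcpts = {_domain(a) for _, a in getaddresses(msg.get_all("To", []))}
    hops = external_hops(msg)
    if sender not in OWN_DOMAINS or sender not in rcpts or not hops:
        return []                  # not internal-looking, or never left our own relays
    auth = auth_results(msg)
    reasons = ["internal From/To arrived via " + hops[0]]
    reasons += [f"{m}={auth.get(m, 'missing')}" for m in ("spf", "dmarc") if auth.get(m) != "pass"]
    return reasons

# Constructed sample messages (all hosts and addresses are made up).
SPOOFED = (
    "Received: from mx.thirdparty.example by inbound.corp.example; Fri, 09 Jan 2026 10:00:00 +0000\n"
    "Authentication-Results: inbound.corp.example; spf=fail; dmarc=fail header.from=corp.example\n"
    "From: Payroll <payroll@corp.example>\nTo: cfo@corp.example\nSubject: test\n\nbody\n")
INTERNAL = (
    "Received: from mbx01.corp.example by hub.corp.example; Fri, 09 Jan 2026 10:05:00 +0000\n"
    "From: hr@corp.example\nTo: cfo@corp.example\nSubject: test\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("internal", INTERNAL)):
        print(name, assess(raw))
```

The host in a Received line is claimed by the sending server, so in production match on the connecting IP your border recorded and read only the Authentication-Results header stamped by your own gateway.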

📈 Risk Outlook 📈

Overall: High for backup/infra-plane compromise and email trust abuse; Medium-High for NAC/ISE policy tampering where patching lags or admin exposure persists.

📌 Key Leadership Takeaways 📌

KEV means “already weaponized.” Close it with proof, not promises.

Backups are bargaining chips. Secure Veeam like a domain controller—segmentation, least-privilege, immutability.

Identity edges matter. ISE and mail routing missteps hand attackers policy-level power.

📋 Immediate Leadership Checklist 📋

🔄 Verify: KEV status for Office/OneView closed or time-boxed with exceptions and mitigations.

📊 Validate: Veeam upgraded; immutability on; service creds rotated; admin access reviewed.

💼 Confirm: Cisco ISE patch level and admin exposure; logs centralized; RBAC re-attested.

🔹 Double-check: Monday tabletop—“Internal-looking phish → credential theft → Veeam takeover → restore-path abuse.”

Final Insight: If you harden nothing else today, close KEV, lock backups, and fix your mail and NAC edges… because attackers don’t need novelty when our foundations are familiar and exposed.
