Cyber Threat Intelligence Report | 6/30/2025 | PacketWatch

Written by The PacketWatch Intelligence Team | June 30, 2025

This week, we briefed our clients on FileFix, a tactic that tricks users into executing malicious code on their system by way of File Explorer, a tool far more familiar to them than a terminal.

 

KEY TAKEAWAYS

  • New alternative to popular ClickFix technique discovered: FileFix. Learn how it works and how to protect your organization.

  • What to know about the cyber risks from the Iran conflict.

  • Critical and high severity vulnerabilities in Citrix, Cisco, Brother Printers, WinRAR, and TeamViewer, plus updates to CISA KEV, patch now!


 

New ClickFix Alternative - FileFix

ClickFix campaigns are one of the most common drive-by infection methods used by threat actors today. PacketWatch Threat Intelligence has reported on these campaigns multiple times throughout 2025. One of the biggest reasons for ClickFix's widespread adoption is its effectiveness. With just a few quick and simple actions, the threat actor can trick the victim into downloading and executing malicious code. Security researcher 'mrd0x' disclosed a new ClickFix alternative method they call FileFix.

Instead of prompting the victim with an error message or fake CAPTCHA that tricks the user into opening a Windows Terminal and executing code, the victim is shown a lure claiming that a new file has been shared with them. The victim is instructed to open File Explorer, a utility typically far more familiar to the average user than the Windows Terminal, and then to press 'CTRL + L', which selects the File Explorer address bar. The lure page includes an "Open File Explorer" button that opens File Explorer but also copies a PowerShell command to the clipboard.

 

Fig 1: FileFix Lure Prompt | Source: mrd0x

 

The victim is then instructed to paste the "file path" into the address bar and press 'Enter'. When the victim does this, the hidden PowerShell command is pasted into the address bar and executed. Because Windows allows commands to be run from the File Explorer address bar, the net result is the same as if the command had been entered into a command prompt.

 

Fig. 2: File Explorer Running OS Commands | Source: mrd0x

 

How to Protect Your Organization

This technique has a very high likelihood of being adopted and abused by cybercriminals, so it is critically important to educate end users on how the attack works. User awareness training is one of the best defenses against this style of attack. A fully up-to-date EDR solution deployed to every endpoint will also help detect and prevent any malicious payload that this attack successfully downloads. The same EDR tools can be used to monitor web browsers for suspicious child processes, such as cmd.exe, powershell.exe, or mshta.exe.
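The browser-to-shell monitoring described above can be expressed as a simple triage rule over process-creation telemetry. The script below is an added example written for this report, not PacketWatch's or any vendor's code; the log records are constructed to resemble Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) and are not real telemetry, and the browser and child-process name lists are assumptions you would tune to your environment.

```python
import json

# Assumed lists of browser executables and of child processes that a browser
# should not normally spawn; extend both for your environment.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Constructed sample log lines (JSON, one record per line) in a Sysmon
# Event ID 1-like shape. Command lines are placeholders, not real payloads.
SAMPLE_LOG = r"""
{"ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -c <constructed placeholder>"}
{"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
{"ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "msedge.exe --type=renderer"}
{"ParentImage": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe <constructed placeholder>"}
{"ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "chrome.exe --type=utility"}
"""


def parse_log(text: str) -> list:
    """Parse JSON-lines process-creation records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_browser_spawned_shell(event: dict) -> bool:
    """True when a browser process is the direct parent of a scripting host or shell."""
    return (basename(event["ParentImage"]) in BROWSERS
            and basename(event["Image"]) in SUSPICIOUS_CHILDREN)


def triage(events: list) -> list:
    """Return 'parent -> child' strings for every event matching the rule."""
    return [f"{basename(e['ParentImage'])} -> {basename(e['Image'])}"
            for e in events if is_browser_spawned_shell(e)]


if __name__ == "__main__":
    for hit in triage(parse_log(SAMPLE_LOG)):
        print("ALERT: browser spawned shell:", hit)
```

Run as a script it prints one alert line per matching record; in production the same predicate would sit in the EDR or SIEM rule that consumes the process-creation feed, where the command line of the flagged child is what the analyst reviews next.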

 


The Israel/Iran Conflict - Cyber Risks

On June 22, 2025, the Department of Homeland Security issued a National Terrorism Advisory Bulletin regarding the conflict in Iran. The bulletin states that the conflict is causing a "heightened threat environment" in the United States, mostly due to the increased likelihood of "low-level" cyber attacks against U.S. networks by pro-Iranian hacktivists. Per the bulletin, both hacktivists and Iranian government-affiliated threat actors will routinely target "poorly secured U.S. networks and internet-connected devices for disruptive cyber attacks". 

 

How to Protect Your Organization

As the bulletin states, hacktivists tend to target "poorly secured networks", i.e., low-hanging fruit. These targets tend to be unpatched or end-of-life systems, default configurations or misconfigurations, unmanaged assets, and insecure ports/protocols. The best defense against this type of threat actor is good cyber hygiene. Ensure all edge devices are fully patched. Replace all internet-facing end-of-life network devices with supported hardware. Ensure that only the ports and services absolutely necessary for the business are exposed. Use multi-factor authentication on every account wherever possible. Disable default accounts and enforce strong passwords, especially for privileged accounts. Don't be the low-hanging fruit.

 


Vulnerability Roundup

 

"CitrixBleed 2"

Last week, Citrix disclosed a critical out-of-bounds memory read vulnerability in its NetScaler ADC and NetScaler Gateway devices, tracked as CVE-2025-5777. Successful exploitation allows unauthenticated attackers to read session tokens, credentials, and other sensitive data from these devices. Leaked session tokens can then be used to hijack user sessions, bypassing multi-factor authentication (MFA). The vulnerability and its circumstances closely resemble CVE-2023-4966, known as "Citrix Bleed".

This flaw, along with another high-severity improper access control flaw tracked as CVE-2025-5349, affects the following products and versions:

  • NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-43.56
  • NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-58.32
  • NetScaler ADC 13.1-FIPS and NDcPP before 13.1-37.235-FIPS and NDcPP
  • NetScaler ADC 12.1-FIPS before 12.1-55.328-FIPS

It should be noted that versions 12.1 and 13.0 are end-of-life. Citrix recommends customers upgrade appliances to supported versions. Additionally, after patches have been applied, Citrix recommends running the following commands to terminate all active ICA and PCoIP sessions:

  • kill icaconnection -all
  • kill pcoipConnection -all

Administrators are strongly urged to patch as soon as possible as this vulnerability is under active exploitation. 
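When triaging a fleet of appliances against the affected-version list above, the branch, build number and FIPS flavour all have to be compared separately; a plain string comparison gets this wrong. The function below is an added example written for this report (not Citrix's tooling) that encodes the fixed builds and end-of-life branches exactly as stated above. It assumes NetScaler version strings of the form "14.1-43.56" or "13.1-37.235-FIPS"; treating an "NDcPP" suffix the same as "FIPS" is an assumption based on the advisory listing them together.

```python
# Fixed builds per (branch, flavour), taken from the advisory summary above.
FIXED_BUILDS = {
    ("14.1", ""): (43, 56),
    ("13.1", ""): (58, 32),
    ("13.1", "FIPS"): (37, 235),   # assumption: NDcPP builds share this threshold
    ("12.1", "FIPS"): (55, 328),
}

# Branches the vendor lists as end-of-life (no fix; upgrade the appliance).
EOL_BRANCHES = {"12.1", "13.0"}

VULNERABLE = "vulnerable: upgrade, then kill icaconnection -all / kill pcoipConnection -all"
PATCHED = "patched"
EOL = "end-of-life: upgrade to a supported branch"
UNKNOWN = "unknown branch or flavour: check the Citrix advisory"


def parse_version(version: str) -> tuple:
    """Split '13.1-37.235-FIPS' into ('13.1', (37, 235), 'FIPS')."""
    parts = version.strip().split("-")
    if len(parts) < 2:
        raise ValueError(f"unrecognised NetScaler version string: {version!r}")
    branch = parts[0]
    build = tuple(int(x) for x in parts[1].split("."))
    flavour = parts[2].upper() if len(parts) > 2 else ""
    # Assumption: NDcPP builds are tracked against the FIPS threshold.
    if flavour == "NDCPP":
        flavour = "FIPS"
    return branch, build, flavour


def assess(version: str) -> str:
    """Classify one appliance version against the advisory."""
    branch, build, flavour = parse_version(version)
    # Non-FIPS 12.1 and 13.0 have no fixed build; 12.1-FIPS does.
    if branch in EOL_BRANCHES and flavour == "":
        return EOL
    threshold = FIXED_BUILDS.get((branch, flavour))
    if threshold is None:
        return UNKNOWN
    # Tuple comparison orders (major, minor) build numbers numerically.
    return VULNERABLE if build < threshold else PATCHED


def assess_fleet(versions: list) -> dict:
    """Map each version string in an inventory to its assessment."""
    return {v: assess(v) for v in versions}


if __name__ == "__main__":
    # Constructed inventory, not real appliance data.
    for v, verdict in assess_fleet(["14.1-43.50", "13.1-58.32", "13.0-92.21",
                                    "13.1-37.200-FIPS"]).items():
        print(f"{v:22} {verdict}")
```

Note that the verdict for a vulnerable appliance deliberately includes the session-termination step: patching alone does not invalidate tokens that may already have been leaked.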

Maximum-Severity Vulnerabilities in Cisco ISE & ISE-PIC

Cisco has disclosed two maximum-severity vulnerabilities in its Identity Services Engine (ISE) and ISE Passive Identity Connector (ISE-PIC) products. The first, tracked as CVE-2025-20281, is an unauthenticated remote code execution (RCE) flaw that allows a remote attacker to run arbitrary code as root. It affects ISE and ISE-PIC versions 3.3 and later, regardless of device configuration. The second, tracked as CVE-2025-20282, is another RCE vulnerability that allows unauthenticated remote attackers to upload arbitrary files and execute them on the system as root. It affects ISE and ISE-PIC version 3.4, regardless of device configuration. Administrators are urged to patch as soon as possible. Fixed release details can be found on the Cisco support page here.

 

Multiple Vulnerabilities in Brother Printers

Researchers at Rapid7 disclosed 8 new vulnerabilities affecting 689 models of Brother printer, scanner, and label maker devices. Per their research, the same vulnerabilities also affect multiple printer models from FUJIFILM, Ricoh, Toshiba, and Konica Minolta. The most severe of the set is CVE-2025-51978, classified as an authentication bypass: Rapid7 uncovered the procedure that generates the default administrative password, which is derived from each device's unique serial number. A separate vulnerability, tracked as CVE-2025-51977, allows an unauthenticated attacker to leak the serial number along with other sensitive information. With the serial number in hand, an attacker can derive the device's default administrator password. Because network devices such as printers do not run EDR tools and are typically not monitored for security, threat actors can use them to maintain persistence and pivot through the network.

Seven of the 8 vulnerabilities can be remediated by updating the device's firmware. CVE-2025-51978, however, can only be addressed in the hardware manufacturing process, so all models made before the vulnerability was discovered will remain vulnerable. As a workaround, administrators need to change the default administrator password on these devices. Administrators should also ensure that printers' admin interfaces are not exposed to external networks. A full list of affected Brother devices can be found here.

 

High-severity Vulnerability in Windows WinRAR

A new directory traversal vulnerability in WinRAR was disclosed by the Zero Day Initiative. The vulnerability, tracked as CVE-2025-6218, allows a malicious archive to "silently" extract files into system directories or into auto-run and startup folders. Files planted this way launch automatically the next time the victim logs into Windows. The vulnerability affects only the Windows version of WinRAR, versions 7.11 and older. Administrators are urged to update WinRAR to version 7.12 or higher.
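The defensive counterpart to an archive-traversal bug is to validate every entry name before extraction and refuse any that would resolve outside the destination directory. The script below is an added example written for this report, not WinRAR's or ZDI's code; it uses Python's standard zipfile module rather than the RAR format, because the check is the same for any archive format that stores member paths, and generalises the point above to absolute paths and drive letters as well as ".." segments. The archive it inspects is constructed in memory with deliberately bad entry names, and the destination path is an assumption.

```python
import io
import posixpath
import zipfile

# Assumed extraction destination; any member that resolves outside it is rejected.
DEST = "/tmp/extract"


def member_is_safe(name: str, dest: str = DEST) -> bool:
    """True only if the archive member `name` would land inside `dest`."""
    # Archive entries may use either separator; normalise to '/'.
    norm = name.replace("\\", "/")
    # Absolute paths and Windows drive letters escape the destination outright.
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return False
    # Resolve '..' segments, then require the result to stay under dest.
    target = posixpath.normpath(posixpath.join(dest, norm))
    return target == dest or target.startswith(dest.rstrip("/") + "/")


def unsafe_members(archive_bytes: bytes) -> list:
    """Return the names of all members that fail the safety check."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if not member_is_safe(n)]


def build_sample_archive() -> bytes:
    """Build a constructed test archive containing benign and traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "constructed benign file")
        zf.writestr("docs/../notes.txt", "constructed, resolves inside dest")
        zf.writestr("../../Startup/update.lnk", "constructed traversal entry")
        zf.writestr("C:/Windows/Tasks/job.bat", "constructed absolute-path entry")
    return buf.getvalue()


def audit_sample_archive() -> list:
    """Run the check over the constructed archive and return the rejected names."""
    return unsafe_members(build_sample_archive())


if __name__ == "__main__":
    for name in audit_sample_archive():
        print("REJECT:", name)
```

An extractor that applies this check before writing each member never creates a file outside the chosen directory, whichever folder an entry name points at; the check is cheap enough to run on every archive that passes through a mail gateway or download scanner.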

 

Privilege Escalation Flaw in TeamViewer

TeamViewer recently disclosed a high-severity privilege escalation vulnerability, tracked as CVE-2025-36537. The flaw allows an attacker with local unprivileged access to delete files with SYSTEM privileges, potentially leading to a general escalation of privileges. Affected products include "TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior to version 15.67". The vendor also notes that devices running TeamViewer without the Remote Management features Backup, Monitoring, or Patch Management are not affected. For a full listing of affected products and versions, see the disclosure page here. Administrators are encouraged to update to version 15.67 or higher as soon as possible.

  • https://www.teamviewer.com/en-us/resources/trust-center/security-bulletins/tv-2025-1002/

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last 2 weeks:

  • CVE-2024-54085 - AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
  • CVE-2024-0769 - D-Link DIR-859 Router Path Traversal Vulnerability
  • CVE-2019-6693 - Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability
  • CVE-2023-0386 - Linux Kernel Improper Ownership Management Vulnerability
  • CVE-2025-43200 - Apple Multiple Products Unspecified Vulnerability
  • CVE-2023-33538 - TP-Link Multiple Routers Command Injection Vulnerability

 

 

 

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.


NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.