{"id":18878,"date":"2026-01-17T11:23:41","date_gmt":"2026-01-17T11:23:41","guid":{"rendered":"https:\/\/sekuritasit.com\/?p=18878"},"modified":"2026-01-17T11:23:41","modified_gmt":"2026-01-17T11:23:41","slug":"uat-8837-critical-infrastructure-attack","status":"publish","type":"post","link":"https:\/\/sekuritasit.com\/index.php\/2026\/01\/17\/uat-8837-critical-infrastructure-attack\/","title":{"rendered":"UAT-8837 Critical Infrastructure Attack"},"content":{"rendered":"\n\n\n\n <\/colgroup>\n\n\n\n\n
\n

\n What is the Attack?\n <\/p>\n<\/td>\n

\n

\n An active campaign has been linked, with medium confidence, to a threat actor designated UAT-8837, which Cisco Talos assesses as a China-nexus group targeting critical infrastructure organizations in North America. Observed activity includes targeted intrusions aimed at gaining initial access, credential harvesting, and internal reconnaissance.<\/p>\n

UAT-8837 primarily gains initial access by exploiting public-facing application vulnerabilities, including both known n-day flaws and previously undisclosed zero-day vulnerabilities. In recent activity, the actor exploited CVE-2025-53690, a ViewState deserialization zero-day vulnerability in Sitecore products, indicating access to advanced exploitation capabilities and potential use of zero-day exploits.<\/p>\n

Sitecore is a widely used digital experience platform (DXP) that provides content management, personalization and e-commerce capabilities for enterprises. The flaw enables preauthentication remote code execution (RCE) against internet-facing Sitecore deployments.\n <\/p>\n<\/td>\n<\/tr>\n

\n

\n What is the recommended Mitigation?\n <\/p>\n<\/td>\n

\n

\n \u2022 Organizations should immediately patch and remediate all exposed public-facing applications, with priority given to Sitecore deployments affected by CVE-2025-53690.
\n
\n Security Bulletin SC2025-005
\n <\/a>
\n
\n \u2022 Defensive teams should monitor for post-exploitation activity consistent with UAT-8837 behavior.\n <\/p>\n<\/td>\n<\/tr>\n

\n

\n What FortiGuard Coverage is available?\n <\/p>\n<\/td>\n

\n

\n \u2022 FortiGuard Labs is actively monitoring this threat activity and will continue to provide updates as the situation evolves, including new intelligence, indicators, and protection guidance.
\n
\n \u2022 FortiGuard Antivirus & Behavior Detection: Delivers protection against known malware and uses advanced behavioral analysis to detect and block unknown threats.
\n
\n \u2022 Indicators of Compromise (IOCs) Service: FortiGuard Labs has blocked all known linked Indicators of Compromise (IOCs), and the team is continuously monitoring for emerging threats and new IOCs.
\n
\n \u2022 FortiGuard Incident Response: Organizations suspecting a compromise can contact the FortiGuard Incident Response team for rapid investigation and remediation support.\n <\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Read More<\/a>\u00a0<\/p>","protected":false},"excerpt":{"rendered":"

What is the Attack? An active campaign has been linked, with medium confidence, to a threat actor designated UAT-8837, which Cisco Talos assesses as a China-nexus group targeting critical infrastructure organizations in North America. Observed activity includes targeted intrusions aimed at gaining initial access, credential harvesting, and internal reconnaissance. UAT-8837 primarily gains initial access by […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-18878","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t