Narnaiezzsshaa Truong

The Descent Through the Trust Stack

Five CVEs. Not a list. A migration path. How breaches move downward through trust layers—and why your SOC never sees it.


A 2025 Breach Scenario Reconstructed from Pattern-True Artifacts

You've seen the infographic. Five green boxes. "Top 10 Critical Vulnerabilities Actively Exploited in 2025." Swipe right.

Citrix NetScaler. FortiWeb. SharePoint. Oracle EBS. React2Shell.

Most people see a patch checklist. I see a descent.


The Shape No One Recognizes

A mid-market enterprise gets breached. Five CVEs exploited in sequence. Security calls it opportunistic scanning. Engineering calls it a patch-management failure. Compliance calls it an audit gap.

None of them recognize the shape.

The attacker isn't moving laterally. They're moving downward—through the organization's trust stack—inheriting each layer's authority as they go.

The artifacts aren't a list. They're a migration path.


The Actors

The Organization—A typical hybrid enterprise with a hardened perimeter, fragmented identity, and legacy ERP integrations.

The Adversary—Not a "sophisticated actor," but one who understands trust physics better than the defenders.

The Systems—Edge appliances, collaboration platforms, ERP, and modern web stacks. Each layer believes its own trust model is correct.


Trigger Event

A memory-corruption RCE in the Citrix NetScaler ADC/Gateway (CVE-2025-7775) is exploited. The SOC sees anomalous traffic but classifies it as credential-stuffing noise.

The attacker is now running code inside the device that decides who gets in.

The breach has already passed the point where traditional detection makes sense.


The Descent

Step 1—Perimeter Identity Gate (Citrix NetScaler)

The attacker compromises the system that adjudicates identity.
Inherited authority: entry.

The organization believes the perimeter is intact because the logs still show "successful authentication." They're correct. The authentication was successful—for the attacker.


Step 2—Perimeter Logic Layer (FortiWeb WAF)

The attacker uses a path traversal and authentication bypass (CVE-2025-64446) to impersonate an administrator.
Inherited authority: policy.

The WAF now enforces the attacker's decisions. Security believes the WAF is blocking malicious traffic. It is—except the malicious traffic the attacker has reclassified as safe.


Step 3—Collaboration Layer (SharePoint ToolShell)

The attacker executes RCE in SharePoint (CVE-2025-53770).
Inherited authority: social trust.

SharePoint treats the attacker as an internal contributor. Documents are exfiltrated not through data theft, but through normal collaboration flows. No DLP triggers. No anomalies. The attacker is behaving exactly like a trusted colleague.


Step 4—Operational Core (Oracle EBS BI Publisher)

The attacker reaches ERP (CVE-2025-61882).
Inherited authority: operational control.

They don't steal financial data. They alter a single integration parameter that changes how invoices are routed. The business experiences a vendor payment delay. Finance opens a ticket with IT. IT blames the integration team.

The attacker now controls the business logic.


Step 5—Application Substrate (React2Shell / RSC)

The attacker exploits React Server Components deserialization (CVE-2025-55182).
Inherited authority: interpretive authority.

The application layer—the system that interprets user intent—now executes attacker payloads as if they were legitimate requests. From the outside, the system behaves normally. From the inside, the substrate is compromised.

At this point, the breach is not in progress. It is complete.


Discovery

The breach is discovered not through detection but through contradiction.

Finance reports inconsistent invoice routing. Engineering sees unexplained RSC crashes. Security sees clean WAF logs that don't match network telemetry. Identity sees no failed logins.

Each team sees a different symptom. None see the pattern.

The breach is finally recognized when an external auditor notices that the ERP's integration logs contain timestamps that don't align with the application's request logs—a temporal inconsistency that cannot occur unless the trust stack has been compromised.
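The contradiction the auditor stumbles on is, in defensive terms, a cross-layer correlation check: every change the ERP integration layer records should trace back to a request the application layer saw moments earlier, and a change with no such origin is the anomaly none of the single-layer teams can see. The following Python is an added example, not code from the original post; the log formats, field names, paths and the 5-second window are constructed assumptions chosen to illustrate the check.

```python
"""Cross-layer temporal correlation: flag ERP integration changes that have
no originating application request within a short preceding window.

Added example, not code from the original post. Log formats, field names,
paths and the window size are constructed assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample lines: ERP integration log (what the integration team sees).
ERP_LOG = """\
2025-09-14T02:13:07Z layer=erp event=integration_param_change param=invoice_route_target actor=svc_bi_publisher
2025-09-14T02:41:52Z layer=erp event=integration_param_change param=invoice_route_target actor=svc_bi_publisher
2025-09-14T09:05:30Z layer=erp event=integration_param_change param=vendor_terms actor=svc_bi_publisher
"""

# Constructed sample lines: application request log (what engineering sees).
APP_LOG = """\
2025-09-14T02:13:05Z layer=app event=request method=POST path=/integrations/invoice-routing session=s-4471
2025-09-14T09:05:28Z layer=app event=request method=POST path=/integrations/vendor-terms session=s-9018
2025-09-14T09:05:29Z layer=app event=request method=GET path=/health session=-
"""

# Assumed maximum delay between the application request and the ERP write.
WINDOW = timedelta(seconds=5)


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a tz-aware 'ts' field."""
    ts_text, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def parse_log(text):
    """Parse a multi-line log blob, skipping blank lines."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def find_orphaned_changes(erp_text, app_text, window=WINDOW):
    """Return ERP integration changes with no causal application request.

    A change is 'explained' if some POST to /integrations/* was logged at or
    before the change timestamp and no more than `window` earlier. Anything
    else is an orphan: the ERP layer acted without the application layer
    asking it to, which is the temporal inconsistency the text describes.
    """
    erp = parse_log(erp_text)
    app = parse_log(app_text)
    # Only requests that can legitimately trigger an integration change count.
    causal = [
        r for r in app
        if r.get("method") == "POST" and r.get("path", "").startswith("/integrations/")
    ]
    orphans = []
    for change in erp:
        if change.get("event") != "integration_param_change":
            continue
        explained = any(timedelta(0) <= change["ts"] - r["ts"] <= window for r in causal)
        if not explained:
            orphans.append(change)
    return orphans


if __name__ == "__main__":
    for o in find_orphaned_changes(ERP_LOG, APP_LOG):
        print(f"ORPHANED: {o['ts'].isoformat()} {o['param']} changed by {o['actor']} "
              "with no originating application request")
```

Run against the constructed data, the 02:13 and 09:05 changes are explained by requests a few seconds earlier, while the 02:41 change to `invoice_route_target` has no request behind it and is reported. The point of the design is that neither log is suspicious on its own: the correlation only exists when the two layers are read together, which is exactly what the siloed teams in the scenario never do.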


Diagnosis

The post-incident review reveals the real failure.

The organization defended systems. The attacker exploited assumptions.

The perimeter assumed its own authority was legitimate. The WAF assumed its own logic was correct. Collaboration assumed internal users were trustworthy. ERP assumed integrations were safe. The application assumed its own serialization boundaries were sound.

Each layer trusted itself. The attacker simply inherited that trust.


Outcome

The breach didn't destroy data, encrypt systems, or exfiltrate terabytes. It did something more damaging: it rewrote the organization's operational reality for six weeks before anyone noticed.

The financial loss was modest. The epistemic loss—the loss of confidence in the organization's own systems—was catastrophic.


The Pattern Repeats

On February 25, 2026—the day before I published the formal version of this analysis—Cisco disclosed CVE-2026-20127, a maximum-severity (CVSS 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller and Manager. CISA issued Emergency Directive 26-03 within hours. The Australian Signals Directorate reported that the vulnerability had been exploited as a zero-day since at least 2023 by a sophisticated threat actor tracked as UAT-8616.

The attack pattern is structurally identical. The attacker exploited a broken peering authentication mechanism to gain administrative access to the SD-WAN Controller—the system that governs how all traffic routes, segments, and is secured across the enterprise. They added a rogue peer to the network management plane, then downgraded firmware to escalate to root. Cisco Talos reported that the actor cleared logs, purged command history, and erased network connection records.

This is not edge compromise. It is control-plane inheritance. The attacker inserted themselves into the trust fabric of the network itself, becoming an authorized peer from the system's perspective.

A trust-stack descent model built from 2025 artifacts. A zero-day exploited since 2023, disclosed independently in 2026, that conforms to the same pattern. The model isn't retrospective. It's structural.


What This Teaches

Axiom 1. Breaches are not lateral movement. They are downward trust-stack traversal.

Axiom 2. CVEs are not vulnerabilities. They are entry points into collapsing assumptions.

Axiom 3. Detection fails not because attackers are sophisticated, but because defenders monitor the wrong layer.

Axiom 4. The attacker's power comes from inheriting authority, not stealing credentials.

Axiom 5. The breach is complete long before the first alert fires.


Methodological Note

This is a reconstructed scenario, not a report of a specific real-world incident. The five 2025 CVEs are real, actively exploited vulnerabilities documented by CISA, Google Threat Intelligence Group, AWS, Microsoft, and others. The scenario composes them into a coherent attack narrative to illustrate trust-stack descent as a breach architecture pattern. The inherited-authority model and trust-stack traversal framework are original analytical contributions.

The formal, citable version of this paper is published on Zenodo:
DOI: 10.5281/zenodo.18791789


Narnaiezzsshaa Truong is the founder of Soft Armor Labs and the author of the EIOC (Emotional Indicators of Compromise) and Adversarial Pattern Recognition (APR) frameworks. She writes about the layer beneath the architecture.
