Threat Newsletter Week 3-4
Docker Fixes Critical Ask Gordon AI Flaw Allowing Code Execution via Image Metadata
Cybersecurity researchers have disclosed details of a now-patched security flaw impacting Ask Gordon, an artificial intelligence (AI) assistant built into Docker Desktop and the Docker Command-Line Interface (CLI), that could be exploited to execute code and exfiltrate sensitive data.
The critical vulnerability has been codenamed DockerDash by cybersecurity company Noma Labs. It was addressed by Docker with the release of version 4.50.0 in November 2025.
„In DockerDash, a single malicious metadata label in a Docker image can be used to compromise your Docker environment through a simple three-stage attack: Gordon AI reads and interprets the malicious instruction, forwards it to the MCP [Model Context Protocol] Gateway, which then executes it through MCP tools,“ Sasi Levi, security research lead at Noma, said in a report shared with The Hacker News.
„Every stage happens with zero validation, taking advantage of current agents and MCP Gateway architecture.“
Source: The hacker news / Securityweek
Link: https://thehackernews.com/2026/02/docker-fixes-critical-ask-gordon-ai.html
Link: https://www.securityweek.com/dockerdash-flaw-in-docker-ai-assistant-leads-to-rce-data-theft/
Microsoft Begins NTLM Phase-Out With Three-Stage Plan to Move Windows to Kerberos
Microsoft has announced a three-phase approach to phase out New Technology LAN Manager (NTLM) as part of its efforts to shift Windows environments toward stronger, Kerberos-based options.
The development comes more than two years after the tech giant revealed its plans to deprecate the legacy technology, citing its susceptibility to weaknesses that could facilitate relay attacks and allow bad actors to gain unauthorized access to network resources. NTLM was formally deprecated in June 2024 and no longer receives updates.
„NTLM consists of security protocols originally designed to provide authentication, integrity, and confidentiality to users,“ Mariam Gewida, Technical Program Manager II at Microsoft, explained. „However, as security threats have evolved, so have our standards to meet modern security expectations. Today, NTLM is susceptible to various attacks, including replay and man-in-the-middle attacks, due to its use of weak cryptography.“
Despite the deprecated status, Microsoft said it continues to find the use of NTLM prevalent in enterprise environments where modern protocols like Kerberos cannot be implemented due to legacy dependencies, network limitations, or ingrained application logic. This, in turn, exposes organizations to security risks, such as replay, relay, and pass-the-hash attacks.
Source: The hacker news / Securityweek / Windows IT PRO blog
Link: https://thehackernews.com/2026/02/microsoft-begins-ntlm-phase-out-with.html
Link: https://www.securityweek.com/microsoft-moves-closer-to-disabling-ntlm/
Link: https://techcommunity.microsoft.com/blog/windows-itpro-blog/advancing-windows-security-disabling-ntlm-by-default/4489526
Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released
Ivanti has rolled out security updates to address two security flaws impacting Ivanti Endpoint Manager Mobile (EPMM) that have been exploited in zero-day attacks, one of which has been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities (KEV) catalog.
The critical-severity vulnerabilities are listed below –
- CVE-2026-1281 (CVSS score: 9.8) – A code injection allowing attackers to achieve unauthenticated remote code execution
- CVE-2026-1340 (CVSS score: 9.8) – A code injection allowing attackers to achieve unauthenticated remote code execution
Note that the fix is delivered as an RPM patch, which does not survive a version upgrade and must be reapplied if the appliance is upgraded to a new version. The vulnerabilities will be permanently addressed in EPMM version 12.8.0.0, which will be released later in Q1 2026.
Source: The hacker news / Bleeping computer / Securityweek / Ivanti security advisory
Link: https://thehackernews.com/2026/01/two-ivanti-epmm-zero-day-rce-flaws.html
Link: https://www.bleepingcomputer.com/news/security/ivanti-warns-of-two-epmm-flaws-exploited-in-zero-day-attacks/
Link: https://www.securityweek.com/ivanti-patches-exploited-epmm-zero-days/
Link: https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340?language=en_US
SolarWinds Fixes Four Critical Web Help Desk Flaws With Unauthenticated RCE and Auth Bypass
SolarWinds has released security updates to address multiple security vulnerabilities impacting SolarWinds Web Help Desk, including four critical vulnerabilities that could result in authentication bypass and remote code execution (RCE).
The list of vulnerabilities is as follows –
- CVE-2025-40536 (CVSS score: 8.1) – A security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality
- CVE-2025-40537 (CVSS score: 7.5) – A hard-coded credentials vulnerability that could allow access to administrative functions using the „client“ user account
- CVE-2025-40551 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an unauthenticated attacker to run commands on the host machine
- CVE-2025-40552 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an unauthenticated attacker to execute actions and methods
- CVE-2025-40553 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an unauthenticated attacker to run commands on the host machine
- CVE-2025-40554 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an attacker to invoke specific actions within Web Help Desk
While Jimi Sebree from Horizon3.ai has been credited with discovering and reporting the first three vulnerabilities, watchTowr’s Piotr Bazydlo has been acknowledged for the remaining three flaws. All the issues have been addressed in WHD 2026.1.
Source: The hacker news / Bleeping computer / Securityweek / Infosecurity magazine / horizon3 blog
Link: https://thehackernews.com/2026/01/solarwinds-fixes-four-critical-web-help.html
Link: https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
Link: https://www.bleepingcomputer.com/news/security/cisa-flags-critical-solarwinds-rce-flaw-as-actively-exploited/
Link: https://www.securityweek.com/solarwinds-patches-critical-web-help-desk-vulnerabilities/
Link: https://www.securityweek.com/fresh-solarwinds-vulnerability-exploited-in-attacks/
Link: https://www.infosecurity-magazine.com/news/solarwinds-web-help-desk/
Link: https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/
Threat Newsletter Week 2-3
Cisco Fixes Actively Exploited Zero-Day CVE-2026-20045 in Unified CM and Webex
Cisco has released fresh patches to address what it described as a „critical“ security vulnerability impacting multiple Unified Communications (CM) products and Webex Calling Dedicated Instance that has been actively exploited as a zero-day in the wild.
The vulnerability, CVE-2026-20045 (CVSS score: 8.2), could permit an unauthenticated remote attacker to execute arbitrary commands on the underlying operating system of a susceptible device.
„This vulnerability is due to improper validation of user-supplied input in HTTP requests,“ Cisco said in an advisory. „An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root.“
The critical rating for the flaw is due to the fact that its exploitation could allow for privilege escalation to root, it added.
Source: The hacker news / Bleeping computer / Helpnet security / CISCO security advisory
Link: https://thehackernews.com/2026/01/cisco-fixes-actively-exploited-zero-day.html
Link: https://www.bleepingcomputer.com/news/security/cisco-fixes-unified-communications-rce-zero-day-exploited-in-attacks/
Link: https://www.helpnetsecurity.com/2026/01/21/cisco-enterprise-communications-cve-2026-20045/
Link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-voice-rce-mORhqY4b
Cisco Patches Zero-Day RCE Exploited by China-Linked APT in Secure Email Gateways
Cisco on Thursday released security updates for a maximum-severity security flaw impacting Cisco AsyncOS Software for Cisco Secure Email Gateway and Cisco Secure Email and Web Manager, nearly a month after the company disclosed that it had been exploited as a zero-day by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686.
The vulnerability, tracked as CVE-2025-20393 (CVSS score: 10.0), is a remote command execution flaw arising as a result of insufficient validation of HTTP requests by the Spam Quarantine feature. Successful exploitation of the defect could permit an attacker to execute arbitrary commands with root privileges on the underlying operating system of an affected appliance.
However, for the attack to work, three conditions must be met –
- The appliance is running a vulnerable release of Cisco AsyncOS Software
- The appliance is configured with the Spam Quarantine feature
- The Spam Quarantine feature is exposed to and reachable from the internet
Last month, the networking equipment major revealed that it found evidence of UAT-9686 exploiting the vulnerability as early as late November 2025 to drop tunneling tools like ReverseSSH (aka AquaTunnel) and Chisel, and a log cleaning utility called AquaPurge. The attacks are also characterized by the deployment of a lightweight Python backdoor dubbed AquaShell that’s capable of receiving encoded commands and executing them.
Source: The hacker news / Bleeping computer / Securityweek
Link: https://thehackernews.com/2026/01/cisco-patches-zero-day-rce-exploited-by.html
Link: https://www.bleepingcomputer.com/news/security/cisco-finally-fixes-asyncos-zero-day-exploited-since-november/
Link: https://www.securityweek.com/cisco-patches-vulnerability-exploited-by-chinese-hackers/
Palo Alto Fixes GlobalProtect DoS Flaw That Can Crash Firewalls Without Login
Palo Alto Networks has released security updates for a high-severity security flaw impacting GlobalProtect Gateway and Portal, for which it said there exists a proof-of-concept (PoC) exploit.
The vulnerability, tracked as CVE-2026-0227 (CVSS score: 7.7), has been described as a denial-of-service (DoS) condition impacting GlobalProtect PAN-OS software arising as a result of an improper check for exceptional conditions (CWE-754).
„A vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to cause a denial-of-service (DoS) to the firewall,“ the company said in an advisory released Wednesday. „Repeated attempts to trigger this issue result in the firewall entering into maintenance mode.“
The issue, discovered and reported by an unnamed external researcher, affects the following versions –
- PAN-OS 12.1 < 12.1.3-h3, < 12.1.4
- PAN-OS 11.2 < 11.2.4-h15, < 11.2.7-h8, < 11.2.10-h2
- PAN-OS 11.1 < 11.1.4-h27, < 11.1.6-h23, < 11.1.10-h9, < 11.1.13
- PAN-OS 10.2 < 10.2.7-h32, < 10.2.10-h30, < 10.2.13-h18, < 10.2.16-h6, < 10.2.18-h1
- PAN-OS 10.1 < 10.1.14-h20
- Prisma Access 11.2 < 11.2.7-h8
- Prisma Access 10.2 < 10.2.10-h29
Palo Alto Networks also clarified that the vulnerability is applicable only to PAN-OS NGFW or Prisma Access configurations with an enabled GlobalProtect gateway or portal. The company’s Cloud Next-Generation Firewall (NGFW) is not impacted. There are no workarounds to mitigate the flaw.
Source: The hacker news / Bleeping computer
Link: https://thehackernews.com/2026/01/palo-alto-fixes-globalprotect-dos-flaw.html
Link: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-dos-bug-letting-hackers-disable-firewalls/
Exploit code public for critical FortiSIEM command injection flaw
Technical details and a public exploit have been published for a critical vulnerability affecting Fortinet’s Security Information and Event Management (SIEM) solution that could be leveraged by a remote, unauthenticated attacker to execute commands or code.
The vulnerability is tracked as CVE-2025-64155, and is a combination of two issues that permit an arbitrary file write with admin permissions and privilege escalation to root access.
Researchers at penetration testing company Horizon3.ai reported the security issue in mid-August 2025, but it was only fixed on January 13, 2026.
Fortinet describes the CVE-2025-64155 vulnerability as „an improper neutralization of special elements used in an OS command vulnerability in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.“
Horizon3.ai has published a detailed write-up explaining that the root cause of the issue is the exposure of dozens of command handlers on the phMonitor service, which can be invoked remotely without authentication.
Source: Bleeping computer / Securityweek
Link: https://www.bleepingcomputer.com/news/security/exploit-code-public-for-critical-fortisiem-command-injection-flaw/
Link: https://www.bleepingcomputer.com/news/security/hackers-now-exploiting-critical-fortinet-fortisiem-vulnerability-in-attacks/
Link: https://www.securityweek.com/fortinet-patches-critical-vulnerabilities-in-fortifone-fortisiem/
Fortinet Fixes Critical FortiSIEM Flaw Allowing Unauthenticated Remote Code Execution
Fortinet has released updates to fix a critical security flaw impacting FortiSIEM that could allow an unauthenticated attacker to achieve code execution on susceptible instances.
The operating system (OS) injection vulnerability, tracked as CVE-2025-64155, is rated 9.4 out of 10.0 on the CVSS scoring system.
„An improper neutralization of special elements used in an OS command (‚OS command injection‘) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests,“ the company said in a Tuesday bulletin.
Fortinet said the vulnerability affects only Super and Worker nodes, and that it has been addressed in the following versions –
- FortiSIEM 6.7.0 through 6.7.10 (Migrate to a fixed release)
- FortiSIEM 7.0.0 through 7.0.4 (Migrate to a fixed release)
- FortiSIEM 7.1.0 through 7.1.8 (Upgrade to 7.1.9 or above)
- FortiSIEM 7.2.0 through 7.2.6 (Upgrade to 7.2.7 or above)
- FortiSIEM 7.3.0 through 7.3.4 (Upgrade to 7.3.5 or above)
- FortiSIEM 7.4.0 (Upgrade to 7.4.1 or above)
- FortiSIEM 7.5 (Not affected)
- FortiSIEM Cloud (Not affected)
Horizon3.ai security researcher Zach Hanley, who is credited with discovering and reporting the flaw on August 14, 2025, said it comprises two moving parts –
- An unauthenticated argument injection vulnerability that leads to arbitrary file write, allowing for remote code execution as the admin user
- A file overwrite privilege escalation vulnerability that leads to root access and complete compromise of the appliance
Specifically, the problem has to do with how FortiSIEM’s phMonitor service – a crucial backend process responsible for health monitoring, task distribution, and inter-node communication via TCP port 7900 – handles incoming requests related to logging security events to Elasticsearch.
Source: The hacker news / Dark reading
Link: https://thehackernews.com/2026/01/fortinet-fixes-critical-fortisiem-flaw.html
Link: https://www.darkreading.com/vulnerabilities-threats/fortinet-critical-fortisiem-flaw-exploited
Microsoft Fixes 114 Windows Flaws in January 2026 Patch, One Actively Exploited
Microsoft on Tuesday rolled out its first security update for 2026, addressing 114 security flaws, including one vulnerability that it said has been actively exploited in the wild.
Of the 114 flaws, eight are rated Critical, and 106 are rated Important in severity. As many as 58 vulnerabilities have been classified as privilege escalation, followed by 22 information disclosure, 21 remote code execution, and five spoofing flaws. According to data collected by Fortra, the update marks the third-largest January Patch Tuesday after January 2025 and January 2022.
These patches are in addition to two security flaws that Microsoft has addressed in its Edge browser since the release of the December 2025 Patch Tuesday update, including a spoofing flaw in its Android app (CVE-2025-65046, CVSS score: 3.1) and a case of insufficient policy enforcement in Chromium’s WebView tag (CVE-2026-0628, CVSS score: 8.8).
The vulnerability that has come under in-the-wild exploitation is CVE-2026-20805 (CVSS score: 5.5), an information disclosure flaw impacting Desktop Window Manager. The Microsoft Threat Intelligence Center (MTIC) and Microsoft Security Response Center (MSRC) have been credited with identifying and reporting the flaw.
„Exposure of sensitive information to an unauthorized actor in Desktop Windows Manager (DWM) allows an authorized attacker to disclose information locally,“ Microsoft said in an advisory. „The type of information that could be disclosed if an attacker successfully exploited this vulnerability is a section address from a remote ALPC port, which is user-mode memory.“
There are currently no details on how the vulnerability is being exploited, the scale of such efforts, and who may be behind the activity.
Source: The hacker news / Bleeping computer / Krebs on security / Dark reading / Securityweek / CISCO Talos intelligence group / SANS internet storm center
Link: https://thehackernews.com/2026/01/microsoft-fixes-114-windows-flaws-in.html
Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-january-2026-patch-tuesday-fixes-3-zero-days-114-flaws/
Link: https://krebsonsecurity.com/2026/01/patch-tuesday-january-2026-edition/
Link: https://www.darkreading.com/application-security/microsofts-starts-2026-bang-zero-day
Link: https://www.securityweek.com/microsoft-patches-exploited-windows-zero-day-111-other-vulnerabilities/
Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-january-2026/
Link: https://isc.sans.edu/diary/January%202026%20Microsoft%20Patch%20Tuesday%20Summary/32624
ServiceNow Patches Critical AI Platform Flaw Allowing Unauthenticated User Impersonation
ServiceNow has disclosed details of a now-patched critical security flaw impacting its ServiceNow artificial intelligence (AI) Platform that could enable an unauthenticated user to impersonate another user and perform arbitrary actions as that user.
The vulnerability, tracked as CVE-2025-12420, carries a CVSS score of 9.3 out of 10.0. It has been codenamed BodySnatcher by AppOmni.
„This issue […] could enable an unauthenticated user to impersonate another user and perform the operations that the impersonated user is entitled to perform,“ the company said in an advisory released Monday.
The shortcoming was addressed by ServiceNow on October 30, 2025, by deploying a security update to the majority of hosted instances, with the company also sharing the patches with ServiceNow partners and self-hosted customers.
The following versions include a fix for CVE-2025-12420 –
- Now Assist AI Agents (sn_aia) – 5.1.18 or later and 5.2.19 or later
- Virtual Agent API (sn_va_as_service) – 3.15.2 or later and 4.0.4 or later
ServiceNow credited Aaron Costello, chief of SaaS Security Research at AppOmni, with discovering and reporting the flaw in October 2025. While there is no evidence that the vulnerability has been exploited in the wild, users are advised to apply an appropriate security update as soon as possible to mitigate potential threats.
Source: The hacker news / Dark reading
Link: https://thehackernews.com/2026/01/servicenow-patches-critical-ai-platform.html
Link: https://www.darkreading.com/remote-workforce/ai-vulnerability-servicenow
MITRE Launches New Security Framework for Embedded Systems
MITRE on Tuesday announced the launch of Embedded Systems Threat Matrix (ESTM), a cybersecurity framework designed to help organizations protect critical embedded systems.
Inspired by the popular ATT&CK framework and derived from MITRE’s theoretical research and proof-of-concept models, the ESTM categorizes specific attack tactics and techniques tailored to hardware and firmware environments.
The model maps both established and emerging attack vectors to assist organizations in identifying vulnerabilities within embedded architectures.
MITRE says the framework can be used in industries such as energy, robotics, industrial controls, transportation, and healthcare.
“The ESTM has proven valuable in various applications, including cyber threat modeling and attack path analysis, and its alignment with established cybersecurity frameworks ensures seamless integration with existing security practices,” MITRE says on its website.
The non-profit R&D organization also points out that ESTM works with the EMB3D Threat Model.
Source: Securityweek
Link: https://www.securityweek.com/mitre-launches-new-security-framework-for-embedded-systems/
Oracle’s First 2026 CPU Delivers 337 New Security Patches
Oracle has released 337 new security patches for over 30 products as part of its first Critical Patch Update (CPU) for 2026.
There appear to be roughly 230 unique CVEs in Oracle’s January 2026 CPU advisory.
More than two dozen of the fresh fixes resolve critical-severity vulnerabilities and over 235 patches address flaws that are remotely exploitable without authentication.
Roughly half a dozen patches address CVE-2025-66516 (CVSS score of 10/10), a critical defect in Apache Tika that could lead to XML External Entity (XXE) injection attacks.
Impacting three modules of Apache Tika, the vulnerability can be exploited by placing crafted XFA files inside PDF documents.
Oracle products that received patches for the issue include Commerce, Communications, Construction and Engineering, Fusion Middleware, and PeopleSoft.
Once again, Oracle Communications received the largest number of security fixes, at 56. Of these, 34 resolve bugs that can be exploited by remote, unauthenticated attackers.
Source: Securityweek / Oracle security advisory
Link: https://www.securityweek.com/oracles-first-2026-cpu-delivers-337-new-security-patches/
Link: https://www.oracle.com/security-alerts/cpujan2026.html#AppendixFMW
Adobe Patches Critical Apache Tika Bug in ColdFusion
Adobe has released security updates for 11 products on January 2026 Patch Tuesday, addressing a total of 25 vulnerabilities, including a critical code execution flaw.
The critical-severity issue, tracked as CVE-2025-66516 (CVSS score of 10/10), is an XML External Entity (XXE) injection bug in Apache Tika modules that could be exploited via XFA files placed inside PDF documents.
The security defect was patched in early December, when Apache warned that successful exploitation could lead to information leaks, SSRF attacks, denial-of-service (DoS), or remote code execution (RCE).
On Tuesday, Adobe released a ColdFusion security update to resolve CVE-2025-66516, noting that all ColdFusion 2025 Update 5 and earlier versions, and ColdFusion 2023 Update 17 and earlier versions are affected, on all platforms.
The vulnerability was addressed in ColdFusion 2025 Update 6 and ColdFusion 2023 Update 18. Adobe has slapped a priority rating of ‘1’ on the security bulletin, urging users to update as soon as possible.
Another Adobe product that received an update on January 2026 Patch Tuesday is Dreamweaver. The security refresh resolves five high-severity flaws, four leading to arbitrary code execution and one leading to arbitrary system file write.
Source: Securityweek
Link: https://www.securityweek.com/adobe-patches-critical-apache-tika-bug-in-coldfusion/
SAP’s January 2026 Security Updates Patch Critical Vulnerabilities
Enterprise software maker SAP on Tuesday announced the release of 17 new security notes as part of its January 2026 Security Patch Day. Four of the notes address critical-severity vulnerabilities.
The first note in SAP’s January 2026 advisory resolves CVE-2026-0501 (CVSS score of 9.9), a critical SQL injection bug in S/4HANA.
The issue impacts a Remote Function Call-enabled module relying on the ABAP Database Connectivity (ADBC) framework for the execution of a native SQL statement, explains Onapsis, which discovered and reported the bug.
“This SQL statement is provided through an input parameter and allows an attacker to execute arbitrary SQL commands. On successful exploitation, the system can be fully compromised,” the security firm notes.
The second critical bug that SAP addressed on Tuesday is CVE-2026-0500 (CVSS score of 9.6), a remote code execution (RCE) issue in Wily Introscope Enterprise Manager.
According to Onapsis, the application allows unauthenticated attackers to craft malicious JNLP (Java Network Launch Protocol) files that can be accessed via URLs.
Source: Securityweek
Link: https://www.securityweek.com/saps-january-2026-security-updates-patch-critical-vulnerabilities/
SCANT: A (kind-of-decent) Framework for Ethical Deepfake Creation & Distribution
Lots of damage has been done with AI, and to keep from deep-sixing the forward-leaning tone I want in this article, I’ll refrain from noting any details – the internet is available for you to search to your heart’s content. I want to start with that note because how we use AI is not just an option, like whether we want a cinnamon roll or a bagel at breakfast. AI use has meaning – whether it’s dark or not depends on each of us.
Source: Secjuice
Link: https://www.secjuice.com/scant-framework-for-ethical-deepfake-creation-distribution/
Threat Newsletter Week 49-50
Warning: WinRAR Vulnerability CVE-2025-6218 Under Active Attack by Multiple Threat Groups
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a security flaw impacting the WinRAR file archiver and compression utility to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability, tracked as CVE-2025-6218 (CVSS score: 7.8), is a path traversal bug that could enable code execution. However, for exploitation to succeed, it requires a prospective target to visit a malicious page or open a malicious file.
„RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user,“ CISA said in an alert.
The vulnerability was patched by RARLAB with WinRAR 7.12 in June 2025. It only affects Windows-based builds. Versions of the tool for other platforms, including Unix and Android, are not affected.
Source: The hacker news
Link: https://thehackernews.com/2025/12/warning-winrar-vulnerability-cve-2025.html
Microsoft Issues Security Fixes for 56 Flaws, Including Active Exploit and Two Zero-Days
Microsoft closed out 2025 with patches for 56 security flaws in various products across the Windows platform, including one vulnerability that has been actively exploited in the wild.
Of the 56 flaws, three are rated Critical, and 53 are rated Important in severity. Two other defects are listed as publicly known at the time of the release. The 56 flaws comprise 29 privilege escalation, 18 remote code execution, four information disclosure, three denial-of-service, and two spoofing vulnerabilities.
Microsoft has addressed a total of 1,275 CVEs in 2025, according to data compiled by Fortra. Tenable’s Satnam Narang said 2025 also marks the second consecutive year in which the Windows maker has patched over 1,000 CVEs. It’s the third time it has done so since Patch Tuesday’s inception.
The update is in addition to 17 shortcomings the tech giant patched in its Chromium-based Edge browser since the release of the November 2025 Patch Tuesday update. This also consists of a spoofing vulnerability in Edge for iOS (CVE-2025-62223, CVSS score: 4.3).
The vulnerability that has come under active exploitation is CVE-2025-62221 (CVSS score: 7.8), a use-after-free in Windows Cloud Files Mini Filter Driver that could allow an authorized attacker to elevate privileges locally and obtain SYSTEM permissions.
„File system filter drivers, aka minifilters, attach to the system software stack, and intercept requests targeted at a file system, and extend or replace the functionality provided by the original target,“ Adam Barnett, lead software engineer at Rapid7, said in a statement. „Typical use cases include data encryption, automated backup, on-the-fly compression, and cloud storage.“
Source: The hacker news / Dark reading / Krebs on security / Securityweek / CISCO Talos intelligence group / Infosecurity magazine / SANS internet storm center
Link: https://thehackernews.com/2025/12/microsoft-issues-security-fixes-for-56.html
Link: https://www.darkreading.com/application-security/microsoft-fixes-exploited-zero-day-light-patch-tuesday
Link: https://krebsonsecurity.com/2025/12/microsoft-patch-tuesday-december-2025-edition/
Link: https://www.securityweek.com/microsoft-patches-57-vulnerabilities-three-zero-days/
Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-december-2025/
Link: https://www.infosecurity-magazine.com/news/microsoft-three-zerodays-patch/
Link: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20December%202025/32550
Fortinet, Ivanti, and SAP Issue Urgent Patches for Authentication and Code Execution Flaws
Fortinet, Ivanti, and SAP have moved to address critical security flaws in their products that, if successfully exploited, could result in an authentication bypass and code execution.
The Fortinet vulnerabilities affect FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager and relate to a case of improper verification of a cryptographic signature. They are tracked as CVE-2025-59718 and CVE-2025-59719 (CVSS scores: 9.8).
„An Improper Verification of Cryptographic Signature vulnerability [CWE-347] in FortiOS, FortiWeb, FortiProxy, and FortiSwitchManager may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML message, if that feature is enabled on the device,“ Fortinet said in an advisory.
The company, however, noted that the FortiCloud SSO login feature is not enabled in the default factory settings. FortiCloud SSO login is enabled when an administrator registers the device to FortiCare and has not disabled the toggle „Allow administrative login using FortiCloud SSO“ in the registration page.
Source: The hacker news / Securityweek
Link: https://thehackernews.com/2025/12/fortinet-ivanti-and-sap-issue-urgent.html
Link: https://www.securityweek.com/ivanti-epm-update-patches-critical-remote-code-execution-flaw/
Link: https://www.securityweek.com/sap-patches-critical-vulnerabilities-with-december-2025-security-updates/
Link: https://www.securityweek.com/fortinet-patches-critical-authentication-bypass-vulnerabilities/
Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild.
The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an unauthenticated attacker without requiring any special setup. It’s also tracked as React2Shell.
„Meta React Server Components contains a remote code execution vulnerability that could allow unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints,“ CISA said in an advisory.
The problem stems from insecure deserialization in the library’s Flight protocol, which React uses to communicate between a server and client. As a result, it leads to a scenario where an unauthenticated, remote attacker can execute arbitrary commands on the server by sending specially crafted HTTP requests.
Source: The hacker news / Securityweek / Infosecurity magazine / Cloudflare blog / AWS security blog
Link: https://thehackernews.com/2025/12/critical-react2shell-flaw-added-to-cisa.html
Link: https://www.securityweek.com/react2shell-attacks-linked-to-north-korean-hackers/
Link: https://www.securityweek.com/exploitation-of-react2shell-surges/
Link: https://www.infosecurity-magazine.com/news/react2shell-exploit-campaigns/
Link: https://blog.cloudflare.com/5-december-2025-outage/
Link: https://aws.amazon.com/de/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
Critical XXE Bug CVE-2025-66516 (CVSS 10.0) Hits Apache Tika, Requires Urgent Patch
A critical security flaw has been disclosed in Apache Tika that could result in an XML external entity (XXE) injection attack.
The vulnerability, tracked as CVE-2025-66516, is rated 10.0 on the CVSS scoring scale, indicating maximum severity.
„Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF,“ according to an advisory for the vulnerability.
It affects the following Maven packages –
- org.apache.tika:tika-core >= 1.13, <= 3.2.1 (Patched in version 3.2.2)
- org.apache.tika:tika-parser-pdf-module >= 2.0.0, <= 3.2.1 (Patched in version 3.2.2)
- org.apache.tika:tika-parsers >= 1.13, < 2.0.0 (Patched in version 2.0.0)
XXE injection refers to a web security vulnerability that allows an attacker to interfere with an application’s processing of XML data. This, in turn, makes it possible to access files on the application server file system and, in some cases, even achieve remote code execution.
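The affected-version ranges above are exactly what a defender needs to triage a Maven dependency tree. The following is an added example, not Apache Tika project code: it encodes the three ranges from the advisory summary and checks `group:artifact:jar:version:scope` lines in the shape of `mvn dependency:list` output (assumed: no classifier field; version qualifiers after `-` are ignored). The dependency lines are constructed sample input.

```python
"""Check Maven coordinates against the affected ranges listed for CVE-2025-66516.

Added example, not Apache Tika project code. The ranges below are copied from
the advisory summary above; the dependency lines at the bottom are constructed.
"""
import re
from typing import Optional

# coordinate -> (lowest affected, highest affected, upper bound inclusive?, fixed in)
AFFECTED = {
    "org.apache.tika:tika-core": ("1.13", "3.2.1", True, "3.2.2"),
    "org.apache.tika:tika-parser-pdf-module": ("2.0.0", "3.2.1", True, "3.2.2"),
    "org.apache.tika:tika-parsers": ("1.13", "2.0.0", False, "2.0.0"),
}


def parse_version(v: str) -> tuple:
    """Turn '3.2.1' (or '3.2.1-SNAPSHOT') into a comparable tuple of ints.

    Assumption: a qualifier after '-' is dropped, so 3.2.1-x compares like 3.2.1.
    Short versions are padded so that 1.13 == 1.13.0.
    """
    core = v.split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(coordinate: str, version: str) -> Optional[bool]:
    """True/False for an artifact named in the advisory, None for anything else."""
    entry = AFFECTED.get(coordinate)
    if entry is None:
        return None
    low, high, high_inclusive, _fixed = entry
    v = parse_version(version)
    if v < parse_version(low):
        return False
    if high_inclusive:
        return v <= parse_version(high)
    return v < parse_version(high)


# Matches group:artifact:jar|pom:version anywhere in a line (assumed: no classifier).
DEP_LINE = re.compile(
    r"(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?:jar|pom):(?P<v>[\w.\-]+)"
)


def scan_dependency_list(text: str) -> list:
    """Report every Tika artifact found in dependency-list style lines.

    Each finding carries the coordinate, the version seen, whether that version
    falls inside the advisory's affected range, and the version to move to.
    """
    findings = []
    for line in text.splitlines():
        m = DEP_LINE.search(line)
        if not m:
            continue
        coord = f"{m['g']}:{m['a']}"
        verdict = is_affected(coord, m["v"])
        if verdict is None:
            continue  # not one of the artifacts named in the advisory
        findings.append({
            "artifact": coord,
            "version": m["v"],
            "affected": verdict,
            "fixed_in": AFFECTED[coord][3],
        })
    return findings


# Constructed sample input shaped like `mvn dependency:list` output.
SAMPLE = """\
[INFO]    org.apache.tika:tika-core:jar:3.2.1:compile
[INFO]    org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO]    org.apache.tika:tika-parsers:jar:1.28.5:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.14.0:compile
"""

if __name__ == "__main__":
    for f in scan_dependency_list(SAMPLE):
        state = "AFFECTED" if f["affected"] else "ok"
        print(f"{f['artifact']} {f['version']}: {state} (fixed in {f['fixed_in']})")
```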
Source: The hacker news / Dark reading / Securityweek
Link: https://thehackernews.com/2025/12/critical-xxe-bug-cve-2025-66516-cvss.html
Link: https://www.darkreading.com/application-security/apache-max-severity-tika-cve-patch-miss
Link: https://www.securityweek.com/critical-apache-tika-vulnerability-leads-to-xxe-injection/
Building SOX compliance through smarter training and stronger password practices
A SOX audit can reveal uncomfortable truths about how a company handles access to financial systems. Even organizations that invest in strong infrastructure often discover that everyday password habits weaken the controls they thought were solid. CISOs know that passwords still sit at the center of most access decisions, and any weakness in how people create, store or share them can undermine internal control over financial reporting.
Source: Helpnet security
Link: https://www.helpnetsecurity.com/2025/12/10/sox-compliance-password-practices/
Threat Newsletter Week 47-48
CISA Warns of Actively Exploited Critical Oracle Identity Manager Zero-Day Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a critical security flaw impacting Oracle Identity Manager to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerability in question is CVE-2025-61757 (CVSS score: 9.8), a case of missing authentication for a critical function that can result in pre-authenticated remote code execution. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. It was addressed by Oracle as part of its quarterly updates released last month.
Source: The hacker news | Bleeping computer | Securityweek | Darkreading | SANS internet storm center | Searchlight Cyber security research
Link: https://thehackernews.com/2025/11/cisa-warns-of-actively-exploited.html
Link: https://www.bleepingcomputer.com/news/security/cisa-warns-oracle-identity-manager-rce-flaw-is-being-actively-exploited/
Link: https://www.securityweek.com/cisa-confirms-exploitation-of-recent-oracle-identity-manager-vulnerability/
Link: https://www.darkreading.com/vulnerabilities-threats/critical-flaw-oracle-identity-manager-under-exploitation
Link: https://isc.sans.edu/diary/Oracle%20Identity%20Manager%20Exploit%20Observation%20from%20September%20%28CVE-2025-61757%29/32506
Link: https://slcyber.io/research-center/breaking-oracles-identity-manager-pre-auth-rce/
New SonicWall SonicOS flaw allows hackers to crash firewalls
American cybersecurity company SonicWall urged customers today to patch a high-severity SonicOS SSLVPN security flaw that can allow attackers to crash vulnerable firewalls.
Tracked as CVE-2025-40601, this denial-of-service vulnerability is caused by a stack-based buffer overflow impacting Gen8 and Gen7 (hardware and virtual) firewalls.
„A Stack-based buffer overflow vulnerability in the SonicOS SSLVPN service allows a remote unauthenticated attacker to cause Denial of Service (DoS), which could cause an impacted firewall to crash,“ SonicWall said.
„SonicWall PSIRT is not aware of active exploitation in the wild. No reports of a PoC have been made public and malicious use of this vulnerability has not been reported to SonicWall.“
However, the company added that its Gen6 firewalls, as well as the SMA 1000 and SMA 100 series SSL VPN products, are not vulnerable to attacks potentially targeting this vulnerability.
Source: Bleeping computer | Securityweek | SonicWall psirt
Link: https://www.bleepingcomputer.com/news/security/new-sonicwall-sonicos-flaw-allows-hackers-to-crash-firewalls/
Link: https://www.securityweek.com/sonicwall-patches-high-severity-flaws-in-firewalls-email-security-appliance/
Link: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0016
ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access
A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware known as ShadowPad.
„The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access,“ AhnLab Security Intelligence Center (ASEC) said in a report published last week. „They then used PowerCat, an open-source PowerShell-based Netcat utility, to obtain a system shell (CMD). Subsequently, they downloaded and installed ShadowPad using certutil and curl.“
ShadowPad, assessed to be a successor to PlugX, is a modular backdoor widely used by Chinese state-sponsored hacking groups. It first emerged in 2015. In an analysis published in August 2021, SentinelOne called it a „masterpiece of privately sold malware in Chinese espionage.“
Source: The hacker news | hawktrace
Link: https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html
Link: https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
3 SOC Challenges You Need to Solve Before 2026
2026 will mark a pivotal shift in cybersecurity. Threat actors are moving from experimenting with AI to making it their primary weapon, using it to scale attacks, automate reconnaissance, and craft hyper-realistic social engineering campaigns.
Source: The hacker news
Link: https://thehackernews.com/2025/11/3-soc-challenges-you-need-to-solve.html
When Your $2M Security Detection Fails: Can your SOC Save You?
Enterprises today are expected to have at least 6-8 detection tools, as detection is considered a standard investment and the first line of defense. Yet security leaders struggle to justify dedicating resources further down the alert lifecycle to their superiors.
As a result, most organizations’ security investments are asymmetrical: robust detection tools paired with an under-resourced SOC, their last line of defense.
A recent case study demonstrates how companies with a standardized SOC prevented a sophisticated phishing attack that bypassed leading email security tools. In this case study, a cross-company phishing campaign targeted C-suite executives at multiple enterprises. Eight different email security tools across these organizations failed to detect the attack, and phishing emails reached executive inboxes. However, each organization’s SOC team detected the attack immediately after employees reported the suspicious emails.
Source: The hacker news
Link: https://thehackernews.com/2025/11/when-your-2m-security-detection-fails.html
Recent 7-Zip Vulnerability Exploited in Attacks
Threat actors are exploiting a recently patched 7-Zip vulnerability that leads to remote code execution (RCE), NHS England warns.
The bug, tracked as CVE-2025-11001 (CVSS score of 7.0), is described as a file parsing directory traversal issue, and requires user interaction for successful exploitation.
The flaw impacts 7-Zip’s handling of symbolic links in ZIP files, as crafted data could be used to traverse to unintended directories during processing.
“An attacker can leverage this vulnerability to execute code in the context of a service account,” a Trend Micro Zero Day Initiative (ZDI) advisory reads. According to ZDI, attack vectors depend on implementation.
Ryota Shiga of GMO Flatt Security was credited for finding this security defect and an identical vulnerability tracked as CVE-2025-11002.
Source: Securityweek
Link: https://www.securityweek.com/recent-7-zip-vulnerability-exploited-in-attacks/
Four-Step Intelligence Model for Decision Making
The OODA loop is a four-step model used in intelligence for decision making that involves analyzing information and acting on it. In this article, I explain the roots of its history, its applications in combat operations, and how it can be utilized for time-sensitive decision making processes in cybersecurity, including other areas of our lives.
Source: Secjuice
Link: https://www.secjuice.com/time-sensitive-decision-making-with-the-ooda-loop-model/
Threat Newsletter Week 46
Microsoft Fixes 63 Security Flaws, Including a Windows Kernel Zero-Day Under Active Attack
Microsoft on Tuesday released patches for 63 new security vulnerabilities identified in its software, including one that has come under active exploitation in the wild. Of the 63 flaws, four are rated Critical and 59 are rated Important in severity. Twenty-nine of these vulnerabilities are related to privilege escalation, followed by 16 remote code execution, 11 information disclosure, three denial-of-service (DoS), two security feature bypass, and two spoofing bugs.
The patches are in addition to the 27 vulnerabilities the Windows maker addressed in its Chromium-based Edge browser since the release of October 2025’s Patch Tuesday update.
The zero-day vulnerability that has been listed as exploited in Tuesday’s update is CVE-2025-62215 (CVSS score: 7.0), a privilege escalation flaw in Windows Kernel. The Microsoft Threat Intelligence Center (MSTIC) and Microsoft Security Response Center (MSRC) have been credited with discovering and reporting the issue.
„Concurrent execution using shared resource with improper synchronization (‚race condition‘) in Windows Kernel allows an authorized attacker to elevate privileges locally,“ the company said in an advisory.
That said, successful exploitation hinges on an attacker who has already gained a foothold on a system to win a race condition. Once this criterion is satisfied, it could permit the attacker to obtain SYSTEM privileges.
Source: The hacker news / Bleeping computer / Securityweek / CISCO Talos intelligence group / Dark reading / Helpnet security / Infosecurity magazine / SANS internet storm center
Link: https://thehackernews.com/2025/11/microsoft-fixes-63-security-flaws.html
Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2025-patch-tuesday-fixes-1-zero-day-63-flaws/
Link: https://www.securityweek.com/microsoft-patches-actively-exploited-windows-kernel-zero-day/
Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-november-2025/
Link: https://www.darkreading.com/vulnerabilities-threats/patch-now-microsoft-zero-day-critical-zero-click-bugs
Link: https://www.helpnetsecurity.com/2025/11/12/patch-tuesday-microsoft-cve-2025-62215/
Link: https://www.infosecurity-magazine.com/news/microsoft-windows-kernel-zero-day/
Link: https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+for+November+2025/32468/
Amazon Uncovers Attacks Exploiting Cisco ISE and Citrix NetScaler as Zero-Day Flaws
Amazon’s threat intelligence team on Wednesday disclosed that it observed an advanced threat actor exploiting two then-zero-day security flaws in Cisco Identity Service Engine (ISE) and Citrix NetScaler ADC products as part of attacks designed to deliver custom malware.
„This discovery highlights the trend of threat actors focusing on critical identity and network access control infrastructure – the systems enterprises rely on to enforce security policies and manage authentication across their networks,“ CJ Moses, CISO of Amazon Integrated Security, said in a report shared with The Hacker News.
The attacks were flagged by its MadPot honeypot network, with the activity weaponizing the following two vulnerabilities –
- CVE-2025-5777 or Citrix Bleed 2 (CVSS score: 9.3) – An insufficient input validation vulnerability in Citrix NetScaler ADC and Gateway that could be exploited by an attacker to bypass authentication. (Fixed by Citrix in June 2025)
- CVE-2025-20337 (CVSS score: 10.0) – An unauthenticated remote code execution vulnerability in Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could allow a remote attacker to execute arbitrary code on the underlying operating system as root. (Fixed by Cisco in July 2025)
While both shortcomings have come under active exploitation in the wild, the report from Amazon sheds light on the exact nature of the attacks leveraging them.
Source: The hacker news / Securityweek / Dark reading / AWS blog
Link: https://thehackernews.com/2025/11/amazon-uncovers-attacks-exploited-cisco.html
Link: https://www.securityweek.com/cisco-ise-citrixbleed-2-vulnerabilities-exploited-as-zero-days-amazon/
Link: https://www.darkreading.com/vulnerabilities-threats/citrixbleed-2-cisco-zero-day-bugs
Link: https://aws.amazon.com/de/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/
Active Directory Under Siege: Why Critical Infrastructure Needs Stronger Security
Active Directory remains the authentication backbone for over 90% of Fortune 1000 companies. AD’s importance has grown as companies adopt hybrid and cloud infrastructure, but so has its complexity. Every application, user, and device traces back to AD for authentication and authorization, making it the ultimate target. For attackers, it represents the holy grail: compromise Active Directory, and you can access the entire network.
AD serves as the gatekeeper for everything in your enterprise. So, when adversaries compromise AD, they gain privileged access that lets them create accounts, modify permissions, disable security controls, and move laterally, all without triggering most alerts.
The 2024 Change Healthcare breach showed what can happen when AD is compromised. In this attack, hackers exploited a server lacking multifactor authentication, pivoted to AD, escalated privileges, and then executed a highly costly cyberattack. Patient care came to a screeching halt. Health records were exposed. The organization paid millions in ransom.
Once attackers control AD, they control your entire network. And standard security tools often struggle to detect these attacks because they look like legitimate AD operations.
Source: The hacker news
Link: https://thehackernews.com/2025/11/active-directory-under-siege-why.html
Cisco Warns of New Firewall Attack Exploiting CVE-2025-20333 and CVE-2025-20362
Cisco on Wednesday disclosed that it became aware of a new attack variant that’s designed to target devices running Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software releases that are susceptible to CVE-2025-20333 and CVE-2025-20362.
„This attack can cause unpatched devices to unexpectedly reload, leading to denial-of-service (DoS) conditions,“ the company said in an updated advisory, urging customers to apply the updates as soon as possible.
Both vulnerabilities were disclosed in late September 2025, but not before they were exploited as zero-day vulnerabilities in attacks delivering malware such as RayInitiator and LINE VIPER, according to the U.K. National Cyber Security Centre (NCSC).
While successful exploitation of CVE-2025-20333 allows an attacker to execute arbitrary code as root using crafted HTTP requests, CVE-2025-20362 makes it possible to access a restricted URL without authentication.
Source: The hacker news / Bleeping computer
Link: https://thehackernews.com/2025/11/cisco-warns-of-new-firewall-attack.html
Link: https://www.bleepingcomputer.com/news/security/cisa-warns-feds-to-fully-patch-actively-exploited-cisco-flaws/
Link: https://www.bleepingcomputer.com/news/security/cisco-actively-exploited-firewall-flaws-now-abused-for-dos-attacks/
SAP fixes hardcoded credentials flaw in SQL Anywhere Monitor
SAP has released its November security updates that address multiple security vulnerabilities, including a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor and a critical code injection issue in the Solution Manager platform.
The security problem in SQL Anywhere Monitor is tracked as CVE-2025-42890 and consists of hardcoded credentials. Because of the elevated risk, the vulnerability received the maximum severity score of 10.0.
„SQL Anywhere Monitor (Non-GUI) baked credentials into the code, exposing the resources or functionality to unintended users and providing attackers with the possibility of arbitrary code execution,“ reads the description for the flaw.
Depending on how the credentials are used, an attacker who obtains them can use them to access administrative functions. SQL Anywhere Monitor is a database monitoring and alert tool, part of the SQL Anywhere suite, typically used by organizations managing distributed or remote databases.
Source: Bleeping computer / Securityweek / Onapsis SAP security notes
Link: https://www.bleepingcomputer.com/news/security/sap-fixes-hardcoded-credentials-flaw-in-sql-anywhere-monitor/
Link: https://www.securityweek.com/sap-patches-critical-flaws-in-sql-anywhere-monitor-solution-manager/
Link: https://onapsis.com/blog/sap-security-patch-day-november-2025/
Adobe Patches 29 Vulnerabilities
Adobe’s latest round of Patch Tuesday updates addresses 29 vulnerabilities across the company’s InDesign, InCopy, Photoshop, Illustrator, Pass, Substance 3D Stager, and Format Plugins products.
Critical vulnerabilities that can be exploited for arbitrary code execution have been addressed in InDesign, InCopy, Photoshop, Illustrator, Substance 3D Stager, and Format Plugins. A critical security bypass issue has been resolved in Pass. It’s worth noting that Adobe assigns a ‘critical’ severity to issues that, based on their CVSS score, have a ‘high’ severity rating. Adobe says there is no evidence that the vulnerabilities patched this month have been exploited in the wild.
The company has assigned a priority rating of ‘3’ to all of the bugs, which indicates that malicious exploitation is not expected. However, users were warned recently that a critical flaw in Adobe Commerce had been exploited to hack ecommerce websites.
Source: Securityweek
Link: https://www.securityweek.com/adobe-patches-29-vulnerabilities/
ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Rockwell, Aveva, Schneider
Industrial giants Siemens, Schneider Electric, Rockwell Automation, and Aveva have released Patch Tuesday advisories informing customers about vulnerabilities in their ICS/OT products.
Siemens published six new advisories. One of them covers two vulnerabilities in the Comos plant engineering software, including a critical code execution flaw and a high-severity security bypass issue. Vulnerabilities have also been addressed in Siemens Solid Edge (remote MitM, code execution), Altair Grid Engine (code execution), Logo! 8 BM (code execution, DoS, settings tampering), and Sicam P850 (CSRF) products.
Rockwell Automation published five new advisories on November 11, each covering high-severity vulnerabilities found in various products. The company informed customers of its Verve Asset Manager OT security platform that the product is affected by a high-severity access control issue that allows unauthorized read-only users to tamper with other user accounts via an API.
Source: Securityweek
Link: https://www.securityweek.com/ics-patch-tuesday-vulnerabilities-addressed-by-siemens-rockwell-aveva-schneider/
Threat Newsletter Week 45
CISA Flags VMware Zero-Day Exploited by China-Linked Hackers in Active Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Broadcom VMware Tools and VMware Aria Operations to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.
The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), which could be exploited by an attacker to attain root-level privileges on a susceptible system.
„Broadcom VMware Aria Operations and VMware Tools contain a privilege defined with unsafe actions vulnerability,“ CISA said in an alert. „A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM.“
Source: The hacker news / Bleeping Computer / Security Week / Broadcom
Link: https://thehackernews.com/2025/10/cisa-flags-vmware-zero-day-exploited-by.html
Link: https://www.securityweek.com/cisa-adds-exploited-xwiki-vmware-flaws-to-kev-catalog/
Link: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-vmware-tools-flaw-exploited-since-october-2024/
Link: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149
CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premises Microsoft Exchange Server instances from potential exploitation.
„By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyber attacks,“ CISA said.
The agencies said malicious activity aimed at Microsoft Exchange Server continues to take place, with unprotected and misconfigured instances facing the brunt of the attacks. Organizations are advised to decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.
Source: The hacker news / Bleeping Computer / NSA Guidance / SANS internet storm center
Link: https://thehackernews.com/2025/10/cisa-and-nsa-issue-urgent-guidance-to.html
Link: https://www.bleepingcomputer.com/news/security/cisa-and-nsa-share-tips-on-securing-microsoft-exchange-servers/
Link: https://www.nsa.gov/Portals/75/documents/resources/cybersecurity-professionals/CSI_Microsoft_Exchange_Server_Security_Best_Practices.pdf?ver=9mpKKyUrwfpb9b9r4drVMg%3d%3d
Link: https://isc.sans.edu/diary/Scans+for+Port+85308531+TCP+Likely+related+to+WSUS+Vulnerability+CVE202559287/32440
The Evolution of SOC Operations: How Continuous Exposure Management Transforms Security Operations
Security Operations Centers (SOC) today are overwhelmed. Analysts handle thousands of alerts every day, spending much time chasing false positives and adjusting detection rules reactively. SOCs often lack the environmental context and relevant threat intelligence needed to quickly verify which alerts are truly malicious. As a result, analysts spend excessive time manually triaging alerts, the majority of which are classified as benign.
Addressing the root cause of these blind spots and alert fatigue isn’t as simple as implementing more accurate tools. Many of these traditional tools are very accurate, but their fatal flaw is a lack of context and a narrow focus – missing the forest for the trees. Meanwhile, sophisticated attackers exploit exposures invisible to traditional reactive tools, often evading detection using widely-available bypass kits.
While all of these tools are effective in their own right, they often fail because of the reality that attackers don’t employ just one attack technique, exploit just one type of exposure or weaponize a single CVE when breaching an environment. Instead, attackers chain together multiple exposures, utilizing known CVEs where helpful, and employing evasion techniques to move laterally across an environment and accomplish their desired goals. Individually, traditional security tools may detect one or more of these exposures or IoCs, but without the context derived from a deeply integrated continuous exposure management program, it can be nearly impossible for security teams to effectively correlate otherwise seemingly disconnected signals.
Source: The hacker news
Link: https://thehackernews.com/2025/11/the-evolution-of-soc-operations-how.html
Microsoft: Patch for WSUS flaw disabled Windows Server hotpatching
An out-of-band (OOB) security update that patches an actively exploited Windows Server Update Service (WSUS) vulnerability has broken hotpatching on some Windows Server 2025 devices.
KB5070881, the emergency update causing this issue, was released on the same day that several cybersecurity companies confirmed the critical-severity CVE-2025-59287 remote code execution (RCE) flaw was being exploited in the wild. The Netherlands National Cyber Security Centre (NCSC-NL) confirmed the companies’ findings, warning IT admins of the increased risk given that a PoC exploit is already available.
Days later, the Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. government agencies to secure their systems after adding it to its catalog of security flaws that have been abused in attacks. The Shadowserver Internet watchdog group is now tracking over 2,600 WSUS instances with the default ports (8530/8531) exposed online, although it didn’t share how many have already been patched.
Source: Bleeping Computer
Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-patch-for-wsus-flaw-disabled-windows-server-hotpatching/
Microsoft: October Windows updates trigger BitLocker recovery
Microsoft has warned that some systems may boot into BitLocker recovery after installing the October 2025 Windows security updates.
BitLocker is a Windows security feature that encrypts storage drives to block data theft attempts. Windows computers typically enter BitLocker recovery mode after hardware changes or Trusted Platform Module (TPM) updates to regain access to protected drives.
According to a service alert seen by BleepingComputer, Microsoft stated that the bug primarily impacts Intel devices with support for Connected Standby (now known as Modern Standby), which enables the PC to remain connected to the network while in low-power mode.
Source: Bleeping Computer
Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-october-windows-updates-trigger-bitlocker-recovery/
Threat Newsletter Week 43-44
Newly Patched Critical Microsoft WSUS Flaw Comes Under Active Exploitation
Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability for which a proof-of-concept (PoC) exploit is publicly available and which has come under active exploitation in the wild.
The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week.
Three security researchers, MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH, have been acknowledged for discovering and reporting the bug.
Source: The hacker news / Bleeping computer / Securityweek / Dark reading / Microsoft security advisory / Hawktrace security
Link: https://thehackernews.com/2025/10/microsoft-issues-emergency-patch-for.html
Link: https://www.bleepingcomputer.com/news/security/hackers-now-exploiting-critical-windows-server-wsus-flaw-in-attacks/
Link: https://www.securityweek.com/critical-windows-server-wsus-vulnerability-exploited-in-the-wild/
Link: https://www.darkreading.com/vulnerabilities-threats/microsoft-emergency-patch-windows-server-bug
Link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
Link: https://hawktrace.com/blog/CVE-2025-59287
Chrome Zero-Day Exploited to Deliver Italian Memento Labs’ LeetAgent Spyware
The zero-day exploitation of a now-patched security flaw in Google Chrome led to the distribution of an espionage-related tool from Italian information technology and services provider Memento Labs, according to new findings from Kaspersky.
The vulnerability in question is CVE-2025-2783 (CVSS score: 8.3), a case of sandbox escape which the company disclosed in March 2025 as having come under active exploitation as part of a campaign dubbed Operation ForumTroll targeting organizations in Russia. The cluster is also tracked as TaxOff/Team 46 by Positive Technologies and Prosperous Werewolf by BI.ZONE. It’s known to be active since at least February 2024.
Source: The hacker news / Bleeping computer / Securityweek / Helpnet security / Infosecurity magazine
Link: https://thehackernews.com/2025/10/chrome-zero-day-exploited-to-deliver.html
Link: https://www.bleepingcomputer.com/news/security/italian-spyware-vendor-linked-to-chrome-zero-day-attacks/
Link: https://www.securityweek.com/chrome-zero-day-exploitation-linked-to-hacking-team-spyware/
Link: https://www.helpnetsecurity.com/2025/10/28/dante-spyware-chrome-zero-day/
Link: https://www.infosecurity-magazine.com/news/chrome-zero-day-flaw-exploited/
PoC code drops for remotely exploitable BIND 9 DNS flaw (CVE-2025-40778)
A high-severity vulnerability (CVE-2025-40778) affecting BIND 9 DNS resolvers could be leveraged by remote, unauthenticated attackers to manipulate DNS entries via cache poisoning, allowing them to redirect Internet traffic to potentially malicious sites, distribute malware, or intercept network traffic.
While attackers have yet to be spotted exploiting the flaw, a proof-of-concept (PoC) exploit code has been published, making it critical for administrators to patch internet-facing resolvers.
Source: Helpnet security / GitHub
Link: https://www.helpnetsecurity.com/2025/10/28/bind-9-vulnerability-cve-2025-40778-poc/
Link: https://gist.github.com/N3mes1s/f76b4a606308937b0806a5256bc1f918
Why Early Threat Detection Is a Must for Long-Term Business Growth
In cybersecurity, speed isn’t just a win — it’s a multiplier. The faster you learn about emerging threats, the faster you adapt your defenses, the less damage you suffer, and the more confidently your business keeps scaling. Early threat detection isn’t about preventing a breach someday: it’s about protecting the revenue you’re supposed to earn every day.
Companies that treat cybersecurity as a reactive cost center usually find themselves patching holes, paying ransoms, and dealing with downtime. Companies that invest in proactive visibility, threat intelligence, and early detection mechanisms stay in the game longer, with trust, uptime, and innovation intact.
Source: The hacker news
Link: https://thehackernews.com/2025/10/why-early-threat-detection-is-must-for.html
Visibility Gaps: Streamlining Patching and Vulnerability Remediation
For years, patch management has been one of the least glamorous yet most consequential aspects of IT operations. Vulnerabilities emerge daily, and while most administrators know the importance of timely updates, the actual implementation is rarely straightforward.
Between managing complex environments, balancing uptime requirements, and coordinating across distributed endpoints, many organizations end up with blind spots that quietly expand into risk exposure.
Source: Bleeping computer
Link: https://www.bleepingcomputer.com/news/security/visibility-gaps-streamlining-patching-and-vulnerability-remediation/
Cybersecurity on a budget: Strategies for an economic downturn
During economic uncertainty, businesses face the challenge of maintaining strong cybersecurity while managing tightened budgets. Cyber threats can become more numerous, motivated, and persistent during economic downturns, making the need for resilient, cost-effective security measures critical. This blog shares practical strategies to help absorb budget cuts while minimizing the damage to an organization’s cybersecurity posture.
Source: CISCO Talos intelligence group
Link: https://blog.talosintelligence.com/cybersecurity-on-a-budget-strategies-for-an-economic-downturn/
MITRE Unveils ATT&CK v18 With Updates to Detections, Mobile, ICS
MITRE announced on Tuesday that its ATT&CK framework has been updated to version 18, with significant changes in several sections. The organization said the October 2025 update of ATT&CK, the widely used knowledge base of adversary tactics and techniques, brings improvements in terms of techniques, groups, campaigns, and software.
The federally funded research and development center said the biggest modifications compared to ATT&CK v17 are related to the defensive content of ATT&CK.
Specifically, two new objects have been added to detections: Detection Strategies, which defines high-level approaches for detecting specific attacker techniques, and Analytics, which provides platform-specific threat detection logic.
Source: Securityweek / MITRE ATT&CK
Link: https://www.securityweek.com/mitre-unveils-attck-v18-with-updates-to-detections-mobile-ics/
Link: https://attack.mitre.org/
Threat Newsletter Week 41-42
Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped
Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program.
Of the 183 vulnerabilities, eight of them are non-Microsoft issued CVEs. As many as 165 flaws have been rated as Important in severity, followed by 17 as Critical and one as Moderate. The vast majority of them relate to elevation of privilege vulnerabilities (84), with remote code execution (33), information disclosure (28), spoofing (14), denial-of-service (11), and security feature bypass (11) issues accounting for the rest.
The updates are in addition to the 25 vulnerabilities Microsoft addressed in its Chromium-based Edge browser since the release of September 2025’s Patch Tuesday update.
The two Windows zero-days that have come under active exploitation are as follows –
- CVE-2025-24990 (CVSS score: 7.8) – Windows Agere Modem Driver („ltmdm64.sys“) Elevation of Privilege Vulnerability
- CVE-2025-59230 (CVSS score: 7.8) – Windows Remote Access Connection Manager (RasMan) Elevation of Privilege Vulnerability
Microsoft said both issues could allow attackers to execute code with elevated privileges, although there are currently no indications on how they are being exploited and how widespread these efforts may be. In the case of CVE-2025-24990, the company said it’s planning to remove the driver entirely, rather than issue a patch for a legacy third-party component.
Source: The hacker news / Bleeping computer / CISCO Talos intelligence group / Dark reading / Securityweek / SANS internet storm center / Krebs on security
Link: https://thehackernews.com/2025/10/two-new-windows-zero-days-exploited-in.html
Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2025-patch-tuesday-fixes-6-zero-days-172-flaws/
Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-for-october-2025-snort-rules-and-prominent-vulnerabilities/
Link: https://www.darkreading.com/vulnerabilities-threats/microsoft-october-patch-update
Link: https://www.securityweek.com/microsoft-patches-173-vulnerabilities-including-exploited-windows-flaws/
Link: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20October%202025/32368
Link: https://krebsonsecurity.com/2025/10/patch-tuesday-october-2025-end-of-10-edition/
New Oracle E-Business Suite Bug Could Let Hackers Access Data Without Login
Oracle on Saturday issued a security alert warning of a fresh security flaw impacting its E-Business Suite that it said could allow unauthorized access to sensitive data.
The vulnerability, tracked as CVE-2025-61884, carries a CVSS score of 7.5, indicating high severity. It affects versions from 12.2.3 through 12.2.14.
„Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator,“ according to a description of the flaw in the NIST’s National Vulnerability Database (NVD). „Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.“
In a standalone alert, Oracle said the flaw is remotely exploitable without requiring any authentication, making it crucial that users apply the update as soon as possible. The company, however, makes no mention of it being exploited in the wild.
Oracle’s Chief Security Officer, Rob Duhart, pointed out that the vulnerability affects „some deployments“ of E-Business Suite and that it could be weaponized to allow access to sensitive resources.
The development comes shortly after Google Threat Intelligence Group (GTIG) and Mandiant disclosed that dozens of organizations may have been impacted following the zero-day exploitation of CVE-2025-61882 in Oracle’s E-Business Suite (EBS) software.
Source: The hacker news / Bleeping computer / Securityweek / Oracle security alert advisory
Link: https://thehackernews.com/2025/10/new-oracle-e-business-suite-bug-could.html
Link: https://www.bleepingcomputer.com/news/security/cisa-confirms-hackers-exploited-oracle-e-business-suite-ssrf-flaw/
Link: https://www.bleepingcomputer.com/news/security/oracle-silently-fixes-zero-day-exploit-leaked-by-shinyhunters/
Link: https://www.securityweek.com/cisa-confirms-exploitation-of-latest-oracle-ebs-vulnerability/
Link: https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Adobe Experience Manager to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability in question is CVE-2025-54253 (CVSS score: 10.0), a maximum-severity misconfiguration bug that could result in arbitrary code execution.
According to Adobe, the shortcoming impacts Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier. It was addressed in version 6.5.0-0108 released early August 2025, alongside CVE-2025-54254 (CVSS score: 8.6).
Details of the two vulnerabilities were disclosed by Searchlight Cyber researchers Adam Kues and Shubham Shah in July 2025, describing CVE-2025-54253 as an „authentication bypass to [remote code execution] chain via Struts2 devmode“ and CVE-2025-54254 as an XML external entity (XXE) injection within AEM Forms web services.
Source: The hacker news
Link: https://thehackernews.com/2025/10/cisa-flags-adobe-aem-flaw-with-perfect.html
Link: https://www.bleepingcomputer.com/news/security/cisa-maximum-severity-adobe-flaw-now-exploited-in-attacks/
TP-Link Patches Four Omada Gateway Flaws, Two Allow Remote Code Execution
TP-Link has released security updates to address four security flaws impacting Omada gateway devices, including two critical bugs that could result in arbitrary code execution.
The vulnerabilities in question are listed below –
- CVE-2025-6541 (CVSS score: 8.6) – An operating system command injection vulnerability that could be exploited by an attacker who can log in to the web management interface to run arbitrary commands
- CVE-2025-6542 (CVSS score: 9.3) – An operating system command injection vulnerability that could be exploited by a remote unauthenticated attacker to run arbitrary commands
- CVE-2025-7850 (CVSS score: 9.3) – An operating system command injection vulnerability that could be exploited by an attacker in possession of an administrator password of the web portal to run arbitrary commands
- CVE-2025-7851 (CVSS score: 8.7) – An improper privilege management vulnerability that could be exploited by an attacker to obtain the root shell on the underlying operating system under restricted conditions
„Attackers may execute arbitrary commands on the device’s underlying operating system,“ TP-Link said in an advisory released Tuesday.
Source: The hacker news / Bleeping computer
Link: https://thehackernews.com/2025/10/tp-link-patches-four-omada-gateway.html
Link: https://www.bleepingcomputer.com/news/security/tp-link-warns-of-critical-command-injection-flaw-in-omada-gateways/
New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login
SAP has rolled out security fixes for 13 new security issues, including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution.
The vulnerability, tracked as CVE-2025-42944, carries a CVSS score of 10.0. It has been described as a case of insecure deserialization.
„Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting a malicious payload to an open port,“ according to a description of the flaw on CVE.org.
„The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application’s confidentiality, integrity, and availability.“
While the vulnerability was first addressed by SAP last month, security company Onapsis said the latest fix provides extra safeguards to secure against the risk posed by deserialization.
Source: The hacker news / Securityweek / SAP security note / Onapsis SAP security notes
Link: https://thehackernews.com/2025/10/new-sap-netweaver-bug-lets-attackers.html
Link: https://www.securityweek.com/sap-patches-critical-vulnerabilities-in-netweaver-print-service-srm/
Link: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2025.html
Link: https://onapsis.com/blog/sap-security-patch-day-october-2025/
Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers
A new malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased „operations tempo“ from the threat actor.
The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew has rapidly refined and retooled its malware arsenal merely five days following the publication of its LOSTKEYS malware around the same time.
While it’s currently not known for how long the new malware families have been under development, the tech giant’s threat intelligence team said it has not observed a single instance of LOSTKEYS since disclosure.
The new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is „a collection of related malware families connected via a delivery chain,“ GTIG researcher Wesley Shields said in a Monday analysis.
Source: The hacker news / Bleeping computer / Securityweek / Google Threat Intelligence Group
Link: https://thehackernews.com/2025/10/google-identifies-three-new-russian.html
Link: https://www.bleepingcomputer.com/news/security/russian-hackers-evolve-malware-pushed-in-i-am-not-a-robot-clickfix-attacks/
Link: https://www.securityweek.com/russian-apt-switches-to-new-backdoor-after-malware-exposed-by-researchers/
Link: https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver/?hl=en
Hackers exploit Cisco SNMP flaw to deploy rootkit on switches
Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy a rootkit and target unprotected Linux systems.
The security issue leveraged in the attacks affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE and leads to RCE if the attacker has root privileges.
According to cybersecurity company Trend Micro, the attacks exploited the flaw in Cisco 9400, 9300, and legacy 3750G series devices and deployed rootkits on „older Linux systems that do not have endpoint detection response solutions.“
In the original bulletin for CVE-2025-20352, updated on October 6, Cisco tagged the vulnerability as exploited as a zero day, with the company’s Product Security Incident Response Team (PSIRT) saying it was „aware of successful exploitation.“
Trend Micro researchers track the attacks under the name ‚Operation Zero Disco‘ because the malware sets a universal access password that contains the word „disco.“
Source: Bleeping computer / The hacker news / Securityweek / Trendmicro Research / CISCO security advisory
Link: https://www.bleepingcomputer.com/news/security/hackers-exploit-cisco-snmp-flaw-to-deploy-rootkit-on-switches/
Link: https://thehackernews.com/2025/10/hackers-deploy-linux-rootkits-via-cisco.html
Link: https://www.securityweek.com/cisco-routers-hacked-for-rootkit-deployment/
Link: https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html
Link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte
The OSINT Intelligence Cycle
Many newcomers to open source intelligence immediately gravitate towards the tools and become reliant on them rather quickly. This becomes problematic when the tools break, become deprecated, or otherwise unavailable. While automation, collection assistance, and visualization tools can help immensely in an investigation, they cannot analyze the work and do your job for you.
One of my most repeated bits of advice for those new to OSINT or those wishing to improve their current OSINT skills is to go back to the basics, namely the intelligence cycle. This series of articles aims to reframe each phase of the intelligence cycle to show specifically how I apply it during one of my OSINT investigations.
Source: Secjuice
Link: https://www.secjuice.com/osint-intelligence-cycle-part-i-planning-and-direction/
Link: https://www.secjuice.com/osint-intelligence-cycle-part-ii-collection/
Link: https://www.secjuice.com/osint-intelligence-cycle-part-iii-processing-raw-intelligence/
Link: https://www.secjuice.com/osint-the-intelligence-cycle-part-iv-processing-raw-intelligence/
Link: https://www.secjuice.com/osint-intelligence-cycle-part-v-dissemination/
Oracle Releases October 2025 Patches
Oracle on Tuesday released 374 new security patches as part of its October 2025 Critical Patch Update (CPU), including over 230 fixes for vulnerabilities that are remotely exploitable without authentication.
There appear to be roughly 260 unique CVEs in Oracle’s October 2025 CPU advisory, including a dozen critical-severity flaws.
The October CPU was rolled out roughly a week after Oracle released patches for an E-Business Suite defect allowing access to sensitive data, and two weeks after the company warned of a zero-day in the product that was exploited by an extortion group.
This month, Oracle Communications received the largest number of security patches, at 73, including 47 for vulnerabilities that can be exploited by remote, unauthenticated attackers.
Oracle rolled out 64 new security patches for Communications Applications, including 46 for remotely exploitable flaws, and 33 new security patches for Financial Services Applications, 29 of which address remotely exploitable, unauthenticated bugs.
Source: Securityweek
Link: https://www.securityweek.com/oracle-releases-october-2025-patches/
Threat Newsletter Week 39-40
Urgent: China-Linked Hackers Exploit New VMware Zero-Day Since October 2024
A newly patched security flaw impacting Broadcom VMware Tools and VMware Aria Operations has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor called UNC5174, according to NVISO Labs.
The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), a local privilege escalation bug affecting the following versions –
- VMware Cloud Foundation 4.x and 5.x
- VMware Cloud Foundation 9.x.x.x
- VMware Cloud Foundation 13.x.x.x (Windows, Linux)
- VMware vSphere Foundation 9.x.x.x
- VMware vSphere Foundation 13.x.x.x (Windows, Linux)
- VMware Aria Operations 8.x
- VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux)
- VMware Telco Cloud Platform 4.x and 5.x
- VMware Telco Cloud Infrastructure 2.x and 3.x
„A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM,“ VMware said in an advisory released Monday.
Source: The hacker news / Bleeping computer / Securityweek / Dark reading
Link: https://thehackernews.com/2025/09/urgent-china-linked-hackers-exploit-new.html
Link: https://www.bleepingcomputer.com/news/security/chinese-hackers-exploiting-vmware-zero-day-since-october-2024/
Link: https://www.securityweek.com/broadcom-fails-to-disclose-zero-day-exploitation-of-vmware-vulnerability/
Link: https://www.securityweek.com/high-severity-vulnerabilities-patched-in-vmware-aria-operations-nsx-vcenter/
Link: https://www.darkreading.com/remote-workforce/china-exploited-new-vmware-bug-nearly
CISA Sounds Alarm on Critical Sudo Flaw Actively Exploited in Linux and Unix Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a critical security flaw impacting the Sudo command-line utility for Linux and Unix-like operating systems to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The vulnerability in question is CVE-2025-32463 (CVSS score: 9.3), which affects Sudo versions prior to 1.9.17p1. It was disclosed by Stratascale researcher Rich Mirch back in July 2025.
„Sudo contains an inclusion of functionality from an untrusted control sphere vulnerability,“ CISA said. „This vulnerability could allow a local attacker to leverage sudo’s -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.“
Source: The hacker news / Bleeping computer
Link: https://thehackernews.com/2025/09/cisa-sounds-alarm-on-critical-sudo-flaw.html
Link: https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-linux-sudo-flaw-exploited-in-attacks/
Fortra GoAnywhere CVSS 10 Flaw Exploited as 0-Day a Week Before Public Disclosure
Cybersecurity company watchTowr Labs has disclosed that it has „credible evidence“ of active exploitation of the recently disclosed security flaw in Fortra GoAnywhere Managed File Transfer (MFT) software as early as September 10, 2025, a whole week before it was publicly disclosed.
„This is not ‚just‘ a CVSS 10.0 flaw in a solution long favored by APT groups and ransomware operators – it is a vulnerability that has been actively exploited in the wild since at least September 10, 2025,“ Benjamin Harris, CEO and Founder of watchTowr, told The Hacker News.
The vulnerability in question is CVE-2025-10035, which has been described as a deserialization vulnerability in the License Servlet that could result in command injection without authentication. Fortra GoAnywhere version 7.8.4, or the Sustain Release 7.6.3, was released by Fortra last week to remediate the problem.
Source: The hacker news / Bleeping computer / Securityweek / Dark reading / Watchtower blog
Link: https://thehackernews.com/2025/09/fortra-goanywhere-cvss-10-flaw.html
Link: https://www.bleepingcomputer.com/news/security/maximum-severity-goanywhere-mft-flaw-exploited-as-zero-day/
Link: https://www.securityweek.com/recent-fortra-goanywhere-mft-vulnerability-exploited-as-zero-day/
Link: https://www.darkreading.com/cyberattacks-data-breaches/patch-fortra-goanywhere-bug-command-injection
Link: https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/
Urgent: Cisco ASA Zero-Day Duo Under Attack; CISA Triggers Emergency Mitigation Directive
Cisco is urging customers to patch two security flaws impacting the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software, which it said have been exploited in the wild.
The zero-day vulnerabilities in question are listed below –
- CVE-2025-20333 (CVSS score: 9.9) – An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an authenticated, remote attacker with valid VPN user credentials to execute arbitrary code as root on an affected device by sending crafted HTTP requests
- CVE-2025-20362 (CVSS score: 6.5) – An improper validation of user-supplied input in HTTP(S) requests vulnerability that could allow an unauthenticated, remote attacker to access restricted URL endpoints without authentication by sending crafted HTTP requests
Cisco said it’s aware of „attempted exploitation“ of both vulnerabilities, but did not reveal who may be behind it, or how widespread the attacks are. It’s suspected that the two vulnerabilities are being chained to bypass authentication and execute malicious code on susceptible appliances.
Source: The hacker news / Bleeping computer / Dark reading / CISCO Talos intelligence group / Helpnet security / CISCO security event response
Link: https://thehackernews.com/2025/09/urgent-cisco-asa-zero-day-duo-under.html
Link: https://www.bleepingcomputer.com/news/security/nearly-50-000-cisco-firewalls-vulnerable-to-actively-exploited-flaws/
Link: https://www.bleepingcomputer.com/news/security/cisco-warns-of-asa-firewall-zero-days-exploited-in-attacks/
Link: https://www.darkreading.com/vulnerabilities-threats/cisco-actively-exploited-zero-day-bugs-firewalls-ios
Link: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/
Link: https://www.helpnetsecurity.com/2025/10/01/too-many-cisco-asa-firewalls-still-unsecure-despite-zero-day-attack-alerts/
Link: https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks
Cisco ASA Firewall Zero-Day Exploits Deploy RayInitiator and LINE VIPER Malware
The U.K. National Cyber Security Centre (NCSC) has revealed that threat actors have exploited the recently disclosed security flaws impacting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families like RayInitiator and LINE VIPER.
„The RayInitiator and LINE VIPER malware represent a significant evolution on that used in the previous campaign, both in sophistication and its ability to evade detection,“ the agency said.
Cisco on Thursday revealed that it began investigating attacks on multiple government agencies linked to the state-sponsored campaign in May 2025 that targeted Adaptive Security Appliance (ASA) 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data from the compromised devices.
An in-depth analysis of firmware extracted from the infected devices running Cisco Secure Firewall ASA Software with VPN web services enabled ultimately led to the discovery of a memory corruption bug in the product software, it added.
„Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,“ the company said.
Source: The hacker news / Securityweek
Link: https://thehackernews.com/2025/09/cisco-asa-firewall-zero-day-exploits.html
Link: https://www.securityweek.com/cisco-firewall-zero-days-exploited-in-china-linked-arcanedoor-attacks/
SolarWinds Releases Hotfix for Critical CVE-2025-26399 Remote Code Execution Flaw
SolarWinds has released hot fixes to address a critical security flaw impacting its Web Help Desk software that, if successfully exploited, could allow attackers to execute arbitrary commands on susceptible systems.
The vulnerability, tracked as CVE-2025-26399 (CVSS score: 9.8), has been described as an instance of deserialization of untrusted data that could result in code execution. It affects SolarWinds Web Help Desk 12.8.7 and all previous versions.
„SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine,“ SolarWinds said in an advisory released on September 17, 2025.
Source: The hacker news / Bleeping computer / Securityweek
Link: https://thehackernews.com/2025/09/solarwinds-releases-hotfix-for-critical.html
Link: https://www.bleepingcomputer.com/news/security/solarwinds-releases-third-patch-to-fix-web-help-desk-rce-bug/
Link: https://www.securityweek.com/solarwinds-makes-third-attempt-at-patching-exploited-vulnerability/
Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack
Cloudflare has mitigated a distributed denial-of-service (DDoS) attack that peaked at a record-breaking 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps).
DDoS attacks typically exhaust either system or network resources, aiming to make services slow or unavailable to legitimate users.
Record-breaking DDoS attacks are becoming more frequent, as just three weeks ago, Cloudflare disclosed that it mitigated a massive 11.5 Tbps and 5.1 Bpps attack, the largest publicly announced at the time.
Two months before that, the company dealt with another record attack that peaked at 7.3 Tbps. In April, the internet giant warned that it was dealing with a record number of DDoS attacks this year.
The latest DDoS incident, also volumetric, lasted 40 seconds and is by far the largest ever mitigated.
Source: Bleeping computer
Link: https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-new-record-breaking-222-tbps-ddos-attack/
Threat Newsletter Week 37-38
Microsoft Fixes 80 Flaws — Including SMB PrivEsc and Azure CVSS 10.0 Bugs
Microsoft on Tuesday addressed a set of 80 security flaws in its software, including one vulnerability that has been disclosed as publicly known at the time of release.
Of the 80 vulnerabilities, eight are rated Critical and 72 are rated Important in severity. None of the shortcomings has been exploited in the wild as a zero-day. Like last month, 38 of the disclosed flaws are related to privilege escalation, followed by remote code execution (22), information disclosure (14), and denial-of-service (3).
„For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws,“ Satnam Narang, senior staff research engineer at Tenable, said. „Nearly 50% (47.5%) of all bugs this month are privilege escalation vulnerabilities.“
The patches are in addition to 12 vulnerabilities addressed in Microsoft’s Chromium-based Edge browser since the release of August 2025’s Patch Tuesday update, including a security bypass bug (CVE-2025-53791, CVSS score: 4.7) that has been patched in version 140.0.3485.54 of the browser.
The vulnerability that has been flagged as publicly known is CVE-2025-55234 (CVSS score: 8.8), a case of privilege escalation in Windows SMB.
„SMB Server might be susceptible to relay attacks depending on the configuration,“ Microsoft said. „An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks.“
Source: The hacker news / Bleeping computer / Krebs on security / Securityweek / CISCO Talos intelligence group / SANS internet storm center
Link: https://thehackernews.com/2025/09/microsoft-fixes-80-flaws-including-smb.html
Link: https://www.bleepingcomputer.com/news/microsoft/microsoft-september-2025-patch-tuesday-fixes-81-flaws-two-zero-days/
Link: https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/
Link: https://www.securityweek.com/microsoft-patches-86-vulnerabilities/
Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-september-2025/
Link: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20September%202025/32270
Samsung Fixes Critical Zero-Day CVE-2025-21043 Exploited in Android Attacks
Samsung has released its monthly security updates for Android, including a fix for a security vulnerability that it said has been exploited in zero-day attacks.
The vulnerability, CVE-2025-21043 (CVSS score: 8.8), concerns an out-of-bounds write that could result in arbitrary code execution.
„Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code,“ Samsung said in an advisory. „The patch fixed the incorrect implementation.“ According to a 2020 report from Google Project Zero, libimagecodec.quram.so is a closed-source image parsing library developed by Quramsoft that implements support for various image formats.
The critical-rated issue, per the South Korean electronics giant, affects Android versions 13, 14, 15, and 16. The vulnerability was privately disclosed to the company on August 13, 2025.
Source: The hacker news / Bleeping computer / Securityweek
Link: https://thehackernews.com/2025/09/samsung-fixes-critical-zero-day-cve.html
Link: https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exploited-zero-day-reported-by-whatsapp/
Link: https://www.securityweek.com/samsung-patches-zero-day-exploited-against-android-users/
Apple Backports Fix for CVE-2025-43300 Exploited in Sophisticated Spyware Attack
Apple on Monday backported fixes for a recently patched security flaw that has been actively exploited in the wild.
The vulnerability in question is CVE-2025-43300 (CVSS score: 8.8), an out-of-bounds write issue in the ImageIO component that could result in memory corruption when processing a malicious image file.
„Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,“ the company said.
Since then, WhatsApp has acknowledged that a vulnerability in its messaging apps for Apple iOS and macOS (CVE-2025-55177, CVSS score: 5.4) had been chained with CVE-2025-43300 as part of highly-targeted spyware attacks aimed at less than 200 individuals.
While the shortcoming was first addressed by the iPhone maker late last month with the release of iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Ventura 13.7.8, macOS Sonoma 14.7.8, and macOS Sequoia 15.6.1, it has also been released for the following older versions –
- iOS 16.7.12 and iPadOS 16.7.12 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
- iOS 15.8.5 and iPadOS 15.8.5 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
The updates have been rolled out alongside iOS 26, iPadOS 26, iOS 18.7, iPadOS 18.7, macOS Tahoe 26, macOS Sequoia 15.7, macOS Sonoma 14.8, tvOS 26, visionOS 26, watchOS 26, Safari 26, and Xcode 26, which also address a number of other security flaws.
Source: The hacker news / Bleeping computer / Securityweek
Link: https://thehackernews.com/2025/09/apple-backports-fix-for-cve-2025-43300.html
Link: https://www.bleepingcomputer.com/news/security/apple-backports-zero-day-patches-to-older-iphones-and-ipads/
Link: https://www.securityweek.com/apple-rolls-out-ios-26-macos-tahoe-26-with-patches-for-over-50-vulnerabilities/
Chaos Mesh Critical GraphQL Flaws Enable RCE and Full Kubernetes Cluster Takeover
Cybersecurity researchers have disclosed multiple critical security vulnerabilities in Chaos Mesh that, if successfully exploited, could lead to cluster takeover in Kubernetes environments.
„Attackers need only minimal in-cluster network access to exploit these vulnerabilities, execute the platform’s fault injections (such as shutting down pods or disrupting network communications), and perform further malicious actions, including stealing privileged service account tokens,“ JFrog said in a report shared with The Hacker News.
Chaos Mesh is an open-source cloud-native Chaos Engineering platform that offers various types of fault injection to reproduce abnormalities (pod kills, network disruption, I/O faults and similar) that might occur during the software development lifecycle.
The issues, collectively called Chaotic Deputy, are listed below –
- CVE-2025-59358 (CVSS score: 7.5) – The Chaos Controller Manager in Chaos Mesh exposes a GraphQL debugging server without authentication to the entire Kubernetes cluster, which provides an API to kill arbitrary processes in any Kubernetes pod, leading to cluster-wide denial-of-service
- CVE-2025-59359 (CVSS score: 9.8) – The cleanTcs mutation in Chaos Controller Manager is vulnerable to operating system command injection
- CVE-2025-59360 (CVSS score: 9.8) – The killProcesses mutation in Chaos Controller Manager is vulnerable to operating system command injection
- CVE-2025-59361 (CVSS score: 9.8) – The cleanIptables mutation in Chaos Controller Manager is vulnerable to operating system command injection
An in-cluster attacker, i.e., a threat actor with initial access to the cluster’s network, could chain CVE-2025-59358 (the unauthenticated GraphQL debugging server) with any of CVE-2025-59359, CVE-2025-59360, or CVE-2025-59361 (the command-injectable mutations) to achieve remote code execution across the cluster, even in the default configuration of Chaos Mesh.
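The practical first step for a defender is to find out whether any chaos-controller-manager in the cluster is still on a pre-fix release. The script below is an added example, not code from Chaos Mesh or from JFrog: it reads `kubectl get pods -A -o json` output, extracts the version tag from any container running the controller-manager image, and flags versions older than the fixed release. Two details are assumptions and labelled as such in the code: that the controller manager ships as the `chaos-mesh/chaos-mesh` image, and that 2.7.3 is the first fixed release; confirm both against the vendor advisory before relying on the result. The embedded pod list is constructed sample input so the script runs offline.

```python
"""Audit Kubernetes pod data for Chaos Mesh controller-manager images that
predate the Chaotic Deputy fixes (CVE-2025-59358..59361).

Added example for this newsletter; not Chaos Mesh or JFrog code.
Usage: kubectl get pods -A -o json | python chaosmesh_audit.py
With no piped input, the constructed SAMPLE_PODS below is audited instead.
"""
import json
import re
import sys

# ASSUMPTION: first release containing the fixes. Confirm against the advisory.
FIXED_VERSION = (2, 7, 3)

# ASSUMPTION: the controller manager runs the chaos-mesh/chaos-mesh image,
# tagged vMAJOR.MINOR.PATCH (registry prefix optional).
IMAGE_RE = re.compile(r"\bchaos-mesh/chaos-mesh:v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE_PODS = json.dumps({
    "items": [
        {"metadata": {"namespace": "chaos-mesh", "name": "chaos-controller-manager-7c9d"},
         "spec": {"containers": [
             {"name": "chaos-mesh", "image": "ghcr.io/chaos-mesh/chaos-mesh:v2.7.2"}]}},
        {"metadata": {"namespace": "chaos-staging", "name": "chaos-controller-manager-a1b2"},
         "spec": {"containers": [
             {"name": "chaos-mesh", "image": "ghcr.io/chaos-mesh/chaos-mesh:v2.7.3"}]}},
        {"metadata": {"namespace": "web", "name": "frontend-5f6g"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx:1.27"}]}},
    ]
})


def parse_version(image):
    """Return (major, minor, patch) for a controller-manager image, else None."""
    m = IMAGE_RE.search(image)
    return tuple(int(x) for x in m.groups()) if m else None


def audit_pods(pod_list_json):
    """Return one finding per controller-manager container found in the pod list.

    Each finding carries namespace, pod, image, parsed version and a
    'vulnerable' flag that is True when the version is below FIXED_VERSION.
    """
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        for container in pod.get("spec", {}).get("containers", []):
            image = container.get("image", "")
            version = parse_version(image)
            if version is None:
                continue  # not a controller-manager container
            findings.append({
                "namespace": meta.get("namespace", ""),
                "pod": meta.get("name", ""),
                "image": image,
                "version": "v%d.%d.%d" % version,
                "vulnerable": version < FIXED_VERSION,
            })
    return findings


def vulnerable_pods(pod_list_json):
    """Convenience wrapper: just the findings that need patching."""
    return [f for f in audit_pods(pod_list_json) if f["vulnerable"]]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODS
    for f in audit_pods(data):
        status = "VULNERABLE (upgrade)" if f["vulnerable"] else "patched"
        print(f"{f['namespace']}/{f['pod']}: {f['version']} -> {status}")
```

A version match is necessary but not sufficient: the issue is reachable from any pod that can open a connection to the controller manager, so pair the upgrade with a NetworkPolicy that restricts ingress to that pod and with a review of which service accounts in the cluster hold tokens worth stealing.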
Source: The hacker news
Link: https://thehackernews.com/2025/09/chaos-mesh-critical-graphql-flaws.html
Critical SAP S/4HANA Vulnerability Under Attack, Patch Now
A critical code injection vulnerability in SAP’s S/4HANA ERP software that was first disclosed last month is now under exploitation in the wild.
SAP previously disclosed and patched CVE-2025-42957, which affects both private cloud and on-premise S/4HANA instances. The flaw, which received a 9.9 CVSS score, allows attackers with low-privileged user access to inject arbitrary ABAP code into a system and fully compromise it. The vulnerability was discovered and reported to the software maker by SecurityBridge, an SAP-focused security firm based in Germany.
In a blog post Thursday, SecurityBridge said it discovered an exploit for CVE-2025-42957 and confirmed it has been used in the wild. „While widespread exploitation has not yet been reported, SecurityBridge has verified actual abuse of this vulnerability,“ the blog post said. „That means attackers already know how to use it – leaving unpatched SAP systems exposed.“
SecurityBridge added that SAP’s patch for CVE-2025-42957 is „relatively easy“ to reverse engineer, and that successful exploitation gives attackers access to the operating system and all data in the targeted SAP system. Joris Van De Vis, director of research at SecurityBridge, said the scope and scale of the exploitation activity is „limited“ and that, to the company’s knowledge, there is no public proof-of-concept exploit for the vulnerability.
Source: Dark reading
Link: https://www.darkreading.com/vulnerabilities-threats/sap-4hana-vulnerability-under-attack