Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped
Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program.
Of the 183 vulnerabilities, eight are non-Microsoft-issued CVEs. As many as 165 flaws have been rated Important in severity, followed by 17 rated Critical and one Moderate. The vast majority are elevation of privilege vulnerabilities (84), with remote code execution (33), information disclosure (28), spoofing (14), denial-of-service (11), and security feature bypass (11) issues accounting for the rest.
The updates are in addition to the 25 vulnerabilities Microsoft addressed in its Chromium-based Edge browser since the release of September 2025’s Patch Tuesday update.
The two Windows zero-days that have come under active exploitation are as follows –
- CVE-2025-24990 (CVSS score: 7.8) – Windows Agere Modem Driver (“ltmdm64.sys”) Elevation of Privilege Vulnerability
- CVE-2025-59230 (CVSS score: 7.8) – Windows Remote Access Connection Manager (RasMan) Elevation of Privilege Vulnerability
Microsoft said both issues could allow attackers to execute code with elevated privileges, although there is currently no indication of how they are being exploited or how widespread these efforts may be. In the case of CVE-2025-24990, the company said it’s planning to remove the driver entirely rather than issue a patch for a legacy third-party component.
Source: The Hacker News / BleepingComputer / Cisco Talos Intelligence Group / Dark Reading / SecurityWeek / SANS Internet Storm Center / Krebs on Security
Link: https://thehackernews.com/2025/10/two-new-windows-zero-days-exploited-in.html
Link: https://www.darkreading.com/vulnerabilities-threats/microsoft-october-patch-update
Link: https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20October%202025/32368
Link: https://krebsonsecurity.com/2025/10/patch-tuesday-october-2025-end-of-10-edition/
New Oracle E-Business Suite Bug Could Let Hackers Access Data Without Login
Oracle on Saturday issued a security alert warning of a fresh security flaw impacting its E-Business Suite that it said could allow unauthorized access to sensitive data.
The vulnerability, tracked as CVE-2025-61884, carries a CVSS score of 7.5, indicating high severity. It affects versions from 12.2.3 through 12.2.14.
“Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator,” according to a description of the flaw in NIST’s National Vulnerability Database (NVD). “Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.”
In a standalone alert, Oracle said the flaw is remotely exploitable without requiring any authentication, making it crucial that users apply the update as soon as possible. The company, however, makes no mention of it being exploited in the wild.
Oracle’s Chief Security Officer, Rob Duhart, pointed out that the vulnerability affects “some deployments” of E-Business Suite and that it could be weaponized to allow access to sensitive resources.
The development comes shortly after Google Threat Intelligence Group (GTIG) and Mandiant disclosed that dozens of organizations may have been impacted following the zero-day exploitation of CVE-2025-61882 in Oracle’s E-Business Suite (EBS) software.
Source: The Hacker News / BleepingComputer / SecurityWeek / Oracle Security Alert Advisory
Link: https://thehackernews.com/2025/10/new-oracle-e-business-suite-bug-could.html
Link: https://www.securityweek.com/cisa-confirms-exploitation-of-latest-oracle-ebs-vulnerability/
Link: https://www.oracle.com/security-alerts/alert-cve-2025-61884.html
CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Adobe Experience Manager to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The vulnerability in question is CVE-2025-54253 (CVSS score: 10.0), a maximum-severity misconfiguration bug that could result in arbitrary code execution.
According to Adobe, the shortcoming impacts Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier. It was addressed in version 6.5.0-0108 released early August 2025, alongside CVE-2025-54254 (CVSS score: 8.6).
Details of the two vulnerabilities were disclosed by Searchlight Cyber researchers Adam Kues and Shubham Shah in July 2025, describing CVE-2025-54253 as an “authentication bypass to [remote code execution] chain via Struts2 devmode” and CVE-2025-54254 as an XML external entity (XXE) injection within AEM Forms web services.
Source: The Hacker News
Link: https://thehackernews.com/2025/10/cisa-flags-adobe-aem-flaw-with-perfect.html
TP-Link Patches Four Omada Gateway Flaws, Two Allow Remote Code Execution
TP-Link has released security updates to address four security flaws impacting Omada gateway devices, including two critical bugs that could result in arbitrary code execution.
The vulnerabilities in question are listed below –
- CVE-2025-6541 (CVSS score: 8.6) – An operating system command injection vulnerability that could be exploited by an attacker who can log in to the web management interface to run arbitrary commands
- CVE-2025-6542 (CVSS score: 9.3) – An operating system command injection vulnerability that could be exploited by a remote unauthenticated attacker to run arbitrary commands
- CVE-2025-7850 (CVSS score: 9.3) – An operating system command injection vulnerability that could be exploited by an attacker in possession of an administrator password of the web portal to run arbitrary commands
- CVE-2025-7851 (CVSS score: 8.7) – An improper privilege management vulnerability that could be exploited by an attacker to obtain the root shell on the underlying operating system under restricted conditions
“Attackers may execute arbitrary commands on the device’s underlying operating system,” TP-Link said in an advisory released Tuesday.
Source: The Hacker News / BleepingComputer
Link: https://thehackernews.com/2025/10/tp-link-patches-four-omada-gateway.html
New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login
SAP has rolled out security fixes for 13 new security issues, including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution.
The vulnerability, tracked as CVE-2025-42944, carries a CVSS score of 10.0. It has been described as a case of insecure deserialization.
“Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting a malicious payload to an open port,” according to a description of the flaw on CVE.org.
“The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application’s confidentiality, integrity, and availability.”
While the vulnerability was first addressed by SAP last month, security company Onapsis said the latest fix adds further safeguards against the risk posed by deserialization.
Source: The Hacker News / SecurityWeek / SAP Security Notes / Onapsis SAP Security Notes
Link: https://thehackernews.com/2025/10/new-sap-netweaver-bug-lets-attackers.html
Link: https://www.securityweek.com/sap-patches-critical-vulnerabilities-in-netweaver-print-service-srm/
Link: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2025.html
Link: https://onapsis.com/blog/sap-security-patch-day-october-2025/
Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers
A new malware attributed to the Russia-linked hacking group known as COLDRIVER has undergone numerous developmental iterations since May 2025, suggesting an increased “operations tempo” from the threat actor.
The findings come from Google Threat Intelligence Group (GTIG), which said the state-sponsored hacking crew rapidly refined and retooled its malware arsenal just five days after the publication of its LOSTKEYS malware in May 2025.
While it’s currently not known for how long the new malware families have been under development, the tech giant’s threat intelligence team said it has not observed a single instance of LOSTKEYS since disclosure.
The new malware, codenamed NOROBOT, YESROBOT, and MAYBEROBOT, is “a collection of related malware families connected via a delivery chain,” GTIG researcher Wesley Shields said in a Monday analysis.
Source: The Hacker News / BleepingComputer / SecurityWeek / Google Threat Intelligence Group
Link: https://thehackernews.com/2025/10/google-identifies-three-new-russian.html
Link: https://cloud.google.com/blog/topics/threat-intelligence/new-malware-russia-coldriver/?hl=en
Hackers exploit Cisco SNMP flaw to deploy rootkit on switches
Threat actors exploited a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco networking devices to deploy a rootkit and target unprotected Linux systems.
The security issue leveraged in the attacks affects the Simple Network Management Protocol (SNMP) in Cisco IOS and IOS XE and leads to RCE if the attacker has root privileges.
According to cybersecurity company Trend Micro, the attacks exploited the flaw in Cisco 9400, 9300, and legacy 3750G series devices and deployed rootkits on “older Linux systems that do not have endpoint detection response solutions.”
In the original bulletin for CVE-2025-20352, updated on October 6, Cisco tagged the vulnerability as exploited as a zero day, with the company’s Product Security Incident Response Team (PSIRT) saying it was “aware of successful exploitation.”
Trend Micro researchers track the attacks under the name ‘Operation Zero Disco’ because the malware sets a universal access password that contains the word “disco.”
Source: BleepingComputer / The Hacker News / SecurityWeek / Trend Micro Research / Cisco Security Advisory
Link: https://thehackernews.com/2025/10/hackers-deploy-linux-rootkits-via-cisco.html
Link: https://www.securityweek.com/cisco-routers-hacked-for-rootkit-deployment/
Link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte
The OSINT Intelligence Cycle
Many newcomers to open source intelligence immediately gravitate towards the tools and become reliant on them rather quickly. This becomes problematic when the tools break, become deprecated, or otherwise become unavailable. While automation, collection assistance, and visualization tools can help immensely in an investigation, they cannot analyze the work and do your job for you.
One of my most repeated bits of advice for those new to OSINT or those wishing to improve their current OSINT skills is to go back to the basics, namely the intelligence cycle. This series of articles aims to reframe each phase of the intelligence cycle to show specifically how I apply it during one of my OSINT investigations.
Source: Secjuice
Link: https://www.secjuice.com/osint-intelligence-cycle-part-i-planning-and-direction/
Link: https://www.secjuice.com/osint-intelligence-cycle-part-ii-collection/
Link: https://www.secjuice.com/osint-intelligence-cycle-part-iii-processing-raw-intelligence/
Link: https://www.secjuice.com/osint-the-intelligence-cycle-part-iv-processing-raw-intelligence/
Link: https://www.secjuice.com/osint-intelligence-cycle-part-v-dissemination/
Oracle Releases October 2025 Patches
Oracle on Tuesday released 374 new security patches as part of its October 2025 Critical Patch Update (CPU), including over 230 fixes for vulnerabilities that are remotely exploitable without authentication.
There appear to be roughly 260 unique CVEs in Oracle’s October 2025 CPU advisory, including a dozen critical-severity flaws.
The October CPU was rolled out roughly a week after Oracle released patches for an E-Business Suite defect allowing access to sensitive data, and two weeks after the company warned of a zero-day in the product that was exploited by an extortion group.
This month, Oracle Communications received the largest number of security patches, at 73, including 47 for vulnerabilities that can be exploited by remote, unauthenticated attackers.
Oracle rolled out 64 new security patches for Communications Applications, including 46 for remotely exploitable flaws, and 33 new security patches for Financial Services Applications, 29 of which address remotely exploitable, unauthenticated bugs.
Source: SecurityWeek
Link: https://www.securityweek.com/oracle-releases-october-2025-patches/