Weekly Threat Landscape Digest – Week 38

1. Security Updates – Google Chrome
   Google has released security updates to address multiple high-severity vulnerabilities in Chrome for Desktop (Windows, macOS, and Linux), Android, and iOS. One of the flaws (CVE-2025-10585) is a zero-day vulnerability actively exploited in the wild. Successful exploitation could allow arbitrary code execution, application crashes, or full system compromise.

Vulnerability Details

• CVE-2025-10585 (High) – Type Confusion in V8 (actively exploited zero-day)
• CVE-2025-10500 (High) – Use-after-free in Dawn
• CVE-2025-10501 (High) – Use-after-free in WebRTC
• CVE-2025-10502 (High) – Heap buffer overflow in ANGLE

Fixed Versions

• Desktop: Chrome 140.0.7339.185/.186 (Windows/Mac), 140.0.7339.185 (Linux)
• Android: Chrome 140 (140.0.7339.155)
• iOS: Chrome Stable 141 (141.0.7390.26)

Recommendations

• Update Chrome across all platforms to the latest patched version.
• Enable auto-updates to ensure timely patching of future vulnerabilities.
• Restart the browser after applying updates to complete the installation.

Reference

• https://chromereleases.googleblog.com/2025/09/stable-channel-update-fordesktop_17.html
• https://chromereleases.googleblog.com/

2. Security Updates – Jenkins
   Jenkins has released patches for multiple vulnerabilities affecting both its weekly and Long-Term Support (LTS) releases. Exploitation could lead to denial-of-service conditions, unauthorized information disclosure, and log tampering, potentially hindering investigations.

Vulnerability Details

• CVE-2025-5115 (High, CVSS 7.5) – HTTP/2 Denial of Service in bundled Jetty (“MadeYouReset”); unauthenticated attackers can cause DoS if HTTP/2 is enabled (disabled by default in official installers and Docker images).
• CVE-2025-59474 (Medium) – Missing permission check in the sidepanel allows attackers without Overall/Read to list Jenkins agent names.
• CVE-2025-59475 (Medium) – Missing permission check in user profile dropdown enables attackers without Overall/Read to access limited configuration data (e.g., plugin presence, menu options).
• CVE-2025-59476 (Medium) – Log message injection due to improper character sanitization in log formatter; attackers can forge log lines, misleading administrators. Mitigated by adding line-break indicators ([CR], [LF], [CRLF]), but other characters (e.g., Unicode Trojan Source) may still pose risks.

Affected Versions

• Jenkins Weekly ≤ 2.527
• Jenkins LTS ≤ 2.516.2

Fixed Versions

• Jenkins Weekly 2.528
• Jenkins LTS 2.516.3

Recommendations

• Upgrade Jenkins to the latest fixed release (2.528 / 2.516.3).
• If HTTP/2 is not required, ensure it remains disabled to mitigate CVE-2025-5115.
• Review access permissions for users and agents to minimize exposure.
• Monitor Jenkins logs for anomalies or indicators of log injection attempts.

Reference

• https://www.jenkins.io/security/advisory/2025-09-17/

3. Security Updates – Mozilla
   Mozilla has released security updates addressing multiple vulnerabilities in Firefox, Thunderbird, and Focus for iOS. Successful exploitation could allow attackers to escape the browser sandbox, execute arbitrary code, or spoof trusted websites.

Vulnerability Details

• CVE-2025-10527 (High) – Use-after-free in Canvas2D graphics → sandbox escape, potential RCE.
• CVE-2025-10528 (High) – Undefined behavior in Canvas2D graphics → bypass of sandbox protections.
• CVE-2025-10537 (High) – Memory safety issues fixed in Firefox ESR 140.3, Thunderbird ESR 140.3, Firefox 143, and Thunderbird 143 → some exploitable for arbitrary code execution.
• CVE-2025-10290 (Moderate) – Toolbar UI spoofing in Focus for iOS → improper UI updates allow website spoofing.
• CVE-2025-10533 (Moderate) – Integer overflow in SVG component → incorrect rendering or exploitable memory conditions.

Affected Products and Fixed Versions

• Thunderbird 140.3, 143
• Firefox ESR 140.3, ESR 115.28, Firefox 143
• Focus for iOS 143.0

Recommendations

• Apply the latest Mozilla security updates immediately.
• Ensure automatic update mechanisms are enabled for Firefox, Thunderbird, and Focus for iOS.
• Restart applications post-update to fully apply patches.
• Monitor for suspicious browser or email activity that may indicate attempted exploitation.

Reference

• https://www.mozilla.org/en-US/security/advisories/

4. Security Updates – Atlassian
   Atlassian has released its September 2025 Security Bulletin addressing multiple high-severity vulnerabilities in Confluence, Jira, and Jira Service Management (Data Center and Server). These flaws could lead to remote code execution (RCE) or denial-of-service (DoS) conditions, impacting system availability and integrity.

Vulnerability Details

• Confluence Data Center & Server
  • CVE-2025-48734 (High, CVSS 8.8) – RCE via third-party dependency.
  • Affected Versions: 9.5.1, 9.4.0–9.4.1, 9.3.1–9.3.2, 9.2.0–9.2.5 (LTS), 9.1.0–9.1.1, 9.0.1–9.0.3, 8.9.0–8.9.8, 8.8.0–8.8.1, 8.7.1–8.7.2, 8.6.0–8.6.2, 8.5.2–8.5.23 (LTS), 7.19.15–7.19.30 (LTS).
  • Fixed Versions: 10.0.3, 9.5.2–9.5.4, 9.2.6–9.2.8 (LTS), 8.5.24–8.5.26 (LTS).
• Jira Software Data Center & Server
  • CVE-2025-52520, CVE-2025-53506 (High, CVSS 7.5) – DoS via third-party dependency.
  • Affected Versions: 11.0.0, 10.7.1–10.7.2, 10.6.0–10.6.1, 10.5.0–10.5.1, 10.4.0–10.4.1, 10.3.0–10.3.8 (LTS), 10.2.0–10.2.1, 10.1.1–10.1.2, 10.0.0–10.0.1, 9.17.0–9.17.5, 9.16.0–9.16.1, 9.15.2, 9.14.0–9.14.1, 9.13.0–9.13.1, 9.12.0–9.12.25 (LTS), 9.11.1–9.11.3.
  • Fixed Versions: 11.0.1, 10.7.3–10.7.4, 10.3.9–10.3.10 (LTS), 9.12.26–9.12.27 (LTS).
• Jira Service Management Data Center & Server
  • CVE-2025-52520, CVE-2025-53506 (High, CVSS 7.5) – DoS via third-party dependency.
  • Affected Versions: 11.0.0, 10.7.1–10.7.2, 10.6.0–10.6.1, 10.5.0–10.5.1, 10.4.0–10.4.1, 10.3.0–10.3.8 (LTS), 10.2.0–10.2.1, 10.1.1–10.1.2, 10.0.0–10.0.1, 5.17.0–5.17.5, 5.16.0–5.16.1, 5.15.2, 5.14.0–5.14.1, 5.13.0–5.13.1, 5.12.0–5.12.25 (LTS), 5.11.1–5.11.3.
  • Fixed Versions: 11.0.1, 10.7.3–10.7.4, 10.3.9–10.3.10 (LTS), 5.12.26–5.12.27 (LTS).

Recommendations

• Update Atlassian Confluence, Jira, and Jira Service Management to the latest patched versions immediately.
• Remove unsupported or outdated versions that remain vulnerable.
• Restrict public exposure of Confluence/Jira instances and apply network segmentation.
• Monitor system logs for unusual activity or service instability indicative of exploitation attempts.

Reference

• https://confluence.atlassian.com/security/security-bulletin-september-16-2025-1627098357.html 

5. Multiple Vulnerabilities – HPE Aruba Networking EdgeConnect SD-WAN Gateways
   Hewlett Packard Enterprise (HPE) Aruba Networking has released patches addressing multiple high-severity vulnerabilities in EdgeConnect SD-WAN Gateways. Successful exploitation could enable attackers to bypass access controls, execute arbitrary commands with root privileges, misroute traffic, exfiltrate sensitive information, or disrupt operations.

Vulnerability Details

• CVE-2025-37123 – Authenticated command injection → root access
  • Severity: High | CVSS 8.8
  • Fixed in: 9.5.3.3+
• CVE-2025-37124 – Unauthenticated access → SD-WAN transit traffic misrouting
  • Severity: High | CVSS 8.6
  • Fixed in: 9.2.11.3, 9.3.8.0, 9.4.3.5, 9.5.3.3+
• CVE-2025-37125 – Broken firewall access control → unauthorized network access
  • Severity: High | CVSS 7.5
  • Fixed in: 9.4.3.5, 9.5.3.3+
• CVE-2025-37126 – Authenticated RCE via CLI
  • Severity: High | CVSS 7.2
  • Fixed in: 9.3.0.0+
• CVE-2025-37127 – Cryptographic replay attack → shell access
  • Severity: High | CVSS 7.2
  • Discovered by: NCC Group
• CVE-2025-37128 – Authenticated arbitrary process termination → DoS
  • Severity: Medium | CVSS 6.8
  • Discovered by: NCC Group
• CVE-2025-37129 – Authenticated RCE via CLI scripting
  • Severity: Medium | CVSS 6.7
  • Discovered by: NCC Group
• CVE-2025-37130 – Authenticated arbitrary file read
  • Severity: Medium | CVSS 6.5
  • Discovered by: NCC Group
• CVE-2025-37131 – Authenticated file read → sensitive data exposure
  • Severity: Medium | CVSS 4.9
  • Discovered by: NCC Group

Resolution

• Upgrade to:
  • EdgeConnect SD-WAN 9.5.4.1 and above
  • EdgeConnect SD-WAN 9.4.4.2 and above
• Ensure the Orchestrator version is greater than or equal to the ECOS software running on any gateways.
• Decommission unsupported versions and restrict management plane exposure.

Recommendations

• Apply patches immediately.
• Harden access controls and limit management interfaces to trusted networks.
• Continuously monitor for suspicious activity targeting SD-WAN appliances.

Reference

• HPE Aruba Networking Security Bulletin: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04943en_us&docLocale=en_US 

6. Critical Vulnerabilities – NVIDIA Triton Inference Server
   NVIDIA has released security updates for Triton Inference Server to address critical and high-severity vulnerabilities affecting deployments on both Windows and Linux. Successful exploitation could enable attackers to compromise AI inference workloads, steal or manipulate sensitive data, and disrupt ML services.

Vulnerability Details

• CVE-2025-23316 – Python backend model control API manipulation
  • CVSS 9.8 | Critical
  • Remote code execution, denial of service, data tampering, and information disclosure
• CVE-2025-23268 – Improper input validation in DALI backend
  • CVSS 8.0 | High
  • Potential code execution
• CVE-2025-23328 – Out-of-bounds write via crafted input
  • CVSS 7.5 | High
  • Denial of service
• CVE-2025-23329 – Memory corruption in Python backend shared memory
  • CVSS 7.5 | High
  • Denial of service
• CVE-2025-23336 – Misconfigured model loading flaw
  • CVSS 4.4 | Medium
  • Denial of service

Affected Products / Fixed Versions

• Triton Inference Server (Windows/Linux) – All versions prior to 25.08 → Fixed in 25.08
• Triton Inference Server (DALI Backend) – All versions prior to 25.07 → Fixed in 25.07

Recommendations

• Upgrade to Triton Inference Server 25.08 (25.07 for DALI backend) immediately.
• Review deployment security configurations to minimize attack surface.
• Restrict untrusted input sources and enforce strong workload isolation.
• Monitor inference servers for abnormal activity or crashes.

Reference

• NVIDIA Security Bulletin: https://nvidia.custhelp.com/app/answers/detail/a_id/5691

7. Critical Vulnerability – Daikin Security Gateway
   A critical authentication bypass vulnerability (CVE-2025-10127) has been identified in Daikin Security Gateway systems, widely deployed in industrial control and energy sector environments. Exploitation requires no privileges or user interaction and can be performed remotely, with public PoC exploits already available. Successful exploitation could allow attackers to bypass login mechanisms entirely, access or modify sensitive ICS data, and disrupt critical infrastructure operations.

Vulnerability Details

• CVE ID: CVE-2025-10127
• CVSS v3.1 Score: 9.8 (Critical)
• Vulnerability Type: Weak Password Recovery Mechanism (CWE-640)
• Impact:
  • Complete authentication bypass
  • Unauthorized access to sensitive industrial control data
  • Modification of configurations and operational parameters
  • Disruption of critical energy sector operations
  • Full compromise of confidentiality, integrity, and availability
• Exploit Availability: Public Proof of Concept (PoC) confirmed

Affected Products

• Daikin Security Gateway: App: 100, Frm: 214

Recommendations

• Restrict Exposure: Place Daikin Security Gateway systems behind firewalls; prevent direct internet access.
• Network Segmentation: Isolate ICS networks from corporate and untrusted environments.
• Remote Access Protections: Use VPNs with strong device authentication if remote access is required.
• Network Hardening: Limit exposure of control devices; restrict access to trusted management networks.
• Monitoring & Detection: Continuously monitor for anomalous access attempts.
• Incident Response Preparedness: Update contingency and recovery plans for possible compromise or disruption.

Reference

• NVD Advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-10127

8. Actively Exploited Vulnerability – Case Theme User Plugin
   A critical authentication bypass vulnerability (CVE-2025-5821, CVSS 9.8) has been identified in the Case Theme User WordPress plugin, bundled with several premium WordPress themes. The flaw, caused by improper authentication logic in the facebook_ajax_login_callback() function, allows unauthenticated attackers to log in as any user (including admin) if the target email address is known or guessable. The vulnerability is being actively exploited in the wild.

Vulnerability Details

• CVE ID: CVE-2025-5821
• CVSS v3.1 Score: 9.8 (Critical)
• Vulnerability Type: Authentication Bypass
• Root Cause: Faulty authentication logic in Facebook-based social login function
• Impact:
  • Unauthorized administrative access
  • Privilege escalation and persistence
  • Full compromise of affected WordPress sites
• Affected Versions: Case Theme User ≤ 1.0.3
• Fixed Version: Case Theme User 1.0.4 or later

Exploitation Activity

• Attackers create temporary user accounts, exploit the bypass to escalate to administrator, then delete the accounts to hide evidence.
• Commonly targeted emails: [email protected], [email protected], [email protected]

Recommendations

• Update Immediately: Upgrade to Case Theme User v1.0.4 or later.
• Audit Accounts: Check all administrator and privileged accounts for unauthorized additions.
• Log Review: Analyze webserver and WordPress logs for suspicious AJAX activity and IOCs.
• Credential Security: Reset admin credentials and enforce strong authentication.
• WAF Deployment: Apply WAF rules to block malicious login attempts.
• Incident Response: If compromise is suspected, conduct a full forensic review and restore from clean backups.

References

• Wordfence Advisory: https://www.wordfence.com/blog/2025/09/attackers-actively-exploiting-critical-vulnerability-in-case-theme-user-plugin/ 
• NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5821

9. Security Updates – Apple
   Apple has released critical security updates across its product ecosystem, addressing vulnerabilities in components such as Kernel, WebKit, Bluetooth, CoreMedia, Safari, and Sandbox. Several of these flaws could enable remote code execution, data leakage, sandbox escapes, and denial-of-service attacks. Organizations and individuals are strongly urged to apply updates immediately.

Key Vulnerabilities

• Kernel (CVE-2025-43359): Logic flaw may cause improper socket binding, potentially exposing services.
• WebKit (CVE-2025-43272, CVE-2025-43343, CVE-2025-43342, CVE-2025-43368): Malicious web content may trigger crashes, memory corruption, or unauthorized sensor access.
• Bluetooth (CVE-2025-43354, CVE-2025-43303): Logging flaws could expose sensitive data.
• LaunchServices (CVE-2025-43362): May allow unauthorized keystroke monitoring.
• Sandbox & Shortcuts (CVE-2025-43329, CVE-2025-43358): Potential sandbox escapes.
• Notes (CVE-2025-43203): Physical attackers may bypass protections to view locked note images.
• Text Input (CVE-2025-24133): Sensitive keyboard suggestions may appear on the lock screen.
• Safari (CVE-2025-31254): URL validation flaw enables redirection attacks.
• SQLite (CVE-2025-6965): Memory corruption inherited from open-source dependency.

Affected Products & Fixed Versions

• iOS 26 / iPadOS 26 → iPhone 11+, iPad Pro (3rd gen+), iPad Air (3rd gen+), iPad 8+, iPad mini 5+
• iOS 18.7 / iPadOS 18.7 → iPhone XS+, iPad Pro 13”, iPad Air 3+, iPad 7+, iPad mini 5+
• iOS 16.7.12 / iPadOS 16.7.12 → iPhone 8, iPhone X, iPad 5th gen, iPad Pro 9.7”, iPad Pro 12.9” (1st gen)
• iOS 15.8.5 / iPadOS 15.8.5 → iPhone 6s, iPhone 7, iPhone SE (1st gen), iPad Air 2, iPad mini 4, iPod touch 7
• macOS Tahoe 26 → Mac Studio (2022+), iMac (2020+), Mac Pro (2019+), Mac mini (2020+), MacBook Air/Pro (2020+, Apple silicon)
• macOS Sequoia 15.7
• macOS Sonoma 14.8
• tvOS 26 → Apple TV HD, Apple TV 4K
• watchOS 26 → Apple Watch Series 6+
• visionOS 26 → Apple Vision Pro
• Safari 26 → macOS Sonoma & Sequoia
• Xcode 26 → macOS Sequoia 15.6+

Recommendations

• Apply the latest Apple security updates immediately.
• Prioritize patching devices handling sensitive data or exposed to the internet.
• Regularly audit devices to confirm updates have been applied across the environment.

References

• https://support.apple.com/en-us/100100

10. Critical Vulnerabilities in Chaos Mesh Could Enable Kubernetes Cluster Takeover
    Researchers have disclosed multiple critical flaws in Chaos Mesh, an open-source chaos engineering platform for Kubernetes. Tracked collectively as Chaotic Deputy, the vulnerabilities impact the Chaos Controller Manager’s GraphQL server, which lacks sufficient authentication controls. Exploitation could allow attackers with minimal in-cluster access to execute arbitrary commands, kill processes, disrupt services, and ultimately take over the entire Kubernetes cluster.

Vulnerability Set: Chaotic Deputy

• CVE-2025-59358 – Improper Authentication (CVSS 7.5)
  • Unauthenticated GraphQL debugging server allows arbitrary process termination in pods → cluster-wide denial-of-service.
• CVE-2025-59359 – OS Command Injection (CVSS 9.8)
  • Flaw in cleanTcs mutation enables arbitrary command execution.
• CVE-2025-59360 – OS Command Injection (CVSS 9.8)
  • Flaw in killProcesses mutation enables arbitrary command execution.
• CVE-2025-59361 – OS Command Injection (CVSS 9.8)
  • Flaw in cleanIptables mutation enables arbitrary command execution.

Attack Scenarios

• Minimal Access Needed: Only basic in-cluster network access is required.
• Cluster Takeover: Vulnerabilities can be chained for RCE on Chaos Daemons, escalating to full cluster control.
• Potential Impact:
  • Disruption of workloads (DoS).
  • Theft of Kubernetes service account tokens.
  • Lateral movement across the cluster.
  • Exfiltration of sensitive data.

Fixed Versions

• Chaos Mesh v2.7.3 and later.

Recommendations

• Upgrade to Chaos Mesh v2.7.3 or newer immediately.
• Restrict Chaos Mesh API and Daemon services to trusted components only.
• Block unauthenticated or external access at the network layer.
• Continuously monitor cluster activity for suspicious GraphQL mutations or anomalous process kills.

References

• https://jfrog.com/blog/chaotic-deputy-critical-vulnerabilities-in-chaos-mesh-lead-to-kubernetes-cluster-takeover/ 

11. Multiple Critical Vulnerabilities in HPE Telco Intelligent Assurance
    Hewlett Packard Enterprise (HPE) has released a bulletin addressing multiple critical and high-severity vulnerabilities in HPE Telco Intelligent Assurance (INT-A Analytics) V5.0. Exploitation could enable remote code execution, privilege escalation, denial-of-service (DoS), and data compromise. Several flaws carry CVSS 9.8 (Critical), highlighting the risk of unauthenticated remote exploitation.

Key Vulnerabilities

• CVE-2021-47621 – CVSS 7.5 (High) – Remote information disclosure (no authentication)
• CVE-2022-1471 – CVSS 9.8 (Critical) – Remote code execution
• CVE-2022-25857 – CVSS 7.5 (High) – Remote DoS
• CVE-2022-38749 – CVSS 6.5 (Medium) – DoS (low-privileged attacker)
• CVE-2022-38750 – CVSS 5.5 (Medium) – Local DoS
• CVE-2022-38751 – CVSS 6.5 (Medium) – DoS
• CVE-2022-38752 – CVSS 6.5 (Medium) – DoS
• CVE-2022-41854 – CVSS 6.5 (Medium) – Remote DoS (requires user interaction)
• CVE-2024-25710 – CVSS 5.5 (Medium) – Local DoS
• CVE-2024-26308 – CVSS 5.5 (Medium) – Local DoS
• CVE-2024-50379 – CVSS 9.8 (Critical) – RCE / Full system compromise
• CVE-2024-56337 – CVSS 9.8 (Critical) – RCE / Full system compromise
• CVE-2025-24813 – CVSS 9.8 (Critical) – RCE / Full system compromise

Affected Products

• HPE Telco Intelligent Assurance V5.0

Resolution / Mitigation

• Upgrade immediately to HPE Telco Intelligent Assurance V5.1 (patched release).
• Apply vendor-recommended mitigations until full upgrade is completed.
• Restrict exposure of vulnerable systems to reduce attack surface.

Reference

• https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04940en_us&docLocale=en_US 

12. Multiple Vulnerabilities in OpenPrinting CUPS
    OpenPrinting has released updates to fix two vulnerabilities in the Common Unix Printing System (CUPS), widely used in enterprise, education, and government environments. Exploitation could lead to denial-of-service (DoS) attacks or unauthorized administrative access.

Vulnerability Details

• CVE-2025-58364 – Remote DoS via Null Dereference
  • CVSS: 6.5 (Medium)
  • Impact: Crafted printer responses can crash CUPS/cups-browsed, disrupting print services.
  • Affected: CUPS < 2.4.12
• CVE-2025-58060 – Authentication Bypass with AuthType Negotiate
  • CVSS: 8.0 (High)
  • Impact: Improper enforcement of Basic auth headers allows attackers to bypass authentication and gain admin access.
  • Affected: CUPS < 2.4.13

Fixed Versions

• CUPS 2.4.14 or later

Recommendations

• Update immediately to CUPS 2.4.14 or higher.
• Restrict exposure of CUPS servers to trusted networks only.
• Monitor logs for abnormal crashes or unauthorized print job activity.

References

• https://github.com/OpenPrinting/cups/security/advisories/GHSA-7qx3-r744-6qv4
• https://github.com/OpenPrinting/cups/security/advisories/GHSA-4c68-qgrh-rmmq
• https://github.com/OpenPrinting/cups/releases/tag/v2.4.14

13. Security Updates – Samsung Mobile
    Samsung has released its September 2025 Security Maintenance Release (SMR-SEP-2025) for flagship devices, addressing critical and high-severity vulnerabilities. The update integrates fixes from the Android Security Bulletin (September 2025), Samsung Semiconductor, and 25 Samsung-specific vulnerabilities (SVE). Notably, a critical RCE flaw (CVE-2025-21043) in libimagecodec.quram.so is actively exploited in the wild.

Vulnerability Details

• Google Security Patches
  • Critical: CVE-2025-48539, CVE-2025-27034
  • High: Multiple vulnerabilities (e.g., CVE-2025-48543, CVE-2025-0089, CVE-2025-48540, CVE-2025-48546, CVE-2025-48548, CVE-2025-48549, …)
• Samsung Semiconductor Patch
  • CVE-2025-32100 (High)
• Samsung Vulnerabilities (SVE) – 25 issues fixed
  • Examples:
    • SVE-2024-2288 / CVE-2025-21032 – Improper access control in One UI Home
    • SVE-2025-0012 / CVE-2025-21033 – Improper access control in ContactProvider
    • SVE-2025-0659 / CVE-2025-21034 – Out-of-bounds write in libsavsvc.so
    • SVE-2025-1702 / CVE-2025-21043 – Critical OOB Write in libimagecodec.quram.so
      • Exploit confirmed in the wild
      • Enables remote code execution

Affected Versions

• Samsung flagship models running Android 13, 14, 15, and 16

Recommendations

• Apply the September 2025 Samsung SMR update immediately.
• Ensure automatic updates are enabled on all supported Samsung devices.
• Monitor mobile endpoints for signs of suspicious app crashes or exploitation attempts.

Reference

• https://security.samsungmobile.com/securityUpdate.smsb

14. Security Updates – NVIDIA NVDebug Tool
    NVIDIA has released a security update for its NVDebug Tool, addressing multiple high-severity vulnerabilities that could allow unauthorized access, privilege escalation, arbitrary code execution, and denial-of-service. Exploitation of these flaws could compromise host systems on both x86_64 and arm64-SBSA platforms.

Vulnerability Details

• CVE-2025-23342 – (CVSS 8.2, High) Unauthorized access to privileged accounts → potential code execution, DoS, privilege escalation, information disclosure, and data tampering.
• CVE-2025-23343 – (CVSS 7.6, High) Allows file writes to restricted components → risk of information disclosure, tampering, and DoS.
• CVE-2025-23344 – (CVSS 7.3, High) Arbitrary code execution by non-privileged users → could lead to privilege escalation, information disclosure, tampering, and DoS.

Affected Versions

• Product: NVIDIA NVDebug Tool
• Platforms: x86_64, arm64-SBSA
• Affected: All versions prior to 1.7.0
• Fixed Version: 1.7.0 and later

Recommendations

• Upgrade immediately to NVDebug Tool v1.7.0 or later from the official NVIDIA Developer Tools page.
• Restrict access to debugging tools to trusted administrators.
• Monitor for unusual system behavior that may indicate exploitation attempts.

Reference

• https://nvidia.custhelp.com/app/answers/detail/a_id/5696

15. Multiple Vulnerabilities in Dell PowerProtect DP Series Appliance (IDPA)
    Dell Technologies has released critical security updates to address multiple third-party component vulnerabilities affecting the PowerProtect DP Series Appliance (IDPA). Exploitation could allow attackers to gain elevated privileges, execute arbitrary code, bypass security restrictions, or cause denial-of-service.

Vulnerability Details

• Hypervisor Manager: CVE-2025-22224, CVE-2025-22225, CVE-2025-22226, CVE-2024-37086, CVE-2024-37085, CVE-2024-22273
• Appliance OS: CVEs ranging from legacy (CVE-2008-5161) through CVE-2025-0725, CVE-2024-47685
• iDRAC: CVE-2025-26465, CVE-2025-26466, CVE-2024-45490, CVE-2024-50602, etc.
• BIOS: Multiple firmware issues (e.g., CVE-2024-38796, CVE-2024-36293, CVE-2023-45229 – CVE-2023-45237) enabling privilege escalation and secure boot bypass
• Apache Tomcat: CVE-2024-50379, CVE-2025-31650, CVE-2025-31651, CVE-2024-38286, CVE-2024-34750

Affected Products

• Dell PowerProtect DP Series (IDPA) appliances, versions prior to patched release

Fixed Versions

• IDPA 2.7.9 Upgrade for DP4400, DP5900, and DP8xxx appliances

Recommendations

• Upgrade all affected DP Series appliances to IDPA 2.7.9 or later.
• Prioritize patching in high-risk environments (e.g., internet-facing management interfaces).
• Restrict access to management interfaces to trusted networks.
• Monitor for suspicious activity targeting appliance OS, iDRAC, or Tomcat services.

Reference

• https://www.dell.com/support/kbdoc/en-us/000368282/dsa-2025-300-securityupdate-for-dell-powerprotect-dp-series-appliance-idpa-multiple-third-party-componentvulnerabilities

16. Ongoing Supply Chain Attack – Malicious npm Package Campaign
    Researchers uncovered a large-scale supply chain attack targeting the npm ecosystem. Attackers compromised the widely used @ctrl/tinycolor package (2.2M weekly downloads) along with 40+ other packages across multiple maintainers. The campaign, dubbed “Shai-Hulud,” has also been linked to compromises of npm packages published under the CrowdStrike publisher account.

Attack Details

• Injected bundle.js payload that:
  • Downloaded and executed TruffleHog.
  • Scanned for tokens and cloud credentials.
  • Validated stolen credentials.
  • Created unauthorized GitHub Actions workflows.
  • Exfiltrated results to a hardcoded webhook.

Affected Scope

• Dozens of publishers impacted, including:
  • @crowdstrike (commitlint, falcon-shoelace, foundry-js, glide-core, logscale-* modules, tailwind-toucan-base)
  • @ctrl, @operato, @nativescript-community, @nstudio, @things-factory, @teselagen, among others
• Infections observed Sept 14–16, 2025
• Largest burst (Sept 16, 01:14 UTC) compromised ~100 packages in one push

Impact

• CI/CD compromise – injected workflows persist in repos and re-trigger credential theft
• Token & credential theft – GitHub, npm, AWS keys targeted
• Unauthorized npm publishes/code modifications
• High downstream risk for developers and organizations installing affected packages

Recommendations

• Uninstall/Pin – roll back to known-good versions; avoid recent compromised releases
• Audit environments – check developer laptops, CI/CD agents, build servers
• Rotate secrets – revoke and rotate npm tokens, GitHub PATs, AWS keys immediately
• Monitor activity – watch for unusual npm publish events, workflow creation, or package changes
• Incident response – treat environments that consumed malicious packages as potentially compromised

Reference

• https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages

17. Phishing Wave Hits U.S. Energy Giants: Chevron & ConocoPhillips Targeted
    Hunt Intelligence uncovered a large-scale phishing campaign impersonating major U.S. energy companies including Chevron, ConocoPhillips, PBF Energy, and Phillips 66. Attackers use HTTrack-based cloning and punycode tricks to replicate official websites and harvest credentials, blending phishing with investment fraud schemes.

Key Findings

• 1,465 phishing detections in the energy sector in the past year.
• Chevron – 158 impersonating domains in 2025 (vs. just 8 in 2024). Fake sites like chevroncvxstocks[.]com mimicked branding and slogan “Human Energy.”
• ConocoPhillips – Domains such as conocophillips.live, conocophils.com, and punycode xn--conocopillips-2z0g.com exploited branding; most evaded detection (1/94 engines flagged).
• PBF Energy – Domain advancedownloads[.]com staged phishing kit locally before deployment; payload delivered via malicious ZIP built through Base64 execution.
• Phillips 66 – Fake site phillips66-carros[.]site escaped all detections on VirusTotal (0/94 engines). Additional domains include phillips66shop[.]com and phillips66lubricants[.]ru.

Impact

• Credential theft – fraudulent login/registration forms send POST requests to attacker servers.
• Fraudulent investment scams – e.g., “Chev Corp Stocks” HYIP scheme blending phishing with financial fraud.
• Persistence tactics – SSL reuse, scattered hosting across U.S. & Europe, and industrialized phishing kit recycling.

Trend Insight

• Attacks against critical infrastructure sectors are evolving beyond phishing into fraud, brand abuse, and persistence.
• Researchers warn campaigns aim to erode trust in global energy brands.

Reference

• https://securityonline.info/phishing-wave-hits-u-s-energy-giants-chevron-conocophillips-targeted/

18. FileFix in the Wild – Steganography-Powered Campaign Delivers StealC
    Acronis TRU researchers uncovered the first sophisticated in-the-wild FileFix attack, evolving from proof-of-concept (POC) to real-world exploitation. Unlike ClickFix, FileFix abuses the Windows file upload dialog’s address bar to trick victims into pasting malicious commands.

Key Findings

• First active FileFix campaign observed since Mr. d0x’s POC in July 2025.
• Phishing lure – fake Facebook Security page with multilingual support (16+ languages) and anti-analysis techniques.
• Steganography – JPG images conceal second-stage PowerShell scripts and encrypted executables, parsed by the payload to drop malware.
• Obfuscation & evasion – PowerShell payloads use Base64, variable-based command reconstruction, encrypted URLs, and fragmented commands.
• Final payload: StealC Infostealer – deployed via a Go-based loader with VM checks and string encryption. Targets browsers, wallets, messaging apps, cloud creds, and can fetch additional malware.
• Rapid evolution – multiple variants within 2 weeks; attackers migrated from malicious domains to Bitbucket-hosted payloads for persistence and detection evasion.

Impact

• Credential & financial theft via StealC.
• Bypasses traditional detection using images + PowerShell loaders.
• Global targeting across U.S., Asia, and Europe.

Recommendations

• User awareness – train against *Fix-style attacks (ClickFix, FileFix).
• Block execution of PowerShell/CMD spawned by browsers.
• Monitor for suspicious image downloads via PowerShell.
• Rotate credentials if compromise suspected.

Reference

• https://www.acronis.com/en/tru/posts/filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography/

19. RaccoonO365 Phishing Network Dismantled by Microsoft & Cloudflare
    Microsoft’s Digital Crimes Unit (DCU), in coordination with Cloudflare, seized 338 domains linked to the RaccoonO365 Phishing-as-a-Service (PhaaS) network. Active since September 2024, RaccoonO365 facilitated large-scale credential theft targeting Microsoft 365 users globally.

Key Findings

• Scope of Impact: Over 5,000 Microsoft 365 credentials stolen from victims in 94 countries.
• Takedown Timeline: Court-ordered domain seizures executed Sept 2–8, 2025; domains redirected to warning pages, Workers scripts terminated, accounts suspended.
• Service Model: Subscription-based PhaaS toolkit — $355/month or $999/90 days. Marketed as “bulletproof” with no backdoors.
• Attack Vectors: Phishing campaigns spoofing Microsoft, DocuSign, SharePoint, Adobe, Maersk. Often a precursor to malware/ransomware deployment (e.g., Latrodectus, AHKBot, GuLoader, BruteRatel C4).
• Technical Evasion: Used Cloudflare Turnstile CAPTCHAs and Workers scripts to filter traffic, ensuring only targeted victims accessed phishing sites.
• Attribution: Identified operator Joshua Ogundipe (Nigeria) and associates, linked via exposed cryptocurrency wallet; ~100–200 subscriptions sold, earning $100K+ in crypto.
• Targeting: >2,300 U.S. organizations hit, including at least 20 healthcare entities.
• Latest Feature: “AI-MailCheck” — AI-powered service to improve phishing effectiveness.

Impact

• Enabled adversaries to send up to 9,000 phishing emails per day.
• Provided tools to circumvent MFA and gain persistent access.
• Demonstrates continued industrialization of phishing through PhaaS ecosystems.

Recommendations

• Monitor for suspicious logins and token misuse tied to recent phishing lures.
• Apply strict email authentication (SPF/DKIM/DMARC).
• Enforce conditional access policies and MFA fatigue protections.
• Review Cloudflare-protected phishing IOCs for detection tuning.

Reference

• The Hacker News – RaccoonO365 Phishing Network Shut Down

20. Storm-2603 Actively Exploiting Microsoft SharePoint Worldwide
    Research from Trustwave SpiderLabs highlights Storm-2603, a threat group exploiting Microsoft SharePoint vulnerabilities for espionage and financial gain via ransomware. The actor, first observed in March 2025, uses the AK47 C2 toolkit to gain access, deploy malware, and maintain persistence across global targets.

Key Findings

• Attribution:
  • Tracked by Microsoft as Storm-2603; Palo Alto tags it as CL-CRI-1040.
  • Suspected China-based, with links to APT27 (Emissary Panda) and APT31 (Judgment Panda), but not conclusively state-directed.
• Exploited Vulnerabilities:
  • CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, CVE-2025-53771 in SharePoint.
  • Used for unauthenticated code execution, cryptographic key extraction, and web shell deployment.
• Tooling:
  • Project AK47: ransomware, backdoors, custom C2.
  • LockBit Black & Warlock ransomware observed in campaigns.
• Targeting:
  • U.S. critical infrastructure (incl. Nuclear Weapons Agency).
  • Espionage in Europe; ransomware in APAC & Latin America.
  • Global scope across gov, energy, and strategic sectors.
• TTPs (MITRE-aligned):
  • Initial Access: SharePoint RCEs, key extraction.
  • Execution: Base64 PowerShell, PsExec, WMI.
  • Persistence: Web shells, scheduled tasks, DNS/HTTP backdoors.
  • Defense Evasion: PsExec/masscan, domain masquerading, BYOVD, Defender registry tampering.
  • Lateral Movement: Impacket, PsExec, GPO manipulation.
  • Credential Access: Mimikatz, LSASS dumping.
  • C2: Reverse proxy + HTTP/DNS backdoors.
  • Impact: Service disruption, encryption, financial theft.

Impact

• Demonstrates dual motivation: espionage + profit.
• Ransomware ops disrupt critical services, while espionage compromises strategic intel.
• Blends APT-like tradecraft with cybercrime TTPs.

Mitigations

• Apply Microsoft patches (KB5002768 for SharePoint Subscription Edition).
• Isolate and patch all SharePoint instances (test, dev, prod).
• Harden detection for web shells, WMI, PsExec, Impacket activity.
• Monitor for masscan use, GPO changes, and Defender tampering.

Reference

• Trustwave Blog – Storm-2603 Targeting SharePoint Vulnerabilities and Critical Infrastructure

21. ShinyHunters Claims Theft of 1.5 Billion Salesforce Records

The extortion group ShinyHunters, now operating as part of Scattered Lapsus$ Hunters (with Spider & Lapsus$), claims to have stolen 1.5 billion Salesforce records from 760 companies via compromised Salesloft Drift integrations.

Key Findings

• Initial Access:
  • Attackers breached Salesloft’s private GitHub repo.
  • Used TruffleHog to scan source code and extract OAuth tokens.
• Scope of Theft:
  • 1.5B Salesforce records stolen, including:
    • 250M Account records
    • 579M Contact records
    • 171M Opportunity records
    • 60M User records
    • 459M Case records
  • Data exfiltration occurred between Aug 8–18, 2025.
• Targets: ~700 Salesloft customers using Drift–Salesforce integrations.
• Victims Named: BeyondTrust, Cato Networks, Cloudflare, CyberArk, JFrog, Nutanix, Palo Alto Networks, Proofpoint, Qualys, Rubrik, SpyCloud, Tenable, Zscaler.
• Expansion: Attackers also leveraged tokens to access other integrated apps (Google Workspace, Marketo, Zapier, Zoom, etc.).

Threat Actor Insights

• Group: ShinyHunters + Lapsus$ + Spider = Scattered Lapsus$ Hunters.
• Tactics: Token theft, credential harvesting, data extortion, occasional ransomware.
• Google TAG (UNC6395): Assesses primary goal is credential harvesting, with secondary exploitation of AWS keys, Snowflake tokens, etc.
• FBI Advisory (Sept 2025): Warned of OAuth token abuse against Salesforce customers.

Impact

• Credential exposure poses risk of follow-on intrusions into cloud ecosystems.
• Enterprise trust erosion with stolen customer, opportunity, and case data.
• Highlights persistent GitHub token theft techniques (used since 2020 by Lapsus$/ShinyHunters).

Mitigations

• Revoke and rotate OAuth tokens across Salesforce, Drift, and integrated apps.
• Audit GitHub repos for hardcoded secrets (use tools like Gitleaks, TruffleHog).
• Apply least-privilege policies for integrations and monitor for suspicious API activity.
• Prepare for extortion attempts leveraging stolen data.

Reference

• BankInfoSecurity – ShinyHunters Counts 1.5 Billion Stolen Salesforce Records