Weekly Threat Landscape Digest – Week 42

1. Remotely Exploitable Vulnerability in Oracle E-Business Suite

Oracle has published a Security Alert for CVE-2025-61884, a high-severity (CVSS 7.5) remotely exploitable vulnerability in the Oracle Configurator – Runtime UI component of Oracle E-Business Suite (EBS). The flaw can be exploited without authentication over HTTP/HTTPS, potentially exposing sensitive configuration data and impacting the confidentiality of affected systems. 

Vulnerability Details

• CVE: CVE-2025-61884 – Oracle E-Business Suite Remote Unauthorized Access
• Severity: High (CVSS v3.1: 7.5)
• Component: Oracle Configurator (Runtime UI)
• Attack Vector: Network
• Protocol Affected: HTTP/HTTPS
• Authentication Required: No
• Affected Versions: Oracle E-Business Suite 12.2.3 to 12.2.14
• Impact: Exposure of sensitive configuration data (confidentiality impact)

Recommended Actions

1. Immediate Patching: Apply the official Oracle security patch for CVE-2025-61884 across all affected E-Business Suite versions (12.2.3–12.2.14).
2. Restrict Access: Temporarily restrict HTTP/HTTPS access to EBS Configurator endpoints from untrusted networks until patching is complete.
3. Monitor Activity: Enable detailed logging and monitor for any anomalous requests to /OA_HTML/cz.servlet or similar Configurator paths.

Reference

• https://www.oracle.com/security-alerts/alert-cve-2025-61884.html

2. Security Updates – GitLab Community Edition and Enterprise Edition

GitLab has released critical security patches (versions 18.4.2, 18.3.4, and 18.2.8) addressing multiple vulnerabilities in both GitLab Community Edition (CE) and Enterprise Edition (EE). These flaws could lead to unauthorized access, denial of service, and sensitive data exposure if left unpatched. Organizations using GitLab CE/EE are strongly advised to update to the latest fixed versions immediately to mitigate potential exploitation risks.

Vulnerability Details

• CVE-2025-11340 – Incorrect Authorization in GraphQL Mutations (EE Only)
  Authenticated users with read-only API tokens could exploit incorrectly scoped GraphQL mutations to perform unauthorized write actions on vulnerability records.
  Severity: High (CVSS 7.7)
• CVE-2025-10004 – Denial of Service in GraphQL Blob Type (CE/EE)
  Crafted GraphQL queries requesting large repository blobs could cause service degradation or outages.
  Severity: High (CVSS 7.5)
• CVE-2025-9825 – Missing Authorization in Manual Jobs (CE/EE)
  Authenticated users without project membership could view sensitive manual CI/CD variables via the GraphQL API.
  Severity: Medium (CVSS 5.0)
• CVE-2025-2934 – Denial of Service in Webhook Endpoints (CE/EE)
  Authenticated users could create webhook endpoints that send crafted HTTP responses, triggering denial of service due to a Ruby Core library flaw.
  Severity: Medium (CVSS 4.3)

Fixed Versions

• GitLab CE/EE: 18.4.2, 18.3.4, and 18.2.8

Recommended Actions

1. Immediate Update: Upgrade all GitLab CE and EE instances to versions 18.4.2 or later.
2. Restrict Access: Implement strict access controls on GraphQL APIs and webhook endpoints.
3. Monitor for Abuse: Check system logs for unusual GraphQL queries, webhook creation patterns, or API token misuse.
4. Review Permissions: Audit user roles and API token scopes to prevent unauthorized modifications.

Reference

• https://about.gitlab.com/releases/2025/10/08/patch-release-gitlab-18-4-2-released/

3. High-Severity Vulnerabilities in 7-Zip

Multiple high-severity vulnerabilities (CVE-2025-11001 and CVE-2025-11002) have been discovered in the open-source file compression utility 7-Zip, which could allow attackers to execute arbitrary code when a user opens or extracts a specially crafted ZIP file. The flaws stem from improper handling of symbolic links inside ZIP archives, potentially enabling attackers to overwrite sensitive files or execute malicious code on affected systems.

Vulnerability Details

• CVE IDs: CVE-2025-11001, CVE-2025-11002
• Severity: High (CVSS 7.0)
• Impact: Remote Code Execution
• Attack Vector: User-assisted (malicious ZIP file)
• Root Cause: Improper validation of symbolic links during ZIP extraction allows directory traversal and file overwrite outside intended paths.
• Affected Product: 7-Zip prior to version 25.00
• Fixed Version: 7-Zip 25.00 or later

Exploitation Scenarios

• Overwriting configuration or startup files to achieve persistence.
• Dropping malicious executables into trusted directories.
• Executing overwritten files or scripts for privilege escalation.
• Delivering malicious ZIP files via phishing campaigns (e.g., invoices, resumes, project files).

Recommended Actions

1. Immediate Update: Upgrade to 7-Zip version 25.00 or later on all systems.
2. Exercise Caution: Avoid opening or extracting ZIP files from untrusted or unknown sources.
3. Isolation: For automated or sandboxed extraction workflows, ensure isolation from production environments and monitor for file writes outside designated directories.
4. Audit and Monitor:
   • Review access to trusted directories and file paths.
   • Monitor for new files or scripts spawned by 7-Zip processes.

Reference

• https://www.zerodayinitiative.com/advisories/ZDI-25-950/
• https://www.zerodayinitiative.com/advisories/ZDI-25-949/

4. Critical Vulnerability in F5 Platforms

F5 has disclosed a critical vulnerability (CVE-2023-28863) affecting systems running AMI MegaRAC SPx12 and SPx13 firmware used in the Intelligent Platform Management Interface (IPMI). The flaw results from insufficient verification of data authenticity, allowing remote attackers with network access to bypass integrity and confidentiality protections negotiated in IPMI v2.0 sessions. Successful exploitation could lead to unauthorized access to the Always-On Management (AOM) subsystem and compromise of platform-level security controls on affected devices.

Vulnerability Details

• CVE ID: CVE-2023-28863
• Severity: Critical (CVSS 9.1)
• Vulnerability Type: Insufficient Verification of Data Authenticity
• Component: Intelligent Platform Management Interface (IPMI) – AMI MegaRAC SPx
• Attack Vector: Network
• Impact:
  • Bypass of IPMI session integrity and confidentiality mechanisms
  • Unauthorized access to management interfaces
  • System manipulation or firmware-level compromise
  • Potential exposure of credentials and operational data

Affected Platforms

• i2000 (C117)
• i4000 (C115)
• i5000 (C119)
• i7000 (C118)
• i10000 (C116)
• i11000 (C123)
• i15000 (D116)

Recommended Actions

1. Immediate Assessment: Identify all systems using affected AMI MegaRAC SPx12 or SPx13 firmware.
2. Restrict Access: Disable or isolate IPMI services from untrusted networks; limit management access to secure internal subnets only.
3. Apply Fixes: Monitor F5’s official advisories and apply the latest available firmware or patches once released.
4. Network Segmentation: Place management interfaces in dedicated, restricted VLANs to reduce exposure.
5. Audit and Monitor: Review logs for unauthorized IPMI activity or unusual management connections.

Reference

• https://my.f5.com/manage/s/article/K000156992

5. Critical Vulnerability in Elastic Cloud Enterprise (ECE)

Elastic has released urgent security updates for Elastic Cloud Enterprise (ECE) addressing a critical template injection vulnerability (CVE-2025-37729) in the Jinjava engine, which could allow authenticated attackers with administrative access to execute arbitrary commands or exfiltrate sensitive information. The flaw arises from improper neutralization of user-supplied input processed by Jinjava templates and affects multiple ECE versions.

Vulnerability Details

• CVE ID: CVE-2025-37729
• Severity: Critical (CVSS 9.1)
• Impact: Server-side code execution and sensitive data exfiltration
• Vulnerability Type: Template Injection in Jinjava Engine
• Root Cause: Improper neutralization of special characters in user-supplied strings processed by Jinjava
• Attack Vector: Administrative access to ECE console with Logging+Metrics enabled, allowing injection of malicious templates and retrieval of results from logs

Affected Versions

• 2.5.0 up to and including 3.8.1
• 4.0.0 up to and including 4.0.1

Fixed Versions

• Elastic Cloud Enterprise 3.8.2
• Elastic Cloud Enterprise 4.0.2

Recommended Actions

1. Immediate Update: Upgrade to Elastic Cloud Enterprise 3.8.2 or 4.0.2 immediately.
2. Access Review: Restrict administrative access to trusted personnel only.
3. Monitoring: Inspect logs for malicious Jinjava payloads or unauthorized template evaluations.
4. Harden Environments: Disable unnecessary admin interfaces and ensure separation between production and logging systems.

Reference

• https://discuss.elastic.co/t/elastic-cloud-enterprise-ece-3-8-2-and-4-0-2-security-update-esa-2025-21/382641 

6. Security Updates – Ivanti Endpoint Manager (EPM)

Ivanti has disclosed multiple security vulnerabilities in Ivanti Endpoint Manager (EPM), including two high-severity and eleven medium-severity flaws. Successful exploitation could enable privilege escalation or remote code execution (RCE) on affected systems. While no active exploitation has been reported yet, these vulnerabilities pose a significant risk to enterprise environments using Ivanti EPM for endpoint management.

High-Severity Vulnerability Details

• CVE-2025-11622 – Insecure Deserialization (CVSS 7.8, High)
  A local authenticated attacker could exploit insecure deserialization to escalate privileges on the affected system.
• CVE-2025-9713 – Path Traversal (CVSS 8.8, High)
  A remote unauthenticated attacker could exploit a path traversal flaw to achieve remote code execution (RCE).
  User interaction is required for successful exploitation.

Affected Versions

• Ivanti Endpoint Manager 2024 SU3 SR1 and prior:
  Vulnerable to CVE-2025-11622 and CVE-2025-9713. Fixes will be included in the 2024 SU4 version, targeted for November 12, 2025.
  Patches are currently in development; mitigations should be applied immediately.
• Ivanti Endpoint Manager 2022 SU8 SR2 and prior:
  This version is End of Life (EOL). Customers should migrate to the latest Ivanti EPM 2024 release to reduce exposure.
• Additional CVEs (CVE-2025-11623, CVE-2025-62392, CVE-2025-62390, CVE-2025-62389, CVE-2025-62388, CVE-2025-62387, CVE-2025-62385, CVE-2025-62391, CVE-2025-62383, CVE-2025-62386, CVE-2025-62384):
  These medium-severity issues will be addressed in the 2024 SU5 version, targeted for Q1 2026.

Recommended Actions

1. Monitor Vendor Updates: Follow Ivanti’s official advisories for patch release announcements and implementation timelines.
2. Upgrade Systems: Move to the latest supported Ivanti EPM version (2024 or newer) to mitigate risk.
3. Apply Mitigations: Use Ivanti’s published temporary mitigations until patches are officially released.
4. Review Privileges: Restrict local administrative access and audit user permissions within EPM.
5. Network Segmentation: Limit management server exposure by isolating EPM components and monitoring for abnormal traffic.

Reference

• https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025?language=en_US 

7. Critical Remote Code Execution Vulnerabilities in Veeam Backup & Replication

Veeam Software has released critical security updates addressing multiple vulnerabilities in Veeam Backup & Replication and Veeam Agent for Microsoft Windows. Two vulnerabilities (CVE-2025-48983 and CVE-2025-48984) can be exploited to achieve Remote Code Execution (RCE) on domain-joined backup servers by authenticated domain users, posing a significant risk to enterprise backup infrastructures. A third flaw (CVE-2025-48982) allows Local Privilege Escalation (LPE) on systems using Veeam Agent for Microsoft Windows.

Vulnerability Details

• CVE-2025-48983 – Remote Code Execution in Mount Service
  • Severity: Critical (CVSS 9.9)
  • Impact: Enables RCE on backup infrastructure hosts.
  • Attack Vector: Authenticated domain user exploiting the Mount service.
  • Affected Versions: Veeam Backup & Replication 12.3.2.3617 and earlier 12.x builds.
  • Notes: Impacts domain-joined infrastructure servers only; Veeam v13 and Software Appliance are not affected.
  • Fixed Version: 12.3.2.4165.
• CVE-2025-48984 – Remote Code Execution on Backup Server
  • Severity: Critical (CVSS 9.9)
  • Impact: RCE on domain-joined backup servers by authenticated users.
  • Attack Vector: Abuse of network access to compromise Veeam servers.
  • Affected Versions: Veeam Backup & Replication 12.3.2.3617 and earlier 12.x builds.
  • Notes: Impacts domain-joined environments; not applicable to the Veeam Software Appliance or v13 builds.
  • Fixed Version: 12.3.2.4165.
• CVE-2025-48982 – Local Privilege Escalation in Veeam Agent
  • Severity: High (CVSS 7.3)
  • Impact: Privilege escalation through restoration of malicious files.
  • Attack Vector: Requires user interaction or administrative file restoration.
  • Affected Versions: Veeam Agent for Microsoft Windows 6.3.2.1205 and earlier 6.x builds.
  • Fixed Version: 6.3.2.1302.

Recommended Actions

1. Apply Security Updates Immediately:
   Upgrade Veeam Backup & Replication and Veeam Agent for Microsoft Windows to the fixed versions or later.
2. Restrict Access:
   Limit administrative privileges on backup servers and ensure only trusted users have network access to management interfaces.
3. Monitor for Exploitation:
   Review system logs for unauthorized activities involving Veeam services or backup agents.
4. Segregate Backup Infrastructure:
   Place backup servers in isolated network zones to reduce exposure from compromised user accounts or lateral movement attempts.

Reference

• https://www.veeam.com/kb4771

8. Security Updates – Google Chrome

Google has released security updates addressing a high-severity vulnerability (CVE-2025-11756) in the Safe Browsing component of the Chrome browser. The flaw is classified as a use-after-free vulnerability, which could allow an attacker to execute arbitrary code or compromise the browser if a user visits a maliciously crafted webpage. This vulnerability impacts multiple platforms, including Windows, macOS, Linux, Android, and iOS.

Vulnerability Details

• CVE ID: CVE-2025-11756
• Vulnerability Type: Use-After-Free in Safe Browsing
• Severity: High
• Impact: Successful exploitation could allow arbitrary code execution within the context of the browser, potentially granting the attacker the same privileges as the logged-in user.

Fixed Versions

• Stable Channel Update for Desktop:
  • Chrome 141.0.7390.107/.108 for Windows and Mac
  • Chrome 141.0.7390.107 for Linux
• Chrome for Android:
  • Version 141.0.7390.111
• Extended Stable Channel for Desktop:
  • Chrome 140.0.7339.249 for Windows and Mac
• Chrome for iOS:
  • Version 141.0.7390.96

Recommended Actions

1. Update Immediately: Upgrade Google Chrome to the latest available version across all platforms (Windows, macOS, Linux, Android, iOS).
2. Enable Auto-Updates: Ensure automatic updates are enabled to prevent delay in applying future security patches.
3. Restart Browser: After updating, relaunch Chrome to ensure the new security patches are fully applied.
4. Monitor for Exploitation: SOC teams should monitor for any unusual browser behaviors or unauthorized network requests.

Reference

• https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_14.html 
• https://chromereleases.googleblog.com/

9. Security Updates – Microsoft (October 2025 Patch Tuesday)

Microsoft has released its October 2025 Patch Tuesday security updates addressing 172 vulnerabilities across multiple products, including six zero-day vulnerabilities and three actively exploited flaws. This release contains fixes for privilege escalation, remote code execution (RCE), and information disclosure vulnerabilities affecting Windows components, Azure services, Office products, and hardware drivers. Given the active exploitation of several vulnerabilities, organizations are urged to prioritize patching immediately.

Actively Exploited Zero-Day Vulnerabilities

1. CVE-2025-24990 – Windows Agere Modem Driver Elevation of Privilege
   • Type: Elevation of Privilege (EoP)
   • Impact: Local privilege escalation to SYSTEM level.
   • Description: Flaw in the Agere Modem driver (ltmdm64.sys) allows attackers to gain administrative privileges.
2. CVE-2025-47827 – Secure Boot Bypass in IGEL OS
   • Type: Secure Boot Bypass
   • Impact: Allows mounting of unverified root filesystems, leading to Secure Boot compromise.
   • Description: Improper signature verification in igel-flash-driver permits crafted images to bypass Secure Boot protection.
3. CVE-2025-59230 – Windows Remote Access Connection Manager Elevation of Privilege
   • Type: Elevation of Privilege (EoP)
   • Impact: SYSTEM-level access via improper permission handling.
   • Description: Local attackers can exploit weak access controls in the RasMan service to elevate privileges.

Other Zero-Day Vulnerabilities

1. CVE-2025-24052 – Windows Agere Modem Driver Elevation of Privilege
   • Type: EoP
   • Impact: Affects all supported Windows versions; exploitable even if the modem is inactive.
   • Description: Publicly disclosed flaw in the same driver class as CVE-2025-24990.
2. CVE-2025-0033 – AMD EPYC Processors SEV-SNP Race Condition
   • Type: Information Disclosure / Integrity Violation
   • Impact: Could compromise integrity of SEV-SNP protected memory during RMP initialization.
   • Description: Race condition in Secure Nested Paging (SNP) initialization may allow privileged attackers to alter RMP entries.
3. CVE-2025-2884 – TPM 2.0 Out-of-Bounds Read
   • Type: Information Disclosure / Denial of Service
   • Impact: Potential exposure of TPM data or service interruption.
   • Description: Out-of-bounds read in the CryptHmacSign function due to insufficient validation of signature schemes.

Recommended Actions

1. Prioritize Critical Patches: Apply fixes for all actively exploited zero-day vulnerabilities immediately.
2. Patch All Critical CVEs: Expedite patching for vulnerabilities rated “Exploitation More Likely” by Microsoft.
3. Comprehensive Update Rollout: Deploy all remaining October 2025 updates in line with your organization’s patch management schedule.
4. Monitor Systems: Enable advanced logging and review for exploitation indicators, especially privilege escalations and Secure Boot bypass attempts.

Reference

• https://msrc.microsoft.com/update-guide/releaseNote/2025-Oct

10. Immediate Action Required for F5 BIG-IP Product Compromise

A nation-state–affiliated threat actor has breached F5’s internal systems, stealing portions of BIG-IP source code and vulnerability data. This exposure significantly raises the risk of zero-day discovery and targeted exploitation of F5 products. Networks using BIG-IP and related F5 systems face severe threats, including credential theft, lateral movement, data exfiltration, and persistent compromise if not immediately remediated.

Incident Overview

The breach resulted in the theft of proprietary source code and internal vulnerability research data. The attacker may now have visibility into undisclosed weaknesses, potentially enabling the creation of targeted exploits against F5 products and environments. This event poses a high operational and national-level cybersecurity risk to organizations relying on F5 for traffic management, application delivery, and cloud-native network functions.

Affected Products

• Hardware: BIG-IP iSeries, rSeries, and all F5 devices that have reached end of support (EoS).
• Software:
  • BIG-IP (F5OS), BIG-IP (TMOS), Virtual Edition (VE)
  • BIG-IP Next
  • BIG-IQ
  • BIG-IP Next for Kubernetes (BNK) / Cloud-Native Network Functions (CNF)

Immediate Required Actions

1. Inventory and Identification:
   Identify all F5 BIG-IP hardware and software deployments, including on-premise, virtual, and cloud-native systems.
2. Harden Public-Facing Devices:
   • Check if BIG-IP management interfaces are exposed to the internet.
   • Restrict access to trusted management networks only.
   • Follow F5’s secure configuration best practices.
3. Update All F5 Products:
   • Apply the latest vendor-provided updates for F5OS, BIG-IP TMOS, BIG-IQ, and BNK/CNF.
   • Verify software integrity by validating checksums before applying updates.
   • Ensure continuous patching for both physical and virtual appliances.
4. Disconnect End-of-Support Devices:
   • Immediately disconnect and decommission all unsupported or legacy F5 devices exposed to the internet.
5. Mitigate Cookie Leakage:
   • Implement vendor-provided mitigations for known BIG-IP cookie leakage vulnerabilities.

Additional Security Recommendations

• Enable BIG-IP event streaming to your SIEM platform for continuous monitoring.
• Configure remote syslog servers for centralized log collection.
• Monitor for anomalous activity, including failed admin logins, unauthorized configuration changes, and suspicious privilege escalations.

F5 Vendor Updates

F5 has also released security updates addressing 44 vulnerabilities, including those linked to the breach discovered in August 2025. The updates are available for:

• BIG-IP
• F5OS
• BIG-IP Next for Kubernetes
• BIG-IQ
• APM Clients

Organizations must apply all available patches immediately, restrict external management access, and continuously monitor F5 devices for suspicious activity.

Reference

• https://www.cisa.gov/news-events/directives/ed-26-01-mitigate-vulnerabilities-f5-devices
• https://my.f5.com/manage/s/article/K000154696
• https://my.f5.com/manage/s/article/K000156572

11. Critical Adobe Experience Manager (AEM) Flaw Under Active Exploitation

A critical remote code execution (RCE) vulnerability in Adobe Experience Manager (AEM) — tracked as CVE-2025-54253 — is currently being actively exploited in the wild. The flaw impacts Adobe Experience Manager Forms 6.5.23 and earlier and has been assigned a CVSS score of 10.0, representing the highest level of severity. Public proof-of-concept (PoC) exploits for CVE-2025-54253 and related vulnerabilities are available online, increasing the likelihood of widespread exploitation.

Vulnerability Overview

The vulnerability arises from a misconfiguration weakness that allows unauthenticated attackers to bypass built-in security mechanisms and execute arbitrary code without user interaction. Successful exploitation can lead to complete system compromise, data theft, or deployment of ransomware and botnet payloads. Attackers are actively targeting internet-exposed AEM instances, making immediate remediation critical.

Vulnerability Details

• CVE-2025-54253 – Struts Dev Mode Configuration Issue (RCE)
  • Severity: Critical (CVSS 10.0)
  • Description: Misconfiguration vulnerability enabling arbitrary code execution by bypassing security mechanisms. Exploitation does not require user interaction.
  • Impact: Remote command execution and possible data exposure.
  • Status: Actively exploited in the wild.
• CVE-2025-49533 – GetDocumentServlet RCE
  • Severity: Critical
  • Description: Flaw in the GetDocumentServlet component allows unauthenticated, network-based code execution.
  • Impact: Remote attackers can execute arbitrary Java code on the affected server.
• CVE-2025-54254 – XML External Entity (XXE) Injection
  • Severity: High
  • Description: Improper XML input handling allows processing of external entities.
  • Impact: May expose internal files or sensitive data through crafted XML payloads.

Affected Versions

• Adobe Experience Manager (AEM) Forms on JEE 6.5.23.0 and earlier

Fixed Version

• Adobe Experience Manager (AEM) Forms on JEE 6.5.0-0108

Recommended Actions

1. Immediate Patching: Upgrade to AEM Forms 6.5.0-0108 or later as per Adobe’s October 2025 Security Update (APSB25-82).
2. Restrict Access: Limit external exposure of AEM administrative and authoring interfaces to internal or VPN-restricted networks.
3. Monitor for Exploitation: Review application logs for suspicious requests to AEM endpoints such as /bin/, /libs/, and /system/.
4. Network Segmentation: Isolate AEM servers from sensitive backend systems and enforce least-privilege access controls.
5. Incident Response: If compromise is suspected, preserve forensic data (logs, memory images) and initiate containment procedures immediately.

Reference

• https://helpx.adobe.com/security/products/aem-forms/apsb25-82.html

12. Security Updates – Cisco

Cisco has released multiple security updates addressing vulnerabilities across a wide range of its products, including Desk Phones, IP Phones, Video Phones, IOS XE Software, Snort 3, and TelePresence Collaboration systems. Successful exploitation of these flaws could allow attackers to execute arbitrary code, bypass secure boot protections, cause denial of service (DoS), or gain unauthorized access to sensitive data. Organizations using affected Cisco products should apply the recommended patches or mitigations immediately.

Vulnerability Details

1. Cisco Desk Phone 9800 Series, IP Phone 7800/8800 Series, and Video Phone 8875 (SIP Software Vulnerabilities)
   • Severity: High
   • CVE IDs: CVE-2025-20350, CVE-2025-20351
   • Description: Multiple vulnerabilities in the Session Initiation Protocol (SIP) software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) or execute arbitrary code on affected devices.
2. Cisco IOS XE Software – Secure Boot Bypass Vulnerabilities
   • Severity: High
   • CVE IDs: CVE-2025-20313, CVE-2025-20314
   • Description: Vulnerabilities in the Secure Boot implementation of Cisco IOS XE Software could allow a local attacker with root privileges to bypass secure boot restrictions and load unauthorized software, potentially leading to system compromise.
3. Cisco Products – Snort 3 MIME Denial of Service Vulnerabilities
   • Severity: Medium
   • CVE IDs: CVE-2025-20359, CVE-2025-20360
   • Description: Multiple DoS vulnerabilities in the Snort 3 detection engine’s handling of MIME data could allow an attacker to send crafted traffic that causes the Snort 3 process to restart unexpectedly, impacting network visibility and detection capabilities.
4. Cisco TelePresence Collaboration Endpoint and RoomOS Software – Information Disclosure Vulnerability
   • Severity: Medium
   • CVE ID: CVE-2025-20329
   • Description: A flaw in Cisco TelePresence and RoomOS software could allow an authenticated, remote attacker to access sensitive information due to improper access controls.

Recommended Actions

1. Apply Patches and Updates: Follow Cisco’s official guidance and apply the latest available updates for affected products.
2. Implement Mitigations: Where patches are not yet available, apply Cisco’s recommended workarounds to reduce exposure.
3. Restrict Access: Limit access to management interfaces to trusted networks only.
4. Monitor Systems: Continuously monitor affected devices for abnormal behavior, repeated restarts (Snort 3), or unauthorized access attempts.
5. Review Configurations: Validate secure boot settings and ensure only trusted software images are allowed to run.

Reference

• https://sec.cloudapps.cisco.com/security/center/publicationListing.x

13. Actively Exploited Flaw in Service Finder Bookings Plugin for WordPress

A critical authentication bypass vulnerability in the Service Finder Bookings plugin for WordPress — tracked as CVE-2025-5947 — is currently being actively exploited in the wild. The flaw allows unauthenticated attackers to gain access to any user account, including administrative accounts, resulting in complete site takeover. The plugin is distributed as part of the Service Finder WordPress theme, which is widely used for service-based websites.

Vulnerability Details

• CVE ID: CVE-2025-5947
• Severity: Critical (CVSS 9.8)
• Vulnerability Type: Authentication Bypass / Privilege Escalation
• Root Cause: Insufficient validation of user cookie values in the service_finder_switch_back() function allows attackers to impersonate other users by manipulating session cookies.
• Affected Component: Service Finder Bookings plugin (bundled with Service Finder theme)
• Impact: Full administrative access and arbitrary control over WordPress sites running vulnerable versions.

Observed Malicious Activity
Attackers have been observed exploiting this vulnerability to:

• Insert redirect code to fraudulent or malicious websites.
• Host malware, phishing kits, or spam content on compromised domains.

Affected Versions

• Service Finder theme: Versions ≤ 6.0

Fixed Version

• Service Finder theme: Version 6.1 or later

Recommended Actions

1. Immediate Update: Upgrade to Service Finder theme version 6.1 or later to patch the vulnerability.
2. Audit Accounts: Review WordPress admin and user access logs for unauthorized logins or privilege escalation events.
3. Revoke Sessions: After updating, revoke all active sessions and enforce strong cookie/session handling practices.
4. Web Application Firewall (WAF): Enable or update WAF rules to block exploitation attempts targeting this vulnerability.
5. Monitor Network Traffic: Flag and monitor any inbound connections originating from the IoCs listed above.

Reference

• https://www.wordfence.com/blog/2025/10/attackers-actively-exploiting-critical-vulnerability-in-service-finder-bookings-plugin/ 

14. Security Updates – Dell Client Platform

Dell Technologies has released security updates to remediate multiple high-severity vulnerabilities affecting NVIDIA® GPU Display Drivers used across Dell Client Platforms. Successful exploitation of these flaws could allow attackers to execute arbitrary code, escalate privileges, cause denial of service (DoS), or access sensitive system information. Both local and remote attack vectors may be leveraged depending on the configuration and driver version in use.

Vulnerability Details

• CVE-2025-23309 – Uncontrolled DLL Loading Path (High | CVSS 8.2)
  • A vulnerability in the NVIDIA Display Driver could allow arbitrary code execution, privilege escalation, denial of service, and data tampering due to an uncontrolled DLL loading path.
• CVE-2025-23347 – Permission Escalation in Project G-Assist (High | CVSS 7.8)
  • An issue in NVIDIA Project G-Assist may allow an attacker to escalate permissions, leading to potential code execution, privilege escalation, data tampering, denial of service, or information disclosure.
• CVE-2025-23345 – Out-of-Bounds Read in Video Decoder (Medium | CVSS 4.4)
  • A flaw in the NVIDIA Display Driver for Windows and Linux could cause an out-of-bounds read, enabling information disclosure or denial of service through crafted input data.

Affected Versions

• Dell OptiPlex 5080, 5090 (Micro, SFF, Tower), 7070, 7090 Tower, and Vostro 5890
  • NVIDIA GeForce GT 10xx / GTX 1xx0 / RTX x0x0 series
  • Affected Versions: Earlier than 32.0.15.8104
  • Remediated Version: 32.0.15.8104 and later

Note: This list may not include all affected Dell products. Users should confirm applicability through the Dell Drivers & Downloads page or contact Dell Support for validation.

Recommended Actions

1. Immediate Update: Upgrade NVIDIA GPU Display Drivers to version 32.0.15.8104 or later using Dell’s official support portal.
2. Verification: Validate driver integrity post-installation and ensure the latest NVIDIA patches are applied.
3. Monitoring: Monitor systems for anomalous GPU process behavior or unexpected service terminations.
4. System Hardening: Restrict administrative access and enforce the principle of least privilege for local users.
5. Asset Review: Confirm that all Dell client systems are using supported and up-to-date firmware and drivers.

Reference

• https://www.dell.com/support/kbdoc/en-us/000368128/dsa-2025-353

15. Local Privilege Escalation Vulnerability in HPE SimpliVity Servers

Hewlett Packard Enterprise (HPE) has released a security update addressing a local privilege escalation vulnerability — tracked as CVE-2025-20109 — affecting certain HPE SimpliVity Gen11 servers that use impacted Intel processors. The flaw originates from the Intel Processor Stream Cache component, disclosed under Intel Security Advisory INTEL-SA-01249 as part of the 2025.2 Intel Platform Update (IPU). Successful exploitation could allow a local attacker with limited privileges to gain elevated access on affected systems, compromising system confidentiality, integrity, and availability.

Vulnerability Details

• CVE ID: CVE-2025-20109
• Severity: High (CVSS v3.1: 7.8)
• Vulnerability Type: Local Privilege Escalation
• Description: A vulnerability in Intel’s Processor Stream Cache, if exploited, allows a local attacker to escalate privileges on HPE SimpliVity Gen11 systems using affected Intel processors.
• Affected Product: HPE SimpliVity 380 Gen11
• Affected Versions: Firmware versions prior to HPE SimpliVity Gen11 Firmware v2025_1001
• Fixed Version: HPE SimpliVity Gen11 Firmware v2025_1001 or later

Recommended Actions

1. Immediate Firmware Update: Upgrade all HPE SimpliVity Gen11 servers to Firmware v2025_1001 or later.
2. Validate Patch Application: Confirm firmware version post-update and ensure successful installation using HPE management utilities.
3. Access Control: Restrict local administrative privileges and monitor for unauthorized local activity.
4. Monitoring: Review system and kernel logs for privilege escalation attempts or anomalous user behavior.
5. Ongoing Maintenance: Regularly check HPE and Intel advisories for additional microcode or firmware updates associated with this issue.

Reference

• https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbhf04935en_us&docLocale=en_US 

16. Security Updates – NVIDIA

NVIDIA has released security updates addressing multiple vulnerabilities across its product lines, including GPU Display Drivers, vGPU Software, and Cloud Gaming components. Successful exploitation of these vulnerabilities could allow attackers to execute arbitrary code, escalate privileges, tamper with data, disclose sensitive information, or cause denial of service (DoS). These updates are part of NVIDIA’s October 2025 security release and apply to both Windows and Linux environments.

Vulnerability Details

• CVE-2025-23309 – High (CVSS 8.2): Uncontrolled DLL loading path in NVIDIA Display Driver.
• CVE-2025-23347 – High (CVSS 7.8): Vulnerability in NVIDIA Project G-Assist allowing privilege escalation and potential code execution.
• CVE-2025-23352 – High (CVSS 7.8): Uninitialized pointer access in NVIDIA vGPU Software Virtual GPU Manager leading to potential code execution.
• CVE-2025-23280 – High (CVSS 7.0): Use-after-free vulnerability in NVIDIA Display Driver for Linux that may result in arbitrary code execution.
• CVE-2025-23282 – High (CVSS 7.0): Race condition in NVIDIA Display Driver for Linux, enabling possible privilege escalation or DoS.
• CVE-2025-23300 – Medium (CVSS 5.5): Null pointer dereference in NVIDIA Display Driver for Linux causing potential DoS.
• CVE-2025-23330 – Medium (CVSS 5.5): Null pointer dereference in NVIDIA Display Driver for Linux kernel module.
• CVE-2025-23332 – Medium (CVSS 5.0): Null pointer dereference in Linux kernel module, leading to application crash or system instability.
• CVE-2025-23345 – Medium (CVSS 4.4): Out-of-bounds read in NVIDIA Display Driver for Windows and Linux resulting in information disclosure or DoS.

Affected Products

• Windows Drivers: GeForce, RTX, Quadro, NVS, Tesla (branches R580, R570, R535)
• Linux Drivers: GeForce, RTX, Quadro, NVS, Tesla (branches R580, R570, R535)
• vGPU Software: Guest Drivers and Virtual GPU Manager for Windows, Linux, XenServer, VMware vSphere, and RHEL KVM
• Cloud Gaming: Linux Guest Driver and vGPU Manager

Fixed Versions

• Windows: 581.42 (R580), 573.76 (R570), 539.56 (R535)
• Linux: 580.95.05 (R580), 570.195.03 (R570), 535.274.02 (R535)
• vGPU Manager / Cloud Gaming: Latest versions listed in NVIDIA’s official documentation

Recommended Actions

1. Apply Updates Immediately: Upgrade NVIDIA Display Drivers, vGPU Software, and Cloud Gaming components to the fixed or latest versions.
2. Validate Driver Integrity: Ensure installation packages are downloaded only from NVIDIA’s official sources.
3. System Hardening: Restrict local administrative privileges to reduce exploitation impact.
4. Monitor for Anomalies: Check logs for signs of GPU driver crashes, privilege escalation attempts, or abnormal process execution.
5. Regular Maintenance: Keep NVIDIA drivers and virtualization components up to date in alignment with enterprise patch management policies.

Reference

• https://nvidia.custhelp.com/app/answers/detail/a_id/5703

17. Security Updates – SAP

SAP has released its October 2025 Security Updates, addressing multiple critical and high-severity vulnerabilities across several SAP products. Successful exploitation could allow attackers to perform remote code execution, directory traversal, unrestricted file uploads, denial of service (DoS), unauthorized access, information disclosure, cross-site request forgery (CSRF), or memory corruption.
These vulnerabilities impact widely used SAP components such as NetWeaver, S/4HANA, Commerce Cloud, and Supplier Relationship Management, making immediate patching essential.

Critical Vulnerabilities

• CVE-2025-42944 – Security Hardening for Insecure Deserialization
  • Product: SAP NetWeaver AS Java
  • Version: SERVERCORE 7.50
  • CVSS: 10.0
• CVE-2025-42937 – Directory Traversal
  • Product: SAP Print Service
  • Versions: SAPSPRINT 8.00, 8.10
  • CVSS: 9.8
• CVE-2025-42910 – Unrestricted File Upload
  • Product: SAP Supplier Relationship Management
  • Versions: SRMNXP01 100, 150
  • CVSS: 9.0

High-Severity Vulnerabilities

• CVE-2025-5115 – Denial of Service (DoS)
  • Product: SAP Commerce Cloud
  • Versions: HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
  • CVSS: 7.5
• CVE-2025-48913 – Security Misconfiguration
  • Product: SAP Data Hub Integration Suite
  • Version: CX_DATAHUB_INT_PACK 2205
  • CVSS: 7.1

Medium-Severity Vulnerabilities

• CVE-2025-0059 – Information Disclosure
  • Product: SAP NetWeaver Application Server ABAP
  • Versions: KRNL64UC 7.53, KERNEL 7.53–9.14
  • CVSS: 6.0
• CVE-2025-42901 – Code Injection (BAPI Browser)
  • Product: SAP Application Server for ABAP
  • Versions: SAP_BASIS 700–758, 816
  • CVSS: 5.4
• CVE-2025-42908 – Cross-Site Request Forgery (CSRF)
  • Product: SAP NetWeaver AS for ABAP
  • Versions: KRNL64UC 7.53–9.16
  • CVSS: 5.4
• CVE-2025-42906 – Directory Traversal
  • Product: SAP Commerce Cloud
  • Version: COM_CLOUD 2211
  • CVSS: 5.3
• CVE-2025-42902 – Memory Corruption
  • Product: SAP NetWeaver AS ABAP & ABAP Platform
  • Versions: KRNL64NUC 7.22–9.16
  • CVSS: 5.3
• CVE-2025-42939 – Missing Authorization Check
  • Product: SAP S/4HANA
  • Versions: S4CORE 104–109
  • CVSS: 4.3
• CVE-2025-42903 – User Enumeration & Sensitive Data Exposure via RFC
  • Product: SAP Financial Service Claims Management
  • Versions: INSURANCE 803–806, S4CEXT 107–109
  • CVSS: 4.3

Low-Severity Vulnerabilities

• CVE-2025-31672 – Deserialization Vulnerability
  • Product: SAP BusinessObjects
  • Versions: ENTERPRISE 430, 2025, 2027
  • CVSS: 3.5
• CVE-2025-42909 – Security Misconfiguration
  • Product: SAP Cloud Appliance Library Appliances
  • Version: TITANIUM_WEBAPP 4.0
  • CVSS: 3.0

Recommended Actions

1. Immediate Update: Apply the October 2025 SAP Security Patches across all affected products.
2. Prioritize Critical Components: Patch NetWeaver, Supplier Relationship Management, and Print Service first due to their critical exposure.
3. Review Configurations: Harden SAP applications against deserialization, file upload, and traversal attacks.
4. Access Control: Restrict administrative privileges and regularly review authorization settings.
5. Monitor Logs: Continuously monitor SAP systems for indicators of exploitation or suspicious access activity.

Reference

• https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october2025.html

18. Multiple Vulnerabilities in Rockwell Automation Products

Rockwell Automation has released multiple security advisories addressing critical vulnerabilities affecting the 1783-NATR Network Address Translation (NAT) Router, FactoryTalk suite, and ArmorStart AOP.
Successful exploitation could allow unauthorized access, privilege escalation, configuration tampering, or denial-of-service (DoS) conditions within industrial control environments. These vulnerabilities pose a severe risk to operational technology (OT) and industrial automation networks.

Vulnerability Details

1. 1783-NATR Network Address Translation (NAT) Router

• CVE-2025-7328 – Broken Authentication (CVSS 10.0)
  Missing authentication checks on key functions may allow remote administrative takeover, NAT rule modification, or device DoS.
• CVE-2025-7329 – Stored Cross-Site Scripting (CVSS 8.4)
  Improper filtering of input fields allows injection of malicious JavaScript, exposing configuration data or altering web content. Requires authentication.
• CVE-2025-7330 – Cross-Site Request Forgery (CSRF) (CVSS 8.0)
  Lack of CSRF protection allows attackers to modify router configurations if an authenticated administrator visits a crafted link.
• Affected Versions: 1.006 and earlier
• Fixed Version: 1.007 and later

2. FactoryTalk Product Line Vulnerabilities

FactoryTalk Linx

• CVE-2025-9067, CVE-2025-9068 – SYSTEM Privilege Escalation (CVSS v3.1: 7.8 / v4.0: 8.5)
  Flaws in the MSI repair mechanism allow authenticated users to spawn SYSTEM-level command prompts, granting full control of affected systems.
• Affected Versions: 6.40 and prior
• Fixed Version: 6.50 and later

FactoryTalk View Machine Edition (ME)

• CVE-2025-9064 – Path Traversal Deletion Flaw (CVSS 8.7)
  Unauthenticated attackers can delete arbitrary OS files on vulnerable panels.
• CVE-2025-9063 – Authentication Bypass in Web Browser ActiveX
  Allows unauthorized access to the file system and diagnostic data on PanelView Plus 7 Series B terminals.
• Affected Versions: Version 14 and prior
• Fixed Versions:
  • PanelView Plus 7 Standard / Performance Series A: v12, v13, v14 (Patch AID BF30506)
  • PanelView Plus 7 Performance Series B: v14.103

FactoryTalk ViewPoint

• CVE-2025-9066 – XML External Entity (XXE) to DoS (CVSS 8.7)
  Unauthenticated SOAP requests may trigger denial-of-service.
• Affected Versions: Firmware v14 and earlier
• Fixed Versions:
  • PanelView Plus 7 Standard / Performance Series A: v12, v13, v14 (Patch AID BF30506)
  • PanelView Plus 7 Performance Series B: v14.103

3. ArmorStart AOP for Studio 5000 Logix Designer

• CVE-2025-9437 – Denial-of-Service via COM Method Exception (CVSS 8.7)
  Improper input handling in COM methods can crash the add-on profile, disrupting motor controller functionality.
• Affected Version: V2.05.07
• Fix: Apply vendor patch and restrict AOP access to authorized engineering workstations only.

Recommended Actions

1. Update Immediately: Upgrade all affected Rockwell Automation products to the latest fixed versions.
2. Network Segmentation: Enforce strict segregation between OT and IT networks to minimize lateral movement.
3. Access Control: Restrict administrative interfaces to trusted management hosts.
4. System Hardening: Disable public exposure of control system assets to the internet.

References

• https://www.rockwellautomation.com/en-us/trust-center/securityadvisories/advisory.SD1756.html
• https://www.rockwellautomation.com/en-us/trust-center/securityadvisories/advisory.SD1754.html
• https://www.rockwellautomation.com/en-us/trust-center/securityadvisories/advisory.SD1753.html
• https://www.rockwellautomation.com/en-us/trust-center/securityadvisories/advisory.SD1752.html
• https://www.rockwellautomation.com/en-us/trust-center/securityadvisories/advisory.SD1751.html

19. Remote Code Execution Vulnerability in Apache ActiveMQ NMS AMQP Client

The Apache Software Foundation has released a security advisory addressing a critical remote code execution (RCE) vulnerability in Apache ActiveMQ NMS AMQP Client, which could be exploited by attackers to execute arbitrary code on affected systems. Successful exploitation may lead to data theft, unauthorized access, or lateral movement within enterprise environments.

This vulnerability arises from unsafe deserialization of untrusted data when connecting to malicious AMQP servers, posing a high risk to organizations using the affected client for messaging and integration workflows.

Vulnerability Details

• CVE ID: CVE-2025-54539
• Severity: Important
• Vulnerability Type: Deserialization of Untrusted Data
• Impact: Remote Code Execution (RCE)
• Description:
  The flaw exists in the Apache ActiveMQ NMS AMQP Client, a .NET library that facilitates communication between applications and ActiveMQ message brokers using AMQP. When the client connects to a malicious or compromised AMQP server, the unsafe deserialization process can be exploited to execute arbitrary code on the client system.
  A mitigation mechanism added in version 2.1.0 introduced allow/deny lists for deserialization control, but this restriction was later found to be bypassable, leaving all versions up to 2.3.0 vulnerable.

Affected Versions

• Apache ActiveMQ NMS AMQP Client versions up to and including 2.3.0

Fixed Versions

• Apache ActiveMQ NMS AMQP Client version 2.4.0 and later

Recommended Actions

1. Immediate Upgrade: Update to Apache ActiveMQ NMS AMQP Client v2.4.0 or later to mitigate the vulnerability.
2. Restrict External Connections: Avoid connecting to untrusted or unknown AMQP servers. Implement strict network-level segmentation between internal message brokers and external environments.
3. Code Integrity Validation: Validate libraries and dependencies to ensure no tampering or unapproved modifications.
4. Monitor for Suspicious Activity: Review system and application logs for unexpected AMQP connections or anomalous process creation.
5. Dependency Review: Audit existing integrations using Apache ActiveMQ NMS AMQP Client and update all affected components within the software supply chain.

Reference

• https://seclists.org/oss-sec/2025/q4/47

20. Critical Remote Code Execution Flaw in Samba Active Directory Domain Controller (AD DC)

The Samba Team has issued an urgent security advisory addressing two vulnerabilities impacting Samba Active Directory Domain Controllers (AD DCs). The most severe, CVE-2025-10230, is a command injection vulnerability rated CVSS 10.0 (Critical) that allows unauthenticated remote code execution (RCE) when the WINS server feature is enabled with a configured wins hook parameter.
A second flaw, CVE-2025-9640, is an information disclosure vulnerability in the vfs_streams_xattr module, allowing authenticated users to read portions of uninitialized memory, potentially exposing sensitive data.

These vulnerabilities pose a high risk of domain compromise and unauthorized code execution on affected systems.

Vulnerability Details

1. CVE-2025-10230 – Command Injection via WINS Server Hook

• Severity: Critical
• CVSS v3.1 Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
• Affected Component: WINS Server (Active Directory Domain Controller)
• Description: The vulnerability arises when the WINS hook mechanism is configured to run external scripts upon WINS name changes. Improper sanitization of parameters allows attackers to inject arbitrary shell commands, resulting in unauthenticated remote code execution.
• Affected Versions: All Samba versions since 4.0
• Fixed Versions: Samba 4.23.2, 4.22.5, 4.21.9

2. CVE-2025-9640 – Information Disclosure via vfs_streams_xattr

• Severity: Medium
• Description: Improper handling of uninitialized memory in the vfs_streams_xattr module could allow authenticated users to read fragments of memory containing potentially sensitive data.
• Impact: Information disclosure from Samba file services.

Recommended Actions

1. Immediate Patching:
   • Upgrade Samba installations to 4.23.2, 4.22.5, or 4.21.9 (or later).
2. Mitigation (if patching is delayed):
   • Disable the WINS server feature or remove the “wins hook” parameter from configurations.
3. Restrict Access:
   • Limit AD DC network exposure to trusted administrative subnets.
4. Monitoring:
   • Review Samba and system logs for unauthorized script execution or abnormal activity.
5. Information Security Controls:
   • Enforce least privilege and audit user access to Samba AD DC services.

Reference

• https://www.samba.org/samba/security/CVE-2025-10230.html

21. Critical SQL Injection Vulnerability in ArcGIS Server

Esri has released a critical security patch addressing a severe SQL Injection vulnerability (CVE-2025-57870) in ArcGIS Server Feature Services, which could allow unauthenticated attackers to execute arbitrary SQL commands on backend databases.
Successful exploitation may lead to data exfiltration, modification, or complete system compromise across environments including Windows, Linux, and Kubernetes.
Although no active exploitation has been reported yet, this vulnerability poses a high risk to all organizations running affected ArcGIS Server versions.

Vulnerability Details

• CVE ID: CVE-2025-57870
• Vulnerability Type: SQL Injection (CWE-89)
• Severity: Critical
• CVSS v4.0 Base Score: 10.0 (Critical)
• Impact:
  • Remote code execution
  • Data manipulation or exfiltration
  • Unauthorized access to sensitive databases and systems
• Exploit Status: No known active exploitation as of October 7, 2025
• Affected Versions: ArcGIS Server 11.3, 11.4, and 11.5
• Unaffected Versions: ArcGIS Server 11.2 and earlier; upcoming 12.x releases not impacted
• Mitigation Available: Web Application Firewall (WAF) rule set v2.2.1, provided through the ArcGIS Trust Center

Recommended Actions

1. Immediate Patch Deployment:
   Apply the ArcGIS Server Feature Services Security Patch (October 2025) on all affected instances (versions 11.3–11.5).
2. Patch Dependencies:
   Ensure all previously released patches are installed before applying this non-cumulative update.
3. WAF Mitigation:
   Implement the ArcGIS WAF rule set v2.2.1 as an additional security layer against injection attempts.
4. Database Monitoring:
   Review database query logs for unusual or unauthorized SQL activity.
5. Access Controls:
   Limit database access to essential services and enforce least privilege principles for connected applications.
6. Verification:
   After patching, validate system integrity and conduct regression testing to confirm patch effectiveness.

Reference

• https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/arcgis-server-feature-services-security-patch 

22. Hackers Weaponize Velociraptor DFIR Tool in LockBit Ransomware Attacks

According to research by Sophos, Cisco Talos, and Halcyon, Storm-2603 exploited on-premises Microsoft SharePoint vulnerabilities (ToolShell) to gain initial access and deployed an outdated Velociraptor version (0.73.4.0) vulnerable to CVE-2025-6264 — a privilege escalation flaw enabling arbitrary command execution.
After compromising the environment, the attackers created domain admin accounts, disabled real-time protection, and used Smbexec to execute programs over SMB for remote control and persistence.

The campaign also involved:

• Tampering with Active Directory Group Policy Objects (GPOs) to weaken security policies.
• Deploying multiple ransomware families (LockBit, Warlock, Babuk) to confuse attribution and accelerate encryption impact.
• Conducting data exfiltration prior to encryption to increase extortion leverage.

This marks the first known instance of Storm-2603 deploying Babuk ransomware, expanding beyond its previous LockBit-centric operations.

Technical Insights

• Abused Tool: Velociraptor DFIR Framework (v0.73.4.0 – vulnerable version)
• Vulnerability: CVE-2025-6264 – Privilege Escalation in Velociraptor
• Exploited Vector: Microsoft SharePoint on-premise vulnerabilities (ToolShell exploit chain)
• Ransomware Deployed: LockBit, Warlock, Babuk
• Post-Exploitation Tools: Smbexec, GPO modification, custom PowerShell scripts
• Observed Objective: Privilege escalation, domain compromise, data exfiltration, and ransomware deployment

Attribution

• Threat Actor: Storm-2603 (CL-CRI-1040 / Gold Salem)
• Assessed Origin: Likely China-based, indicated by build timestamps (compiled between 22:58–22:59 CST) and consistent C2 domain overlaps across Warlock, LockBit, and Babuk operations.
• Behavioral Traits:
  • 48-hour development cycles for ransomware feature updates.
  • Use of professional CI/CD-style build environments.
  • OPSEC measures like stripped timestamps and corrupted expiration mechanisms.

Recommended Actions

1. Patch and Update:
   • Upgrade Velociraptor to the latest version to mitigate CVE-2025-6264.
   • Ensure SharePoint servers are patched against known ToolShell vulnerabilities.
2. Restrict Tool Usage:
   • Limit use of DFIR or remote administration tools (e.g., Velociraptor, Smbexec) to authorized analysts only.
3. Monitor Network Behavior:
   • Detect abnormal SMB traffic, PowerShell executions, or mass GPO changes.
4. Harden AD Configurations:
   • Enforce least privilege, review Group Policy permissions, and monitor for unauthorized account creation.

Reference

• https://thehackernews.com/2025/10/hackers-turn-velociraptor-dfir-tool.html

23. NPM Infrastructure Abused in Phishing Campaign Targeting Industrial and Electronics Firms (Beamglea Campaign)

Security researchers discovered over 175 malicious NPM packages abusing unpkg[.]com, collectively downloaded more than 26,000 times. These packages were published using names with random six-character strings following the pattern “redirect-[a-z0-9]{6}”. Once uploaded to NPM, the unpkg CDN automatically served them over HTTPS, giving attackers a trusted distribution channel.

The phishing lure involves HTML documents masquerading as purchase orders, technical specifications, and project documents. When opened, these HTML files load malicious JavaScript from unpkg[.]com, redirecting victims to phishing domains that pre-fill the user’s email address for credibility.

Researchers confirmed the campaign targeted over 135 organizations, including:
Algodue, ArcelorMittal, Demag Cranes, D-Link, H2 Systems, Moxa, Piusi, Renishaw, Sasol, Stratasys, and ThyssenKrupp Nucera.
The primary targets are located in Western Europe, with additional victims in Northern Europe and the Asia-Pacific region.

Technical Details

• Campaign Name: Beamglea
• Infrastructure Abused: NPM registry + unpkg[.]com CDN
• Number of Packages Identified: 175 (with 630 associated phishing HTML files)
• File Pattern: redirect-[a-z0-9]{6}
• Campaign Tag: nb830r6x (found in meta tags of malicious HTML files)
• Behavior:
  • Loads JavaScript from unpkg[.]com to redirect to phishing URLs.
  • Passes victim email addresses through the URL fragment to pre-fill login forms.
  • Mimics legitimate document and project templates to lure users.
• Automation:
  • Attackers used Python scripts to auto-generate NPM packages and associated phishing HTML pages, drastically increasing scale and speed.
• Similar Campaigns:
  • Related packages using the naming scheme “mad-*” were observed hosting fake “Cloudflare Security Check” pages that redirect users to attacker-controlled GitHub URLs, with anti-analysis mechanisms and frame-busting logic.

Impact

• Credential theft targeting corporate and industrial users.
• Potential exposure of business email credentials and access tokens.
• Reputational risk due to abuse of legitimate open-source infrastructure.

Recommended Actions

1. Detection and Blocking:
   • Block access to unpkg[.]com URLs matching the redirect-* pattern.
   • Add the campaign identifier “nb830r6x” and related phishing URLs to deny lists.
2. Supply Chain Security:
   • Monitor NPM dependencies for unfamiliar or newly registered packages.
   • Implement NPM package integrity verification using npm audit or socket.dev.
3. User Awareness:
   • Warn staff against opening unsolicited HTML attachments or “purchase order” documents.
   • Train employees to identify fake login pages that auto-populate credentials.
4. Incident Response:
   • Review proxy and firewall logs for traffic to unpkg[.]com or GitHub-based phishing domains.
   • Rotate credentials if phishing exposure is suspected.
5. Developer Environment Hygiene:
   • Limit dependency auto-updates and enforce allowlisting of trusted NPM publishers.

References

• https://www.securityweek.com/npm-infrastructure-abused-in-phishing-campaign-aimed-at-industrial-and-electronics-firms/

24. Researchers Expose TA585’s MonsterV2 Malware Capabilities and Attack Chain

The threat actor leverages IRS-themed phishing emails, JavaScript web injections, and fake GitHub security alerts to deliver the MonsterV2 malware.
Initial access is achieved using the ClickFix social engineering tactic, which manipulates victims into executing malicious PowerShell commands disguised as legitimate actions, triggering the malware infection chain.

Subsequent attack waves observed since April 2025 include the use of malicious JavaScript injections on legitimate websites displaying fake CAPTCHA verification overlays, leading to PowerShell-based malware deployment.

Further campaigns abused GitHub notifications, tagging users in fake security advisories containing malicious URLs leading to attacker-controlled infrastructure.
The malware distribution infrastructure overlaps with intlspring[.]com, previously linked to Rhadamanthys Stealer and CoreSecThree, a persistent malware delivery framework active since 2022.

Technical Details

• Threat Actor: TA585
• Primary Malware: MonsterV2 (aka Aurotun Stealer)
• Initial Vector: IRS-themed phishing emails, fake GitHub alerts, malicious JavaScript web injections
• Exploited Mechanism: ClickFix social engineering technique (PowerShell execution)
• Malware Type: Stealer / RAT / Loader
• Crypter Used: SonicCrypt (C++ packer with anti-analysis capabilities)
• Infrastructure Overlaps: intlspring[.]com, CoreSecThree delivery framework
• C2 Communication: Uses “api.ipify[.]org” for IP-based geolocation and C2 initiation

MonsterV2 Capabilities:

• Data theft (browser credentials, cryptocurrency wallets, files)
• Hidden Virtual Network Computing (HVNC) for remote access
• Keylogging and screenshot capture
• Clipboard hijacking to replace cryptocurrency wallet addresses
• Process manipulation (terminate, suspend, resume)
• Privilege escalation and persistence setup
• Download and execute secondary payloads such as StealC and Remcos RAT

Configuration Flags:

• anti_dbg: Detect and evade debugging tools
• anti_sandbox: Detect and evade sandbox environments
• aurotun: Enable persistence
• privilege_escalation: Elevate local privileges

Attribution & Infrastructure

• Actor: TA585
• Associated Frameworks: CoreSecThree, CastleLoader
• Malware Pricing:
  • Standard edition: $800/month
  • Enterprise edition: $2,000/month (includes stealer, loader, HVNC, CDP integration)
• Language / Origin: Russian-speaking operators; avoids infecting CIS-based systems

Impact

• Full compromise of infected systems with potential remote takeover
• Theft of sensitive enterprise data and credentials
• Use of compromised accounts for lateral movement and further phishing operations
• Risk of multiple payload deployments (StealC, Remcos RAT, Rhadamanthys) within the same network

Recommended Actions

1. Email and Web Security:
   • Block suspicious PowerShell execution initiated from email attachments or embedded links.
   • Deploy URL rewriting and sandbox scanning for inbound emails.
2. Endpoint Protection:
   • Detect and block PowerShell abuse patterns related to ClickFix technique.
   • Monitor registry and persistence entries for unusual autorun modifications.
3. Network Defense:
   • Detect connections to known C2s and malicious domains such as intlspring[.]com and api.ipify[.]org.
   • Implement behavior-based detection for HVNC-related traffic.
4. Threat Intelligence Integration:
   • Add IOC patterns for MonsterV2 and TA585 infrastructure to SIEM/SOAR monitoring systems.
5. User Awareness:
   • Educate employees on phishing tactics involving fake IRS, CAPTCHA, or GitHub alerts.

References

• https://thehackernews.com/2025/10/researchers-expose-ta585s-monsterv2.html