Weekly Threat Landscape Digest – Week 46

1. Security Updates – Microsoft (November 2025 Patch Tuesday)

Microsoft has released its November 2025 Patch Tuesday updates, addressing 68 vulnerabilities across Windows, Office, SQL Server, Hyper-V, Visual Studio, Edge (Chromium), and more. This includes 1 actively exploited zero-day, 5 critical, and 64 important vulnerabilities. The most urgent issue is CVE-2025-62215, a Windows Kernel EoP zero-day already exploited in the wild, enabling attackers with local access to gain SYSTEM privileges.

Key Zero-Day and Critical Vulnerabilities

CVE-2025-62215 – Windows Kernel | Elevation of Privilege (Race Condition) – Zero-day
• Allows authenticated attackers to escalate to SYSTEM
• Actively exploited; highest priority

CVE-2025-60724 – GDI+ Component | Remote Code Execution (Heap Overflow)
• RCE via crafted metafile document
• Remote exploitation possible through malicious content

CVE-2025-62199 – Microsoft Office | Remote Code Execution (Use-after-free)
• Requires user to open malicious document
• Leads to code execution in user context

CVE-2025-60716 – DirectX Graphics Kernel | Elevation of Privilege (Use-after-free)
• SYSTEM-level privilege escalation
• Requires authenticated attacker

CVE-2025-62214 – Visual Studio | Command Injection
• Local code execution
• Requires authenticated access

CVE-2025-30398 – Nuance PowerScribe 360 | Information Disclosure
• Sensitive data exposed via unauthenticated API call

Affected Products

Windows OS Components: Kernel, DirectX, RRAS, Hyper-V, Smart Card, Bluetooth RFCOMM, Log File System, WLAN, TDX.sys
Microsoft Office: Word, Excel, SharePoint, Dynamics 365
Developer Tools: Visual Studio, VS Code, GitHub Copilot
Server Components: SQL Server, Windows License Manager, Configuration Manager
Other: Nuance PowerScribe 360, OneDrive for Android, Microsoft Graphics Component, WSL GUI

Recommended Actions

1. Prioritize CVE-2025-62215 (Zero-day) patching on critical servers, domain controllers, and exposed hosts.
2. Apply all November 2025 cumulative updates across Windows endpoints and servers.
3. Mitigate document-based RCE by enforcing Protected View, MOTW policies, and advising users about malicious attachments.
4. Patch PowerScribe 360 and third-party components integrated with Microsoft services.
5. Monitor for exploitation attempts via SIEM/EDR for privilege escalation and document-triggered crashes.
6. Verify patch compliance using SCCM, Intune, or on-prem reporting to ensure full deployment.

Reference

https://msrc.microsoft.com/update-guide/releaseNote/2025-Nov

2. Security Updates – Zoom

Zoom has released multiple security updates addressing high- and medium-severity vulnerabilities across Zoom Workplace Clients, Android, Windows, macOS, and VDI components. Successful exploitation could allow attackers to execute arbitrary code, bypass authorization controls, manipulate file paths, or expose sensitive information. All organizations relying on Zoom for communication or collaboration should update immediately to the latest patched versions.

High-Severity Vulnerabilities

CVE-2025-62484 – Zoom Workplace Clients | Inefficient Regular Expression Complexity
• May lead to performance degradation or potential denial of service.

CVE-2025-64741 – Zoom Workplace for Android | Improper Authorization Handling
• Could allow unauthorized actions due to insufficient authorization checks.

CVE-2025-64740 – Zoom Workplace VDI Client for Windows | Improper Verification of Cryptographic Signature
• Could enable tampering or code execution via unverified components.

Medium-Severity Vulnerabilities

CVE-2025-62483 – Zoom Clients | Improper Removal of Sensitive Information
• Risk of sensitive data exposure.

CVE-2025-62482 – Zoom Workplace for Windows | Cross-site Scripting (XSS)
• May allow script injection and unauthorized data access.

CVE-2025-30662 – Zoom Workplace VDI Plugin macOS Universal Installer | Symlink Following
• May result in file overwrite or privilege misuse.

CVE-2025-30669 – Zoom Workplace Clients | Improper Certificate Validation
• Could allow MITM attacks or unauthorized connections.

CVE-2025-64739 – Zoom Clients | External Control of File Name or Path
• Potential for file manipulation or privilege abuse.

CVE-2025-64738 – Zoom Workplace for macOS | External Control of File Name or Path
• Similar risk of unauthorized file control.

CVE-2025-30670 & CVE-2025-30671 – Zoom Workplace Apps for Windows | Null Pointer Dereference
• Could lead to crashes or denial of service conditions.

Impact

Exploitation of these vulnerabilities could result in:
• Unauthorized access to Zoom accounts or meetings
• Remote or local arbitrary code execution
• Exposure of sensitive user or system information
• Denial of service affecting video conferencing or collaboration
• Potential privilege escalation on Windows, Android, or macOS

Recommended Actions

1. Immediate Update: Upgrade all Zoom Workplace Clients (Windows, macOS, Linux, Android) and VDI components to the latest patched versions.
2. Mobile Device Security: Ensure Android and macOS Zoom apps are updated via official stores (Google Play / App Store).
3. Restrict Privileges: Limit installation and configuration permissions for Zoom VDI and desktop clients.
4. Certificate Validation: Enforce strict certificate security policies to mitigate MITM risks.
5. Monitor System Logs: Look for unusual Zoom client behavior, authorization events, or repeated crashes.
6. Security Awareness: Notify users not to use outdated Zoom clients and report suspicious meeting activity.

Reference

https://www.zoom.com/en/trust/security-bulletin/

3. SAP Security Patch Day – November 2025

SAP has released its November 2025 Security Patch Day updates, publishing 20 security notes — including 18 new and 2 updated advisories. The release contains three critical vulnerabilities (CVSS 10.0 & 9.9) affecting SQL Anywhere Monitor, SAP NetWeaver AS Java, and SAP Solution Manager. These flaws can enable remote code execution, insecure key management, and code injection without user interaction. Organizations using SAP systems are strongly urged to patch immediately due to the potential for full system compromise.

Critical Vulnerabilities

CVE-2025-42890 – SQL Anywhere Monitor | Insecure Key & Secret Management
• Affected Product: SYBASE_SQL_ANYWHERE_SERVER 17.0
• CVSS: 10.0 (Critical)
• Impact: Exposure of encryption keys and secrets, risk of full environment compromise.

CVE-2025-42944 – SAP NetWeaver AS Java | Insecure Deserialization
• Affected Product: SERVERCORE 7.50
• CVSS: 10.0 (Critical)
• Impact: Remote code execution via malicious serialized objects.

CVE-2025-42887 – SAP Solution Manager | Code Injection
• Affected Product: ST 720
• CVSS: 9.9 (Critical)
• Impact: Execution of attacker-supplied code on Solution Manager systems.

High- & Medium-Severity Vulnerabilities (Selected)

CVE-2025-42940 – SAP CommonCryptoLib | Memory Corruption (High)
• CVSS: 7.5
• Potential for denial of service or code execution.

CVE-2025-42895 – SAP HANA JDBC Client | Code Injection (Medium)
• CVSS: 6.9
• May allow RCE through malformed inputs.

CVE-2025-42892 & CVE-2025-42894 – SAP Business Connector | OS Command Injection & Path Traversal (Medium)
• CVSS: 6.8
• Risk of unauthorized file access or OS-level command execution.

CVE-2025-42884 – SAP Enterprise Portal | JNDI Injection (Medium)
• CVSS: 6.5
• Could enable malicious directory lookup and code execution.

CVE-2025-42924 – SAP S/4HANA E-Recruiting | Open Redirect (Medium)
• CVSS: 6.1
• Potential phishing or redirection attacks.

Other Issues Include:
• Missing authentication in SAP HANA (CVE-2025-42885)
• Information disclosure in SAP GUI (CVE-2025-42888)
• SQL Injection in SAP Starter Solution (CVE-2025-42889)
• Missing authorization checks in SAP ABAP and S4CORE components
• Cache poisoning and insecure file operations in Fiori and NetWeaver ABAP

Recommended Actions

1. Immediate Patch Deployment:
   Apply all November 2025 SAP security notes, prioritizing the three critical vulnerabilities (CVE-2025-42890, CVE-2025-42944, CVE-2025-42887).
2. Review Key & Credential Storage:
   Validate secure key management configurations—especially systems using SQL Anywhere Monitor.
3. Harden NetWeaver, HANA, and Solution Manager:
   Apply updated configurations and validate component-level security settings.
4. Monitor Logs for Exploitation Attempts:
   Check for signs of deserialization attacks, injection attempts, or unauthorized configuration changes.
5. Restrict Access to Critical SAP Components:
   Segment SAP administrative interfaces and enforce strict access control.
6. Validate Third-Party Integrations:
   Ensure SAP GUI, Business Connector, JDBC Client, and ABAP-based applications are updated and securely configured.

Reference

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/november2025.html

4. Security Updates – Google Chrome

Google has released security updates addressing a high-severity vulnerability in the Chrome browser, impacting Windows, macOS, Linux, Android, and iOS. The flaw resides in the V8 JavaScript engine and can be triggered via crafted HTML content, potentially enabling remote code execution within the browser environment.

Vulnerability Details

CVE-2025-13042 – High Severity | V8 Engine – Inappropriate Implementation
• Improper implementation in V8 may lead to heap corruption.
• Exploitable through maliciously crafted HTML pages.
• Successful exploitation could allow arbitrary code execution within the browser context, potentially leading to full system compromise if the sandbox is bypassed.

Fixed Versions

Stable Channel – Desktop
• Windows: 142.0.7444.162 / .163
• macOS: 142.0.7444.162
• Linux: 142.0.7444.162

Mobile Updates
• Android: 142.0.7444.158
• iOS: 142.0.7444.148

Recommended Actions

1. Immediate Update: Upgrade Chrome on all platforms to the latest stable version.
2. Browser Restart: Fully restart the Chrome browser to ensure patches are applied.
3. Monitor Browsing Activity: SOC teams should watch for exploit attempts or suspicious HTML/JavaScript payloads.
4. Extension Hardening: Restrict or review browser extensions to minimize attack surface.
5. Auto-Update Enforcement: Ensure Chrome automatic updates remain enabled across enterprise environments.

Reference

https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_11.html

5. Security Updates – Mozilla Products

Mozilla has released security updates addressing multiple high-severity vulnerabilities across Firefox 145, Firefox ESR 140.5, and Firefox ESR 115.30. Several of these flaws enable sandbox escapes, bypass memory protections, or lead to arbitrary code execution through WebGPU, JavaScript JIT, or graphics components. Organizations should prioritize updating Firefox installations to prevent exploitation through malicious web content.

Key Vulnerabilities Fixed

WebGPU Boundary & Sandbox Issues
• CVE-2025-13021
• CVE-2025-13022
• CVE-2025-13023
• CVE-2025-13025
• CVE-2025-13026
• Impact: Boundary condition errors and sandbox escapes enabling attackers to break isolation and execute malicious operations.

JavaScript & WebAssembly JIT Miscompilation
• CVE-2025-13016
• CVE-2025-13024
• Impact: Incorrect JIT compilation may lead to arbitrary code execution.

Graphics Component Race Condition
• CVE-2025-13012
• Impact: Race condition that could trigger crashes or allow code execution.

Memory Safety Bugs
• CVE-2025-13027
• Impact: Memory corruption vulnerabilities enabling potential RCE.

Additional Moderate Vulnerabilities
• Affect DOM, WebRTC, Audio/Video components
• May result in crashes, denial of service, or data exposure under certain conditions.

Fixed Versions

• Firefox 145
  • Firefox ESR 140.5
  • Firefox ESR 115.30

Recommended Actions

1. Immediate Update: Ensure all Firefox versions—stable and ESR—are updated to the latest patched releases.
2. Auto-Update Enforcement: Confirm auto-update is enabled on all managed devices.
3. Harden Browser Profiles: Restrict use of dangerous APIs or unverified extensions.
4. Monitor Web Activity: Watch for anomalous WebGPU or JavaScript execution patterns.
5. Enterprise Deployment: Push Firefox ESR updates across corporate environments using centralized management.

Reference

https://www.mozilla.org/en-US/security/advisories/mfsa2025-87/

6. Denial-of-Service (DoS) Vulnerability in Palo Alto Networks PAN-OS

A medium-severity Denial-of-Service (DoS) vulnerability (CVE-2025-4619) has been identified in Palo Alto Networks PAN-OS, affecting PA-Series hardware firewalls, VM-Series virtual firewalls, and Prisma Access. The flaw allows an unauthenticated remote attacker to force a firewall reboot by sending a single specially crafted packet through the dataplane, causing loss of service and repeated entry into maintenance mode.

Vulnerability Details

CVE-2025-4619 – PAN-OS DoS Vulnerability
• Severity: Medium (CVSS 6.6)
• Attack Vector: Network – unauthenticated packet triggers immediate device reboot
• Impact:

• Forced firewall reboot
• Loss of network availability
• Potential service interruption for all connected users
• Attacker can repeatedly send crafted packets to keep the firewall in maintenance mode

Affected Products & Fixed Versions

PAN-OS 11.2

• Upgrade to 11.2.4-h4, 11.2.5, or later
  • For specific builds:

• 11.2.3 → upgrade to 11.2.3-h6 or 11.2.5+
• 11.2.2 → upgrade to 11.2.2-h2 or 11.2.5+

PAN-OS 11.1

• Upgrade to 11.1.6-h1, 11.1.7, or later
  • For specific builds:

• 11.1.4 → upgrade to 11.1.4-h13 or 11.1.7+
• 11.1.2 → upgrade to 11.1.2-h18 or 11.1.7+
  • Versions older than 11.1.3-h2 → upgrade to 11.1.4-h13 or later

PAN-OS 10.2

• Upgrade to 10.2.13-h3, 10.2.14, or later
  • For specific builds:

• 10.2.12 → upgrade to 10.2.12-h6 or 10.2.14+
• 10.2.11 → upgrade to 10.2.11-h12 or 10.2.14+
• 10.2.10 → upgrade to 10.2.10-h14 or 10.2.14+
• 10.2.9 → upgrade to 10.2.9-h21 or 10.2.14+
• 10.2.8 → upgrade to 10.2.8-h21 or 10.2.14+
• 10.2.7 → upgrade to 10.2.7-h24 or 10.2.14+
  • Versions older than 10.2.4-h25 → must upgrade to a supported version

Prisma Access

• Upgrade to 11.2.4-h4 or later
  • Older versions (≤10.2.4-h25) must upgrade to supported releases

Recommended Actions

1. Immediate Upgrade:
   Update all affected PA-Series, VM-Series, and Prisma Access installations to the fixed versions listed above.
2. Restrict Exposure:
   Limit dataplane-facing interfaces from untrusted networks wherever possible.
3. Monitor for Anomalies:
   Check for repeated reboots, maintenance-mode events, or unexplained dataplane crashes.
4. High Availability (HA):
   Ensure HA failover configurations are correctly in place to maintain service continuity during attacks.
5. Traffic Inspection:
   Enable enhanced logging and packet capture if unexpected dataplane traffic is observed.

Reference

https://security.paloaltonetworks.com/CVE-2025-4619

7. Security Updates – Chrome OS

Google has released a Long Term Support (LTS) Channel update for Chrome OS addressing multiple high-severity vulnerabilities that could lead to arbitrary code execution, system crashes, or compromise of user data. These vulnerabilities span Safe Browsing, Storage, the V8 JavaScript engine, and the libaom media library—making timely updates essential for maintaining device and data security across Chrome OS environments.

High-Severity Vulnerabilities

CVE-2025-11756 – Use-after-free in Safe Browsing
• Memory corruption flaw in Safe Browsing component
• Could lead to arbitrary code execution or browser compromise

CVE-2025-11460 – Use-after-free in Storage
• Vulnerability in the Storage subsystem
• May cause system crashes or allow code execution in specific conditions

CVE-2025-12036 – Inappropriate Implementation in V8
• Improper implementation in the V8 engine
• Could enable remote code execution via malicious JavaScript or web content

CVE-2025-8879 – Heap Buffer Overflow in libaom
• A heap overflow in the libaom media library
• Enables code execution within the browser context when processing certain media files

Fixed Version

• Chrome OS LTS Version: 138.0.7204.296
  • Platform Version: 16295.81.0

Recommended Actions

1. Immediate Update:
   Update Chrome OS devices to the latest LTS version (138.0.7204.296).
2. Restart Devices:
   A full reboot ensures the patched components are fully applied.
3. Enforce Automatic Updates:
   Ensure Chrome OS auto-update policies remain enabled across managed fleets.
4. Monitor for Exploitation Indicators:
   Watch for unexpected browser crashes, abnormal storage behavior, or suspicious JavaScript-heavy pages.
5. User Awareness:
   Advise users to avoid downloading untrusted media files or visiting unknown websites until updates are applied.

Reference

https://chromereleases.googleblog.com/2025/11/long-term-support-channel-updatefor.html

8. Multiple Zero-Day Vulnerabilities in QNAP Products

QNAP has released urgent security updates addressing multiple zero-day vulnerabilities across its core operating systems and backup/security applications. These flaws pose a critical risk to NAS environments, allowing attackers to achieve remote code execution (RCE), privilege escalation, data compromise, and backup manipulation. The vulnerabilities affect essential components such as QTS, QuTS hero, Hybrid Backup Sync (HBS 3), Hyper Data Protector, and Malware Remover.

Critical Zero-Day Vulnerabilities

Core Operating Systems – QTS & QuTS hero
• CVE-2025-62847
• CVE-2025-62848
• CVE-2025-62849
• Impact: Remote code execution, takeover of NAS devices, data compromise

Backup & Data Protection – HBS 3 Hybrid Backup Sync
• CVE-2025-62840
• CVE-2025-62842
• Impact: Unauthorized access to backup data, tampering with historical backups

Hyper Data Protector
• CVE-2025-59389
• Impact: Compromise of VM and container backup repositories

Malware Remover
• CVE-2025-11837
• Impact: Attackers may exploit the security tool itself, bypassing or disabling protection

Impact

Successful exploitation could allow an attacker to:
• Execute arbitrary code on the NAS device
• Gain elevated privileges
• Access, steal, or corrupt sensitive data
• Manipulate or destroy backup files
• Compromise overall device integrity and security controls

These vulnerabilities create a high-risk scenario for ransomware attacks, data exfiltration, and persistent compromise within NAS environments.

Affected Products & Fixed Versions

QTS 5.2.x:
• Fixed in 5.2.7.3297 (build 20251024) or later

QuTS hero h5.2.x:
• Fixed in 5.2.7.3297 (build 20251024) or later

QuTS hero h5.3.x:
• Fixed in 5.3.1.3292 (build 20251024) or later

HBS 3 Hybrid Backup Sync (26.1.x and earlier):
• Fixed in 26.2.0.938 or later

Hyper Data Protector 2.2.x:
• Fixed in 2.2.4.1 or later

Malware Remover 6.6.x:
• Fixed in 6.6.8.20251023 or later

Recommended Actions

1. Immediate Patch Installation:
   Update all affected QNAP devices and applications to the fixed versions or latest available releases.
2. Network Isolation:
   Ensure NAS devices are not exposed directly to the internet; restrict access using firewalls/VPN.
3. Backup Protection:
   Verify integrity of backups on HBS 3 and Hyper Data Protector after applying updates.
4. Malware Remover Validation:
   Re-run security scans using updated Malware Remover to ensure no persistent threats remain.
5. Log Monitoring:
   Monitor NAS logs for suspicious login attempts, unexpected file changes, or unusual backup behavior.
6. Two-Factor Authentication:
   Enforce MFA on all admin accounts for QTS and QuTS hero.

References

https://www.qnap.com/en/security-advisory/qsa-25-45
https://www.qnap.com/en/security-advisory/qsa-25-46
https://www.qnap.com/en/security-advisory/qsa-25-48
https://www.qnap.com/en/security-advisory/qsa-25-47

9. Security Updates – F5 Products

F5 has released updates and advisories addressing multiple high-severity vulnerabilities affecting BIG-IP DNS, F5OS platforms, and Traffix SDC. These vulnerabilities originate from widely used third-party components—BIND DNS and linux-pam—and may enable cache poisoning, denial-of-service (DoS), or local privilege escalation. While no active exploitation has been reported, these flaws pose a serious threat to enterprise DNS infrastructure and system integrity.

Key Vulnerabilities

1. CVE-2025-40778 – BIND Cache Poisoning Vulnerability
   • Severity: High (CVSS 8.6 for F5OS, 7.5 for BIG-IP DNS)
   • Affected Versions:

• BIND 9.11.0–9.16.50, 9.18.0–9.18.39, 9.20.0–9.20.13, 9.21.0–9.21.12
• F5OS-A: 1.5.1–1.5.4, 1.8.0–1.8.3
• F5OS-C: 1.6.0–1.6.4, 1.8.0–1.8.2
• BIG-IP DNS: 15.x–17.x (no fixes released yet)
  • Description:
  A flaw in BIND’s record acceptance logic allows remote attackers to inject forged DNS records into cache responses. This can lead to cache poisoning, redirecting traffic to malicious destinations.

2. CVE-2025-8677 – BIND DoS via Malformed DNSKEY Records
   • Severity: High (CVSS 7.5)
   • Affected Versions:

• BIND 9.18.0–9.18.39, 9.20.0–9.20.13, 9.21.0–9.21.12
• F5OS-A: 1.5.1–1.5.4, 1.8.0–1.8.3
• F5OS-C: 1.6.0–1.6.4, 1.8.0–1.8.2
• BIG-IP DNS: 15.x–17.x (no fix yet)
  • Description:
  Improper handling of malformed DNSKEY records may cause excessive CPU consumption, triggering a denial-of-service (DoS) condition on DNS systems.

3. CVE-2025-8941 – linux-pam Privilege Escalation (pam_namespace)
   • Severity: High (CVSS 7.8)
   • Affected Product: Traffix SDC 5.2.0
   • Description:
   A flaw in pam_namespace allows local attackers to exploit symlink or race condition issues in polyinstantiated directories, enabling root-level privilege escalation under specific configurations.

Recommended Actions

1. Apply Available Updates:
   Install any F5 patches released for F5OS-A, F5OS-C, and Traffix SDC as soon as possible.
   (Note: Fixes for BIG-IP DNS 15.x–17.x are pending—monitor vendor advisories.)
2. Restrict Administrative Interfaces:
   Ensure F5 management and DNS services are not exposed to untrusted networks.
3. Enable DNSSEC Monitoring:
   Strengthen DNS validation and detect anomalies related to DNSKEY or forged responses.
4. Monitor System Resource Usage:
   Watch for spikes in CPU usage, which may indicate attempted DoS exploitation.
5. Review Access Controls:
   Limit local access on Traffix SDC appliances to mitigate privilege escalation risk.
6. Implement Temporary Mitigations (If Patching Not Possible):
   • Configure DNS rate limiting
   • Restrict recursion
   • Apply BIND configuration hardening
   • Follow least-privilege principles on Traffix SDC

References

https://my.f5.com/manage/s/article/K000157334
https://my.f5.com/manage/s/article/K000157317
https://my.f5.com/manage/s/article/K000157322

10. Security Updates – Cisco

Cisco has released multiple security updates addressing critical, high, and medium-severity vulnerabilities across ASA, FTD, IOS/IOS XE/IOS XR, Cisco ISE, Unified Contact Center Express, BroadWorks, and other Cisco platforms. These vulnerabilities could enable remote code execution (RCE), unauthorized access, denial of service (DoS), and information disclosure, posing significant risks to enterprise network infrastructure.

Critical-Severity Vulnerabilities

CVE-2025-20333 – Cisco ASA & FTD VPN Web Server | Remote Code Execution
• Exploitable via crafted HTTP requests targeting the VPN web interface
• Could lead to full device compromise

CVE-2025-20363 – Cisco ASA, FTD, IOS, IOS XE, IOS XR Web Services | Remote Code Execution
• Unauthenticated RCE through exposed web services
• Enables attackers to run arbitrary system-level commands

CVE-2025-20354 / CVE-2025-20358 – Cisco Unified Contact Center Express | RCE
• Allows remote code execution on contact center systems
• High impact on environments relying on automated communications infrastructure

High-Severity Vulnerability

CVE-2025-20343 – Cisco ISE | RADIUS Suppression DoS
• Attackers can disrupt authentication services
• Potential for widespread network access outages

Medium-Severity Vulnerabilities

CVE-2025-20362 – Cisco ASA & FTD VPN Web Server | Unauthorized Access
• May allow unauthorized users to access restricted VPN areas

CVE-2025-20289 / 20303 / 20304 – Cisco ISE | Reflected XSS & Information Disclosure
• Attackers can inject malicious scripts
• Potential leakage of sensitive configuration or user data

CVE-2025-20374 / 20375 / 20376 – Cisco Contact Center Products
• May allow limited unauthorized actions
• Could leak operational or call-handling information

CVE-2025-20307 – Cisco BroadWorks CommPilot | Cross-Site Scripting
• Allows malicious script execution in user browsers
• Could be used for session hijacking or credential theft

Impact

Successful exploitation of these vulnerabilities may lead to:
• Full system compromise via RCE
• Unauthorized administrative access
• Service disruption (DoS) impacting network authentication or VPN
• Exposure of sensitive configuration and operational data

These vulnerabilities affect widely deployed Cisco infrastructure components, making timely mitigation essential.

Recommended Actions

1. Immediate Patching or Workaround Application:
   Follow Cisco-provided patches or mitigation steps for ASA, FTD, ISE, IOS/IOS XE/IOS XR, Contact Center, and BroadWorks systems.
2. Restrict Access to Management Interfaces:
   Ensure web-based admin portals and VPN interfaces are not exposed to untrusted networks.
3. Enhance Monitoring:
   Look for indicators of exploitation such as unusual VPN activity, failed authentication attempts, or unexpected system commands.
4. Update RADIUS and Contact Center Services:
   Prioritize environments relying on Cisco ISE and Contact Center solutions due to their high operational impact.
5. Apply Defense-in-Depth Controls:
   • Web application firewall (WAF) for web services
   • MFA enforcement for administrative access
   • Network segmentation

Reference

https://sec.cloudapps.cisco.com/security/center/publicationListing.x

11. Security Updates – Django Framework

The Django development team has released security patches addressing two significant vulnerabilities: a critical SQL Injection flaw and a high-severity Denial-of-Service (DoS) vulnerability. Updated versions 5.2.8, 5.1.14, and 4.2.26 include the necessary fixes. Organizations using Django for web applications should apply these updates immediately to prevent exploitation, especially in production environments.

Vulnerability Details

1. CVE-2025-64459 – SQL Injection via _connector Keyword Argument
   • Severity: Critical (CVSS 9.1)
   • Affected Components: QuerySet and Q objects
   • Description:
   Attackers could manipulate the _connector argument to inject arbitrary SQL fragments, potentially enabling full database compromise.
   • Impact: Data theft, unauthorized modification, credential extraction, or full takeover of backend systems.
2. CVE-2025-64458 – DoS in Redirect Responses on Windows
   • Severity: High (CVSS 7.5)
   • Affected Components: HttpResponseRedirect and HttpResponsePermanentRedirect
   • Description:
   Improper handling of redirect paths on Windows may lead to excessive processing or resource exhaustion.
   • Impact: Service unavailability, increased server load, and potential downtime.

Updated Versions

• Django 5.2.8
  • Django 5.1.14
  • Django 4.2.26

These releases include security patches for both vulnerabilities.

Recommended Actions

1. Immediate Upgrade:
   Update all Django projects to the fixed versions (5.2.8, 5.1.14, or 4.2.26).
2. Review Application Code:
   Ensure no custom QuerySet manipulations expose the vulnerable _connector pattern.
3. Deploy with Least Privilege:
   Restrict database user permissions to reduce potential impact of SQL injection.
4. Test in Staging:
   Validate application behavior after upgrading, especially redirect logic on Windows-based deployments.
5. Monitor Logs:
   Watch for unusual database queries or abnormal redirect activity.
6. Harden Server Configuration:
   Add WAF rules and database query monitoring to detect injection attempts.

Reference

https://www.djangoproject.com/weblog/2025/nov/05/security-releases/

12. High-Severity Vulnerability in Amazon WorkSpaces Client for Linux

Amazon has released a security update addressing a high-severity vulnerability in the Amazon WorkSpaces client for Linux. The flaw allows local users to extract authentication tokens belonging to other users on the same machine, enabling unauthorized access to their virtual WorkSpace sessions. This vulnerability exposes sensitive files, internal applications, and potentially corporate cloud environments.

Vulnerability Details

CVE-2025-12779 – Improper Handling of Authentication Tokens
• Severity: High (CVSS 8.8)
• Root Cause: Improper protection of authentication tokens within the Linux WorkSpaces client
• Attack Method:

• Local users can access exposed DCV-based WorkSpaces session tokens
• Attackers can reuse these tokens to log into another user’s WorkSpace
  • Impact:
• Unauthorized access to files, applications, and sensitive internal systems
• Potential lateral movement within cloud-connected environments
• Exposure of confidential data stored or accessed in the victim’s WorkSpace

Affected Versions

• Amazon WorkSpaces Client for Linux 2023.0 through 2024.8

Fixed Version

• Amazon WorkSpaces Client for Linux 2025.0 or later

Recommended Actions

1. Immediate Upgrade:
   Update all Linux-based WorkSpaces clients to version 2025.0 or later.
2. Restrict Local Access:
   Limit shared system usage, especially on multi-user machines or enterprise Linux hosts.
3. Session Monitoring:
   Review WorkSpaces session logs for unusual access patterns or unfamiliar device fingerprints.
4. Revoke Active Tokens:
   Encourage users to log out and regenerate tokens after upgrading to invalidate potentially compromised ones.
5. Access Control Hardening:
   Enforce strong Linux file permissions and monitor /tmp, user directories, and session-storage locations.
6. Awareness for Users:
   Notify users about the risk of shared devices until updates are fully applied.

Reference

https://aws.amazon.com/security/security-bulletins/AWS-2025-025/

13. Critical Vulnerabilities in Cisco Unified CCX

Cisco has released emergency patches for two critical remote code execution (RCE) vulnerabilities affecting Cisco Unified Contact Center Express (Unified CCX). These flaws are exploitable without authentication and allow remote attackers to gain root-level access or full administrative control over enterprise call-center systems. Due to their severity and exploitability, organizations should patch immediately and review all externally exposed CCX instances.

Vulnerability Details

1. CVE-2025-20354 – Java RMI Remote Code Execution
   • Severity: Critical (CVSS 9.8)
   • Description:

• A critical flaw in the Java RMI process within Unified CCX
• Caused by improper authentication and unsafe file-handling logic
• Attackers can send a specially crafted RMI request to an exposed CCX server
  • Impact:
• Remote, unauthenticated execution of arbitrary code
• Potential full takeover of CCX infrastructure

2. CVE-2025-20358 – CCX Editor Authentication Bypass
   • Severity: Critical (CVSS 9.4)
   • Description:

• Flaw in the CCX Editor communication process
• Attackers can spoof or redirect authentication between the CCX Editor and server
• Allows forging of authentication tokens
  • Impact:
• Gaining administrative permissions without credentials
• Creation, modification, and execution of CCX scripts
• Opportunity to implant persistent malware or manipulate workflows used by enterprise call centers

Impact

If exploited, these vulnerabilities may allow attackers to:
• Remotely execute code with root/system privileges
• Modify call-center workflows, routing rules, and scripts
• Elevate privileges to full administrative access
• Install persistence mechanisms or malware
• Exfiltrate sensitive configuration files or call-handling data
• Disrupt business operations dependent on Unified CCX

Due to the nature of call-center systems, exploitation may create significant operational, financial, and reputational impact.

Patched Versions

• Unified CCX 12.5 SU3 ES07
  • Unified CCX 15.0 ES01

Recommended Actions

1. Immediate Patch Deployment:
   Upgrade to the patched versions (12.5 SU3 ES07 or 15.0 ES01) without delay.
2. Audit Exposure:
   Identify and restrict any publicly accessible Unified CCX servers—particularly those exposing RMI or CCX Editor services.
3. Network Segmentation:
   Limit Unified CCX access to internal secure zones and restrict administrative ports to trusted IP ranges.
4. Monitor for Indicators of Compromise:
   Review logs for unusual RMI requests, unauthorized script modifications, or unexpected admin actions.
5. Revalidate Script Integrity:
   Verify the integrity of CCX scripts and workflows to ensure they haven’t been tampered with.
6. Enforce MFA and Hardening:
   Apply multi-factor authentication where available and review admin account policies.
7. Conduct a Post-Patch Security Review:
   Ensure no persistence mechanisms or changes were introduced before patching.

Reference

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ

14. Security Updates – Apple (iOS 18.7.2 & iPadOS 18.7.2)

Apple has released iOS 18.7.2 and iPadOS 18.7.2, addressing over 25 security vulnerabilities across multiple system components, including WebKit, Kernel, Siri, Notes, Camera, CloudKit, Model I/O, Accessibility, Spotlight, and App Store.
These vulnerabilities range from information disclosure, sandbox escape, process crash, UI spoofing, memory corruption, keystroke monitoring, and denial-of-service.
Several of these issues can be triggered remotely through malicious web content (WebKit) or malicious applications, making immediate updates essential for both users and enterprise environments.

Security Update Version

iOS 18.7.2 / iPadOS 18.7.2 is available for:

• iPhone XS and later
• All recent iPad Pro models
• iPad Air 3rd gen and later
• iPad 7th gen and later
• iPad mini 5th gen and later

Recommendations

• Update all devices immediately to iOS/iPadOS 18.7.2.
• Enterprises should enforce updates via MDM to ensure compliance.
• Due to the number of WebKit remote-exploitable flaws, ensure Safari and all web-rendering contexts are updated.
• Audit high-risk applications handling media files or sensitive data.
• Apply additional hardening and review permissions for apps accessing Notes, Siri, Camera, and Spotlight.
• Monitor Apple advisories for any notice of exploitation in the wild.

Reference

https://support.apple.com/en-ae/125633

15. Multiple Vulnerabilities in Apache OFBiz

Apache OFBiz is affected by two important-severity vulnerabilities that may allow attackers to execute arbitrary code or hijack user sessions.

Executive Summary

Two vulnerabilities — CVE-2025-59118 (File Upload RCE) and CVE-2025-61623 (Reflected XSS) — allow attackers to upload malicious files or inject JavaScript into user sessions.
Exploitation can lead to system compromise, data manipulation, and session hijacking.
A fix is available in Apache OFBiz 24.09.03.

Technical Details

1. CVE-2025-59118 – Unrestricted File Upload

• Allows uploading malicious files (scripts/web shells).
• Can result in remote code execution and full system takeover.

2. CVE-2025-61623 – Reflected XSS

• Allows injection of malicious JavaScript via crafted URLs.
• Could lead to credential theft or session hijacking.

Affected Versions

• All Apache OFBiz versions before 24.09.03

Fixed Version

• Apache OFBiz 24.09.03

Recommendations

• Upgrade immediately to 24.09.03 or later
• Review logs for suspicious uploads or XSS activity
• Restrict admin access and enable MFA
• Use WAF rules to block malicious upload attempts

References

• https://www.cve.org/CVERecord?id=CVE-2025-59118
• https://www.cve.org/CVERecord?id=CVE-2025-61623

16. Actively Exploited Vulnerability in Gladinet Triofox

A critical authentication bypass vulnerability in Gladinet Triofox (CVE-2025-12480) is actively exploited, allowing attackers to gain administrative access and execute code with SYSTEM privileges.

Executive Summary

Attackers are exploiting improper access control in the Triofox web interface to bypass authentication, create rogue admin accounts, and run malicious PowerShell payloads.
Exploitation has resulted in remote access tool installation, RDP tunneling, and SYSTEM-level command execution.

Technical Details

CVE-2025-12480 – Authentication Bypass & RCE

• Severity: Critical (9.4)
• Attackers spoof the HTTP Host header to access restricted admin setup pages.
• Can create new admin accounts and execute malicious scripts via antivirus configuration.
• Observed attacker actions:
  • Creation of “Cluster Admin” unauthorized account
  • PowerShell payload downloads
  • Installation of Zoho Assist, AnyDesk
  • RDP tunneling using PuTTY/Plink

Indicators of Compromise

• Provided in attached Excel (as per original advisory)

Affected Versions

• Triofox ≤ 16.4.10317.56372

Fixed Version

• Triofox ≥ 16.7.10368.56560

Recommendations

• Update to the latest Triofox fixed version.
• Remove unauthorized admin accounts immediately.
• Block suspicious script executions and remote access tools.
• Monitor network traffic for PowerShell downloads & RDP tunneling.
• Conduct full security audit and threat hunting.

References

• https://www.tenable.com/cve/CVE-2025-12480

17. SQL Injection Vulnerabilities in SuiteCRM

Two authenticated SQL injection vulnerabilities have been identified in SuiteCRM, enabling attackers to extract sensitive database information without requiring admin privileges.

Executive Summary

SuiteCRM maintainers released security updates addressing two blind SQL injection flaws (CVE-2025-64492 & CVE-2025-64493). These vulnerabilities allow authenticated users to enumerate database content or manipulate queries. Immediate upgrade to version 8.9.1 is required.

Technical Details

1. CVE-2025-64492 — Blind SQL Injection

• Severity: High (CVSS 8.8)
• Time-based blind SQL injection in reconciling data fields.
• Allows enumeration of database schema and extraction of sensitive data.
• Affects: SuiteCRM ≤ 8.9.0.

2. CVE-2025-64493 — Blind SQL Injection (GraphQL)

• Severity: Medium (CVSS 6.5)
• Occurs in appMetadata GraphQL operation.
• Can be exploited by any logged-in user (no admin rights needed).
• Affects: SuiteCRM 8.6.0 – 8.8.0.

Affected Versions

• SuiteCRM ≤ 8.9.0 (CVE-2025-64492)
• SuiteCRM 8.6.0 – 8.9.0 (CVE-2025-64493)

Fixed Version

• SuiteCRM 8.9.1

Recommendations

• Upgrade all SuiteCRM instances to 8.9.1 immediately.
• Review logs for suspicious database access patterns.
• Limit user permissions where possible.
• Harden GraphQL endpoints and disable unused API components.

References

• https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-5gcj-mfqq-v8f7
• https://github.com/SuiteCRM/SuiteCRM-Core/security/advisories/GHSA-54m4-4p54-j8hp

18. Synology BeeStation Remote Code Execution Vulnerability

A critical remote code execution (RCE) vulnerability (CVE-2025-12686) has been identified in Synology BeeStation OS, potentially allowing attackers to execute arbitrary code and fully compromise affected devices.

Executive Summary

Synology released a security update addressing a buffer overflow vulnerability in BeeStation OS. With a CVSS score of 9.8 (Critical), this flaw enables remote attackers to execute arbitrary code without authentication. All BeeStation OS versions from 1.0 to 1.3 are impacted and require urgent upgrading.

Technical Details

CVE-2025-12686 — Buffer Copy Without Size Check (CWE-120)

• Severity: Critical (CVSS 9.8)
• The vulnerability exists due to improper validation of input size during memory operations.
• Exploitation may allow remote attackers to trigger a buffer overflow and execute arbitrary code with high privileges.

Affected Versions

• BeeStation OS 1.0
• BeeStation OS 1.1
• BeeStation OS 1.2
• BeeStation OS 1.3

Fixed Version

• BeeStation OS 1.3.2-65648 or later

Recommendations

• Upgrade BeeStation OS to 1.3.2-65648 or above immediately.
• Restrict remote access to BeeStation devices until fully updated.
• Monitor system logs for suspicious activity indicating possible exploitation attempts.
• Ensure backups are secured and stored offline as a precaution.

References

• https://www.synology.com/en-my/security/advisory/Synology_SA_25_12

19. High-Severity Vulnerability in Elastic Defend

Elastic has released security updates addressing a high-severity vulnerability in Elastic Defend for Windows. The flaw allows local attackers to delete arbitrary files using the high-privilege Defend service, potentially leading to SYSTEM-level privilege escalation.

Executive Summary

A high-severity vulnerability (CVE-2025-37735) impacts Elastic Defend on Windows. The issue stems from improper permission handling, enabling local attackers to exploit the Elastic Defend service and delete protected files. Successful exploitation may result in full system compromise.

Technical Details

CVE-2025-37735 — Improper Preservation of Permissions

• Severity: High (CVSS 7.0)
• Local attackers may abuse the privileged Elastic Defend service to delete arbitrary files.
• Deletion of critical system files may lead to privilege escalation to NT AUTHORITY\SYSTEM.

Affected Versions

• Elastic Defend ≤ 8.19.5
• Elastic Defend 9.0.0 – 9.1.5

Fixed Versions

• 8.19.6
• 9.1.6
• 9.2.0

Recommendations

• Immediately upgrade to one of the fixed versions.
• Restrict local access to systems running Elastic Defend.
• Monitor for unusual file deletion activity or privilege escalation attempts.
• Apply endpoint hardening policies to limit misuse of privileged services.

References

• https://discuss.elastic.co/t/elastic-defend-8-19-6-9-1-6-and-9-2-0-security-update-esa2025-23/383272

20. Access Bypass Vulnerability in Drupal Email TFA

A moderately critical access bypass vulnerability has been identified in the Drupal Email TFA module, allowing authenticated users under specific conditions to skip the email-based two-factor authentication (2FA) step.

The vulnerability affects the Email TFA module’s enforcement of 2FA during login flows. Due to a logic flaw, users with valid credentials may partially bypass the required email verification, weakening authentication security and increasing the risk of unauthorized access.

Email TFA – Access Bypass – SA-CONTRIB-2025-115

• Incomplete enforcement of email-based 2FA during certain login sequences.
• The system may authenticate a user without requiring the second authentication step.
• Successful exploitation allows partial 2FA bypass for users with valid credentials.

Affected Versions

• Email TFA < 2.0.6

Fixed Version

• Email TFA 2.0.6 or later

Recommendations

• Upgrade all Drupal Email TFA module installations to version 2.0.6 or later.
• Review application logs for unusual login activity.
• Enforce strong password policies and consider implementing additional 2FA methods.
• Validate all authentication workflows after patching.

References

• https://www.drupal.org/sa-contrib-2025-115

21. 
    Android Spyware LANDFALL Exploiting Samsung Devices

Attackers exploited critical vulnerabilities in Samsung’s libimagecodec.quram.so to execute arbitrary code by processing malicious DNG files. The spyware used a zero-click delivery method and deployed two modules enabling surveillance, privilege escalation, and persistence. Targeting focused on Samsung Galaxy S22/S23/S24 and Fold/Flip series devices.

Key Vulnerabilities

• CVE-2025-21042 (Critical)
  • Zero-day in Samsung image processing library
  • Triggered by malformed DNG images containing ZIP archives
  • Allowed arbitrary code execution
  • Exploited in the wild July 2024 – April 2025
• CVE-2025-21043 (Critical)
  • Related flaw in same library
  • Delivered via DNG files through messaging applications
  • Patched in September 2025
• Related Exploits (Cross-Platform)
  • Apple CVE-2025-43300 (iOS DNG parsing)
  • WhatsApp CVE-2025-55177

Attack Chain

• Delivery:
  • Malicious DNG files disguised as WhatsApp images
  • Zero-click execution—no user interaction required
• Payload Deployment:
  • b.so (Loader/backdoor)
  • l.so (SELinux privilege manipulation)

Capabilities

• Audio recording
• Call/SMS collection
• Location tracking
• Photo & contact extraction
• App inventory & network surveillance
• Frida/Xposed detection
• Custom encrypted C2 channels

Targeted Devices

• Samsung Galaxy S22, S23, S24
• Samsung Z Fold4 / Z Flip4
• Targeting observed in Middle Eastern countries

Recommendations

1. Immediate Actions

• Ensure all Samsung devices have April 2025 or later security patches
• Enable automatic firmware updates
• Audit devices for suspicious DNG/TIFF files

2. Detection & Response

• Block known LANDFALL IPs/domains
• Deploy advanced mobile threat defense (MTD/MDR)
• Monitor for abnormal encrypted outbound traffic
• Ingest IoCs into SIEM/MISP

3. Prevention

• User awareness: Avoid opening unsolicited media files
• Enforce MDM controls and least-privilege settings on devices
• Use secure DNS, URL filtering & network-layer protections

References

• https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/

22. Critical Vulnerability in Dell Data Lakehouse

A critical vulnerability (CVE-2025-46608, CVSS 9.1) affects all Dell Data Lakehouse versions prior to 1.6.0.0. The issue stems from improper access control, which can be exploited to escalate privileges and bypass authentication checks. Immediate upgrades are required to mitigate risk.

Vulnerability Information

• CVE ID: CVE-2025-46608
• Severity: Critical
• CVSS v3.1 Score: 9.1
• Vulnerability Type: Improper Access Control → Privilege Escalation & Authentication Bypass
• Affected Product: Dell Data Lakehouse
• Affected Versions: All versions prior to 1.6.0.0
• Fixed Version: 1.6.0.0 and later
• Vendor Advisory: DSA-2025-375

Impact

• Unauthorized administrative access
• Compromise of enterprise data
• Manipulation of analytics workloads
• Potential full system takeover

Recommendations

• Upgrade all Dell Data Lakehouse deployments to version 1.6.0.0 or later immediately.
• Review existing access controls and audit administrative accounts.
• Monitor systems for signs of unauthorized access or privilege escalation.

References

• https://www.dell.com/support/kbdoc/en-us/000390529/dsa-2025-375-security-update-for-dell-data-lakehouse-multiple-vulnerabilities

23. ClickFix Malware Evolves With Multi-OS Support and Social Engineering Enhancements

ClickFix is an ongoing malware campaign where attackers convince victims to paste malicious terminal commands into their systems. The latest variant introduces video-based instructions, fake Cloudflare-style verification screens, OS detection, and automatic clipboard manipulation, drastically increasing success rates. The malware is spread via malvertising, SEO poisoning, and compromised WordPress sites.

Key Enhancements in the Latest ClickFix Campaign

• Video Tutorials:
  Embedded videos guide users step-by-step to copy and execute malicious commands, making the attack appear legitimate.
• Countdown Timers & Urgency:
  Fake “verification” pages show a 1-minute timer to pressure users into executing commands quickly.
• Cloudflare-Style Fake Screens:
  Pages mimic Cloudflare CAPTCHA verification, including realistic branding and UI elements.
• OS Detection & Dynamic Payloads:
  Malicious JavaScript identifies the user’s OS (Windows, macOS, Linux) and auto-generates OS-specific payloads.
• Automatic Clipboard Copying:
  The malicious webpage copies the command directly to the victim’s clipboard, reducing user awareness.

Delivery Methods

• Malvertising via Google Search
  Attackers buy ads or leverage SEO to push victims into malicious “verification” pages.
• Compromised WordPress Sites
  Injected JavaScript distributes ClickFix payloads through trusted domains.

Multi-Platform Malware Execution

• Windows:
  Uses MSHTA, PowerShell, and built-in components (LOLBins) for stealthy execution.
• macOS & Linux:
  Uses shell commands and native binaries that bypass standard antivirus detection.

Likely Payloads

• Infostealers targeting:
  • Browser credentials
  • Cryptocurrency wallets
  • System fingerprints
  • Session tokens
    This information is commonly sold on dark web markets or used for follow-up attacks.

Recommendations

1. User Awareness & Training

• Reinforce that no legitimate website requires users to paste commands into a terminal.
• Train employees to recognize Cloudflare-style spoofing and suspicious verification pages.

2. Technical Controls

• Block malvertising & SEO poisoning:
  • Use DNS filtering, safe browsing features, and ad blockers.
• Monitor command-line activity triggered by browsers:
  • PowerShell
  • Bash/sh
  • MSHTA
• Patch WordPress Plugins & CMS Platforms
  Prevent script injection into legitimate sites.
• Deploy browser isolation/sandboxing
  Reduce impact of in-browser social engineering exploitation.
• Leverage threat intelligence feeds
  Block known ClickFix domains and indicators.

References

• https://www.esecurityplanet.com/threats/clickfix-malware-evolves-with-multi-os-support-and-video-tutorials/

25. Rhadamanthys Infostealer Infrastructure Disrupted Following Suspected Law Enforcement Action

Rhadamanthys is a widely used infostealer that harvests credentials, browser cookies, email data, and authentication tokens. It is distributed through fake software cracks, malicious ads, and YouTube tutorials. The malware is sold via a subscription model, providing threat actors with a web dashboard to manage infected hosts.

As of November 2025, multiple subscribers reported losing SSH access to their control panels and servers. Systems previously accessible via password authentication now require certificate-based authentication — a strong indicator of unauthorized server takeover. The Rhadamanthys developer and affected users believe the disruption was caused by German law enforcement, with connections traced to EU-based data centers.

The Tor infrastructure supporting the operation is also offline, though without police seizure banners.

Observed Disruption Indicators

• Rhadamanthys subscribers report:
  • Loss of SSH access to their VPS infrastructure
  • Password-based logins replaced with certificate-only access
  • Deleted passwords and locked-out accounts
• Web panels hosted in EU data centers show logins from German IP addresses prior to access loss.

Actor Reactions (Hacking Forum Posts)

• “Guests have visited my server, the password has been deleted.”
• “Server login became strictly certificate-based.”
• “Those using the smart panel were hit hard; manual installations survived.”

Developer Statement

• Rhadamanthys developer believes German police (BKA) are behind the action.
• Tor onion services related to the malware are offline.

Malware Overview

• Steals:
  • Browser credentials
  • Authentication cookies
  • Email credentials
  • Wallet data
  • System metadata
• Distributed through:
  • Malvertising
  • YouTube crack videos
  • Search-engine poisoning
• Sold via monthly subscription with tiered pricing.

Recommendations

1. For Organizations

• Conduct enterprise-wide credential resets for users potentially exposed to past Rhadamanthys infections.
• Monitor for:
  • Suspicious browser credential access
  • Beaconing to Rhadamanthys C2 infrastructure
  • Unusual cookie re-use patterns
• Strengthen browser security policies and enable hardware-backed tokens (WebAuthn).

2. Preventive Measures

• Block suspicious download sources and crack-related keywords.
• Tighten EDR rules for:
  • Credential harvesting behavior
  • Browser cookie extraction
  • Suspicious PowerShell and Loader activity
• Use DNS filtering to block known Rhadamanthys distribution sites.

References

https://www.bleepingcomputer.com/news/security/rhadamanthys-infostealer-disrupted-as-cybercriminals-lose-server-access/ 

26. DanaBot Malware Resurfaces After Six-Month Disruption

DanaBot, a long-running malware-as-a-service (MaaS) platform known for credential theft, crypto-wallet harvesting, and ransomware deployment, has resurfaced after a six-month inactivity period following the May 2025 takedown under Operation Endgame.
Zscaler ThreatLabz has identified a new DanaBot variant (version 669) leveraging rebuilt C2 infrastructure hosted on Tor (.onion) domains and supported by “backconnect” nodes.
Attackers are also using multiple cryptocurrency wallets (BTC, ETH, LTC, TRX) for laundering stolen funds. DanaBot’s comeback highlights the resilience of threat operators who were not arrested during previous disruptions.

Malware Overview

• Originally a Delphi-based banking trojan discovered by Proofpoint.
• Distributed through:
  • Malicious emails (attachments/links)
  • SEO poisoning
  • Malvertising campaigns
• Operates as MaaS, rented to cybercriminals.

New Variant (v669) Characteristics

• Rebuilt infrastructure hosted on Tor (.onion) C2 nodes
• Utilizes backconnect nodes for remote operator control
• Actively used in credential theft and financial fraud
• Multiple cryptocurrency wallets identified for receiving stolen assets:
  • Bitcoin (BTC)
  • Ethereum (ETH)
  • Litecoin (LTC)
  • Tron (TRX)

Threat Impact

• Credential theft from browsers
• Crypto wallet data harvesting
• Loader functionality enabling ransomware deployment
• Facilitates Initial Access Brokers (IABs) operations

Observed Initial Access Methods

• Malicious email campaigns
• SEO poisoning targeting popular software searches
• Malvertising (fake installers/downloaders)

RECOMMENDATIONS:

1. Immediate Network Controls

• Block all domains, IPs, and Tor-based IoCs shared by Zscaler.
• Enable strict DNS filtering to block malvertising redirections.

2. Endpoint & Browser Protections

• Enhance monitoring for:
  • Browser credential access attempts
  • Unusual PowerShell/LOLBIN execution
  • DanaBot loader behavior
• Force multi-factor authentication (MFA) where possible.

3. Email & Web Security

• Strengthen phishing detection rules around invoice/quotation themes.
• Inspect HTML attachments and suspicious ZIP/ISO files.

4. Threat Hunting

• Search for indications of:
  • DanaBot persistence modules
  • Browser data exfiltration
  • Communication to Tor-based C2 infrastructure

5. User Awareness

• Educate users on the risks of installing cracked software or clicking on “urgent” invoice links.

REFERENCES:

https://www.bleepingcomputer.com/news/security/danabot-malware-is-back-to-infecting-windows-after-6-month-break/