Welcome to this week’s version of the Cybersecurity Information Weekly Publication, the place we analyze the crucial incidents defining the present menace panorama.
If this week has taught us something, it’s that the steadiness of our digital infrastructure is simply as unstable because the safety of the software program operating upon it.
We’re witnessing a multi-front battle the place availability issues are colliding with crucial vulnerability administration. The huge Cloudflare outage served as a stark reminder of the web’s centralized fragility, disrupting international operations and forcing organizations to re-evaluate their resilience methods in opposition to single factors of failure within the cloud ecosystem.
Nonetheless, whereas community reliability faltered, menace actors wasted no time exploiting software program weaknesses. The disclosure of recent Chrome zero-day flaws has triggered yet one more pressing patching race, highlighting the relentless focusing on of browser-based entry factors. Concurrently, enterprise perimeters are below siege as crucial vulnerabilities in Fortinet home equipment proceed to floor, providing adversaries potential avenues for distant compromise if left unmitigated.
Maybe probably the most complicated narrative this week includes the Salesforce and Gainsight breach. This incident reinforces the treacherous nature of recent provide chain safety, demonstrating how trusted third-party integrations can turn out to be high-value vectors for knowledge exfiltration.
On this challenge, we dissect these occasions, offering the technical context, indicators of compromise, and mitigation steps essential to safe your atmosphere in opposition to these evolving dangers.
Vulnerabilities
Fortinet FortiWeb 0‑Day (CVE‑2025‑58034)
Fortinet disclosed a command injection flaw in FortiWeb (CWE‑78) that lets authenticated attackers execute arbitrary OS instructions by way of crafted HTTP requests or CLI, gaining system‑stage privileges and doubtlessly pivoting deeper into protected networks. The bug impacts FortiWeb 8.0 (as much as 8.0.1), 7.6 (as much as 7.6.5), 7.4 (as much as 7.4.10), 7.2 (as much as 7.2.11), and seven.0 (as much as 7.0.11), with exploitation noticed since early October, together with PoC circulation and creation of rogue admin accounts on web‑dealing with panels. Fortinet urges upgrading to eight.0.2, 7.6.6, 7.4.11, 7.2.12, or 7.0.12, tightening publicity of administration interfaces, and auditing admin customers for unauthorized additions.
Learn extra:
XWiki RCE Exploited within the Wild (CVE‑2025‑24893)
A crucial RCE in XWiki’s SolrSearch endpoint is being closely exploited to deploy botnets, coin miners, and chronic entry, with a number of unbiased menace actors now abusing Groovy scripting to obtain and run arbitrary payloads. CISA added CVE‑2025‑24893 to the KEV catalog simply two days after preliminary disclosure, whereas canary techniques and VulnCheck noticed fast progress in scanning, reverse shells, and multi‑stage an infection chains from various international IPs. Defenders ought to urgently patch XWiki, monitor SolrSearch requests, look ahead to suspicious outbound connections or mining exercise, and prohibit web publicity and section networks to shrink the assault floor.
Learn extra:
Chrome V8 Kind Confusion Zero‑Day (CVE‑2025‑13223)
Google pushed an emergency Chrome Steady replace (142.0.7444.175 for Home windows/Linux and 142.0.7444.176 for macOS) to repair two excessive‑severity sort confusion bugs within the V8 engine, with CVE‑2025‑13223 already exploited within the wild. Profitable exploitation can allow distant code execution, sandbox escape, knowledge theft, or malware supply with out consumer interplay, and Google’s TAG involvement suggests potential hyperlinks to APT‑stage operators. With over 65% of world browsers operating Chrome, Google urges customers to allow auto‑updates and keep away from dangerous hyperlinks as fuzzing instruments like Massive Sleep and AddressSanitizer proceed to floor such reminiscence corruption points.
Learn extra:
Imunify AI‑Bolit Arbitrary Code Execution
A severe flaw within the AI‑Bolit part of Imunify merchandise allowed crafted information or database entries to set off malicious PHP execution as root by way of unsafe deobfuscation logic and unfiltered enter. Particularly, deobfuscateDeltaOrd and deobfuscateEvalHexFunc handed attacker‑managed strings into Helpers::executeWrapper(), enabling arbitrary operate calls and privilege escalation if an adversary might plant payloads on the scanned server. Imunify silently shipped a repair on October 23, 2025, experiences no in‑the‑wild exploitation, and advises customers to make sure AI‑Bolit is up to date and computerized updates stay enabled.
Learn extra:
SolarWinds Serv‑U RCE Chain (CVE‑2025‑40547/40548/40549)
SolarWinds patched three crucial Serv‑U vulnerabilities in model 15.5.3 that enable admins to escalate into arbitrary code execution by way of logic abuse, damaged entry management, and path restriction bypass. Whereas exploitation requires administrative entry, Linux deployments face crucial CVSS 9.1 affect as a result of typical service privileges, and legacy Serv‑U releases at the moment are finish‑of‑life, heightening operational threat. Upgrading to fifteen.5.3 or later brings each the CVE fixes and added defenses equivalent to ED25519 key help, stronger IP blocking, account lockouts, HSTS, X‑Forwarded‑For protections, and minimal password insurance policies.
Learn extra:
Twonky Server Authentication Bypass (CVE‑2025‑13315 & CVE‑2025‑13316)
Rapid7 disclosed two crucial Twonky Server flaws in model 8.5.2 that permit unauthenticated attackers acquire full admin entry by abusing an alternate API route and hardcoded Blowfish keys. Utilizing the /nmc/rpc/ prefix, an adversary can hit the log_getfile endpoint with out auth, extract encrypted admin credentials, after which decrypt them utilizing twelve static keys embedded within the binary. With the seller indicating no patches are forthcoming, organizations ought to deal with 8.5.2 as completely weak, prohibit Twonky entry to trusted IPs, rotate credentials, and leverage Rapid7’s Metasploit and detection content material to determine uncovered techniques.
Learn extra:
Home windows Graphics JPEG RCE (CVE‑2025‑50165)
A crucial RCE within the Home windows Graphics Element (windowscodecs.dll) lets attackers weaponize crafted JPEG photographs to grab management of techniques with a CVSS rating of 9.8 and no consumer interplay past opening or previewing a file. Zscaler ThreatLabz found the difficulty by way of focused fuzzing of the Home windows Imaging Element, tracing an untrusted pointer dereference in JPEG encode/decode paths that permits heap spraying, ROP chains, and Management Circulate Guard bypass on 64‑bit techniques. Microsoft patched affected Home windows Server 2025 and Home windows 11 24H2 builds on August 12, 2025, and admins are urged to prioritize these updates, restrict computerized picture previews, sandbox untrusted content material, and harden excessive‑worth property earlier than widespread exploitation emerges.
Learn extra:
Instruments
TaskHound: New Home windows Scheduled Process Safety Device
A brand new open-source safety device known as TaskHound has been launched to assist penetration testers and safety professionals determine high-risk Home windows scheduled duties that might expose techniques to assaults. The device mechanically discovers duties operating with privileged accounts and saved credentials, making it a beneficial addition to safety assessments. TaskHound stands out by automating the invention of harmful scheduled duties throughout Home windows networks, scanning distant machines over SMB and parsing process XML information to determine safety weaknesses. The device integrates with BloodHound for correlating scheduled duties with assault path knowledge and helps each fashionable BloodHound Group Version and legacy codecs.
Learn extra:
Microsoft Menace Intelligence Briefing Agent Now in Defender Portal
Microsoft has unveiled vital enhancements to menace intelligence at Ignite 2025, bringing the Menace Intelligence Briefing Agent immediately into the Defender portal. This integration marks a pivotal shift in how safety groups strategy cyber protection, transferring from reactive responses to proactive menace anticipation. The device delivers each day custom-made briefings that mix Microsoft’s international menace intelligence with organization-specific insights, saving analysts numerous hours beforehand spent manually gathering info from a number of sources. Microsoft has additionally expanded entry to its complete menace intelligence library by Menace Analytics, now out there to each Defender XDR and Sentinel-only prospects in Public Preview at no further price.
Learn extra:
Sysmon Coming Natively to Home windows
Microsoft is bringing native Sysmon performance immediately into Home windows, eliminating the necessity for guide deployment and separate downloads. Beginning subsequent yr, Home windows 11 and Home windows Server 2025 will embrace System Monitor capabilities, remodeling how safety groups detect threats and examine incidents. For years, Sysmon has been the go-to device for IT directors, safety professionals, and menace hunters looking for deep visibility into Home windows techniques. The native integration solves crucial ache factors by offering prompt menace visibility with automated compliance by customary Home windows Replace and official customer support help. Key detection capabilities embrace course of creation monitoring, community connection monitoring, credential entry detection, file system monitoring, and WMI persistence monitoring.
Learn extra:
Cyberattack
Iranian SpearSpecter espionage marketing campaign
Iran’s IRGC‑linked operators, tracked as APT42/Mint Sandstorm, are focusing on senior authorities and protection officers with the “SpearSpecter” marketing campaign, utilizing pretend convention invitations and trust-building WhatsApp conversations to ship malware. The assault chain abuses the Home windows search‑ms protocol to entry a malicious WebDAV share, dropping the in‑reminiscence TAMECAT PowerShell backdoor to steal credentials, seize screenshots, and exfiltrate knowledge by way of Telegram and Discord whereas evading detection.
Learn extra:
Report 15.7 Tbps DDoS in opposition to Azure
Microsoft Azure efficiently mitigated a record-breaking 15.72 Tbps DDoS assault focusing on a buyer in Australia, orchestrated by the Aisuru botnet which mobilized over 500,000 compromised IoT units. The assault, which peaked at 3.64 billion packets per second, utilized UDP floods and randomized ports, however was neutralized by Azure’s international scrubbing facilities with out inflicting service downtime, persevering with a pattern of escalating hyper-scale assaults.
Learn extra:
Lazarus “ScoringMathTea” RAT targets UAV corporations
The North Korean Lazarus APT group has deployed a brand new distant entry trojan dubbed “ScoringMathTea” to focus on protection industrial base entities, particularly these concerned in UAV manufacturing. This refined C++ malware employs superior evasion methods, together with loading payloads immediately into reminiscence to keep away from disk detection and utilizing a customized C2 communication protocol that mimics authentic site visitors to take care of persistent entry for espionage.
Learn extra:
Huge bulletproof internet hosting takedown
Dutch authorities have seized roughly 250 servers backing hundreds of digital domains in a significant operation in opposition to a “bulletproof” internet hosting supplier used extensively for ransomware, phishing, and command-and-control infrastructure. The takedown disrupts a crucial logistical node for cybercriminals who relied on the host’s refusal to cooperate with legislation enforcement, doubtlessly yielding vital intelligence on a number of menace actor teams.
Learn extra:
Malicious “free VPN” Chrome extensions with 9M installs
A cluster of malicious Chrome extensions marketed as “Free Limitless VPN” instruments has been eliminated after accumulating 9 million installs whereas secretly turning consumer browsers right into a proxy botnet. These extensions intercepted navigation occasions and injected malicious JavaScript to monetize consumer site visitors, highlighting the continued threat of granting broad permissions to unverified browser add-ons.
Learn extra:
Operation WrtHug hijacks ASUS routers
Operation WrtHug has compromised hundreds of ASUS routers globally by exploiting a series of vulnerabilities in older firmware variations to put in a customized botnet. The attackers leverage these compromised edge units as residential proxies to masks malicious site visitors and launch additional assaults, emphasizing the crucial want for customers to interchange end-of-life {hardware} and apply firmware updates.
Learn extra:
Energetic RCE exploitation in 7‑Zip
Attackers are actively exploiting a distant code execution vulnerability (CVE-2025-11001) within the in style 7-Zip file archiver, which permits arbitrary code execution by way of malicious archives. The flaw stems from improper dealing with of symlinks, and with proof-of-concept code public, organizations are urged to replace to the newest model (25.00+) instantly to stop compromise by way of e mail or net downloads.
Learn extra:
Brute-force wave on Palo Alto GlobalProtect
Cybersecurity researchers have detected a large spike in brute-force assaults focusing on Palo Alto Networks GlobalProtect VPN portals, aiming to breach enterprise networks by way of credential stuffing. The marketing campaign focuses on figuring out legitimate consumer accounts for preliminary entry, prompting defenders to implement multi-factor authentication (MFA) and monitor for anomalous login failures on their VPN gateways.
Learn extra:
Threats
Outlook NotDoor Backdoor Detection Strategies – APT28/Fancy Bear-linked malware exploits Outlook macros for persistence and knowledge theft, utilizing DLL sideloading and registry modifications to ascertain command-and-control communications whereas evading detection.
Learn extra:
Yurei Ransomware Encryption Evaluation – Go-based ransomware makes use of ChaCha20-Poly1305 and secp256k1-ECIES dual-layer encryption, focusing on transportation, IT, advertising, and meals industries in Sri Lanka and Nigeria with case-by-case ransom calls for.
Learn extra:
Xanthorox AI Generates Unrestricted Malware – Darknet AI device constructed on Google’s Gemini Professional mannequin generates ransomware and malicious code with out security restrictions, charging $300 month-to-month for primary entry and $2,500 yearly for superior options.
Learn extra:
UNC1549 Iranian Group Deploys TWOSTROKE Backdoor – Iranian-backed menace group targets aerospace, aviation, and protection sectors with customized backdoors that includes distinctive hashes per deployment, exploiting DLL search order hijacking in FortiGate, VMWare, Citrix, Microsoft, and NVIDIA executables.
Learn extra:
Remcos RAT Command-and-Management Community Mapped – Over 150 lively Remcos C2 servers tracked worldwide, primarily working on port 2404 with further exercise on ports 5000, 5060, 5061, 8268, and 8808, hosted on COLOCROSSING, RAILNET, and CONTABO infrastructure.
Learn extra:
WhatsApp Display-Sharing Rip-off Exploits Customers – Social engineering assault impersonates financial institution representatives and Meta help to trick customers into sharing screens throughout video calls, resulting in account takeovers and monetary losses together with one HK$5.5 million case in Hong Kong.
Learn extra:
npm Malware Makes use of Adspect Cloaking Know-how – Menace actor dino_reborn created seven malicious npm packages with fingerprinting techniques that distinguish victims from researchers, displaying pretend CAPTCHAs to victims whereas displaying clean pages to analysts.
Learn extra:
Nova Stealer Swaps macOS Crypto Purposes – Bash-based malware replaces authentic Ledger Dwell, Trezor Suite, and Exodus purposes with pretend variations that steal seed phrases in real-time, utilizing LaunchAgent persistence and indifferent display periods.
Learn extra:
Xillen Stealer v4/v5 Evades AI Detection – Python-based cross-platform stealer targets 100+ browsers and 70+ cryptocurrency wallets, implementing AIEvasionEngine with behavioral mimicking, polymorphic code transformation, and P2P C2 over blockchain and Tor networks.
Learn extra:
Information Breach
Princeton College donor database breach
Attackers accessed a Princeton College Development database on November 10, 2025, exposing private particulars of alumni and donors, although monetary knowledge and Social Safety numbers weren’t compromised.Learn extra:
Eurofiber France ticketing platform compromise
A vulnerability in Eurofiber France’s ticket administration system allowed hackers to steal buyer knowledge on November 13, 2025, however banking info remained safe and companies continued with out interruption.Learn extra:
DoorDash social engineering–pushed knowledge breach
DoorDash confirmed {that a} social engineering assault on an worker uncovered consumer names, addresses, and telephone numbers, although no monetary or authorities ID info was accessed.Learn extra:
WhatsApp contact discovery flaw exposes 3.5 billion numbers
Researchers exploited a weak spot in WhatsApp’s contact discovery function to enumerate 3.5 billion lively telephone numbers and scrape public profile knowledge throughout 245 nations.Learn extra:
Salesforce–Gainsight OAuth Abuse
Salesforce warned that attackers are abusing compromised OAuth tokens from Gainsight purposes to entry buyer knowledge by way of trusted integrations, highlighting vital SaaS provide chain dangers.Learn extra:
Tech Information
Google to Penalize Battery-Draining Apps
Google is introducing strict battery effectivity requirements for the Play Retailer beginning March 1, 2026, using a brand new “extreme partial wake locks” metric in Android vitals. Apps that maintain wake locks for greater than two cumulative hours in 5% of periods over 28 days might face decreased visibility and warning labels to guard consumer system life.Learn extra:
Cloudflare International Outage Disrupts Main Platforms
A big inner service degradation at Cloudflare on November 18, 2025, triggered widespread HTTP 500 errors and disrupted core companies together with the dashboard and API. The outage impacted tens of millions of customers throughout main platforms like X, ChatGPT, and Spotify, underscoring the fragility of centralized web infrastructure.Learn extra:
Microsoft Groups Provides False-Constructive Reporting
Microsoft Groups is rolling out a function that permits customers to report messages they imagine had been incorrectly flagged as safety threats, immediately enhancing detection fashions. Organizations with Defender for Workplace 365 or Defender XDR can now centralize these consumer submissions within the Defender portal to refine AI menace classification.Learn extra:
pi GPT Device for Native AI Administration
The newly launched pi GPT device integrates OpenAI’s ChatGPT with Raspberry Pi units, enabling customers to handle and code on their units by way of pure language prompts with out cloud dependency. By utilizing noBGP’s deterministic networking, it provides safe, native management for duties like restarting servers or debugging scripts immediately from chat.Learn extra:
Home windows 11 Hides Crash Errors on Public Shows
Microsoft launched a brand new Home windows 11 mode for public-facing screens that suppresses the Blue Display of Dying (BSOD) and error dialogs to stop public embarrassment. Essential errors are displayed for less than 15 seconds for diagnostics earlier than the display turns black, requiring guide interplay to reactivate.Learn extra:
Home windows 11 24H2 Replace Breaks Shell Parts
Microsoft confirmed that the Home windows 11 model 24H2 replace (KB5062553) causes crucial failures within the Begin Menu, Taskbar, and Settings as a result of a race situation in XAML bundle registration. The problem, distinguished in VDI environments, requires guide PowerShell re-registration of dependency packages or synchronous logon scripts to resolve.Learn extra:
