Guru Baran, Author at Cyber Security News
https://cybersecuritynews.com/author/guru/
World's #1 Premier Cybersecurity and Hacking News Portal
Fri, 21 Nov 2025 05:41:21 +0000

Salesforce Confirms that Customers’ Data Was Accessed Following the Gainsight Breach
https://cybersecuritynews.com/salesforce-gainsight-breach/
Fri, 21 Nov 2025 04:41:23 +0000

The post Salesforce Confirms that Customers’ Data Was Accessed Following the Gainsight Breach appeared first on Cyber Security News.

Salesforce has issued a critical security alert identifying “unusual activity” involving Gainsight-published applications connected to customer environments.

The CRM giant’s investigation indicates that this activity may have enabled unauthorized access to Salesforce data through the applications’ external connections.

In an immediate response to contain the threat, Salesforce has revoked all active access and refresh tokens associated with the affected Gainsight apps and temporarily removed them from the AppExchange.

Salesforce explicitly stated that this incident does not stem from a vulnerability within the Salesforce platform itself. Instead, it exploits the trust relationship between the platform and third-party integrations.

The attack leverages compromised OAuth tokens and digital keys that allow apps to access data without sharing user credentials.

Salesforce Gainsight Breach

This mirrors the tactics used in the August 2025 campaign involving Salesloft Drift, in which attackers used stolen OAuth tokens to bypass authentication and access CRM-layer data, such as business contacts and case logs, across hundreds of organizations.

Gainsight had previously acknowledged its exposure to the Salesloft Drift incident, confirming that stolen secrets from that breach were the likely root cause. Now, threat actors appear to be replaying the same playbook: combining stolen OAuth tokens with over-permissioned applications to create a “perfect attack chain” that bypasses traditional perimeter defenses.

Security researchers have linked this campaign to ShinyHunters (also tracked as UNC6040), a threat group notorious for targeting SaaS ecosystems. This group typically employs social engineering to trick users into approving malicious apps or, as seen here, pivots from one compromised vendor to another.

From a Third-Party Risk Management (TPRM) perspective, this incident exemplifies a “supply-chain blast radius” event, where a single compromised vendor serves as a gateway into dozens of downstream environments.

Risk in modern SaaS ecosystems no longer travels linearly; it fans out, creating exponential exposure from a single point of failure.

Organizations using Gainsight integrations must assume their current connections are compromised until re-authenticated. Teams should immediately audit every connected app in their Salesforce instance, removing or restricting any integration that does not require wide API access.

It is critical to rotate vendor OAuth tokens immediately and treat any token with broad permissions as high-risk. Furthermore, security teams should harden their approval processes for new integrations, as threat actors have previously used social engineering to get malicious apps approved.

Ferhat Dikbiyik, Chief Research and Intelligence Officer (CRIO) at Black Kite, told cybersecuritynews.com that “this wasn’t a breach of Salesforce’s core platform. Instead, attackers linked to ShinyHunters (ScatteredSpider Lapsu$ Hunters) exploited a third-party integration, using access from a compromised vendor to pull customer data out of Salesforce environments. And there’s an important pattern here.”

“Gainsight has already acknowledged exposure in a previous campaign involving Salesloft Drift, where stolen OAuth tokens were used to access Salesforce data across many organizations. In that earlier case, Gainsight disconnected the Salesloft app and confirmed that only CRM-layer data, mostly business contact info and some Salesforce case text, had been accessed.”

Oracle Allegedly Breached by Clop Ransomware via E-Business Suite 0-Day Hack
https://cybersecuritynews.com/oracle-breach-clop-ransomware/
Fri, 21 Nov 2025 03:38:16 +0000

The post Oracle Allegedly Breached by Clop Ransomware via E-Business Suite 0-Day Hack appeared first on Cyber Security News.

The notorious Clop ransomware gang has listed Oracle on its dark web leak site, alleging a successful breach of the tech giant’s internal systems.

This development is part of a massive extortion campaign exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS), designated as CVE-2025-61882.

The group, tracked as Graceful Spider, claims to have exfiltrated sensitive data from Oracle and dozens of its high-profile customers, marking a significant escalation in supply chain attacks reminiscent of the MOVEit incident.

The Zero-Day Exploit: CVE-2025-61882

The attack vector centers on a critical, unauthenticated remote code execution (RCE) vulnerability in Oracle E-Business Suite.

Security researchers indicate that Clop affiliates began exploiting this flaw as early as August 2025, months before Oracle released a patch in October 2025.

The exploit chain specifically targets the OA_HTML/SyncServlet endpoint to bypass authentication, followed by malicious XSLT template injection via OA_HTML/RF.jsp to execute arbitrary commands.

This “pre-auth” nature allowed attackers to compromise servers without valid credentials, granting them full control over sensitive ERP data.

Vulnerability Detail | Technical Specification
CVE ID | CVE-2025-61882
Affected Product | Oracle E-Business Suite (Versions 12.2.3 – 12.2.14)
Vulnerability Type | Unauthenticated Remote Code Execution (RCE)
CVSS Score | 9.8 (Critical)
Exploit Vector | Authentication Bypass via SyncServlet & XSLT Injection
Patch Status | Patched (October 2025 Security Alert)

Extortion Campaign and High-Profile Victims

Evidence from Clop’s leak site displays a “PAGE CREATED” status for ORACLE.COM, appearing alongside major entities such as MAZDA.COM, HUMANA.COM, and the Washington Post.

The listing of Oracle Corporation itself suggests the vendor may have fallen victim to its own software flaw, potentially exposing internal corporate data.

Victims report receiving extortion emails from addresses like support@pubstorm[.]com, threatening the release of financial and personal records if ransom demands are not met.

Critical Windows Graphics Vulnerability Lets Hackers Seize Control with a Single Image
https://cybersecuritynews.com/critical-windows-graphics-vulnerability/
Thu, 20 Nov 2025 16:26:58 +0000

The post Critical Windows Graphics Vulnerability Lets Hackers Seize Control with a Single Image appeared first on Cyber Security News.

A critical remote code execution flaw in Microsoft’s Windows Graphics Component allows attackers to seize control of systems using specially crafted JPEG images.

With a CVSS score of 9.8, this vulnerability poses a severe threat to Windows users worldwide, as it requires no user interaction for exploitation.

Discovered in May 2025 and patched by Microsoft on August 12, 2025, the issue stems from an untrusted pointer dereference in the windowscodecs.dll library, affecting core image processing functions.

Attackers can embed the malicious JPEG in everyday files like Microsoft Office documents, enabling silent compromise when the file is opened or previewed.

This flaw highlights ongoing risks in legacy graphics handling, where seemingly innocuous image decoding can result in a complete system takeover. As Windows powers billions of devices, unpatched systems remain highly exposed to phishing campaigns or drive-by downloads.

Zscaler ThreatLabz identified the vulnerability through targeted fuzzing of the Windows Imaging Component, focusing on JPEG encoding and decoding paths in windowscodecs.dll.

The entry point for exploitation lies in the GpReadOnlyMemoryStream::InitFile function, where manipulated buffer sizes allow attackers to control memory snapshots during file mapping.

Fuzzing revealed a crash triggered by dereferencing an uninitialized pointer at jpeg_finish_compress+0xcc, exposing user-controllable data via heap spraying.

Stack traces from WinDbg analysis pointed to key functions like CJpegTurboFrameEncode::HrWriteSource and CFrameEncodeBase::WriteSource, confirming the flaw in JPEG metadata encoding processes.

This uninitialized resource issue enables arbitrary code execution without privileges, making it exploitable over networks. Microsoft confirmed the vulnerability affects automatic image rendering in applications reliant on the Graphics Component.

Affected Versions and Patching

The vulnerability impacts recent Windows releases, particularly those using vulnerable builds of windowscodecs.dll. Organizations must prioritize updates to mitigate risks, as exploitation could chain with other attacks for lateral movement in networks.

Product | Impacted Version | Patched Version
Windows Server 2025 | 10.0.26100.4851 | 10.0.26100.4946
Windows 11 Version 24H2 (x64) | 10.0.26100.4851 | 10.0.26100.4946
Windows 11 Version 24H2 (ARM64) | 10.0.26100.4851 | 10.0.26100.4946
Windows Server 2025 (Core) | 10.0.26100.4851 | 10.0.26100.4946

Exploitation Mechanics and Proof-of-Concept

Exploiting CVE-2025-50165 involves crafting a JPEG that triggers the pointer dereference during decoding, often via embedded files in Office or third-party apps.

For 64-bit systems, attackers bypass Control Flow Guard using Return-Oriented Programming (ROP) chains in sprayed heap chunks of size 0x3ef7. This pivots execution by creating read-write-execute memory with VirtualAlloc and loading shellcode for persistent access.

Windows Graphics Vulnerability Exploit

Zscaler’s proof-of-concept demonstrates heap manipulation through an example app that allocates, frees, and processes Base64-encoded JPEGs, achieving RIP control.

While no in-the-wild exploits have been reported, the low complexity and wide network reach make it a prime target for ransomware or espionage. CFG is disabled by default in 32-bit versions, easing attacks on older setups.

Users should immediately apply the August 2025 Patch Tuesday updates via Windows Update, targeting high-value assets first. Disable automatic image previews in email clients and enforce sandboxing for untrusted files. Zscaler has implemented cloud-based protections to block exploit attempts.

This incident underscores the perils of unpatched graphics libraries in enterprise environments, where JPEGs are ubiquitous in workflows.

As threat actors evolve tactics, timely patching remains the strongest defense against such pixel-perfect poisons. With no observed active exploitation yet, proactive measures can prevent widespread damage.

Lessons from Oracle E-Business Suite Hack That Allegedly Compromises Nearly 30 Organizations Worldwide
https://cybersecuritynews.com/oracle-e-business-suite-hack/
Thu, 20 Nov 2025 13:20:27 +0000

The post Lessons from Oracle E-Business Suite Hack That Allegedly Compromises Nearly 30 Organizations Worldwide appeared first on Cyber Security News.

A sophisticated cyberattack targeting Oracle E-Business Suite (EBS) customers has exposed critical vulnerabilities in enterprise resource planning systems, compromising an estimated 100 organizations worldwide between July and October 2025.

The campaign, attributed to the notorious Clop ransomware group and linked to the financially motivated threat actor FIN11, exploited a zero-day vulnerability, CVE-2025-61882, to achieve unauthenticated remote code execution on internet-facing EBS portals.

With nearly 30 victims publicly named and data leaks containing hundreds of gigabytes to several terabytes of sensitive corporate information, this incident serves as a stark reminder of the evolving threat landscape facing modern enterprises.

The breach affected prominent organizations, including Harvard University, The Washington Post, Logitech, Schneider Electric, and American Airlines’ subsidiary Envoy Air, exposing financial records, human resources data, supply chain information, and customer details.

The Oracle EBS campaign represents a textbook example of how threat actors exploit widely used enterprise software to achieve mass compromise.

Oracle E-Business Suite serves as the operational backbone for thousands of organizations worldwide, managing critical functions including finance, human resources, supply chain operations, procurement, and customer relationship management.

By compromising this centralized platform, attackers gained access to the most sensitive data repositories within victim organizations, effectively turning a trusted business tool into an attack vector.

Google Threat Intelligence Group (GTIG) and Mandiant researchers traced the earliest exploitation activity to July 10, 2025, with confirmed data theft beginning by August 9, 2025, weeks before Oracle released emergency patches.

The sophisticated nature of the attack, involving fileless malware and multi-stage payloads, enabled the threat actors to evade traditional file-based detection systems while maintaining persistent access to compromised environments.

Charles Carmakal, CTO of Mandiant Consulting, emphasized the pre-patch exploitation timeline, noting that attackers leveraged the zero-day vulnerability before defensive measures became available.

The campaign surfaced publicly on September 29, 2025, when executives at numerous organizations received extortion emails from actors claiming affiliation with the Clop brand.

These emails, sent from hundreds of compromised third-party accounts to bypass spam filters, alleged the theft of sensitive data from victims’ Oracle EBS environments and threatened public disclosure unless ransom demands were met.

The use of stolen credentials from infostealer malware logs represents a sophisticated social engineering tactic designed to add legitimacy to the extortion attempts.

Technical Exploitation: A Five-Stage Attack Chain

CVE-2025-61882, assigned a critical CVSS score of 9.8, enabled unauthenticated attackers to achieve remote code execution on Oracle EBS versions 12.2.3 through 12.2.14 without requiring any user interaction.

The vulnerability resides in the Oracle Concurrent Processing component and was actively exploited in the wild before patches became available, qualifying it as a true zero-day threat.

Security researchers from watchTowr Labs published a comprehensive technical analysis revealing that the exploit chains together five distinct vulnerabilities to achieve pre-authenticated remote code execution.

The attack begins with a Server-Side Request Forgery (SSRF) vulnerability in the /OA_HTML/configurator/UiServlet endpoint, which accepts XML documents from unauthenticated users via the getUiType parameter.

When the redirectFromJsp parameter is present, the servlet parses the XML to extract a return_url and creates an outbound HTTP request, allowing attackers to force the server to contact arbitrary hosts.

With SSRF control established, attackers inject Carriage-Return Line-Feed (CRLF) sequences into the URL payload to manipulate request framing and insert malicious headers.

This CRLF injection enables adversaries to convert simple GET requests into crafted POST requests and smuggle additional data to downstream services. The exploit leverages HTTP connection reuse through keep-alive mechanisms, allowing staged requests to be pipelined over the same TCP socket for improved timing reliability.

Armed with POST-capable SSRF and header injection, attackers target internal services that are normally unreachable from public interfaces. Oracle EBS installations frequently expose internal HTTP services bound to private IP addresses and ports, commonly on port 7201.

The exploit uses path-traversal techniques to bypass pathname-based authentication filters and retrieve restricted JSP pages, transforming internal-only resources into attacker-controllable execution paths. Researchers documented this technique by accessing the ieshostedsurvey.jsp endpoint via path manipulation: /OA_HTML/help/../ieshostedsurvey.jsp.

Once attackers reach the vulnerable JSP endpoint, the application constructs an XSL stylesheet URL by concatenating the incoming Host header with /ieshostedsurvey.xsl.

The server creates a URL object and passes it to Java’s XSL processing pipeline, which downloads and executes the stylesheet from the attacker-controlled server.

Because Java XSLT supports extension functions and can invoke arbitrary Java classes, the attacker-supplied XSL file decodes payloads and invokes javax.script or other extensions to execute arbitrary code within the Java Virtual Machine.

This final unsafe XSLT processing stage grants attackers complete remote code execution capability on the compromised system.

Mandiant investigators identified a secondary exploitation chain targeting the /OA_HTML/SyncServlet component in the August 2025 activity. This alternate attack path demonstrated the threat actors’ sophisticated understanding of Oracle EBS architecture and their ability to develop multiple exploitation techniques.

The malware deployed following exploitation included GOLDVEIN.JAVA, an in-memory Java-based loader that fetches second-stage payloads, showing logical similarities to malware used in suspected Clop campaigns against Cleo managed file transfer systems in late 2024.

As of November 2025, the Clop data leak site listed 29 alleged victims spanning multiple sectors, including education, media, manufacturing, aerospace, technology, professional services, mining, construction, insurance, financial services, transportation, automotive, energy, and HVAC industries.

Confirmed victims who publicly acknowledged the breach include Harvard University, Wits University in South Africa, American Airlines subsidiary Envoy Air, The Washington Post, and Logitech.

Major industrial corporations named on the leak site include Schneider Electric, Emerson, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland, though most have not publicly confirmed the incidents.

The Washington Post confirmed on November 6, 2025, that it was among the victims, though the organization declined to share specific details about the compromise. Logitech similarly disclosed a data breach shortly after being named on the Clop leak site.

In a particularly severe case, GlobalLogic reported on November 11, 2025, that personal information of 10,471 current and former employees was stolen, including names, addresses, phone numbers, emergency contacts, email addresses, dates of birth, nationalities, passport information, tax identifiers, salary information, and bank account details.

Cybercriminals leaked data allegedly stolen from 18 victims, with some releases totaling hundreds of gigabytes and others reaching several terabytes. Limited structural analysis conducted by security researchers concluded that the leaked files likely originated from Oracle environments, lending credibility to the threat actors’ claims.

The extent of data exposure underscores the comprehensive access attackers achieved to victims’ EBS systems, which integrate finance, HR, supply chain, and procurement functions into centralized databases.

Shadowserver researchers released data on October 8, 2025, showing 576 potentially vulnerable IP addresses based on internet scanning for the zero-day vulnerability.

This figure represents only internet-exposed Oracle EBS instances and does not account for organizations that may have been compromised but maintained the systems behind firewalls or other network security controls.

Threat Actor Attribution and Tactics

The campaign bears the hallmarks of the Clop ransomware group, also tracked as FIN11 and TA505, a financially motivated threat actor with a documented history of mass exploitation campaigns targeting enterprise software vulnerabilities.

To substantiate their extortion claims, threat actors provided legitimate file listings from victim EBS environments to multiple organizations, with data timestamps dating back to mid-August 2025.

This tactic demonstrates the attackers’ possession of genuine stolen data and serves to pressure victims into negotiating ransom payments. Consistent with modern extortion operations, the threat actors typically specify payment amounts and methods only after victims contact them and indicate authorization to negotiate.

The campaign methodology mirrors previous Clop operations, particularly the mass exploitation of vulnerabilities in MOVEit file transfer software in 2023, which affected hundreds of organizations globally.

The group was also linked to the exploitation of Cleo file transfer software flaws starting in late 2024 and previous attacks on Fortra file transfer products. This pattern of targeting widely deployed enterprise software to simultaneously compromise numerous organizations has become a signature tactic for the threat actor.

Mandiant researchers identified overlaps between the Oracle EBS campaign and leaked exploit code posted on October 3, 2025, by Scattered Lapsus$ Hunters, also known as ShinyHunters, a group linked to social engineering attacks against retailers and other companies.

The group claimed credit for a recent attack disrupting production at Jaguar Land Rover. However, researchers emphasized they could not definitively assess whether the July exploitation activity involved that specific exploit code or establish direct connections between the early Oracle activity and ShinyHunters.

GTIG analysis noted that post-exploitation tooling showed “logical similarities” to malware deployed in other suspected Clop campaigns.

The use of compromised third-party email accounts for the extortion campaign represents a sophisticated operational security measure, as credentials sourced from infostealer malware logs on underground forums enable threat actors to send messages that bypass spam filters and appear more legitimate to recipients.

Oracle’s Response and Patch Timeline

Oracle’s response to the vulnerability disclosure followed a multi-stage timeline that raised concerns about the gap between initial exploitation and patch availability.

The company released a Critical Patch Update in July 2025 that addressed several EBS vulnerabilities, but this update predated the emergency patch for CVE-2025-61882 by several months. Security researchers documented suspicious activity potentially related to exploitation dating back to July 10, 2025, even before the July patches were released.

On October 2, 2025, Oracle reported that threat actors may have exploited vulnerabilities patched in the July 2025 update and recommended that customers apply the latest Critical Patch Updates.

Two days later, on October 4, 2025, Oracle released an emergency Security Alert specifically addressing CVE-2025-61882. The advisory confirmed that the vulnerability is remotely exploitable without authentication and, if successfully exploited, may result in remote code execution.

Oracle strongly recommends that customers apply the updates immediately, emphasizing its longstanding guidance to remain on actively supported versions and to apply all Security Alerts and Critical Patch Updates without delay.

The emergency patch carried a critical prerequisite: organizations must first install the October 2023 Critical Patch Update before applying the CVE-2025-61882 patch.

This requirement can complicate and delay remediation efforts for organizations that do not maintain current patch levels. Oracle updated the guidance on October 11, 2025, with GTIG assessing that Oracle EBS servers updated through this patch were likely no longer vulnerable to known exploitation chains.

On October 8, 2025, Oracle released an additional Security Alert for CVE-2025-61884, a high-severity vulnerability affecting the Runtime UI component of Oracle Configurator.

This vulnerability enables unauthenticated remote attackers with network access via HTTP to compromise Oracle Configurator and access sensitive resources. Rob Duhart, Oracle’s Chief Security Officer, noted that the vulnerability affects “some deployments” of Oracle E-Business Suite, suggesting configuration-dependent exposure.

Oracle’s advisories included Indicators of Compromise (IOCs) derived from observed exploitation, including IP addresses, command patterns, and file hashes for suspected exploit scripts.

The publication of these IOCs enabled defensive teams to hunt for evidence of compromise in their environments, though the fileless nature of the malware complicated detection efforts.

Zero-Day Exploitation Before Patches

The timeline between initial exploitation and patch availability represents one of the most concerning aspects of the Oracle EBS campaign. Mandiant confirmed that threat actors exploited CVE-2025-61882 as a zero-day vulnerability against Oracle EBS customers as early as August 9, 2025, with additional suspicious activity potentially dating back to July 10, 2025.

Oracle did not release the emergency patch until October 4, 2025, creating a window of approximately eight weeks between confirmed exploitation and patch availability, during which victims had no vendor-supplied defensive measures.

This exploitation timeline highlights a fundamental challenge in enterprise software security: the asymmetry between attacker capabilities and defender readiness.

Sophisticated threat actors invest significant resources in vulnerability research and exploit development, often discovering flaws before vendors or security researchers identify them.

Once weaponized, these zero-day vulnerabilities give attackers a critical advantage, enabling them to compromise systems before defenses are in place.

Charles Carmakal emphasized the gravity of the pre-patch exploitation timeline in his LinkedIn post, warning that organizations should proactively investigate for signs of compromise regardless of their current patching status.

This guidance recognizes that applying patches remediates future exploitation of vulnerabilities but does not address existing compromises that occurred during the zero-day window.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog on October 6, 2025, confirming active exploitation in ransomware campaigns.

This designation triggers binding operational directive requirements for federal agencies to patch affected systems within specified timeframes and serves as a strong signal to private sector organizations about the critical nature of the threat.

Several security experts recommend migrating from on-premises Oracle EBS to cloud-based Oracle Fusion Cloud Applications to enhance security.

SaaS models like Oracle Fusion shift some security responsibilities to the vendor, who continuously updates security controls. The Oracle Fusion Cloud Supply Chain Management platform integrates security measures and supports decision-making during disruptions.

Organizations on EBS should adopt a “security-first mindset” from the design phase, embedding security into architecture, access controls, and patch management. Regular security assessments, including vulnerability scanning and penetration testing, help identify weaknesses before they can be exploited.

The Oracle EBS campaign affecting around 30 organizations highlights systemic challenges in defending against sophisticated threats. The exploitation of zero-day vulnerabilities and fileless malware showcases modern cyber threats, indicating that organizations must limit internet exposure, maintain patch discipline, and implement defense-in-depth strategies.

The impact of this campaign may reach beyond the identified victims, with assessments suggesting over 100 organizations could be affected. Organizations using specific Oracle EBS versions should check their patch status, look for indicators of compromise, and ensure their security controls are up to date.

This incident underscores the necessity of collective security responsibility among vendors, customers, and researchers. Organizations must evolve their defensive strategies from reactive to proactive, treating this event as an opportunity for significant security transformation.

Threat Actors Allegedly Selling Microsoft Office 0-Day RCE Vulnerability on Hacking Forums
https://cybersecuritynews.com/microsoft-office-0-day-rce-claim/
Thu, 20 Nov 2025 12:17:01 +0000

The post Threat Actors Allegedly Selling Microsoft Office 0-Day RCE Vulnerability on Hacking Forums appeared first on Cyber Security News.

A threat actor known as Zeroplayer has reportedly listed a zero-day remote code execution (RCE) vulnerability, combined with a sandbox escape, targeting Microsoft Office and Windows systems for sale on underground hacking forums.

Priced at $30,000, the exploit purportedly works on most Office file formats, including the latest versions, and affects fully patched Windows installations.

This development raises alarms in the cybersecurity community: if the claim is genuine, the chain would bypass Office's sandbox protections and execute arbitrary code with minimal user interaction.

The advertisement, posted in Russian on a prominent hacking forum, describes the vulnerability as a high-impact 0-day capable of delivering payloads through malicious Office documents.

Zeroplayer claims the exploit chain allows remote attackers to escape the Office sandbox, a security feature designed to isolate potentially harmful code, and achieve full system compromise on Windows.

Delivery methods involve embedding the exploit in common file types like Word or Excel documents, which could be distributed via phishing emails or compromised websites.

Forum screenshot: alleged Microsoft Office 0-day listing

Details of the Hacker Forum Listing

The seller invites private messages for demonstrations and proof-of-concept details, and stresses that the exploit works against current builds and is tuned to evade antivirus detection.

This isn’t Zeroplayer’s first foray into the exploit market; the actor previously offered a WinRAR zero-day RCE for $80,000 in July 2025, highlighting a pattern of targeting widely used productivity and archiving software.

Such sales underscore the lucrative underground economy for zero-days, where exploits fetch premium prices before public disclosure or patching.​

Microsoft’s November 2025 Patch Tuesday addressed multiple critical RCE flaws in Office, including CVE-2025-62199, a use-after-free vulnerability exploitable via malicious documents.

That release addressed known issues and did not reference this alleged 0-day, so if the claim is genuine the bug remains unpatched, and the sandbox-escape component would make it considerably more dangerous than a document-parsing bug alone.

Sandbox escapes are particularly concerning because they neutralize Protected View, the read-only sandbox Office uses for documents from the internet and other untrusted sources; code that escapes it runs with the user's full privileges on the host, from which an attacker can move laterally across the network.

Experts note that Russian-language forums like the one hosting this listing often serve as hubs for state-affiliated or opportunistic threat actors, who may weaponize such exploits for ransomware, espionage, or data theft.

Similar past incidents, such as the 2023 exploitation of CVE-2023-36884 by the Russian group Storm-0978, involved Office RCE for backdoor deployment against Western targets.​

The potential fallout from this 0-day is significant, especially for enterprises reliant on Microsoft 365. Attackers could leverage it to compromise supply chains or conduct targeted intrusions while evading endpoint detection and response (EDR) tooling.

Given Office’s ubiquity across over 1.4 billion devices globally, unpatched systems face a heightened risk of infection through spear-phishing.​

Organizations should disable macros by policy (at minimum, block macros in files that arrived from the internet), keep Protected View enabled for all untrusted documents, and deploy advanced threat protection tools. Because the claimed chain targets the sandbox itself, Microsoft Defender attack surface reduction rules that stop Office applications from creating child processes or writing executable content add a second layer that does not depend on the sandbox holding.

Tracking threat-intelligence reporting on this listing and applying upcoming patches urgently is advised, as Microsoft may accelerate fixes if exploitation evidence emerges.
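The delivery path described above (a booby-trapped Word or Excel document arriving by mail) is where a mail gateway or SOC can still triage before any parser bug fires. The following Python is an added example written for this page, not code from the article or from Microsoft: it inspects an OOXML package for the parts that usually carry the payload (a VBA project, embedded OLE or ActiveX objects, and external relationships such as a remote attached template) and builds its own sample documents in memory. The part names and relationship types are standard OOXML identifiers; the sample documents and the example.invalid URL are constructed.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML package-relationship namespace (a standard identifier).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Part names that routinely carry the payload in document-based delivery.
RISKY_PART_MARKERS = ("vbaProject.bin", "/embeddings/", "/activeX/")

# External relationship types that are normal in a document. A clickable link
# is not, by itself, an indicator; every other TargetMode="External" relation
# (attachedTemplate, oleObject, frame, ...) makes Office fetch something remote.
BENIGN_EXTERNAL_TYPES = {"hyperlink"}


def triage_ooxml(data: bytes) -> list:
    """Return a list of findings for an OOXML file (docx/xlsx/pptx).

    An empty list means no macro project, no embedded objects/ActiveX and no
    relationship that reaches out when the file is opened. It is not proof of
    safety: a parser 0-day needs none of these parts, which is why Protected
    View and ASR rules stay in place regardless of this result.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # RTF, legacy OLE2 (.doc/.xls) or something pretending to be Office:
        # hand it to a different analyser rather than treating it as clean.
        return ["not-ooxml: not a ZIP container"]

    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            findings.append("not-ooxml: missing [Content_Types].xml")
        for name in names:
            if any(marker in name for marker in RISKY_PART_MARKERS):
                findings.append(f"risky-part: {name}")
            if not name.endswith(".rels"):
                continue
            # For untrusted input in production use defusedxml; the stdlib
            # parser keeps this example dependency-free.
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append(f"malformed-rels: {name}")
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rtype not in BENIGN_EXTERNAL_TYPES:
                    findings.append(f"external-{rtype}: {name} -> {rel.get('Target')}")
    return findings


def build_sample(parts: dict) -> bytes:
    """Build a minimal OOXML-shaped package in memory (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


RELS = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
        'relationships/{rtype}" Target="{target}" TargetMode="External"/></Relationships>')

# Constructed samples: clean, remote-template injection, macro-bearing, link-only.
CLEAN_DOC = build_sample({"word/document.xml": "<doc/>"})
REMOTE_TEMPLATE_DOC = build_sample({
    "word/document.xml": "<doc/>",
    "word/_rels/settings.xml.rels": RELS.format(rtype="attachedTemplate",
                                                target="http://example.invalid/t.dotm"),
})
MACRO_DOC = build_sample({"word/document.xml": "<doc/>", "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})
LINK_ONLY_DOC = build_sample({
    "word/document.xml": "<doc/>",
    "word/_rels/document.xml.rels": RELS.format(rtype="hyperlink", target="https://example.invalid/"),
})

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_DOC), ("remote-template", REMOTE_TEMPLATE_DOC),
                       ("macro", MACRO_DOC), ("link-only", LINK_ONLY_DOC), ("rtf", b"{\\rtf1 hi}")]:
        print(label, triage_ooxml(doc))
```

A clean result is not a verdict on a parser 0-day, which needs none of these parts; it is the cheap first filter, with Protected View and ASR rules as the controls that have to hold when the filter finds nothing.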



]]>
133918
CISA Warns of Google Chrome 0-Day Vulnerability Exploited in Attacks https://cybersecuritynews.com/cisa-warns-chrome-0-day-vulnerability-exploited/ Thu, 20 Nov 2025 08:58:51 +0000 https://cybersecuritynews.com/?p=133890 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert about a zero-day vulnerability in Google Chrome, actively exploited by threat actors. CVE-2025-13223 is a flaw in the Chromium V8 JavaScript engine that poses significant risks to users worldwide, potentially enabling remote code execution and data breaches. The vulnerability stems from a […]

The post CISA Warns of Google Chrome 0-Day Vulnerability Exploited in Attacks appeared first on Cyber Security News.

]]>
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert about a zero-day vulnerability in Google Chrome, actively exploited by threat actors.

CVE-2025-13223 is a flaw in the Chromium V8 JavaScript engine that poses significant risks to users worldwide, potentially enabling remote code execution and data breaches.

The vulnerability stems from a type confusion error, classified under CWE-843, in which V8 treats an object as a different type than it actually is, corrupting the heap. Google patched the issue on November 19, 2025, via its stable channel update; affected builds are those before the fixed release (the version reported in earlier coverage, 131.0.6778.72, is a Chrome 131 build from late 2024, while Chrome's stable channel in November 2025 was on the 142 line, so confirm the exact fixed build in Google's release notes).

Attackers have already leveraged it in the wild, though details on specific campaigns remain limited. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog the same day, mandating federal agencies to apply mitigations by December 10, 2025.

Vulnerability Breakdown and Affected Systems

This zero-day sits in V8, the JavaScript engine inside Chrome's renderer process, making it a prime vector for drive-by compromise: a victim only has to load a page that runs attacker-controlled JavaScript.

While primarily affecting desktop users on Windows, macOS, and Linux, the flaw is inherited by every Chromium-based browser, including Microsoft Edge and Brave, until each vendor ships the V8 fix in its own build.

CVE ID | Affected products | Impact | Exploit prerequisites | CVSS score
CVE-2025-13223 | Google Chrome before the fixed stable build (reported as 131.0.6778.72; verify against Google's release notes); other Chromium-based browsers until they ship the V8 fix | Heap corruption in V8 leading to remote code execution in the renderer | Victim loads an attacker-controlled web page; no interaction beyond rendering | 8.8 (High)

No confirmed ties to ransomware exist yet, but experts warn of potential escalation in phishing and supply chain attacks.

CISA urges immediate updates to the latest Chrome version, with details in Google's release notes. Federal agencies must follow Binding Operational Directive 22-01, which also covers cloud-hosted services, and apply zero-trust principles. If patches aren't feasible, CISA's standing advice is to discontinue use of the product.
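A practical way to act on the KEV deadline is to join the catalog entry with a browser inventory and compare builds numerically rather than as strings. The block below is an added example for this page, not CISA's or Google's code: the KEV record uses the feed's real field names with values copied from the article, the host inventory is constructed, and the fixed build is a parameter the caller takes from Google's release notes.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The field names are
# the feed's real ones; the values are taken from the article, not pulled live.
KEV_SAMPLE = json.dumps({"vulnerabilities": [{
    "cveID": "CVE-2025-13223",
    "vendorProject": "Google",
    "product": "Chromium V8",
    "dateAdded": "2025-11-19",
    "dueDate": "2025-12-10",
    "cwes": ["CWE-843"],
}]})

# Constructed inventory of (host, product, reported version). The builds are
# invented; "99.0.4844.84" is there to show why string comparison is wrong
# ("99" sorts after "131" lexically, but it is a far older build).
INVENTORY = [
    ("ws-01", "Google Chrome", "131.0.6778.72"),
    ("ws-02", "Google Chrome", "131.0.6778.69"),
    ("ws-03", "Google Chrome", "99.0.4844.84"),
    ("ws-04", "Microsoft Edge", "131.0.2903.70"),
]

TODAY = date(2025, 11, 21)  # assumed "today" for the demonstration


def parse_build(version: str) -> tuple:
    """'131.0.6778.72' -> (131, 0, 6778, 72). Compare as integers, never as strings."""
    return tuple(int(part) for part in version.split("."))


def outstanding(kev_json: str, inventory, cve: str, product: str, fixed_build: str, today: date):
    """Hosts still running `product` below `fixed_build`, with days left on the KEV deadline.

    Browsers that embed Chromium (Edge, Brave, Opera) ship the V8 fix in their
    own builds and are returned separately for their own vendor check.
    """
    entries = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    due = date.fromisoformat(entries[cve]["dueDate"])
    fixed = parse_build(fixed_build)
    vulnerable, unchecked = [], []
    for host, prod, version in inventory:
        if prod != product:
            unchecked.append((host, prod, version))
        elif parse_build(version) < fixed:
            vulnerable.append({"host": host, "version": version,
                               "days_to_deadline": (due - today).days})
    return vulnerable, unchecked


if __name__ == "__main__":
    vuln, other = outstanding(KEV_SAMPLE, INVENTORY, "CVE-2025-13223", "Google Chrome",
                              "131.0.6778.72", TODAY)
    for row in vuln:
        print(f"{row['host']}: {row['version']} is below the fixed build, "
              f"{row['days_to_deadline']} days to the KEV deadline")
    for host, prod, version in other:
        print(f"{host}: {prod} {version} needs its own vendor check")
```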

This incident underscores the relentless pace of browser threats, especially in V8’s complex codebase. With over 3 billion users, Chrome’s dominance amplifies the stakes, as unpatched systems could fuel widespread compromises.

Security researchers highlight the need for vigilant monitoring, as zero-days like this often precede larger campaigns.

As exploitation continues, organizations should scan networks for indicators of compromise and educate users on safe browsing. Google’s swift response mitigates much of the danger, but proactive patching remains key to staying ahead of adversaries.



]]>
133890
pi GPT Tool Turns Your Raspberry Pi into A ChatGPT Powered AI-managed device https://cybersecuritynews.com/pi-gpt-tool-for-raspberry-pi/ Thu, 20 Nov 2025 08:07:56 +0000 https://cybersecuritynews.com/?p=133884 pi GPT, a custom integration for OpenAI’s ChatGPT that transforms everyday Raspberry Pi devices into fully managed AI-powered workstations. Announced on November 18, 2025, this tool empowers developers, hobbyists, and students to code, deploy, and oversee projects directly on local hardware without the usual cloud dependencies or network hassles. By leveraging noBGP’s deterministic networking, pi […]

The post pi GPT Tool Turns Your Raspberry Pi into A ChatGPT Powered AI-managed device appeared first on Cyber Security News.

]]>
pi GPT is a custom integration for OpenAI's ChatGPT that transforms everyday Raspberry Pi devices into fully managed AI-powered workstations.

Announced on November 18, 2025, this tool empowers developers, hobbyists, and students to code, deploy, and oversee projects directly on local hardware without the usual cloud dependencies or network hassles.

By leveraging noBGP's deterministic networking, pi GPT eliminates barriers like IP configuration and VPN setup, making vibe coding (building apps through natural language prompts) accessible on affordable devices like the Raspberry Pi, Nvidia Spark, or Jetson.

Traditionally, vibe coding has been tethered to cloud platforms, incurring costs and requiring complex setups for local integration.

pi GPT changes this by allowing users to direct ChatGPT prompts straight to their Raspberry Pi, turning it into a seamless development or production environment.

Developers can generate and run code on the device in real time, bypassing the need for manual SSH sessions or environment matching.

This local approach not only cuts cloud bills but also enhances privacy, as all operations stay within the user’s controlled hardware ecosystem.

For instance, a prompt like “Write a Python script to monitor sensors on my Pi” results in instant deployment and testing, fostering rapid prototyping for IoT projects or edge computing tasks.​

pi GPT Tool for Raspberry Pi

One of Pi GPT’s standout features is its prompt-based control over device operations. Users can start, stop, edit, or monitor applications on their Raspberry Pi using simple ChatGPT conversations, such as “Restart my web server on the Pi” or “Debug the error in my script”.

This AI-driven management simplifies workflows, especially for beginners or those juggling multiple devices. The tool routes commands through noBGP's overlay network, which handles authentication and execution without exposing the device to the public internet.

In cybersecurity terms this shrinks the externally exposed attack surface, as no port forwarding or firewall changes are needed for remote access. The trust boundary does not disappear, though: a remote LLM session becomes an operator with execute permissions on the device, so the security of the ChatGPT account and of the overlay's authentication now decides who can run commands on the Pi, and anything that can steer the model's output has a path to the hardware.

noBGP’s deterministic networking underpins pi GPT by providing end-to-end encrypted connectivity that avoids traditional routing pitfalls like BGP’s unpredictability.

Users gain private links between ChatGPT and their Pi, free of access control lists or public IPs, ensuring consistent, reliable communication.

Sharing becomes effortless too: deploy a web app or Minecraft server on the Pi and generate a custom URL for public or private access with a single prompt. This feature supports hybrid setups, connecting local Pis to CI/CD pipelines or AI workflows for scalable production.

pi GPT is free for non-commercial use and works with both free and paid ChatGPT accounts, available via the OpenAI GPT Store. Commercial trials are open now, with licensing to follow.

As Ryo Koyama, noBGP’s CEO, noted, “pi GPT makes vibe coding truly accessible; no cloud bills, no setup headaches”. For security researchers and content creators, this tool opens doors to secure, local testing of vulnerabilities or threat simulations on Pi hardware, aligning with edge device trends in cybersecurity.

Overall, pi GPT democratizes AI-assisted development by blending ChatGPT’s intuition with Raspberry Pi’s versatility to enable innovative, cost-effective projects.​



]]>
133884
Hackers Attacking Palo Alto Networks’ GlobalProtect VPN Portals with 2.3 Million Attacks https://cybersecuritynews.com/palo-alto-vpn-under-attack/ Thu, 20 Nov 2025 03:29:48 +0000 https://cybersecuritynews.com/?p=133848 Hackers have unleashed over 2.3 million malicious sessions against Palo Alto Networks’ GlobalProtect VPN portals since November 14, 2025, according to threat intelligence firm GreyNoise. This surge, which intensified dramatically within 24 hours to reach a 40-fold increase, represents the highest activity level in the past 90 days and underscores growing risks to remote access […]

The post Hackers Attacking Palo Alto Networks’ GlobalProtect VPN Portals with 2.3 Million Attacks appeared first on Cyber Security News.

]]>
Hackers have unleashed over 2.3 million malicious sessions against Palo Alto Networks’ GlobalProtect VPN portals since November 14, 2025, according to threat intelligence firm GreyNoise.

This surge, which intensified dramatically within 24 hours to reach a 40-fold increase, represents the highest activity level in the past 90 days and underscores growing risks to remote access systems worldwide.​

The attacks primarily target the /global-protect/login.esp URI on Palo Alto PAN-OS and GlobalProtect platforms, focusing on brute-force login attempts that could expose corporate networks to unauthorized access.

GreyNoise researchers noted the rapid buildup starting last week, with activity peaking as organizations rely heavily on these VPNs for secure remote work. This campaign not only threatens data breaches but also highlights persistent vulnerabilities in widely used network security tools.​

Surge Linked to Coordinated Threat Actors

GreyNoise has uncovered strong ties between this Palo Alto assault and earlier malicious campaigns, attributing them with high confidence to overlapping threat actors.

Key indicators include consistent TCP and JA4T fingerprints across incidents, shared infrastructure via recurring Autonomous System Numbers (ASNs), and synchronized timing in activity spikes.

These patterns suggest a sophisticated, possibly state-sponsored or cybercrime operation iterating on proven tactics to probe for weaknesses in enterprise defenses.​

The infrastructure behind the attacks is highly concentrated, with 62% of sessions originating from AS200373 (3xK Tech GmbH), a German company, forming the campaign’s backbone.

An additional 15% traces to the same ASN but is routed through Canadian clusters, indicating distributed hosting to evade detection. Secondary contributions come from AS208885 (Noyobzoda Faridduni Saidilhom), reinforcing a coordinated footprint that spans continents.​

Targets appear geographically focused, with the United States, Mexico, and Pakistan each facing roughly equal volumes of login probes. This distribution may reflect attackers prioritizing high-value regions or leveraging stolen credential lists from diverse sources.

For defensive hunting, GreyNoise highlighted two JA4T (TCP) fingerprints that cover all observed activity: 65495_2-4-8-1-3_65495_7 and 33280_2-4-8-1-3_65495_7.

Indicator type | Value
ASN (primary) | AS200373 (3xK Tech GmbH)
ASN (secondary) | AS208885 (Noyobzoda Faridduni Saidilhom)
JA4T fingerprint 1 | 65495_2-4-8-1-3_65495_7
JA4T fingerprint 2 | 33280_2-4-8-1-3_65495_7
Target URI | /global-protect/login.esp

This incident echoes historical patterns observed by GreyNoise, where spikes in Fortinet VPN brute-force attacks often precede vulnerability disclosures within six weeks, a trend first noted in July 2025.

Similar surges hit Palo Alto portals in April and October 2025, prompting advisories and linked to broader campaigns against Cisco and Fortinet devices.

Organizations should audit exposed GlobalProtect portals, enforce multi-factor authentication, and monitor for these indicators to prevent potential exploits.​
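Turning the indicators above into a detection, as an added example written for this page rather than anything published by GreyNoise or Palo Alto Networks: the block parses constructed authentication log lines (an ISO timestamp plus key=value pairs, not PAN-OS's native format), matches source ASN and JA4T values against the listed indicators, and applies a sliding-window failed-login count and a distinct-username count to catch brute force and password spraying against /global-protect/login.esp. The sample lines, the TEST-NET addresses and AS64496 are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Indicators from GreyNoise's reporting as quoted in the article.
IOC_ASNS = {"AS200373", "AS208885"}
IOC_JA4T = {"65495_2-4-8-1-3_65495_7", "33280_2-4-8-1-3_65495_7"}
TARGET_URI = "/global-protect/login.esp"

# Constructed log shape: ISO timestamp then key=value pairs. Real PAN-OS
# GlobalProtect logs do not carry ASN or JA4T; those fields come from joining
# with flow or sensor data, which is assumed to have happened upstream.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(pair.split("=", 1) for pair in m.group("kv").split())
    rec["ts"] = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return rec


def detect(lines, window=timedelta(minutes=5), burst_threshold=10, spray_threshold=5):
    """Return {src_ip: sorted reasons} for sources hitting the portal login URI
    from known-bad infrastructure or with credential-guessing patterns."""
    failures = defaultdict(deque)   # src -> timestamps of failed logins inside the window
    users = defaultdict(set)        # src -> distinct usernames attempted
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec.get("uri") != TARGET_URI:
            continue
        src = rec["src"]
        if rec.get("asn") in IOC_ASNS:
            reasons[src].add(f"ioc-asn:{rec['asn']}")
        if rec.get("ja4t") in IOC_JA4T:
            reasons[src].add(f"ioc-ja4t:{rec['ja4t']}")
        if rec.get("status") == "200":
            continue                 # successful logins are handled by a different rule
        q = failures[src]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()              # sliding window over failures
        users[src].add(rec.get("user", ""))
        if len(q) >= burst_threshold:
            reasons[src].add("burst")
        if len(users[src]) >= spray_threshold:
            reasons[src].add("spray")
    return {src: sorted(r) for src, r in reasons.items()}


def sample_lines():
    """Constructed sample: one spraying source on a listed ASN, one noisy user, one unrelated URI."""
    base = datetime(2025, 11, 20, 3, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(12):
        ts = (base + timedelta(seconds=10 * i)).strftime(fmt)
        lines.append(f"{ts} src=203.0.113.10 asn=AS200373 ja4t=65495_2-4-8-1-3_65495_7 "
                     f"uri={TARGET_URI} user=u{i:02d} status=401")
    for i in range(3):
        ts = (base + timedelta(seconds=30 * i)).strftime(fmt)
        lines.append(f"{ts} src=198.51.100.7 asn=AS64496 ja4t=1460_2-4-8-1-3_1460_7 "
                     f"uri={TARGET_URI} user=jsmith status=401")
    lines.append(f"{base.strftime(fmt)} src=198.51.100.7 asn=AS64496 "
                 f"ja4t=1460_2-4-8-1-3_1460_7 uri=/ user=- status=200")
    return lines


if __name__ == "__main__":
    for src, why in detect(sample_lines()).items():
        print(src, why)
```

PAN-OS system logs record the username, source IP and failure reason but not ASN or JA4T; those come from enrichment (ASN lookup, a Zeek or packet sensor for JA4T), which the example assumes has already been done. The thresholds are illustrative and should be tuned to the portal's normal failure rate.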

As remote access remains a prime vector for ransomware and espionage, this 2.3 million-attack wave serves as a stark reminder for enterprises to harden VPN configurations amid rising threat sophistication.



]]>
133848
Hackers Actively Exploiting 7-Zip RCE Vulnerability in the Wild https://cybersecuritynews.com/7-zip-rce-vulnerability-exploited/ Wed, 19 Nov 2025 17:19:06 +0000 https://cybersecuritynews.com/?p=133838 Hackers have begun actively exploiting a critical remote code execution (RCE) vulnerability in the popular file archiver 7-Zip, putting millions of users at risk of malware infection and system compromise. The flaw, tracked as CVE-2025-11001, stems from improper handling of symbolic links in ZIP archives, allowing attackers to traverse directories and execute arbitrary code on […]

The post Hackers Actively Exploiting 7-Zip RCE Vulnerability in the Wild appeared first on Cyber Security News.

]]>
Hackers have begun actively exploiting a critical remote code execution (RCE) vulnerability in the popular file archiver 7-Zip, putting millions of users at risk of malware infection and system compromise.

The flaw, tracked as CVE-2025-11001, stems from improper handling of symbolic links in ZIP archives, allowing attackers to traverse directories and execute arbitrary code on vulnerable systems.

First disclosed in October 2025, the vulnerability carries a CVSS v3 score of 7.0 (High). Exploitation is local and needs a user or process to extract a crafted archive, but no elevated privileges are required, and 7-Zip's install base makes broad exploitation feasible.

7-Zip RCE Vulnerability Exploited

CVE-2025-11001 arises during the parsing of ZIP files containing crafted symbolic links, which trick 7-Zip into writing files outside the intended extraction directory.

This directory traversal can enable attackers to overwrite critical system files or inject malicious payloads, leading to full code execution in the context of the user or service account running the application.

Trend Micro's Zero Day Initiative (ZDI), which coordinated the disclosure, notes that an attacker can use the flaw to execute code in the context of a service account, which makes it particularly dangerous for automated file processing in enterprise settings, where untrusted archives are extracted without anyone looking.

The vulnerability was discovered by Ryota Shiga of GMO Flatt Security Inc., in collaboration with their AI-powered AppSec Auditor tool, and reported promptly to the 7-Zip developers.

A proof-of-concept (PoC) exploit has since been publicly released, demonstrating how a malicious ZIP file can abuse symbolic link handling to facilitate arbitrary file writes and, in certain scenarios, direct RCE.

This PoC has lowered the barrier for threat actors, accelerating real-world attacks observed in the wild. Notably, exploitation requires minimal user interaction; simply opening or extracting a booby-trapped archive suffices, a common vector in phishing campaigns and drive-by downloads.​

This issue is not isolated; 7-Zip version 25.00, released in July 2025, also patches a related flaw, CVE-2025-11002, which shares the same symbolic link mishandling root cause and carries an identical CVSS score of 7.0.

Both vulnerabilities were introduced in version 21.02 and affect every release from 21.02 through 24.09 of the open-source tool, which is used by over 100 million Windows users for compression tasks. Early indicators suggest attackers are targeting unpatched systems in sectors like healthcare and finance, where file handling is routine.

The U.K.’s NHS England Digital issued an urgent advisory on November 18, 2025, confirming active exploitation of CVE-2025-11001, urging immediate updates to mitigate risks.

Threat actors could use this RCE to deploy ransomware, steal sensitive data, or establish persistent backdoors, amplifying the danger in supply chain attacks where compromised archives spread via email or shared drives.

Organizations relying on 7-Zip for bulk file operations face elevated threats, as automated extractions could silently propagate malware across networks.​

To counter this threat, users and organizations must update 7-Zip to version 25.00 or later, available from the official website, which tightens how symbolic link targets are validated so they can no longer escape the extraction directory.

The patch neutralizes both CVE-2025-11001 and CVE-2025-11002. The affected code is in the Windows builds from 21.02 through 24.09; no impact on the Linux or macOS ports has been reported. One practical caveat: creating a symbolic link on Windows requires SeCreateSymbolicLinkPrivilege, which by default only administrators hold (and only in an elevated process), or any user when Developer Mode is enabled, so the traversal is most reachable in exactly the elevated or automated extraction workflows enterprises should worry about.
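The symbolic-link pattern described above is easy to reason about in code. The block below is an added example for this page, not 7-Zip's code or the published PoC: it builds a constructed archive with a symlink member pointing above the extraction root followed by a file written through it, scans archives for that pattern (plus plain ../ and absolute member names), and shows an extraction routine that refuses such archives and never materialises links. Member names and link targets are constructed.

```python
import io
import posixpath
import stat
import zipfile


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """Unix mode bits live in the top 16 bits of external_attr for Unix-created entries."""
    return info.create_system == 3 and stat.S_ISLNK(info.external_attr >> 16)


def resolves_outside(member: str, target: str) -> bool:
    """True if a symlink at `member` pointing to `target` leaves the extraction root."""
    if posixpath.isabs(target):
        return True
    joined = posixpath.normpath(posixpath.join(posixpath.dirname(member), target))
    return joined == ".." or joined.startswith("../")


def scan_zip(data: bytes) -> list:
    """Flag members that could end up outside the extraction directory.

    Three patterns are checked: '../' or absolute member names (classic
    traversal), symlink members whose target escapes the root, and regular
    members whose path passes through an earlier symlink member, which is
    the two-step pattern the 7-Zip advisories describe.
    """
    findings = []
    links = {}  # symlink member name -> target
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            if posixpath.isabs(name) or norm == ".." or norm.startswith("../"):
                findings.append(f"traversal-name: {name}")
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                links[name.rstrip("/")] = target
                if resolves_outside(name, target):
                    findings.append(f"symlink-escape: {name} -> {target}")
                continue
            for link in links:
                if name.startswith(link + "/"):
                    findings.append(f"write-through-symlink: {name} via {link}")
    return findings


def safe_extract(data: bytes, dest: str) -> list:
    """Extract only a clean archive, and never materialise symlink members at all."""
    findings = scan_zip(data)
    if findings:
        raise ValueError("refusing to extract: " + "; ".join(findings))
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_symlink(info):
                continue
            zf.extract(info, dest)
            written.append(info.filename)
    return written


def extraction_refused(data: bytes) -> bool:
    """Does safe_extract reject this archive before touching the filesystem?"""
    try:
        safe_extract(data, "/nonexistent-never-written")
    except ValueError:
        return True
    return False


def build_symlink_zip() -> bytes:
    """Constructed malicious archive: a symlink member, then a file written under it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        link = zipfile.ZipInfo("docs/out")
        link.create_system = 3                                # Unix, so mode bits are honoured
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../..")                         # points above the extraction root
        zf.writestr("docs/out/payload.txt", "lands wherever the link points")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
    return buf.getvalue()


if __name__ == "__main__":
    print("benign:", scan_zip(build_benign_zip()))
    print("malicious:", scan_zip(build_symlink_zip()))
```

Python's own zipfile never creates symlinks on extraction (a link member is written out as a regular file containing the target path), so the scan, not the extractor, is the part that transfers to other tools; the same checks apply to tar extraction, where symlink and hardlink members are a long-standing problem.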



]]>
133838
Massive Hacking Operation WrtHug Compromises Thousands of ASUS Routers Worldwide https://cybersecuritynews.com/wrthug-asus-routers/ Wed, 19 Nov 2025 15:58:56 +0000 https://cybersecuritynews.com/?p=133823 A sophisticated cyber campaign known as Operation WrtHug has hijacked tens of thousands of ASUS WRT routers globally, turning them into potential espionage tools for suspected China-linked hackers. SecurityScorecard’s STRIKE team, in collaboration with ASUS, revealed the operation on November 18, 2025, highlighting how attackers exploited outdated firmware to build a stealthy network infrastructure. This […]

The post Massive Hacking Operation WrtHug Compromises Thousands of ASUS Routers Worldwide appeared first on Cyber Security News.

]]>
A sophisticated cyber campaign known as Operation WrtHug has hijacked tens of thousands of ASUS WRT routers globally, turning them into potential espionage tools for suspected China-linked hackers.

SecurityScorecard’s STRIKE team, in collaboration with ASUS, revealed the operation on November 18, 2025, highlighting how attackers exploited outdated firmware to build a stealthy network infrastructure.

This breach underscores the rising threat to end-of-life consumer devices, with infections concentrated in Taiwan and spreading to the U.S., Russia, and Southeast Asia.​

Researchers first detected Operation WrtHug through a suspicious self-signed TLS certificate shared across compromised devices, featuring an unusually long 100-year expiration date from April 2022.

Screenshot: the malicious TLS certificate

This certificate, with SHA1 thumbprint 1894a6800dff523894eba7f31cea8d05d51032b4, appeared on 99% of affected ASUS AiCloud services, a feature meant for remote home network access but now exploited as an entry point.

Screenshot: router login page

The campaign targets exclusively ASUS WRT models, many of which are end-of-life and unpatched, allowing attackers to inject commands and gain root privileges without altering the device’s outward appearance.

The operation’s scale is alarming, with estimates of 50,000 unique IP addresses involved over the past six months, based on proprietary scans and tools like Driftnet.

Heatmap of infected devices by region

Unlike random botnets, WrtHug shows a deliberate geographic focus, infecting 30-50% of devices in Taiwan, a pattern that aligns with geopolitical tensions. Smaller clusters hit South Korea, Japan, Hong Kong, central Europe, and the U.S., but mainland China remains largely untouched, aside from Hong Kong.

Exploited Vulnerabilities

Attackers chained six known flaws in ASUS firmware to propagate the malware, concentrating on N-day exploits in AiCloud and OS command injection vectors, SecurityScorecard told Cyber Security News.

These vulnerabilities, all patched by ASUS, primarily affect outdated routers running lighttpd or Apache web servers.

The table below details the key CVEs, their impacts, and prerequisites:​

CVE ID | Affected products | Impact | Exploit prerequisites | CVSS score
CVE-2023-41345 | ASUS WRT routers | OS command injection | Authenticated access; token module flaw | 8.8
CVE-2023-41346 | ASUS WRT routers | OS command injection | Authenticated access; token module flaw | 8.8
CVE-2023-41347 | ASUS WRT routers | OS command injection | Authenticated access; token module flaw | 8.8
CVE-2023-41348 | ASUS WRT routers | OS command injection | Authenticated access; token module flaw | 8.8
CVE-2024-12912 | ASUS WRT routers | Arbitrary command execution | Remote access via AiCloud | 7.2
CVE-2025-2492 | ASUS WRT routers | Unauthorized function execution | Improper authentication control | 9.2

The campaign also overlaps with the earlier AyySSHush operation, which abused CVE-2023-39780, a command injection bug, suggesting possible actor overlap; seven IPs show dual compromise, hinting at coordinated efforts.

STRIKE assesses with low-to-moderate confidence that China-nexus actors operate WrtHug, mirroring the tactics of operational relay box (ORB) networks such as LapDogs and PolarEdge. The focus on Taiwan and persistence via SSH backdoors point to the building of espionage infrastructure.

This fits a trend of state-sponsored router hijacks, evolving from brute-force to multi-stage infections.

Targeted models include RT-AC1200HP, GT-AC5300, and DSL-AC68U, often in homes or small offices. While post-exploitation details remain unclear, the setup enables proxying C2 traffic and data exfiltration.

Indicators of Compromise

Monitoring for these IOCs can help detect infections:

Indicator type | Value | Details
SHA-1 | 1894a6800dff523894eba7f31cea8d05d51032b4 | WrtHug TLS certificate thumbprint
IPv4 | 46[.]132.187.85 | Dual-compromised (WrtHug/AyySSHush)
IPv4 | 46[.]132.187.24 | Dual-compromised (WrtHug/AyySSHush)
IPv4 | 221[.]43.126.86 | Dual-compromised (WrtHug/AyySSHush)
IPv4 | 122[.]100.210.209 | Dual-compromised (WrtHug/AyySSHush)

Additional IPs: 59.26.66[.]44, 83.188.236[.]86, 195.234.71[.]218

ASUS urges firmware updates and disabling unused features like AiCloud on supported devices. For EoL models, replacement is recommended, alongside network segmentation and TLS certificate monitoring.

Organizations should scan for the IOC certificate and cross-check the listed CVEs against CISA's Known Exploited Vulnerabilities catalog when prioritizing patches.
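Hunting for the certificate traits above in TLS telemetry, as an added example written for this page rather than SecurityScorecard's tooling: the block refangs the defanged IOC addresses, then flags the listed thumbprint, an implausible validity period, and connections to listed IPs over constructed records in the shape a Zeek x509/ssl log can supply (server IP, SHA-1 thumbprint, validity dates). The sample records are constructed; the 192.0.2.0/24 addresses are the documentation range.

```python
import hashlib
import ipaddress
from datetime import datetime

# Indicators from the SecurityScorecard report as quoted in the article.
IOC_SHA1 = {"1894a6800dff523894eba7f31cea8d05d51032b4"}
IOC_IPS_DEFANGED = [
    "46[.]132.187.85", "46[.]132.187.24", "221[.]43.126.86", "122[.]100.210.209",
    "59.26.66[.]44", "83.188.236[.]86", "195.234.71[.]218",
]


def refang(value: str):
    """Turn a defanged IOC ('46[.]132.187.85') back into a comparable address object."""
    return ipaddress.ip_address(value.replace("[.]", ".").replace("(.)", "."))


IOC_IPS = {refang(v) for v in IOC_IPS_DEFANGED}


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate, as shown in browser and report UIs.
    For a PEM string, convert with ssl.PEM_cert_to_DER_cert(pem) first."""
    return hashlib.sha1(der).hexdigest()


def hunt(records, max_years: float = 30.0):
    """Return [(server_ip, reasons)] for TLS observations matching WrtHug traits.

    Each record is a dict with server_ip, sha1 (certificate thumbprint),
    not_before and not_after (datetimes). Any Zeek-style x509/ssl log can be
    mapped onto these fields.
    """
    hits = []
    for rec in records:
        reasons = []
        if rec["sha1"].lower() in IOC_SHA1:
            reasons.append("ioc-thumbprint")
        years = (rec["not_after"] - rec["not_before"]).days / 365.25
        if years > max_years:              # a century-long self-signed cert is a tell
            reasons.append(f"absurd-validity:{years:.0f}y")
        if ipaddress.ip_address(rec["server_ip"]) in IOC_IPS:
            reasons.append("ioc-ip")
        if reasons:
            hits.append((rec["server_ip"], reasons))
    return hits


# Constructed observations: the first reproduces the reported certificate traits
# (shared thumbprint, 100-year validity from April 2022), the second is a normal
# one-year certificate, the third is an unremarkable certificate served from a
# listed IP.
SAMPLE = [
    {"server_ip": "192.0.2.10", "sha1": "1894A6800DFF523894EBA7F31CEA8D05D51032B4",
     "not_before": datetime(2022, 4, 1), "not_after": datetime(2122, 4, 1)},
    {"server_ip": "192.0.2.20", "sha1": "0" * 40,
     "not_before": datetime(2025, 1, 1), "not_after": datetime(2026, 1, 1)},
    {"server_ip": "46.132.187.85", "sha1": "f" * 40,
     "not_before": datetime(2025, 1, 1), "not_after": datetime(2026, 1, 1)},
]

if __name__ == "__main__":
    for ip, why in hunt(SAMPLE):
        print(ip, why)
```

The thumbprint match is the precise signal; the validity-period check is the durable one, since the operators can rotate certificates far more easily than they can make a freshly minted self-signed certificate with a sane lifetime look like the AiCloud default.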

As router attacks escalate in 2025, this incident highlights the need for vigilant SOHO security to thwart nation-state probing. SecurityScorecard calls for industry collaboration to counter such calculated threats.



]]>
133823