A brief daily summary of what is important in cyber security. The podcast is published every weekday and designed to get you ready for the day with a brief, usually about 5 minute long, summary of current network security related events. The content is late breaking, educational and based on listeneā¦
Listeners of SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast that love the show mention: infosec news, daily cyber, information security, isc, daily update, cybersecurity, security podcast, day's, best daily, pound, great daily, brief, good way, digestible, required, speed, updates, concise, professionals, consistent.
The SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast podcast is truly an exceptional resource for anyone interested in staying up-to-date with the latest news, vulnerabilities, and threats in the field of cybersecurity. Hosted by Dr. Johannes Ulrich, this podcast provides concise and clear updates on a daily basis, making it an essential part of many listeners' routines.
One of the best aspects of this podcast is its consistency. It releases episodes daily, ensuring that listeners have access to the most current information available. This dedication to regular updates means that listeners can rely on the podcast as a reliable source of information. Additionally, Dr. Johannes's clear presentation and explanation of complex topics make it accessible to both technical professionals and those new to the field.
Another standout feature of this podcast is its concise format. With episodes averaging around 5 minutes in length, it provides a quick yet comprehensive overview of important news and research in the cybersecurity world. This brevity is appreciated by busy professionals who may not have time to listen to longer podcasts but still want to stay informed.
Furthermore, Dr. Johannes's expertise shines through in his delivery. As a renowned figure in the information security sector, he brings valuable insights and analysis to each episode. His ability to distill technical information into easily understandable language ensures that listeners gain a deeper understanding of the topics discussed.
While there are few negative aspects to mention about this podcast, one potential drawback could be its brevity. Some listeners may prefer more in-depth discussions or additional analysis on certain topics covered. However, given its intended purpose as a brief daily update, this can be seen as more of a personal preference rather than a flaw in the podcast itself.
In conclusion, The SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast podcast is undoubtedly one of the best resources available for staying informed about cybersecurity news and developments. Its consistent release schedule, concise format, and expert analysis make it an invaluable tool for professionals and enthusiasts alike.
KongTuke Activity This diary investigates how a recent Kong Tuke infections evolved all the way from starting with a ClickFix attack. https://isc.sans.edu/diary/KongTuke%20activity/32498 Cloudflare Outage Cloudflare suffered a large outage today after an oversized configuration file was loaded into its bot protection service https://x.com/dok2001 Google Patches Chrome 0-Day Google patched two vulnerabilities in Chrome. One of them is already being exploited. https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop_17.html
Decoding Binary Numeric Expressions Didier updated his number to hex script to support simple arithmetic operations in the text. https://isc.sans.edu/diary/Decoding%20Binary%20Numeric%20Expressions/32490 Tea Token NPM Pollution The NPM repository was hit with around 150,000 submissions that did not contain any useful contributions, but instead attempted to fake contributions to earn a new tea coin. https://aws.amazon.com/blogs/security/amazon-inspector-detects-over-150000-malicious-packages-linked-to-token-farming-campaign/ IBM AIX NIMSH Vulnerabilities IBM patched several critical vulnerablities in the NIMSH daemon https://www.ibm.com/support/pages/node/7251173
Fortiweb Vulnerability Fortinet, with significant delay, acknowledged a recently patched vulnerability after exploit attempts were seen publicly. https://isc.sans.edu/diary/Honeypot+FortiWeb+CVE202564446+Exploits/32486 https://labs.watchtowr.com/when-the-impersonation-function-gets-used-to-impersonate-users-fortinet-fortiweb-auth-bypass/ https://fortiguard.fortinet.com/psirt/FG-IR-25-910?ref=labs.watchtowr.com Flnger.exe and ClickFix Attackers started to use the finger.exe binary to retrieve additional payload in ClickFix attacks https://isc.sans.edu/diary/Finger.exe%20%26%20ClickFix/32492
SmartApeSG campaign uses ClickFix page to push NetSupport RAT A detailed analysis of a recent SamtApeSG campaign taking advantage of ClickFix https://isc.sans.edu/diary/32474 Formbook Delivered Through Multiple Scripts An analysis of a recent version of Formbook showing how it takes advantage of multiple obfuscation tricks https://isc.sans.edu/diary/32480 sudo-rs vulnerabilities Two vulnerabilities were patched in sudo-rs, the version of sudo written in Rust, showing that while Rust does have an advantage when it comes to memory safety, there are plenty of other vulnerabilities to worry about https://ubuntu.com/security/notices/USN-7867-1 https://github.com/trifectatechfoundation/sudo-rs/security/advisories/GHSA-c978-wq47-pvvw?ref=itsfoss.com SANS Holiday Hack Challenge https://sans.org/HolidayHack
OWASP Top 10 2025 Release Candidate OWASP published a release candidate for the 2025 version of its Top 10 list https://owasp.org/Top10/2025/0x00_2025-Introduction/ Citrix/Cisco Exploitation Details Amazon detailed how Citrix and Cisco vulnerabilities were used by advanced actors to upload webshells https://aws.amazon.com/blogs/security/amazon-discovers-apt-exploiting-cisco-and-citrix-zero-days/ Testing Quantum Readyness A website tests your services for post-quantum computing-resistant cryptographic algorithms https://qcready.com/
Microsoft Patch Tuesday for November 2025 https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+for+November+2025/32468/ Gladinet Triofox Vulnerability Triofox uses the host header in lieu of proper access control, allowing an attacker to access the page managing administrators by simply setting the host header to localhost. https://cloud.google.com/blog/topics/threat-intelligence/triofox-vulnerability-cve-2025-12480/ SAP November 2025 Patch Day SAP fixed a critical vulnerability, fixed default credentials in its SQL Anywhere Monitor https://onapsis.com/blog/sap-security-patch-day-november-2025/ Ivanti Endpoint Manager Updates https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2025-for-EPM-2024?language=en_US
It isn t always defaults: Scans for 3CX Usernames Our honeypots detected scans for usernames that may be related to 3CX business phone systems https://isc.sans.edu/diary/It%20isn%27t%20always%20defaults%3A%20Scans%20for%203CX%20usernames/32464 Watchguard Default Password Controversy A CVE number was assigned to a default password commonly used in Watchguard products. This was a documented username and password that was recently removed in a firmware upgrade. https://github.com/cyberbyte000/CVE-2025-59396/blob/main/CVE-2025-59396.txt https://nvd.nist.gov/vuln/detail/CVE-2025-59396 JavaScript expr-eval Vulnerability The JavaScript expr-eval library was vulnerable to a code execution issue. https://www.kb.cert.org/vuls/id/263614
Honeypot Requests for Code Repository Attackers continue to scan websites for source code repositories. Keep your repositories outside your document root and proactively scan your own sites. https://isc.sans.edu/diary/Honeypot%3A%20Requests%20for%20%28Code%29%20Repositories/32460 Malicious NuGet Packages Deliver Time-Delayed Destructive Payloads Newly discovered malicious .NET packages attempt to deliver a time-delayed attack targeting ICS systems. https://socket.dev/blog/9-malicious-nuget-packages-deliver-time-delayed-destructive-payloads Side Channel Leaks in Encrypted Traffic to LLMs Traffic to LLMs can be profiled to discover the nature of prompts sent by a user based on the amount and structure of the encrypted data. https://www.microsoft.com/en-us/security/blog/2025/11/07/whisper-leak-a-novel-side-channel-cyberattack-on-remote-language-models/
Binary Breadcrumbs: Correlating Malware Samples with Honeypot Logs Using PowerShell [Guest Diary] Windows, with PowerShell, has a great scripting platform to match common Linux/Unix command line utilities. https://isc.sans.edu/diary/Binary%20Breadcrumbs%3A%20Correlating%20Malware%20Samples%20with%20Honeypot%20Logs%20Using%20PowerShell%20%5BGuest%20Diary%5D/32454 RondoDox v2 Increases Exploits The RondoDox (or RondoWorm) added a substantial amount of new exploits to its repertoire. https://beelzebub.ai/blog/rondo-dox-v2/ Google Chrome Updates Google released an update for Google Chrome addressing five vulnerabilities. https://chromereleases.googleblog.com/2025/11/stable-channel-update-for-desktop.html Cisco Unified Contact Center Express Remote Code Execution Vulnerabilities Cisco patched two critical vulnerabilities in its Contact Center Express software. These vulnerabilities may lead to a full system compromise. https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cc-unauth-rce-QeN8h7mQ
Updates to Domainname API Some updates to our domainname API will make it more flexible and make it easier and faster to get the complete dataset. https://isc.sans.edu/diary/Updates%20to%20Domainname%20API/32452 Microsoft Teams Impersonation and Spoofing Vulnerabilities Checkpoint released details about recently patched spoofing and impersonation vulnerabilities in Microsoft Teams https://research.checkpoint.com/2025/microsoft-teams-impersonation-and-spoofing-vulnerabilities-exposed/ NViso Report: VSHELL NViso published an amazingly detailed report describing the remote control implant VSHELL. The report includes details about the inner workings of the tool as well as detection ideas. https://www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool
Apple Patches Everything, Again Apple released a minor OS upgrade across its lineup, fixing a number of security vulnerabilities. https://isc.sans.edu/diary/Apple%20Patches%20Everything%2C%20Again/32448 Remote Access Tools Used to Compromise Trucking and Logistics Attackers infect trucking and logistics companies with regular remote management tools to inject malware into other companies or learn about high-value loads in order to steal them. https://www.proofpoint.com/us/blog/threat-insight/remote-access-real-cargo-cybercriminals-targeting-trucking-and-logistics Google Android Patch Day Google released its usual monthly Android updates this week https://source.android.com/docs/security/bulletin/2025-11-01
XWiki SolrSearch Exploit Attempts CVE-2025-24893 We have detected a number of exploit attempts against XWiki taking advantage of a vulnerability that was added to the KEV list on Friday. https://isc.sans.edu/diary/XWiki%20SolrSearch%20Exploit%20Attempts%20%28CVE-2025-24893%29%20with%20link%20to%20Chicago%20Gangs%20Rappers/32444 AMD Zen 5 Random Number Generator Bug The RDSEED function for AMD s Zen 5 processors does return 0 more often than it should. https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html SleepyDuck malware invades Cursor through Open VSX Yet another Open VSX extension stealing crypto credentials https://secureannex.com/blog/sleepyduck-malware/
Scans for WSUS: Port 8530/8531 TCP, CVE-2025-59287 We did observe an increase in scans for TCP ports 8530 and 8531. These ports are associated with WSUS and the scans are likely looking for servers vulnerable to CVE-2025-59287 https://isc.sans.edu/diary/Scans%20for%20Port%208530%208531%20%28TCP%29.%20Likely%20related%20to%20WSUS%20Vulnerability%20CVE-2025-59287/32440 BADCANDY Webshell Implant Deployed via The Australian Signals Directorate warns that they still see Cisco IOS XE devices not patches for CVE-2023-20198. A threat actor is now using this vulnerability to deploy the BADCANDY implant for persistent access https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/badcandy Improvements to Open VSX Security In reference to the Glassworm incident, OpenVSX published a blog post outlining some of the security improvements they will make to prevent a repeat of this incident. https://blogs.eclipse.org/post/mika l-barbero/open-vsx-security-update-october-2025
X-Request-Purpose: Identifying "research" and bug bounty related scans? Our honeypots captured a few requests with bug bounty specific headers. These headers are meant to make it easier to identify requests related to bug bounty, and they are supposed to identify the researcher conducting the scans https://isc.sans.edu/diary/X-Request-Purpose%3A%20Identifying%20%22research%22%20and%20bug%20bounty%20related%20scans%3F/32436 Proton Breach Observatory Proton opened up its breach observatory. This website will collect information about breaches affecting companies that have not yet made the breach public. https://proton.me/blog/introducing-breach-observatory Microsoft Exchange Server Security Best Practices A new document published by a collaboration of national cyber security agencies summarizes steps that should be taken to harden Exchange Server. https://www.nsa.gov/Portals/75/documents/resources/cybersecurity-professionals/CSI_Microsoft_Exchange_Server_Security_Best_Practices.pdf?ver=9mpKKyUrwfpb9b9r4drVMg%3d%3d MOVEit Vulnerability Progress published an advisory for its file transfer program MOVEIt . This software has had heavily exploited vulnerabilities in the past. https://community.progress.com/s/article/MOVEit-Transfer-Vulnerability-CVE-2025-10932-October-29-2025
How to Collect Memory-Only Filesystems on Linux Systems Getting forensically sound copies of memory-only file systems on Linux can be tricky, as tools like dd do not work. https://isc.sans.edu/diary/How%20to%20collect%20memory-only%20filesystems%20on%20Linux%20systems/32432 Microsoft Azure Front Door Outage Today, Microsoft s Azure Front Door service failed, leading to users not being able to authenticate to various Azure-related services. https://azure.status.microsoft/en-us/status Docker-Compose Vulnerability A vulnerability in docker-compose may be used to trick users into creating files outside the docker-compose directory https://github.com/docker/compose/security/advisories/GHSA-gv8h-7v7w-r22q
Phishing with Invisible Characters in the Subject Line Phishing emails use invisible UTF-8 encoded characters to break up keywords used to detect phishing (or spam). This is aided by mail clients not rendering some characters that should be rendered. https://isc.sans.edu/diary/A%20phishing%20with%20invisible%20characters%20in%20the%20subject%20line/32428 Apache Tomcat PUT Directory Traversal Apache released an update to Tomcat fixing a directory traversal vulnerability in how the PUT method is used. Exploits could upload arbitrary files, leading to remote code execution. https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog BIND9 DNS Spoofing Vulnerability A PoC exploit is now available for the recently patched BIND9 spoofing vulnerability https://gist.github.com/N3mes1s/f76b4a606308937b0806a5256bc1f918
Bytes over DNS Didiear investigated which bytes may be transmitted as part of a hostname in DNS packets, depending on the client resolver and recursive resolver constraints https://isc.sans.edu/diary/Bytes%20over%20DNS/32420 Unifi Access Vulnerability Unifi fixed a critical vulnerability in it s Access product https://community.ui.com/releases/Security-Advisory-Bulletin-056-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191 OpenAI Atlas Omnibox Prompt Injection OpenAI s latest browser can be jailbroken by inserting prompts in URLs https://neuraltrust.ai/blog/openai-atlas-omnibox-prompt-injection
Bilingual Phishing for Cloud Credentials Guy observed identical phishing messages in French and English attempting to phish cloud credentials https://isc.sans.edu/diary/Phishing%20Cloud%20Account%20for%20Information/32416 Kaitai Struct WebIDE The binary file analysis tool Kaitai Struct is now available in a web only version https://isc.sans.edu/diary/Kaitai%20Struct%20WebIDE/32422 WSUS Emergency Update Microsoft released an emergency patch for WSUS to fix a currently exploited critical vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287 Network Security Devices Endanger Orgs with 90s-era Flaws Attackers increasingly use simple-to-exploit network security device vulnerabilities to compromise organizations. https://www.csoonline.com/article/4074945/network-security-devices-endanger-orgs-with-90s-era-flaws.html
Infostealer Targeting Android Devices This infostealer, written in Python, specifically targets Android phones. It takes advantage of Termux to gain access to data and exfiltrates it via Telegram. https://isc.sans.edu/diary/Infostealer%20Targeting%20Android%20Devices/32414 Attackers exploit recently patched Adobe Commerce Vulnerability CVE-2025-54236 Six weeks after Adobe's emergency patch, SessionReaper (CVE-2025-54236) has entered active exploitation. E-Commerce security company SanSec has detected multiple exploit attempts. https://sansec.io/research/sessionreaper-exploitation Patch for BIND and unbound nameservers CVE-2025-40780 The Internet Systems Consortium (ISC.org), as well as the Unbound project, patched a flaw that may allow for DNS spoofing due to a weak random number generator. https://kb.isc.org/docs/cve-2025-40780 WSUS Exploit Released CVE-2025-59287 Hawktrace released a walk through showing how to exploit the recently patched WSUS vulnerability https://hawktrace.com/blog/CVE-2025-59287
webctrl.cgi/Blue Angel Software Suite Exploit Attempts. Maybe CVE-2025-34033 Variant? Our honeypots detected attacks that appear to exploit CVE-2025-34033 or a similar vulnerability in the Blue Angle Software Suite. https://isc.sans.edu/diary/webctrlcgiBlue+Angel+Software+Suite+Exploit+Attempts+Maybe+CVE202534033+Variant/32410 Oracle Critical Patch Update Oracle released its quarterly critical patch update. The update includes patches for 374 vulnerabilities across all of Oracle s products. There are nine more patches for Oracle s e-Business Suite. https://www.oracle.com/security-alerts/cpuoct2025.html#AppendixEBS Rust TAR Library Vulnerability A vulnerability in the popular, but no longer maintained, async-tar vulnerability could lead to arbitrary code execution https://edera.dev/stories/tarmageddon
What time is it? Accuracy of pool.ntp.org. How accurate and reliable is pool.ntp.org? Turns out it is very good! https://isc.sans.edu/diary/What%20time%20is%20it%3F%20Accuracy%20of%20pool.ntp.org./32390 Xubuntu Compromise The Xubuntu website was compromised last weekend and served malware https://floss.social/@bluesabre/115401767635718361 Squid Proxy Vulnerability The Squid team fixed an information disclosure vulnerabilty that may leak authentication credentials. https://github.com/squid-cache/squid/security/advisories/GHSA-c8cc-phh7-xmxr Lanscope Endpoint Manager Vulnerablity https://jvn.jp/en/jp/JVN86318557/index.html
Using Syscall() for Obfuscation/Fileless Activity Fileless malware written in Python can uses syscall() to create file descriptors in memory, evading signatures. https://isc.sans.edu/diary/Using%20Syscall%28%29%20for%20Obfuscation%20Fileless%20Activity/32384 AWS Outages AWS has had issues most of the day on Monday, affecting numerous services. https://health.aws.amazon.com/health/status Time Server Hack China reports a compromise of its time standard servers. https://thehackernews.com/2025/10/mss-claims-nsa-used-42-cyber-tools-in.html
TikTok Videos Promoting Malware InstallationTikTok Videos Promoting Malware Installation Tiktok videos advertising ways to obtain software like Photoshop for free will instead trick users into downloading https://isc.sans.edu/diary/TikTok%20Videos%20Promoting%20Malware%20Installation/32380 Google Ads Advertise Malware Targeting MacOS Developers Hunt.io discovered Google ads that pretend to advertise tools like Homebrew and password managers to spread malware https://hunt.io/blog/macos-odyssey-amos-malware-campaign Satellite Transmissions are often unencrypted A large amount of satellite traffic is unencrypted and easily accessible to eavesdropping https://satcom.sysnet.ucsd.edu
New DShield Support Slack Workspace Due to an error on Salesforce s side, we had to create a new Slack Workspace for DShield support. https://isc.sans.edu/diary/New%20DShield%20Support%20Slack/32376 Attackers Exploiting Recently Patched Cisco SNMP Flaw (CVE-2025-20352) Trend Micro published details explaining how attackers took advantage of a recently patched Cisco SNMP Vulnerability https://www.trendmicro.com/en_us/research/25/j/operation-zero-disco-cisco-snmp-vulnerability-exploit.html https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-snmp-x4LPhte Framework BIOS Backdoor The mm command impleneted in Framework BIOS shells can be used to compromise a device pre-boot. https://eclypsium.com/blog/bombshell-the-signed-backdoor-hiding-in-plain-sight-on-framework-devices/ SANS.edu Research: Mark Stephens, Validating the Effectiveness of MITRE Engage and Active Defense https://www.sans.edu/cyber-research/validating-effectiveness-mitre-engage-active-defense/
Clipboard Image Stealer Xavier presents an infostealer in Python that steals images from the clipboard. https://isc.sans.edu/diary/Clipboard%20Pictures%20Exfiltration%20in%20Python%20Infostealer/32372 F5 Compromise F5 announced a wide-ranging compromise today. Source code and information about unpatched vulnerabilities were stolen. https://my.f5.com/manage/s/article/K000157005 https://my.f5.com/manage/s/article/K000156572 https://my.f5.com/manage/s/article/K000154696 Adobe Updates Adobe updated 12 different products yesterday. https://helpx.adobe.com/security.html SAP Patchday Among the critical vulnerabilities patched in SAP s products are two deserialization vulnerabilities with a CVSS score of 10.0 https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2025.html https://onapsis.com/blog/sap-security-patch-day-october-2025/
Microsoft Patch Tuesday Microsoft not only released new patches, but also the last patches for Windows 10, Office 2016, Office 2019, Exchange 2016 and Exchange 2019. https://isc.sans.edu/diary/Microsoft%20Patch%20Tuesday%20October%202025/32368 Ivanti Advisory Ivanti released an advisory with some mitigation steps users can take until the recently made public vulnerablities are patched. https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-EPM-October-2025?language=en_US Fortinet Patches https://fortiguard.fortinet.com/psirt/FG-IR-25-010 https://fortiguard.fortinet.com/psirt/FG-IR-24-361
Scans for ESAFENET CDG V5 We do see some increase in scans for the Chinese secure document management system, ESAFENET. https://isc.sans.edu/diary/Heads%20Up%3A%20Scans%20for%20ESAFENET%20CDG%20V5%20/32364 Investigating targeted payroll pirate attacks affecting US universities Microsoft wrote about how payroll pirates redirect employee paychecks via phishing. https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/ Attacks against Edge via IE Mode Microsoft Edge offers an IE legacy mode to support websites created for Internet Explorer. The old JavaScript engine, which is part of this mode, has been abused in recent attacks, and Microsoft will make it more difficult to enable IE Mode to counter these attacks. https://microsoftedge.github.io/edgevr/posts/Changes-to-Internet-Explorer-Mode-in-Microsoft-Edge/
New Oracle E-Business Suite Patches Oracle released one more patch for the e-business suite. Oracle does not state if it is already exploited, but the timing of the patch suggests that it should be expedited. https://www.oracle.com/security-alerts/alert-cve-2025-61884.html Widespread Sonicwall SSLVPN Compromise Huntress Labs observed the widespread compromise of the Sonicwall SSLVPN appliance. https://www.huntress.com/blog/sonicwall-sslvpn-compromise Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw (CVE-2025-11371) An unpatched vulnerability in the secure file sharing solutions Gladinet CentreStack and TrioFox is being exploited. https://www.huntress.com/blog/gladinet-centrestack-triofox-local-file-inclusion-flaw Two 7-Zip Vulnerabilities CVE-2025-11002, CVE-2025-11001 7-Zip patched two vulnerabilities that may lead to arbitrary code execution https://www.zerodayinitiative.com/advisories/ZDI-25-949/ https://www.zerodayinitiative.com/advisories/ZDI-25-950/
Building Better Defenses: RedTail Observations Defending against attacks like RedTail is more then blocking IoCs, but instead one must focus on the techniques and tactics attackers use. https://isc.sans.edu/diary/Guest+Diary+Building+Better+Defenses+RedTail+Observations+from+a+Honeypot/32312 Sonicwall: It wasn t the user s fault Sonicwall admits to a breach resulting in the loss of user configurations stored in its cloud service https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330 Crowdstrike has Issues Crowdstrike fixes two vulnerabilities in the Windows version of its Falcon sensor. https://www.crowdstrike.com/en-us/security-advisories/issues-affecting-crowdstrike-falcon-sensor-for-windows/ Interrogators: Attack Surface Mapping in an Agentic World A SANS.edu master s degree student research paper by Michael Samson https://isc.sans.edu/researchpapers/pdfs/michael_samson.pdf keywords: ai; agentic; attack surface; crowdstrike; sonicwall; ivanti; zero day; initiative; redline
Polymorphic Python Malware Xavier discovered self-modifying Python code on Virustotal. The remote access tool takes advantage of the inspect module to modify code on the fly. https://isc.sans.edu/diary/Polymorphic%20Python%20Malware/32354 SSH ProxyCommand Vulnerability A user cloning a git repository may be tricked into executing arbitrary code via the SSH proxycommand option. https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984 Framelink Figma MCP Server CVE-2025-53967 Framelink Figma s MCP server suffers from a remote code execution vulnerability.
FreePBX Exploit Attempts (CVE-2025-57819) A FreePBX SQL injection vulnerability disclosed in August is being used to execute code on affected systems. https://isc.sans.edu/diary/Exploit%20Against%20FreePBX%20%28CVE-2025-57819%29%20with%20code%20execution./32350 Disrupting Threats Targeting Microsoft Teams Microsoft published a blog post outlining how to better secure Teams. https://www.microsoft.com/en-us/security/blog/2025/10/07/disrupting-threats-targeting-microsoft-teams/ Kibana XSS Patch CVE-2025-25009 Elastic patched a stored XSS vulnerability in Kibana https://discuss.elastic.co/t/kibana-8-18-8-8-19-5-9-0-8-and-9-1-5-security-update-esa-2025-20/382449 QT SVG Vulnerabilities CVE-2025-10728, CVE-2025-10729, The QT group fixed two vulnerabilities in the QT SVG module. One of the vulnerabilities may be used for code execution https://www.qt.io/blog/security-advisory-uncontrolled-recursion-and-use-after-free-vulnerabilities-in-qt-svg-module-impact-qt
More Details About Oracle 0-Day The exploit is now widely distributed and has been analyzed to show the nature of the underlying vulnerabilities. https://isc.sans.edu/diary/Quick%20and%20Dirty%20Analysis%20of%20Possible%20Oracle%20E-Business%20Suite%20Exploit%20Script%20%28CVE-2025-61882%29%20%5BUPDATED%5B/32346 https://labs.watchtowr.com/well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882well-well-well-its-another-day-oracle-e-business-suite-pre-auth-rce-chain-cve-2025-61882/ Redis Vulnerability Redis patched a ciritcal use after free vulnerability that could lead to arbitrary code execution. https://redis.io/blog/security-advisory-cve-2025-49844/ GoAnywhere Bug Exploited Microsoft is reporting about the exploitation of the recent GoAnywhere vulnerability https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/
