CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779 require immediate attention

The post Three New React Vulnerabilities Surface on the Heels of React2Shell appeared first on Security Boulevard.

The NCSC warns prompt injection is fundamentally different from SQL injection. Organizations must shift from prevention to impact reduction and defense-in-depth for LLM security.

The post Prompt Injection Can’t Be Fully Mitigated, NCSC Says Reduce Impact Instead  appeared first on Security Boulevard.

As they work to fend off the rapidly expanding number of attempts by threat actors to exploit the dangerous React2Shell vulnerability, security teams are learning of two new flaws in React Server Components that could lead to denial-of-service attacks or the exposure of source code.

The post React Fixes Two New RSC Flaws as Security Teams Deal with React2Shell appeared first on Security Boulevard.

Bad actors that include nation-state groups to financially-motivated cybercriminals from across the globe are targeting the maximum-severity but easily exploitable React2Shell flaw, with threat researchers see everything from probes and backdoors to botnets and cryptominers.

The post Attackers Worldwide are Zeroing In on React2Shell Vulnerability appeared first on Security Boulevard.

Overview On December 10, NSFOCUS CERT detected that Microsoft released the December Security Update patch, which fixed 57 security issues involving widely used products such as Windows, Microsoft Office, Microsoft Exchange Server, Azure, etc., including high-risk vulnerability types such as privilege escalation and remote code execution. Among the vulnerabilities fixed by Microsoft’s monthly update this […]

The post Microsoft’s December Security Update of High-Risk Vulnerability Notice for Multiple Products appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..

The post Microsoft’s December Security Update of High-Risk Vulnerability Notice for Multiple Products appeared first on Security Boulevard.

The exploitation efforts by China-nexus groups and other bad actors against the critical and easily abused React2Shell flaw in the popular React and Next.js software accelerated over the weekend, with threats ranging from stolen credentials and initial access to downloaders, crypto-mining, and the NoodleRat backdoor being executed.

The post Exploitation Efforts Against Critical React2Shell Flaw Accelerate appeared first on Security Boulevard.

A critical React2Shell (CVE-2025-55182) RCE flaw in React and Next.js is being actively exploited by China-nexus threat groups, prompting urgent patching and global mitigations.

The post Cloudflare Forces Widespread Outage to Mitigate Exploitation of Maximum Severity Vulnerability in React2Shell  appeared first on Security Boulevard.

The Washington Post last month reported it was among a list of data breach victims of the Oracle EBS-related vulnerabilities, with a threat actor compromising the data of more than 9,700 former and current employees and contractors. Now, a former worker is launching a class-action lawsuit against the Post, claiming inadequate security.

The post Ex-Employee Sues Washington Post Over Oracle EBS-Related Data Breach appeared first on Security Boulevard.

The Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has confirmed that a command injection vulnerability affecting Array Networks AG Series secure access gateways has been actively exploited in Japan since August 2025. The advisory, updated on December 5, 2025, states that attackers have leveraged the flaw to implant web shells and gain unauthorized access to internal networks.  According to JPCERT, the vulnerability originates in the DesktopDirect feature of the AG Series, Array Networks’ remote desktop access capability designed to help users connect securely to office resources. Although the issue was quietly resolved by the vendor on May 11, 2025, the lack of a public CVE identifier and the continued presence of unpatched devices have left a notable attack surface exposed.  “Exploitation of this vulnerability could allow attackers to execute arbitrary commands,” the advisory states. JPCERT added that systems running DesktopDirect are specifically at risk, emphasizing that the feature enablement is a prerequisite for successful exploitation. 

Ongoing Attacks Traced to a Single IP Address 

JPCERT reports that organizations in Japan have experienced intrusions tied to this security gap beginning in August 2025. In these incidents, attackers attempted to plant PHP-based web shells in paths containing “/webapp/,” a technique that would provide persistent remote access.   The agency noted that malicious traffic has consistently originated from the IP address 194.233.100[.]138, though the identity and motivations of the threat actors remain unclear. Details regarding the scope of the campaign, the tools deployed beyond web shells, or whether the attackers represent a known threat group have not yet been released. 

No Evidence Linking to Past Exploits of CVE-2023-28461 

The newly exposed vulnerability exists alongside another previously exploited flaw in the same product line, CVE-2023-28461, a high-severity authentication bypass rated CVSS 9.8. That earlier issue was abused in 2024 by a China-linked espionage group known as MirrorFace, which has targeted Japanese institutions since at least 2019.  Despite the overlap in affected systems, JPCERT emphasized that there is no current evidence connecting the recent command injection attacks with MirrorFace or with prior activity related to CVE-2023-28461. 

Affected Versions and Required Updates 

The vulnerability impacts ArrayOS AG 9.4.5.8 and earlier versions, all of which support the DesktopDirect functionality. Array Networks issued a fixed release, ArrayOS 9.4.5.9, to address the flaw. The company has advised users to test and deploy the updated firmware as soon as possible.  JPCERT cautioned administrators that rebooting devices after applying the patch may lead to log loss. Because log files are crucial to intrusion investigations, the agency recommends preserving these records before performing any update or system reboot. 

Workarounds 

For organizations unable to immediately apply the firmware update, Array Networks has provided temporary mitigation steps: 

• Disable all DesktopDirect services if the feature is not actively in use. 

• Implement URL filtering to block requests containing semicolons (“;”), a common vector used for command injection payloads. 

These measures aim to reduce exposure until patching becomes feasible.  In its advisory, JPCERT urged all users of affected products to examine their systems for signs of compromise. Reported malicious activity includes the installation of web shells, the creation of unauthorized user accounts, and subsequent internal intrusions launched through the compromised AG gateways.

Security and developer teams are scrambling to address a highly critical security flaw in frameworks tied to the popular React JavaScript library. Not only is the vulnerability, which also is in the Next.js framework, easy to exploit, but React is widely used, including in 39% of cloud environments.

The post Dangerous RCE Flaw in React, Next.js Threatens Cloud Environments, Apps appeared first on Security Boulevard.

CISA warned today that two Android zero-day vulnerabilities are under active attack, within hours of Google releasing patches for the flaws. Both are high-severity Android framework vulnerabilities. CVE-2025-48572 is a Privilege Escalation vulnerability, while CVE-2025-48633 is an Information Disclosure vulnerability. Both were among 107 Android vulnerabilities addressed by Google in its December security bulletin released today.

Android Vulnerabilities CVE-2025-48572 and CVE-2025-48633 Under Attack

Google warned that the CVE-2025-48572 and CVE-2025-48633 framework vulnerabilities “may be under limited, targeted exploitation.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) followed with its own alert adding the Android vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. “These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned. “CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice,” the U.S. cybersecurity agency added. The vulnerabilities are so new that the CVE Program lists the CVE numbers as “reserved,” with details yet to be released. Neither Google nor CISA provided further details on how the vulnerabilities are being exploited.

7 Critical Android Vulnerabilities Also Patched

The December Android security bulletin also addressed seven critical vulnerabilities, the most severe of which is CVE-2025-48631, a framework Denial of Service (DoS) vulnerability that Google warned “could lead to remote denial of service with no additional execution privileges needed.” Four of the critical vulnerabilities affect the Android kernel and are all Elevation of Privilege (EoP) vulnerabilities: CVE-2025-48623, CVE-2025-48624, CVE-2025-48637, and CVE-2025-48638. The other two critical vulnerabilities affect Qualcomm closed-source components: CVE-2025-47319, an Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability, and CVE-2025-47372, a Buffer Overflow vulnerability that could lead to memory corruption. Google lists CVE-2025-47319 as “Critical” while Qualcomm lists the vulnerability as Medium severity; both list CVE-2025-47372 as Critical. The Qualcomm vulnerabilities are addressed in detail in The Cyber Express article Qualcomm Issues Critical Security Alert Over Secure Boot Vulnerability published earlier today.

Cybersecurity startup Aisle discovered a subtle but dangerous coding error in a Firefox WebAssembly implementation sat undetected for six months despite being shipped with a regression testing capability created by Mozilla to find such a problem.

The post Undetected Firefox WebAssembly Flaw Put 180 Million Users at Risk appeared first on Security Boulevard.

Airbus has entered the final phase of its unprecedented global retrofit effort, confirming that fewer than 100 A320s in service still require updates after the discovery of a software vulnerability that triggered the largest emergency recall the manufacturer has ever executed. The company disclosed on Monday that nearly the entire A320-family fleet, about 6,000 aircraft worldwide, has now received the mandated modification. 

Origins of the Airbus Recall and Early Regulatory Response

The action followed a recent mid-air incident involving a JetBlue A320 in which the aircraft experienced a sudden altitude drop. Investigators later identified that intense solar flares may have compromised data essential to the jet’s flight-control functions, exposing a software vulnerability in the system managing the aircraft’s nose-angle performance. The incident alarmed regulators around the world and quickly led to mandatory retrofit orders across the global fleet of A320s.  Airbus moved quickly, implementing what it described as a “precautionary fleet action” and issuing an eight-page safety alert that initiated immediate groundings. The timing created operational chaos for many carriers, particularly in the United States, where the rush to complete the required updates collided with the heavy travel surge over the Thanksgiving weekend. Airlines from Asia to South America were compelled to take aircraft out of service with little warning as the scale of the issue emerged.  Sources familiar with the internal decision-making reported that the recall was initiated shortly after engineers drew a potential connection between the JetBlue event and the flawed software logic. The findings pointed to how solar radiation could corrupt flight-control data, prompting Airbus to request urgent repairs before allowing affected aircraft back into rotation.

Operational Disruptions Across Airlines Worldwide

The consequences were immediate for operators. Avianca, based in Colombia, suspended new bookings until December 8 in order to manage the grounding of its impacted A320s. Finnair and other carriers were forced to inspect their fleets on one aircraft at a time because Airbus’s initial alert did not list specific serial numbers, complicating efforts to determine which jets required urgent attention.  Airbus detailed the nature of the issue in a formal statement: “Analysis of a recent event involving an A320 Family aircraft has revealed that intense solar radiation may corrupt data critical to the functioning of flight controls. Airbus has consequently identified a significant number of A320 Family aircraft currently in-service which may be impacted.”  The company added that it worked “proactively with the aviation authorities” to implement available software and hardware protections, acknowledging the operational disruptions and apologizing to passengers while emphasizing that safety remains its “number one and overriding priority.” 

Implementing the Fix and Remaining Challenges

The mandated fix itself was relatively straightforward but required precise execution. Technicians reverted affected A320s to an earlier version of the software governing the aircraft’s nose-angle system. This involved uploading the legacy software through a data-loader device brought directly into the cockpit, a measure designed to prevent cyber interference. While the installation process was simple in principle, each aircraft had to be updated individually, creating workload bottlenecks for carriers with large fleets.  Airlines also faced an unexpected hurdle: a shortage of data loaders. One industry executive noted privately that some operators had only a handful of these devices on hand, slowing the pace of updates during a period when hundreds of A320s required immediate attention. In addition, an unspecified number of older aircraft will ultimately need full computer replacements rather than software changes, adding another layer of complexity for maintenance teams.  Even with these challenges, the majority of the fleet has now been restored to service, marking good progress just days after regulators issued their emergency directives. With fewer than 100 jets awaiting updates, Airbus appears close to closing one of the most disruptive safety events ever to affect the A320 family, an episode that reshaped holiday travel plans worldwide and highlighted the unexpected risks posed by solar radiation on modern aircraft systems. 

India’s Department of Telecommunications (DoT) has introduced a shift in the way messaging platforms operate in the country, mandating the adoption of SIM-binding as a core security requirement. Under the Telecommunication Cybersecurity Amendment Rules, 2025, all major messaging services, including Telegram, and regional platforms such as Arattai, must ensure that their applications remain continuously linked to an active SIM card on the user’s device.   The mandate is part of the government’s intensified efforts to combat cyber fraud and strengthen nationwide cybersecurity compliance. The directive requires App-Based Communication Service providers to implement persistent SIM-linking within 90 days and submit detailed cybersecurity compliance reports within 120 days. The move seeks to eliminate longstanding gaps in identity verification systems that have enabled malicious actors to misuse Indian mobile numbers from outside the country. 

New Rules for SIM-Binding Communication 

According to the new requirements, messaging services must operate only when the user’s active SIM card matches the credentials stored by the app. If a SIM card is removed, replaced, or deactivated, the corresponding app session must immediately cease to function. The rules also extend to web-based interfaces: platforms must automatically log users out at least every six hours, requiring a QR-based reauthentication that is tied to the same active SIM.  These changes aim to reduce the misuse of Indian telecom identifiers, which authorities say have been exploited for spoofing, impersonation, and other forms of cyber fraud. By enforcing strict SIM-binding, the DoT intends to establish a clearer traceability chain between the user, their device, and their telecom credentials. 

Why Stricter Controls Were Needed 

Government observations revealed that many communication apps continued functioning even after the linked SIM card was removed. This allowed foreign-based actors to operate accounts associated with Indian mobile numbers without proper authentication. The ability to hijack accounts or mask locations contributed directly to an uptick in cybercrimes, often involving financial scams or identity theft.  Industry groups had previously flagged this vulnerability as well. The Cellular Operators Association of India (COAI), for instance, noted that authentication typically occurs only once, during initial setup, which leaves apps operational even if the SIM is no longer present. By requiring ongoing SIM-binding, authorities aim to close this loophole and establish reliable verification pathways essential for cybersecurity compliance.  The new mandate draws support from multiple regulatory frameworks, including the Telecommunications Act, 2023, and subsequent cybersecurity rules issued in 2024 and 2025. Platforms that fail to comply could face penalties, service restrictions, or other legal consequences under India’s telecom and cybersecurity laws. 

Impact on Platforms and Users 

Messaging platforms must redesign parts of their infrastructure to support real-time SIM authentication and implement secure logout mechanisms for multi-device access. They are also expected to maintain detailed logs and participate in audits to demonstrate cybersecurity compliance.  For users, the changes may introduce constraints. Accessing a messaging app without the original active SIM will no longer be possible. Cross-device flexibility, particularly through desktop or browser-based interfaces, may also be reduced due to the six-hour logout requirement. However, policymakers argue that these inconveniences are offset by a reduced risk of cyber fraud.  India’s focus on SIM-binding aligns with practices already common in financial services. Banking and UPI applications, for example, require an active SIM for verification to minimize fraud. Other regulators have taken similar steps: earlier in 2025, the Securities and Exchange Board of India (SEBI) proposed linking trading accounts to specific SIM cards and incorporating biometric checks to prevent unauthorized transactions. 

India Mandates Pre-Installed Cybersecurity App on Smartphones

In a parallel move to strengthen digital security, India’s telecom ministry has ordered all major smartphone manufacturers, including Apple, Samsung, Vivo, Oppo, and Xiaomi, to pre-install its cybersecurity app Sanchar Saathi on all new devices within 90 days, and push it via updates to existing devices. The app must be installed in a way that users cannot disable or delete it. Launched in January, Sanchar Saathi has already helped recover over 700,000 lost phones, blocked 3.7 million stolen devices, terminated 30 million fraudulent connections, and assists in tracking devices and preventing counterfeit phones. The app verifies IMEI numbers, blocks stolen devices, and combats scams involving duplicate or spoofed IMEIs. The move is aimed at strengthening India’s telecom cybersecurity but may face resistance from Apple and privacy advocates, as Apple traditionally opposes pre-installation of government or third-party apps. Industry officials have expressed concerns over privacy, user choice, and operational feasibility, while the government emphasizes the app’s role in digital safety and fraud prevention.

A critical security flaw has been uncovered in Apache Syncope, the widely used open-source identity management system, potentially putting organizations at risk of exposing sensitive password information.   Tracked as CVE-2025-65998, the vulnerability was publicly disclosed on November 24, 2025, by Francesco Chicchiriccò through the official Apache Syncope user mailing list. Credit for discovering the issue goes to Clemens Bergmann of the Technical University of Darmstadt. 

Understanding the CVE-2025-65998 Vulnerability 

The vulnerability specifically affects Apache Syncope instances configured to store user passwords in their internal database using AES encryption. While this configuration is not enabled by default, organizations that activate it may unknowingly introduce a significant security risk. The system relies on a hard-coded AES key embedded directly in the application’s source code.  This design oversight means that any attacker who gains access to the internal database can easily decrypt stored password values, recovering them in plaintext. This compromise poses a severe risk for account security, allowing unauthorized access, privilege escalation, and lateral movement within affected networks.  It is important to note that this flaw only affects passwords stored using the internal AES encryption feature. Other database attributes encrypted through key management mechanisms remain unaffected, as they use separate AES keys and proper encryption handling. 

Affected Versions 

Research indicates that multiple versions of Apache Syncope are vulnerable to CVE-2025-65998, including: 

• Apache Syncope (org.apache.syncope.core:syncope-core-spring) 2.1 through 2.1.14 
• Apache Syncope (org.apache.syncope.core:syncope-core-spring) 3.0 through 3.0.14 
• Apache Syncope (org.apache.syncope.core:syncope-core-spring) 4.0 through 4.0.2 

Organizations running these versions are strongly advised to upgrade to patched releases—version 3.0.15 or 4.0.3—to mitigate the risk. The update replaces the vulnerable hard-coded AES key approach with a more secure key management process, ensuring that password data cannot be trivially decrypted even if the database is compromised. 

Potential Impact 

Exploitation of CVE-2025-65998 can have serious operational consequences. Once an attacker accesses the internal database, all passwords stored with the default AES encryption method can be decrypted, exposing users’ credentials.   This breach can lead to unauthorized account logins, elevated privileges, and potential internal movement across systems, amplifying the threat to organizational security. Francesco Chicchiriccò, in the advisory posted to the Apache Syncope mailing list, emphasized the importance of upgrading affected systems promptly:  “Apache Syncope can be configured to store user password values in the internal database with AES encryption, though this is not the default option. When AES is configured, the default key value, hard-coded in the source code, is always used. This allows a malicious attacker, once obtaining access to the internal database content, to reconstruct the original cleartext password values.”  Clemens Bergmann of the Technical University of Darmstadt is credited with identifying this security gap, bringing attention to the risks associated with embedded AES encryption keys without proper key management. 

Mitigation Steps 

Administrators should promptly review their Apache Syncope deployments. Systems using AES encryption for internal password storage must be updated to versions 3.0.15 or 4.0.3, and key management practices should be strengthened to avoid hard-coded keys.  Cyble can help organizations proactively identify exposed assets and vulnerabilities, providing AI-powered threat intelligence and automated recommendations to prevent credential compromise.   Protect your organization from vulnerabilities like CVE-2025-65998. Leverage Cyble’s AI-powered threat intelligence to uncover exposed assets, assess risks, and secure your systems. Book a free demo today. 

Grafana Labs has issued a warning regarding a maximum-severity security flaw, identified as CVE-2025-41115, affecting its Enterprise product. The vulnerability can allow attackers to impersonate administrators or escalate privileges if certain SCIM (System for Cross-domain Identity Management) settings are enabled.  According to the company, the issue arises only when SCIM provisioning is activated and configured. Specifically, both the enableSCIM feature flag and the user_sync_enabled option must be set to true. Under these conditions, a malicious or compromised SCIM client could create a user with a numeric externalId that directly maps to an internal account, potentially even an administrative account. 

SCIM Mapping Flaw (CVE-2025-41115) Enables Impersonation Risks 

In SCIM systems, the externalId attribute functions as a bookkeeping field used by identity providers to track user records. Grafana Labs’ implementation mapped this value directly to the platform’s internal user.uid. Because of this design, a numeric external ID such as “1” could be interpreted as an existing Grafana account. This behavior opens a door for impersonation or privilege escalation, enabling unauthorized users to assume the identity of legitimate internal accounts.  Grafana Labs notes in its documentation that SCIM is intended to simplify automated provisioning and management of users and groups, particularly for organizations relying on SAML authentication. The feature, available in Grafana Enterprise and certain Grafana Cloud plans, remains in Public Preview. As a result, breaking changes may occur, and administrators are encouraged to test the feature thoroughly in non-production environments before deployment. 

SAML Alignment Required to Prevent Authentication Mismatches 

A major security requirement highlighted by Grafana Labs involves the alignment between the SCIM externalId and the identifier used in SAML authentication. SCIM provisioning relies on a stable identity provider attribute, such as Entra ID’s user.objectid, which becomes the external ID in Grafana. SAML authentication must use the same unique identifier, delivered through a SAML claim, to ensure proper account linkage.  If these identifiers do not match, Grafana may fail to associate authenticated SAML sessions with the intended SCIM-provisioned accounts. This mismatch can allow attackers to generate crafted SAML assertions that result in unauthorized access or impersonation. The company recommends using the assertion_attribute_external_uid setting to guarantee that Grafana reads the precise identity claim required to maintain secure user associations.  To reduce risk, Grafana requires organizations to use the same identity provider for both user provisioning and authentication. Additionally, the SAML assertion exchange must include the correct userUID claim to ensure the system can link the session to the appropriate SCIM entry. 

Configuration Requirements, Supported Workflows, and Automation Capabilities 

Administrators can set up SCIM in Grafana through the user interface, configuration files, or infrastructure-as-code tools such as Terraform. The UI option, available to Grafana Cloud users, applies changes without requiring a restart and allows more controlled access through restricted authentication settings.  Grafana’s SCIM configuration includes options for enabling user synchronization (user_sync_enabled), group synchronization (group_sync_enabled), and restricting access for accounts not provisioned through SCIM (reject_non_provisioned_users). Group sync cannot operate alongside Team Sync, though user sync can. Supported identity providers include Entra ID and Okta.  SCIM provisioning streamlines user lifecycle tasks by automating account creation, updates, deactivation, and team management, reducing manual administrative work and improving security. Grafana notes that SCIM offers more comprehensive, near real-time automation than alternatives such as Team Sync, LDAP Sync, Role Sync, or Org Mapping.  Grafana Labs is urging organizations to review their SCIM and SAML identifier mappings immediately, warning that inconsistencies may lead to unauthorized access scenarios tied to CVE-2025-41115.  In parallel, cybersecurity intelligence leaders such as Cyble continue tracking identity-related risks and misconfigurations across global environments. Security teams looking to strengthen visibility, detect threats earlier, and reduce exposure can explore Cyble’s capabilities, book a free demo to see how Cyble’s AI-driven threat intelligence enhances defense across cloud, endpoints, and identity systems. 

Salesforce has issued a new update on the ongoing Salesforce Gainsight security incident, confirming additional details about the unusual activity detected across Gainsight-published applications connected to the CRM platform. The company reiterated that the incident stemmed from the app’s external integration with Salesforce rather than any vulnerability in the Salesforce core platform.

Salesforce Confirms Expanded Investigation

In its latest advisory, Salesforce stated that the unusual activity affecting Gainsight applications may have enabled unauthorized access to certain customers' Salesforce data through the app-to-Salesforce connection. As part of its precautionary measures, Salesforce revoked all active access and refresh OAuth tokens associated with Gainsight-published applications and removed the apps from its AppExchange. While initial communication referenced only three affected customers, Salesforce confirmed on November 21 that the list has expanded, and all newly identified impacted customers have been notified directly. Salesforce emphasized that a broader investigation is underway and continues to provide updates on its official Help portal. [caption id="attachment_107067" align="aligncenter" width="895"] Source: Salesforce[/caption]

Gainsight Products and Connectors Temporarily Impacted

According to Gainsight’s latest communication, several of its products, including Gainsight CS, Community (CC), Northpass (CE), Skilljar (SJ), and Staircase (ST), have been affected by Salesforce’s precautionary disconnection. Although the products remain operational, they are currently unable to read or write data to Salesforce. In addition, several third-party connectors integrated with Gainsight, such as Gong.io, Zendesk, and HubSpot, have been temporarily disabled by their respective vendors out of an abundance of caution. Gainsight urged customers to rotate their S3 keys if they have not done so since November 20, 2025, as part of the secure log retrieval process.

No Indication of Salesforce Platform Vulnerability

Salesforce reiterated that there is no evidence suggesting the issue originated from a flaw within the Salesforce platform itself. Instead, the activity appears tied to the external OAuth-based connection between Gainsight applications and Salesforce environments. Crucially, Salesforce confirmed that while the OAuth tokens have been revoked, historical audit trails and logs remain intact, enabling full customer-led investigation efforts. The company also strongly encouraged customers to conduct thorough log reviews using Setup Audit Trail, Event Monitoring logs, and API activity records. Salesforce referenced the Salesforce Log Analysis Guide to support customers in assessing potential compromise indicators.

Indicators of Compromise Published

As part of its transparency efforts, Salesforce shared a list of Indicators of Compromise (IOCs) associated with the threat activity. These include several user agents—such as python-requests/2.32.3 and Salesforce-Multi-Org-Fetcher/1.0—and dozens of IP addresses linked to suspicious access attempts. Gainsight echoed Salesforce’s recommendations and is conducting its own forensic review with support from independent investigators. Both organizations confirmed that the Salesforce Gainsight security incident remains under active investigation. Gainsight has published a detailed timeline and continues to coordinate with Salesforce to determine the full impact. Customers seeking assistance have been directed to Salesforce Help and Gainsight Support for further updates.

According to the Indian Computer Emergency Response Team (CERT-In), thousands of households, small offices, and service providers across the country may already be at risk due to a newly uncovered authentication bypass flaw tracked as CVE-2025-59367. India’s national cybersecurity agency has issued a security alert after identifying a severe vulnerability in several widely used Asus DSL-series WiFi routers. The warning, published in CERT-In Vulnerability Note CIVN-2025-0322, outlines how remote attackers could infiltrate specific router models without user involvement. The affected devices include the Asus DSL-AC51, DSL-N16, and DSL-AC750, three routers that are common in home and SOHO environments relying on DSL internet connections.  CERT-In states that the flaw enables an attacker to bypass login controls and gain unrestricted access to the router’s administrative interface. Once the router is compromised, the intruder could alter configuration settings, observe or reroute internet traffic, intercept personal or financial information, or even compromise connected devices. The agency describes the risks to confidentiality, integrity, and availability as “critical.” 

CVE-2025-59367 Enables Authentication Bypass and Network Compromise 

In its advisory, CERT-In explains that a "vulnerability has been reported in ASUS DSL series routers that allows a remote attacker to gain unauthorized access into the affected system.” The agency notes that the issue affects the DSL-AC51, DSL-N16, and DSL-AC750 models and warns that successful exploitation could result in unauthorized access, modification of configuration parameters, access to sensitive information transmitted through the router, and compromise of connected systems.  The advisory is targeted at IT and network administrators, SOC analysts, SMB operators, home and SOHO users, and managed service providers or ISPs, highlighting the widespread nature of the vulnerability. CERT-In’s assessment reiterates that the authentication bypass flaw, identified as CVE-2025-59367, poses direct threats to data confidentiality and system integrity.  The report also details the broader context of the Asus DSL series line, explaining that these devices serve as integrated modem-router units for environments dependent on DSL connections. Because these routers often operate as central networking hubs, any breach may expose all devices and data flowing through the network.  The advisory includes a directive: “Apply appropriate security updates as mentioned in: https://www.asus.com/security-advisory.” CERT-In urges users to immediately install the firmware patches that Asus has begun releasing for the affected models. The agency also recommends that users change default passwords, disable remote management functions unless necessary, and review router security settings for any misconfigurations. Monitoring router logs for abnormalities has also been emphasized as a crucial preventive step. 

Conclusion  

Asus rolls out patches for the authentication bypass flaw CVE-2025-59367; CERT-In is urging all users of affected DSL-series routers to apply updates immediately. The agency has reiterated the seriousness of the vulnerability and advised users to review their router settings, update firmware through the Asus security advisory page, and remain alert to suspicious activity. Incidents like CVE-2025-59367 show how essential it is for organizations to have reliable insight into new vulnerabilities. Cyble supports this need through detailed vulnerability intelligence, helping teams identify high-risk issues, track exploit activity, and prioritize remediation across assets and products. Its intelligence goes beyond standard CVE and NVD listings, offering context on exploits, attack methods, and threat actor discussions.  Schedule a personalized demo with Cyble to assess how its intelligence platform can support your security operations. 

A newly discovered security flaw, identified as CVE-2025-11001, is targeting users across both public and private sectors. The vulnerability, affecting all versions of 7-Zip before 25.00, allows attackers to execute malicious code remotely, potentially compromising critical systems. NHS Digital issued a cyber alert urging organizations and users to take immediate action. 

Details of the CVE-2025-11001 Vulnerability

CVE-2025-11001 is classified as a file-parsing directory traversal remote code execution vulnerability. With a CVSS score of 7.0, the flaw is considered high severity. Exploitation occurs through 7-Zip’s handling of symbolic links during the extraction of archive files. By crafting malicious archives, attackers can manipulate 7-Zip to write files outside the intended extraction directory. This misbehavior enables the placement of executable files in sensitive system locations, which can then be triggered to execute arbitrary code.  Security researchers have released a proof-of-concept (PoC) exploit demonstrating how CVE-2025-11001 can be leveraged. While the PoC does not constitute a fully weaponized attack, it lowers the barrier for cybercriminals, making unpatched systems increasingly vulnerable. 

Impact and Threat Assessment

All 7-Zip versions before 25.00 are at risk, which includes a vast number of enterprise systems, government agencies, and personal computers. The NHS Digital cybersecurity team has classified this issue as Threat ID CC-4719 with medium severity, highlighting the urgent need for patching.  Although initial reports suggested active exploitation in the wild, a subsequent update on November 20, 2025, clarified that no confirmed exploitation of CVE-2025-11001 has been observed by NHS England’s National Cyber Security Operations Centre (CSOC). The National CSOC did confirm the existence of the public PoC exploit and indicated that potential exploitation remains likely in the future if systems are left unpatched.  Given the deployment of 7-Zip across multiple environments, the potential attack surface is significant. A successful attack could allow unauthorized access to sensitive systems and facilitate the deployment of additional malware payloads. 

Remediation and Recommendations

In response to CVE-2025-11001, 7-Zip released version 25.00, which addresses the vulnerability and mitigates the risk of remote code execution via malicious archive files. Organizations and individual users are strongly advised to upgrade immediately. Delaying the update leaves systems exposed to potential threats that could be exploited once more attacks emerge.  System administrators should prioritize updating all endpoints and servers running vulnerable 7-Zip versions. Implementing this patch eliminates the directory traversal flaw, effectively neutralizing the possibility of arbitrary code execution through symbolic link abuse. 

Conclusion

CVE-2025-11001 is a high-severity 7-Zip vulnerability. While NHS systems haven’t seen confirmed exploitation, the public proof-of-concept raises the risk. Organizations should update to 7-Zip 25.00 or later and report incidents to NHS Digital.  To stay protected from threats like CVE-2025-11001, Cyble provides AI-driven vulnerability intelligence, helping organizations prioritize and patch critical risks before they are exploited. Schedule a personalized demo with Cyble to protect your systems today. 

Fortinet may have silently patched an exploited zero-day vulnerability more than two weeks before officially disclosing the vulnerability. CVE-2025-64446 in Fortinet’s FortiWeb web application firewall (WAF) may have been exploited as early as October 6, according to DefusedCyber in a post on X. Fortinet is believed to have patched the 9.8-rated vulnerability in FortiWeb 8.0.2 in late October, but didn’t publish an advisory disclosing the exploited vulnerability until November 14. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog the same day as Fortinet’s disclosure. Late today, Fortinet disclosed another exploited FortiWeb vulnerability - CVE-2025-58034, a 7.2-rated OS Command Injection vulnerability.

Fortinet Silent Patch Raises Concerns

The delayed notification in the case of CVE-2025-64446 has raised concerns with some in the cybersecurity industry, who say the delay may have put Fortinet customers at a disadvantage. “Silently patching vulnerabilities is an established bad practice that enables attackers and harms defenders, particularly for devices and systems (including FortiWeb) that have previously been exploited in the wild,” VulnCheck’s Caitlin Condon said in a blog post. “We already know security by obscurity doesn't work; adversaries monitor new product releases and are actively reverse engineering patches regardless of whether suppliers tell their customers about fixed vulnerabilities or not,” Condon added. “When popular technology vendors fail to communicate new security issues, they are issuing an invitation to attackers while choosing to keep that same information from defenders.” The Cyber Express has reached out to Fortinet for comment and will update this article with any response.

CVE-2025-64446 FortiWeb Vulnerability

CVE-2025-64446 is a 9.8-severity relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, and FortiWeb 7.0.0 through 7.0.11. The vulnerability could potentially allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests. Fortinet recommends disabling HTTP or HTTPS for internet facing interfaces until an upgrade can be performed. “If the HTTP/HTTPS Management interface is internally accessible only as per best practice, the risk is significantly reduced,” Fortinet’s advisory said. Shadowserver shows several hundred internet-facing FortiWeb management instances, which presumably would be vulnerable until upgraded. After completing upgrades, Fortinet recommends that FortiWeb customers “review their configuration for and review logs for unexpected modifications, or the addition of unauthorized administrator accounts.” watchTowr said CVE-2025-64446 appears to comprise two vulnerabilities: a path traversal vulnerability, and an authentication bypass vulnerability. watchTowr shared one sample request stream that it said was “evidence of a threat actor looking to exploit a vulnerability ... that allowed privileged administrative functions to be reached.” In the example, the threat actor “exploited the vulnerability to add administrative accounts to the target and vulnerable appliance, serving as a weak persistence mechanism. “To be explicitly clear,” watchTowr added, “this is a complete compromise of the vulnerable appliance.”

TL;DR

AI-powered vulnerability remediation often fails because it lacks context about how your applications actually work. Runtime intelligence solves this by providing AI with real-world application behavior data, architecture insights, and dependency information. This context-aware approach reduces remediation time by up to 87% while eliminating the false positives that plague traditional scanning.

The post AI Application Vulnerability Remediation: Why AI Vulnerability Fixes Fail Without Runtime Context appeared first on Security Boulevard.

Vulnerabilities in the IBM AIX operating system for Power servers could allow remote attackers to execute arbitrary commands, obtain Network Installation Manager (NIM) private keys, or traverse directories. IBM flagged the vulnerabilities - three critical and one high-severity - in a new security bulletin, and security firm Mondoo also urged AIX users to mitigate the flaws in a blog post. While there has been no evidence of exploitation as of yet, Mondoo warns the vulnerabilities could be chained together to compromise the critical environments that typically rely on IBM Power systems, like financial services and healthcare. “These four vulnerabilities together present a very serious threat, especially in environments where the NIM infrastructure is exposed,” Mondoo said.

IBM AIX Vulnerability CVE-2025-36250 Rated 10.0

The highest-rated vulnerability is CVE-2025-36250, which scored a perfect 10.0. In IBM AIX 7.2 and 7.3 and IBM VIOS (Virtual I/O Server) 3.1 and 4.1, NIM server (formerly known as NIM master) service (nimesis) could allow a remote attacker to execute arbitrary commands due to improper process controls. The fix issued by IBM “addresses additional attack vectors for a vulnerability that was previously addressed” as CVE-2024-56346, which was also rated 10.0. CVE-2025-36251, rated 9.6, also affects IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1. IBM notes that nimsh service SSL/TLS implementations could allow a remote attacker to execute arbitrary commands due to improper process controls. The fix also addresses additional attack vectors for a previous vulnerability, CVE-2024-56347, which was also rated 9.6. CVE-2025-36096, rated 9.0, notes that AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1 store NIM private keys used in NIM environments “in an insecure way which is susceptible to unauthorized access by an attacker using man in the middle techniques.” CVE-2025-36236, rated 8.2, also affects AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1. The NIM server service could allow a remote attacker to traverse system directories or send a specially crafted URL request to write arbitrary files on the system. IBM credited Jan Alsenz of Oneconsult AG for the discoveries.

IBM AIX Vulnerabilities Could Allow System ‘Hijack’

In a statement shared with The Cyber Express, Mondoo CSO Patrick Münch said the four vulnerabilities “present a very serious threat because they allow a remote attacker with no privileges to perform arbitrary commands on an IBM Network Installation Manager (NIM) that’s exposed to the internet (which NIM servers typically are). This means that they could 'hijack' unattended operating system installations and updates to deploy malicious payloads onto AIX hosts, move laterally, and persist in the broader environment.” Münch noted that because of their critical nature, “Patch cycles are often delayed on IBM AIX because uptime is so critical for these enterprises. We haven’t seen any reports of active exploitation yet, but due to the high risk of these vulnerabilities, we strongly advise organizations to patch immediately.” IBM provided lengthy mitigation instructions, and Mondoo said affected organizations should configure NIM in SSL/TLS Secure mode (nimconfig -c) and apply the fixes, which can be downloaded via https from: https://aix.software.ibm.com/aix/efixes/security/nim_fix2.tar, which downloads a tar file that contains the advisory, fix packages, and OpenSSL signatures for each package.  

A cybersecurity incident at Eurofiber France was officially confirmed after the company identified unauthorized activity on November 13, 2025. The incident involved a software vulnerability that allowed a malicious actor to access data from Eurofiber France’s ticket management platform and the ATE customer portal. According to the company, the situation is now under control, with systems secured and additional protective measures implemented.

Cybersecurity Incident Impacted Ticketing Platform and ATE Portal

Eurofiber France stated that the cybersecurity incident affected its central ticket management platform used by regional brands Eurafibre, FullSave, Netiwan, and Avelia. It also impacted the ATE portal, part of Eurofiber France’s cloud services operating under the Eurofiber Cloud Infra France brand. The company confirmed that the attacker exploited a software vulnerability in this shared environment, leading to the exfiltration of customer-related data. The company emphasized that the incident is limited to customers in France using the affected platforms. Customers using Eurofiber services in Belgium, Germany, or the Netherlands, including Eurofiber Cloud Infra in the Netherlands, were not impacted. Eurofiber also noted that the effect on indirect sales and wholesale partners within France remains minimal, as most partners operate on separate systems.

Immediate Response and Containment Measures

Within hours of detecting the breach, Eurofiber France placed both the ticketing platform and the ATE portal under reinforced security. The vulnerability was patched, and additional layers of protection were deployed. The company said its internal teams, working alongside external cybersecurity experts, are now focused on assisting customers in assessing and managing the impact. Eurofiber clarified that no sensitive financial information, such as bank details or regulated critical data stored in other systems, was compromised. All services remained fully operational during the attack, and there was no disruption to customer connectivity or service availability. Customers were notified immediately after the breach was detected. Eurofiber stated it would continue to update affected organizations transparently as the investigation progresses.

Regulatory Notifications and Ongoing Investigation

In line with European regulatory requirements, Eurofiber France has notified the CNIL (France’s Data Protection Authority under GDPR) and reported the incident to ANSSI (the French National Cybersecurity Agency). A police complaint has also been filed in connection with an extortion attempt linked to the attack. The company reaffirmed its commitment to transparency, data protection, and cybersecurity throughout the remediation process.

External Research Points to Larger Data Exposure

International Cyber Digest, a third-party cybersecurity research group, reported that the breach may have exposed information belonging to approximately 3,600 customers. According to their analysis, the threat actor — who identifies as “ByteToBreach” — gained full access to Eurofiber’s GLPI database, including client data, support tickets, internal messages, passwords, and API keys. Researchers noted that Eurofiber’s GLPI installation may have been operating on versions 10.0.7–10.0.14, potentially outdated and vulnerable. The attacker, in comments shared with the researchers, claimed to have executed a slow, time-based SQL injection attack and extracted nearly 10,000 password hashes over a period of 10 days. They reportedly used administrator-level API keys to download internal documents and customer PII. ByteToBreach also claimed to have contacted both GLPI’s developer, Teclib, and Eurofiber to negotiate ransom demands. According to the research group, those attempts received no response. Eurofiber France operates over 76,000 kilometers of fiber network and 11 data centers, serving between 9,000 and 12,000 business and government customers. The company’s French clientele includes several major public institutions and private-sector organizations. Eurofiber France reiterated that all systems have now been secured and that enhanced monitoring and preventive measures are in place. The company said its teams remain fully mobilized until the cybersecurity incident is completely resolved.

Overview On November 12, NSFOCUS CERT detected that Microsoft released the November Security Update patch, which fixed 63 security issues involving widely used products such as Windows, Microsoft Office, Microsoft SQL Server, Azure, and Microsoft Visual Studio, including privilege escalation, high-risk vulnerability types such as remote code execution. Among the vulnerabilities fixed by Microsoft’s monthly […]

The post Microsoft’s November Security Update of High-Risk Vulnerability Notice for Multiple Products appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..

The post Microsoft’s November Security Update of High-Risk Vulnerability Notice for Multiple Products appeared first on Security Boulevard.

A newly disclosed security flaw in the Amazon WorkSpaces client for Linux has raised serious concerns across organizations relying on AWS virtual desktop infrastructure. The vulnerability, identified as CVE-2025-12779, enables local attackers to extract valid authentication tokens and gain unauthorized access to other users’ WorkSpace sessions.  On November 5, 2025, AWS issued a formal security bulletin, AWS-2025-025, detailing the issue and urging immediate remediation. The bulletin categorized the flaw as “Important (requires attention)” and warned users that improper token handling in specific client versions could expose sensitive credentials on shared systems. 

CVE-2025-12779 Vulnerability Details and Impact

According to the advisory, the vulnerability affects the Amazon WorkSpaces client for Linux versions 2023.0 through 2024.8. These versions mishandle authentication tokens used in DCV-based WorkSpaces, potentially leaving them accessible to other local users on the same client machine. Under the right conditions, a malicious local user could retrieve these tokens and establish unauthorized access to another individual’s virtual desktop session.  In its official statement, AWS noted:  “Improper handling of the authentication token in the Amazon WorkSpaces client for Linux, versions 2023.0 through 2024.8, may expose the authentication token for DCV-based WorkSpaces to other local users on the same client machine. Under certain circumstances, an unintended user may be able to extract a valid authentication token from the client machine and access another user’s WorkSpace.”  The issue stems from improper token management within the affected client versions. When deployed in multi-user or shared Linux environments, these tokens may remain accessible to other users on the system. This creates a direct path for attackers to exploit the weakness and impersonate legitimate users.  Once a valid token is obtained, an attacker can connect to the victim’s WorkSpace as an authenticated user, bypassing standard access controls. Because the session would appear legitimate, traditional network-based intrusion detection tools might fail to detect the compromise. This allows an attacker to maintain persistent access to sensitive applications, data, and system resources hosted within the virtual environment.  The CVE-2025-12779 flaw highlights a critical risk in desktop virtualization environments where shared systems or contractor workstations are common. Unlike remote exploits that target network vulnerabilities, this issue operates at the local level. 

AWS Response and Patch Availability

To mitigate the vulnerability, AWS confirmed that the problem has been resolved in the Amazon WorkSpaces client for Linux version 2025.0. Users are strongly advised to upgrade to version 2025.0 or newer as soon as possible. The updated client can be downloaded directly from the Amazon WorkSpaces Client Download page.  Furthermore, AWS announced the end of support for the affected client versions, effectively requiring all organizations to transition to the patched release. Security teams are urged to audit their current deployments to identify any instances still running versions 2023.0 through 2024.8. Immediate upgrades should be prioritized for environments where multiple users share access to the same Linux systems.  In addition to updating software, organizations are encouraged to review access logs for signs of unauthorized token extraction or abnormal login activity during the period when the vulnerability was active. This step is critical for detecting potential breaches that may have already occurred before the patch was applied. 

The security research team at JFrog, a provider of a platform for building and deploying software, have discovered a critical vulnerability in a node package manager (NPM) found in tools used by application developers that enable unauthenticated attackers to remotely trigger arbitrary operating system commands by sending a post request to a Metro server used..

The post JFrog Uncovers Severe React Vulnerability Threat to Software Supply Chains appeared first on Security Boulevard.

A critical security flaw in Microsoft's WSUS feature is being actively exploited in the wild by threat actors who could gain access into unpatched servers, remotely control networks, and use them to deliver malware or do other damage. Microsoft is urging organizations to apply a patch to their systems.

The post Critical Microsoft WSUS Security Flaw is Being Actively Exploited appeared first on Security Boulevard.