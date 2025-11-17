This week showed just how fast things can go wrong when no one's watching. Some attacks were silent and sneaky. Others used tools we trust every day — like AI, VPNs, or app stores — to cause damage without setting off alarms.

It's not just about hacking anymore. Criminals are building systems to make money, spy, or spread malware like it's a business. And in some cases, they're using the same apps and services that businesses rely on — flipping the script without anyone noticing at first.

The scary part? Some threats weren't even bugs — just clever use of features we all take for granted. And by the time people figured it out, the damage was done.

Let's look at what really happened, why it matters, and what we should all be thinking about now.

⚡ Threat of the Week

Silently Patched Fortinet Flaw Comes Under Attack — A vulnerability that was patched by Fortinet in FortiWeb Web Application Firewall (WAF) has been exploited in the wild since early October 2025 by threat actors to create malicious administrative accounts. The vulnerability, tracked as CVE-2025-64446 (CVSS score: 9.1), is a combination of two discrete flaws, a path traversal flaw and an authentication bypass, that could be exploited by an attacker to perform any privileged action. It's currently not known who is behind the exploitation activity. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by November 21, 2025.

🔔 Top News

— Malware families like Rhadamanthys Stealer, Venom RAT, and the Elysium botnet were disrupted as part of a coordinated law enforcement operation led by Europol and Eurojust. The activity, which took place between November 10 and 13, 2025, led to the arrest of an individual behind Venom RAT in Greece on November 3, along with the seizure of more than 1,025 servers and 20 domains. "The dismantled malware infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials," Europol said. "Many of the victims were not aware of the infection of their systems." Google Sues China-Based Hackers Behind Lighthouse PhaaS — Google filed a civil lawsuit in the U.S. District Court for the Southern District of New York (SDNY) against 25 unnamed China-based hackers who are behind a massive Phishing-as-a-Service (PhaaS) platform called Lighthouse that has ensnared over 1 million users across 120 countries. The PhaaS kit has been used to fuel large-scale smishing campaigns in the U.S. that are designed to steal users' personal and financial information by impersonating banks, cryptocurrency exchanges, mail and delivery services, police forces, state-owned enterprises, and electronic tolls, among others. The service has since been shut down, but Google said it will "continue to stay vigilant, adjust our tactics and take action like we did" as the cybercrime ecosystem evolves in response to the action.

‎️‍🔥 Trending CVEs

Attackers don't wait. A missed patch today can be a foothold tomorrow. All it takes is one overlooked CVE to open the door wide. This week's top vulnerabilities are already on threat actors' radar — scan the list, fix fast, and don't give them a head start.

This week's list includes — CVE-2025-64446 (Fortinet FortiWeb), CVE-2025-64740, CVE-2025-64741, CVE-2025-64738, CVE-2025-64739 (Zoom), CVE-2025-12485 (Devolutions Server), CVE-2025-59396 (WatchGuard Firebox), CVE-2025-42890 (SAP SQL Anywhere Monitor), CVE-2025-42887 (SAP Solution Manager) CVE-2025-12686 (Synology BeeStation OS), CVE-2025-10918 (Ivanti Endpoint Manager), CVE-2025-12120, CVE-2025-12121 (Lite XL), CVE-2025-11919 (Wolfram Cloud), CVE-2025-46608 (Dell Data Lakehouse), CVE-2025-64401, CVE-2025-64403, CVE-2025-64404, CVE-2025-64405 (Apache OpenOffice), CVE-2025-62449 (Visual Studio Code CoPilot Chat Extension), CVE-2025-62453 (GitHub Copilot and Visual Studio Code), CVE-2025-37734 (Kibana), CVE-2025-4619 (Palo Alto Networks PAN-OS), CVE-2025-11224 (GitLab CE/EE), CVE-2025-52970 (Fortinet FortiWeb), CVE-2025-59367 (ASUS DSL series), CVE-2025-43515 (Apple Compressor), CVE-2025-23361, CVE-2025-33178 (NVIDIA NeMo Framework), CVE-2025-20341 (Cisco Catalyst Center), and CVE-2025-12762 (pgAdmin4).

📰 Around the Cyber World

Leaking Sora 2's System Prompt — Cybersecurity researchers have discovered a way to leak the system prompt associated with Sora 2, OpenAI's text-to-video model. A system prompt refers to internal guidelines that define how the model behaves. While prompts to display the system prompt in the form of an image using ASCII characters or creating images that represent the text in an encoded form, such as QR codes or barcodes, new research from Mindgard found that the accuracy of the text displayed in the 15-second videos degraded quickly. However, Sora's ability to generate audio creates a new vector for system prompt recovery, making it possible to allow longer chunks of text by instructing the model to produce speech at 3x speed with no pauses in between. "When we prompted Sora with small units of text and requested narration, the audio output was clear enough to transcribe," the company said. "By stitching together many short audio clips, we reconstructed a nearly complete system prompt." The findings show that the multimodal nature of a model can open up new pathways for exfiltration, even if text-based output is restricted.

— The Imunify360 malware scanner for Linux servers is vulnerable to a remote code execution vulnerability that could be exploited to compromise the hosting environment. According to October 2024 data from the vendor, Imunify360 had been used to protect 56 million sites. The issue (no CVE) affects versions of the AI-BOLIT malware scanning component prior to 32.7.4.0. "The vulnerability stems from the deobfuscation logic executing untrusted functions and payloads extracted from attacker-supplied malware," Patchstack said. "An attacker-controlled payload can cause the deobfuscator to call dangerous PHP functions (for example, system, exec, shell_exec, passthru, eval, etc.), resulting in arbitrary command execution and full compromise of the hosting environment." Users are advised to apply the patches as soon as possible and restrict the environment if immediate patching is not an option. FBI Warns About New Fraud Targeting Chinese Speakers — The U.S. Federal Bureau of Investigation (FBI) is warning people about a new financial fraud scheme that's impersonating U.S. health insurance providers and Chinese law enforcement to target Chinese-speaking individuals residing in the country. "Targeted individuals receive a call from a spoofed telephone number of a legitimate US health insurance provider's claims department," the FBI said. "The call is conducted in Chinese, and the recipient is asked about recent insurance claims for alleged surgical procedures. The criminal then shows the recipient fraudulent invoices on screen via video communication software and demands payment. If the recipient denies having filed the claim or that the procedure took place, the criminal transfers the recipient to someone purporting to be Chinese law enforcement. The law enforcement impersonator then asks for personal identifying information, threatens the individual with extradition or foreign prosecution, and demands a large payment for bail. The impersonator may instruct the victim to download video communication software and maintain connectivity for 24-hour surveillance." It's not clear how widespread these efforts are, but the fact that the FBI felt it necessary to issue an alert suggests that it has seen some amount of success.

🔧 Cybersecurity Tools

FlowViz – Attack Flow Visualizer: FlowViz is an open-source React app that reads cyber articles and builds interactive attack flow diagrams using the MITRE ATT&CK framework. It pulls attack data from URLs/text, scans images, and maps tactics/techniques. Users can explore flows in real time, use story mode, and export to PNG, STIX 2.1, .afb, or JSON. Runs on Node.js with Anthropic API (Claude) and needs a .env setup. Made for analysts, with a secure backend and solid error handling.

OWASP Noir — it is an open-source tool that scans source code to find API/web endpoints for whitebox testing. Supports many languages, works with curl, ZAP, Caido. Outputs in JSON, YAML, OAS. Fits into DevOps pipelines. Uses AI to spot hidden endpoints. Helps link code analysis with dynamic security tools.

Below — It is a system monitoring tool for Linux that shows and records detailed performance data. It supports viewing hardware usage, cgroup hierarchy and process info, pressure stall information (PSI), and offers live, record, and replay modes. Users can export data in formats like JSON or CSV, or create snapshots for later analysis. It doesn't support cgroup1 and differs from tools like atop in design choices. Available via package managers on Fedora, Alpine, and Gentoo, or installable from source with Cargo. It also has basic integration support for Prometheus and Grafana.

Disclaimer: These tools are for educational and research use only. They haven't been fully security-tested and could pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.

🔒 Tip of the Week

Control App Traffic with a Mobile Firewall — Most mobile apps keep talking to the internet in the background—even when you're not using them. Some even send out your data without asking clearly. On computers, firewalls help block this kind of behavior. But on phones? Not so much.

That's a big problem. It means your data could be leaking without you knowing. Some apps connect to ad networks, trackers, or other services quietly. This increases the risk of spying, privacy loss, or even attacks.

On Android, you can take control without needing to "root" your phone. Try these two free apps:

NetGuard: Blocks internet access for specific apps. Runs as a local VPN but doesn't send your data anywhere. You can log what's connecting, block by hostname, and even export your rules.

PersonalDNSfilter: Stops known trackers and malware at the DNS level. Lightweight and clear about what it blocks.

Both tools work by creating a secure tunnel on your phone. No data leaves your device. You can also whitelist safe domains and block risky ones.

iPhone user? It's harder. Apple blocks deep firewall control unless you use a full VPN or enterprise tools. But you can still improve privacy by:

Checking app permissions often

Turning off background refresh

Using strong VPNs like Mullvad or ProtonVPN

Phones are now mini-computers. And most people carry them everywhere. That makes them a big privacy target. Firewalls help stop hidden app traffic, reduce data leaks, and keep your info safe. Take 5 minutes. Set it up once. Stay safer every day.

Conclusion

This week's threats weren't loud — they were clever, quiet, and easy to miss. That's the danger now. Not chaos, but calm that hides the breach.

Security isn't just tools. It's attention. Stay sharp. Trust less. Check everything.