Vulnerability | Breaking Cybersecurity News | The Hacker News

Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS) software since August 9, 2025 , Google Threat Intelligence Group (GTIG) and Mandiant said in a new report released Thursday. "We're still assessing the scope of this incident , but we believe it affected dozens of organizations," John Hultquist, chief analyst of GTIG at Google Cloud, said in a statement shared with The Hacker News. "Some historic Cl0p data extortion campaigns have had hundreds of victims. Unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime." The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have fashioned together multiple distinct vulnerabilities, including a zero-day flaw tracked as CVE-2025-61882 (CVSS score: 9.8), to breach target networks and exfiltrate sensitive data. Google said it found evidence of ...

Cyber threats are evolving faster than ever. Attackers now combine social engineering, AI-driven manipulation, and cloud exploitation to breach targets once considered secure. From communication platforms to connected devices, every system that enhances convenience also expands the attack surface. This edition of ThreatsDay Bulletin explores these converging risks and the safeguards that help preserve trust in an increasingly intelligent threat landscape. How Threat Actors Abuse Microsoft Teams Attackers Abuse Microsoft Teams for Extortion, Social Engineering, and Financial Theft Microsoft detailed the various ways threat actors can abuse its Teams chat software at various stages of the attack chain, even using it to support financial theft through extortion, social engineering, or technical means. " Octo Tempest has used communication apps, including Teams, to send taunting and threatening messages to organizations, defenders, and incident response teams as p...

Threat actors are actively exploiting a critical security flaw impacting the Service Finder WordPress theme that makes it possible to gain unauthorized access to any account, including administrators, and take control of susceptible sites. The authentication bypass vulnerability, tracked as CVE-2025-5947 (CVSS score: 9.8), affects the Service Finder Bookings, a WordPress plugin bundled with the Service Finder theme. It was discovered by a researcher who goes by the name Foxyyy. "This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts with the 'administrator' role," Wordfence researcher István Márton said . The problem, at its core, is a case of privilege escalation stemming from authentication bypass due to the plugin not adequately validating a user's cookie value before logging them in through an account switching function (service_finder_switch_back()). As a result, an unauthenticate...

Cybersecurity researchers have disclosed details of a now-patched vulnerability in the popular figma-developer-mcp Model Context Protocol ( MCP ) server that could allow attackers to achieve code execution. The vulnerability, tracked as CVE-2025-53967 (CVSS score: 7.5), is a command injection bug stemming from the unsanitized use of user input, opening the door to a scenario where an attacker can send arbitrary system commands. "The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.)," according to a GitHub advisory for the flaw. "Successful exploitation can lead to remote code execution under the server process's privileges." Given that the Framelink Figma MCP server exposes various tools to perform operations in Figma using artificial intelligence (AI)-powered coding agents like Cursor, an attacker co...

Google's DeepMind division on Monday announced an artificial intelligence (AI)-powered agent called CodeMender that automatically detects, patches, and rewrites vulnerable code to prevent future exploits. The efforts add to the company's ongoing efforts to improve AI-powered vulnerability discovery, such as Big Sleep and OSS-Fuzz . DeepMind said the AI agent is designed to be both reactive and proactive, by fixing new vulnerabilities as soon as they are spotted as well as rewriting and securing existing codebases with an aim to eliminate whole classes of vulnerabilities in the process. "By automatically creating and applying high-quality security patches, CodeMender's AI-powered agent helps developers and maintainers focus on what they do best — building good software," DeepMind researchers Raluca Ada Popa and Four Flynn said . "Over the past six months that we've been building CodeMender, we have already upstreamed 72 security fixes to open source proje...

Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances. The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0. "An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution," according to a GitHub advisory for the issue. "The problem exists in all versions of Redis with Lua scripting." However, for exploitation to be successful, it requires an attacker to first gain authenticated access to a Redis instance, making it crucial that users don't leave their Redis instances exposed to the internet and secure them with strong authentication. The issue impacts all versions of Redis. It has been addressed in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 released on October 3, 2025. As tempor...

Microsoft on Monday attributed a threat actor it tracks as Storm-1175 to the exploitation of a critical security flaw in Fortra GoAnywhere software to facilitate the deployment of Medusa ransomware. The vulnerability is CVE-2025-10035 (CVSS score: 10.0), a critical deserialization bug that could result in command injection without authentication. It was addressed in version 7.8.4, or the Sustain Release 7.6.3. "The vulnerability could allow a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection and potential remote code execution (RCE)," the Microsoft Threat Intelligence team said . According to the tech giant, Storm-1175 is a cybercriminal group known for deploying Medusa ransomware and exploiting public-facing applications for initial access. Exploitation activity related to CVE-2025-10035 is said to have been detected in multiple organizations on September 11, 2025. It...

Oracle has released an emergency update to address a critical security flaw in its E-Business Suite software that it said has been exploited in the recent wave of Cl0p data theft attacks. The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component. "This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password," Oracle said in an advisory. "If successfully exploited, this vulnerability may result in remote code execution." In a separate alert, Oracle's Chief Security Officer Rob Duhart said the company has released fixes for CVE-2025-61882 to "provide updates against additional potential exploitation that were discovered during our investigation." As indicators of compromise...

Threat intelligence firm GreyNoise disclosed on Friday that it has observed a massive spike in scanning activity targeting Palo Alto Networks login portals. The company said it observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and aimed primarily at Palo Alto login portals. As many as 1,300 unique IP addresses have participated in the effort, a significant jump from around 200 unique IP addresses observed before. Of these IP addresses, 93% are classified as suspicious and 7% as malicious. The vast majority of the IP addresses are geolocated to the U.S., with smaller clusters detected in the U.K., the Netherlands, Canada, and Russia. "This Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours," GreyNoise noted. "In both cases, the scanners exhibited regional clu...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a high-severity security flaw impacting Smartbedded Meteobridge to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The vulnerability, CVE-2025-4008 (CVSS score: 8.7), is a case of command injection in the Meteobridge web interface that could result in code execution. "Smartbedded Meteobridge contains a command injection vulnerability that could allow remote unauthenticated attackers to gain arbitrary command execution with elevated privileges (root) on affected devices," CISA Said. According to ONEKEY, which discovered and reported the issue in late February 2025, the Meteobridge web interface lets an administrator manage their weather station data collection and control the system through a web application written in CGI shell scripts and C. Specifically, the web interface exposes a "template.cgi" script through "/cgi-bin/tem...

From unpatched cars to hijacked clouds, this week's Threatsday headlines remind us of one thing — no corner of technology is safe. Attackers are scanning firewalls for critical flaws, bending vulnerable SQL servers into powerful command centers, and even finding ways to poison Chrome's settings to sneak in malicious extensions. On the defense side, AI is stepping up to block ransomware in real time, but privacy fights over data access and surveillance are heating up just as fast. It's a week that shows how wide the battlefield has become — from the apps on our phones to the cars we drive. Don't keep this knowledge to yourself: share this bulletin to protect others, and add The Hacker News to your Google News list so you never miss the updates that could make the difference. Claude Now Finds Your Bugs Anthropic Touts Safety Protections Built Into Claude Sonnet 4.6 Anthropic said it has rolled out a number of safety and security improve...

A high-severity security flaw has been disclosed in the One Identity OneLogin Identity and Access Management (IAM) solution that, if successfully exploited, could expose sensitive OpenID Connect ( OIDC ) application client secrets under certain circumstances. The vulnerability, tracked as CVE-2025-59363 , has been assigned a CVSS score of 7.7 out of 10.0. It has been described as a case of incorrect resource transfer between spheres ( CWE-669 ), which causes a program to cross security boundaries and obtain unauthorized access to confidential data or functions. CVE-2025-59363 "allowed attackers with valid API credentials to enumerate and retrieve client secrets for all OIDC applications within an organization's OneLogin tenant," Clutch Security said in a report shared with The Hacker News. The identity security said the problem stems from the fact that the application listing endpoint – /api/2/apps – was configured to return more data than expected, including the ...

A severe security flaw has been disclosed in the Red Hat OpenShift AI service that could allow attackers to escalate privileges and take control of the complete infrastructure under certain conditions. OpenShift AI is a platform for managing the lifecycle of predictive and generative artificial intelligence (GenAI) models at scale and across hybrid cloud environments. It also facilitates data acquisition and preparation, model training and fine-tuning, model serving and model monitoring, and hardware acceleration. The vulnerability, tracked as CVE-2025-10725 , carries a CVSS score of 9.9 out of a maximum of 10.0. It has been classified by Red Hat as "Important" and not "Critical" in severity owing to the need for a remote attacker to be authenticated in order to compromise the environment. "A low-privileged attacker with access to an authenticated account, for example, as a data scientist using a standard Jupyter notebook, can escalate their privileges to ...

Unknown threat actors are abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since at least February 2022. French cybersecurity company SEKOIA said the attackers are exploiting the cellular router's API to send malicious SMS messages containing phishing URLs, with the campaigns primarily targeting Sweden, Italy, and Belgium using typosquatted URLs that impersonate government platforms like CSAM and eBox, as well as banking, postal, and telecom providers. Of the 18,000 routers of this type accessible on the public internet, no less than 572 are assessed to be potentially vulnerable due to them exposing the inbox/outbox APIs. About half of the identified vulnerable routers are located in Europe. "Moreover, the API enables retrieval of both incoming and outgoing SMS messages, which indicates that the vulnerability has been actively exploited to disseminate malicious SMS campaigns since at le...

A group of academics from KU Leuven and the University of Birmingham has demonstrated a new vulnerability called Battering RAM to bypass the latest defenses on Intel and AMD cloud processors. "We built a simple, $50 interposer that sits quietly in the memory path, behaving transparently during startup and passing all trust checks," researchers Jesse De Meulemeester, David Oswald, Ingrid Verbauwhede, and Jo Van Bulck said on a website publicizing the findings. "Later, with just a flip of a switch, our interposer turns malicious and silently redirects protected addresses to attacker-controlled locations, allowing corruption or replay of encrypted memory." Battering RAM compromises Intel's Software Guard Extensions ( SGX ) and AMD's Secure Encrypted Virtualization with Secure Nested Paging ( SEV-SNP ) hardware security features, which ensure that customer data remains encrypted in memory and protected during use. It affects all systems using DDR4 memory...

Cybersecurity researchers have disclosed three now-patched security vulnerabilities impacting Google's Gemini artificial intelligence (AI) assistant that, if successfully exploited, could have exposed users to major privacy risks and data theft. "They made Gemini vulnerable to search-injection attacks on its Search Personalization Model; log-to-prompt injection attacks against Gemini Cloud Assist; and exfiltration of the user's saved information and location data via the Gemini Browsing Tool," Tenable security researcher Liv Matan said in a report shared with The Hacker News. The vulnerabilities have been collectively codenamed the Gemini Trifecta by the cybersecurity company. They reside in three distinct components of the Gemini suite - A prompt injection flaw in Gemini Cloud Assist that could allow attackers to exploit cloud-based services and compromise cloud resources by taking advantage of the fact that the tool is capable of summarizing logs pulled dir...

A newly patched security flaw impacting Broadcom VMware Tools and VMware Aria Operations has been exploited in the wild as a zero-day since mid-October 2024 by a threat actor called UNC5174, according to NVISO Labs . The vulnerability in question is CVE-2025-41244 (CVSS score: 7.8), a local privilege escalation bug affecting the following versions - VMware Cloud Foundation 4.x and 5.x VMware Cloud Foundation 9.x.x.x VMware Cloud Foundation 13.x.x.x (Windows, Linux) VMware vSphere Foundation 9.x.x.x VMware vSphere Foundation 13.x.x.x (Windows, Linux) VMware Aria Operations 8.x VMware Tools 11.x.x, 12.x.x, and 13.x.x (Windows, Linux) VMware Telco Cloud Platform 4.x and 5.x VMware Telco Cloud Infrastructure 2.x and 3.x "A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM," VMware sai...