October 19, 2025

Cyber OSINT Overview, Oct 13 - Oct 19, 2025

This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.

Most Discussed Topics

  • Microsoft’s October 2025 Patch Tuesday was a major focus, being the largest release to date with 175 CVEs addressed. The update included patches for three zero-day vulnerabilities, with two (CVE-2025-24990 and CVE-2025-59230) confirmed to be actively exploited in the wild. A critical remote code execution vulnerability (CVE-2025-59287, CVSS 9.8) in the Windows Server Update Service (WSUS) also received significant attention. This release also marked the end of free security support for Windows 10, pushing organizations to upgrade or purchase Extended Security Updates.
  • A major security incident at F5 Networks involved a sophisticated nation-state actor gaining long-term access to corporate systems. The attackers exfiltrated sensitive data, including portions of the BIG-IP product source code and information on undisclosed vulnerabilities. In response, CISA issued Emergency Directive 26-01, mandating federal agencies to inventory, harden, and patch all F5 devices. F5 released multiple security updates and has urged all customers to apply patches immediately.
  • Multiple vendors released patches for critical vulnerabilities in industrial control systems (ICS). Siemens addressed numerous flaws across its product lines, including SINEC NMS, Solid Edge, and SIMATIC processors, with risks ranging from SQL injection to remote code execution. Rockwell Automation also patched several vulnerabilities in its FactoryTalk suite and other products, which could lead to denial-of-service or privilege escalation. CISA published thirteen advisories consolidating these updates, urging operators in critical infrastructure sectors to apply mitigations.
  • Vulnerabilities in the Linux Kernel were a recurring topic, with multiple advisories from different sources. Red Hat and Ubuntu both released updates to address flaws that could allow a local attacker to cause a denial-of-service, manipulate data, or escalate privileges. German and Canadian authorities also amplified these warnings, highlighting the broad impact on various distributions and platforms. The consistent stream of kernel patches underscores the ongoing effort required to secure the foundational component of many operating systems.

Critical Vulnerabilities

  • Microsoft patched three actively exploited zero-day vulnerabilities in its October update. These include two privilege escalation flaws in the Windows Agere Modem Driver (CVE-2025-24990) and the Remote Access Connection Manager (CVE-2025-59230). Another vulnerability in IGEL OS (CVE-2025-47827) allows for a Secure Boot bypass. CISA added all three to its Known Exploited Vulnerabilities (KEV) catalog, requiring immediate patching by federal agencies.
  • A critical remote code execution vulnerability (CVE-2025-54253) in Adobe Experience Manager (AEM) Forms is being actively exploited. The flaw, rated CVSS 10, stems from a misconfiguration that leaves the Apache Struts framework in an insecure developer mode, allowing unauthenticated attackers to execute arbitrary code. CISA has added this vulnerability to its KEV catalog, emphasizing the urgency for organizations to apply the patch released by Adobe in August 2025.
  • A remote code execution vulnerability (CVE-2025-61882) in Oracle E-Business Suite is being exploited in the wild. The vulnerability allows an unauthenticated attacker with network access via HTTP to take over the Oracle Concurrent Processing component. This flaw is reportedly being used by the Clop ransomware group in a widespread campaign targeting dozens of organizations, including Harvard University and Envoy Air. Oracle has released an emergency patch to address the issue.
  • Multiple vulnerabilities have been reported in Ivanti’s Endpoint Manager (EPM), Endpoint Manager Mobile (EPMM), and Neurons for MDM products, with the most severe allowing for remote code execution. A path traversal flaw (CVE-2025-9713) in EPM enables an unauthenticated attacker to achieve RCE. Other vulnerabilities include OS command injection, SQL injection, and insecure deserialization, which could lead to privilege escalation or data theft. Organizations are advised to apply the latest security updates provided by Ivanti.
  • A critical out-of-bounds write vulnerability (CVE-2025-9242) in WatchGuard Fireware OS allows a remote, unauthenticated attacker to execute arbitrary code. The flaw, rated CVSS 9.3, exists in the IKEv2 VPN service and can be triggered by sending specially crafted packets. Exploitation could grant an attacker full control over the affected Firebox appliance, posing a significant risk to network perimeters. WatchGuard has released patches and urges immediate updates.
  • Critical vulnerabilities were discovered in Redis (CVE-2025-49844) and Veeam Backup & Replication. The Redis flaw, dubbed “RediShell,” is a Use-After-Free in the Lua scripting engine with a CVSS score of 10.0, allowing an authenticated attacker to escape the sandbox and achieve RCE. Veeam Backup & Replication has multiple vulnerabilities allowing RCE and local privilege escalation, enabling unauthorized access to backup environments. Both vendors have released patches and strongly advise immediate updates.
  • Multiple high-severity vulnerabilities were addressed in Cisco IOS, IOS XE, and other products. One actively exploited SNMP vulnerability in IOS XE (CVE-2025-20352) could lead to a denial-of-service condition. Another flaw in IOS and IOS XE could allow for remote code execution. Advisories also cover information disclosure and DoS vulnerabilities in Cisco TelePresence, IP Phones, and Snort 3, impacting a wide range of networking and communication devices.

Major Incidents

  • F5 Networks disclosed a significant data breach orchestrated by a nation-state actor that resulted in the theft of BIG-IP source code and details on undisclosed vulnerabilities. The attackers maintained long-term access to F5’s product development and engineering systems. While F5 states there is no evidence of a supply chain compromise, the exfiltrated data provides the actor with a technical advantage for future attacks. This incident prompted CISA to issue an emergency directive for federal agencies to immediately patch and harden their F5 devices.
  • A widespread hacking campaign attributed to the Clop ransomware group is exploiting vulnerabilities in Oracle E-Business Suite. Victims include Harvard University and Envoy Air, a subsidiary of American Airlines. Attackers are exfiltrating sensitive data and attempting to extort corporate executives. Oracle has released patches, but the campaign’s success highlights the significant risk posed by unpatched enterprise applications and their potential for supply chain impact.
  • UK outsourcing firm Capita was fined a record £14 million by the ICO for data protection failures following a March 2023 BlackBasta ransomware attack. The breach exposed the personal data of 6.6 million people after the company failed to act on a security alert for 58 hours, allowing attackers to exfiltrate nearly one terabyte of data. The investigation found that Capita had known vulnerabilities, an understaffed SOC, and inadequate security testing, highlighting severe lapses in its security posture.
  • Peer-to-peer lending marketplace Prosper suffered a data breach affecting approximately 17.6 million individuals. The incident, detected on September 2, 2025, resulted in the theft of personal information including names, Social Security numbers, government IDs, income levels, and physical addresses. While Prosper stated that no customer accounts or funds were accessed, the stolen data creates a significant risk of targeted phishing and identity theft for the affected users.
  • The Dairy Farmers of America cooperative confirmed it was hit by a Play ransomware attack in June 2025. The attackers gained access through a social engineering campaign and exfiltrated personal information of 4,546 employees and members. Stolen data included names, Social Security numbers, bank account numbers, and driver’s license details. This incident is part of a broader trend of increased ransomware attacks targeting the food and agriculture sector.

Emerging Threats

  • North Korean threat actors, including UNC5342 and Famous Chollima, are adopting more evasive techniques. Researchers observed UNC5342 using ‘EtherHiding,’ a method that leverages public blockchains to store and retrieve malicious JavaScript payloads, making C2 infrastructure resilient to takedowns. Concurrently, Famous Chollima is merging the BeaverTail and OtterCookie malware families to enhance its data theft capabilities, adding keylogging and screenshotting modules to steal credentials and cryptocurrency in campaigns disguised as job offers.
  • A new Phishing-as-a-Service (PhaaS) platform named ‘Whisper 2FA’ has emerged, actively targeting Microsoft 365 accounts. In the last month, it has become the third most common PhaaS observed, after Tycoon and EvilProxy. The kit utilizes AJAX for a real-time credential exfiltration loop, allowing attackers to repeatedly attempt to steal credentials and valid MFA tokens. The campaigns use a variety of lures, impersonating brands like DocuSign, Voicemail, and Adobe to maximize their success rate.
  • Researchers have detailed ‘Pixnapping,’ a novel side-channel attack targeting Android devices that can steal pixel data from the screen. This allows a malicious app to reconstruct sensitive information, including 2FA codes from authenticators, by observing graphical rendering behavior. The attack (CVE-2025-48561) was demonstrated on modern Google Pixel and Samsung Galaxy devices, bypassing browser and app protections. Although complex, this technique poses a significant threat to user privacy and security on vulnerable devices.
  • A new malware campaign dubbed ‘PhantomVAI Loader’ is delivering a range of infostealers, including Katz Stealer, AsyncRAT, XWorm, and FormBook. The multi-stage infection chain begins with phishing emails and uses obfuscated scripts and steganography to conceal payloads. The campaign targets a wide variety of industries globally, including manufacturing, education, and government, highlighting the loader’s versatility as a distribution mechanism for various malware families.
  • A new Brazilian banking trojan named ‘Maverick’ is being distributed on a massive scale via WhatsApp. The malware, which shows code overlaps with the Coyote trojan, is delivered through a ZIP file containing a malicious LNK file. Once installed, Maverick hijacks the victim’s WhatsApp Web session to self-propagate to contacts and targets users of 26 Brazilian banks and 6 cryptocurrency exchanges by monitoring browser activity and deploying phishing overlays.
  • Researchers uncovered a sophisticated passive Linux backdoor named ‘Butoflex’ that remained undetected on a server for over a decade. The malware uses library injection to hook the accept system call in legitimate services like httpd, waiting for a specific HTTP request to trigger its payload. This long-term, low-noise approach highlights the threat of dormant compromises in critical systems, where attackers prioritize stealth and operational security to conduct targeted espionage over time.
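The library-injection technique in the Butoflex item leaves a trace a defender can look for from user space: a hooked httpd worker carries an extra shared object in its memory map. The script below is an added example, not code from the brief or from any published Butoflex analysis; it parses a constructed /proc/<pid>/maps sample (paths and inodes are invented), flags .so files mapped from outside the usual library directories or already deleted from disk, and lists /etc/ld.so.preload entries, which on a normal host should be empty.

```python
import re
from typing import List

# Directories that legitimately installed shared libraries are loaded from.
# Assumption for this example; adjust to the distribution's actual layout.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")

# Constructed sample of /proc/<pid>/maps for an httpd worker. The /dev/shm line
# is a made-up injected library; the path and inode are not real indicators.
SAMPLE_MAPS = """\
55d6c1a00000-55d6c1a40000 r-xp 00000000 fd:01 131073   /usr/sbin/httpd
7f2a4c000000-7f2a4c1c0000 r-xp 00000000 fd:01 262145   /usr/lib64/libc.so.6
7f2a4c400000-7f2a4c420000 r-xp 00000000 fd:01 262201   /usr/lib64/libpthread.so.0
7f2a4c600000-7f2a4c604000 r-xp 00000000 fd:01 524300   /usr/lib64/httpd/modules/mod_ssl.so
7f2a4c800000-7f2a4c803000 r-xp 00000000 00:19 9012     /dev/shm/.libhook.so
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0        [stack]
"""

# address range, perms, offset, dev, inode, then an optional pathname
MAPS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

def mapped_objects(maps_text: str) -> List[str]:
    """Distinct shared objects (.so files) mapped into the process, in map order."""
    seen, objects = set(), []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group(3).strip()
        if not path or path.startswith("["):  # anonymous, [stack], [vdso], ...
            continue
        if ".so" in path.rsplit("/", 1)[-1] and path not in seen:
            seen.add(path)
            objects.append(path)
    return objects

def suspicious_objects(maps_text: str) -> List[str]:
    """Mapped .so files from outside TRUSTED_LIB_DIRS, or whose backing file was deleted."""
    findings = []
    for path in mapped_objects(maps_text):
        deleted = path.endswith(" (deleted)")  # injected libs are often unlinked after loading
        clean = path[: -len(" (deleted)")] if deleted else path
        if deleted or not clean.startswith(TRUSTED_LIB_DIRS):
            findings.append(clean)
    return findings

def preload_entries(preload_text: str) -> List[str]:
    """Non-comment entries of /etc/ld.so.preload; normally the file is absent or empty."""
    return [l.strip() for l in preload_text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
```

To audit a live worker, feed `open(f"/proc/{pid}/maps").read()` to `suspicious_objects` for each httpd PID; a hit is a lead to investigate, not proof of compromise, since third-party modules installed under other prefixes will also show up.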

Regulatory and Policy Updates

  • CISA issued Emergency Directive 26-01 in response to a nation-state compromise of F5 Networks. The directive mandates that all Federal Civilian Executive Branch (FCEB) agencies identify and inventory F5 BIG-IP products, harden internet-facing management interfaces, apply the latest vendor updates by October 22, 2025, and disconnect unsupported devices. This action underscores the imminent threat posed by the stolen F5 source code and vulnerability data to federal networks.
  • CISA has added several actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, mandating remediation by federal agencies. The additions include a critical code execution flaw in Adobe Experience Manager Forms (CVE-2025-54253). Also added were multiple Microsoft vulnerabilities, including privilege escalation flaws in the Agere Modem Driver (CVE-2025-24990) and Remote Access Connection Manager (CVE-2025-59230), and a Secure Boot bypass in IGEL OS (CVE-2025-47827). These actions highlight the significant risk these vulnerabilities pose to the federal enterprise.
  • Microsoft officially ended free security support for Windows 10 on October 14, 2025. This major policy shift impacts millions of users and businesses, as systems running the OS will no longer receive security patches, leaving them vulnerable to new threats. Microsoft is offering paid Extended Security Updates (ESU) for up to three years, but security experts strongly recommend upgrading to Windows 11 to ensure continued protection and compatibility.

Security Operations

  • The Estonian Information System Authority (RIA) has launched a web-based support application for the Estonian Information Security Standard (E-ITS). This tool is designed to help organizations systematically assess and improve their information security posture by simplifying the complex E-ITS framework. The application provides guided workflows, automatic checklists, and helps generate initial implementation plans, making it easier for organizations without prior experience to adopt the national standard.
  • The UK’s National Cyber Security Centre (NCSC) launched a new toolkit to bolster the cybersecurity defenses of small businesses. This initiative comes as the agency reported that the UK is experiencing four ‘nationally significant’ cyberattacks every week, a significant increase from previous years. The NCSC’s Annual Review highlighted the need for improved resilience across all sectors, emphasizing that even basic preparedness, such as having a printed incident response plan, can be critical when digital infrastructure is compromised.
  • The rise of AI-powered phishing and social engineering is placing increased importance on robust security awareness training. Generative AI tools are making it easier for attackers to create convincing malicious emails, deepfakes, and other deceptive content, raising the human risk factor inside organizations. Security experts stress that a culture of security, reinforced by continuous training and phishing simulations, is a critical and cost-effective defense against these evolving social engineering techniques.

Wins

  • European law enforcement agencies, including Europol, dismantled a large-scale cybercrime-as-a-service network in an operation codenamed ‘SIMCARTEL’. The operation resulted in seven arrests and the seizure of 1,200 SIM box devices containing 40,000 active SIM cards. This network provided fraudulent phone numbers from over 80 countries, which were used to create millions of fake online accounts for phishing, fraud, and other illicit activities, causing over €5 million in losses.
  • Microsoft successfully disrupted a ransomware campaign by the threat actor Vanilla Tempest (also known as Vice Society). The attackers were using fraudulently obtained code-signing certificates to sign and distribute fake Microsoft Teams installers, which deployed the Oyster backdoor and ultimately the Rhysida ransomware. Microsoft responded by revoking over 200 malicious certificates and updating its security products to detect the fake installers and associated malware, effectively blunting the campaign.

Disclaimer

The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.

The brief is created in collaboration with BlackStork and is based on a free template.

Reach out if you have questions or suggestions.