Daily Brief
Find articles below; see 'Details' for generated summaries
Total articles found: 12680
Checks for new stories every ~15 minutes
| Time | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-10-15 05:43:21 | thehackernews | VULNERABILITIES | Critical SAP NetWeaver Bug Allows Server Takeover Without Login | SAP has released security updates addressing 13 vulnerabilities, including a critical flaw in SAP NetWeaver AS Java with a CVSS score of 10.0, enabling arbitrary command execution. The vulnerability, CVE-2025-42944, involves insecure deserialization, allowing unauthenticated attackers to exploit the system via the RMI-P4 module. Additional security measures include a JVM-wide filter to prevent deserialization of untrusted Java objects, enhancing application confidentiality, integrity, and availability. Another significant flaw, CVE-2025-42937, involves directory traversal in SAP Print Service, allowing unauthorized file overwriting, with a CVSS score of 9.8. SAP also addressed an unrestricted file upload vulnerability in SAP Supplier Relationship Management, CVE-2025-42910, which could lead to malicious file execution. No active exploitation of these vulnerabilities has been reported, but immediate application of patches and mitigations is strongly advised to prevent potential threats. Security experts emphasize the ongoing risk of deserialization vulnerabilities, urging organizations to implement SAP's fixes and enhanced JVM configurations. | Details |
| 2025-10-14 21:41:21 | bleepingcomputer | MALWARE | Malicious Crypto-Stealing Extensions Target VSCode and OpenVSX Users | A threat actor known as TigerJack targets developers with malicious Visual Studio Code (VSCode) extensions, aiming to steal cryptocurrency and install backdoors. Two compromised extensions, with 17,000 downloads, were removed from VSCode but remain available on OpenVSX, a community-maintained marketplace. TigerJack republished the malicious code under new names, exploiting the open-source nature of these platforms to reach unsuspecting users. Extensions like C++ Playground and HTTP Format can exfiltrate source code and run crypto miners, significantly impacting the host's processing power. Another variant fetches and executes JavaScript from a remote server, allowing dynamic payload deployment, including credential theft and ransomware. Koi Security researchers identified this campaign, noting the sophisticated use of multiple accounts and credible developer personas to evade detection. Despite being reported, OpenVSX has yet to respond, leaving developers vulnerable; caution is advised when downloading extensions from unverified sources. | Details |
| 2025-10-14 18:52:04 | bleepingcomputer | VULNERABILITIES | New Android Pixnapping Attack Threatens MFA Code Security | Researchers unveiled Pixnapping, a side-channel attack on Android devices, enabling unauthorized pixel extraction to steal sensitive data, including two-factor authentication codes, from apps like Signal and Google Authenticator. The attack exploits Android's intents system and SurfaceFlinger composition process, allowing a malicious app to isolate and reconstruct pixels, effectively capturing screen content without permissions. Demonstrated on Google Pixel and Samsung Galaxy devices, Pixnapping affects Android versions 13 to 16, suggesting widespread vulnerability across older devices and operating systems. Google and Samsung plan to address the flaw by year-end, with a comprehensive patch expected in the December Android security update, following a bypass of the initial September fix. The attack relies on the GPU.zip side-channel, leveraging graphical data compression in GPUs, although no GPU vendors have announced patching plans for this specific vulnerability. Despite the potential for data theft, current checks show no malicious apps exploiting Pixnapping on Google Play, and the attack requires specific device data, resulting in a low success rate. Organizations should remain vigilant, ensuring devices are updated promptly and monitoring for any emerging threats exploiting this vulnerability. | Details |
| 2025-10-14 18:07:28 | bleepingcomputer | VULNERABILITIES | Microsoft October 2025 Patch Tuesday Addresses Six Zero-Day Vulnerabilities | Microsoft released security updates for 172 vulnerabilities, including six zero-day flaws, during October 2025's Patch Tuesday, enhancing defenses across multiple platforms. Critical vulnerabilities addressed involve remote code execution and privilege elevation, affecting systems such as Windows SMB Server and Microsoft SQL Server. Windows 10 reaches the end of free security support, prompting enterprises to consider Extended Security Updates for continued protection. Key zero-day fixes include vulnerabilities in Windows Agere Modem Driver and Windows Remote Access Connection Manager, which allowed unauthorized privilege escalation. A Secure Boot bypass in IGEL OS and a memory integrity issue in AMD EPYC processors were also addressed, improving system security. Microsoft's proactive measures include removing vulnerable drivers and enhancing security protocols in Azure Confidential Computing environments. Organizations are advised to promptly apply these updates to mitigate potential exploitation risks and safeguard their systems. | Details |
| 2025-10-14 17:44:37 | bleepingcomputer | CYBERCRIME | U.S. DOJ Seizes $15 Billion in Crypto from Scam Syndicate | The U.S. Department of Justice seized $15 billion in bitcoin from the Prince Group, a criminal syndicate involved in cryptocurrency investment scams targeting U.S. victims. The Prince Group, operating since 2015, used social media, dating sites, and messaging apps to lure victims into fraudulent investment schemes, stealing billions in the process. The organization managed over 100 shell companies in more than 30 countries, employing forced labor in Cambodian compounds to execute scams under threats of violence. Chen Zhi, the leader of the Prince Group, remains at large, having orchestrated the scams and bribed officials to evade law enforcement. Advanced money laundering techniques were employed to obscure the origins of the stolen funds, which were spent on luxury items and investments. In collaboration with the UK, the U.S. Treasury sanctioned Chen Zhi and 146 associates, highlighting the international effort to curb such scams. The rise in online investment scams has resulted in significant financial losses, with U.S. victims losing over $16.6 billion in recent years. | Details |
| 2025-10-14 17:01:55 | thehackernews | NATION STATE ACTIVITY | Chinese State-Sponsored Group Exploits ArcGIS for Prolonged Backdoor Access | Chinese state-affiliated group Flax Typhoon exploited an ArcGIS server, transforming it into a backdoor for over a year, leveraging sophisticated techniques to evade detection. The attack involved modifying a geo-mapping application's Java server object extension (SOE) into a web shell, ensuring deep persistence even through system recoveries. Flax Typhoon employed living-off-the-land strategies, using trusted software components to bypass security and blend in with normal server traffic. The group targeted a public-facing ArcGIS server by compromising an administrator account, deploying a malicious SOE to execute commands via a public portal. They established a covert VPN channel using a renamed SoftEther VPN executable, enabling lateral movement and data exfiltration while appearing as part of the internal network. IT personnel workstations were specifically targeted to obtain credentials, facilitating deeper network infiltration and administrative account control. This incident underscores the need for heightened vigilance against the manipulation of legitimate tools and processes, as attackers increasingly weaponize trusted system functionalities. | Details |
| 2025-10-14 17:01:55 | bleepingcomputer | VULNERABILITIES | Dispute Arises Over Credit for Vulnerability Disclosures Between Startups | FuzzingLabs accuses Gecko Security of replicating its vulnerability disclosures and backdating blog posts to claim credit for CVEs, sparking a public dispute. FuzzingLabs asserts that Gecko copied proofs of concept (PoCs) and resubmitted them, leading to duplicate CVE IDs and questions about research integrity. Gecko Security denies plagiarism, attributing the situation to a misunderstanding over disclosure processes and emphasizing direct coordination with project maintainers. GitHub has updated some advisories to credit FuzzingLabs for original reports, while Gecko has amended blog posts to acknowledge FuzzingLabs' contributions. The incident raises broader concerns about the complexities of credit and coordination in vulnerability disclosure, particularly with potential overlaps in findings. The security community remains divided, with some questioning Gecko's explanation and others noting challenges in managing duplicate vulnerability reports. The situation underscores the importance of clear communication and transparency in the vulnerability disclosure process to maintain trust and integrity. | Details |
| 2025-10-14 16:42:58 | bleepingcomputer | VULNERABILITIES | Oracle Patches Critical Zero-Day Vulnerability in E-Business Suite | Oracle addressed a critical zero-day vulnerability (CVE-2025-61884) in its E-Business Suite, exploited by ShinyHunters, with an out-of-band security update over the weekend. The vulnerability allowed unauthenticated remote access to sensitive resources, posing significant risks to affected systems. Despite the active exploitation, Oracle did not publicly disclose the issue's severity or the existence of a publicly leaked exploit. Researchers confirmed the fix addressed a pre-authentication Server-Side Request Forgery (SSRF) flaw, enhancing security against the leaked exploit. Oracle E-Business Suite users are urged to apply the latest patches to mitigate risks from known exploit chains and enhance system security. The Clop ransomware group and ShinyHunters have been linked to exploiting similar vulnerabilities, emphasizing the need for vigilance and timely patching. Security experts recommend implementing additional security measures, such as mod_security rules, to further protect vulnerable endpoints until patches are fully deployed. | Details |
| 2025-10-14 14:58:01 | bleepingcomputer | VULNERABILITIES | Dispute Over CVE Credit Raises Concerns in Vulnerability Reporting | FuzzingLabs accuses Gecko Security of replicating its vulnerability disclosures and claiming CVE credits, sparking a public dispute between the two cybersecurity firms. FuzzingLabs alleges Gecko copied proofs of concept and backdated blog posts to appear as the original discoverer of vulnerabilities. Gecko Security denies the allegations, attributing the situation to an unfortunate overlap and emphasizing direct coordination with project maintainers. FuzzingLabs claims to possess evidence of plagiarism, including unique identifiers in their exploits, and notes that multiple vulnerabilities on Gecko's site seem copied from other researchers. Gecko has since updated its blog posts to credit FuzzingLabs and adjusted publishing dates, while maintaining that some CVEs were marked as duplicates or invalid. The incident underscores challenges in managing duplicate vulnerability reports and the complexities of crediting in responsible disclosure practices. The broader security community remains divided, with some questioning Gecko's explanation and others highlighting the need for improved coordination in vulnerability reporting. | Details |
| 2025-10-14 14:19:13 | theregister | DATA BREACH | Asahi Brewer Faces Data Breach After Ransomware Attack Disrupts Operations | Asahi Brewer, a major Japanese beer producer, experienced a ransomware attack in September, causing significant operational disruptions and potential data breaches. The Qilin ransomware group claimed responsibility, alleging the theft of 27 GB of sensitive data, including contracts, employee records, and financial information. Initial reports suggested system failures, but further investigation revealed traces of unauthorized data transfers, raising concerns about personal data exposure. The attack severely impacted Asahi's logistics, delaying shipments and forcing a temporary return to manual processing methods like pen and paper. Asahi postponed its quarterly financial results due to ongoing system outages and challenges in accessing accounting data, with no clear recovery timeline. The company is investigating the extent of the data breach and plans to notify affected individuals in compliance with data protection laws. A National Cyber Security Centre report indicates a 50% rise in ransomware attacks, suggesting a broader trend impacting businesses globally. | Details |
| 2025-10-14 14:02:04 | bleepingcomputer | MISCELLANEOUS | The Security Challenges of Autonomous AI Agents in Enterprises | The rise of autonomous AI agents is reshaping enterprise operations, with these systems now performing tasks such as ticket management, log analysis, and incident remediation independently. Unlike traditional bots, these AI agents can interpret goals, plan steps, and interact with multiple systems, making them powerful yet potentially risky users within an organization. The complexity of multi-agent ecosystems complicates tracing actions back to their human initiators, posing challenges for accountability and oversight. Companies are facing the emergence of "shadow AI," where AI tools enter environments without formal security reviews, creating governance challenges. Traditional visibility tools struggle to detect these agents, which can operate at machine speed across cloud functions or virtual machines, eluding standard oversight mechanisms. To address these challenges, enterprises are advised to develop AI agent inventories, detailing each agent's purpose, permissions, and lifespan for better management. Effective governance strategies are crucial, requiring organizations to redefine access controls, ensure proper oversight, and prevent unauthorized actions by these autonomous systems. The shift towards recognizing AI agents as a distinct category of identity, beyond human or non-human, is essential for maintaining security and operational integrity. | Details |
| 2025-10-14 13:36:14 | theregister | MISCELLANEOUS | Mozilla Launches Beta Test for Firefox's Integrated VPN Feature | Mozilla is initiating beta tests for a new built-in VPN feature in Firefox, selecting users at random to participate over the coming months. The Firefox VPN will be free and integrated within the browser, differing from Mozilla's existing paid VPN service, which supports multiple devices. This feature aims to enhance user privacy by routing web traffic through Mozilla-managed servers, masking IP addresses, and encrypting communications. Initially available on desktop, the VPN feature may expand to mobile platforms, reflecting Mozilla's ambition to create a leading VPN-integrated browser. Participants must register for a Mozilla account, and their VPN location will default to the best-performing server, primarily within the US. Mozilla will store minimal user logs for three months to improve performance and security, ensuring no logging of visited websites or communication content. The initiative comes amid increased interest in VPNs, especially in the UK, where they are used to bypass age verification checks under the Online Safety Act. | Details |
| 2025-10-14 13:30:28 | bleepingcomputer | VULNERABILITIES | Framework Linux Systems Face Secure Boot Bypass Vulnerability | Approximately 200,000 Linux systems by Framework were shipped with UEFI components that could be exploited to bypass Secure Boot protections. The vulnerability stems from a 'memory modify' (mm) command in signed UEFI shells, allowing attackers to disable signature verification. Attackers can leverage this flaw to load bootkits like BlackLotus, which can evade OS-level security and persist through OS re-installs. Eclypsium identified that the mm command can overwrite the gSecurity2 variable, disrupting the Secure Boot trust chain. Framework is actively working on remediation, advising users to apply security updates or use secondary protection measures. Temporary mitigations include deleting Framework's DB key via BIOS and preventing unauthorized physical access to affected systems. This incident emphasizes the importance of thorough security validation in firmware components to prevent similar vulnerabilities. | Details |
| 2025-10-14 12:37:53 | theregister | VULNERABILITIES | Oracle Releases Emergency Patch for E-Business Suite Vulnerability | Oracle issued an emergency patch for a critical vulnerability in its E-Business Suite, specifically targeting the Runtime UI component, tracked as CVE-2025-61884. The flaw carries a CVSS score of 7.5 and allows remote exploitation without authentication, posing significant risks to enterprise systems. This vulnerability could enable attackers to access sensitive resources, potentially leading to data theft or further network infiltration. Oracle advises immediate application of the patch or mitigations to protect against potential exploitation. The patch follows a recent fix for a zero-day vulnerability linked to Clop attacks, affecting numerous organizations, including universities and major enterprises. Google's Threat Intelligence Group reported "dozens" of confirmed victims, with expectations that the actual number exceeds a hundred. Harvard University is investigating a cybersecurity incident related to these Oracle EBS breaches, affecting a small administrative unit. The ongoing vulnerabilities in Oracle's EBS highlight the critical need for timely patch management and comprehensive security reviews. | Details |
| 2025-10-14 12:29:58 | bleepingcomputer | NATION STATE ACTIVITY | Chinese APT Exploits ArcGIS for Stealthy Network Intrusion | Chinese state-sponsored hackers infiltrated a target environment for over a year using ArcGIS, a geo-mapping tool, to create a web shell for persistent access. The attackers, identified as the Flax Typhoon group, used valid administrator credentials to compromise a public-facing ArcGIS server linked to an internal network. By uploading a malicious Java SOE, the hackers executed base64-encoded commands through a REST API, masked as routine operations, ensuring covert control. To maintain persistence, the attackers installed SoftEther VPN Bridge, creating an outbound HTTPS tunnel to their server, facilitating lateral movement and data exfiltration. ReliaQuest researchers noted attempts to escalate privileges by targeting IT staff workstations, aiming to harvest credentials and deepen network infiltration. The use of SOE for such attacks is unprecedented, prompting Esri to update its documentation to alert users of potential risks associated with malicious SOEs. The incident underscores the need for organizations to monitor legitimate software for unusual activity and strengthen internal network defenses against advanced persistent threats. | Details |