Daily Brief

2025-12-10 21:39:27 theregister VULNERABILITIES Zero-Day Vulnerability Exploits Over 700 Gogs Git Instances
A zero-day vulnerability in Gogs, a self-hosted Git service, has led to over 700 compromised instances, with no immediate fix available. The flaw, tracked as CVE-2025-8110, allows authenticated users to execute remote code, bypassing previous security patches. Attackers exploit symbolic link vulnerabilities, enabling file overwriting and remote code execution through the Gogs API. The vulnerability affects Gogs versions 0.13.3 and earlier, especially those with open-registration enabled, which is the default setting. Wiz researchers discovered the flaw during a malware investigation and have disclosed it to Gogs maintainers, who are working on a resolution. The attacks use the Supershell remote command-and-control framework, with indications suggesting threat actors may be based in Asia. Organizations are advised to disable open-registration and limit internet exposure by using VPNs to protect self-hosted Git services. A list of indicators of compromise has been published, aiding in the detection and mitigation of potential threats.
2025-12-10 20:20:31 thehackernews VULNERABILITIES React2Shell Exploitation Targets Multiple Sectors with New Malware
Huntress reports ongoing exploitation of a React Server Components (RSC) vulnerability, CVE-2025-55182, enabling remote code execution across various industries, notably construction and entertainment. Attackers deploy cryptocurrency miners and new malware families, including PeerBlight, CowTunnel, and ZinFoq, affecting both Linux and Windows systems. PeerBlight establishes communication with a hard-coded C2 server and uses a domain generation algorithm as a fallback, while ZinFoq disguises itself as legitimate Linux services. Automated exploitation tools are likely in use, as evidenced by identical vulnerability probes and payload deployment across different operating systems. The Shadowserver Foundation identifies over 165,000 IPs and 644,000 domains running vulnerable code, with the U.S. hosting over 99,200 instances. Organizations using react-server-dom packages are urged to update immediately to mitigate exploitation risk. The widespread vulnerability poses a significant threat, emphasizing the need for timely patch management and robust cybersecurity practices.
2025-12-10 19:37:15 bleepingcomputer VULNERABILITIES Microsoft Teams Introduces Feature to Detect External Domain Anomalies
Microsoft is set to release a new Teams feature that identifies suspicious interactions with external domains, enhancing security without disrupting legitimate communications. The "External Domains Anomalies Report" will analyze messaging trends, flagging spikes in activity, new domains, and unusual engagement patterns. This tool aims to provide IT administrators with early visibility into potential data-sharing or security risks, supporting proactive threat management. The feature will be available worldwide from February 2026, targeting standard multi-tenant environments on the web platform. Microsoft has yet to confirm if this feature requires additional licensing or will be part of existing Teams subscriptions. This initiative follows recent enhancements to Teams' security, including alerts for malicious links and automatic blocking of screen-capture attempts during meetings. By improving detection and response capabilities, Microsoft aims to bolster tenant security while maintaining productive cross-organization collaboration.
2025-12-10 19:27:55 thehackernews VULNERABILITIES New .NET Framework Flaw Enables Remote Code Execution and File Writes
watchTowr Labs identified a critical vulnerability, named SOAPwn, in the .NET Framework, affecting applications such as Barracuda Service Center RMM and Ivanti Endpoint Manager. The flaw allows attackers to abuse Web Services Description Language (WSDL) imports to execute arbitrary code by manipulating generated HTTP client proxies. Attackers can use SOAP clients to achieve arbitrary file writes, potentially leading to remote code execution by uploading malicious web shells or PowerShell scripts. Microsoft has not issued a fix, attributing the issue to application behavior and advising against consuming untrusted inputs that could generate and execute code. Barracuda and Ivanti have released patches addressing this vulnerability, with CVSS scores of 9.8 and 8.8 respectively, emphasizing the severity of the flaw. The vulnerability underscores the importance of validating inputs in applications built on the .NET Framework to prevent exploitation paths such as NTLM relaying. The research was presented at Black Hat Europe, highlighting the risks that can arise from expected behaviors in widely used frameworks.
2025-12-10 18:27:00 bleepingcomputer DATA BREACH Over 10,000 Docker Hub Images Expose Sensitive Credentials and Keys
Security researchers identified over 10,000 Docker Hub images leaking sensitive data, affecting more than 100 organizations, including a Fortune 500 company and a major national bank. Exposed data includes live credentials for production systems, CI/CD databases, and AI model keys, posing significant risks to cloud environments and core infrastructure components. The most frequent leaks were access tokens for AI models such as OpenAI and HuggingFace, with 42% of affected images exposing at least five sensitive values. Many leaks originated from 'shadow IT' accounts, which lack strict corporate oversight, leading to potential unauthorized access and exploitation. While 25% of developers quickly removed exposed secrets, 75% failed to revoke them, leaving systems vulnerable to future attacks. Flare recommends avoiding static credentials in container images, centralizing secrets management, and implementing active scanning and immediate revocation of exposed keys. The breach underscores the need for robust secrets management and proactive monitoring throughout the software development lifecycle to prevent similar incidents.
2025-12-10 18:03:33 theregister NATION STATE ACTIVITY US Extradites Ukrainian Woman for Russian-Linked Cyber Attacks
Victoria Eduardovna Dubranova, a Ukrainian national, was extradited to the US for alleged involvement in cyber attacks linked to Russian-backed groups targeting critical infrastructure. The Justice Department charged Dubranova with conspiracy to damage protected computers and other offenses, potentially facing 27 years in prison if convicted. Dubranova is accused of participating in attacks on US meat processing and public water systems, causing significant operational disruptions and financial damages. The hacktivist groups CyberArmyofRussia_Reborn (CARR) and NoName057(16) are implicated, with ties to Russian intelligence agencies, including the GRU and FSB. CARR and NoName have been known to recruit global volunteers for DDoS attacks, impacting sectors like government, finance, and transportation. US authorities, alongside international partners, issued guidance to secure operational technology networks against such threats, emphasizing reducing public internet exposure. The US State Department announced rewards for information on individuals associated with these groups, highlighting the ongoing threat to national and international security. The case underscores the persistent risk posed by state-sponsored hacktivist groups leveraging unsophisticated yet impactful cyber attack methods.
2025-12-10 17:32:12 theregister VULNERABILITIES Microsoft Declines to Patch .NET RCE Flaw Affecting Enterprise Apps
Security researchers identified a vulnerability in the .NET framework affecting numerous enterprise applications, potentially enabling remote code execution (RCE) attacks via SOAP message handling. The flaw involves the SoapHttpClientProtocol class, which can be manipulated to write SOAP requests to local files, posing a risk of arbitrary file writes and NTLM relay attacks. Microsoft has opted not to address the vulnerability, asserting that developers should prevent untrusted inputs, treating the behavior as a feature rather than a flaw. The vulnerability impacts various products, including Barracuda Service Center, Ivanti Endpoint Manager, and Umbraco 8 CMS, with potential for broader exposure across other vendor and in-house solutions. Researchers discovered additional exploitation paths, such as using Web Services Description Language (WSDL) files to generate HTTP client proxies, facilitating RCE through ASPX webshells or PowerShell scripts. Despite repeated reports, Microsoft maintains that application developers are responsible for input validation, leaving the vulnerability unpatched and shifting the onus to users and developers. The situation underscores the importance of rigorous input validation and the potential risks associated with relying on vendor responses for critical security issues.
2025-12-10 16:05:35 theregister MISCELLANEOUS Enhancing Cybersecurity with Risk Operations Centers and Quantification
The article discusses the concept of cyber risk quantification (CRQ) as a tool for CISOs to articulate risks in financial terms to boards and prioritize security measures effectively. Building a Risk Operations Center (ROC) alongside traditional Security Operations Centers (SOCs) can proactively manage potential risks before they materialize into actual threats. CRQ involves assessing the monetary impact and likelihood of threats, providing a business-friendly language to communicate risks and justify security investments. Gartner predicts that many cybersecurity leaders struggle to implement CRQ effectively, emphasizing the need for collaboration between IT and business units. Continuous risk management, rather than static estimates, is recommended to adapt quickly to changing threat landscapes and emerging vulnerabilities. The approach encourages evaluating risks based on their potential financial impact, rather than relying solely on severity scores like CVSS. Communicating risks in monetary terms can enhance board-level understanding and support for cybersecurity initiatives, aligning security actions with business priorities.
2025-12-10 15:04:51 bleepingcomputer DATA BREACH JLR Attack Exposes Critical Supply Chain Vulnerabilities in Manufacturing
Jaguar Land Rover experienced a significant breach that halted production for weeks, impacting up to 5,000 organizations and potentially costing the British economy over $2 billion. The breach originated from compromised credentials within JLR's supply chain, highlighting the vulnerability of third-party contractor relationships in manufacturing. The U.K. government intervened with a nearly $2 billion loan guarantee to support JLR's recovery efforts, emphasizing the economic impact of such breaches. Attackers increasingly target software development processes, including through malicious npm (Node package manager) packages, which can infiltrate supply chains and cause widespread disruption. Manufacturers are urged to adopt a secure software development life cycle (SSDLC) to mitigate risks, as mandated by the EU NIS 2 directive. IEC 62443-4-1 certification is recommended for evaluating software suppliers, ensuring security is embedded from development to deployment in industrial environments. The JLR incident serves as a critical reminder for manufacturers to reassess supply chain security, focusing on SSDLC to prevent operational and financial repercussions.
2025-12-10 14:59:04 bleepingcomputer CYBERCRIME Spiderman Phishing Kit Targets European Banks and Cryptocurrency Services
The Spiderman phishing kit is targeting customers of major European banks and fintech companies, including Deutsche Bank, ING, and PayPal, using highly convincing fake websites. Cybercriminals using Spiderman can capture sensitive data such as login credentials, two-factor authentication codes, and credit card information from unsuspecting users. This modular phishing platform allows for the addition of new targets and authentication methods, adapting alongside evolving e-banking systems in Europe. Researchers from Varonis identified a group of 750 cybercriminals using Spiderman, with capabilities to intercept PhotoTAN and OTP codes, crucial for European banking security. The phishing kit's dashboard offers real-time victim session monitoring and one-click data export, enabling efficient data theft and potential account takeovers. Spiderman's operators can fine-tune their attacks by targeting specific countries, ISPs, and device types, enhancing the effectiveness of their phishing campaigns. Users are advised to verify website authenticity before entering credentials and report any suspicious SMS or PhotoTAN prompts to their banks immediately to prevent fraud.
2025-12-10 13:36:51 thehackernews VULNERABILITIES PCIe Encryption Flaws Threaten Data Security in Latest Systems
Three vulnerabilities in the PCIe Integrity and Data Encryption protocol impact systems using PCIe 5.0 and newer, posing risks of data exposure and privilege escalation. The flaws were identified by Intel researchers and affect PCIe's ability to secure data transfers, potentially leading to information disclosure and denial of service. Exploitation requires physical or low-level access to the PCIe IDE interface, classifying these vulnerabilities as low-severity with CVSS scores of 3.0 and 1.8. The vulnerabilities risk breaching isolation between trusted execution environments, affecting systems implementing IDE and Trusted Domain Interface Security Protocol. CERT Coordination Center advises manufacturers to adopt the updated PCIe 6.0 standard and apply Erratum #1 guidance to mitigate these vulnerabilities. Intel and AMD have issued alerts, recommending firmware updates for affected products to safeguard environments relying on IDE for data protection. Organizations should prioritize firmware updates from suppliers to maintain data integrity and prevent potential security breaches in sensitive environments.
2025-12-10 12:35:24 theregister MISCELLANEOUS NATO Cyber Coalition Exercise Enhances Multinational Cyber Defense Skills
NATO's Cyber Coalition exercise engaged 1,500 military cyber defenders in a week-long simulation to enhance coordination and response to cyber threats on the fictional island of Occasus-Icebergen. Participants from 29 NATO members and seven partner countries tackled seven concurrent cyberattack scenarios, reflecting real-world threats to critical national infrastructure and military systems. The exercise included scenarios such as cyberattacks on satellite communications and fuel management systems, testing defenders' abilities to respond to complex, hybrid threats. Scenarios are crafted based on recent global cyber incidents, ensuring relevance and realism, with this year's addition inspired by Russia's attack on Viasat during the Ukraine invasion. The exercise is designed to foster collaboration and communication among nations, emphasizing the importance of shared responsibility and trust in multinational cyber defense efforts. Cyber Coalition exercises are not competitive; rather, they focus on skill development and cooperation without grading, allowing participants to take risks and learn from their experiences. The event took place at CR14 in Estonia, with a mix of on-site and remote participation, highlighting NATO's commitment to continuous improvement in cyber defense capabilities.
2025-12-10 12:35:23 bleepingcomputer NATION STATE ACTIVITY Ukrainian Hacker Charged for Cyberattacks Supporting Russian Hacktivists
U.S. prosecutors charged Ukrainian national Victoria Dubranova for cyberattacks on critical infrastructure, including water and election systems, allegedly supporting Russian-backed hacktivist groups. Dubranova, extradited to the U.S., faces trials in February and April 2026 for her involvement with NoName057(16) and CyberArmyofRussia_Reborn (CARR). NoName057(16), linked to Russian state directives, developed a DDoS tool and recruited volunteers for attacks on government and critical infrastructure targets. CARR, directed by the Russian GRU, executed numerous cyberattacks, including damaging U.S. water systems and causing an ammonia leak at a Los Angeles facility. The U.S. State Department is offering up to $12 million in rewards for information on individuals associated with CARR and NoName groups. CISA, alongside global agencies, issued warnings about pro-Russia hacktivist groups targeting critical infrastructure, with potential for significant physical damage. Sanctions were imposed on two CARR members by the U.S. Treasury Department for their roles in attacks on U.S. infrastructure.
2025-12-10 11:55:17 thehackernews VULNERABILITIES WinRAR Vulnerability Exploited by Multiple Threat Groups in Active Campaigns
CISA added WinRAR vulnerability CVE-2025-6218 to its Known Exploited Vulnerabilities catalog, citing active exploitation by various threat actors. The flaw, a path traversal bug with a CVSS score of 7.8, allows code execution if a user opens a malicious file or visits a compromised page. RARLAB patched the vulnerability in June 2025 with WinRAR version 7.12; it affects only Windows-based builds. Threat groups like GOFFEE, Bitter APT, and Gamaredon have exploited the flaw, targeting organizations in Russia and Ukraine through phishing campaigns. Exploits include dropping malicious files in sensitive locations, enabling persistent backdoors, and deploying C# trojans for data exfiltration and remote access. Federal Civilian Executive Branch agencies must apply patches by December 30, 2025, to mitigate risks and secure their networks. This incident emphasizes the critical need for timely patch management and vigilance against spear-phishing tactics.
2025-12-10 11:27:40 thehackernews VULNERABILITIES Webinar to Address Cloud Misconfigurations in AWS, AI, and Kubernetes
Palo Alto Networks' Cortex Cloud team will host a webinar detailing how attackers exploit cloud misconfigurations, focusing on AWS, AI models, and Kubernetes. The session will explore three attack vectors: AWS identity misconfigurations, malicious file masking in AI models, and overprivileged Kubernetes entities. These vulnerabilities often go unnoticed by standard security tools due to their resemblance to normal activity, creating a significant visibility gap. The webinar aims to demonstrate how Code-to-Cloud detection can bridge this gap, using runtime intelligence and audit logs to identify threats early. Attendees will gain actionable insights on auditing cloud logs, cleaning up Kubernetes permissions, and applying AI-aware controls to their development pipelines. The session is designed to equip security teams with the knowledge to proactively address vulnerabilities before they lead to a breach.