Security firm Huntress has observed active, in-the-wild exploitation of a zero-day, unauthenticated local file inclusion (LFI) vulnerability in Gladinet CentreStack and TrioFox products. This flaw allows unauthenticated attackers to read sensitive files on the server, which can be chained to achieve remote code execution (RCE).
Business impact
Successful exploitation could lead to complete system compromise, data exfiltration of sensitive corporate files, deployment of ransomware, and unauthorized access to the internal network. The active exploitation status elevates the risk of immediate and widespread impact.
Recommended action
Due to the unpatched nature of this zero-day, organizations using Gladinet CentreStack or TrioFox products should immediately review logs for signs of LFI attacks, restrict access to the affected systems from the internet if possible, and prepare to apply a patch as soon as it becomes available.
Microsoft Threat Intelligence is tracking a cybercrime group, Storm-2657, conducting a campaign dubbed "payroll pirate." Since March 2025, the group has targeted university employees in the U.S. by compromising their Workday accounts to hijack salary payments and divert them to attacker-controlled accounts.
Business impact
This threat poses a direct financial risk through diverted salary payments, potential theft of personally identifiable information (PII) and financial data from HR systems, and reputational damage to affected universities. It also creates significant administrative overhead to investigate and remediate.
Recommended action
Universities and organizations using Workday should immediately enforce multi-factor authentication (MFA) for all users, audit recent changes to employee direct deposit information, and educate employees on phishing attacks targeting their HR portal credentials.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity directory traversal vulnerability in the Grafana analytics platform to its Known Exploited Vulnerabilities (KEV) catalog. This flaw allows attackers to read arbitrary local files on the server, potentially exposing sensitive configuration details, credentials, and data source information.
Business impact
Federal agencies are required to patch this vulnerability by a specified deadline. For private organizations, its inclusion in the KEV catalog confirms it is being actively exploited by threat actors, posing a significant risk of data breaches and unauthorized system access.
Recommended action
All organizations using Grafana must identify vulnerable instances and apply the necessary security patches immediately, prioritizing systems exposed to the internet. Review server logs for signs of directory traversal attempts targeting plugin asset directories.
A critical vulnerability has been discovered in a third-party option used for connecting the Figma design platform to agentic AI services. The bug can be exploited by an attacker to achieve remote code execution (RCE), granting them control over the server running the connector.
Business impact
Compromise of the server could lead to the theft of sensitive design files, intellectual property, and credentials used by the AI service. Attackers could also use the compromised server as a pivot point to move laterally within the corporate network.
Recommended action
Immediately identify and update any third-party connectors used between Figma and AI services. Organizations should audit their design and development toolchains for vulnerable third-party plugins and integrations.
Trend Micro's Zero Day Initiative (ZDI) has publicly disclosed details of 13 unpatched vulnerabilities affecting Ivanti Endpoint Manager (EPM). These flaws could allow remote attackers to execute arbitrary code and escalate privileges on affected systems, posing a significant security risk.
Business impact
Given Ivanti's prevalence in enterprise environments for device management, these vulnerabilities could allow for widespread compromise of endpoints, deployment of malware, and lateral movement across networks. The lack of available patches means organizations are currently exposed.
Recommended action
Organizations using Ivanti EPM should review the ZDI advisories, implement any suggested mitigation measures, restrict network access to EPM servers, and monitor vendor communications closely for forthcoming patches.
The Kiwire Captive Portal, a guest internet access gateway, is affected by three vulnerabilities: SQL injection, open redirection, and cross-site scripting (XSS). These flaws could allow an attacker to steal data from the underlying database, redirect users to malicious sites, or execute arbitrary scripts in a user's browser.
Business impact
Exploitation could lead to the compromise of guest and potentially internal user credentials, man-in-the-middle attacks, and reputational damage for organizations providing guest Wi-Fi services.
Recommended action
Administrators of Kiwire Captive Portal should review the CERT/CC advisory and apply vendor patches or workarounds immediately. Network segmentation should be verified to ensure the guest network is properly isolated from critical internal systems.
Google researchers report that dozens of organizations have been targeted in attacks exploiting a zero-day vulnerability in Oracle E-Business Suite (EBS). The campaign, which may have started as early as July, involves the deployment of sophisticated, custom malware post-exploitation.
Apple has updated its bug bounty program, increasing its top payout to $2 million and announcing it has paid over $35 million to researchers to date. The update includes new categories and target flags, signaling a continued investment in crowdsourced security.
New research from Anthropic and others demonstrates that Large Language Models (LLMs) can be 'backdoored' during training with a small number of malicious documents. This creates a significant supply chain risk, as models trained on data scraped from the open web could contain hidden vulnerabilities or biases that can be triggered by specific inputs, causing the model to behave in unintended and malicious ways. This highlights the critical need for data provenance and robust security testing for AI models being integrated into enterprise workflows.
Spotlight Rationale: Deepwatch is selected due to its recognition as "Managed Security Solution of the Year." Their Managed Detection and Response (MDR) service is directly relevant for identifying post-exploitation activity from today's actively exploited threats, such as the Gladinet/TrioFox LFI-to-RCE (CVE-2025-11371) and the Oracle EBS zero-day attacks, where preventative controls may fail.
Deepwatch's Precision MDR platform, powered by a combination of AI and human analysts, provides a critical defense layer for detecting threats that bypass traditional security tools. For zero-day vulnerabilities like CVE-2025-11371, where signatures and patches are non-existent, monitoring for anomalous behavior—such as unusual process execution by a web server or suspicious file access—is the most effective way to identify a compromise. An MDR service can provide the 24/7 monitoring and expert analysis needed to detect and respond to these sophisticated attacks.
Actionable Platform Guidance: Customers should engage with their Deepwatch team to ensure log sources from public-facing web applications (like Gladinet) and critical business systems (like Oracle EBS) are being ingested with the correct parsing. Confirm that alerting playbooks are enabled for detecting web-based attacks (LFI, RCE) and anomalous activity on critical application servers. Establish a clear incident response communication plan for any high-fidelity alerts related to these systems.
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Deepwatch MDR
# Deepwatch MDR Onboarding & Tuning for Today's Threats
# 1. Verify Critical Log Source Ingestion:
# - Navigate to your Deepwatch portal -> Data Sources.
# - Confirm that logs from edge firewalls, WAFs, and servers hosting Gladinet/TrioFox, Oracle EBS, and Grafana are listed and show a 'Healthy' status.
# - Specifically, ensure web server access logs (IIS, Apache, Nginx) are being collected.
# 2. Request Rule Review & Tuning:
# - Open a ticket with your Deepwatch support team.
# - Reference this rundown, specifically CVE-2025-11371 (Gladinet LFI) and CVE-2021-43798 (Grafana Traversal).
# - Ask the team to confirm that detection rules for LFI and Path Traversal patterns are active and applied to your relevant web server logs.
# - Request a review of rules that detect anomalous child processes spawned by your application server processes (e.g., w3wp.exe, java.exe).
# 3. Review Incident Response Playbook:
# - In your service agreement, review the defined communication plan for critical alerts.
# - Ensure on-call contacts for your application and infrastructure teams are up-to-date.
# - Discuss with Deepwatch what automated response actions (e.g., host isolation) are in place for a confirmed compromise of these critical assets.
2. YARA Rule for Gladinet/TrioFox LFI (CVE-2025-11371)
rule LFI_Exploitation_Gladinet_TrioFox_CVE_2025_11371 {
meta:
description = "Detects potential Local File Inclusion (LFI) attempts related to the Gladinet/TrioFox vulnerability (CVE-2025-11371). This rule looks for common LFI patterns in web logs or captured traffic."
author = "Threat Rundown"
date = "2025-10-10"
reference = "https://thehackernews.com/2025/10/from-lfi-to-rce-active-exploitation.html"
severity = "high"
tlp = "white"
strings:
$lfi1 = "../"
$lfi2 = "..\\"
$lfi_encoded1 = "%2e%2e%2f"
$lfi_encoded2 = "%2e%2e%5c"
$lfi_encoded3 = "..%2f"
$product1 = "Gladinet"
$product2 = "CentreStack"
$product3 = "TrioFox"
condition:
(any of ($lfi*)) and (any of ($product*))
}
3. SIEM Query — Potential Payroll Pirate Activity
// Splunk Search to detect potential payroll fraud
index=workday OR sourcetype=hr_platform_logs
(event_description="User updated direct deposit information" OR event_code=5104)
| lookup geoip src_ip OUTPUT country, city, asn
// Correlate with recent login events from the same user
| join type=inner user [
search index=sso OR sourcetype=okta event_description="Successful login"
| lookup geoip src_ip OUTPUT country as login_country, asn as login_asn
| stats latest(login_country) as login_country, latest(login_asn) as login_asn by user
]
// Flag changes where the login country is different from the user's typical location or from a high-risk ASN
| where login_country != user_baseline_country OR isnotnull(high_risk_asn_lookup(login_asn))
| table _time, user, src_ip, login_country, login_asn, event_description
| sort -_time
4. PowerShell Script — Check for Vulnerable Grafana Installations
<#
.SYNOPSIS
Checks for indicators of the Grafana path traversal vulnerability (CVE-2021-43798).
This script checks for the default installation path and looks for plugin directories.
.DISCLAIMER
This is a basic check and not a definitive vulnerability scan. Use with a proper vulnerability management tool.
#>
$grafanaPaths = @(
"C:\Program Files\GrafanaLabs\grafana",
"/usr/share/grafana",
"/etc/grafana"
)
Write-Host "[*] Searching for Grafana installations..."
foreach ($path in $grafanaPaths) {
if (Test-Path -Path $path) {
Write-Host "[+] Found potential Grafana installation at: $path" -ForegroundColor Green
# The vulnerability exists in the /public/plugins/{plugin-id} endpoint.
# We can check for the existence of a plugins directory as an indicator.
$pluginDir = Join-Path -Path $path -ChildPath "public\plugins"
if (Test-Path -Path $pluginDir) {
Write-Host "[!] Found plugins directory: $pluginDir" -ForegroundColor Yellow
Write-Host "[!] This installation may be vulnerable to CVE-2021-43798 if version is between 8.0.0-beta1 and 8.3.0. Manual version verification and patching is required."
} else {
Write-Host "[-] Public plugins directory not found at expected location."
}
}
}
Write-Host "[*] Script finished."
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
Cookie Notice
We use essential cookies to provide our cybersecurity newsletter service and analytics cookies to improve your experience. We respect your privacy and comply with GDPR requirements.
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
CRITICAL ITEMS
HIGH SEVERITY ITEMS
EXECUTIVE INSIGHTS
VENDOR SPOTLIGHT
DETECTION & RESPONSE KIT